Transaction Confirmation
Transaction confirmation under PSD2 involves verifying the identity of the customer and ensuring the security of the transaction. It typically requires the use of two or more factors from the following categories:
- Knowledge factors: Something the end-customer knows, such as a password or PIN.
- Possession factors: Something the end-customer possesses, such as a mobile phone.
- Inherence factors: Something inherent to the end-customer, such as biometric data (FingerId, FaceID, etc.).
The purpose of using multiple factors is to provide an extra layer of security by requiring the end-customer to provide evidence from different categories. This helps to mitigate the risks of unauthorized access and fraud.
PSD2 Exemptions
In line with PSD2, certain outgoing wire transfers & sends may be exempted from Strong Customer Authentication (SCA).
- Low Value Transaction: Transactions below €30 or equivalent are not challenged, unless the user exceeds a cumulative transfer amount of €100 (or equivalent) or 5 successful transactions, or the transaction is deemed high risk.
Contact our support team to enable the Low Value exemption.
- Trusted Beneficiaries: The destination instrument of the send transaction is in the identity's trusted beneficiary list.
The status of transactions that do not require SCA automatically moves to EXECUTED and no further action is required.
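The exemption rules above, written as a decision function. This is an added example, not the platform's own code: the ExemptionTracker class, its counters, the reset after a successful challenge, and counting the current transaction toward the limits are assumptions. Only the €30, €100 and 5-transaction thresholds come from this page.

```python
from dataclasses import dataclass
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")    # EUR, per transaction (from the page)
CUMULATIVE_LIMIT = Decimal("100")  # EUR, cumulative (from the page)
COUNT_LIMIT = 5                    # successful transactions (from the page)


@dataclass
class ExemptionTracker:
    """Hypothetical per-user state; not part of the platform's API."""
    low_value_enabled: bool = False       # the page: support must enable this
    exempt_total: Decimal = Decimal("0")  # low-value amount since last SCA (assumed)
    exempt_count: int = 0                 # low-value count since last SCA (assumed)

    def requires_sca(self, amount, trusted_beneficiary=False, high_risk=False):
        """Return (sca_required, reason); count the transaction if it is exempt."""
        amount = Decimal(str(amount))
        # The page attaches the high-risk condition to the Low Value rule only.
        if trusted_beneficiary:
            return False, "trusted beneficiary"
        if not self.low_value_enabled:
            return True, "low value exemption not enabled"
        if high_risk:
            return True, "high risk"
        if amount >= LOW_VALUE_LIMIT:
            return True, "amount not below limit"
        if self.exempt_total + amount > CUMULATIVE_LIMIT:
            return True, "cumulative limit"
        if self.exempt_count >= COUNT_LIMIT:
            return True, "count limit"
        self.exempt_total += amount
        self.exempt_count += 1
        return False, "low value"

    def record_sca_success(self):
        """Assumption: a completed challenge resets both low-value counters."""
        self.exempt_total = Decimal("0")
        self.exempt_count = 0


if __name__ == "__main__":
    user = ExemptionTracker(low_value_enabled=True)
    for amount in ["10", "10", "10", "10", "10", "10", "30"]:  # constructed amounts
        print(amount, user.requires_sca(amount))
```

Amounts are passed as strings and held as Decimal so that currency comparisons against the thresholds are exact.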
Authentication factors
To verify a transaction, the logged-in user must have enrolled their mobile device for strong customer authentication.
We currently support SMS and BIOMETRICS as possible authentication factors.
Transaction Confirmation
For transactions to be executed, the logged-in user must authenticate the transaction (unless the transaction is PSD2 exempted). These are the transactions that must be challenged:
- Single Outgoing Wire Transfers
- Bulk Outgoing Wire Transfers
- Single Send Transaction
- Bulk Send Transaction
You can use the challenges /multi/challenges/otp/{channel} endpoint to verify a single OWT or Send, or multiple OWTs and Sends at the same time, by providing the transaction ID(s) in the resourceIds field. Use this endpoint instead of the deprecated endpoint, which can only be used for single OWTs.
Read more on how to reduce the number of approvals required when executing transactions by using Beneficiaries.
Sending a Challenge
You can trigger the transaction verification process by calling the transaction challenge API. The user is requested to perform a two-factor authentication based on the channel.
If SMS is used, a text message is sent to the mobile number associated with the user's credentials. For root users, this is the mobile number provided when onboarding the corporate or consumer identity, while for authorised users, this is the mobile number provided when onboarding the user.
If you would like to authenticate the second factor via SMS, trigger the wire transfer SCA challenge API endpoint, which sends an OTP via text message.
Verifying the Challenge
If SMS was the selected channel, you must build a page in your application where the user can enter the verification code they received in the text message, then submit it via the challenge verify API.
The challenge expires after 5 minutes, and the number of incorrect OTP attempts is limited to reduce the risk of fraud. The challenge remains in a Pending state until the last incorrect attempt has been consumed; any further attempts beyond this return CHALLENGE_LIMIT_EXCEED. After the final incorrect attempt, the state of the corresponding transaction is updated to REJECTED and no further challenges can be triggered against this transaction.