Strong Customer Authentication Feature in development
Introduction
Strong Customer Authentication (SCA) is a requirement of the Payment Services Directive 2 (PSD2) in Europe. It mandates that electronic payments and sensitive wallet operations are performed with multi-factor authentication to increase the security.
SCA is designed to protect customers and reduce the risk of fraud by requiring them to provide two or more forms of identification. This helps to ensure that the user making the payment or sensitive wallet operation is the legitimate wallet owner and not a fraudster.
How SCA Works
Authentication Factors
SCA requires that electronic payments and sensitive wallet operations are performed with multi-factor authentication. This means that the user must provide at least two of the following three factors:
- Something the user knows (e.g., a password or PIN).
- Something the user has (e.g., a mobile phone or hardware token).
- Something the user is (e.g., a fingerprint or facial recognition).
Responsibilities
There are two ways to handle SCA in Embedded Wallet based on the level of responsibility the partner takes:
- Outsourced SCA - the partner is responsible for handling the SCA process.
- Embedded SCA - Paysafe is responsible for handling the SCA process.
- Hybrid SCA - Paysafe is responsible for handling the SCA process, excluding the communication with the end-user.
Paysafe currently supports only Outsourced SCA. For more information on the different SCA methods, see Handling SCA in Embedded Wallet.
Wallet Operations Requiring SCA
The wallet operations listed below necessitate the implementation of Strong Customer Authentication (SCA):
Authentication
Prepaid Cards
- Update а Prepaid Card
- Get Prepaid Card Details
- Handle Prepaid Card Secure Details
Transfers
- Transfer Money
Withdrawals
- Withdrawal Money
Handling SCA in Embedded Wallet
- Outsourced SCA
- Embedded SCA
- Hybrid SCA
Overview
Outsourced SCA refers to a process in which the responsibility for implementing and managing strong customer authentication is entirely delegated to the partner. The partner handles all aspects of the SCA process, including user authentication and compliance with regulations like PSD2.
Responsibilities
To successfully complete the wallet operation requiring SCA, the partner must perform the following tasks:
- Initiate the SCA process when requested by Paysafe.
- Authenticate the user using a secure method (e.g., PIN or OTP).
- Audit the outcome of the SCA process to Paysafe.
- Re-request the wallet operation resource, including the relevant SCA details.
How It Works
Users execute wallet operations that necessitate SCA authentication via the partner's front end using Paysafe's SDKs. Moreover, submitting the SCA process involves the partner's backend, which must initiate a business request to validate the authentication event execution.
The sequence of API calls will be as follows:
Overview
Embedded SCA refers to a process where Paysafe assumes complete responsibility for implementing and overseeing strong customer authentication, excluding the partner entirely. Paysafe manages all aspects of the SCA process, encompassing user authentication and compliance with regulations such as PSD2.
Responsibilities
To successfully complete the wallet operation requiring SCA, the partner must perform the following tasks:
- Initiate the SCA process through the SDK using the secure method specified by Paysafe.
- Handle the outcome of the SCA authentication process.
- Re-request the wallet operation resource, including the relevant SCA details.
How It Works
Users perform wallet operations requiring SCA authentication through the partner's front end, employing Paysafe's SDKs. Furthermore, submitting the SCA process involves the partner's front end once more, which must trigger a user request via the Paysafe SDK to confirm the authentication event execution.
The sequence of API calls will be as follows:
Overview
Hybrid SCA refers to a process where Paysafe assumes complete responsibility for implementing and overseeing strong customer authentication, excluding the communication with the end-user. Paysafe handles all aspects of the SCA process, including user authentication and adherence to regulations like PSD2, and the partner is responsible for properly informing the end-user about the authentication event.
Responsibilities
To successfully complete the wallet operation requiring SCA, the partner must perform the following tasks:
- Initiate the SCA process through the SDK using the secure method specified by Paysafe.
- Manage the communication with the end-user through a secure mechanism.
- Handle the outcome of the SCA authentication process.
- Re-request the wallet operation resource, including the relevant SCA details.
How It Works
Users perform wallet operations requiring SCA authentication through the partner's front end, employing Paysafe's SDKs. Initiating the SCA process requires the partner's backend to notify the end-user about the authentication event, while the partner's front end must initiate a user request through the Paysafe SDK to confirm its execution.
The sequence of API calls will be as follows:
Single vs. Multi-step Wallet Operations
Overview
Wallet Operations
The following examples demonstrate the flows for managing SCA for specific wallet operations. The wallet operations are split into two categories, based on the number of steps required:
- Single-step - authentication and prepaid cards.
- Multi-step - transfers and withdrawals.
SCA Process Structure
The Strong Customer Authentication (SCA) process is initiated when a wallet operation is performed and remains valid for a predefined period of time. If it expires, the user must reinitiate the process by performing the wallet operation again, if still active (e.g., payments have a predefined expiration period within which they must be completed).
When an SCA process is initiated, a challenge (e.g., OTP via SMS) is sent, which has a 15 minutes validity period. If the challenge expires, a new one must be sent. The number of challenges that can be sent is limited, and exceeding this limit triggers a cooldown period before new challenges can be issued.
Users must submit each challenge for verification (e.g., entering the OTP). The number of allowed attempts is limited, and once this limit is reached, further attempts are blocked. The challenge is then marked as failed, and the user must request a new challenge to retry the process. The challenge status is based on the most recent attempt.
To summarize, the structure is as follows:
A single wallet operation may initiate multiple SCA processes, with each process potentially requiring sending multiple challenges. Each challenge can be submitted for verification by the user multiple times. All of these elements are subject to the following limitations:
- Process: May have a predefined expiration period.
- Challenge: Must have a maximum number of initiation attempts and a predefined expiration period.
- Attempt: Must have a maximum number of initiation attempts.
Execute a Wallet Operation
- Single-step
- Multi-step
When a customer performs a single-step wallet operation, such as user authentication, internal checks based on the brand, country, and operation details are conducted to determine if SCA is required.
Request
curl --location 'https://api.paysafe.com/digitalwallets/v1/auth/brands/{{brand}}/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {{client-id:client-secret}}' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token={{partner-customer-token}}' \
--data-urlencode 'digital_fingerprint=bb229878-c877-4cc3-91c4-2030c34be28a'
The initial wallet operation request does not include SCA-Authorization: {{sca-details}}
header. Paysafe will
decide if SCA authentication is necessary for the wallet operation by conducting internal checks on the details
of the specific operation and adhering to PSD2 requirements.
Response
When the server receives a request for a protected resource that requires SCA, it responds with a
401 Unauthorized
status code. It also includes the WWW-Authenticate
header in the response to inform the
client about the authentication methods that might be used to gain access to the specific resource.
WWW-Authenticate: SCA realm="Authentication" auth-param1="ewogICJzY2FEZXRhaWxzIjogewogICAgImV2ZW50SWQiOiAiMDZiZGMyYzAtY2NlLTRiMzYtOTdlYy0yODFjOGY1ZDc0M2MiLAogICAgIndhbGxldE9wZXJhdGlvbklkIjogImE1ODY1ZmQ2LTE4YzItNDVhOC05OTUzLTFjMDBlYWMzNmMzNiIsCiAgICAiYXV0aGVudGljYXRpb25Nb2RlIjogIk9VVFNPVVJDRUQiLAogICAgImF2YWlsYWJsZVZlcmlmaWNhdGlvbnMiOiBbCiAgICAgIHsKICAgICAgICAibWV0aG9kIjogIlBJTiIKICAgICAgfSwKICAgICAgewogICAgICAgICJtZXRob2QiOiAiT1RQIiwKICAgICAgICAiY2hhbm5lbCI6ICJTTVMiLAogICAgICAgICJ0YXJnZXQiOiAiam8qKipAZXhhbXBsZS5jb20iCiAgICAgIH0KICAgIF0sCiAgICAiY3JlYXRpb25UaW1lIjogIjIwMjEtMDctMTVUMTc6NTQ6MTJaIiwKICAgICJleHBpcmF0aW9uVGltZSI6ICIyMDIxLTA3LTE1VDE4OjA5OjEyWiIKICB9Cn0="
{
"error": {
"code": "DW-SCA-VERIFICATION-FAILED",
"message": "The wallet operation was unsuccessful.",
"details": [
"The wallet operation was declined because the SCA requirement is not completed."
]
}
}
The WWW-Authenticate
header will include the authentication scheme required by the server and any additional
information necessary for the client to authenticate. The format is as follows:
WWW-Authenticate: <auth-scheme> realm="<realm>" auth-param1="ewogICJzY2FEZXRhaWxzIjogewogICAgImV2ZW50SWQiOiAiMDZiZGMyYzAtY2NlLTRiMzYtOTdlYy0yODFjOGY1ZDc0M2MiLAogICAgIndhbGxldE9wZXJhdGlvbklkIjogImE1ODY1ZmQ2LTE4YzItNDVhOC05OTUzLTFjMDBlYWMzNmMzNiIsCiAgICAiYXV0aGVudGljYXRpb25Nb2RlIjogIk9VVFNPVVJDRUQiLAogICAgImF2YWlsYWJsZVZlcmlmaWNhdGlvbnMiOiBbCiAgICAgIHsKICAgICAgICAibWV0aG9kIjogIlBJTiIKICAgICAgfSwKICAgICAgewogICAgICAgICJtZXRob2QiOiAiT1RQIiwKICAgICAgICAiY2hhbm5lbCI6ICJTTVMiLAogICAgICAgICJ0YXJnZXQiOiAiam8qKipAZXhhbXBsZS5jb20iCiAgICAgIH0KICAgIF0sCiAgICAiY3JlYXRpb25UaW1lIjogIjIwMjEtMDctMTVUMTc6NTQ6MTJaIiwKICAgICJleHBpcmF0aW9uVGltZSI6ICIyMDIxLTA3LTE1VDE4OjA5OjEyWiIKICB9Cn0="
The key elements of the WWW-Authenticate
header are:
auth-scheme
- defines the method by which clients verify their identities (alwaysSCA
).realm
- describes the protected area (e.g.Authentication
,Withdrawal
,Transfer
, etc.).auth-param1
- base64-encoded parameter containing comprehensive SCA authentication properties which the partner should use to complete the process. It must include the unique identifiers related to the SCA authentication process, the necessary authentication mode, as well as the available verification methods.
To better understand the base64-encoded blob of data referred to by auth-param1
, here's an example of what it
contains:
{
"scaDetails": {
"eventId": "06bdc2c0-cce-4b36-97ec-281c8f5d743c",
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"authenticationMode": "OUTSOURCED",
"availableVerifications": [
{
"method": "PIN"
},
{
"method": "OTP",
"channel": "SMS",
"target": "+359***78"
}
]
"creationTime": "2021-07-15T17:54:12Z",
"expirationTime": "2021-07-15T18:09:12Z"
}
}
The scaDetails
property encompasses the following elements:
eventId
- the unique identifier of the SCA authentication event.walletOperationId
- the unique identifier of the wallet operation, used to associate it with the SCA authentication event.authenticationMode
- the mode of the Strong Customer Authentication (SCA) authentication process (OUTSOURCED
,EMBEDDED
orHYBRID
).availableVerifications
- the available verification methods for the SCA authentication process. In an outsourced SCA scenario, this property will reflect the agreed-upon methods in the contract.creationTime
- the date and time when the SCA authentication event was created.expirationTime
- the date and time when the SCA authentication event will expire (if applicable).
For more information on the SCA authentication properties, refer to SCA Details.
When a customer executes a multi-step wallet operation, such as money transfer, internal checks based on the brand, country, and payment details are conducted to determine if SCA is required.
Request
curl --location 'https://api.paysafe.com/digitalwallets/v1/profile/transfers/urn:transfer:01HZ09ZJM14WFE1891R55M5G16/status' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer {{customer-token}}' \
--data-raw '{
"status": "PROCESSING"
}'
The initial wallet operation request does not include scaDetails
request parameter. Paysafe will decide if
SCA authentication is necessary for the wallet operation by conducting internal checks on the details of the
specific operation and adhering to PSD2 requirements.
Response
When the server receives a request for a protected resource that requires SCA, the response will be as follows:
{
"amount": 1000,
"currencyCode": "USD",
"recipient": {
"customerId": "1100000001069474",
"email": "john.doe@paysafe.com"
},
"merchantRefNum": "33778b77-c1d6-4f8d-a3ae-0d05edb10a4f",
"transferDetails": {
"reason": "PEER_TRANSFER"
},
"id": "urn:transfer:01HZ09ZJM14WFE1891R55M5G16",
"slipId": "1100000015828617",
"fees": [
{
"amount": 100,
"currency": "USD",
"paymentReason": "MERCHANT_FEE"
}
]
"creationTime": "2024-01-01T19:14:08.642938Z",
"expirationTime": "2024-01-01T19:16:08.641413Z",
"status": "PENDING",
"nextStatus": ["PROCESSING"],
"action": "SCA",
"scaDetails": {
"eventId": "06bdcd2c-0cce-4b36-97ec-281c8f5d743c",
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"authenticationMode": "OUTSOURCED",
"availableVerifications": [
{
"method": "PIN"
},
{
"method": "OTP",
"channel": "SMS",
"target": "+359***78"
}
]
}
}
The main attributes of the response related to SCA authentication are as follows:
action
- indicates that the wallet operation requires SCA authentication.scaDetails
- represents the SCA authentication properties which the partner should use to complete the process.
The scaDetails
property encompasses the following elements:
eventId
- the unique identifier of the SCA authentication event.walletOperationId
- the unique identifier of the wallet operation, used to associate it with the SCA authentication event.authenticationMode
- the mode of the Strong Customer Authentication (SCA) authentication process (OUTSOURCED
,EMBEDDED
orHYBRID
).availableVerifications
- the available verification methods for the SCA authentication process. In an outsourced SCA scenario, this property will not appear in the response because the partner manages the entire SCA process according to the agreed-upon methods in the contract.
Send an SCA Challenge
- Outsourced SCA
- Embedded SCA
- Hybrid SCA
The partner is fully responsible for sending the SCA challenge in the Outsourced SCA process, generating it using the agreed-upon verification mechanisms, delivering it securely to the end-user, verifying it, and reporting the outcome to Paysafe.
Once an SCA process is initiated, a challenge must be sent through one of the available verification mechanisms
(e.g., send an OTP code via SMS). Тhe challenges have their own expiration (e.g., the OTP sent via SMS is valid
for only a short time). If a challenge expires, a new one must be sent. Each challenge sent for the same process
will increment the currentChallenges
field. This process can only be performed a limited number of times, as
defined by allowableChallenges
(its value is determined by the best security practices). If this limit is
exceeded, an error will be returned, and no additional challenges can be sent for the same process until a
cooldown period has elapsed. After this period, the currentChallenges
are reset, and new challenges can be
sent for the same process as previously described.
Request
curl --location 'https://api.paysafe.com/digitalwallets/v1/auth/sca/events/06bdcd2c-0cce-4b36-97ec-281c8f5d743c/challenges' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer {{config-token OR user-token}}' \
--data-raw '{
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"verification": {
"method": "OTP",
"channel": "SMS"
},
"deviceInfo": {
"threatMetrixSessionId": "a71a475b-1956-4814-9c92-7faa8226b218",
"appType": "WEB_APP"
}
}'
The request must include the eventId
and walletOperationId
to link the authentication attempt to the
specific customer operation. Paysafe checks this unique association to prevent fraud. Additionally, the
verification
must be included to comply with the SCA requirement for
at least two factors from different categories.
Response
If Paysafe successfully send the SCA challenge, the response will be as outlined below:
{
"eventId": "06bdcd2c-0cce-4b36-97ec-281c8f5d743c",
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"authenticationMode": "HYBRID",
"verification": {
"method": "OTP",
"channel": "SMS",
"target": "+359***78"
},
"currentChallenges": 1,
"allowableChallenges": 5,
"creationTime": "2021-07-15T17:54:12Z",
"expirationTime": "2021-07-15T18:09:12Z"
}
The response will include the same properties as those returned during the initiation of the SCA process, plus
the currentChallenges
and allowableChallenges
fields, as well as creationTime
and expirationTime
. These
additions are necessary to prevent fraud and maintain the security of the SCA process (described in greater
detail above).
Sending the SCA challenge may encounter specific exceptions. For detailed information on these exceptions, refer to the SCA Authentication Errors section.
An example of such an error concerns a non-existing SCA authentication event or an incorrect link to the requested wallet operation:
{
"error": {
"code": "DW-SCA-EVENT-NOT-FOUND",
"message": "SCA authentication event was not found",
"details": [
"No SCA authentication event matching the provided data was found."
]
}
}
If the number of sent SCA challenges exceeds the allowed limit, the following error response will be returned:
{
"error": {
"code": "DW-SCA-CHALLENGES-EXCEEDED",
"message": "SCA authentication challenges sent exceeded",
"details": [
"SCA authentication challenges sent exceeded the allowed limit."
]
}
}
Once an SCA process is initiated, a challenge must be sent through one of the available verification mechanisms
(e.g., send an OTP code via SMS). Тhe challenges have their own expiration (e.g., the OTP sent via SMS is valid
for only a short time). If a challenge expires, a new one must be sent. Each challenge sent for the same process
will increment the currentChallenges
field. This process can only be performed a limited number of times, as
defined by allowableChallenges
(its value is determined by the best security practices). If this limit is
exceeded, an error will be returned, and no additional challenges can be sent for the same process until a
cooldown period has elapsed. After this period, the currentChallenges
are reset, and new challenges can be
sent for the same process as previously described.
Request
curl --location 'https://api.paysafe.com/digitalwallets/v1/auth/sca/events/06bdcd2c-0cce-4b36-97ec-281c8f5d743c/challenges' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer {{config-token OR user-token}}' \
--data-raw '{
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"verification": {
"method": "OTP",
"channel": "SMS"
},
"deviceInfo": {
"threatMetrixSessionId": "a71a475b-1956-4814-9c92-7faa8226b218",
"appType": "WEB_APP"
}
}'
The request must include the eventId
and walletOperationId
to link the authentication attempt to the
specific customer operation. Paysafe checks this unique association to prevent fraud. Additionally, the
verification
must be included to comply with the SCA requirement for
at least two factors from different categories.
Response
If Paysafe successfully send the SCA challenge, the response will be as outlined below:
{
"eventId": "06bdcd2c-0cce-4b36-97ec-281c8f5d743c",
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"authenticationMode": "HYBRID",
"verification": {
"method": "OTP",
"channel": "SMS",
"target": "+359***78"
},
"currentChallenges": 1,
"allowableChallenges": 5,
"creationTime": "2021-07-15T17:54:12Z",
"expirationTime": "2021-07-15T18:09:12Z"
}
The response will include the same properties as those returned during the initiation of the SCA process, plus
the currentChallenges
and allowableChallenges
fields, as well as creationTime
and expirationTime
. These
additions are necessary to prevent fraud and maintain the security of the SCA process (described in greater
detail above).
Sending the SCA challenge may encounter specific exceptions. For detailed information on these exceptions, refer to the SCA Authentication Errors section.
An example of such an error concerns a non-existing SCA authentication event or an incorrect link to the requested wallet operation:
{
"error": {
"code": "DW-SCA-EVENT-NOT-FOUND",
"message": "SCA authentication event was not found",
"details": [
"No SCA authentication event matching the provided data was found."
]
}
}
If the number of sent SCA challenges exceeds the allowed limit, the following error response will be returned:
{
"error": {
"code": "DW-SCA-CHALLENGES-EXCEEDED",
"message": "SCA authentication challenges sent exceeded",
"details": [
"SCA authentication challenges sent exceeded the allowed limit."
]
}
}
Send a Webhook Notification
- Outsourced SCA
- Embedded SCA
- Hybrid SCA
Webhooks are not available for the Outsourced SCA as the entire process is managed by the partner. Based on the wallet operation's result regarding SCA eligibility, the partner is responsible for executing and managing the process, from generating the SCA challenge (using the agreed-upon verification mechanisms), communicating it to the end-user, verifying it, and reporting the outcome to Paysafe.
Webhooks are not available for the Embedded SCA because Paysafe takes full responsibility for executing and managing the Strong Customer Authentication (SCA) process, without any involvement from the partner. Paysafe manages the entire SCA process, from generating the SCA challenge to directly communicating with the end-user via a secure channel and verifying the challenge.
Webhooks play a vital role in the Hybrid SCA, where Paysafe handles the entire Strong Customer Authentication (SCA) process, except for end-user communication. Paysafe is responsible for generating and verifying the SCA challenge, while the partner is responsible for properly informing the end-user about the authentication event.
Request
curl --location 'https://example.com/webhook/path/at/merchant/system/sca/events' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Signature: {{hmac-signature}}' \
--data-raw '{
"id": "07c3bcf5-1b6c-494e-9a29-776cfc54b4db",
"timestamp": "2021-07-15T17:54:12Z",
"verificationProcess": {
"eventId": "06bdcd2c-0cce-4b36-97ec-281c8f5d743c",
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"authenticationMode": "HYBRID",
"flow": {
"type": "AUTHENTICATION"
},
"verification": {
"method": "OTP",
"channel": "SMS",
"target": "+359878787878"
},
"value": "123456",
"creationTime": "2021-07-15T17:54:12Z",
"expirationTime": "2021-07-15T18:09:12Z"
}
}'
Signature
The webhook notification must contain a {{hmac-signature}}
header calculated using the following algorithm:
digest = HMAC_SHA256
- hmacKey, UTF 8 string containing the JSON webhook request body.signature = base 64 encode
- digest.
The code receiving the webhook needs to repeat this algorithm and compare the value generated with the value received in the header.
For more information on request signing, refer to Request Signing documentation.
Request Body
The webhook notification will include the following properties:
id
- the unique identifier of the webhook event.timestamp
- the date and time when the webhook event was created.verificationProcess
- the properties of the SCA authentication event:eventId
- the unique identifier of the SCA authentication event.walletOperationId
- the unique identifier of the wallet operation, used to associate it with the SCA authentication event.authenticationMode
- the mode of the Strong Customer Authentication (SCA) authentication process (only theHYBRID
option is supported).flow
- the specific properties of the wallet flow that triggered the Strong Customer Authentication (SCA) process.verification
- the verification mechanism used for the SCA authentication attempt.value
- the value associated to the authentication event attempt, which must be communicated via a secure notification mechanism.creationTime
- the date and time when the SCA authentication event was created.expirationTime
- the date and time when the SCA authentication event will expire (if applicable).
For more information on the SCA webhooks, refer to SCA Authentication Event.
Retry Mechanism
In case event is not delivered the retry mechanism is involved. Webhooks service supports infinite retry mechanism with configurable timeout. Events are retried for multiple HTTP response statuses that can be configured as well. The retry is triggered on the event sending step.
For more information on retry mechanisms, refer to Retry Mechanism documentation.
Submit the SCA Authentication
The authenticationMode
property specifies the particular SCA authentication process that is required to authorize the
user to complete the wallet operation and indicates who is responsible for managing it. The potential options are:
OUTSOURCED
- The partner is responsible for managing the SCA process and must verify the customer's identity using a secure method. This can include using a previously established PIN or a one-time password (OTP) sent to the customer's mobile phone or email address. Other verification methods agreed-upon in the contract are also acceptable.EMBEDDED
- Paysafe is responsible for managing the SCA process and employs the necessary verification methods (specified by theavailableVerifications
property) to authenticate the user. The partner does not participate in the execution of the SCA process.HYBRID
- Paysafe oversees the SCA process and uses the required verification methods (outlined by theavailableVerifications
property) to authenticate the user. The partner is responsible for notifying the end-user about the authentication.
- Outsourced SCA
- Embedded SCA
- Hybrid SCA
Regardless of the outcome of the SCA authentication process conducted, the partner must report the result to Paysafe via an HTTP request. Paysafe will then perform additional internal security checks related to both successful and unsuccessful SCA attempts to ensure enhanced security and prevent fraud.
Submitting the SCA process necessitates the involvement of the partner's backend, which should trigger a B2B request. This ensures that the SCA authentication process cannot be abused by malicious actors.
For more information on performing SCA authentication, see:
Request
curl --location 'https://api.paysafe.com/digitalwallets/v1/sca/events/06bdcd2c-0cce-4b36-97ec-281c8f5d743c/attempts' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Basic {{api-key-username:api-key-password}}' \
--data-raw '{
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"verification": {
"method": "OTP",
"channel": "SMS"
}
"status": "VERIFIED"
}'
Paysafe manages the SCA authentication process, which takes place through the partner's front end utilizing the Paysafe's SDKs. The SCA details obtained are used to confirm the user's identity and grant authorization for the customer to proceed with the requested wallet operation.
Submitting the SCA process requires the partner's front end to engage with Paysafe's SDKs. This setup ensures that the SCA authentication occurs directly between the customer and Paysafe, without requiring the partner's backend to intervene.
For more information on performing SCA authentication, see:
Request
curl --location 'https://api.paysafe.com/digitalwallets/v1/auth/sca/events/06bdcd2c-0cce-4b36-97ec-281c8f5d743c/attempts' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer {{config-token}}' \
--data-raw '{
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"verification": {
"method": "OTP",
"channel": "SMS"
},
"value": "123456",
"deviceInfo": {
"appType": "WEB_APP",
"threatMetrixSessionId": "bb229878-c877-4cc3-91c4-2030c34be28a"
}
}'
Paysafe oversees the SCA process, which is carried out through the partner's front end using Paysafe's SDKs. The gathered SCA information is used to verify the user's identity and authorize the customer to continue with the requested wallet operation.
The submission of the SCA process requires the partner's front end to interact with Paysafe's SDKs. This configuration ensures that the SCA authentication takes place directly between the customer and Paysafe, eliminating the need for involvement from the partner's backend.
For more information on performing SCA authentication, see:
Request
curl --location 'https://api.paysafe.com/digitalwallets/v1/auth/sca/events/06bdcd2c-0cce-4b36-97ec-281c8f5d743c/attempts' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer {{config-token}}' \
--data-raw '{
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"verification": {
"method": "OTP",
"channel": "SMS"
},
"value": "123456",
"deviceInfo": {
"appType": "WEB_APP",
"threatMetrixSessionId": "bb229878-c877-4cc3-91c4-2030c34be28a"
}
}'
The SCA authentication confirmation request should contain the eventId
and walletOperationId
properties to ensure
that the authentication attempt is directly associated with the specific customer operation. Paysafe verifies this
unique relationship to prevent fraudulent activity. In addition to these properties, the verification
must be also
included to ensure compliance with the SCA rule requiring
at least two factors from different categories.
The incorporation of the remaining properties - status
, statusReason
, and value
may differ based on whether the
SCA authentication mode is outsourced, embedded or hybrid.
Response
If Paysafe successfully accepts and handles the SCA authentication confirmation API request, the response will be as outlined below:
{
"id": "13121989",
"eventId": "06bdcd2c-0cce-4b36-97ec-281c8f5d743c",
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36",
"authenticationMode": "OUTSOURCED",
"verification": {
"method": "OTP",
"channel": "SMS",
"target": "+359***78"
},
"status": "VERIFIED",
"currentAttempts": 1,
"allowableAttempts": 5,
"creationTime": "2024-01-01T19:14:12.642938Z"
}
Regardless of the status of the SCA authentication attempt, the response will include:
id
- the unique identifier of the SCA authentication event attempt (each attempt will possess a distinct identifier but will be associated with the same SCA event).eventId
- the unique identifier of the SCA authentication event.walletOperationId
- the unique identifier of the wallet operation, used to associate it with the SCA authentication event.authenticationMode
- the mode of the Strong Customer Authentication (SCA) authentication process (OUTSOURCED
,EMBEDDED
orHYBRID
).verification
- the verification mechanism used for the SCA authentication attempt.status
- the status of the SCA authentication attempt.statusReason
- the reason for the status of the unsuccessful SCA authentication attempt.currentAttempts
- the number of current SCA authentication attempts.allowableAttempts
- the number of allowable SCA authentication attempts, before the invalidating the associated SCA authentication event.creationTime
- the date and time when the SCA authentication attempt was created.
Throughout the SCA authentication process, specific exceptions may arise. In such case the wallet operation would be failed. A new one must be initiated and the SCA process must be repeated. Detailed information regarding these exceptions is available in the SCA Authentication Errors section.
An example of such an error concerns a non-existing SCA authentication event or an incorrect link to the requested wallet operation:
{
"error": {
"code": "DW-SCA-EVENT-NOT-FOUND",
"message": "SCA authentication event was not found",
"details": [
"No SCA authentication event matching the provided data was found."
]
}
}
In case no SCA challenge was found, the following error response will be returned:
{
"error": {
"code": "DW-SCA-CHALLENGE-NOT-FOUND",
"message": "SCA challenge was not found",
"details": [
"No SCA challenge matching the provided data was found. Possibly one has never been created or has already been finalized due to expiration or other reason."
]
}
}
In case the SCA authentication attempts exceed the allowed limit, the following error response will be returned:
{
"error": {
"code": "DW-SCA-ATTEMPTS-EXCEEDED",
"message": "SCA authentication attempts exceeded",
"details": [
"SCA authentication attempts exceeded the allowed limit."
]
}
}
Finalize the Wallet Operation
- Single-step
- Multi-step
After Paysafe accepts and processes the SCA authentication confirmation request, the partner's system should proceed to re-request the same wallet resource, including the relevant details concerning the SCA authentication. These details are required to verify that the user is authorized to complete the requested wallet operation.
Request
curl --location 'https://api.paysafe.com/digitalwallets/v1/auth/brands/{{brand}}/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {{client-id:client-secret}}' \
--header 'SCA-Authorization: {{sca-details}}' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token={{partner-customer-token}}' \
--data-urlencode 'digital_fingerprint=bb229878-c877-4cc3-91c4-2030c34be28a' \
The SCA authorization header name adheres to the convention established by the authentication scheme indicated
in the WWW-Authenticate
response header. The scheme employed is SCA
, and consequently, the corresponding
authorization header is denoted as SCA-Authorization
.
The specific authorization header must be included in the subsequent request to verify if the required SCA authentication was successfully verified and the user is authorized to complete the requested wallet operation.
If the request lacks this authorization header, or if the provided SCA properties are incorrect or unconfirmed, the outcome will follow the procedure outlined in step 1, necessitating the partner to repeat the process.
The {{sca-details}}
value should be a base64-encoded string containing the unique identifiers related to the
SCA authentication process, extracted from the auth-param1
value in the WWW-Authenticate
response header:
{
"scaDetails": {
"eventId": "06bdc2c0-cce-4b36-97ec-281c8f5d743c",
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36"
}
}
The primary components of the scaDetails
property are:
eventId
- the unique identifier of the SCA authentication event.walletOperationId
- the unique identifier of the wallet operation, used to associate it with the SCA authentication event.
For more information on the SCA authentication attributes, refer to SCA Details.
If the SCA authentication is successfully completed and the wallet operation is processed, the response will be as described below:
Response
{
"access_token": "{{customer-token}}",
"expires_in": 900,
"refresh_token": "{{refresh-token}}",
"refresh_expires_in": 1800,
"token_type": "Bearer",
"scope": "whitelabelWallet"
}
After Paysafe accepts and processes the SCA authentication confirmation request, the partner's system should proceed to re-request the same wallet resource, including the relevant details concerning the SCA authentication. These details are required to verify that the user is authorized to complete the requested wallet operation.
Request
curl --location 'https://api.paysafe.com/digitalwallets/v1/profile/transfers/urn:transfer:01HZ0APZB0JNWW2XJCGX4N44MF/status' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer {{customer-token}}' \
--data-raw '{
"status": "PROCESSING",
"scaDetails": {
"eventId": "06bdcd2c-0cce-4b36-97ec-281c8f5d743c",
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36"
}
}'
The scaDetails
must be included in the subsequent wallet payment request to verify if the required SCA
authentication has already been successfully completed.
If the request lacks this request body parameter, or if the provided SCA properties are incorrect or unconfirmed, the outcome will follow the procedure outlined in step 1, necessitating the partner to repeat the process.
The scaDetails
value should contain only the unique identifiers related to the SCA authentication process:
{
"scaDetails": {
"eventId": "06bdc2c0-cce-4b36-97ec-281c8f5d743c",
"walletOperationId": "a5865fd6-18c2-45a8-9953-1c00eac36c36"
}
}
The primary components of the scaDetails
property are:
eventId
- the unique identifier of the SCA authentication event.walletOperationId
- the unique identifier of the wallet operation, used to associate it with the SCA authentication event.
For more information on the SCA authentication attributes, refer to SCA Details.
Response
If the SCA authentication is successfully completed and the wallet payment operation is sent for processing, the response will be as described below:
{
"amount": 1000,
"currencyCode": "USD",
"recipient": {
"customerId": "1100000001069474",
"email": "john.doe@paysafe.com"
},
"merchantRefNum": "33778b77-c1d6-4f8d-a3ae-0d05edb10a4f",
"transferDetails": {
"reason": "PEER_TRANSFER"
},
"id": "urn:transfer:01HZ09ZJM14WFE1891R55M5G16",
"slipId": "1100000015828617",
"fees": [
{
"amount": 100,
"currency": "USD",
"paymentReason": "MERCHANT_FEE"
}
]
"creationTime": "2024-01-01T19:14:08.642938Z",
"expirationTime": "2024-01-01T19:16:08.641413Z",
"status": "PROCESSING",
"action": "NONE"
}
The absence of SCA action
and scaDetails
in the response indicates that the wallet payment operation has
been successfully sent for processing.
Conclusion
The wallet operation is now complete, and the partner can proceed with the next steps. If the SCA authentication process wasn't successful, the partner should repeat the entire process as already outlined.