blob: 2a2ba3c1746b0a4a91d70710036ae0c45edb004d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
# FROM: https://github.com/w3c/webpayments/tree/gh-pages/PaymentFlows
@startuml
Participant "Payee (Merchant) PSP [Acquirer]" as MPSP
Participant "Payee (Merchant) [Acceptor] Site " as Payee
Actor "Payer (Shopper) [Cardholder] Browser" as Payer
participant "Browser Form Filler" as UA
participant "Card Scheme Directory" as CSD
participant "Issuing Bank [Issuer] Website" as CPSPW
participant "Issuing Bank [Issuer]" as CPSP
note over Payee, Payer: HTTPS
title
<b>Legacy Merchant Hosted Card Payment with Acquirer Supported 3DS (Current)</b>
<i>3DS is used to add confidence that the payer is who they say they are and importantly in the event of a dispute liability shift to the Issuer.</i>
end title
== Establish Payment Obligation ==
Payee->Payer: Present Check-out page with Pay Button
Payer->Payer: Select Card Payment Method
alt
UA->Payer: Form Fill
' Note right: fields are PAN & Expiry Date with optional CVV, & Address, Also Card Valid Date and Issue Number are required for some Schemes
else
Payer->Payer: User Fills Form
End
== Card Payment Initiation ==
Payer->Payee: Payment Initiation
' Note right: Custom code on merchant webpage can encrypt payload to reduce PCI burden from SAQ D to SAQ A-EP
opt
Payee->Payee: Store Card
' note right: Merchant can store card details apart from CVV (even if encrypted) for future use (a.k.a. Card on File)
end
Payee-\MPSP: Authorise
== 3DS part of flow ==
' Note over MPSP, Payee: At this point, the Merchant or Merchant's PSP can decide if it wishes to invoke 3DS. This might be based on transaction value (i.e. low value -> low risk) or other factors, e.g. if the Shopper is a repeat purchaser.
MPSP –> CSD: BIN to URL lookup (VAReq message)
CSD -> CSD: Lookup URL from BIN
CSD –> CPSPW : “PING”
'note right: verify URL validity
CPSPW –> CSD: “PING” response
CSD –> MPSP: URL
MPSP-/Payee: 3DS redirect (PAReq message)
Payee->Payer: 3DS redirect (PAReq message)
Payer->CPSPW: 3DS invoke
CPSPW-\Payer: 3DS challenge
Payer-/CPSPW: 3DS response (PARes message)
CPSPW->Payer: 3DS response (PARes message)
Payer->Payee: 3DS response (PARes message)
Payee-\MPSP: 3DS response (PARes message)
MPSP->MPSP: Verification of PARes signature
== End of 3DS ==
MPSP-\CPSP: Authorisation Request
CPSP-/MPSP: Authorisation Response
MPSP-/Payee: Authorisation Response
== Notification ==
Payee->Payer: Result Page
== Request for Settlement process (could be immediate, batch (e.g. daily) or after some days) ==
Alt
Payee -> MPSP : Capture
'note right: Later Capture may be called, for example after good shipped or tickets pickedup
Else
MPSP -> MPSP : Auto Capture in batch processing at end-of-day
End
MPSP->CPSP: Capture
== Fulfilment ==
Payee->Payer: Provide products or services
@enduml
|