Strong Customer Authentication (SCA)

Strong Customer Authentication (also known as SCA) fulfills a set of regulatory requirements designed to reduce fraud, making online payments more secure while establishing trust with consumers. SCA adds an extra layer of security by having a third party, such as a bank, verify the end-customer before or during an online payment. Riverty currently offers this functionality in Sweden, Norway, Denmark, Finland, and the Netherlands.

Practical Use

SCA is used for risk handling (consumer ratings and fraud risk). For Norway and Sweden, SCA is almost always mandatory, as it is a key element of fraud prevention and a process that online shoppers already know. In Sweden, SCA is used by 98% of the population between 18 and 67 years of age.

Country Specifics

  • Sweden: eID method BankID (SE). Required field: identification number.
  • Norway: eID method BankID (NO). Required field: identification number.
  • Finland: eID method FTN (Finnish Trust Network). Required field: identification number.
  • Denmark: eID method MitID (replaces NemID). Required field: identification number.
  • Netherlands: eID method iDIN. Required fields: date of birth, first name, last name. Country specific restriction: only for customers using the following banks: ABN AMRO, ASN Bank, Bunq, ING, Rabobank, RegioBank, SNS (more info: https://www.idin.nl/en/can-i-use-idin/). Country specific test case: the last name has to be Vries and the date of birth has to be 1975-07-25.
  • DACH: One Time Password (SMS/Email). Required fields: phone number, email address.

Implementation

The SCA implementation uses a redirect flow: the end-customer is redirected to the secure login URL that the Riverty API returns in response to the Authorize Payment or Verify request. The end-customer is presented with a page with further instructions. After the verification process is completed, the end-customer is redirected back to the merchant's web page.

Riverty will decide for which orders and customers SCA will be triggered. This decision is based on a number of parameters, such as order amount, shipping address and other fraud and risk related variables.

[Figure: Risk - Strong Customer Authentication flow]

  1. Customer selects Riverty in the merchant checkout and clicks 'Pay' to finalize a purchase.
  2. Merchant makes an Authorize Payment request to the Riverty API with customer and order details.
  3. Based on the merchant configuration, the Riverty API decides whether SCA is required to finalize the purchase. If SCA needs to be performed, the Riverty API responds with "outcome": "Pending" and a risk check message containing "message": "Strong identification needed" with "code": "200.910".
  4. The Authorize Payment response contains a "secureLoginUrl". The merchant's return URL must be added to it as the URL parameter "?merchantUrl=". This specifies where the customer is redirected after the SCA process is completed or cancelled.
  5. Merchant redirects the customer to the secure login URL, which now carries the merchant return URL in its parameters.
  6. Customer uses the country-specific eID method to verify their identity.
  7. After successful authentication, Riverty redirects the customer to the merchant return URL (specified in step 4).
  8. When the customer arrives back on the merchant's page, the merchant has to make a GetOrder request to the Riverty API to check the order status.
    • If the order status is accepted, the order is finalized.
    • If the order status is cancelled, expired or pending, the order is not finalized. After 15 minutes a pending order times out, so a new attempt with a new order number is required.

Advice on timing of the GetOrder request

  • Trigger the GetOrder request when the customer is redirected back to the merchant return URL (see steps 4 and 7).
  • If the customer is not back within one minute, we recommend triggering the GetOrder request automatically.
  • As long as the order status is "Pending", continue sending GetOrder calls at an interval of 30 seconds.
  • Do this for up to 15 minutes; after that the order status is automatically set to "Expired".
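The merchant-side handling of the steps above and of the GetOrder timing advice, as an added Python example (not Riverty's own SDK or code): it checks the Authorize Payment response for the SCA signal, appends the merchant return URL as the merchantUrl parameter, and polls GetOrder every 30 seconds while the order is Pending, stopping after 15 minutes. The JSON shape of the sample response, the field name riskCheckMessages, and the injected GetOrder, clock and sleep callables are assumptions made for this example.

```python
import json
from urllib.parse import urlencode, urlparse, urlunparse, parse_qsl

SCA_CODE = "200.910"         # risk check code "Strong identification needed"
PENDING_TIMEOUT_S = 15 * 60  # a pending order expires after 15 minutes
POLL_INTERVAL_S = 30         # poll GetOrder every 30 seconds while Pending

# Constructed sample Authorize Payment response. Field names "outcome",
# "secureLoginUrl", "code" and "message" come from the docs; the surrounding
# shape and the key "riskCheckMessages" are assumptions for this example.
SAMPLE_AUTHORIZE_RESPONSE = json.dumps({
    "outcome": "Pending",
    "riskCheckMessages": [
        {"code": "200.910", "message": "Strong identification needed"}
    ],
    "secureLoginUrl": "https://sca.example.invalid/login?session=abc123",
})

def sca_required(response_json: str) -> bool:
    """True when the response asks for SCA: outcome Pending plus code 200.910."""
    resp = json.loads(response_json)
    codes = {m.get("code") for m in resp.get("riskCheckMessages", [])}
    return resp.get("outcome") == "Pending" and SCA_CODE in codes

def build_redirect_url(secure_login_url: str, merchant_return_url: str) -> str:
    """Add the merchant return URL as the merchantUrl query parameter (step 4),
    keeping any parameters Riverty already placed in the secure login URL."""
    parts = urlparse(secure_login_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("merchantUrl", merchant_return_url))   # URL-encoded by urlencode
    return urlunparse(parts._replace(query=urlencode(query)))

def order_finalized(status: str) -> bool:
    """Only an accepted order is finalized; cancelled, expired and pending are not."""
    return status.lower() == "accepted"

def poll_order_status(get_order, now, sleep) -> str:
    """Step 8 plus the timing advice: call GetOrder every 30 s while the status is
    Pending and stop after 15 minutes, when Riverty marks the order Expired.
    get_order() returns the status string; now()/sleep() are injected (assumed)
    so the loop can run against a fake clock."""
    deadline = now() + PENDING_TIMEOUT_S
    while True:
        status = get_order()
        if status.lower() != "pending" or now() >= deadline:
            return status
        sleep(POLL_INTERVAL_S)
```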