You already had a closer look on our Open Banking products and would like to learn more on  Worldline Bank Connect?

As a licensed entity, via Bank Connect you can reach all banks with a single integration. You can pull account data of your retail or business clients or submit payments on behalf of your clients. 

To implement Bank Connect you can consult  the API description. 

In addition, you will need to handle end user's bank selection and redirection to your portal. For faster integration and better user experience we offer Worldline Bank Selection Interface for Payment and Data - a set of predefined screens that could be customized with your branding allowing to choose the banks and handling the complexity of different PSD2 authorization flows (redirect / decoupled / embedded), so that you will be able to focus on your product and leave the boring stuff to us.

 Additionally you should also check the following sections: 

• Access Management Module

• Reach Directory API for Payment and Data - it describes how to query the reach directory and interpret it's response. The reach directory will tell you which banks are connected to our platform and how you can identify implementation differences across banks.

• Push Notification API  (optional) - to learn how you can get notified on payment status changes instead of polling the status by yourself 

• Back office (optional)- in case you would like to manually check your transactions

Version 2.9.1 to 2.10.0

Introduction

Credit Insight, is an Open Banking Product which relies on an AIS collection of transaction data for the selected client.

The prerequisites to provide a Credit Insight analysis are :

• At least one CHECKING account provided
• At least 20 transactions within the last 90 days
• Transactions must be in EURO
• A callback URL must be provided beforehand.

The workflow goes as follows :

1. The Initiating Party posts and initiates a registration for the client, and chooses the relevant product option.
2. Worldline responds with the appropriate URL for the consent and AIS session, and the client is then redirected to the AIS Bank selection pages.
3. Once the client has selected its bank(s) and accounts, Worldline collects the transactions and balances for the last three months from the bank(s).
4. The Credit Insight analysis is performed, and once the results are available, they are sent to the Initiating Party's callback URL.

Details

For the Credit Insight usecase the relevant and usable endpoints are within the Account Information extended service:

• POST /register : initiates the process

• POST /register/{registrationId}/initialisation/{psuId} : used to retrieve the URL to the AIS consent page for the PSU (client)

• GET /register/{registrationId}/status : allows the Initiating Party to know the status of the process (optional)

After the process is initiated and the client has consented to give access to his account(s), the processing begins on the Credit Insight engine.

Once it has completed, the Initiating Party receives the response on the callback URL they provided during the onboarding.

The initial POST /register call should be as follows:

POST /register

{
    "RegistrationId": "<registration_id>",
    "Psus": [
        {
            "PsuId": "<psu_id>"
        },
    ],
    "Parameter":[
        {
            "Key":"option",
            "Value":"NONE||CS||PS||CSPS"
        }
    ]
}

The Product options need to be specified, in the "Parameter" field. Depending on the items the Initiating party needs returned. In any case, the base response will comprise the Credit Insights, which are further detailed below. The Product options are :

• CS : Credit Score
• PS : Payment Score
• CSPS : Both
• NONE : No scores, only the insights

Credit Insights: The Credit Insights service takes the raw balance and transaction data from the bank and transforms this into an insightful financial report.

All of the transactions are categorized with a specific focus credit, important data is flagged (such as existing loans, payment rejections, etc…) and useful metrics are calculated.

All of this is delivered by API to provide you an instant analysis based on data retrieved directly from the consumer’s bank.

Credit Score: The Credit Score is a number score out of 1000 (a consumer with a score of 0 is the most risky and 1000 the least risky). This number provides a highly accurate predictive assessment of the risk of default within 12 months of the scoring.

Payment score: The payment score is designed for use with short-term credit (repayment period of around 3 months). This is provided as a score out of 10 (a consumer with a score of 0 is the most risky and 10 the least risky).

The second call (POST /register/<registration_id>/initialisation/<psu_id>) is meant to provide a base country for the initiation screens that will be shown to the client.

POST /register/<registration_id>/initialisation/<psu_id>
{
  "PsuData":{
    "Country": "FR||DE||XY.."
  }
}

After the client has consented to the AIS process, the transactions are fetched and processed in the WL Credit Insight engine.

Once the analysis is performed, the following insights are sent within the response to the Initiating Party :

In order to promote the use of FIDO and to help standardize the user experience, the FIDO Alliance has written some guidelines about how to display information related to FIDO when using it on a website.
However, these guidelines are mainly constructed around the use of FIDO for account log-in. In the case of transaction validation and two factor authentication using WAFL, some of the recommendations are not really applicable.

You will find here what we could extract from this official documentation that is relevant to apply in our context and that we used in our demonstration.

FIDO during the user journey - Our interpretation

• Until the user is logged-in, no change on the website.
• Once the user is logged-in, on the their main dashboard, advertise the fact that a new way to Authenticate payments is available, and link to the settings to enable it, but only if the device supports FIDO.
  (see how to check that in the implementation guide)
  Do not mention FIDO yet, but only biometrics.
  Use a fingerprint icon matching the user platform : Apple icon for Mac and iOS; generic icon for other platforms.
• In the user settings, the section dedicated to FIDO activation should :
  • Use proper biometrics icon.
  • Start mentioning FIDO.
  • Offer registration only on supported device.
  • Mention that even though it is supported, it might be necessary to enable it in the device settings, and indicate how to do so. (Ex: Windows Hello can be disabled, but FIDO will appear as supported by the device)
  • Insist on the benefits of using FIDO : it's faster and it's simpler.
  • Display the FIDO logo.
  • At the bottom, add a link to display some FIDO key facts, as provided in the official guidelines.
• During transaction validation, if the user used an other validation method, invite the user to register FIDO after a successful transaction if their device is not registered yet.
•  

Official extracts

Information about Security Keys

• What is a security key?

  A security key is a small, physical device that works in addition to your password on sites that support it. A single key can be used with multiple accounts or sites.

• Why should I use a security key?

  Security keys protect you against imposter websites that try to steal login credentials (like usernames and passwords). Other forms of 2-factor authentication (including text, email, messages, authenticator apps, and push notifications) do not give you the same level of protection as a security key.

• How security keys work

  You must first add security keys using the button above. Once added, you'll be required to use them after signing in with your username and password. Doing this creates one of the strongest forms of authentication available to protect your account.

  • What security technology do security keys use?

    Most keys use an authentication "standard" called FIDO® which allows for secure authentication without drivers or software. When a user signs in a website with a key, FIDO® cryptographically signs a challenge from the browser that verifies the website's actual domain name, which provides strong protection against phishing (e.g., when a fake website is used to trick users into sharing personal information). An attacker would need to control the website domain name or the browser to get a usable signature from the key.

• Why do security keys look like thumb drives?

  Although hardware security keys may resemble thumb drives and are sometimes inserted into your computer's USB port, they are not storage devices. Your personal information is not trackable or linkable across sites or online accounts when using a security key.

• What happens if my security key gets stolen?

  The key works in addition to your password, not as a replacement for it. If someone steals the key, they still can't get into your bank account without knowing your password (or which sites are registered with your key). You can sign in with a backup method and remove the stolen key from your account.

• Add more than one security key

  Adding multiple security keys is highly recommended. If your security key is lost or stolen and you do not have a registered backup security key (or other backup authentication method), access to your account could be interrupted while we verify your identity. We recommend keeping one key easily accessible and another stored separately in a safe space.

• Purchase security keys

  Security keys vary by manufacturer and can be purchased from mainly online retailers. We recommend FIDO certified keys. See a list of FIDOⓇ certified keys.

• Name your security keys

  Give you security key a friendly "nickname" that only you can see, so you know which key you registered with this account at a later point in time.

Information about Device Unlock

• How device unlock works

  A technology called FIDO lets you sign in securely without relying on a password. Once you've registered your computer's PIN, facial recognition, fingerprint, or security key, FIDO verifies it's really you and doesn't transmit any of your login information over the internet.

• Why use device unlock

  Easy, safe—and private! FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers. Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.

• More information

  Registering with FIDO provides you with an additional login option for this device—your password remains valid.

Learn more content

This part contains the information that could be used in any "Learn more" link, tooltip, popup to be displayed under the FIDO icon under Registration or Authentication buttons.

FIDO lets you sign in securely without relying on a password by keeping your login information securely on your device. Nowhere else.

How it works ?

1. A technology called FIDO lets you sign in securely without relying on a password.
2. FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers.
3. Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your login information over the internet.
4. Easy, safe—and private!
5. Registering with FIDO provides you with an additional login option for this device—your password remains valid.
6. Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.

FIDO Facts content

This part contains some facts elaborated after some studies involving final users that are designed to improve trust in FIDO.

• FIDO is a technology built into all leading desktop devices (PC and Mac) and browsers, that allows users to sign in securely without a password.
• In the same way your phone uses a biometric, FIDO now enables biometric sign-in on websites viewed on your desktop too.
• FIDO makes sign-in easy, safe, and private!
• FIDO technology uses your computer’s built-in authentication method (i.e., Windows Hello or Apple Touch ID) to ensure your sign-in information stays safe from hackers because it never leaves your computer.
• Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your sign-in information over the internet.
• Registering with FIDO provides you with an additional sign-in option for this device — your password remains valid.
• Leading companies worldwide in retail, telecommunications, finance, and technology are already using FIDO.

What is FIDO ?

FIDO (Fast Identity Online) main purpose is to reduce the use of passwords and improve authentication standards on desktop and mobile devices. FIDO is designed to protect personal security and privacy because private keys and biometrics, if used, never leave a person's device. You can swipe a fingerprint or enter a one-time PIN, for example, without needing to remember a complex password. FIDO is also supported by major browsers and operating systems.

What is Worldline solution ?

Worldline is proposing FIDO2 Webauthn solution for web in order to provide 2-Factor Authentication with a simple and pleasant user experience. The solution is fully standardized and combine a possession factor with the following list of authenticators :

Authentication factors compatible with FIDO 2​

• Fingerprint (with device sensor)​

• Face recognition ​

• PIN of the operating system (Windows, iOS…)​

• FIDO hardware tokens

• Memorized path

Integration modes​

Pop-up (managed by the browser via WebAuthn…)

Delivery modes

Full API mode

Main features

Biometrics from any device

All the biometric sensors can be used :  fingerprint computer’s  sensor, mobile’s biometric sensors, camera…

Multi-use cases​

FIDO authentication can suits any use case. (online banking use cases, 3DS use cases, with emvCO2.3 and SPC, delegated authentication…)

Frictionless UX​

No app or plug-ins are needed to be installed from the user.

How does it works ?

Here are the components of the solution.

On the device is the Relying Party (RP) Application that runs in the browser. The application calls for WebAuthn APIs to reach FIDO authenticators.

The RP Application calls the RP App Server to perform FIDO Authentication. The RP App Server is linked to the application that manages the FIDO authentication context.

The RP App Server calls the WL FIDO Server, which is a shared certified server that manages FIDO enrolment and authentication.

Architecture of the authentication process

How does it look ?

Step 1

Before validating a transaction, you can check the context. Click on “validate” to start the authentication.

Step 2

Scan your finger on the biometric sensor to authenticate your transaction.

Step 3

If your fingerprint is recognized, you are authenticated.

Step 4

Your transaction is validated.

What does Worldline offer ?

The solution relies on the Worldline certified FIDO Server that manages the enrollment and authentication. This service is used by APIs. Any RP Application Server that is known by the Worldline FIDO Server can perform FIDO operations.

However, the RP Application Server can either be managed by the client or Worldline. Worldline solution contains a RP Server that can be used by clients.

On the browser side, either the client application makes the calls to the WebAuthn APIs, or it can use the proposed Worldline Front.

STEP 1: Select your Product 
Depending on your use case you might be interested in one or multiple of our Open Banking products. Feel free to browse the information on our Website and Developer Portal to understand how we can contribute to your success and assess the required integration effort. We recommend checking out the Terminology Section before accessing the API documentation. 

STEP 2: Assess Easiness of Integration
We have prepared a couple of sandbox scenario's for Payment and Data which you can use to get an idea of our solution without any development on your end. Simply use a set of predefined tokens and play around with the APIs directly in the developer portal.

STEP 3: Get your Quote 
Contact us to get a product demo and a tailor-made quotation. Please include the name of the product(s) that you are interested in, in what countries your users are located, and estimated volumes. Shortly after we will provide you with a custom quote. 

STEP 4: Access your Test Environment
We will set you up to access our Test Environment where you can test your development. In case you have your own PSD2 license, we will need to obtain your eIDAS certificates and register you with the selected banks. We included a Postman collection / Curl examples to help you with integration testing.To get an idea how easy it is to implement our Open Banking API, you do not need to write a single line of code. Simply use a set of predefined tokens and play around with the APIs directly in the developer portal. Once you are ready to start implementation on your side, our Support team will provide you with your application key and client secret that you will you to obtain a token for the sandbox environment.
You already would like to kick off your onboarding or you might have further questions? We are there to support you in case of any questions.  

STEP 5: Go Live
Once the commercial agreement is signed and integration testing is completed, we will provide you with production credentials. We recommend performing a small pilot to ensure smooth user experience in a live environment. Your setup (Tenant Setup) is done by Worldline, while the Merchant and Sub Merchant Setup can be managed by yourself via Back Office (a set of screens which can be offered white labeled) or via Merchant Subscription Management API (useful if integration with an existing CRM system is desired).

Do not hesitate to contact us in case you have any queries related to technical implementation or you would like to receive a quotation.
We are there to support your growth!