You already had a closer look on our Open Banking products and would like to learn more on iDEAL?

iDEAL is a direct online transfer from account holder's bank account to the bank account of an entrepreneur or merchant.

iDEAL business transactions are based on the 4-Corner-Model which refers to four main actors, who participate in the business process. 
Please note: The iDeal website has an excellent Video and also the European Payments Council has a very good explanation of the four-corner-model that you can find here. 

The Customer, the Initiating Party, the Customer’s Bank and the Initiating Party’s Bank. These business transactions normally consist of two requests: The Transaction Request and the Status Request. 

The Transaction Request: The Initiating Party starts the transaction for the service, selected by the Customer (via the Initiating Party’s web shop). For the Webshop there are three possible ways of integration:

Direct API implementation, via Initiation Service or via Check out Service of Service Providers.

The Customer calls the Routing Service via one of the Initiating Party’s connections. The Routing Service checks the transaction request and forwards the request to the Customer’s Bank. The response message from the Customer’s Bank contains a redirect URL, which is used by the Initiating Party to redirect the customer to the Customer’s Bank. The Customer confirms the request in his well-known online banking application (this could be as example: start a credit transfer, sign an eMandate or provide an identity information). After that, the Customer is redirected to the Initiating Party. Normally this triggers the Initiating Party to perform a status request (see below). Meanwhile the complete request is forwarded from the Routing Service to the Backoffice by JMS (Java Message Service) queue.

The Status Request: The Initiating Party sends a Status Request to the Routing Service and the Routing Service forwards the request to the Customer’s Bank. The Customer Bank checks, whether the transaction has been confirmed by the Customer and provides information in the response. The Routing Service forwards the result of the Status Request to the Initiating Party. Meanwhile the complete request is forwarded from the Routing Service to the back office by JMS queue.

iDEAL 2.0

In the iDEAL 2.0 flow the Merchants have the possibility to directly initiate payments towards the iDEAL 2.0 Hub. Here you see an overview on the participating parties - the TPP Solution (green coloured) is provided by Worldline. 

The iDEAL Hub is a solution owned by Currence which provides a unified iDEAL experience. It is connected to the ASPSP's which provide the iDEAL 2.0 product. The PSU (Payment Service User) / Consumer is account holder by one or more ASPSPs and allows other parties to initiate payments requests. The TPP (Third Party Provider) / Acquirer is an intermediate between multiple Initiating Parties and ASPSPs and provides an interface used by the Initiating Party (as provided by Worldline, routing iDEAL payments).The Initiating Party / Merchant / cPSP  contracts the TPP for the iDEAL service and can sent an iDEAL payment request to the TPP Solution on behalf of a PSU. The ASPSP (Account Servicing Payment Service Provider) /Issuer is the Issuer bank, who is responsible for the Consumer's account.

To check Ideal implementation, please refer to iDEAL 2.0 section 

 Additionally you should also check the following sections: 

• Access Management Module

• Payment API - to learn how to create an Ideal payment transaction

• Push Notifications API (optional) - to learn how you can get notified on payment status changes instead of polling the status by yourself 

• Back Office (optional) - to manage merchant subscriptions, view transactions and issue refunds.

You already had a closer look on our Open Banking products and would like to learn more on Worldline Credit Insight?

Credit Insight, is an Open Banking Product which is based on an AIS collection of transaction data for the selected client. The Credit Insights Service takes the raw balance and transaction data from the bank and transforms this into an insightful financial report. All of the transactions are categorized with a specific focus credit, important data is flagged (e.g. loans, payment rejections) and useful metrics are calculated. All of this is delivered by API to provide  an instant analysis based on data retrieved directly from the consumer’s bank. There are some prerequisites to be consider, if an Credit Insight analysis should be provided:

At least one CHECKING account is provided, 20 transactions within the last 90 days, the transaction currency must be Euro and -an URL for callback must be provided in advance. 

Workflow: 

The Initiating Party (you) posts and initiates a registration for the client, and chooses the relevant product option. Worldline responds with the appropriate URL for the consent and AIS session, and the client is then redirected to Worldline bank selection pages. Once the client has selected its bank(s) and accounts, Worldline collects the transactions and balances for the last three months from the bank(s). The Credit Insight analysis is performed, and once the results are available, they are sent to the Initiating Party's callback URL.

For Credit Insight the relevant and usable endpoints are within the Account Information extended service. 

Learn more? Please consult the Credit Insight section

Additionally you should also check the following sections: 

• Access Management Module

• Reach directory - to consult what banks are connected to our platform and how you can identify implementation differences across banks

• Bank Selection Interface - to implement Worldline's predefined screens for bank selection and redirection to/from the bank 

• Back Office (optional) - in case you would like to manually check your transactions or manage setup of your clients in Worldline's systems

• Credit Scoring dashboard (optional) - to check balances and transactions used for credit score calculation

You already had a closer look on our Open Banking products and would like to learn more on Account Validation?

Worldline Account Validation enables merchants to verify whether a cardholder's account exists when setting up recurring or bill payments. It is also used for validating a 'card-not-present' purchase before execution or submitting an authorization request for the full amount of a recurring payment, without affecting the availability of the cardholder's funds.

Additionally, Worldline Account Validation allows payers to confirm whether an issuer will accept a payment transaction on behalf of a specific payee for the actual transaction amount. This confirmation occurs before collecting funds from the payer and initiating the payment transaction authorization to credit the recipient's account.

To implement Account Validation, please have a look at the Account Information section. 

In addition, you will need to handle end user's bank selection and redirection to your software. For faster integration and better user experience we offer Worldline Bank Selection Interface - a set of predefined screens that could be customized with your branding allowing to choose the banks and handling the complexity of different PSD2 authorization flows (redirect / decoupled / embedded), so that you will be able to focus on your product and leave the boring stuff to us.

Additionally you should also check the following sections: 

• Access management module

• Reach directory - to consult what banks are connected to our platform and how you can identify implementation differences across banks

• Bank Selection Interface (optional) - in case you would like to implement Worldline's predefined screens for bank selection and redirection to/from the bank 

• Back office (optional) - in case you would like to manually check your transactions or manage setup of your clients in Worldline's systems

You already had a closer look on our Open Banking products and would like to learn more on Worldline Business Financial Management?

As a software provider you developed a solution allowing your business clients to handle their accounting, reconciliation, Accounts Receivable or Accounts Payable.

By implementing Worldline Business Financial Management solution, you will be able to automate bank feed import and initiate outgoing payments (e.g. payments for company expenses).

In addition, you will need to handle end user's bank selection and redirection to your software. For faster integration and better user experience we offer Worldline Bank Selection Interface - a set of predefined screens that could be customized with your branding allowing to choose the banks and handling the complexity of different PSD2 authorization flows (redirect / decoupled / embedded), so that you will be able to focus on your product and leave the boring stuff to us.

Depending on your use case (e.g. accounting or supplier invoice payments) you might be interested in the following sections:

• Access Management Module

• Account-to-Account - it describes possible authorization flows and how the Payment API supports those.

• Payment API - it describes the Payment API on a high level.

• Account Information - it descibes possible authorization flows and how the Account information API supports those. 

• Reach Directory API for Payment and Data - it describes how to query the reach directory and interpret it's response. The reach directory will tell you which banks are connected to our platform and how you can identify implementation differences across banks.

• Bank selection Interface (optional) for Payment and Data  - in case you would like to implement Worldline's predefined screens for bank selection and redirection to/from the bank 

• Push Notification API (optional) - to learn how you can get notified on payment status changes instead of polling the status by yourself 

• Back Office (optional)- in case you would like to manually check your transactions or manage setup of your clients in Worldline's systems

You already had a closer look on our Open Banking products and would like to learn more on  Worldline Account to Account Payments?

As a merchant or a PSP you can accept a new payment method in addition to cards, so that clients can pay you via bank transfers directly from their bank account. You would need to add a new payment method to your checkout screen and integrate our Payment API.

In addition, you will need to handle bank selection and redirection to the bank and back to your shop. For faster integration and better user experience we offer Worldline Bank Selection Interface - a set of predefined screens that could be customized with your branding allowing to choose the banks and handling the complexity of different PSD2 authorization flows (redirect / decoupled / embedded), so that you will be able to focus on your product and leave the boring stuff to us.

The bank will process the payment once it was approved by the end user and according to the regular cut-off times which normally depend on the selected payment product (e.g. SEPA Instant payment or standard SEPA SCT payment). Then your bank will credit your bank account and you will be able to reconcile your bank statement with transactions recorded in the back office using our Account Data API.

Want to learn more? Please consult the API description.  In addition you should also read the following sections:

• Access Management Module 

• Refund API - to initiate refunds towards your clients. Contact us for more information.

• Reach Directory - it describes how to query the reach directory and interpret it's response. The reach directory will tell you which banks are connected to our platform and how you can identify implementation differences across banks.

• Bank Selection Interface (optional) - in case you would like to implement Worldline's predefined screens for bank selection and redirection to/from the bank 

• Push notifications API (optional) - to learn how you can get notified on payment status changes instead of polling the status by yourself 

• Back office (optional) - in case you are a PSP and would like to manage your merchants or view their activity

You already had a closer look on our Open Banking products and would like to learn more on  Worldline Bank Connect?

As a licensed entity, via Bank Connect you can reach all banks with a single integration. You can pull account data of your retail or business clients or submit payments on behalf of your clients. 

To implement Bank Connect you can consult  the API description. 

In addition, you will need to handle end user's bank selection and redirection to your portal. For faster integration and better user experience we offer Worldline Bank Selection Interface for Payment and Data - a set of predefined screens that could be customized with your branding allowing to choose the banks and handling the complexity of different PSD2 authorization flows (redirect / decoupled / embedded), so that you will be able to focus on your product and leave the boring stuff to us.

 Additionally you should also check the following sections: 

• Access Management Module

• Reach Directory API for Payment and Data - it describes how to query the reach directory and interpret it's response. The reach directory will tell you which banks are connected to our platform and how you can identify implementation differences across banks.

• Push Notification API  (optional) - to learn how you can get notified on payment status changes instead of polling the status by yourself 

• Back office (optional)- in case you would like to manually check your transactions

Version 2.9.1 to 2.10.0

Introduction

Credit Insight, is an Open Banking Product which relies on an AIS collection of transaction data for the selected client.

The prerequisites to provide a Credit Insight analysis are :

• At least one CHECKING account provided
• At least 20 transactions within the last 90 days
• Transactions must be in EURO
• A callback URL must be provided beforehand.

The workflow goes as follows :

1. The Initiating Party posts and initiates a registration for the client, and chooses the relevant product option.
2. Worldline responds with the appropriate URL for the consent and AIS session, and the client is then redirected to the AIS Bank selection pages.
3. Once the client has selected its bank(s) and accounts, Worldline collects the transactions and balances for the last three months from the bank(s).
4. The Credit Insight analysis is performed, and once the results are available, they are sent to the Initiating Party's callback URL.

Details

For the Credit Insight usecase the relevant and usable endpoints are within the Account Information extended service:

• POST /register : initiates the process

• POST /register/{registrationId}/initialisation/{psuId} : used to retrieve the URL to the AIS consent page for the PSU (client)

• GET /register/{registrationId}/status : allows the Initiating Party to know the status of the process (optional)

After the process is initiated and the client has consented to give access to his account(s), the processing begins on the Credit Insight engine.

Once it has completed, the Initiating Party receives the response on the callback URL they provided during the onboarding.

The initial POST /register call should be as follows:

POST /register

{
    "RegistrationId": "<registration_id>",
    "Psus": [
        {
            "PsuId": "<psu_id>"
        },
    ],
    "Parameter":[
        {
            "Key":"option",
            "Value":"NONE||CS||PS||CSPS"
        }
    ]
}

The Product options need to be specified, in the "Parameter" field. Depending on the items the Initiating party needs returned. In any case, the base response will comprise the Credit Insights, which are further detailed below. The Product options are :

• CS : Credit Score
• PS : Payment Score
• CSPS : Both
• NONE : No scores, only the insights

Credit Insights: The Credit Insights service takes the raw balance and transaction data from the bank and transforms this into an insightful financial report.

All of the transactions are categorized with a specific focus credit, important data is flagged (such as existing loans, payment rejections, etc…) and useful metrics are calculated.

All of this is delivered by API to provide you an instant analysis based on data retrieved directly from the consumer’s bank.

Credit Score: The Credit Score is a number score out of 1000 (a consumer with a score of 0 is the most risky and 1000 the least risky). This number provides a highly accurate predictive assessment of the risk of default within 12 months of the scoring.

Payment score: The payment score is designed for use with short-term credit (repayment period of around 3 months). This is provided as a score out of 10 (a consumer with a score of 0 is the most risky and 10 the least risky).

The second call (POST /register/<registration_id>/initialisation/<psu_id>) is meant to provide a base country for the initiation screens that will be shown to the client.

POST /register/<registration_id>/initialisation/<psu_id>
{
  "PsuData":{
    "Country": "FR||DE||XY.."
  }
}

After the client has consented to the AIS process, the transactions are fetched and processed in the WL Credit Insight engine.

Once the analysis is performed, the following insights are sent within the response to the Initiating Party :

In order to promote the use of FIDO and to help standardize the user experience, the FIDO Alliance has written some guidelines about how to display information related to FIDO when using it on a website.
However, these guidelines are mainly constructed around the use of FIDO for account log-in. In the case of transaction validation and two factor authentication using WAFL, some of the recommendations are not really applicable.

You will find here what we could extract from this official documentation that is relevant to apply in our context and that we used in our demonstration.

FIDO during the user journey - Our interpretation

• Until the user is logged-in, no change on the website.
• Once the user is logged-in, on the their main dashboard, advertise the fact that a new way to Authenticate payments is available, and link to the settings to enable it, but only if the device supports FIDO.
  (see how to check that in the implementation guide)
  Do not mention FIDO yet, but only biometrics.
  Use a fingerprint icon matching the user platform : Apple icon for Mac and iOS; generic icon for other platforms.
• In the user settings, the section dedicated to FIDO activation should :
  • Use proper biometrics icon.
  • Start mentioning FIDO.
  • Offer registration only on supported device.
  • Mention that even though it is supported, it might be necessary to enable it in the device settings, and indicate how to do so. (Ex: Windows Hello can be disabled, but FIDO will appear as supported by the device)
  • Insist on the benefits of using FIDO : it's faster and it's simpler.
  • Display the FIDO logo.
  • At the bottom, add a link to display some FIDO key facts, as provided in the official guidelines.
• During transaction validation, if the user used an other validation method, invite the user to register FIDO after a successful transaction if their device is not registered yet.
•  

Official extracts

Information about Security Keys

• What is a security key?

  A security key is a small, physical device that works in addition to your password on sites that support it. A single key can be used with multiple accounts or sites.

• Why should I use a security key?

  Security keys protect you against imposter websites that try to steal login credentials (like usernames and passwords). Other forms of 2-factor authentication (including text, email, messages, authenticator apps, and push notifications) do not give you the same level of protection as a security key.

• How security keys work

  You must first add security keys using the button above. Once added, you'll be required to use them after signing in with your username and password. Doing this creates one of the strongest forms of authentication available to protect your account.

  • What security technology do security keys use?

    Most keys use an authentication "standard" called FIDO® which allows for secure authentication without drivers or software. When a user signs in a website with a key, FIDO® cryptographically signs a challenge from the browser that verifies the website's actual domain name, which provides strong protection against phishing (e.g., when a fake website is used to trick users into sharing personal information). An attacker would need to control the website domain name or the browser to get a usable signature from the key.

• Why do security keys look like thumb drives?

  Although hardware security keys may resemble thumb drives and are sometimes inserted into your computer's USB port, they are not storage devices. Your personal information is not trackable or linkable across sites or online accounts when using a security key.

• What happens if my security key gets stolen?

  The key works in addition to your password, not as a replacement for it. If someone steals the key, they still can't get into your bank account without knowing your password (or which sites are registered with your key). You can sign in with a backup method and remove the stolen key from your account.

• Add more than one security key

  Adding multiple security keys is highly recommended. If your security key is lost or stolen and you do not have a registered backup security key (or other backup authentication method), access to your account could be interrupted while we verify your identity. We recommend keeping one key easily accessible and another stored separately in a safe space.

• Purchase security keys

  Security keys vary by manufacturer and can be purchased from mainly online retailers. We recommend FIDO certified keys. See a list of FIDOⓇ certified keys.

• Name your security keys

  Give you security key a friendly "nickname" that only you can see, so you know which key you registered with this account at a later point in time.

Information about Device Unlock

• How device unlock works

  A technology called FIDO lets you sign in securely without relying on a password. Once you've registered your computer's PIN, facial recognition, fingerprint, or security key, FIDO verifies it's really you and doesn't transmit any of your login information over the internet.

• Why use device unlock

  Easy, safe—and private! FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers. Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.

• More information

  Registering with FIDO provides you with an additional login option for this device—your password remains valid.

Learn more content

This part contains the information that could be used in any "Learn more" link, tooltip, popup to be displayed under the FIDO icon under Registration or Authentication buttons.

FIDO lets you sign in securely without relying on a password by keeping your login information securely on your device. Nowhere else.

How it works ?

1. A technology called FIDO lets you sign in securely without relying on a password.
2. FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers.
3. Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your login information over the internet.
4. Easy, safe—and private!
5. Registering with FIDO provides you with an additional login option for this device—your password remains valid.
6. Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.

FIDO Facts content

This part contains some facts elaborated after some studies involving final users that are designed to improve trust in FIDO.

• FIDO is a technology built into all leading desktop devices (PC and Mac) and browsers, that allows users to sign in securely without a password.
• In the same way your phone uses a biometric, FIDO now enables biometric sign-in on websites viewed on your desktop too.
• FIDO makes sign-in easy, safe, and private!
• FIDO technology uses your computer’s built-in authentication method (i.e., Windows Hello or Apple Touch ID) to ensure your sign-in information stays safe from hackers because it never leaves your computer.
• Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your sign-in information over the internet.
• Registering with FIDO provides you with an additional sign-in option for this device — your password remains valid.
• Leading companies worldwide in retail, telecommunications, finance, and technology are already using FIDO.