FIDO Functional Presentation

Functional presentation

What is FIDO ?

The main purpose of FIDO (Fast Identity Online) is to reduce the use of passwords and improve authentication standards on desktop and mobile devices. FIDO is designed to protect personal security and privacy because private keys and biometrics, if used, never leave the person's device. You can swipe a fingerprint or enter a one-time PIN, for example, without needing to remember a complex password. FIDO is also supported by major browsers and operating systems.

 

What is Worldline solution ?

Worldline proposes a FIDO2 WebAuthn solution for the web that provides two-factor authentication with a simple and pleasant user experience. The solution is fully standardized and combines a possession factor with one of the following authenticators:

Authentication factors compatible with FIDO2

  • Fingerprint (with device sensor)
  • Face recognition
  • PIN of the operating system (Windows, iOS…)
  • FIDO hardware tokens
  • Memorized path

Integration modes

Pop-up (managed by the browser via WebAuthn…)

Delivery modes

Full API mode

 

Main features

Biometrics from any device

Any biometric sensor can be used: the computer's fingerprint sensor, the mobile device's biometric sensors, a camera…

Multi-use cases

FIDO authentication suits any use case: online banking use cases, 3DS use cases with EMVCo 3DS 2.3 and SPC (Secure Payment Confirmation), delegated authentication…

Frictionless UX

The user does not need to install any app or plug-in.

 

How does it work?

 

FIDO

 

Here are the components of the solution.

On the device, the Relying Party (RP) Application runs in the browser and calls the WebAuthn APIs to reach the FIDO authenticators.

The RP Application calls the RP App Server to perform the FIDO authentication. The RP App Server is linked to the application that manages the FIDO authentication context.

The RP App Server calls the WL FIDO Server, a shared, certified server that manages FIDO enrolment and authentication.

 

Architecture of the authentication process

[Figure: architecture of the FIDO authentication process]

 

How does it look ?

Step 1

Before validating a transaction, you can check the context. Click on “validate” to start the authentication.

[Screenshot: step 1]

Step 2

Scan your finger on the biometric sensor to authenticate your transaction.

[Screenshot: step 2]

Step 3

If your fingerprint is recognized, you are authenticated.

[Screenshot: step 3]

Step 4

Your transaction is validated.

[Screenshot: step 4]

 

What does Worldline offer ?

The solution relies on the Worldline certified FIDO Server, which manages enrollment and authentication. The service is accessed through APIs. Any Relying Party Application Server that is known to the Worldline FIDO Server can perform FIDO operations.

On the browser side, either the client application makes the calls to the WebAuthn APIs, or it can use the proposed Worldline SDK.

Cards

A card is a payment means that enables a customer to access funds or make purchases.

Each Card is identified by a unique "cardReference" generated internally and, optionally, by an external reference "issuerCardExternalReference" provided by the issuer, which must be unique per issuer.

The first Card of a is created at the same time as the Card Contract.

The diagram below illustrates the different use cases covered by this domain.

 

[Figure: Card use cases]

Card Controls

The authorization workflow process (authentication checks list, financial checks list) is set up during the design phase.

Several APIs are provided so that the issuer can retrieve the configuration and, if needed, override the controls for a given cardholder.

Standard Authorization Restrictions can be changed by creating Authorization Restriction Overrides.

The diagram below illustrates several use cases covered by this domain.

[Figure: Control API use cases]


Implementation Steps

Typical Implementation Steps

STEP 1: Select your Product
Depending on your use case, you might be interested in one or several of our Open Banking products. Feel free to browse the information on our Website and Developer Portal to understand how we can contribute to your success and to assess the required integration effort. We recommend reading the Terminology section before accessing the API documentation.

STEP 2: Assess Ease of Integration
We have prepared a couple of sandbox scenarios for Payment and Data which you can use to get an idea of our solution without any development on your end. Simply use a set of predefined tokens and try the APIs directly in the developer portal.

STEP 3: Get your Quote
Contact us to get a product demo and a tailor-made quotation. Please include the name of the product(s) you are interested in, the countries in which your users are located, and estimated volumes. Shortly after, we will provide you with a custom quote.

STEP 4: Access your Test Environment
We will set you up with access to our Test Environment, where you can test your development. If you have your own PSD2 license, we will need to obtain your eIDAS certificates and register you with the selected banks. We have included a Postman collection and curl examples to help you with integration testing. To get an idea of how easy it is to implement our Open Banking API, you do not need to write a single line of code: simply use a set of predefined tokens and try the APIs directly in the developer portal. Once you are ready to start the implementation on your side, our Support team will provide you with the application key and client secret that you will use to obtain a token for the sandbox environment.
Would you like to kick off your onboarding already, or do you have further questions? We are there to support you.

STEP 5: Go Live
Once the commercial agreement is signed and integration testing is completed, we will provide you with production credentials. We recommend running a small pilot to ensure a smooth user experience in the live environment. Your setup (Tenant Setup) is done by Worldline, while the Merchant and Sub-Merchant Setup can be managed by yourself via the Back Office (a set of screens that can be offered white-labelled) or via the Merchant Subscription Management API (useful if integration with an existing CRM system is desired).

Do not hesitate to contact us if you have any queries about the technical implementation or would like to receive a quotation.
We are there to support your growth!

Glossary

A

Account-to-Account Payments
A variable and configurable solution that allows merchants and acquirers to facilitate payments directly from a customer's bank account.

Account Validation
Allows any company to verify an account number. The service can be used whenever you need to collect a user's IBAN, to prevent fraud or manual errors.

AIS
Account Information Service: an online service providing consolidated information on one or more payment accounts held by a payment service user with one or more other payment service providers, so that the user can obtain an overview of their financial situation. Account information service providers can categorize expenditure, which gives users better insight into their spending patterns.

AISP
Account Information Service Provider: authorized to retrieve account information from financial institutions, with the consent of the user. This can be a bank or a payment institution offering services according to PSD2.

Example: Finance Management: AISPs support retail clients in tracking and managing their financial situation, support them in possible investment decisions, etc., by collecting their financial information.

ASPSP
The Account Servicing Payment Service Provider holds the bank accounts of its customers (see also PSU) and provides AISPs and PISPs with access to the account holder's bank account.

B

Bank Connect
enables banks to initiate payments on behalf of their retail or business clients to move funds between own accounts or to pay others.

BVN
Betaalvereniging Nederland (Dutch Payment Association)

I

iDEAL
A Dutch online payment method that enables consumers to pay online through their own bank.

iDEAL Hub
A solution owned by Currence which provides a unified iDEAL experience. It is connected to the ASPSPs which provide the iDEAL 2.0 product.

Initiating Party
The Initiating Party contracts the TPP for the Open Banking Services and can send requests on behalf of the PSU to the Worldline Open Banking Platform.

Initiation Service (aka Bank Selection Interface)
The Initiation Service is a way of integrating the Worldline core XS2A PSD2 service through the dedicated Worldline Payment or Account Data GUI. It is represented by a page that allows the PSU to select their country and bank (ASPSP) and to complete their authentication and authorization process towards it, in order to give consent for the core PSD2 services PIS and AIS. All subsequent flows between the ASPSP and the Initiation Service are handled by the Initiation Service, without involvement of the Initiating Party (e.g. the merchant).

O

OBeP
Online Banking ePayments: a payment network created to fulfil the unique requirements of payments processed via the internet (ePayment). To authenticate the sender and the recipient it makes use of digital certificates and the Secure Electronic Transaction (SET) protocol.

Open Banking Services
The 'Open Banking Service' refers to Worldline Open Banking Platform which handles the routing of the messages.

P

PISP
Payment Initiation Service Provider: authorized to initiate payments into or out of a consumer's bank account on behalf of a customer. PISPs are allowed to withdraw money directly from the customer's account, as long as the customer has given consent.

PIS
Payment Initiation Service: PISPs can initiate payments on behalf of their clients, from or to the customer's bank account depending on the use case.
Typically the payer needs to select their bank account, authenticate themselves to the bank and approve the payment.

PSD2
Second Payment Services Directive: under PSD2, banks and institutions that hold accounts have to provide APIs for (licensed) external service providers, so their payment infrastructure and customer data are opened up to TPPs.

PSU
The Payment Service User (PSU) is an account holder at one or more ASPSPs who allows other parties to initiate payment requests and to pull account data.

R

Routing Service
The Routing Service allows sending transactions to the optimal payment gateway based on selected parameters.
Possible scenario for iDEAL transactions: the Customer calls the Routing Service via one of the Initiating Party's connections. The Routing Service checks the transaction request and forwards it to the Customer's Bank. The response message from the Customer's Bank contains a redirect URL, which the Initiating Party uses to redirect the Customer to the Customer's Bank. The Customer confirms the request in their familiar online banking application. After that, the Customer is redirected back to the Initiating Party.

S

SCA
Strong Customer Authentication: introduced by PSD2 in 2019 to improve the security of payment transactions (for example when a customer accesses their account online or initiates an electronic payment). Under SCA, each authentication must use a combination of two factors from the categories "knowledge" (password, code, PIN), "possession" (token, smartphone) and "inherence" (fingerprint, voice recognition).

T

Tenant
A Tenant is typically licensed as AISP or PISP:

The AISP Tenant is authorized to retrieve account information from financial institutions, with the consent of the customer. This can be a bank or a payment institution offering services according to PSD2.

The PISP Tenant is authorized to initiate payments into or out of a consumer's bank account on behalf of a customer. PISPs are allowed to withdraw money directly from the customer's account, as long as the customer has given consent.

Tenant Setup
Worldline takes the steps to set up tenants (AISPs or PISPs) in the system according to their requirements, for example:

Which services (PIS, AIS, PSU, iDEAL 2.0) should be available? Which user roles are needed and which modules should be made available? Questions on permission control, content style, translations, etc.

TPP
The Third Party Provider is an intermediary between Initiating Parties and ASPSPs and provides the interface used by the Initiating Party.

X

XS2A
Access to Account: XS2A services enable Third Party Providers (TPPs) to access consumer bank accounts. The framework is based on PSD2 and the European Banking Authority Regulatory Technical Standards. The European Central Bank provides detailed information on PSD2: ECB Europe


Open Banking APIs

Getting started

Worldline Open Banking products are developed on top of the Worldline Open Banking Platform. All products are wrapped in one central interface, supported by a user-friendly bank selection dialogue. We offer simplified access to 3500 banks.

 

Open Banking Platform consists of several elements that you might use depending on the use case:

  1. Access management module to define who can access Open Banking services. We set up your access rights during the onboarding phase, while you can manage the access rights of your clients (aka initiating parties) if applicable.

  2. Authorization module to provide your public certificate and retrieve authorization token.

  3. Open Banking API to pull account data and initiate payments using your or Worldline's PSD2 license.

  4. Reach directory to review the list of supported banks and the implementation differences between them.

  5. Predefined bank selection screens for better user experience and faster go live.

  6. Notifications API to get notified on events that you subscribed for (e.g. payment status change).

  7. Back office portal allowing to onboard and manage your clients, view transactions and create refunds.

  8. Credit scoring portal allowing to search credit scoring requests and view data used for the calculation. 

  9. Refund API helping merchants to issue account based refunds for a payment processed via Open Banking API.

 

To implement our products, you will need to check the documentation of each of the relevant sections:

Open Banking Reach

Account Verification

Business Financial Management
  • Access management module
  • Open Banking API
  • Reach directory
  • Bank selection screens - optional
  • Notifications API - optional
  • Back office portal - optional

Account-to-account payments
  • Access management module
  • Open Banking API
  • Refund API
  • Reach directory
  • Bank selection screens - optional
  • Notifications API - optional
  • Back office portal - optional

Credit Insight
  • Access management module
  • Open Banking API
  • Reach directory
  • Bank selection screens - optional
  • Back office portal - optional
  • Credit scoring portal - optional

iDEAL / iDEAL 2.0
  • Access management module
  • Open Banking API
  • Notifications API - optional
  • Back office portal

SEPA Payments suite

 

You can get in touch with us to receive your quotation and for implementation support.

 
