ob-data-ais-s3

Read more about ob-data-ais-s3

AIS Download Transactions

Some ASPSPs do not provide paginated transactions response. In those cases it isn’t possible to predict the number of transactions to be received in response of a GET transactions request.

Even if the ASPSP is supporting paginated responses it might be possible that response on the GET transactions request contains a download link only and no transactions, if the number of transactions is considered too high. In this cases or if the bank isn’t giving the response instead of JSON in CAMT format for example, the "Open Banking Service" response on the GET transactions will have a download link instead of a set of transactions.

By calling that download link, the response will be given in a streamed JSON structure starting the stream of transactions already before all transactions are downloaded from the ASPSP. If the bank provides the transactions in a non-JSON format the transactions are converted to JSON on the fly by "Open Banking Service".

Processing flow for this scenario is similar to described in “AIS with Redirect Authorisation + Accounts + Balances + Transactions (With Date filter only)” section with addition of GET /download/transactions API to be called by initiating party (user).

Step – 1 : Get the reach details :

Reach details provides list of APIs needs to be used for this scenario and mandatory fields needs to be passed for successful API call towards ASPSP mock.

Call the reach API – GET /aspsps. Get the ASPSP details with Name = “Account information redirect + Download transactions” and the ASPSP ID = “20102”, which has to be used to initiate the consent with redirect mode of authorisation and other further requests.

Remark : Details of reach information provided in developer portal are limited and informational purpose to give initiating party (user) an idea about how reach information looks like. Initiating party (user) can skip this step and use specified ASPSP ID for the scenario to try out.

Step - 2 : Obtain customer's (PSU) consent to access accounts information :

Call the POST /consents API to obtain customer's (PSU) consent. In response of POST /consents, initiating party (user) will receive consent ID, ASPSP redirect link to authorise the consent and link to call GET /consents/status API to get the status of the consent.

Below are some consent related functionalities initiating party (user) can try out.

Below consent permissions are supported to access customer's (PSU) details.

  Permissions (Array)

   {[

      "Accounts",

      "Balances",

      "Transactions"

   ]}

Initiating party (user) can request permissions in below combination based on customer's (PSU) request:

- Request permissions for only "Accounts" - Initiating party (user) can only request list of accounts from customer's (PSU) bank. Balances and Transaction details cannot be requested.

- Request permissions for "Accounts", "Balances" - Initiating party can get request of accounts and balances details for requested accounts from customer's (PSU) bank.

- Request permissions for "Accounts", "Transactions" - Initiating party can request list of accounts and transaction details for requested accounts from customer's (PSU) bank.

- Request permissions for "Accounts", "Balances", "Transactions" - Initiating party can request list of accounts, balances and transaction details for requested accounts from customer's (PSU) bank.

- If there's no permissions provided in request, by default "Open Banking Service" sends request to get the consent for "Accounts", "Balances", "Transactions" from ASPSP.

- If "OwnerName" indicator set to "true" in consents request, initiating party (user) can receive actual owner name (if supported and provided by ASPSP) in response of GET /accounts API.

- "TransactionFromDateTime" and "TransactionToDateTime" can be provided in POST /consents request, so that Initiating party (user) can access list of transactions within a specific time period only.

- The fields below are being ignored in POST /consents request in the sandbox.

ValidUntilDate,
FrequencyPerDay,
RecurringIndicatior,
CombinedServiceIndicator,
PreferredScaMethod

If GET /consents/status endpoint has been called before user provides his / her approval, initiating party (user) will receive consent status = "Open" from the ASPSP Mock in response.

Step - 3 : Authorise or Cancel the consent at ASPSP Mock :

With ASPSP redirect link received in response of POST /consents, customer (PSU) will get redirect to ASPSP Mock GUI login page. On this login page, customer (PSU) can provide dummy credential details as ASPSP GUI page is example purpose only. Once customer (PSU) provides his / her dummy credentials, he / she will be redirected to ASPSP Mock GUI page with "Approve" & "Deny" buttons to authorise or reject the consent.

If customer (PSU) "Approve" the consent, consent will be created with the ASPSP Mock and customer (PSU) will redirect back to initiating party (user).

If customer (PSU) "Deny" the consent, ASPSP Mock will reject the consent request and customer (PSU) will redirect back to initiating party (user).

Remark : GUI pages of ASPSP Mock for customer login and to authorise the consent is just a demo purpose. Actual ASPSP GUI pages may vary based on acutal ASPSP.

Step - 4 : Get the consent status :

Call the GET /consents/status API to get the latest consent status from ASPSP Mock.

If consent is authorised by customer (PSU), initiating party (user) will receive consent status = "Authorised".

If consent is deny by customer (PSU), initiating party (user) will receive consent status = "Rejected" as final consent status.

Remark : Consent status provided for this scenario is just to guide initiating party (user) for consent process. Actual consent status may vary based on scenario from actual ASPSP.

Step - 5 : Get the list of accounts :

Once consent is authorised by the customer (PSU), call the GET /accounts API to obtain list of accounts from ASPSP Mock.

Step - 6 : Get balances details for respective account :

Once initiating party (user) obtains list of accounts from ASPSP Mock, call GET /balances API to get the balance details of respective account from ASPSP Mock.

Remark : This is an optional step for this scenario. User can skip this step.

Step - 7 : Get the transaction details for respective account :

After getting list of customer's (PSU) accounts from ASPSP Mock, call the GET /transactions API to retrieve transactions details of respective account from ASPSP Mock. In response, initiating party (user) will receive GET /download/transactions API link.

Step - 8 : Call the GET /download/transactions API :

Call the GET /download/transactions API and in response initiating party (user) will receive streamed JSON structure.

Sequence Diagram :

ob-data-ais-s2

Read more about ob-data-ais-s2

AIS with Redirect Authorisation and Accounts, Balances & Transactions (DateTime filter)

Using this scenario, initiating party (user) can request transaction data from ASPSP Mock using date & time filter ("dateFrom" & "dateTo" query parameters). This is to let initiating party (user) know that some actual ASPSPs are provides requested transaction data based on date & time.

Step - 1 : Get the reach details :

Reach details provides list of APIs and mandatory fields needs to be used for successful request towards ASPSP mock.

Call the reach API - GET /aspsps. Get the ASPSP details with Name = "Account Information redirect + Transaction datetime filter" and the ASPSP ID = "20116", which has to be used to initiate the consent with redirect mode of authorisation and other further requests.

Step - 2 : Obtain customer's (PSU) consent to access accounts information :

Below are some consent related functionalities initiating party (user) can try out.

Below consent permissions are supported to access customer's (PSU) details.

   Permissions (Array)

   {[

      "Accounts",

      "Balances",

      "Transactions"

   ]}

Initiating party (user) can request permissions in below combination based on customer's (PSU) request:

- Request permissions for only "Accounts" - Initiating party (user) can only request list of accounts from customer's (PSU) bank. Balances and Transaction details cannot be requested.

- Request permissions for "Accounts", "Balances" - Initiating party can get request of accounts and balances details for requested accounts from customer's (PSU) bank.

- Request permissions for "Accounts", "Transactions" - Initiating party can request list of accounts and transaction details for requested accounts from customer's (PSU) bank.

- Request permissions for "Accounts", "Balances", "Transactions" - Initiating party can request list of accounts, balances and transaction details for requested accounts from customer's (PSU) bank.

- If there's no permissions provided in request, by default "Open Banking Service" sends request to get the consent for "Accounts", "Balances", "Transactions" from ASPSP

If "OwnerName" indicator set to "true" in consents request, initiating party (user) can receive actual owner name (if supported and provided by ASPSP) in response of GET /accounts API.
"TransactionFromDateTime" and "TransactionToDateTime" can be provided in POST /consents request, so that initiating party (user) can access list of transactions within a specific time period only.
Currently below fields are being ignored in POST /consents request in developer portal. We may introduce another scenario later on to include below fields functionalities.
ValidUntilDate,
FrequencyPerDay,
RecurringIndicatior,
CombinedServiceIndicator,
PreferredScaMethod

If GET /consents/status endpoint has been called before user provides his / her approval, initiating party (user) will receive consent status = "Open" from the ASPSP Mock in response.

Step - 3 : Authorise or Cancel the consent at ASPSP Mock :

With ASPSP redirect link received in response of POST /consents, customer (PSU) will get redirect to ASPSP Mock GUI login page. On this login page, customer (PSU) can provide dummy credential details as ASPSP GUI page is example purpose only. Once customer (PSU) provides his / her dummy credentials, he / she will be rediereted to ASPSP Mock GUI page with "Approve" & "Deny" buttons to authorise or reject the consent.

If customer (PSU) "Approve" the consent, consent will be created with the ASPSP Mock and customer (PSU) will redirect back to initiating party (user).

If customer (PSU) "Deny" the consent, ASPSP Mock will reject the consent request and customer (PSU) will redirect back to initiating party (user).

Remark : GUI pages of ASPSP Mock for customer login and to authorise the consent is just a demo purpose. Actual ASPSP GUI pages may vary based on actual ASPSP.

Step - 4 : Get the consent status :

Call the GET /consents/status API to get the latest consent status from ASPSP Mock.

If consent is authorised by customer (PSU), initiating party (user) will receive consent status = "Authorised".

If consent is deny by customer (PSU), initiating party (user) will receive consent status = "Rejected" as final consent status.

Remark : Consent status provided for this scenario is just to guide initiating party (user) for consent process. Actual consent status may vary based on scenario from actual ASPSP.

Step - 5 : Get the list of accounts :

Once consent is authorised by the customer (PSU), call the GET /accounts API to obtain list of accounts from ASPSP Mock.

Step - 6 : Get balances details for respective account :

Once initiating party (user) obtains list of accounts from ASPSP Mock, call GET /balances API to get the balance details of respective account from ASPSP Mock.

Step - 7 : Get the transaction details for respective account :

Call the GET /transactions API to retrieve transactions details of respective account from ASPSP Mock. Initiating party (user) can try out below functionalities of GET /transactions API.

Initiating party (user) can request to get transaction data for specific date range using "dateFrom" & "dateTo" query parameters. Remark : For this filter if initiating party (user) provides date & time in "dateFrom" & "dateTo" fields, ASPSP Mock will return transaction data based on both date & time provided. This is to let initiating party (user) know that some actual ASPSPs are also behaves the same way to filter transaction data (Omit time part).
If ASPS Mock respond with large number of transactions, initiating party (user) may receive paginated transactions response.
In case of paginated response, initiating party (user) can retrieve appropriate transactions page using "first", "next", "previous", "last", "self" links provided in response.

Sequence Diagram :

ob-data-ais-s1

Read more about ob-data-ais-s1

AIS with Redirect Authorisation and Accounts, Balances & Transactions (Date filter)

Customer's (PSU) consent needs to be acquire first to access his / her bank's accounts details. In the Redirect Authorisation approach, the browser session of the customer (PSU) is redirected from the Initiating Party (user) to the ASPSP Mock. In that case the ASPSP Mock provides all the pages required for authentication (usually username, password). After that the customer (PSU) is redirected to the "Open Banking Service" and from there back to the Initiating Party (user).

Take the following steps to complete this scenario.

Step - 1 : Get the reach details :

Reach details provides list of APIs and mandatory fields needs to be used for successful request towards ASPSP mock.

Call the reach API - GET /aspsps. Get the ASPSP details with Name = "Account Information redirect + Transaction Date filter" and the ASPSP ID = "20101", which has to be used to initiate the consent with redirect mode of authorisation and other further requests.

Step - 2 : Obtain customer's (PSU) consent to access accounts information :

Below are some consent related functionalities initiating party (user) can try out.

Below consent permissions are supported to access customer's (PSU) details.

   Permissions (Array)

   {[

      "Accounts",

      "Balances",

      "Transactions"

   ]}

Initiating party (user) can request permissions in below combination based on customer's (PSU) request:

- Request permissions for only "Accounts" - Initiating party (user) can only request list of accounts from customer's (PSU) bank. Balances and Transaction details cannot be requested.

- Request permissions for "Accounts", "Balances" - Initiating party can get request of accounts and balances details for requested accounts from customer's (PSU) bank.

- Request permissions for "Accounts", "Transactions" - Initiating party can request list of accounts and transaction details for requested accounts from customer's (PSU) bank.

- Request permissions for "Accounts", "Balances", "Transactions" - Initiating party can request list of accounts, balances and transaction details for requested accounts from customer's (PSU) bank.

If there's no permissions provided in request, by default "Open Banking Service" sends request to get the consent for "Accounts", "Balances", "Transactions" from ASPSP

If "OwnerName" indicator set to "true" in consent request, initiating party (user) can receive actual owner name (if supported and provided by ASPSP) in response of GET /accounts API.
"TransactionFromDateTime" and "TransactionToDateTime" can be provided in POST /consents request, so that initiationg party (user) can access list of transactions within a specific time period only.
Currently below fields are being ignored in POST /consents request in developer portal. We may introduce another scenario later on to include below fields functionalities.
ValidUntilDate,
FrequencyPerDay,
RecurringIndicatior,
CombinedServiceIndicator,
PreferredScaMethod

If GET /consents/status endpoint has been called before user provides his / her approval, initiating party (user) will receive consent status = "Open" from the ASPSP Mock in response.

Step - 3 : Authorise or Cancel the consent at ASPSP Mock :

If customer (PSU) "Approve" the consent, consent will be created with the ASPSP Mock and customer (PSU) will redirect back to initiating party (user).

If customer (PSU) "Deny" the consent, ASPSP Mock will reject the consent request and customer (PSU) will redirect back to initiating party (user).

Remark : GUI pages of ASPSP Mock for customer login and to authorise the consent is just a demo purpose. Actual ASPSP GUI pages may vary based on actual ASPSP.

Step - 4 : Get the consent status :

Call the GET /consents/status API to get the latest consent status from ASPSP Mock.

If consent is authorised by customer (PSU), initiating party (user) will receive consent status = "Authorised".

If consent is deny by customer (PSU), initiating party (user) will receive consent status = "Rejected" as final consent status.

Remark : Consent status provided for this scenario is just to guide initiating party (user) for consent process. Actual consent status may vary based on scenario from actual ASPSP.

Step - 5 : Get the list of accounts :

Once consent is authorised by the customer (PSU), call the GET /accounts API to obtain list of accounts from ASPSP Mock.

Step - 6 : Get balances details for respective account :

Once initiating party (user) obtains list of accounts from ASPSP Mock, call GET /balances API to get the balance details of respective account from ASPSP Mock.

Step - 7 : Get the transaction details for respective account :

Call the GET /transactions API to retrieve transactions details of respective account from ASPSP Mock. Initiating party (user) can try out below functionalities of GET /transactions API.

Initiating party (user) can request to get transaction data for specific date range using "dateFrom" & "dateTo" query parameters. Remark : For this filter if initiating party (user) provides date & time in "dateFrom" & "dateTo" fields, ASPSP Mock will return transaction data based on date only. It will omit time part to filter transaction data. This is to let initiating party (user) know that some actual ASPSPs are also behaves the same way to filter transaction data (Omit time part).
If ASPS Mock respond with large number of transactions, initiating party (user) may receive paginated transactions response.
In case of paginated response, initiating party (user) can retrieve appropriate transaction page using "first", "next", "previous", "last", "self" links provided in response.

Sequence Diagram :

ob-data-ais-sand

Read more about ob-data-ais-sand

List of Account Information Service Scenarios

Below you'll find a list of Account Information Scenarios. Each scenario has a separate page with a step by step description of the steps to complete the scenario. You can choose a scenario by providing the corresponding ASPSP ID in the request which initiates the consent.

To simplify the interaction, these scenario's work with a static token which doesn't expire. This sandbox token is supplied in the API reference.

You can use the sandbox:

On the API reference page (only for registered users, look for the 'try' button)
With a tool like Postman

Sr. No.	Scenario Name	ASPSP ID	Scenario Guideline
01.	AIS with Redirect Authorisation and Accounts, Balances & Transactions (Date filter only)	20101	Read more
02.	AIS with Redirect Authorisation and Accounts, Balances & Transactions (DateTime filter)	20116	Read more
03.	AIS Download Transactions	20102	Read more
04.	AIS Delete Consents	20101	Read more

ob-data-ais-api

Read more about ob-data-ais-api

Account Information API

API Reference

Consent

Before a TPP can access account information from a PSU he has to have consent of the PSU to do so.

The Open Banking Service will keep track of the consent status. And will check if the consent is in the authorized state before continuing towards the ASPSP.

A lot of banks allow one consent per PSU per TPP only. This becomes a problem if a TPP has Initiating Parties set up having a relation to the same PSU. If a PSU grants consent to a first Initiating Party for an account at a given ASPSP and afterwards grants consent to another Initiating Party for the same or another account at the same ASPSP this second consent will overwrite the first one at the ASPSP since it is requested via the same TPP. By that, the first Initiating Party will not be able to use its consent anymore at that ASPSP.

This is a structural problem introduced by the ASPSP by managing only one single consent for each PSU per TPP. There is an initiative ongoing to have ASPSPs extending their service by allowing multiple consents per PSU and TPP which would solve this problem.

Consent Status

Figure: Consent Status when GET consent/status API is called.

The consent status will be set when the GET consent/status API is called on the Open Banking Service.

Status	Description
Open	In case of a redirect scenario, where a TPP has to take additional steps to get the consent, like redirecting the PSU towards the ASPSP
Pending	We didn’t get an answer yet. We stopped polling. The TPP should do a get consent to get an update on the status of the consent.
Rejected	Rejected by PSU/ASPSP
PartiallyAuthorised	The consent is due to a multi-level authorisation, some but not all mandated authorisations have been performed yet.
Authorised	Consent was granted, and is active.
Expired	The time the consent was active has been expired.
Revoked	Consent was revoked by PSU or ASPSP.
RevokedAtTpp	Consent status changes to ‘RevokedAtTpp’ in the Open Banking Service if ASPSP responds with an error for DELETE Consents request. This is to inform the Initiating Party that the actual status of consent at ASPSP side is unknown due to error and the consent is not usable at TPP side anymore.
Error	An error occurred.
Inactive	Indicates that a consent is inactive because it has been replaced by a newer authorized consent (only 1 consent per psu- ASPSP protocol is allowed, so that the Open Banking Service doesn’t have to choose and can always just pick the authorized one while doing the other AIS calls).

Permission

Consent can be given to grant access according to three permission groups:

Accounts
Balances
Transactions

AIS Endpoints

The base URL for the account information service API is: /xs2a/routingservice/services/ob/ais/v3

(The most recent up-to-date reference of the API is given by the swagger files.)

POST Consents

Endpoint: POST /psus/{psuId}/consents

This endpoint is used by the Initiating Party to set up a consent for a PSU for an ASPSP.

Depending on the ASPSPs API the possible combinations of permissions and account references differ. In the Reach Directory 'Options' inform about the ASPSP specific options. The detailed information for an ASPSP for this API is given within the value for the Option ACCOUNT_REFERENCES_SUPPORTEDFORMS (see the chapter Reach API, Options) as list of parameters separated by a ‘|’. The available parameters are described in the table below. (The default for this list is: ‘Filled|Empty‘)

Parameter Value for ACCOUNT_REFERENCES_SUPPORTEDFORMS	Comments
Filled	Account List is supported, if not set, the ‘PermittedAccountReferences’ are not supported
Empty	Empty account lists are supported, requests without account references are accepted
AvailableAccounts	If this set, empty ‘PermittedAccountReferences’ are interpreted as permission for accounts access only, if the permissions are requests for Accounts
AvailableAccountsWithBalances	If this set, empty ‘PermittedAccountReferences’ are interpreted as permission for accounts and balances access, if the permissions are requests for Accounts, Balances
AllPSD2	If this set, empty ‘PermittedAccountReferences’ are interpreted as permission for accounts, balances and transactions access if the permissions are requests for Accounts, Balances, Transactions

The Open Banking Service translates the given combination on requested permissions and account lists as shown in the diagram below. In the first step the requested permissions are set to the default (Accounts, Balances, Transactions) if no permissions are contained in the request.

figure: Initiating Party to set up a consent for a PSU for an ASPSP (PostConsents)

Request

Remarks

The body parameter ‘RecurringIndicator’ steers the ASPSP to grant a recurring consent, which can be reused within its validity period for an undefined number of AIS requests or for a single request (session) only. The default is to request a recurring consent. By default recurring consent is valid till 180 days, if ValidUntilDate is not provided.

Response

POST Identification

Endpoint: POST /psus/{psuId}/consents/{consentId}/identification

This endpoint is used in Decoupled Approach to start the authorization explicitly and identifying the PSU at the ASPSP to enable the Push message to be sent to the PSU’s device.

Request

Response

Remark

The Initiating Party will have to poll for status changes, since the authorization is done in Decoupled Approach and no feedback are provided by the ASPSP to the TPP directly.

POST Authorisations

Endpoint: POST /psus/{psuId}/consents/{consentId}/authorisations/{authorisationId}

This endpoint is used in 2 approaches

Embedded Approach to start the authorisation and provide the required information according the first step of the embedded authorization flow.
Redirect Approach to start explicit redirect authorisation. Mostly is being used in case of multi-level authorisation.

Request

Response

PUT Authorisations

Endpoint: PUT /psus/{psuId}/authorisations/{authorisationId}

This endpoint is used in Embedded Approach to provide the required information according to the necessary steps driven by the ASPSP due to the Links section.

Request

Response

GET Consent Status

Endpoint: GET /psus/{psuId}/consents/{consentId}/status

This endpoint is used to retrieve the status of a consent.

Request

Response

DELETE Consents

Endpoint: DELETE /psus/{psuId}/consents/{consentId}

This endpoint is used to revoke a consent. When this endpoint is called the Open Banking Service will also try to revoke the consent at ASPSP side. If this is successful the status of the consent will be changed to ‘Revoked’. If it’s not possible to revoke the status at the ASPSP side the status of the consent will be set to ‘RevokedAtTpp’, The consent might still be active on the ASPSP side bit will no longer be used by the Open Banking Service.

Request

Response

The response is an HTTP response with the HTTP code 204

GET Accounts

Endpoint: GET /psus/{psuId}/accounts

This endpoint is used to retrieve the list of accounts of a PSU.

Request

Response

GET Balances

Endpoint: GET /psus/{psuId}/aspsps/{aspspId}/accounts/{accountId}/balances

This endpoint is used to retrieve the balances of an account of a PSU.

Request

Response

GET Transactions

Endpoint: GET /psus/{psuId}/aspsps/{aspspId}/accounts/{accountId}/transactions

This endpoint is used to retrieve the balances of an account of a PSU.

Request

Response

GET Download Transactions

Endpoint: GET /download/psus/{psuId}/aspsps/{aspspId}/accounts/{accountId}/transactions

Some ASPSPs do not provide paginated transactions response. In those cases it isn’t possible to predict the number of transactions to be received in response of a GET transactions request. Even if the ASPSP is supporting paginated responses it might be possible that reponse on the GET transactions request contains a download link only and no transactions, if the number of transactions is considered too high. In this cases or if the bank isn’t giving the response instead of JSON in CAMT format for example, the Open Banking Service response on the GET transactions will have a download link instead of a set of transactions.

Request

Response

The JSON structure of the response to this request is the same as it is for GET transactions. The only difference is that there will be no MetaData and no links like First, Prev, Next, Last or Download be contained.

AIS Extended service

AIS Extended: Multi-Level SCA

If the extended Services are subscribed for AIS, the Open Banking Service supports the Multi-Level SCA feature. In this case consent has to be authorized by multiple PSUs.

There are no specific endpoints defined for this. The single authorizations have to be started explicitly by the POST Authorization endpoint for each single PSU.

Registration Use Cases

The set of registration API's allows the initiating party to perform a specific use case with the AIS data. It's possible to add mulitple PSU's to one registration resource so that, for example, a Credit score can be calculated for a family.

note: post register can have an array of PSUs, the post register API can then be started for each PSU individually.

Example of a possible registration flow:

ob-data-ais-reach

Read more about ob-data-ais-reach

Reach Directory API

API Reference

The Reach Directory API allows the Initiating Party to retrieve a list of all reachable ASPSP's via the Open Banking Service. The main information that can be received is the ASPSP name and ID, which has to be used to identify the ASPSP to which the payment should be addressed.

The information returned by the Reach Directory API doesn't change frequently. It will be sufficient to retrieve a new list once a day.

ASPSP's have implemented their APIs based on several standards, sometimes with proprietary deviations. Since the Open Banking Service offers a unified API to reach ASPSP's, additional information is provided to inform the Initiating Party about specific details required to make a successful payment request.

How these specific details are communicated in the Reach Directory response is described in the sections 'Details' and 'Options'

Details

The Details section in the reach directory response consists of the following fields:

Api
FieldName
Type
Value
ProtocolVersion

Mandatory information in this section is the Api, which is defining for which endpoint the information is applicable. If there is no FieldName given, the Type is describing whether this endpoint is available (SUPPORTED) or not (UNSUPPORTED).

Type	Description if NOT combined with a FieldName
UNSUPPORTED	The mentioned Api is not supported by the ASPSP, the TPP solution will throw an error if it’s used. This is mentioned for Api’s which are normally supported (for the api’s not mentioned in the row below)
SUPPORTED	The mentioned Api is supported by the ASPSP. This is mentioned for the following Api’s (because they are usually not supported): - POST /psus/{psuId}/Aspsps/{aspspId}/pre-authentication" If the Post is supported the corresponding api methods (GET, PUT, DELETE) are also supported, if defined in the swagger.

Type

Description if NOT combined with a FieldName

UNSUPPORTED

The mentioned Api is not supported by the ASPSP, the TPP solution will throw an error if it’s used.

This is mentioned for Api’s which are normally supported (for the api’s not mentioned in the row below)

SUPPORTED

The mentioned Api is supported by the ASPSP. This is mentioned for the following Api’s (because they are usually not supported):

- POST /psus/{psuId}/Aspsps/{aspspId}/pre-authentication"

If the Post is supported the corresponding api methods (GET, PUT, DELETE) are also supported, if defined in the swagger.

If the FieldName is given, the Type is describing whether the field is UNSUPPORTED, SUPPORTED, MANDATORY or FORBIDDEN. The table below specifies the rules for the Type-FieldName combination:

Type	Description if combined with a FieldName
UNSUPPORTED	The mentioned FieldName is ignored if provided to the TPP solution, the TPP solution will not throw an error
SUPPORTED	A subset of the values in the mentioned FieldName is supported. The Value field (which is always supplied with the SUPPORTED Type) will indicate which values are supported. If no value is provided by the initiating party the TPP solution will use a default value. If an unsupported value is used, the TPP solution will throw an error.
MANDATORY	The mentioned FieldName is mandatory and has to be filled. If supplied, the Value field will indicate which values are supported. If the Value field is not supplied no validation on the field is done by the TPP solution. If the mentioned FieldName is not filled by the initiating party the TPP solution will throw an error. If an unsupported value is used, the TPP solution will throw an error.
FORBIDDEN	The mentioned FieldName is forbidden. The TPP solution will throw an error if the initiating party fills this field and the request will not be sent to the Aspsp.

The FieldName may refer to a header field in the same way. Since the fields in an API endpoint are unique for header and body there is no distinction between header and body in the Details record.

The Value is providing detailed information of that field within the given Api. If the Value contains a list of values, they are separated by ‘|’.

In addition the ProtocolVersion used for the communication between the TPP solution and the ASPSP is provided, although this information isn’t crucial for the Initiating Party.

Example for API

An example for API without the FieldName is the pre-authentication API. For most ASPSPs a pre-authentication is not supported. For those ASPSPs where a pre-authentication is possible there is a record in the Details:

"Api": "POST /psus/{psuId}/Aspsps/{aspspId}/pre-authentication",
"Type": "SUPPORTED",
"ProtocolVersion": "BG_V_1_3_0"

Examples for API combined with FieldName

An example of API combined with a FieldName is the Post /payments API with the PaymentProduct field. This field is defined as optional in the corresponding swagger file. The swagger also indicates that four values can be given: Normal, Instant, Target2 or Domestic. In the case that only a subset of these values is supported by the ASPSP, the following record is provided in the reach directory response:

"Api": "POST /payments",
"FieldName": "PaymentProduct",
"Type": "SUPPORTED",
"Value": "Normal|Instant",
"ProtocolVersion": "BG_V_1_3_0"

In this example above Type SUPPORTED indicates the PaymentProduct field is still optional but the values to be used are restricted to Normal and Instant.

It would be possible to configure the same for Type MANDATORY. In that case the PaymentProduct has to be specified in the POST payment request.

"Api": "POST /payments",
"FieldName": "DebtorName",
"Type": "MANDATORY",
"ProtocolVersion": "BG_V_1_3_0"

In this example the Type is MANDATORY, the DebtorName has to be provided in the body. No Value is given, so no validation is done for the content.

Options

The Options section is providing information regarding the way of using API endpoints for specific ASPSPs similar to the Details section. But the information given here is not that specifically related a single API’s endpoint. It is more to be seen as a parameter for the ASPSP itself even though a clear separation between API endpoint and ASPSP globally isn’t that clear always.

Since the Options are not defined for a single endpoint there is no Api attribute given for the single options. Instead they have two keys (Key1 and Key2) identifying the use of the single Option. An example for this is:

"Key1": "PREAUTH_MANDATORY",
"Value": "1",
"Level": "INFORMATIONAL"

In this case for the given ASPSP pre-authentication is mandatory because the value is set to 1. The setting of 1 is reflecting that the option is set. A list of possible option keys is given below. The Key2 is currently not used. It is foreseen to allow definition of grouped options having the same main key Key1 and a different sub-key key2. An example for options provided in the Reach API is shown below:

Key1	Key2	Value	Level	Description
PREAUTH_MANDATORY		1, 0	INFORMATIONAL	The pre-authentication (regardless whether being done implicitly or explicitly) is mandatory. Default 0
PREAUTH_EXPLICIT_REQUIRED		1, 0	CRITICAL	Pre-authentication has to be done explicitly by the POST pre-authentication endpoint
ACCOUNT_REFERENCES_SUPPORTEDFORMS		Filled, Empty, AvailableAccounts, AvailableAccountsWithBalances, AllPSD2	INFORMATIONAL	More information on the values can be found on the Account Information API page

GET ASPSPs

The base URL for the Reach Directory is: /xs2a/routingservice/services/directory/v3

Endpoint: GET /aspsps

This endpoint is used to retrieve the reach directory.

Request

Response

Example: Reach AIS

Request

GET https://xs2a.ewl.de/xs2a/routingservice/services/directory/v2/ASPSPs?allDetails=true&allOptions=true
 
Authorization: Bearer dc983c2fe3bd5cf2565cde42805e236e
Accept: application/json
Content-Type: application/json
X-Request-Id: ABCDEF12-2000-4000-1234-f61950068a1c
MessageCreateDateTime: 2020-08-19T10:11:36.770+02:00
Host: xs2a.ewl.de

Response

HTTP/1.1 200 OK
Cache-Control: no-cache,no-store
MessageCreateDateTime: 2020-08-19T10:44:36.258Z
X-Request-Id: 1af27926-08f4-4479-865a-d6dcca5d11
Pragma: no-cache
Date: Wed, 19 Aug 2020 10:44:36 GMT
Connection: keep-alive
Strict-Transport-Security: max-age=31536000 ; includeSubDomains; preload
Transfer-Encoding: chunked
Content-Type: application/json
{
    "Service": "AIS",
    "ASPSP":     [
              {
            "AspspId": "6002",
            "Name": [    {
                "Label": "Your Bank",
                "Language": "en"
            }],
            "CountryCode": "GB",
            "CategoryLabel": [],
            "Details": [{"ProtocolVersion": "OB_UK_V_1_1_1"}],
            "Options": [],
            "BIC": "BNPADEFE"
        },                {
            "AspspId": "50002",
              "Name": [   {
                "Label": "Second Bank",
                "Language": "en"
            }],
            "CountryCode": "DE",
            "CategoryLabel": [Retail],
            "Details": [            {
                "Api": "POST /psus/{psuId}/aspsps/{aspspId}/pre-authentication",
                "Type": "SUPPORTED",
                "ProtocolVersion": "BG_V_1_3_0"
            },            {
                "Api": "POST /payments",
                "FieldName": "DebtorName",
                "Type": "MANDATORY",
                "ProtocolVersion": "BG_V_1_3_0"
            },            {
                "Api": "POST /payments",
                "FieldName": "PaymentProduct",
                "Type": "MANDATORY",
                "Value": "Normal|Instant|Target2|Domestic",
                "ProtocolVersion": "BG_V_1_3_0"
            }],
            "Options": [            {
                "Key1": "PREAUTH_MANDATORY",
                "Value": "1",
                "Level": "INFORMATIONAL"
            }],
            "BIC": "DE12ZZZ123"
        }
    ]
}

ob-data-ais-transactionflow

Read more about ob-data-ais-transactionflow

ais transaction flow

ob-data-ais

Read more about ob-data-ais

Account Information

The APIs presented in the Account Information section can be used to access a PSU’s (Payment Service User) bank account, held with any reachable ASPSP. Retrieval of PSU’s account information is only allowed upon explicit consent of the account holder.

Account Information Consent

The APIs for Account Information require consent by the PSU. There are different approaches offered by the different ASPSPs to authorize this consent. Although the implementation may differ for some ASPSPs they can be categorized to three types:

Redirect
Decoupled
Embedded

Redirect

In the Redirect Approach the browser session of the PSU is redirected from the Initiating Party to the ASPSP. In that case the ASPSP provides all the pages required for authentication (usually username, password) and for the Strong Customer Authentication SCA for example by a One Time Password (OTP). After that the PSU is redirected to the Open Banking Service and from there back to the Initiating Party.

Decoupled

In the Decoupled Approach no redirection takes place. Instead the ASPSP notifies the PSU on a mobile App for example. The authentication is executed by the app without involving the Initiating Party or the Open Banking Service. Since this approach is asynchronous the Initiating Party (and the Open Banking Service) do not know when the authentication process has been finished and the status of the consent or payment at the ASPSP has been updated.

Embedded

In the Embedded Approach the Initiating Party has to provide all the screens required for the authentication process and to communicate all necessary steps over the API of the Open Banking Service to the ASPSP.

Authorisation steps

In any case the Initiating Party can set the PreferredScaMethod (Embedded, Decoupled, Redirect) to select the preferred SCA approach with the consent Initiation Request. However, the selection of the approach will be by the ASPSP, depending on whether it supports a few of them, or just one. Even if the requested approach is supported, it might not be guaranteed, that the ASPSP will select it.

The Initiating Party can set UseAuthorisationLandingPages (true, false) to true to use the Bank Selection Interface. In the response he will then receive a RedirectUrl towards the Bank Selection Interface. The Bank Selection Interface will handle the authorisation flow for the specific ASPSP, including retrieving additional information from the PSU if required.

The selected flow with which authentication will go through, is being identified by the name of a hyperlink, provided in the response.

The table below includes every possible step with the corresponding approach. In the response of each request the named link informs about the next request to be sent according to the actual state in the flow.

Hyperlink Name	Hyperlink URL API	Description	SCA Approach
PreAuthenticationForEmbedded	POST /pre-auth	Pre-Authentication is required and will be made with Embedded Approach.	Embedded
RedirectUrl	Redirect link	URL of PSU’s authentication or authorisation on APSPS side, or towards the Initiation Service	Redirect
RedirectUrl (towards the Bank selection interface)	a Worldline URL, can optionally be white labeled	The Worldline provide Bank selection interface will take care of the subsequent authorization flow. In practice this means that from the Initiating Party perspective it will always be a redirect flow.	Redirect
PostAuthorisationForExplicit	POST /authorisation	Mostly is being used when multi-sca should be done with Redirect Approach. Nobody required in the request.	Redirect/Embedded
PostIdentificationForDecoupled	POST /identification	Requires PSU’s identification at ASPSP for Decoupled Approach.	Decoupled
PostAuthorisationForEmbedded	POST /authorisation	Start of Authentication with PSU’s credentials at ASPSP.	Embedded
SelectAuthenticationMethod	PUT /authorisation	The update of the authorisation resource where selected SCA method should be provided	Embedded
AuthorizeTransaction	PUT /authorisation	The update of the authorisation resource where challenge response (OTP) should be provided.	Embedded
ConfirmationRequired	POST /confirmation	Confirmation of the transaction after authorisation is being done or being exempted.	Redirect/Embedded/Decoupled
PutAuthorisationForEmbedded	PUT /authorisation	The update of the authorisation resource with PSU’s credentials, when some other authorisation steps have been done before.	Embedded

Sequence diagrams

Below the sequence of requests corresponding for the different approaches are shown in sequence diagrams. Depending on the individual implementation of the ASPSP the actual flow may differ slightly.

Redirect Flow Example

The sequence diagram below is an example of a typical AIS flow. In this case the Strong Customer Authentication SCA is done using the redirect flow.

Once the status of the consent is retrieved with the Get psus/consents/status the consent is stored within the Open Banking Service (including all the relevant tokens if applicable for the ASPSP). When the Get psus/accounts API is called the Open Banking Service will use pick the correct consent and use it towards the ASPSP. The Initiating Party does not have to keep track of the consents himself.

The consent can be valid for at most 90 days (this will change to 180 days in the near future). The Open Banking Service will provide an http 401 response with error code 123 ‘The PSU consent is expired’ if AIS data is requested after the validity of the consent is expired. The Initiating Party should then request a new consent.

Decoupled Flow Example

Embedded Flow Example

ob-data-initservice

Read more about ob-data-initservice

Bank Selection Interface

for Data

API Reference

The Bank Selection Interface provides a set of white labeled screens which supports the ASPSP selection and the PSU interaction required for certain authorisation flows. It can be used by setting the field UseAuthorisationLandingPages= true in the Consent request. The Bank selection interface will simplify the integration effort for the Initiating Party.

Below a few screenshots how the screens look on a mobile device with the Worldline branding. Select the demonstration button above to see how the Bank Selection Interface works in a live setting.

Step 1: Bank Selection

Users quickly find their bank: we highlight popular ones and provide a blazing-fast search experience.

Step 2: Authorize access

After the user validates through the bank’s mobile app or SMS code, the user’s identity and IBAN are instantly retrieved.

Step 3: Account Selection

Users can select just the bank accounts they wish to share and give the consent

Step 4: Succes

Success! The user’s identity and IBAN are instantly retrieved

Cards: General Features

Read more about Cards: General Features

General Features

Remind current PIN of the card

The API allows a card identified by the Issuer Card External Reference or the Card Reference to be blocked and replaced.

This API regroups Block a card and Replace a card APIs in a single request.

As result, the card is blocked and the new card is created.

If any error occurs while card blocking or card replacing, the card is neither blocked nor replaced.

API links

POST /api/v2/issuers/{issuerId}/cards/{cardReference}/remind-pin

POST /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/remind-pin

Request data:

{
   "sendingMode":"Normal",
   "deliveryType":"CUSTOMER"
}

Response data:

{
   "responseMetadata":{
      "correlationId":"2b54aa5c-aaf7-4b93-b6b2-5e12b92fa16b",
      "statusMessage":"Executed successfully",
      "statusCode":200,
      "responseDateTime":"2023-01-03T15:14:13.531+0100",
      "timeTakenMs":206
   },
   "data":{
      "orderIdentifier":{
         "orderReference":"202301032000000000389047"
      },
      "currentInternalStatus":"ORDERABLE",
      "orderType":"PinMailerOrder"
   }
}

Retrieve Card

This API enables card information for a given card identifier to be retrieved.

The response can also be enriched (if specified as embedded fields in input) with additional data such as the status history of the card, the card Contract information, the card order identifiers linked to the card.

API links

GET /api/v2/issuers/{issuerId}/cards/{cardReference}

GET /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}

Below an example of request for

The issuer: 1234
Card reference: 2000000000386135

POST /api/v2/issuers/1234/cards/2000000000386135

Response data:

{
   "data":{
      "issuerId":"1234",
      "cardIdentifier":{
         "cardReference":"2000000000386135",
         "issuerCardExternalReference":"EXTREF_CARD_REF_MCI_ABC_CNT_235644290"
      },
      "pan":"5212137209162844",
      "maskedPan":"521213******2844",
      "expiryDate":"1227",
      "panSequenceNumber":"1",
      "status":"ACTIVE",
      "statusDate":"2022-12-22T11:18:11.973+00:00",
      "embossingName":"REMY NAME",
      "artwork":"12340001",
      "permanentlyBlocked":false,
      "emergencyCard":false,
      "emergencyCashAdvance":false,
      "renewed":false,
      "replaced":false,
      "cardContractIdentifier":{
         "cardContractReference":"12342000000000386134",
         "issuerCardContractExternalReference":"EXTREF_CARD_CRT_REF_MCI_ABC_CNT_235644290"
      },
      "isCardDigitalizationAllowed":false,
      "panReference":"2011231c953ee52147efb5a43d532c8fa43f",
      "cardScheme":"MASTERCARD",
      "virtual":false,
      "techAndAppModelName":"M_1234_APPTEC_MCI",
      "contractType":"CONSUMER"
   }
}

Search card with PAN, PAN sequence number and expiry date

This API enables card information to be retrieved based on PAN, PAN sequence number and expiry date information as search criteria.

The response can be enriched (if specified as embedded fields in input) with additional data such as the status history of the card, the card Contract information, the card order identifiers linked to the card.

API links

POST /api/v2/issuers/{issuerId}/cards/search

Below an example of request with the response

Issuer: 1234
PAN: 4546175178227826

As the expiry date and the sequence number are not in the request, the response gives all existing cards with the card number (here, 2 cards are provided)

POST /api/v2/issuers/1234/cards/search

Request data:

{
   "pan":"4546175178227826"
}

Response data:

{
   "responseMetadata":{
      "correlationId":"a65a1fdb-dd67-4535-9b62-a62a4efc5c3f",
      "statusMessage":"Executed successfully",
      "statusCode":200,
      "responseDateTime":"2023-01-03T15:44:43.195+0100",
      "timeTakenMs":34
   },
   "data":[
      {
         "issuerId":"1234",
         "cardIdentifier":{
            "cardReference":"2000000000364034"
         },
         "pan":"4546175178227826",
         "maskedPan":"454617******7826",
         "expiryDate":"1127",
         "panSequenceNumber":"2",
         "status":"ACTIVE",
         "statusDate":"2022-11-23T13:14:44.818+00:00",
         "embossingName":"Boris PAVLOV",
         "artwork":"DebitClassic",
         "permanentlyBlocked":false,
         "emergencyCard":false,
         "emergencyCashAdvance":false,
         "renewed":false,
         "replaced":false,
         "cardContractIdentifier":{
            "cardContractReference":"12342000000000364012",
            "issuerCardContractExternalReference":"EXTREF_CARD_CRT_REF_VIS_ING_CNT_20221123145502"
         },
         "isCardDigitalizationAllowed":false,
         "panReference":"1500df38371f4b2541edad420044e1ba67ba",
         "cardScheme":"VISA",
         "virtual":false,
         "techAndAppModelName":"M_1234_APPTEC_EMVT0VISA",
         "contractType":"CONSUMER"
      },
      {
         "issuerId":"1234",
         "cardIdentifier":{
            "cardReference":"2000000000364013",
            "issuerCardExternalReference":"EXTREF_CARD_REF_VIS_ING_CNT_20221123145502"
         },
         "pan":"4546175178227826",
         "maskedPan":"454617******7826",
         "expiryDate":"1127",
         "panSequenceNumber":"1",
         "status":"ACTIVE",
         "statusDate":"2022-11-23T12:55:04.256+00:00",
         "embossingName":"REMYPAVLOV",
         "artwork":"DebitClassic",
         "permanentlyBlocked":false,
         "emergencyCard":false,
         "emergencyCashAdvance":false,
         "renewed":false,
         "replaced":true,
         "replacementReason":"CARD_DATA_UPDATE",
         "cardContractIdentifier":{
            "cardContractReference":"12342000000000364012",
            "issuerCardContractExternalReference":"EXTREF_CARD_CRT_REF_VIS_ING_CNT_20221123145502"
         },
         "isCardDigitalizationAllowed":false,
         "panReference":"1500df38371f4b2541edad420044e1ba67ba",
         "cardScheme":"VISA",
         "virtual":false,
         "techAndAppModelName":"M_1234_APPTEC_EMVT0VISA",
         "contractType":"CONSUMER"
      }
   ]
}

Retrieve Card Contract for a Card

The API enables the card contract information related to a given card to be retrieved.

The response can also be enriched (if specified as embedded fields in input) with additional data such as the list of models linked to the card contract, the account identifiers linked to the card contract, the identifiers and the information of the linked cards.

API links

GET /api/v2/issuers/{issuerId}/cards/{cardReference}/card-contract

GET /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/card-contract

Below is an example of the request and the response

In input:

The issuer 1234
The card contract reference : 12342000000000242108

GET /api/v2/issuers/1234/card-contracts/12342000000000242108

Response data:

"data":{
   "issuerId":"1234",
   "cardContractIdentifier":{
      "cardContractReference":"12342000000000242108",
      "issuerCardContractExternalReference":"T_1234_CARD_VISA_DEBIT_CLASSIC_SHARE"
   },
   "cardTemplateReference":"T_1234_CARD_VISA_DEBIT_CLASSIC_SHARE",
   "cardTypeCode":"F",
   "status":"ACTIVE",
   "openingDate":"2022-06-14T12:54:58.930+00:00",
   "activationDate":"2022-06-14T12:54:58.930+00:00",
   "trustedAuthenticationReference":"123420220614145458365",
   "newCardRenewalAllowed":true,
   "issuerBranchCode":"NO_BRANCH",
   "artwork":"DebitClassicShare",
   "forcedEmbossingName":"ROSINETTE F CANAILLETTE",
   "schemeDeclarationOptOut":true,
   "principalSupplementaryCardIndicator":"PRINCIPAL",
   "productCategory":"DEBIT",
   "productCategoryLabel":"IMMEDIATE_DEBIT_DEBIT",
   "specificFields":{
      "cardContractKey2":"value2",
      "cardContractKey1":"value1"
   },
   "productIdentifier":{
      "issuerProductExternalReference":"PDT_1234_VISA_DEBIT_CLASSIC_SHARE",
      "productReference":"PDT_1234_VISA_DEBIT_CLASSIC_SHARE"
   },
   "cardHolderIdentifier":{
      "customerReference":"CUS10000243078"
   },
   "contractIdentifier":{
      "contractReference":"REF_MCI_BSW_CNT_216566294",
      "issuerContractExternalReference":"LEGACY_REF_MCI_BSW_CNT_216566294"
   },
   "cardProfileDescription":"P_1234_CARD_VISA_DEBIT_CLASSIC_SHARE",
   "cardProfileReference":"P_1234_CARD_VISA_DEBIT_CLASSIC_SHARE"
}

Retrieve Card event list

The API enables the events information related to a given card to be retrieved (e.g. status change such as card blocking/card activation, card issuing for replacement or renewal, PIN change.)

API links

GET /api/v2/issuers/{issuerId}/cards/{cardReference}/card-events

GET /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/card-events

Below is an example of the request and the response for:

The issuer 1234
The card reference : 2000000000374460

Following event types are then returned : CardBlocking, CardOrderIssuing, CardActivation, CardIssuing

GET /api/v2/issuers/1234/cards/2000000000374460/card-events

Response data:

{
   "data":[
      {
         "eventType":"CardBlocking",
         "eventDate":"2022-12-05T16:16:19.514+00:00",
         "reason":"LOST",
         "waiveFee":false,
         "blockingInformation":{
            "cardBlockingDateTime":"2022-12-05T16:16:19.514+00:00",
            "blockAgent":"admin",
            "blockingReason":"LOST",
            "blockingReasonDetail":"LOST",
            "lostStolenDate":"2022-10-11T11:14:08.493+00:00",
            "lossPlace":"lossPlace",
            "lossCountry":"lossCountry",
            "lastUsageDate":"2022-10-11T11:14:08.493+00:00",
            "lastUsagePlace":"lastUsage",
            "lossCircumstances":"lossCircumstances",
            "lossReportedBy":"lossReportedBy",
            "lossReportedVia":"lossReportedVia",
            "fraudCode":"01",
            "contactData":"contactData",
            "pinCompromised":true,
            "customerRequestingBlockDate":"2022-10-14T08:14:08.493+00:00",
            "transferEffectiveDate":"2022-10-14T08:14:08.493+00:00",
            "noReplacementReason":"tempAddr",
            "comment":"comment",
            "cppFlag":false,
            "scheduledCardBlockingReason":"LOST"
         }
      },
      {
         "eventType":"CardOrderIssuing",
         "eventDate":"2022-12-05T13:13:43.385+00:00",
         "waiveFee":false
      },
      {
         "eventType":"CardActivation",
         "eventDate":"2022-12-05T13:13:43.288+00:00",
         "reason":"CARD_CREATION",
         "waiveFee":false
      },
      {
         "eventType":"CardIssuing",
         "eventDate":"2022-12-05T13:13:43.185+00:00",
         "waiveFee":false
      }
   ]
}

Retrieve blocking information for a card

The API enables the blocking information related to a given card to be retrieved.

As a response, a set of information is returned such as :

Blocking reason and blocking date time
The date when our system receives the blocking instruction
If the PIN has been compromised
Additional information in case blocking reason is LOST : Lost date, Loss circumstances, the place or the country where the card has been lost
if a permanent card blocking is scheduled in the future
if the card has been compromised in Common Point of Purchase (card is in CPP list)

API links

GET /api/v2/issuers/{issuerId}/cards/{cardReference}/blocking-information

GET /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/blocking-information

Below an example of request and the response for:

Issuer: 1234
Card reference: 2000000000374460

GET /api/v2/issuers/1234/cards/2000000000374460/blocking-information

Response data:

{
   "data":{
      "cardBlockingDateTime":"2022-12-05T16:16:19.514+00:00",
      "blockAgent":"admin",
      "blockingReason":"LOST",
      "blockingReasonDetail":"LOST",
      "lossPlace":"lossPlace",
      "lossCountry":"lossCountry",
      "lastUsageDate":"2022-10-11T11:14:08.493+00:00",
      "lastUsagePlace":"lastUsage",
      "lossCircumstances":"lossCircumstances",
      "lossReportedBy":"lossReportedBy",
      "lossReportedVia":"lossReportedVia",
      "fraudCode":"01",
      "contactData":"contactData",
      "customerRequestingBlockDate":"2022-10-14T08:14:08.493+00:00",
      "transferEffectiveDate":"2022-10-14T08:14:08.493+00:00",
      "noReplacementReason":"tempAddr",
      "cppFlag":false
   }
}

Update blocking information for a card

The API enables blocking information related to a given card to be updated such as:

Blocking reason among those available for the issuer
Blocking detail
Lost and stolen date if the blocking reason is LOST or STOLEN
The flag indicating whether the card is in a CPP list
The flag indicating whether the PIN is compromised
Scheduled blocking information : delay or blocking reason if the delay is not yet reached

API links

PATCH /api/v2/issuers/{issuerId}/cards/{cardReference}/blocking-information

PATCH /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/blocking-information

Below an example of request for

Issuer: 1234
Card reference: 2000000000444867

/api/v2/issuers/1234/cards/2000000000444867/blocking-information

Request data:

{
   "cppFlag":true,
   "blockingReason":"LOST",
   "blockingReasonDetail":"Detail blk rsn",
   "lostStolenDate":"2023-03-06T17:18:42.806Z",
   "pinCompromised":true,
   "transferEffectiveDate":"2023-03-06T17:18:42.806Z",
   "comment":"fieldComment"
}

Response data:

{
   "responseMetadata":{
      "correlationId":"492efcae-cc01-48e0-b5b4-8944ee5937ba",
      "statusMessage":"Executed successfully",
      "statusCode":200,
      "responseDateTime":"2023-03-06T18:26:22.009+0100",
      "timeTakenMs":70
   },
   "data":{
      "cardIdentifier":{
         "cardReference":"2000000000444867",
         "issuerCardExternalReference":"CARD-2023022800001A"
      }
   }
}

Update blocking information for all cards with same PAN or same PAN reference

The API is similar to “Update blocking information for a card” API but is applied to all cards having the same PAN or same PAN reference.

Blocking information can be updated such as:
Blocking reason among those available for the issuer
Blocking detail
Lost and stolen date if the blocking reason is LOST or STOLEN
The flag indicating whether the card is in a CPP list
The flag indicating whether the PIN is compromised
Scheduled blocking information : delay or blocking reason if the delay is not yet reached

In response, card information for each matched card is provided.

API links

POST /api/v2/issuers/{issuerId}/cards/update-all-blocking-information

Create emergency card

Emergency Card is a type of card that can be provided to a customer in emergency cases (for example, a customer has lost his card, while travelling outside his country and urgently needs a new card). The customer will call 24-hour service and request an Emergency Card.

In general, those cards will have short validity period and will not be renewed and replaced. Emergency Card is not produced by the issuer but by the scheme.

The emergency card creation is possible in our system only if an Emergency Card product is defined for the issuer and if the contract of the customer is allowed to issue an Emergency Card.

The API allows to create an emergency card for a given card

API links

POST /api/v2/issuers/{issuerId}/cards/{cardReference}/create-emergency-card

POST /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/create-emergency-card

Create new TAN

For PIN self-selection without a direct bank connection to the card issuing institute - i.e., without online banking access - Worldline offers the variant PIN change with TAN (Trusted Authentication Number). This applies to card programs where the bank is the card issuer for another partner, e.g., TUI or eBay.

The API allows to generate a TAN, which is used as a one-time password, printed and sent to cardholder in order to change card pin by e.g. IVR.

API links

POST /api/v2/issuers/{issuerId}/cards/{cardReference}/new-tan

POST /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/new-tan

Below an example of request and the response for:

Issuer: 1234
Card reference: 2000000000410108

POST /api/v2/issuers/1234/cards/2000000000410108/new-tan

Request data:

{
   "tanOrigin":"string",
   "sendingMode":"normal",
   "waiveFee":false,
   "waiveShippingFee":false
}

Response data:

{
   "responseMetadata":{
      "correlationId":"a3e4fb90-72f9-4154-93d1-a0050b28c273",
      "statusMessage":"Executed successfully",
      "statusCode":200,
      "responseDateTime":"2023-01-31T15:22:50.893+0100",
      "timeTakenMs":155
   },
   "data":{
      "orderIdentifier":{
         "orderReference":"202301312000000000418220"
      },
      "currentInternalStatus":"ORDERABLE"
   }"orderType":"TanMailerOrder"
}

Retrieve CVV

This service offers the option to the issuer to display the CVV2 inside the mobile app.

As the CVV2 is not stored it must be re-created using the received card data from the request.

Note: Worldline will send the encrypted CVV2 towards the issuer. The issuer is responsible for displaying the CVV2 inside the mobile app or Homebanking service.

API links

POST /api/v2/issuers/{issuerId}/cards/{cardReference}/display-cvv

POST /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/display-cvv

Display Pin for a card

This service offers the option to the issuer to display the PIN inside the mobile app for a given card. The card is identified either by the internal or external card reference. Note: Worldline will only send the PIN block towards the issuer. The issuer is responsible for displaying the PIN inside the mobile app or Homebanking device.

API links

POST /api/v2/issuers/{issuerId}/cards/{cardReference}/display-pin

POST /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/display-pin

Set a Pin for a card

This Service allows the issuer to set the PIN after card creation, via issuer home banking or mobile app The card is identified either by the internal or external card reference.

API links

POST /api/v2/issuers/{issuerId}/cards/{cardReference}/pin

POST /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/pin

Reorder new Pin for a card

The API allows to order a new PIN for the card when a cardholder wants to change its PIN. The card must be in "CREATED" or "ACTIVE" status. As a result, a PIN mailer order with PIN REORDER reason is generated. This functionality can be used only if configured for the issuer.

API links

POST /api/v2/issuers/{issuerId}/cards/{cardReference}/pin

POST /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/pin

Below an example of request for the

Card reference: 2000000000259979
Issuer: 1234

POST /api/v2/issuers/1234/cards/2000000000259979/reorder-pin

Request data:

    {
   "sendingMode":"Normal",
   "deliveryType":"CUSTOMER"
}

Response data:

    {
   "responseMetadata":{
      "correlationId":"be841b98-4624-4df6-9a67-c07b0fd44cf6",
      "statusMessage":"Executed successfully",
      "statusCode":200,
      "responseDateTime":"2023-02-03T18:52:35.578+0100",
      "timeTakenMs":475
   },
   "data":{
      "orderIdentifier":{
         "orderReference":"202302032000000000327150"
      },
      "currentInternalStatus":"ORDERABLE",
      "orderType":"PinMailerOrder"
   }
}

List orders for a card

The API enables the orders information related to a given card to be retrieved. The response can also be enriched (if specified as embedded fields in input) with additional data such as the orders status history of the card, the card information.

API links

GET /api/v2/issuers/{issuerId}/cards/{cardReference}/orders

GET /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/orders

Below an example of request for the

Below is an example of the request and the response

In input:
- The issuer 1234
- The card reference : 2000000000242109
In response, one card order is provided back with the order reason (“FIRST_PIN_CARD_ISSUE”), the order date, the status, the pass-through data (“specific fields”) sent to the card embosser.

GET /api/v2/issuers/1234/cards/2000000000242109/orders

Response data:

    {
   "data":[
      {
         "issuerId":"1234",
         "orderType":"CardOrder",
         "orderIdentifier":{
            "orderReference":"202206142000000000242110"
         },
         "currentInternalStatus":"ORDERED",
         "currentInternalStatusDate":"2022-06-14T12:57:19.090+00:00",
         "sendingMode":"Normal",
         "deliveryType":"CUSTOMER",
         "orderReason":"FIRST_PIN_CARD_ISSUE",
         "cardProducer":"00022",
         "specificFields":{
            "insuranceCode":"insuranceCode",
            "cardOrderKey2":"value2",
            "cardOrderKey1":"value1"
         },
         "cardIdentifier":{
            "cardReference":"2000000000242109"
         },
         "free":true
      }
   ]
}

Retrieve card order for a card

The API enables the card order information related to a given card, and for a card order identified with the card order reference, to be retrieved.

API links

GET /api/v2/issuers/{issuerId}/cards/{cardReference}/orders

GET /api/v2/issuers/{issuerId}/cards/external-cards/{issuerCardExternalReference}/orders

Below is an example of the request and the response

In input:

The issuer 1234
The card reference : 2000000000242109
The card order reference: 202206142000000000242110

GET /api/v2/issuers/1234/cards/2000000000242109/orders/202206142000000000242110

Request data:

    {
   "sendingMode":"Normal",
   "deliveryType":"CUSTOMER"
}

Response data:

    {
   "data":{
      "issuerId":"1234",
      "orderType":"CardOrder",
      "orderIdentifier":{
         "orderReference":"202206142000000000242110"
      },
      "currentInternalStatus":"ORDERED",
      "currentInternalStatusDate":"2022-06-14T12:57:19.090+00:00",
      "sendingMode":"Normal",
      "deliveryType":"CUSTOMER",
      "orderReason":"FIRST_PIN_CARD_ISSUE",
      "cardProducer":"00022",
      "specificFields":{
         "insuranceCode":"insuranceCode",
         "cardOrderKey2":"value2",
         "cardOrderKey1":"value1"
      },
      "cardIdentifier":{
         "cardReference":"2000000000242109"
      },
      "free":true
   }
}

Subscribe to