FIDO Wording Guidelines
In order to promote the use of FIDO and to help standardize the user experience, the FIDO Alliance has written some guidelines about how to display information related to FIDO when using it on a website.
However, these guidelines are mainly constructed around the use of FIDO for account log-in. In the case of transaction validation and two factor authentication using WAFL, some of the recommendations are not really applicable.
You will find here what we could extract from this official documentation that is relevant to apply in our context and that we used in our demonstration.
FIDO during the user journey - Our interpretation
- Until the user is logged in, no change on the website.
- Once the user is logged in, on their main dashboard, advertise the fact that a new way to authenticate payments is available, and link to the settings to enable it, but only if the device supports FIDO (see how to check that in the implementation guide).
  Do not mention FIDO yet, but only biometrics.
  Use a fingerprint icon matching the user platform: Apple icon for Mac and iOS; generic icon for other platforms.
- In the user settings, the section dedicated to FIDO activation should:
  - Use proper biometrics icon.
  - Start mentioning FIDO.
  - Offer registration only on supported devices.
  - Mention that even though it is supported, it might be necessary to enable it in the device settings, and indicate how to do so. (Ex: Windows Hello can be disabled, but FIDO will appear as supported by the device)
  - Insist on the benefits of using FIDO: it's faster and it's simpler.
  - Display the FIDO logo.
  - At the bottom, add a link to display some FIDO key facts, as provided in the official guidelines.
- During transaction validation, if the user used another validation method, invite the user to register FIDO after a successful transaction if their device is not registered yet.
Official extracts
Information about Security Keys
- What is a security key?
  A security key is a small, physical device that works in addition to your password on sites that support it. A single key can be used with multiple accounts or sites.
- Why should I use a security key?
  Security keys protect you against imposter websites that try to steal login credentials (like usernames and passwords). Other forms of 2-factor authentication (including text, email, messages, authenticator apps, and push notifications) do not give you the same level of protection as a security key.
- How security keys work
  You must first add security keys using the button above. Once added, you'll be required to use them after signing in with your username and password. Doing this creates one of the strongest forms of authentication available to protect your account.
- What security technology do security keys use?
  Most keys use an authentication "standard" called FIDO® which allows for secure authentication without drivers or software. When a user signs in to a website with a key, FIDO® cryptographically signs a challenge from the browser that verifies the website's actual domain name, which provides strong protection against phishing (e.g., when a fake website is used to trick users into sharing personal information). An attacker would need to control the website domain name or the browser to get a usable signature from the key.
- Why do security keys look like thumb drives?
  Although hardware security keys may resemble thumb drives and are sometimes inserted into your computer's USB port, they are not storage devices. Your personal information is not trackable or linkable across sites or online accounts when using a security key.
- What happens if my security key gets stolen?
  The key works in addition to your password, not as a replacement for it. If someone steals the key, they still can't get into your bank account without knowing your password (or which sites are registered with your key). You can sign in with a backup method and remove the stolen key from your account.
- Add more than one security key
  Adding multiple security keys is highly recommended. If your security key is lost or stolen and you do not have a registered backup security key (or other backup authentication method), access to your account could be interrupted while we verify your identity. We recommend keeping one key easily accessible and another stored separately in a safe space.
- Purchase security keys
  Security keys vary by manufacturer and can be purchased from mainly online retailers. We recommend FIDO certified keys. See a list of FIDO® certified keys.
- Name your security keys
  Give your security key a friendly "nickname" that only you can see, so you know which key you registered with this account at a later point in time.
Information about Device Unlock
- How device unlock works
  A technology called FIDO lets you sign in securely without relying on a password. Once you've registered your computer's PIN, facial recognition, fingerprint, or security key, FIDO verifies it's really you and doesn't transmit any of your login information over the internet.
- Why use device unlock
  Easy, safe—and private! FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers. Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.
- More information
  Registering with FIDO provides you with an additional login option for this device—your password remains valid.
Learn more content
This part contains the information that could be used in any "Learn more" link, tooltip, popup to be displayed under the FIDO icon under Registration or Authentication buttons.
FIDO lets you sign in securely without relying on a password by keeping your login information securely on your device. Nowhere else.
How it works?
A technology called FIDO lets you sign in securely without relying on a password.
FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers.
Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your login information over the internet.
Easy, safe—and private!
Registering with FIDO provides you with an additional login option for this device—your password remains valid.
Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.
FIDO Facts content
This part contains facts, developed from studies involving end users, that are designed to improve trust in FIDO.
- FIDO is a technology built into all leading desktop devices (PC and Mac) and browsers, that allows users to sign in securely without a password.
- In the same way your phone uses a biometric, FIDO now enables biometric sign-in on websites viewed on your desktop too.
- FIDO makes sign-in easy, safe, and private!
- FIDO technology uses your computer’s built-in authentication method (i.e., Windows Hello or Apple Touch ID) to ensure your sign-in information stays safe from hackers because it never leaves your computer.
- Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your sign-in information over the internet.
- Registering with FIDO provides you with an additional sign-in option for this device — your password remains valid.
- Leading companies worldwide in retail, telecommunications, finance, and technology are already using FIDO.
Authentication Services portfolio
- We put safety first.
When dealing with sensitive data and handling payments, you need strong digital security measures that fit seamlessly within your user experience. We offer world-class secure payments, authentication and anti-fraud solutions that protect from fraudulent activity and meet both local and global regulations so that you - and your users - can rest easy.
Using Worldline FIDO WebAuthn in your Website
To make the frontend work easier, we provide a file, api.services.ts, that wraps the main Java APIs of the Relying Party Server in JavaScript.
It will provide APIs to register / authenticate with WAFL on the Relying Party server.
Checking availability
To avoid providing a frustrating user experience, it is recommended to check that the device used is compatible with FIDO before inviting the user to register or authenticate with it. To ensure that the Web context supports the use of FIDO, you can use
isWebAuthnSupported(): boolean
And to check that the device supports a Platform Authenticator you can use
async checkPlatformAuthenticatorAvailable(): Promise<boolean>
Note that if you rely on this check, a Cross-Device (such as YubiKey) or Roaming (mobile) authenticator cannot be used when the device doesn't have a Platform Authenticator.
OS Specific check
As mentioned in our FIDO Wording Guidelines page, when inviting the user to register or authenticate, it is recommended to show a biometric icon related to the platform. To do so, we have a simple isAppleHardware() that can be used to switch between Apple and generic icons.
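The availability checks and icon choice described above, written against the standard WebAuthn browser API as an added example (this is not the code of api.services.ts). The names detectFido, looksLikeAppleHardware and dashboardBanner are hypothetical, the banner wording is constructed, and env is a parameter only so the logic can run outside a browser.

```javascript
// Added example: not the code of api.services.ts. It only uses the standard
// WebAuthn browser API (PublicKeyCredential); all function names are hypothetical.

// Feature-detect WebAuthn and a user-verifying platform authenticator.
// `env` defaults to the browser global; it is a parameter so the logic can be tested offline.
async function detectFido(env = globalThis) {
  const pkc = env.PublicKeyCredential;
  // WebAuthn is only exposed in secure contexts (HTTPS or localhost).
  const webauthn = env.isSecureContext === true && typeof pkc === "function";
  let platform = false;
  if (webauthn && typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    try {
      platform = (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
    } catch {
      platform = false; // a failing probe must not break the page: just don't advertise
    }
  }
  // Keep both answers: gating everything on `platform` alone would also hide
  // security-key registration on devices without a built-in authenticator.
  return { webauthn, platform };
}

// Cosmetic only (icon choice): user-agent sniffing is not a security control.
function looksLikeAppleHardware(userAgent) {
  return /\b(Macintosh|iPhone|iPad|iPod)\b/.test(userAgent || "");
}

// Dashboard rules from the wording guidelines: advertise only on supported,
// not-yet-registered devices, talk about biometrics (not FIDO), use the platform icon.
function dashboardBanner(support, userAgent, alreadyRegistered) {
  if (!support.webauthn) return { show: false, settingsOption: "none" };
  if (!support.platform) return { show: false, settingsOption: "security-key" };
  if (alreadyRegistered) return { show: false, settingsOption: "manage" };
  return {
    show: true,
    icon: looksLikeAppleHardware(userAgent) ? "apple" : "generic",
    text: "Authenticate your payments with biometrics", // constructed wording
    settingsOption: "platform",
  };
}

// Browser usage:
//   const support = await detectFido();
//   const banner = dashboardBanner(support, navigator.userAgent, false);
```

A positive platform result only says an authenticator is present; as the wording guidelines note for Windows Hello, it may still have to be enabled in the device settings.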
Worldline FIDO enrolment
async waflRegistration(username: string, displayName: string, friendlyName: string): Promise<boolean>
To be able to provide FIDO authentication for transactions to your users, they first need to register the devices they want to use. This can be done by calling the above method with parameters:
- username: the technical username of the user account.
- displayName: the name that will appear in the FIDO authentication request shown by the browser.
- friendlyName: the name of the registered authenticator, to be displayed in Self-care interface.
It will return whether the registration succeeded or not.
Worldline FIDO Authentication
async waflAuthentication(username: string): Promise<boolean>
To authenticate a user, simply call this method with :
- username: the technical username of the user account.
It will return whether the authentication succeeded or not.
Self-care
Our small API wrapper also provides the necessary APIs to allow the users to manage their authenticators from their account settings in your website.
Describing an Authenticator
Our API file exposes the class AuthenticatorDescriptor which maps the data retrieved from the server to an object with following members :
id: string; // The internal/technical ID of the authenticator
createdAt: string; // The creation date, formatted as YYYY-MM-DD HH:MM:SS.XXXXXX
description: string; // The official description of the Authenticator
                     // ex: "Windows Hello Hardware Authenticator"
friendlyName: string; // The friendly name chosen by the user
Listing Authenticators
async getAuthenticators(username: string): Promise<AuthenticatorDescriptor[]>
Calling this method will return all registered authenticators for the specified user as an array of AuthenticatorDescriptor.
If the user did not register at least one authenticator (i.e. the user is not known on the WAFL backend yet) or if there is any issue in processing the request, it will throw an Error.
Renaming an authenticator
async renameAuthenticator(username: string, friendlyName: string, authId: string): Promise<boolean>
To rename an authenticator, use this method with parameters :
- username: the technical username of the user account.
- friendlyName: the new name of the authenticator.
- authId: the technical ID of the authenticator, as provided by the getAuthenticators() API.
It will return whether the renaming succeeded or not.
Deleting an authenticator
async deleteAuthenticator(username: string, authId: string): Promise<boolean>
To delete, or unregister, an authenticator for a user, call this method with parameters:
- username: the technical username of the user account.
- authId: the technical ID of the authenticator, as provided by the getAuthenticators() API.
It will return whether the deletion succeeded or not.
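Preparing the result of getAuthenticators() for a self-care screen, as an added example that is not part of Worldline's wrapper. The field names are those of AuthenticatorDescriptor above; parseCreatedAt, toSelfCareRows and resolveAuthId are hypothetical names, the sample data is constructed, and createdAt is assumed to be UTC because the page does not state a time zone.

```javascript
// Added example; not Worldline's code. Field names follow AuthenticatorDescriptor
// as described on the page; function names and sample data are constructed.

// Strict match for "YYYY-MM-DD HH:MM:SS.XXXXXX" (microseconds).
const CREATED_AT = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{6})$/;

// Returns a Date, or null when the string is malformed or names an impossible date.
// Assumption: the timestamp is UTC (the page does not state a time zone).
function parseCreatedAt(value) {
  const m = CREATED_AT.exec(String(value));
  if (!m) return null;
  const [y, mo, d, h, mi, s, micros] = m.slice(1).map(Number);
  const date = new Date(Date.UTC(y, mo - 1, d, h, mi, s, Math.floor(micros / 1000)));
  // Date.UTC silently rolls over values such as month 13 or 30 February.
  const sameFields =
    date.getUTCFullYear() === y && date.getUTCMonth() === mo - 1 && date.getUTCDate() === d &&
    date.getUTCHours() === h && date.getUTCMinutes() === mi && date.getUTCSeconds() === s;
  return sameFields ? date : null;
}

// Rows for the account-settings list, newest first; rows with a bad date sort last.
function toSelfCareRows(descriptors) {
  const time = (row) => (row.createdAt ? row.createdAt.getTime() : -Infinity);
  return descriptors
    .map((a) => ({
      id: a.id,
      // friendlyName is user-chosen text: render it as text, never as HTML.
      label: a.friendlyName || a.description,
      createdAt: parseCreatedAt(a.createdAt),
    }))
    .sort((a, b) => {
      const ta = time(a);
      const tb = time(b);
      return ta === tb ? 0 : tb > ta ? 1 : -1;
    });
}

// Map a UI selection back to an authId that getAuthenticators() actually returned,
// so a stale or mistyped id is never passed to renameAuthenticator() or
// deleteAuthenticator(). The server still has to enforce ownership itself.
function resolveAuthId(rows, requestedId) {
  const row = rows.find((r) => r.id === requestedId);
  return row ? row.id : null;
}

// Constructed sample data in the shape of AuthenticatorDescriptor.
const SAMPLE_AUTHENTICATORS = [
  { id: "a1", createdAt: "2023-11-05 09:15:42.123456",
    description: "Windows Hello Hardware Authenticator", friendlyName: "Work laptop" },
  { id: "b2", createdAt: "2024-02-30 10:00:00.000000", // impossible date on purpose
    description: "Constructed authenticator B", friendlyName: "" },
  { id: "c3", createdAt: "2024-03-01 18:30:00.000001",
    description: "Constructed authenticator C", friendlyName: "Home PC" },
];
```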
Issuing solutions
A quick tour of Worldline issuing solutions
In today's fast-paced digital world, financial institutions are constantly looking for innovative ways to enhance their customers' experience and add value. One such way is to leverage APIs that enable seamless integration between different systems and applications. In this context, discover how our APIs can help you create value for your cardholders and provide them with a more comprehensive and personalized service.
Discover how you can utilize our APIs to generate benefits for your cardholders :
Our issuing use cases
Introduction doc
Introduction Acquiring Processing Product Services
Worldline Financial (WL FS) is the largest payment processor in Europe with over 12 billion acquiring processing transactions per year and continues to scale-up rapidly.
Acquiring Processing
Worldline Financial Services offers acquirers a full set of product services to outsource acquiring processing for international brands.
Our products cover the complete acquiring processing value chain from card Acceptance & Authorization Switching, to Clearing and Merchant Settlement.
Modular outsourcing concept
Base Transaction processing has the following main product modules:
- Front Office - Host Acceptance & Authorization Switching to the Issuer
- Back Office - Card Scheme: Clearing, Settlement and Reconciliation
Scheme & Regulatory Compliance services - Worldline FS offers its acquirers services to help comply with scheme rules and regulatory requirements.
On top of Acquiring Base Transaction Processing services Worldline (WL) Financial Services (FS) offers a comprehensive set of Modular Processing services.
- Merchant Management - Merchant level
- Acquiring Data Services - Acquirer level
- Dispute Management
- Fraud and Risk Management
- Value Added Services
BASE TRANSACTION PROCESSING
Front Office: Acceptance & Authorization (CNP & POS)
Worldline FS offers a variety of card transaction processing products that enable Acquirers and their customers to accept a wide range of card products and brands. Payment channels include: Chip & PIN, Mobile & Contactless, Credential-On-File. Security standards include magstripe, EMV (uses EMV chip and NFC chip), Tokenization (MDES), EMV 3-D Secure v2.0.
The processing of card transactions is divided into two basic generic product services that cover the main volumes of card transactions: Acceptance on the host and Authorization switching to the Issuer. Transaction acceptance processing includes online & offline for eCommerce (Card Not Present) and POS card transactions on the host. Authorization Switching is via the card scheme network to the Issuer (unless otherwise stated in the services).
In addition to the basic card processing products, Worldline FS offers additional services to support extra functionalities. These services comprise the support of additional network protocols, terminal-to-host protocols, host-to-host protocols, offline transactions, premium brands (AMEX, etc.), non-standard transactions (Cash Advance, DCC, etc.).
ATM processing products are part of Value Added Services.
Supported card brands
Scheme: Clearing, Settlement and Reconciliation (Back Office)
The Acquiring clearing portfolio is a comprehensive portfolio of services that offer Acquirers an efficient means of processing card payment transactions into actual Merchant bookings.
As an Acquiring processor, Worldline FS offers Acquirers a range of services geared towards settlement with both the Merchant and the Schemes or Issuers.
In-cloud transaction settlement between the Acquirer and Issuer can be performed if both parties are directly connected to Worldline FS and a bilateral agreement is made between those parties.
Out-cloud transaction settlement between Acquirers and Issuers must be performed by a third-party. Worldline FS provides a clearing file to the Schemes or third-parties for the settlement of these transactions.
Scheme and Regulatory Compliance
In the fast-paced payments industry schemes and regulators are continuously changing regulations and reporting requirements.
Worldline FS offers its acquirers many services to help comply with scheme rules and regulatory requirements.
MODULAR PROCESSING SERVICES
On top of Acquiring Base Transaction Processing services Worldline (WL) Financial Services (FS) offers a comprehensive set of Modular Processing services.
Merchant Management - Merchant level
The Worldline FS (Back Office) Merchant Management cluster offers full and final merchant settlement based on WL FS: scheme clearing, scheme settlement files, merchant pricing engine, and merchant configuration as stored in the merchant contract system.
The Merchant Settlement module is where WL FS converts scheme clearing and settlement input files into a booking per merchant account in SCT/SDD format for the acquirer.
The Merchant Pricing Engine calculates transaction & service fees based on different pricing models.
The Worldline FS merchant contract management system stores Merchant Information such as merchant contract configuration, applicable pricing model, configured fees, and merchant settlement account.
Acquiring Data Services - Acquirer level
The Worldline FS Acquiring Data Service cluster offers RESTful API services to facilitate speedy direct integration of acquirers and their third party customers such as PSPs or large merchants.
The Accept Transactions API enables CNP and POS acceptance via a host-to-host connection to the WLP FO Front Office services. In addition, there is an API service to retrieve near real-time the transaction acceptance status (authorized, captured etc.).
Merchant Management (contract API) allows you to manage and retrieve your own merchant contracts in the Worldline FS acquiring merchant contract database. For third party customers (e.g. PSP, PayFac, Merchant), retrieval and limited updating are available in agreement with your acquirer.
Back Office retrieval APIs are available for the following types of data: Transactions, Merchant Payments, Merchant contracts, Interchange, Statements (Merchant Reconciliation), Analytics.
To facilitate human interaction with the data, Worldline FS has several User Interfaces that give insight into different types of data: Acquirer Portal, Merchant Portal.
Bulk data is provided to acquirers via 3 main omni-channel Data Warehouse feeds: Authorizations, Clearing, Merchant Payments.
Worldline FS also offers Accounting and Reporting services such as: General Ledger, Financial reports, Custom reports. Regulatory reports and Scheme reports can be found in scheme and regulatory compliance.
Dispute Management
As an Acquirer processor, Worldline offers acquirers several services to support the different dispute resolution processes of the supported Schemes.
Risk and Fraud management
Worldline FS Risk and Fraud management cluster offers fraud analysis, investigation and monitoring for suspicious behavior.
Value Added Services
Value Added Services cluster includes: ATM, Merchant VAS, DCC, Mobile Top-up, Loyalty programs, Acquirer and Merchant Support, POS Terminal Package, Partnership Models.
Platform Components
Worldline Open Banking products are developed on top of Worldline Open Banking Platform.
All products are wrapped up in one central interface supported by a user-friendly bank selection dialogue - we offer simplified access to 3500 banks.
Want to learn more on Open Banking Products? Switch to Open Banking Products
The Open Banking Platform consists of several components, that you might use depending on the product:
- Access Management Module to define who can access Open Banking Services. We set up your access rights during the onboarding phase, while you can manage the access rights of your clients (aka initiating parties) if applicable.
- Authorization Module to provide your public certificate and retrieve an authorization token.
- Open Banking API to pull account data and initiate payments using your or Worldline's PSD2 license.
- Reach directory to review a list of supported banks and implementation differences between the banks.
- Predefined Bank Selection Interface for better user experience and faster go-live.
- Push Notifications API to get notified on events that you subscribed for (e.g. payment status change).
- Back Office allowing you to onboard and manage your clients, view transactions and create refunds.
- Credit Scoring Dashboard allowing you to search credit scoring requests and view data used for the calculation.
- Refund API helping merchants to issue account based refunds for a payment processed via Open Banking API.
SEPA Payment Suite
Have you already had a closer look at our Open Banking products and would like to learn more about the SEPA Payment Suite?
Single European Payment Area (SEPA) Payments are managed in Worldline by SEPA Payment Suite (SPS) and Payment Gateway. Non-SEPA Payments are managed by Payment Gateway. SPS is the component managing the SEPA relevant transactions and interacts mostly with IBO and Payment Gateway. SPS only manages the SEPA Payments as the name suggests. The main functions of SPS are:
- Mandate Management
- SEPA Direct Debit Management
- SEPA Credit Transfer Management
- SEPA Payment Collection
- Aggregation of SDDs into PAIN 008 and SCTs in PAIN 001 files
- R-Transaction Management
Learn more? Please consult the API description.
iDEAL / iDEAL 2.0
Have you already had a closer look at our Open Banking products and would like to learn more about iDEAL?
iDEAL is a direct online transfer from account holder's bank account to the bank account of an entrepreneur or merchant.
iDEAL business transactions are based on the 4-Corner-Model which refers to four main actors, who participate in the business process.
Please note: The iDeal website has an excellent Video and also the European Payments Council has a very good explanation of the four-corner-model that you can find here.
The four actors are the Customer, the Initiating Party, the Customer’s Bank and the Initiating Party’s Bank. These business transactions normally consist of two requests: the Transaction Request and the Status Request.
The Transaction Request: The Initiating Party starts the transaction for the service, selected by the Customer (via the Initiating Party’s web shop). For the Webshop there are three possible ways of integration:
Direct API implementation, via Initiation Service or via Check out Service of Service Providers.
The Customer calls the Routing Service via one of the Initiating Party’s connections. The Routing Service checks the transaction request and forwards the request to the Customer’s Bank. The response message from the Customer’s Bank contains a redirect URL, which is used by the Initiating Party to redirect the Customer to the Customer’s Bank. The Customer confirms the request in their familiar online banking application (for example, to start a credit transfer, sign an eMandate or provide identity information). After that, the Customer is redirected to the Initiating Party. Normally this triggers the Initiating Party to perform a status request (see below). Meanwhile the complete request is forwarded from the Routing Service to the Back Office by JMS (Java Message Service) queue.
The Status Request: The Initiating Party sends a Status Request to the Routing Service and the Routing Service forwards the request to the Customer’s Bank. The Customer Bank checks, whether the transaction has been confirmed by the Customer and provides information in the response. The Routing Service forwards the result of the Status Request to the Initiating Party. Meanwhile the complete request is forwarded from the Routing Service to the back office by JMS queue.
iDEAL 2.0
In the iDEAL 2.0 flow the Merchants have the possibility to directly initiate payments towards the iDEAL 2.0 Hub. Here you see an overview on the participating parties - the TPP Solution (green coloured) is provided by Worldline.
The iDEAL Hub is a solution owned by Currence which provides a unified iDEAL experience. It is connected to the ASPSPs which provide the iDEAL 2.0 product. The PSU (Payment Service User) / Consumer is an account holder at one or more ASPSPs and allows other parties to initiate payment requests. The TPP (Third Party Provider) / Acquirer is an intermediary between multiple Initiating Parties and ASPSPs and provides an interface used by the Initiating Party (as provided by Worldline, routing iDEAL payments). The Initiating Party / Merchant / cPSP contracts the TPP for the iDEAL service and can send an iDEAL payment request to the TPP Solution on behalf of a PSU. The ASPSP (Account Servicing Payment Service Provider) / Issuer is the Issuer bank, which is responsible for the Consumer's account.
To check the iDEAL implementation, please refer to the iDEAL 2.0 section.
Additionally you should also check the following sections:
- Access Management Module
- Payment API - to learn how to create an iDEAL payment transaction
- Push Notifications API (optional) - to learn how you can get notified on payment status changes instead of polling the status yourself
- Back Office (optional) - to manage merchant subscriptions, view transactions and issue refunds.
Worldline Credit Insight
Have you already had a closer look at our Open Banking products and would like to learn more about Worldline Credit Insight?
Credit Insight is an Open Banking product which is based on an AIS collection of transaction data for the selected client. The Credit Insight service takes the raw balance and transaction data from the bank and transforms this into an insightful financial report. All of the transactions are categorized with a specific focus on credit, important data is flagged (e.g. loans, payment rejections) and useful metrics are calculated. All of this is delivered by API to provide an instant analysis based on data retrieved directly from the consumer’s bank. There are some prerequisites to be considered if a Credit Insight analysis is to be provided:
At least one CHECKING account is provided, there are 20 transactions within the last 90 days, the transaction currency must be Euro, and a URL for callback must be provided in advance.
Workflow:
The Initiating Party (you) posts and initiates a registration for the client, and chooses the relevant product option. Worldline responds with the appropriate URL for the consent and AIS session, and the client is then redirected to Worldline bank selection pages. Once the client has selected its bank(s) and accounts, Worldline collects the transactions and balances for the last three months from the bank(s). The Credit Insight analysis is performed, and once the results are available, they are sent to the Initiating Party's callback URL.
For Credit Insight the relevant and usable endpoints are within the Account Information extended service.
Learn more? Please consult the Credit Insight section
Additionally you should also check the following sections:
- Access Management Module
- Reach directory - to consult what banks are connected to our platform and how you can identify implementation differences across banks
- Bank Selection Interface - to implement Worldline's predefined screens for bank selection and redirection to/from the bank
- Back Office (optional) - in case you would like to manually check your transactions or manage setup of your clients in Worldline's systems
- Credit Scoring dashboard (optional) - to check balances and transactions used for credit score calculation


