Getting Started with FIDO Server by Worldline

Prerequisites​

You need to keep your client_id and secret_id that was sent to you by mail.

If you lost your secret_id, please contact us to generate a new one for you.

There is two types of credentials with different scope. The firsts credentials you received are for the administrative scope, to manage your relying parties servers. You have to use these firsts credentials to create a relying party via API, and in response you will received second credentials related to your relying party with "service" scope that will enable you to configure it and handle your users via API. 

These credentials are needed for all interactions with the Fido Server by Worldline.

You also need the audience to access generate bearer tokens.

OAuth2 Server URL  : https://access.fido.worldline-solutions.com

Audience : https://my-wafl-api-gateway-6glqflxv.ew.gateway.dev  - to update 

API access and authentication

The FIDO Server by Worldline (also called WAFL Server) API uses the OAuth Client Credentials Flow to authenticate API calls.


Request tokens

Example using curl
curl --request POST \
    --url 'https://access.fido.dev.worldline-solutions.com/oauth2/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --header 'Authorization: Basic Base64Encode(concat('client_id', ':', 'client_secret'))' \
    --data 'grant_type=client_credentials' \
    --data 'audience=https://my-wafl-api-gateway-206w9c7e.ew.gateway.dev'
Parameters
  • grant_type : set this to your "client_credentials"
  • audience : the audiance for the token (see the prerequisites)
Response

If all goes well, you'll receive an HTTP 200 response with a payload containing access_token, and expires_in values:

{
  "access_token": "eyJz93a...k4laUWw",
  "expires_in": 3600
}
Access token lifetime

The lifetime of a token is set to 3600 seconds

Use the Worldline FIDO Server APIs

Declare your relying party server

Once you received your credentials by mail with the "admin" scope, you can declare your relying party server with the admin/relying-parties API, where you give the name of your relying party, and get the credentials with the "service" scope that you can configure in your relying party server to use the FIDO authentication service.

You also have to declare the origins of your relying party application with the admin/relying-parties/{id}/origins API.

Enable your users to register

You can use our Browser SDK to facilitate the integration of FIDO protocol into your web application and use the browser APIs.

The registration is a two steps action as it contains an initiation step to generate the challenge that will be used by the authenticator for cryptographic operations.

In the initiation step your relying party gives information about the registration like the username, friendlyName and authenticator properties. The Worldline FIDO server respond with a challenge to give to the authenticator.

The attestationBlob, response of the authenticator, is passed through the finalization step so that the Fido server complete the registration.   

Enable your users to authenticate

The authentication is also a two steps action as it contains an initiation step to generate the challenge that will be used by the authenticator for cryptographic operations.

The initiation step is where your relying party informs the server for which user you want to do an authentication. The response contains the challenge on which the authenticator will have to make cryptographic operations.

The result of these operations is passed through the finalization step in the assertionBlob where the Fido Server will do the authentication. 

Manage your users

Once your users are registered, you can list their authenticators, update the friendlyName of an authenticator (for the user to better identify his authenticator) and delete them via the /users APIs.

Enable "on this page" menu on doc section
On

Transactions

Transactions

Retrieve Transaction Details

The API allows the transaction details to be retrieved.

The main input fields are:

  • The issuer ID
  • The transaction for which the detail is requested: It is provided by using the transaction Id.

It is also possible to request some additional data relative to addendum (to retrieve lodging information, car rental information, air itinerary information) by using the embedded fields.

In return, the interface provides the generic information (mainly master data) relevant to the transaction.

API links

GET /api/v2/issuers/{issuerId}/transactions/{transactionId}

Search Transactions (Global)

The API provides possibility to retrieve a list of transactions (original first presentments or fee collections received from the card schemes), based on certain criteria.

To prevent overly broad searches, at least one of the following conditional search criteria must be provided :

  • PAN
  • PAN token
  • Transaction identifier
  • Acquirer reference number
  • Virtual Service Card Number
  • Card Identifier
  • Account Identifier
  • Related Transaction

To retrieve fee collections, at least one of the following criteria must be also provided :

  • acquirer member Id
  • reason code
  • event date

If requested, the API allows also to:

  • search from an issuer and optionally with sub-issuers OR search from a list of issuers (by default, the search is performed on all issuers allowed for the user depending on its rights)
  • return only certain transactions (disputed transactions, fraudulent transactions)
  • request to enrich the response with additional data relative to addendum (to retrieve lodging information, car rental information, air itinerary information) by using embedded fields

The API response contains all matched transactions sorted by descending transaction date.

API links

POST /api/v2/search-transactions

Create a Dispute from a Transaction

The API allows an issuer to create a dispute folder in the system for a given transaction. This API enables the issuer to initiate the dispute from its application.

Several actions can be performed :

  • Dispute only
  • Dispute + refund/redebit (full or partial)
  • Dispute + write-off (full or partial)
  • Dispute + fraud declaration
  • Dispute + event creation
  • Dispute + attach documents
  • Dispute + combination of above options

Main data in input are :

  • the transaction for which the dispute is requested: It is provided by using the transaction Id. The transaction can be retrieved using the API Search transactions
  • in option, several fields in the case additional actions have to be done besides the dispute folder creation (e.g. operation(s) posting, event(s) creation, add document(s)).

In response, the created dispute folder identifier is provided back systematically; then depending on the additional requests, the response includes also the posting, event creation and documents add response.

Idempotency is managed by the API; that is, if the request with the same WL-Correlation-ID is sent multiple times, it will be executed only once. The response will be retrieved directly from our system.

API links

POST /api/v2/issuers/{issuerId}/transactions/{transactionId}/dispute

Enable "on this page" menu on doc section
On

Data Export

Data Export

API Reference 
Current version 25R2-1.0 of September 4th 2025
DataExport

Data export solution description

The data export solution is a new external Push Service totally independent from the existing scoring notification request, containing a maximum of information of the transaction and the authentication process.

The platform HUB purposes two kinds connectivity with banks for this purpose.

  • The data are sent by Webservice to API REST bank Server end-point

or

  • The data are sent by file to bank file Server

1. Data export scheme

The data export solution defined is based on data conveyed in the AReq and RReq messages + Scoring and authentication process.

It takes advantage of the HUB to provide the necessary available data from those messages.

The HUB is the key module to collect and to treat those data as it is the central module involved in the 3DS authentication process. 

The messages contain most of the relevant information needed to get the context of a transaction and to provide enough information to consolidate and refine the authorization process.

HDX flow

 

Workflow of the process:

  • The HUB collect data from Areq and Rreq messages.
  • The datas are encrypted and sent through messages to the transaction export gateway.
  • The data are sent through a specific gateway to the IS bank.

2. Real-time push option

With this solution, bank will be able to receive the data just after the authentication transaction ending (after RReq/RRes message).

The data are pushed to bank through a dedicated Webservice API.

The data will be sent on a REST JSON format. The Web Services will be transmitted in HTTPS - TLS 1.2 and will be configured on the Worldline PCI-DSS Proxy as followed:

  • By default on internet with a mandatory mutualized authentication
  • If asked by the bank, on a VPN or LS

A rate limiter is defined (max TPS) on the HUB push platform and must be configured depending on Issuer Bank transaction volume and IS Bank Server capacity.

If the HUB cannot reach the bank Webservice, a retry process is forecasted. This retry flow is ordered by a FIFO rule.

Two kind of errors are defined, some are due to context and triggers a retry attempt, some are due to data or configuration error and will no triggered any retry. Cf. 3.5.1.2

The retention of data is fixed for a 4 days period. During this time laps the transactions are systematically pushed to the bank until the bank module responds.

After 4 days, the transaction and data not transmitted are deleted from the queue.

 

3. Configuration

 3.1. Data encryption 

Sensitive data should be encrypted or masked.
We define 3 types of sensitive data :

  • GDPR ; information which allows to identify a person
  • PCI-DSS ; card information 
  • PCI-3DS ; 3DS protocol sensitive information 

The configuration depends on the level of Certification of the Server platform. 
For example ; 

if the platform is certified PCI-3DS, authenticationValue can be sent encrypted otherwise it can be only sent hashed or omitted.
if the platform is certified PCI-DSS, pan can be sent encrypted otherwise it can be only sent masked or omitted.
As there is less requirement on GDPR data, data can be sent either in plain text or encrypted.
 

Table of configuration :

Security LevelField(s)Configurations Available
NONEPlain textHashed (SHA256)Encrypted
GDPRcredentials, shipAddrCity, shipAddrCountry, shipAddrPostCode, 
billAddrCity, billAddrCountry, billAddrPostCode, email, 
mobilePhone, homePhone, workPhone		XX X
PCI-DSSPAN, ExpiryDate, vPAN, vExpiryDate, binRange, cardExpiryDateX

X

PAN and vPAN 
will be masked

 

X

Except binRange always in plain text

PCI-3DSauthenticationValueX XX

 

 3.2. Credential format

The credential field have the following format

type:@type,

value:@value,

algorithm:@algorithm 

algorithm is optional and provided only if the data is hashed.

Kinds of credential currently available are:

  • SMS (mobile phone)
  • IVR (landline phone)
  • EMAIL
  • SSN
  • TA (Trusted Authentication on Mobile)
  • PWD
  • TOKEN
  • OTRC
  • USERCODE
  • OPENID – Dedicated cardholder identifier for OpenID authentication method

Notes that HUB phone number must be in international standard E.164 format.
E.164 numbers are formatted [+] [country code] [subscriber number including area code] and can have a maximum of fifteen digits.

Examples:

{

"type":"SMS",

"value": "+1234567890"

}

{

"type":"IVR",

"value": "+1234567890"

}

{

"type":"EMAIL",

"value": "user@email.com"

}

{

"type":"SSN",

"value": "123456789012345"

}

{

"type":"PWD",

"value": "f2d81a260dea8a100dd517984e53c56a7523d96942a834b9cdc249bd4e8c7aa9",

"algorithm": "SHA-256"

}

{

"type":"PWD",

"value": "MyS3cr37P@55w0rd"

}

{

"type":"OTRC",

"value": "MyS3cr3707RC"

}

{

"type":"TA",

"value": "MyTAUserId"

}

{

"type":"USERCODE",

"value":"123123123"

}

 3.3. Message sample

 

Example of Json Object with testing data in PCI-DSS security level. Notes, this example is not representative of a real 3DS use case, the aim is just to provide an example of transmitted data:

   {

                "createdDateTime": "2023-08-30T19:42:07.571",
   "keyTag": "01",
          "iv": "b7f20ef725764107b29b6e29",
          "cardholder": {
            "issuerCode": "66666",
            "subIssuerCode": "66667",
            "cardID": "1609039243305",
            "tokenPan": "mckNDk3NjcwMDAwMDAwMDAxNQ==",
            "expiryDate": "3ed12aa8d824bb592440073925a309cf9730c4731b49dc",
              "credentials": [
                {
                  "type": "SMS",
                  "value": "616d41e5759d392347f127f50d4b8f1d9aea3e4249f75212c6cf7f88"
                },
                {
                  "type": "EMAIL",
                  "value": "3e3b01a72add7e5715aa71a404e493b784dfffb3f3626475611619331f828dfbbb"
                },
                {
                  "type": "PWD",
                  "value": "293b17b0759d3d2140a226fb5bf3c7badc8efa9423b793316f25df3f0231d226ba3685331484265eb0b447b5ad00c9ad566c7b001db1304f892b3b29fa4e1fd3b807b7b1ef2cf3dac911e0572aed4742",
                  "algorithm": "SHA-256"
                },
                {
                  "type": "TA",
                  "value": "7b6c41e771993d2f4bf78a224952bb2bb0b436a7316e4827ef61"
                },
                {
                  "type": "OPENID",
                  "value": "051736900deb3b2541f325fb19e86ed05547a4b7887d3cb85d2e790c"
                }
              ],

            "PAN": "38d82fadc224ba72a6bac3b5ae564bd827a8a2ac98c72eb8ff0b89f2712dd26a",
            "cardHolderID": "6873147d-b205-407e-b050-77a66bf4f7b4"
          },
          "purchaseContext": {
            "network": "MASTERCARD",
                "convertedAmount": "2200",
            "convertedExponent": "2",
            "convertedCurrencyCode": "978",
            "convertedCurrencyLabel": "EUR",
            "os": "Windows 7",
            "language": "fr",
            "dsTransID": "c036148a-616a-44b3-9c1e-2509954de092",
            "browserIP": "2a02:2788:0558:0094:1507:d510:7b4f:b303",
            "rcptCountry": "DEU",
            "threeDSRequestorURL": "www.test.url",
            "merchantName": "merchant_4558",
            "acquirerMerchantID": "123456",
            "acquirerBIN": "700004",
            "purchaseAmount": "2200",
            "purchaseExponent": "2",
            "purchaseDate": "2019-12-23T14:18:02",
            "transactionCurrencyLabel": "EUR",
            "purchaseCurrency": "978",
            "cardExpiryDate": "3ed12aa8d824bb592440073925a309cf9730c4731b49dc",
            "deviceChannel": "01",
            "browserUserAgent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36",
            "messageVersion": "2.2",
                "messageCategory": "01",
            "threeDSRequestorAuthenticationInd": "02",
            "threeDSRequestorChallengeInd": "07",
            "threeDSReqPriorRef": "a036148a-616a-44b3-9c1e-2509954de095",
            "whiteListStatus": "E",
            "whiteListStatusSource": "01",
            "acquirerCountryCode": "840",
            "threeDSRequestorID": "Requestor id",
            "threeDSRequestorName": "Requestor name",
            "addrMatch": true,
            "shipAddrCity": "City name",
            "shipAddrCountry": "250",
            "shipAddrPostCode": "12345",
            "billAddrCity": "Bill City name",
            "nbDeviceOnSameIpD2D180": "...", 
           "nbDeviceOnSamePhoneD2D180": "...", 
            "phoneOnOtherDeviceD2D180": "...", 
           "phoneOnSameDeviceD2D180": "...", 
           "versionDIRs": "..." 
                                                 }, 
                                         "name": "...", 
                                         "criticalityIndicator": ..., 
                                         "id": "..." 
                                         } 
                                         ] 
                 } 
         }, 
         "RBA":{ 
                 "travelIndustry":"...", 
                 "principalWhiteListed":"...", 
                 "principalBlackListed":"...", 
                 "principalExemptionListed":"...", 
                 "blackListStatus":"...", 
                 "rbaDecision":"...", 
                 "rbaLevel":"...", 
                 "rbaReason":"...", 
                 "rbaRuleSetInfo":"...", 
                 "rbaRuleName":"...", 
                 "rbaSuccessiveCounter":"...", 
                 "rbaCumulativeAmount":"...", 
                 "issuerRbaDecision":"...", 
                 "issuerRbaLevel":"...", 
                 "dsRbaDecision":"...", 
                 "dsRbaLevel":"...", 
                 "extRbaDecision":"...", 
                 "extRbaLevel":"...", 
                 "extRbaIssuerDecision":"...", 
                 "extRbaIssuerLevel":"...", 
                 "rbaExoneratingHint":"...", 
                 "rbaIncriminatingHint":"..."     
         }, 
         "authenticationResult":{ 
                 "transStatus":"...", 
                 "transStatusReason":"...", 
                 "finalStatus":"...", 
                 "failureCause":"...", 
                 "authenticationValue":"...", 
                 "threeDSWhitelistStatus":"...", 
                 "threeDSWhiteListStatusSource":"...", 
                 "authenticationMethod":"...", 
                 "challengeCancel":"...", 
                 "authenticationType":"...", 
                 "interactionCounter":"...", 
                 "authentDatas": [...] 
                 "oobAppURLInd":"...", 
         }       
 }

 

Enable "on this page" menu on doc section
On

Referential WS Client

Referential WS Client

API Reference

Referential WS Client is the standard referential interfaces exposed by the Issuers' Bank.
ACS is therefore client of the Bank Information System.

Thanks to this API ACS can  :

  • get card information from the Bank Information System ;
  • update cards/users/credentials information to the Bank Information System.

 

Enable "on this page" menu on doc section
On

Referential Batch

Referential Batch

Version 24R2-1.2 of May 14th 2024

The referential card of an issuer is required. It is used for enrollment and authentication needs of cardholders.

In mode batch the issuer sends a periodic file to the platform in order to operate the provisionning of cardholder data.

The referential management is based on a XML file. This file takes in charge the creation of cardholders, cards and authentication data.

Retro compatibility with old XML and flat file formats is managed.

Glossary :

The following list gives a description of acronyms used :

  • WLP-AHB: Worldline Product – Authentication HuB
  • PAN: Primary Account Number
  • CAP: Chip Authentication Program
  • DDN: Birthdate
  • PWD: Password
  • SSN: Social Security number
  • PAM: Personal Assurance Message
  • PGP: Pretty Good Privacy
  • GPG: GNU Privacy Guard
  • PCI: Payment Card Industry

 

1. Historic

DATEVERSIONTYPE DE UPDATEREASONS FOR THE UPDATE
20/03/2017AACreationDocument creation
    
17/08/2017ABUpdateUpdate length
19/09/2017ACUpdateAdd CSV and Positional Format
17/01/2018ADUpdate

Add missing KeyTag attribute in some XML elements

Update some French labels

Remove CSV and Positional Format (refers to old specifications)

26/03/2018AEUpdateAdd/update xml messages examples
16/05/2018AFUpdate

Update length and comments for some fields

Add TA Authentication

01/10/2018AGUpdateAdd Issuer and SubIssuer at card level
05/02/2019AHUpdateCheck rules
19/02/2019AIUpdateBetter handling of invalid inputs
03/01/2020AJUpdateAdd skipped use case
05/10/2020AKUpdate

Added the DeleteTime attribute in “Card” record and structure.

Change email control

02/12/2020ALUpdateChange profil regex
16/02/2021AMUpdate

Change field status on card Level

Update authentication means list

06/05/2021V21R2 1.0UpdateChange versioning norm
29/06/2021V21R2 1.1UpdateFix typo “deletedTime”
13/07/202121R3 1.0UpdateUpdate cardholder ID constraints
18/08/202121R3 1.1UpdateAdded QMYST example into “AuthentiactionData”
18/08/202121R3 1.1UpdateAdded “cardId” attribute in “Card” structure
10/09/202121R3 1.2UpdateAuthenticationDataUpdateMode = Update to delete a credential : definition and example
05/10/202122R1 1.0UpdatePublished version with new graphical charter
24/03/202222R2 1.0PublicationFirst 22R2 Official version
23/05/202222R2 1.1UpdateAdd cardID sample and in structure description
04/07/202222R3 1.0Publication

First 22R3 Official version

Remove DELETED card status

13/07/202223R1 1.0Update

Fix back “DeleteTime”

Fix various format controls

13/12/202223R1 1.1UpdateComplete paragraph “File reject”
20/01/202323R2 1.0UpdateAdd optional field effectiveUpdateDate
30/03/202323R2 1.0PublishFirst 23R2 official version
05/07/202323R3 1.0PublishFirst 23R2 official version – no change
11/09/202324R1 1.0UpdateRemoved references to QMYST
23/02/202424R2 1.0PublishFirst 24R2 official version – no change
03/05/202424R2 1.1UpdateThe batch does not control the field FileNumber.
14/05/202424R2 1.2UpdateUpdateMode  can be set by CREATE_OR_UPDATE and not CREATED_OR_UPDATE
Add SMS as label in AuthenticationData

 

2. Description of referential file in format xml

The structure of file is given by the following figure. The possible values of each field and potential error codes are described in the following tables.

The maximum number of cardholders in a file is limited to 999 999 records.
An example of a report with errors is also available.


 

  2.1. File transfer mode

File transfers are carried out through a VPN tunnel or on Internet. Two protocols are available FTPs or PesitSSL.


 

  2.2. Security of exchanges through file transfers

    2.2.1 File encryption/decryption

Files containing sensitive data can be encrypted using PGP.

GPG is used.

The Issuer must use an encryption program that is compatible with the free GPG program used by equensWorldline, which makes it possible to ensure the authenticity and confidentiality of the transferred file with an RSA key.

GPG is a free implementation of the RSA algorithm that complies with the OpenPGP standard (RFC2440).

A REAL NAME (e.g. IssuerName_3DSAtos), a COMMENT (e.g. Atos 3DS signature by Issuer Name) and an E-MAIL ADDRESS will be specified to generate the keys.

The encryption algorithm used is AES256.

The ISSUER and equensWorldline exchange the public keys via e-mail in ASC format.

Keys are valid for 19 months. 

To comply with PCI, the key must not be used for encryption for more than 12 consecutive months. The expiry date is set to 19 months to allow restoration for 6 months; an extra month is added to the validity period of the key.

File encryption/decryption procedure:

Exchange of keys (carried out every 12 months):

  • ISSUER generates a pair of keys: Public Key (P1) and Secret Key (S1);
  • equensWorldline generates a pair of keys: Public Key (P2) and Secret Key (S2);
  • Issuer and equensWorldline exchange their P1 and P2 public keys.

For the encryption/decryption of a file sent by ISSUER to equensWorldline, the file is encrypted with equensWorldline’s P2 key and signed with ISSUER’s S1 private key.

For the encryption/decryption of a file sent by equensWorldline to ISSUER, the file is encrypted with ISSUER’s P1 key and signed with equensWorldline’s S2 private key.

Keys are renewed through equensWorldline’s change tool. The application manager will get in touch with the customer contact appointed during the creation of the key to ask them to send the new public key; in return, they will provide equensWorldline’s new public key. The content to exchange will be the result of the export of the public key into ASCII. This will be sent via e-mail. To validate the public keys exchanged, each person involved will have to phone their appointed contract to obtain and validate the fingerprint of the key. It is imperative that the fingerprint be validated before the public key is used.

    2.2.2. Data security

The sensitive data contained in the file must be encrypted. Authentication data and card information are considered as sensitive.

For the repository file, the data to encrypt are:

  • The PAN of the Card element;
  • The value of the Authentication element (Phone number, email, date of birth, etc.).

All encrypted data will be encoded in Base64.

Symmetric encryption uses the AES algorithm.

The data are encrypted using 256-bit AES in CBC mode (Cipher Block Chaining); more precisely, it uses a Java implementation called javax.crypto.Cipher "AES/CBC/PKCS5Padding".

Upon each encryption operation, an IV (Initialization Vector) set to empty is used.

The encryption and decryption keys are identical.

The AES key is generated by the Issuer.

A different key will be used for each environment.

The exchange of such key whose generation remains at the responsibility of the issuer is not specified in this document.

 

  2.3. XML file for updating the cardholder repository

XML format è equensWorldline provides the Issuer with the .XSD file that makes it possible to generate this format.

The format will be XML in “MAJ” format according to the particularities of equensWorldline.

A different file transfer identifiers have to be defined for acceptance and production.

Description of referential file in a XML format

The structure of file is given by the following figure. The possible values of each field are described in the following tables. The maximum number of cards in a flat file is limited to 999 999 records.

  2.4. Description of fields

 

Each field must respect constraints in order not to be rejected. The following list gives a description of possible format controls:

  • AN: Alphanumeric
  • A: Alphabetic
  • N: Numeric
  • H: Hexadecimal
  • B64: Base 64

    2.4.1. Record « Header »

 NameMandatorylengthPattern / Values / ContraintsComments
Header (mandatory 1-1)IssuerY5NIssuer Code / Issuer Identifier
SubIssuerN5NSubIssuer Code / SubIssuer Identifier
FileNumberY6NSee specification below
UpdatedY8N (format YYYYMMDD)Date of generation of the file
UpdateModeY-AN (CREATE_ONLY or CREATE_OR_UPDATE)CREATE_ONLY: this mode will create only new cards. If card already exists, do nothing.CREATE_OR_UPDATE: create new cards, update existing one
CardHolderCountY1-6N (< 999 999)Number of cardholders records presents in the file

 

    2.4.2. Structure « Header »

The field FileNumber is incremental and depends on the day when the file is received. So, if this field is valued by 728502, it means that the file is the 2nd file of day 285 of the year 2007. The batch can controls that there does not exist two files with the same identifier and reject it in case of duplication. The batch does not control the field FileNumber.

 

    2.4.3. Record « CardHolder »

 NameMandatoryLengthPattern / Values / ContraintsComments
Cardholder (optional 0-999 999)IdElementYes1-6NCounter of cardholder in the file (incremental)
CardCountYes1-2NNumber of cards declared for this cardholder
IdentifierYes1-36AN + ‘-‘Cardholder identifier
NameNo1-50A – Clear valueLastname of the cardholder
-B64 – encrypted value
FirstNameNo1-50A - Clear valueFirstName of the cardholder
-B64 – encrypted value
LanguageNo2A - ISO 639-1Language
 Card (optional 0-X)IdElementYes1-2NCounter of card for the current CardHolder (incremental)
PANYes-B64 – encrypted valueCard Number (encrypted and base64 or in clear)
16-19N – clear value
OldPANNo-B64 – encrypted valueOld Card Number (encrypted and base64 or in clear)
16-19N – clear value
ExpiryDateNo24B64 – encrypted valueExpiry date (encrypted and base64 or in clear). Clear value must have the following pattern: YYYY-MM
7YYYY-MM – clear value
ProfilSetNameNo1-32AN + ‘-‘Specific profileset to assign to the card instead of bin range profileset
DeleteTimeNo14yyyyMMddHHmmss Date and time of card deletion.
AuthenticationDataUpdateModeYes-« UPDATE » or « DELETE_AND_CREATE »

When a card already exists (and UpdateMode is CREATE_OR_UPDATE), specify what to do with AuthenticationData

· UPDATE: if AuthenticationData is provided for an authentication mean, replace existing values (if any) with provided one. Other authentication means (not provided in file) will be kept.

If AuthenticationData is provided with one specific authentication mean and value = DELETED, the credential will be deleted of all the attached value.

· DELETE_AND_CREATE: Existing AuthenticationData (for all authentication means) will be deleted and replaced by provided one.

When the card doesn’t exist yet, you can provide any of the two values (result will be the same).

StatusNo6-9AACTIVE orINACTIVE. In case of null or invalid value, ACTIVE is chosen by default
IssuerNo5NIssuer Code / Issuer Identifier
SubIssuerNo5NSubIssuer Code / SubIssuer Identifier
 CardIdNo2-36AN + ‘-‘Unique Card identifier
 EffectiveUpdateDateNo14yyyyMMddHHmmss Date used to update user, card and credential. If effectiveUpdate date is superior to cardHolder/card/authenticationData updatedTime field in database, the data will be updated otherwise not. Only work with AuthenticationDataUpdateMode = UPDATE.
 AuthenticationData (optional 0-X)IdElementYes1-2NCounter of Authentication data for the current Card (incremental)
LabelYes0-20ANAuthentication data label
ValueYes1-50AN – clear valueAuthentication data value (encrypted and base64 or in clear)
B64 – encrypted value
PatternNo0-25AN + ‘-‘NONE, DD/MM/YYYY…
MiscellaneousNo0-200ANFuture use
     
CardData (optional 0-1)RIDNo-HFuture use
PIXNo-H
DKINo2H
PSNNo2H
ATCNo4H
AIPNo4H
CVNNo2N
ExpiryDateNo??
?B64 – encrypted value
ModeNo-A

 

    2.4.4. Structure « CardHolder »

 

    2.4.5. Structure « Card »

 

 

    2.4.6. Authentication Data

To process the authentication flow, several authentication data can be stored: 

  • PHONE: the phone number (Deprecated)
  • SMS : mobile phone number
  • SVI : fix phone number for IVR authentication
  • EMAIL: the email address
  • SSN: the Social Security Number, person identifier
  • PAM: the Personal Assurance Message
  • TOKEN: the identifier of the token
  • DDN: the birthdate
  • PWD: the password
  • TA: trusted authentication

HUB phone number must be in international standard E.164 format.
E.164 numbers are formatted [+] [country code] [subscriber number including area code] and can have a maximum of fifteen digits.

 

    2.4.7. Structure « CardData »

Note: CardData is not currently used.

 

    2.4.8. XML message example

Here is an example with:

  • A card where all authentication data are replaces with provided ones,
  • Another card where only EMAIL authentication data is created/updated,
  • And a last one where nothing is created/updated/deleted (since no authentication data is provided)

 

Here is another example with:

  • A card to which we delete the value of a credential,
  • A card where all authentication data are replaces with provided ones

 

    2.4.9. File processing report

During the integration process of XML, a log file can be provided by file transfer. This file contains all rejected records with an error label associated to each reject. The file describes a global report of execution of integration and each error is formatted according to the following rules:

  • If the reject happens in the section Header:
    • Format: Error on Header : Error Label
    • Example: Error on Header : Issuer is invalid
    • Signification: The issuer code mentioned in the Header has invalid format.
  • If the reject happens in the section CardHolder
    • Format: Error on CardHolder(identifier): Error Label
    • Example: Error on CardHolder(identifier=12345678901234567890123456789012345678) : The length of the identifier must be between 1 and 36
    • Signification: The Cardholder with identifier 12345678901234567890123456789012345678 has a field Identifier whose length is too long.
  • If the reject happens in the section Card
    • Format: Error on CardHolder(identifier) - Card# : Error Label
    • Example: Error on CardHolder(identifier=111447612) - Card#1 : PAN is invalid Signification: The PAN of card having the IdElement=1 in section CardHolder having identifier=111447612 is invalid or missing.

 

    2.4.10. Example file log report

 

    2.4.11. Description

For each batch, the report file starts by “start execution date” and “file name” and finishes by “returned code”, “job Id”, “end execution date” and “duration”.

Between the start and the end of execution, we have all reported data errors, as described in previous section. This is followed by a summary of the number of cards treated, and number of found records for each kind of movement.

 

3. Validation rules for xml format

 

  3.1. Header

SectionFieldPresenceControlsType of rejectError Label
Header (Mandatory)IssuerMandatory5 digitsFile

Issuer is missing

Issuer is invalid

Existing in DBFileError on Issuer/Subissuer retrieval
SubIssuerOptional5 digitsFileSubIssuer is invalid
Existing in DBFileError on Issuer/Subissuer retrieval
FileNumberMandatory6 digitsFile

File number is missing

File number is invalid

UpdatedMandatoryDate in YYYYMMDD formatFileUpdated is missing
UpdateModeMandatoryEquals to CREATE_ONLY or CREATE_OR_UPDATEFile

Update mode is missing

UpdateMode is invalid

CardHolderCountMandatoryNumeric >0File

The number of cardholder is missing

The number of cardholder cannot be less than 1

 

  3.2. CardHolder

SectionFieldPresenceControlsType of rejectError Label
CardHolderIdElementMandatoryNumeric >0CardHolder

The idElement is missing

The idElement must be numeric >0

CardCountMandatoryNumeric >0CardHolder

The cardCount is missing

The cardCount must be numeric >0

IdentifierMandatoryAlphanumeric (and ‘-‘) of length [1;36]CardHolder

The identifier is missing

The length of the identifier must be between 1 and 36

NameOptionalAlphanumeric of length [0;50]CardHolderName length cannot be more than 50 characters
FirstNameOptionalAlphanumeric of length [0;50]CardHolderFirstName length cannot be more than 50 characters
LanguageOptionalAlphabetic of length [2]CardHolderLanguage is invalid

 

  3.3. Card

SectionFieldPresenceControlsType of rejectError Label
CardIdElementMandatoryNumeric >0CardHolder

The idElement is missing

The idElement must be numeric >0

PANMandatoryNumeric of length [16;19]CardHolderPAN is invalid
OldPanOptionalNumeric of length [16;19]CardHolderOld PAN is invalid
Existing in DBCardHolderCan't replace Card because old card doesn't exist with given PAN!
ExpiryDateOptionalFormat YYYY-MMCardHolderExpiryDate is invalid
ProfilSetNameOptionalAlphanumeric (and ‘-‘) of length [1;32]CardHolderThe profilSetName is invalid
AuthenticationDataUpdateModeMandatoryEquals to UPDATE or DELETE_AND_CREATECardHolder

The authentication data update mode is missing

The authentication data update mode is invalid

IssuerOptional5 digitsCardHolderIssuer is invalid
Existing in DBCardHolderError on Issuer/Subissuer retrieval
SubIssuerOptional5 digitsCardHolderSubIssuer is invalid
Existing in DBCardHolderError on Issuer/Subissuer retrieval
StatusOptional---
CardIdOptionalAlphanumeric (and ‘-‘) of length [2;36]CardHolderThe length of the card identifier must be between 2 and 36
DeleteTimeOptionalyyyyMMddHHmmss CardHolder-
EffectiveUpdateDateOptionalyyyyMMddHHmmss CardHolder-

 

  3.4. AuthenticationData

SectionFieldPresenceControlsType of rejectError Label
AuthenticationDataIdElementMandatoryNumeric >0CardHolder

The idElement is missing

The idElement must be numeric >0

LabelMandatoryAlphanumeric (and ‘-‘) of length [0;20]CardHolder

The authentication label is missing

The authentication label is invalid

Equals to SMS, PHONE, EMAIL, PWD, SSN, TOKEN, PAM, DDN, …AuthenticationDataAn unknow authentication mean ([LABEL]) appears in the file (once or more). It will be ignored.
PatternOptionalAlphanumeric (and ‘-‘) of length [0;25]CardHolderThe pattern is invalid
ValueMandatory

PHONE, SMS, SVI: has phone number format (according to the Google API PhoneNumberUtil)

EMAIL: corresponds to regular expression: ^(\w[-.\w]*)@([-\w]+(?:\.[-\w]+)*)\.([A-Za-z]{2,20})$

 

CCP: corresponds to regular expression: ^[A-Za-z0-9]{11}$

DDN: DD/MM/YYYY

CardHolder

Authentication value format isn't correct

The value is missing

The pattern is invalid

 

4. Functional Validation rules

 

4.1.  File reject

If more than 5% of lines are in error the file is rejected with an error code 12 : “Batch KO, number of line errors greater than 5%”.

The blocking errors :

If the header is empty the file is rejected with an error code 40 : "No header specified"
If the header format is invalid the file is rejected with an error code 41 : "Specified header is incorrect"
If the header format is invalid the file is rejected with an error code 18 : "Error read input file xml"

Non-blocking errors threshold:

A skip limit can be defined for the non-blocking exceptions if this limit is reached the file is rejected.
By default the parameter is set to 100%.

Skip limit parameter : ${app-skip-limit}

 

4.2.  Skipped requests

On batch process, the skipped card are corresponding to the specific use case :

  • On ACS3 XML format
    • Record Card in UpdateMode = CREATE_ONLY but the card is already exist in Data Base, so we can’t create it , so request is skipped

  • On ACS1 XML or CSV format

    • Record Card with ModificationType = RENEWAL but the card doesn’t exist in Data Base, so we can’t renewal it, so request is skipped
    • Record Card with ModificationType = DELETION but the card doesn’t exist in Data Base, so we can’t delete it, so request is skipped
    • Record Card with ModificationType = REPLACE but the card doesn’t exist in Data Base, so we can’t replace it and retrieve the initial credentials, so request is skipped

     

Enable "on this page" menu on doc section
On

Lexical

Lexical

ACS lexical

Here below you will find the acronyms used and their meanings:

Acronym/Common NameMeaning
3DS3D-Secure – Three Domains Secure
AC / CACertification Authority
ADS3D Secure service use case 
(registration of a new authentication credential)
AESAdvanced Encryption Standard
APIApplication Programming Interface
APMAuthentication Process Management
CAPChip Authentication Program
CHCard Holder
CRCentral Repository
DSDirectory Server
GCMGalois/Counter Mode
GZipGZip is a compressed file format base on the deflate algorithm. Please refer to RFC 1952 for more information
HTTPSHyperText Transfer Protocol Secure
ISInformation System, all the data processing, organisation and human resources
ITAIdentity, Trust and Authentication
JSONJavaScript Object Notation
OOBOut Of Band
OTPOne Time Password
OTRCOne Time Registration Code
PANPrimary Account Number
PCIPayment Card Industry
RBARisk-Based Assessment
REINIT3D Secure service use case 
(update of existing authentication credential)
RESTreStructuredText
UCRUnconnected Card Reader
UPMUniversal Electronic Banking Portal
URLA Uniform Resource Locator (also known as web address, particularly when used with HTTP), is a specific character string that constitutes a reference to a resource. Please refer to RFC 3986 for more information.
UUIDUniversally Unique Identifier. Please refer to RFC 4122 for more information.
WLWorldline
Enable "on this page" menu on doc section
On
Subscribe to