Authenticating UnionPay Cards
You need to redirect the customer to the UPOP Endpoint an HTTP form POST that contains the ACPReq. To do so, create a Web page with hidden content:
POST Form
This code has two functions: a page that receives the reply fields for the enrollment check service and a form containing the required data for the card-issuing bank. The page typically includes JavaScript (an onLoad script) that automatically posts the form. In your implementation, you would replace the variables and values by your own values.
<body onload="document.PAEnrollForm.submit ();">
<form id="PAEnrollForm" action="UPOP_Endpoint value" method="post” target="paInlineFrame">
<input type="hidden" name="ACPReq" value="UPOP_ACPReq value" />
</form>
</body>
Use of Authentication Page
Merchant or its payment gateway can show this webpage as a framed inline, pop-up window or a browser redirection to UPOP’s authentication webpage. The authentication page is 500×600px. To implement a framed inline page, the frame opened for the Authentication window must be large enough to present the entire 500 pixel width by 600 pixel length authentication page, without scrolling.
<h2>Payer Authentication Inline Window</h2>
<iframe name="paInlineFrame" height="600px" width="500px">
</iframe>
Timing between Authentication and Authorization
Upon receipt of the authentication response, less than 3 minutes. Otherwise, the authorization may fail.
Failed Authentication Processing
Merchant could terminate transaction or submit ElectronicCommerceIndicator value 10 for authorization request for failed authentication request.
Data Required in Authentication Messages
Merchant must accurately populate the data in authentication request message. Certain authorization request field values must exactly match corresponding values in the original authentication request message.
Full Transaction Flow
This section describes the transaction flow of messages between UPI systems and external systems.
Steps 1 and 2 involve the Cardholder placing an order with the Merchant and the Merchant making an authorization request. Steps 3 – 6 involve UPOP authenticating the Cardholder.
*Note: For credit card, you can skip Steps 2 – 3 and collect card CVN2 and Expiration date to initial authorization request directly3.
Step 1–The Cardholder submits an order
The Cardholder submits an online order to the Merchant and chooses the UnionPay online payment (UPOP) method. After the Cardholder enters the card number4, the Merchant server or gateway determines whether or not it is UnionPay card.
Example dialog where Cardholder chooses a UnionPay card to pay online.
Step 2 –The Merchant server sends an authentication request
The Merchant server sends an authentication request to the UPOP server via the Cardholder’s device (PC, tablet, or smart phone), using the URL provided by UPI. For more information, see 3. Authentication Messages
Step 3 –The Cardholder’s device displays an authentication webpage
The Cardholder’s device displays a webpage that contains purchase details and prompts the cardholder to enter their SMS verification code and card information as necessary. This webpage may be on a framed inline, a pop-up window or a browser redirection to UPOP’s authentication webpage.
UPOP Authentication Page where Cardholder chooses a UnionPay card to pay
UPOP Authentication Page where Cardholder chooses a UnionPay debit card to pay
Step 4 –The Cardholder enters the SMS verification code
The Cardholder receives a verification code by SMS. The Cardholder enters their SMS verification code and additional credit card information as necessary and then clicks the Submit button.
Step 5 –The UPOP server builds and forwards the authentication request
The UPOP server builds an authentication request with the entered information and forwards the request to the Issuer server.
Step 6 –The Issuer server responds and the UPOP server builds an authentication response
The Issuer server responds by sending the authentication result to the UPOP server, which displays the authentication result to the Cardholder. If successfully authenticated, the UPOP server builds an authentication response.
Step 7–The Merchant server receives and processes the authentication response
UPOP sends to the merchant server both a back-end notification via system interaction and a front-end notification via the cardholder’s device. a POST that contains the results of the authentication in a ACPRes message.
variable acpRes = <signedACPRes replied field>
The base 64 string contains this information:
ACPRes Digitally signed ACPRes message that contains the authentication result.
Step 8 –The Merchant server sends the received Authentication Response message to iVeri
The merchant sends the ACPRes back to iVeri in the field:
UPOP_ACPRes
UPOP_RequestID
UPOP_TransactionTime