Authenticating UnionPay Cards
You need to redirect the customer to the UPOP Endpoint using an HTTP form POST that contains the ACPReq. To do so, create a Web page with hidden content.
POST Form
This code has two functions: a page that receives the reply fields for the enrollment check service and a form containing the required data for the card-issuing bank. The page typically includes JavaScript (an onLoad script) that automatically posts the form. In your implementation, you would replace the variables and values with your own values.
<!-- Replace "UPOP_Endpoint value" and "UPOP_ACPReq value" with the reply fields from the enrollment check. -->
<body onload="document.getElementById('PAEnrollForm').submit();">
<form id="PAEnrollForm" action="UPOP_Endpoint value" method="post" target="paInlineFrame">
<input type="hidden" name="ACPReq" value="UPOP_ACPReq value" />
</form>
</body>
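One way to build the form above on the server so that the two reply fields cannot break out of their attributes or send the ACPReq to an unexpected site. This is an added example, not iVeri's or UPI's code; `renderAuthPage`, `checkEndpoint`, `escapeAttr`, `ALLOWED_UPOP_HOSTS` and the host `upop.example.test` are assumptions made for illustration.

```javascript
// Constructed placeholder host: replace with the host of the URL UPI gave you.
const ALLOWED_UPOP_HOSTS = new Set(["upop.example.test"]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Accept only an absolute https URL on an expected host, so the form action
// can never be a javascript: or data: URL or point at an unrelated site.
function checkEndpoint(endpoint) {
  let url;
  try {
    url = new URL(endpoint);
  } catch (e) {
    throw new Error("UPOP_Endpoint is not a valid absolute URL");
  }
  if (url.protocol !== "https:") {
    throw new Error("UPOP_Endpoint must use https");
  }
  if (!ALLOWED_UPOP_HOSTS.has(url.hostname)) {
    throw new Error("unexpected UPOP_Endpoint host: " + url.hostname);
  }
  return url.href;
}

// Build the auto-posting page. The ACPReq is treated as opaque text and is
// only escaped, never modified, so UPOP receives exactly what was issued.
function renderAuthPage(endpoint, acpReq) {
  const action = escapeAttr(checkEndpoint(endpoint));
  const value = escapeAttr(acpReq);
  return [
    '<body onload="document.getElementById(\'PAEnrollForm\').submit();">',
    `<form id="PAEnrollForm" action="${action}" method="post" target="paInlineFrame">`,
    `<input type="hidden" name="ACPReq" value="${value}" />`,
    "</form>",
    "</body>",
  ].join("\n");
}
```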
Use of Authentication Page
The Merchant or its payment gateway can show this webpage as an inline frame, a pop-up window or a browser redirection to UPOP’s authentication webpage. The authentication page is 500×600px. To implement an inline frame, the frame opened for the authentication window must be large enough to present the entire 500 pixel wide by 600 pixel high authentication page without scrolling.
<h2>Payer Authentication Inline Window</h2>
<iframe name="paInlineFrame" height="600" width="500">
</iframe>
Timing between Authentication and Authorisation
The authorization request must be submitted less than 3 minutes after receipt of the authentication response. Otherwise, the authorization may fail.
Failed Authentication Processing
For a failed authentication request, the Merchant can either terminate the transaction or submit the authorization request with ElectronicCommerceIndicator value 10.
Data Required in Authentication Messages
The Merchant must accurately populate the data in the authentication request message. Certain authorization request field values must exactly match the corresponding values in the original authentication request message.
Full Transaction Flow
This section describes the transaction flow of messages between UPI systems and external systems.
Steps 1 and 2 involve the Cardholder placing an order with the Merchant and the Merchant making an authorization request.
Steps 3 – 6 involve UPOP authenticating the Cardholder.
*Note: For credit cards, you can skip Steps 2 – 3 and collect the card CVN2 and expiration date to initiate the authorization request directly.
Step 1 - The Cardholder Submits an Order
The Cardholder submits an online order to the Merchant and chooses the UnionPay online payment (UPOP) method. After the Cardholder enters the card number, the Merchant server or gateway determines whether or not it is a UnionPay card.
Example dialog where Cardholder chooses a UnionPay card to pay online
Step 2 - The Merchant server sends an Authentication Request
The Merchant server sends an authentication request to the UPOP server via the Cardholder’s device (PC, tablet, or smart phone), using the URL provided by UPI.
Step 3 - The Cardholder’s device displays an authentication webpage
The Cardholder’s device displays a webpage that contains purchase details and prompts the Cardholder to enter their SMS verification code and card information as necessary. This webpage may be shown as an inline frame, a pop-up window or a browser redirection to UPOP’s authentication webpage.
UPOP Authentication Page where Cardholder chooses a UnionPay card to pay
UPOP Authentication Page where Cardholder chooses a UnionPay debit card to pay
Step 4 - The Cardholder enters the SMS verification code
The Cardholder receives a verification code by SMS. The Cardholder enters their SMS verification code and additional credit card information as necessary and then clicks the Submit button.
Step 5 - The UPOP server builds and forwards the authentication request
The UPOP server builds an authentication request with the entered information and forwards the request to the Issuer server.
Step 6 - The Issuer server responds and the UPOP server builds an authentication response
The Issuer server responds by sending the authentication result to the UPOP server, which displays the authentication result to the Cardholder. If successfully authenticated, the UPOP server builds an authentication response.
Step 7 - The Merchant server receives and processes the authentication response
UPOP sends the Merchant server both a back-end notification via system interaction and a front-end notification via the Cardholder’s device. The notification is a POST that contains the results of the authentication in an ACPRes message.
variable acpRes = <signedACPRes replied field>
The base64 string contains the ACPRes, a digitally signed message that contains the authentication result.
Step 8 - The Merchant server sends the received Authentication Response message to iVeri
The Merchant sends the ACPRes back to iVeri using the following fields:
- UPOP_ACPRes
- UPOP_RequestID
- UPOP_TransactionTime