Hahn Air NDC 2017.2 API – Strong Customer Authentication (SCA) – 3DS 2.x

 

The documentation below applies to all payment card transactions in scope of Strong Customer Authentication (SCA) requirements, which covers all EEA issued cards regardless of the customer or Seller’s location.

What is Strong Customer Authentication (SCA)?

 

Strong Customer Authentication (SCA) is a mandatory requirement of the EU Revised Directive on Payment Services (PSD2) within the European Economic Area (EEA). It became effective in most EEA countries on 31 December 2020 and will become effective in the United Kingdom on 14 September 2021.

The SCA requirement ensures that electronic payments are performed with multi-factor authentication to increase their security, including at least 2 of the 3 factors of authentication below:

  • Something that only the payer knows (password, PIN)
  • Something that only the payer has (card, mobile phone, wearable device)
  • Something that only the payer is (biometrics such as facial recognition, fingerprint)

To comply with these mandatory requirements, we have introduced 3D Secure 2.x payments in our Hahn Air NDC platform.

It is important to note that our NDC platform does not accept 3D Secure 1 payments.

 

Which payment transactions are in scope?

 

For Hahn Air NDC, the SCA requirement applies to all electronic payment transactions where the customer's payment card is used and the card was issued in the EEA, regardless of the customer or Seller’s location.

For all these transactions, authentication data should be transmitted along with the payment card details, otherwise the payment transaction may not be authorized by the card issuer.

Some transactions are out of scope or can be exempt from SCA:

  • Mail Order – Telephone Order transactions (MOTO)
  • Low risk transactions
  • Low value transactions
  • Corporate payments (includes UATP cards)

For all transactions that are out of scope of SCA, authentication data is not required for the authorization to be successful. However, we do require that you send information about your interaction with the customer (ecommerce, mail order, telephone order or face-to-face) so we can better categorize the exemption.

Please note that it is the card issuer that decides whether the payment transaction can be authorized or whether authentication data is required.

 

Impacts on the OrderCreate / Payment flow

 

When the customer performs an electronic payment and the Hahn Air NDC platform receives the payment details, it is highly recommended that authentication data be sent along with them. If the authentication data is not sent, the payment transaction may not be authorized.

Note: UATP cards are an exception: no authentication data should be sent.

As the Hahn Air NDC platform never interacts directly with the customer, Hahn Air is not able to perform this authentication. Therefore, we require that all partners interacting with the customer take care of the authentication step. This can be done using the merchant plug-in (MPI) of your choice.

All details about how to send authentication data can be found in our OrderCreateRQ documentation, under the section:

OrderCreateRQ.AugmentationPoint

An updated WSDL specification is available at: https://hhnapi-pre.2e-systems.com/api/ndc/v172/ws?wsdl (IP whitelisting and credentials required).

Once the authentication has been completed, our Hahn Air NDC platform is then able to receive the OrderCreate with:

  • Payment card details (encrypted)
  • Authentication data

We will transmit this information to our Payment Service Provider (PSP) so that the payment authorization can be requested.

If the authorization is granted by the Issuer Bank with the authentication data transmitted, we will proceed with the Order creation and Ticketing.

If the authentication data is not accepted by the Issuer Bank or if the authorization is rejected for a different reason, a relevant error message will be returned, and the Order will not be created.

 

 

Payments without Authentication Data

 

It is still possible for the Hahn Air NDC platform to receive card payments without authentication data. This applies to payment transactions that are out of scope or exempt from SCA.

In such cases, the payment card details (encrypted) should be sent to our Hahn Air NDC platform and we will transmit this information to our PSP so that the payment authorization can be requested.

Ultimately, it is the Issuer Bank that will decide whether the payment can be authorized without authentication data or not.

If the authorization is granted without authentication data, we will proceed with the Order creation and Ticketing.

 

 

If the authorization is soft declined because authentication data is required by the Issuer Bank, a relevant error message will be returned so that authentication can be performed. The Order will not be created at this point. After authentication is completed, a new OrderCreate request can be sent to the Hahn Air NDC platform including payment card details (encrypted) and authentication data.

 

 

If the authorization is declined by the Issuer Bank for another reason, a relevant error message will be returned, and the Order will not be created.

 

Test Values

You can use the following test credit cards in our test system:

Card Code                Card Number         Security Code
VI (Visa)                4444333322221111    123
CA (MasterCard)          5555555555554444    123
AX (American Express)    343434343434343     1234
DC (Diners Club)         36148900647913      *NONE*
TP (Airplus/UATP)        122000000000003     *NONE*

You can use any expiry date within 7 years in the future for these test credit cards.

 

Along with the test credit cards, you can also force a specific behavior in our test system with the following cardholder names:

Cardholder Name              Expected behavior
AUTHORISED                   Authorization successful (any other cardholder name will have the same result)
REFUSED                      Authorization refused
ERROR                        Authorization error
EE.REJ_HIGH_RISK.SD          Soft decline due to high-risk transaction (no authentication data should be sent in the RQ)
EE.REJ_ISSUER_REJECTED.SD    Soft decline due to rejection from card issuer (no authentication data should be sent in the RQ)

 

You can use the following authentication values in our test system:

NDC Element              Test Value(s)
AuthenticationValue      MAAAAAAAAAAAAAAAAAAAAAAAAAA=
DirectoryServerTrxID     c5b808e7-1de1-4069-a17b-f70d3b3b1645
ElectronicCommerceInd
  • Successful authentication:
    • 05 (Visa, Amex, Diners)
    • 02 (Mastercard)
  • Attempted authentication:
    • 06 (Visa, Amex, Diners)
    • 01 (Mastercard)
  • Failed authentication:
    • 07 (Visa, Amex, Diners)
    • 00 (Mastercard)
PaymentTrxChannelCode
  • EC (Ecommerce)
  • FA (Face-to-face)
  • MO (Mail order)
  • TO (Telephone order)
ProgramProtocolText
  • 2.2.0
  • 2.1.0
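
A pre-flight check that a Seller integration could run before sending OrderCreate, as an added example that is not Hahn Air's code. It applies the rules stated on this page: no authentication data for UATP, 3DS 2.x only, ECI values per card code, known channel codes. The function name, the dict input shape and the UUID check on DirectoryServerTrxID are assumptions of this example.

```python
import uuid

# ECI values per card code, from the test-value table above.
_VISA_LIKE = {"05": "successful", "06": "attempted", "07": "failed"}
ECI = {"VI": _VISA_LIKE, "AX": _VISA_LIKE, "DC": _VISA_LIKE,
       "CA": {"02": "successful", "01": "attempted", "00": "failed"}}
CHANNELS = {"EC", "FA", "MO", "TO"}
AUTH_FIELDS = ("AuthenticationValue", "DirectoryServerTrxID",
               "ElectronicCommerceInd", "ProgramProtocolText")


def check_payment(card_code, fields):
    """Return (eci_outcome, problems) for one payment before it is sent.

    `fields` is a plain dict keyed by NDC element name; that shape is an
    assumption of this example, not the OrderCreateRQ schema.
    """
    problems = []
    present = [f for f in AUTH_FIELDS if fields.get(f)]
    if fields.get("PaymentTrxChannelCode") not in CHANNELS:
        problems.append("PaymentTrxChannelCode must be EC, FA, MO or TO")
    if card_code == "TP":  # UATP: no authentication data should be sent
        if present:
            problems.append("UATP card: remove " + ", ".join(present))
        return None, problems
    if not present:  # permitted; the issuer may still soft decline
        return None, problems
    proto = fields.get("ProgramProtocolText")
    if proto and not proto.startswith("2."):
        problems.append("3D Secure 1 is not accepted; protocol must be 2.x")
    ds_id = fields.get("DirectoryServerTrxID")
    if ds_id:
        try:  # assumption: the ID is a UUID, as the page's test value is
            uuid.UUID(ds_id)
        except ValueError:
            problems.append("DirectoryServerTrxID is not a UUID")
    eci = fields.get("ElectronicCommerceInd")
    outcome = ECI.get(card_code, {}).get(eci)
    if eci and outcome is None:
        problems.append(f"ECI {eci} is not defined for card code {card_code}")
    return outcome, problems


# Constructed sample built from the page's test values.
SAMPLE = {"PaymentTrxChannelCode": "EC", "ProgramProtocolText": "2.2.0",
          "ElectronicCommerceInd": "05",
          "DirectoryServerTrxID": "c5b808e7-1de1-4069-a17b-f70d3b3b1645"}
```

The returned outcome ("successful", "attempted" or "failed") lets the caller decide whether to submit the payment or repeat authentication first.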

 

Assistance

 

In case you have any questions or need assistance with your SCA integration, please contact us at: ndc@hahnair.com