- Customer has completed adding items to their cart, and proceeds with payment by navigating to the checkout page.
- From the checkout page a POST request is sent to VPOS, with enough data for Cardlink to authenticate the merchant (MID, digest, etc).
**The Merchant’s system is only aware of the VPOS, communication between VPOS & MPI takes place internally.
- The customer gets redirected to the VPOS payment page, and inserts the card data.
- Payment page has a 30 mins timeout while the 3D page has only 15 minutes.
- On submission, a POST request is sent to VPOS, with all the parameters and their digest calculated by the merchant’s system.
- When the customer submits the card data, VPOS checks if the merchant is 3D Secure or not.
- In case merchant is 3D Secure, VPOS connects to MPI which performs the authentication:
MPI uses the card’s BIN to send a request to the corresponding Directory Server to:
- Determine if the card is enrolled to 3d
Get the card Issuer’s ACS url
The MPI sends a Request to ACS
- The ACS redirects to the 3D Secure Page. As soon as the customer passes the 3D challenge, ACS returns the control to MPI.
- MPI receives the response and sends it back to VPOS
3D secure data travel all the way, so that the bank can decline if no 3D authentication took place.
- VPOS proceeds with authorization by sending a request to PZAC in Bic Iso format.
- If the authorization is successful, then VPOS makes a POST request to the merchant’s confirmURL.
- If authentication or authorization fails then VPOS makes a POST request to the Merchant’s cancelURL.