cc3ds.pml (2797B)
# FROM: https://github.com/w3c/webpayments/tree/gh-pages/PaymentFlows

@startuml

Participant "Payee (Merchant) PSP [Acquirer]" as MPSP
Participant "Payee (Merchant) [Acceptor] Site" as Payee
Actor "Payer (Shopper) [Cardholder] Browser" as Payer
participant "Browser Form Filler" as UA
participant "Card Scheme Directory" as CSD
participant "Issuing Bank [Issuer] Website" as CPSPW
participant "Issuing Bank [Issuer]" as CPSP

note over Payee, Payer: HTTPS

title
<b>Legacy Merchant Hosted Card Payment with Acquirer Supported 3DS (Current)</b>

<i>3DS is used to add confidence that the payer is who they say they are and, importantly, to shift liability to the Issuer in the event of a dispute.</i>
end title

== Establish Payment Obligation ==

Payee->Payer: Present Check-out page with Pay Button
Payer->Payer: Select Card Payment Method

alt
    UA->Payer: Form Fill
    ' Note right: fields are PAN & Expiry Date with optional CVV & Address; Card Valid Date and Issue Number are also required for some Schemes
else
    Payer->Payer: User Fills Form
End

== Card Payment Initiation ==

Payer->Payee: Payment Initiation
' Note right: Custom code on merchant webpage can encrypt payload to reduce PCI burden from SAQ D to SAQ A-EP

opt
    Payee->Payee: Store Card
    ' note right: Merchant can store card details apart from CVV (even if encrypted) for future use (a.k.a. Card on File)
end

Payee-\MPSP: Authorise


== 3DS part of flow ==

' Note over MPSP, Payee: At this point, the Merchant or Merchant's PSP can decide if it wishes to invoke 3DS. This might be based on transaction value (i.e. low value -> low risk) or other factors, e.g. if the Shopper is a repeat purchaser.

MPSP --> CSD: BIN to URL lookup (VAReq message)
CSD -> CSD: Lookup URL from BIN
CSD --> CPSPW : "PING"
'note right: verify URL validity
CPSPW --> CSD: "PING" response
CSD --> MPSP: URL

MPSP-/Payee: 3DS redirect (PAReq message)
Payee->Payer: 3DS redirect (PAReq message)
Payer->CPSPW: 3DS invoke
CPSPW-\Payer: 3DS challenge
Payer-/CPSPW: 3DS response (PARes message)
CPSPW->Payer: 3DS response (PARes message)
Payer->Payee: 3DS response (PARes message)
Payee-\MPSP: 3DS response (PARes message)

MPSP->MPSP: Verification of PARes signature

== End of 3DS ==


MPSP-\CPSP: Authorisation Request
CPSP-/MPSP: Authorisation Response

MPSP-/Payee: Authorisation Response

== Notification ==

Payee->Payer: Result Page

== Request for Settlement process (could be immediate, batch (e.g. daily) or after some days) ==

Alt
    Payee -> MPSP : Capture
    'note right: Later Capture may be called, for example after goods shipped or tickets picked up
Else
    MPSP -> MPSP : Auto Capture in batch processing at end-of-day
End

MPSP->CPSP: Capture

== Fulfilment ==

Payee->Payer: Provide products or services

@enduml