To facilitate the solution, new API methods have been created and existing methods for customer actions that require SCA (exemptions may apply; see Appendix) have been amended.
Response Codes
The following new response codes have been added for SCA:

CODE | DESCRIPTION
--- | ---
900 | SCA needs to be performed.
901 | User blocked; Access not allowed for this user.
902 | Failed to send OTP.
903 | SCA request does not exist or expired.
904 | User blocked due to multiple fail OTP attempts.
905 | OTP verification failed; Multiple Invalid attempts will block the account.
906 | Incomplete Cardholder contact Information. Please Update the contact details and then resend the request.
907 | Login not allowed using this method as SCA required.
908 | OTP verification is pending
000 | Exemption applies, SCA not required
For a complete list of error codes, click here.
API flow
The Client will need to provide the UI on their portal for the customer to input the OTP, which is submitted to Contis by calling the new Authorize method. If the OTP matches successfully against the original API request, Contis will provide ReferenceID in AuthorizeInfo. See the OTP delivery section for information on how OTPs can be provided.

For example: if a customer initiates a payment with no exemption applicable, the client will be required to call the Authorize API method after getting a 900 response from the Account_BankWithdraw API method.
Resend OTP
The Client needs to provide Resend OTP functionality to their Customer if they do not receive the OTP or do not use it within 5 minutes (maximum validity). This is achieved by calling the RegenerateSCA API. This method can be used to send a new OTP up to a maximum of 4 times.
Account Access Block
A Customer's account access will be blocked if they fail to enter an OTP correctly 5 times or exceed the maximum number of OTP resends. Account access can be unblocked via an API if the Customer passes the Client's own security checking procedures.
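The client-side handling described in the API flow, Resend OTP and Account Access Block sections above, as an added example (not Contis code): it completes an SCA-protected call on a 900, lets the customer retry after a 905, and caps resends at 4 before a fifth RegenerateSCA could trigger a block. The transport shape and the field names SCAReference and OTP are assumptions; ReferenceID in AuthorizeInfo and the response codes come from this guide.

```python
"""Client-side handling of the Contis SCA-via-OTP flow (added example, not
Contis code). Assumed, not from the guide: transport(method, params) returns a
dict with 'ResponseCode' and 'ResultObject'; the field names 'SCAReference'
and 'OTP' are placeholders for the real parameter names."""

SUCCESS, SCA_NEEDED, OTP_INVALID = "000", "900", "905"
MAX_RESENDS = 4                 # RegenerateSCA limit; exceeding it blocks account access
RESEND_LIMIT = "RESEND_LIMIT"   # local status: cap reached, no further resend attempted


def perform_with_sca(transport, method, params, read_otp, want_resend):
    """Call an SCA-protected method and complete OTP authorisation on a 900.
    read_otp() returns the OTP the customer typed; want_resend() returns True
    when the customer pressed 'resend'. Returns (code, reference_id), where
    reference_id is the ReferenceID from AuthorizeInfo on success."""
    resp = transport(method, params)
    if resp["ResponseCode"] != SCA_NEEDED:          # 000 (exemption) or an error
        return resp["ResponseCode"], None
    sca_ref = resp["ResultObject"]["SCAReference"]  # placeholder field name
    resends = 0
    while True:
        if want_resend():
            if resends >= MAX_RESENDS:              # enforce the cap client-side so a
                return RESEND_LIMIT, None           # 5th resend never triggers a block
            resends += 1
            regen = transport("RegenerateSCA", {"SCAReference": sca_ref})
            if regen["ResponseCode"] != SUCCESS:    # e.g. 902 failed to send OTP
                return regen["ResponseCode"], None
            continue
        resp = transport("Authorize", {"SCAReference": sca_ref, "OTP": read_otp()})
        code = resp["ResponseCode"]
        if code == SUCCESS:
            return SUCCESS, resp["ResultObject"]["AuthorizeInfo"]["ReferenceID"]
        if code == OTP_INVALID:                     # 905: let the customer retry
            continue
        return code, None                           # 903/904/901 ...: surface to caller


def scripted_transport(script):
    """Constructed stand-in for the Contis API: returns canned responses in
    order and records every (method, params) call for inspection."""
    calls = []

    def transport(method, params):
        calls.append((method, params))
        return script.pop(0)
    transport.calls = calls
    return transport
```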
Inactivity Timer
Basics of the inactivity timer
- Contis needs to end the API session before 5 minutes of inactivity (290 seconds) from the account holder in the portal; this will log the customer out of the Contis elements of the portal.
- The SDK_PostLoginDetails API allows clients to tell Contis that the account holder is still active within the portal, in order to refresh the 5-minute inactivity timer and allow the customer continued access.
- If the customer has been inactive for 5 minutes (300 secs), they are timed out and clients have to make the call again using the same method.
- Trigger the refresh timer at 4 mins 30 seconds (270 seconds), to a 4-time maximum only.
- Maximum inactivity per session: 25 mins (1500 seconds).
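The timer bookkeeping a client needs for the rules above, as an added example (not Contis code): it tells the client when to make the SDK_PostLoginDetails refresh call and when the session is already lost, using the figures stated in this guide (290 s Contis timeout, 270 s refresh trigger, 4 refreshes, 1500 s per session). Times are plain seconds; how the client detects user activity is assumed to be its own concern.

```python
"""Client-side inactivity timer for the Contis session (added example, not
Contis code). Figures are the ones stated in the guide; times are seconds."""

CONTIS_TIMEOUT_S = 290   # Contis ends the API session before 5 minutes of inactivity
REFRESH_AT_S = 270       # trigger the refresh at 4 min 30 s
MAX_REFRESHES = 4        # refresh allowed to a 4-time maximum only
MAX_SESSION_S = 1500     # 25 minutes per session


class InactivityTimer:
    def __init__(self, login_time):
        self.login_time = login_time
        self.last_refresh = login_time  # last time Contis was told the user is active
        self.refreshes = 0

    def state(self, now, user_active):
        """Return 'ok', 'refresh' (call SDK_PostLoginDetails now) or 'expired'
        (Contis has logged the customer out; a fresh login call is needed)."""
        since_refresh = now - self.last_refresh
        if since_refresh >= CONTIS_TIMEOUT_S or now - self.login_time >= MAX_SESSION_S:
            return "expired"
        if user_active and since_refresh >= REFRESH_AT_S and self.refreshes < MAX_REFRESHES:
            return "refresh"   # user is active and budget remains: refresh before 290 s
        return "ok"

    def refreshed(self, now):
        """Record a successful SDK_PostLoginDetails refresh call."""
        self.refreshes += 1
        self.last_refresh = now
```

Once state() returns "expired", the client must treat the Contis session as gone and go through the login call again rather than keep refreshing.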
Table of updated existing API methods
The table below details the existing API methods that now have the 900 response, i.e. SCA is required (unless exemptions apply).

DEV PORTAL CONTROLLER | WEB METHOD NAME | API DESCRIPTION | SCA CUSTOMER EVENT | SCA DESCRIPTION – SEE APPENDIX FOR DETAIL ON EXEMPTIONS
--- | --- | --- | --- | ---
Account | ListTransactions_Account | Returns a list of cleared transactions. | Historical Transactions (> 90 days) | SCA required if more than 90 days of transactions are requested and the customer has not performed a 2FA login in the last 90 days
Account | UnloadConsumerAccount | Debits the specified amount from the customer's account and credits it to the programme holding or funding account. | Transfer | SCA required if a customer transfers money from the customer account to another Contis account (programme holding or funding account) (exemptions may apply)
Consumer | UpdateConsumerContactDetails_Consumer | Updates the customer's mobile number, email address and address. | Update Contact Details (Mobile or Address) | SCA required when a customer changes their mobile phone number or address
P2P | PayRequestedMoney | Enables the payment request recipient to pay the requested money to the beneficiary. | Pay Request Money | SCA required when a customer, as the payment request recipient, pays the requested money to the beneficiary (exemptions may apply)
P2P | SendMoney | Sends money from the customer's account to the recipient account. | Send Money | SCA required when a customer sends money from their account to a recipient account (exemptions may apply)
P2P | SendMoneyByEmailAddress | Transfers money from the customer to the payee account using the recipient's email address. | Send Money | SCA required when a customer sends money to the payee using the recipient's email address (exemptions may apply)
P2P | SendMoneyByMobileNumber | Transfers money from the customer to the payee account using the recipient's mobile phone number. | Send Money | SCA required when a customer sends money to the payee using the recipient's mobile phone number (exemptions may apply)
P2P | SendMoneyByUserName | Transfers money from the customer to the payee account using the recipient's username. | Send Money | SCA required when a customer sends money to the payee using the recipient's username (exemptions may apply)
P2P | SendMoneyByIBAN | Transfers money from the customer to the payee account. The money is immediately credited to the beneficiary account using the IBAN (International Bank Account Number). | Send Money | SCA required when a customer sends money to the payee account (immediate credit) (exemptions may apply)
P2P | Transfer | Transfers funds from the customer's account to the recipient account if the amount is available in the customer's account. | Third-Party Transfer | SCA required when a customer sends money to the payee account (exemptions may apply)
StandingOrder | SetupSOReceipent | Creates an internal or third-party standing order by specifying the recipient. | Add Standing Order | SCA required when a customer creates a standing order
StandingOrder | SetupSORecipientBank | Creates an internal or third-party standing order by specifying the recipient's bank account. | Add Standing Order | SCA required when a customer creates a standing order
StandingOrder | UpdateSODetails | Updates the details of an existing standing order. | Edit Standing Order | SCA required when a customer amends a standing order
Transfer | BankTransfer | Transfers funds from a Contis customer to an external bank account if the amount is available in the customer's account. | Bank Transfer | SCA required when a customer transfers funds from their account to an external bank account (exemptions may apply)
Account | Account_GetBalance | Returns the latest balance of the given account. Displays the balance of secondary account(s) linked to the primary account. If a subaccount parameter is passed, it returns the balance of the specified account number. | | SCA required if the balance is requested and the customer has not performed a 2FA login in the last 90 days
Table of new API methods
The table below details the new API methods that support the SCA via OTP solution.

DEV PORTAL CONTROLLER | WEB METHOD NAME | API DESCRIPTION | SCA CUSTOMER EVENT | SCA DESCRIPTION – SEE APPENDIX FOR DETAIL ON EXEMPTIONS
--- | --- | --- | --- | ---
P2P | UpdateBeneficiaryStatus | Enables the customer to apply or remove trusted beneficiary status for a payee account. The customer must have made at least one successful payment to the payee before this action can be performed. | Edit Beneficiary Status | SCA required when a customer applies or removes trusted status for a beneficiary. Making a beneficiary trusted means a customer does not have to undertake SCA on subsequent payments; thus this becomes one of the exemptions detailed against existing APIs. The customer must have made at least one successful payment to a beneficiary before they can be made trusted.
Transfer | UpdateBeneficiaryStatus | Enables the customer to apply or remove trusted beneficiary status for a payee account. The customer must have made at least one successful payment to the payee before this action can be performed. | Edit Beneficiary Status | SCA required when a customer applies or removes trusted status for a beneficiary. Making a beneficiary trusted means a customer does not have to undertake SCA on subsequent payments; thus this becomes one of the exemptions detailed against existing APIs. The customer must have made at least one successful payment to a beneficiary before they can be made trusted.
Security | RegenerateSCA | The RegenerateSCA method is used to generate SCA again if the Authorize method fails to perform SCA due to wrongly entered data. This method authenticates the consumer and submits the earlier pending API request. If ResponseCode = 000 (Success), the API request has been executed successfully. If any validation fails, Contis will return an error code with an error description in the API response. For more detail, refer to the parameter values of ResultObject mentioned in this document. | | For clients using the API SCA solution only via OTP: following a customer request to resend an OTP, this method resends an OTP specific to the SCA reference number. The customer can request a resend up to a maximum of 4 times. The initial OTP is sent in the first 900 response.
Security | Authorize | The Authorize method is used to perform second-factor authentication of the consumer depending upon the SCA type of the consumer set in the scheme settings, i.e. if the SCA type of a consumer is set as OTP, SCA will be performed using OTP. | Authorisation | For clients using the API SCA solution only via OTP: method used to pass the OTP back to Contis to authorize the SCA request.
Consumer | UnblockConsumerLogin | Unblocks the customer's account access. | | Customer account access must be blocked if the customer exceeds the maximum number of failed authentication attempts to complete SCA. This API enables a client to unblock a customer account if the customer passes the necessary security checks under the client's own rules for unblocking the account.
Security | PostLoginDetails | This method is used to trigger the SDK for the second factor of customer login to the client app, to advise Contis of which SCA-compliant factors have been used for customer login (where client managed), and for inactivity timer management. | Login | This method can do 3 things: (1) trigger the SDK for the second factor of SCA for customer login to the client app (optional; clients can manage their own 2FA SCA-compliant login journey); (2) advise Contis of which first factor has been used for customer login to the client app (mandatory) and which second factor (optional); (3) inactivity timer: lets Contis know that a customer has successfully logged in and remains active within the client portal/app, which is required to meet the inactivity criteria. See appendix for more details.