SDK appendix

SCA events and exemptions

The table below identifies which customer actions require SCA. Contis, as the regulated entity, has full control over the use of exemptions and implements them where applicable.

| CUSTOMER ACTION | CROSS REFERENCE TO TABLE BELOW | IS SCA REQUIRED? | SCA EXEMPTIONS AVAILABLE? | NOTES |
|---|---|---|---|---|
| Account login* | ID1, ID2 | Yes | Yes | If the customer can only see the balance or transactions less than 90 days old, then SCA is not required, but 2FA SCA on login must have been performed in the last 90 days to use this exemption |
| Change address online | ID12 | Yes | No | |
| Change mobile online | ID13 | Yes | No | |
| Card Spend – Contactless | n/a | Yes | Yes | Limited by amount of all consecutive Contactless transactions |
| Card Spend – Online (includes stored card details) | ID8 | Yes | Yes | Transactional Risk Analysis |
| Bank transfer / Payment out of account; P2P/Internal Transfers – Send via mobile no, email or username | ID3, ID4, ID5, ID6, ID7, ID14 | Yes | Yes | Trusted Beneficiary, Low Value Limit |
| Creation/changing a standing order | ID9, ID10 | Yes | No | |
| Trusted beneficiary added/changed/removed for payments/transfers | ID11 | Yes | No | One payment to be made, before functionality available to customer |

It won’t be possible to predict for all transactions whether SCA will apply (or not), or if an exemption is available. For example, the low-value limit is set to EUR30, but not all amounts less than this will be exempted.

The use of exemptions is discretionary, and certain exemptions are only permissible where fraud levels remain under prescribed limits. The use of exemptions is therefore always subject to change by Contis.

The SDK has been made available so that the friction introduced by PSD2 can be reduced to quick and easy steps for the customer.

SCA events and SDK screen content

The table below details, for each SCA event, what will be shown in the SDK screen by way of Title and Description. Please refer to the API reference section for a cross reference to each API linked to the SCA event.

| ID | SCA EVENT | TITLE DISPLAYED IN SDK | DESCRIPTION DISPLAYED IN SDK – SAMPLE |
|---|---|---|---|
| ID1 | Account login* | Login | Authorise login |
| ID2 | Historical transactions (> 90 days) | Login | Authorise login |
| ID3 | Send money | Payment | Authorise £5.00 payment to John Smith |
| ID4 | Bank transfer | Payment | Authorise £5.00 payment to John Smith |
| ID5 | Internal or Third-Party transfer | Payment | Authorise £5.00 payment to John Smith |
| ID6 | Pay request money | Payment | Authorise £5.00 payment to John Smith |
| ID7 | Withdraw money | Payment | Authorise £5.00 payment to John Smith |
| ID8 | Card spend online | Card Payment | Authorise payment £5.00 to Emirates Airlines card ending 4567 |
| ID9 | Add standing order | Standing Order | Authorise standing order of £5.00 to British Gas |
| ID10 | Edit standing order | Standing Order | Amend standing order to British Gas |
| ID11 | Edit beneficiary status | Trusted | Change to trusted status |
| ID12 | Change address online | Change Details | Change your address |
| ID13 | Change mobile number online | Change Details | Change your mobile number to *******789 |
| ID14 | Transfer | Transfer | Authorise your transfer of £5.00 |
| ID15 | Pay your fees | Pay your Fees | Authorise £5.00 to pay fee |
| ID16 | Device registration | Register Your Device | Authorise device registration |

*The SDK is only available for the 2nd FA (not the 1st FA) for login to a client app.

SDK screen library

The following screen examples use a payment journey, e.g. ID3-ID7 in the table above:

‘Tap on the App’

Facial Recognition

Fingerprint

OTP

mPIN

Password

Customer Push Notification: Please note that the biometric images are supplied by Contis and cannot at this time be themed, i.e. face recognition and fingerprint ID images.

Inactivity Timer

Basics of the inactivity timer

  • Contis needs to end the API session after 5 minutes (300 seconds) of inactivity by the account holder in the app/portal. This logs the customer out of the Contis elements of the app/portal.
  • The SDK_PostLoginDetails API method allows clients to tell Contis that the account holder is still active within the app/portal, which refreshes the 5-minute inactivity timer and allows the customer continued access.
  • If the customer has been inactive for 5 minutes (300 seconds), they are timed out and clients have to make a call again using the same method.
  • Trigger the refresh timer – 4 mins 30 seconds (270 seconds), maximum of 4 times only
  • Maximum inactivity per session – 25 mins (1500 seconds)
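
The timer rules above, modelled on a fake clock as an added example (not Contis or SDK code). It assumes the cap of 4 refreshes counts per session and that each refresh restarts the 300-second window; `send_refresh` is a hypothetical stand-in for the client's own call to SDK_PostLoginDetails, whose real signature is not shown on this page.

```python
from dataclasses import dataclass

TIMEOUT_S = 300        # Contis ends the API session after 300 s of inactivity
REFRESH_AT_S = 270     # client triggers the refresh at 4 min 30 s
MAX_REFRESHES = 4      # the refresh may be triggered at most 4 times
MAX_INACTIVE_S = 1500  # stated ceiling: 25 minutes of inactivity per session


@dataclass
class InactivityTimer:
    """Client-side model of the timer; all times are seconds since login."""
    last_reset: float = 0.0
    refreshes_used: int = 0
    expired: bool = False

    def tick(self, now, send_refresh):
        """Call periodically while the account holder is idle.

        send_refresh is the caller's wrapper around SDK_PostLoginDetails
        (hypothetical callable; the real signature is an assumption).
        """
        if self.expired:
            return "expired"
        idle = now - self.last_reset
        if idle >= TIMEOUT_S:
            # Too late to refresh: the session has already been ended.
            self.expired = True
            return "expired"
        if idle >= REFRESH_AT_S and self.refreshes_used < MAX_REFRESHES:
            send_refresh()
            self.refreshes_used += 1
            self.last_reset = now  # assumed: the 300 s window restarts here
            return "refreshed"
        return "active"


def simulate(step_s=10, horizon_s=2000):
    """Run a fully idle session; return (refresh_times, expiry_time)."""
    timer, sent = InactivityTimer(), []
    for now in range(0, horizon_s + 1, step_s):
        if timer.tick(now, lambda: sent.append(now)) == "expired":
            return sent, now
    return sent, None
```

Polling every 10 seconds, the idle session refreshes four times and then expires inside the 1500-second ceiling; polling only every 300 seconds misses the 30-second refresh window and the session ends at the first timeout.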