Professional Documents
Culture Documents
Worldpay-Tpac2017 PPSX
Worldpay-Tpac2017 PPSX
Worldpay-Tpac2017 PPSX
1
1. Context
UK Open Banking Implementation
2. Implementation Progress
Worldpay’s Role
Merchant Payment
Shopper Merchant Processor Method
This is where the Payment Application authenticates and executes the payment, returning a receipt Yes Yes Yes
to the merchant.
2. Use ‘payee-credit-transfer’
Yes Yes No
This is where the Payment Application authenticates the user and authorises the payment, passing a
token to the merchant for execution.
This is where the Payment Application provides the Shopper’s account details to the Merchant for
the merchant to facilitate authentication & execution
4. Use a bespoke OpenBanking method, e.g. ‘https://www.worldpay.com/pay/openbanking’ ? ? ?
Would provide the maximum flexibility around data and flows, though less a less ‘standard’ approach
No No No
5. Don’t use PaymentRequest API
This would have been even easier, but not of much interest! (to this group at least)
Demo
5
CreditTransferRequest OB Request
6 …and
© Worldpay 2017. All rights reserved. some
There…and bits we
are…some
some
lastly couldn’t
easy bitsbits…
aharder
securitytoconcern
deal with…
CreditTransferResponse OB Response
Challenges
• For Open Banking API, it works but;
• …. and only if the Payment App comes from the Merchants PSP. So we don’t have interop!
• Either a specific SupportedNetwork (e.g. ‘Worldpay OB’ or PMI (https://www.worldpay.com/pay/openbanking) is needed.
• Make progress on securing push payments? E.g. receipts and/or signatures. Issue 31 & Issue 291
• Provision of Shipping Address (and basket info) to (authorised) Payment Apps. Issue 123
• Consideration of the approach for Polyfill to reduce need for fall-back flows
• Liaison with Open Banking (and other emerging payment API) organisations
Appendices
9
Open Banking UK - Specifications
Security Profile - https://www.openbanking.org.uk/read-write-apis/security-profile/id1-0-1/
Open Banking Directory - https://www.openbanking.org.uk/directory/
Account Transaction API (AISP Read only) - https://www.openbanking.org.uk/read-write-apis/account-transaction-api/v1-1-0/
Payment Initiation API (PISP Write) - https://www.openbanking.org.uk/read-write-apis/payment-initiation-api/v1-1-0/
Initiation of payments from personal and business current accounts (Version 1.0 of the Payment API only caters for the setup and submission of a single, immediate, domestic payment)
• Step 1: Request Payment Initiation - PSU
• Step 2: Setup Single Payment Initiation – PISP to ASPSP
• Step 3: Authorise Consent - PSU to ASPSP
• Step 4: Create Payment Execution submission – PISP to ASPSP
• Step 5: Get Payment Submission Status – ASPSP to PISP
Important considerations
• API’s adhere to RESTful API concepts where possible and sensible to do so and API requests and responses must use a UTF-8 character encoding.
• POST operations on both the /payments and /payment-submissions endpoint are designed to be idempotent
• HTTP Status Code reflects the outcome of API calls
• OAuth 2.0 will be the foundational framework for API Security in Open Banking.
• Open Banking, in conjunction with major IAM vendors, is ruling out the use of JWT Request objects by reference due a number of delivery risks and remaining security concerns
• The authorisation code is bound to the PISP that initiates the payment and is not portable across PISPs, whether Bank or 3rd party initiated
• Creditor and Debtor account details can be submitted in the Payment Initiation request
• No securing of funds on Payment Initiation, unlike credit card model
• Payment Initiation and Payment Execution are Asynchronous
• Payment Execution provides a status that the request has been received by the PSU ASPSP, not that the Payee ASPSP has received settlement
10
10 © Worldpay 2017. All rights reserved.
Sequence diagrams
11
11 © Worldpay 2017. All rights reserved.