# Strong Customer Authentication
New PSD2 RTS requirements have been rolled out across Europe to protect online payments. At Intergiro we proudly welcome the new regulation and endorse the mission to give users control over their payment experience and security online.
Now, some user actions require their explicit consent and authorisation:
- KYC & Onboarding
- accessing an individual's payment history
- external payments
- accessing sensitive card details

# Enrollment
As part of the KYC & Onboarding process we take care of the user registration, i.e. the user creates a passcode, confirms their phone number and enrolls their biometric device. This is fully transparent and doesn't require you to store any user secrets on your end.
When it comes to Bank payments and Cards, however, the users will have to provide their explicit authorisation directly to Intergiro by means of a URL redirect.
# Consent flow
Our API provides a flexible way to initiate the consent process, whether through a web browser or directly within your mobile application using our Mobile SDKs. Upon successful initiation via the API, you will receive a `method.redirect_url` and a `method.token` in the response, enabling these two distinct approaches.
# Approach 1: the Consent Flow via Web
This approach is ideal for web applications, when you want to leverage a browser-based experience for the Consent Flow.
# How it works
The `method.redirect_url` provided in the API response is a pre-signed URL that, when accessed, will automatically start the Consent Flow in the user's browser. The necessary token is already embedded within this URL.
# Implementation
A pending Consent request object is returned as a `412 Precondition Failed` HTTP response to an action which requires the SCA:

```http
HTTP 412 Precondition Failed

{
  "consent": {
    "id": "e1dd9cd7-1650-42b3-8496-a970fb40ed3f",
    "status": "pending"
  }
}
```
With the received `consent.id`, make a request to the `POST /consents/<consent_id>` endpoint in order to initiate the consent process:

```http
POST /v3/consents/e1dd9cd7-1650-42b3-8496-a970fb40ed3f
Content-Type: application/json
Authorization: Bearer <access_token>

{
  "return_url": "https://example.com/payment_finished"
}
```
The response will contain a Consent Method with instructions on how to complete the process:

```http
HTTP 200 OK

{
  "method": {
    "redirect_url": "https://integrate.intergiro.com/sca/consent?token=eyJjb...",
    "token": "eyJjb...",
    "expires_at": "2021-05-11T09:55:17.000Z"
  }
}
```
Now you'll need to open the browser and send the user to the `redirect_url` received.
REQUIREMENT
To ensure the best user experience (UX), along with stable operation of the Consent Flow and biometric functions, we require the following:
- Native Applications:
  - iOS: Use SFSafariViewController for redirect experiences.
  - Android: Use Chrome Custom Tabs for redirect experiences.
  - Standalone browsers can be used on both platforms but are not a recommended option.
- Web Applications:
  - Use a standalone browser for redirect experiences.
Please note that we do not guarantee support for redirect flows integrated into your application in any manner other than those mentioned above.
Once the user finishes, they will be redirected back to the `return_url` provided.
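
One way a backend could wire these steps together, as an added example that is not Intergiro's own code: it recognises the pending-consent 412, builds the `POST /v3/consents/<consent_id>` request, and checks the returned `method` before the user is redirected. Assumptions: the function names are hypothetical, the expected host is taken from the sample `redirect_url` above, and the embedded token is assumed to be the `token` query parameter.

```python
import json
import uuid
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Assumption: host taken from the sample redirect_url on this page.
EXPECTED_REDIRECT_HOST = "integrate.intergiro.com"


def pending_consent_id(status, body):
    """Return the consent id if the response is a pending-SCA 412, else None."""
    if status != 412:
        return None
    consent = json.loads(body).get("consent", {})
    if consent.get("status") != "pending":
        return None
    # Reject anything that is not a UUID before placing it in a URL path.
    return str(uuid.UUID(consent["id"]))


def build_consent_request(consent_id, return_url, access_token):
    """Describe the POST that initiates the consent process."""
    if urlsplit(return_url).scheme != "https":
        raise ValueError("return_url must be https")
    return {
        "method": "POST",
        "path": f"/v3/consents/{consent_id}",
        "headers": {"Content-Type": "application/json",
                    "Authorization": f"Bearer {access_token}"},
        "body": json.dumps({"return_url": return_url}),
    }


def checked_redirect_url(body, now):
    """Return method.redirect_url only if it is safe to send the user there."""
    method = json.loads(body)["method"]
    url = urlsplit(method["redirect_url"])
    if url.scheme != "https" or url.hostname != EXPECTED_REDIRECT_HOST:
        raise ValueError("unexpected redirect target")
    # Assumption: the embedded token is the `token` query parameter.
    if parse_qs(url.query).get("token") != [method["token"]]:
        raise ValueError("redirect_url token does not match method.token")
    expires = datetime.fromisoformat(method["expires_at"].replace("Z", "+00:00"))
    if expires <= now:
        raise ValueError("consent method expired")
    return method["redirect_url"]
```

Pass a timezone-aware `now` (for example `datetime.now(timezone.utc)`) so the comparison with `expires_at` is valid.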
# Approach 2: Starting the Consent Flow via Mobile SDK
This approach is recommended for a native, fully integrated experience for your mobile users, leveraging the full capabilities of our Mobile SDKs.
# How it works
The `method.token` provided in the API response is used to initialize our mobile SDK, which then takes over the UI and flow for the consent process directly within your mobile application.
# Implementation
For more detailed implementation guides specific to the Consent Flow via Mobile SDKs, refer to the dedicated Mobile SDKs SCA section below.