FAQs

3DS v2

If you use our eCommerce page, Worldline will take care of all mandatory fields.

If you are integrated via DirectLink, meaning that you have your own payment page, we have a JavaScript example available on the support page to collect the mandatory data.

For the optional information collection, refer to our support page on how to integrate with Worldline.

COF in a nutshell: the customer initiates a first transaction with a merchant with 3-D Secure (the customer-initiated transaction, CIT). Following this first transaction, the merchant can perform recurring transactions (a subscription, or with customer approval -> tokenization), flagged as MIT transactions.

MITs are one of the exemptions foreseen within 3DSv2, if they fulfil the following cumulative conditions:

  • They are subsequent transactions of an initial CIT
  • The CIT was done with a mandatory authentication
  • A dynamic ID linking is made between the initial CIT and the subsequent MITs

After initial authentication, exemptions/exclusions can apply:

  • Either because of legal recurring exemptions, which apply to subscriptions with a fixed amount and periodicity (merchants are advised to authenticate for the full amount and to provide details about the number of payments agreed with the cardholder)
  • Or because other types of transactions are excluded from SCA scope, at the merchant's sole risk in case of chargeback (protection is limited to the authenticated amount), and the issuer needs to accept that this risk is taken:
    • Unscheduled COF: principle of subsequent transactions is agreed with card holder, but amount and/or periodicity is not fixed
    • Industry practices: incremental, no show, etc...

For the transitional period, schemes have defined a default ID to be used for subsequent MITs created before the introduction of 3DS v2.

3DSv2 is inviting merchants to send additional information (mandatory / recommended ... ). All you need to know as a merchant can be found here:

Comply with PSD2 

First, you need to make sure that 3-DS is enabled on your online store for all your payment methods (Visa, MasterCard, American Express, Carte Bancaire, JCB). Make sure it's done. If not, please ask our support to activate it.

As 3-D Secure version 2 (3DSv2) aims to grant the Strong Customer Authentication (SCA) trigger to the issuing bank, the issuing bank needs to better assess the risk involved in the transaction. As a consequence, the 3DSv2 specification contains a lot of data elements. Good news if you are using our fraud tool, since some of them are already commonly used in our fraud screening! Of course, some are new and specific to 3-D Secure v2. In summary, the data elements can be categorized as follows:

  • Mandatory information - browser data:
      • Card holder name (CN)
      • Integration with Shopping Carts?
        You are kindly invited to go to the shopping cart marketplace to install the latest version of the Worldline plugin or to contact your supplier directly.
      • If you are using our eCommerce page, mandatory information is collected by Worldline. You can go directly to the recommended information below.
      • If you are using your own payment page, you will need to collect the mandatory information yourself as described below. We advise you to consult our support page to find out how and to take a look at the JavaScript example.
    • Read more in the Directlink 3D guide
  • Recommended information - these could possibly be used as part of fraud prevention screening:
      • Email (EMAIL)
      • IP address (REMOTE_ADDR)
      • Phone number (Mpi.WorkPhone.subscriber, Mpi.HomePhone.subscriber ...)
      • Billing address (ECOM_BILLTO_POSTAL_CITY, ECOM_BILLTO_POSTAL_COUNTRYCODE, ECOM_BILLTO_POSTAL_STREET_LINE1 ...)
      • Shipping address (ECOM_SHIPTO_POSTAL_CITY, ECOM_SHIPTO_POSTAL_COUNTRYCODE, ECOM_SHIPTO_POSTAL_STREET_LINE1 ...)
    • Note that the recommended/optional parameters should be provided to benefit from the frictionless flow, which can increase your conversion.
  • Optional information – extended cardholder/account data as introduced by EMVCo:
      • Mpi.cardholderAccountAgeIndicator
      • Mpi.cardholderAccountChange
      • Mpi.cardholderAccountPasswordChange
      • Mpi.suspiciousAccountActivityDetected
      • Mpi.threeDSRequestorChallengeIndicator
    • Read more in the full list

Our existing APIs already capture a lot of the data elements, but we are adding a lot of new data elements. The reason is that we believe that everybody in the payments ecosystem benefits from increased security, with the least amount of negative impact on the experience of the consumer. Payments are based on trust, and by providing more data it becomes easier for parties to trust one another without requiring additional challenges to authenticate the consumer. Almost all of the newly added data elements are optional, but we advise you to supply as many of them as possible. This increases the likelihood of your transactions following the frictionless flow, while you benefit from liability shift. If you use the Worldline hosted payment page, we will capture the browser-related data automatically.

The level of required changes will differ based on the type of integration you have with Worldline.

Exclusions are transactions that are OUT of scope for PSD2 SCA regulations:

  • Mail order/telephone order
  • One leg journey - Payee's PSP (aka Merchant's acquirer) or Payer's PSP (aka Buyer's payment method issuer) is outside of EEA zone
  • Anonymous prepaid cards up to 150€ (article 63)
  • MIT - merchant initiated transactions

Exemptions are transactions that are IN the scope of PSD2 SCA regulations:

  • Low value transactions
  • Subscriptions
  • Risk analysis
  • Whitelisting

3-D Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, AmericanExpress SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification that has been drafted by EMVCo. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo’s six member organizations (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

One of the core differences in version 2 is that the issuer can use a lot of data points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers will not challenge the transaction (e.g. not sending an SMS to the cardholder) while still authenticating it (frictionless). Conversely, for high-risk transactions, issuers will require the cardholder to authenticate with an SMS or biometric means (challenge).

Separately, the Strong Customer Authentication (SCA) required from 1st January 2021 for Europe and from 14th September 2021 for UK, as specified in PSD2, will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible. In short, 3-D Secure version 2 means:

  • You will need to implement 3-D Secure before January 1st, 2021 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
  • You are advised (and in some cases required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2
  • You might need to update your privacy policy with regards to GDPR as you might be sharing additional data-points with 3rd parties
  • A much better user experience for your consumers

The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the cardholder compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

Add Card value refers to the case when a wallet provider uses 3DS protocol to add a card to their wallet. This will be implemented by the respective wallet provider.

From 1st January 2020 for Europe and from 14th September 2021 for UK, Strong Customer Authentication (SCA) rules will come into effect for all digital payments in Europe. Right now, banks, payment service providers and card networks are all working on technical solutions that will comply with the requirements for PSD2. To accept payments after January 1st you will have to make sure that these technical solutions will work with your online store.

Accepting payments from the world’s largest card networks, Visa, Mastercard and Amex, will require that you have implemented the security solution 3D Secure for your online store. 3D Secure has been used since 2001 to improve the security of online card transactions, but now a new version has been developed that will facilitate the PSD2 Strong Customer Authentication requirements.

We recommend that you use 3-D Secure, since it helps prevent fraud and also protects you from liability in case of any fraud. From January 1st 2020 it will also be a requirement for accepting payments from major cards.

Along with the platform release in July we have enhanced our transaction overview details. Individual transactions now contain detailed information on which flow (legacy 3DS v1 or 3DSv2) was applied. More information can be found in our notes for Release 04.133 in the Back Office via Support > Platform Releases > Release 04.133.

In addition to that we have added the new parameter VERSION_3DS to our electronic reporting tool.

The possible values for VERSION_3DS are

V1  (for 3DS v1)
V2C (for 3DS v2 challenge flow)
V2F (for 3DS v2 frictionless flow) 

To add this parameter to your transaction file downloads, follow the instructions as shown in this video:


Our test platform is ready for you to start testing. A simulator will support all different scenarios.

Testing cards have been provided and can be found on the support site, as well as in the TEST environment (Configuration > Technical Information > Test info).

Please contact us should you wish to start using 3-D Secure version 2 (3DSv2) in production. 

To make things easier for both merchants and consumers, PSD2 allows for some exemptions from strong customer authentication. What’s important to note is that all transactions that qualify for an exemption won’t be automatically exempted. In the case of card transactions, for example, it’s the card issuing bank that decides if an exemption is approved or not. So, even if a transaction qualifies for an exemption the customer might still have to make a strong customer authentication, if the card issuing bank chooses to demand it.

The EU’s Second Payment Services Directive (2015/2366 PSD2) entered into force in January 2018, aiming to ensure consumer protection across all payment types, promoting an even more open, competitive payments landscape. Acting as a payment service provider, we pride ourselves on being confirmed PSD2 compliant since 29 May 2018.

One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that will be required on all electronic transactions in the EU from 1st January 2021 for Europe and from 14th September 2021 for UK. SCA will require cardholders to authenticate themselves with at least TWO out of the following three methods:

  • Something they know (PIN, password, …)
  • Something they possess (card reader, mobile, …)
  • Something they are (voice recognition, fingerprint, …)

This means your customers, in practice, will no longer be able to make a card payment online by using only the information on their cards. Instead they will have to, for example, verify their identity on a bank app that is connected to their phone and requires a password or fingerprint to approve the purchase.

More information about PSD2 can be found here: https://www.europeanpaymentscouncil.eu/sites/default/files/infographic/2018-04/EPC_Infographic_PSD2_April%202018.pdf

This situation is only possible if you are integrated via DirectLink (Merchant own page / FlexCheckOut), since on the Worldline hosted payment page Worldline collects the mandatory data.

First of all, Worldline will identify whether the flow is to be directed to v1 or v2 based on the card numbers.

If the card is enrolled for v2, there are the following possible scenarios:

Mandatory data:

  • If the wrong data is passed, transaction is blocked
  • If some data is missing, Worldline will direct your transaction to v1 flow
  • If no data is passed, transaction is NOT blocked but diverted to flow v1

Recommended or optional data:

  • If no data is passed, the transaction is NOT blocked, but cannot benefit from exemption.

Unless the authentication is an obligatory step (i.e. in case of a card registration or an initial transaction of a series of recurring transactions), issuers can decide to pass on the authentication. In such a scenario the issuer will be liable in case of a charge back.

As 3DSv2 introduces frictionless authentication, the time for processing a transaction may be reduced. Conversely, if Strong Customer Authentication is requested, the processing time may be longer.
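As an added example (not Worldline code), the JavaScript below counts the VERSION_3DS values listed earlier on this page per brand and flags brands whose authenticated transactions mostly ran on the v1 flow, which on a DirectLink integration can point to the missing mandatory data described above. The file layout, the PAYID and BRAND column names, the function names and the 50% threshold are assumptions; a card that is only enrolled for v1 also produces V1, so treat the flag as a prompt to check, not as proof.

```javascript
'use strict';

// Values documented on this page for the VERSION_3DS reporting parameter.
const FLOWS = ['V1', 'V2C', 'V2F'];

// Constructed sample download. The layout (header row, ';' separator, PAYID
// and BRAND columns) is an assumption; adapt it to your own file format.
const SAMPLE_EXPORT = [
  'PAYID;BRAND;VERSION_3DS',
  '1001;VISA;V2F',
  '1002;VISA;V2F',
  '1003;VISA;V2C',
  '1004;VISA;V2C',
  '1005;MasterCard;V1',
  '1006;MasterCard;V1',
  '1007;MasterCard;V2F',
  '1008;MasterCard;V1',
  '1009;VISA;',   // no 3-D Secure flow recorded
  '1010;VISA;V9', // value not documented on the page
].join('\n');

// Parse the file into row objects keyed by upper-cased column name.
function parseExport(text) {
  const lines = text.split(/\r?\n/).filter((l) => l.trim() !== '');
  if (lines.length === 0) throw new Error('empty export');
  const header = lines[0].split(';').map((h) => h.trim().toUpperCase());
  if (!header.includes('VERSION_3DS')) {
    throw new Error('VERSION_3DS column missing: add it to the file download first');
  }
  return lines.slice(1).map((line, i) => {
    const cells = line.split(';');
    if (cells.length !== header.length) {
      throw new Error(`row ${i + 2}: expected ${header.length} fields, got ${cells.length}`);
    }
    const row = {};
    header.forEach((name, idx) => { row[name] = cells[idx].trim(); });
    return row;
  });
}

// Count flows per brand and derive two ratios:
//   frictionlessShare = V2F / (V2C + V2F)
//   v1Share           = V1  / (V1 + V2C + V2F)
function summariseByBrand(rows) {
  const out = new Map();
  for (const row of rows) {
    const brand = row.BRAND || 'UNKNOWN_BRAND';
    if (!out.has(brand)) out.set(brand, { V1: 0, V2C: 0, V2F: 0, none: 0, unknown: 0 });
    const s = out.get(brand);
    const v = row.VERSION_3DS.toUpperCase();
    if (v === '') s.none += 1;
    else if (FLOWS.includes(v)) s[v] += 1;
    else s.unknown += 1; // keep unexpected values visible instead of dropping them
  }
  for (const s of out.values()) {
    const v2 = s.V2C + s.V2F;
    const authenticated = s.V1 + v2;
    s.frictionlessShare = v2 === 0 ? null : s.V2F / v2;
    s.v1Share = authenticated === 0 ? null : s.V1 / authenticated;
  }
  return out;
}

// Brands whose share of v1 flows exceeds the threshold (assumed default 0.5).
function brandsMostlyOnV1(summary, threshold = 0.5) {
  return [...summary]
    .filter(([, s]) => s.v1Share !== null && s.v1Share > threshold)
    .map(([brand]) => brand)
    .sort();
}

console.log(brandsMostlyOnV1(summariseByBrand(parseExport(SAMPLE_EXPORT))));
```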

If the issuer applies the new PSD2 ruleset and 3DS is not active in the merchant's account, the transaction will be rejected with a new error code: soft decline. Therefore, please make sure to have 3DS active for each brand in your account(s). If you are integrated with DirectLink (Server to Server), you will need to implement the soft decline mechanism.

In a case like this, Worldline will automatically manage a fallback to 3-D Secure v1.

With the introduction of the PSD2 guideline, all your customers will have to pass a 3-D Secure authentication check (apart from some clearly defined exclusions and exemptions). To make sure 3-D Secure is correctly rolled out for your transactions whenever necessary, go through this checklist:

  1. Confirm that 3-D Secure is active for all credit card payment methods in your Back Office via Advanced > Fraud Detection > 3D-Secure

    [Image: where to find the 3-D Secure activation status for your payment methods in the Back Office]

    If any of your payment methods is not “Active” as stated in column “3-D Secure status”, contact us

  2. Check that your integration implements the 3-D Secure step correctly. For Hosted Payment Page, we take care of this, but for DirectLink you need to implement it yourself

  3. Understand when exclusions and exemptions from 3-D Secure apply. Learn how to implement it correctly for Hosted Payment Page and DirectLink

  4. Know when to skip 3-D Secure using our Soft Decline feature and how to recover soft-declined transactions via DirectLink

If a transaction reaches status 2, it is important for you to know whether this is related to a PSD2 violation. Our platform offers you multiple sources of information that will help you. Use them to confirm your integration takes the PSD2 guideline into account:

  1. Look up the transaction’s error code. The most common PSD2-related errors are:
    NCERROR Root cause/Possible solutions
    40001137
      • You advised our platform to perform the authorisation step although there was no 3-D Secure check 
      • As your customer’s bank rejected the transaction, this is out of your control
    40001139
    40001134
      • Your customer was unable to pass the 3-D Secure check
      • Contact your customer to learn why s/he was unable to pass the check
    40001135
      • Your customer’s issuer was not available to roll out the 3-D Secure check
      • As your customer’s bank failed to roll out 3-D Secure, this is out of your control. Consider offering alternative payment methods for retries

    Check our dedicated Transaction error codes guide for detailed information about these decline reasons

  2. Receive parameter CH_AUTHENTICATION_INFO in your transaction feedback for Hosted Payment Page and DirectLink. It contains information about decline reasons from your customers’ issuers

  3. Consult our dedicated 3-D Secure status guide to get fully familiar with 3-D Secure. Understand all 3-D Secure statuses and learn how to read the authentication log

Co-badging

If you are using the URL redirect (eCom) and accepting brands which could potentially be impacted by the regulation or co-badged with another brand impacted by the regulation, we need to be sure the payer is able to choose the brand, so we need to present a selection page. The way to avoid the selection page is to always send the brand under which the transaction must be processed.

Compliance is already required, but not fully put in place by all stakeholders, and each EU member state is free to decide when penalties should enter into force. We advise merchants to be compliant as soon as possible, notably in markets where co-badged cards are heavily used (e.g. France for merchants accepting the Carte Bancaire brand).

If you are accepting local brands available on EU issued cards, you are impacted.

You need to be compliant if you are accepting Carte Bancaire (France), Bancontact (Belgium) or Dankort (Denmark). The regulation does not name “brands” but provides a cumulative scope:

  1. The card should be issued in the EU.
  2. The brand should not be limited (a limited card can be a brand issued by one retailer, to buy limited goods or services, only intended for use in local sectors, etc.)
  3. The merchant should already accept the brand. If the merchant accepts payment by brand X and brand Y, the merchant should allow the payer to decide which brand to use when the payer is using a card including both brands X and Y.

When compliance is legally required (the merchant is accepting brands included on EU-issued cards covered by the regulation) but the merchant is not compliant, the Member State's local authority can fine the merchant. Fines may differ from one country to another.

This page is only presented for eCom merchants accepting brands outside Visa, MasterCard or Amex and not sending the brand to be used to process the transaction. Sending the brand under which the transaction should be processed will remove the page.

Configuration

Please contact the administrator of your account so that they can log in to the Back Office and add a new contact person. They can do it by going to Configuration > Account > Your administrative details. If they cannot log in, they can contact our Customer Care department.

You can easily change your e-mail address yourself in our Back Office. After logging in, please go to Configuration > Account > Your administrative details.





In order to erase your account, as it contains personal data, please contact us.

Our Customer Care department will handle your request. It may be the case that due to legal obligations a minimum retention period must be observed with the impossibility to erase your account immediately.

If your VAT number has changed, you need a new PSPID / account. Please contact your account manager to create a new account.

 

The time to activate a payment method depends on the following factors:

  • It generally takes the acquirer or bank about a week to complete your affiliation. If you already have an affiliation, the activation takes a few days.
  • Some payment methods require additional checks before they can be activated, e.g. in case of 3-D Secure, which is requested directly at VISA or MasterCard (and not at the acquirer). 

With Worldline Collect, you can activate several payment methods in one go.


In the Test Environment you can easily add a dummy number e.g. 123456789.

To have your bank account number changed, please contact our Customer Care department.

Our team will take care of your request. 

You can easily change your phone number in our Back Office. After logging in, please go to Configuration > Account > Your administrative details.

To change your company name, we would firstly like to know whether your VAT also changes. If this is the case, please contact your account manager. If only your company name changes, you can easily send an e-mail to our Customer Care department or reach them by phone.


If you want to change the PSPID name for an existing production account, please contact your Worldline Account Manager who will open a new account for you.

The PSPID name of your existing production account cannot be changed, but a new account with a new name can be opened for you.

Please note there will be a fee for this service.

You can do so by reaching out to our Customer Care department via phone or by sending an e-mail.

 

 

 

If you want a production account, please send an e-mail to your account manager. If you do not have an account manager assigned to your account yet, please contact us.

 

You can send an e-mail to our Customer Care department with your PSPID and the new address. Your address will be updated as soon as possible.

Even though we advise against using it, since this feature will no longer be supported from 25 August 2020, you can configure the so-called referrer check in addition to the SHA signature authentication. With this setting, our system checks the origin of the transaction request, which is the URL the request comes from (the referrer). The aim is that unauthorised URLs (those not configured in your account) will not be able to call the payment page.

In order to set it up or remove it, simply go to Technical Information > Data and origin verification. Under Checks for e-Commerce & Alias Gateway, you can enter one or more URLs that you want to enable to call the payment page: orderstandard.asp / orderstandard_utf8.asp.

Possible errors related to the referrer are "unknown order/1/r" and "unknown order/0/r". Go to Possible errors for more information about these errors.

Important: We strongly advise against using it and recommend leaving the field blank.

However, if you would still like to use it:

  • The URL(s) must always start with http:// or https://
  • You must enter the ‘origin’ of the URL being accepted (Origin: <scheme> "://" <hostname> [ ":" <port> ]), for example https://www.mysite.net
  • If you have several domains, multiple URLs can be entered. For example, http://www.mysite.com;http://www.mysite.net;https://www.secure.mysite.com. The URLs must be separated by a semicolon, with no spaces before or after the semicolon.
  • If you perform a test transaction from our test page, please remember to enter our site’s origin URL as a referrer, otherwise you will receive an error.
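The format rules above, as an added example (not Worldline's implementation): a JavaScript check for the value entered in the referrer field, plus an exact origin comparison of the kind such a check relies on. The function names and the lookalike hostname used in the usage lines are assumptions.

```javascript
'use strict';

// Shape the page requires for each entry: scheme "://" hostname [":" port],
// i.e. no path, query string, fragment or user info.
const ORIGIN_SHAPE = /^https?:\/\/[^\/?#@\s]+$/i;

// Validate the semicolon-separated value for the referrer check field.
// Returns the normalised origins plus one message per rejected entry.
function parseOriginList(value) {
  const origins = [];
  const errors = [];
  if (value === '') return { origins, errors }; // blank: referrer check not used
  value.split(';').forEach((entry, i) => {
    const label = `entry ${i + 1} ${JSON.stringify(entry)}`;
    if (entry === '') {
      errors.push(`${label}: empty (stray semicolon)`);
    } else if (/\s/.test(entry)) {
      errors.push(`${label}: no spaces allowed before or after the semicolon`);
    } else if (!/^https?:\/\//i.test(entry)) {
      errors.push(`${label}: must start with http:// or https://`);
    } else if (!ORIGIN_SHAPE.test(entry)) {
      errors.push(`${label}: enter the origin only, without path or query`);
    } else {
      try {
        // URL parsing lower-cases the host and rejects invalid ports.
        origins.push(new URL(entry).origin);
      } catch {
        errors.push(`${label}: not a valid URL`);
      }
    }
  });
  return { origins: [...new Set(origins)], errors };
}

// Illustration of an origin comparison: the Referer value is parsed and its
// origin compared exactly, never by prefix or substring. Referer is a
// client-supplied header; the page treats SHA signature authentication as
// the stronger control.
function refererAllowed(referer, origins) {
  let url;
  try {
    url = new URL(referer);
  } catch {
    return false; // missing or malformed Referer
  }
  return origins.includes(url.origin);
}

// Usage with the sample value from this page.
const configured = parseOriginList(
  'http://www.mysite.com;http://www.mysite.net;https://www.secure.mysite.com'
);
console.log(configured.origins, configured.errors);
console.log(refererAllowed('http://www.mysite.net/cart?id=1', configured.origins));
console.log(refererAllowed('http://www.mysite.net.example.org/cart', configured.origins));
```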

We also would like to take the opportunity to remind you that although the referrer allows our system to identify the origin of an order, SHA signature authentication remains the most trusted way to secure your transactions on your PSPID. You can find more information on that in our SHA signature integration guide.

Contract

You can contact your account manager by phone/e-mail to request this option. After signing your upgrade/downgrade form, please send it to our Customer Care department.

Please send an e-mail to our Customer Care department stating your PSPID, requested option and its price (if known). Our team will activate this option for you.

You can deactivate your option (except for the 3-D Secure option) by sending an e-mail to our Customer Care department requesting the deactivation of that option.

In order to activate Direct Debits on your account, please send your IBAN and BIC or the RIB-form to our Customer Care department. Our team will then create a form for you to sign. After receiving the signed form, we can easily activate Direct debits on your account.





To get your subscription changed, please contact your account manager.

If you do not have an account manager assigned to your account yet, please contact us.



Please send us either a signed letter (as pdf) or an email containing

  • The name of the person requesting the termination
  • Your company's e-mail signature (company name, address etc.)
  • The explicit request to terminate your contract with us
  • The PSPID (the name of your account on our platform)

Use our email template to help you with this

If you send your cancellation by e-mail, the sender e-mail address domain must be identical to the one in the Back Office (Configuration > Account > Your administrative details > Administrative e-mail address).





Getting started

Find a list of supported payment methods here

On this support site you can find all manuals presenting our products. Feel free to browse these documents.

With the activation of your account, our Reconciliation tool is automatically available to you if you have a Full Service account or you benefit from Collect acquiring. This enables you to easily reconcile the payments you receive on your bank account with the orders/transactions in your Worldline account. To read more about Reconciliation tool click here.

Worldline delivers payments services that are compliant with state of the art data security standards in the payment industry: PCI DSS.

PCI DSS includes a large set of security requirements and controls which are implemented and run on a regular basis.

These security controls aim to keep a constant high security level on the payment platform, which leads to optimal protection for transactions and data.
 

To register with Worldline, simply click "Open a free test account" on our website and fill in a short form. 

As soon as we have checked your details, we will e-mail you a temporary password. 

Once you have received your temporary password, you will be able to log in using the ID you chose when you first registered. To complete your registration and fully activate your account, please complete the steps listed on your account’s home page. 

Glossary

Payment processing is a service that allows websites to sell online by accepting payment via electronic methods such as credit cards, debit cards and bank transfers.

Provided by payment service providers, payment processing is the technical connection or 'gateway' between a website and the financial institutions or 'acquirers' that govern different payment methods. To put it simply, without a payment service provider you won't get paid.

Working with Worldline, you will benefit in three key ways. Firstly, our payment gateway is connected to over 200 domestic and international acquirers. So, whether you want to take online, mobile or phone payments, we're ideally placed to help you find the right acquirers for your market and offer the payment methods that are preferred by your customers.

Secondly, we can collect your payments too. We can help you activate several payment methods from different acquirers with just one contract so you can offer your customers more of the local payment methods they know and trust.

And finally, as well as processing and collecting payments, we also offer advanced fraud prevention solutions to help businesses accept more safe orders and block more fraudulent transactions.



To learn more about ways we can help your business, see our solutions page.

A RIB-form is the original document received from the bank in France.

PayPal Seller Protection is a way to make accepting payments through PayPal even more secure and hassle-free. It safeguards your business against losses from charge backs and payment reversals, so that you can:

  • Spend less time dealing with claims of items not received
  • Protect yourself from losing money to payments made with stolen credit cards
  • This enhanced protection is available free of charge when you connect your Magento webshop to Worldline ePayments' payment processing services, using the latest Worldline ePayments Magento Extension.

To qualify for the Seller Protection guarantee, all you need to do is ensure your PayPal transactions include the following shipping details:

  • First name
  • Last name
  • Address
  • City
  • Post code
  • Country code
  • Whenever a buyer makes a claim, chargeback or payment reversal, you simply provide PayPal with proof of delivery or proof of shipment and they will release any held funds.

You can find out more about our free Magento plug-in and how to accept PayPal and other payment methods through your Magento webshop here.

A User ID identifies the specific user of an account.

If your account has more than one user, you log in by filling in your USERID, your payment service provider ID (PSPID), if needed, and your password. Please make sure you click on the 'Log in as user' link so that all three fields are displayed.

If your account only has one user, you will not need a USERID. You will log in using only your PSPID and password, so please make sure your login screen only displays two fields. If you can see three fields, click on the 'Log in as PSPID' link on the bottom left of the screen to log in as a merchant.

 

For a DirectLink or Batch integration, the parameter USERID corresponds to the API user set up on your PSPID. Please note that the API user is not able to log in to the Worldline Back Office.

An acquirer is a financial institution that processes payments from certain credit and debit cards. The acquirer is responsible for the financial part of transaction processing and Worldline is responsible for the technical part. In other words, without an acquirer the money will not be transferred to your bank account.

For every online payment method you want to add, you need an acceptance contract with an acquirer. If you’d like advice on which acquirer would be best suited for you and your region, please contact us. If you know which acquirer you want to work with, you can simply select them from the drop-down list when adding a payment method in your account.

But why not let us take care of it for you? Full Service allows you to activate many local payment methods, all at once and in several different countries – with one single contract. If you trade internationally, it could be the ideal way to accept payments from all across Europe. It saves you time-consuming administration and because you can offer more payment methods, it can also increase your revenues. 

Find out more about Full Service here and by contacting us and asking for contract information.

PSPID stands for payment service provider ID. It is the name you chose when you first registered to identify the business your account is linked to. You need your PSPID and password to log in to your account.

Please always have your PSPID ready when contacting our Customer Care department.

Full Service allows you to activate many local payment methods all at once, and in several countries, with one single contract. If you trade internationally, it could be the ideal way to accept payments from all across Europe. It saves you time-consuming administration and because you can offer more payment methods, it can also increase your revenue.

Through our affiliate Worldline Financial Solutions, we are able to collect the payments from your customers via their local acquirers and send them directly to your merchant account once they have been authorised.

In your Worldline account, your Full Service payment methods will be preconfigured with the affiliation details of Worldline FS so for each transaction received, they will be able to route the money directly into your merchant account.

As the payment process with Full Service is the same as the normal payment process, transactions with Full Service will work perfectly with any shopping carts that support Worldline ePayments e-Commerce.

Elevate is a Business Intelligence solution for payments and chargebacks, specifically built for international eCommerce companies. Elevate translates raw payment data into interactive and easy-to-read dashboards that let you quickly identify and act on payment problems and opportunities, as well as benchmark your performance against your industry peers. 

Using our customizable Business Intelligence solution, merchants gain insights into their payments, authorization rates, chargebacks, refunds, disputes, industry benchmarks, commercial insights and more.

Phishing is a derivative of the word "fishing". The replacement of the 'f' by 'ph' is probably based on an abbreviation of the expression "password harvesting fishing".

Phishing operators use e-mails, hypertext links and Internet pages to redirect you to fake websites where you will be asked to disclose confidential data such as your bank account details or credit card number. A malicious e-mail generally asks you to confirm your password, bank details, account numbers, credit card details or other similar data by clicking on a link contained in the message. This link then directs you to a fake page with an address that is almost identical to that of the original site.

Prevention:

  • Be careful with e-mails.
  • It is very easy to fake a sender's address: the author of the e-mail you receive is not necessarily the service provider you believe it to be.
  • Do not reply to e-mails asking you to enter personal data. Service providers such as Worldline, banks, credit card issuers, etc. will never ask you to disclose your password, credit card number or other personal information by e-mail.
  • Enter links manually. Do not click on any links contained in suspicious messages: enter the URL address manually (for example, the address of your bank, the Worldline platform) or look for it in your Favourites. Links contained in fraudulent e-mails can direct you to fake websites. The differences in the URL addresses are often very difficult to spot. The appearance of the site can also be deceptive.
  • Check the encryption of Web pages. Before entering any of your personal details in a website, check that the site encrypts personal data by looking for https ("s" for secure) in the Web address and a closed padlock or non-broken key icon in your browser. Unfortunately, the padlock icon (and the key) can be forged on certain systems. Check that you are actually on the site you think you are on by double-clicking on the padlock icon to display the site's certificate. Make sure that the name on the certificate and the name in the address bar are the same. If the names are different, you could be on a fake site.
  • Check your bank and credit card statements regularly.
  • Upgrade your computer's security: Enable an anti-phishing filter to identify fraudulent sites before you visit them. Some browsers (e.g. Internet Explorer) have this kind of filter. Otherwise, you can install it as a toolbar. Regularly apply the latest security fixes for your operating system and the software installed on your computer. Install a firewall. Install anti-virus software and keep it up to date.

What should you do if you become a victim of phishing?

If you think you have received a phishing e-mail, proceed as follows:

  • IMMEDIATELY change the passwords and/or PIN codes for the online account with the company whose identity has been usurped.
  • SEND the fraudulent message to the company in question. It will generally have a special e-mail address to notify any such attacks. For example, if you receive a phishing e-mail relating to Worldline e-Commerce Solutions, send it to us via our contact form.
  • NOTIFY the phishing attempt to the relevant authorities (local police, Internet Fraud Complaint Center, Anti-phishing working group).
  • RETAIN all PROOF of the fraud. In particular, in the event of a phishing attempt using an e-mail, do not delete the e-mail, since it contains, hidden in the header, the information required to trace the source of the attempt.

Worldline and communications:

  • Worldline e-Commerce Solutions (previously Worldline ePayments) non-commercial e-mails are always sent from the Worldline domain.
  • Worldline will never ask you to disclose your personal financial data or other personal information (password, credit card number, bank account number, etc.) by email.
  • Worldline will never request any merchant to perform a payment operation (please note, however, that in some specific cases when you have reached out to us for an ongoing transaction issue, we may ask you to perform the failed operation again).
  • Worldline will never disclose by e-mail any full credit card number.

Payment Confirmation e-mails sent by the Worldline platform will never contain any attachment.

For further information:

When processing transactions online, dealing with Interchange fees (IC) and Scheme fees (SC) can be challenging: it's not always clear what exactly acquirers and card brands charge that money for. Moreover, the trend of increasing these fees might add to that confusion.

Worldline is happy to help you manage these fees by offering two models. Depending on your business model, either the IC++ or the Blended pricing will suit your needs best. Our colleagues from our Sales department are at your service to help choose the best option for you:

  • IC++ combines the Interchange fee, the Scheme fee and an additional percentage of the transaction amount value to one fixed price per transaction. IC++ is a passthrough model and therefore subject to cost swings.
  • Blended Pricing applies a fixed percentage of the transaction amount value. All Interchange, network dues and assessment fees are covered, so Blended Pricing protects you against cost swings (especially IC & SF price increase) and card mix.

Interchange fees cover the costs of the cardholder’s bank (the issuer) related to lines of credit and fraud mitigation. The merchant's bank, i.e. your bank (the acquirer), pays this fee to the issuer. For each transaction, the total amount due depends on various factors, among others:

  • The geographical location of your company and the cardholder's bank
  • The Average Transaction Value (ATV)
  • Payment method used (debit / credit card)
  • Card type (consumer / commercial card)

Please note that these rates apply for the EEA region. For other regions, different fees may apply.

Interchange fees are not negotiable, but are capped for European consumer* cards (not corporate cards) by EU regulations (to 0.3% for credit card payments and to 0.2% for debit cards).

Due to the Interchange Fee Regulation (IFR) and other recent developments such as Brexit and the introduction of PSD2, the general trend is that both fees are prone to changes (i.e. Scheme fees are expected to increase in the future). To help you manage these fees, we offer Interchange+ and Blended pricing via our Full service model.

Although this fee is defined by the card brands (i.e. Visa, MasterCard who are also known as schemes), you should not confuse it with the scheme fee. Your acquirer pays scheme fees to the card brands to cover their maintenance costs for providing their payment network. The total amount is composed of assessment fees, cross-border fees, clearing and settlement fees. Similarly to the Interchange fee, the total amount depends on the card type used and the geographical location of your acquirer.

Invoicing

Yes, this is possible.

Log in to the Back Office and go to “Configuration > Account > Your administrative details”.

Enter an email address or multiple ones (up to five separated by a semicolon “;”) in “Finance e-mail address”.

The first email entered in this field will also be automatically added to Order2Cash. If you have more than one address and want to add them to Order2Cash as well, please log on to the Order2Cash platform. There you can indicate up to 5 additional email addresses for delivery. Their dedicated service will gladly assist you in setting this up.

If the field “Finance e-mail address” is empty, we send the invoices to the email address(es) configured in the field “Administrative e-mail address”.

You can register through the invoice delivery email by following these steps: Open the notification e-mail -> Click on the ‘View invoice’ button -> Click on the ‘Register’ button when the browser window has loaded. Your user name is the email address that receives the invoice.
For any questions regarding the registration on Order2Cash, please review the FAQs on the Order2Cash website, or contact the Order2Cash Support using their contact form.

Your invoices for the last 24 months are available in your Worldline account. Log in to the Back Office and go to “Configuration > Billing”. Select the invoice you wish to download.


You can access invoices older than 24 months via the Order2Cash platform.

To change your bank account in our system, please send the new IBAN/BIC or RIB form to our Customer Care department in order to create a new form for you to sign.

A SEPA mandate is easier to arrange and you as a merchant would not be burdened by paying our invoices manually.

If you want to change your invoicing address or the way you pay your invoices, please send an email with your PSPID to our Customer Care department.

Our Customer Care team will take care of your request.

The invoices will be delivered in pdf format. As before, you can access them in pdf or csv format on the Platform. Now, they are also accessible in the following formats on the Order2Cash platform: xml UBL, xml IFF and xls.

You can reconcile the amount of charged transactions from your invoice with the Back Office transaction list by following these steps:

  • In the Back Office, go to “Configuration > Users > Edit on your user > Electronic Reporting for this User”.
  • Check that the following settings are set as follows:
    • Structure: Select either Extended / File management / Dynamic
    • Tick the box “With Column Headers”
  • Click on SUBMIT

  • Go to “Operations > Financial History”
    A transaction may have undergone different operations. You may perform several maintenance operations on a single transaction (i.e. refused, authorisation and refund).
    As you are charged per billable operation (see below) and not per transaction, “View transaction” is not the right choice, because it only lists the last operation performed on a transaction.
  • Fill in the following fields in the form
    • Payment date: Enter the first and the last day of the month the invoice has been issued for
    • Charging method / Card type: Select “All”
    • Status: Flag “Refused”, “Authorised”, “Requested”, “Refunds”
    • Detailed list: YES

  • Click on DOWNLOAD LIST
  • In the resulting list, apply the following filters for the respective column to keep the billable operations:
    • STATUS: Filter for only 2, 5, 8 and 9. These are the equivalents to “Refused”, “Authorised”, “Refunds” and “Requested”
    • ACTION: Filter out values "DCP", "SAL" and "SAS". These refer to data capture operations on status 5 transactions that we do not charge.

      The resulting number of operations per transaction should match the amount on your invoice.

If you cannot reach a match, please contact our customer care team. They are happy to resolve the inconsistency for you, as pricing specific to your contract and / or subscription might impact the calculation method.

Please note that we archive transactions older than 540 days (= 18 months). Therefore, make sure to perform your reconciliation before transactions have been archived.
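The two filters from the reconciliation steps above can be applied to the downloaded list with a short script. This is an added example, not Worldline code: it assumes the export is delimited text with a header row that contains the STATUS and ACTION columns named above, and the `;` delimiter, the `ID` column and the `OTHER` action value in the sample are constructed placeholders.

```python
import csv
import io
from collections import Counter

# Filters taken from the reconciliation steps above.
# 2 = Refused, 5 = Authorised, 8 = Refunds, 9 = Requested
BILLABLE_STATUSES = {"2", "5", "8", "9"}
# Data capture operations on status 5 transactions, which are not charged.
UNCHARGED_ACTIONS = {"DCP", "SAL", "SAS"}


def billable_operations(report_text, delimiter=";"):
    """Return the rows of a Financial History export that are billable.

    Assumption: delimited text with a header row holding STATUS and ACTION
    columns; the delimiter is a guess and can be overridden by the caller.
    """
    reader = csv.DictReader(io.StringIO(report_text), delimiter=delimiter)
    headers = {(h or "").strip().upper() for h in (reader.fieldnames or [])}
    missing = {"STATUS", "ACTION"} - headers
    if missing:
        # Typical causes: "With Column Headers" was not ticked, or the
        # delimiter does not match the file.
        raise ValueError("export lacks column(s): " + ", ".join(sorted(missing)))

    kept = []
    for raw in reader:
        # Normalise header case and surrounding whitespace; surplus cells
        # of an over-long row are stored under the key None and ignored.
        row = {k.strip().upper(): (v or "").strip()
               for k, v in raw.items() if k is not None}
        # Exact match on purpose: a two-digit status such as 91 must not
        # be counted as status 9.
        if row["STATUS"] not in BILLABLE_STATUSES:
            continue
        if row["ACTION"].upper() in UNCHARGED_ACTIONS:
            continue
        kept.append(row)
    return kept


def summarise(report_text, delimiter=";"):
    """Count billable operations in total and per status."""
    rows = billable_operations(report_text, delimiter)
    return {
        "total": len(rows),
        "by_status": dict(Counter(r["STATUS"] for r in rows)),
    }


# Constructed sample export (not real data). ID and OTHER are placeholders.
SAMPLE_EXPORT = "\n".join([
    "ID;STATUS;ACTION",
    "A1;5;OTHER",   # kept
    "A1;9;SAL",     # dropped: uncharged action
    "A2;9;OTHER",   # kept
    "A3;2;OTHER",   # kept
    "A4;8;OTHER",   # kept
    "A5;5;DCP",     # dropped: uncharged action
    "A6;91;OTHER",  # dropped: status outside the billable set
    "A7; 9 ;sas",   # dropped after whitespace and case normalisation
])

if __name__ == "__main__":
    print(summarise(SAMPLE_EXPORT))
```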

PCI certification

It is the merchant's acquirer that has the authority to define the merchant level based on the number of annual transactions. Depending on the merchant level (being a level 2, 3 or 4) the merchant might be eligible for using a Self-Assessment Questionnaire (SAQ). The type of SAQ is strongly linked to the payment flow and whether the merchant captures, processes, stores or transmits cardholder data such as the card number.

PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Does PCI DSS apply to an entity using a third-party service provider (TPSP)?

Yes. The use of a third-party service provider (TPSP) does not relieve the entity of ultimate responsibility for its own PCI DSS compliance, or exempt the entity from accountability and obligation for ensuring that its cardholder data (CHD) and card data environment (CDE) are secure. However, the use of a third-party service provider may decrease the risk exposure and reduce the effort for validating and maintaining PCI DSS compliance.

The effort for a merchant is strongly dependent on a number of factors such as the merchant level, type of integration, supporting infrastructure, the usage of PCI DSS certified service providers, etc.

The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS, and you as a merchant may be required to share it with your acquiring bank. Please consult your acquirer for details regarding your particular PCI DSS validation requirements.

The comparison of the applicability for the SAQ A and SAQ A-EP is depicted in the table below.

 

SAQ A: All Cardholder Data Functions Completely Outsourced

SAQ A-EP: Partially Outsourced E-Commerce Payment Channel

Applies to:

  • SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order)*
  • SAQ A-EP: E-commerce merchants

Functions Outsourced

  • SAQ A: All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers
  • SAQ A-EP: All processing of cardholder data is outsourced to a PCI DSS validated third-party payment processor

Control of Cardholder Data

  • SAQ A: Merchant's e-commerce website does not receive cardholder data and has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored
  • SAQ A-EP: Merchant's e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor

Payment pages

  • SAQ A: The entirety of all payment pages delivered to the consumer’s browser originates directly from a PCI DSS validated third-party service provider(s)
  • SAQ A-EP: All elements of payment pages that are delivered to the consumer’s browser originate from either the merchant’s website or a PCI DSS compliant service provider(s)

Third-Party Compliance

  • SAQ A: Merchant confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant
  • SAQ A-EP: Merchant confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant

Merchant Systems

Merchant does not electronically store, process, or transmit any cardholder data on their systems or premises, but relies entirely on a third party(s) to handle all these functions

Data Retention

Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically

For more information, the merchant can always contact their acquiring bank.

All PCI-related information can be found on the PCI Security Standards Council website.

The only fully PCI compliant way is to use the POST method. That way you are sure not to expose any sensitive data of your customers.
It can also help you manage GDPR obligations by keeping personal data under your control.

Our platform will block every request sent with a non-compliant method.

Please contact your IT department to make sure your system sends POST requests only.
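One way to check the POST-only requirement above before deployment is to scan your checkout templates for forms that would be submitted to the payment page with another method. This is an added example, not Worldline code: `payments.example` is a placeholder for the payment page host and the sample markup is constructed. It covers two cases that are easy to miss: a form without a `method` attribute, which HTML submits with GET, and a submit button whose `formmethod` overrides the form's method (`formaction` overrides are not followed).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PAYMENT_HOST = "payments.example"  # placeholder, replace with your payment page host


def effective_method(value):
    """HTML treats a missing or unrecognised method as GET."""
    v = (value or "").strip().lower()
    return v if v in ("post", "dialog") else "get"


class FormCollector(HTMLParser):
    """Collect each form's action, method and per-button method overrides."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.forms = []
        self._open = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {
                "action": a.get("action", "").strip(),
                "method": effective_method(a.get("method")),
                "overrides": [],
            }
            self.forms.append(self._open)
        elif tag in ("button", "input") and self._open is not None and "formmethod" in a:
            # A submit control can replace the form's method for its own submission.
            self._open["overrides"].append(effective_method(a["formmethod"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def non_post_payment_forms(html, payment_host=PAYMENT_HOST):
    """Return (action, [non-POST methods]) for forms targeting the payment host."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        host = (urlsplit(form["action"]).hostname or "").lower()
        if host != payment_host.lower():
            continue  # not a payment form, e.g. a site search box
        methods = [form["method"]] + form["overrides"]
        bad = sorted({m for m in methods if m != "post"})
        if bad:
            findings.append((form["action"], bad))
    return findings


# Constructed sample markup (not taken from any real shop).
SAMPLE_HTML = """
<form action="https://payments.example/order-a" method="post">
  <input type="hidden" name="amount" value="1500">
  <button type="submit">Pay</button>
</form>
<form action="https://payments.example/order-b">
  <input type="hidden" name="amount" value="1500">
  <input type="submit" value="Pay">
</form>
<form action="https://PAYMENTS.example/order-c" method="POST">
  <button type="submit" formmethod="get">Pay</button>
</form>
<form action="/search" method="get"><input name="q"></form>
"""

if __name__ == "__main__":
    for action, methods in non_post_payment_forms(SAMPLE_HTML):
        print(action, "would be submitted with", ", ".join(methods))
```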

Shopper

In case you forgot to mention the Payment Reference when transferring the payment to our account, we would advise you to contact the merchant directly. The merchant is able to assist you further with locating the payment and making sure the payment will end up in the right place.

This means the bank or financial organization where your card was issued requires you to verify your ID to prevent anyone else from using your credit card - for instance if your card was lost or stolen.

If you experience any difficulties during this verification process or if you have any further questions, we advise you to contact your bank or the company who issued your credit card. As it’s your bank that requires you to verify your identity, Worldline ePayments has no involvement in this process.

If you have paid but haven’t received your order within a reasonable time frame, the first step is to contact the merchant.

If you're unable to receive a satisfactory response from the merchant, you could under certain conditions ask your bank to reimburse your payment.

Please be aware that this might create additional costs for you and the merchant. 

Another option would be to contact a consumer organization to check your rights.

Please note, the Worldline entities cannot give you any information regarding your transaction – only the merchant involved can do that.

To get the status of your order, you have to contact the website where you placed the order. The Worldline entities do not hold any details about your order so cannot provide you with this information.

Any queries related to ordering and making payments to the appropriate bank accounts should be addressed to the company relevant to your purchase.

Worldline ePayments does not accept or decline payments, we merely transmit the information to the bank or credit card company used by the website where you placed your order. If your transaction is unsuccessful, it's because your bank or credit card company has declined the transaction.

Possible reasons why your payment was declined:

  • Your type of card is not accepted by this website
  • Your card is expired
  • There is no more credit available on your card

Possible actions you can take:

  • Choose another payment method
  • Re-enter your information
  • Contact the website for more information, making sure you give them your order details

Please note, no money gets transferred through Worldline e-Commerce Solutions legal entities when making a payment to a website. We simply make sure the transaction data reaches the banks and credit card companies securely.

After you've entered your payment details, you'll normally get an order confirmation message on the screen and/or by email.
If you haven't received any confirmation, you should contact the web shop where you placed your order to find out if your transaction was successful.
Please note, the Worldline entities are not authorized to provide you with this information. 

To cancel your order or get a refund, you need to contact the website you placed your order with. The Worldline entities cannot cancel your order or refund your payment, only the company you placed your order with can do this. 

Transactions

NCERROR and NCSTATUS are complementary statuses that will provide extra information in case of transaction failure.

NCERROR is an 8-digit code. Find a full list of all possible errors in your Back Office: Operations > View Transactions. Look up the impacted transaction and click on "?", as shown in the overview:


For eTerminal transactions we display the fields in the transaction overview as shown above in "NC ST/ER" (ST = NCSTATUS / ER = NCERROR). We also provide both fields in our transaction feedback for all other integration modes. Learn here how to receive it for the channel you use:

3-D Secure is a way to authenticate online transactions, similar to entering a PIN code or writing a signature for a transaction on a physical terminal in a shop or restaurant. It was initially developed by VISA under the name "Verified by VISA" and was soon adopted by MasterCard (SecureCode), JCB (J/Secure) and American Express (Safekey®).

There are several forms of 3-D Secure authentication. Depending on the customer's bank and originating country, it can be using a card reader or digipass, entering a PIN-code, or entering a piece of data that only the cardholder can know. 3-D Secure allows merchants selling online to verify that their customers are the genuine cardholder in order to reduce instances of fraud.

Learn more about our fraud prevention solutions.

If you want to check specific details of an order/transaction or perform maintenance on transactions, you should use View transactions. "Financial history" is the most convenient to periodically check incoming and outgoing funds.

For more information, go to View transactions vs Financial history.

You can only perform refunds on transactions which have already received status 9 for at least 24 hours. A cancellation or deletion can be done within approximately 24 hours after final status has been received (status 9 or 5).

To find out the cut-off time of the acquirer, we recommend that you check directly with our Customer Care department.

A full green thumbs-up icon means that the transaction was completed with a 3-D Secure authentication method, such as Digipass or a card reader. However, it doesn't necessarily mean the payment itself was processed successfully. Therefore, you should always check the transaction status to know whether you'll receive your money.

Go to Transaction statuses for more information.

By default you can send goods or deliver your service once a transaction has reached the status "9 - Payment requested". However, although status 5 is a successful status, it's only a temporary reservation of an amount of money on the customer's card. A transaction in status 5 still needs to be confirmed (manually or automatically) to proceed to the status 9, which is the final successful status for most payment methods.

Go to Transaction statuses for more information.

Worldline offers a complete suite of flexible products, sophisticated technologies and dedicated expertise to help you manage and optimize your online fraud prevention practices. Our industry-leading fraud detection tools and experts bring over 20 years of industry and regional expertise, and we will work closely with you to develop, implement and manage a holistic fraud solution that includes prevention, detection and management. We also offer comprehensive chargeback management and dispute management solutions. 

By working with Worldline, you can pick the solutions that best fit your needs and customize our services to either outsource fraud management functionalities or keep them in-house with our ongoing support.

You can easily refund a payment with the "Refund" button in the order overview of a transaction (via View transactions). If your account supports it, you can also make refunds with a DirectLink request or with a Batch file upload (for multiple transactions).

Please note that the Refunds option has to be enabled in your account.

Go to Maintain your transactions for more information.

In your Worldline account menu, you can easily look up your transactions by choosing "Operations" and then clicking either "View transactions" or "Financial history", depending on the type of transaction results you're looking for.

Go to Consult your transactions for more information.

Troubleshooting

If you're unable to log in to your account using your payment service provider ID (PSPID) and password, it may be due to one of the following reasons:

  • You could be using your test PSPID and/or password in the production environment, or your production PSPID and/or password in the test environment. You can check the environment at the top of the login screen – it will say either: "Identification Production" or "Identification TEST". To switch environments, use the link under the login fields.
  • You could be logging in as a merchant on the user screen or as a user on the merchant screen. If you're logging in as a merchant, you'll see two fields: PSPID and Password. If you're logging in as a user, you'll see three fields: USERID, PSPID (optional) and Password. To switch the login screen, click the "Log in as user" or "Log in as PSPID" button on the bottom left of the screen.
  • Perhaps you've typed in your password in the wrong case? Passwords are case sensitive. Try typing your password into a text editor such as Word or Notepad to check the spelling and the case, then copy/paste the result in the password field.
  • When you submit your login details, if the login page reappears and the information you entered is gone it means your browser is not accepting session cookies. To enable session cookies, go to your browser's settings. If you're unsure how to do this for your operating system and browser version, please check with an IT specialist. 

If you forgot your password, please click on the "Lost your password?" button on the bottom of the screen.


There are different reasons why you can't refund a transaction. You need to consider the following (with the condition that the Refund option is enabled in your account):

  • The transaction is in an "incomplete" status, such as a pending or erroneous status (9192 etc.) that doesn't allow the refund operation.
  • The transaction is authorised (status 5), at which point no payment has been made yet. In this case you have to cancel the authorisation instead of refunding.
  • The used payment method doesn't support the refund functionality, which can be the case with certain debit cards, web banking methods and "offline" payment methods such as Bank transfer.

Please send our Customer Care department the signed contract. In order to activate your account, at least one payment method must be activated. If you want more information regarding payment methods, please contact your account manager.

To ensure you will still be compliant with the Payment Card Industry Data Security Standard (PCI DSS) and safe from potential security breaches, we kindly invite you to migrate to Magento 2 or another eCommerce Platform.
As such a step can be quite complex, our Magento integration experts are happy to support you – for free! Please contact us to learn more about this offer.

Request another admin user on your PSPID to deactivate the 2-Factor authentication for you or contact our Customer Care department for help.

Sometimes an affiliation number has been set to inactive on the acquirer's side. We suggest you contact your acquirer about this.

The message "An error has occurred; please try again later. If you are the owner or the integrator of this website, please log into the Worldline back office to see the details of the error." is a generic error message which is returned if a specific technical issue occurs at the moment the payment page is called. We don't display the actual error on the payment page, mainly because of security reasons, but also not to confuse your customers.

In your Worldline account, via "Configuration" > "Error logs", you can easily look up the errors that occurred when the generic error message was displayed. The actual meaning of these errors is described on the Possible errors page.

If your mandate is not working, you should contact your bank to ask why the mandate has been refused.

You can reset your password via the "Lost your password?" button on the bottom of the login screen.