On This Page
Simple Order API
Step 4: Step-Up Iframe
Initiate step-up authentication on the front end after you receive the response as
discussed in Step 3: Payer Authentication Check Enrollment Service. Note that frictionless
authentication does not require this step-up iframe step. This step is only for step-up
authentication when the issuing bank wants to challenge the cardholder.
When a challenge is needed to prove a customer's identity, a JSON Web Token is returned
to the merchant that contains a step-up URL. The merchant opens an iframe where the
access token to the step-up URL (also known as the endpoint) is posted. The iframe must
be sized appropriately to enable the cardholder to complete the challenge. The iframe
manages customer interaction with the card-issuing bank’s access control server. The
bank asks the customer to provide identifying information. Once the customer completes
the challenge, the process moves to validating the information that the customer
sent.
Process Flow for Step-Up Authentication
Best Practices
These practices should be followed for this step to achieve optimal performance and
to minimize potential operating issues.
- When a transaction requires a challenge, according to EMVCo protocol, the challenge must be issued within 30 seconds of the Enrollment Check response. When more than 30 seconds elapses the ACS times out.