UnionPay Online Payments Acceptance is provided through SecurePlus, a secure e-commerce payment solution designed for merchants who want to reduce the risk of fraudulent transactions while providing a friction-free payment process for consumers. SecurePlus divides the online payment process into separate authentication and authorization transaction flows, so that the cardholder’s identity is authenticated before the merchant submits the authorization request.
Transactions Powered by UnionPay SecurePlus
Dual Integration Options
Option #1: PIPE Payment Widget — a hosted payment form suitable for merchants who do not wish to touch cardholder data or maintain Payment Card Industry (PCI-DSS) compliance.
Option #2: Server-to-Server — a direct API option for merchants who are PCI-DSS compliant and wish to control the full payment flow and cardholder experience.
SecurePlus Features include:
- One implementation supports all UnionPay debit and credit cards in an authenticated or unauthenticated manner.
- Authentication is achieved by UnionPay sending an SMS text message to the cardholder’s mobile phone with a unique 6-digit code that is validated before the authorization. This method is used in lieu of PIN encryption for debit cards, and can also be used with credit cards to shift fraud liability to the issuer.
- Merchants can host their own payment checkout page; cardholders are not redirected to a UnionPay website to complete the payment, as is the case with the UnionPay Online Payment (UPOP) processing model, which can result in payment abandonment.
- Merchants who have their own wallet/stored payment mechanism and have a secure user authentication process (login) can process the SMS Authentication with a debit or credit card on initial entry into the consumer’s wallet, and be assured without the cardholder having to re-authenticate.
How the SMS Authentication works:
- When UnionPay cards are issued, the cardholder must register his/her mobile number with the issuer.
- The SMS code authentication works at the time of checkout by submitting the payment details (card number, expiration, CVV, amount, currency, etc.) to UnionPay along with the cardholder’s mobile number.
- The issuer verifies the card and registered mobile number, and sends an SMS code to the mobile phone.
- The cardholder enters the SMS code in the payment form and a second request is submitted to UnionPay to verify the SMS code. If approved, the final financial transaction is submitted (authorization or debit).
- The authentication process is optional for credit cards, but required for debit cards.
- Fraud liability is shifted from the merchant to the issuer when a transaction is properly authenticated.
- To accommodate an Amazon-style wallet, the card authentication has some built-in flexibility when other compensating controls are employed.
ASYNCHRONOUS TRANSACTION FLOW: SERVER-TO-SERVER WITH SMS AUTHENTICATION
- Merchant submits an AUTH (PA) or Debit (DB) payment request, including the cardholder’s mobile phone number and a shopperResultUrl.
- The Gateway sends an SMS Request message to UnionPay.
- UnionPay / the card issuer checks the payment details and sends back a response.
- If approved, UnionPay sends a 6-digit SMS code to the cardholder’s mobile phone, and the Gateway sends an approval response back to the merchant with the URL of a web page on which the cardholder enters the SMS code.
- The cardholder submits the 6-digit SMS code on the web page, and the Gateway submits an SMS Verification to UnionPay to verify the SMS code, and submits the final financial transaction to UnionPay (AUTH or Debit).
- The cardholder is redirected to the merchant’s shopperResultUrl, where the merchant requests the final status of the transaction.
NOTE: Follow-up transactions, such as Reversal, Capture, and Refund all work synchronously with a real-time request and response.
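A toy model of the asynchronous flow above, added here as an example and not code from UnionPay or the gateway. The class, method names, status strings and URLs are hypothetical, and the single-attempt code check is an assumption.

```python
import hmac
import secrets

class ToyGateway:
    """In-memory stand-in for the Gateway plus UnionPay/issuer. Hypothetical, not a real API."""

    def __init__(self, issuer_mobiles):
        self.issuer_mobiles = issuer_mobiles  # card number -> mobile registered with issuer
        self.tx = {}

    def submit(self, payment_type, card, mobile, shopper_result_url):
        """PA/DB request: issuer checks card and mobile, SMS code is sent, entry URL returned."""
        if payment_type not in ("PA", "DB"):
            raise ValueError("payment_type must be PA (AUTH) or DB (Debit)")
        tx_id = secrets.token_hex(8)
        if self.issuer_mobiles.get(card) != mobile:
            self.tx[tx_id] = {"status": "REJECTED"}
            return {"id": tx_id, "approved": False}
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code "sent" by SMS
        self.tx[tx_id] = {"status": "PENDING_SMS", "code": code,
                          "type": payment_type, "result_url": shopper_result_url}
        return {"id": tx_id, "approved": True,
                "sms_page": f"https://gateway.example/sms/{tx_id}"}  # constructed URL

    def enter_sms_code(self, tx_id, code):
        """Verify the SMS code, then run the final AUTH or Debit. Returns the redirect URL."""
        tx = self.tx[tx_id]
        if tx["status"] != "PENDING_SMS":
            raise RuntimeError("no SMS verification pending")
        ok = hmac.compare_digest(tx.pop("code"), code)  # assumption: one attempt per code
        tx["status"] = "APPROVED" if ok else "FAILED"
        return f"{tx['result_url']}?id={tx_id}"

    def final_status(self, tx_id):
        return self.tx[tx_id]["status"]


def handle_shopper_result(gateway, tx_id, status_from_browser=None):
    """The redirect passes through the cardholder's browser, so the merchant ignores
    anything it carries and requests the final status from the gateway itself."""
    return gateway.final_status(tx_id) == "APPROVED"
```
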
PCI-DSS Level I Certified
The protection of customer cardholder data is our top priority. The platform is compliant with the PCI Security Standards Council’s Data Security Standards and is annually audited and certified by an independent security assessor.
All data stored on the systems is encrypted, and all communication to or from them is encrypted using SSL or Triple DES. Network personnel proactively monitor the systems and network for any potential security threats.
Merchants are provided the latest in transaction encryption and cardholder data tokenization services to minimize risk.