How does Online Data Provisioning work?

This method allows for the most up-to-date check results. Each time SurePay receives a request for one of your accounts we fetch the account data in real time via your data provisioning API. The data will be as up-to-date as you present it to SurePay. However, this method requires some extra work on the ASPSP side, as a data provisioning API needs to be created.

Functional Overview

  1. API Request Initiation: The process begins when a request is sent through either the IBAN Name Check API or the VoP Gateway API. This request is made to verify the payee’s identity by matching the entered account details.
  2. Routing: The request is routed based on the IBAN to the appropriate Data Provisioning API implemented by the PSP holding the account.
  3. Account Data Retrieval: The PSP's Data Provisioning API retrieves relevant account information from its data lake. The API then returns the available information to SurePay services, where it is processed by our algorithm.
  4. Verification and Response: With the available account data, the SurePay algorithm verifies the payee’s information. Based on the matching results, SurePay provides feedback on whether the entered details align with the account data, enabling the requesting PSP to inform its Payment Service User (PSU).

Non-functional aspects & security

The Online Provisioning API should include the following security controls:

  • TLS (minimum TLS 1.2) or mTLS
  • OAuth 2.0 client credentials grant flow
  • IP whitelisting (optional)

OAuth 2.0

The application layer security should be implemented according to the OAuth 2.0 standard with the client credentials grant type. The standard specification of this type of flow is available online: https://tools.ietf.org/html/rfc6749#section-4.4.

Technical Details

SurePay expects to get the following from the API provider:

  • The exact endpoints for both production and test environment
  • Client credentials (either via dynamic registration or manually)
  • /token endpoint to be used with the above client credentials, to retrieve the access token
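
As an added example (not SurePay's or any PSP's own code), the sketch below shows a consumer-side client credentials token request over a TLS context that refuses anything below TLS 1.2, which an API provider can use to exercise its /token endpoint. The URL https://psp.example/token, the credential values and the 30-second refresh margin are assumptions.

```python
import base64, json, ssl, time, urllib.parse, urllib.request

TOKEN_URL = "https://psp.example/token"  # assumption: placeholder, not a real endpoint

def tls_context():
    """Client context that verifies the server and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate chain and hostname are checked
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def build_token_request(client_id, client_secret, url=TOKEN_URL):
    """RFC 6749 section 4.4.2: credentials via HTTP Basic, grant type in the form body."""
    # Section 2.3.1: id and secret are form-urlencoded before Basic encoding.
    enc = urllib.parse.quote_plus
    basic = base64.b64encode(f"{enc(client_id)}:{enc(client_secret)}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })

def parse_token_response(raw, now=None):
    """Validate the JSON token response and compute when the token must be refreshed."""
    now = time.time() if now is None else now
    doc = json.loads(raw.decode("utf-8"))
    if "error" in doc:
        raise ValueError(f"token endpoint error: {doc['error']}")
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("unexpected token response")
    # Refresh 30 s early (assumed margin) so a token never expires mid-request.
    lifetime = int(doc.get("expires_in", 0))
    return {"access_token": doc["access_token"], "refresh_at": now + max(lifetime - 30, 0)}

def fetch_token(client_id, client_secret, url=TOKEN_URL):
    """Perform the grant over the hardened TLS context (needs network access)."""
    req = build_token_request(client_id, client_secret, url)
    with urllib.request.urlopen(req, context=tls_context(), timeout=5) as resp:
        return parse_token_response(resp.read())
```
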

Performance and availability

  • The Online Provisioning API should comply with the highest availability standards: it should be available 24/7 so that the SurePay solution can function without interruption. Such an extreme availability requirement implies at least an active-active infrastructure setup on the API provider side, which should be abstracted from consumers by a highly available DNS service.
  • In case of any downtime of the Online Data Provisioning API, SurePay will respond to requests with an internal server error.
  • The latency of the Online Data Provisioning API determines the overall latency to a large degree. The response time target is 150ms. In our experience, a fast yet realistic response time is between 50 and 100ms.
  • Service Level Agreements (SLA) for support, resolution time, availability, etc. will be defined in a separate agreement with the PSP providing the Data Provisioning service.

Encoding & Special Characters

The API requests and responses must use a UTF-8 character encoding. This is the default character encoding for JSON (RFC 7158 - Section 8.1).

From a SurePay solution perspective, all special characters provided by the API are excluded or replaced during the matching phase. However, in the case of name suggestions, SurePay will provide the exact data that was provided by the Online Data Provisioning API.
