FAQs

3DS v2

Exclusions are transactions that are OUT of scope for PSD2 SCA regulations:

  • Mail order/telephone order
  • One leg journey - Payee's PSP (aka Merchant's acquirer) or Payer's PSP (aka Buyer's payment method issuer) is outside of EEA zone
  • Anonymous prepaid cards up to 150€ (article 63)
  • MIT - merchant initiated transactions

Exemptions are transactions that are IN the scope of PSD2 SCA regulations:

  • Low value transactions
  • Subscriptions
  • Risk analysis
  • Whitelisting

Our test platform is ready for you to start testing. A simulator will support all different scenarios.

Testing cards have been provided and can be found on the support site, as well as in the TEST environment (Configuration > Technical Information > Test info).

Please contact us should you wish to start using 3-D Secure version 2 (3DSv2) in production. 

3-D Secure version 2 is an evolution of the existing 3-D Secure version 1 programs: Verified by Visa, Mastercard SecureCode, American Express SafeKey, Diners/Discover ProtectBuy and JCB J/Secure. It is based on a specification that has been drafted by EMVCo. EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It is overseen by EMVCo’s six member organizations (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) and supported by dozens of banks, merchants, processors, vendors and other industry stakeholders who participate as EMVCo Associates.

One of the core differences in version 2 is that the issuer can use a lot of data points from the transaction to determine the risk of the transaction (risk-based analysis). For low-risk transactions, issuers will authenticate the transaction without challenging the cardholder (e.g. without sending an SMS); this is the frictionless flow. Conversely, for high-risk transactions, issuers will require the cardholder to authenticate with an SMS or biometric means (challenge).

Separately, the Strong Customer Authentication (SCA) required from 1st January 2021 for Europe and from 14th September 2021 for UK, as specified in PSD2, will result in a substantial increase in the number of transactions requiring the use of 3-D Secure authentication. The use of 3-D Secure version 2 should limit the potential negative impact on conversion as much as possible. In short, 3-D Secure version 2 means:

  • You will need to implement 3-D Secure before January 1st, 2021 if your transactions fall within the EU PSD2 SCA guidelines (in case you don't already support 3-D Secure).
  • You are advised (and for some are required) to submit additional data points to support the risk assessment performed by the issuer in case of 3-D Secure version 2
  • You might need to update your privacy policy with regards to GDPR as you might be sharing additional data-points with 3rd parties
  • A much better user experience for your consumers

The expectation in the market is that a substantial percentage of transactions using 3-D Secure version 2 will follow the frictionless flow, which doesn't require anything additional from the cardholder compared to current non-3-D Secure checkout flows. This means that you benefit from the increased security and liability shift that is provided by the 3-D Secure programs, while the conversion in your checkout process shouldn't be negatively impacted.

The EBA (European Banking Authority) and national banks in each affected country agreed on a grace period (until at least March 2020). This will give every player in the eCommerce business the opportunity to clarify all details related to this new regulation. However, we still strongly recommend activating 3DS in your account(s) as soon as possible.

Since our TEST environment is ready, we advise you to start testing your integration as soon as possible.

Click here if you’re using eCommerce. If you’re using your own page, click here.

From 1st January 2020 for Europe and from 14th September 2021 for UK, Strong Customer Authentication (SCA) rules will come into effect for all digital payments in Europe. Right now, banks, payment service providers and card networks are all working on technical solutions that will comply with the requirements for PSD2. To accept payments after January 1st you will have to make sure that these technical solutions will work with your online store.

Accepting payments from the world’s largest card networks, Visa, Mastercard and Amex, will require that you have implemented the security solution 3D Secure for your online store. 3D Secure has been used since 2001 to improve the security of online card transactions, but now a new version has been developed that will facilitate the PSD2 Strong Customer Authentication requirements.

We recommend that you use 3-D Secure, since it helps prevent fraud and also protects you from liability in case of any fraud. From January 1st 2020 it will also be a requirement for accepting payments from major cards.

3DSv2 is inviting merchants to send additional information (mandatory / recommended ... ). All you need to know as a merchant can be found here:


https://www.concardis.com/de-en/protecting-your-data
https://www.concardis.com/online-handel/psd2-starke-kundenauthentifizierung

The EU’s Second Payment Services Directive (2015/2366 PSD2) entered into force in January 2018, aiming to ensure consumer protection across all payment types, promoting an even more open, competitive payments landscape. Acting as a payment service provider, we pride ourselves on being confirmed PSD2 compliant since 29 May 2018.

One of the key requirements of PSD2 relates to Strong Customer Authentication (SCA) that will be required on all electronic transactions in the EU from 1st January 2021 for Europe and from 14th September 2021 for UK. SCA will require cardholders to authenticate themselves with at least TWO out of the following three methods:

  • Something they know (PIN, password, …)
  • Something they possess (card reader, mobile, …)
  • Something they are (voice recognition, fingerprint, …)

This means your customers, in practice, will no longer be able to make a card payment online by using only the information on their cards. Instead they will have to, for example, verify their identity on a bank app that is connected to their phone and requires a password or fingerprint to approve the purchase.

More information about PSD2 can be found here: https://www.europeanpaymentscouncil.eu/sites/default/files/infographic/2018-04/EPC_Infographic_PSD2_April%202018.pdf

COF in a nutshell: the customer initiates a first transaction with a merchant using 3-D Secure (CIT). Based on this first transaction, the merchant can perform recurring transactions (subscription or with customer approval -> tokenization), flagged as MIT transactions.

MIT are one of the exemptions foreseen within 3DSv2, if they fulfill the following cumulative conditions:

  • subsequent transactions of an initial CIT 
  • CIT was done with a mandatory authentication
  • A dynamic ID linking is made between initial CIT and the subsequent MITs

After initial authentication, exemptions/exclusions can apply:

  • Either because of legal recurring exemptions, which apply to subscriptions with a fixed amount and periodicity (merchants are indeed advised to authenticate for the full amount and to provide details about the number of agreed payments with cardholders)
  • Or because other types of transactions are excluded from SCA scope, at the merchant's sole risk in case of chargeback (protection limited to the authenticated amount), and the issuer needs to accept that risk:
    • Unscheduled COF: principle of subsequent transactions is agreed with card holder, but amount and/or periodicity is not fixed
    • Industry practices: incremental, no show, etc...

For the transitional period, schemes have defined a default ID to be used for subsequent MITs created before the introduction of 3DS v2.

To make things easier for both merchants and consumers, PSD2 allows for some exemptions from strong customer authentication. What’s important to note is that all transactions that qualify for an exemption won’t be automatically exempted. In the case of card transactions, for example, it’s the card issuing bank that decides if an exemption is approved or not. So, even if a transaction qualifies for an exemption the customer might still have to make a strong customer authentication, if the card issuing bank chooses to demand it.

This situation is only possible if you are integrated via DirectLink only (Merchant own page / FlexCheckOut), as on the Nexi Payengine hosted payment page, Nexi Payengine is collecting the mandatory data.

First of all, Nexi Payengine will identify whether the flow is to be directed to v1 or v2 based on the card numbers.

If the card is enrolled V2, there are the following possible scenarios:

Mandatory data:

  • If the wrong data is passed, transaction is blocked
  • If some data is missing, Nexi Payengine will direct your transaction to v1 flow
  • If no data is passed, transaction is NOT blocked but diverted to flow v1

Recommended or optional data:

  • if no data is passed, transaction is NOT blocked, but cannot benefit from exemption. 

Configuration

 

If you want a production account, please send an e-mail to your account manager. If you do not have an account manager assigned to your account yet, please contact our commercial department at payengine-service@nexigroup.com.

 

 

 

The time to activate a payment method depends on the following factors:

  • It generally takes the acquirer or bank about a week to complete your affiliation. If you already have an affiliation, the activation takes a few days.
  • Some payment methods require additional checks before they can be activated, e.g. in case of 3-D Secure, which is requested directly at VISA or MasterCard (and not at the acquirer). 


To change your company name, we would firstly like to know whether your VAT also changes. If this is the case, please contact your account manager. If only your company name changes, you can easily send an e-mail to our Customer Care department or reach them by phone.


In the Test Environment you can easily add a dummy number e.g. 123456789.

You can send an e-mail to our Customer Care department with your PSPID and the new address. Your address will be updated as soon as possible.

Since your account contains personal data, please request its deletion by e-mail at payengine-service@nexigroup.com





Our Customer Care department will handle your request. It may be the case that due to legal obligations a minimum retention period must be observed with the impossibility to erase your account immediately.

If your VAT number has changed, you need a new PSPID / account. Please contact your account manager to create a new account.

 

To have your bank account number changed, please contact our Customer Care department.

Our team will take care of your request. 

You can do so by reaching out to our Customer Care department via phone or by sending an e-mail.

You can easily change your phone number in our Back Office. After logging in, please go to Configuration > Account > Your administrative details.

If you want to change the PSPID name for an existing production account, please contact your Nexi Payengine Account Manager who will open a new account for you.

The PSPID name of your existing production account cannot be changed, but a new account with a new name can be opened for you.

Please note there will be a fee for this service.

You can easily change your e-mail address yourself in our Back Office. After logging in, please go to Configuration > Account > Your administrative details.

Please contact the administrator of your account in order to log in to the Back Office and add a new contact person. They can do it by going to Configuration > Account > Your administrative details. If they cannot log in, they can contact our Customer Care department.

Even though we advise against using it since this feature will no longer be supported from 25 August 2020, you can configure the so-called referrer check in addition to the SHA signature authentication. With this setting, our system checks the origin of the transaction request, that is, the URL the request comes from (the referrer). The aim is to prevent unauthorised URLs (those not configured in your account) from calling the payment page.

In order to set it up or remove it, simply go to Technical Information > Data and origin verification. Under Checks for e-Commerce & Alias Gateway, you can enter one or more URLs that you want to enable to call the payment page: orderstandard.asp / orderstandard_utf8.asp.

Possible errors related to the referrer are "unknown order/1/r" and "unknown order/0/r". Go to Possible errors for more information about these errors.

Important: We strongly advise against using it and therefore recommend leaving this field blank.

However, if you would still like to use it,

  • The URL(s) must always start with http:// or https://
  • You must enter the ‘origin’ of the URL being accepted (Origin: <scheme> "://" <hostname> [ ":" <port> ]). For example: https://www.mysite.net
  • If you have several domains, multiple URLs can be entered. For example, http://www.mysite.com;http://www.mysite.net;https://www.secure.mysite.com. The URLs must be separated by a semicolon, with no spaces before or after the semicolon.
  • If you perform a test transaction from our test page, please remember to enter our site’s origin URL as a referrer, otherwise you will receive an error.
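
A way to check a referrer value against the formatting rules listed above before saving it, as an added example (not Nexi Payengine code). The function names, the strict "no path" reading of the origin rule, the exact-match comparison and the treatment of a blank field are assumptions; the sample setting is the one from this page.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Sample value taken from the page's own example.
PAGE_EXAMPLE = "http://www.mysite.com;http://www.mysite.net;https://www.secure.mysite.com"


def validate_origin(entry: str) -> list[str]:
    """Return the problems found in one configured entry (empty list = OK)."""
    if any(ch.isspace() for ch in entry):
        return ["contains spaces"]
    if not entry.lower().startswith(("http://", "https://")):
        return ["must start with http:// or https://"]
    try:
        parts = urlsplit(entry)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return ["malformed host or port"]
    problems: list[str] = []
    if not parts.hostname:
        problems.append("missing hostname")
    if parts.username or parts.password:
        problems.append("must not contain credentials")
    if parts.path or parts.query or parts.fragment:
        problems.append("must be an origin only (no path, query or fragment)")
    return problems


def validate_setting(setting: str) -> dict[str, list[str]]:
    """Validate the whole semicolon-separated field; returns {entry: problems}."""
    if setting == "":
        return {}  # blank field, as the page recommends
    return {entry: validate_origin(entry) for entry in setting.split(";")}


def origin_of(url: str) -> str | None:
    """Reduce a full URL (e.g. a Referer header value) to scheme://host[:port]."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    origin = f"{parts.scheme.lower()}://{parts.hostname}"
    return f"{origin}:{port}" if port else origin


def referrer_allowed(referer: str, setting: str) -> bool:
    """Assumed rule: the referrer's origin must equal one configured origin."""
    if setting == "":
        return True  # assumption: a blank field means the check is not configured
    allowed = {origin_of(e) for e in setting.split(";") if not validate_origin(e)}
    origin = origin_of(referer)
    # A missing or unparsable Referer header yields None and is rejected.
    return origin is not None and origin in allowed


if __name__ == "__main__":
    for entry, problems in validate_setting(PAGE_EXAMPLE + "; https://shop.mysite.net/pay").items():
        print(repr(entry), "->", problems or "OK")
    # Constructed referrer values for illustration.
    for ref in ("https://www.secure.mysite.com/basket?step=3",
                "https://www.mysite.com/basket",          # scheme differs from configured http://
                "https://www.mysite.net.example.org/"):   # different host sharing a prefix
        print(ref, "->", referrer_allowed(ref, PAGE_EXAMPLE))
```

Comparing whole origins rather than string prefixes is what keeps a host that merely begins with a configured name from matching.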

We also would like to take the opportunity to remind you that although the referrer allows our system to identify the origin of an order, SHA signature authentication remains the most trusted way to secure your transactions on your PSPID. You can find more information on that in our SHA signature integration guide.

Contract



To get your subscription changed, please contact your account manager.

If you do not have an account manager assigned to your account yet, please contact our commercial department at payengine-service@nexigroup.com



Please send an e-mail to our Customer Care department stating your PSPID, requested option and its price (if known). Our team will activate this option for you.

In order to activate Direct Debits on your account, please send your IBAN and BIC or the RIB-form to our Customer Care department. Our team will then create a form for you to sign. After receiving the signed form, we can easily activate Direct debits on your account.



You can contact your sales contact by phone/e-mail to request this termination.



You can contact your account manager by phone/e-mail to request this option. After signing your upgrade/downgrade form, please send it to our Customer Care department.


Please contact your account manager to prepare a new contract. After signing it, please send the contract to our Customer Care department.

You can deactivate your option (except for 3-D Secure option) by sending an e-mail to our Customer Care department with the request of deactivating that option.

Getting started

With the activation of your account, our Reconciliation tool is automatically available to you if you have a Full Service account or you benefit from Collect acquiring. This enables you to easily reconcile the payments you receive on your bank account with the orders/transactions in your Nexi Payengine account.

Nexi Payengine delivers payments services that are compliant with state of the art data security standards in the payment industry: PCI DSS.

PCI DSS includes a large set of security requirements and controls which are implemented and run on a regular basis.

These security controls aim to keep a constant high security level on the payment platform, which leads to optimal protection for transactions and data.
 

As soon as you've completed all the necessary steps and we've received all the relevant documents and a signed contract, we'll activate your account. The quicker you can complete these steps and send us the documentation, the quicker we can open your account.

Please note that you need at least one active payment method before we can activate your account. 

To register with Nexi Payengine please go to Easycontract on our website and fill in a short form.

As soon as we have checked your details, we will e-mail you a temporary password. 

Once you have received your temporary password, you will be able to log in using the ID you chose when you first registered. To complete your registration and fully activate your account, please complete the steps listed on your account’s home page. 

Glossary

Payment processing is a service that allows websites to sell online by accepting payment via electronic methods such as credit cards, debit cards and bank transfers.

Provided by payment service providers, payment processing is the technical connection or 'gateway' between a website and the financial institutions or 'acquirers' that govern different payment methods. To put it simply, without a payment service provider you won't get paid.



PSPID stands for payment service provider ID. It is the name you chose when you first registered to identify the business your account is linked to. You need your PSPID and password to log in to your account.

A RIB-form is the original document received from the bank in France.

A User ID identifies the specific user of an account.

If your account has more than one user, you log in by filling in your USERID, your payment service provider ID (PSPID), if needed, and your password. Please make sure you click on the 'Log in as user' link so that all three fields are displayed.

If your account only has one user, you will not need a USERID. You will log in using only your PSPID and password, so please make sure your login screen only displays two fields. If you can see three fields, click on the 'Log in as PSPID' link on the bottom left of the screen to log in as a merchant.

 

For a DirectLink or Batch integration, the parameter USERID corresponds to the API user set up on your PSPID. Please note that the API user is not able to log in to the Nexi Payengine Back Office.

The Back Office is the secure website where you manage your Nexi Payengine account. Once you have logged in, you can check and edit your administrative details, manage your payments, change your technical settings and much more. To log in, you simply need your payment service provider ID (PSPID) and your password.

A merchant account is a type of bank account that allows you to offer and receive the transaction funds from certain payment methods. Merchant accounts are provided by various banks and financial institutions – known as acquirers.

A merchant account enables you to authorize and accept certain payment methods before you can start distance selling. If you want to add more payment methods to increase conversion, you usually need to open additional merchant accounts with other acquirers. We can advise you on this and introduce you to the right acquirers for your business.

Depending on the market you operate in, we can also provide you with a merchant account directly. With Full Service, you're able to activate several payment methods, all at once – and with just one contract. By offering your customers more of the local payment methods they know and trust, you'll increase conversion and boost your online sales.
 

Phishing is a derivative of the word "fishing". The replacement of the 'f' by 'ph' is probably based on an abbreviation of the expression "password harvesting fishing".

Phishing operators use e-mails, hypertext links and Internet pages to redirect you to fake websites where you will be asked to disclose confidential data such as your bank account details or credit card number. A malicious e-mail generally asks you to confirm your password, bank details, account numbers, credit card details or other similar data by clicking on a link contained in the message. This link then directs you to a fake page with an address that is almost identical to that of the original site.

Prevention:

  • Be careful with e-mails.
  • It is very easy to fake a sender's address: the author of the e-mail you receive is not necessarily the service provider you believe it to be.
  • Do not reply to e-mails asking you to enter personal data. Service providers such as Nexi Payengine, banks, credit card issuers, etc. will never ask you to disclose your password, credit card number or other personal information by e-mail.
  • Enter links manually. Do not click on any links contained in suspicious messages: enter the URL address manually (for example, the address of your bank, the Nexi Payengine platform) or look for it in your Favourites. Links contained in fraudulent e-mails can direct you to fake websites. The differences in the URL addresses are often very difficult to spot. The appearance of the site can also be deceptive.
  • Check the encryption of Web pages. Before entering any of your personal details in a website, check that the site encrypts personal data by looking for https ("s" for secure) in the Web address and a closed padlock or non-broken key icon in your browser. Unfortunately, the padlock icon (and the key) can be forged on certain systems. Check that you are actually on the site you think you are on by double-clicking on the padlock icon to display the site's certificate. Make sure that the name on the certificate and the name in the address bar are the same. If the names are different, you could be on a fake site.
  • Check your bank and credit card statements regularly.
  • Upgrade your computer's security: Enable an anti-phishing filter to identify fraudulent sites before you visit them. Some browsers (e.g. Internet Explorer) have this kind of filter. Otherwise, you can install it as a toolbar. Regularly apply the latest security fixes for your operating system and the software installed on your computer. Install a firewall. Install anti-virus software and keep it up to date.

What should you do if you become a victim of phishing?

If you think you have received a phishing e-mail, proceed as follows:

  • IMMEDIATELY change the passwords and/or PIN codes for the online account with the company whose identity has been usurped.
  • SEND the fraudulent message to the company in question. It will generally have a special e-mail address to notify any such attacks.
  • NOTIFY the phishing attempt to the relevant authorities (local police, Internet Fraud Complaint Center, Anti-phishing working group).
  • RETAIN all PROOF of the fraud. In particular, in the event of a phishing attempt using an e-mail, do not delete the e-mail, since it contains, hidden in the header, the information required to trace the source of the attempt.

Invoicing

You can register through the invoice delivery email by following these steps: Open the notification e-mail -> Click on the ‘View invoice’ button -> Click on the ‘Register’ button when the browser window has loaded. Your user name is the email address that receives the invoice.
For any questions regarding the registration on Order2Cash, please review the FAQs on the Order2Cash website, or contact the Order2Cash Support using their contact form.

To change your bank account in our system, please send the new IBAN/BIC or RIB form to our Customer Care department in order to create a new form for you to sign.

If you want to change your invoicing address or the way you pay your invoices, please send an email with your PSPID to our Customer Care department

Our Customer Care team will take care of your request.

A SEPA mandate is easier to arrange and you as a merchant would not be burdened by paying our invoices manually.

To request a credit note, please send an e-mail or call our Customer Care department.

PCI certification

The only fully PCI compliant way is to use the POST method. That way you are sure not to expose any sensitive data of your customers.
It can also help you manage GDPR obligations by keeping personal data under your control.

Our platform will block every request sent with a non-compliant method.

Please contact your IT department to make sure your system sends POST requests only.

Transactions

You can only perform refunds on transactions which have already received status 9 for at least 24 hours. A cancellation or deletion can be done within approximately 24 hours after final status has been received (status 9 or 5).

To know the cut-off time of the acquirer, we recommend you to check directly with our Customer Care department.

You can easily refund a payment with the "Refund" button in the order overview of a transaction (via View transactions). If your account supports it, you can also make refunds with a DirectLink request or with a Batch file upload (for multiple transactions).

Please note that the Refunds option has to be enabled in your account.

By default you can send goods or deliver your service once a transaction has reached the status "9 - Payment requested". However, although status 5 is a successful status, it's only a temporary reservation of an amount of money on the customer's card. A transaction in status 5 still needs to be confirmed (manually or automatically) to proceed to the status 9, which is the final successful status for most payment methods.

3-D Secure is a way to authenticate online transactions, similar to entering a PIN code or writing a signature for a transaction on a physical terminal in a shop or restaurant. It was initially developed by VISA under the name "Verified by VISA" and was soon adopted by MasterCard (SecureCode), JCB (J/Secure) and American Express (Safekey®).

There are several forms of 3-D Secure authentication. Depending on the customer's bank and originating country, it can be using a card reader or digipass, entering a PIN-code, or entering a piece of data that only the cardholder can know. 3-D Secure allows merchants selling online to verify that their customers are the genuine cardholder in order to reduce instances of fraud.

If you want to check specific details of an order/transaction or perform maintenance on transactions, you should use View transactions. "Financial history" is the most convenient to periodically check incoming and outgoing funds.

A full green thumbs-up icon means that the transaction was completed with a 3-D Secure authentication method, such as Digipass or a card reader. However, it doesn't necessarily mean the payment itself was processed successfully. Therefore, you should always check the transaction status to know whether you'll receive your money.

In your Nexi Payengine account menu, you can easily lookup your transactions by choosing "Operations" and then clicking either "View transactions" or "Financial history", depending on the type of transaction results you're looking for.

Troubleshooting

There are different reasons why you can't refund a transaction. You need to consider the following (with the condition that the Refund option is enabled in your account):

  • The transaction is in an "incomplete" status, such as a pending or erroneous status (9192 etc.) that doesn't allow the refund operation.
  • The transaction is authorised (status 5), at which point no payment has been made yet. In this case you have to cancel the authorisation instead of refunding.
  • The used payment method doesn't support the refund functionality, which can be the case with certain debit cards, web banking methods and "offline" payment methods such as Bank transfer.

Please send our Customer Care department the signed contract. In order to activate your account, at least one payment method must be activated. If you want more information regarding payment methods, please contact your account manager.

MasterCard needs additional enrollment for 3-D Secure, which can take a couple of days.

The message "An error has occurred; please try again later. If you are the owner or the integrator of this website, please log into the Nexi Payengine back office to see the details of the error." is a generic error message which is returned if a specific technical issue occurs at the moment the payment page is called. We don't display the actual error on the payment page, mainly because of security reasons, but also not to confuse your customers.

In your Nexi Payengine account, via "Configuration" > "Error logs", you can easily look up the errors that occurred when the generic error message was displayed. The actual meaning of these errors is described on the Possible errors page.

Sometimes it happens that an affiliation number has been put inactive on the side of the acquirer. We suggest you contact your acquirer for this.

If your mandate is not working, you should contact your bank to ask why the mandate has been refused.

You can reinitiate your password via the "Lost your password?" button on the bottom of the login screen.

If you're unable to log in to your account using your payment service provider ID (PSPID) and password, it may be due to one of the following reasons:

  • You could be using your test PSPID and/or password in the production environment, or your production PSPID and/or password in the test environment. You can check the environment at the top of the login screen – it will say either: "Identification Production" or "Identification TEST". To switch environments, use the link under the login fields.
  • You could be logging in as a merchant on the user screen or as a user on the merchant screen. If you're logging in as a merchant, you'll see two fields: PSPID and Password. If you're logging in as a user, you'll see three fields: USERID, PSPID (optional) and Password. To switch the login screen, click the "Log in as user" or "Log in as PSPID" button on the bottom left of the screen.
  • Perhaps you've typed in your password in the wrong case? Passwords are case sensitive. Try typing your password into a text editor such as Word or Notepad to check the spelling and the case, then copy/paste the result in the password field.
  • When you submit your login details, if the login page reappears and the information you entered is gone it means your browser is not accepting session cookies. To enable session cookies, go to your browser's settings. If you're unsure how to do this for your operating system and browser version, please check with an IT specialist. 

If you forgot your password, please click on the "Lost your password?" button on the bottom of the screen.


Once a transaction reaches status 9, meaning that the customer has paid, the acquirer or bank will deposit the money to your account. The time when this payout occurs differs per payment method and acquirer. We recommend you to check directly with the acquirer or bank, if you believe you're not receiving your money in a timely manner.