Issuers

System Administrators and Issuer Administrators only

Issuers tab

This section is used to set issuer specific settings; maintain and upload card details; create and maintain custom pages and manage keys.
When a new issuer is created all issuer settings are set to default.

Issuers has the following sub menu options:

  • Settings

  • Upload Registration Files

  • Registration Requests

  • Custom Pages

  • Key Management

The first Issuers page is Settings.

Settings

This section is used to set up and maintain issuer system settings for displaying PARes, providing proof of authentication attempts to merchants, maximum unsuccessful authentication attempts permitted for cardholders and the automatic unlock lag time.

Note

Settings are different for Local and Remote Issuers.

Local Issuer Settings

These settings are available if the Issuer's Authentication server has been set to Local in Issuer Details.

Issuer > Settings

Use the following fields to manage Local Settings:

  • Select an Issuer from the drop down list, to display its settings.
    This field is not displayed if the user is assigned to a single issuer.

  • Issuer ID cannot be changed.

  • BINs - displays a list of BINs currently assigned to the selected issuer. The BIN list can only be changed by a user with System Admin access level from System Management > Issuer Management section.

  • Maximum authentication attempts allows the administrator to set up an upper limit for the number of successful authentications that can be performed by each cardholder (acceptable range is 0 to 999) in a specified period of time (acceptable range is 1 to 24 hours). This is particularly useful when the issuer is being charged per transaction for each authentication and it makes sense to set an upper limit for the financial liability.

    This option is disabled by default which means the number of successful authentications that can be performed by the user is not limited.

    Once a set limit is reached, issuer will reject further authentication attempts.

  • Maximum unsuccessful attempts that will be permitted for unsuccessful authentication or enrolment attempts by cardholders (acceptable range is 0 to 9).

    The default value is 3, which means that 4 unsuccessful authentication or registration attempts with a card will result in the card being locked to avoid further access for security reasons. An issuer may change to any other value to comply with their internal policy.

    Warning

    Setting this field to 0 disables the automatic locking mechanism and is not recommended.

  • Maximum interaction is used to set a maximum number of cardholder interactions as determined by the selected Challenge Flows and security requirements to allow an appropriate number of cardholder retries without going beyond the pre-set maximum (acceptable range is 0 to 10). When the limit is reached, the transaction fails but the card will not be locked.

  • Automatic unlock time in minutes (acceptable range is 0 to 1440). A currently locked card can be automatically unlocked after the amount of time specified here has passed.

    This may help to reduce helpdesk calls if set properly.

    The default value is 0, which implies that this field is disabled and as such all locked accounts have to be manually unlocked by helpdesk staff.

  • Enable Purchase date validation - checkbox to enable purchase date validation against defined Purchase date validation interval.

  • Purchase date validation interval - the acceptable time difference between the purchase date and time in AReq and when the ACS receives the AReq.

  • Specify the cardholder Password policy using the following:

    • Minimum password length between 1 and 128 chars (typically 6)

    • Maximum password length between 1 and 128 chars (typically 16)

    • Minimum password digit, the minimum number of numerical characters the password must contain. The default value is 0, which disables this field.

    • Minimum password capital letter, the minimum number of capital letters the password must contain (typically 1). The default value is 0, which disables this field.

    Note

    The sum total of the numbers entered for Minimum password digit and Minimum password capital letter must be less than or equal to the Minimum password length.

  • Time zone

    This allows administrators to set an individual time zone for the specified issuer.

    The default time zone is set when the application is installed and is displayed for reference, on the menu bar, from where it can be modified at any time, as and when appropriate. Modification of the Time zone on the menu bar does not change the Time zone for the Issuer in the Issuer Settings.

    Note

    If you modify the Time zone in the menu bar it will persist for the current session only. It will revert to the Time zone entered in the Issuer settings, the next time you login.

    All search parameters for transactions, audit logs and reports (daily, monthly and annual) will be based on the Time zone specified on the menu bar at the time of the search.

    Warning

    IMPORTANT: If the time zone in Issuers > Settings is changed, it will impact the data displayed for issuer reports (daily, monthly and annual). When attempting to change the time zone, a warning message is displayed with the following options:

    • Continue and delete report data - reports will not be available for the selected issuer until the next overnight report run, which will use the new time zone.

    NOTE: If auto archive is enabled, archived data will no longer be collected and previous report data will be lost.

    • Continue and keep report data - existing report data will be inaccurate due to the time change. Accurate reports will not be available until the next overnight report run, which will use the new time zone.

    • Cancel - time zone will not be changed.

  • Language selection during authentication

    This allows administrators to enable or disable the language selection page displayed to cardholders.

    • Disabled – Select this option to disable the language selection for the cardholder.

    • Enable language switch on all pages – Allows the cardholder to switch the language on each page using the link displayed at the top section of the page.

    • Display language page – Allows the cardholder to select the language at the start of the transaction on a separate language selection page.

    Note

    • In SDK/AppBased transactions, the selection page is used to query the preferred language of the cardholder.
    • For Remote Authentication Issuer, the language link is not supported, and the selection page will display.
  • Name on card verification

    This allows administrators to enable or disable cardholder name. When it is Enabled, the ACS will not compare the cardholder name received in the request with the saved value.

  • A link is provided to Provider Settings.
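Added example (not ActiveAccess code): a review of a Local Issuer Settings snapshot against the ranges and rules listed above, plus the upper bound on failed attempts per card per day that a given lock threshold and automatic unlock time allow. The dictionary keys and function names are hypothetical, and the bound assumes the failure counter resets on automatic unlock.

```python
import math

# Acceptable ranges as documented in the field list above.
# The key names are hypothetical labels for those fields.
RANGES = {
    "max_unsuccessful_attempts": (0, 9),
    "max_interaction": (0, 10),
    "auto_unlock_minutes": (0, 1440),
    "min_password_length": (1, 128),
    "max_password_length": (1, 128),
}

# Constructed sample snapshot, not taken from a real installation.
SAMPLE_SETTINGS = {
    "max_unsuccessful_attempts": 0,
    "max_interaction": 5,
    "auto_unlock_minutes": 30,
    "min_password_length": 6,
    "max_password_length": 16,
    "min_password_digits": 4,
    "min_password_capitals": 3,
}


def review_settings(settings):
    """Return a list of (severity, field, message) findings."""
    findings = []
    for name, (low, high) in RANGES.items():
        value = settings[name]
        if not low <= value <= high:
            findings.append(
                ("error", name, f"{value} is outside the range {low} to {high}"))

    min_len = settings["min_password_length"]
    if min_len > settings["max_password_length"]:
        # Sanity check added by this example; the page does not state it.
        findings.append(
            ("error", "min_password_length", "minimum exceeds maximum length"))

    # Rule from the page: digits + capital letters <= minimum password length.
    required = settings["min_password_digits"] + settings["min_password_capitals"]
    if required > min_len:
        findings.append(
            ("error", "min_password_digits",
             f"digits + capitals ({required}) exceed minimum length ({min_len})"))

    if settings["max_unsuccessful_attempts"] == 0:
        findings.append(
            ("warning", "max_unsuccessful_attempts",
             "0 disables automatic card locking"))
    elif settings["auto_unlock_minutes"] == 0:
        findings.append(
            ("info", "auto_unlock_minutes",
             "0 means locked cards stay locked until helpdesk unlocks them"))
    return findings


def max_failed_attempts_per_day(max_unsuccessful, auto_unlock_minutes):
    """Upper bound on failed attempts one card can absorb in 24 hours.

    From the page: a limit of N locks the card on failure N + 1 (default 3,
    locked on the 4th); 0 disables locking; an unlock time of 0 means the
    card stays locked until it is unlocked manually.
    Assumption: the failure counter resets on automatic unlock and the
    attempts themselves take no time. Returns None when there is no bound.
    """
    if max_unsuccessful == 0:
        return None
    per_lock = max_unsuccessful + 1
    if auto_unlock_minutes == 0:
        return per_lock
    # Lock cycles that can start inside one 1440-minute window.
    cycles = math.ceil(1440 / auto_unlock_minutes)
    return per_lock * cycles


if __name__ == "__main__":
    for severity, name, message in review_settings(SAMPLE_SETTINGS):
        print(f"{severity:8} {name}: {message}")
    print("default limit, 30 minute unlock:", max_failed_attempts_per_day(3, 30))
```

The bound makes the trade-off between helpdesk load and lockout strength visible: a short automatic unlock time multiplies the number of failed attempts a card can receive per day.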

Provider Settings

There are a number of settings that can be specified per authentication scheme. You should set these parameters in accordance with the recommendation of the 3-D Secure authority of each scheme.

Issuer > Settings > Provider Settings

Use the following fields to view / edit Providers settings:

  • Select an Issuer from the drop down list

  • Select a Provider ID from the drop down list

  • Select Enabled or Disabled from the Activation during shopping drop down list to enable or disable the cardholder registration during the shopping process.

    Enabling this option allows an issuer to dynamically enrol the cardholders while they are shopping at a 3-D Secure enabled merchant site. The activation during shopping process only applies to those cardholders who have been pre-registered by their issuer in the system.

  • Select Enabled or Disabled from the Proof of authentication attempt drop down list to enable or disable providing authentication attempt guarantee to merchants.

    This option applies to SafeKey, SecureCode, ProtectBuy, J/Secure and Verified by Visa in 3-D Secure version 1.0.2 and later. An issuer may choose to provide proof of authentication attempts for non-enrolled cardholders, when an authentication is requested by the merchant. Proof of attempt processing provides guarantee of funds transfer to the merchant. This may shift the liability to the issuer despite the fact the cardholder was not enrolled and could not be authenticated. Proof of attempt is an incentive for the merchants to implement 3-D Secure.

  • Specify the value for Maximum ADS proof of attempts (acceptable range is 0 to 9). The option limits the number of times a user is allowed to opt-out of ADS processes and still receive proof of authentication attempt status code. Once the limit is reached, cancelling ADS will result in PARes status='N' to be returned to the merchant and it is likely that cardholder transaction will not be authorised by the merchant. Set this option to 0, if you wish to grant unlimited authentication attempts to cardholders.

  • Specify the value for PAReq freshness period in minutes (acceptable range is 0 to 60). The default value is 0, which effectively disables this option.

    An ACS may receive duplicate PAReq messages due to cardholder actions (for example, if the cardholder clicks the Back or Refresh buttons during the authentication process). In order to provide good customer service, and minimise cardholder confusion, the 3-D Secure protocol recommends that receipt of a duplicate PAReq within a reasonable time should not be treated as an error. This is called the PAReq freshness period. According to the 3-D Secure bulletin of July 12, 2004, the recommended period should be between 10 and 15 minutes.

    Warning

    ActiveAccess sends a PARes with status code 'U' and iReqCode 56, if a duplicate PAReq is received outside the period specified by this parameter.

    Warning

    The ADS and attempt process for Visa, American Express, Diners Club International and JCB is the same but different for Mastercard. Mastercard does not currently recognise attempt processing in the sense defined by Visa specification and does not provide authentication guarantee and liability shift if the cardholder is not enrolled. However, Mastercard still requires a PARes with status 'A' to be sent when the cardholder cancels ADS up to the limit defined by the issuer. For more information refer to Visa 3-D Secure standard and Mastercard SecureCode specification.

  • Mastercard SecureCode only: Select Mastercard SecureCode or Mastercard Identity Check from the Authentication type drop down list. This option is only used for the 3DS1 protocol. When Mastercard Identity Check is selected, challenge authentication does not allow static password only.

  • American Express SafeKey only: Specify the value for Maximum forgot password attempts (acceptable range is 0 to 9, default is 2 as specified in the SafeKey Issuer Implementation Guide). The option limits the number of times a user is allowed to enter an incorrect SafeKey before the card is locked. Once the limit is reached, it will result in PARes status='N' to be returned to the merchant and the cardholder transaction may not be authorised by the merchant.

  • Select A (Attempted) or N (Not approved) from the Unsupported device PARes status drop down list.

    This option specifies the PARes to be used for unsupported devices.

  • Specify any Browser Unsupported devices in the text box

    This is for specifying browsers / devices for which authentication is not supported in browser mode. It can also be used to quickly remove support if, for example, a security issue has been reported for a particular browser.

    Format of the input is JSON array.

    Example

    [{"user-agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0"}]

  • Specify any App Unsupported devices in the text box

    This is for specifying browsers / devices for which authentication is not supported in app mode. It can also be used to quickly remove support if, for example, a security issue has been reported for a particular browser.

    Format of the input is JSON array.

    Example

    [
      {"DV":"1.0","DD":{"C001":"Android","C002":"HTC One_M8","C004":"5.0.1","C005":"en_US","C006":"Eastern Standard Time","C007":"06797903-fb61-41ed-94c2-4d2b74e27d18","C009":"John's Android Device",....},"DPNA":{"C010":"RE01","C011":"RE03"},"SW":["SW01","SW04"]},
      {"DV":"1.0","DD":{"C001":"iOS","C002":"iPhone 5c","C003":" iPhone OS","C004":"9.2","C005":"en-US","C006":"GMT-6","C009":"John's iPhone",....},"DPNA":{"C010":"RE01","C011":"RE03"},"SW":["SW01","SW04"]},
      {"DV":"1.0","DD":{"C001":"Windows","C002":"NOKIA RM-984_1006","C003":"WindowPhone","C004":"10.0.10586.11","C005":"en-US","C006":"(UTC-06:00) Central Time (US & Canada)","C007":"1bbd95da4520a6dfe7b94480d69f3cbb","C008":"1280x720","C009":"My Phone",....},"DPNA":{"C010":"RE02","C011":"RE03"},"SW":["SW01","SW04"]}
    ]

  • Set the Challenge Mandated Indicator

    The ACS decides based on the ACS Challenge Mandated Indicator, the 3DS Requestor Challenge Indicator, and the ACS Rendering Type whether to perform the requested challenge.

  • Cardholder info for non-exempt authentication - Text provided by the ACS to the cardholder during a frictionless transaction that was not authenticated by the ACS.

    It is optional for issuers to provide information to the cardholder.

    Example

    “Additional authentication is needed for this transaction, please contact (Issuer Name) at xxx-xxx-xxxx.”

  • ACS Reference Number - A unique reference number provided by EMVCo to ActiveAccess.

  • ACS Operator ID - An ACS identifier assigned by the Directory Server. Each Directory Server can provide a unique ID to each ACS on an individual basis.

  • Broad Info - Unstructured information sent between the 3DS Server, the Directory Server and the ACS.

  • Add device acknowledgement in ARes: This allows administrators to enable or disable the Device Acknowledgement extension in ARes message.

  • Support Bridging Message Extension: This allows administrators to enable or disable the Bridging Message Extension in ARes message.

  • J/Secure only: Display attempt time - The duration of displaying an attempt page for JCB cards only in case of attempt returning status. A value of 0 indicates that no attempt page should be shown.

Remote Issuer Settings

These settings are available if the Issuer's Authentication server has been set to Remote (CAAS) in Issuer Details.

Issuers > Settings

Use the following fields to view / edit Remote Settings:

  • Issuer This field is not displayed if the user is assigned to a single issuer.

  • Issuer ID cannot be changed

  • Maximum interaction is used to set a maximum number of cardholder interactions as determined by the selected Challenge Flows and security requirements to allow an appropriate number of cardholder retries without going beyond the pre-set maximum (acceptable range is 0 to 10). When the limit is reached, the transaction fails but the card will not be locked.

  • Time zone

    This allows administrators to set an individual time zone for the specified issuer.

    The default time zone is set when the application is installed and is displayed for reference, on the menu bar, from where it can be modified at any time, as and when appropriate. Modification of the Time zone on the menu bar does not change the Time zone for the Issuer in the Issuer Settings.

    Note

    If you modify the Time zone in the menu bar it will persist for the current session only. It will revert to the Time zone entered in the Issuer settings, the next time you login. All search parameters for transactions, audit logs and reports (daily, monthly and annual) will be based on the Time zone specified on the menu bar at the time of the search.

    Warning

    IMPORTANT: If the time zone in Issuers > Settings is changed, it will impact the data displayed for issuer reports (daily, monthly and annual). When attempting to change the time zone, a warning message is displayed with the following options:

    • Continue and delete report data - reports will not be available for the selected issuer until the next overnight report run, which will use the new time zone.

    NOTE: If auto archive is enabled, archived data will no longer be collected and previous report data will be lost.

    • Continue and keep report data - existing report data will be inaccurate due to the time change. Accurate reports will not be available until the next overnight report run, which will use the new time zone.

    • Cancel - time zone will not be changed.

  • Enable Purchase date validation - checkbox to enable purchase date validation against defined Purchase date validation interval.

  • Purchase date validation interval - the acceptable time difference between the purchase date and time in AReq and when the ACS receives the AReq.

Authentication Scheme Settings

There are a number of settings that can be specified per authentication scheme including activation during shopping, attempt processing and PAReq freshness period. You should set these parameters in accordance with the recommendation of the 3-D Secure authority of each scheme.

  • Select Enabled or Disabled from the Use ACS local settings drop down list.

    Enabling this option allows issuer settings to be set locally in the ACS instead of remotely on the CAAS side.

    Note

    If Disabled, refer to Remote Messaging Specification for further information on setting these parameters.

If Enabled:

  • Select Enabled or Disabled from the Activation during shopping drop down list to enable or disable the cardholder registration during the shopping process.

    Enabling this option allows an issuer to dynamically enrol the cardholders while they are shopping at a 3-D Secure enabled merchant site. The activation during shopping process only applies to those cardholders who have been pre-registered by their issuer in the system.

  • Select Enabled or Disabled from the Proof of authentication attempt drop down list to enable or disable providing authentication attempt guarantee to merchants.

    This option applies to SafeKey, SecureCode, ProtectBuy, J/Secure and Verified by Visa in 3-D Secure version 1.0.2 and later. An issuer may choose to provide proof of authentication attempts for non-enrolled cardholders, when an authentication is requested by the merchant. Proof of attempt processing provides guarantee of funds transfer to the merchant. This may shift the liability to the issuer despite the fact the cardholder was not enrolled and could not be authenticated. Proof of attempt is an incentive for the merchants to implement 3-D Secure.

  • Specify the value for Maximum ADS proof of attempts (acceptable range is 0 to 9). The option limits the number of times a user is allowed to opt-out of ADS processes and still receive proof of authentication attempt status code. Once the limit is reached, cancelling ADS will result in PARes status='N' to be returned to the merchant and it is likely that cardholder transaction will not be authorised by the merchant. Set this option to 0, if you wish to grant unlimited authentication attempts to cardholders.

  • Specify the value for PAReq freshness period in minutes (acceptable range is 0 to 60). The default value is 0, which effectively disables this option.

    An ACS may receive duplicate PAReq messages due to cardholder actions (for example, if the cardholder clicks the Back or Refresh buttons during the authentication process). In order to provide good customer service, and minimise cardholder confusion, the 3-D Secure protocol recommends that receipt of a duplicate PAReq within a reasonable time should not be treated as an error. This is called the PAReq freshness period. According to the 3-D Secure bulletin of July 12, 2004, the recommended period should be between 10 and 15 minutes.

    Warning

    ActiveAccess sends a PARes with status code 'U' and iReqCode 56, if a duplicate PAReq is received outside the period specified by this parameter.

    Warning

    The ADS and attempt process for Visa, American Express, Diners Club International and JCB is the same but different for Mastercard. Mastercard does not currently recognise attempt processing in the sense defined by Visa specification and does not provide authentication guarantee and liability shift if the cardholder is not enrolled. However, Mastercard still requires a PARes with status 'A' to be sent when the cardholder cancels ADS up to the limit defined by the issuer. For more information refer to Visa 3-D Secure standard and Mastercard SecureCode specification.

  • Mastercard SecureCode only: Select Mastercard SecureCode or Mastercard Identity Check from the Authentication type drop down list.

  • American Express SafeKey only: Specify the value for Maximum forgot password attempts (acceptable range is 0 to 9, default is 2 as specified in the SafeKey Issuer Implementation Guide). The option limits the number of times a user is allowed to enter an incorrect SafeKey before the card is locked. Once the limit is reached, it will result in PARes status='N' to be returned to the merchant and the cardholder transaction may not be authorised by the merchant.

  • Select A (Attempted) or N (Not approved) from the Unsupported device PARes status drop down list.

    This option specifies the PARes to be used for unsupported devices.

  • Specify any Unsupported devices in the text box

    This is for specifying browsers / devices for which authentication is not supported. It can also be used to quickly remove support if, for example, a security issue has been reported for a particular browser.

    Separate multiple browsers / devices using commas (,). This setting is not case sensitive.
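The PAReq freshness rule described under Provider Settings and again under Authentication Scheme Settings, as an added example (not ActiveAccess code): a duplicate PAReq inside the period is not treated as an error, and one outside it is answered with PARes status 'U' and iReqCode 56. Keying on the PAReq xid, the retention period and all class and function names are assumptions; a period of 0 (option disabled) is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

IREQ_STALE_DUPLICATE = 56  # iReqCode given on this page for a late duplicate


@dataclass(frozen=True)
class Outcome:
    kind: str                    # "new", "duplicate_fresh" or "duplicate_stale"
    pares_status: Optional[str]  # 'U' for a stale duplicate, else None
    ireq_code: Optional[int]     # 56 for a stale duplicate, else None


class PAReqFreshness:
    """Tracks when each PAReq was first seen and classifies repeats."""

    def __init__(self, freshness_minutes, retention_minutes=24 * 60):
        # The page allows 0 to 60; 0 disables the option and is not modelled.
        if not 1 <= freshness_minutes <= 60:
            raise ValueError("freshness period must be 1 to 60 minutes here")
        if retention_minutes < freshness_minutes:
            raise ValueError("retention must cover the freshness period")
        self.window = freshness_minutes * 60
        # Assumption: first-seen records are kept this long. Once a record is
        # purged, a re-sent PAReq can no longer be recognised as a duplicate.
        self.retention = retention_minutes * 60
        self.first_seen = {}  # xid -> time of first receipt, in seconds

    def purge(self, now):
        expired = [x for x, t in self.first_seen.items() if now - t > self.retention]
        for xid in expired:
            del self.first_seen[xid]

    def receive(self, xid, now):
        """Classify a PAReq identified by xid arriving at time now (seconds)."""
        self.purge(now)
        first = self.first_seen.get(xid)
        if first is None:
            self.first_seen[xid] = now
            return Outcome("new", None, None)
        if now - first <= self.window:
            # Back/Refresh inside the period: carry on with the same
            # authentication instead of raising an error.
            return Outcome("duplicate_fresh", None, None)
        return Outcome("duplicate_stale", "U", IREQ_STALE_DUPLICATE)


# Constructed arrival log: (seconds since start, xid).
SAMPLE_EVENTS = [
    (0, "xid-A"),      # first PAReq
    (120, "xid-A"),    # cardholder pressed Refresh
    (300, "xid-B"),    # unrelated transaction
    (899, "xid-A"),    # still inside a 15 minute period
    (901, "xid-A"),    # just outside it
    (90000, "xid-A"),  # after the retention period: record already purged
]


def replay(events, freshness_minutes):
    """Run the events through one tracker and return the outcomes in order."""
    tracker = PAReqFreshness(freshness_minutes)
    return [tracker.receive(xid, now) for now, xid in events]


if __name__ == "__main__":
    for (now, xid), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, 15)):
        print(f"{now:>6}s {xid}: {outcome.kind} "
              f"status={outcome.pares_status} iReqCode={outcome.ireq_code}")
```

The last sample event shows why the retention period matters: once the first-seen record is gone, the same xid is processed as a new request.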

Upload Registration Files

Issuers > Upload Registration Files

The Upload Registration Files section is used to upload card registration messages for bulk registration or pre-registration of cardholders. Files can be uploaded for an individual Issuer or for an Issuer Group.

The main page shows a report on recently performed file uploads and their status.

You can schedule the upload of a card registration file using the Upload File link, view details using the Job number link, and reschedule or cancel scheduled uploads using the Edit or Cancel links.

Note

This page will not be available for remote issuers.

Uploading XML files that contain SMS devices

When uploading XML files that contain SMS devices, note that if the national trunk prefix of the mobile number has been entered (0 or 1), these digits will automatically be removed from the start of the mobile number by ActiveAccess.

Use the following fields and links for managing card uploads:

  • The first available Issuer is displayed by default. If you are assigned to an issuer group, select All or an Issuer from the drop down list and click the adjacent Refresh button.

    A list of the selected issuer's card files and their status is displayed.

  • Select All or the type of registration message from the Message Type drop down list.

    A list of the selected issuer's card files and their status is displayed.

  • The default report is for the last 10 days, but you can specify an upload Date range for the search result by entering dates in the From and To fields using dd/mm/yyyy format and clicking the Refresh button.

  • Click the Upload File link (which is only displayed when an Issuer is selected) to schedule a file upload job for the selected issuer.

    The Upload File page is displayed.

The following details are displayed for each uploaded file for the selected issuer:

  • Job Number - this number is defined by the system and links to the Job Details page, which provides full details for the job and details of any error messages or warning conditions

  • Issuer - name of the issuer that owns the card upload job

  • Group - name of the issuer group that owns the card upload job

  • Message Type - the type of registration message, e.g. card registration

  • File Name - the name of the file uploaded

  • Started - the date and time the file upload started

  • Finished - the date and time the file upload finished

  • Attempts - the number of times the file upload was attempted

  • Status - the upload status shows the current status for data upload, which can be one of the following:

    • Completed

    • Completed with warnings

    • Processing

    • Failed

    • Scheduled

    • Cancelled

  • Edit link - displayed for Scheduled uploads.

    This links to the Edit Upload Details page for updating the scheduled date and time.

  • Cancel link - displayed for Scheduled uploads.

    The administrator may cancel a scheduled upload, by clicking the Cancel link, but cannot cancel one which is in progress.

Upload File

Issuers > Upload Registration Files > Upload File

This page is used to enter the details of the card file you wish to upload and to schedule the upload date and time.

Use the following fields to upload a file:

  • Choose the appropriate radio button and select an Issuer or an Issuer group from the drop down list.

  • Select the type of registration message, Card Registration, from the Message Type drop down list

  • Click the Choose File / Browse… button adjacent to File name, to locate and select a registration file to upload.

    The No file chosen message will then be replaced by the File name of the file to be uploaded.

  • Enter Schedule Date and Time when you want the uploaded data to be processed.

    Uploaded files scheduled to run in the past are set to run immediately.

    You may also leave these fields blank if you wish to process the uploaded data as soon as possible.

Note

The data upload may take a long time to complete depending on the file size and line speed.

Job Details

Issuers > Upload Registration Files > Job Details

This page provides job details and a link to the registration request details via the Message ID link. It also provides information on any error conditions that prevented the upload from being processed successfully.

The fields displayed are:

  • Issuer name

  • Job number

  • Message ID link to Request details

  • Message type - Card Registration

  • Uploaded date and time

  • File name

  • When the upload was Started and Finished

  • Number of Attempts before the upload was finished

  • Status of the job

  • Error message

  • Error Details

  • Warnings

Edit Uploaded File

Issuers > Upload Registration Files > Edit Uploaded File

This page is used to update the scheduled processing time by specifying a new Date and Time.

Use the following fields to edit the file's scheduled upload:

  • Issuer - cannot be changed

  • Message type - cannot be changed

  • File name - cannot be changed.

    To upload a different file you must first cancel this upload using the Cancel link on the Upload Registration File page and then select the Upload File link.

  • Date using dd/mm/yyyy format

  • Time using hh:mm format

  • Apply button to save.

Registration Requests

Issuers > Registration Requests Search

The Registration Requests section is used to view requests for card registration messages.

You can view registration request details using the REG ID link.

Note

This page will not be available for remote issuers.

Use the following fields to find a registration request:

  • Select from the Issuer drop down list to limit the results to the specified issuer OR

  • Select from the Group drop down list to limit the results to the specified issuer group.

  • The Request ID is the identifier entered in the registration message by the issuer. Enter all of the Request ID to search.

  • The default Creation date range is for the last 10 days, but you can specify a date and time range (inclusive) in the From and To fields. The date and time format is dd/mm/yyyy HH:MM. Leave the time field empty if you do not wish to limit your search for a particular time of day.

  • The default Completion date range is for the last 10 days, but you can specify a date and time range (inclusive) in the From and To fields. The date and time format is dd/mm/yyyy HH:MM. Leave the time field empty if you do not wish to limit your search for a particular time of day.

  • Select the Status of the registration requests from the drop down list. The options are:

    • All (default)

    • Completed

    • Completed with warnings

    • Failed

    • Processing

  • Click Search to display registration request details

A list of the selected issuer or issuer group's registered requests and their progress is displayed.

Issuers > Registration Requests displays:

The following details are displayed for each registration request

  • REG ID - this number is defined by the system and links to the Request Details page, which provides full details for the request job and details of any error messages or warning conditions

  • Issuer - name of the issuer who owns the registration request

  • Group - name of the issuer group who owns the registration request

  • Creation date - the date the request was created

  • Completion date - the date the request was completed

  • Request ID - the Request ID associated with the request message

  • Progress - the status of the request; Completed, Completed with warnings, Failed or Processing.

Custom Pages

Issuers > Custom Pages

This section is used to upload, store and manage issuer branded pages. Branded pages are displayed to cardholders during authentication processes.

Each issuer is assigned a separate space and a separate URL for their authentication pages. Issuers can modify the XSL files of the pages to include the issuer's logo and customised text. This ensures that cardholders will always be presented with their own issuer branded pages during the authentication process.

Page customisation

When customising the pages, note that the main text that appears on the page should not exceed 350 characters. In addition to this, the maximum length of card number is 19 characters, amount is 48 characters, and merchant name is 40 characters.

Authentication page customisation tip

  • To enable automatic submission when the timeout is reached, in config_ver2.xsl set <xsl:variable name="auth_disable_autosubmit" select="1=0"/>. To disable the buttons and links, set <xsl:variable name="auth_disable_autosubmit" select="1=1"/>.
  • To disable forms and buttons when the timeout is reached, set <xsl:variable name="auth_disable_buttons" select="1=1"/>. To keep them active, set <xsl:variable name="auth_disable_buttons" select="1=0"/>.
    
  • The default and second language values can be updated by changing the values of the following variables:
    <xsl:variable name="def_lang_label">English</xsl:variable>
    <xsl:variable name="sec_lang_label">中文</xsl:variable>
    

SMS/E-mail OTP authentication page customisation tip

To remove the OTP timer from the page, set <xsl:variable name="auth_enable_timer" select="1=0"/>. To enable it, set <xsl:variable name="auth_enable_timer" select="1=1"/>.

Out of Band Authentication page customisation tip

To disable the websocket, set <xsl:variable name="auth_enable_websocket" select="1=0"/>. To enable it, set <xsl:variable name="auth_enable_websocket" select="1=1"/>.

Uploading tip

For ease of upload, you can zip the files first and upload them all at once.

Sample custom pages

A set of sample custom pages, with Any Bank branding, is available in the ActiveAccess installation package: ActiveAccess/data/custompage/issuer

The naming convention for 3DS1 authentication pages is as follows:

Page                                Filename
J/Secure authentication             auth_jcb_index.xsl
SecureCode authentication           auth_spa_index.xsl
VbV authentication                  auth_vbv_index.xsl
SafeKey authentication              auth_sk_index.xsl
ProtectBuy authentication           auth_dc_index.xsl
Two-factor device authentication    dev_index.xsl

Other resources, such as help files and graphics, can also be uploaded to the issuer space.

To avoid any run time problems or security risks, only trained personnel can upload branded pages. As such, the option to upload custom pages is available at the system administration level only.

Issuer administrators have read-only access to this function, which can be used to download custom pages and branded material.

Note

The issuer system limits issuer space to a flat file structure (i.e. all files are created at the same directory level).

You can upload new pages using the Upload File link, and delete or download existing pages.

Use the following fields and links for managing the custom pages:

  • Select an Issuer from the drop down list of available issuers and click the Refresh button.

    A list of the issuer's custom pages is displayed.

    Or

  • Select a Group from the drop down list of available groups and click the Refresh button.

    A list of the group's custom pages is displayed.

  • Upload File link to upload a new file for the selected issuer or issuer group.

    The Upload File page is displayed.

  • Download Selected link, used in conjunction with the Select checkbox to download one or multiple custom pages, for the selected issuer or issuer group.

  • Delete Selected link, used in conjunction with the Select checkbox to delete one or multiple custom pages, for the selected issuer or issuer group.

The following custom page details are displayed for the selected issuer:

  • File Name

  • Size - size of file in bytes

  • Date - date and time of upload

  • Delete link to delete the page

  • Download link to download the page

Upload File

Issuers > Custom Pages > Upload File

This page is used to enter the name and location of the custom page you wish to upload.

Use the following fields to upload a file:

  • Select the Issuer for which you are uploading the custom pages from the drop down list

  • Alternatively a Group can be selected from the drop down list. Selecting a group allows the administrator to roll out an update to all the issuers that are a direct member of the group or a member of a group owned by the selected group.

Note

Important: Care should be taken when rolling out an update to a group as it will overwrite the corresponding files on all the member issuers. Issuers may have configuration, graphics or text files specific to their own brand. You should not upload a generic package that overwrites these issuer branded pages through this facility without carefully checking first.

  • Click the Choose File / Browse… button, adjacent to File name, to locate and select a custom page file to upload.

    The No file chosen message will then be replaced with the name of the file to be uploaded.

  • Click the Apply button to upload the file.

    A file upload confirmation is displayed and, if the uploaded pages support rules, a link is provided to allow the issuer to use rules.

Key Management

The system creates a number of cryptographic keys for each issuer in order to protect sensitive and confidential information. These keys are securely stored in the ActiveAccess database by utilising a Master Key on a hardware security module (HSM) to encrypt/decrypt these keys.

This section lists the keys used by the issuer and the history of any changes. The list of keys is retrieved by the MIA instance that the user is currently accessing. It is the responsibility of the system administrator to keep all HSM instances synchronised at all times.

This section also allows the administrator to retire the current Signing RSA or CAVV validation keys and create new ones. Card and general encryption keys cannot be retired and replaced using this interface, because doing so requires a process that decrypts previously encrypted fields with the old key and re-encrypts them with the new key. GPayments has developed a PCIDSS Key Retiring Utility for this purpose.

Use the following fields and links for viewing keys:

  • The first available Issuer is displayed by default. Select a different Issuer from the drop down list of available issuers and click the adjacent Refresh button.

    A list of the selected issuer's current keys is displayed.

  • Select the Group radio button to select an Issuer Group from the drop down list of available issuer groups, and click the adjacent Refresh button.

    A list of the selected issuer group's current keys is displayed.

  • Select the General keys radio button to view the list of the general encryption keys that are used to encrypt general critical settings and configuration parameters.

  • New Key link to the New Key page

  • Import Key link to the Import Key page.

This page displays the following for each key:

  • Alias link to the Key Details page

  • Delete button to allow unused keys to be deleted

    Note

    Delete is only available for non-encryption keys

  • Export button to allow exporting of keys, and links to Export Data Key

    Note

    Export is only available for HMAC and CAVV keys

The following key details are displayed for the selected Issuer or Group:

  • Provider

  • Algorithm

  • Type

  • Alias

  • Creation time - date and time of upload

  • Status

  • KeyStore type - possible values: Data, HSM

The following key details are displayed for the General keys:

  • Algorithm

  • Type

  • Alias

  • Creation time - date and time of upload

  • Status

  • KeyStore type - possible values: Data, HSM

New Key

Issuers > Key Management > New Key

The New Key section is used to retire the current Signing RSA, CAVV validation, or HMAC keys, and replace them with a new key.

Alternatively, the PCIDSS Key Retiring Utility provided in the ActiveAccess installation package allows for the automatic retiring of old keys and re-generation of new ones. Refer to Key Retiring Utility for further details.

Use the following fields and links for generation of new keys:

  • Issuer or Group

  • Type

  • Provider

    Note

    SecureCode HMAC generation key and SecureCode HMAC 256 generation key are only available for the Mastercard provider.

  • Algorithm is displayed and cannot be changed

  • Old alias is displayed and cannot be changed

  • Old key size is displayed and cannot be changed

  • New alias status is displayed and cannot be changed

  • New alias

  • If the key Type is Signing RSA key, select a Key size from the drop down list. Defaults to 1024.

  • Click the Generate new key button.

Info

  • In order to use the newly created Signing RSA key, you need to create a certificate request using this key and have the certificate signed. Then the signed certificate must be installed for the key to be used in the next transaction.
  • In order to use the newly created CAVV key, you must activate it in Key Details before it can be used for the next transaction.
  • In order to use the newly created HMAC key, you must activate it in Key Details before it can be used for the next transaction.

Import Key

Issuers > Key Management > Import Key

The Import Key section is used for importing CAVV and HMAC keys.

Use the following fields and links for importing keys:

  • Issuer or Group

  • Type

  • Provider

    Note

    SecureCode HMAC generation key and SecureCode HMAC 256 generation key are only available for the Mastercard provider.

  • KEK alias (Key Encryption Key alias) - the alias of an encryption key stored in the HSM, which is required for decrypting the key that is to be imported.

    Note

    KEK must be AES or DESede.

    If this field is empty, the input Key value will be considered as clear key value.

  • Algorithm is displayed and cannot be changed

  • Old alias is displayed and cannot be changed

  • New alias status is displayed and cannot be changed

  • Key value - options include hexadecimal and base64 encoded formats

  • KCV - Optional; Key Check Value of HMAC/CAVV keys.

    Note

    KCV is calculated using the following methods:

    • HMAC keys: first three bytes of SHA-1 key hash value.
    • CAVV keys: first three octets of ciphertext produced by ECB mode encryption of a block full of zeros.
  • Click the Import key button.

    Note

    DESEde/ECB/PKCS5Padding or AES/CBC/PKCS5Padding algorithm is used for key decryption.
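The two KCV methods described above can be checked offline before a key value is entered on the Import Key page. The following is an added example, not ActiveAccess code: the class and method names are hypothetical, the CAVV key is assumed to be a 16- or 24-byte DESede key (the page does not state its algorithm), the KCV is assumed to be exchanged as hexadecimal, and Java 17 or later is required for HexFormat.

```java
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import java.util.HexFormat;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
public class KcvCheck {
    // HMAC keys: first three bytes of the SHA-1 hash of the key.
    static byte[] hmacKcv(byte[] key) throws Exception {
        return Arrays.copyOf(MessageDigest.getInstance("SHA-1").digest(key), 3);
    }

    // CAVV keys: first three octets of the ECB encryption of an all-zero block.
    // Assumption (not stated on the page): a 16- or 24-byte DESede key.
    static byte[] cavvKcv(byte[] key) throws Exception {
        if (key.length != 16 && key.length != 24)
            throw new IllegalArgumentException("expected a 16- or 24-byte DESede key");
        byte[] k = Arrays.copyOf(key, 24);
        if (key.length == 16) System.arraycopy(key, 0, k, 16, 8); // K1|K2 -> K1|K2|K1
        Cipher c = Cipher.getInstance("DESede/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, "DESede"));
        return Arrays.copyOf(c.doFinal(new byte[8]), 3);
    }

    // Key value is hex or base64; "ABCD1234" is valid in both, so the caller states which.
    static byte[] decode(String value, boolean hex) {
        String v = value.strip();
        return hex ? HexFormat.of().parseHex(v) : Base64.getDecoder().decode(v);
    }

    // Constant-time comparison with the KCV supplied alongside the key.
    static boolean matches(byte[] computed, String expectedHex) {
        return MessageDigest.isEqual(computed, HexFormat.of().parseHex(expectedHex.strip()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample keys, not real key material.
        byte[] hmacKey = decode("MDEyMzQ1Njc4OWFiY2RlZg==", false);
        byte[] cavvKey = decode("0123456789ABCDEFFEDCBA9876543210", true);
        HexFormat hx = HexFormat.of().withUpperCase();
        String issued = hx.formatHex(cavvKcv(cavvKey));
        System.out.println("HMAC KCV: " + hx.formatHex(hmacKcv(hmacKey)));
        System.out.println("CAVV KCV: " + issued);
        // A wrong key bit almost certainly changes the KCV. DES ignores the low
        // (parity) bit of each key byte, so an error confined to those bits is not detected.
        cavvKey[0] ^= 0x02;
        System.out.println("altered key matches: " + matches(cavvKcv(cavvKey), issued));
    }
}
```

A KCV confirms that the key was transcribed correctly; it is only three bytes long and does not authenticate where the key came from.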

Key Details

Issuers > Key Management > Key Details

The Key Details section is used to list the history of the changes for the specified key.

The following key details are displayed for the selected alias:

  • Alias

  • Algorithm

  • Creation time - date and time of upload

  • Expiration time - date and time the key will expire

  • Status

    • Active - the key is being used by the system

    • Inactive - the key needs to be activated through a pre-defined process

    • Expired - the key has been retired and will no longer be used by the system

  • KeyStore type - possible values:

    • Data - the key is stored in the database

    • HSM - the key is stored in the HSM

  • Click the Activate button to activate inactive keys

  • Click the Delete button to delete unused keys.

Export Data Key

Issuers > Key Management > Export

The Export Data Key section is used to export HMAC and CAVV keys.

The following fields are displayed to view / edit:

  • Issuer or Group

  • Provider

  • Type

  • Alias - the alias of the key to be exported

  • KEK alias (Key Encryption Key alias) - the alias of an encryption key stored in the HSM, which is required for encrypting the key that is to be exported

  • Click the Export button to display the Key value in hexadecimal/base64 encoded formats and the KCV.

    Note

    DESEde/ECB/PKCS5Padding or AES/CBC/PKCS5Padding algorithm is used for key encryption.