New API Version | Last Updated: 21 November 2024 | Change Log

Verify a customer's account


To verify your customer's account, you must send a verifications request to one of our supported resources.

Intelligent verification

With an Intelligent verification, Worldpay chooses the amount to use in the verification.

Intelligent verification request

You can POST your intelligent verification request to one of these resources:

oneTime intelligent verification

For a oneTime verification, POST your request to the verifications:oneTime action link received in your query the verifications root resource request.

POST https://try.access.worldpay.com/verifications/accounts/intelligent/oneTime


cardOnFile intelligent verification

cardOnFile payments are initiated by the customer using the payment instrument details that have already been stored.

For a cardOnFile verification, POST your request to the verifications:cardOnFile action link received in your query the verifications root resource request to become Cardholder Initiated Transaction (CIT) compliant.

POST https://try.access.worldpay.com/verifications/accounts/intelligent/cardOnFile


Example request body

Intelligent verification for cardOnFile and oneTime requests:

{
    "transactionReference": "{uniqueTransactionReference}",
    "currency": "GBP",
    "merchant": {
        "entity": "default"
    },
    "paymentInstrument": {
        "type": "card/plain",
        "cvc": "321",
        "cardHolderName": "John Appleseed",
        "cardNumber": "4444333322221111",
        "cardExpiryDate": {
            "month": 5,
            "year": 2035
        },
        "verificationAddress": {
            "address1": "Worldpay",
            "countryCode": "GB",
            "postalCode": "CB4 0WE",
            "city": "Cambridge"
        }
    }
}
Note

Only use the Intelligent verification request with paymentFacilitator if you are a payment facilitator.

Descriptions of your intelligent verification request parameters:

ParameterRequiredDescription
currencyThe 3-digit currency code.
See list of supported currencies.
transactionReferenceA unique reference generated by you that is used to identify a payment throughout its lifecycle. See transaction reference format, for more details and the best practices.
paymentInstrumentAn object that contains your customer's payment details.
paymentInstrument.cardHolderNameAn object that contains your customer's name.
paymentInstrument.cardNumberAn object that contains your customer's payment card number.
paymentInstrument.typeAn object that contains your customer's payment type, card/plain.
paymentInstrument.verificationAddressAn object containing the verification address information. If included you must send at least:
  • city
  • countryCode
  • postalCode
paymentInstrument.cardExpiryDateAn object that contains your customer's payment card expiry date.
paymentInstrument.cvcCVC is a unique set of 3 or 4 numbers on the back of your customer's card. Including the CVC in your request increases the chances of the verification request outcome being verified. Our API checks to see if the CVC supplied matches the CVC held by the issuing bank.
merchantAn object that contains information about the merchant.
merchant.entityDirect your verification to assist with billing, reporting and reconciliation. This is mandatory for verifications. For more information contact your Relationship Manager or Implementation Manager.
merchant.mccA Merchant Category Code (mcc) can be applied to an individual request. An mcc can only be provided if the dynamic mcc feature has been enabled during boarding. If enabled but not provided, merchant.mcc defaults to a configured value. For more information contact your Relationship Manager or Implementation Manager.
merchant.paymentFacilitatorAn object containing your payment facilitator information. If required you must send:
  • pfId
  • isoId
  • subMerchant.merchantId
  • subMerchant.postalcode
  • subMerchant.street
  • subMerchant.city
  • subMerchant.countryCode
This information is only required for verification if you are a payment facilitator.
recipientAn object that contains the details of the recipient of the payment.
  • accountReference: Partial account number
  • lastName
  • dateOfBirth.day
  • dateOfBirth.month
  • dateOfBirth.year
  • address.postalCode
Recommendation
We highly recommend you supply this, if your MCC is 6012 or 6051. Sending this field ensures you remain PSD2 compliant and avoid potential acquirer refusals.

Dynamic verification

Our Dynamic verifications service gives you granular control over the amount that is used for verification.

Dynamic verification request

You can POST your verification request to one of these resources :

dynamicOneTime verification

For a dynamicOneTime verification, POST your request to the verifications:dynamicOneTime action link received in your query the verifications root resource request.

POST https://try.access.worldpay.com/verifications/accounts/dynamic/oneTime


dynamicCardOnFile verification

cardOnFile payments are initiated by the customer using the payment instrument details that have already been stored.

For a dynamicCardOnFile verification, POST your request to the verifications:dynamicCardOnFile action link received in your query the verifications root resource request to become Cardholder Initiated Transaction (CIT) compliant.

POST https://try.access.worldpay.com/verifications/accounts/dynamic/cardOnFile


Example request body

Dynamic verification for cardOnFile and oneTime requests:

{
    "transactionReference": "unique-transactionReference",
    "merchant": {
        "entity": "default"
    },
    "instruction": {
        "value": {
            "currency": "GBP",
            "amount": 20
        },
        "paymentInstrument": {
            "type": "card/plain",
            "cvc": "321",
            "cardHolderName": "John Appleseed",
            "cardNumber": "4444333322221111",
            "cardExpiryDate": {
                "month": 5,
                "year": 2035
            },
            "verificationAddress": {
                "address1": "Worldpay",
                "countryCode": "GB",
                "postalCode": "CB4 0WE",
                "city": "Cambridge"
            }
        }
    }
}
Note

Only use the Dynamic verification request with paymentFacilitator if you are a payment facilitator.

Descriptions of your dynamic verification request parameters:

ParameterRequiredDescription
instructionAn object that contains all the information related to the payment.
value.currencyThe 3-digit currency code.
See list of supported currencies.
value.amountThe payment amount. This is a whole number with an exponent e.g. if exponent is two, 250 is 2.50. You can find the relevant exponent in our currency table.
transactionReferenceA unique reference generated by you that is used to identify a payment throughout its lifecycle. See transaction reference format, for more details and the best practices.
paymentInstrumentAn object that contains your customer's payment details.
paymentInstrument.cardHolderNameAn object that contains your customer's name.
paymentInstrument.cardNumberAn object that contains your customer's payment card number.
paymentInstrument.typeAn object that contains your customer's payment type, card/plain.
paymentInstrument.verificationAddressAn object containing the verification address information. If included you must send at least:
  • city
  • countryCode
  • postalCode
paymentInstrument.cardExpiryDateAn object that contains your customer's payment card expiry date.
paymentInstrument.cvcCVC is a unique set of 3 or 4 numbers on the back of your customer's card. Including the CVC in your request increases the chances of the verification request outcome being verified. Our API checks to see if the CVC supplied matches the CVC held by the issuing bank.
merchantAn object that contains information about the merchant.
merchant.entityDirect your verification to assist with billing, reporting and reconciliation. This is mandatory for verifications. For more information contact your Relationship Manager.
merchant.mccA Merchant Category Code (mcc) can be applied to an individual request. An mcc can only be provided if the dynamic mcc feature has been enabled during boarding. If enabled but not provided, merchant.mcc defaults to a configured value. For more information contact your Relationship Manager.
merchant.paymentFacilitatorAn object containing your payment facilitator information. If required you must send:
  • pfId
  • isoId
  • subMerchant.merchantId
  • subMerchant.postalcode
  • subMerchant.street
  • subMerchant.city
  • subMerchant.countryCode
This information is only required for verification if you are a payment facilitator.
recipientAn object that contains the details of the recipient of the payment.
  • accountReference: Partial account number
  • lastName
  • dateOfBirth.day
  • dateOfBirth.month
  • dateOfBirth.year
  • address.postalCode
Recommendation
We highly recommend you supply this, if your MCC is 6012 or 6051. Sending this field ensures you remain PSD2 compliant and avoid potential acquirer refusals.

3DS

You can optionally submit 3DS parameters for intelligent and dynamic verification requests.

To get the customer authentication object you must complete an authentication request using our 3DS API.

Intelligent verification example request
{
    "transactionReference": "{uniqueTransactionReference}",
    "currency": "GBP",
    "merchant": {
        "entity": "default",
        "mcc": "6012",
        "paymentFacilitator": {
            "pfId": "12345678901",
            "isoId": "4101",
            "subMerchant": {
                "merchantId": "873674903278364",
                "name": "Example Shop",
                "street": "123 Street",
                "state": "CA",
                "city": "San Francisco",
                "countryCode": "840",
                "postalCode": "94101",
                "taxId": "987-65-4321",
                "telephone": "800-555-9999",
                "email": "contact@example.com"
            }
        }
    },
    "paymentInstrument": {
        "type": "card/plain",
        "cvc": "321",
        "cardHolderName": "John Appleseed",
        "cardNumber": "4444333322221111",
        "cardExpiryDate": {
            "month": 5,
            "year": 2035
        },
        "verificationAddress": {
            "address1": "Worldpay",
            "countryCode": "GB",
            "postalCode": "CB4 0WE",
            "city": "Cambridge"
        }
    },
    "customer": {
        "authentication": {
            "version": "1.0.2",
            "type": "3DS",
            "eci": "05",
            "authenticationValue": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=",
            "transactionId": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="
        }
    },
    "recipient": {
        "accountReference": "azAZ0123",
        "lastName": "Moriarty",
        "address": {
            "postalCode": "DH1 3LE"
        },
        "dateOfBirth": {
            "day": 1,
            "month": 2,
            "year": 2000
        }
    }
}
Dynamic verification example request
{
    "transactionReference": "unique-transactionReference",
    "merchant": {
        "entity": "default",
        "mcc": "6012",
        "paymentFacilitator": {
            "pfId": "12345678901",
            "isoId": "4101",
            "subMerchant": {
                "merchantId": "873674903278364",
                "name": "Example Shop",
                "street": "123 Street",
                "state": "CA",
                "city": "San Francisco",
                "countryCode": "840",
                "postalCode": "94101",
                "taxId": "987-65-4321",
                "telephone": "800-555-9999",
                "email": "contact@example.com"
            }
        }
    },
    "instruction": {
        "value": {
            "currency": "GBP",
            "amount": 20
        },
        "paymentInstrument": {
            "type": "card/plain",
            "cvc": "321",
            "cardHolderName": "John Appleseed",
            "cardNumber": "4444333322221111",
            "cardExpiryDate": {
                "month": 5,
                "year": 2035
            },
            "verificationAddress": {
                "address1": "Worldpay",
                "countryCode": "GB",
                "postalCode": "CB4 0WE",
                "city": "Cambridge"
            }
        }
    },
    "customer": {
        "authentication": {
            "version": "1.0.2",
            "type": "3DS",
            "eci": "05",
            "authenticationValue": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=",
            "transactionId": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="
        }
    },
    "recipient": {
        "accountReference": "azAZ0123",
        "lastName": "Moriarty",
        "address": {
            "postalCode": "DH1 3LE"
        },
        "dateOfBirth": {
            "day": 1,
            "month": 2,
            "year": 2000
        }
    }
}

The descriptions of parameters from your 3DS authorization request

ParameterRequiredDescription
customerAn object containing the result of your customer's verification. For more details see 3DS verification.
authentication.type3DS
authentication.versionThe version of 3DS used to process the transaction.
For 3DS1 - 1.0.2
For 3DS2 - 2.1.0 or 2.2.0
Note
Required for Mastercard's Identity Check transactions in Authorization.
authentication.eciElectronic Commerce Indicator (ECI).
Indicates the outcome of the 3DS verification.
  • 02 or 05 - Fully Authenticated Transaction
  • 01 or 06 - Attempted Authentication Transaction
  • 00 or 07 - Non 3-D Secure Transaction
  • Mastercard - 02, 01, 00
  • Visa - 05, 06, 07
  • Amex - 05, 06, 07
  • JCB - 05, 06, 07
  • Diners - 05, 06, 07
authentication.authenticationValueA cryptographic value that provides evidence of the outcome of a 3DS verification.
  • Visa - Cardholder Authentication Verification Value (CAVV)
  • Mastercard - Universal Cardholder Authentication Field (UCAF)
For version 3DS1: authentication.authenticationValue is required if authentication.eci value is 01, 02 or 05
For version 3DS2: authentication.authenticationValue is required if authentication.eci value is 01, 02, 05 or 06.
authentication.authenticationValue must be 28 digits max and must be base64-encoded.
authentication.transactionIdRequired, if authentication.eci value is 01, 02, 05 or 06.
A unique authentication transaction identifier, generated by the issuer.

For version 3DS1: transactionId must be base64-encoded and 28 digits in length.
For version 3DS2: transactionId must be a UUID and 36 characters in length.

Apple Pay decrypted

You can optionally submit Apple Pay decrypted parameters for intelligent and dynamic cardOnFile requests.

Verification example request:

{
   "currency":"EUR",
   "paymentInstrument":{
      "type":"card/networkToken+applepay",
      "cardHolderName":"Joe Bloggs",
      "cardExpiryDate":{
         "month":1,
         "year":2019
      },
      "dpan":"4444333322221111"
   },
   "merchant":{
      "entity":"default"
   },
   "transactionReference":"transactionReference",
   "customer":{
      "authentication":{
         "type":"card/networkToken",
         "eci":"05",
         "authenticationValue":"MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="
      }
   },
   "recipient": {
      "accountReference": "azAZ0123",
      "lastName": "Moriarty",
      "address": {
         "postalCode": "DH1 3LE"
      },
      "dateOfBirth": {
         "day": 1,
         "month": 2,
         "year": 2000
      }
   }
}

The descriptions of parameters from your Apple Pay decrypted authorization request

ParameterRequiredDescription
paymentInstrument.typeAn object that contains your customer's payment type; card/networkToken+applepay.
paymentInstrument.dpanAn object that contains the device primary account number.
customerAn object containing the authentication information required for Apple Pay decrypted.
authentication.typecard/networkToken
authentication.eciElectronic Commerce Indicator (ECI).
Indicates the value contained in the Apple Pay decrypted response.
authentication.authenticationValueA cryptographic value that provides evidence of the outcome of a Apple Pay decrypted verification.
Important

We currently don't return action links in our response for this paymentInstrument. This is still under development. You can use our payments:migrateCardOnFileAuthorize action link to take a payment in the meantime.

Verifications response

The response is the same for both an Intelligent or Dynamic verification.

You receive:

  • a 201 HTTP response code
  • a verification outcome (either verified or not verified)
  • riskFactors
  • a paymentInstrument
Note

The paymentInstrument contains the paymentInstrument.type sent in the request at minimum. If you wish to receive more card metadata this must be enabled. For more information contact your Implementation Manager.

{
    "outcome": "verified",
    "checkedAt": "2018-09-01T10:37:36.923Z",
    "riskFactors": [{
            "risk": "matched",
            "type": "cvc"
        },
        {
            "risk": "matched",
            "detail": "postcode",
            "type": "avs"
        },
        {
            "risk": "matched",
            "detail": "address",
            "type": "avs"
        }
    ],
    "_links": {
        "verifications:verification": {
            "href": "https://try.access.worldpay.com/verifications/accounts/{resource}"
        },
        "curies": [{
            "name": "verifications",
            "href": "https://try.access.worldpay.com/rels/verifications/accounts/{rel}",
            "templated": true
        }]
    }
}

The parameter checkedAt contains a timestamp showing when the verification was performed, and the location of the verification for future access.

Best Practice

If you receive an outcome of not verified it means that your customer has failed the verification. We strongly recommend that you refuse the payment made with that payment instrument.

Action Link (resources)Description
verifications:verificationThe link to the outcome of your verification request.
payments:recurringAuthorizeA subsequent payment in a recurring agreement. This resource is only returned as a result of a successful verifications:cardOnFile, verifications:dynamicCardOnFile or payments:migrateRecurringAuthorize request.
payments:cardOnFileAuthorizeA subsequent payment in a card on file agreement. This resource is only returned as a result of a successful verifications:cardOnFile, verifications:dynamicCardOnFile or payments:migrateCardOnFileAuthorize request.
payments:recurringSaleA subsequent payment in a recurring agreement. This resource is only returned as a result of a successful verifications:cardOnFile or verifications:dynamicCardOnFile request.

Risk Factors

We recommend you supply cvc and verificationAddress to increase probability of a successful verification.

The table below describes the response parameters:

ParameterDescription
riskFactors.typeReturns avs or cvc
riskFactors.detailFor avs only.
Returns postcode or address
riskFactors.riskReturns not_checked, not_matched, not_supplied or matched

Payment Instrument

We only return the paymentInstrument card metadata if you are enabled for this feature.

The table below describes the response parameters:

ParameterDescription
paymentInstrument.typeReturns the paymentInstrument.type provided in your request. Can be either card/plain or card/tokenized.
paymentInstrument.cardAn object containing all the additional metadata for the card/token provided in the request.
paymentInstrument.card.numberAn object containing the bin and last4Digits of the card.
paymentInstrument.card.countryCodeThe country code of the card issuer.
paymentInstrument.card.expiryDateAn object that contains your customer's payment card expiry date.
paymentInstrument.card.brandThe card scheme, e.g. visa or mastercard.
paymentInstrument.card.fundingTypeCan be either debit, credit, chargeCard, prepaid, or deferredDebit.
paymentInstrument.card.issuer.nameThe name of the card issuer.
paymentInstrument.card.categoryCan be either consumer or commercial.
paymentInstrument.card.paymentAccountReferenceThe unique reference associated with the card PAN.

Location storing

You must store the returned location information. Failing to store the location information means the outcome of the verification is lost. You are not able to query a historic verification.

The location is stored in the href of the verifications:verification action link received on your verifications response.

Best Practice

We recommend you store all responses.

Query a historic verification

To query a historic verification, submit a query to the location returned in your initial response.

Query verifications request

GET https://try.access.worldpay.com/verifications/accounts/{resource}

You can query the location that was returned in the initial response to retrieve the outcome of the initial verification. You can only get the location from the initial response.

Query verifications response

In your response is a 200 HTTP response code and the historic outcome of the verification.

outcome:

  • verified
  • not verified
{
    "outcome": "verified",
    "checkedAt": "2018-09-01T10:37:36.923Z",
    "riskFactors": [{
            "risk": "matched",
            "type": "cvc"
        },
        {
            "risk": "matched",
            "detail": "postcode",
            "type": "avs"
        },
        {
            "risk": "matched",
            "detail": "address",
            "type": "avs"
        }
    ],
    "_links": {
        "verifications:verification": {
            "href": "https://try.access.worldpay.com/verifications/accounts/{resource}"
        },
        "curies": [{
            "name": "verifications",
            "href": "https://try.access.worldpay.com/rels/verifications/accounts/{rel}",
            "templated": true
        }]
    }
}
Note

Verifications are accurate at the time of the initial request. Sending another intelligent or dynamic verification request may return different results.