For the purpose of carrying out a payment initiation with the XS2A APIs, it is necessary to establish a consent between the TPP, the PSU and the ASPSP. In order to do that, Commerzbank offers two different transaction flows. One follows a Redirect OAuth2 approach, the other one follows a Decoupled approach.
In this approach, the PISP has to proceed with an OAuth2 authorization. The consent is established and validated thanks to a redirection of the PSU towards the ASPSP Authentication platform.
See How to Perform a Strong Customer Authentication for details.
Note that to access payment resources, you don't need to provide an access token in requests if the payment has been initiated through a redirect Oauth2 workflow
The decoupled approach is similar to the redirect one. The difference is that the ASPSP asks the PSU to authenticate e.g. by sending a push notification with transaction details to a dedicated mobile app or via any application or device independent from the online banking frontend.
In difference to the redirection flow, there is no impact on the PSU/TPP interface during the technical processing.
See How to Perform a Strong Customer Authentication for details.
| Request Headers | Response Headers | ||||
|---|---|---|---|---|---|
| TPP-Explicit-AuthorisationPreferred | PSU-ID and PSU-ID-Type | TPP-Redirect-Preferred | TPP-Decoupled- Preferred | ASPSP-SCA-Approach (Response from ASPSP) | Explanation |
| true | Decision will be done on POST authorisations API | ||||
| false/not provided | not provided | true/false/not provided | true/false/not provided | REDIRECT | |
|
provided Currently supported PSU-ID-TYPE: "retail" as default value. "" is also accepted. |
true | false/not provided | REDIRECT | ||
| true | true | REDIRECT / DECOUPLED | 1. Decoupled workflow is the default process, if PSU is eligible. 2. If PSU is not eligible for decoupled workflow, REDIRECT will be provided. |
||
| false/not provided | true/false/not provided | REDIRECT / DECOUPLED | 1. Decoupled workflow is the default process, if PSU is eligible. 2. If PSU is not eligible for decoupled workflow, REDIRECT will be provided. |
||
| Request Headers | Response Headers | |||
|---|---|---|---|---|
| PSU-ID and PSU-ID-Type | TPP-Redirect-Preferred | TPP-Decoupled-Preferred | ASPSP-SCA-Approach(Response from ASPSP) | Explanation |
| Not provided | true/false/not provided | true/false/not provided | REDIRECT | |
|
provided Currently supported PSU-ID-TYPE: "retail" as default value. "" is also accepted. |
true | false/not provided | REDIRECT | |
| true | true | REDIRECT / DECOUPLED | 1. DECOUPLED workflow is the default process, if PSU is eligible. 2. If PSU is not eligible for decoupled workflow, REDIRECT will be provided. |
|
| false/not provided | true/false/not provided | REDIRECT / DECOUPLED | 1. DECOUPLED workflow is the default process, if PSU is eligible. 2. If PSU is not eligible for decoupled workflow, REDIRECT will be provided. |
|
Creates a payment resource at the ASPSP for a given payment service and product. Specificities for this API and available services and products are listed in the dedicated HowTo.
Create an authorisation sub-resource of the payment resource and start the authorisation process.
The usage of this access method is only necessary if the TPP has asked to start the authorisation process separately from the payment initiation (using the “TPP-Explicit-Authorisation-Preferred” Header).
Requests an authorisation from a PSU following the OAuth2 protocol. Details of the authentication workflow and user interfaces are described in the dedicated HowTo section.
Our specificities regarding the OAuth2 protocol are listed below.
response_type : code
code_challenge_method : S256
After successful authorisation, the user will be redirected to the redirect URI provided in the request with the following parameters :
The PIS with no IBAN / Combined Service is a feature of the AIS consent. It allows a PISP to retrieve the list of account through an AIS request when it should not be able to do so.
Thanks to this feature, a PISP can offer a smooth PIS workflow where the PSU select a debtor IBAN from his/her account list instead of entering the IBAN manually.
TPPs with only the PISP role can only use the global consent scope availableAccounts: allAccounts.
An AIS Combined Service Consent can be one-off.
The property combinedServiceIndicator has to be set to true in the body of the request.
Before submitting a Payment the current balance is checked. TPPs do not need to provide "TPP-Rejection-NoFunds-Preferred Flag" in the header because the current balance is verified prior to payment submission. It will be rejected if there are no funds available, no matter how the flag is set.
Our interface is supporting the "closingBooked" and the "expected" balance type. This means that also the implicit FCS is based on calculating the funds on the final booked payment as well as the expected payments. Expected payments are therefore considered to determine the availability of funds here. New SEPA payment orders initiated by the customer via Online Banking or the PIS service of the PSD2 interface are included in the displayed expected balance as well as in the closingbooked balance as soon as the funds left the customers account.Instant payments are included in the displayed closingbooked balance immediately and in real-time after payment approval.
For specific BerlinGroup Implementation on the Payment Initiation Service, please refer to specific implementation How To.