PSD2 is the short name for Payment Service Directive 2, a set of regulations introduced by the European Banking Authority aimed at combating the rising costs of fraud by requiring Strong Customer Authentication (SCA) for online transactions of greater than 30 euros. To learn more about PSD2, SCA, and dynamic linking check out this post.
Twilio Verify can already enable you to quickly verify phone number ownership with one-time passwords (OTP) over SMS. In a few easy steps, we can extend these capabilities to help us comply with PSD2 by verifying transactions using dynamic linking and Strong Customer Authentication (SCA).
Before using Twilio Verify for transaction verification, we need to need to create a new Service with PSD2 mode enabled. When PSD2 mode is enabled requests to start and complete verifications will require that the Payee and Amount parameters. Enabling PSD2 mode for Service can be done through the Verify API.
To verify a transaction, you will start by requesting to send a verification code to the user. Each verification code is dynamically-linked to the Amount and Payee of each transaction. This means that the verification code is unique to the phone number, amount and payee combination. This ensures that if the verification code is intercepted or the transaction is mutated the verification will fail.
Each verification code is valid for 10 minutes. Subsequent calls to the API before the code has expired will send the same verification code.
Please note: For some regions, we are unable to return carrier and cellphone data by default. You need to contact our support team to switch on those regions. More information on our support site.
To check if a verification code is correct, pass the code along with the phone number, amount and payee to the API.
In some instances, the details of a transaction may change before it can be completed. When that occurs, you can cancel an in-progress transaction verification by updating the status. This will prevent a user from verifying an out-of-date transaction. Note that transactions that have been successfully verified cannot be canceled.