Alipay+ Docs

(Conditional) Conduct risk control

When certain risks are detected in payment transactions, merchants initiate risk challenges to verify the user's identity. The Mobile Payment Provider (MPP) needs to handle requests such as sending one-time password (OTP) codes and verifying OTP codes to enable merchants to verify the user's identity.

Workflow

The following figure illustrates the risk challenge workflow:

Figure 1. Risk challenge workflow

The risk challenge workflow contains the following steps:

  1. The merchant detects risks and initiates the risk challenge to verify the user's identity (Steps 1-2).
  2. The ACQP forwards the request to Alipay+, and Alipay+ requests the MPP to send an OTP code to the user by calling the sendOTP API with accessToken (Steps 3-4).
  3. The MPP server sends an OTP code to the user and returns verifyRequestId to Alipay+ (Steps 5-6).
  4. After receiving verifyRequestId, the merchant sends a request to the ACQP to verify the OTP code (Steps 7-9).
  5. The ACQP forwards the request to Alipay+, and Alipay+ requests the MPP to verify the OTP code by calling the verifyOTP API (Steps 10-11).
  6. The MPP verifies the OTP code and then returns the verification result (Steps 12-15).

Step 1. Send an OTP code to the user

After receiving the request to verify the user's identity, Alipay+ calls the sendOTP API to request the MPP to send an OTP code to the user. After sending the OTP code, the MPP returns verifyRequestId to Alipay+.

Processing logic

When handling the sendOTP API request, take the following things into consideration:

  • Handle the request properly, especially the following parameters:
    • accessToken: Each access token can be used to request at least 3 OTP codes per day.
  • Ensure the following parameters are configured properly in the response:
    • verifyRequestId: The MPP needs to return verifyRequestId to Alipay+ when OTP sending succeeds.
    • result.resultCode: The following table shows how to set the value of the result.resultCode parameter under different conditions.

| Condition | Value of result.resultCode | Required or not |
|---|---|---|
| The access token is invalid. | INVALID_TOKEN | Recommended |
| The access token is expired. | INVALID_TOKEN/EXPIRED_ACCESS_TOKEN | |
| The number of times the access token is used to request OTP sending exceeds the daily limit. | OTP_SEND_TIMES_EXCEED_LIMIT | |
| The user does not exist. | USER_NOT_EXIST | |
| The user status is abnormal. | USER_STATUS_ABNORMAL | |

Sample

Alipay+ sends a request to the MPP.

{
  "acquirerId": "1022188000000000000",
  "pspId": "1022172000000000000",
  "accessToken": "281010033AB2F588D14B43238637264FCA5A0000"
}

The MPP returns the result to Alipay+.

{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "Success"
  },
  "verifyRequestId": "0b9fc14b1571815309135213911****"
}

More information

For more information about how to handle the sendOTP API request and send the response, see sendOTP.

Step 2. Verify the OTP code

After receiving verifyRequestId, the merchant initiates a request to Alipay+ to verify the OTP code. Alipay+ then calls the verifyOTP API to forward the request to the MPP.

Processing logic

When handling the verifyOTP API request, ensure the following parameters are configured properly in the response:

  • result.resultCode: The following table shows how to set the value of the result.resultCode parameter under different conditions.

| Condition | Value of result.resultCode | Required or not |
|---|---|---|
| The OTP code is invalid. | OTP_VERIFY_UNMATCHED | Recommended |
| The number of times the OTP code is used for verification exceeds the limit. | OTP_VERIFY_TIMES_EXCEED_LIMIT | |

Sample

Alipay+ sends a request to the MPP.

{
  "acquirerId": "1022188000000000000",
  "pspId": "1022172000000000000",
  "accessToken": "281010033AB2F588D14B43238637264FCA5A0000",
  "verifyRequestId": "0b9fc14b15718153091352139110000",
  "otpCode": "660000"
}

The MPP returns the result to Alipay+.

{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "Success"
  }
}

More information

For more information about how to handle the verifyOTP API request and send the response, see verifyOTP.
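
The processing logic for sendOTP and verifyOTP described above, as an added Python example that is not part of the Alipay+ documentation: an in-memory MPP-side handler that maps each condition in the two tables to its result.resultCode. The class and function names, the limits (3 sends per token per day, 3 verification attempts, a 300-second OTP lifetime), the "F" failure status, and the sample tokens are assumptions.

```python
import hmac, secrets
SEND_LIMIT, VERIFY_LIMIT, OTP_TTL = 3, 3, 300   # assumed policy values, not from the page
# Constructed sample token store; "user" is the account status (None = unknown user).
SAMPLE_TOKENS = {"tok-ok": {"expires": 2e9, "user": "ACTIVE"},
                 "tok-old": {"expires": 1.0, "user": "ACTIVE"},
                 "tok-frozen": {"expires": 2e9, "user": "FROZEN"}}

def result(code, **extra):
    status = "S" if code == "SUCCESS" else "F"   # "F" for failures is an assumption
    return {"result": {"resultCode": code, "resultStatus": status}, **extra}

class OtpService:
    def __init__(self, tokens):
        self.tokens = tokens     # accessToken -> {"expires": epoch seconds, "user": status}
        self.sent = {}           # (accessToken, UTC day) -> OTPs sent that day
        self.challenges = {}     # verifyRequestId -> pending challenge
        self.outbox = []         # stand-in for the SMS channel

    def send_otp(self, token, now):
        tok = self.tokens.get(token)
        if tok is None:
            return result("INVALID_TOKEN")
        if tok["expires"] <= now:
            return result("EXPIRED_ACCESS_TOKEN")
        if tok["user"] is None:
            return result("USER_NOT_EXIST")
        if tok["user"] != "ACTIVE":
            return result("USER_STATUS_ABNORMAL")
        key = (token, int(now // 86400))
        if self.sent.get(key, 0) >= SEND_LIMIT:
            return result("OTP_SEND_TIMES_EXCEED_LIMIT")
        self.sent[key] = self.sent.get(key, 0) + 1
        code, req_id = f"{secrets.randbelow(10**6):06d}", secrets.token_hex(16)
        self.challenges[req_id] = {"token": token, "code": code,
                                   "expires": now + OTP_TTL, "attempts": 0}
        self.outbox.append(code)
        return result("SUCCESS", verifyRequestId=req_id)

    def verify_otp(self, token, req_id, otp_code, now):
        ch = self.challenges.get(req_id)
        if ch is None or ch["token"] != token or ch["expires"] <= now:
            return result("OTP_VERIFY_UNMATCHED")
        if ch["attempts"] >= VERIFY_LIMIT:
            return result("OTP_VERIFY_TIMES_EXCEED_LIMIT")
        ch["attempts"] += 1      # count the attempt before comparing, so guesses are bounded
        if not hmac.compare_digest(ch["code"].encode(), str(otp_code).encode()):
            return result("OTP_VERIFY_UNMATCHED")
        del self.challenges[req_id]   # single use: a verified code cannot be replayed
        return result("SUCCESS")
```

Binding each verifyRequestId to the accessToken that requested it and deleting the challenge on success keeps a code from being verified under another token or replayed.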