(Conditional) Conduct risk control
When certain risks are detected in payment transactions, merchants initiate risk challenges to verify the user's identity. The Mobile Payment Provider (MPP) needs to handle requests such as sending one-time password (OTP) codes and verifying OTP codes to enable merchants to verify the user's identity.
Workflow
The following figure illustrates the risk challenge workflow:
Figure 1. Risk challenge workflow
The risk challenge workflow contains the following steps:
- The merchant detects risks and initiates the risk challenge to verify the user's identity (Step 1-2).
- The ACQP forwards the request to Alipay+ and Alipay+ requests the MPP to send an OTP code to the user by calling the sendOTP API with accessToken (Step 3-4).
- The MPP server sends an OTP code to the user and returns verifyRequestId to Alipay+ (Step 5-6).
- After receiving verifyRequestId, the merchant sends a request to the ACQP to verify the OTP code (Step 7-9).
- The ACQP forwards the request to Alipay+ and Alipay+ requests the MPP to verify the OTP code by calling the verifyOTP API (Step 10-11).
- The MPP verifies the OTP code and then returns the verification result (Step 12-15).
Step 1. Send an OTP code to the user
After receiving the request to verify the user's identity, Alipay+ calls the sendOTP API to request the MPP to send an OTP code to the user. After sending the OTP code, the MPP returns verifyRequestId to Alipay+.
Processing logic
When handling the sendOTP API request, take the following into consideration:
- Handle the request properly, especially the following parameter:
  - accessToken: Each access token can be used to request at least 3 OTP codes per day.
- Ensure the following parameters are configured properly in the response:
  - verifyRequestId: The MPP needs to return verifyRequestId to Alipay+ when OTP sending succeeds.
  - result.resultCode: The following table shows how to set the value of the result.resultCode parameter under different conditions.
Condition | Value of result.resultCode | Required or not
The access token is invalid. | | Recommended
The access token is expired. | |
The number of times the access token is used to request OTP sending exceeds the daily limit. | |
The user does not exist. | |
The user status is abnormal. | |
Sample
Alipay+ sends a request to the MPP.
{
  "acquirerId": "1022188000000000000",
  "pspId": "1022172000000000000",
  "accessToken": "281010033AB2F588D14B43238637264FCA5A0000"
}
The MPP returns the result to Alipay+.
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "Success"
  },
  "verifyRequestId": "0b9fc14b1571815309135213911****"
}
More information
For more information about how to handle the sendOTP API request and send the response, see sendOTP.
Step 2. Verify the OTP code
After receiving verifyRequestId, the merchant initiates a request to Alipay+ to verify the OTP code. Alipay+ then calls the verifyOTP API to forward the request to the MPP.
Processing logic
When handling the verifyOTP API request, ensure the following parameter is configured properly in the response:
- result.resultCode: The following table shows how to set the value of the result.resultCode parameter under different conditions.
Condition | Value of result.resultCode | Required or not
The OTP code is invalid. | | Recommended
The number of times the OTP code is used for verification exceeds the limit. | |
Sample
Alipay+ sends a request to the MPP.
{
  "acquirerId": "1022188000000000000",
  "pspId": "1022172000000000000",
  "accessToken": "281010033AB2F588D14B43238637264FCA5A0000",
  "verifyRequestId": "0b9fc14b15718153091352139110000",
  "otpCode": "660000"
}
The MPP returns the result to Alipay+.
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "Success"
  }
}
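As an added example (not Alipay+ code or any MPP's implementation), the following MPP-side handler applies the processing logic of Step 1 and Step 2 above: a per-token daily send limit, a verifyRequestId bound to the access token that requested it, and a one-time code stored only as a digest, compared in constant time and invalidated after a successful verification or after a capped number of attempts. The failure resultCode values, the attempt cap, the token table and the outbox standing in for SMS delivery are constructed assumptions; the page itself gives only the conditions and the SUCCESS response.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data; failure result codes are hypothetical placeholders (page gives conditions only).
VALID_TOKENS = {"TOKEN_A": "user-1"}   # accessToken -> user (constructed)
DAILY_SEND_LIMIT = 3                   # page: at least 3 OTP requests per token per day
MAX_VERIFY_ATTEMPTS = 5                # hypothetical cap on verifyOTP attempts per code

def _res(code, status, **extra):
    return {"result": {"resultCode": code, "resultStatus": status, "resultMessage": code}, **extra}

@dataclass
class MppOtpService:
    sends_today: dict = field(default_factory=dict)  # accessToken -> sends (reset daily)
    pending: dict = field(default_factory=dict)      # verifyRequestId -> pending code record
    outbox: list = field(default_factory=list)       # stands in for the SMS channel

    def send_otp(self, req):
        token = req.get("accessToken")
        if token not in VALID_TOKENS:
            return _res("ACCESS_TOKEN_INVALID", "F")
        if self.sends_today.get(token, 0) >= DAILY_SEND_LIMIT:
            return _res("OTP_SEND_LIMIT_EXCEEDED", "F")
        self.sends_today[token] = self.sends_today.get(token, 0) + 1
        otp = f"{secrets.randbelow(10**6):06d}"         # CSPRNG, fixed 6 digits
        vrid = secrets.token_hex(16)                     # unguessable verifyRequestId
        # Bind the record to the token and store only a digest of the code
        self.pending[vrid] = {"token": token, "attempts": 0,
                              "hash": hashlib.sha256(otp.encode()).digest()}
        self.outbox.append((VALID_TOKENS[token], otp))  # out-of-band delivery to the user
        return _res("SUCCESS", "S", verifyRequestId=vrid)

    def verify_otp(self, req):
        vrid = req.get("verifyRequestId")
        rec = self.pending.get(vrid)
        # Unknown id, or an id issued under a different access token, counts as a bad code
        if rec is None or rec["token"] != req.get("accessToken"):
            return _res("OTP_INVALID", "F")
        rec["attempts"] += 1
        digest = hashlib.sha256(str(req.get("otpCode", "")).encode()).digest()
        if hmac.compare_digest(digest, rec["hash"]):
            del self.pending[vrid]   # one-time: a verified code cannot be replayed
            return _res("SUCCESS", "S")
        if rec["attempts"] >= MAX_VERIFY_ATTEMPTS:
            del self.pending[vrid]   # attempt cap bounds guessing of a 6-digit code
            return _res("OTP_VERIFY_LIMIT_EXCEEDED", "F")
        return _res("OTP_INVALID", "F")
```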
More information
For more information about how to handle the verifyOTP API request and send the response, see verifyOTP.