API overview
MCI Test Facility
Introduction
We've deployed a MCI Test Facility which replicates our production MCI solution. It's made up of a single proxy server and a test environment for each of the supported channels, which enables the following to be tested:
- connectivity - using either your own eIDAS (QWAC) or a test certificate we can provide, you’ll be able to test establishing a connection with our MCI proxy server;
- functionality - using dummy customer credentials to login, you’ll be able to test your screenscraping functionality against the channel you want to access.
At present, the MCI Test Facility supports the following brands:
- United Kingdom - HSBC Kinetic
- France – HSBC Business Banking
This documentation should be read in conjunction with MCI Channel Documentation, which has been produced for each brand and is available on request by sending us a message using the Contact us form found under the Help menu.
MCI Test Facility URLs
The following URLs must be used to access our MCI Test Facility:
| United Kingdom - HSBC Kinetic | https://mci.www.sandbox.hsbckinetic.co.uk |
| France – HSBC Business Banking | https://mci.sandbox.businessclients.hsbc.fr |
These URLs can only be used in the MCI Test Facility and cannot be used to connect to our production MCIs.
Test certificate generation
You can connect to our MCI Test Facilities with either your own QWAC or a test certificate provided by HSBC.
If you previously generated a test certificate on our old developer portal, you can continue to use it with our MCI Test Facilities. Please note, certificates generated on our old portal won’t be accepted by our new API Sandbox.
To generate a new test certificate, open the Dev Hub and create a new project using the guided journey provided. The project creation process will register your app on our API sandbox, but the test QWAC generated can be used to access the MCI Test Facility.
Please note that test certificates are for use in our MCI Test Facility or API Sandbox only and cannot be used to connect to any production interfaces.
Certificate presentation
The certificate must be presented as a part of a two-way HTTPS (SSL/TLS) handshake procedure.
- Initiate a HTTPS session by sending an initial request (Client Hello message) to port 443 of the respective MCI Test Facility URL.
- The MCI Test Facility proxy will reply to the handshake with a request for the certificate issued with a verified Certificate Authority (including Server Certificate and Key Exchange).
- Certificate exchange and key exchange will happen as required by SSL/TLS specifications.
- The certificate will be checked and accepted or rejected based on the certificate information. If you present your QWAC, the checks will replicate those performed in production, and if you present a test certificate, we’ll check that it was generated on our Developer Portal.
The above procedure is a standard TLS 1.2 handshake similar to what is initiated by a client browser during the browsing session.
The following TLS 1.2 ciphers should be used during the handshake procedure to complete the successful certificate exchange:
- ECDHE-RSA-AES256-GCM-SHA512
- DHE-RSA-AES256-GCM-SHA512
- ECDHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
HTTP header
To replicate the production validation process, the following information must be provided in the HTTP header of every request to the MCI Test Facility proxy:
| Header | X-HSBC-SS-User-IP |
| Description | The IP address of the end-user (i.e. the customer) - this header must only pass IPv4 addresses. |
| Example value | 151.227.205.20 |
Authentication
Once a connection has successfully been established, use the dummy login credentials below to login to the test environment of the channel you want to test against.
UK – HSBC Kinetic
| User ID | Credentials |
|---|---|
| user123 | P@ssword |
France – HSBC Business Banking
| TPP Type | User ID | Credentials |
|---|---|---|
| AISP | 00031585400 | OTP - 123547 |
| 00031608625 | Memorable answer - cheval OTP - 123547 |
|
| 00008283491 | Memorable answer - cheval OTP - 123547 |
|
| PISP | 00060177013 | Memorable answer - cheval OTP - 123547 |
| 00077978735 | Memorable answer - cheval OTP - 123547 |
|
| 00008003784 | Memorable answer - cheval OTP - 123547 |
|
| 00010957333 | Memorable answer - cheval OTP - 123547 |
The test customer profile associated with each User ID has different characteristics to support a variety of test scenarios. Full details are available in the channel specific MCI Documentation.
Once you’ve successfully authenticated, you’ll have access to a test environment of the channel you want to test against. The test customer profiles are set up with applicable in-scope products e.g. current account, savings account, credit card. You’ll be able to complete account information and payment initiation journeys based on screens which replicate the production channel.
The MCI Test Facility contains only dummy data for the purposes of testing your app and is not integrated into any downstream or external systems, so whilst payment initiation journeys may complete with confirmation a payment has successfully been initiated, no payment will be executed and the balance of the account may not change.