---
title: Money transfer journey
description: The Ping Identity Marketplace includes a prebuilt money transfer journey. The journey provides secure financial transactions by applying dynamic, context-aware multi-factor authentication (MFA). By evaluating the risk of each money transfer in real time, the journey can step up security when needed, preventing fraud while maintaining a smooth user experience.
component: pingoneaic
page_id: pingoneaic:journeys:solution-money-transfer-journey
canonical_url: https://docs.pingidentity.com/pingoneaic/journeys/solution-money-transfer-journey.html
keywords: ["Authentication", "Journeys"]
section_ids:
  about-money-transfer-journey: About the money transfer journey
  money-transfer-use-case: Example use case
  money-transfer-components: Journey components
  money-transfer-before-begin: Before you begin
  money-transfer-task1: "Task 1: Prepare your tenant environment"
  money-transfer-custom-attributes: Add custom attributes to the alpha_user managed object
  money-transfer-optional_set_an_esv_variable: (Optional) Set an ESV variable for PingOne Protect analysis
  money-transfer-create-email-templates: Create the email templates
  task_2_create_a_pingone_authorize_policy: "Task 2: Create a PingOne Authorize policy"
  define_the_amount_attribute: Define the amount attribute
  create_the_payment_check_policy: Create the payment check policy
  money-transfer-download-import-journey: "Task 3: Download and import the journey"
  download_the_journey: Download the journey
  import_the_journey: Import the journey
  configure-money-transfer-journey: "Task 4: Configure the journey components"
  configure-money-transfer-main-journey: Configure the money transfer main journey
  review-set-initialize-variables: Review and set the initialize variables
  configure-money-transfer-url: Configure the money transfer URL
  set-journey-for-all-users: Set the journey to run for all users regardless of current session
  configure-money-transfer-threat-detection-inner-journey: Configure the Threat Detection - Inner Journey
  configure-money-transfer-inner-journey: Configure the Money Transfer - Inner Journey
  configure-money-transfer-mfa-auth-inner-journey: Configure the MFA Authentication - Inner Journey
  money-transfer-validation: "Task 5: Validate the journey"
  money-transfer-validation-low-risk: Test a low-risk transfer
  money-transfer-validation-high-risk: Test a higher-risk transfer
  money-transfer-journey-best-practices: Best practices
---

# Money transfer journey

The Ping Identity Marketplace includes a prebuilt [money transfer journey](https://marketplace.pingone.com/item/money-transfer-aic-journey-template). The journey provides secure financial transactions by applying dynamic, context-aware multi-factor authentication (MFA). By evaluating the risk of each money transfer in real time, the journey can step up security when needed, preventing fraud while maintaining a smooth user experience.

The journey is intended as a template. Review and adapt it to meet your organization's specific security policies and business requirements before deploying to a production environment.

**Journey download**

| Journey name   | Version | Download                                                                                              |
| -------------- | ------- | ----------------------------------------------------------------------------------------------------- |
| Money transfer | 1.0     | [Download from Marketplace](https://marketplace.pingone.com/item/money-transfer-aic-journey-template) |

## About the money transfer journey

This solution uses a main journey and inner journeys to evaluate the risk level of a user's sign-on attempt. Authenticated users can make secure money transfers between their savings and checking accounts.

### Example use case

A bank wants to secure money transfer transactions and prevent fraud without creating unnecessary friction for customers. To do this, they want a journey that provides adaptive security by evaluating risk signals in real time across various end-user actions, from sign-on to financial transactions. The solution would allow routine, low-value money transfers from a known device to proceed seamlessly, while automatically triggering MFA for high-value transfers or suspicious activity to verify the user's identity.

### Journey components

The money transfer journey includes one main journey and four inner journeys.

| Journey                                                 | Description                                                                                                                                             | Configuration required? |
| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| **Money Transfer - Main Journey**                       | Orchestrates a secure money transfer by managing user authentication, performing risk analysis, and stepping up security when necessary.                | Yes                     |
| **Money Transfer - Threat Detection - Inner Journey**   | Performs real-time threat detection using PingOne Protect to assess session risk.                                                                       | Yes                     |
| **Money Transfer - Inner Journey**                      | Manages the money transfer process for an authenticated user.                                                                                           | Yes                     |
| **Money Transfer - MFA Authentication - Inner Journey** | Orchestrates the MFA process. It prompts the user to select an MFA method (such as OTP, push, or WebAuthn) and handles the subsequent verification flow. | Yes                     |
| **Money Transfer SignOn - Inner Journey**               | Manages the initial user sign-on, including credential validation, email verification, and security checks.                                             | No                      |

> **Collapse: Show details (Money Transfer - Main Journey)**
>
> This journey starts by checking if the user has an active session. If not, it directs them through a sign-on process by calling the **Money Transfer SignOn - Inner Journey**. It then identifies the user and confirms their account is active.
>
> The journey then performs the following steps:
>
> * **Threat detection**: Calls the **Money Transfer - Threat Detection - Inner Journey** to evaluate the real-time risk of the sign-on attempt using PingOne Protect.
>
>   The threat detection journey sets the authentication level based on the detected risk level. A medium to high risk level increases the authentication level.
>
> * **Authentication step-up**: The **Auth Level Decision** node evaluates the user's current authentication level. A higher authentication level is interpreted as higher risk for subsequent steps, which triggers MFA.
>
>   Switching the True and False outputs of the Auth Level Decision node means a higher current authentication level is interpreted as lower risk, and MFA won't be triggered. This isn't recommended for this journey.
>
> * **Money transfer**: After all security checks are successfully passed, the journey proceeds to the core money transfer process by calling the **Money Transfer - Inner Journey**.
>
> * **Finalization**: The journey concludes by logging the success or failure of the PingOne Protect evaluation.

> **Collapse: Show details (Money Transfer - Threat Detection - Inner Journey)**
>
> Gathers behavioral data from the user's session and determines a risk level. Depending on the assessed risk, the journey takes different paths:
>
> * **Low risk**: The journey proceeds, but also checks for indicators such as a new device or other suspicious parameters.
>
> * **Medium to high risk**: Increases the required authentication level, asking for stronger user verification before continuing.
>
> * **Specific threats** (for example, bots or man-in-the-middle): Checks if the user's account is active. If it is, the account is disabled, and an alert email is sent to the user.
>
> * **Failure**: If any part of the risk evaluation fails, the journey logs the failure and terminates.

> **Collapse: Show details (Money Transfer - Inner Journey)**
>
> The journey starts by identifying the user. After successful identification, the user can proceed to enter the details of the money transfer.
>
> The journey validates the input using the [PingOne Authorize node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-authorize.html) to assess the transaction risk.
>
> * If the transaction is permitted (low risk), the journey checks if the user has a sufficient balance, updates the balance, and displays a success message.
>
> * If the transaction requires approval (higher risk), an approval email is sent to the user. After the user approves the transfer through the email link, the journey proceeds as if it were a permitted transaction.
>
> * If the transaction is denied, the user is shown a transfer failed page.
>
> The journey includes paths to handle various errors, such as invalid input or insufficient balance, which typically redirect the user back to the transfer page to make corrections.

> **Collapse: Show details (Money Transfer - MFA Authentication - Inner Journey)**
>
> The journey starts by identifying an existing user and then prompts them to select an authentication method.
>
> The journey proceeds with one of the following MFA flows:
>
> * **Email**: Generates a one-time passcode (OTP) and sends it to the user's email address for verification.
>
> * **SMS / Voice**: Uses Twilio to send a verification code to the user's registered phone number through SMS or a voice call.
>
> * **FIDO2** (WebAuthn): Initiates authentication using a security key or biometrics.
>
> * **OATH**: Asks the user to enter a verification code from an authenticator app.
>
> * **Push**: Sends a push notification to a registered device for approval.
>
> * **Magic Link**: Emails a unique link that the user clicks to sign on.
>
> For most methods, if the user fails to authenticate, they're given a limited number of retry attempts before the journey fails. The journey also includes paths for users to authenticate using a recovery code if other methods are unavailable.

> **Collapse: Show details (Money Transfer SignOn - Inner Journey)**
>
> The journey performs the following checks:
>
> * **Threat analysis**: Determines if a threat analysis is required. If so, it initiates PingOne Protect for risk evaluation by calling the **Money Transfer - Threat Detection - Inner Journey**.
>
>   The threat detection journey sets the authentication level based on the detected risk level. A medium to high risk level increases the authentication level.
>
> * **User authentication**: Presents a sign-on page for the user to enter their username and password.
>
> * **Account status check**: Checks if the user's email address has been verified. If not, it sends an email with a link to complete the verification before allowing the user to proceed.
>
> * **Authentication step-up**: The **Auth Level Decision** node evaluates the user's current authentication level. A higher authentication level is interpreted as higher risk for subsequent steps, which triggers MFA.
>
>   Switching the True and False outputs of the Auth Level Decision node means a higher current authentication level is interpreted as lower risk, and MFA won't be triggered. This isn't recommended for this journey.
>
> * **Accept terms and conditions**: Checks if the user has accepted the latest terms and conditions. If they haven't, they're prompted to accept them.
>
> After all checks complete successfully, the journey concludes, and the user is granted access.

> **Collapse: Show the Money Transfer journey (main journey)**
>
> ![Money transfer main journey](_images/money-transfer-sample/sample-money-transfer-journey.png)
>
> * **a**: A [Scripted Decision node](https://docs.pingidentity.com/auth-node-ref/latest/scripted-decision.html) containing the initialize variables used in the authentication flow.
>
> * **b**: The first call to the PingOne Protect **Money Transfer - Threat Detection - Inner Journey**.
>
> * **c**: The second call to the PingOne Protect **Money Transfer - Threat Detection - Inner Journey** for risk evaluation.
>
> * **d**: A call to the **Money Transfer - MFA Authentication - Inner Journey**.
>
> * **e**: A call to the **Money Transfer SignOn - Inner Journey**.

## Before you begin

To implement the sample money transfer journey, you must have these prerequisites:

* Tenant administrator access to your Advanced Identity Cloud development environment.

* For PingOne Protect:

  * PingOne Protect enabled in your PingOne environment. Learn more in [Getting started with PingOne Protect](https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_getting_started.html).

  * PingOne Protect integrated with Advanced Identity Cloud. Learn more in [Use PingOne Protect for risk-based authentication and fraud detection](../integrations/pingone-protect.html).

* For PingOne Authorize:

  * PingOne Authorize enabled in your PingOne environment. Learn more in [Getting started with PingOne Authorize](https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_getting_started.html).

  * Your PingOne Authorize [decision endpoint](https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_decision_endpoints.html).

* Your PingOne Worker Service ID. Learn more in [Set up PingOne workers and configure them as Advanced Identity Cloud services](../integrations/pingone-set-up-workers.html).

  |   |                                                                                                                                                                                       |
  | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | The worker application associated with the PingOne Worker Service must be granted the necessary permissions to interact with both the PingOne Protect and PingOne Authorize services. |

* For MFA:

  * An SMTP email server. Required for email-based MFA.

  * If you're using Twilio for phone-based MFA, a Twilio account with access to [Twilio Verify](https://www.twilio.com).

* A test user in your Alpha realm with a registered email address. It's also useful to have other MFA methods configured for testing.

* A basic understanding of [journeys](journeys.html) and the [Scripted Decision node](https://docs.pingidentity.com/auth-node-ref/latest/scripted-decision.html).

## Task 1: Prepare your tenant environment

To get the journey working, you must first perform some setup tasks in your Advanced Identity Cloud tenant environment.

### Add custom attributes to the `alpha_user` managed object

Several additional user attributes are required by the money transfer journey.

Add the following custom attributes to the `alpha_user` managed object. Learn more in [Customize user identities using custom attributes](../identities/identity-cloud-identity-schema.html#create-custom-attributes).

When adding new attributes, use the advanced options to specify view and edit permissions:

* User Editable: Select this option if you want end users to be able to edit the property value in their profile.

* Viewable: Clear this option to hide the property from the user's profile. However, this hides the property from both end users and tenant administrators.

| Name                          | Label                            | Type   | Description                                                                                                                                         |
| ----------------------------- | -------------------------------- | ------ | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| `custom_emailVerified`        | `Email verified`                 | String | Confirms the user has verified their email address.                                                                                                 |
| `custom_protectActivityCity`  | `PingOne Protect activity city`  | String | The city from which the user attempts to authenticate. This attribute is used in the `Account Disabled` and `Suspicious Activity` email templates.  |
| `custom_protectActivityState` | `PingOne Protect activity state` | String | The state from which the user attempts to authenticate. This attribute is used in the `Account Disabled` and `Suspicious Activity` email templates. |
| `custom_protectDeviceOS`      | `PingOne Protect device OS`      | String | The OS of the device from which the user attempts to authenticate.                                                                                  |
| `custom_mfaDevices`           | `MFA devices`                    | Array  | Stores the user's registered MFA devices.                                                                                                           |
| `custom_latestMFADevice`      | `Latest used MFA device`         | String | The most recently used registered MFA device.                                                                                                       |
| `custom_savingsBalance`       | `Latest savings balance`         | Number | The user's savings account balance after money transfer.                                                                                            |
| `custom_checkingBalance`      | `Latest checking balance`        | Number | The user's checking account balance after money transfer.                                                                                           |
| `custom_currency`             | `Custom currency`                | String | The user's preferred currency. Select User Editable to allow end users to change this value.                                                        |

### (Optional) Set an ESV variable for PingOne Protect analysis

The **Prerequisites & Init Variables** node in the parent journey contains a script that uses the `protectAnalysisRequired` variable to determine if PingOne Protect analysis is enabled. By default, this variable is set to `true` in the script. To override this variable and control how PingOne Protect analysis is performed in different environments, you can set an [Environment Secret & Variable (ESV)](../tenants/esvs.html) variable.

1. In the Advanced Identity Cloud admin console, go to Tenant Settings > Global Settings > Environment Secrets & Variables.

2. On the Variables tab, click + Add Variable.

3. In the Add a Variable modal, enter the following information:

   |                        |                                     |
   | ---------------------- | ----------------------------------- |
   | Name                   | `p1-protect-analysis-required`      |
   | Type                   | `string`                            |
   | Description (optional) | `PingOne Protect analysis required` |
   | Value                  | `true`                              |

4. Click Save to create the variable.

5. Restart Advanced Identity Cloud services by [applying updates in the Advanced Identity Cloud admin console](../tenants/esvs-manage-ui.html#apply_updates).

### Create the email templates

You'll need to create the following email templates, which are used by **Scripted Decision** nodes to send emails at various points in the money transfer journey.

| Email template         | Description                                                                              | Example email body                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| ---------------------- | ---------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **accountDisabled**    | Email sent when PingOne Protect detects critical risk associated with the account.       | > **Collapse: Show example**
>
> ```html
> <div style="display:block;width:400px;margin:0 auto;font-family:sans-serif;border:1px solid #c5c5c5;padding:30px 20px;text-align:center">
> <img src="https://assets.pingone.com/ux/ui-library/5.0.2/images/logo-pingidentity.png" alt="Company Logo" style="height:65px;margin-bottom:10px" />
> <div style="display:block">
> <div style="display:inline-block;width:40px;height:40px;border-radius:50%;background-color:red;color:white;font-size:24px;line-height:40px;text-align:center">!</div>
> <h2 style="margin-top:10px;margin-bottom:10px">Sign-in Attempt was blocked</h2>
> <p>{{object.mail}}</p>
> <hr style="width:100%;margin-top:20px;margin-bottom:25px;border:none;border-top:1px solid #c5c5c5" />
> </div>
> <div style="text-align:left">
> <p id="alertText">Someone just attempted to sign onto your account nearby {{object.custom_protectActivityCity}}, {{object.custom_protectActivityState}}. We have disabled the account for your security. If this was you, please contact support.</p>
> <p>Thanks,
>       <br />The ${Brand Name} team
>     </p>
>   </div>
> </div>
> ```                                         |
| **newDeviceDetected**  | Email sent when PingOne Protect detects a sign-on from a new device.                     | > **Collapse: Show example**
>
> ```html
> <div style="display:block;width:400px;margin:0 auto;font-family:sans-serif;border:1px solid #c5c5c5;padding:30px 20px;text-align:center">
>   <img src="https://assets.pingone.com/ux/ui-library/5.0.2/images/logo-pingidentity.png" alt="Company Logo" style="height:65px;margin-bottom:10px" />
>   <div style="display:block">
>     <div style="display:inline-block;width:40px;height:40px;border-radius:50%;background-color:red;color:white;font-size:24px;line-height:40px;text-align:center">!</div>
>     <h2 style="margin-top:10px;margin-bottom:10px">Sign-in attempt detected</h2>
>     <p>{{object.mail}}</p>
>     <hr style="width:100%;margin-top:20px;margin-bottom:25px;border:none;border-top:1px solid #c5c5c5" />
>   </div>
>   <div style="text-align:left">
>     <p id="alertText">Someone just attempted to sign onto your account nearby {{object.custom_protectActivityCity}}, {{object.custom_protectActivityState}}. If this was not you, please consider resetting your password or contact support. Otherwise, ignore.</p>
>     <p>Thanks,
>       <br />The ${Brand Name} team
>     </p>
>   </div>
> </div>
> ``` |
| **suspiciousActivity** | Email sent when PingOne Protect detects suspicious activity associated with the account. | > **Collapse: Show example**
>
> ```html
> <div style="display:block;width:400px;margin:0 auto;font-family:sans-serif;border:1px solid #c5c5c5;padding:30px 20px;text-align:center">
>   <img src="https://assets.pingone.com/ux/ui-library/5.0.2/images/logo-pingidentity.png" alt="Company Logo" style="height:65px;margin-bottom:10px" />
>   <div style="display:block">
>     <div style="display:inline-block;width:40px;height:40px;border-radius:50%;background-color:red;color:white;font-size:24px;line-height:40px;text-align:center">!</div>
>     <h2 style="margin-top:10px;margin-bottom:10px">Sign-in attempt detected</h2>
>     <p>{{object.mail}}</p>
>     <hr style="width:100%;margin-top:20px;margin-bottom:25px;border:none;border-top:1px solid #c5c5c5" />
>   </div>
>   <div style="text-align:left">
>     <p id="alertText">Someone just attempted to sign onto your account nearby {{object.custom_protectActivityCity}}, {{object.custom_protectActivityState}}. If this was not you, please consider resetting your password or contact support. Otherwise, ignore.</p>
>     <p>Thanks,
>       <br />The ${Brand Name} team
>     </p>
>   </div>
> </div>
> ``` |
| **welcome**            | Email sent when a new user account is created.                                           | > **Collapse: Show example**
>
> ```html
> <html>
>   <head></head>
>   <body style="background-color: #324054; color: #5e6d82; padding: 60px; text-align: center;">
>     <p>Welcome. Your username is '{{object.userName}}'.</p>
>   </body>
> </html>
> ```                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| **otp**                | Email containing the user's one-time passcode (OTP).                                     | > **Collapse: Show example**
>
> ```html
> <html>
>   <head></head>
>   <body style="background-color: #324054; color: #455469; padding: 60px; text-align: center;">
>     <div class="content" style="background-color: #fff; border-radius: 4px; margin: 0 auto; padding: 48px; width: 235px;">
>       <p>
>         <img src="https://www.pingidentity.com/content/dam/picr/nav/Ping-Logo-2.svg" alt="Ping Identity logo">
>         </p>
>         <p>Hi {{object.givenName}}</p>
>         <p>Here is your One Time Password. Please enter it into the login browser window:</p>
>         <h1 id="objectotp">{{object.otp}}</h1>
>         <p>PingOne Advanced Identity Cloud</p>
>       </div>
>     </body>
>   </html>
> ``` |

Learn more about creating email templates in [Email templates](../tenants/email-templates.html).

## Task 2: Create a PingOne Authorize policy

To perform risk-based authorization for transfers, you'll need to create an authorization policy in PingOne Authorize. This policy evaluates a payment's amount against the user's transaction limits.

### Define the `amount` attribute

1. In the PingOne admin console, go to Authorization > Trust Framework.

2. On the Attributes tab, click + Add new Attribute and configure it as follows.

   | Attribute name | Value type |
   | -------------- | ---------- |
   | `amount`       | `Number`   |

3. Click Save Changes.

### Create the payment check policy

1. In the PingOne admin console, go to Authorization > Policies.

2. Click the Plus icon and select Add Policy.

3. In the Name field, enter `Payment checks`.

4. Add the following rules to the policy in order.

   Rule 1: Deny payments over the threshold

   * Name: `Deny payments over 10,000`

   * Applies When: `amount` `Greater Than` `10000`

   * Effect: `Deny`

   Rule 2: Permit payments under the threshold

   * Name: `Permit payment less than 1,000`

   * Applies When: `amount` `Less Than` `1000`

   * Effect: `Permit`

   Rule 3: Require approval between thresholds

   * Name: `Payments more than 1,000 but less than 10,000`

   * Applies When:

     * `amount` `Greater Than Or Equal` `1000`

     * `amount` `Less Than Or Equal` `10000`

   * Effect: `Permit`

   * Statements: Add a statement with the following values:

     * Name: `Approval required when amount is in this range`

     * Code: `APPROVAL_REQ`

5. Click **Save Changes**.
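The three rules above, modeled locally so that each threshold can be probed from both sides before you test in the tenant. This is an added example, not code from the journey or from PingOne Authorize; `isValidAmount`, `evaluatePayment`, `boundaryReport` and the `REJECT_INPUT` outcome are hypothetical names, and the input check is an assumption about what the calling application does.

```javascript
// Local model of the "Payment checks" rules. Rule names, conditions and the
// statement code are copied from the steps above; everything else is illustrative.
const RULES = [
  { name: "Deny payments over 10,000", effect: "Deny",
    applies: (a) => a > 10000 },
  { name: "Permit payment less than 1,000", effect: "Permit",
    applies: (a) => a < 1000 },
  { name: "Payments more than 1,000 but less than 10,000", effect: "Permit",
    statement: "APPROVAL_REQ",
    applies: (a) => a >= 1000 && a <= 10000 },
];

// Assumption: the caller validates the amount before requesting a decision.
// Rule 2 has no lower bound, so zero and negative numbers satisfy
// `Less Than 1000` unless they are rejected first.
function isValidAmount(amount) {
  return typeof amount === "number" && Number.isFinite(amount) && amount > 0;
}

// Returns the outcome for one amount. Throws when no rule or more than one
// rule matches, because the decision would then depend on the policy's
// combining algorithm rather than on the thresholds alone.
function evaluatePayment(amount) {
  if (!isValidAmount(amount)) return { outcome: "REJECT_INPUT", rule: null };
  const matched = RULES.filter((r) => r.applies(amount));
  if (matched.length !== 1) {
    throw new Error(`${matched.length} rules match amount ${amount}`);
  }
  const [rule] = matched;
  if (rule.effect === "Deny") return { outcome: "DENY", rule: rule.name };
  const outcome = rule.statement === "APPROVAL_REQ" ? "APPROVAL_REQUIRED" : "PERMIT";
  return { outcome, rule: rule.name };
}

// Constructed probe values on each side of both thresholds.
function boundaryReport() {
  const probes = [0.01, 100, 999.99, 1000, 5000, 10000, 10000.01];
  return probes.map((a) => [a, evaluatePayment(a).outcome]);
}

console.log(boundaryReport());
```

Both `1000` and `10000` land in the approval band because Rule 3 uses inclusive comparisons, even though its name reads "more than" and "less than".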

## Task 3: Download and import the journey

### Download the journey

1. Go to [Money Transfer journey](https://marketplace.pingone.com/item/money-transfer-aic-journey-template) on the Ping Identity Marketplace.

2. Click Download Integration to download the `Money Transfer - Main Journey.json` file. This JSON file contains the parent journey and inner journeys, scripts, and email templates required for the authentication flow.

### Import the journey

1. In the Advanced Identity Cloud admin console, go to Journeys, and click Import.

2. Click either Download Backup or Skip Backup. Learn more in [Import journeys](journeys.html#import-journeys).

3. On the Import Journeys page, browse to and select `Money Transfer - Main Journey.json`.

4. Select Alpha realm users because the journey is configured for the alpha realm.

5. In the Conflict Resolution section, choose how the system resolves import conflicts:

   * Overwrite all conflicts (default)

   * Manually pick conflict resolution

6. Click Next.

7. Click Start Import.

8. On the Import Complete page, click Done.

9. On the left panel of the Journeys page, click Money Transfer (5) to view the money transfer journeys and inner journeys.

## Task 4: Configure the journey components

### Configure the money transfer main journey

1. On the Journeys page, click Money Transfer - Main Journey and click Edit.

2. In the journey editor, configure the journey as follows:

   * [Review and set the initialize variables](#review-set-initialize-variables)

   * [Configure the money transfer URL](#configure-money-transfer-url)

   * [Set the journey to run for all users regardless of current session](#set-journey-for-all-users)

3. Click Save.

To save your progress, periodically click Save in the top right of the journey editor. If you don't save, you'll lose your work if the page reloads or if you lose your network connection.

#### Review and set the initialize variables

The **Money Transfer - Main Journey** includes a [Scripted Decision node](https://docs.pingidentity.com/auth-node-ref/latest/scripted-decision.html) that initializes the variables used later in the authentication flow. This script lets you:

* Set the allowed MFA types: `FIDO2`, `OATH`, `PUSH`, `EMAIL`, `SMS`, `VOICE`.

* Enable or disable PingOne Protect analysis.

* Enable or disable [magic link](../am-authentication/suspended-auth.html).

To review and set the initialization variables:

1. Click the Prerequisites & Init Variables node.

2. In the Script field, click the Pencil icon to open the `Money Transfer - Initialize Variables` script.

3. Review the script and make changes if needed.

4. Click Save and Close.

You don't need to update the values in the Script Outputs field of the Prerequisites & Init Variables node.

#### Configure the money transfer URL

1. Click the Redirect To Money Transfer (Success URL) node.

2. Enter the preview URL of the Money Transfer Inner Journey. For example, `https://<tenant-env-fqdn>/am/XUI/?realm=alpha&authIndexType=service&authIndexValue=MoneyTransfer-InnerJourney`.

3. Click Save.

#### Set the journey to run for all users regardless of current session

1. In the upper right of the journey editor, click the Ellipsis icon and select Edit Details.

2. Select Run journey for all users regardless of current session.

3. Click Save.

### Configure the Threat Detection - Inner Journey

1. On the Journeys page, click Money Transfer - Threat Detection - Inner Journey and click Edit.

2. In the journey editor, configure the journey as follows:

   1. Click the PingOne Protect Initialize node.

   2. In the PingOne Worker Service ID field, select the ID of the PingOne Worker Service for connecting to PingOne. Learn more in [PingOne Protect Initialize node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-initialize.html).

   3. Click the Auth: PingOne Protect Evaluation node and enter the following:

      * PingOne Worker Service ID: Select the ID of the PingOne Worker Service for connecting to PingOne.

      * (Optional) Risk Policy Set ID: Enter the ID of the [risk policy](https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_risk_policies.html) in PingOne. Learn more in [PingOne Protect Evaluation node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-evaluation.html).

   4. Click the Reg: PingOne Protect Evaluation node and enter the following:

      * PingOne Worker Service ID: Enter the ID of the PingOne Worker Service for connecting to PingOne.

      * (Optional) Risk Policy Set ID: Enter the ID of the [risk policy](https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_risk_policies.html) in PingOne. Learn more in [PingOne Protect Result node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-protect-result.html).

3. Click Save.

### Configure the Money Transfer - Inner Journey

1. On the Journeys page, click Money Transfer - Inner Journey and click Edit.

2. In the journey editor, configure the journey as follows:

   1. Click the PingOne Authorize node and enter the following:

      * PingOne Worker Service ID: Select the ID of the PingOne Worker Service for connecting to PingOne.

      * Decision Endpoint ID: Enter the decision endpoint ID from the service in PingOne Authorize.

      * attributelist: Enter `amount`.

      * Statement Codes: Enter `APPROVAL_REQ`.

   Learn more about the [PingOne Authorize node](https://docs.pingidentity.com/auth-node-ref/latest/pingone/pingone-authorize.html).

3. Click Save.

### Configure the MFA Authentication - Inner Journey

This configuration is required if `SMS` or `VOICE` is included in the `allowedMFATypes` array in the `Money Transfer - Initialize Variables` script in the [Prerequisites & Init Variables](#money-transfer-optional_set_an_esv_variable) node in the parent journey.

1. On the Journeys page, click MFA Authentication - Inner Journey and click Edit.

2. In the journey editor, update the required fields in the following nodes:

   * [Twilio Verify Lookup node](https://docs.pingidentity.com/auth-node-ref/latest/cloud/twilio-verify-lookup.html)

   * [Twilio Verify Sender node](https://docs.pingidentity.com/auth-node-ref/latest/cloud/auth-node-twilio-verify-sender.html)

3. Click Save.

## Task 5: Validate the journey

After configuring the journey, validate the different paths to ensure the risk-based security policies work as expected. The following steps demonstrate a low-risk transfer and a higher-risk transfer that requires approval.

To trigger different risk evaluations, you may need to adjust your [risk policies in PingOne Protect](https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_risk_policies.html) for sign-on, or your PingOne Authorize policies for the transaction itself. You can also simulate higher risk by signing in from a new device or a VPN.

Before you begin, ensure you have a test user in the `alpha` realm with a starting balance. For example, set the `custom_savingsBalance` attribute to `10000`.

### Test a low-risk transfer

This test validates the user experience when a transfer is evaluated as low risk.

1. In the Advanced Identity Cloud admin console, go to Journeys.

2. Click Money Transfer - Main Journey.

3. In the Preview URL field, click the copy icon and paste the URL into an incognito browser window.

   The Advanced Identity Cloud end-user UI displays the Sign In screen.

4. Enter the test user's username and password and click Next.

   Because the sign-on is evaluated as low risk, the user is authenticated and redirected to the Money Transfer page.

   ![Make a transfer](_images/money-transfer-sample/make-a-transfer.png)

5. Enter a small amount (for example, `100`) and click Make Transfer.

   ![Make a transfer](_images/money-transfer-sample/successful-transfer.png)

   **Expected result**: The transfer is successful. The page confirms the transaction was completed, and the user's account balance is updated.

### Test a higher-risk transfer

This test validates that the journey requires additional user approval for a transfer that the PingOne Authorize policy evaluates as higher risk.

1. If you're not already signed on, follow steps 1 - 4 in [Test a low-risk transfer](#money-transfer-validation-low-risk) to sign on as your test user.

2. Enter a large amount that exceeds your policy's approval threshold (for example, `5000`).

3. Click Make Transfer.

   **Expected result**: An email is sent to the user asking for approval. After the transfer is approved using the link in the email, the transaction is processed. This confirms that the step-up approval path is triggered for higher-risk transactions.

## Best practices

This sample journey provides a strong foundation for a money transfer journey. When preparing to use it in a production environment, consider the following best practices:

* **Treat as a template**: Remember that this is a sample journey. Always adapt and harden it to meet your specific security policies and business requirements before deploying to production.

* **Use ESVs**: Avoid hardcoding sensitive information like API keys and IDs directly in your journey scripts. Use [ESVs](../tenants/esvs.html) to manage these values securely.

* **Test extensively**: Validate all possible user paths, including low, medium, and high-risk scenarios, as well as different MFA registration and authentication flows. Ensure the user experience is smooth and the security responses are correct for each case.

* **Review PingOne Protect policies**: Fine-tune your [risk policies in PingOne Protect](https://docs.pingidentity.com/pingone/threat_protection_using_pingone_protect/p1_protect_risk_policies.html) to align with your organization's risk tolerance.
