EMV® Three-Domain Secure (3DS) is a messaging protocol developed by EMVCo (Europay, Mastercard, Visa and some other card schemes) to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorised CNP transactions and protects the merchant from CNP exposure to fraud.

3DSecure v2.1

Payment Network Status Codes

VISA v2.0


Transaction Status	ECI	Authentication Value	Description
Y	05	Present	Authentication Successful
A	06	Present	Attempts Processing Performed
I	07	Present	Informational Only; 3DS Requestor challenge preference acknowledged
N	07	None	Authentication Failed; Not Authenticated; Transaction Denied
U	07	None	Authentication Could Not Be Performed; Technical or Other Problem
C	07	None	Challenge Required to authenticate the cardholder
R	07	None	Authentication Rejected

How to proceed based on the status received

📘
How to proceed based on the status received",
Y, N, U, or A, the merchant can proceed to authorization using the ECI value and CAVV (CAVV is only applicable for Y or A) provided by the Issuer ACS/Attempts Server.
R, it is not recommended to proceed to authorization.
C, the frictionless flow transitions to the Challenge flow.

Mastercard ECI

The Electronic Commerce Indicator is provided by the ACS (the credit card's bank, or a partner of the bank) that indicates the 3DS authentication results.

The value of the ECI determines the liability shift - the burden of fraudulent chargebacks shifts from you to the card issuer.

Below are possible ECI values, and if they shift liability or not:

Liability Shift Conditions


ECI	ECI for MasterCard	Description	Result
5	2	This value indicates the cardholder wasauthenticatedby the issuer with the cardholders identity information	Liability Shift
6	1	This value means that the merchantattemptedto authenticate the cardholder, but either the cardholder or issuer was not participating	Liability Shift
7	0	This value is returned when the payment transaction is conducted over a secure channel, but payment authentication is not performed	No Liability Shift

3DSecure v1.0

3D Secure Transaction Flow

The 3D Secure process involves a number of steps which are summarized below:

Verify if the cardholder's card is enrolled in 3D Secure

If enrolled, redirect the cardholder to their bank's Access Control Server (ACS) to enter their passphrase
If NOT enrolled and their card type is Visa or MasterCard, proceed directly to pull transaction authorization
If NOT enrolled and their card type is American Express, do not proceed to pull transaction

Take the response values from the ACS and send back to Pungle to be verified
Based on Authentication result and if chargeback protection applies, continue on to Pull Transaction

Create 3D Secure Authentication

The first step is to verify if the customer's card supports 3D Secure.

Send a Request to create a 3D Secure Authentication

POST /api/v1/transactions/pull/3D-Secure

Body:

{
  "currency": "CAD",
  "amount": 1000,
  "financial_account": "visa_2_pctk_co_h_l8xKdiHbUPatyRUUAsC360C81FD1D873551"
}

The following response will be returned

{
  data: {
    "url": "https://pit.3dsecure.net/VbVTestSuiteService/pit1/acsService/paReq?summary=YzZhZDFkYzMtYTI0My00NzQzLWI5ZjUtZjE0MWM4YjA3ZmM1",
    "status": "cardholder_enrolled",
    "pareq": "eJxVUU1vwjAMve9XVL1OI20pUJAbVL7GJsHQBtJ2zFIXOmha0nSw/folUMaWQ+RnW+/Zz9A/ZjvrE2WZ5iK03YZjWyh4HqdiHdqr5eQusPv0BpYbiTh6QV5JpDDDsmRrtNI4tFnQxqTdese41fH1302QB53ATzqBw4N2YlNYRM+4p1CrUC3S8IBcoGaTfMOEosD4fvAwp37Hd7sBkBpChvJhRLv1A3LGIFiGtKjEeodATgB4Xgklv6jr+UAuACq5oxulih4hh8OhobBUDZ5nQEwByFV/UZmo1ETHNKbFZMpG1Yp/J83b7jCJmHp7XE+T/VZsQyCmA2KmkHqOG7ie61ue13P8nqt3O+WBZWYCs6+jlzkDKIxGVFdM4W8CtL9S+3/Z4IIAj0UuUHdo8t8YyHXg4dTYx5U2ZppOluNqvL3/WL3KpjuvssHsKQpDY+ipwbCl2hg9uHOiMwCIoSD1rUh9Yh39O/0P8W24mw==",
    "id": "2631b12d-2494-4454-8ca7-0d1e0afdc035",
    "chargeback_protection_available": false    
  }
}

The response will provide a status as to whether the cardholder is enrolled in 3D Secure, and whether chargeback protection applies at this point.
The status field can contain one of the following values:


Status	Description
cardholder_enrolled	The card is enrolled in 3D Secure and you should continue with 3D Secure flow; chargeback protection applies
cardholder_not_enrolled	The card is not enrolled in 3D Secure and you should continue to Pull transaction authorization; chargeback protection applies
unable_to_verify_enrollment	Unable to verify if the card is enrolled in 3D Secure; chargeback protection doesn't apply
verify_enrollment_failed	Failure to verify if the card is enrolled in 3D Secure

The response will also contain a value chargeback_protection_available that you can use to determine if charge back_protection is available at this point.

If the status is cardholder_not_enrolled then chargeback protection applies and you are able to proceed to the Pull transaction at this point.

Note: Transaction is not eligible for chargebacks because the merchant did attempt to authenticate the cardholder.

If the status is cardholder_enrolled then you will need to continue with the next steps in the process.

Verify 3D Secure Authentication Attempt

Using the values returned in the previous request, the client must then issue a POST request to the url with the following values. This can be done in the main app view or through an iframe or WebView.

Where the following values must be injected dynamically


Value	Description
url	Returned in Response from Pungle
PaReq	Returned in Response from Pungle
TermUrl	Redirect URL that will be contacted after the User has completed the 3D Secure Flow (must be https)
MD	The first 17 characters of the id field returned in response from Pungle

Here is an example redirect page that can be loaded in order to create the POST request with the correct parameters.

<!DOCTYPE html>
<html>

	<head>
		<title>3DSecure Page</title>
		<script type="text/javascript">
			function OnLoadEvent() {
				document.form.submit();
			}
		</script>
	</head>

	<body onload="OnLoadEvent()">
		<form action="< url >" method="POST">
			<input type="hidden" name="PaReq" value="< pares >" />
			<input type="hidden" name="TermUrl" value="< redirect_url >" />
            <input type="hidden" name="MD" value="< id >" />
			<noscript>
				<input type="submit" />
			</noscript>
			</form>
		</body>
</html>

Once the 3D Secure flow with the card issuer has completed the user will be redirected to the value supplied in the TermUrl key.

Included in the URL params of the redirect will be a `PaRes` Value. You will need to capture this value and send the value in another request along with the id from the previous request to the 3D Secure Verify endpoint in order to verify the status of the 3D Secure Authentication

POST /api/v1/transactions/pull/3D-Secure/verify

Body:
{
  "id": "123-456"
  "pares": "abc123"
}

If the 3D Secure Validation was successful and chargeback protection applies to this transaction. A successful response will be returned and it will contain an id that can then be passed into the pull transaction request.

{
  "data": {
	"id": "123-456",
	"status": "authenticated",
    "chargeback_protection_available": true
  }
}


Status	Description
authenticated	The cardholder has been authenticated and chargeback protection applies
not_authenticated	Cardholder authentication failed and chargeback protection does not apply
authentication_attempt_acknowledged	Authentication has been acknowledged by the bank and chargeback protection applies
verify_signature_failed	Failed to verify the authentication attempt

The value of the chargeback_protection_available key in the response will tell you whether chargeback protection is available for this transaction.

Once you have completed the 3D Secure flow you will be able to use the Pull Transaction Endpoint with the three_d_secure_id key included in the request to ensure chargeback protection.

📘
Related pages
3DS Status Codes\n3DS Test Cards\nDirectSend User Guide