3DS Status Codes

EMV® Three-Domain Secure (3DS) is a messaging protocol developed by EMVCo (Europay, Mastercard, Visa and some other card schemes) to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorised CNP transactions and protects the merchant from CNP exposure to fraud.

3DSecure v2.1

Payment Network Status Codes

VISA v2.0

Transaction StatusECIAuthentication ValueDescription
Y05PresentAuthentication Successful
A06PresentAttempts Processing
I07PresentInformational Only; 3DS
Requestor challenge
preference acknowledged
N07NoneAuthentication Failed;
Not Authenticated;
Transaction Denied
U07NoneAuthentication Could Not Be
Performed; Technical or Other
C07NoneChallenge Required to
authenticate the cardholder
R07NoneAuthentication Rejected

How to proceed based on the status received


How to proceed based on the status received

  • Y, N, U, or A, the merchant can proceed to authorization using the ECI value and CAVV (CAVV is only applicable for Y or A) provided by the Issuer ACS/Attempts Server.
  • R, it is not recommended to proceed to authorization.
  • C, the frictionless flow transitions to the Challenge flow.

Mastercard ECI

The Electronic Commerce Indicator is provided by the ACS (the credit card's bank, or a partner of the bank) that indicates the 3DS authentication results.

The value of the ECI determines the liability shift - the burden of fraudulent chargebacks shifts from you to the card issuer.

Below are possible ECI values, and if they shift liability or not:

Liability Shift Conditions
ECIECI for MasterCardDescriptionResult
52This value indicates the cardholder wasauthenticatedby the issuer with the cardholders identity informationLiability Shift
61This value means that the merchantattemptedto authenticate the cardholder, but either the cardholder or issuer was not participatingLiability Shift
70This value is returned when the payment transaction is conducted over a secure channel, but payment authentication is not performedNo Liability Shift

3DSecure v1.0

3D Secure Transaction Flow

The 3D Secure process involves a number of steps which are summarized below:

  1. Verify if the cardholder's card is enrolled in 3D Secure
  • If enrolled, redirect the cardholder to their bank's Access Control Server (ACS) to enter their passphrase
  • If NOT enrolled and their card type is Visa or MasterCard, proceed directly to pull transaction authorization
  • If NOT enrolled and their card type is American Express, do not proceed to pull transaction
  1. Take the response values from the ACS and send back to Pungle to be verified
  2. Based on Authentication result and if chargeback protection applies, continue on to Pull Transaction

Create 3D Secure Authentication

The first step is to verify if the customer's card supports 3D Secure.

Send a Request to create a 3D Secure Authentication

POST /api/v1/transactions/pull/3D-Secure


  "currency": "CAD",
  "amount": 1000,
  "financial_account": "visa_2_pctk_co_h_l8xKdiHbUPatyRUUAsC360C81FD1D873551"

The following response will be returned

  data: {
    "url": "https://pit.3dsecure.net/VbVTestSuiteService/pit1/acsService/paReq?summary=YzZhZDFkYzMtYTI0My00NzQzLWI5ZjUtZjE0MWM4YjA3ZmM1",
    "status": "cardholder_enrolled",
    "pareq": "eJxVUU1vwjAMve9XVL1OI20pUJAbVL7GJsHQBtJ2zFIXOmha0nSw/folUMaWQ+RnW+/Zz9A/ZjvrE2WZ5iK03YZjWyh4HqdiHdqr5eQusPv0BpYbiTh6QV5JpDDDsmRrtNI4tFnQxqTdese41fH1302QB53ATzqBw4N2YlNYRM+4p1CrUC3S8IBcoGaTfMOEosD4fvAwp37Hd7sBkBpChvJhRLv1A3LGIFiGtKjEeodATgB4Xgklv6jr+UAuACq5oxulih4hh8OhobBUDZ5nQEwByFV/UZmo1ETHNKbFZMpG1Yp/J83b7jCJmHp7XE+T/VZsQyCmA2KmkHqOG7ie61ue13P8nqt3O+WBZWYCs6+jlzkDKIxGVFdM4W8CtL9S+3/Z4IIAj0UuUHdo8t8YyHXg4dTYx5U2ZppOluNqvL3/WL3KpjuvssHsKQpDY+ipwbCl2hg9uHOiMwCIoSD1rUh9Yh39O/0P8W24mw==",
    "id": "2631b12d-2494-4454-8ca7-0d1e0afdc035",
    "chargeback_protection_available": false    

The response will provide a status as to whether the cardholder is enrolled in 3D Secure, and whether chargeback protection applies at this point.
The status field can contain one of the following values:

cardholder_enrolledThe card is enrolled in 3D Secure and you should continue with 3D Secure flow; chargeback protection applies
cardholder_not_enrolledThe card is not enrolled in 3D Secure and you should continue to Pull transaction authorization; chargeback protection applies
unable_to_verify_enrollmentUnable to verify if the card is enrolled in 3D Secure; chargeback protection doesn't apply
verify_enrollment_failedFailure to verify if the card is enrolled in 3D Secure

The response will also contain a value chargeback_protection_available that you can use to determine if charge back_protection is available at this point.

If the status is cardholder_not_enrolled then chargeback protection applies and you are able to proceed to the Pull transaction at this point.

  • Note: Transaction is not eligible for chargebacks because the merchant did attempt to authenticate the cardholder.

If the status is cardholder_enrolled then you will need to continue with the next steps in the process.

Verify 3D Secure Authentication Attempt

Using the values returned in the previous request, the client must then issue a POST request to the url with the following values. This can be done in the main app view or through an iframe or WebView.

Where the following values must be injected dynamically

urlReturned in Response from Pungle
PaReqReturned in Response from Pungle
TermUrlRedirect URL that will be contacted after the User has completed the 3D Secure Flow (must be https)
MDThe first 17 characters of the id field returned in response from Pungle

Here is an example redirect page that can be loaded in order to create the POST request with the correct parameters.

<!DOCTYPE html>

        <title>3DSecure Page</title>
        <script type="text/javascript">
            function OnLoadEvent() {

    <body onload="OnLoadEvent()">
        <form action="< url >" method="POST">
            <input type="hidden" name="PaReq" value="< pares >" />
            <input type="hidden" name="TermUrl" value="< redirect_url >" />
            <input type="hidden" name="MD" value="< id >" />
                <input type="submit" />

Once the 3D Secure flow with the card issuer has completed the user will be redirected to the value supplied in the TermUrl key.

Included in the URL params of the redirect will be a `PaRes` Value. You will need to capture this value and send the value in another request along with the id from the previous request to the 3D Secure Verify endpoint in order to verify the status of the 3D Secure Authentication

POST /api/v1/transactions/pull/3D-Secure/verify

  "id": "123-456"
  "pares": "abc123"

If the 3D Secure Validation was successful and chargeback protection applies to this transaction. A successful response will be returned and it will contain an id that can then be passed into the pull transaction request.

  "data": {
    "id": "123-456",
    "status": "authenticated",
    "chargeback_protection_available": true
authenticatedThe cardholder has been authenticated and chargeback protection applies
not_authenticatedCardholder authentication failed and chargeback protection does not apply
authentication_attempt_acknowledgedAuthentication has been acknowledged by the bank and chargeback protection applies
verify_signature_failedFailed to verify the authentication attempt

The value of the chargeback_protection_available key in the response will tell you whether chargeback protection is available for this transaction.

Once you have completed the 3D Secure flow you will be able to use the Pull Transaction Endpoint with the three_d_secure_id key included in the request to ensure chargeback protection.


Related pages

3DS Status Codes
3DS Test Cards
DirectSend User Guide