EMV® Three-Domain Secure (3DS) is a messaging protocol developed by EMVCo (Europay, Mastercard, Visa and some other card schemes) to enable consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorised CNP transactions and protects the merchant from CNP exposure to fraud.
3DSecure v2.1
Payment Network Status Codes
VISA v2.0
Transaction Status | ECI | Authentication Value | Description |
Y | 05 | Present | Authentication Successful |
A | 06 | Present | Attempts Processing Performed |
I | 07 | Present | Informational Only; 3DS Requestor challenge preference acknowledged |
N | 07 | None | Authentication Failed; Not Authenticated; Transaction Denied |
U | 07 | None | Authentication Could Not Be Performed; Technical or Other Problem |
C | 07 | None | Challenge Required to authenticate the cardholder |
R | 07 | None | Authentication Rejected |
How to proceed based on the status received
- Y, N, U, or A, the merchant can proceed to authorization using the ECI value and CAVV (CAVV is only applicable for Y or A) provided by the Issuer ACS/Attempts Server.
- R, it is not recommended to proceed to authorization.
- C, the frictionless flow transitions to the Challenge flow.
Mastercard ECI
The Electronic Commerce Indicator (ECI) is a value provided by the ACS (the credit card's bank, or a partner of the bank) that indicates the 3DS authentication result.
The value of the ECI determines the liability shift - the burden of fraudulent chargebacks shifts from you to the card issuer.
Below are the possible ECI values and whether each one shifts liability:
Liability Shift Conditions
ECI | ECI for MasterCard | Description | Result |
5 | 2 | This value indicates the cardholder was authenticated by the issuer with the cardholder's identity information | Liability Shift |
6 | 1 | This value means that the merchant attempted to authenticate the cardholder, but either the cardholder or issuer was not participating | Liability Shift |
7 | 0 | This value is returned when the payment transaction is conducted over a secure channel, but payment authentication is not performed | No Liability Shift |
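The Visa status table and the ECI liability table above can be enforced together on the merchant side. This is an added example, not code from the original page; the function names and action labels are hypothetical, and the handling of status I (which the "how to proceed" list does not cover) is an assumption.

```javascript
// Added example: fail-closed routing of a Visa 3DS v2 result, checked against
// the status table above. Action names are hypothetical labels.
const VISA_ROWS = { // status -> [ECI, authentication value present]
  Y: ["05", true], A: ["06", true], I: ["07", true],
  N: ["07", false], U: ["07", false], C: ["07", false], R: ["07", false],
};
const MASTERCARD_ECI = { "02": "05", "01": "06", "00": "07" };

// Map a scheme-specific ECI onto the 05/06/07 scale used in the tables.
function normalizeEci(scheme, eci) {
  const two = String(eci).padStart(2, "0");
  return scheme === "mastercard" ? MASTERCARD_ECI[two] : two;
}

// Liability shifts only for "authenticated" (05) and "attempted" (06).
function liabilityShifts(scheme, eci) {
  const common = normalizeEci(scheme, eci);
  return common === "05" || common === "06";
}

function routeVisaResult({ transStatus, eci, authenticationValue }) {
  const row = VISA_ROWS[transStatus];
  const common = normalizeEci("visa", eci);
  const hasValue =
    typeof authenticationValue === "string" && authenticationValue.length > 0;
  // A status whose ECI or authentication value contradicts the table is
  // treated as malformed or tampered with rather than trusted.
  if (!row || row[0] !== common || row[1] !== hasValue) {
    return { action: "reject_inconsistent", liabilityShift: false };
  }
  if (transStatus === "C") return { action: "start_challenge", liabilityShift: false };
  if (transStatus === "R") return { action: "do_not_authorize", liabilityShift: false };
  // Assumption: the page gives no guidance for I, so leave it to merchant policy.
  if (transStatus === "I") return { action: "merchant_policy", liabilityShift: false };
  return {
    action: "authorize",
    eci: common,
    // CAVV is only sent for Y or A, per the list above.
    cavv: transStatus === "Y" || transStatus === "A" ? authenticationValue : null,
    liabilityShift: liabilityShifts("visa", common),
  };
}
```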
3DSecure v1.0
3D Secure Transaction Flow
The 3D Secure process involves a number of steps which are summarized below:
- Verify if the cardholder's card is enrolled in 3D Secure
- If enrolled, redirect the cardholder to their bank's Access Control Server (ACS) to enter their passphrase
- If NOT enrolled and their card type is Visa or MasterCard, proceed directly to pull transaction authorization
- If NOT enrolled and their card type is American Express, do not proceed to pull transaction
- Take the response values from the ACS and send them back to Pungle to be verified
- Based on Authentication result and if chargeback protection applies, continue on to Pull Transaction
Create 3D Secure Authentication
The first step is to verify if the customer's card supports 3D Secure.
Send a Request to create a 3D Secure Authentication
POST /api/v1/transactions/pull/3D-Secure
Body:
{
"currency": "CAD",
"amount": 1000,
"financial_account": "visa_2_pctk_co_h_l8xKdiHbUPatyRUUAsC360C81FD1D873551"
}
The following response will be returned
{
"data": {
"url": "https://pit.3dsecure.net/VbVTestSuiteService/pit1/acsService/paReq?summary=YzZhZDFkYzMtYTI0My00NzQzLWI5ZjUtZjE0MWM4YjA3ZmM1",
"status": "cardholder_enrolled",
"pareq": "eJxVUU1vwjAMve9XVL1OI20pUJAbVL7GJsHQBtJ2zFIXOmha0nSw/folUMaWQ+RnW+/Zz9A/ZjvrE2WZ5iK03YZjWyh4HqdiHdqr5eQusPv0BpYbiTh6QV5JpDDDsmRrtNI4tFnQxqTdese41fH1302QB53ATzqBw4N2YlNYRM+4p1CrUC3S8IBcoGaTfMOEosD4fvAwp37Hd7sBkBpChvJhRLv1A3LGIFiGtKjEeodATgB4Xgklv6jr+UAuACq5oxulih4hh8OhobBUDZ5nQEwByFV/UZmo1ETHNKbFZMpG1Yp/J83b7jCJmHp7XE+T/VZsQyCmA2KmkHqOG7ie61ue13P8nqt3O+WBZWYCs6+jlzkDKIxGVFdM4W8CtL9S+3/Z4IIAj0UuUHdo8t8YyHXg4dTYx5U2ZppOluNqvL3/WL3KpjuvssHsKQpDY+ipwbCl2hg9uHOiMwCIoSD1rUh9Yh39O/0P8W24mw==",
"id": "2631b12d-2494-4454-8ca7-0d1e0afdc035",
"chargeback_protection_available": false
}
}
The response will provide a status as to whether the cardholder is enrolled in 3D Secure, and whether chargeback protection applies at this point.
The status field can contain one of the following values:
Status | Description |
cardholder_enrolled | The card is enrolled in 3D Secure and you should continue with 3D Secure flow; chargeback protection applies |
cardholder_not_enrolled | The card is not enrolled in 3D Secure and you should continue to Pull transaction authorization; chargeback protection applies |
unable_to_verify_enrollment | Unable to verify if the card is enrolled in 3D Secure; chargeback protection doesn't apply |
verify_enrollment_failed | Failure to verify if the card is enrolled in 3D Secure |
The response will also contain a value chargeback_protection_available
that you can use to determine if chargeback protection is available at this point.
If the status is cardholder_not_enrolled
then chargeback protection applies and you are able to proceed to the Pull transaction at this point.
- Note: Transaction is not eligible for chargebacks because the merchant did attempt to authenticate the cardholder.
If the status is cardholder_enrolled
then you will need to continue with the next steps in the process.
Verify 3D Secure Authentication Attempt
Using the values returned in the previous request, the client must then issue a POST
request to the url
with the following values. This can be done in the main app view or through an iframe or WebView.
Where the following values must be injected dynamically
Value | Description |
url | Returned in Response from Pungle |
PaReq | Returned in Response from Pungle |
TermUrl | Redirect URL that will be contacted after the User has completed the 3D Secure Flow (must be https) |
MD | The first 17 characters of the id field returned in response from Pungle |
Here is an example redirect page that can be loaded in order to create the POST request with the correct parameters.
<!DOCTYPE html>
<html>
<head>
<title>3DSecure Page</title>
<script type="text/javascript">
function OnLoadEvent() {
// The form has no name attribute, so reference it by index.
document.forms[0].submit();
}
</script>
</head>
<body onload="OnLoadEvent()">
<form action="< url >" method="POST">
<input type="hidden" name="PaReq" value="< pareq >" />
<input type="hidden" name="TermUrl" value="< redirect_url >" />
<input type="hidden" name="MD" value="< id >" />
<noscript>
<input type="submit" />
</noscript>
</form>
</body>
</html>
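The placeholders in the page above are filled from the API response and from your own configuration, so they should be validated and HTML-escaped before being written into the markup. The following server-side rendering sketch is an added example, not Pungle's code; `buildAcsRedirectPage`, `escapeAttr`, `requireHttps` and `SAMPLE` are hypothetical names, the sample values are constructed, and requiring https for the ACS url (the page only requires it for TermUrl) is an assumption.

```javascript
// Added example (not Pungle's code): build the ACS auto-post page on the server.
// buildAcsRedirectPage and SAMPLE are hypothetical names; SAMPLE is constructed.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function requireHttps(raw, label) {
  const parsed = new URL(raw); // throws on malformed input
  if (parsed.protocol !== "https:") throw new Error(label + " must be https");
  return parsed.href;
}

function buildAcsRedirectPage(data, termUrl) {
  if (data.status !== "cardholder_enrolled") {
    throw new Error("ACS redirect only applies to enrolled cards");
  }
  const action = requireHttps(data.url, "ACS url"); // assumption: ACS is https
  const fields = {
    PaReq: data.pareq,
    TermUrl: requireHttps(termUrl, "TermUrl"),
    MD: String(data.id).slice(0, 17), // first 17 characters of id, per the table
  };
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${name}" value="${escapeAttr(value)}" />`)
    .join("\n");
  return `<!DOCTYPE html>
<html><body onload="document.forms[0].submit()">
<form action="${escapeAttr(action)}" method="POST">
${inputs}
<noscript><input type="submit" /></noscript>
</form></body></html>`;
}

const SAMPLE = {
  url: "https://acs.example/paReq?a=1&b=2",
  status: "cardholder_enrolled",
  pareq: 'x"y<z',
  id: "00000000-1111-2222-3333-444444444444",
};
```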
Once the 3D Secure flow with the card issuer has completed, the user will be redirected to the value supplied in the TermUrl key.
Included in the URL params of the redirect will be a `PaRes` value. You will need to capture this value and send it in another request, along with the id
from the previous request, to the 3D Secure Verify endpoint in order to verify the status of the 3D Secure Authentication.
POST /api/v1/transactions/pull/3D-Secure/verify
Body:
{
"id": "123-456",
"pares": "abc123"
}
If the 3D Secure validation was successful and chargeback protection applies to this transaction, a successful response will be returned and it will contain an id
that can then be passed into the pull transaction request.
{
"data": {
"id": "123-456",
"status": "authenticated",
"chargeback_protection_available": true
}
}
Status | Description |
authenticated | The cardholder has been authenticated and chargeback protection applies |
not_authenticated | Cardholder authentication failed and chargeback protection does not apply |
authentication_attempt_acknowledged | Authentication has been acknowledged by the bank and chargeback protection applies |
verify_signature_failed | Failed to verify the authentication attempt |
The value of the chargeback_protection_available
key in the response will tell you whether chargeback protection is available for this transaction.
Once you have completed the 3D Secure flow you will be able to use the Pull Transaction Endpoint with the three_d_secure_id
key included in the request to ensure chargeback protection.
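The branching described in the transaction flow and the two status tables can be collected into fail-closed decision functions. This is an added example, not Pungle's code; the action labels, the `cardType` argument and the sample responses are hypothetical or constructed, and stopping whenever chargeback protection is absent after verification is an assumed merchant policy.

```javascript
// Added example (not Pungle's code): fail-closed next-step decisions for the
// 3D Secure v1 flow. Action names and the cardType argument are hypothetical.
const PROTECTED_RESULTS = new Set([
  "authenticated",
  "authentication_attempt_acknowledged",
]);

// Step 1: response from POST /api/v1/transactions/pull/3D-Secure
function afterEnrollmentCheck(data, cardType) {
  switch (data.status) {
    case "cardholder_enrolled":
      return { action: "redirect_to_acs", pendingId: data.id };
    case "cardholder_not_enrolled":
      // Visa and MasterCard may go straight to the pull; American Express may not.
      return cardType === "visa" || cardType === "mastercard"
        ? { action: "pull", protected: data.chargeback_protection_available === true }
        : { action: "stop", reason: "not enrolled and card type may not proceed" };
    case "unable_to_verify_enrollment":
      // No chargeback protection; whether to continue is merchant policy (assumption).
      return { action: "merchant_policy", protected: false };
    default: // verify_enrollment_failed or anything unexpected
      return { action: "stop", reason: "enrollment check failed" };
  }
}

// Step 2: response from POST /api/v1/transactions/pull/3D-Secure/verify
function afterVerify(data, pendingId) {
  // Only accept a result for the authentication this session started.
  if (data.id !== pendingId) {
    return { action: "stop", reason: "response is for a different authentication" };
  }
  if (PROTECTED_RESULTS.has(data.status) &&
      data.chargeback_protection_available === true) {
    return { action: "pull", three_d_secure_id: data.id, protected: true };
  }
  return { action: "stop", reason: "status " + data.status };
}

// Constructed sample responses, shaped like the ones on this page.
const SAMPLE_VERIFY_OK = {
  id: "123-456", status: "authenticated", chargeback_protection_available: true,
};
const SAMPLE_VERIFY_BAD = {
  id: "123-456", status: "verify_signature_failed", chargeback_protection_available: false,
};
```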