3D Secure
3D Secure is a security protocol that adds an extra layer of customer authentication to online credit and debit card transactions, helping to reduce fraud.
The Secure3DLookup API method abstracts the complexity of the underlying details of the interaction with the bank's Access Control Server (ACS) so that merchants are only required to provide the essential information needed for customer authentication.

Step 1: Check if the card is enrolled
The first step is to query if the customer's card is enrolled for 3D Secure by using the Secure3DLookup method.
Important request parameters:
- ReconID is the reference number for the transaction and is used to tie the 3DS request to the payment. If a merchant does not supply the ReconID then the TransactionID (required) will be sent to the ACS.
- TermURL (required) is the URL of the merchant's website to which the customer will be redirected after the bank completes the authentication process.
Important response parameters:
- Enrolled is a boolean true/false value that indicates if the customer's card is enrolled.
- AcsUrl is used in the next step to POST a request to the ACS to authenticate a customer.
- PAReqPayload contains the payload value that is sent to the ACS in the next step.
- MdStatus contains an important code that indicates the status of a 3D Secure authentication process and if applicable, what the next steps should be.
Step 2: Authenticate the cardholder
If the card is not enrolled, then a merchant should not proceed with the transaction unless they are willing to take on the financial liability for the transaction in the event of fraud or charge-back.
If the card is enrolled for 3DS (i.e. Enrolled = true):
- If MdStatus = 1 (Authenticated) then a merchant can proceed straight to performing an authorization or payment.
- If MdStatus = 9 or 50 (or in rare cases 4) then a merchant should redirect the cardholder to the AcsUrl for authentication by performing an HTML form POST request.
  Example of cardholder authentication HTML POST:

      <HTML>
      <BODY onload="document.frmLaunch.submit();">
      <FORM name="frmLaunch" method="POST" action="ACSUrl Value">
      <input type=hidden name="PaReq" value="Payload Value">
      </FORM>
      </BODY>
      </HTML>

  Note:
  - the action attribute is populated with the value in the AcsUrl element in the Secure3DLookup response message
  - the PaReq is populated with the value in the PAReqPayload element
- Other MdStatuses indicate various failure states as described below in the MDStatus list.
Once the cardholder has been authenticated, the ACS will perform a POST to the merchant's website specified by the TermURL with the following parameters:
- PARes: this value is required in the PAResPayload of the subsequent Authorize or Payment request
- MD: this is the merchant data (reference number) returned by the ACS that allows the merchant to tie the request/response pairs together
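The Step 2 decision, redirect and callback check as an added example (not code from this page or from the payment provider): it maps a parsed Secure3DLookup response to the next action, builds the PaReq form with attribute values HTML-escaped, and ties the TermURL POST back to the pending transaction. The function names, the dict-shaped inputs, the https-only check on AcsUrl and the stored expected MD value are assumptions.

```python
from html import escape
from urllib.parse import urlsplit

AUTHENTICATED = {1}       # MdStatus: proceed straight to authorization or payment
CHALLENGE = {9, 50, 4}    # MdStatus: redirect the cardholder to AcsUrl (4 is rare)

def next_step(lookup):
    """Map a parsed Secure3DLookup response to the merchant's next action."""
    if lookup.get("Enrolled") is not True:
        return "not_enrolled"   # proceeding means accepting fraud/charge-back liability
    status = int(lookup["MdStatus"])
    if status in AUTHENTICATED:
        return "authorize"
    if status in CHALLENGE:
        return "redirect"
    return "failed"             # every other MdStatus is a failure state

def acs_form(lookup):
    """Build the auto-submitting PaReq form with escaped attribute values."""
    acs_url = lookup["AcsUrl"]
    parts = urlsplit(acs_url)
    # Assumption (added hardening): only an absolute https URL is accepted.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("AcsUrl must be an absolute https URL")
    return (
        '<html><body onload="document.frmLaunch.submit();">'
        f'<form name="frmLaunch" method="POST" action="{escape(acs_url, quote=True)}">'
        f'<input type="hidden" name="PaReq" value="{escape(lookup["PAReqPayload"], quote=True)}">'
        "</form></body></html>"
    )

def accept_callback(post, expected_md):
    """Check the ACS POST to TermURL and return PARes for PAResPayload."""
    # Assumption: expected_md is the reference the merchant stored server-side.
    if post.get("MD") != expected_md:
        raise ValueError("MD does not match the pending transaction")
    if not post.get("PARes"):
        raise ValueError("PARes missing from ACS callback")
    return post["PARes"]

# Constructed sample response (not real provider output).
SAMPLE_LOOKUP = {"Enrolled": True, "MdStatus": "50",
                 "AcsUrl": "https://acs.example/auth?a=1&b=2",
                 "PAReqPayload": 'eJx"><b>'}

if __name__ == "__main__":
    print(next_step(SAMPLE_LOOKUP))
    print(acs_form(SAMPLE_LOOKUP))
```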
Authorization Matrix
An Electronic Commerce Indicator (ECI) is included in the response from Bankserv and is used to determine the final status of the transaction. (These can be found on the Online Payments Portal under the 3D Secure Details tab in Transaction Management).
Please take note of the following authentication scenarios where the liability is tabulated below. Liability is subject to change based on the card scheme.
