INTEGRATION

Getting Started

TRANSACTION ASSURANCE

3D-Secure

INTEGRATION

3D-Secure

Silverflow's API for 3DS authentications (3D-Secure 2.x) is designed with simplicity in mind. It provides a straightforward abstraction over the 3DS protocol while exposing all the necessary data from the card network. By delivering the correct type of transaction, along with other mandatory data such as the amount and card number, Silverflow handles the construction of the 3DS protocol messages and the interaction with the card network, making the process seamless for developers.

The 3DS protocol offers developers two distinct flows: the frictionless flow and the challenge flow. The frictionless flow is triggered when the issuer deems the transaction to have a low risk of fraud, such as for low amounts. In cases where the transaction carries a higher risk of fraud, the challenge flow, requiring additional cardholder interaction, is initiated. Developers have the control to manage these flows based on their specific needs. The result of the 3DS process is an authentication value, which must be provided to the issuer through the card networks during authorization. PIN, CVC, and AVS authentication are performed during the authorization process, giving developers the power to ensure secure transactions.

Frictionless Flow

The 3DS frictionless flow is the most straightforward 3DS flow. A 3DS call is made, and if the flow property is frictionless and the result property is authenticated, the authentication is completed.

The ares.authenticationValue and ares.dsTransID can be used for authorization; the values of these properties need to be passed in threeDsAuthenticationResult.authenticationValue and threeDsAuthenticationResult.directoryServerTransId of the charge request, respectively.

Challenge Flow

The challenge flow is more involved. A challenge flow is observed when the flow and result properties contain a challenge. The initial call succeeded, but the cardholder must still perform a challenge. A cardholder challenge can be initiated by creating a CReq and filling it in with the data received in the 3DS response:

This CReq must be encoded using the base64 URL and sent to the area.acsURL through the cardholder browser. The HTTP method must be POST, and the Content-Type must be application/x-www-form-urlencoded.

Note that the CReq must be encoded by base64 URL, not base64 encoded. Some issuers might return an error if this requirement is not satisfied. For more information, please look at the EMV 3-D Secure Protocol and Core Functions Specification (2018), section A.5.4 (Browser CReq and CRes POST).

Attempts

If the result in the first call is a 3DS attempt or non-authenticated, the flow property will be none, and the result property will be attempt or non-authenticated.

3RI Flow

3DS requester-initiated authentications (3RI), also known as merchant-initiated authentications, allow merchants to authenticate a transaction without the direct involvement of the cardholder. 3RI is a 3DS authentication message enabling merchants to submit data to the issuer to assess and authorize a payment when the buyer is absent.

The merchant must store the cardholder's information from a previous transaction to generate the authentication data necessary for authorization.

3DS Method URL

To allow an issuer to gather additional browser information before the regular 3DS authentication flow, Silverflow provides the possibility of using the 3DS Method URL to facilitate this risk assessment.

Using the 3DS Method is optional, and not all account ranges support 3DS and the Method URL. To assess whether a 3DS Method URL is available, a POST call can be made to the /3ds/cardRanges endpoint, returning, among other things, the threeDSMethodURL.

After obtaining the information on the Method URL, a hidden iFrame can be generated on the checkout page. Through this, a POST call to the threeDSMethodURL should be made, which includes the threeDSMethodNotificationURL and the threeDSServerTransID generated by the 3DS Requestor.

When the issuer is finished, the 3DS Requestor will receive a notification on the threeDSMethodNotificationURL that was provided, and the normal 3DS authentication flow can be completed.

The threeDSServerTransID used in the Method URL flow should be a parameter in the POST/3DS call.

Cryptogram Validity

According to the Mastercard Rules, a UCAF/AAV cryptogram has a specific validity limit, and the Visa 3D Secure guides make no mention of this, but generally, it is advised to use a UCAF/AAV within the first 90 days.

After this point, an issuer might still approve an authorization request with the provided UCAF/AAV. An authorization can still be attempted without the AAV or UCAF data, but the merchant becomes liable in case of fraud (loss of liability shift).

Transaction Status Reason Code Descriptions

3DS transaction status and reason codes can be found in the response of a 3DS authentication request, ares.transStatusReason and ares.transStatus. It provides information, in the form of a letter, on the transStatus and the reason, in the form of a number, why the particular transStatus has been returned.

The table below maps the transStatus to the actual reason written out in plaintext.

ares.transStatus

Transaction Status Description

Y

Authentication Verification Successful.

N

Not Authenticated

U

Authentication Could Not Be Performed; Technical or other problem, as indicated in ARes or RReq.

A

Attempts Processing Performed, but a proof of attempted authentication is provided.

C

Challenge Required; Additional authentication is required using the CReq/CRes.

D

Challenge Required; Decoupled Authentication confirmed.

R

Authentication; Issuer is rejecting authentication and request that authorisation not be attempted.

I

Informational Only; 3DS Requestor challenge preference acknowledged.

The table below maps the transStatusReason number to the actual reason written out in plaintext.

ares.transStatusReason

Transaction Status Reason Description

1

Card authentication failed

2

Unknown Device

3

Unsupported Device

4

Exceeds authentication frequency limit

5

Expired card

6

Invalid card number

7

Invalid transaction

8

No Card record

9

Security failure

10

Stolen card

11

Suspected fraud

12

Transaction not permitted to cardholder

13

Cardholder not enrolled in service

14

Transaction timed out at the ACS

15

Low confidence

16

Medium confidence

17

High confidence

18

Very High confidence

19

Exceeds ACS maximum challenges

20

Non-Payment transaction not supported

21

3RI transaction not supported

22

ACS technical issue

23

Decoupled Authentication required by ACS but not requested by 3DS Requestor

24

3DS Requestor Decoupled Max Expiry Time exceeded

25

Decoupled Authentication was provided insufficient time to authenticate cardholder. ACS will not make attempt

26

Authentication attempted but not performed by the cardholder

27–79

Reserved for EMVCo future use (values invalid until defined by EMVCo)

80–99

Reserved for DS use