Skip to content

Instantly share code, notes, and snippets.

@jondanao
Forked from soltveit/3dsecure-flow.md
Created April 14, 2021 07:42
Show Gist options
  • Save jondanao/38f980137a567867953e9c40f1600aa5 to your computer and use it in GitHub Desktop.
Save jondanao/38f980137a567867953e9c40f1600aa5 to your computer and use it in GitHub Desktop.
3D Secure flow

3D Secure flow

Verify cardholder is enrolled in 3D Secure program

Submit card and merchant information to https://mpi.3dsecure.io (MPI) according to:

The response will include:

  • pareq
  • acs_url
  • enrolled

Possible enrolled values:

Y when cardholder is enrolled
N when cardholder is not enrolled
U when unknown

Redirect cardholder to ACS

The following must be submitted to an ACS (acs_url) that then facilitates a Two-Factor Authentication of cardholder:

Attribute Mandatory Value
PaReq Y pareq value
TermUrl Y Client callback URL
MD N Merchant data (submitted back to client)

Above must be submitted using a HTTP POST request (content type: application/x-www-form-urlencoded).

Examle

<html>
 <body OnLoad='OnLoadEvent();'>
  <form name=myForm action="ACS_URL" method="POST">
   <input type=hidden name=PaReq value="PaReq">
   <input type=hidden name=TermUrl value="TermUrl">
   <input type=hidden name=MD value="MD">
  </form>
  <script language=Javascript>
   document.myForm.submit();
  </script>
 </body>
</html>

Verify response from ACS

Upon cardholder authentication ACS will redirect cardholder to TermUrl using a HTTP POST request and include following attributes.

Attribute Value
PaRes Must be submitted to MPI
MD Merchant data (sent by client)

To verify that cardholder has been successfully authenticated submit PaRes to MPI according to:

The response will include:

  • cavv
  • cavv_algorithm
  • xid
  • eci
  • status

Above attributes might be included in authorization messages (e.g. ISO-8583 authorization messages).

The status attribute indicate whether cardholder successfully authenticated at ACS:

Y when cardholder successfully authenticated
N when cardholder failed or cancelled authentication
A when cardholder attempted to authenticate (proof of authentication attempt)
U when unknown (possible some system component unavailable)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment