3D Secure Version 1
3D Secure (3DSv1) is a simple additional verification step that consists of a password screen that is displayed and subsequently controlled by the card issuer. This basic check, using just the password, does not provide Strong Customer Authentication (SCA) unlike 3DS Version 2.
When a Guest Payment or Stored Payment Card API requests is made will we suspend the transaction from authorisation. We will also return to your web service a Callback containing, the transaction id, a PaReq and a ACSUrl needed to redirect the cardholder their issuing bank to authenticate themselves.
"TransactionId": 1000002556,
"PaReq": “eJxVUttuwjAMfd9XVHxAk/RCAZmgQtHGAxuiPGy...RBz77wNUXKtcXvnrcofdDAjUpSxyhTdQ1rsNiaokj0VWnpR10CKvhKxRcCp3dqBtHFTJ4U5WM+ZV0iA4CY16SfMem/A1pP3+QPIfS8/w==”,
"AcsUrl": https://3ds.issuingbank.com/,
Note: If the payment card has not been enrolled by the card issuer for 3D Secure, then the payment request is sent for authorisation without the cardholder needing to authenticate themselves. This means the callback response could include the authorisation response and not the PaReq and AcsUrl as shown above.
Redirect the cardholder
To allow your customers to authenticate themselves they must be redirected to their card issuer, where the card issuer bank provides a page allowing the cardholder to enter an additional password.
The redirect needs to be a POST to the URL stated as ‘ACSUrl’ in both the guest payment and store card payment api callback. The data to be included in this redirect is the PaReq and the transaction id that is also provided in the payment request api callback. A ‘TermUrl’ is also required to redirect the customer to after 3D Secure processing.
<!DOCTYPE html>
<html>
<head>
<title>Sample 3DSecure Page</title>
<script type="text/javascript">
function OnLoadEvent() {
document.form.submit();
}
</script>
</head><body onload="OnLoadEvent()">
<form action="$ACSURL">
<input type="hidden" name="PaReq" value="c7fb83b8ag...73t4a827t4af8738a" />
<input type="hidden" name="TermUrl" value="https://www.mywebsite.com/process3dSecure" />
<input type="hidden" name="MD" value="Transaction ID" />
<noscript>
<input type="submit" />
</noscript>
</form>
</body>
</html>
Resume Transaction
When the cardholder completes authentication with their card issuer they will be POSTed back to the ‘TermUrl’ with a ‘PaRes’ which contains the authentication response, and the ‘MD’ value.
The next step is to resume the suspended transaction sending it for authorisation, this is made via the Resume API Request.
The Resume request contains the transaction id that you wish to resume in the request Url with the PaRes contained in the body of the request.
{
"PaRes": "eNrVWNmyozqy/AWK6kfHOYzG0OHaHWIeDDbz8IaZBzP...Yskfp2mHEABWel7jMpfspEVHEuVpQ/OREEfyGmqG//vmhH/cAf90QvF9zvt+8vm7mfr6R/R/PAx1z",
"Callback": {
"Url": "https://ourcallback.free.beeceptor.com/test124",
"AdditionalUrls": [
"https://www.api1.com",
"https://www.api2.com"]
}
}The transaction is then resumed and sent for authorisation with the result of the authorisation sent to the Callback URL in the body of the resume request. As the client you also have the option to include additional Callback URL(s) to inform your Third-Party service of the result of the transaction.
When a cardholder has been authenticated or an attempt has been successful then you are entitled to chargeback liability shift. Where a cardholder fails 3D authentication then we will automatically decline the transaction and not send the transaction for authorisation with their card issuer.