3DS Authentication
3D secure authentication
INFO
3D Secure is an authentication protocol that provides an additional layer of verification for card-not-present (CNP) transactions. We recommend that you use 3D Secure to comply with authentication regulations for online payment, and to make use of the liability shift.
3D Secure has two available versions:
- 3D Secure 1: Shoppers are redirected to the card issuer's site to provide additional authentication data, for example a password or an SMS verification code. The redirection might lead to lower conversion rates due to technical errors during the redirection, or shoppers dropping out of the authentication process.
- 3D Secure 2: The card issuer performs the authentication within your website using passive, biometric, and two-factor authentication approaches. For more information, refer to 3D Secure 2 authentication flows.
Card schemes have fully decommissioned 3D Secure 1. This means that you only need to handle 3D Secure 2 authentication on your checkout page.
ThreeDS solution
A transaction that qualifies for 3D Secure 2 can go through either a frictionless flow or a challenge flow, depending on the issuer's requirements.
3D Secure 2 Frictionless Authentication Flow
In a frictionless flow, the acquirer, issuer, and card scheme exchange all necessary information in the background through passive authentication using the shopper's device fingerprint. The transaction is completed without further shopper interaction.
3D Secure 2 Challenge Authentication Flow
In a challenge flow, the issuer requires additional user interaction, either through biometrics, two-factor authentication, a one-time authentication code received on the user's phone, or a password.
Integration process
TIP
EVO Cloud provides the following 2 options to support both 3D Secure versions:
- Redirect for 3D Secure 2: The fastest way to support 3D Secure, which redirects the user to another site to verify the payment. This is called threeDSPage mode, and it is the EVO Cloud default setting when you integrate 3D Secure processing with EVO Cloud, unless you set authentication.type to threeDSIntegrator to choose the Native option below.
- Native for 3D Secure 2: Provide a better customer experience by performing 3D Secure 2 authentication within your website or mobile app.
Redirect for 3D Secure 2
Step 1: Submit a payment / paymentMethod request
Submit a payment / paymentMethod request with a POST /payment or /paymentMethod call. Include the threeDS object, authentication.returnUrl, and the browserInfo object to indicate that you are ready to accept 3D Secure 2 payments.
deviceType
: web
shopperIP
: The shopper's IP address.
browserInfo
: Collect information about your shopper's browser.
authentication.returnUrl
: Calls back the address after authentication is completed.
TIP
To increase the likelihood of achieving a frictionless flow and higher authorisation rates, we also recommend that you send additional parameters, such as accountInfo object, deliveryAddress object, billingAddress object and merchantRiskIndicator object.
Step 2: Process threeDSRedirect
For the redirect solution for 3D Secure 2 (authentication.type is threeDSPage), the action.type you receive in the response is usually RedirectShopper, meaning that you need to redirect the user to an EVO Cloud hosted page to complete the 3DS 2 authentication, using the authentication.threeDS.redirectUrl in the same response.
- Get the redirectUrl from the paymentMethod/payment response.
- EVO Cloud redirects the user back to your returnUrl with an HTTP GET within 10 minutes. Use the merchantTransID parameter in the response to match it to your initial request. If the status parameter in the response is finished, you can consider the 3D Secure authentication successful, and you need to obtain the transaction details by calling the GET interface or by receiving the notification from EVO Cloud.
- If you don't get any response within 10 minutes, or the status parameter is not finished, you can consider the 3D Secure authentication failed, and you need to obtain the transaction details by calling the GET interface or by receiving the notification from EVO Cloud.
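One way to handle the return described in the steps above, as an added example (not EVO Cloud's code). merchantTransID, status and the 10-minute window come from this page; the in-memory store and the function names are assumptions.

```javascript
// Added example: server-side handling of the shopper's return from the hosted 3DS page.
// `pending` is a hypothetical in-memory store; use your order database in practice.
const RETURN_WINDOW_MS = 10 * 60 * 1000; // the 10-minute window stated above

const pending = new Map(); // merchantTransID -> { createdAt, state }

// Call when the payment response asked you to redirect the shopper.
function registerRedirect(merchantTransID, now = Date.now()) {
  pending.set(merchantTransID, { createdAt: now, state: 'awaiting-return' });
}

// Call from the returnUrl GET handler with the parsed query string.
// The query string arrives through the shopper's browser, so it only
// selects which transaction to look up, never whether the order is paid.
function handleReturn(query, now = Date.now()) {
  const id = typeof query.merchantTransID === 'string' ? query.merchantTransID : '';
  const tx = pending.get(id);
  if (!tx) return { action: 'reject', reason: 'unknown merchantTransID' };
  if (tx.state !== 'awaiting-return') {
    return { action: 'ignore', reason: 'return already processed' };
  }
  const late = now - tx.createdAt > RETURN_WINDOW_MS;
  const authentication = !late && query.status === 'finished' ? 'successful' : 'failed';
  tx.state = 'awaiting-confirmation';
  // Either way, the final result comes from the GET interface or the notification.
  return { action: 'fetch-transaction', merchantTransID: id, authentication };
}

// Run periodically: shoppers who never came back within the window.
function expireStale(now = Date.now()) {
  const expired = [];
  for (const [id, tx] of pending) {
    if (tx.state === 'awaiting-return' && now - tx.createdAt > RETURN_WINDOW_MS) {
      tx.state = 'awaiting-confirmation';
      expired.push(id);
    }
  }
  return expired;
}
```

Every matched return ends in fetch-transaction, so the order state is only ever set from the transaction detail or the notification.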
Native for 3D Secure 2
Step 1: Submit a payment / paymentMethod request
This step is similar to Step 1 in Redirect for 3D Secure 2. See it for more details.
Step 2: Get 3D Secure 2 device fingerprint
If your server receives an IdentifyShopper result.action, you are required to perform the 3D Secure 2 device fingerprinting.
- Get the redirectUrl from the paymentMethod / payment response.
- Render a hidden HTML iframe in the browser, and redirect to redirectUrl.
Example of redirectUrl
http://47.242.219.43:8050/acs-auth-web/3dsmethod/collect?threeDSMethodData=eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly93d3cuZXZlcm9uZXQuY29tP29yZGVyTnVtPVQxMDIxOTE2MTM3MjA1MzU3NzkiLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6ImFmOTk2MjBmLTk1NGItNDVjNC04MGViLTAyMmUzMDJiOGIwOCJ9
- Wait for the issuer's response posted to your authentication.returnUrl within 5 seconds from sending the HTTP POST. If you do not get any response within 5 seconds, also proceed to the next step.
- Make a PUT /payment request from your server and include the threeDS.redirectData as parameters.
threeDS.redirectData
: Pass the field {"threeDSCompInd":"Y"}.
If you received a response to authentication.returnUrl within 5 seconds, send {"threeDSCompInd": "Y"}. Otherwise, send {"threeDSCompInd": "N"}.
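The fingerprinting step above, as an added example (not EVO Cloud's code): it decodes the threeDSMethodData carried in the redirectUrl, which is base64url-encoded JSON, before the URL is loaded in the hidden iframe, and builds the threeDS.redirectData value for the PUT /payment call. The function names and the requireHttps switch are assumptions; the sample URL is the one shown on this page.

```javascript
// Added example: checks on the fingerprinting redirectUrl before it is loaded
// in the hidden iframe, and the threeDSCompInd value for PUT /payment.
const METHOD_TIMEOUT_MS = 5000; // the 5-second wait stated above

// Sample value: the example redirectUrl shown on this page.
const SAMPLE_URL = 'http://47.242.219.43:8050/acs-auth-web/3dsmethod/collect' +
  '?threeDSMethodData=eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly93d3cuZXZlcm9uZXQuY29tP29yZGVyTnVtPVQxMDIxOTE2MTM3MjA1MzU3NzkiLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6ImFmOTk2MjBmLTk1NGItNDVjNC04MGViLTAyMmUzMDJiOGIwOCJ9';

// Decode threeDSMethodData and report what the URL carries.
// `requireHttps` is a hypothetical policy switch; the page's sample URL uses http.
function inspectMethodUrl(redirectUrl, { requireHttps = true } = {}) {
  const url = new URL(redirectUrl); // throws on a malformed URL
  const schemeOk = url.protocol === 'https:' || (url.protocol === 'http:' && !requireHttps);
  if (!schemeOk) throw new Error('unexpected scheme: ' + url.protocol);
  const raw = url.searchParams.get('threeDSMethodData');
  if (!raw) throw new Error('threeDSMethodData missing');
  const b64 = raw.replace(/-/g, '+').replace(/_/g, '/');
  const data = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  for (const field of ['threeDSMethodNotificationURL', 'threeDSServerTransID']) {
    if (typeof data[field] !== 'string') throw new Error(field + ' missing');
  }
  return {
    iframeOrigin: url.origin,
    notificationHost: new URL(data.threeDSMethodNotificationURL).host,
    threeDSServerTransID: data.threeDSServerTransID,
  };
}

// threeDS.redirectData for PUT /payment: "Y" only if the returnUrl post
// arrived within 5 seconds of loading the iframe, otherwise "N".
function methodRedirectData(iframeLoadedAt, returnUrlPostAt) {
  const inTime = typeof returnUrlPostAt === 'number' &&
    returnUrlPostAt >= iframeLoadedAt &&
    returnUrlPostAt - iframeLoadedAt <= METHOD_TIMEOUT_MS;
  return { threeDSCompInd: inTime ? 'Y' : 'N' };
}
```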
Step 3: Present a challenge
TIP
If your server receives a ChallengeShopper result.action, this means that the issuer would like to perform additional checks in order to verify that the shopper is indeed the cardholder.
- Get the redirectUrl and redirectData object from the /payment response.
redirectData
: Contains creq
- Render an iframe in the browser, and send an HTTP POST with a creq field to redirectUrl. (Please note that the field name 'creq' in the form post is all lowercase.) This will initiate the challenge window in the iframe.
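<!-- html -->
<form action="redirectUrl" method="post" target="target" id="form">
  <input name="creq" type="text" hidden>
</form>
<!-- The challenge window is shown to the shopper in this iframe, so it must be visible -->
<iframe name="target"></iframe>
<script>
// js
// redirectUrl and the creq value come from the /payment response; the values below are placeholders
const redirectUrl = 'https://xxx.com'
document.querySelector('input[name=creq]').value = 'data'
// Post the form into the iframe named "target"
const form = document.getElementById('form')
form.action = redirectUrl
form.submit()
</script>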
- Wait for the issuer's response posted to your authentication.returnUrl within 10 minutes from sending the HTTP POST. If you do not get any response within 10 minutes, also proceed to the next step.
- Make a PUT /payment request from your server and include the threeDS.redirectData as parameters.
- threeDS.redirectData: Pass the field {"threeDSFinished":"Y"}.
TIP
If you did not receive a response to authentication.returnUrl within 10 minutes, send {"threeDSCompInd": "N"}.
- Receive the result from CIL
payment.status
: Use this to present the result to your shopper.