A server component operated in the Interoperability Domain; it performs a number of functions that include:
authenticating the 3DS Server
routing messages between the 3DS Server and the ACS
validating the 3DS Server, the 3DS SDK, and the 3DS Requestor.
A financial institution that issues payment cards, contracts with Cardholders to provide card services, determines eligibility of Cardholders to participate in 3-D Secure, and identifies for the Directory Server card number ranges eligible to participate in 3-D Secure.
A component that operates in the Issuer Domain, that verifies whether authentication is available for a card number and device type, and authenticates specific Cardholders.
The ACS contains the authentication rules and is controlled by the Issuer. ACS functions include:
Verifying whether a card number is eligible for 3-D Secure authentication
Verifying whether a Consumer Device type is eligible for 3-D Secure authentication
Authenticating the Cardholder or confirming account information.
The ACS UI is generated during a Cardholder challenge and is rendered by the ACS within a Browser challenge window.
Entity that contracts with an Acquirer to accept payment cards. Manages the online shopping experience with the Cardholder, obtains card number, and then transfers control to the 3DS Server, which conducts payment authentication.
In this specification, used to indicate the process by which proof of an authentication attempt is generated when payment authentication is not available. Support for Attempts is determined by each DS.
The process of authentication achieved without Cardholder interaction.
A 3-D Secure flow that involves Cardholder interaction
A process by which an Issuer, or a processor on the Issuer's behalf, approves a transaction for payment.
The AReq message is the initial message in the 3-D Secure authentication flow. The 3DS Server forms the AReq message when requesting authentication of the Cardholder. It can contain Cardholder, payment, and Device information for the transaction. There is only one AReq message per authentication.
The ARes message is the Issuer’s ACS response to the AReq message. It can indicate that the Cardholder has been authenticated, or that further Cardholder interaction is required to complete the authentication. There is only one ARes message per transaction.
An EMV 3-D Secure message sent by the 3DS SDK or 3DS Server where additional information is sent from the Cardholder to the ACS to support the authentication process and to carry the authentication data from the Cardholder.
The ACS response to the CReq message. It can indicate the result of the Cardholder authentication or, in the case of an App-based model, also signal that further Cardholder interaction is required to complete the authentication.
The RReq message communicates the results of the authentication or verification. The message is sent by the ACS through the DS to the 3DS Server. There is only one RReq message per AReq message. The RReq message is not present in a Frictionless transaction.
Message sent by the 3DS Server to the ACS via the DS to acknowledge receipt of the Results Request message. This message is not part of the 3-D Secure authentication message flow.
The Frictionless Flow initiates a 3-D Secure authentication flow and consists of an AReq message and an ARes message. The Frictionless Flow does not require further Cardholder interaction to achieve a successful authentication and complete the 3-D Secure authentication process. Frictionless flow allows the issuer to approve a transaction without cardholder interaction based on risk-based-authentication performed in the ACS.
The frictionless flow comprises these following steps:
The cardholder initiates a transaction and provides the necessary information for the authentication.
Within the 3DS Requestor Environment, the necessary 3-D Secure information is gathered and provided to the 3DS Server for inclusion in the AReq message.
3DS Server through DS to ACS—Using the information provided by the Cardholder and data gathered within the 3DS Requestor Environment, the 3DS Server creates and sends an AReq message to the DS, which then forwards the message to the appropriate ACS.
ACS through DS to 3DS Server—In response to the AReq message, the ACS returns an ARes message to the DS, which then forwards the message to the initiating 3DS Server. Before returning the response, the ACS evaluates the data provided in the AReq message. In a Frictionless Flow, the ACS determines that further Cardholder interaction is not required to complete the authentication.
3DS Requestor Environment—The 3DS Server communicates the result of the ARes message to the 3DS Requestor Environment which then informs the Cardholder.
If the ACS determines that further Cardholder interaction is required to complete the authentication, the Frictionless Flow transitions into the Challenge Flow. For example, a challenge may be necessary because the transaction is deemed high-risk, is above certain thresholds, or requires a higher level of authentication due to country mandates (or regulations). 3DS Requestors decide whether to proceed with the challenge, or to terminate the 3-D Secure authentication process.
The challenge flow comprises the following steps:
The cardholder initiates a transaction and provides the information necessary for the authentication.
Within the 3DS Requestor Environment, the necessary 3-D Secure information is gathered and provided to the 3DS Server for inclusion in the AReq message.
3DS Server through DS to ACS—Using the information provided by the Cardholder and data gathered within the 3DS Requestor Environment, the 3DS Server creates and sends an AReq message to the DS, which then forwards the message to the appropriate ACS.
ACS through DS to 3DS Server—In response to the AReq message, the ACS returns an ARes message to the DS, which then forwards the message to the initiating 3DS Server. Before returning the response, the ACS evaluates the data provided in the AReq message. The ARes message indicates that further Cardholder interaction is required to complete the authentication.
3DS Requestor Environment—The 3DS Server communicates the result of the ARes message to the 3DS Requestor Environment; further Cardholder interaction is required to complete the authentication.
3DS Client to ACS—The 3DS Client initiates a CReq message based on information received in the ARes message. CReq message is formed by the 3DS Server and is posted through the Cardholder’s browser by the 3DS Requestor to the ACS URL received from the ARes message.
ACS to 3DS Client - The ACS receives the CReq message and interfaces with the 3DS Client to facilitate Cardholder interaction. The ACS sends the authentication user interface to the Cardholder browser. The Cardholder enters the authentication data via the browser to be checked by the ACS. In response to the CReq message, the CRes message is formed by the ACS and sent to the 3DS Server to indicate the result of the authentication.
ACS through DS to 3DS Server—The ACS sends an RReq message that can include the Authentication Value (AV) to the DS, which then routes the message to the appropriate 3DS Server using the 3DS Server URL received from the AReq message.
3DS Server through DS to ACS—The 3DS Server receives an RReq message and in response, returns an RRes message to the DS, which then routes the message to the ACS.
Acquiring institution identification code as assigned by the DS receiving the AReq message.
Length: Variable, maximum 11 characters
Data type: string
Acquirer-assigned Merchant identifier. This may be the same value that is used in authorisation requests sent on behalf of the 3DS Requestor and is represented in ISO 8583 formatting requirements.
Length: Variable, maximum 35 characters
Data type: string
DS-specific code describing the Merchant’s type of business, product or service.
Length: 4 characters
Data Type: String
This value correlates to the Merchant Category Code as defined by each Payment System or DS.
Merchant name assigned by the Acquirer or Payment System.
Length: Variable, maximum 40 characters
Data Type: String
Payment System-specific value provided by the ACS or the DS using an algorithm defined by Payment System. Authentication Value may be used to provide proof of authentication.
Length: 28 characters
Data type: String
Value accepted: A 20-byte value that has been Base64 encoded, giving a 28-byte result.
Universally unique transaction identifier assigned by the DS to identify a single transaction.
Length: 36 characters
Data type: String
Value accepted: Canonical format as defined in IETF RFC 4122. May utilise any of the specified versions as long as the output meets specified requirements.
Protocol version identifier This shall be the Protocol Version Number of the specification utilised by the system creating this message. The Message Version Number is set by the 3DS Server which originates the protocol with the AReq message. The Message Version Number does not change during a 3DS transaction.
Length: Variable, 5–8 characters
Data type: String
Indicates whether a transaction qualifies as an authenticated transaction or account verification. Note: The Final CRes message can contain only a value of Y or N. Note: If the 3DS Requestor Challenge Indicator = 06 (No challenge requested; Data share only), then a Transaction Status of C is not valid.
Length: 1 character
Data type: String
Possible values:
Y = Authentication Verification Successful.
N = Not Authenticated/Account Not Verified; Transaction denied.
U = Authentication/Account Verification Could Not Be Performed; Technical or other problem, as indicated in ARes or RReq.
A = Attempts Processing Performed; Not Authenticated/Verified, but a proof of attempted authentication/verification is provided.
C = Challenge Required; Additional authentication is required using the CReq/CRes.
R = Authentication/Account Verification Rejected; Issuer is rejecting authentication/verification and request that authorisation not be attempted.
Universally unique transaction identifier assigned by the 3DS Server to identify a single transaction.
Length: 36 characters
Data type: String
Value accepted: Canonical format as defined in IETF RFC 4122.
Text provided by the ACS/Issuer to Cardholder during a Frictionless or Decoupled transaction. The Issuer can provide information to Cardholder. For example, “Additional authentication is needed for this transaction, please contact (Issuer Name) at xxx-xxx-xxxx.”
Length: Variable, maximum 128 characters
Data Type: String
Note: If field is populated this information is required to be conveyed to the cardholder by the merchant.
Provides information on why the Transaction Status field has the specified value.
Length: 2 characters
Data Type: String
Values accepted:
01 = Card authentication failed
02 = Unknown Device
03 = Unsupported Device
04 = Exceeds authentication frequency limit
05 = Expired card
06 = Invalid card number
07 = Invalid transaction
08 = No Card record
09 = Security failure
10 = Stolen card
11 = Suspected fraud
12 = Transaction not permitted to cardholder
13 = Cardholder not enrolled in service
14 = Transaction timed out at the ACS
15 = Low confidence
16 = Medium confidence
17 = High confidence
18 = Very High confidence
19 = Exceeds ACS maximum challenges
20 = Non-Payment transaction not supported
21 = 3RI transaction not supported
22 = ACS technical issue
23 = Decoupled Authentication required by ACS but not requested by 3DS Requestor
24 = 3DS Requestor Decoupled Max Expiry Time exceeded
25 = Decoupled Authentication was provided insufficient time to authenticate cardholder. ACS will not make attempt
26 = Authentication attempted but not performed by the cardholder
27–79 = Reserved for EMVCo future use (values invalid until defined by EMVCo)
80–99 = Reserved for DS use
The Electronic Commerce Indicator is a Payment System-specific value provided by the ACS or DS to indicate the results of the attempt to authenticate the Cardholder.
Length: 2 characters
Data Type: String
Source: The official EMVCo 3D specification 2.2.0 https://www.emvco.com/emv-technologies/3d-secure/