5.2. 3-D Secure (3DS)¶
3-D Secure (3DS) technology implies the pre-authentication of the participants. The particular technology supposes that the liability for authenticated transaction refusal is shifted from the internet shop to the issuer bank, then, to the cardholder. In the 3-D Secure technology, the transactions require the special password known only to the customer (cardholder) and to the issuer bank. This allows to reduce the number of Internet transaction refusals.
3-D Secure is based on the Tree-Domain Model in which the process of online transaction authentication is subdivided into three domains: Issuer Domain, Acquirer Domain and Interoperability Domain.
Issuer Domain includes: bank that issued the credit card, Access Control Server (ACS), customer intending to make a purchase by credit card, software on the customer computer (Web Browser).
Acquirer Domain includes: merchant or Internet shop (whose WEB-site is used for the purchase), Internet shop server software which creates and processes the payment authentication messages and acquirer – financial institution which interacts with the authorization system (such as VisaNet/Europay Payment System Net) according to the agreement concluded with the Internet shop and informs the shop of the authorization results.
Interoperability Domain. Visa or MasterCard domain provides communication between customer, Internet-shop and Banks. At that, the domain ensures strict privacy of the information. To authenticate the customer, system sends an authentication request to the issuer bank. The issuer establishes connection to the customer, presents a secret phrase and inquires the customer password. Once the customer password is verified, the issuer bank generates response. Then, the acquirer bank authenticates the Internet shop.
5.2.1. 3-D Secure flow Diagram¶
- The Cardholder specifies the card number and CVV2;
- The Merchants Application requests Industra via MPI (Merchant Plugin Interface) billing system in order to get the address of ACS Server (Access Control Server) bank issuer;
- Industra system redirects the Cardholder to ACS Server bank issuer;
- The Cardholder is authenticated at the Issuer then is redirected to the system Industra with the results of authentication;
- Industra system authorizes the transaction in the Acquirer, if the result of the authentication was successful.
5.2.2. Verify Enrollment Response Error message¶
Error message | Error code |
---|---|
Error message | Error code |
Acquirer not participating | 50 |
Merchant not participating | 51 |
Password Missing | 52 |
Incorrect password | 53 |
Incorrect Common Name value in Client Certificate | 54 |
5.2.3. Verify Enrollment Response Values¶
Enrollment Response | Description | VERes Status |
---|---|---|
Authentication Available | Cardholder is enrolled, Activation During Shopping is supported, or proof of attempted authentication available. The merchant uses the URL of issuer ACS included in VERes to create the Payer Authentication Request | Y |
Cardholder Not Participating | Cardholder Not Participating - Cardholder is not enrolled | N |
Unable to Authenticate or Card Not Eligible for Attempts | Unable to Authenticate or Card Not Eligible for Attempts (such as a Commercial or anonymous Prepaid card) | U |
5.2.4. Issuer Authentication Results Values¶
Authentication Result | Authentication Result Determined by Issuer ACS | PARes Status |
---|---|---|
Authentication Successful | The issuer has authenticated the cardholder by verifying the password or other identity information | Y |
Attempts Processing Performed | Authentication was not available, but functionality was available (through the issuer, the Visa Attempts Service, or a third party) to generate a proof the merchant attempted VbV authentication | A |
Authentication Failed | The cardholder’s password (or other authentication information) failed validation, thus, the issuer is not able to authenticate the cardholder. The following are reasons to fail an authentication:
Merchants are not permitted to submit these transactions for authorization processing |
N |
Authentication Could Not Be Performed | The issuer ACS is not able to complete the authentication request – possible reasons include:
Merchants may proceed with the above purchases as non-authenticated and retain liability if the cardholder later disputes making the purchase. These are non-Verified by Visa electronic commerce transactions When the PARes has a U and an Invalid Request Code of 55, this indicates that the Account Identifier in the PAReq did not match the value returned by the ACS in the VERes. Merchants must view this as an invalid transaction |
U |
5.2.5. Visa Electronic Commerce Indicator (ECI)¶
Name | ECI | Description |
---|---|---|
Cardholder was authenticated | 5 | This value means that the cardholder was authenticated by the issuer by verifying the cardholder’s password or identity information. The value is returned by the ACS in the Payer Authentication Response message when the cardholder successfully passed 3-D Secure payment authentication |
Merchant attempted to authenticate the cardholder | 6 | This value means that the merchant attempted to authenticate the cardholder, but either the cardholder or issuer was not participating. The value should be returned by the ACS in the Authentication Response message for an Attempt Response. Additionally, merchants may use an ECI 6 in the authorization request when a Verify Enrollment of N is received from the Visa Directory Server |
Payment authentication was not performed | 7 | This value is set by the merchant when the payment transaction was conducted over a secure channel (for example, SSL/TLS), but payment authentication was not performed, or when the issuer responded that authentication could not be performed. An ECI 7 applies when either the Verify Enrollment or the Payer Authentication Response contains a U for Unable to Authenticate |
5.2.6. MasterCard E-Commerce Commerce Indicator (ECI)¶
Name | ECI | Description |
---|---|---|
Merchant attempted to authenticate the cardholder | 01 | Authentication could not be completed but a proof of authentication attempt was provided |
Cardholder was authenticated | 02 | Cardholder was successfully authenticated |
5.2.7. 3-D Secure authentication Result¶
UI Information | VERes Status | PARes Status | CAVV/AAV | ECI Visa | ECI MasterCard | Description | MasterCard recommended Name |
---|---|---|---|---|---|---|---|
Merchant Not SecureCode-enabled | - | - | - | - | - | Merchant Not SecureCode-enabled | Merchant Not SecureCode-enabled |
DS Error (%d) | Error | - | - | 7 | - | The merchant was unable to provide the appropriate credentials to the Directory Server | Error on VERes |
Not Eligible | U | - | - | 7 | - | Unable to Authenticate | Unable to Authenticate |
Not Participating | N | - | - | 6 | - | Cardholder Not Participating | Cardholder Not Participating |
3-D Secure Error | Y | Error | - | - | - | PARes validation failed. Merchant should not submit authorization request | Error on PARes |
3-D Secure Failed | Y | N | - | - | - | Authentication Failed. Merchant should not submit authorization request | Auth Failure (SecureCode failure or Signature verification incorrect) |
3-D Secure ACS Error | Y | U | - | 7 | - | The issuer ACS is not able to complete the authentication request | Unable to Authenticate |
3-D Secure Attempt | Y | A | No | - | 01 | - | Attempt (without AAV) |
Full 3-D Secure Attempt | Y | A | Yes | 6 | 01 | Merchant attempted to authenticate the cardholder, but either the cardholder or issuer was not participating | Attempt |
3-D Secure Successful | Y | Y | No | - | 02 | Authentication Successful without AAV | Auth Success (without AAV) |
Full 3-D Secure Successful | Y | Y | Yes | 5 | 02 | Authentication Successful | Auth Success |