Different card schemes may have unique requirements when it comes to 3DS. You can read more about those on this page.
The card scheme Directory Servers define these two identifiers. Guidance on how to format these fields is below.
| Card scheme | Guidance |
|---|---|
| Visa | Send the Merchant ID. This is a merchant identifier provided by the acquirer. It consists of 26 characters which can be alphanumeric but must not contain any special characters. |
| Mastercard | Send the Merchant ID. This is a merchant identifier provided by the acquirer. |
| American Express | Send the relevant 3DS Requestor Type and the Merchant ID. The MID is a merchant identifier provided by the acquirer. Example: |
| Discover | Send a unique ID with a total length of 35 characters, made up from the following:
Example: |
| Cartes Bancaires | If you are using a Cartes Bancaires acquirer to process the transaction and the payment method is a card wallet, then send the following:
For all other scenarios, send any value (e.g. the merchant name). |
| China UnionPay | Send the 3DS Requestor ID, which is assigned to the acquirer by China UnionPay on registration. |
| JCB | Send a unique ID with a total length of 26 characters, made up from the following:
Example: |
| Bov Cashlink | Send the merchant name. |
| Card scheme | Guidance |
|---|---|
| Visa | Send an identifier with a maximum of 40 characters (eg: the merchant ID). |
| Mastercard | Send Example: |
| American Express | Send the merchant ID assigned to the merchant by the acquirer or, for travel industry cases, the booking tool name. |
| Discover | Send the merchant 'Doing Business As' name, up to 40 characters in length. |
| Cartes Bancaires | Send the merchant name or commercial name of the 3DS Requestor, up to 40 characters in length. Cartes Bancaires explains that this will be the name displayed on the issuer Access Control Server challenge interface. They strongly recommend to configure a clean, well known name which corresponds to the purchase. This will help to reassure the cardholder and maximise conversion. |
| China UnionPay | Send the merchant ID assigned to the merchant by the acquirer. |
| JCB | Send the merchant ID assigned to the merchant by the acquirer. |
| Bov Cashlink | Send the merchant ID assigned to the merchant by the acquirer. |
Electronic Commerce Indicator (ECI) values provide more information about the authentication outcome. The table below outlines what the values may mean for different card schemes.
| ECI value | Description |
|---|---|
00 | Mastercard: Authentication failed, unavailable, or rejected |
01 | Mastercard: Authentication attempted |
02 | Mastercard: Authentication successful (Customer-Initiated Transactions) |
05 | Visa: Cardholder authentication successful American Express: Card member has been successfully authenticated by the issuer Discover: Fully authenticated transaction JCB: Authentication successful |
06 | Visa: Merchant attempted to authenticate the cardholder American Express: Authentication attempted by the 3DS Requestor Discover: Authentication attempted JCB: Authentication was attempted, but was not or could not be completed. Possible reasons being the card and/or issuer are not enrolled in 3DS. |
07 | Visa: Non-authenticated ecommerce transaction Mastercard: Authentication successful (Merchant-Initiated Transactions) American Express: The 3DS Requestor obtained and conveyed cardmember information, but authentication was not performed by the issuer's Access Control Server. If the PAN or token is not eligible for 3DS, Transaction Status U and Transaction Status Reason 80 will also be returned. Discover: Not authenticated JCB: Authentication either failed or could not be attempted. Possible reasons being the card and/or issuer are not enrolled in 3DS, technical errors, or incorrect configuration. |
N0 | Mastercard: Not authenticated (Non-Payment Authentication) |
N2 | Mastercard: Authenticated (Non-Payment Authentication) |
Transaction Status values provide more information about the authentication outcome. The table below outlines what the values may mean for different card schemes.
| Transaction Status | Description |
|---|---|
Y | Visa: Authentication Successful American Express: Authentication successful; all data needed for authorisation, including the authentication value, is included in the message for payment authentications Discover: The cardholder was successfully authenticated JCB: Authentication Successful |
A | Visa: Attempts Processing Performed American Express: Attempts Processing Performed;
Not authenticated, but a proof of attempted authentication is
provided. Discover: Authentication could not be completed, but proof of approval attempt is provided JCB: Attempt |
I | Visa: Informational Only; 3DS Requestor challenge preference acknowledged JCB: Information Only |
N | Visa: Authentication Failed; Not Authenticated, Transaction Denied American Express: Not authenticated; authentication failed. Authorisation should not be attempted. Discover: Cardholder authentication failed JCB: Authentication fail or cancel |
U | Visa: Authentication Could Not Be Performed; Technical or Other Problem Mastercard: Authentication / Account Verification Could Not Be Performed; Technical or other problem, as indicated in the ARes or RReq American Express: Authentication could not be performed, technical issue or business reason, as indicated in the ARes message Discover: Authentication could not be completed because of a technical or other problem JCB: Authentication could not be performed because of a technical issue |
C | Visa: Challenge Required to authenticate the cardholder American Express: Challenge required; additional interaction with the card member is required using the CReq and CRes messages for payment and non-payment authentications. Discover: Challenge required JCB: Request Challenge |
R | Visa: Authentication Rejected American Express: Authentication rejected; issuer rejected authentication and, for payment authentications, authorisation must not be attempted JCB: Authentication Reject |
D | JCB: Request Decoupled Authentication |
Transaction Status Reason codes provide more information about the authentication outcome, in addition to the Transaction Status. The table below outlines additional values may be available for different card schemes.
| Card scheme | Transaction Status Reason | Description |
|---|---|---|
| Visa | 80 | Error connecting to issuer’s Access Control Server |
| Visa | 81 | Issuer’s Access Control Server timed out |
| Visa | 82 | Invalid response from issuer’s Access Control Server |
| Visa | 83 | System error response from issuer’s Access Control Server |
| Visa | 84 | Internal error while generating Cardholder Authentication Verification Value (authentication value) |
| Visa | 85 | Visa Merchant ID (VMID) not eligible for requesting programme |
| Visa | 86 | 3DS protocol version not support by the issuer’s Access Control Server |
| Visa | 87 | Transaction is excluded from Attempts processing which includes non-reloadable pre-paid cards and Non-Payment Authentications |
| Visa | 88 | Requested programme not supported by the issuer’s Access Control Server |
| Mastercard | 80 | Identity Check Insights used |
| Mastercard | 84 | Challenge Cancellation Indicator populated and therefore did not route to Smart Authentication Stand-In Transaction not processed by Smart Authentication Stand-In because of challenge cancellation |
| Mastercard | 87 | Device Channel is 3DS Requestor Initiated (3RI) and therefore did not route to Smart Authentication Stand-in |
| Mastercard | 88 | 3DS Requestor Prior Transaction Authentication Data was provided, but was not found by the issuer’s Access Control Server or it was expired (3DS Requestor Initiated flow only) |
Our Version Response includes a field to return information about features that may be supported by the card scheme Directory Server or issuer Access Control Server for that specific card range.
Values 80 to 99 are reserved for the card schemes to specify additional information. Furthermore, some card schemes may opt not to send any information as these values are considered optional. The table below outlines additional values that some card schemes may return.
| Card scheme | Value | Description |
|---|---|---|
| Visa | 83 | The issuer and their Access Control Server support Visa’s Digital Authentication Framework |
| Mastercard | 80 | The card range is enrolled in Mastercard’s Smart Authentication Stand-In Service |
| Mastercard | 81 | The card range is enrolled in Mastercard’s Smart Authentication Direct |
| Mastercard | 90 | The card range is enrolled in Mastercard’s Identity Check Express |
| Mastercard | 91 | The card range supports Authentication Express Merchant Delegation for Identity Check Express (Type I) |
| Mastercard | 92 | The card range supports Authentication Express Low Fraud Merchant (Type II) |
| Mastercard | 93 | The card range is enrolled in Mastercard’s Authentication Express Wallet Delegation |
| Mastercard | 94 | The card range is enrolled in Mastercard’s Authentication Express Wallet Delegation |
| American Express | 80 | The card range was issued in the European Economic Area and is subject to PSD2 |
Some card scheme Directory Servers offer a service where they can act on the issuer’s behalf if their Access Control Server is unavailable. This is called ‘Attempts’ (or sometimes ‘Stand-In’).
In the Version Response, the ACS Information Indicator will be set to 02 if the card scheme Directory Server supports Attempts for that card range.
As the cardholder has not been fully authenticated, the issuer may be more likely to decline an authorisation request for transactions where Attempts have been used.
The Visa Attempts Service (VAS) is a Visa server which responds to the 3D Secure Requestor if the issuer’s Access Control Server is unavailable or cannot respond in time. Visa automatically enrols issuers into this service.
If VAS respond to an Authentication Request, it will use an ECI value of 08 (the authentication was attempted but was not or could not be completed).
If the issuer is enrolled in VAS, but the transaction does not qualify for Attempts (eg: selected prepaid cards), Visa will respond with a Transaction Status of N and a Transaction Status Reason value of 87.
For an Attempts authentication, Visa will create a Cardholder Authentication Verification Value (an authentication value).
The issuing bank assumes liability of the transaction in case a fraudulent dispute is later raised.
Issuers are automatically enrolled in Mastercard’s ‘Smart Authentication Stand-In’, but they can opt out.
If Attempts is used, the Accountholder Verification Value (authentication value) that Mastercard return will specify that their stand-in service was used.
Attempts are not available during the challenge or 3DS Requestor Initiated flows. For the latter, a Transaction Status Reason value of 87 (’Device Channel is 3RI therefore did not route to Smart Authentication Stand-In’) will be returned.
American Express’s Attempted Authentication Processing service will firstly validate if the card range used for the authentication is eligible for Attempts. If so, they will respond with a Transaction Status of A, an Electronic Commerce Indicator value of 06 or 07, and provide an authentication value.
There are some exclusions to their Attempts service:
You can read more about individual card scheme differences for Non-Payment Authentications here.
You can read more about individual card scheme requirements for merchant enrolment here.
Was this page helpful?