Authenticate

Field Status Definitions
Required Required fields must be sent. If the data is not sent Ravelin will return an error.
Important Important fields are crucial for performance.
Optional Optional fields are additional data points that can be shared with the card schemes, issuers, and Ravelin. These fields may impact performance or dashboard usability.
Conditional Fields that may be required under certain conditions.

Jump to Response

POST 3ds.live.pci.ravelin.com/3ds/authenticate

This endpoint allows you to provide customer and transaction data related to the 3DS authentication. Ravelin will use this data to produce the AReq message and initiate 3DS authentication with the customer’s card issuer.

Authenticate Request

Show all
timestamp integer
required

A Unix timestamp preferably as an integer count of milliseconds since 1970-01-01T00:00 UTC.

Example: 1512828988826
customerId string
optional

Enterprise Merchants: the unique identifier for the customer used on the Checkout endpoint.

PSPs: the unique identifier for the customer used on the Transaction endpoint.

This is required if you want to associate the 3D Secure authentication with the customer.

Example: "123-abc-XYZ"
Minimum length: 1
transactionId string
optional

Enterprise Merchants: the unique identifier for the transaction used on the Checkout endpoint.

PSPs: the unique identifier for the transaction used on the Transaction endpoint.

Required if you want to associate the 3D Secure authentication with the transaction.

Example: "123-abc-XYZ"
Minimum length: 1
transactionStepId string
optional

The unique identifier for the transaction step within the transaction used only for PSP clients on the Transaction endpoint.

Example: "123-abc-XYZ"
Minimum length: 1
cardScheme string
optional

The card scheme to which the authentication will be routed for co-badged cards.

Required if you want to route the authentication to a domestic card scheme (e.g. Cartes Bancaires or eftpos).

Options:

American Express
BOV Cashlink
Cartes Bancaires
eftpos
Discover
JCB
Mastercard
Visa
Ravelin (sandbox only)
Ravelin Domestic (sandbox only)

paymentMethod object
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

The card being used for the transaction, encrypted using the Ravelin card encryption SDK.

See Submission of Encrypted Card Details for more information.

Conditions:

Either paymentMethod or areqData.pan must be provided.

Hide definition
cardCiphertext string
required

The card ciphertext produced by the Ravelin card encryption SDK.

This field constitutes cardholder data. Submission of this field requires PCI DSS SAQ-A or SAQ-AEP certification.

Please see our PCI DSS Compliance Guide for more information.

aesKeyCiphertext string
required

The AES key ciphertext produced by the Ravelin card encryption SDK .

Minimum length: 1
algorithm string
required

The algorithm used to generate the ciphertexts.

Example: "RSA_WITH_AES_256_GCM"
Minimum length: 1
ravelinSDKVersion string
optional

The version of the Ravelin mobile or JavaScript SDK that performed the encryption.

Example: "0.0.13-ravelinjs"
keyIndex integer
optional

The index of the public RSA key used to encrypt the card.

keySignature string
optional

An identifier for the public RSA key used to encrypt the card.

areqData object
required

Customer and transaction data used to perform the 3DS authentication. Although many of these fields are optional, the more you can provide, the higher the chance of receiving a Frictionless authentication.

Hide definition
messageVersion string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
optional

The 3DS protocol version to be used for the 3DS authentication.

If the version is not provided we default to the versionRecommendation returned in the Version Response. You should populate fields according to the selected messageVersion.

See the guidance here for 3DS protocol versions supported by different card schemes.

Options:
2.1.0
2.2.0
2.3.1
Minimum length: 4
Maximum length: 8
messageCategory string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
required

Identifies whether this is a payment or non-payment 3DS authentication. For example, a non-payment 3DS authentication may be used when a customer adds a card to their account, but does not make a purchase.

Options:
01Payment authentication (PA)
02Non-payment authentication (NPA)
deviceChannel string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
required

Indicates the channel being used to initiate the authentication.

Options:
01App-based (APP)
02Browser (BRW)
033DS Requestor Initiated (3RI)
threeDSServerTransID string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Universally unique transaction identifier assigned by the 3DS Server to identify a single transaction.

Example: "c5584543-b67e-5117-bb34-3567ac6a1123"
Conditions:

Required when deviceChannel is Browser, and a threeDSServerTransID has already been returned in the Version Response. In this case the same threeDSServerTransID should be used.

Length: 36
purchaseAmount string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Purchase amount in minor units of currency with all punctuation removed.

Example: "10000"
Conditions:

Required for Payment Authentications (PA). Required for Non-Payment Authentications (NPA) when threeDSRequestorAuthenticationInd is Recurring transaction (02) or Instalment transaction (03).

purchaseCurrency string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Currency in which purchaseAmount is expressed (ISO 4217 three-digit numeric currency code).

Must be "036" (AUD) when cardScheme is eftpos.

Example: "826"
Conditions:

Required for Payment Authentications (PA). Required for Non-Payment Authentications (NPA) when threeDSRequestorAuthenticationInd is Recurring transaction (02) or Instalment transaction (03).

purchaseExponent string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Minor units of currency as specified in the ISO 4217 currency exponent.

Example: "2"
Conditions:

Required for Payment Authentications (PA). Required for Non-Payment Authentications (NPA) when threeDSRequestorAuthenticationInd is Recurring transaction (02) or Instalment transaction (03).

purchaseDate string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Date and time of the purchase expressed in UTC.

Format: YYYYMMDDhhmmss
Conditions:

Required for Payment Authentications (PA). Required for Non-Payment Authentications (NPA) when threeDSRequestorAuthenticationInd is Recurring transaction (02) or Instalment transaction (03).

pan string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

The Primary Account Number (PAN) of the card being used for the transaction. If EMV Tokenisation is supported, this may be an EMV Payment Token instead of a PAN.

This field is cardholder data. Submission of this field requires PCI DSS SAQ-D certification.

Please see our PCI DSS documentation for more information.

Example: "4900000000001234"
Conditions:

Either a pan or a client side encrypted payment method must be provided

cardExpiryDate string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
optional

Expiry date of the PAN or token.

Format: YYMM
Example: "2105"
Length: 4
threeDSCompInd string
2.1.0 2.2.0 2.3.1
BRW
required

Indicates whether the 3DS Method successfully completed.

This should be set to N if the method request has not completed after 10 seconds.

Options:
YSuccessfully completed
NDid not successfully complete
UUnavailable - the 3DS Method URL was not present in the Version Response
threeDSMethodId string
2.3.1
BRW
conditional

Contains the 3DS Server Transaction ID used during the previous execution of the 3DS Method.

Conditions:

Required if 3DS Requestor reuses previous 3DS Method execution.

Maximum length: 36
threeDSRequestorID string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
required

The 3DS requestor identifier assigned by the card scheme. See the guidance here for the requirements of different card schemes.

For testing in sandbox account, send any string up to 26 characters long.

Example: "example-requestor-id"
threeDSRequestorName string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
required

3DS Requestor name assigned by the card scheme. See the guidance here for the requirements of different card schemes.

Example: "Example Requestor Name"
Maximum length: 40
threeDSRequestorURL string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
required

Fully qualified URL of 3DS Requestor website or customer support website.

Example: "https://www.example-requestor.com"
threeDSRequestorAuthenticationInd string
2.1.0 2.2.0 2.3.1
APP BRW
required

Indicates the type of 3DS authentication request.

Options:
01Payment transaction2.1.0 2.2.0 2.3.1
02Recurring transaction2.1.0 2.2.0 2.3.1
03Instalment transaction2.1.0 2.2.0 2.3.1
04Add card2.1.0 2.2.0 2.3.1
05Maintain card2.1.0 2.2.0 2.3.1
06Cardholder verification as part of EMV token ID&V2.1.0 2.2.0 2.3.1
07Billing Agreement2.1.0 2.2.0 2.3.1
08Split shipment2.3.1
09Delayed shipment2.3.1
10Split payment2.3.1
threeDSRequestorAuthenticationInfo array
2.1.0 2.2.0 2.3.1
APP BRW
optional

Information about how the 3DS Requestor authenticated the cardholder before or during the transaction. For 2.1.0 & 2.2.0 requests only the first element will be accepted. This field is now an array and the single element format is being deprecated.

Show definition
Maximum length: 3
threeDSRequestorChallengeInd array
2.1.0 2.2.0 2.3.1
APP BRW
optional

Indicates whether a challenge is requested for this transaction. Note When providing two preferences, the 3DS Requestor ensures that they are in preference order and are not conflicting. For example, 02 = No challenge requested and 04 = Challenge requested (Mandate) For 2.1.0 & 2.2.0 requests only the first value will be accepted. This field is now an array and the single value string format is being deprecated.

Options:
01No preference2.1.0 2.2.0 2.3.1
02No challenge requested2.1.0 2.2.0 2.3.1
03Challenge requested (3DS Requestor preference)2.1.0 2.2.0 2.3.1
04Challenge requested (mandate, e.g. required for PSD2 compliance)2.1.0 2.2.0 2.3.1
05No challenge requested (transactional risk analysis is already performed)2.2.0 2.3.1
06No challenge requested (data share only)2.2.0 2.3.1
07No challenge requested (strong consumer authentication is already performed)2.2.0 2.3.1
08No challenge requested (utilise trustlist exemption if no challenge required)2.2.0 2.3.1
09Challenge requested (trustlist prompt requested if challenge required)2.2.0 2.3.1
10No challenge requested (use low value exemption)2.3.1
11No challenge requested (Secure corporate payment exemption)2.3.1
12Challenge requested (Device Binding prompt requested if challenge required)2.3.1
13Challenge requested (Issuer requested)2.3.1
14Challenge requested (Merchant-initiated transactions)2.3.1
80-99Reserved for Directory Server use2.1.0 2.2.0 2.3.1
Maximum length: 2
threeDSRequestorDecMaxTime string
2.2.0 2.3.1
APP BRW 3RI
optional

Indicates the maximum amount of time that the 3DS Requestor will wait for an ACS to provide the results of a Decoupled Authentication transaction (in minutes). Numeric values between 00001 and 10080 are accepted.

Example: "00005"
Length: 5
threeDSRequestorDecReqInd string
2.2.0 2.3.1
APP BRW 3RI
optional

Indicates whether the 3DS Requestor requests the ACS to utilise Decoupled Authentication and agrees to utilise Decoupled Authentication if the ACS confirms its use. If the element is not provided, the expected action is for the ACS to default to a value of N (that is, to not use Decoupled Authentication).

Options:
YDecoupled Authentication is supported and preferred if challenge is necessary2.1.0 2.2.0 2.3.1
NDo not use Decoupled Authentication2.1.0 2.2.0 2.3.1
FDecoupled Authentication is supported and is to be used only as a fallback challenge method if a challenge is necessary (Transaction Status = D in RReq).
BDecoupled Authentication is supported and can be used as a primary or fallback challenge method if a challenge is necessary (Transaction Status = D in either ARes or RReq).
threeDSRequestorPriorAuthenticationInfo array
2.1.0 2.2.0 2.3.1
APP BRW 3RI
optional

Information about how the 3DS Requestor authenticated the cardholder as part of a previous 3DS transaction. For 2.1.0 & 2.2.0 requests only the first element will be accepted. This field is now an array and the single element format is being deprecated.

Show definition
Maximum length: 3
threeDSRequestorSpcSupport string
2.3.1
BRW
optional

Indicates whether the 3DS Requestor supports SPC authentication. If present, this field contains the value Y.

Options:
YSupported
payeeOrigin string
2.3.1
optional

The origin of the payee that will be provided in the SPC Transaction Data. Fully qualified URL.

Maximum length: 2048
threeRIInd string
2.1.0 2.2.0 2.3.1
3RI
required

Indicates the type of 3DS requestor initiated request.

Options:
01Recurring transaction2.1.0 2.2.0 2.3.1
02Instalment transaction2.1.0 2.2.0 2.3.1
03Add card2.1.0 2.2.0 2.3.1
04Maintain card information2.1.0 2.2.0 2.3.1
05Account verification2.1.0 2.2.0 2.3.1
06Split/delayed shipment2.2.0 2.3.1
07Top-up2.2.0 2.3.1
08Mail order2.2.0 2.3.1
09Telephone order2.2.0 2.3.1
10Whitelist status check2.2.0 2.3.1
11Other payment2.2.0 2.3.1
12Billing Agreement2.2.0 2.3.1
13Device Binding status check2.3.1
14Card Security Code status check2.3.1
15Delayed shipment2.3.1
16Split payment2.3.1
17FIDO credential deletion2.3.1
18FIDO credential registration2.3.1
19Decoupled Authentication Fallback2.3.1
acctType string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Indicates the type of account.

Conditions:

Required in some markets (for example, for merchants in Brazil). Otherwise optional.

Options:
01Not Applicable
02Credit
03Debit
broadInfo object
2.1.0 2.2.0 2.3.1
APP BRW 3RI
optional

Broadcast information - structured information sent between the 3DS Server, the DS, and the ACS.

Show definition
Maximum length: 4096
acquirerMerchantID string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Acquirer-assigned merchant identifier.

Conditions:

Required for Payment Authentications (PA).

Maximum length: 35
acquirerBIN string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Acquiring institution identification code as assigned by the DS receiving the AReq message.

Example: "535522"
Conditions:

Required for Payment Authentications (PA). Required for Visa Non-Payment Authentications (NPA)

Maximum length: 11
acquirerCountryCode string
2.3.1
APP BRW 3RI
optional

The code of the country where the acquiring institution is located (in accordance with ISO 3166-1).

Example: "826"
acquirerCountryCodeSource string
2.3.1
APP BRW 3RI
optional

This data element is populated by the system setting the Acquirer Country Code.

Options:
013DS Server
02DS
notificationURL string
2.1.0 2.2.0 2.3.1
BRW
required

The Challenge Notification URL that will receive the Challenge Response.

Example: "https://www.example-merchant.com/challenge-notification"
Maximum length: 256
recurringAmount string
2.3.1
APP BRW 3RI
conditional

Recurring amount in minor units of currency with all punctuation removed.

Example: "10000"
Conditions:

Required when threeDSRequestorAuthenticationInd is Recurring transaction (02) or Instalment transaction (03) Or threeRIInd is Recurring transaction (01)

Maximum length: 48
recurringCurrency string
2.3.1
APP BRW 3RI
conditional

Currency in which recurringAmount is expressed (ISO 4217 three-digit numeric currency code).

Example: "826"
Conditions:

Required when recurringAmount is provided.

recurringExponent string
2.3.1
APP BRW 3RI
conditional

Minor units of currency as specified in the ISO 4217 currency exponent.

Example: "2"
Conditions:

Required when recurringAmount is provided.

recurringDate string
2.3.1
APP BRW 3RI
conditional

Effective date of the new authorised amount following the first/promotional payment in a recurring or instalment transaction.

Format: YYYYMMDDhhmmss
Conditions:

Required if recurringInd ('01') or / recurringFrequency ('01').

recurringExpiry string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Date after which no further authorisations shall be performed.

Format: YYYYMMDD
Conditions:

Required when threeDSRequestorAuthenticationInd is Recurring transaction (02) or Instalment transaction (03)

recurringFrequency string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Indicates the minimum number of days between authorisations.

Example: "0031"
Conditions:

Required when threeDSRequestorAuthenticationInd is Recurring transaction (02) or Instalment transaction (03)

Maximum length: 4
recurringInd object
2.3.1
APP BRW 3RI
conditional

Indicates whether the recurring or instalment payment has a fixed or variable amount and frequency.

Conditions:

Required when threeDSRequestorAuthenticationInd is Recurring transaction (02) or Instalment transaction (03) or threeRIInd is Recurring transaction (01) or Instalment transaction (02)

Show definition
purchaseInstalData string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Indicates the maximum number of authorisations permitted for instalment payments.

Example: "002"
Conditions:

Required if threeDSRequestorAuthenticationInd is Instalment transaction (03).

Maximum length: 3
transType string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Identifies the type of transaction being authenticated.

Conditions:

Required in some markets, when the messageCategory is Payment Authentication (PA) (01).

Options:
01Purchase of goods or services
03Check acceptance
10Account funding
11Quasi-cash transaction
28Prepaid activation and load
browserAcceptHeader string
2.1.0 2.2.0 2.3.1
BRW
conditional

Exact content of the HTTP accept headers as sent to the 3DS Requestor from the cardholder’s browser.

Example: "text/html,application/xml"
Conditions:

Required when deviceChannel is Browser.

Maximum length: 2048
browserIP string
2.1.0 2.2.0 2.3.1
BRW
optional

IP address of the browser as returned by the HTTP headers to the 3DS Requestor.

Example: "0.0.0.0"
browserJavascriptEnabled boolean
2.1.0 2.2.0 2.3.1
BRW
required

Boolean that represents the ability of the cardholder browser to execute JavaScript.

Example: true
browserJavaEnabled boolean
2.1.0 2.2.0 2.3.1
BRW
conditional

Boolean that represents the ability of the cardholder browser to execute Java. Value is returned from the navigator.javaEnabled property.

Example: true
Conditions:

Required when browserJavascriptEnabled is true.

browserLanguage string
2.1.0 2.2.0 2.3.1
BRW
conditional

The cardholder browser language as defined in IETF BCP47. Returned from navigator.language property.

Example: "en"
Conditions:

Required when browserJavascriptEnabled is true.

acceptLanguage array
2.3.1
BRW
required

Value representing the Browser language preference present in the HTTP header, as defined in IETF BCP 47.

Maximum length: 99
browserColorDepth string
2.1.0 2.2.0 2.3.1
BRW
conditional

The bit depth of the browser's colour palette for displaying images. Use the closest lower option for color depths that are not in the listed options. For example if the color depth is 30, use 24 instead.

Conditions:

Required when browserJavascriptEnabled is true.

Options:
11 bit per pixel
44 bits per pixel
88 bits per pixel
1515 bits per pixel
1616 bits per pixel
2424 bits per pixel
3232 bits per pixel
4848 bits per pixel
browserScreenHeight string
2.1.0 2.2.0 2.3.1
BRW
conditional

Total height of the cardholder’s screen (not browser window) in pixels.

Example: "1080"
Conditions:

Required when browserJavascriptEnabled is true.

Maximum length: 6
browserScreenWidth string
2.1.0 2.2.0 2.3.1
BRW
conditional

Total width of the cardholder’s screen (not browser window) in pixels.

Example: "1920"
Conditions:

Required when browserJavascriptEnabled is true.

Maximum length: 6
browserTZ string
2.1.0 2.2.0 2.3.1
BRW
conditional

Time-zone offset in minutes between UTC and the cardholder browser local time.

Example: "300"
Conditions:

Required when browserJavascriptEnabled is true.

Maximum length: 5
browserUserAgent string
2.1.0 2.2.0 2.3.1
BRW
conditional

Exact content of the HTTP user-agent header.

Example: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_0_0) AppleWebKit/0.0 (KHTML, like Gecko) Chrome/0.0.0.0 Safari/0.0"
Conditions:

Required when deviceChannel is Browser.

Maximum length: 2048
deviceBindingStatus string
2.3.1
APP BRW 3RI
optional

Enables the communication of Device Binding Status between the ACS, the DS and the 3DS Requestor. For bound devices (value = 11–14), Device Binding Status also conveys the type of binding that was performed.

Options:
01Device is not bound by Cardholder
02Not eligible as determined by Issuer
03Pending confirmation by Cardholder
04Cardholder rejected the request
05Device Binding Status unknown, unavailable, or does not apply
11= Device is bound by Cardholder (device is bound using hardware / SIM internal to the Consumer Device. For instance, keys stored in a secure element on the device)
12Device is bound by Cardholder (device is bound using hardware external to the Consumer Device. For example, an external FIDO Authenticator)
13Device is bound by Cardholder (Device is bound using data that includes dynamically generated data and could include a unique device ID)
14Device is bound by Cardholder (Device is bound using static device data that has been obtained from the Consumer Device)
15Device is bound by Cardholder (Other method)
deviceBindingStatusSource string
2.3.1
APP BRW 3RI
optional

This data element will be populated by the system setting Device Binding Status.

Options:
013DS Server
02DS
03ACS
deviceId string
2.3.1
BRW
conditional

Unique and immutable identifier linked to a device that is consistent across 3DS transactions for the specific user device. Examples - Hardware Device ID, Platform-calculated device fingerprint.

Conditions:

Required if available.

Maximum length: 64
userId string
2.3.1
BRW
conditional

Identifier of the transacting user’s Browser Account ID. This identifier is a unique immutable hash of the user’s account identifier for the given Browser, provided as a string. Cardholders may have more than one account on a given Browser.

Conditions:

Required if available.

Maximum length: 64
sdkTransID string
2.1.0 2.2.0 2.3.1
APP
required

Universally unique transaction identifier assigned by the 3DS SDK to identify a single transaction. Obtained by calling the getSDKTransactionID() SDK method. See details

Example: "a3384543-b67e-5117-bb34-4567ac6a1123"
Length: 36
sdkAppID string
2.1.0 2.2.0 2.3.1
APP
required

Universally unique ID created upon all installations of the 3DS Requestor App on a consumer device. This will be newly generated and stored by the 3DS SDK for each installation. Obtained by calling the getSDKAppID() SDK method. See details

Example: "c3994512-a99f-ab17-bb66-4566ac6b1334"
Length: 36
sdkEncData string
2.1.0 2.2.0 2.3.1
APP
required

Device data encrypted by the SDK. Obtained by calling the getDeviceData() SDK method. See details

Maximum length: 64000
sdkEphemPubKey object
2.1.0 2.2.0 2.3.1
APP
required

Public key component of the ephemeral key pair generated by the 3DS SDK and used to establish session keys between the 3DS SDK and ACS. Obtained by calling the getSDKEphemeralPublicKey() SDK method. See details

Maximum length: 256
sdkMaxTimeout string
2.1.0 2.2.0 2.3.1
APP
required

Indicates maximum amount of time (in minutes) for all exchanges.

Example: "05"
Length: 2
sdkReferenceNumber string
2.1.0 2.2.0 2.3.1
APP
required

Identifies the vendor and version of the 3DS SDK that is integrated in a 3DS Requestor App.

Example: "3DS_xxx_SDK_xxxx_020200_nnnnn"
Maximum length: 32
sdkType string
optional

Indicates the type of 3DS SDK.

Options:
01Default-SDK
02Split-SDK
defaultSdkType object
2.3.1
APP
optional

Indicates the characteristics of a Default-SDK.

Show definition
splitSdkType object
2.3.1
APP
conditional

Indicates the characteristics of a Split-SDK.

Conditions:

Required if sdkType = 02.

Show definition
sdkServerSignedContent string
conditional

Contains the JWS object (represented as a string) created by the Split-SDK Server for the AReq messages.

Conditions:

Required if SDK Type = 02.

sdkSignatureTimestamp string
optional

Date and time indicating when the 3DS SDK generated the Split-SDK Server Signed Content converted into UTC.

Format: YYYYMMDDhhmmss
Minimum length: 12
Maximum length: 14
appIp string
2.3.1
APP
optional

External IP address (i.e., the device public IP address) used by the 3DS Requestor App when it connects to the 3DS Requestor environment

Example: "0.0.0.0"
Maximum length: 45
deviceRenderOptions object
2.1.0 2.2.0 2.3.1
APP
required

Defines the SDK UI types that the device supports for displaying specific challenge user interfaces within the SDK.

Show definition
merchantName string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Merchant name assigned by the acquirer.

Conditions:

Required for Payment Authentications (PA)

Maximum length: 40
merchantCountryCode string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

ISO 3166-1 numeric three-digit country code of the merchant.

Example: "826"
Conditions:

Required for Payment Authentications (PA)

Length: 3
mcc string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Merchant category code. A card scheme specific code describing the merchant’s type of business, product or service.

Conditions:

Required for Payment Authentications (PA)

Length: 4
merchantRiskIndicator object
2.1.0 2.2.0 2.3.1
APP BRW 3RI
optional

Optional information about the purchase.

Show definition
cardholderName string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Name of the cardholder.

As per EMV guidelines, only a specific set of common characters are allowed. Please refer to Annex B ('Common Character Set') of EMV's Book 4 for more information.

Example: "John Smith"
Conditions:

Required unless a market or regional mandate restricts sending this information.

Minimum length: 2
Maximum length: 45
cardSecurityCode string
2.3.1
APP BRW 3RI
conditional

Three or four-digit security code printed on the card.

Conditions:

Conditional based on DS rules

cardSecurityCodeStatus string
2.3.1
APP BRW 3RI
optional

Enables the communication of Card Security Code Status between the ACS, the DS and the 3DS Requestor.

Options:
YValidated
NFailed validation
UStatus unknown, unavailable, or does not apply
cardSecurityCodeStatusSource string
2.3.1
APP BRW 3RI
optional

This data element will be populated by the system setting Card Security Code Status.

Options:
01DS
02ACS
acctID string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
optional

Cardholder account identifier. The customerId may be used for this field.

Maximum length: 64
acctInfo object
2.1.0 2.2.0 2.3.1
APP BRW 3RI
optional

Information about the cardholder's account.

Show definition
email string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

The email address associated with the account that is either entered by the Cardholder, or is on file with the 3DS Requestor.

Example: "customer@example.com"
Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 254
homePhone object
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Home phone number. Refer to ITU-E.164 for additional information on format and length.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Show definition
mobilePhone object
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Mobile phone number. Refer to ITU-E.164 for additional information on format and length.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Show definition
workPhone object
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Work phone number. Refer to ITU-E.164 for additional information on format and length.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Show definition
addrMatch string
2.1.0 2.2.0 2.3.1
APP BRW
optional

Indicates whether the billing address and shipping address are the same.

Options:
YBilling address matches shipping address
NBilling address does not match shipping address
billAddrLine1 string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

First line of the billing address associated with the card used for this purchase.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 50
billAddrLine2 string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Second line of the billing address associated with the card used for this purchase.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 50
billAddrLine3 string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Third line of the billing address associated with the card used for this purchase.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 50
billAddrCity string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

The city of the billing address associated with the card used for this purchase.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 50
billAddrState string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

ISO 3166-2 country subdivision code for the state or province of the billing address associated with the card used for this purchase. For example, using the ISO entry US-CA (California, United States), the correct value for this field is CA. Note that the country and hyphen are not included in this value.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 3
billAddrPostCode string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

ZIP or other postal code of the billing address associated with the card used for this purchase.

Example: "EC1V 9BP"
Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 16
billAddrCountry string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

The numeric country code of the billing address associated with the card used for this purchase.

Example: "826"
Conditions:

Required unless a market or regional mandate restricts sending this information.

Length: 3
shipAddrLine1 string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

First line of the shipping address requested by the cardholder.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 50
shipAddrLine2 string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Second line of the shipping address requested by the cardholder.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 50
shipAddrLine3 string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Third line of the shipping address requested by the cardholder.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 50
shipAddrCity string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

City of the shipping address requested by the cardholder.

Example: "London"
Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 50
shipAddrState string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

ISO 3166-2 country subdivision code for the state or province of the shipping address requested by the cardholder.

Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 3
shipAddrPostCode string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

The ZIP or other postal code of the shipping address requested by the cardholder.

Example: "EC1V 9BP"
Conditions:

Required unless a market or regional mandate restricts sending this information.

Maximum length: 16
shipAddrCountry string
2.1.0 2.2.0 2.3.1
APP BRW 3RI
conditional

Numeric country of the shipping address requested by the cardholder.

Example: "826"
Conditions:

Required unless a market or regional mandate restricts sending this information.

Length: 3
taxId string
2.3.1
APP BRW 3RI
optional

Cardholder’s tax identification.

Maximum length: 45
whiteListStatus string
2.2.0 2.3.1
APP BRW 3RI
deprecated
DEPRECATED

Deprecated in favour of trustListStatus.

Options:
YMerchant is trusted by cardholder
NMerchant has not yet been trusted by cardholder
ENot eligible as determined by issuer
PPending confirmation by cardholder
RCardholder rejected the request to trust the merchant
UTrusted status unknown, unavailable, or does not apply
trustListStatus string
2.2.0 2.3.1
APP BRW 3RI
optional

Indicates whether the cardholder has added the merchant to their list of trusted merchants. A cardholder can typically only choose to trust a merchant after successfully completing a challenge. A cardholder may not be required to complete a challenge with a merchant they have previously trusted.

Options:
YMerchant is trusted by cardholder
NMerchant has not yet been trusted by cardholder
ENot eligible as determined by issuer
PPending confirmation by cardholder
RCardholder rejected the request to trust the merchant
UTrusted status unknown, unavailable, or does not apply
whiteListStatusSource string
2.2.0 2.3.1
APP BRW 3RI
deprecated
DEPRECATED

Deprecated in favour of trustListStatusSource.

Options:
013DS Server
02Directory Server (DS)
03Access Control Server (ACS)
trustListStatusSource string
2.2.0 2.3.1
APP BRW 3RI
optional

Identifies the system which set the whiteListStatus value.

Options:
013DS Server
02Directory Server (DS)
03Access Control Server (ACS)
multiTransaction object
2.3.1
APP BRW 3RI
optional

Additional transaction information in case of multiple transactions or Merchants.

Show definition
sellerInfo array
2.3.1
APP BRW 3RI
optional

Additional transaction information for transactions where Merchants submit transaction details on behalf of another entity, i.e., individual sellers in a marketplace or drivers in a ridesharing platform.

Show definition
Maximum length: 50
messageExtension array
2.1.0 2.2.0 2.3.1
APP BRW 3RI
optional

Data necessary to support requirements not otherwise defined in the 3D Secure message format.

Show definition

Authenticate Response

Show all
timestamp integer

A Unix timestamp indicating when we finished handling the request.

Example: 1512828988
status integer

The HTTP response status code.

Example: 200
cardScheme string
2.1.0 2.2.0 2.3.1

The card scheme which the card uses.

Example: "Visa"
liabilityShifted boolean

Whether liability for this transaction was shifted to the issuer. See Liability Shift.

Example: true
data object

Response payload.

Hide definition
messageVersion string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

3DS protocol version identifier.

threeDSServerTransID string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

The unique identifier (UUID) for tracking the transaction throughout the 3DS process.

Example: "c5584543-b67e-5117-bb34-3567ac6a1123"
sdkTransID string
2.1.0 2.2.0 2.3.1
APP

Universally unique transaction identifier assigned by the 3DS SDK to identify a single transaction.

Example: "a3384543-b67e-5117-bb34-4567ac6a1123"
acsTransID string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

The unique identifier (UUID) used by the ACS for tracking the transaction throughout the 3DS process.

Must be provided in the Challenge Request.

May be provided in the threeDSReqPriorRef field in order to identify a prior authentication.

Example: "214a549e-2310-4359-b590-c53a20adcc78"
dsTransID string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

The unique identifier (UUID) used by the directory server for tracking the transaction throughout the 3DS process. Provided for information only.

Example: "a3384543-b67e-5117-bb34-4567ac6a1123"
dsReferenceNumber string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

A unique identifier assigned to the directory server by EMVCo. Provided for information only.

Example: "3DS_LOA_DIS_ABCD_020200_00001"
acsReferenceNumber string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

A unique identifier assigned to the ACS by EMVCo. Provided for information only.

Example: "3DS_LOA_ACS_ABCD_020200_00001"
acsOperatorID string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

DS assigned ACS identifier. Each DS can provide a unique ID to each ACS on an individual basis.

authenticationType string
2.1.0 2.2.0
APP BRW
DEPRECATED

Deprecated in favour of authenticationMethod. For 2.3.1 requests, the first authenticationMethod is values are mapped an equivalent value in this field.

Options:
01Static, for example, a password or passcode
02Dynamic, for example, a one time password (OTP)
03Out-of-Band (OOB), for example, using the issuing bank's mobile app
04Decoupled Authentication
authenticationMethod array
2.3.1

Indicates type of authentication the issuer will use to challenge the Cardholder.

Options:
01Static Passcode
02SMS OTP
03Key fob or EMV card reader OTP
04App OTP
05OTP Other
06KBA
07OOB Biometrics
08OOB Login
09OOB Other
10Other
11Push Confirmation
12Decoupled
13WebAuthn
14SPC
15Behavioural biometrics
16Electronic ID
Maximum length: 99
authenticationValue string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

The card scheme specific value to be used for authorising the transaction. Also referred to as "CAVV" (Cardholder Authentication Verification Value) by Visa, AAV (Accountholder Authentication Value) by Mastercard and AEVV (American Express Verification Value) by American Express.

On Non-Payment Authentications (NPA) no value is returned by American Express or Mastercard, even if they are successful.

There are limitations on when and for how long the authenticationValue can be stored.

Please refer to the Payment Card Industry 3-D Secure (PCI 3DS) guide for further details.

transChallengeExemption string
2.3.1
APP BRW 3RI

Exemption applied by the ACS to authenticate the transaction without requesting a challenge.

Options:
05Transaction Risk Analysis exemption
08Trust List exemption
10Low Value exemption
11Secure Corporate Payments exemption
transStatus string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

Indicates the outcome of the authenticate request, and how to proceed.

Options:
YAuthentication Successful

The transaction achieved a Frictionless authentication, continue to authorisation using the authenticationValue.

2.1.0 2.2.0 2.3.1
AAuthentication Attempted

3DS was attempted but was not possible. However the card scheme granted a successful authentication on the issuer's behalf.

2.1.0 2.2.0 2.3.1
NAuthentication Failed

The authentication failed, stop processing the transaction.

2.1.0 2.2.0 2.3.1
UAuthentication Unavailable

Authentication could not be performed. You may attempt to proceed to authorisation without an authenticationValue.

2.1.0 2.2.0 2.3.1
CChallenge Required

A challenge is required, make a Challenge Request.

2.1.0 2.2.0 2.3.1
DDecoupled Challenge Required

A challenge will be performed by the issuer without using a 3DS Challenge Request. Make a Result Request to learn the final outcome. You may need to wait the length of time set in the threeDSRequestorDecMaxTime Authenticate Request field.

2.1.0 2.2.0 2.3.1
RAuthentication Rejected

The issuer rejected the authentication attempt and requests that authorisation is not attempted.

2.1.0 2.2.0 2.3.1
IInformational Only

Authentication for the transaction was not requested. The data was sent to the ACS for informational purposes only.

2.1.0 2.2.0 2.3.1
SChallenge using SPC

Challenge using SPC

2.3.1
transStatusReason string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

Provides information on the transStatus value.

Options:
01Card authentication failed2.1.0 2.2.0 2.3.1
02Unknown device2.1.0 2.2.0 2.3.1
03Unsupported device2.1.0 2.2.0 2.3.1
04Exceeds authentication frequency limit2.1.0 2.2.0 2.3.1
05Expired card2.1.0 2.2.0 2.3.1
06Invalid card number2.1.0 2.2.0 2.3.1
07Invalid transaction2.1.0 2.2.0 2.3.1
08No card record2.1.0 2.2.0 2.3.1
09Security failure2.1.0 2.2.0 2.3.1
10Stolen card2.1.0 2.2.0 2.3.1
11Suspected fraud2.1.0 2.2.0 2.3.1
12Transaction not permitted to cardholder2.1.0 2.2.0 2.3.1
13Cardholder not enrolled in service2.1.0 2.2.0 2.3.1
14Transaction timed out at the ACS2.1.0 2.2.0 2.3.1
15Low confidence2.1.0 2.2.0 2.3.1
16Medium confidence2.1.0 2.2.0 2.3.1
17High confidence2.1.0 2.2.0 2.3.1
18Very high confidence2.1.0 2.2.0 2.3.1
19Exceeds ACS maximum challenges2.1.0 2.2.0 2.3.1
20Non-payment (NPA) transaction not supported2.1.0 2.2.0 2.3.1
213RI transaction not supported2.1.0 2.2.0 2.3.1
22ACS technical issue2.1.0 2.2.0 2.3.1
23Decoupled authentication required by ACS but not requested by 3DS Requestor2.1.0 2.2.0 2.3.1
243DS Requestor decoupled authentication max expiry time exceeded2.1.0 2.2.0 2.3.1
25Insufficient time provided for decoupled authentication to authenticate cardholder. ACS will not attempt authentication2.1.0 2.2.0 2.3.1
26Authentication attempted but not performed by the cardholder2.1.0 2.2.0 2.3.1
27Preferred Authentication Method not supported2.3.1
28Validation of content security policy failed2.3.1
29Authentication attempted but not completed by the cardholder. Fall back to Decoupled Authentication2.3.1
30Authentication completed successfully but additional authentication of the Cardholder required. Reinitiate as Decoupled Authentication2.3.1
80Identity Check Insights

Mastercard

2.1.0 2.2.0 2.3.1
80Error connecting to ACS

Visa

2.1.0 2.2.0 2.3.1
81ACS Timed Out

Visa

2.1.0 2.2.0 2.3.1
82Invalid Response from ACS

Visa

2.1.0 2.2.0 2.3.1
83System Error Response from ACS

Visa

2.1.0 2.2.0 2.3.1
84Transaction not processed by Smart Authentication Stand-In due to challenge cancellation

Mastercard

2.1.0 2.2.0 2.3.1
84Internal Error While Generating CAVV

Visa

2.1.0 2.2.0 2.3.1
85VMID not eligible for requested program

Visa

2.1.0 2.2.0 2.3.1
86Protocol Version Not Supported by ACS

Visa

2.1.0 2.2.0 2.3.1
87Device Channel is 3RI therefore did not route to Smart Authentication Stand-In

Mastercard

2.1.0 2.2.0 2.3.1
87Transaction is excluded from Attempts Processing which includes non-reloadable pre-paid cards and non-payment authentications

Visa

2.1.0 2.2.0 2.3.1
883DS Requestor Prior Transaction Authentication Data was provided but not found by the ACS or it was expired

Mastercard

2.1.0 2.2.0 2.3.1
88Requested program not supported by the ACS

Visa

2.1.0 2.2.0 2.3.1
transStatusReasonInfo string
2.3.1

Transaction Status Reason Information

eci string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

Electronic Commerce Indicator

Options:
00Authentication Failed

Mastercard

01Authentication attempted, but not completed

Mastercard

02Authentication Successful

Mastercard

05Authentication Successful

Visa, American Express, Discover, JCB, UnionPay, eftpos

06Authentication attempted, but not completed

Visa, American Express, Discover, JCB, UnionPay, eftpos

07Authentication Failed

Visa, American Express, Discover, JCB, UnionPay, eftpos

N0Not Authenticated (NPA)

Mastercard

N2Authenticated (NPA)

Mastercard

acsChallengeMandated string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

Indicates whether regional mandates (e.g. PSD2) require a challenge to be performed. If using the 3RI device channel, a decoupled challenge must be used.

Options:
YChallenge is mandated
NChallenge is not mandated
acsDecConInd string
2.2.0 2.3.1
APP BRW 3RI

Indicates whether the ACS will use decoupled authentication.

Options:
YDecoupled authentication will be used
NDecoupled authentication will not be used
acsRenderingType object
2.1.0 2.2.0 2.3.1
APP

Indicates whether the ACS will use decoupled authentication.

Show definition
acsSignedContent string
2.1.0 2.2.0 2.3.1
APP

A JSON Web Signature (JWS) object containing the ACS URL, ACS ephemeral public key and SDK ephemeral public key. These are used by the SDK to communicate securely with the ACS when performing the challenge.

acsURL string
2.1.0 2.2.0 2.3.1
BRW

The URL of the ACS to be used for the challenge.

broadInfo object
2.1.0 2.2.0 2.3.1
APP BRW 3RI

Broadcast information - structured information sent between the 3DS Server, the DS, and the ACS.

Show definition
Maximum length: 4096
cardholderInfo string
2.1.0 2.2.0 2.3.1
APP BRW 3RI

Text provided by the issuer to be displayed to the cardholder.

cardholderInfoIssuerImage string
2.3.1
APP BRW 3RI

The URL of the issuer's logo or image to be displayed to the cardholder.

cardholderInfoPaymentSystemImage string
2.3.1
APP BRW 3RI

The URL of the payment system's logo or image to be displayed to the cardholder.

cardSecurityCodeStatus string
2.3.1
APP BRW 3RI

Enables the communication of Card Security Code Status between the ACS, the DS and the 3DS Requestor.

Options:
YValidated
NFailed validation
UStatus unknown, unavailable, or does not apply
cardSecurityCodeStatusSource string
2.3.1
APP BRW 3RI

This data element will be populated by the system setting Card Security Code Status.

Options:
01DS
02ACS
deviceBindingStatus string
2.3.1
APP BRW 3RI

Enables the communication of Device Binding Status between the ACS, the DS and the 3DS Requestor. For bound devices (value = 11–14), Device Binding Status also conveys the type of binding that was performed.

Options:
01Device is not bound by Cardholder
02Not eligible as determined by Issuer
03Pending confirmation by Cardholder
04Cardholder rejected the request
05Device Binding Status unknown, unavailable, or does not apply
11= Device is bound by Cardholder (device is bound using hardware / SIM internal to the Consumer Device. For instance, keys stored in a secure element on the device)
12Device is bound by Cardholder (device is bound using hardware external to the Consumer Device. For example, an external FIDO Authenticator)
13Device is bound by Cardholder (Device is bound using data that includes dynamically generated data and could include a unique device ID)
14Device is bound by Cardholder (Device is bound using static device data that has been obtained from the Consumer Device)
15Device is bound by Cardholder (Other method)
deviceBindingStatusSource string
2.3.1
APP BRW 3RI

This data element will be populated by the system setting Device Binding Status.

Options:
013DS Server
02DS
03ACS
deviceRecognisedVersion string
2.3.1
APP

Indicates the highest Data Version of the Device Information supported by the ACS.

threeDSRequestorAppURLInd string
2.3.1
APP

Indicates whether the OOB Authentication App used by the ACS during a challenge supports the 3DS Requestor App URL.

Options:
Y3DS Requestor App URL is supported by the OOB Authentication App
N3DS Requestor App URL is NOT supported by the OOB Authentication App
whiteListStatus string
2.2.0 2.3.1
APP BRW 3RI
DEPRECATED

Deprecated in favour of trustListStatus.

Options:
YMerchant is trusted by cardholder
NMerchant has not yet been trusted by cardholder
ENot eligible as determined by issuer
PPending confirmation by cardholder
RCardholder rejected the request to trust the merchant
UTrusted status unknown, unavailable, or does not apply
trustListStatus string
2.2.0 2.3.1
APP BRW 3RI

Indicates whether the cardholder has added the merchant to their list of trusted merchants. A cardholder can typically only choose to trust a merchant after successfully completing a challenge. A cardholder may not be required to complete a challenge with a merchant they have previously trusted.

Options:
YMerchant is trusted by cardholder
NMerchant has not yet been trusted by cardholder
ENot eligible as determined by issuer
PPending confirmation by cardholder
RCardholder rejected the request to trust the merchant
UTrusted status unknown, unavailable, or does not apply
whiteListStatusSource string
2.2.0 2.3.1
APP BRW 3RI
DEPRECATED

Deprecated in favour of trustListStatusSource.

Options:
013DS Server
02Directory Server (DS)
03Access Control Server (ACS)
trustListStatusSource string
2.2.0 2.3.1
APP BRW 3RI

Identifies the system which set the trustListStatus value.

Options:
013DS Server
02Directory Server (DS)
03Access Control Server (ACS)
spcTransData object
2.3.1
BRW

Information that the 3DS Requestor passes in the SPC API for display in the Smart Modal Window

Show definition
webAuthnCredList array
2.3.1
APP

List of WebAuthn credentials that the ACS can use to authenticate the cardholder.

Show definition
messageExtension array
2.1.0 2.2.0 2.3.1
APP BRW 3RI

Data necessary to support requirements not otherwise defined in the 3D Secure message format.

Show definition

Feedback