3D Secure

3D secure 2 is the latest standard released by EMVCo that allows merchants and payment service providers to send additional data elements to the issuing bank of the cardholder, which in turn, makes it possible for the issuer of the card to perform frictionless authentication and offer an improved, better, user experience to the cardholder. With the additional data elements relating to the cardholder, issuers can apply Frictionless Authentication flows or “Challenged” authentication flows.

Frictionless Authentication Flows: issuers can apply risk-based decisions using the additional data received and trust that the real cardholder is making the purchase and auto authenticate the transaction in the background without requesting any additional information from the cardholder.

Challenged Authentication Flows: When the issuer cannot apply risk-based decision using the data on record, additional information to authenticate the payment is then requested from the cardholder.

Verified by VISA (VbV),
SecureCode by Mastercard,
SafeKey by American Express,
UPOP by UPI
Protect Buy by Diners

Merchant Benefits

Acceptance of authenticated transactions via 3D secure deters unauthorized card use.
Enables the merchants to receive protection, liability shift from fraudulent chargeback activity

Integrate 3D Secure

Merchants can integrated 3D secure via iVeri Gateway or use their own 3D secure vendor( MPI) both models integration models are supported.

Integrate 3D Secure functions via the iVeri Gateway

Implement a form post or pop-up with the required data
When received, the Gateway will process and handle the enrollment lookups, authentication with the 3DS provider on your behalf.
On completion, of the authentication, the merchant can submit payment instructions with 3DS 2 authentication data

Integrate 3D Secure directly with the 3DSecure MPI vendor

Contact your 3D secure Vendor
Integrate the 3D secure using the 3D secure integration specification from the MPI/3D Secure vendor
On completion of the 3D secure process, merchants, or payment service provider (PSP) can include 3D secure authentication data on the payment instructions to the iVeri Gateway.
When received, the Gateway will process the payment to the appropriate acquiring institution.

Integration Prerequisites

Merchant must request a certificate in the merchant portal - Backoffice.
- The generated certificate ID is only applicable on the Authorisation/Debit message not the 3DS process.
The merchants application ID must be enabled for 3DS 2
Merchant Profile
- A merchants test application ID must be enabled for 3DS 2. Contact iVeri support on assist@iveri.com to enable 3D secure.
- Integration testing using should use the test application and corresponding 3D secure test cards

3DS 2 Endpoint

Merchants implementing 3D secure through the iVeri Gateway can submit their 3DS requests to the following endpoints

3D secure	https:// [portal base URL]/threedsecure/EnrollmentInitial
Method:	POST
Format:	FormData

Integration Method

Implementation of 3DS 2 to the iVeri Gateway can be done by either using as a form Post or Pop-up

3D Secure Process

Initiate 3D secure - Submit 3D secure request in a Form POST or Pop-Up method
1. Post request on /threedsecure/EnrollmentInitial
2. The iVeri Gateway act as proxy and submits the 3D secure request to the 3DS MPI onbehalf of the merchant
3. 3D secure MPI returns the status to the iVeri Gateway
Handle 3D secure result - iVeri Gateway posts the status of the 3D secure authentication to the merchant ReturnURL
Proceed or Cancel transaction - If all mandatory 3D Secure parameters are present and the returned status code is “0”, the merchant should continue with the Authorisation/Debit instruction. If not, the transaction must be terminated

3DS 2 Parameters

Merchants can submit 3DS request parameters using either tokenized data or full PAN information.

Using tokenized data implies that the merchant has obtained and retained the token via PANToken command.

M	Mandatory
O	Optional
C	Conditional
blank	not relevant

To refer to the 3D secure parameters see more info

Request Parameters

The following is a list of parameters that can be included in the 3D secure requests to the 3DS endpoint.

Parameter	3D Secure with PAN	3D secure with Token
ReturnUrl	M	M
ApplicationID	M	M
MerchantReference	M	M
Amount	M	M
Currency	M	M
PAN	M	M
ExpiryDate	M	M
CardSecurityCode	O	O
PANFormat		M
TransactionIndex		M

Output Parameters that may be returned

Depending on the result of 3D secure authentication, the following fields may be returned

Y	Relevant (maybe populated)
C	Returned if supported by Acquirer
Blank	Not relevant

Parameter	3D Secure with PAN	3D secure with Token
ApplicationID	Y	Y
MerchantReference	Y	Y
Amount	Y	Y
Currency	Y	Y
JWT	Y	Y
PAN	C	C
ExpiryDate
ResultCode	Y	Y
ResultDescription	C	C
ThreeDSecure_AuthenticationType	C	C
CardHolderAuthenticationID	C	C
CardHolderAuthenticationData	C	C
ElectronicCommerceIndicator	C	C
ThreeDSecure_VEResEnrolled	C	C
ThreeDSecure_RequestID	C	C
ThreeDSecure_ProtocolVersion	C	C
ThreeDSecure_DSTransID	C	C

3D Secure 2 implementation using the Pop-Up Method

Mandatory Requirements

jQuery
Bootstrap

Step1: Initialize the popup

Include the following javascript code on your webpage that you want to initiate 3DS from:

$(document).ready(function () {

tdsboxInitialise('[portal domain]',

tdsboxComplete);

});

Step2: Load the popup and shows the modal dialog

function loadModal() {

var jsonObject = {

ApplicationID : $("#ApplicationID").val(),

MerchantReference : $("#MerchantReference").val(),

Amount : $("#Amount").val(),

Currency : $("#Currency").val(),

PAN : $("#PAN").val(),

ExpiryDate : $("#ExpiryDate").val()

};

var data = JSON.stringify(jsonObject);

tdsboxSubmit(data);

}

Step 3: Gets the response back after 3D 2 Completes

function tdsboxComplete(data) {

alert(data);

}

3D Secure 2 implementation using the Form Post

Merchants can POST form variables to the 3DS2 endpoint, which is accessed via a browser redirect. Once the 3D Secure process is completed, the Gateway returns the result to the merchant’s ReturnURL. The result provided will determine whether the merchant can continue with the authorisation/debit instruction or if the transaction should be terminated

Format: Form Data

Form Post request Sample

<br />

</form>

Authorisation/Debit with 3DS 2 Data

Merchants have the choice of doing 3D secure authentication directly with their 3DS Vendor ("MPI") or via the iVeri Gateway. In any event, when the 3D secure authentication process is completed successfully, the merchant can POST the payment instruction to the iVeri Gateway with the authentication data using the SOAP or REST webservice.

Debit/Authorisation Payment Parameters

The applicable set of 3DS 2 parameters expected in the Authorisation/Debit message are as follows:

Parameter	Description

CardHolderAuthenticationID	Optional for 3DS 2: Commonly known as an XID: Unique identifier generated during the 3D secure process, When returned in the 3D secure process the value must be included in the Auth/Debit instruction.
CardHolderAuthenticationData	Mandatory for 3DS 2: Commonly known as UCAF -(universal cardholder authentication field) for Mastercard or CAVV( cardholder authentication verification value), generated on completion of the authentication between cardholder and card issuer
ElectronicCommerceIndicator	Mandatory for 3DS 2: Commonly known as “ECI”: Indicates if the cardholder was fully authenticated, attempted or not. Possible values: ThreeDSecure (ECI “05”, “02”), ThreeDSecureAttempted (“ECI “06” or “01”) or SecureChannel (ECI “07”)
ThreeDSecure_VEResEnrolled	Optional: Possible values: Y\|N\|U - Indicates if the card is enrolled.
ThreeDSecure_RequestID	Optional: Unique identifier returned by the Gateway on completion of the 3D secure authentication process
ThreeDSecure_AuthenticationType	Optional: Possible values( not limited to) "01", "02", "03". Must be as generated on completion of the 3D secure authentication process. indicates the method of authentication used.
ThreeDSecure_ProtocolVersion	Mandatory: Indicates the version of 3D secure used
ThreeDSecure_DSTransID	Mandatory: Directory Server Transaction ID returned on completion of the 3D secure authentication process

Webservice Service Payment Samples

For submission of transactions to the Gateway the merchant can post to the existing Portal URL's . The Portal URL's are listed in the REST and SOAP sections by acquiring bank. As a note, the submission of the Debit/Authorisation message assumes the following:

3DS 2 authentication was a success.
The merchant is making use of the test application ID with mode "Test" for integration testing

REST Webservice

Format: JSON

Transaction Endpoint - https://[portal domain]/api/transactions

Request
{
"Version": "2.0",
"CertificateID": "{DE3022CE-15A2-4702-A46B-CC9710463135}", //replace with merchant certID
"ProductType": "Enterprise",
"ProductVersion": "WebAPI",
"Direction": "Request",
"Transaction": {
"ApplicationID": "{851282c8-194c-42da-a09b-333160959e39}",
"Command": "Debit",
"Mode": "Test",
"MerchantReference": "20250207_09086789031",
"MerchantTrace":"202500207_4054711",
"Currency": "ZAR",
"Amount": "10000",
"ExpiryDate": "0929",
"PAN": "4069........9137", //tokenised data
"CardHolderPresence": "COF",
"TransactionIndex": "{D4AAEDFC-6C60-4E00-8AF1-67FB760DCF49}",
"PANFormat":"TransactionIndex",
"CardHolderAuthenticationID": "+9z/hOi4392ov0GJd2AEYIPQP8g=",
"CardHolderAuthenticationData": "AAEBApN3IgAAAAPocQNYdISCkYQ=",
"ElectronicCommerceIndicator": "ThreeDSecure",
"ThreeDSecure_DSTransID": "3ee1816c-80b5-4cf3-933a-e5a258019d60",
"ThreeDSecure_AuthenticationType": "01",
"ThreeDSecure_ProtocolVersion": "2.1.0"

}
}

Response

{

"Version": "2.0",

"CertificateID": "{4c96973f-71dd-4044-802d-6e234effe8f2}",

"ProductType": "Enterprise",

"ProductVersion": "WebAPI",

"Direction": "Request",

"Transaction": {

"ApplicationID": "{ca8a6eae-a469-4b39-bef3-aa029ca3a806}",

"Command": "Debit",

"Mode": "Test",

"Amount": "1500",

"ExpiryDate": "0123",

"MerchantReference": "3DS2:20210920.004",

"Currency": "ZAR",

"PAN": "4069425217889137",

"ThreeDSecure_ProtocolVersion": "2.1.0",

"CardHolderAuthenticationID": "xVyRZy0bYuN69j1pZi/zlmC68Vw=",

"CardHolderAuthenticationData": "AJkBCWhygQAAAAEDhXKBAAAAAAA=",

"ElectronicCommerceIndicator": "ThreeDSecure",

"ThreeDSecure_DSTransID": "2e962032-0499-4fb6-9cf3-e640ceebeb63",

"ThreeDSecure_AuthenticationType": "01"

"ThreeDSecure_VEResEnrolled": "Y"

}

SOAP Webservice

Format: XML

Transaction Endpoint - https://[portal domain] /iVeriWebservice/Service.asmx

Request

<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

<soap:Body>

<validateRequest>false</validateRequest>

<request><V_XML Version="2.0" CertificateID="b2fd980c-f61a-473e-a685-5e8d38595d84" ProductType="Enterprise"

ProductVersion="iVeriWebService" Direction="Request">

<ElectronicCommerceIndicator>ThreeDSecure</ElectronicCommerceIndicator>

<CardHolderAuthenticationID>nhkWtFs6DlxCbpAyOFmjjxTtZOc=</CardHolderAuthenticationID>

<CardHolderAuthenticationData>AJkBCIZ1CQAAAAfQcQADdISCkYQ=</CardHolderAuthenticationData>

<ThreeDSecure_ProtocolVersion>2.1.0</ThreeDSecure_ProtocolVersion>

<ThreeDSecure_DSTransID>c43c9d4a-3461-46e9-be29-3c7a0e033e11</ThreeDSecure_DSTransID>

<ThreeDSecure_AuthenticationType>01</ThreeDSecure_AuthenticationType>

<ThreeDSecure_VEResEnrolled>Y</ThreeDSecure_VEResEnrolled>

</Transaction>

</V_XML>

</request>

</Execute>

</soap:Body>

</soap:Envelope>

Response <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<soap:Body>

<ElectronicCommerceIndicator>ThreeDSecure</ElectronicCommerceIndicator>

<Terminal>Default</Terminal>

<MerchantName>iVeri Payment Technology</MerchantName>

<Acquirer>NBPostilionNBSouthAfrica</Acquirer>

<CardType>Unknown Card Type</CardType>

<Issuer>Unknown Issuer</Issuer>

<Jurisdiction>International</Jurisdiction>

<PANMode>Keyed,CVV</PANMode>

<CardHolderPresence>CardNotPresent,eCommerce,ThreeDSecure</CardHolderPresence>

<MerchantAddress>MERCHANT ADDRESS</MerchantAddress>

<MerchantCity>Sandton</MerchantCity>

<MerchantCountry>South Africa</MerchantCountry>

<DistributorName>Nedbank</DistributorName>

</Transaction>

</V_XML></ExecuteResult>

</ExecuteResponse>

</soap:Body>

</soap:Envelope>

3D Secure 2 Test Cases

The MPI test cases that should be used are determined by the acquiring bank that holds the merchant agreement or PSP that will be processing the payments on the Gateway on behalf of the merchant

Things to note about the test cards:

CVV not required
Expiry must be current or future date

BANKSERV

For merchants and acquiring banks in South Africa and Kenya

Frictionless Full authentication
Scenario 1	Authenticated Frictionless Transaction
Test Values	Visa:4070426536557386, 4069421358347845 MC:5163426869252246
Expected results - Lookup	THREEDSECURE_REQUESTID:{8BEB3053-16AE-4441-A3F2-B449AE6CC81D} THREEDSECURE_VERESENROLLED: Y THREEDSECURE_ProtocolVersion: 2.3.1 CardHolderAuthenticationID": "+9z/hOi4392ov0GJd2AEYIPQP8g=", CardHolderAuthenticationData": "AAEBApN3IgAAAAPocQNYdISCkYQ=", "ElectronicCommerceIndicator": "ThreeDSecure "ThreeDSecure_DSTransID": "3ee1816c-80b5-4cf3-933a-e5a258019d60", "ThreeDSecure_AuthenticationType": "01","ThreeDSecure_ProtocolVersion": "2.1.0" PAN 4070.......7386 EXPIRYDATE 092025 MERCHANTDATA
Action: Merchant should proceed with the authorization message

Frictionless Attempted authentication
Scenario 2	Authenticated Frictionless Transaction
Test Values	Visa:
	MC:5163426869252246, 518935428295934
Expected results - Lookup	THREEDSECURE_REQUESTID: {8AAA184E-FFEB-426C-A47C-0AC5509A5FBD} CardHolderAuthenticationID": 1wJE19gjUSB9c09y0af1bBlH1cA= "ElectronicCommerceIndicator" ThreeDSecureAttempted "ThreeDSecure_Versenrolled": Y "ThreeDSecure_ProtocolVersion": 2.3.1 "ThreeDSecure_DSTransID": ae434952-87f8-57fb-8000-00000f479f5b" "ResultCode"": 0 "ResultDescription": "ApplicationID": {D8B3AE1C-6E8A-41DA-8C36-7323242F7E91} "MerchantRefrence": 3DS2:20250821.0422 AMOUNT 5000 CURRENCY ZAR JWT PAN 5189.......9697 EXPIRYDATE 092025 MERCHANTDATA
Action: Merchant should proceed with the authorization message

Challenged Full authentication
Scenario 3	Authenticated Challenged Transaction
Test Values	Visa: 4070427646039018 MC:
Expected results - Lookup	"ThreeDSecure_RequestID": {87334ADD-A6DA-44BA-B754-8EC902E32AFC} "CardHolderAuthenticationID": y5EJVWPxEB8Owsisn0TaxA+XEGY= "CardHolderAuthenticationData": AAABCHIkAQAAAANWlyQBAAAAAAA= "ElectronicCommerceIndicator": ThreeDSecure "ThreeDSecure_Versenrolled": Y "ThreeDSecure_ProtocolVersion": 2.3.1 "ThreeDSecure_DSTransID": ae434952-8c32-5142-8000-00000f47a39d "ResultCode"": 0 "ResultDescription": "ApplicationID":{D8B3AE1C-6E8A-41DA-8C36-7323242F7E91} "MerchantRefrence":3DS2:20250821.0422 AMOUNT:5000 CURRENCY:ZAR JWT: PAN: 4070........9018 EXPIRYDATE: 092025 MERCHANTDATA
Action: Merchant should proceed with the authorization message

Failed Frictionless Authentication
Scenario 4	Failed Frictionless Transaction
Test Values	Visa: MC: 5178872338408971 DINERS: 36135234130393
Expected results - Lookup	"ThreeDSecure_RequestID": {448C1018-2EC3-48FC-A8B2-35E12D76B568} "CardHolderAuthenticationID": Hz4Xu+nAfppw6HLACb+5UTi7W0s= "ElectronicCommerceIndicator":ThreeDSecureAttempted "ThreeDSecure_Versenrolled": Y "ThreeDSecure_ProtocolVersion": 2.3.1 "ThreeDSecure_DSTransID": ae434952-d990-5c95-8000-00000f47a915 "ResultCode" 0 "ResultDescription": "ApplicationID": {D8B3AE1C-6E8A-41DA-8C36-7323242F7E91} "MerchantRefrence": 3DS2:20250821.0422 AMOUNT 5000 CURRENCY ZAR PAN: EXPIRYDATE 092025 MERCHANTDATA
Action: Merchant should NOT proceed with the authorization message

CYBERSOURCE

Frictionless Full Authentication
Scenario 1	Authenticated Frictionless Transaction
Test Values	Visa: 445653 00 0000 1005 MC: 520000 00 0000 1005
Expected results - Lookup	"SessionID":4baaee3a-f641-4d68-8ca5-26b8a5363faa "ThreeDSecure_RequestID": 53CD04DD-A3EF-457F-9CB5-A732F0681536} "CardHolderAuthenticationID": AJkBBkhgQQAAAE4gSEJydQAAAAA= "CardHolderAuthenticationData": AJkBBkhgQQAAAE4gSEJydQAAAAA= "ElectronicCommerceIndicator": ThreeDSecure "ThreeDSecure_Versenrolled": Y "ThreeDSecure_ProtocolVersion": 2.2.0 "ThreeDSecure_DSTransID":a76f6854-abef-45af-8edd-09f142a12c26 "ResultCode" 0 "ResultDescription": "ApplicationID":{CDF27681-7EC1-4245-8E2B-B04B9B308773} "MerchantRefrence":3DS2:20250821.0422 AMOUNT:5000 CURRENCY: ZAR JWT PAN 4456........1005 EXPIRYDATE 092025 MERCHANTDATA
Action: Merchant should proceed with the authorization message

Unsuccessful Frictionless Authentication
Scenario 2	Unsuccessful Frictionless Transaction
Test Values	Visa: 445653 00 0000 1013 MC: 520000 00 0000 1013
Expected results - Lookup	"SessionID": {22DD6053-BCB1-4D3D-BB5E-866CAB1F5CAF} "ApplicationID":{CDF27681-7EC1-4245-8E2B-B04B9B308773} "MerchantRefrence": 3DS2:20250821.0422 AMOUNT: 5000 CURRENCY: ZAR "ResultCode": -4 "ResultDescription": The customer cannot be authenticated. "ThreeDSecure_RequestID": {22DD6053-BCB1-4D3D-BB5E-866CAB1F5CAF} MERCHANTDATA:
Action: Merchant should NOT proceed with the authorization message. Ask the customer for another form of payment

Attempts Processing Frictionless Authentication
Scenario 3	Attempts Processing Frictionless Authentication
Test Values	Visa: 4456 5300 0000 1021 MC: 5200 0000 0000 1021
Expected results - Lookup	"SessionID": cc18e8bd-9c13-4414-98ce-94ad9706a47c "ThreeDSecure_RequestID": {769AE3AC-8356-4BD3-A300-A84B60BDA8C3} "CardHolderAuthenticationID": AJkBBkhgQQAAAE4gSEJydQAAAAA= "CardHolderAuthenticationData": AJkBBkhgQQAAAE4gSEJydQAAAAA= "ElectronicCommerceIndicator": ThreeDSecureAttempted "ThreeDSecure_Versenrolled": Y "ThreeDSecure_ProtocolVersion": 2.2.0 "ThreeDSecure_DSTransID" 6761b8f3-747a-4888-9f6e-7c0f3e4ab363 "ResultCode" 0 "ResultDescription": "ApplicationID": {CDF27681-7EC1-4245-8E2B-B04B9B308773} "MerchantRefrence":3DS2:20250821.0422 AMOUNT 5000 CURRENCY ZAR JWT PAN 4456........1021 EXPIRYDATE 092025 MERCHANTDATA
Action: Merchant should NOT proceed with the authorization message. Ask the customer for another form of payment