3D Secure Glossary
# Brand IDs

ID | Name |
---|---|
1 | Visa |
2 | Mastercard |
41 | Elo |
# 3DS Server transaction status

Code | Name | Description |
---|---|---|
NEW | New | Transaction created recently. |
INV | Invalid | Merchant sent an invalid parameter. |
ERR | Communication error | DS communication failure. |
EXP | Expired | New transaction has exceeded its validity period. |
ERM | Error message | 3DS Server received an error message from DS. |
AUY | 3DS Status Y | Authentication Verification Successful. |
AUN | 3DS Status N | Not Authenticated/Account Not Verified; Transaction denied. |
AUU | 3DS Status U | Authentication/Account Verification Could Not Be Performed; Technical or other problem. |
AUA | 3DS Status A | Attempts Processing Performed; Not Authenticated/Verified, but a proof of attempted authentication/verification is provided. |
AUC | 3DS Status C | Challenge Required; following the "challenge" flow. |
AUR | 3DS Status R | Authentication/Account Verification Rejected; Issuer is rejecting authentication/verification. |
AUD | 3DS Status D | Challenge Required; Decoupled Authentication confirmed. |
# Error codes

Code | Description |
---|---|
1 | Invalid credentials (merchant_id & merchant_key) |
2 | Transaction not found |
3 | Invalid transaction status |
101 | Unknown message type |
201 | Empty parameter (see error.detail for further details) |
202 | message.extension not recognized |
203 | Invalid parameter (see error.detail for further details) |
301 | Transaction ID received is not valid for the receiving component. |
305 | Card not supported by the issuer for 3DS 2.0 authentications. |
402 | Timeout when communicating with DS |
404 | Unexpected error |
405 | DS communication error |
# device_channel field

Code | Description |
---|---|
01 | App-based |
02 | Browser |
03 | 3DS Requestor Initiated (3RI) |
04-79 | Reserved for future use by EMVCo |
80-99 | Reserved for future use by DS |
# Glossary

- 3DS Requestor: Store or gateway (such as Carat)
- 3D-Secure: Also known as Visa Secure, Mastercard Identity Check, American Express SafeKey, Discover ProtectCode or Elo SecureCode, is a security protocol used by card brands to authenticate online transactions and reduce fraud.
- ACS (Access Control Server): The server responsible for providing the authentication interface on behalf of the issuer during the 3D-Secure transaction process. It interacts with the issuer and cardholder to verify the authenticity of the transaction.
- DS (Directory Server): Represents the card brand
- AReq: Authentication Request, according to the 3DS 2.0 protocol
- ARes: Authentication Response, according to the 3DS 2.0 protocol
- CReq: Challenge Request, according to the 3DS 2.0 protocol
- CRes: Challenge Response, according to the 3DS 2.0 protocol
- RReq: Results Request, according to the 3DS 2.0 protocol
- RRes: Results Response, according to the 3DS 2.0 protocol
- Challenge/Step-up Flow: Also known as "challenge flow". It is a form of 3D-Secure authentication in which the cardholder is directed to a page or application to provide additional information or enter a security code to confirm the transaction.
- Frictionless Flow: A form of 3D-Secure authentication in which the transaction is automatically authenticated based on available data, without the need for intervention by the cardholder. This usually occurs when the issuer has sufficient information (such as data about the holder or the device used) to confirm the identity of the holder.
- 3DS Server Id: ID that identifies the transaction on the 3DS Server (three_ds_server.trans_id field of the transaction creation or authentication response)
- DS Id: ID that identifies the transaction on the card brand server (ds.trans_id field of the transaction authentication response)
- ACS ID: ID that identifies the transaction at the Issuer (acs.trans_id field of the transaction authentication response)
- 3DS Method URL: Issuer URL to which a POST is sent to collect information from the buyer's device in web transactions
- reference_id: Field to be used in the Carat payment REST API (the ds.trans_id value of the transaction authentication response must be passed)
- ECI (or "e-commerce indicator"): Code returned to the MPI by the brands, which indicates the result of the cardholder's 3DS authentication with the issuer
- CAVV or IAV: Cryptogram code used in transaction authentication and sent by the establishment's MPI (authentication.value field in the transaction authentication response or in the transaction query).
- Authentication: The process of verifying the identity of the cardholder during an online transaction. 3D-Secure requires additional authentication information, usually a security code, PIN or biometrics, requested by the business.
- Issuer: The financial institution (bank or credit card company) that issues the credit or debit card to the holder.
- Commerce/Merchant: A company or website that accepts online payments via credit or debit cards.
- Enrollment: The process of registering a card for use in 3D-Secure. The cardholder normally carries out the enrollment process when using the card for the first time on a 3D-Secure compatible website.
- Liability Shift: The transfer of responsibility for a fraudulent transaction from the merchant to the issuer. It applies provided that the transaction has been authenticated by 3D-Secure and the merchant is enabled on 3DS, which allows the merchant to win the "Reversal of Responsibility".
- RBA (Risk-Based Analysis): It is an approach within 3D-Secure in which the card issuer assesses the risk of a transaction to determine if additional verification is necessary. Based on factors such as transaction value, device identification, and the cardholder's history, low-risk transactions may be approved without additional validation, while medium or high-risk transactions may require extra steps to ensure security. This enhances the customer experience by reducing friction in low-risk transactions while simultaneously safeguarding against fraudulent transactions.
- MPI (Merchant Plug-In): The software or service used by a merchant to connect to the 3D-Secure authentication system. It facilitates communication between the merchant, the issuer and the card brand.

Carat provides support for 3D-Secure 2.0 transactions through its 3DS Server.