A 3D-Secure Authentication Challenge authenticates the identity of the customer. This page describes how to perform a challenge when the merchant is using REST 2.0 3D-Secure Server-to-Server Integration and result.status=”challenge” appears in the response to a /payments/{payment-id}/fingerprint request.

To perform a challenge, follow these steps:

1. Post the cReq value to the acsUrl (the issuer’s challenge page), as shown in the example below.
   The cReq value and acsUrl appear in the paymentOption.card.threeD class of the response to the /payments/{payment-id}/fingerprint request.
   
   The challenge request is case-sensitive.

   Example Challenge Request – Posting cReq to acsUrl

   <form method="POST" action="https://3dsn.sandbox.nuvei.com/ThreeDSACSEmulatorChallenge/api/ThreeDSACSChallengeController/ChallengePage?eyJub3RpZmljYXRpb25VUkwiOiJodHRwczovLzNkc2VjdXJlc2FmZWNoYXJnZS4wMDB3ZWJob3N0YXBwLmNvbS8zRHYyL25vdGlmaWNhdGlvblVybC5waHAiLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjE0MDI2NzdmLWI5NjUtNDQ5Zi1hNzVkLTdhNDBjMGNkZjhhMyIsImFjc1RyYW5zSUQiOiI1NGU1ZWU1Ny1iMDJmLTQ5MzItYjNlMy1mNTk3ZGZlYTdkMjQiLCJkc1RyYW5zSUQiOiJiNzFhN2Q1ZC1jYzM4LTRjZTktODBjMy01MGE3ZDUzMjcxZjcifQ==">
   
     creq:<input type="area" id="creq" name="creq" value="eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjE0MDI2NzdmLWI5NjUtNDQ5Zi1hNzVkLTdhNDBjMGNkZjhhMyIsImFjc1RyYW5zSUQiOiI1NGU1ZWU1Ny1iMDJmLTQ5MzItYjNlMy1mNTk3ZGZlYTdkMjQiLCJjaGFsbGVuZ2VXaW5kb3dTaXplIjoiMDUiLCJtZXNzYWdlVHlwZSI6IkNSZXEiLCJtZXNzYWdlVmVyc2lvbiI6IjIuMS4wIn0=" />;
   
     <input type="submit" value="proceed to issuer">
   </form>

2. The customer is redirected to the issuer’s challenge page and performs the challenge.
3. Upon completion of the challenge, the issuer sends a base64-encoded CRes response to the challengeNotificationUrl the merchant provided in the initial /payments request.
   

   Example Encoded CRes Response After Challenge

   ewoidGhyZWVEU1NlcnZlclRyYW5zSUQiOiI4YTg4MGRjMC1kMmQyLTQwNjctYmNiMS1iMDhkMTY5MGIyNmUiLAoiYWNzVHJhbnNJRCI6ImQ3YzFlZTk5LTk0NzgtNDRhNi1iMWYyLTM5MWUyOWM2YjM0MCIsCiJtZXNzYWdlVHlwZSI6IkNSZXMiLAoibWVzc2FnZVZlcnNpb24iOiIyLjEuMCIsCiJ0cmFuc1N0YXR1cyI6IlkiLAoibWVzc2FnZUV4dGVuc2lvbiI6CiAgICBbewogICAgIm5hbWUiOiJtc2dleHRuYW1lIiwKICAgICJpZCI6IjUwMTM0MTU5MkJfMDAwMV80NTY4IiwKICAgICJjcml0aWNhbGl0eUluZGljYXRvciI6ZmFsc2UsCiAgICAiZGF0YSI6CiAgICAgICAgewogICAgICAgICJ2YWx1ZU9uZSI6Im1lc3NhZ2VleHRlbnNpb25kYXRhIiwKICAgICAgICAidmFsdWVUd28iOiJtb3JlbWVzc2FnZWV4dGVuc2lvbmRhdGEiCiAgICAgICAgfQogICAgfV0KfQ==
4. (Optional) Decode the base64-encoded CRes response.
   If you do not decode the CRes response, you can provide the encoded CRes in the final /payments/{payment-id}/challenge request.

   Example Decoded CRes Response After Challenge

   {
   "threeDSServerTransId":"8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
   "acsTransId":"d7c1ee99-9478-44a6-b1f2-391e29c6b340",
   "messageType":"CRes",
   "messageVersion":"2.1.0",
   "transStatus":"Y",
   "messageExtension":
       [{
       "name":"msgextname",
       "id":"501341592B_0001_4568",
       "criticalityIndicator":false,
       "data":
           {
           "valueOne":"messageextensiondata",
           "valueTwo":"moremessageextensiondata"
           }
       }]
   }

   Parameter	Description
   threeDSServerTransID	The 3DS server transaction ID, from the response to the initial payment request.
   acsTransID	The ACS transaction ID, as generated by the issuer.
   messageExtension	Optional data necessary to support requirements not otherwise defined in 3D-Secure.
   messageType	The message type (CRes).
   messageVersion	The 3DS protocol version used for the authentication.
   transStatus	The transaction status. Possible values: Y – challenge/authentication succeeded. N – challenge/authentication failed.

5. Continue with the next step in REST 2.0 3D-Secure Server-to-Server Integration: 6. Final Payment Request.