• Documentation
  • API Reference
  • Documentation
  • API Reference
Expand All Collapse All
< BACK TO HOME
  • Online Payments
    • Introduction
    • Choosing an Integration Method
    • Payment Scenarios
    • Flow Diagrams
  • Accept Payment
    • Payment Page (Cashier)
      • Quick Start
      • Input Parameters
      • Output Parameters
      • Payment Page Features
      • Cashier
        • Cashier Events Guide
        • Cashier Features
        • Withdrawal Guide
    • Web SDK
      • Quick Start
      • Nuvei Fields
        • Styling
      • Additional Functions
      • APM Payments
      • Tokenization-Only Flow
      • Scenarios
      • Using ReactJS
        • Full Samples
        • Sandbox Examples
      • FAQs
    • Simply Connect
      • Quick Start
        • UI Customization
        • Payment Customization
        • Advanced Controls
        • Simply Connect Examples
      • Server-to-Server
        • REST 1.0
        • Server SDKs
          • Java SDK
          • .NET SDK
          • PHP SDK
          • Node.JS SDK
      • Mobile SDKs (Beta Release)
        • Android Mobile SDK (Beta Release)
        • iOS Mobile SDK (Beta Release)
      • Marketplaces
      • Self Track
    • Features
      • Authentication
      • Financial Operations
        • Refund
        • Void
        • Auth and Settle
        • Partial Approval
        • Currency Conversion: DCC and MCP
          • Multiple Currency Pricing (MCP)
          • Dynamic Currency Conversion (DCC)
            • DCC in Cashier or Payment Page
            • DCC in REST API Workflows
            • DCC in Web SDK Workflows
        • Payout
        • AFT (Account Funding Transactions)
      • Card Operations
        • Card-on-File
        • PCI and Tokenization
        • Zero-Authorization
        • Merchant-Initiated Transactions (MIT)
        • Blocking Cards
      • Subscriptions (Rebilling)
      • 3D-Secure
        • 3D-Secure Explained
        • 3DS Implementations
          • 3DS MPI-Only Web SDK
          • 3DS MPI-Only REST
          • 3DS External MPI
          • 3DS Responses
          • Challenges and Exemptions
        • 3DS Functions
          • 3D-Secure Fingerprinting
          • 3D-Secure Authentication Challenge
      • Addendums
        • Airline
          • External Authorization
        • Local Payment (Installments)
    • Integration
      • Testing Cards, APIs and APMs
        • Testing Cards
        • Testing APMs
        • Testing APIs with Postman
      • Response Handling
      • Webhooks (DMNs)
        • Payment Transaction Requests
        • Control Panel Events API
      • Payment Facilitators (PayFac)
    • Additional Links
      • FAQs
      • API Reference
      • Release Notes
      • Country and Currency Codes

    3D-Secure Authentication Challenge

    Home    3D-Secure    3DS Functions    3D-Secure Authentication Challenge

    On this page:
    • Introduction
    • Challenge for 3D-Secure v2

    Introduction

    A 3D-Secure Authentication Challenge authenticates the identity of the customer, which is a step in the 3D-Secure Authentication process of a:

    • Payment flow of a Server-to-Server integration.
    • Authorize3d flow of a 3DS MPI-Only REST integration.

    Only perform a challenge when: transactionStatus = "REDIRECT" (returned from the payment (or authorize3d) request).

    Challenge for 3D-Secure v2

    Request the issuer to perform a challenge as follows:

    1. Post the creq value to the acsUrl URL (the Issuer Authentication URL) as shown in the example below (case-sensitive!):
      (The creq and acsUrl fields were received in the paymentOption.card.threeD block in the previous payment (or authorize3d) response step.)
      Example Challenge – Posting the creq value in the acsUrl URL
      <form method="POST" action="https://3dsn.sandbox.nuvei.com/ThreeDSACSEmulatorChallenge/api/ThreeDSACSChallengeController/ChallengePage?eyJub3RpZmljYXRpb25VUkwiOiJodHRwczovLzNkc2VjdXJlc2FmZWNoYXJnZS4wMDB3ZWJob3N0YXBwLmNvbS8zRHYyL25vdGlmaWNhdGlvblVybC5waHAiLCJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjE0MDI2NzdmLWI5NjUtNDQ5Zi1hNzVkLTdhNDBjMGNkZjhhMyIsImFjc1RyYW5zSUQiOiI1NGU1ZWU1Ny1iMDJmLTQ5MzItYjNlMy1mNTk3ZGZlYTdkMjQiLCJkc1RyYW5zSUQiOiJiNzFhN2Q1ZC1jYzM4LTRjZTktODBjMy01MGE3ZDUzMjcxZjcifQ==">
      
        creq:<input type="area" id="creq" name="creq" value="eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6IjE0MDI2NzdmLWI5NjUtNDQ5Zi1hNzVkLTdhNDBjMGNkZjhhMyIsImFjc1RyYW5zSUQiOiI1NGU1ZWU1Ny1iMDJmLTQ5MzItYjNlMy1mNTk3ZGZlYTdkMjQiLCJjaGFsbGVuZ2VXaW5kb3dTaXplIjoiMDUiLCJtZXNzYWdlVHlwZSI6IkNSZXEiLCJtZXNzYWdlVmVyc2lvbiI6IjIuMS4wIn0=" />;
      
        <input type="submit" value="proceed to issuer">
      </form>
    2. The customer is redirected to the issuer’s challenge page and performs the challenge.
      Upon completion of the challenge process, the issuer returns a base64-encoded CRes response to the notificationUrl on your server:
      Example of the Encoded CRes Response Returned after the Challenge
      ewoidGhyZWVEU1NlcnZlclRyYW5zSUQiOiI4YTg4MGRjMC1kMmQyLTQwNjctYmNiMS1iMDhkMTY5MGIyNmUiLAoiYWNzVHJhbnNJRCI6ImQ3YzFlZTk5LTk0NzgtNDRhNi1iMWYyLTM5MWUyOWM2YjM0MCIsCiJtZXNzYWdlVHlwZSI6IkNSZXMiLAoibWVzc2FnZVZlcnNpb24iOiIyLjEuMCIsCiJ0cmFuc1N0YXR1cyI6IlkiLAoibWVzc2FnZUV4dGVuc2lvbiI6CiAgICBbewogICAgIm5hbWUiOiJtc2dleHRuYW1lIiwKICAgICJpZCI6IjUwMTM0MTU5MkJfMDAwMV80NTY4IiwKICAgICJjcml0aWNhbGl0eUluZGljYXRvciI6ZmFsc2UsCiAgICAiZGF0YSI6CiAgICAgICAgewogICAgICAgICJ2YWx1ZU9uZSI6Im1lc3NhZ2VleHRlbnNpb25kYXRhIiwKICAgICAgICAidmFsdWVUd28iOiJtb3JlbWVzc2FnZWV4dGVuc2lvbmRhdGEiCiAgICAgICAgfQogICAgfV0KfQ==
    3. Decode the base64-encoded CRes response.
      Example of the Decoded CRes Response from the Challenge
      {
      "threeDServerTransId":"8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
      "acsTransId":"d7c1ee99-9478-44a6-b1f2-391e29c6b340",
      "messageType":"CRes",
      "messageVersion":"2.1.0",
      "transStatus":"Y",
      "messageExtension":
          [{
          "name":"msgextname",
          "id":"501341592B_0001_4568",
          "criticalityIndicator":false,
          "data":
              {
              "valueOne":"messageextensiondata",
              "valueTwo":"moremessageextensiondata"
              }
          }]
      }
      ParameterDescription
      threeDSServerTransIDThe 3DS server transaction ID, returned in the InitAuth3D response.
      acsTransIDThe ACS transaction ID, as generated by the issuer.
      messageExtensionOptional data necessary to support requirements not otherwise defined in 3D-Secure.
      messageTypeThe message type (CRes).
      messageVersionThe 3DS protocol version used for the authentication.
      transStatusThe transaction status. Possible values:
      Y – challenge/authentication succeeded.
      N – challenge/authentication failed.
    4. Continue to the next step:
      • For a payment flow: Final Payment Request.
      • For an authorize3d flow: Verify the 3D-Secure Authorization Result.
    Parameter Description
    Parameter
    Description
    threeDSServerTransID The 3DS server transaction ID, returned in the InitAuth3D response.
    acsTransID The ACS transaction ID, as generated by the issuer.
    messageExtension Optional data necessary to support requirements not otherwise defined in 3D-Secure.
    messageType The message type (CRes).
    messageVersion The 3DS protocol version used for the authentication.
    transStatus The transaction status. Possible values:
    Y – challenge/authentication succeeded.
    N – challenge/authentication failed.

     

    • Terms of use
    • Privacy Policy
    Nuvei. All rights reserved.