Skip to main content

Challenge Flow

When a Challenge is requested, as detailed in the TransactionStatus field, you need to complete the following to allow the Cardholder to Authenticate.

Requirement
  1. HTTP form POST redirecting the Cardholder to the provided ACSUrl.
  2. Interpret the results in the returned HTTP POST from the ACSUrl.
  3. Invoke the GetResult method to receive the outcome of the challenge and the data required to proceed to authorisation.
  4. Intepret the GetResult Response.

Cardholder Redirection

The Authenticate Response will contain the values for the AcsUrl and CReq, which the you should use to perform the HTTP Post to the ACS.

An HTTPS form POST request should be sent to the AcsUrl with the following parameters:

POST ACSUrl
Field NameStateData TypeDescription
CReqMandatoryStringThis is the value as provided in the Authentication Response.

POST example code

<form name="frm" method="POST" action="AcsUrl">
    <input type="hidden" name="creq" value="CReq" />
</form>
Cardholder Redirection

During the Challenge flow, the cardholder is redirected to the ACS Url and is no longer visible to you. Should you need to, you can invoke the GetResult method and interrogate any ChallengeCancellationIndicator to identify reasons why the cardholder has not been redirected back.

Cardholder Challenge Results

After the cardholder has authenticated with the ACS, the ACS will post back the result of the challenge to the DS which in turn posts back to the ResultUrl Entrypoint Service. The cardholder is then posted back to the NotificationUrl provided by the merchant in the Authenticate Request with the CRes.

An HTTPS form POST will be sent to the NotificationUrl with the following parameters:

POST ACSUrl
Field NameStateData TypeDescription
CReqMandatoryStringThis is the result of the Challenge.
threeDSSessionDataOptionalStringThis optional field may not be returned. It is a bse64-encoded string, maximum 1024 bytes.

Example Response

<form name="frm" method="POST" action="NotificationUrl">
    <input type="hidden" name="cres" value="CRes" />
    <input type="hidden" name="threeDSSessionData" value="threeDSSessionData" />
</form>
Next Steps

Once you have received the HTTP POST response, you must invoke the GetResult method to receive the outcome of the challenge and the data required to proceed to authorisation.

Get Result Request

URL

https://ppe.optpg.com/PayerAuthEntryPoint/v1/PayerAuthEntryPoint.svc/rest/GetResult

MethodHTTP POST containing the fields below
GetResult Request
Field NameStateData TypeDescription
ReferenceOptionalStringYour payment reference for this request. The reference can be viewed in reporting and is useful for diagnostics. We recommend using a Globally Unique Identifier(GUID)

Maximum of 50 Alphanumeric Characters
AuthenticationDetailsMandatoryObjectData that the platform uses to authenticate this request. Mandatory for all requests. See AuthenticationDetails for more information.
SendAttemptMandatoryIntegerSequential increment based upon number of attempts to send,starting at 1. You should iterate this following any unsuccessful attempts, and monitor excessive attempts.
CardClassIdMandatoryIntegerIndicates the card scheme that issued the card.
ThreeDsServerTransactionIdMandatoryStringUniversally unique transaction identifier assigned by the DS to identify a single transaction.

Length: 36 characters

Value accepted: Canonical format as defined in IETF RFC 4122. May utilise any of the specified versions as long as the output meets specified requirements.

AuthenticationDetails

Authentication Details
Field NameStateData TypeDescription
MerchantSignatureKeyIdMandatoryIntegerGateway supports multiple signature keys to be stored against a merchants system. The ID for the required signature must be passed here.

Most merchants will only have one signature key and this value will be 1
RequestDateTimeUtcMandatorydateTimeDate and time of the transmission of the message, in UTC format.

YYYY-MM-DDTHH:MM:SS format.
RequestTypeMandatoryStringType of message being sent to the gateway

ThreeDSecureV2GetResultRequest should be used
MerchantStoreIdMandatoryIntegerID of the Merchant Store being used for this transaction. This will be provided as part of your test credentials.
SignatureTypeMandatoryStringType of signature used.

Hmac256 must be used.
SignatureMandatoryStringThe signature generated for this request.

Request Code Examples

{
    "Reference":"TestTransaction",
    "AuthenticationDetails":{
        "MerchantSignatureKeyId":32767,
        "RequestDateTimeUtc":"\/Date(928146000000+0100)\/",
        "RequestType":"String content",
        "MerchantStoreId":2147483647,
        "SignatureType":0,
        "Signature":"String content"
    },
    "SendAttempt":1,
    "CardClassId":8,
    "ThreeDsServerTransactionId":"String content"
}

Get Result Response

A detailed breakdown of all of the fields returned in the response are shown below.

GetResult Response
Field NameData TypeDescription
ReferenceStringGateway returns the original reference passed by the integrator

Length: Variable, max. 50 characters.
ErrorCodeIntegerIf an error has occurred during the process the relevant code will be populated in this field.
ErrorMessageStringIf an error has occurred during the process the relevant message will be populated in this field.
ResponseTimeIntegerNumber of milliseconds taken for the response to be returned
AtsDataStringAdditional Transaction Security (ATS) data

This will only be populated in the event of fallback to V1.
AuthenticationEciStringElectronic Commerce Indicator (ECI) - consists of two digits
AuthenticationTypeStringIndicates the type of authentication method the Issuer will use to challenge the Cardholder, whether in the ARes message or what was used by the ACS when in the RReq message.
01Static.
02Dynamic.
03OOB
04Decoupled.
AuthenticationValueStringCardholder Authentication Verification Value (CAVV) - a 28-byte base64 encoded value
ChallengeCancellationIndicatorString

Indicates the type of authentication method the Issuer will use to challenge the Cardholder, whether in the ARes message or what was used by the ACS when in the RReq message.

01Cardholder selected 'Cancel'.
02Reserved for future EMVCo use (values invalid until defined by EMVCo).
03Transaction Timed Out - Decoupled Authentication,
04Transaction Timed Out at ACS - other timeouts,
05Transaction Timed out at ACS - First CReq not received by ACS.
06Transaction Error.
07Unknown.
08Transaction Timed Out at SDK.
This field will only be provided if the authentication has been cancelled or is otherwise unsuccessful, as indicated.
DsTransactionIdStringUniversally unique transaction identifier assigned by the DS to identify a single transaction.

For information only, the solution uses ThreeDsServerTransactionId instead.
ThreeDsServerTransactionIdStringUniversally unique transaction identifier assigned by the 3DS Server to identify a single transaction.

Length: 36 characters.

Populated if DS interaction has taken place.
TransactionStatusString

Indicates whether a transaction qualifies as an authenticated transaction or account verification.

Note: The Final CRes message can contain only a value of Y or N.
YAuthentication Verification Successful.
NNot Authenticated/Account Not Verified; Transaction denied.
UAuthentication/Account Verification Could Not Be Performed; Technical or other problem, as indicated in ARes or RReq.
AAttempts Processing Performed; Not Authenticated/Verified, but a proof of attempted authentication/verification is provided.
CChallenge Required; Additional authentication is required using the CReq/CRes.
DChallenge Required; Decoupled Authentication confirmed.
RAuthentication/Account Verification Rejected; Issuer is rejecting authentication/verification and request that authorisation not be attempted.
IInformational Only; 3DS Requestor challenge preference acknowledged.
Populated if DS interaction has taken place.
TransactionStatusReasonStringProvides information on why the Transaction Status field has the specified value.
01Card authentication failed.
02Unknown Device.
03Unsupported Device.
04Exceeds authentication frequency limit.
05Expired card.
06Invalid card number.
07Invalid transaction.
08No Card record.
09Security failure.
10Stolen card.
11Suspected fraud.
12Transaction not permitted to cardholder.
13Cardholder not enrolled in service.
14Transaction timed out at the ACS.
15Low confidence.
16Medium confidence.
17High confidence.
18Very High confidence.
19Exceeds ACS maximum challenges.
20Non-Payment transaction not supported.
213RI transaction not supported.
22ACS technical issue.
23Decoupled Authentication required by ACS but not requested by 3DS Requestor.
243DS Requestor Decoupled Max Expiry Time exceeded.
25Decoupled Authentication was provided insufficient time to authenticate cardholder. ACS will not make attempt.
26Authentication attempted but not performed by the cardholder.
Populated if DS interaction has taken place.

Get Result Code Examples

{
    "Reference":"TestTransaction",
    "ErrorCode":00,
    "ErrorMessage":"String content",
    "ResponseTime":100,
    "AtsData":"String content",
    "AuthenticationEci":"String content",
    "AuthenticationType":"String content",
    "AuthenticationValue":"String content",
    "ChallengeCancellationIndicator":"String content",
    "DsTransactionId":"String content",
    "ThreeDsServerTransactionId":"String content",
    "TransactionStatus":"String content",
    "TransactionStatusReason":"String content"
}

Challenge Complete

When the GetResultResponse contains a TransactionStatus value you can proceed to Using your Results for guidance on the next steps.