3D Secure Version 2

Overview

3DSv2 is the latest protocol defined by EMVCo which allows consumers to authenticate with their card issuer when making card-not-present ecommerce purchases. This security layer helps to protect the merchants from fraud.

Merchant collects all the details about the cardholder and sends to the issuer to verify. The liability shift will be depend on the authentication result after the issuer assesses the information provided by the Merchant. There could be two possible scenarios: frictionless flow or challenge flow.

The flow could be frictionless if the issuer can verify the cardholder’s identity based on the provided details. This is the case when the issuer authenticates the cardholder without any interruption in the checkout process.

The issuer can also request the cardholder to go through the Challenge flow to authenticate the cardholder. There is redirection to the issuer in order to get the authentication.

The following process outlines how you can use Bambora’s 3DSecure v2 to carry out authentication and transaction requests for a single payment.

3DSv2 Authentication flows

Frictionless

Flow Summary

After Merchant calls the 3DS Authentication Request, if the transaction is identified as low risk by the ACS, Merchant will get the Frictionless Authentication Prep response from Bambora. That means the Cardholder completes the authentication process and the Merchant can use the Authentication result to decide whether to continue/ decline processing the transaction.

Sample Frictionless Authentication Prep Response

{
    "transactionReference": "56e6cb5f-d1f4-4d22-b8d3-1384f7b17a62",
    "authenticationSessionId": "4548e709-d145-4d71-b0df-de4255d43383",
    "authenticationPreparationResponse": {
        "authenticationStatus": "Succeeded",
        "cavv": "AAABBEg0VhI0VniQEjRWAAAAAAA=",
        "eci": "05",
        "xid": "f25084f0-5b16-4c0a-ae5d-b24808a95e4b"
    }
}

Merchant need to use the details from the response in the Payment request (SRAPI)

Frictionless with Method URL

Flow Summary

Based on the BIN or BIN range, the issuer may decide to use Method URL to collect the device fingerprint from the Cardholder. If the BIN number is in the BIN range that the issuer has defined to request for method URL, Merchant will get the Method URL response from Bambora.

Sample Frictionless with Method URL Authentication Prep Response

{
  "transactionReference": "ca75295b-9d03-4294-9e97-312686884a43",
  "authenticationSessionId": "d886f14b-77c1-42b8-a632-da20d3551f4f",
  "redirectionFormData": {
    "actionUrl": "https://path.to/actionUrl",
	"methodUrl": "https://path.to/methodurl",
    "threeDSMethodData": "eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6ImU3NjRmNjVmLWI4MTYtNDE5Zi05OWU0LWViY2QwNmM0ZTY5MCIsInRocmVlRFNNZXRob2ROb3RpZmljYXRpb25VUkwiOiJodHRwczovL2VzZi1nYXRld2F5LXB1YmxpYy1kZXYuc2VydmljZXMub2dvbmUuc2IuZXUuZ2luZnJhLm5ldC8zZHMtbWV0aG9kLXJlZGlyZWN0aW9uLzcxYjA2MDYxLWViYWUtNDQ2NS05ZTA5LTBiMjlkM2VhZGVlNS9WaXNhL3JlcXVlc3QvY2FsbGJhY2sifQ",
  }
}

Merchant needs to redirect the cardholder to the ActionURL which is provided in the Authentication Prep Response.

The Cardholder is held on the Method URL page and does not require to take any action. When the process is completed, Bambora sends the Authentication Notification to the provided Merchant URL (this URL is provided by Merchant while onboarding).

Sample Authentication Notification

{
 "transactionReference": "3357bd1e-29c1-4f6a-95d4-f1936531511b",
 "authenticationSessionId": "7a96e093-ba49-43b8-8b74-dfd22ff27653",
 "authenticationMode": "MethodUrl_Frictionless",
 "authenticationPreparationResponse": {
  "authenticationStatus": "Succeeded",
  "cavv": "AAABBE****AAA=",
  "eci": "05",
  "xid": "f25084f0-5b16-4c0a-ae5d-b24808a95e4b"
 },
 "authenticationResponse": "{\"acsReferenceNumber\":\"3DS_LOA_ACS_PPFU_020100_00009\",\"acsTransID\":\"63AEEFE8-BE1F-41FA-AD52-4B5E2E16671D\",\"acsUrl\":\"https://mpi-v2-simulation.test.v-psp.com/acs-simulation/challenge?redirectUrl=https%3A%2F%2Fthreedsv2-api-nuat.bambora.net.au%2Fv1%2Fnotification\",\"cardholderInfo\":\"cardholder\",\"dsTransID\":\"f25084f0-5b16-4c0a-ae5d-b24808a95e4b\",\"Eci\":\"05\",\"transStatus\":\"Y\",\"transStatusReason\":null,\"whiteListStatus\":null,\"challengeCancel\":null,\"messageType\":\"ARes\",\"messageVersion\":\"2.2.0\",\"threeDSServerTransID\":\"73287d8b-4cc3-4bec-9efe-61f2b871a364\"}"
}

Merchant need to use the details from the response in the Payment request (SRAPI).

Challenge

Flow Summary

Sample Challenge Authentication Prep Response

{
  "transactionReference": "ca75295b-9d03-4294-9e97-312686884a43",
  "authenticationSessionId": "d886f14b-77c1-42b8-a632-da20d3551f4f",
  "redirectionFormData": {
    "actionUrl": "https://path.to/actionUrl",
    "threeDSSessionData": "eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6ImU3NjRmNjVmLWI4MTYtNDE5Zi05OWU0LWViY2QwNmM0ZTY5MCIsInRocmVlRFNNZXRob2ROb3RpZmljYXRpb25VUkwiOiJodHRwczovL2VzZi1nYXRld2F5LXB1YmxpYy1kZXYuc2VydmljZXMub2dvbmUuc2IuZXUuZ2luZnJhLm5ldC8zZHMtbWV0aG9kLXJlZGlyZWN0aW9uLzcxYjA2MDYxLWViYWUtNDQ2NS05ZTA5LTBiMjlkM2VhZGVlNS9WaXNhL3JlcXVlc3QvY2FsbGJhY2sifQ",
    "creq": "eyJhY3NUcmFuc0lEIjoiNUUwRDhFQ0UtNDU0RC00QzkwLTk2QzMtMTRERTZFNTYxNjBFIiwiY2hhbGxlbmdlV2luZG93U2l6ZSI6IjA1IiwibWVzc2FnZVR5cGUiOiJDUmVxIiwibWVzc2FnZVZlcnNpb24iOiIyLjIuMCIsInRocmVlRFNTZXJ2ZXJUcmFuc0lEIjoiYTQxNzM4ZmUtM2NiNi00NmQzLTk1ZjctODcwNDVlNGRhN2YzIn0"
  },
  "authenticationPreparationResponse": {
    "authenticationStatus": "Required",
    "xid": "f25084f0-5b16-4c0a-ae5d-b24808a95e4b"
  }
}

Merchant needs to redirect the cardholder to the ActionURL which is provided in the Authentication Prep Response.

The Cardholder is required to take action based on the request on the Challenge page. When the challenge is completed, Bambora sends the Authentication Notification to the provided Merchant URL (this URL is provided by Merchant while onboarding)

Sample Authentication Notification

{
 "transactionReference": "1a5f8c45-0bce-4c8b-b951-4c5f955aff44",
 "authenticationSessionId": "beb17576-0b70-4d65-821b-d923042edfae",
 "authenticationMode": "Challenge",
 "authenticationPreparationResponse": {
  "authenticationStatus": "Succeeded",
  "cavv": "AAABBE****AAA=",
  "eci": "05",
  "xid": "f25084f0-5b16-4c0a-ae5d-b24808a95e4b"
 },
 "authenticationResponse": "{\"acsReferenceNumber\":\"3DS_LOA_ACS_PPFU_020100_00009\",\"acsTransID\":\"5E0D8ECE-454D-4C90-96C3-14DE6E56160E\",\"acsUrl\":\"https://mpi-v2-simulation.test.v-psp.com/acs-simulation/challenge?redirectUrl=https%3A%2F%2Fthreedsv2-api-nuat.bambora.net.au%2Fv1%2Fnotification\",\"cardholderInfo\":\"cardholder\",\"dsTransID\":\"f25084f0-5b16-4c0a-ae5d-b24808a95e4b\",\"Eci\":null,\"transStatus\":\"C\",\"transStatusReason\":\"16\",\"whiteListStatus\":null,\"challengeCancel\":null,\"messageType\":\"ARes\",\"messageVersion\":\"2.2.0\",\"threeDSServerTransID\":\"557c3c59-df44-4495-87d3-705f6bee1fe9\"}"
}

Merchant need to use the details from the response in the Payment request (SRAPI)

Challenge with Method URL

Flow Summary

Sample Challenge with Method URL Authentication Prep Response

{
  "transactionReference": "ca75295b-9d03-4294-9e97-312686884a43",
  "authenticationSessionId": "d886f14b-77c1-42b8-a632-da20d3551f4f",
  "redirectionFormData": {
    "actionUrl": "https://path.to/actionUrl",
	"methodUrl": "https://path.to/methodUrl",
    "threeDSMethodData": "eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6ImU3NjRmNjVmLWI4MTYtNDE5Zi05OWU0LWViY2QwNmM0ZTY5MCIsInRocmVlRFNNZXRob2ROb3RpZmljYXRpb25VUkwiOiJodHRwczovL2VzZi1nYXRld2F5LXB1YmxpYy1kZXYuc2VydmljZXMub2dvbmUuc2IuZXUuZ2luZnJhLm5ldC8zZHMtbWV0aG9kLXJlZGlyZWN0aW9uLzcxYjA2MDYxLWViYWUtNDQ2NS05ZTA5LTBiMjlkM2VhZGVlNS9WaXNhL3JlcXVlc3QvY2FsbGJhY2sifQ"
  }
}

Merchant needs to redirect the cardholder to the ActionURL which is provided in the Authentication Prep Response.

Cardholder is required to take challenge based on Issuer’s request. When the action is completed, Bambora sends the Authentication Notification to the provided Merchant URL (this URL is provided by Merchant while onboarding)

Sample Authentication Notification

{
 "transactionReference": "b0437a98-26e5-4e0b-adb0-180d91a9dbad",
 "authenticationSessionId": "8f60ba31-f413-4a97-aa00-308415d9c3a3",
 "authenticationMode": "MethodUrl_Challenge",
 "authenticationPreparationResponse": {
  "authenticationStatus": "Succeeded",
  "cavv": "AAABBE****AAA=",
  "eci": "05",
  "xid": "f25084f0-5b16-4c0a-ae5d-b24808a95e4b"
 },
 "authenticationResponse": "{\"acsReferenceNumber\":\"3DS_LOA_ACS_PPFU_020100_00009\",\"acsTransID\":\"D1096AB5-22D2-4805-B4EA-ECB53DFC3F91\",\"acsUrl\":\"https://mpi-v2-simulation.test.v-psp.com/acs-simulation/challenge?redirectUrl=https%3A%2F%2Fthreedsv2-api-nuat.bambora.net.au%2Fv1%2Fnotification\",\"cardholderInfo\":\"cardholder\",\"dsTransID\":\"f25084f0-5b16-4c0a-ae5d-b24808a95e4b\",\"Eci\":null,\"transStatus\":\"C\",\"transStatusReason\":\"16\",\"whiteListStatus\":null,\"challengeCancel\":null,\"messageType\":\"ARes\",\"messageVersion\":\"2.2.0\",\"threeDSServerTransID\":\"cf006dee-293b-4323-af4d-390cbfdf1b98\"}"
}

Specification of Authentication messages

3DS Authentication request

In order to start the Authentication, Merchant should be onboarded in the UAT (test) environment. The Merchant can start to send the Authentication preparation request to Bambora. Merchant should include as much information about the transaction and the cardholder as possible as part of authentication.

Merchant will receive the Authentication Preparation Response for their Authentication Preparation request.

UAT API Link

https://threedsv2-api-nuat.bambora.net.au/v1/authentication

Sample of the request

POSThttps://threedsv2-api-nuat.bambora.net.au/v1/authentication

Headers:

Content-Type: application/json

x-api-key: <your API key>

{
    "merchantAccountId": 7,
    "browserInformation": {
        "acceptHeader": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3",
        "ipAddress": "192.168.0.1",
        "javaEnabled": true,
        "javascriptEnabled": true,
        "language": "en-AU",
        "colorDepth": "1bit",
        "screenHeight": 999999,
        "screenWidth": 999999,
        "timeZone": 700,
        "userAgent": "string"
    },
    "card": {
        "pan": "<test card>",
        "cardholderName": "C H Name",
        "expiryDate": {
            "month": 1,
            "year": 2022
        }
    },
    "purchaseInformation": {
        "currency": "AUD",
        "amount": 10,
        "dateTime": "2021-08-12T15:32:48Z"    
    },
    "authenticationInformation": {
        "authenticationIndicator": "PaymentTransaction",
        "messageCategory": "PaymentAuthentication",
        "challengeInformation": {
            "windowSize": "fullscreen"
        }
    },    
    "threeRIIndicator": "RecurringTransaction"
}

Parameters in the request body

Conditions:

Mandatory: These are the minimum API fields required for a 3DS authentication.
Recommended: The major card schemes highly recommend including these, as they will enhance the chance of a frictionless flow.
Optional: These fields are not required for 3DS authentication. The more data the merchant send in the authentication, the better the result of risk assessment is.
Conditional: These fields must be completed if certain conditions are met.

Group	Header fields	Fields	Conditions	Type	Validation	Definitions
Browser information	BrowserInformation	acceptHeader	Mandatory	string	Max 2048 characters	Exact content of the HTTP accept headers as sent to the merchant from the Cardholder’s browser. Length: Variable, maximum 2048 characters Data Type: String Value accepted: If the total length of the accept header sent by the browser exceeds 2048 characters, the 3DS Server truncates the excess portion
Browser information	BrowserInformation	ipAddress	Mandatory	string	1- 250 characters	The cardholder’s IP address. pattern: ^([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{1,4}\|(\d{1,3}\.){3}\d{1,3}$ example: 192.189.3.2, 2001:0db8:0000:0042:0000:8a2e:0370:7334 must follow IPV4 or IPV6 pattern
Browser information	BrowserInformation	javaEnabled	Mandatory	boolean	Values accepted: true false	Boolean that represents the ability of the cardholder browser to execute Java. Value is returned from the navigator java Enabled property.
Browser information	BrowserInformation	language	Mandatory	string	1-8 characters Format accepted: xx, xxx, xx-XX or xx-xxxx-xx.	Value representing the browser language as defined in IETF BCP47. Returned from navigator language property. (E.g. en, fr, en-US, fr-ca) It is not case-sensitive.
Browser information	BrowserInformation	colorDepth	Mandatory	string	Values accepted: 1 = 1 bit 4 = 4 bits 8 = 8 bits 15 = 15 bits 16 = 16 bits 24 = 24 bits 32 = 32 bits 48 = 48 bits	Value representing the bit depth of the color palette for displaying images, in bits per pixel. Obtained from Cardholder browser using the screen color Depth property. If JavaScript is not enabled in the cardholder’s browser, this value should be 1bit.
Browser information	BrowserInformation	screenHeight	Mandatory	integer	Between 0 and 999999	Total height of the Cardholder’s screen in pixels. Value is returned from the screen height property.
Browser information	BrowserInformation	screenWidth	Mandatory	integer	Between 0 and 999999	Total width of the cardholder’s screen in pixels. Value is returned from the screen width property.
Browser information	BrowserInformation	timeZone	Mandatory	integer	Between - 840 and 720	Time difference between UTC time and the Cardholder browser local time, in minutes. If JavaScript is not enabled in the cardholder’s browser, this value should be 0.
Browser information	BrowserInformation	userAgent	Mandatory	string	Max 2048 characters	Browser User Agent. Exact content of the HTTP user-agent header. Note: If the total length of the UserAgent sent by the browser exceeds 2048 characters, the 3DS Server truncates the excess portion
Browser information	BrowserInformation	javascriptEnabled	Mandatory	boolean	Values accepted: true false	Boolean that represents the ability of the cardholder browser to execute JavaScript
Merchant Risk &Info, Cardholder Account Info	card	cardholderName	Mandatory	string	Format validation: Accepted pattern : `[a-zA-Z]+(([',. -][a-zA-Z ])?[a-zA-Z])`	Cardholder’s name greater than 45 characters will be truncated. Special characters are allowed, but quotes must be avoided. Most acquirers don’t check the customer name since names can be written in different ways.
Merchant Risk &Info, Cardholder Account Info	accountInformation	accountAgeIndicator	Optional	string	Values accepted: NoAccount CreatedDuringTransaction LessThan30Days Between30And60Days MoreThan60Days	Payment Account Age Indicator. Indicates the length of time that the payment account was enrolled in the cardholder’s account with the merchant.
Merchant Risk &Info, Cardholder Account Info	accountInformation	accountDate	Optional	date	Format accepted: YYYYMMDD	Cardholder Account Date. Date that the cardholder opened the account with the merchant
Merchant Risk &Info, Cardholder Account Info	accountInformation	accountChangeIndicator	Optional	string	Values accepted: ChangedDuringThisTransaction LessThan30Days Between30And60Days MoreThan60Days	Length of time since the cardholder’s account information with the 3DS Requestor was last changed, including Billing or Shipping address, new payment account, or new user(s) added.
Merchant Risk &Info, Cardholder Account Info	accountInformation	accountChange	Optional	date	Date format = YYYYMMDD	Date that the cardholder’s account with the 3DS Requestor was last changed, including Billing or Shipping address, new payment account, or new user(s) added
Merchant Risk &Info, Cardholder Account Info	accountInformation	accountPasswordChangeIndicator	Optional	string	Values accepted: ChangedDuringThisTransaction LessThan30Days Between30And60Days MoreThan60Days	Indicates the length of time since the cardholder’s account with the 3DS Requestor had a password change or account reset.
Merchant Risk &Info, Cardholder Account Info	accountInformation	accountPasswordChange	Optional	date	Date format = YYYYMMDD	Date that cardholder’s account with the 3DS Requestor had a password change or account reset.
Merchant Risk &Info, Cardholder Account Info	accountInformation	shippingAddressWasFirstUsed	Optional	string	Value accepted: ThisTransaction LessThan30Days Between30And60Days MoreThan60Days	Indicates when the shipping address used for this transaction was first used with the 3DS Requestor.
Merchant Risk &Info, Cardholder Account Info	accountInformation	shippingAddressUsage	Optional	date	Date format = YYYYMMDD	Date when the shipping address used for this transaction was first used with the merchant
Merchant Risk &Info, Cardholder Account Info	accountInformation	transactionActivityInTheLast24Hours	Optional	integer	Between 0 and 999	Number of transactions (successful and abandoned) for this cardholder account with the 3DS Requestor across all payment accounts in the previous 24 hours
Merchant Risk &Info, Cardholder Account Info	accountInformation	transactionActivityLastYear	Optional	integer	Between 0 and 999	Number of transactions (successful and abandoned) for this cardholder account with the 3DS Requestor across all payment accounts in the previous year
Merchant Risk &Info, Cardholder Account Info	accountInformation	provisionAttemptsInTheLast24Hours	Optional	integer	Between 0 and 999	Number of Add Card attempts in the last 24 hours
Merchant Risk &Info, Cardholder Account Info	accountInformation	numberOfPurchaseWithAccountInTheLastSixMonths	Optional	integer	Between 0 and 999	Number of purchases with this cardholder account during the previous six months
Merchant Risk &Info, Cardholder Account Info	accountInformation	suspiciousAccountActivityDetected	Optional	boolean	Values accepted: true false	Indicates whether the merchant has experienced suspicious activity (including previous fraud) on the cardholder account
Merchant Risk &Info, Cardholder Account Info	accountInformation	shippingNameAndCardholderNameAreIdentical	Optional	boolean	Values accepted: true false	Indicates if the Cardholder Name on the account is identical to the shipping Name used for this transaction
Merchant Risk &Info, Cardholder Account Info	accountInformation	paymentAccountIndicator	Optional	string	Values accepted: NoAccount DuringThisTransaction LessThan30Days Between30And60Days, MoreThan60Days	Indicates the length of time that the payment account was enrolled in the cardholder’s account with the 3DS Requestor.
Merchant Risk &Info, Cardholder Account Info	accountInformation	paymentAccountAge	Optional	date	Date format = YYYYMMDD	date that the payment account was enrolled in the cardholder’s account with the 3DS Requestor
Merchant Risk &Info, Cardholder Account Info	merchantRiskIndicator	shippingIndicator	Optional	string	Value accepted: ShipToCardholdersBillingAddress ShipToAnotherVerifiedAddressOnFileWithMerchant ShipToAddressThatIsDifferentThanTheCardholdersBillingAddress PickUpAtLocalStore DigitalGoods TravelAndEventTicketsNotShipped	Indicates shipping method chosen for the transaction. Merchants must choose the Shipping Indicator code that most accurately describes the cardholder’s specific transaction, not their general business. If one or more items are included in the sale, use the Shipping Indicator code for the physical goods, or if all digital goods, use the Shipping Indicator code that describes the most expensive item.
Merchant Risk &Info, Cardholder Account Info	merchantRiskIndicator	deliveryTimeframe	Optional	string	Values accepted: ElectronicDelivery SameDayShipping OvernightShipping TwoDayOrMoreShipping	Indicates the merchandise delivery timeframe.
Merchant Risk &Info, Cardholder Account Info	merchantRiskIndicator	deliveryEmailAddress	Optional	string	Max 254 characters	For electronic delivery, the email address the goods are sent to. Pattern: ^.@.…*$
Merchant Risk &Info, Cardholder Account Info	merchantRiskIndicator	reorderItemsIndicator	Optional	string	Values accepted: FirstTime Reordered	Indicates whether the cardholder is reordering previously purchased merchandise.
Merchant Risk &Info, Cardholder Account Info	merchantRiskIndicator	preOrderPurchaseIndicator	Optional	string	Values accepted: MerchandiseAvailable FutureAvailablility	Indicates whether Cardholder is placing an order for merchandise with a future availability or release date.
Merchant Risk &Info, Cardholder Account Info	merchantRiskIndicator	preOrderDate	Optional	date	Date format = YYYYMMDD	For a pre-ordered purchase, the expected date that the merchandise will be available.
Merchant Risk &Info, Cardholder Account Info	merchantRiskIndicator	giftCardInformation.amount.currency	Conditional	string	Length 3 characters For example: AUD	For prepaid or gift card purchase, the currency code of the card as defined in ISO 4217. If you send merchantRiskIndicator.giftCardInformation.amount.amount, you must also send merchantRiskIndicator.giftCardInformation.amount.currency.
Merchant Risk &Info, Cardholder Account Info	merchantRiskIndicator	giftCardInformation.amount.amount	Conditional	string	Between 0 and 999999999999999	amount of the gift card without the decimal part For prepaid or gift card purchase, the purchase amount total of prepaid or gift card(s) in major units. Example: $123.45 should be sent as 123 If you send merchantRiskIndicator.giftCardInformation.amount.amount, you must also send merchantRiskIndicator.giftCardInformation.amount.currency.
Merchant Risk &Info, Cardholder Account Info	merchantRiskIndicator	giftCardInformation.count	Optional	integer	Between 0 and 99	Total count of individual prepaid or gift cards/codes purchased.
Transaction & Checkout Page Info	billingAddressSameAsShippingAddress		Optional	boolean	Values accepted: true false	Indicates whether we consider the billing and shipping address to be identical.
Transaction & Checkout Page Info	card	pan	Conditional	string	13 -19 characters	The credit/debit card number. E.g. 1234 5678 9065 4321 If stt and bamboraToken fields are blank, this field is required.
Transaction & Checkout Page Info	card	expiryDate.year	Conditional	integer	Between 1970 to 2099	Year when the credit card expires. If the pan is sent, expiryDate.year is required.
Transaction & Checkout Page Info	CardExpiryDate	expiryDate.month	Conditional	integer	Between 1 to 12	Month when the credit card expires. If the pan is sent, expiryDate.month is required.
Transaction & Checkout Page Info	stt		Conditional	integer		Secure transaction token If card.pan and bamboraToken fields are blank, this field is required.
Transaction & Checkout Page Info	bamboraToken		Conditional	integer		Bambora token If card.pan and stt fields are blank, this field is required.
Transaction & Checkout Page Info	billingAddress	addressLine1	Recommended	string	Max 50 characters	First line of the street address or equivalent local portion of the Cardholder billing address associated with the card used for this purchase.
Transaction & Checkout Page Info	billingAddress	addressLine2	Recommended	string	Max 50 characters	Second line of the street address or equivalent local portion of the Cardholder billing address associated with the card used for this purchase.
Transaction & Checkout Page Info	billingAddress	addressline3	Optional	string	Max 50 characters	Third line of the street address or equivalent local portion of the Cardholder billing address associated with the card used for this purchase.
Transaction & Checkout Page Info	billingAddress	postalCode	Recommended	string	Max 16 characters	ZIP or other postal code of the Cardholder billing address associated with the card used for this purchase.
Transaction & Checkout Page Info	billingAddress	city	Recommended	string	Max 50 characters	The city of the Cardholder billing address associated with the card used for this purchase
Transaction & Checkout Page Info	billingAddress	state	Optional	string	Max 3 characters Value accepted: Should be the country subdivision code defined in ISO 3166-2	The state or province of the Cardholder billing address associated with the card used for this purchase
Transaction & Checkout Page Info	billingAddress	country	Recommended	string	Length 2 characters Value accepted: ISO 3166-1 alpha-2 country code	The country of the Cardholder billing address associated with the card used for this purchase.
Transaction & Checkout Page Info	emailAddress		Recommended	string	Max 254 characters	The email address associated with the account that is either entered by the Cardholder, or is on file with the Merchant.
Transaction & Checkout Page Info	shippingAddress	addressLine1	Optional	string	Max 50 characters	First line of the street address or equivalent local portion of the shipping address requested by the Cardholder.
Transaction & Checkout Page Info	shippingAddress	addressLine2	Optional	string	Max 50 characters	The second line of the street address or equivalent local portion of the shipping address requested by the Cardholder.
Transaction & Checkout Page Info	shippingAddress	addressline3	Optional	string	Max 50 characters	The third line of the street address or equivalent local portion of the shipping address requested by the Cardholder.
Transaction & Checkout Page Info	shippingAddress	postalCode	Optional	string	Max 16 characters	The ZIP or other postal code of the shipping address requested by the Cardholder.
Transaction & Checkout Page Info	shippingAddress	city	Optional	string	Max 50 characters	City portion of the shipping address requested by the Cardholder.
Transaction & Checkout Page Info	shippingAddress	state	Optional	string	Max 3 characters Value accepted: Should be the country subdivision code defined in ISO 3166-2	The state or province of the shipping address associated with the card being used for this purchase.
Transaction & Checkout Page Info	shippingAddress	country	Optional	string	Length 2 characters Value accepted: ISO 3166-1 alpha-2 country code	Country of the shipping address requested by the Cardholder.
Transaction & Checkout Page Info	purchaseInformation	currency	Mandatory	string	Length 3 characters ISO 4217 three-digit currency code	Currency in which purchase amount is expressed.
Transaction & Checkout Page Info	purchaseInformation	amount	Mandatory	number	Between 0 to 214000000 Example: Purchase amount is USD 123.45 Example values accepted: 12345 012345 0012345	Purchase amount.
Transaction & Checkout Page Info	purchaseInformation	dateTime	Mandatory	date/time	Format accepted: YYYYMMDDHHMMSS	Date and time of the purchase, expressed in UTC.
Transaction & Checkout Page Info	Transactiontype		Optional	string	Values accepted: GoodsOrServicePurchase CheckAcceptance AccountFunding QuasiCashTransaction PrepaidActivationAndLoad	Identifies the type of transaction being authenticated
Transaction & Checkout Page Info	homePhone	country	Conditional	string	1- 3 characters ITU-E.164 country code Example: 64	Country code of a home phone Country phone code (ITU-E.164 cc value) If you provide homePhone.country you must also provide homePhone.subscriber.
Transaction & Checkout Page Info	homePhone	subscriber	Conditional	string	Max 15 characters Example: 93568088	The rest of phone number If you provide homePhone.country you must also provide homePhone.subscriber.
Transaction & Checkout Page Info	mobilePhone	country	Conditional	string	1- 3 characters ITU-E.164 country code Example: 64	Country code of a mobile phone Country phone code (ITU-E.164 cc value) If you provide mobilePhone.country you must also provide mobilePhone.subscriber.
Transaction & Checkout Page Info	mobilePhone	subscriber	Conditional	string	Max 15 characters Example: 93568088	The rest of phone number If you provide mobilePhone.country you must also provide mobilePhone.subscriber.
Transaction & Checkout Page Info	workPhone	country	Conditional	string	1- 3 characters ITU-E.164 country code Example: 64	Country code of a work phone Country phone code (ITU-E.164 cc value) If you provide workPhone.country you must also provide workPhone.subscriber.
Transaction & Checkout Page Info	workPhone	subscriber	Conditional	string	Max 15 characters Example: 93568088	The rest of work number If you provide workPhone.country you must also provide workPhone.subscriber.
Authentication Info	authenticationInformation	disableV2MethodUrl	Optional	boolean	Values accepted: true false	In case, Merchant does not want to support the Method URL.
Authentication Info	authenticationInformation	method	Optional	string	Values accepted: No3DSRequestorAuthenticationOccurred: No 3DS Requestor authentication occurred (i.e. cardholder “logged in” as guest) LoginToTheCardholderAccountAtThe3DSRequestorSystemUsing3DSRequestorsOwncredentials: Login to the cardholder account at the 3DS Requestor system using 3DS Requestor’s own credentials LoginToTheCardholderAccountAtThe3DSRequestorSystemUsingFederatedId: Login to the cardholder account at the 3DS Requestor system using federated ID LoginToTheCardholderAccountAtThe3DSRequestorSystemUsingIssuerCredentials: Login to the cardholder account at the 3DS Requestor system using issuer credentials LoginToTheCardholderAccountAtThe3DSRequestorSystemUsingThirdPartyAuthentication: Login to the cardholder account at the 3DS Requestor system using third-party authentication LoginToTheCardholderAccountAtThe3DSRequestorSystemUsingFidoAuthenticator: Login to the cardholder account at the 3DS Requestor system using FIDO Authenticator LoginToTheCardholderAccountAtThe3DSRequestorSystemUsingFidoAuthenticatorAssuranceDataSigned: Login to the cardholder account at the 3DS Requestor system using FIDO Authenticator (FIDO assurance data signed)	Mechanism used by the Cardholder to authenticate to the merchant.
Authentication Info	authenticationInformation	timestamp	Optional	string	Date format = YYYYMMDDHHMM	Date and time in UTC of the cardholder authentication.
Authentication Info	authenticationInformation	ChallengeIndicator	Optional	string	Values accepted: NoPreference NoChallengeRequested ChallengeRequested3DSRequestorPreference ChallengeRequestedMandate NoChallengeRequestedTransactionalRiskAnalysisIsAlreadyPerformed NoChallengeRequestedDataShareOnly NoChallengeRequestedStrongConsumerAuthenticationIsAlreadyPerformed NoChallengeRequestedUtiliseWhitelistExemptionIfNoChallengeRequired ChallengeRequestedWhitelistPromptRequestedIfChallengeRequired RequestScoringWithoutConnectingToAcsForCb	Use this parameter to request exemptions of 3DS. Merchant Challenge Indicator. Indicates whether a challenge is requested for this transaction. For example: For 01-PA, a merchant may have concerns about the transaction, and request a challenge. For 02-NPA, a challenge maybe necessary when adding a new card to a wallet. For local/regional mandates or other variables.
Authentication Info	priorAuthenticationInformation	method	Optional	string	Values accepted: FrictionlessAuthenticationOccurredByAcs CardholderChallengeOccurredByAcs AvsVerified :Address Verification Service OtherIssuerMethods	Mechanism used by the Cardholder to previously authenticate to the merchant.
Authentication Info	priorAuthenticationInformation	reference	Optional	string	Max 36 characters Value accepted: This data element contains an ACS Transaction ID for a prior authenticated transaction (for example, the first recurring transaction that was authenticated with the cardholder)	Merchant Prior Transaction Reference. This data element provides additional information to the ACS to determine the best approach for handing a request.
Authentication Info	priorAuthenticationInformation	timestamp	Optional	data-time	Date format = YYYYMMDDHHMMSS	Date and time in UTC of the prior cardholder authentication.
Authentication Info	authenticationInformation	authenticationIndicator	Mandatory	string	Values accepted: PaymentTransaction RecurringTransaction, InstalmentTransaction, AddCard, MaintainCard, CardholderVerificationAsPartOfEmvTokenIdAndV, MembershipRewardsTransactionOrMembershipRewardsBalanceInquiryForAmericanExpress, AddEmvTokenAndPerformCardMemberVerificationAsPartOfEmvTokenIdAndVIssuerMustNotSendAVForAmericanExpress, MaintainEmvTokenInformationAndPerformCardMemberVerificationAsPartOfEmvTokenIdAndVIssuerMustNotSendAVForAmericanExpress, AddEmvTokenAndPerformCardMemberVerificationAsPartOfEmvTokenIdAndVIssuerMustSendAVForAmericanExpress, MaintainEmvTokenInformationAndPerformCardMemberVerificationAsPartOfEmvTokenIdAndVIssuerMustSendAVForAmericanExpress	Indicates the type of Authentication request. This data element provides additional information to the ACS to determine the best approach for handing an authentication request
Authentication Info	purchaseInstalmentData		Optional	interger	Between 2 and 999	Indicates the maximum number of authorisations permitted for instalment payments. Value must be higher than 1
Authentication Info	recurringExpiry		Conditional	Date	Format accepted: YYYYMMDD	If this transaction initiates a recurring payment, this field denotes the date of the final recurring payment. Required if 3DS Requestor Authentication Indicator = 02 or 03
Authentication Info	recurringFrequency		Conditional	integer	Bettween 0 and 9999	Indicates the minimum number of days between authorisations Required if 3DS Requestor Authentication Indicator = 02 or 03.
Authentication Info	messageCategory		Mandatory	string	Values accepted: Enum: PaymentAuthentication NonPaymentAuthentication DataOnlyProcessForMastercard	Identifies the category of the message for a specific use case.
Authentication Info	threeRIIndicator		Mandatory	string	Values accepted: RecurringTransaction InstalmentTransaction AddCard MaintainCardInformation AccountVerification SplitOrDelayedShipment, TopUp MailOrder TelephoneOrder WhitelistStatusCheck OtherPayment	Indicates the type of 3RI request. This data element provides additional information to the ACS to determine the best approach for handing a 3RI request
Authentication Info	masterCardSpecificExtensions	acquirerCountryCode	Optional	string	Length 3 characters ISO 3166-1 numeric country code	Issuers need to be aware of the acquirer country code when the acquirer country differs from the merchant country and the acquirer is in the EEA
Authentication Info	ChallengeInformation	windowSize	Mandatory	string	Values accepted: 250x400 390x400 500x600 600x400 FullScreen

Authentication Prep Response message

This is the response that Merchant receives from Bambora for their Authentication Preparation Request. Merchant will take next steps based on the Authentication result in the response message.

Code	Description
200	OK
422	Validation errors, response body is a ProblemDetails JSON Object conforming to RFC 7807 - Problem Details for HTTP APIs

Parameters in the Response body

Header fields	Fields	Conditions	Type	Definitions
TransactionReference		Mandatory	string	Unique identifier for this transaction.
AuthenticationSessionId		Mandatory	string	3DS Requestor session ID that is returned by the ACS
Frictionless response
AuthenticationPreperationResponse	authenticationStatus	Mandatory	string	Authentication status. Refer to Authentication Result section.
AuthenticationPreperationResponse	cavv	Optional	string	Cardholder Authentication Verification Value. This value will be required in the Payment request (SRAPI)
AuthenticationPreperationResponse	eci	Mandatory	string	Electronic Commerce Indicator. Options For Visa: 05 06 07 For Mastercard: 02 or N2 01 00 or N0 This value will be required in the Payment request (SRAPI)
AuthenticationPreperationResponse	xid	Mandatory	string	Transaction Identifier. This value will be required in the Payment request (SRAPI)
Challenge and Method URL response
redirectionFormData	actionURL	Mandatory	url	This could be Method URL or Challenge URL
redirectionFormData	threeDSMethodData	Mandatory	string	A unique identifier for the transaction that will be the same as the 3DS Server Transaction ID in the Authentication Prep request message
redirectionFormData	eci	Optional	string	Electronic Commerce Indicator.
redirectionFormData	xid	Mandatory	string	Transaction Identifier.

Finalise Authentication response

This is the response that the Merchant receives from Bambora after the Cardholder completes the Method URL and Challenge.

Response Code

Code	Description
200	OK
422	Validation errors, response body is a ProblemDetails JSON Object conforming to RFC 7807 - Problem Details for HTTP APIs

Parameters in the Response body

Header fields	Fields	>Conditions	Type	Definitions
TransactionReference		Mandatory	string	Unique identifier for this transaction.
AuthenticationSessionId		Mandatory	string	3DS Requestor session ID that is returned by the ACS
AuthenticationMode			enum	Frictionless Challenge MethodUrl_Frictionless MethodUrl_Challenge
AuthenticationPreperationResponse	authenticationStatus	Mandatory	string	Authentication status. Refer to Authentication Result section.
AuthenticationPreperationResponse	cavv	Optional	string	Cardholder Authentication Verification Value. This value will be required in the Payment request (SRAPI)
AuthenticationPreperationResponse	eci	Mandatory	string	Electronic Commerce Indicator. Options For Visa: 05 06 07 For Mastercard: 02 or N2 01 00 or N0 This value will be required in the Payment request (SRAPI)
AuthenticationPreperationResponse	xid	Mandatory	string	Transaction Identifier. This value will be required in the Payment request (SRAPI)
AuthenticationResponse		Mandatory	string

Authentication Result

Authentication results are the same for Frictionless and Challenge flows. However it will be provided in a different message.

For Frictionless flow, the Authentication result is provided in the Authentication Preparation Response message.

For Challenge and Method URL flows, the Authentication result is provided in the Finalise Authentication Response message

Authentication Status

Status	Description	Liability	Notes
Succeeded	The cardholder is fully authenticated. All data needed for authorization and clearing, including theauthentication value, is included in the message.	Shifts to issuer	Proceed with the Payment Request (SRAPI)
Attempted	Authentication could not complete, but a proof of theauthentication attempt is generated	Shifts to issuer	Authentication was carried out by an issuer’s attempt server, rather than their ACS. Proceed with the Payment Request (SRAPI)
Failed	The cardholder failed or cancelled authenticationThe transaction is stopped Liability shift does not apply	Remains with merchant	Merchant can request transaction processing, however, liability will be on the Merchant
Rejected	The issuer is rejecting the authentication and requesting not toproceed to authorization	Remains with merchant	Issuer has rejected the authentication request and the transaction must not be processed.
Unknown or Unavailable	The authentication could not complete due to technical or other problem	Remains with merchant	There was a technical error during authentication. Merchant may choose to continue with transaction, but will retain liability if it is fraudulent
Required	Indicates that the issuer requires the challenge flow to be initiated.	n/a	Merchant need to follow the Challenge flow

For VISA

These are the outcomes of the 3DSv2 Visa Transaction:

Scenario	Authentication Status	ECI	CAVV Present
Authentication success	Succeeded	05	Yes
Authentication attempted	Attempted	06	Optional
Authentication failure	Failed Unknown Unavailable	07	No

For Mastercard

These are the outcome of the 3DSv2 Mastercard Transaction:

Scenario	Authentication Status	ECI	CAVV Present
Authentication success	Succeeded	02	Yes
Authentication attempted	Attempted	01	Yes
Authentication failure	Failed	00	No
Unable to authenticate	Unknown Unavailable	-	No

Facilitating Redirection for Challenge and MethodURL

Bambora recommends that simple page with an HTML form is built to facilitate a POST request to the action URL returned in the initial response of the 3DSv2 flow, if the result leads to any flow other than Frictionless with no Method URL. The page does not need to display any visual elements to the cardholder but its main purpose is to assist in redirecting. The <form> element will need to have hidden fields whose values which will be obtained from the response of the initial request to Bambora 3DSv2.

It is highly recommended that the page auto-POSTs to its action attribute value upon page loading.

Example code - Frictionless with Method URL and Challenge with Method URL

Response from POST /v1/authentication

{
  "transactionReference": "ca75295b-9d03-4294-9e97-312686884a43",
  "authenticationSessionId": "d886f14b-77c1-42b8-a632-da20d3551f4f",
  "redirectionFormData": {
    "actionUrl": "https://path.to/actionUrl",
	"methodUrl": "https://path.to/methodurl",
    "threeDSMethodData": "eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6ImU3NjRmNjVmLWI4MTYtNDE5Zi05OWU0LWViY2QwNmM0ZTY5MCIsInRocmVlRFNNZXRob2ROb3RpZmljYXRpb25VUkwiOiJodHRwczovL2VzZi1nYXRld2F5LXB1YmxpYy1kZXYuc2VydmljZXMub2dvbmUuc2IuZXUuZ2luZnJhLm5ldC8zZHMtbWV0aG9kLXJlZGlyZWN0aW9uLzcxYjA2MDYxLWViYWUtNDQ2NS05ZTA5LTBiMjlkM2VhZGVlNS9WaXNhL3JlcXVlc3QvY2FsbGJhY2sifQ",
  }
}

HTML Page:

<html>
  <body>
    <form name="EventConfirmRedirection" method="post" action="https://path.to/actionUrl">
      <input type="hidden" value="https://path.to/methodurl" id="methodUrl" name="methodUrl"/>
      <input type="hidden" value="eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6Ijk4OWQ5NzQ4LWQ1NjQtNDk5OS04Mzc0LWM1MmM0ZmMzOTY4ZiIsInRocmVlRFNNZXRob2ROb3RpZmljYXRpb25VUkwiOiJodHRwczovL2VzZi1nYXRld2F5LXB1YmxpYy1kZXYuc2VydmljZXMub2dvbmUuc2IuZXUuZ2luZnJhLm5ldC8zZHMtbWV0aG9kLXJlZGlyZWN0aW9uLzVmOTUzZmI3LTA2YjQtNDlmYy1hNDI0LWVhMzRlODIzMjM4NS9WaXNhL3JlcXVlc3QvY2FsbGJhY2sifQ" id="threeDSMethodData" name="threeDSMethodData"/>
      <input type="submit" value="Go">
    </form>
  </body>
</html>

Example code - Challenge with no Method URL

{
  "transactionReference": "ca75295b-9d03-4294-9e97-312686884a43",
  "authenticationSessionId": "d886f14b-77c1-42b8-a632-da20d3551f4f",
  "redirectionFormData": {
    "actionUrl": "https://path.to/actionUrl",
    "threeDSSessionData": "MTIzNA",
    "creq": "eyJhY3NUcmFuc0lEIjoiNUUwRDhFQ0UtNDU0RC00QzkwLTk2QzMtMTRERTZFNTYxNjBFIiwiY2hhbGxlbmdlV2luZG93U2l6ZSI6IjA1IiwibWVzc2FnZVR5cGUiOiJDUmVxIiwibWVzc2FnZVZlcnNpb24iOiIyLjIuMCIsInRocmVlRFNTZXJ2ZXJUcmFuc0lEIjoiYTQxNzM4ZmUtM2NiNi00NmQzLTk1ZjctODcwNDVlNGRhN2YzIn0"
  },
  "authenticationPreparationResponse": {
    "authenticationStatus": "Required",
    "cavv": "AAABBEg0VhI0VniQEjRWAAAAAAA",
    "eci": "05",
    "xid": "f25084f0-5b16-4c0a-ae5d-b24808a95e4b"
  }
}

HTML page:

<html>
  <body>
    <form name="EventConfirmRedirection" method="post" action="https://path.to/actionUrl">
      <input type="hidden" value="eyJhY3NUcmFuc0lEIjoiNUUwRDhFQ0UtNDU0RC00QzkwLTk2QzMtMTRERTZFNTYxNjBFIiwiY2hhbGxlbmdlV2luZG93U2l6ZSI6IjA1IiwibWVzc2FnZVR5cGUiOiJDUmVxIiwibWVzc2FnZVZlcnNpb24iOiIyLjIuMCIsInRocmVlRFNTZXJ2ZXJUcmFuc0lEIjoiYTQxNzM4ZmUtM2NiNi00NmQzLTk1ZjctODcwNDVlNGRhN2YzIn0" id="creq" name="creq"/>
      <input type="hidden" value="MTIzNA" id="threeDSSessionData" name="threeDSSessionData"/>
      <input type="submit" value="Go">
    </form>
  </body>
</html>

3DSv2 Authorisation Flows

After receiving the Authentication response from Bambora, Merchant need to make decision to go ahead/ not go ahead with the Authorisation (Payment) process based on the Authentication result.

Merchant need to provide extra 3DSv2 details in the existing Payment API. The Payment response remains the same.

Sample 3DSv2 Purchase

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:dts="http://www.ippayments.com.au/interface/api/dts">
  <soapenv:Header/>
  <soapenv:Body>
     
     <dts:SubmitSinglePayment>
    <!--Optional:-->
    <dts:trnXML>
    <![CDATA[
        <Transaction>
            <CustNumber>API-Purchase-Visa</CustNumber>                
            <CustRef>IPP-test</CustRef>
            <Amount>4000</Amount>
            <TrnType>1</TrnType>
            <CreditCard>		
                <CardNumber>4242424242424242</CardNumber>
                <ExpM>12</ExpM>
                <ExpY>2027</ExpY>
                <CVN>212</CVN>
                <ThreeDSv2>                  
                    <CAVV>AJkBBhgREQAAAAB4hABwcAAAAAA=</CAVV>
                    <ECI>05</ECI>
                    <TransactionReference>c4a4a0d8-832d-41d4-9560-f5dc7a2205ca</TransactionReference>
                    <XID>211c8d232-0fb9-4847-9dd8-9d6ce30ee83c</XID>
                </ThreeDSv2>
            </CreditCard>
            <PresentationType>EComm</PresentationType>
            <CredentialOnFile>
                <Type>Unscheduled</Type>
                <InitiatedBy>Customer</InitiatedBy>
            </CredentialOnFile>
            <Security>
                <UserName>auto.cofestd.api</UserName>
                <Password>Automation@123</Password>
            </Security>
        </Transaction>
    ]]>
    </dts:trnXML>
    </dts:SubmitSinglePayment>
</soapenv:Body>
</soapenv:Envelope>

Specification for 3DSv2 fields in the Payment API

Header fields	Fields	Conditions	Type	Definitions
ThreeDSv2	CAVV	Conditional	string	Provided in the Authentication Prep response (Frictionless) or Finalise Authentication response (MethodURL and Challenge)
ThreeDSv2	ECI	Conditional	string	Provided in the Authentication Prep response (Frictionless) or Finalise Authentication response (MethodURL and Challenge)
ThreeDSv2	TransactionReference	Conditional	string	Provided in the Authentication Prep response (Frictionless) or Finalise Authentication response (MethodURL and Challenge)
ThreeDSv2	XID	Conditional	string	Provided in the Authentication Prep response (Frictionless) or Finalise Authentication response (MethodURL and Challenge)

Custom Checkout

3DSv2 supports requests with an STT (Secure Transaction Token) in lieu of a PAN. With Custom Checkout you can generate a Secure Transaction Token to use.

The difference with 3D Secure Version 1 is that 3D Secure Version 2 is not called by our Payment API. Instead, there is an intermediate step which is to integrate 3DSv2 before calling our API with the outcome of the 3DSv2 flow.

API Request

The API Request is still a POST to https://threedsv2-api-nuat.bambora.net.au/v1/authentication with the same headers and largely the same request body as mentioned in the "Specification of Authentication messages" section of this document. The difference is that is no "card" root property in the request body there, so instead of the below:

"card": {
        "pan": "<test card>",
        "cardholderName": "C H Name",
        "expiryDate": {
            "month": 1,
            "year": 2022
        }
    }

you need to provide the Secure Transaction Token:

"stt":"<the Secure Transaction Token provided by Custom Checkout>"

Long Term Tokens

"card": {
        "pan": "<test card>",
        "cardholderName": "C H Name",
        "expiryDate": {
            "month": 1,
            "year": 2022
        }
    }

you need to provide the Long Term Token:

"bamboraToken": "<LTT>",

Integration summary

To call the 3DSv2 flow, before our Payment API is called to request a payment, you must call the 3DSv2 API to obtain authentication.

API Key

As mentioned, calls to 3DSv2 the API require an API Key. Please contact Bambora to receive one.

Callbacks

The outcome of the 3DSv2 flow will be communicated via a callback URL that must be provided to Bambora during onboarding. The notification will have a payload similar to the sample authentication notifications given above for any flow other than Frictionless with no Method URL. These notifications will contain the result of that flow which will determine whether to proceed with the transaction or not.