Skip to main content

3D Secure
Enterprise

3D Secure is an Enterprise feature. Contact support@basistheory.com to request access.

Get a Session

Get a 3DS Session by ID in the Tenant.

GET
https://api.basistheory.com/3ds/sessions/{id}
Copy

Permissions

3ds:session:read

Request

curl "https://api.basistheory.com/3ds/sessions/c06d0789-0a38-40be-b7cc-c28a718f76f1" \
  -H "BT-API-KEY: <PRIVATE_API_KEY>"

URI Parameters

ParameterRequiredTypeDefaultDescription
idtruestringnullThe ID of the 3DS session

Response

Returns a 3DS session with the id provided. Returns an error if the session cannot be retrieved.

{
    "id": "be3bec00-a1c3-4ffe-8971-20a30bbee031",
    "tenant_id": "9f328a79-b397-42ac-9b8d-18312157cc6b",
    "pan_token_id": "bfe0060c-a465-41a0-a620-c804952d3468",
    "card_brand": "Visa",
    "expiration_date": "2024-03-23T14:01:26.4544211+00:00",
    "created_date": "2024-03-22T14:01:26.455016+00:00",
    "created_by": "68909d60-3e1d-4b3d-bf68-166c95745c4c",
    "modified_date": "2024-03-22T14:01:45.3094992+00:00",
    "modified_by": "7da53434-d814-4bd7-a455-6a4757c5c888",
    "device": "browser",
    "device_info": {
        "browser_accept_header": "*/*",
        "browser_javascript_enabled": true,
        "browser_java_enabled": false,
        "browser_language": "en-US",
        "browser_color_depth": "24",
        "browser_screen_height": "1440",
        "browser_screen_width": "3440",
        "browser_tz": "180",
        "browser_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
    },
    "version": {
        "recommended_version": "2.2.0",
        "available_version": [
            "2.1.0",
            "2.2.0"
        ],
        "earliest_acs_supported_version": "2.1.0",
        "earliest_ds_supported_version": "2.1.0",
        "latest_acs_supported_version": "2.2.0",
        "latest_ds_supported_version": "2.2.0",
        "acs_information": []
    },
    "method": {
        "method_url": "https://acs.example.com/3ds/acs/browser/method",
        "method_completion_indicator": "Y"
    },
    "authentication": {
        "threeds_version": "2.2.0",
        "acs_transaction_id": "50b9c543-4abc-4fbd-8bed-7e1931ed862c",
        "ds_transaction_id": "497acd8d-4b50-4f55-9e56-c6dcaeff2933",
        "acs_reference_number": "mock-acs-reference-number",
        "ds_reference_number": "mock-directory-server-a",
        "authentication_value": "LVJhdmVsaW4gVGVzdCBWYWx1ZS0=",
        "authentication_status": "successful",
        "eci": "05",
        "acs_challenge_mandated": "N",
        "authentication_challenge_type": "static",
        "acs_challenge_url": "https://acs.example.com/3ds/acs/browser/creq",
        "challenge_attempts": "01",
        "message_extensions": []
    }
}

Authenticate Session

Authenticate a 3DS Session.

POST
https://api.basistheory.com/3ds/sessions/{id}/authenticate
Copy

Permissions

3ds:session:authenticate

Request

curl "https://api.basistheory.com/3ds/sessions/c06d0789-0a38-40be-b7cc-c28a718f76f1/authenticate" \
  -H "BT-API-KEY: <API_KEY>" \
  -H "Content-Type: application/json" \
  -X "POST" \
  -d '{
    "authentication_category": "payment",
    "authentication_type": "payment-transaction",
    "purchase_info": {
        "amount": "80000",
        "currency": "826",
        "exponent": "2",
        "date": "20240109141010"
    },
    "requestor_info":  {
        "id": "example-3ds-merchant",
        "name": "Example 3DS Merchant",
        "url": "https://www.example.com/example-merchant"
    },
    "merchant_info": {
        "mid": "9876543210001",
        "acquirer_bin": "000000999",
        "name": "Example 3DS Merchant",
        "category_code": "7922",
        "country_code": "826"
    },
    "cardholder_info": {
        "name": "John Doe",
        "email": "john@me.com"
    }
  }'

Request Parameters

AttributeRequiredTypeDescription
authentication_categorytruestringThe category of the 3DS authentication, see Authentication Categories for allowed values
authentication_typetruestringThe type of 3DS transaction, see Authentication Types for allowed values
challenge_preferencefalsestringThe merchant 3DS challenge preference, see Challenge Preferences for allowed values
purchase_infoconditionalPurchase InfoInformation about the purchase (If any). Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
merchant_infoconditionalMerchant InfoInformation about the merchant. Required if authentication_category is payment
requestor_infotrueRequestor InfoInformation about the 3DS requestor
cardholder_infotrueCardholder InfoInformation about the cardholder
broadcast_infofalseobjectUnstructured information sent to the 3DS Server, Directory Server and Access Control Server
message_extensionsfalsearrayArray of Message Extensions - Data necessary to support requirements not defined in the standard 3DS format.

Authentication Categories

  • payment - for any 3DS transaction that ends in a purchase / exchange of money.
  • non-payment - for just adding cards to accounts.

Authentication Types

  • payment-transaction
  • recurring-transaction
  • installment-transaction
  • add-card
  • maintain-card
  • cardholder-emv-verification
  • account-verification

Challenge Preferences

  • no-preference
  • no-challenge
  • challenge-requested
  • challenge-mandated
  • no-challenge-risk-analysis-performed
  • no-challenge-data-sharing-only
  • no-challenge-strong-consumer-auth
  • no-challenge-whitelist-exemption
  • challenge-requested-whitelist-prompt
  • cartes-bancaires

Purchase Info Object

This object contains information about the purchase itself (if the authentication category is a payment transaction).

AttributeRequiredTypeDescription
amountconditionalstringThe purchase amount without any punctuation (i.e. 80000). Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
currencyconditionalstringThe purchase currency in ISO 4217 currency code. Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
exponentconditionalstringMinor units of currency as specified in ISO 4217. Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
dateconditionalstringThe purchase date in UTC and YYYYMMDDhhmmss format. Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
transaction_typeconditionalstringThe type of purchase transaction. See Purchase Transaction Types for values. Required if authentication_category is payment
installment_countconditionalstringMaximum number of installments for installment payments. Required if authentication_type is installment-transaction
recurring_expirationconditionalstringFinal recurring authorization date in YYYYMMDD format. Required if authentication_type is recurring-transaction
recurring_frequencyconditionalstringMinimum number of days between recurring authorizations. Required if authentication_type is recurring-transaction
Purchase Transaction Types
  • purchase
  • check-acceptance
  • account-funding
  • quasi-cash
  • prepaid-activation-load

Merchant Info Object

This object contain information about the merchant (who is collecting the money from the purchase).

AttributeRequiredTypeDescription
midconditionalstringThe merchant identifier. Required if authentication_category is payment
acquirer_binconditionalstringThe merchant/acquirer BIN. Required if authentication_category is payment
nameconditionalstringThe merchant's name. Required if authentication_category is payment
country_codeconditionalstringISO 3166-1 numeric three-digit country code of the merchant. Required if authentication_category is payment
category_codeconditionalstringThe merchant's category code (mcc). Required if authentication_category is payment
risk_infofalseMerchant Risk InfoOptional information to de-risk the transaction

Merchant Risk Info Object

AttributeRequiredTypeDescription
delivery_emailfalsestringThe delivery email address for electronic delivery merchandise
delivery_time_framefalsestringThe merchandise delivery time frame. See Merchant Risk Delivery Time Frames for allowed values
gift_card_amountfalsestringThe purchase amount total of prepaid or gift card(s) as an integer
gift_card_countfalsestringThe total count of individual prepaid or gift cards/codes purchased
gift_card_currencyfalsestringThe ISO 4217 three-digit currency code of the gift card
pre_order_purchasefalseboolIf the merchandise order is a pre-order or not
pre_order_datefalsestringThe date for when the pre-ordered merchandise will be available in YYYYMMDD format
reordered_purchasefalseboolIf the cardholder is reordering previously purchase merchandise or not
shipping_methodfalsestringThe shipping method chosen. See Merchant Risk Shipping Methods for allowed values
Merchant Risk Delivery Time Frames
  • electronic-delivery
  • same-day-shipping
  • overnight-shipping
  • two-or-more-day-shipping
Merchant Risk Shipping Methods
  • ship-to-billing-address
  • ship-to-verified-address
  • ship-to-different-address
  • ship-to-store
  • digital-goods
  • travel-and-event-tickets
  • other

Requestor Info Object

This object contains information about the 3DS requestor, some of it overlap w/ the merchant but has specific rules for different card issuers and brands.

See Instructions for Different Card Brands on how to properly fill this information for the best results.

AttributeRequiredTypeDescription
idtruestringThe 3DS requestor id
nametruestringThe 3DS requestor name
urltruestringA business URL for the 3DS requestor

Instructions for Different Card Brands

See below instructions on how to fill the id and name properties of the Requestor Info Object according to different card brands:

  • Visa:
    • id: Use the merchant id
    • name: Use the merchant name
  • Mastercard:
    • id: Use the merchant id
    • name: Use Ravelin 3DS Server_{MID}
  • Discover:
    • id: Use the Client ID from enrollment with Discover. Also use the ID assigned to the 3DS requestor if any like so: Discover ClientID_Merchant Name or Discover ClientID_ID
    • name: Use the 'Merchant DBA' (Doing Business As) name
  • JCB:
    • id: Use the Acquirer BIN + 'MCT' + MID like: {BIN}MCT{MID}
    • name: Use the merchant id
  • American Express:
    • id: Use the relevant 3DS requestor type from the table below together with the merchant id:
      Requestor TypeDescription
      MERGeneral Merchant
      AGGAggregator
      JCBJCB-Acquired Merchant
      OTAOnline Travel Agency
      OPTOptBlue Seller
      WALDigital Wallet
    • name: Use the merchant id
  • Cartes Bancaires:
    • id: If you are using a Carte Bancaire acquirer and it's a wallet transaction, use the merchant SIRET Number+ 'Identifiant Wallet' for payment/enrolment - Or, just the SIRET Number for non-payment/enrolment. For all other scenarios, use merchant name.
    • name: Use the merchant name

Cardholder Info Object

This object has information about who the cardholder is. Take note that most issuers tend to request at least the name and email properties for successful transactions.

AttributeRequiredTypeDescription
account_idfalsestringThe cardholder account identifier
account_typefalsestringThe type of cardholder account. See Cardholder Account Types for allowed values
account_infofalseCardholder Account InfoInformation about the cardholder's account
authentication_infofalseCardholder Authentication InfoInformation on how the cardholder was authenticated in the merchant platform
prior_authentication_infofalseCardholder Prior Authentication InfoInformation about the cardholder's previous 3DS authentication
nametruestringThe cardholder name
emailtruestringThe cardholder email
phone_numberfalseCardholder Phone NumberThe cardholder main phone number
mobile_phone_numberfalseCardholder Phone NumberThe cardholder mobile phone number
work_phone_numberfalseCardholder Phone NumberThe cardholder work phone number
billing_shipping_address_matchfalsestringIf the billing and shipping address match or not. Use Y for yes and N for no
billing_addressfalseCardholder AddressThe cardholder billing address
shipping_addressfalseCardholder AddressThe cardholder shipping address
Cardholder Account Types
  • debit
  • credit

Cardholder Account Info Object

This object has information about the cardholder's account with the merchant platform.

AttributeRequiredTypeDescription
account_agefalsestringLength of time that the cardholder has had the account. See Cardholder Account Age for allowed values
account_last_changedfalsestringTime since the account was last changed. See Cardholder Account Last Changed for allowed values
account_change_datefalsestringDate the account was last changed in YYYYMMDD format
account_created_datefalsestringDate the account was created in YYYYMMDDD format
account_pwd_last_changedfalsestringTime since the account password was last changed. See Cardholder Account Password Last Changed for allowed values
account_pwd_change_datefalsestringThe password change date in YYYYMMDD format
purchase_count_half_yearfalsestringNumber of purchases by the cardholder in the last six months
transaction_count_dayfalsestringNumber of transactions by this cardholder in the last 24 hours
payment_account_agefalsestringDate the payment method was added to the account in YYYYMMDD format
transaction_count_yearfalsestringNumber of transactions by this cardholder in the last year
payment_account_createdfalsestringTime since the payment method was added to the account. See Cardholder Payment Account Created for allowed values
shipping_address_first_usedfalsestringTime since the shipping address was first used. See Cardholder Shipping Address First Used for allowed values
shipping_address_usage_datefalsestringDate when the shipping address was first used in YYYYMMDD format
shipping_account_name_matchfalseboolIf the cardholder name matches with the shipping name for the transaction
suspicious_activity_observedfalseboolIf any suspicious activity was ever observed in the cardholder account or not
Cardholder Account Age
  • no-account
  • created-this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days
Cardholder Account Last Changed
  • changed-this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days
Cardholder Account Password Last Changed
  • no-change
  • changed-this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days
Cardholder Payment Account Created
  • no-account
  • created-this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days
Cardholder Shipping Address First Used
  • this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days

Cardholder Authentication Info Object

This object has information on how the cardholder authenticated with the merchant platform.

AttributeRequiredTypeDescription
methodfalseAuthentication MethodsThe cardholder method of authentication. See Cardholder Authentication Methods for allowed values
timestampfalsestringThe UTC authentication timestamp in YYYYMMDDhhmm format
datafalsestringAdditional data for a specific authentication process
Cardholder Authentication Methods
  • no-login
  • username-password
  • federated-id
  • issuer-credentials
  • third-party
  • fido
  • fido-data-signed
  • src-assurance-data

Cardholder Prior Authentication Info Object

This object has information about the cardholder prior 3DS transaction authentication.

AttributeRequiredTypeDescription
methodfalsestringThe cardholder prior 3DS authentication method. See Cardholder Prior Authentication Methods for allowed values
timestampfalsestringThe UTC prior authentication timestamp in YYYYMMDDhhmm format
reference_idfalsestringAn ACS Transaction ID for a prior authenticated transaction
datafalsestringAdditional data for a specific authentication process
Cardholder Prior Authentication Methods
  • frictionless
  • challenged
  • avs-verified
  • other

Cardholder Phone Number Object

AttributeRequiredTypeDescription
country_codefalsestringPhone country code
numberfalsestringPhone subscriber number

Cardholder Address Object

AttributeRequiredTypeDescription
line1falsestringThe first line of the address
line2falsestringThe second line of the address
line3falsestringThe third line of the address
postal_codefalsestringAddress postal code
cityfalsestringAddress city
state_codefalsestringISO 3166-2 country subdivision code for the state or province of the address
country_codefalsestringISO 3166-1 numeric three-digit country code of the address

Response

Returns a 3DS authentication. Returns an error if there were validation errors, or the session failed to authenticate.

{
  "threeds_version": "2.2.0",
  "acs_transaction_id": "5657c648-6e5e-4472-aac6-5400b9dab678",
  "ds_transaction_id": "6159159e-ad57-43bf-a886-f5328583d5b2",
  "acs_reference_number": "mock-acs-reference-number",
  "ds_reference_number": "mock-directory-server-a",
  "authentication_value": "LVJhdmVsaW4gVGVzdCBWYWx1ZS0=",
  "authentication_status": "successful",
  "eci": "05"
}

Get Challenge Result

Get the result of a 3DS Challenge for the given session id.

GET
https://api.basistheory.com/3ds/sessions/{id}/challenge-result
Copy

Permissions

3ds:session:authenticate

Request

curl "https://api.basistheory.com/3ds/sessions/c06d0789-0a38-40be-b7cc-c28a718f76f1/challenge-result" \
  -H "BT-API-KEY: <PRIVATE_API_KEY>"

URI Parameters

ParameterRequiredTypeDefaultDescription
idtruestringnullThe ID of the 3DS session

Response

Returns a 3DS authentication. Returns an error if the session was not found or if challenge result cannot be retrieved.

{
  "threeds_version": "2.2.0",
  "acs_transaction_id": "50b9c543-4abc-4fbd-8bed-7e1931ed862c",
  "ds_transaction_id": "497acd8d-4b50-4f55-9e56-c6dcaeff2933",
  "acs_reference_number": "mock-acs-reference-number",
  "ds_reference_number": "mock-directory-server-a",
  "authentication_value": "LVJhdmVsaW4gVGVzdCBWYWx1ZS0=",
  "authentication_status": "successful",
  "eci": "05",
  "acs_challenge_mandated": "N",
  "authentication_challenge_type": "static",
  "acs_challenge_url": "https://acs.cardissuer.com/3ds/acs/browser/creq",
  "challenge_attempts": "01",
  "message_extensions": []
}

Session Object

AttributeTypeDescription
iduuidUnique identifier of the session
tenant_iduuidThe Tenant ID which owns the session
pan_token_idstringThe ID for the card token used in the 3DS transaction
card_brandstringThe brand for the card used in the 3DS transaction
expiration_datestringDate for when the 3DS session will expire
created_datestringCreated date of the session in ISO 8601 format
created_byuuidThe Application ID which created the session
modified_datestring(Optional) Last modified date of the session in ISO 8601 format
modified_byuuid(Optional) The Application ID which last modified the session
devicestringThe type of device used to create the 3DS session - browser or mobile
device_infoDevice InfoInformation about the device (collected by the SDKs) used to create the 3DS session
versionVersionInformation about the supported 3DS version
methodMethodInformation about the 3DS method invocation (device fingerprinting)
authenticationAuthenticationThe 3DS session authentication outcome

Device Info Object

AttributeTypeDescription
browser_accept_headerstringThe HTTP accept headers from the browser (browser device only)
browser_ip_addressstringThe browser's IP address (browser device only)
browser_javascript_enabledboolIf javascript is enabled on the browser (browser device only)
browser_java_enabledboolIf java is enabled on the browser (browser device only)
browser_color_depthstringThe bit depth of the browser's color palette for displaying images (browser device only)
browser_screen_heightstringTotal height of the device screen (not browser window) in pixels (browser device only)
browser_screen_widthstringTotal width of the device screen (not browser window) in pixels (browser device only)
browser_tzstringTimezone offset in minutes between UTC and the browser local time (browser device only)
browser_user_agentstringExact content of the browser HTTP user-agent header (browser device only)
sdk_transaction_iduuidUnique identifier for a mobile SDK transaction (mobile device only)
sdk_application_iduuidUnique identifier created upon installation of the mobile SDK (mobile device only)
sdk_encryption_datauuidDevice data encrypted by the SDK (mobile device only)
sdk_ephemeral_public_keyobjectUublic key component of the ephemeral key pair generated by the SDK (mobile device only)
sdk_max_timeoutstringMaximum amount of time (in minutes) for all exchanges (mobile device only)
sdk_reference_numberstringIdentifies the version of the 3DS SDK
sdk_render_optionsSDK Render OptionsThe SDK UI types that the device supports (mobile device only)

SDK Render Options Object

AttributeTypeDescription
sdk_interfacestringThe interface types the mobile device supports
sdk_ui_typearrayThe UI types the device supports for displaying challenge UIs

Version Object

AttributeTypeDescription
recommended_versionstringThe 3DS version that was used for the transaction
available_versionarrayThe UI types the device supports for displaying challenge UIs

Method Object

AttributeTypeDescription
method_urlstringThe URL for the Method request, used by the 3DS SDK
method_completion_indicatorstringIndicator of if the method request completed successfully or not

Authentication Object

AttributeTypeDescription
threeds_versionstringThe 3DS version used in the transaction
acs_transaction_idstringThe transaction ID from the 3DS Access Control Server (ACS)
ds_transaction_idstringThe transaction ID from the 3DS Directory Server (DS)
acs_reference_numberstringA unique identifier assigned to the DS by EMVCoD
ds_reference_numberstringA unique identifier assigned to the ACS by EMVCo
authentication_valuestringThe token value used to authorize the transaction. Also know as CAVV, AAV, AEVV, etc.
authentication_statusstringThe outcome of the 3DS authentication
authentication_status_reasonstringAdditional information about the authentication status if necessary
ecistringElectronic Commerce Indicator
acs_challenge_mandatedstringIndicates whether regional mandates (e.g. PSD2) required a challenge to be performed
authentication_challenge_typestringThe type of challenge authentication used (if challenge)
acs_challenge_urlstringThe URL to be used for the challenge
challenge_attemptsstringThe number of challenges attempted by the cardholder
challenge_cancel_reasonstringThe reason why a challenge was cancelled
cardholder_infostringInformation from the issuer to be displayed to the cardholder
whitelist_statusstringIndicates if the cardholder whitelisted the merchant
whitelist_status_sourcestringIdentifies the system that set the whitelist value
message_extensionsarrayArray of Message Extensions - Data necessary to support requirements not defined in the standard 3DS format

Message Extension Object

AttributeTypeDescription
idstringThe id for the extensions
namestringThe name for the extension
criticalboolIf the extension is critical or not
datastringData carried in the extension