Skip to main content

3D Secure
Enterprise

3D Secure is an Enterprise feature. Contact support@basistheory.com to request access.

Create a Customer Session

Create a 3DS Session for a customer initiated transaction (CIT).

Customer 3DS session creation is only supported through our web SDK.

Create a Merchant Session

Create a 3DS Session for a merchant initiated transaction (MIT).

POST
https://api.basistheory.com/3ds/sessions
Copy

Permissions

3ds:session:create

Request

curl "https://api.basistheory.com/3ds/sessions" \
-H "BT-API-KEY: <API_KEY>" \
-H "Content-Type: application/json" \
-X "POST" \
-d '{
"token_id": "bfe0060c-a465-41a0-a620-c804952d3468",
"type": "merchant"
}'

Request Parameters

AttributeRequiredTypeDescription
token_idfalsestringA card type token id
token_intent_idfalsestringA card type token intent id
panfalsestring
DEPRECATED
A card type token id
typetruestringThe 3DS session type. Use merchant for merchant initiated transactions

Either token_id or token_intent_id are required.

Response

Returns relevant information about the created 3DS session in a Create Session Response object. Returns an error if the session cannot be retrieved.

{
"id": "be3bec00-a1c3-4ffe-8971-20a30bbee031",
"type": "merchant",
"card_brand": "Visa",
"method_url": "https://acs.example.com/3ds/acs/browser/method",
"method_notification_url": "https://api.basistheory.com/3ds/sessions/be3bec00-a1c3-4ffe-8971-20a30bbee031/method-notification",
"directory_server_id": "M000000003",
"recommended_version": "2.2.0",
}

Create Session Response Object

AttributeTypeDescription
idstringThe ID of the 3DS session
typestringThe 3DS session type
card_brandstringThe brand for the card used in the 3DS transaction
method_urlstringThe URL for the Method request, used by the 3DS SDK
method_notification_urlstringThe URL for which to send the method completion notification, used by the 3DS SDK
directory_server_idstringThe 3DS directory server ID, used by the 3DS SDK
recommended_versionstringThe 3DS version that was used for the transaction

Get a Session

Get a 3DS Session by ID in the Tenant.

GET
https://api.basistheory.com/3ds/sessions/{id}
Copy

Permissions

3ds:session:read

Request

curl "https://api.basistheory.com/3ds/sessions/c06d0789-0a38-40be-b7cc-c28a718f76f1" \
-H "BT-API-KEY: <PRIVATE_API_KEY>"

URI Parameters

ParameterRequiredTypeDefaultDescription
idtruestringnullThe ID of the 3DS session

Response

Returns a 3DS session with the id provided. Returns an error if the session cannot be retrieved.

{
"id": "be3bec00-a1c3-4ffe-8971-20a30bbee031",
"tenant_id": "9f328a79-b397-42ac-9b8d-18312157cc6b",
"type": "customer",
"token_id": "bfe0060c-a465-41a0-a620-c804952d3468",
"card_brand": "Visa",
"expiration_date": "2024-03-23T14:01:26.4544211+00:00",
"created_date": "2024-03-22T14:01:26.455016+00:00",
"created_by": "68909d60-3e1d-4b3d-bf68-166c95745c4c",
"modified_date": "2024-03-22T14:01:45.3094992+00:00",
"modified_by": "7da53434-d814-4bd7-a455-6a4757c5c888",
"device": "browser",
"device_info": {
"browser_accept_header": "*/*",
"browser_javascript_enabled": true,
"browser_java_enabled": false,
"browser_language": "en-US",
"browser_color_depth": "24",
"browser_screen_height": "1440",
"browser_screen_width": "3440",
"browser_tz": "180",
"browser_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"
},
"version": {
"recommended_version": "2.2.0",
"available_version": [
"2.1.0",
"2.2.0"
],
"earliest_acs_supported_version": "2.1.0",
"earliest_ds_supported_version": "2.1.0",
"latest_acs_supported_version": "2.2.0",
"latest_ds_supported_version": "2.2.0",
"acs_information": []
},
"method": {
"method_url": "https://acs.example.com/3ds/acs/browser/method",
"method_completion_indicator": "Y"
},
"authentication": {
"threeds_version": "2.2.0",
"acs_transaction_id": "50b9c543-4abc-4fbd-8bed-7e1931ed862c",
"ds_transaction_id": "497acd8d-4b50-4f55-9e56-c6dcaeff2933",
"acs_reference_number": "mock-acs-reference-number",
"ds_reference_number": "mock-directory-server-a",
"authentication_value": "LVJhdmVsaW4gVGVzdCBWYWx1ZS0=",
"authentication_status": "successful",
"eci": "05",
"acs_challenge_mandated": "N",
"authentication_challenge_type": "static",
"acs_challenge_url": "https://acs.example.com/3ds/acs/browser/creq",
"challenge_attempts": "01",
"message_extensions": []
}
}

Authenticate Session

Authenticate a 3DS Session.

POST
https://api.basistheory.com/3ds/sessions/{id}/authenticate
Copy

Permissions

3ds:session:authenticate

Request

curl "https://api.basistheory.com/3ds/sessions/c06d0789-0a38-40be-b7cc-c28a718f76f1/authenticate" \
-H "BT-API-KEY: <API_KEY>" \
-H "Content-Type: application/json" \
-X "POST" \
-d '{
"authentication_category": "payment",
"authentication_type": "payment-transaction",
"purchase_info": {
"amount": "80000",
"currency": "826",
"exponent": "2",
"date": "20240109141010"
},
"requestor_info": {
"id": "example-3ds-merchant",
"name": "Example 3DS Merchant",
"url": "https://www.example.com/example-merchant"
},
"merchant_info": {
"mid": "9876543210001",
"acquirer_bin": "000000999",
"name": "Example 3DS Merchant",
"category_code": "7922",
"country_code": "826"
},
"cardholder_info": {
"name": "John Doe",
"email": "john@me.com"
}
}'

Request Parameters

AttributeRequiredTypeDescription
authentication_categorytruestringThe category of the 3DS authentication, see Authentication Categories for allowed values
authentication_typetruestringThe type of 3DS transaction, see Authentication Types for allowed values
request_decoupled_challengefalseboolIf a decoupled challenge is required in case of a challenge. Defaults to true for merchant session type.
decoupled_challenge_max_timeconditionalnumberThe maximum time in minutes for the decoupled challenge. Required if request_decoupled_challenge is true or session type is merchant.
challenge_preferencefalsestringThe merchant 3DS challenge preference, see Challenge Preferences for allowed values
purchase_infoconditionalPurchase InfoInformation about the purchase (If any). Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
merchant_infoconditionalMerchant InfoInformation about the merchant. Required if authentication_category is payment
requestor_infotrueRequestor InfoInformation about the 3DS requestor
cardholder_infotrueCardholder InfoInformation about the cardholder
broadcast_infofalseobjectUnstructured information sent to the 3DS Server, Directory Server and Access Control Server
message_extensionsfalsearrayArray of Message Extensions - Data necessary to support requirements not defined in the standard 3DS format.

Authentication Categories

  • payment - for any 3DS transaction that ends in a purchase / exchange of money.
  • non-payment - for just adding cards to accounts.

Authentication Types

The authentication type can differt depending on the 3DS session type. See table below for details.

Authentication TypeAllowed Session Type(s)
payment-transactioncustomer
cardholder-emv-verificationcustomer
split-or-delayed-shipmentmerchant
top-upmerchant
mail-ordermerchant
telephone-ordermerchant
whitelist-status-checkmerchant
other-paymentmerchant
billing-agreementmerchant
recurring-transactioncustomer, merchant
installment-transactioncustomer, merchant
add-cardcustomer, merchant
maintain-cardcustomer, merchant
account-verificationcustomer, merchant

Challenge Preferences

  • no-preference
  • no-challenge
  • challenge-requested
  • challenge-mandated
  • no-challenge-risk-analysis-performed
  • no-challenge-data-sharing-only
  • no-challenge-strong-consumer-auth
  • no-challenge-whitelist-exemption
  • challenge-requested-whitelist-prompt
  • cartes-bancaires

Purchase Info Object

This object contains information about the purchase itself (if the authentication category is a payment transaction).

AttributeRequiredTypeDescription
amountconditionalstringThe purchase amount without any punctuation (i.e. 80000). Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
currencyconditionalstringThe purchase currency in ISO 4217 currency code. Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
exponentconditionalstringMinor units of currency as specified in ISO 4217. Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
dateconditionalstringThe purchase date in UTC and YYYYMMDDhhmmss format. Required if authentication_category is payment or if authentication_type is recurring-transaction or installment-transaction
transaction_typeconditionalstringThe type of purchase transaction. See Purchase Transaction Types for values. Required if authentication_category is payment
installment_countconditionalstringMaximum number of installments for installment payments. Required if authentication_type is installment-transaction
recurring_expirationconditionalstringFinal recurring authorization date in YYYYMMDD format. Required if authentication_type is recurring-transaction
recurring_frequencyconditionalstringMinimum number of days between recurring authorizations. Required if authentication_type is recurring-transaction
Purchase Transaction Types
  • purchase
  • check-acceptance
  • account-funding
  • quasi-cash
  • prepaid-activation-load

Merchant Info Object

This object contain information about the merchant (who is collecting the money from the purchase).

AttributeRequiredTypeDescription
midconditionalstringThe merchant identifier. Required if authentication_category is payment
acquirer_binconditionalstringThe merchant/acquirer BIN. Required if authentication_category is payment
nameconditionalstringThe merchant's name. Required if authentication_category is payment
country_codeconditionalstringISO 3166-1 numeric three-digit country code of the merchant. Required if authentication_category is payment
category_codeconditionalstringThe merchant's category code (mcc). Required if authentication_category is payment
risk_infofalseMerchant Risk InfoOptional information to de-risk the transaction

Merchant Risk Info Object

AttributeRequiredTypeDescription
delivery_emailfalsestringThe delivery email address for electronic delivery merchandise
delivery_time_framefalsestringThe merchandise delivery time frame. See Merchant Risk Delivery Time Frames for allowed values
gift_card_amountfalsestringThe purchase amount total of prepaid or gift card(s) as an integer
gift_card_countfalsestringThe total count of individual prepaid or gift cards/codes purchased
gift_card_currencyfalsestringThe ISO 4217 three-digit currency code of the gift card
pre_order_purchasefalseboolIf the merchandise order is a pre-order or not
pre_order_datefalsestringThe date for when the pre-ordered merchandise will be available in YYYYMMDD format
reordered_purchasefalseboolIf the cardholder is reordering previously purchase merchandise or not
shipping_methodfalsestringThe shipping method chosen. See Merchant Risk Shipping Methods for allowed values
Merchant Risk Delivery Time Frames
  • electronic-delivery
  • same-day-shipping
  • overnight-shipping
  • two-or-more-day-shipping
Merchant Risk Shipping Methods
  • ship-to-billing-address
  • ship-to-verified-address
  • ship-to-different-address
  • ship-to-store
  • digital-goods
  • travel-and-event-tickets
  • other

Requestor Info Object

This object contains information about the 3DS requestor, some of it overlap w/ the merchant but has specific rules for different card issuers and brands.

See Instructions for Different Card Brands on how to properly fill this information for the best results.

AttributeRequiredTypeDescription
idtruestringThe 3DS requestor id
nametruestringThe 3DS requestor name
urltruestringA business URL for the 3DS requestor

Instructions for Different Card Brands

See below instructions on how to fill the id and name properties of the Requestor Info Object according to different card brands:

  • Visa:
    • id: Use the merchant id
    • name: Use the merchant name
  • Mastercard:
    • id: Use the merchant id
    • name: Use Ravelin 3DS Server_{MID}
  • Discover:
    • id: Use the Client ID from enrollment with Discover. Also use the ID assigned to the 3DS requestor if any like so: Discover ClientID_Merchant Name or Discover ClientID_ID
    • name: Use the 'Merchant DBA' (Doing Business As) name
  • JCB:
    • id: Use the Acquirer BIN + 'MCT' + MID like: {BIN}MCT{MID}
    • name: Use the merchant id
  • American Express:
    • id: Use the relevant 3DS requestor type from the table below together with the merchant id:
      Requestor TypeDescription
      MERGeneral Merchant
      AGGAggregator
      JCBJCB-Acquired Merchant
      OTAOnline Travel Agency
      OPTOptBlue Seller
      WALDigital Wallet
    • name: Use the merchant id
  • Cartes Bancaires:
    • id: If you are using a Carte Bancaire acquirer and it's a wallet transaction, use the merchant SIRET Number+ 'Identifiant Wallet' for payment/enrolment - Or, just the SIRET Number for non-payment/enrolment. For all other scenarios, use merchant name.
    • name: Use the merchant name

Cardholder Info Object

This object has information about who the cardholder is. Take note that most issuers tend to request at least the name and email properties for successful transactions.

AttributeRequiredTypeDescription
account_idfalsestringThe cardholder account identifier
account_typefalsestringThe type of cardholder account. See Cardholder Account Types for allowed values
account_infofalseCardholder Account InfoInformation about the cardholder's account
authentication_infofalseCardholder Authentication InfoInformation on how the cardholder was authenticated in the merchant platform
prior_authentication_infofalseCardholder Prior Authentication InfoInformation about the cardholder's previous 3DS authentication
nametruestringThe cardholder name
emailtruestringThe cardholder email
phone_numberfalseCardholder Phone NumberThe cardholder main phone number
mobile_phone_numberfalseCardholder Phone NumberThe cardholder mobile phone number
work_phone_numberfalseCardholder Phone NumberThe cardholder work phone number
billing_shipping_address_matchfalsestringIf the billing and shipping address match or not. Use Y for yes and N for no
billing_addressfalseCardholder AddressThe cardholder billing address
shipping_addressfalseCardholder AddressThe cardholder shipping address
Cardholder Account Types
  • debit
  • credit

Cardholder Account Info Object

This object has information about the cardholder's account with the merchant platform.

AttributeRequiredTypeDescription
account_agefalsestringLength of time that the cardholder has had the account. See Cardholder Account Age for allowed values
account_last_changedfalsestringTime since the account was last changed. See Cardholder Account Last Changed for allowed values
account_change_datefalsestringDate the account was last changed in YYYYMMDD format
account_created_datefalsestringDate the account was created in YYYYMMDDD format
account_pwd_last_changedfalsestringTime since the account password was last changed. See Cardholder Account Password Last Changed for allowed values
account_pwd_change_datefalsestringThe password change date in YYYYMMDD format
purchase_count_half_yearfalsestringNumber of purchases by the cardholder in the last six months
transaction_count_dayfalsestringNumber of transactions by this cardholder in the last 24 hours
payment_account_agefalsestringDate the payment method was added to the account in YYYYMMDD format
transaction_count_yearfalsestringNumber of transactions by this cardholder in the last year
payment_account_createdfalsestringTime since the payment method was added to the account. See Cardholder Payment Account Created for allowed values
shipping_address_first_usedfalsestringTime since the shipping address was first used. See Cardholder Shipping Address First Used for allowed values
shipping_address_usage_datefalsestringDate when the shipping address was first used in YYYYMMDD format
shipping_account_name_matchfalseboolIf the cardholder name matches with the shipping name for the transaction
suspicious_activity_observedfalseboolIf any suspicious activity was ever observed in the cardholder account or not
Cardholder Account Age
  • no-account
  • created-this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days
Cardholder Account Last Changed
  • changed-this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days
Cardholder Account Password Last Changed
  • no-change
  • changed-this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days
Cardholder Payment Account Created
  • no-account
  • created-this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days
Cardholder Shipping Address First Used
  • this-transaction
  • less-than-30-days
  • 30-to-60-days
  • more-than-60-days

Cardholder Authentication Info Object

This object has information on how the cardholder authenticated with the merchant platform.

AttributeRequiredTypeDescription
methodfalseAuthentication MethodsThe cardholder method of authentication. See Cardholder Authentication Methods for allowed values
timestampfalsestringThe UTC authentication timestamp in YYYYMMDDhhmm format
datafalsestringAdditional data for a specific authentication process
Cardholder Authentication Methods
  • no-login
  • username-password
  • federated-id
  • issuer-credentials
  • third-party
  • fido
  • fido-data-signed
  • src-assurance-data

Cardholder Prior Authentication Info Object

This object has information about the cardholder prior 3DS transaction authentication.

AttributeRequiredTypeDescription
methodfalsestringThe cardholder prior 3DS authentication method. See Cardholder Prior Authentication Methods for allowed values
timestampfalsestringThe UTC prior authentication timestamp in YYYYMMDDhhmm format
reference_idfalsestringAn ACS Transaction ID for a prior authenticated transaction
datafalsestringAdditional data for a specific authentication process
Cardholder Prior Authentication Methods
  • frictionless
  • challenged
  • avs-verified
  • other

Cardholder Phone Number Object

AttributeRequiredTypeDescription
country_codefalsestringPhone country code
numberfalsestringPhone subscriber number

Cardholder Address Object

AttributeRequiredTypeDescription
line1falsestringThe first line of the address
line2falsestringThe second line of the address
line3falsestringThe third line of the address
postal_codefalsestringAddress postal code
cityfalsestringAddress city
state_codefalsestringISO 3166-2 country subdivision code for the state or province of the address
country_codefalsestringISO 3166-1 numeric three-digit country code of the address

Response

Returns a 3DS authentication. Returns an error if there were validation errors, or the session failed to authenticate.

{
"threeds_version": "2.2.0",
"acs_transaction_id": "5657c648-6e5e-4472-aac6-5400b9dab678",
"ds_transaction_id": "6159159e-ad57-43bf-a886-f5328583d5b2",
"acs_reference_number": "mock-acs-reference-number",
"ds_reference_number": "mock-directory-server-a",
"authentication_value": "LVJhdmVsaW4gVGVzdCBWYWx1ZS0=",
"authentication_status": "successful",
"eci": "05"
}

Get Challenge Result

Get the result of a 3DS Challenge for the given session id.

GET
https://api.basistheory.com/3ds/sessions/{id}/challenge-result
Copy

Permissions

3ds:session:authenticate

Request

curl "https://api.basistheory.com/3ds/sessions/c06d0789-0a38-40be-b7cc-c28a718f76f1/challenge-result" \
-H "BT-API-KEY: <PRIVATE_API_KEY>"

URI Parameters

ParameterRequiredTypeDefaultDescription
idtruestringnullThe ID of the 3DS session

Response

Returns a 3DS authentication. Returns an error if the session was not found or if challenge result cannot be retrieved.

{
"threeds_version": "2.2.0",
"acs_transaction_id": "50b9c543-4abc-4fbd-8bed-7e1931ed862c",
"ds_transaction_id": "497acd8d-4b50-4f55-9e56-c6dcaeff2933",
"acs_reference_number": "mock-acs-reference-number",
"ds_reference_number": "mock-directory-server-a",
"authentication_value": "LVJhdmVsaW4gVGVzdCBWYWx1ZS0=",
"authentication_status": "successful",
"eci": "05",
"acs_challenge_mandated": "N",
"authentication_challenge_type": "static",
"acs_challenge_url": "https://acs.cardissuer.com/3ds/acs/browser/creq",
"challenge_attempts": "01",
"message_extensions": []
}

Session Object

AttributeTypeDescription
iduuidUnique identifier of the session
tenant_iduuidThe Tenant ID which owns the session
typestringThe type of 3DS session - customer or merchant
pan_token_idstring
DEPRECATED
The ID of the card token used in the 3DS transaction
token_idstringThe ID of the card token used in the 3DS transaction
token_intent_idstringThe ID of the card token intent used in the 3DS transaction
card_brandstringThe brand for the card used in the 3DS transaction
expiration_datestringDate for when the 3DS session will expire
created_datestringCreated date of the session in ISO 8601 format
created_byuuidThe Application ID which created the session
modified_datestring(Optional) Last modified date of the session in ISO 8601 format
modified_byuuid(Optional) The Application ID which last modified the session
devicestringThe type of device used to create the 3DS session - browser or mobile
device_infoDevice InfoInformation about the device (collected by the SDKs) used to create the 3DS session
versionVersionInformation about the supported 3DS version
methodMethodInformation about the 3DS method invocation (device fingerprinting)
authenticationAuthenticationThe 3DS session authentication outcome

Device Info Object

AttributeTypeDescription
browser_accept_headerstringThe HTTP accept headers from the browser (browser device only)
browser_ip_addressstringThe browser's IP address (browser device only)
browser_javascript_enabledboolIf javascript is enabled on the browser (browser device only)
browser_java_enabledboolIf java is enabled on the browser (browser device only)
browser_color_depthstringThe bit depth of the browser's color palette for displaying images (browser device only)
browser_screen_heightstringTotal height of the device screen (not browser window) in pixels (browser device only)
browser_screen_widthstringTotal width of the device screen (not browser window) in pixels (browser device only)
browser_tzstringTimezone offset in minutes between UTC and the browser local time (browser device only)
browser_user_agentstringExact content of the browser HTTP user-agent header (browser device only)
sdk_transaction_iduuidUnique identifier for a mobile SDK transaction (mobile device only)
sdk_application_iduuidUnique identifier created upon installation of the mobile SDK (mobile device only)
sdk_encryption_datauuidDevice data encrypted by the SDK (mobile device only)
sdk_ephemeral_public_keyobjectUublic key component of the ephemeral key pair generated by the SDK (mobile device only)
sdk_max_timeoutstringMaximum amount of time (in minutes) for all exchanges (mobile device only)
sdk_reference_numberstringIdentifies the version of the 3DS SDK
sdk_render_optionsSDK Render OptionsThe SDK UI types that the device supports (mobile device only)

SDK Render Options Object

AttributeTypeDescription
sdk_interfacestringThe interface types the mobile device supports
sdk_ui_typearrayThe UI types the device supports for displaying challenge UIs

Version Object

AttributeTypeDescription
recommended_versionstringThe 3DS version that was used for the transaction
available_versionarrayThe UI types the device supports for displaying challenge UIs

Method Object

AttributeTypeDescription
method_urlstringThe URL for the Method request, used by the 3DS SDK
method_completion_indicatorstringIndicates whether the method request completed successfully or not

Method Completion Indicator

ValueDescription
YMethod request completed successfully
NMethod request did not complete successfully
UMethod request result is unavailable

Authentication Object

AttributeTypeDescription
threeds_versionstringThe 3DS version used in the transaction
acs_transaction_idstringThe transaction ID from the 3DS Access Control Server (ACS)
ds_transaction_idstringThe transaction ID from the 3DS Directory Server (DS)
acs_reference_numberstringA unique identifier assigned to the DS by EMVCoD
ds_reference_numberstringA unique identifier assigned to the ACS by EMVCo
pan_token_idstring
DEPRECATED
The ID of the card token used in the 3DS transaction
token_idstringThe ID of the card token used in the 3DS transaction
token_intent_idstringThe ID of the card token intent used in the 3DS transaction
authentication_valuestringThe token value used to authorize the transaction. Also know as CAVV, AAV, AEVV, etc.
authentication_statusstringThe outcome of the 3DS authentication. See Authentication Status
authentication_status_codestringCharacter code for the authentication status
authentication_status_reasonstringAdditional information about the authentication status if necessary. See Authentication Status Reason
ecistringElectronic Commerce Indicator
acs_challenge_mandatedstringIndicates whether regional mandates (e.g., PSD2) required a challenge to be performed. See ACS Challenge Mandated
authentication_challenge_typestringThe type of challenge authentication used (if challenge). See Authentication Challenge Type
acs_challenge_urlstringThe URL to be used for the challenge
challenge_attemptsstringThe number of challenges attempted by the cardholder
challenge_cancel_reasonstringThe reason why a challenge was cancelled. See Challenge Cancel Reason
cardholder_infostringInformation from the issuer to be displayed to the cardholder
whitelist_statusstringIndicates if the cardholder whitelisted the merchant. See Whitelist Status
whitelist_status_sourcestringIdentifies the system that set the whitelist value. See Whitelist Status Source
message_extensionsarrayArray of Message Extensions - Data necessary to support requirements not defined in the standard 3DS format

ACS Challenge Mandated

ValueDescription
YChallenge is mandated
NChallenge is not mandated

Authentication Status

ValueDescription
successful3DS authentication was successful
attempted3DS authentication was attempted but not possible. Successful authentication granted by card brand on issuer's behalf
failedAuthentication failed, stop the transaction
unavailableAuthentication could not be performed. Try to proceed without the authentication value
challengeA challenge is required, use the SDK to perform the Challenge
decoupled_challengeA challenge will be performed by the issuer. Get the Challenge Result to learn the outcome
rejectedThe issuer rejected the authentication attempt
informationalAuthentication not requested, data sent to the ACS for informational purposes

Authentication Status Reason

ValueDescription
card-authentication-failedCard authentication failed
unknown-deviceUnknown device
unsupported-deviceUnsupported device
too-many-authentication-attemptsExceeded authentication frequency limit
card-expiredExpired card
invalid-card-numberInvalid card number
invalid-transactionInvalid transaction
no-card-recordNo card record
security-failureSecurity failure
stolen-cardStolen card
suspected-fraudSuspected fraud
transaction-not-permittedTransaction not permitted to cardholder
cardholder-not-enrolledCardholder not enrolled in service
timeout-at-acsTransaction timed out at the ACS
low-confidenceLow confidence
medium-confidenceMedium confidence
high-confidenceHigh confidence
very-high-confidenceVery high confindence
max-challenges-exceededExceeded ACS maximum challenges limit
non-payment-transaction-not-supportedNon-payment transaction is not supported
3ri-not-supported3RI (requestor initiated) transaction not supported
acs-technical-issueACS technical issue
decoupled-authentication-requiredDecoupled authentication is required but not requested
decoupled-authentication-timeoutDeocupled authentication max expiration time exceeded
insufficient-decoupled-authentication-timeInsufficient time provided for decoupled authentication
authentication-attempted-but-not-performedAuthentication attempted but not performed by the cardholder

Authentication Challenge Type

ValueDescription
staticStatic challenge, for example, a password or passcode
dynamicDynamic challenge, for example, a one time password (OTP)
out-of-bandOut-of-Band challenge, for example, using the issuing bank's mobile app
decoupledDecoupled challenge

Challenge Cancel Reason

ValueDescription
cardholder-canceledCardholder selected 'Cancel' on the challenge
requestor-canceled3DS requestor cancelled authentication
transaction-abandonedTransaction was abandoned
acs-timeoutTransaction timed out at ACS
acs-timeout-request-not-receivedTransaction timed out at ACS - Challenge request not received
errorTransaction error
unknownUnknown reason

Whitelist Status

ValueDescription
merchant-trustedMerchant is trusted by the cardholder
merchant-not-trustedMerchant has not yet been trusted by the cardholder
not-eligibleNot eligible to whitelist as determined by the issuer
pending-confirmationPending confirmation by the cardholder
request-to-trust-rejectedCardholder rejected the request to trust the merchant
unknownTrusted status unknown

Whitelist Status Source

ValueDescription
3ds-server3DS Server
directory-serverDirectory Server (DS)
acsAccess Control Server (ACS)

Message Extension Object

AttributeTypeDescription
idstringThe id for the extensions
namestringThe name for the extension
criticalboolIf the extension is critical or not
datastringData carried in the extension

Test Cards

Please contact support@basistheory.com before testing the 3DS feature.

See below a pre-defined list of cards that can be used to test different 3DS scenarios.

The "Card Brand" column is meant for usage when testing Bin Details and is not reflected in 3DS responses.
Card NumberCard Brand3DS ScenarioIs Luhn Valid
4200000000000002VISASuccessful Frictionless AuthenticationNo
4200000000000003VISAAuthentication AttemptedNo
4200000000000005VISAAuthentication FailedNo
4200000000000006VISAAuthentication UnavailableNo
4200000000000007VISAAuthentication RejectedNo
4200000000000004VISASuccessful Challenge AuthenticationNo
4200000000000014VISASuccessful Challenge Authentication - Method not RequiredNo
4200000000000015VISASuccessful Mandated Challenge AuthenticationNo
4200000000000016VISASuccessful Out-of-Band Challenge AuthenticationNo
4200000000000008VISAAttempted Challenge AuthenticationNo
4200000000000009VISAFailed Challenge AuthenticationNo
4200000000000017VISAFailed Out of Band Challenge AuthenticationNo
4200000000000010VISAUnavailable Challenge AuthenticationNo
4200000000000011VISARejected Challenge AuthenticationNo
4200000000000012VISA3DS Directory Server ErrorNo
4200000000000013VISAInternal 3DS Server ErrorNo
4264281511112228VISAAuthentication FailedYes
340000000004001AMEXSuccessful Challenge AuthenticationYes
4000020000000000VISASuccessful Challenge AuthenticationYes
4111111111111111VISAAuthentication AttemptedYes
5204247750001471MASTERCARDSuccessful Frictionless AuthenticationYes
6011601160116011DISCOVERSuccessful Frictionless AuthenticationYes
370000000000002AMEXSuccessful Challenge AuthenticationYes
3566002020360505JCBSuccessful Challenge AuthenticationYes
3566006663297692JCBSuccessful Challenge AuthenticationYes
36185973325993DISCOVERSuccessful Challenge AuthenticationYes
5424180011113336MASTERCARDAuthentication AttemptedYes
5424180000000171MASTERCARDAuthentication FailedYes
5405001111111165MASTERCARDAuthentication UnavailableYes
5405001111111116MASTERCARDAuthentication RejectedYes
4005562231212123VISASuccessful Challenge Authentication - Method not RequiredYes
4761369980320253VISASuccessful Mandated Challenge AuthenticationYes
4000000000000341VISASuccessful Out-of-Band Challenge AuthenticationYes
5200000000001104MASTERCARDSuccessful Mandated Challenge AuthenticationYes
4005571701111111VISAAttempted Challenge AuthenticationYes
4055011111111111VISAFailed Challenge AuthenticationYes
5427660064241339MASTERCARDFailed Challenge AuthenticationYes
6011361011110004DISCOVERFailed Out of Band Challenge AuthenticationYes
6011361000008888DISCOVERUnavailable Challenge AuthenticationYes
6011361000001115DISCOVERRejected Challenge AuthenticationYes
4264281500003339VISA3DS Directory Server ErrorYes
4264281500001119VISAInternal 3DS Server ErrorYes
5424180011110001MASTERCARD3DS Directory Server ErrorYes