3D Secure version 1 is being phased out and is already no longer available for Mastercard, American Express, and Visa. For Bancontact, 3D Secure version 1 will be switched off on July 1, 2024.
Migration from 3DS version 1 to version 2 primarily involves how the returned URL(s) are handled. The authentication flow for the shopper does not change, except that, depending on the issuer, the flow can be frictionless.
Furthermore, the migration process is the same for the Rest API as for the SOAP API (1.3). In the start-request response, both APIs return the authentication URL and optionally the ACS method URL, including the order in which the URLs should be handled.
The URLs are normally handled inside the browser, as described on Credit Card Browser Authentication, because information about the browser and screen size is required. Below is a short description of how to handle the URLs, based on the sample responses that follow, first from the SOAP API 1.3 and then from the Rest API.
<startResponse xmlns="http://www.docdatapayments.com/services/paymentservice/1_3/" ddpXsdVersion="1.3.32">
  <startSuccess>
    <success code="SUCCESS">Operation successful.</success>
    <paymentResponse>
      <paymentSuccess>
        <status>REDIRECTED_FOR_AUTHENTICATION</status>
        <id>4915876394</id>
      </paymentSuccess>
    </paymentResponse>
    <redirectInformation>
      <redirect>
        <method>POST</method>
        <url>https://acceptsecure.docdatapayments.com/ps/api/public/3dsv2/v1/transactions/3ds-method-notification</url>
        <parameters>
          <parameter name="threeDSMethodData">eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly9zZWN1cmUuc2FuZGJveC5wYXkuY20uY29tL3BzL2FwaS9wdWJsaWMvM2RzdjIvdjEvdHJhbnNhY3Rpb25zLzNkcy1tZXRob2Qtbm90aWZpY2F0aW9uIiwidGhyZWVEU1NlcnZlclRyYW5zSUQiOiI5NzYwZjUxNi1iMGFiLTQzMGMtYmM0My03ZWI4YmU0MDlmNzkifQ</parameter>
        </parameters>
        <purpose>HIDDEN_IFRAME</purpose>
        <order>1</order>
      </redirect>
      <redirect>
        <method>POST</method>
        <url>https://secure.sandbox.pay.cm.com/ps/api/public/3dsv2/v1/transactions/9760f516-b0ab-430c-bc43-7eb8be409f79/references/4915876394/authenticate</url>
        <parameters/>
        <purpose>IFRAME</purpose>
        <order>2</order>
      </redirect>
    </redirectInformation>
  </startSuccess>
</startResponse>
{
  "id": "pid4915876445t",
  "status": "REDIRECTED_FOR_AUTHENTICATION",
  "urls": [
    {
      "purpose": "HIDDEN_IFRAME",
      "method": "POST",
      "url": "https://secure.sandbox.pay.cm.com/ps/api/public/3dsv2/v1/transactions/3ds-method-notification",
      "order": 1,
      "parameters": {
        "threeDSMethodData": "eyJ0aHJlZURTTWV0aG9kTm90aWZpY2F0aW9uVVJMIjoiaHR0cHM6Ly9zZWN1cmUuc2FuZGJveC5wYXkuY20uY29tL3BzL2FwaS9wdWJsaWMvM2RzdjIvdjEvdHJhbnNhY3Rpb25zLzNkcy1tZXRob2Qtbm90aWZpY2F0aW9uIiwidGhyZWVEU1NlcnZlclRyYW5zSUQiOiI0ZGI5OTEzOS03Y2JlLTQxNmUtOWVhMS1mMzkwZmRkOWRjNmQifQ"
      }
    },
    {
      "purpose": "IFRAME",
      "method": "POST",
      "url": "https://secure.sandbox.pay.cm.com/ps/api/public/3dsv2/v1/transactions/4db99139-7cbe-416e-9ea1-f390fdd9dc6d/references/4915876445/authenticate",
      "order": 2
    }
  ]
}
For both APIs there is a section that contains the URLs that need to be handled (either the redirectInformation section for the SOAP API or the urls block for the Rest API).
The first URL (purpose == HIDDEN_IFRAME) is the ACS/Issuer method URL that gathers data about the device the shopper is paying from. This URL needs to be loaded, via an HTTP POST, inside an iframe that is not visible to the shopper. The second URL (purpose == IFRAME) is the actual authentication URL; it needs to be called inside an iframe and starts the authentication process with the issuer. This is also an HTTP POST, and it requires some additional post data, such as the browser screen size.
The page Credit Card Browser Authentication contains, towards the bottom, a sample script that can handle the above URLs, but it does not unpack the SOAP API start-response nor the Rest API start-response.
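The unpacking step that the sample script leaves out could look like the following. This is an added example, not code from the original page or from the payment provider: it reads the redirect steps from either start response, rejects any URL that is not HTTPS on an expected host, sorts the steps by `order`, and decodes `threeDSMethodData`. The function names are hypothetical, the host allowlist is an assumption copied from the sample responses above, and the sample data is constructed.

```python
import base64
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"d": "http://www.docdatapayments.com/services/paymentservice/1_3/"}
# Assumption: hosts copied from the page's sample responses; confirm your own.
ALLOWED_HOSTS = {"acceptsecure.docdatapayments.com", "secure.sandbox.pay.cm.com"}

def _ordered(steps):
    """Reject non-HTTPS or unlisted hosts, then sort by the API's order field."""
    for s in steps:
        u = urlsplit(s["url"])
        if u.scheme != "https" or u.hostname not in ALLOWED_HOSTS:
            raise ValueError("unexpected redirect target: " + s["url"])
    return sorted(steps, key=lambda s: s["order"])

def steps_from_rest(body):
    """Unpack the urls block of a Rest API start response (JSON text)."""
    return _ordered([{**u, "order": int(u["order"]), "parameters": u.get("parameters", {})}
                     for u in json.loads(body)["urls"]])

def steps_from_soap(body):
    """Unpack redirectInformation from a SOAP 1.3 startResponse (XML text)."""
    steps = []
    for r in ET.fromstring(body).iterfind(".//d:redirectInformation/d:redirect", NS):
        f = {t: r.findtext("d:" + t, namespaces=NS) for t in ("purpose", "method", "url", "order")}
        params = {p.get("name"): p.text for p in r.iterfind("d:parameters/d:parameter", NS)}
        steps.append({**f, "order": int(f["order"]), "parameters": params})
    return _ordered(steps)

def decode_method_data(value):
    """threeDSMethodData is unpadded base64url JSON; restore the padding first."""
    return json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))

# Constructed sample data (not a real transaction); steps deliberately out of order.
BASE = "https://secure.sandbox.pay.cm.com/ps/api/public/3dsv2/v1/transactions/"
DATA = base64.urlsafe_b64encode(json.dumps(
    {"threeDSServerTransID": "00000000-0000-0000-0000-000000000000"}).encode()).decode().rstrip("=")
REST = json.dumps({"status": "REDIRECTED_FOR_AUTHENTICATION", "urls": [
    {"purpose": "IFRAME", "method": "POST", "url": BASE + "T1/references/R1/authenticate", "order": 2},
    {"purpose": "HIDDEN_IFRAME", "method": "POST", "url": BASE + "3ds-method-notification",
     "order": 1, "parameters": {"threeDSMethodData": DATA}}]})
SOAP = f"""<startResponse xmlns="{NS['d']}"><startSuccess><redirectInformation>
<redirect><method>POST</method><url>{BASE}T1/references/R1/authenticate</url>
<parameters/><purpose>IFRAME</purpose><order>2</order></redirect>
<redirect><method>POST</method><url>{BASE}3ds-method-notification</url><parameters>
<parameter name="threeDSMethodData">{DATA}</parameter></parameters>
<purpose>HIDDEN_IFRAME</purpose><order>1</order></redirect>
</redirectInformation></startSuccess></startResponse>"""
```

Both functions return the same list of steps, so the browser-side handling can stay identical whichever API produced the start response.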