TabaPay APIs are agnostic of each other. If you call the 3DS APIs, but do not pass the proper values in the Create Transaction API API then the transaction will not be protected by 3DS.
Be consistent when using the APIsWhen calling the 3DS APIs, make sure you use the same card for all of the API calls and for the Create Transaction API call at then end of the process.
For example, if you decide to use an Account ID for 3DS, but then call Create Transaction API using RSA, there is a chance that the underlying card number may not match.
What are the potential timeouts?
1. How long does the JWT last before it times out?
JWT lasts 2 hours by default. Could be shorter if you include an exp claim.
2. How long does a person have to respond to a challenge before it times out?
10 minutes
3. Once we have a successful authentication (ECI, CAVV, etc.) how long do we have before these values expire?
The CAVV would be valid for up to 90 days.
4. Are there any other timeouts you need to keep in mind?
Once the lookup response is received with a challenge URL and payload you will have 30 seconds to facilitate the challenge session before it expires.
5. What's a browser?
"A Browser is a dedicated software application for accessing information on the World Wide Web, for example Chrome, Safari, Edge, Firefox. When a user requests a web page from a particular website, the Browser retrieves the necessary content from a web server and then displays the page on the consumer’s screen.
For 3DS, the Browser is a conduit to transport messages between the Acquirer Domain and the Issuer Domain utilizing Browser Fields. A Browser is distinguished from a UI component for example, a WebView, or Custom Tabs, which can be used to display content within an App on a mobile device. The Browser flowis invoked by a Browser whereas the EMVCo specification does not support a UI component within an app therefore invoking the Browser flow."
-EMV® 3-D Secure Protocol and Core Functions Specification v2.3.1.0
6. What Should I consider when implementing EMV 3DS?
Before implementing EMV 3-D Secure (3DS), TabaPay Clients should develop a clear strategy and ensure all necessary processes and monitoring are in place.
1. Define your EMV 3DS strategy and goals
Establish objectives and key performance indicators (KPIs) before implementation.
-
Example objectives: combatting fraud, complying with local, or regional regulations.
-
Example KPIs: higher authorization rates, less chargebacks, or, increased sales conversion
Defining these objectives early will drive solution design and ensure alignment with business goals.
2. Map your checkout flows
Inventory all checkout experiences (guest checkout, recurring payments, high-value purchases, etc.) to determine where EMV 3DS should be applied.
Optimize EMV 3DS implementation across each flow to minimize friction while maintaining strong authentication.
3. Strengthen fraud monitoring and data sharing
Work with your acquirer to ensure proper fraud monitoring is in place.
Acquirers may provide issuer-reported fraud data that helps measure KPIs, such as fraud-to-sales ratios and approval rates on 3DS vs. non-3DS transactions.
Submit lookup requests with as much data as possible — issuers use this to improve risk models and enable more frictionless authentications.
4. Recommended 3DS use cases
Use EMV 3DS in these key scenarios to enhance security and issuer confidence:
-
Guest checkout transactions, where the consumer is not known to the merchant.
-
First-time use or high-value and/or out-of-pattern purchases.
-
Suspected account takeover cases, such as address changes or credential updates.
7. What data must I provide with every 3DS transaction?
TabaPay Clients should ensure that the data sent into authorization is accurate and consistent with the data sent into authentication.
The more, accurate/high quality data clients can provide for 3DS, the better. The more
information Issuers have to feed their risk engines will be a driver in frictionless/challenge outcomes so any TabaPay Client interested in driving down challenge rates should be looking to supply as much data as they can.
Per EMV® 3-D Secure Protocol and Core Functions Specification v2.3.1.0 (August 2022) and Cardinal API Requirements
3DS Request Body Parameters
| JSON Name | Value | Required | Default | Description | |||
|---|---|---|---|---|---|---|---|
| 3dsID | String | R | 3dsID from 3D Secure Initialize | ||||
| authenticationIndicator | String 2 digits |
R | |||||
| transactionMode | String 1 character |
O | |||||
| transactionType | String 1 character |
R | |||||
| productCode | String 3 characters |
R | |||||
| account | object | R | Account | ||||
| accountID | String 22 characters |
R | AccountID | ||||
| owner | object | R | Owner | ||||
| String | R | Email Address | |||||
| phone | object | R - Required (if available) unless market or regional mandate restricts sending this information. | Phone Number (E.164 Numbering) | ||||
| countryCode | String 1-3 digits |
O | 1 | Country Calling Code | |||
| number | String Min: 4 digits Max: 12-14 digits |
R | Phone Number | ||||
| address | object | R - Required unless market or regional mandate restricts sending this information. | If you are using an `AccountID` you would add the address to the account using `CreateAccount`. | ||||
| line1 | String | R -
Required unless market or regional mandate restricts sending this information. |
Address Line 1
If you are using an `AccountID` you would add the address to the account using `CreateAccount`.
|
||||
| line2 | String | Conditional -
Required if information is available, unless market or regional mandate restricts sending this information. |
Address Line 2
If you are using an `AccountID` you would add the address to the account using `CreateAccount`.
|
||||
| city | String | R -
Required unless market or regional mandate restricts sending this information. |
City
If you are using an `AccountID` you would add the address to the account using `CreateAccount`.
|
||||
| state | String | Conditional -
Required if information is applicable and BillingCountryCode is present, unless market or regional mandate restricts sending this information. |
State
If you are using an `AccountID` you would add the address to the account using `CreateAccount`.
State Code must be a valid 2-character code if country is `840` or `124`.
|
||||
| zipcode | String | R -
Required unless market or regional mandate restricts sending this information. |
Zip Code
If you are using an `AccountID` you would add the address to the account using `CreateAccount`.
|
||||
| Country Code | String | R -
Required unless market or regional mandate restricts sending this information. |
Country Code (e.g. 840)
If you are using an `AccountID` you would add the address to the account using `CreateAccount`.
|
||||
| order | object | R | Order | ||||
| orderID | String 1-50 characters |
R | Order Number | ||||
| currency | String 3 digits |
O | 840 | ISO 4217 Currency Number | |||
| amount | String Amount |
R | Transaction Amount | ||||
| browser | object | R | Browser Data. Issuers fallback to data provided here if Device Data Collection fails. | ||||
| browserInfo | String | O | Concatenated Browser Data Fields. See this page for the exact format. |
||||
| javascriptEnabled | boolean | O | |||||
| userAgent | String | O | |||||
| header | String | O | |||||
| javaEnabled | boolean | O | |||||
| language | String | O | |||||
| colorDepth | String | O | |||||
| screenHeight | String | O | |||||
| screenWidth | String | O | |||||
| ipAddress | String | O | |||||
| deviceChannel | String | R | Either:
|
||||
Additional information
In the 3DS APIs OrderID is a unique identifier generated by the merchant. We recommend using the same value as your CreateTransaction ReferenceID. This is not required, but it makes it easier for the support team to find the lookup request associated with your transaction.
8. How should I think of 3DS Data consistency?
TabaPay Clients should be aware that there are two types of data:
- Systemic data (i.e. transaction amount, IP address and device) that is captured systemically
- Manually entered data that are customer input fields
- Customer input fields have been found to result in a higher rate of error at approximately 3%. When possible, implementing a drop-down menu of required fields for consumers to select their information, and ensuring card-on-file is present can greatly reduce the rate of human error.
- For addresses, not every country has the same address conventions (i.e. provinces, states, territories). Whenever possible, Merchants should use a dropdown feature to improve accuracy and reduce human error in manually entered data.
- As a best practice, Merchants should allow card-on-file and consumer pre-filled data to ensure consistent entries for returning customers. This also improves consumer experience.
Merchant Dispute Protection
9. What are guidelines for disputes for 3DS transactions?
For information on 3DS response fields, refer to Enriched TabaPay Shield Attributes
Restriction | ECI | Description |
|---|---|---|
CAVV Not Present | ECI 05 or 06 for Visa; ECI 02 or 01 for MasterCard | Merchants are not protected when CAVV is not present |
Non-Reloadable Prepaid | ECI 06 or ECI 02 | Merchants are not protected when card type is a non-reloadable Visa prepaid card. |
Network Fraud Monitoring Program | ECI 05 or 06 for Visa; ECI 02 or 01 for MasterCard | Merchants are not protected if they have been identified in the program. Merchant/acquirers in the program should submit transactions using ECI 07 with no CAVV. |
Custom Payment System (CPS) Requirements | ECI 05 or 06 for Visa; ECI 02 or 01 for MasterCard | Merchants are not protected if transaction does not meet CPS requirements. |
Merchant Restricted Merchant Category Codes (MCCs) | ECI 05 or 06 for Visa; ECI 02 or 01 for MasterCard | Merchants are not protected if they are in one of the following MCCs: • MCC 4829—Wire Transfer/Money Order • MCC 6051—Non-Financial Institution- Foreign Currency, Money Order (not Wire Transfer), Travelers’ Cheques • MCC 7995—Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting and Wagers at Race Tracks • MCC 6540 - Non-Financial Institutions: Stored Value Card Purchase / Load • MCC 7801 - Government Licensed On-Line Casinos (On-Line Gambling) |
Liability Shift
10. Does 01 or 06 guarantee liability shift?
There is no guarantee on liability shift, and TabaPay does not control liability shift. However, performing 3DS assures cardholder authentication by the Issuing bank.
11. How do I know liability shift is guaranteed?
CAVV Results Code can be found in the Create Transaction API Response. CAVV provides insight into a liability shift for 3DS transactions (i.e. transactions processed with a 3DS payload) Learn More →
3DS Decisioning
12. What does TabaPay recommend clients do at the end of 3DS and if the transaction must be processed?
We recommend looking at the following Cardinal Documentation for more information -> Consumer Authentication Matrix.
Some additional observations:
- 02 or 05 - Fully Authenticated Transaction -- TabaPay recommends going ahead with the transaction
- 01 or 06 - Attempted Authentication Transaction -- TabaPay recommends going ahead with the transaction, and monitor activity. If post-processing, it results in any untoward activity, you can tweak this logic.
- 00 or 07 - Non 3-D Secure Transaction -- TabaPay does not recommend going ahead with the transaction
13. How should we treat Enrolled = U or N?
If the Enrolled equals U or N, it is good to [assume] that the issuer does not participate and you should "not" proceed with "Authorization" because if you do, then you would be held liable, since authentication was not accepted. You can proceed with "Authorization" as that is entirely up to the merchant and how they conduct their business. These are rules that you can use on your Payment Gateway, which is separate from CardinalCommerce Authentication.
If enrollment does equal "Y", then it is best to proceed via a Frictionless Transaction or a Challenge on Authentication and from there if Authentication passes with Status Y, then proceed. If it fails, with a N or a U, then you should not proceed but again, you may do so, but liabality will be on the merchant, not the issuer.
Exceptions
14. What do I do when a 3DS transaction aborts for some reason?
When there's an error, without a CAVV at the end of 3DS, you can only proceed with ECI 07 (no CAVV) for the transaction. Or re-try.
However, if during a 3DS flow, the issuer is unavailable, the result would usually result in ECI 06 and a CAVV with issuer not present indication. You can proceed with ECI 06 and CAVV for processing.
Additional questions:
15. Can we rely on the vendor to address any issues that may arise during AND AFTER integration?
Specific issues related to the SDK and its functionality, yes. Prior to going live, we recommend the merchant completes all testing/test cases, building logic to handle responses and errors. Once the merchant moves to production, if there are any issues TabaPay would reach out to Cardinal’s support team via a support ticket with the issue and it would be handled on a case-by-case basis.
16. How would we communicate issues to the vendor?
The merchant would raise the issue with Tabapay which would then open up a support ticket with Cardinal.
17. What is the vendor’s SLA for addressing issues?
This would depend on the issue at hand. For example, if it was a bug fix needed within the SDK, those would come about/be addressed in any upcoming sprints at Cardinal (again, based on the severity or complexity of the issue). When TabaPay opens a support ticket, the SLA's would follow our Cardinal’s SLA procedures.
18. Does Vendor SDK support all platforms/OS versions currently supported by Client App?
The Cardinal Mobile SDK for iOS requires iOS 10 (at the minimum) and is compatible with any version later than that. The Cardinal Mobile SDK for Android requires an API level of 21 (Android 5.0, Lollipop, or later) and is compatible with any version later than that.
19. Can we rely on Vendor to support all future versions of platforms/OS versions?
Yes, Cardinal will continue to support all future platforms/OS versions for iOS and Android.
20. Can Cardinal also support sending 2FA code via phone call, in addition to SMS?
It depends on the Issuing bank, the cardholder would need to work with their Issuing Bank to setup their 2 Factor authentication preferences.
21. Is 2FA via email a hard requirement, or an option?
This is an option. Most user's prefer a text message.
22. Can you provide more details on error flows, if any (what they look like, and in what scenarios are they triggered)?
For 3DS test cards look at the following: https://developers.tabapay.com/reference/3ds-test-cases-and-cards
There are numerous scenarios for errors. We don't have specific error flows, but a common scenario would be 1.0 downgrades (in the case of a 1.0 downgrade, TabaPay will return a 207 response code. Please contact [email protected] if you receive any 207 response codes and DO NOT retry).
23. Is there a built-in success screen, or would the client build that?
The Issuing bank actually has the private session with their cardholder and would be controlling the challenge screen if a cardholder is successful or not.
24. Is there a max number of retries? Is that configurable on the client side?
3 attempts. If the transaction fails after 3 attempts of incorrect password being input, the cardholder would then need to re-initiate the transaction.