Device Data Collection

The Intermediary Step Between /init and /lookup

To help the Issuing Bank perform risk-based authentication, Device Data Collection must be executed prior to calling TabaPay's 3D Secure Lookup API. Failing to complete this step may result in the transaction being downgraded to 1.0, a less-secure version of 3DS.
While not required, including the Browser/Device data is strongly recommended. Doing so ensures the transaction will still be of 3DS 2.0, even if the Device Data Collection fails. The Device Data Collection may be done through the (Cardinal recommended) Songbird.js library or POSTing to the DDU returned in TabaPay’s 3D Secure Initialize.

Option 1: Cardinal Cruise Hybrid

The Cardinal Cruise Hybrid utilizes the Songbird.js library. Below are URLs a client can use to test various environments. Each build of Songbird is directly tied to an environment. To change environments simply edit the URL you are using.


Cardinal setup:

Setting up a transaction flow includes the following:

(1) Send a jwt object to Cardinal via Cardinal.setup(), which in turn...
(2) Triggers a payments.setupComplete() event:

<script src=""></script>
Cardinal.setup("init", {
jwt: “{{Please insert JWT string here}}”
Cardinal.on('payments.setupComplete', function (setupCompleteData) {
// handle set up complete event

Option 2: POSTing to the Device Data Collection URL

If you do not want to include a 3rd party library, POST the jwt object to the Device Data Collection URL that was returned in the TabaPay's 3D Secure Initialize response:

<iframe name="collectionFrame" height="10" width="10" 
           style="visibility: hidden; position: absolute; top: -1000px; left: -1000px;">
<form id="collectionForm" target='collectionFrame' name="devicedata"
<!-- POST Parameters: is the JWT 
  which is the Authentication JWT with the ReferenceId
  from the BIN Intelligence API Response -->
<input type="hidden" name="JWT" value="…" />
<script>window.onload = function () {
  // Auto submit form on page load