This specification defines a way to leverage 3DS2 in conjunction with [[payment-request]].

The working group maintains a list of all bug reports that the group has not yet addressed. Pull requests with proposed specification text for outstanding issues are strongly encouraged.

Introduction

EMV 3-D Secure is a messaging protocol developed by EMVCo to enable users to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. It is designed to prevent unauthorized CNP transactions and to protect the payment ecosystem from CNP-related fraud.

There are several reasons a merchant may wish to support 3DS 2.x (3DS2), including (but not limited to):

This specification defines a way to leverage 3DS2 in conjunction with [[payment-request]]. At a high level, it works as follows:

See how to use this specification within a payment method specification below.

Examples

The following example illustrates how the Tokenized Card Payment Specification [[tokenized-card]] could be enhanced to include support for the current specification.

Request Example

const methodData = [{
  supportedMethods: ["tokenized-card"],
  data: {
    supportedNetworks: ['mastercard', 'visa', 'amex', 'discover', 'jcb', 'unionpay'],
    supportedTypes: ['credit', 'debit'],
    keyProviderURL: 'https://pspKeyProvider.example/tokenizedCardPublicKey',
    requestLevel: 'required', // a ThreeDSRequestLevel enum value, so a string
    // Not yet shown: payeeData or whatever form it takes
  }
}];

const details = { /* ...total, etc.... */ };

new PaymentRequest(methodData, details);

The value "required" for requestLevel means that, for this payment method, the payee requires a payment handler that supports 3DS2.

Response Example

{
 displayLast4: "***6789",
 displayExpiryMonth: "02",
 displayExpiryYear: "22",
 displayNetwork: "mastercard",
 encryptedDetails: "QWxobHZ4bU4yWkt1QUFFU05GWjRHb0FCRkE9PQ==",
 eci: "242", // for 3DS2
 av: "...28 character authentication value ...", // for 3DS2
 transStatus: "Y" // for 3DS2
}

ThreeDSRequest dictionary

This section describes payment method specific data that is supplied as part of the data argument to the PaymentRequest constructor.

        dictionary ThreeDSRequest {
                   ThreeDSRequestLevel          requestLevel;
        };

The ThreeDSRequest dictionary contains the following members:

requestLevel
This optional member represents the payee's requirements regarding 3DS flows for this payment method and this transaction. Absence of this member indicates the payee's preference that the payment handler not initiate 3DS2 flows.

payeeData

Need to specify required merchant/payee data and the form this should take (in terms of a dictionary).

ThreeDSRequestLevel enum

          enum ThreeDSRequestLevel { "required", "optional", "nostepup" };
"required"
The payee requires that, for this payment method and this transaction, the payment handler MUST conduct a 3DS2 flow.
"optional"
The payee signals that, for this payment method and this transaction, the payment handler MAY conduct a 3DS2 flow but is not required to do so.
"nostepup"
The payee signals that, for this payment method and this transaction, the payment handler SHOULD NOT conduct a 3DS2 challenge flow.

ThreeDSResponse dictionary

        dictionary ThreeDSResponse {
                       DOMString       av;
                       DOMString       eci;
                       DOMString       transStatus;
                       DOMString       transStatusReason;
           required    DOMString       dsTransID;
        };
av member
This optional member is a Payment Network-specific cryptographic value generated by the Access Control Server (ACS) to provide a way, during authorisation processing, for the authorisation system to validate the integrity of the authentication result. The value is a 28-character string; it may be a 20-byte value that has been Base64 encoded, which gives a 28-byte result.
eci member
This optional member is an Electronic Commerce Indicator, a Payment Network-specific string to indicate the results of user authentication.
transStatus member
This optional member indicates whether a transaction qualifies as an authenticated transaction or account verification. It is a 1-character string; the transaction status values are defined in [[EMVCO-3DS]].
transStatusReason member
In a failure scenario, this optional member explains why the transStatus member has the specified value (for example "01" means "card authentication failed"). It is a 2-character string whose values are defined in [[EMVCO-3DS]].
dsTransID member
This member is a universally unique transaction identifier assigned by the Directory Server (DS) to identify a single transaction. It is a 36-character string defined in [[EMVCO-3DS]].
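As an added example that is not part of this specification, the following JavaScript shows what a payee (merchant) back end might run to check a returned ThreeDSResponse against the requestLevel it sent, applying the member formats defined above. The dsTransID, av and eci values are constructed, and treating only transStatus "Y" as a successful authentication is an assumption of the example.

```javascript
// Added example (not part of the specification): merchant-side checks on a ThreeDSResponse,
// judged against the requestLevel sent in the ThreeDSRequest. Sample values are constructed.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const AV_RE = /^[A-Za-z0-9+/]{27}=$/; // 27 chars plus one '=' pad: how 20 bytes become 28 chars

// Returns the list of malformed members (empty when every present member is well-formed).
function threeDSResponseErrors(resp) {
  const errors = [];
  if (typeof resp.dsTransID !== 'string' || !UUID_RE.test(resp.dsTransID)) {
    errors.push('dsTransID: required 36-character UUID missing or malformed');
  }
  if (resp.av !== undefined && (!AV_RE.test(resp.av) || Buffer.from(resp.av, 'base64').length !== 20)) {
    errors.push('av: expected a 28-character Base64 encoding of 20 bytes');
  }
  if (resp.eci !== undefined && (typeof resp.eci !== 'string' || resp.eci === '')) {
    errors.push('eci: expected a non-empty string');
  }
  if (resp.transStatus !== undefined && !(typeof resp.transStatus === 'string' && resp.transStatus.length === 1)) {
    errors.push('transStatus: expected a 1-character status code');
  }
  if (resp.transStatusReason !== undefined && !/^[0-9]{2}$/.test(resp.transStatusReason)) {
    errors.push('transStatusReason: expected a 2-character reason code');
  }
  return errors;
}

// Decides whether the payee should accept the 3DS2 outcome. Assumption of this example:
// only transStatus 'Y' counts as authenticated; every other EMVCo status value is a failure.
function acceptThreeDSOutcome(requestLevel, resp) {
  if (resp === undefined) {
    return requestLevel === 'required'
      ? { ok: false, reason: 'requestLevel "required" but the handler returned no ThreeDSResponse' }
      : { ok: true, reason: 'no 3DS2 flow performed; permitted by requestLevel' };
  }
  const errors = threeDSResponseErrors(resp);
  if (errors.length > 0) return { ok: false, reason: errors.join('; ') };
  if (resp.transStatus !== undefined && resp.transStatus !== 'Y') {
    return { ok: false, reason: `not authenticated (transStatus=${resp.transStatus}, transStatusReason=${resp.transStatusReason ?? 'n/a'})` };
  }
  if (requestLevel === 'required' && (resp.transStatus === undefined || resp.av === undefined)) {
    return { ok: false, reason: 'requestLevel "required" needs transStatus Y and an av to pass to authorisation' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample responses (not real 3DS2 data): SAMPLE_AV is 20 bytes Base64-encoded to 28 chars.
const SAMPLE_AV = Buffer.alloc(20, 0x41).toString('base64');
const SAMPLE_DS_TRANS_ID = '4e9a1b8c-2f3d-4a5b-9c6d-7e8f90a1b2c3';
const authenticated = { dsTransID: SAMPLE_DS_TRANS_ID, eci: '242', av: SAMPLE_AV, transStatus: 'Y' };
const failed = { dsTransID: SAMPLE_DS_TRANS_ID, transStatus: 'N', transStatusReason: '01' };
```

Run under Node.js; a response that fails the format checks is rejected before its transStatus is even considered, so a truncated or non-Base64 av never reaches authorisation.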

How to Use this Specification within a Payment Method Specification

@@Todo: Describe how to reference this specification from within a payment method specification.@@

Security and Privacy Considerations

Data Gathered by the Payment Handler

The Working Group is discussing privacy implications related to payment handler data gathering.

User Privacy Preference for Strong Authentication

Dependencies

This specification relies on several other underlying specifications.

Payment Request
The PaymentRequest and PaymentResponse interfaces are defined in [[!payment-handler]]. That specification also defines the term data.
Payment Handler
The term payment handler is defined in [[!payment-handler]].
EMVCo 3-D Secure
The terms Electronic Commerce Indicator, Access Control Server, Directory Server, challenge flow, transaction status, and Payment Networks are defined in [[EMVCO-3DS]].