lyra.com
Search
Categories
Tags
Europe (English)
France
Spain
Europe (English)
India
Home
Implementation
Embedded form
Hosted payment page
REST payment API
Webservices implementation guide
File exchange payment
Mobile payment
Marketplace
Helpers and tools
Free payment plugins
Snippets
Back Office
Back Office Expert
Back Office Merchant
Guides
Help
FAQ
Support

Cardholder authentication service

The activation of these features is subject to prior approval by PayZen .

The purpose of this Web Service is to authenticate the holder of the payment card using v1 3DS or v2 3DS protocols (other authentication protocols can be potentially added to this list). The service offers automatic selection of protocol, with transparent fallback to v1 3DS if v2 3DS is not possible.

The service authenticates the cardholder and returns the authentication information at the end of the process.

General principle

The service adopts an operating principle that ignores the underlying protocol to provide a unique integration experience, and not integration by protocol.

The generic process of complete authentication consists of several stages:

  • An initial call to the PCI/Charge/Authenticate service with a response of AuthenticationResult or AuthenticationInstruction type.
  • If the return belongs to the AuthenticationInstruction type, the operation must be performed on the merchant side:
    • Creation of a visible or invisible iFrame.
    • In the iFrame, browser redirection to a target page after submitting a form that respects the definition specified in the instruction.
    • Potential interaction with the cardholder or the browser.
    • Return page of the remote server that will emit a JavaScript event containing the result of the instruction.
    • Interception of the instruction result in the form of a JavaScript event in the parent window.
    • New call to the PCI/Charge/Authenticate service with the signed result of the instruction obtained via the browser.
    • Then, the PCI/Charge/Authenticate service once again returns either an instruction or a result.
  • If the return is of AuthenticationResult type, it will contain the final authentication result and the process is complete.

Detailed flowchart

The following flowchart presents a generic payment scenario with authentication: the initial call to the service, an instruction, an interaction, the final authentication result and the end of payment.

The payment scenario is indicated here as an example of possible use of the PCI/Charge/Authenticate service. The authentication scenario starts at step 3 and ends at step 17 .

Client

Browser

iFrame

Merchant server

Payment gateway server

Remote server (e.g.: ACS)

The return with the instruction result to the PCI/Charge/Authenticate service (steps 16 and 17 ) allows to check the integrity of the data that has passed through the buyer's browser and to interpret the results according to the protocol in use.

We will present the different steps of the integration in the following paragraphs.

Integration Steps
Actions to perform on the merchant server side Steps 3 , 4 , 16 and 17
Actions to perform on the JavaScript side Steps 5 , 6 , 7 and 15

Steps 1 and 2: Initiation (payment or adding a card)

A payment or card registration action has been initiated and requires authentication. The PCI/Charge/Authenticate service is now ready to be called.

Step 3: Call to the PCI/Charge/Authenticate service

The initial request allows to transmit the data required for authentication.

Among this information, it is necessary to fill in some information about the client's browser or mobile device in the device object.

This information is mostly technical and must be retrieved from the browser or the mobile device (in JavaScript for example).

The goal is to facilitate customer identification (IP address) and their payment medium (browser size) for a more suitable authentication process.

See the integration documentation of the PCI/Charge/Authenticate service for more information on this field.

Here is an example describing the initial request:

{     
  "amount": 1230,
  "currency": "EUR",
  "transactionCategory": "PAYMENT",
  "productType": "GOODS_OR_SERVICE_PURCHASE",
  "merchant": {
    "mid": "1234567"
  },
  "paymentForm":{
    "pan": "4970110000000013",
    "expiryMonth": "02",
    "expiryYear": "24",
	  "networkPreference": "VISA"
  },
  "device": {
    "deviceType": "BROWSER",
    "acceptHeader": "application/json",
    "ip": "89.249.65.28", 
    "javaEnabled": true,
    "language": "en",
    "colorDepth": "1",
    "screenHeight": 1024,
    "screenWidth": 768,
    "timeZoneOffset": 0,
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
  },  
  "protocolRequest": {
    "name": "THREEDS",
    "version": "2",
    "challengePreference": "NO_PREFERENCE"
  }
}
/**
 * I initialize the PHP SDK
 */
require_once __DIR__ . '/vendor/autoload.php';
require_once __DIR__ . '/keys.php';
require_once __DIR__ . '/helpers.php';

/** 
 * Initialize the SDK 
 * see keys.php
 */
$client = new Lyra\Client();

/**
 * I create a formToken
 */
$store = array("amount" => 250, 
"currency" => "EUR", 
"orderId" => uniqid("MyOrderId"),
"customer" => array(
  "email" => "sample@example.com"
));
$response = $client->post("V4/Charge/CreatePayment", $store);

/* I check if there are some errors */
if ($response['status'] != 'SUCCESS') {
    /* an error occurs, I throw an exception */
    display_error($response);
    $error = $response['answer'];
    throw new Exception("error " . $error['errorCode'] . ": " . $error['errorMessage']);
}

/* everything is fine, I extract the formToken */
$formToken = $response["answer"]["formToken"];

?>

Step 4: Full response with an instruction

The response will contain an instruction presented as follows (this example presents v1 3DS authentication):

{
  "answer": {
	  "id": "c82794e9-9c20-44a8-9297-b70e1e7c4006",
	  "protocol": {
			"name": "THREEDS",
			"version": "1.0.2",
			"network": "VISA",
			"challengePreference":"NO_PREFERENCE",
			"simulation":false,
			"_type": "V4/PCI/Charge/Authenticate/Protocol"
		},
		
	  "value": {  		
			"instructionType": "FORM",
			"name": "CHALLENGE",
			"timeout" : "15",
			"target": {
				"element": "IFRAME",
				"visible": true,
				"width": 400,
				"height": 400,
				"_type": "V4/PCI/Charge/Authenticate/InstructionTarget"
			},

			"http": {
				"method": "POST",
				"url": "https://acs.sg.com/1.0.2",
				"headers": {
					"Accept": "text/html"
				},
				"body": {
					"termUrl": "https://pass.sample-acs.net/v1/notify/threeds/v1/pares",
					"MD": "eJwljEmSokAAAL8yd2O6imLVCA+oINAKCLLekALZd2ggePz0dF/ylJnEB/xAG8GQLLcRiKRoZgtWnHtkwniZfw2qontZg4mvIv2SrOOGIMERCDJ/CHSg2QMkNpqEcNt/52iDEP1/bdVYFFsyDM0BgKIOgyKp++HAQQ6CKcD93yZYyqgawK/4A6VlbYPzWv0OZu3Gj04+rf6LMlQP8db81Tm7JXBxyrM3cKIYaV7GedZVQdLkWAo6W+ufqbUMjQxLQvkUIG8k384FpmsJfG2fQ0qzI3rulyLFqkPMYD9No8B48rkcrmI59ar3Yk29l6k8EQJPDlc9p+OqPzuxhul33WZx2TvmyNBxswb2U9OmCHFhelH8WI6e3nV2xVACYrHwadbjVpKbxxjWjywfgi7EK3ZWGTMnsSl2baxnlWKWhmXuqpOXX2JBhDDUebZccWyNOagnJHKm+kgz//4OF8oyrWig5hIAw1LL7jNTTkiw76DgJDl2VXKxGc4h0O1W9e4k1b4LPeRfzsh6H4//ANdloIQ=",
					"paReq": "eJxVUslu2zAQ/RVBd5mLLZk2RgzSBlkOCYLGPqSXgss4VmNJDkkHdr4+pKosPXHezPDN4xvC2bHdZa/ofNN3dc4mNM+wM71tuqc6X68uC5FnPqjOql3fYZ2f0OdnElZbh3jxgObgUMIteq+eMGtsnf8RSghqDS0st7yY0WpeaKNZoamwrFpQzSvMJdyf/8IXCeNoGSdPOJAPGCmd2aouSFDm5cfNnWTVdC6AjAhadDcXkvHprKyA/EPQqRblrRpu2hX6AGRIgekPXXAnyUsK5APAwe3kNoS9XxLSjrcmpm+BpAqQLw33hxT5yHRsrFRv9vlxuq0e//6+Ut3O6XV4sFeXpb5e10BSB1gVUHLKBOO0yhhflvMlZUCGPKg2SZDllEY5I4B9mnH+vfI9A9FpFzdzkotkwycCPO7jYmJHdO8zBovexBeMx5f8n9fJUBOSdxsurFa0VJrPNqg0ZTjb2LnhJU8+D02JvoleMUEXA38CQBINGTdIxu3H6L9f8Q7HNMYj"
				},
				"_type": "V4/PCI/Charge/Authenticate/HttpRequest"
			},
			"_type": "V4/PCI/Charge/Authenticate/AuthenticationInstruction"
	  }
  }
}

It consists of:

Object Function
id Unique identifier of authentication transaction in progress. It must be transmitted upon each new call.
protocol Indicates which protocol will be eventually applied during the authentication.
value Represents the authentication result or the instruction to follow. If value is of AuthenticationInstruction type, it is an instruction to be executed, if it is of AuthenticationResult type, it is the authentication result.

The authentication generally occurs over several calls to the PCI/Charge/Authenticate service. In order to maintain the transaction, during each call it is necessary to transmit the id attribute received in this response.

Step 5: Preparation of the instruction handling page

If an instruction was returned in the previous step, the page displayed in this step must allow:

  • To set up a listener for the type of event returned by the iFrame, which will trigger a POST to the merchant server with the instruction result (see step 15 ).
  • To create a hidden or visible iFrame (see steps 6 and 7 ).

Step 6: Creation of an iFrame

The instruction received in step 4 is as follows:

{
    
    "instructionType": "FORM",
    "name": "CHALLENGE",
    "timeout" : "15",
    "target": {
        "element": "IFRAME",
        "visible": true,
        "width": 400,
        "height": 400,
        "_type": "V4/PCI/Charge/Authenticate/InstructionTarget"
    },

    "http": {
        "method": "POST",
        "url": "https://acs.sg.com/1.0.2",
        "headers": {
            "Accept": "text/html"
        },
        "body": {
            "termUrl": "https://pass.sample-acs.net/v1/notify/threeds/v1/pares",
            "MD": "eJwljEmSokAAAL8yd2O6imLVCA+oINAKCLLekALZd2ggePz0dF/ylJnEB/xAG8GQLLcRiKRoZgtWnHtkwniZfw2qontZg4mvIv2SrOOGIMERCDJ/CHSg2QMkNpqEcNt/52iDEP1/bdVYFFsyDM0BgKIOgyKp++HAQQ6CKcD93yZYyqgawK/4A6VlbYPzWv0OZu3Gj04+rf6LMlQP8db81Tm7JXBxyrM3cKIYaV7GedZVQdLkWAo6W+ufqbUMjQxLQvkUIG8k384FpmsJfG2fQ0qzI3rulyLFqkPMYD9No8B48rkcrmI59ar3Yk29l6k8EQJPDlc9p+OqPzuxhul33WZx2TvmyNBxswb2U9OmCHFhelH8WI6e3nV2xVACYrHwadbjVpKbxxjWjywfgi7EK3ZWGTMnsSl2baxnlWKWhmXuqpOXX2JBhDDUebZccWyNOagnJHKm+kgz//4OF8oyrWig5hIAw1LL7jNTTkiw76DgJDl2VXKxGc4h0O1W9e4k1b4LPeRfzsh6H4//ANdloIQ=",
            "paReq": "eJxVUslu2zAQ/RVBd5mLLZk2RgzSBlkOCYLGPqSXgss4VmNJDkkHdr4+pKosPXHezPDN4xvC2bHdZa/ofNN3dc4mNM+wM71tuqc6X68uC5FnPqjOql3fYZ2f0OdnElZbh3jxgObgUMIteq+eMGtsnf8RSghqDS0st7yY0WpeaKNZoamwrFpQzSvMJdyf/8IXCeNoGSdPOJAPGCmd2aouSFDm5cfNnWTVdC6AjAhadDcXkvHprKyA/EPQqRblrRpu2hX6AGRIgekPXXAnyUsK5APAwe3kNoS9XxLSjrcmpm+BpAqQLw33hxT5yHRsrFRv9vlxuq0e//6+Ut3O6XV4sFeXpb5e10BSB1gVUHLKBOO0yhhflvMlZUCGPKg2SZDllEY5I4B9mnH+vfI9A9FpFzdzkotkwycCPO7jYmJHdO8zBovexBeMx5f8n9fJUBOSdxsurFa0VJrPNqg0ZTjb2LnhJU8+D02JvoleMUEXA38CQBINGTdIxu3H6L9f8Q7HNMYj"
        },
        "_type": "V4/PCI/Charge/Authenticate/HttpRequest"
    },
    "_type": "V4/PCI/Charge/Authenticate/AuthenticationInstruction"
}

The different properties of the iFrame to be created can be found in the target element:

		"target": {
		  "element": "IFRAME",
		  "visible": true,
		  "width": 400,
		  "height": 400
		}

If it must be visible ( value.target.visible attribute set to true ), create the iFrame with these parameters (using width and height ) and display it, or create a hidden iFrame.

Handling the iframe display timeout

It is also necessary to manage the maximum display time of the iframe if the value.timeout attribute is present in the instruction (timeout defined in seconds). To do so, it will be necessary to allow to trigger an event of LYRA_AUTH_INSTRUCTION_RESULT type populated as follows:

{
    eventName: 'LYRA_AUTH_INSTRUCTION_RESULT',
    value: {
        name: "Add here the instruction name you have received in the answer",
        value: 'TIMEOUT',
        protocol: "Add here the protocol object you have received in the answer"
    }
}

Example of implementation:

    function createInstructionIframe(instruction) {
        // Get instruction container element
        container = document.getElementById('instructionContainer');

        // Clean instruction container
        container.innerHTML = '';

        // Create iframe element
        var iframe = document.createElement('iframe');
        iframe.id = 'instructionIframe';
        iframe.name = 'instructionIframe';
        iframe.src = 'about:blank';
        iframe.style.width = instruction.value.target.width+"px";
        iframe.style.height = instruction.value.target.height+"px";
        iframe.style.visibility = instruction.value.target.visible ? 'visible' : 'hidden';

        // Handle timeout
        if(instruction.value.timeout){
            setTimeout(() => {
                const instructionResultTimeout = {
                    eventName: 'LYRA_AUTH_INSTRUCTION_RESULT',
                    value: {
                        name: instruction.value.name,
                        value: 'TIMEOUT',
                        protocol: {
                            name: instruction.protocol.name,
                            version: instruction.protocol.version,
                            network: instruction.protocol.network,
                            challengePreference: instruction.protocol.challengePreference,
                            simulation: instruction.protocol.simulation
                        },
                    },
                };
                window.postMessage(JSON.stringify(instructionResultTimeout), '*');
            }, instruction.value.timeout * 1000);
        }

        // Add iframe to container
        container.appendChild(iframe);

        // Create form to post
        var form = document.createElement('form');
        form.id = 'instructionForm';
        form.name = 'instructionForm';
        form.target = 'instructionIframe';
        form.method = instruction.value.http.method;
        form.action = instruction.value.http.url;
        form.style = 'visibility: hidden';

        // Create form body
        Object.keys(instruction.value.http.body).forEach(function (name) {
            form.innerHTML += '<input name="' + name + '" value="' + instruction.value.http.body[name] + '">';
        });
        var body = document.createElement('form');

        // Add form to container
        container.appendChild(form);

        // Triger form submit
        form.submit();
    }

Step 7: Form submission

Once the iFrame has been created, it must be filled with a form following the instructions of the ‘http’ tag:

"http": {
	"method": "POST",
	"url": "https://acs.sg.com/1.0.2",
	"headers": {
		"Accept": "text/html"
	},
	"body": {
		"termUrl": "https://pass.sample-acs.net/v1/notify/threeds/v1/pares",
		"MD": "eJwljEmSokAAAL8yd2O6imLVCA+oINAKCLLekALZd2ggePz0dF/ylJnEB/xAG8GQLLcRiKRoZgtWnHtkwniZfw2qontZg4mvIv2SrOOGIMERCDJ/CHSg2QMkNpqEcNt/52iDEP1/bdVYFFsyDM0BgKIOgyKp++HAQQ6CKcD93yZYyqgawK/4A6VlbYPzWv0OZu3Gj04+rf6LMlQP8db81Tm7JXBxyrM3cKIYaV7GedZVQdLkWAo6W+ufqbUMjQxLQvkUIG8k384FpmsJfG2fQ0qzI3rulyLFqkPMYD9No8B48rkcrmI59ar3Yk29l6k8EQJPDlc9p+OqPzuxhul33WZx2TvmyNBxswb2U9OmCHFhelH8WI6e3nV2xVACYrHwadbjVpKbxxjWjywfgi7EK3ZWGTMnsSl2baxnlWKWhmXuqpOXX2JBhDDUebZccWyNOagnJHKm+kgz//4OF8oyrWig5hIAw1LL7jNTTkiw76DgJDl2VXKxGc4h0O1W9e4k1b4LPeRfzsh6H4//ANdloIQ=",
		"paReq": "eJxVUslu2zAQ/RVBd5mLLZk2RgzSBlkOCYLGPqSXgss4VmNJDkkHdr4+pKosPXHezPDN4xvC2bHdZa/ofNN3dc4mNM+wM71tuqc6X68uC5FnPqjOql3fYZ2f0OdnElZbh3jxgObgUMIteq+eMGtsnf8RSghqDS0st7yY0WpeaKNZoamwrFpQzSvMJdyf/8IXCeNoGSdPOJAPGCmd2aouSFDm5cfNnWTVdC6AjAhadDcXkvHprKyA/EPQqRblrRpu2hX6AGRIgekPXXAnyUsK5APAwe3kNoS9XxLSjrcmpm+BpAqQLw33hxT5yHRsrFRv9vlxuq0e//6+Ut3O6XV4sFeXpb5e10BSB1gVUHLKBOO0yhhflvMlZUCGPKg2SZDllEY5I4B9mnH+vfI9A9FpFzdzkotkwycCPO7jYmJHdO8zBovexBeMx5f8n9fJUBOSdxsurFa0VJrPNqg0ZTjb2LnhJU8+D02JvoleMUEXA38CQBINGTdIxu3H6L9f8Q7HNMYj"
	},
	"_type": "V4/PCI/Charge/Authenticate/HttpRequest"
}
  • The method property indicates the HTTP verb to be associated with the form.
  • url indicates which server is targeted by the form action.
  • The HTTP request headers in headers .
  • The form parameters in body (e.g. termUrl, MD and paReq).

Once the form has been generated and placed in the iFrame, all you need to do is trigger it when the page is loading.

In case the timeout configured in the iframe creation code is triggered, the event of LYRA_AUTH_INSTRUCTION_RESULT type will be captured by the listener described in step 15 . This will allow to continue the process and to have a final result.

Steps 8 to 14: User authentication

Once the form has been posted, the code of the issuing bank will take over the process to allow secure authentication (silent or interactive). At the end of this step, the LYRA_AUTH_INSTRUCTION_RESULT event will be issued from the iFrame to indicate the end of the process. Example:

{
    "eventName": "LYRA_AUTH_INSTRUCTION_RESULT",
    "value" : {
        "value": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
        "name": "CHALLENGE",
        "protocol": {
            "name": "THREEDS",
            "version": "2.1.0",
            "network": "VISA",
            "challengePreference" : "NO_PREFERENCE",
            "simulation": "false"
        }
    }
}

Step 15: Retrieval of the JavaScript event emitted in step 14

In order to interpret the LYRA_AUTH_INSTRUCTION_RESULT event, it is necessary to implement a listener on the main page. It must be capable of parsing JSON code and must be written as follows:

window.addEventListener('message', function (messageEvent) {
    
    var data = messageEvent.data;
    try {
        var messageData = JSON.parse(data);
        if (messageData.eventName === 'LYRA_AUTH_INSTRUCTION_RESULT') {
            try {
                // callback call with messageData.value content
                container = document.getElementById('instructionContainer');
                var form = document.createElement('form');
                
                form.method = 'POST';
                form.action = "https://myhost.com/payment/authentication/result.php";
                form.style = 'visibility: hidden';					
                    
                form.innerHTML += "<input name='messageData' value='" + data + "'>";  
                                
                var body = document.createElement('form');
                
                container.appendChild(form);
                form.submit();
            } catch (err) {
                // error callback call
            } finally {
                // always close the iFrame/popin
                container = document.getElementById('instructionContainer');
                container.remove();
            }
        }
    } catch (err) {
        // process eventual exceptions during callbacks
    }
    
}, false);

After that, you must return this data to the merchant server.

Step 16: Returning the instruction result to the merchant server

Once the instruction result is retrieved on the merchant server side, it must be sent via a new call to the PCI/Charge/Authenticate service. The instructionResult object must be added to the initial request:

{
  "amount": 1230,
  "currency": "EUR",
  "transactionCategory": "PAYMENT",
  "productType": "GOODS_OR_SERVICE_PURCHASE",
  "merchant": {
    "mid": "1234567"
  },
  "paymentForm":{
    "pan": "4970110000000013",
    "expiryMonth": "02",
    "expiryYear": "24",
	  "networkPreference": "VISA"
  },
  "device": {
    "deviceType": "BROWSER",
    "acceptHeader": "application/json",
    "ip": "89.249.65.28", 
    "javaEnabled": true,
    "language": "en",
    "colorDepth": "1",
    "screenHeight": 1024,
    "screenWidth": 768,
    "timeZoneOffset": 0,
    "userAgent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0"
  },  
  "protocolRequest": {
    "name": "THREEDS",
    "version": "2",
    "challengePreference": "NO_PREFERENCE"
  },  
  "id": "c82794e9-9c20-44a8-9297-b70e1e7c4006",  
  "instructionResult": {
    "name" : "CHALLENGE",    
    "protocol" : {
      "name" : "THREEDS",
      "version" : "1.0.2",
      "network" : "VISA",
      "challengePreference": "NO_PREFERENCE",
      "simulation": false
    },
    "value": "eyJhbGciOiJIUz..."
  }
}
/**
 * I initialize the PHP SDK
 */
require_once __DIR__ . '/vendor/autoload.php';
require_once __DIR__ . '/keys.php';
require_once __DIR__ . '/helpers.php';

/** 
 * Initialize the SDK 
 * see keys.php
 */
$client = new Lyra\Client();

/**
 * I create a formToken
 */
$store = array("amount" => 250, 
"currency" => "EUR", 
"orderId" => uniqid("MyOrderId"),
"customer" => array(
  "email" => "sample@example.com"
));
$response = $client->post("V4/Charge/CreatePayment", $store);

/* I check if there are some errors */
if ($response['status'] != 'SUCCESS') {
    /* an error occurs, I throw an exception */
    display_error($response);
    $error = $response['answer'];
    throw new Exception("error " . $error['errorCode'] . ": " . $error['errorMessage']);
}

/* everything is fine, I extract the formToken */
$formToken = $response["answer"]["formToken"];

?>

Step 17: Receiving the response from the payment gateway server

As in step 4 , the merchant server receives a new response, which can either be final ( AuthenticationResult ) or request a new instruction ( AuthenticationInstruction ). In the latter case, the flow resumes at step 5 . Here is an example of the final message:

{
    "answer": {
        "id": "c82794e9-9c20-44a8-9297-b70e1e7c4006",
  
        "protocol": {
          "name": "THREEDS",
          "version": "1.0.2",
          "network": "VISA",
          "challengePreference":"NO_PREFERENCE",
          "simulation":false
        },
  
        "value": {         
          "authenticationId":{
            "authenticationIdType":"xid",
            "value":"c82794e99c2044a89297b70e1e7c4006",
            "_type": "V4/PCI/Charge/Authenticate/AuthenticationId"
          },
          "status": "SUCCESS",
          "authenticationType": "CHALLENGE",
          "authenticationValue":{
              "authenticationValueType": "CAVV",
              "value": "FsXD4Ox0VEI2MseoR0VhN5pX952I",
              "_type": "V4/PCI/Charge/Authenticate/AuthenticationValue"
          },
          "commerceIndicator": "05",
          "extension": {
            "enrolled": "Y",
            "algorithm": "2",
            "signatureValid": true,
            "_type": "V4/PCI/Charge/Authenticate/AuthenticationResultExtensionThreedsV1"
          },
          "_type": "V4/PCI/Charge/Authenticate/AuthenticationResult"
        },
        "_type": "V4/Charge/AuthenticationResponseData"
      }
  }

Step 18: The merchant server resumes operations

If the previous response is a final result, the merchant server must analyze the status of the result (‘value.status’ property) in order to resume the operation in progress (e.g. authorization if ‘SUCCESS’ of end of payment or card registration if ‘FAILED’ …).

Appendix

Example: v1 3DS authentication with ACS authentication

  • An initial call to the PCI/Charge/Authenticate service with a card enrolled to v1 3DS.
  • A return with a CHALLENGE instruction of redirection to the ACS with a paReq (visible iFrame).
  • A redirection to the ACS in the iFrame, cardholder authentication.
  • A return via the browser with an instruction result.
  • A new call to the PCI/Charge/Authenticate service by transmitting this result.
  • A return of the payment gateway server with the final authentication result.

Example: v2 3DS authentication with ACS authentication

  • An initial call to the PCI/Charge/Authenticate service with a card enrolled to v2 3DS.
  • A return with a FINGERPRINT instruction (3DS Method).
  • A redirection to the ACS in the invisible iFrame, loading and execution of the JavaScript code of the ACS fingerprint.
  • A return via the browser with an instruction result.
  • A new call to the PCI/Charge/Authenticate service by transmitting this result.
  • A return of the payment gateway server with a CHALLENGE instruction of redirection to the ACS with a CReq (visible iFrame).
  • The instruction has occurred (redirection to the ACS with a CReq and user interaction).
  • The browser return is an instruction result: new call to the PCI/Charge/Authenticate service by transmitting this result.
  • The server return is the final result of the authentication.

Glossary

3DS Method JavaScript code of the ACS executed in the Buyer’s browser for the purpose of making fingerprints.
3DS Requestor The requestor upon 3DS authentication, usually the Merchant or their payment gateway.
3DS Server 3DS Server. Component of the 3DS Requestor domain that initiates the 3DS v2 process and communicates with the DS or the ACS during transaction authentications. It facilitates the interaction between the 3DS Requestor and the DS.
ACS Access Control Server. Component that checks whether authentication is available for a card number and authenticates specific transactions.
Application 3DS Requestor Application on the Buyer’s mobile device that can process a 3DS transaction thanks to the use of 3DS SDK. The application is available by means of integration with 3DS SDK.
Challenge Interactive authentication phase between the Buyer and their bank (ACS).
CReq v2 3DS request message of cardholder authentication, sent to the ACS.
DS Directory Server. Component that maintains the list of intervals for cards with possible authentication allowing MPIs / 3DS Servers / ACS to communicate with each other during authentications.
Fingerprinting Corresponds to getting a fingerprint. Unique Buyer identification using browser data.
MPI Merchant Plug-In. Component that initiates the v1 3DS process and communicates with the DS or the ACS during transaction authentications.
paReq v1 3DS request message of cardholder authentication, sent to the ACS.
SDK 3DS 3D Secure development kit. Software component included in a 3DS Requestor Application.

List of supported protocols

Protocol Version
3D Secure 1.0.2
3D Secure 2.1.0
Procesos Diners 1.0.0

Test cards

The test card reference page can be found here .

Recruitment

Head Office :

LYRA NETWORK
109, rue de l’innovation
31670 Labège
FRANCE