3DS Data Sharing

3DS Data Sharing

Data sharing is an optimized 3D Secure authentication flow that can determine a successful or failed outcome without requiring the cardholder to complete an interactive challenge. It consists of two distinct phases:

  1. Initialization for device fingerprinting.

  2. Data-only request submitted via the Authentication endpoint.

Assumption: Customers card is already created with CMP and a card_id has been generated

For detailed API definitions and parameters, see the 3DS API Spec.

Initialize (Device Fingerprinting)

This is executed primarily on the Merchant Frontend to silently collect device-specific information from the cardholder’s browser. This process must be initiated when the checkout page first loads.

  1. Call the VGS Initialize Endpoint:

    • Action: The Merchant Frontend sends a POST request to the VGS method endpoint (/cards/{card_id}/3ds-initialize).

    • Data Required: Include key identifiers such as card_id, merchant_tx_id, and token_type.

    • Initialize API Spec.

  2. Embed the Hidden Iframe:

    • Action: Upon receiving the response, which contains the tDSMethodContent (an iframe payload), the Merchant Frontend must immediately embed this content into a hidden iframe on the page.

    • Purpose: This iframe executes the necessary script for silent device fingerprinting and must remain active for up to 10 seconds.

  3. Collect Browser Data:

    • Action: Concurrently, the Merchant Frontend must collect standard, non-fingerprint browser details, such as the user agent and the user's IP address. This data will be required for the subsequent Authentication request.

Authentication (Data Sharing Request)

This is triggered when the cardholder confirms the payment, typically involving the Merchant Frontend passing data to the Merchant Backend for the final API call.

  1. Trigger Authentication:

    • Action: When the user clicks the "Pay" button, the Merchant Frontend collects and transmits all necessary data (card data, purchase info, and the browser data from Phase 1, Step 3) to the Merchant Backend.

  2. Call VGS Authenticate:

    • Action: The Merchant Backend sends the core transaction request to the VGS /cards/{card_id}/3ds-authenticate endpoint.

    • Data Required: Include all collected data, transaction details (purchase_info), and crucially, set the authentication type to auth_type: "data-only".

    • Frictionless API Spec.

  3. Receive and Process Final Result:

    • Action: The Merchant Backend receives the synchronous Final Auth Result from VGS.

    • Key Data Received: Since this is a data-only flow, the response is immediate. It contains the crucial authentication status, the cryptographic value (cryptogram), and transaction_info.

  4. Authorize Payment (Proceed with Transaction):

    • Action: The Merchant Backend uses the received status to make the final risk decision. If the authentication was successful (frictionless flow achieved), the backend must immediately use the provided cryptogram to submit the final payment authorization request to the payment processor.

Previous3DSNext3DS Authentication

Last updated