SDK Configuration

This section describes how the Netcetera Android 3DS SDK should be configured.

API Key Configuration

An API key is distributed along with the SDK. In order to be able to use the Netcetera Android 3DS SDK, the API key must be added in the ConfigParameters which are passed in the Initialization of the ThreeDS2Service.

Configuration with ConfigParameters

To define the API key without the use of a ConfigurationBuilder, use ConfigParameters.addParam(...) with the following arguments:

ArgumentValue
groupnull
paramName"api_key"
paramValueThe provided API key as a String

Example:

Directory Server Configuration

When a transaction is initiated, the SDK gets the information about the Directory Server that will participate in the message flow. With that, the SDK determines which DS public key should be used for data encryption and which DS logo should be shown.

The SDK uses the DS public key and the DS logo. These are configured in the ConfigParameters in Initialization.

The encryption key or certificate and the root certificate can be obtained from each scheme respectively.

Following are the steps for the DS configuration:

  1. Schemes - Which schemes can be used.
  2. DS IDs - DS IDs that belong to a certain scheme.
  3. Schemes public key - Public key for each scheme used for encryption of the device data.
  4. Schemes root public key - Public key for each scheme used for verification of the certificate chain in the acsSignedContent during a challenge flow.
  5. Scheme logo Resource ID - Drawable Resource ID for each scheme that will be used as logo.
  6. Scheme dark logo Resource ID - Drawable Resource ID for each scheme that will be used as dark mode logo.

If public keys are provided, the keys can be either EC or RSA in PEM format. If certificates are provided, they need to be in the X.509 standard in either PEM or DER format.

Integrator defined schemes will take priority over Pre-configured Directory Server Configurations (which are subject to automatic updates).

If the integrator wishes to utilise the automatic updates of the Pre-configured Directory Servers, they should not be updated/overridden.

Configuration with ConfigParameters

Configuring Schemes Directory Servers

To define the scheme DS, use the ConfigParameters.addParam(...) with the following arguments:

ArgumentValue
groupnull
paramName"schema_names"
paramValueComma separated values of schemes.

Example:

Configuring DS IDs

To define the DS IDs that belong to certain scheme, use the ConfigParameters.addParam(...) with the following arguments:

ArgumentValue
group"schema_ds_ids"
paramNameThe name of the scheme to define for.
paramValueComma separated values of each DS id for the scheme.

The 3DS Requestor App uses the Cardholder Account Number and optionally other cardholder information to identify the DS ID. A DS ID is the Scheme's Card RID (Registered application provider identifier). The identifier, usually 5 bytes in length, is issued by the ISO/IEC 7816-5 registration authority and is used to address an application in the card. For example, an RID could be: A000000003. Please refer to the configuration for more RID values.

Example:

Configuring DS Public Keys

To define the public key that will be used for certain scheme, use the ConfigParameters.addParam(...) with the following arguments:

ArgumentValue
group"schema_public_key"
paramNameThe name of the scheme to define for.
paramValueASN.1 encoding of the public key or the certificate (DER/PEM) in Base64 encoded format.

Example:

Configuring DS Root Public Keys

To define the root public key that will be used for certain scheme, use the ConfigParameters.addParam(...) with the following arguments:

ArgumentValue
group"schema_root_public_key"
paramNameThe name of the scheme to define for.
paramValueASN.1 encoding of the public key or the certificate (DER/PEM) in Base64 encoded format.

Note: To ensure a higher percentage of successful transactions, in the event where the configured root certificate cannot verify the acsSignedContent, the Netcetera 3DS SDK will try to use the corresponding Pre-configured DS Root Public Key instead.

Example:

Configuring Logos

A scheme can have 2 logos configured - standard and dark logo. The standard logo is mandatory for each scheme and therefore must be present either in the 3DS SDK preconfigured data or configured by the Requestor Application. On the other hand, the dark logo is optional and will only be used in case the Requestor Application enables dark mode on the 3DS SDK and necessary system conditions are met. If the 3DS SDK needs to use a dark logo that is missing, it will use the standard logo displayed under white surface as a fallback instead.

To define the standard logo that will be used for a certain scheme, use the ConfigParameters.addParam(...) with the following arguments:

ArgumentValue
group"schema_logo"
paramNameThe name of the scheme to define for.
paramValueString value of Drawable Resource ID.

To define the dark logo that will be used for a certain scheme, use the ConfigParameters.addParam(...) with the following arguments:

ArgumentValue
group"schema_logo_dark"
paramNameThe name of the scheme to define for.
paramValueString value of Drawable Resource ID.

Example:

Pre-configured Directory Servers

The Netcetera Android 3DS SDK comes bundled with configuration for the following directory servers, listed in the tables below.

Pre-configured certificates:

Scheme
RIDs
DS Public Key
DS Root Public Key
Mastercard
A000000004

3ds2.directory.mastercard.com
Expiry: 15.06.2024

PRD MasterCard Identity Check Root CA
Expiry: 15.07.2030
Visa
A000000003

3ds2.rsa.encryption.visa.com
Expiry: 22.08.2024

Visa Public RSA Root CA
Expiry: 15.03.2041
Amex
A000000025

sdk.safekey.encryptkey.com
Expiry: 24.05.2025

American Express Private Certification Authority
Expiry: 11.08.2029
Diners
A000000152

Discover SDK Key

ProtectBuy Root
Expiry: 03.02.2027
JCB
A000000065

ds2apr.jcb-tds.com
Expiry: 03.03.2051

JCB DS Root CA EMV 3-D Secure
Expiry: 09.01.2036
MIR
Union
A000000333

CFCA@UnionPay International@N9131000005455878X6@1
Expiry: 08.07.2025

CFCA ACS CA
Expiry: 28.09.2035
Cartes Bancaires
A000000042

CartesBancaires SDK Key

Root 3DS CB CA
Expiry: 31.07.2048
EFTPOS
A000000384

EFTPOS SDK Key
Expiry: 31.08.2025

eftpos Prod Root CA
Expiry: 06.10.2030

Pre-configured logos:

Scheme
DS Logo
DS Dark Logo
Mastercard

R.drawable.ds_logo_mastercard

R.drawable.ds_logo_mastercard_dark
Visa

R.drawable.ds_logo_visa

R.drawable.ds_logo_visa
Amex

R.drawable.ds_logo_amex

R.drawable.ds_logo_amex_dark
Diners

R.drawable.ds_logo_diners

R.drawable.ds_logo_diners
JCB

R.drawable.ds_logo_jcb

R.drawable.ds_logo_jcb
MIR

R.drawable.ds_logo_mir

R.drawable.ds_logo_mir
Union

R.drawable.ds_logo_union

R.drawable.ds_logo_union
Cartes Bancaires

R.drawable.ds_logo_cb

R.drawable.ds_logo_cb
EFTPOS

R.drawable.ds_logo_eftpos

R.drawable.ds_logo_eftpos

The binding between the configuration and the pre-configured values is done with the RID value of the Directory Server.

The configuration has precedence over pre-configured values and overwrites them i.e. if a configuration is provided for a parameter, that one will be used, instead of the pre-configured one.

Note: The pre-configured DS Public Key and DS Root Public Key serve for convenience, while the integrators have to verify their compatibility to the Directory Server. The integrators are encouraged to complete the configuration.

DS RID Values

The Netcetera Android 3DS SDK has a utility API DsRidValues that contains the DS RIDs for the SDK Preconfigured Schemes.

UI Customization

The EMV 3DS 2.0 protocol defines API for the SDK for customization of the UI that is shown to the user during the challenge flow. This includes text color, fonts, background color, etc. A list of all methods is available in section 4.5 in the EMV 3-D Secure SDK Specification.

Example:

Note: The "UiCustomizationType.DARK" customization will only be applied when the device is running Android 10 or higher, and dark mode is active in the system settings.

Accessibility Recommendation

The Netcetera Android 3DS SDK follows the latest guidelines and best practices defined by Google for building accessible apps. If a custom UiCustomization is provided to the 3DS SDK, we recommend that a tool such as the Accessibility Scanner is used to check for any accessibility improvements on the custom UI.

Restricted Device Info Parameters Configuration

Configuration with ConfigParameters

To define which device info parameters shall be considered as restricted and thus not collected, use the ConfigParameters.addParam(...) with the following arguments:

ArgumentValue
groupnull
paramName"restricted_device_info_parameters"
paramValueComma separated values of IDs of the device info parameters.

Example:

Bridging Message Extension Configuration

The Bridging Message Extension describes how existing EMV® 3-D Secure v2.1 and v2.2 components can provide or consume additional data related to the EMV® 3-D Secure Protocol and Core Functions Specification v2.3.1.

Due to inconsistencies in the Bridging Message Extension Specification, different providers might have different implementations on the Bridging Message Extension API, which might lead to failed transactions.

If support for the Bridging Message Extension is enabled, the 3DS SDK will process the Bridging Message Extension, and if the required elements are present it will enable the OOB Automatic Switching Feature for Out of Band v2.2 challenges and masking of the challenge input for TEXT v2.2 challenges.

Support for the Bridging Message Extension is disabled by default.

Configuration with ConfigParameters

To define if the Netcetera Android 3DS SDK should support the Bridging Message Extension, use the ConfigParameters.addParam(...) with the following arguments:

ArgumentValue
groupnull
paramName"bridging_message_extension_support"
paramValueString representation of boolean value "true" or "false".

Example:

Logging Configuration

The Netcetera Android 3DS SDK uses SLF4J for logging purposes, logging only messages on level WARN and ERROR. The logging of these log levels can be configured by using any logging implementation on top of SLF4J.

Sample implementation that uses logback-android can be found in the guide for the demo reference application and the source code itself.

Permissions

This section describes which Android permissions are required to be granted and which are optional.

PermissionMandatoryDescription
android.permission.INTERNETYesRequired for communication with the ACS in Challenge Flow. Must be permitted before Starting of Challenge Flow.
android.permission.ACCESS_COARSE_LOCATIONNoRequired for collecting the device coarse location that will be provided as device info parameter. Should be permitted before Initialization.
android.permission.ACCESS_FINE_LOCATIONNoRequired for collecting the device fine location that will be provided as device info parameter. Should be permitted before Initialization.
android.permissions.ACCESS_NETWORK_STATENoRequired for collecting device's IP Address that will be provided as device info parameter. Should be permitted before Initialization.
android.permission.BLUETOOTHNoRequired for collecting bluetooth hardware info that will be provided as device info parameter. Should be permitted before Initialization.
android.permission.READ_PHONE_STATENoRequired for collecting Telephony information that will be provided as device info parameters. Should be permitted before Initialization.
android.permission.SEND_SMSNoRequired for collecting Telephony information that will be provided as device info parameters. Should be permitted before Initialization.
android.permission.ACCESS_WIFI_STATENoRequired for collecting WiFi and Network related information that will be provided as device info parameters. Should be permitted before Initialization.

Scheme Specific Requirements

This section lists additional requirements that the integrator of the Netcetera Android 3DS SDK needs to fulfill in order to be compliant with the requirements of a specific scheme.

Amex

TypeDescriptionEMVCo RequirementAmexEnforceability
ModificationMaximum duration of the challenge process provided in Transaction.doChallenge(..., timeout)Minimum 5 minutesRecommended 10 minutesRecommended