SDK Configuration

This section describes how the Netcetera iOS 3DS SDK should be configured.

Directory Server Configuration

When a transaction is initiated, the SDK gets the information about the Directory Server that will participate in the message flow through the passed DS ID. From this ID value the SDK determines which DS public key to use for the data encryption, the root certificate used for ACS signed content validation and which DS logo to be shown when processing the transaction. They should be configured in the SDK. There are two ways to configure these values.

Configuring with property list file

When configuring with property list configuration file it should be named DSsConfiguration.plist. In the DSsConfiguration.plist keys that need to be defined are:

  1. Schemes - Which schemes can be used.
  2. DS IDs - DS IDs that belong to a certain scheme.
  3. Schemes public key - Public key for each scheme used for encryption of the device data.
  4. Schemes root public key - Public key for each scheme used for verification of the certificate chain in the acsSignedContent during a challenge flow.
  5. Schemes logo names - Logo image name for the scheme.

Some of the values can be omitted, please check Pre-configured Directory Servers for the pre-configured values that will be used instead.

Configuring Schemes Directory Servers

To define a scheme DS, simply create a dictionary from the root of the DSsConfiguration.plist where the name of the scheme is the dictionary key. Each scheme DS dictionary contains the following:

  • dsPublicKey - public key in PEM format, certificate in PEM format, or filename of certificate.
  • dsRootCertificate - certificate in PEM format, or filename of certificate.
  • IDs - an array containing String representations of the DS IDs.
  • logoImageName - string value representation of the scheme logo image name.

Please note that the key names shall be set exactly as stated above for the configuration to be valid.

Configuring DS IDs

To define the DS IDs that belong to a certain scheme DS, create a new array named IDs containing string values of the DS IDs. Repeat for each scheme DS.

parentScheme Dictionary
valueID of the scheme, each in a new row

The 3DS Requestor App uses the Cardholder Account Number and optionally other cardholder information to identify the DS ID. A DS ID is the Scheme's Card RID (Registered application provider identifier). The identifier, usually 5 bytes in length, is issued by the ISO/IEC 7816-5 registration authority and is used to address an application in the card. For example, an RID could be: A000000003. Please refer to the configuration file for more RID values.

Configuring Scheme public key

To define the public key that will be used for encryption of Device Info, create a new element in the selected scheme name. The key should be dsPublicKey while the value can be the filename of the DS certificate, a PEM string of the certificate or a PEM string of the key.

DS Public Key
parentScheme Dictionary
valueFilename, certificate or public key PEM string.

Note: If public keys are provided, the keys can be either EC or RSA in PEM format and in ASN1 notation. If certificates are provided, they need to be in the X.509 standard in either PEM or DER format. In case a Certificate chain is provided, the leaf certificate will be used. Make sure that the certificate is part of the application bundle.

Configuring DS Root Certificate name

To define the root certificate that will be used for a certain scheme DS, create a new element in the selected scheme name. The key should be dsRootCertificate while the value should be the filename of the DS Root certificate or a PEM string of the certificate.

DS Root Certificate
parentScheme Dictionary
valueFilename of certificate or PEM string.

Note: The certificate file needs to be in the X.509 standard in either PEM or DER format. Make sure that the certificate is part of the application bundle. To ensure a higher percentage of successful transactions, in the event where the configured root certificate cannot verify the acsSignedContent, the Netcetera 3DS SDK will try to use the corresponding Pre-configured DS Root Public Key instead.

Configuring Logos

To define the logo that will be used for a certain scheme DS, create a new element in the scheme DS dictionary. The key should be logoImageName, while the value should be the name of the logo image for the scheme DS. Make sure that the logo image is in the application bundle. Repeat the process for each scheme DS.

DS Logo image
parentScheme Dictionary
valueName of image filename.

DSsConfiguration.plist example:

Pre-configured Directory Servers

The Netcetera iOS 3DS SDK comes bundled with configuration for the following directory servers, listed in the table below.

DS Public Key
DS Root Public Key
DS Logo
Expiry: 15.06.2024

PRD MasterCard Identity Check Root CA
Expiry: 15.07.2030

Expiry: 22.08.2024

Visa Public RSA Root CA
Expiry: 15.03.2041

Expiry: 19.08.2023

American Express Private Certification Authority
Expiry: 11.08.2029


Discover SDK Key

ProtectBuy Root
Expiry: 03.02.2027

Expiry: 03.03.2051

JCB DS Root CA EMV 3-D Secure
Expiry: 09.01.2036



CFCA@UnionPay International@N9131000005455878X6@1
Expiry: 08.07.2025

Expiry: 28.09.2035


CartesBancaires SDK Key

Root 3DS CB CA
Expiry: 31.07.2048


The binding between the configuration and the pre-configured values is done with the RID value of the Directory Server.

The configuration has precedence over pre-configured values and overwrites them i.e. if a configuration is provided for a parameter, that one will be used, instead of the pre-configured one.

Note: The pre-configured DS Public Key and DS Root Public Key serve for convenience, while the integrators have to verify their compatibility to the Directory Server. The integrators are encouraged to complete the configuration.

DS RID Values

The Netcetera iOS 3DS SDK has a utility API DsRidValues that contains the DS RIDs for the SDK Pre-configured schemes.


Configuring Logo Appearances

Some logos might not be easily visible in dark mode on iOS. If light mode logo is configured, it is recommended to configure a dark mode appearance of the logo as well for a better visual experience. To add different appearances for a logo, insert the default logo into the Assets catalog (Assets.xcassets) and change the Appearances property of the Image Set to Any, Dark or Any, Light, Dark.

Note: The Any appearance is the only appearance supported for older iOS versions (below iOS 13), therefore it is recommended to use the Any appearance for the default logo and the optional Dark appearance for the dark mode logo.

UI Customization

The Netcetera iOS 3DS SDK supports customization of the UI elements that are being shown by the SDK itself. For this purpose UiCustomization is used.

The integrator shall use the default UiCustomization methods to set light mode colors.

Additionally, for every integrator supporting iOS 13 and later, Netcetera iOS 3DS SDK has defined additional methods for setting color alternatives for dark mode. If no UI customization colors are provided, then Dark Mode is supported by default. However, if different UI customizations are specified, remember to provide dark mode alternatives for the colors.

CustomizationsetDarkTextColor(hexColorCode: String)Sets the dark mode text color
as hex string value
ButtonCustomizationsetDarkBackgroundColor(hexColorCode: String)Sets the dark mode background color
as hex string value
ToolbarCustomizationsetDarkBackgroundColor(hexColorCode: String)Sets the dark mode background color
as hex string value
LabelCustomizationsetHeadingDarkTextColor(hexColorCode: String)Sets the dark mode heading text color
as hex string value
TextBoxCustomizationsetDarkBorderColor(hexColorCode: String)Sets the dark mode border color
as hex string value


Note: If only a light color is set, the same will be used in dark mode.

For detailed information about UiCustomization and how to use it, please refer to section 4.5 in the EMVCo 3DS SDK Specification.

Restricted Device Info Parameters Configuration

Using ConfigParameters

To define which device info parameters shall be considered as restricted and thus not collected, use the ConfigParameters.addParam(...) with the following arguments:

paramValueComma separated values of IDs of the device info parameters.

List of device info parameters and their corresponding IDs can be found in EMVCo's 3DS SDK Device Info specification. If a entry in the restricted device info parameters configuration has value that doesn't correspond to any predefined device info parameter ID, an InvalidInput error is thrown.


Weak Validation of Challenge Response

The Netcetera iOS 3DS SDK provides a method that loosens the level of validation of the challenge response parameters received by the ACS. If enabled, the weak validation removes the mandatory status and the string length validation of several challenge response parameters. By default, weak validation is not enabled and it is recommended not to be changed. This configuration should only be used temporary and preferably while developing or testing, when SDK integrators have problems with the ACS CRes returning values not reflecting the latest EMVCo bulletins rules that the SDK supports. In that case the end users are blocked and cannot complete a transaction. If such problems arise please inform the issuers which version of the SDK you are using and what is the latest bulletin supported by the SDK.

Note: By enabling weak validation, the Netcetera iOS 3DS SDK will no longer be compliant with the latest bulletin of the EMVCo Protocol and Core Functions Specification. If any legal actions or consequences arise, the responsibility for using this feature falls on the integrator of the Netcetera iOS 3DS SDK.

Configuration with ConfigParameters

To enable or disable the weak validation, call ConfigParameters.addParam(...) with the following arguments:

paramValueBoolean value as string, such as "true" or "false"


Log level

There are 4 log levels defined in the SDK:

  • debug
  • info
  • error (default log level)
  • noLog

You can change the log level of the SDK by setting the parameter in ConfigurationBuilder.



This section describes which iOS Permissions should be granted.

LocationNoNeeded during the device info collection process, for better risk calculation. Request permission from the user before calling initialize.

Scheme Specific Requirements

This section lists additional requirements that the integrator of the Netcetera iOS 3DS SDK needs to fulfill in order to be compliant with the requirements of a specific scheme.


TypeDescriptionEMVCo RequirementAmexEnforceability
ModificationMaximum duration of the challenge process provided in Transaction.doChallenge(..., timeout)Minimum 5 minutesRecommended 10 minutesRecommended