3DS Authentication

Authentication Request Model

For more information on the ThreeDSServerAuthenticationRequest fields, visit:

Authentication Request JSON Samples

Authentication Request without merchantConfigurationId

Authentication Request with present merchantConfigurationId

Authentication Request for APPLICATION flow

Authentication Request for 3RI

Authentication Request indicating SCA exemption

The EMV 3DS 2.2 specifications include a set of features to support the PSD2 Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) through the 3DS Requestor Challenge Indicator. This data is not available in the current 3DS 2.1 specifications. Mastercard has defined a new Mastercard Message Extension to the current EMV 3DS 2.1 specifications that will support the EMV 3DS 2.2 features listed previously.

The following table includes a list of the new merchant data elements in EMV 3DS version 2.1 (Merchant Data) that can be used in AReq:

| Extension Field Name | Description | Accepted values | Validation |
|---|---|---|---|
| SCA Exemptions | This will allow the same 3DS requestor challenge indicator values defined in v2.2 for PSD2 SCA exemptions; this field is used when an acquirer exemption or Merchant Initiated Transaction (MIT) applies or when SCA delegation was used (merchant participates in Authentication Express) | 05 (No Challenge Requested, transactional risk analysis is already performed); 06 (No Challenge Requested, Data share only); 07 (No Challenge Requested, SCA is already performed) | Optional. Numeric, must have length of 2. |
| Merchant Fraud Rate | Merchant fraud rate in the EEA (all EEA card fraud divided by all EEA card volumes) calculated as per PSD2 RTS. Mastercard will not calculate or validate the merchant fraud score. Allowed for EMV 3DS 2.1 and 2.2 versions. | 1 (fraud rate less than or equal to 1 basis point [bp], which is 0.01%); 2 (fraud rate between 1 bp + - and 6 bps); 3 (fraud rate between 6 bps + - and 13 bps); 4 (fraud rate between 13 bps + - and 25 bps); 5 (fraud rate greater than 25 bps) | Optional. Numeric, maximum length of 2. |
| Acquirer Country Code | The country code of the Acquirer. Allowed for EMV 3DS 2.1 and 2.2 versions. | Any ISO 3166-1 numeric country code. | Optional. Numeric, must have length of 3. |
| Secure Corporate Payment | This field will identify and indicate transactions for "secure corporate payments". Allowed for EMV 3DS 2.1 and 2.2 versions. | Y, N. | Optional. Alphabetic, must have length of 1 byte. |


The message extension should be sent as part of the authentication request. The Registered Application Provider Identifier (RID) is unique to a Payment System.
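The validation rules in the table above can be enforced before the extension is attached to an authentication request. The following is an added example, not code from the 3DS Server or from Mastercard; the JSON key names (scaExemptions, merchantFraudRate, acquirerCountryCode, secureCorporatePayment) and the function name are assumptions, since the page gives only the human-readable field names.

```python
import re

# Rules transcribed from the table above. The JSON key names are assumptions
# made for this example; the page lists only the human-readable field names.
# [0-9] is used instead of \d so that non-ASCII Unicode digits are rejected.
RULES = {
    "scaExemptions": (re.compile(r"[0-9]{2}"), {"05", "06", "07"}),
    # Only the values listed in the table are accepted, exactly as written.
    "merchantFraudRate": (re.compile(r"[0-9]{1,2}"), {"1", "2", "3", "4", "5"}),
    # Any ISO 3166-1 numeric code: only the format is checked here.
    "acquirerCountryCode": (re.compile(r"[0-9]{3}"), None),
    "secureCorporatePayment": (re.compile(r"[A-Za-z]"), {"Y", "N"}),
}


def validate_merchant_data(data):
    """Return a sorted list of error strings; an empty list means valid."""
    if not isinstance(data, dict):
        return ["merchant data must be a JSON object"]
    errors = [f"{key}: unknown field" for key in data if key not in RULES]
    for key, (fmt, accepted) in RULES.items():
        if key not in data:
            continue  # every field in the table is optional
        value = data[key]
        if not isinstance(value, str):
            errors.append(f"{key}: must be a string")
        elif not fmt.fullmatch(value):  # fullmatch also rejects a trailing newline
            errors.append(f"{key}: wrong format or length")
        elif accepted is not None and value not in accepted:
            errors.append(f"{key}: value {value!r} not in accepted set")
    return sorted(errors)


# Constructed sample inputs (not taken from the page).
GOOD = {"scaExemptions": "05", "merchantFraudRate": "2",
        "acquirerCountryCode": "528", "secureCorporatePayment": "Y"}
BAD = {"scaExemptions": "5", "merchantFraudRate": "9",
       "acquirerCountryCode": "NL", "secureCorporatePayment": "yes",
       "extra": "x"}

if __name__ == "__main__":
    print(validate_merchant_data(GOOD))
    for err in validate_merchant_data(BAD):
        print(err)
```

Rejecting unknown keys and non-string values keeps malformed or unexpected data out of the extension before it reaches the Directory Server.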

2.2.0 Authentication request indicating delegated authentication

Authentication Response Model

The 3DS Server prepares an initial challengeRequest (CReq) and includes it in the response only if the device channel is Browser and the authentication response message indicates that further Cardholder interaction is required to complete the authentication. The 3DS Server also generates a base64-encoded CReq of the same initial challengeRequest.

The 3DS Server fills out the following fields of the CReq:

  • threeDSServerTransID
  • acsTransID
  • challengeWindowSize
  • messageVersion
  • messageType

Authentication Response JSON Samples

Authentication Response with Challenge Requested

Authentication Response for Frictionless flow (with authentication value)

Authentication Response with Error (error while validating ARes received from DirectoryServer)

2.2.0 Authentication Response indicating merchant whitelisted

2.2.0 Authentication Response indicating decoupled challenge