3DS Authentication

Scheme resolution logic for the Authentication Request has been updated:

  • If Scheme ID is provided in the request then the resolving of the card ranges will be done for the specified Scheme.
  • If Scheme ID is not provided in the request then the resolving of the Scheme ID will be done by using the card account number sent in the request against all available Schemes. The possible outcomes of this search are:
    • The card account number is found in only one DS card range. In this case the Scheme ID will be resolved from the Scheme the card range belongs to.
    • The card account number is found in multiple DS card ranges. In this case the Scheme ID will be resolved from the international Scheme that the card range belongs to (Visa, Mastercard, American Express or Diners).

According to the scheme resolution logic, if the card range is found in the card ranges from multiple Schemes (eg. CB and Visa), then preference is given to the international schemes (e.g. Visa). In case the intention is to use the local scheme (e.g. CB), that schemeId must be provided in the Authentication Request.

Authentication Request Model

For more information on the ThreeDSServerAuthenticationRequest fields, visit:

Authentication Request & Response Samples

Authentication Request JSON Samples

Authentication Request indicating SCA exemption

The EMV 3DS 2.2 specifications are including a set of features to support the PSD2 Regulatory Technical Standards (RTS) on Strong Customer authentication (SCA) through the 3DS Requestor Challenge Indicator. This data is not available in the current 3DS 2.1 specifications. Mastercard has defined a new Mastercard Message Extension to the current EMV 3DS 2.1 specifications that will support the EMV 3DS 2.2 features listed previously.

The following table includes a list of the new merchant data elements in EMV 3DS version 2.1 (Merchant Data) that can be used in AReq:

Extension Field NameDescriptionAccepted valuesValidation
SCA ExemptionsThis will allow the same 3DS requestor challenge indicator values defined in v2.2 for PSD2 SCA exemptions; this field is used when an acquirer exemption or Merchant Initiated Transaction (MIT) applies or when SCA delegation was used (merchant participates in Authentication Express)05 (No Challenge Requested, transactional risk analysis is already performed) 06 (No Challenge Requested, Data share only) 07 (No Challenge Requested, SCA is already performed)Optional. Numeric, must have length of 2.
Merchant Fraud RateMerchant fraud rate in the EEA (all EEA card fraud divided by all EEA card volumes) calculated as per PSD2 RTS. Mastercard will not calculate or validate the merchant fraud score. Allowed for EMV 3DS 2.1 and 2.2 versions.1 (fraud rate less than or equal to 1 basis point [bp], which is 0.01%) 2 (fraud rate between 1 bp + - and 6bps) 3 (fraud rate between 6 bps + - and 13 bps) 4 (fraud rate between 13 bps + - and 25 bps) 5 (fraud rate greater than 25 bps)Optional. Numeric, maximum length of 2.
Acquirer Country CodeThe country code of the Acquirer. Allowed for EMV 3DS 2.1 and 2.2 versions.Any ISO 3166-1 numeric country code.Optional. Numeric, must have length of 3.
Secure Corporate PaymentThis field will identify and indicate transactions for "secure corporate payments". Allowed for EMV 3DS 2.1 and 2.2 versions.Y, N.Optional. Alphabetic, must have length of 1 byte.

The message extension should be sent as part of the authentication request. The Registered Application Provider Identifier (RID) is unique to a Payment System.

Authentication Response Model

The 3DS Server prepares an initial challengeRequest (CReq) and includes it in the response only if the device channel is Browser and the the authentication response message indicates that further Cardholder interaction is required to complete the authentication. The 3DS Server also generates a base64-encoded CReq of the same initial challengeRequest.

The 3DS Server fills out the following fields of the CReq:

  • threeDSServerTransID
  • acsTransID
  • challengeWindowSize
  • messageVersion
  • messageType

Authentication Response JSON Samples