3-D Secure parameters
To process 3-D Secure transactions, you must send all the necessary parameters.
Although numerous request parameters are optional, Peach Payments recommends that you send as many parameters as possible. This improves the success rate of risk checks during risk-based authentication and increases the number of frictionless flows.
For more information about the request and response parameters, refer to the API reference guide.
Request parameters
Basic payment data
| Parameter | Format and length | Condition |
|---|---|---|
card.expiryMonth | Length: 2 characters Format: Numeric | Required |
card.expiryYear | Length: 4 characters Format: Numeric | Required |
card.number | Length: Variable, 13-19 Format: Numeric | Required |
amount | Length: Variable, maximum 12 characters Format: Numeric with 2 minor units after the decimal point Example: 123.00 | Required |
currency | Length: 3 characters Format: ISO 4217 A3 currency code | Required |
card.holder | Length: Variable, 2 - 45 characters Format: String | Required unless market or regional mandate restricts sending this information |
Browser data
| Parameter | Format and length | Condition |
|---|---|---|
customer.browser.acceptHeader | Length: Variable, maximum 2048 characters Format: String | Required |
customer.browser.language | Length: Variable, 1–8 characters Format: String Returned from navigator.language | Required |
customer.browser.screenHeight | Length: Variable, 1–6 Format: Numeric Value returned from screen.height | Required |
customer.browser.screenWidth | Length: Variable, 1–6 Format: Numeric Value returned from screen.width | Required |
customer.browser.timezone | Length: Variable, 1–5 characters Format: Numeric Value returned from getTimezoneOffset() | Required |
customer.browser.userAgent | Length: Variable, maximum 2048 characters Format: String | Required |
customer.browser.javascriptEnabled | Values accepted: • true- false | Required |
customer.ip | Length: Variable, maximum 45 characters Format: IPv4 address Example: 1.12.123.255 | Required unless market or regional mandate restricts sending this information |
customer.browser.javaEnabled | Values accepted: • true- falseValue returned from navigator.javaEnabled | Required when customer.browser.javascriptEnabled = true; otherwise optional |
customer.browser.screenColorDepth | Length: 1–2 characters Format: String Values accepted: - 1 = 1 bit- 4 = 4 bits- 8 = 8 bits- 15 = 15 bits- 16 = 16 bits- 24 = 24 bits- 32 = 32 bits- 48 = 48 bits | Optional |
customer.browser.challengeWindow | Length: 2 characters Values accepted: • 01 = 250 x 400• 02 = 390 x 400• 03 = 500 x 600• 04 = 600 x 400• 05 = Full screen | Optional |
Customer and address details
| Parameter | Format and length | Condition |
|---|---|---|
customer.email | Length: Variable, maximum 128 characters Format: String | Required unless market or regional mandate restricts sending this information |
billing.city | Length: Variable, 2–45 characters Format: String | Required unless market or regional mandate restricts sending this information |
billing.country | Length: 2 characters Format: ISO 3166-1 A2 country code | Required unless market or regional mandate restricts sending this information |
billing.street1 | Length: Variable, maximum 50 characters Format: String | Required unless market or regional mandate restricts sending this information |
billing.postcode | Length: Variable, maximum 50 characters Format: String | Required unless market or regional mandate restricts sending this information |
customer.phone | Length: Variable, maximum 20 characters Format: +ccc-nnnnnnnnWhere: - + sign is optional- cc = country code, maximum 3 characters- "-" = mandatory character- nnnnnnnnnn = phone number without the country code, maximum 15 characters | You must provide one of customer.phone/customer.workPhone/customer.mobile |
customer.workPhone | Length: Variable, maximum 20 characters Format: +ccc-nnnnnnnnWhere: - + sign is optional- cc = country code, maximum 3 characters- "-" = mandatory character- nnnnnnnnnn = phone number without the country code, maximum 15 characters | You must provide one of customer.phone/customer.workPhone/customer.mobile |
customer.mobile | Length: Variable, maximum 20 characters Format: +ccc-nnnnnnnnWhere: - + sign is optional- cc = country code, maximum 3 characters- "-" = mandatory character- nnnnnnnnnn = phone number without the country code, maximum 15 characters | You must provide one of customer.phone/customer.workPhone/customer.mobile |
billing.street2 | Length: Variable, maximum 50 characters Format: String | Optional |
billing.state | Length: Variable, maximum 3 characters Format: Should be the country subdivision code defined in ISO 3166-2 | Optional |
shipping.city | Length: Variable, maximum 50 characters Format: String | Optional |
shipping.country | Length: 2 characters Format: ISO 3166-1 A2 country code | Optional |
shipping.street1 | Length: Variable, maximum 50 characters Format: String | Optional |
shipping.street2 | Length: Variable, maximum 50 characters Format: String | Optional |
shipping.postcode | Length: Variable, maximum 16 characters Format: String | Optional |
shipping.state | Length: Variable, maximum 3 characters Format: Should be the country subdivision code defined in ISO 3166-2 | Optional |
3-D Secure specific data
| Parameter | Format and length | Condition |
|---|---|---|
threeDSecure.amount | Length: Variable, maximum 12 characters Format: Numeric with 2 minor units after the decimal point Example: 123.00 | Optional |
threeDSecure.currency | Length: 3 characters Format: ISO 4217 A3 currency code | Optional |
threeDSecure.challengeIndicator | Length: 2 characters Format: Refer to the table below | Optional |
threeDSecure.exemptionFlag | Length: 2 characters Format: Follow the exemption management guide | Optional |
Authentication amount and currency
Sometimes, the amount, currency, or both used in the authentication can differ from the one used in the payment later. For example, you might not know the payment amount at the time of the authentication, or you might want to authenticate the customer for the full amount when the customer plans to pay in multiple instalments.
If the authentication amount and the payment amount differ, then you can send the authentication amount and currency in separate fields:
threeDSecure.amount: Amount for which you are authenticating the customer.threeDSecure.currency: Currency for which you are authenticating the customer.
The payment amount and currency are still mandatory fields for any payment request. If you don't define the authentication amount and currency, the customer authenticates with the payment amount and currency.
3-D Secure challenge indicator and MIT agreements
Merchants have the option to specify a preference for whether to challenge for a transaction or not. This does not guarantee that the issuer requests or does not request a challenge from the cardholder. Issuers may consider the merchant's preference during the risk assessment of the transaction. For example, regional mandates might require the challenging of transactions, and the merchant should request a mandated challenge.
Merchants can send the field threeDSecure.challengeIndicator with one of the following values:
| Value | Challenge preference | Description |
|---|---|---|
01 | No preference | The merchant has no preference and fully trusts the issuer to decide whether to challenge the cardholder. |
02 | No challenge requested | The merchant prefers that the cardholder is not authenticated by the issuer, and only the frictionless flow applies. |
03 | Challenge requested: 3-D Secure requestor Preference | The merchant prefers that the issuer authenticate the cardholder. |
04 | Challenge requested: Mandate | You must authenticate the cardholder (for example, by regional mandates).* |
05 | No challenge requested | Transactional risk analysis is already performed. |
06 | No challenge requested | Data share only. |
07 | No challenge requested | Strong consumer authentication is already performed. |
08 | No challenge requested | Use allowlist exemption if you don't have to challenge the customer. |
09 | Challenge requested | Allowlist prompt requested if you have to challenge the customer. |
* For 04:
- Merchants performing recurring payments must have a merchant-initiated transaction (MIT) agreement with the cardholder. This grants the merchant permission to store the cardholder's card data for future transactions when the cardholder is not present.
- The following requirements apply to MIT agreements:
- MIT agreements must have an originating cardholder-initiated transaction (CIT).
- The initial CIT payment request must go through strong customer authentication (SCA).
- Scheme regulations mandate that merchants must populate
threeDSecure.challengeIndicatorwith the value04when sending the initial CIT; this forces the issuer to apply SCA. - If these requirements are not met, you could experience payment failures for future MIT requests due to not applying SCA.
For initial 3-D Secure 2 CIT payment requests and any 3-D Secure 2 transactions with the
createRegistrationparameter set totrue, theChallengeIndicatorparameter gets populated with the default value of04 - Challenge Requested Mandate. This default value gets populated if the merchant has not provided a value for this field; merchant-provided values are not overridden.
Information about the cardholder's account and history with the merchant
The following parameters are not required, but it is strongly recommended that you send them. They affect the accuracy of the issuer's risk check, resulting in more frictionless flows.
The 3-D Secure requestor (the merchant) can collect the parameter values below about the cardholder's activity on their website.
| Parameter | Description |
|---|---|
customParameters[ReqAuthMethod] | Method used by the Cardholder to authenticate to the 3-D Secure requestor. Possible values: 01 - No authentication occurred 02 - Login using cardholder's own credentials 03 - Login using federated ID 04 - Login using issuer credentials 05 - Login using third-party authentication 06 - Login using FIDO Authenticator. |
customParameters[ReqAuthTimestamp] | Date and time in UTC of the cardholder authentication. Accepted date format is YYYYMMDDHHMM. |
customParameters[PriorAuthMethod] | Mechanism used by the cardholder to authenticate to the 3-D Secure Requestor. Possible values: 01 - Frictionless authentication occurred by ACS 02 - Cardholder challenge occurred by ACS 03 - ACS verified 04 - Other issuer methods. |
customParameters[PriorAuthTimestamp] | Date and time in UTC of the prior cardholder authentication. Accepted date format is YYYYMMDDHHMM. |
customParameters[PriorReference] | Provides extra information to the ACS to determine the best approach for handling a request. Contains an ACS transaction ID for a prior authenticated transaction. |
customParameters[PriorAuthData] | Contains directory server transaction ID for a prior authenticated transaction as part of a 3DS Requestor Initiated (3RI) transaction and an AAV Refresh transaction. Example: customParameters[PriorAuthData]=dsTransID: 9aed2dc3-4473-4bb8-a763-7bac4b40de3a. Allows up to 2048 characters. |
customParameters[AAVRefresh] | Indicates whether to request a refreshed Account holder Authentication Value (AAV). Possible values: true/false. |
customParameters[AccountId] | Extra information about the account optionally provided by the 3-D Secure requestor in AReq messages. |
customParameters[AccountAgeIndicator] | Length of time the cardholder has had the account. Possible values: 01 - No account (guest check-out) 02 - Created during this transaction 03 - Less than 30 days 04 - 30-60 days 05 - More than 60 days. |
customParameters[AccountChangeDate] | Date the cardholder's account was last changed. Format: YYYYMMDD. |
customParameters[AccountChangeIndicator] | Length of time since the account information was last changed. Possible values are the same as for AccountAgeIndicator. |
customParameters[AccountDate] | Date the cardholder opened the account. Format: YYYYMMDD. |
customParameters[AccountPasswordChangeDate] | Date of the last password change or account reset. Format: YYYYMMDD. |
customParameters[AccountPasswordChangeIndicator] | Indicates the length of time since the last password change or reset. Possible values are the same as for AccountAgeIndicator. |
customParameters[AccountPurchaseCount] | Number of purchases with this account in the last six months. |
customParameters[AccountProvisioningAttempts] | Number of Add Card attempts for the account in the last 24 hours. |
customParameters[AccountDayTransactions] | Number of transactions (successful and abandoned) in the last 24 hours. |
customParameters[AccountYearTransactions] | Number of transactions (successful and abandoned) in the last year. |
customParameters[PaymentAccountAge] | Date of enrolment for the payment account. Format: YYYYMMDD. |
customParameters[PaymentAccountAgeIndicator] | Indicates the length of enrolment for the payment account. Possible values are the same as for AccountAgeIndicator. |
customParameters[ShipAddressUsageDate] | Date the shipping address was first used. Format: YYYYMMDD. |
customParameters[ShipAddressUsageIndicator] | Length of time since the shipping address was first used. Possible values are the same as for AccountAgeIndicator. |
customParameters[ShipIndicator] | Shipping method chosen. Possible values: 01 - Ship to billing address 02 - Ship to verified address 03 - Ship to different address 04 - "Ship to Store" 05 - Digital goods 06 - Travel/Event tickets 07 - Other. |
customParameters[ShipNameIndicator] | Indicates if the account name matches the shipping name. Possible values: 01 - Account name matches 02 - Account name differs. |
customParameters[SuspiciousAccountActivity] | Indicates the observation of suspicious activity. Possible values: 01 - No suspicious activity 02 - Suspicious activity observed. |
customParameters[TransactionType] | Transaction type. Possible values: 01 - Goods/Service Purchase 03 - Check Acceptance 10 - Account Funding 11 - Quasi-Cash Transaction 28 - Prepaid Activation and Load. |
customParameters[DeliveryTimeframe] | Indicates merchandise delivery time. Possible values: 01 - Electronic Delivery 02 - Same Day Shipping 03 - Overnight Shipping 04 - Two-day or more. |
customParameters[DeliveryEmailAddress] | Email address for electronic delivery. |
customParameters[ReorderItemsIndicator] | Indicates whether the cardholder is reordering merchandise. Possible values: 01 - First-time order 02 - Reordered. |
customParameters[PreOrderPurchaseIndicator] | Indicates whether the order is for future availability. Possible values: 01 - Merchandise available 02 - Future availability. |
customParameters[PreOrderDate] | Expected date of availability for pre-ordered merchandise. Format: YYYYMMDD. |
customParameters[GiftCardAmount] | Total amount of prepaid or gift cards purchased in major units. |
customParameters[GiftCardCurrency] | Currency of the gift card (ISO 4217 three-digit code). |
customParameters[GiftCardCount] | Total count of individual prepaid or gift cards purchased. |
Response parameters
In the returned response, there are two places where 3-D Secure-related response values can be present:
threeDSecureobject: Stores values that are not brand-specific and that any card brand or issuer can return.resultDetailsobject: Stores brand-specific values if the scheme directory server returns such values.
Parameters returned in the threeDSecure object
threeDSecure object| Parameter | Description |
|---|---|
eci | Payment System-specific value provided by the ACS or DS to show the results of the authentication attempt. |
verificationId | Payment System-specific value provided by the ACS or DS using an algorithm defined by the Payment System. |
version | Version of the 3-D Secure protocol used for authentication. |
flow | Indicates the user flow applied during the authentication: challenge or frictionless. |
dsTransactionId | Universally unique transaction identifier assigned by the DS for a single transaction. |
challengeMandatedIndicator | Indicates if the transaction requires a challenge due to regional mandates or other factors. |
authenticationType | Authentication approach used by the ACS to authenticate the Cardholder for this transaction. |
acsTransactionId | Universally unique transaction identifier assigned by the ACS for a single transaction. |
cardHolderInfo | Information text provided by the ACS/Issuer to the cardholder, useful in case of transaction declines. |
errorCode | Code indicating the problem type identified in the message (returned in case of an error). |
errorDescription | Describes the problem identified in the message (returned in case of an error). |
errorSource | Indicates the component causing the issue (returned in case of an error). |
"threeDSecure": {
"eci": "05",
"verificationId": "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=",
"version": "2.2.0",
"flow": "challenge",
"dsTransactionId": "1231-2342-3453-4564",
"challengeMandatedIndicator": "Y",
"authenticationType": "2",
"acsTransactionId": "7777-8797-4645-1233"
}"threeDSecure":{
"version":"2.2.0",
"errorCode":"101",
"errorDescription":"MerchantCategoryCode must be specified.",
"errorSource":"3DS Server"
},Parameters returned in the resultDetails object
resultDetails object| Parameter | Returned for brand | Description |
|---|---|---|
CB_Authentication_value_algorithm | Cartes Bancaires | Identifies the algorithm used by the ACS to calculate the Authentication Value. For example: 0 = HMAC (per SET stain) 1 = CVV 2 = CVV with ATN 3 = SPA AAC A = AV-CB |
CB_Score | Cartes Bancaires | Global score calculated by the Cartes Bancaires Scoring platform. |
"resultDetails": {
"ExtendedDescription": "Approved or completed successfully",
"clearingInstituteName": "Clearing_Institute",
"ConnectorTxID1": "12345",
"AcquirerResponse": "00",
"reconciliationId": "132499881",
"CB_Authentication_value_algorithm": "2",
"CB_Score": "55"
}Response codes
Refer to the response codes section for information about the possible response codes.
Updated about 7 hours ago