3-D Secure with 3rd-Party Merchant Plug-ins

Last updated: May 14th 2021, @ 4:07:58 pm

Merchants can use a 3rd-party Merchant Plug-in (MPI), such as Cardinal Commerce, to perform the 3-D Secure authentication and verification of the credit card. Once authenticated, you pass this data to Payflow in your standard authorization or sale transaction.

How 3-D Secure works with an MPI

When you, as a merchant, have 3-D Secure enabled on your website and your customer uses the card that is enrolled in the 3-D Secure program, the authentication and transaction process looks as follows:

  1. The customer enters their credit or debit card information on your checkout page.
  2. Your website uses your Merchant Plug-In (MPI) to call a directory server and determine whether the card is registered in the 3-D Secure program.
  3. The customer sees the 3-D Secure page where they authenticate themselves to the card-issuing bank by entering the password or a one-time PIN.
  4. You send the result of the 3-D Secure authentication to Payflow in the authorization or sale request, then PayPal submits transaction details to your processor.
  5. The transaction is authorized or declined by the acquirer.
  6. The customer can see the response about whether the transaction is successful or failed.

How to send 3-D Secure authentication data

After you've integrated with an MPI and can use the plug-in for cardholder authentication, you send the data you receive back from the MPI to Payflow during a sale or authorization request. The information you pass to Payflow varies depending on whether the cardholder is enrolled in a 3-D Secure program or not. Use the developer documentation provided by your MPI to map the Payflow fields to the MPI-returned fields.

Supported 3D-Secure 2.0 processors

  • Braintree
  • FISERV North
  • Paymentech Salem
  • PayPal
  • TSYS

Payflow fields

FieldDescription Data type/max length
AUTHENTICATION_STATUS Value returned by MPI indicating if authentication was successful, attempted or failed. alphanumeric, 1
CAVV Cardholder authentication verification value, also known as AAV. The value generated by the card-issuing bank proving the cardholder has been authenticated with a particular transaction. Returned if the AUTHENTICATION_STATUS is Successful or Attempted.alphanumeric, 64
ECI E-Commerce Indicator. The ECI value indicates the level of security supported by the merchant when the cardholder provides payment card data for online purchase. numeric, 1
XID 3-D Secure transaction ID. Returned if Successful or Attempted. Required.alphanumeric, 64
THREEDSVERSION This field is for 3-D Secure 2.0. Contains the 3-D Secure version that was used to process the transaction. Possible values:
  • 1.0.2
  • 2.1.0
  • 2.2.0
Default = 1.0.2
alphanumeric, 10
DSTRANSACTIONID This field is for 3-D Secure 2.0. Unique transaction identifier assigned by the Directory Server (DS) to identify a single transaction. Conditional.
Note: Required for Mastercard Identity Check transaction in Authorization.
alphanumeric, 36
The following table provides guidance on which fields to pass depending on cardholder enrollment in a 3-D Secure program:
Cardholder is enrolledCardholder is not enrolled

Sample request - cardholder is enrolled

Note: Set VERBOSITY to HIGH to make sure you receive all the data returned in the response.


Sample request - cardholder is not enrolled


Sample request - 3D-Secure 2.0