On this page
No Headings
Last updated: May 27, 2026
Important: 3-D Secure 1.x is deprecated by both Visa and Mastercard as of October 14, 2022. All transactions authorized after that date using 3-D Secure 1.x will not be authenticated.
When you, as a merchant, have 3-D Secure enabled on your website and your customer uses the card that is enrolled in the 3-D Secure program, the authentication and transaction process looks as follows:
After you've integrated with an MPI and can use the plug-in for cardholder authentication, you send the data you receive back from the MPI to Payflow during a sale or authorization request. The information you pass to Payflow varies depending on whether the cardholder is enrolled in a 3-D Secure program or not. Use the developer documentation provided by your MPI to map the Payflow fields to the MPI-returned fields.
| Field | Description | Data type/max length |
|---|---|---|
AUTHENTICATION_STATUS | Value returned by MPI indicating if authentication was successful, attempted or failed. | alphanumeric, 1 |
CAVV | Cardholder authentication verification value, also known as AAV. The value generated by the card-issuing bank proving the cardholder has been authenticated with a particular transaction. Returned if the AUTHENTICATION_STATUS is Successful or Attempted. | alphanumeric, 64 |
ECI | E-Commerce Indicator. The ECI value indicates the level of security supported by the merchant when the cardholder provides payment card data for online purchase. | numeric, 1 |
XID | 3-D Secure transaction ID. Returned if Successful or Attempted. Required. | alphanumeric, 64 |
THREEDSVERSION | This field is for 3-D Secure 2.0. Contains the 3-D Secure version that was used to process the transaction. Possible values: 2.1.0 2.2.0 | alphanumeric, 10 |
DSTRANSACTIONID | This field is for 3-D Secure 2.0. Unique transaction identifier assigned by the Directory Server (DS) to identify a single transaction. Conditional. Note: Required for Mastercard Identity Check transaction in Authorization. | alphanumeric, 36 |
The following table provides guidance on which fields to pass depending on cardholder enrollment in a 3-D Secure program:
| Cardholder is enrolled | Cardholder is not enrolled |
|---|---|
AUTHENTICATION_ID | AUTHENTICATION_ID |
AUTHENTICATION_STATUS | AUTHENTICATION_STATUS |
CAVV | |
ECI | ECI |
XID | |
THREEDSVERSON | THREEDSVERSON |
DSTRANSACTIONID |
Note: Set VERBOSITY to HIGH to make sure you
receive all the data returned in the response.
VENDOR=MerchantUserID&PARTNER=PayPal&USER=UserIDIfAvailOrSameAsVendor&PWD=Pwd4Payflow&TENDER=C&TRXTYPE=S&TENDER=C&ACCT=5555555555554444&EXPDATE=0325&AMT=123.00&AUTHENTICATION_ID[20]=8d4d5ed66ac6e6faac6d&CAVV[28]=OTJlMzViODhiOTllMjBhYmVkMGU=&AUTHENTICATION_STATUS[1]=1&ECI[1]=5&XID[28]=YjM0YTkwNGFkZTI5YmZmZWE1ZmY&THREEDSVERSION[5]=1.0.2&VERBOSITY=HIGH&VERBOSITY=HIGHVENDOR=MerchantUserID&PARTNER=PayPal&USER=UserIDIfAvailOrSameAsVendor&PWD=Pwd4Payflow&TENDER=C&TRXTYPE=S&ACCT=5555555555554444&EXPDATE=0308&AMT=123.00&AUTHENTICATION_ID[20]=8d4d5ed66ac6e6faac6d&AUTHENTICATION_STATUS[1]=O&ECI[1]=7&THREEDSVERSION[5]=1.0.2&VERBOSITY=HIGHVENDOR=MerchantUserID&PARTNER=PayPal&USER=UserIDIfAvailOrSameAsVendor&PWD=Pwd4Payflow&TRXTYPE=S&TENDER=C&ACCT=5434XXXXXXXX5556&EXPDATE=1225&AMT=122.27&CAVV[28]=AAABBhBxKAAAAAAAAAAAAAAAAAA=BILLTO&STREET=12115 LACKLAND&BILLTOZIP=63146&ECI=6&DSTRANSACTIONID=f38e6948-5388-41a6-bca4-b49723c19437&THREEDSVERSION=2.0&VERBOSITY=HIGH