3-D Secure with 3rd-Party Merchant Plug-ins

Merchants not enrolled in the Payflow Buyer Authentication Service can use a 3rd-party Merchant Plug-in (MPI), such as CardinalCommerce, to perform the 3-D Secure authentication and verification of the credit card. Once the cardholder is authenticated, you pass the resulting authentication data to Payflow in your standard authorization or sale transaction.

How 3-D Secure works with an MPI

When you, as a merchant, have 3-D Secure enabled on your website and your customer uses a card that is enrolled in the 3-D Secure program, the authentication and transaction process is as follows:

  1. The customer enters their credit or debit card information on your checkout page.
  2. Your website uses your Merchant Plug-In (MPI), such as CardinalCommerce, to call a directory server and determine whether the card is registered in the 3-D Secure program.
  3. The customer sees the 3-D Secure page, where they authenticate themselves to the card-issuing bank by entering a password or a one-time PIN.
  4. You send the result of the 3-D Secure authentication to Payflow in the authorization or sale request, then PayPal submits transaction details to your processor.
  5. The transaction is authorized or declined by the acquirer.
  6. The customer sees a response indicating whether the transaction succeeded or failed.

How to send 3-D Secure authentication data

After you've integrated with an MPI and can use the plug-in for cardholder authentication, you send the data you receive back from the MPI to Payflow during a sale or authorization request. The information you pass to Payflow varies depending on whether the cardholder is enrolled in a 3-D Secure program or not. Use the developer documentation provided by your MPI to map the Payflow fields to the MPI-returned fields.

Payflow fields

| Field | Description | Data type/max length |
|---|---|---|
| AUTHENTICATION_ID | Unique identifier for this authentication validation. | alphanumeric, 64 |
| AUTHENTICATION_STATUS | Value returned by MPI indicating if authentication was successful, attempted or failed. | alphanumeric, 1 |
| CAVV | Cardholder authentication verification value, also known as AAV. The value generated by the card-issuing bank proving the cardholder has been authenticated with a particular transaction. Returned if the AUTHENTICATION_STATUS is Successful or Attempted. | alphanumeric, 64 |
| ECI | E-Commerce Indicator. The ECI value indicates the level of security supported by the merchant when the cardholder provides payment card data for online purchase. | numeric, 1 |
| XID | 3-D Secure transaction ID. Returned if Successful or Attempted. Required. | alphanumeric, 64 |
| THREEDSVERSION | This field is for 3-D Secure 2.0. Contains the 3-D Secure version that was used to process the transaction. Possible values: 1.0.2, 2.1.0, 2.2.0. Default = 1.0.2 | alphanumeric, 10 |
| DSTRANSACTIONID | This field is for 3-D Secure 2.0. Unique transaction identifier assigned by the Directory Server (DS) to identify a single transaction. Conditional. Note: Required for MasterCard Identity Check transaction in Authorization. | alphanumeric, 36 |

Note: PayPal is the only supported processor for 3-D Secure 2.0. While you can pass THREEDSVERSION and DSTRANSACTIONID now, these will be ignored by other processors until support for 3-D Secure 2.0 is implemented.

The following table provides guidance on which fields to pass depending on cardholder enrollment in a 3-D Secure program:

| Cardholder is enrolled | Cardholder is not enrolled |
|---|---|
| AUTHENTICATION_ID | AUTHENTICATION_ID |
| AUTHENTICATION_STATUS | AUTHENTICATION_STATUS |
| CAVV | |
| ECI | ECI |
| XID | |
| THREEDSVERSION | THREEDSVERSION |
| DSTRANSACTIONID | |

Sample request - cardholder is enrolled

Note: Set VERBOSITY to HIGH to make sure you receive all the data returned in the response.

VENDOR=MerchantUserID&PARTNER=PayPal&USER=UserIDIfAvailOrSameAsVendor&PWD=Pwd4Payflow&TENDER=C&TRXTYPE=S&ACCT=5555555555554444&EXPDATE=0325&AMT=123.00&AUTHENTICATION_ID[20]=8d4d5ed66ac6e6faac6d&CAVV[28]=OTJlMzViODhiOTllMjBhYmVkMGU=&AUTHENTICATION_STATUS[1]=1&ECI[1]=5&XID[28]=YjM0YTkwNGFkZTI5YmZmZWE1ZmY=&THREEDSVERSION[5]=1.0.2&VERBOSITY=HIGH

Sample request - cardholder is not enrolled

VENDOR=MerchantUserID&PARTNER=PayPal&USER=UserIDIfAvailOrSameAsVendor&PWD=Pwd4Payflow&TENDER=C&TRXTYPE=S&ACCT=5555555555554444&EXPDATE=0308&AMT=123.00&AUTHENTICATION_ID[20]=8d4d5ed66ac6e6faac6d&AUTHENTICATION_STATUS[1]=O&ECI[1]=7&THREEDSVERSION[5]=1.0.2
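
An added example, not part of the original PayPal documentation: one way to assemble the 3-D Secure pairs shown in the sample requests so that each bracketed length tag is computed from its value and only the fields listed for the cardholder's enrollment state are sent. The function names and the `mpi` dictionary are assumptions; the field names, maximum lengths and version values come from the tables above.

```python
import re

# Maximum lengths from the "Payflow fields" table on this page.
MAX_LEN = {"AUTHENTICATION_ID": 64, "AUTHENTICATION_STATUS": 1, "CAVV": 64,
           "ECI": 1, "XID": 64, "THREEDSVERSION": 10, "DSTRANSACTIONID": 36}
# Columns of the enrollment table on this page.
ENROLLED = ("AUTHENTICATION_ID", "AUTHENTICATION_STATUS", "CAVV", "ECI",
            "XID", "THREEDSVERSION", "DSTRANSACTIONID")
NOT_ENROLLED = ("AUTHENTICATION_ID", "AUTHENTICATION_STATUS", "ECI", "THREEDSVERSION")
VERSIONS = {"1.0.2", "2.1.0", "2.2.0"}
PAIR = re.compile(r"([A-Z0-9_]+)(?:\[(\d+)\])?=")


def threeds_pairs(mpi, enrolled):
    """Build 'NAME[len]=value' pairs from `mpi`, a hypothetical dict of MPI
    results already mapped to Payflow field names (all values are strings)."""
    values = {"THREEDSVERSION": "1.0.2", **mpi}  # documented default
    if values["THREEDSVERSION"] not in VERSIONS:
        raise ValueError("unsupported THREEDSVERSION")
    pairs = []
    for name in (ENROLLED if enrolled else NOT_ENROLLED):
        value = values.get(name)
        if not value:
            continue  # field not returned by the MPI for this transaction
        if len(value) > MAX_LEN[name]:
            raise ValueError(f"{name} exceeds {MAX_LEN[name]} characters")
        if name == "ECI" and not value.isdigit():
            raise ValueError("ECI must be numeric")
        # The tag is computed from the value, so the two cannot disagree.
        pairs.append(f"{name}[{len(value)}]={value}")
    return pairs


def parse_nvp(request):
    """Read a length-tagged request into a dict (a checking aid for tests)."""
    out, pos = {}, 0
    while pos < len(request):
        m = PAIR.match(request, pos)
        if not m:
            raise ValueError(f"malformed pair at offset {pos}")
        start = m.end()
        nxt = request.find("&", start)
        end = (start + int(m.group(2)) if m.group(2)
               else len(request) if nxt < 0 else nxt)
        if end > len(request) or request[end:end + 1] not in ("", "&"):
            raise ValueError(f"length tag for {m.group(1)} does not match its value")
        out[m.group(1)] = request[start:end]
        pos = end + 1
    return out
```

Running `parse_nvp` over an outgoing request in a test catches a length tag that disagrees with its value, for example a base64 CAVV or XID that lost its trailing `=` padding.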