Defining the steps of payment with 3D Secure authentication

The process of payment with 3D Secure authentication is as follows:

Figure 1. The steps of payment with 3D Secure authentication
  1. The buyer confirms the order and enters the payment card details on the merchant website to proceed to payment.
  2. The merchant website contacts the payment gateway.

    It calls the createPayment operation. It sets the mode attribute of the threeDSRequest object to ENABLED_CREATE.

  3. The payment gateway queries the directory server of VISA, MasterCard or AMEX (SafeKey) through its MPI.
    • If the card is not enrolled, the payment gateway proceeds to the authorization request and returns the payment result to the merchant website.
      • the threeDSEnrolled attribute of the authenticationRequestData object of threeDSResponse is set to N.
    • If the card is enrolled:
      the payment gateway returns the following information to the merchant:
      • the threeDSEnrolled attribute of the authenticationRequestData object of threeDSResponse is set to Y,
      • the URL of the cardholder’s bank website (ACS) to which the buyer will be redirected by the merchant,
      • the encrypted PAReq message (threeDSEncodedPareq),
      • the query id (threeDSRequestId).
  4. In the MD field, the merchant website stores:
    • the session id included in the HTTP header of the response (JSESSIONID),
    • the query id (threeDSRequestId) included in the response authenticationRequestData.
      MD is the abbreviation of MerchantData. It is a field created for the query.
  5. The merchant website sends an HTTP POST to the buyer's browser including:
    • PaReq
    • TermUrl
    • MD
  6. The buyer is redirected to the website of the issuing bank (ACS) and identifies him/herself.
  7. After the authentication, the buyer is redirected to the merchant website. The buyer's browser sends a POST request to the merchant website containing the MD and PaRes fields.
  8. The merchant website retrieves these two fields and transmits them to the payment gateway to verify the authentication and create the transaction.
    To create the transaction, the merchant website must:
    • call the createPayment operation once again by setting the mode attribute of the threeDSRequest object to ENABLED_FINALIZE,
    • set the requestId attribute of the threeDSRequest object,
    • set the pares attribute of the threeDSRequest object.
  9. The MPI of the payment gateway verifies the information contained in the PaRes:
    • If the buyer has not authenticated him/herself, the payment is refused.
    • If the buyer has authenticated him/herself, the payment gateway proceeds to the authorization request.
  10. The payment gateway returns the result to the merchant website (authenticationResultData).
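
The MD field from steps 4 to 8 travels through the buyer's browser and the ACS before it comes back to the merchant, so the merchant side can check that it returns unchanged before making the ENABLED_FINALIZE call. The following sketch is an added example, not code from the payment gateway: the MD layout (base64 JSON plus an HMAC tag), the key, the auto-submitting form and the dict standing in for the createPayment request are all assumptions made for illustration.

```python
import base64, hashlib, hmac, html, json

KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to the browser

def pack_md(session_id: str, request_id: str, key: bytes = KEY) -> str:
    """Step 4: store JSESSIONID and threeDSRequestId in MD, with an integrity tag."""
    body = base64.urlsafe_b64encode(
        json.dumps({"sid": session_id, "rid": request_id}).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def unpack_md(md: str, key: bytes = KEY) -> tuple:
    """Step 8: accept MD only if its tag matches; it came back through the browser."""
    body, _, tag = md.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("MD failed integrity check")
    data = json.loads(base64.urlsafe_b64decode(body))
    return data["sid"], data["rid"]

def acs_form(acs_url: str, pareq: str, term_url: str, md: str) -> str:
    """Step 5: form carrying PaReq, TermUrl and MD that the browser posts to the ACS."""
    fields = {"PaReq": pareq, "TermUrl": term_url, "MD": md}
    inputs = "".join(
        f'<input type="hidden" name="{n}" value="{html.escape(v, quote=True)}">'
        for n, v in fields.items())
    return (f'<form method="POST" action="{html.escape(acs_url, quote=True)}">'
            f'{inputs}</form><script>document.forms[0].submit()</script>')

def finalize_request(post: dict, key: bytes = KEY) -> dict:
    """Step 8: build the second createPayment call from the browser's POST fields."""
    session_id, request_id = unpack_md(post["MD"], key)
    return {"JSESSIONID": session_id,  # session to reuse for the gateway call
            "threeDSRequest": {"mode": "ENABLED_FINALIZE",
                               "requestId": request_id,
                               "pares": post["PaRes"]}}
```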