F: 3D Secure Workflows

3D Secure Workflow

3D Secure 2.1 Frictionless Flow (Issuer supports 3D Secure 2)

3D Secure 2 Frictionless Workflow

1. Check-enrollment: This first step initiates the payment session and checks if the consumer’s card is enrolled in the 3D Secure 2 program.
1.1 Consumer (cardholder) checkout on your payment page.
1.2 Initiate the payment session with Wirecard Payment Gateway using the check-enrollment transaction type. Provide additional fields for 3D Secure 2 transactions. 3D Secure 2 fields can be found in the 3D Secure 2 field table and are included in the REST API payment XSD.
1.3 Wirecard Payment Gateway checks the 3D Secure version supported by the issuer with the 3D Secure server.
1.4 Wirecard Payment Gateway returns the check-enrollment response. It includes the PAReq, the ACS URL, and the 3D Secure version.

2. Redirect the consumer to the ACS URL
2.1 Send an HTTPS POST request including the ACS URL, the <PAReq>, the <TermUrl> and <MD>.
2.2 The ACS URL points to the public endpoint of the Wirecard 3D Secure Router which decodes the <PAReq>.
2.3 The Wirecard 3D Secure Router returns an HTML with the scheme logo and a "processing" screen which is displayed in the consumer’s browser.
2.4 The Wirecard 3D Secure Router redirects the consumer to the 3DSMethodURL for device fingerprinting.
2.5 The Issuer ACS gathers the information and redirects the 3D Secure method completion information to the Wirecard 3D Secure Router URL.
2.6 The Wirecard 3D Secure Router initiates authentication with the issuer’s ACS via the scheme directory server.
2.7 The Wirecard 3D Secure Router posts the SSL-encrypted and digitally signed PARes (Payment Authentication response) to the TermURL via the consumer’s browser.

3. Check-payer-response (optional) and PARes verification: Use this request to receive, analyze and store authentication values on your side or use your connection to the Wirecard Payment Gateway. The check-payer-response provides the authentication values needed later for completion of the payment transaction. It is executed after you receive the check-enrollment response and the PARes.
3.1 Send a POST request with transaction type check-payer-response to Wirecard Payment Gateway. Provide the parent-transaction-id using the transaction-id from the check-enrollment response, and the PARes.
3.2 Wirecard Payment Gateway decodes the PARes, checks the signature and retrieves the final authentication values.
3.3 Wirecard Payment Gateway returns the final authentication values in the response of the check-payer-response transaction. These include the dsTransId, CAAV/AVV, ECI, and authenticationStatus.

4. Complete the payment transaction: Proceed with the payment transaction with the relevant transaction-type (e.g. authorization, purchase, authorization-only). Use the final authentication values received either from the check-enrollment response(e.g. PARes and parent-transaction-id), or from step 3.3 (check-payer-response response).

3D Secure 2.1 Challenge Flow (Issuer supports 3D Secure 2)

3D Secure 2 Challenge Workflow

1. Check-enrollment: This first step initiates the payment session and checks if the consumer’s card is enrolled in the 3D Secure 2 program.
1.1 Consumer (cardholder) checkout on your payment page.
1.2 Initiate the payment session with Wirecard Payment Gateway using the check-enrollment transaction type. Provide additional fields for 3D Secure 2 transactions. 3D Secure 2 fields can be found in the 3D Secure 2 field table and are included in the REST API payment XSD.
1.3 Wirecard Payment Gateway checks the 3D Secure version supported by the issuer with the 3D Secure server.
1.4 Wirecard Payment Gateway returns the check-enrollment response. It includes the PAReq, the ACS URL, and the 3D Secure version.

2. Redirect the consumer to the ACS URL
2.1 Send an HTTPS POST request including the ACS URL, the <PAReq>, the <TermUrl> and <MD>.
2.2 The ACS URL points to the public endpoint of the Wirecard 3D Secure Router which decodes the <PAReq>.
2.3 The Wirecard 3D Secure Router returns an HTML with the scheme logo and a "processing" screen which is displayed in the consumer’s browser.
2.4 The Wirecard 3D Secure Router redirects the consumer to the 3DSMethodURL for device fingerprinting.
2.5 The Issuer ACS gathers the information and redirects the 3D Secure method completion information to the Wirecard 3D Secure Router URL.
2.6 The Wirecard 3D Secure Router initiates authentication with the issuer’s ACS via the scheme directory server.
2.7 The Wirecard 3D Secure Router redirects the consumer to the ACS which displays a challenge window (either a page or an iframe).
2.8 The consumer enters their data. After successful authentication, the ACS sends the challenge response to the Wirecard 3D Secure Router.
2.9 The Wirecard 3D Secure Router posts the SSL-encrypted and digitally signed PARes (Payment Authentication response) to the TermURL via the consumer’s browser.

3. Check-payer-response (optional) and PARes verification: Use this request to receive, analyze and store authentication values on your side or use your connection to the Wirecard Payment Gateway. The check-payer-response provides the authentication values needed later for completion of the payment transaction. It is executed after you receive the check-enrollment response and the PARes.
3.1 Send a POST request with transaction type check-payer-response to Wirecard Payment Gateway. Provide the parent-transaction-id using the transaction-id from the check-enrollment response, and the PARes.
3.2 Wirecard Payment Gateway decodes the PARes, checks the signature and retrieves the final authentication values.
3.3 Wirecard Payment Gateway returns the final authentication values in the response of the check-payer-response transaction. These include the dsTransId, CAAV/AVV, ECI, and authenticationStatus.

4. Complete the payment transaction: Proceed with the payment transaction with the relevant transaction-type (e.g. authorization, purchase, authorization-only). Use the final authentication values received either from the check-enrollment response (e.g. PARes and parent-transaction-id), or from step 3.3 (check-payer-response response).

3D Secure 2.1 Flow with Fallback to 3D Secure 1 (Issuer does not support 3D Secure 2)

3D Secure 2 Fallback Workflow

1. Check-enrollment: This first step initiates the payment session and checks if the consumer’s card is enrolled in the 3D Secure 2 program.
1.1 Consumer (cardholder) checkout on your payment page.
1.2 Initiate the payment session with Wirecard Payment Gateway using the check-enrollment transaction type. Provide additional fields for 3D Secure 2 transactions. 3D Secure 2 fields can be found in the 3D Secure 2 field table and are included in the REST API payment XSD.
1.3 Wirecard Payment Gateway checks the 3D Secure version supported by the issuer with the 3D Secure server. If 3D Secure 2 is not supported then the 3D Secure server initiates the fallback to version 1 via the 3D Secure MPI.
1.4 Wirecard Payment Gateway returns the check-enrollment response. It includes the PAReq, the ACS URL, and the 3D Secure version.

2. Redirect the consumer to the ACS URL
2.1 Send an HTTPS POST request including the ACS URL, the <PAReq>, the <TermUrl> and <MD>.
2.2 The ACS URL points to the public endpoint of the issuer ACS, which decodes the <PAReq>. The ACS displays the authentication window for the cardholder.
2.3 The consumer enters their data in the authentication window displayed by the ACS.
2.4 The issuer ACS verifies the authentication credentials and posts the SSL-encrypted and digitally signed PARes (Payment Authentication response), as well as the <MD> to the TermURL via the consumer’s browser.

3. Check-payer-response (optional) and PARes verification: Use this request to receive, analyze and store authentication values on your side or use your connection to the Wirecard Payment Gateway. The check-payer-response provides the authentication values needed later for completion of the payment transaction. It is executed after you receive the check-enrollment response and the PARes.
3.1 Send a POST request with transaction type check-payer-response to Wirecard Payment Gateway. Provide the parent-transaction-id using the transaction-id from the check-enrollment response, and the PARes.
3.2 Wirecard Payment Gateway verifies the PARes with the 3D Secure MPI and receives the final authentication values.
3.3 Wirecard Payment Gateway returns the final authentication values in the response of the check-payer-response transaction. These include the XID, CAAV/AVV, ECI, and authenticationStatus.

4. Complete the payment transaction: Proceed with the payment transaction with the relevant transaction-type (e.g. authorization, purchase, authorization-only). Use the final authentication values received either from the check-enrollment response (e.g. PARes and parent-transaction-id), or from step 3.3 (check-payer-response response).

Custom URL: