📘Access Control Server (ACS)
Last updated
Last updated
EMV 3D Secure is an authentication protocol that enables cardholder verification during e-commerce transactions. It operates through data exchange between three domains: Acquirer/3DS Server, Interoperability/Directory Server, and Issuer/ACS.
A 3D Secure transaction can be initiated through three channels:
Browser: Transactions initiated from the merchant's website
App: Transactions initiated from a merchant mobile app that includes a 3DS SDK
3DS Requestor Initiated (3RI): Transactions initiated by the merchant without cardholder interaction
3D Secure Transaction Categories:
A 3D Secure transaction can be one of two message categories:
Payment Authentication: E-commerce transactions where a payment is made
Non-payment Authentication: Authentication transactions that do not involve payment, such as adding a card or checking card status
Cardholder Authentication Methods:
The following authentication methods can be used for transactions requiring cardholder authentication:
FIDO: Authentication using the WebAuthn capability of modern browsers
Out-of-Band (OOB): Authentication using a mobile application on the Issuer domain to authenticate the cardholder via a push notification.
OTP: Entering a verification code shared via SMS or a 3rd party application into the ACS challenge page.
3D Secure Transaction Flow:
The Authentication Request (AReq) message, generated by the 3DS Server and containing transaction information, is sent to the Directory Server and from there to the ACS.
The ACS sends transaction and risk information to the Issuer's Verify Account service.
If no response is received from the Issuer within a sufficient time, an Authentication Response (ARes) message with the transaction status Attempt (A) is returned to the DS.
The Issuer checks the card status and whether the transaction is eligible for 3D Secure and shares with the ACS how it wants the transaction to proceed through the Verify Account Response message.
If the Transaction Status value is other than C or D, the ACS returns an ARes with appropriate values and ends the transaction.
If the Transaction Status value is either C or D, the transaction proceeds according to the Authentication Method. Check Integration Manuals to learn more on how the transaction proceeds based on the authentication method.
