3DS2 Data Only Flow
Optionally enhance authorisations with additional data using 3DS2 rails
Introduction
This page aims to describe the 3DS2 data only flow to merchants with a backend-to-backend integration to the PXP Financial Payment Service.
The data only flow has been introduced by Visa and MasterCard as the Visa Data-Only (VDO) program and "Data Share Only" respectively. Using the capabilities of EMV 3DS 2.2 and higher, this service allows merchants to provide additional data in authorisation, allowing issuers to perform more accurate risk-based decisioning. The key difference between a data only transaction and a normal 3DS2 authentication is that there is no challenge step for a data only transaction. Consequently, as this is a frictionless flow, cardholder drop-off during authentication should not be an issue.
Usage of the data only flow should result in higher approval rates as well as a reduction in fraud.
Process Overview
A data only browser-based 3DS2 flow will be initiated from a merchant front-end, via a backend-to-backend call to PXP Financial.
When the payment is received and 3DS authentication is initiated, the user experience is identical to that described in the Browser-based flow for 3DS 2.0 page, minus the challenge flow.
The diagram below illustrates the flow:
Pre-requisites
- You must have a test account set up for use with PXP Financial
- If you are an existing merchant you should already have a fully integrated backend-to-backend integration in place
- If you are a new merchant please refer to the Initiate New Payment (Backend2Backend) section
- Ensure you have reviewed the 3DS Authorisation Policies information and are aware that by default Authorisation Policy '2' must be submitted in the data only request
- Ensure you are configured to be enabled for data only
Constraints and Considerations
- Data only is currently only supported for the following Providers:

Acquirer | Data-only available? |
---|---|
PXP | Yes |
Vantiv | Yes |

- PSD2 requirements will take priority over data only in cases where cardholder and provider are within the EEA
- The authentication outcome for a VDO transaction versus a MasterCard Data Share Only transaction is slightly different
- The data only flow will only work for Visa and MasterCard payment methods as well as the standalone 3DS Authentication-Only method (as described here: Browser-based flow for 3DS 2.0 - Authentication-Only payments)
- A data only flow is not guaranteed to work. There could be scenarios where connectivity could not be established or where issuer support is not available, leading to a failure scenario
Data Only is designed to be used outside of PSD2 jurisdictions
Data Only is optional and as such, will not apply where PSD2 SCA is mandated. If a data only attempt is made in a PSD2 jurisdiction, normal 3DS2 will be applied and as per Scheme requirements, successful SCA must be obtained if an exemption is not used in authorisation. Not following these rules will result in potential fines.
Integration Steps
Step 1: Create a new payment
Submit initiatePaymentRequest
The initiatePaymentRequest should be submitted as described respectively in Step 1 of either:
- The Browser-based flow for 3DS 2.0 page, which lists the 3DS 2.0 fields that should be sent in the initiatePaymentRequest (API documentation about initiatePaymentRequest can be located here)
- Or the Browser-based flow for 3DS 2.0 - Authentication-Only payments page
In addition, the following fields should also be submitted:
- IsThreeDSecureRequired must be set to 'true'
- Submit the new field ChallengeIndicator with value set to '06' (note: the existing field scaChallengeIndicator can also be used, but it is highly recommended to use the new field instead)
- ThreeDSecureAuthorisationPolicyID should be set to '2'
Example initiatePaymentRequest:
<?xml version="1.0" encoding="utf-8"?>
<initiatePaymentRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.cqrpayments.com/PaymentProcessing">
<merchantID>YOUR_MERCHANT_ID</merchantID>
<shopID>YOUR_SHOP_ID</shopID>
<merchantTransactionID>YOUR_MERCHANT_TRANSACTION_ID</merchantTransactionID>
<paymentMethodID>2</paymentMethodID>
<amount currencyCode="USD">12.43</amount>
<userID>YOUR_USER_ID</userID>
<userData>
<address>
<countryCode2>US</countryCode2>
</address>
</userData>
<userIP>127.0.0.1</userIP>
<userSessionID>16e8a3f7-70e2-4c3e-a771-c4d3ce99c26c</userSessionID>
<creationTypeID>1</creationTypeID>
<specificPaymentData>
<data xsi:type="keyStringValuePair">
<key>PaymentDescription</key>
<value>YOUR_PAYMENT_DESCRIPTION</value>
</data>
<data xsi:type="keyStringValuePair">
<key>PaymentDescriptionLanguageCode</key>
<value>en</value>
</data>
<data xsi:type="keyBooleanValuePair">
<key>IsThreeDSecureRequired</key>
<value>true</value>
</data>
<data xsi:type="keyStringValuePair">
<key>SuccessPageUrl</key>
<value>YOUR_SUCCESS_PAGE</value>
</data>
<data xsi:type="keyStringValuePair">
<key>ErrorPageUrl</key>
<value>YOUR_ERROR_PAGE</value>
</data>
<data xsi:type="keyStringValuePair">
<key>BrowserHeaderUserAgent</key>
<value>BrowserHeaderUserAgent</value>
</data>
<data xsi:type="keyStringValuePair">
<key>BrowserVerificationNotificationURL</key>
<value>https://www.notification.com</value>
</data>
<data xsi:type="keyIntValuePair">
<key>BrowserScreenHeight</key>
<value>768</value>
</data>
<data xsi:type="keyIntValuePair">
<key>BrowserScreenWidth</key>
<value>1024</value>
</data>
<data xsi:type="keyStringValuePair">
<key>BrowserLanguage</key>
<value>en</value>
</data>
<data xsi:type="keyStringValuePair">
<key>BrowserHeaderAccept</key>
<value>BrowserHeaderAccept</value>
</data>
<data xsi:type="keyStringValuePair">
<key>UserVerificationNotificationURL</key>
<value>https://userverificationnotificationurl.com</value>
</data>
<data xsi:type="keyStringValuePair">
<key>CardholderEmail</key>
<value>YOUR_CARDHOLDER_EMAIL</value>
</data>
<data xsi:type="keyIntValuePair">
<key>BrowserScreenColorDepth</key>
<value>32</value>
</data>
<data xsi:type="keyStringValuePair">
<key>BrowserTimeZone</key>
<value>-60</value>
</data>
<data xsi:type="keyBooleanValuePair">
<key>BrowserJavaEnabled</key>
<value>true</value>
</data>
<data xsi:type="keyBooleanValuePair">
<key>BrowserJavaScriptEnabled</key>
<value>true</value>
</data>
<data xsi:type="keyIntValuePair">
<key>PaymentProviderID</key>
<value>124</value>
</data>
<data xsi:type="keyIntValuePair">
<key>ChallengeIndicator</key>
<value>6</value>
</data>
<data xsi:type="keyIntValuePair">
<key>ThreeDSecureAuthorisationPolicyID</key>
<value>2</value>
</data>
</specificPaymentData>
<paymentAccount>
<specificPaymentAccountData>
<data xsi:type="keyStringValuePair">
<key>HolderName</key>
<value>HOLDER_NAME</value>
</data>
<data xsi:type="keyIntValuePair">
<key>ExpiryMonth</key>
<value>10</value>
</data>
<data xsi:type="keyIntValuePair">
<key>ExpiryYear</key>
<value>2030</value>
</data>
<data xsi:type="keyStringValuePair">
<key>CardNumber</key>
<value>4570010000000100</value>
</data>
<data xsi:type="keyStringValuePair">
<key>CardVerificationCode</key>
<value>658</value>
</data>
</specificPaymentAccountData>
</paymentAccount>
</initiatePaymentRequest>
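A pre-submit check for the three data only fields listed above, as an added example that is not PXP Financial's code. The function names and the cut-down sample request are constructed for illustration; the zero-padded comparison assumes the integer `6` sent in the example request and the `'06'` given in the text are the same value.

```python
import xml.etree.ElementTree as ET

NS = {"p": "http://www.cqrpayments.com/PaymentProcessing"}

# Constructed request fragment: only the fields this check reads.
SAMPLE = """<initiatePaymentRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.cqrpayments.com/PaymentProcessing">
  <paymentMethodID>2</paymentMethodID>
  <specificPaymentData>
    <data xsi:type="keyBooleanValuePair"><key>IsThreeDSecureRequired</key><value>true</value></data>
    <data xsi:type="keyIntValuePair"><key>ChallengeIndicator</key><value>6</value></data>
    <data xsi:type="keyIntValuePair"><key>ThreeDSecureAuthorisationPolicyID</key><value>2</value></data>
  </specificPaymentData>
</initiatePaymentRequest>"""


def specific_payment_data(xml_text):
    """Return the <specificPaymentData> key/value pairs as a dict of strings."""
    root = ET.fromstring(xml_text)
    pairs = {}
    for data in root.findall("p:specificPaymentData/p:data", NS):
        key = data.findtext("p:key", default="", namespaces=NS).strip()
        pairs[key] = data.findtext("p:value", default="", namespaces=NS).strip()
    return pairs


def data_only_problems(xml_text):
    """List the reasons a request does not carry the data only fields."""
    fields = specific_payment_data(xml_text)
    problems = []
    if fields.get("IsThreeDSecureRequired", "").lower() != "true":
        problems.append("IsThreeDSecureRequired must be 'true'")
    # The new field is preferred; the existing scaChallengeIndicator is still accepted.
    indicator = fields.get("ChallengeIndicator", fields.get("scaChallengeIndicator"))
    # Assumption: int-typed 6 and string '06' are equivalent, so compare zero-padded.
    if indicator is None or indicator.zfill(2) != "06":
        problems.append("ChallengeIndicator must be '06'")
    elif "ChallengeIndicator" not in fields:
        problems.append("warning: scaChallengeIndicator used, ChallengeIndicator is recommended")
    if fields.get("ThreeDSecureAuthorisationPolicyID") != "2":
        problems.append("ThreeDSecureAuthorisationPolicyID must be '2'")
    return problems
```

An empty list means the request carries all three fields as described; anything else is worth failing the build or the call on before the request leaves your backend.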
Receive initiatePaymentResponse
Information about the 3DS related fields returned in initiatePaymentResponse can be found here.
Further details on initiatePaymentResponse can be found here.
Example initiatePaymentResponse:
<initiatePaymentResponse xmlns="http://www.cqrpayments.com/PaymentProcessing" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<payment xsi:type="paymentWithPaymentAccount">
<merchantID>YOUR_MERCHANT_ID</merchantID>
<shopID>YOUR_SHOP_ID</shopID>
<paymentMethod>
<key>2</key>
<value>VISA Deposit</value>
</paymentMethod>
<merchantTransactionID>YOUR_MERCHANT_TRANSACTION_ID</merchantTransactionID>
<paymentID>fe19f0df-f959-42bf-b1a7-583e163b6042</paymentID>
<userID>YOUR_USER_ID</userID>
<paymentProvider>
<key>124</key>
<value>Vantiv</value>
</paymentProvider>
<amount currencyCode="USD">12.43</amount>
<creationType>
<key>1</key>
<value>User</value>
</creationType>
<userIP>127.0.0.1</userIP>
<state>
<id>798a116d-ccab-4116-8884-7acb224338a2</id>
<definition>
<key>13</key>
<value>AuthorisedByProvider</value>
</definition>
<createdOn>2025-01-21T14:19:50.8743581Z</createdOn>
<description>APPROVAL</description>
<paymentStateDetails>
<detail xsi:type="keyStringValuePair">
<key>AVSResponse</key>
<value>Z</value>
</detail>
<detail xsi:type="keyStringValuePair">
<key>AVSResponseCode</key>
<value>Z</value>
</detail>
<detail xsi:type="keyStringValuePair">
<key>AVSResponseMessage</key>
<value>ZIP matches, address does not</value>
</detail>
<detail xsi:type="keyStringValuePair">
<key>CVCResponse</key>
<value>M</value>
</detail>
<detail xsi:type="keyStringValuePair">
<key>ApprovalCode</key>
<value>302116</value>
</detail>
<detail xsi:type="keyStringValuePair">
<key>ProviderResponseCode</key>
<value>00</value>
</detail>
<detail xsi:type="keyStringValuePair">
<key>ProviderResponseMessage</key>
<value>APPROVAL</value>
</detail>
</paymentStateDetails>
</state>
<isExecuted>true</isExecuted>
<baseAmount currencyCode="EUR">9.34</baseAmount>
<paymentDetails>
<detail xsi:type="keyStringValuePair">
<key>ElectronicCommerceIndicator</key>
<value>07</value>
</detail>
<detail xsi:type="keyStringValuePair">
<key>ThreeDSecureVersion</key>
<value>2.2.0</value>
</detail>
</paymentDetails>
<paymentAccount>
<paymentAccountID>17483a82-cc1d-495f-ba2c-282c051cd4d4</paymentAccountID>
<details>
<detail xsi:type="keyStringValuePair">
<key>IssuerCountry</key>
<value>US</value>
</detail>
<detail xsi:type="keyStringValuePair">
<key>AccountFundingSource</key>
<value>Unknown</value>
</detail>
<detail xsi:type="keyBooleanValuePair">
<key>FastFunds</key>
<value>false</value>
</detail>
<detail xsi:type="keyStringValuePair">
<key>IssuerName</key>
<value></value>
</detail>
</details>
</paymentAccount>
</payment>
</initiatePaymentResponse>
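Reading the 3DS fields back out of the response, as an added example that is not PXP Financial's code. Three different containers in this response hold `<detail>` pairs (`paymentStateDetails`, `paymentDetails` and the payment account `details`), so the lookup is scoped to `paymentDetails`; the function name and the cut-down sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"p": "http://www.cqrpayments.com/PaymentProcessing"}

# Constructed response, cut down from the example above to the elements read here.
SAMPLE = """<initiatePaymentResponse xmlns="http://www.cqrpayments.com/PaymentProcessing"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <payment xsi:type="paymentWithPaymentAccount">
    <state><definition><key>13</key><value>AuthorisedByProvider</value></definition></state>
    <paymentDetails>
      <detail xsi:type="keyStringValuePair"><key>ElectronicCommerceIndicator</key><value>07</value></detail>
      <detail xsi:type="keyStringValuePair"><key>ThreeDSecureVersion</key><value>2.2.0</value></detail>
    </paymentDetails>
    <paymentAccount><details><detail><key>IssuerCountry</key><value>US</value></detail></details></paymentAccount>
  </payment>
</initiatePaymentResponse>"""


def three_ds_summary(xml_text):
    """Return the state and 3DS details of one initiatePaymentResponse."""
    payment = ET.fromstring(xml_text).find("p:payment", NS)
    if payment is None:
        raise ValueError("no <payment> element in response")
    # Scope to paymentDetails: a document-wide search for <detail> would also
    # pick up AVS/CVC results and payment account details.
    details = {d.findtext("p:key", namespaces=NS): d.findtext("p:value", default="", namespaces=NS)
               for d in payment.findall("p:paymentDetails/p:detail", NS)}
    version = details.get("ThreeDSecureVersion", "")
    try:
        major_minor = tuple(int(part) for part in version.split(".")[:2])
    except ValueError:
        major_minor = ()  # missing or malformed version string
    return {
        "state": payment.findtext("p:state/p:definition/p:value", namespaces=NS),
        "eci": details.get("ElectronicCommerceIndicator"),
        "three_ds_version": version or None,
        "is_3ds_2_2_or_higher": len(major_minor) == 2 and major_minor >= (2, 2),
        "detail_keys": sorted(details),
    }
```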
Step 2: Perform device fingerprinting
Integration steps for performing device fingerprinting are described here.
Step 3: Perform authorisation
With 3DS Authorisation Policy '2' configured or submitted in initiatePayment
Authorisation will continue automatically.
Without 3DS Authorisation Policy '2' configured
If other 3DS Authorisation Policy behaviour is configured, then additional actions may be required.
The outcome of the data only attempt can be one of the following:
- UserAuthenticationSuccessful (586)
- UserAuthenticationFailed (587)
- UserAuthenticationErrorOccurred (600)
- UserAuthenticationRejected (597)
- UserAuthenticationCommunicationErrorOccurred (588)
- NotEnrolledInThreeDSecure (284)
In this case, to proceed with authorisation, the following request should be submitted.
Example executePaymentAction:
<executePaymentActionRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.cqrpayments.com/PaymentProcessing">
<merchantID>YOUR_MERCHANT_ID</merchantID>
<shopID>YOUR_SHOP_ID</shopID>
<paymentID>YOUR_PAYMENT_ID</paymentID>
<actionID>120</actionID>
<remark>Test</remark>
</executePaymentActionRequest>
Pass-through payments
The following fields should specifically be taken note of:
Outcome | Field Name | Visa | MasterCard |
---|---|---|---|
Success | ThreeDSecureTransactionStatus | I | I |
Success | ElectronicCommerceIndicator | 07 | 06 |
Success | CardholderAuthenticationVerificationValue | As provided | As provided |
Failure | ThreeDSecureTransactionStatus | N | N |
Failure | ElectronicCommerceIndicator | 07 | 07 |
In the case of an authentication only payment, the above fields should be used in conjunction with those specified here when performing the subsequent authorisation.
Testing
Use the following card numbers for testing the data only flow:
- Visa: 4570010000000100
- Mastercard: 5266001056000116
Please note that your testing account will need to be configured correctly.
3DS 2.0 Data Only Integration Summary
In order to integrate with PXP Financial for 3DS 2.0 you will need to:
- Send additional data in initiatePaymentRequest
- Perform Device Fingerprinting using a listener you have implemented
- Notify PXP Financial of the result
- In a frictionless flow, PXP Financial will proceed with the payment according to the specific 3DS Authorisation Policy behaviour, then notify you
Version History
Date | Description |
---|---|
21.01.2025 | Initial version |