Firstoken API Docs
  • ⚙️API Reference
    • Firstoken API
      • Tokenization As A Service
        • Simple Tokenization
        • Simple Detokenization
        • Inspect Token
        • Delete Tokens
      • Transactions
        • Create a Transaction
        • Retrieve a Transaction
        • Inspect a Transaction
        • Delete a Transaction
        • Tokenize a Transaction
      • Proxy
        • Allowed Headers
        • Actions
        • Methods
          • POST - Proxy
          • GET - Proxy
          • PUT - Proxy
          • PATCH - Proxy
          • DELETE - Proxy
        • Get Payload Hash
        • Proxy JOSE
        • Proxy WSSEC
      • Inbound Routes
        • Create an Inbound - POST
      • Payments
        • Attributes of the Request
        • Common response
        • Endpoints
          • Authorizations
          • Reversals
          • Capture
            • Capture Refunds
            • Capture Void
          • Payments
            • Payment Refunds
            • Payment Void
          • Refunds void
          • Credit
            • Credit Void
          • Get Transaction Details
        • Decision Manager
          • How it works
          • Create decision
          • Update Decision
        • Risk Payer Authentication
          • How to use it
          • 3-D Secure Flows
            • Successful Frictionless Authentication
            • Unsuccessful Frictionless Authentication
            • Attempts Processing Frictionless Authentication
            • Unavailable Frictionless Authentication
            • Rejected Frictionless Authentication
            • Authentication not available on Lookup
            • Enrollment check error
            • Time-out
            • Bypassed Authentication
            • Successful Step-Up Authentication
            • Unsuccessful Step-Up Authentication
            • Unavailable Step-Up Authentication
            • Require Method URL
        • Point of Sale Payments
          • Authorization
          • Capture
          • Payment
          • Credit
  • 📖Guides
    • Firstoken Captures Hosted Iframe
      • How Firstoken Captures works
      • Generating a JSON Web Token
      • JSON form Schema
      • Iframe Communication
    • De-scoping Components
      • How Firstoken De-scoping Components works
      • Inbound Routes Module
        • Create an Inbound Route
        • Edit an Inbound Route
        • Delete an Inbound Route
      • Webhook Module
        • Create a Webhook
        • Edit a Webhook
        • Delete a Webhook
        • Webhook events
        • How to sign Webhooks data
      • Proxy Module
        • Create a Proxy
        • Edit a Proxy
        • Delete a Proxy
    • Firstoken Captures SDK JS
      • Getting Started
      • Functions
      • Type of Elements
      • Elements Options
      • CSS Object
      • Full Example of Usage
      • SDK versions
Powered by GitBook
On this page
  • Setup
  • Check Enrollment
  • Validate
  • Authorization

Was this helpful?

  1. API Reference
  2. Firstoken API
  3. Payments
  4. Risk Payer Authentication
  5. 3-D Secure Flows

Successful Step-Up Authentication

PreviousBypassed AuthenticationNextUnsuccessful Step-Up Authentication

Last updated 1 month ago

Was this helpful?

The steps to follow this flows are:

Setup

POST risk/authentication/setup

As we explain before, in this step, you will receive an access token that should be use to secure the connection and a URL that behind the scene we will be capturing the data.

{
  "transaction_info": {
    "type": "setup",
    "reference_code": "d47f5455-0282-46c7-b1fc-eaf7ac0d85bf"
  },
  "card": {
    "number": "4000000000002503",
    "expiration_date": "01/2027"
  }
}
{
  "status": "success",
  "message": "Payer authentication setup successful",
  "data": {
    "transaction_info": {
      "type": "setup_auth_response",
      "transactionId": "0001713185523951255635",
      "reference_code": "715b2da3-c37c-41e9-856a-f5029837d592",
      "request_id": "7131855241356783504951",
      "status": "Completed",
      "created_at": "2024-04-15T12:52:04Z"
    },
    "consumer_auth_info": {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIzY2UwYWU0ZS1mMTU3LTQzMjAtYTFhMy04ZGQzZWI1MzE0ZTQiLCJpYXQiOjE3MTMxODU1MjQsImlzcyI6IjVkZDgzYmYwMGU0MjNkMTQ5OGRjYmFjYSIsImV4cCI6MTcxMzE4OTEyNCwiT3JnVW5pdElkIjoiNjU3Mjk0ZjNkZjQ4NzczOGY3MzEyNDAxIiwiUmVmZXJlbmNlSWQiOiI4NmVjYmYzNS0zNzRlLTQwY2ItOGRiZC00YjYzMjQ0YzUzZDgifQ.3uXYR5J4V54X5YHheNjxIJX8AiQxMCJu1uyNQ9X9Hpo",
      "device_data_collection_url": "https://centinelapistag.cardinalcommerce.com/V1/Cruise/Collect",
      "reference_id": "86ecbf35-374e-40cb-8dbd-4b63244c53d8",
      "token": "AxizbwSTgp5fq9NS2c43AIcBT34GzZlYAgFQyaSZejFxgH8AcAAA4Arn"
    }
  }
}

Check Enrollment

POST risk/authentication/enroll

Using the session ID obtained, in the capture process, and the data obtained in Setup step, we check the enroll of the transaction, and returns the risk level of it. In this case will be Challenge required

{
  "transaction_info": {
    "type": "check_enroll",
    "reference_code": "d47f5455-0282-46c7-b1fc-eaf7ac0d85bf"
  },
  "card": {
    "number": "4000000000002503",
    "expiration_date": "01/2027"
  },
  "order_info": {
    "amount_details": {
      "total_amount": "1000",
      "currency": "COP"
    }
  },
  "bill_to": {
    "first_name": "John",
    "last_name": "Doe",
    "country": "US",
    "address_1": "1 Market St",
    "address_2": "Suite 200",
    "city": "san francisco",
    "state": "CA",
    "phone_number": "4158880000",
    "email": "accept@gmsectec.com",
    "postal_code": "94105"
  },
  "buyer_info": {
    "mobile_phone": "4158880000"
  },
  "device_info": {
    "ip_address": "190.123.237.237",
    "http_browser_color_depth": "24",
    "http_browser_java_enabled": false,
    "http_browser_js_enabled": true,
    "http_browser_screen_height": "1050",
    "http_browser_screen_width": "1680",
    "http_browser_time_offset": "240",
    "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36",
    "cookies_accepted": true,
    "http_browser_language": "en-US"
  },
  "authentication": {
    "reference_id": "86ecbf35-374e-40cb-8dbd-4b63244c53d8",
    "return_url": "https://merchant.com/returnUrl",
    "device_channel": "Browser",
    "mode": "internet",
    "token": "AxizbwSTgp5fq9NS2c43AIcBT34GzZlYAgFQyaSZejFxgH8AcAAA4Arn"
  }
}
{
  "status": "success",
  "message": "Chech enroll successful, authentication pending",
  "data": {
    "transaction_info": {
      "type": "check_enroll_response",
      "transaction_id": "0001713185528186421492",
      "reference_code": "5983d00b-faf6-40ce-a775-8a6fcb7bd2d8",
      "request_id": "7131855283376784804951",
      "status": "Pending_authentication",
      "created_at": "2024-04-15T12:52:08Z"
    },
    "card": {
      "bin": "400000",
      "type": "VISA"
    },
    "error": {
      "reason": "Consumer_authentication_required",
      "message": "The cardholder is enrolled in Payer Authentication. Please authenticate the cardholder before continuing with the transaction."
    },
    "consumer_auth_info": {
      "token": "AxjzbwSTgp5f0greGgxXAIcBT34GzZpt5COGoEApdrSTL0YuMA/gDgAA6whi",
      "veres_enrolled": "Y",
      "acs_transaction_id": "651b5b97-92e4-424d-bea4-6ba15ea90f88",
      "acs_url": "https://0merchantacsstag.cardinalcommerce.com/MerchantACSWeb/creq.jsp",
      "authentication_transaction_id": "REte8FdwHgBwjwP3pPw0",
      "challenge_required": "N",
      "pareq": "eyJtZXNzYWdlVHlwZSI6IkNSZXEiLCJtZXNzYWdlVmVyc2lvbiI6IjIuMi4wIiwidGhyZWVEU1NlcnZlclRyYW5zSUQiOiIwZDY4OWM4Ny01ZTZmLTRiZWMtODFkMy0xM2M1OGUwMTlmZjMiLCJhY3NUcmFuc0lEIjoiNjUxYjViOTctOTJlNC00MjRkLWJlYTQtNmJhMTVlYTkwZjg4IiwiY2hhbGxlbmdlV2luZG93U2l6ZSI6IjAyIn0",
      "specificationVersion": "2.2.0",
      "stepup_url": "https://centinelapistag.cardinalcommerce.com/V2/Cruise/StepUp",
      "tree_dss_server_transaction_id": "0d689c87-5e6f-4bec-81d3-13c58e019ff3",
      "directory_server_transaction_id": "20d20f57-af6b-4b7f-8da4-1bcea2a8843c",
      "acs_reference_number": "Cardinal ACS"
    }
  }
}

Validate

POST risk/authentication/validate

After the modal for One time password is showed and the customer enter the one-time password, a unique identification is created and you can validate the information to resend the enrollment request for update the status.

{
  "transaction_info": {
    "type": "validate_result",
    "reference_code": "d47f5455-0282-46c7-b1fc-eaf7ac0d85bf"
  },
  "card": {
    "number": "4000000000002503",
    "expiration_date": "01/2027"
  },
  "order_info": {
    "amount_details": {
      "total_amount": "1000",
      "currency": "MXN"
    }
  },
  "bill_to": {
    "first_name": "John",
    "last_name": "Doe",
    "country": "US",
    "address_1": "1 Market St",
    "address_2": "Suite 200",
    "city": "san francisco",
    "state": "CA",
    "phone_number": "4158880000",
    "email": "accept@gmsectec.com",
    "postal_code": "94105"
  },
  "authentication": {
    "transaction_id": "REte8FdwHgBwjwP3pPw0"
  }
}

{
  "status": "success",
  "message": "Validation successful, authentication succeded",
  "data": {
    "transaction_info": {
      "type": "validate_result_response",
      "reference_code": "2676e052-6c22-4358-9892-fe5c54e9f614",
      "request_id": "7131855659966795604951",
      "status": "Authentication_successful",
      "created_at": "2024-04-15T12:52:46Z"
    },
    "card": {
      "bin": "400000",
      "type": "VISA"
    },
    "consumer_auth_info": {
      "eci": "05",
      "eci_raw": "05",
      "token": "AxjzbwSTgp5hKIyP6+PXAIcBT34GzaNB5COGoEAqGTSTL0YuMA/gDgAA4AhQ",
      "pares_status": "Y",
      "acs_transaction_id": "651b5b97-92e4-424d-bea4-6ba15ea90f88",
      "cavv": "AAIBBYNoEwAAACcKhAJkdQAAAAA=",
      "specificationVersion": "2.2.0",
      "tree_dss_server_transaction_id": "0d689c87-5e6f-4bec-81d3-13c58e019ff3",
      "xid": "AAIBBYNoEwAAACcKhAJkdQAAAAA=",
      "directory_server_transaction_id": "20d20f57-af6b-4b7f-8da4-1bcea2a8843c"
    }
  }
}

Authorization

POST /payments

This authorization is the same endpoint used in Payments API (Simple Authorization), the difference is that a new object is sent in the request, the authorization object:

This JSON object is part of the security measures taken to authenticate online transactions and protect against fraud. Each field contributes to ensuring that the person making the transaction is the legitimate cardholder.

Additional attributes of the request

  • eci: string Required: false Stands for "Electronic Commerce Indicator." The value "05" indicates that the transaction was processed using 3D Secure authentication

  • eci_raw: string Required: false This is likely the raw Electronic Commerce Indicator value

  • token: string Required: false A unique token generated for the transaction, used to create a secure channel with the merchant.

  • commerce_indicator: string Required: false Indicates the type of transaction. "vbv" refers to "Verified by Visa"

  • pares_status: string Required: false The status returned by the Payer Authentication Response (PaRes). "Y" means that the authentication was successful.

  • veres_enrolled: string Indicates whether the card is enrolled in the 3D Secure program. "Y" means yes.

  • acs_transaction_id: string Required: false A unique identifier for the transaction provided by the Access Control Server (ACS)

  • authentication_transaction_id: string Required: false Another unique identifier for the authentication transaction.

  • cavv: string Required: false Cardholder Authentication Verification Value. A value generated during the 3D Secure process that helps verify the cardholder's identity

  • specificationVersion: string Required: false The version of the 3D Secure protocol used, which in this case is "2.2.0."

  • ree_dss_server_transaction_id: string Required: false Likely an identifier for the transaction as recorded by the 3D Secure server

  • xid: string Required: false A transaction identifier used in the 3D Secure 1.0 protocol, similar to the CAVV

  • directory_server_transaction_id: string Required: false A unique identifier for the transaction as recorded by the directory server.

  • acs_reference_number: string Required: false A reference number for the Access Control Server, which in this case is "Cardinal ACS/"

{
  "transaction_info": {
    "type": "payment",
    "reference_code": "d47f5455-0282-46c7-b1fc-eaf7ac0d85bf"
  },
  "card": {
    "number": "4000000000002503",
    "expiration_date": "01/2027"
  },
  "order_info": {
    "amount_details": {
      "total_amount": "1000",
      "currency": "COP"
    },
    "installments": 1
  },
  "bill_to": {
    "first_name": "John",
    "last_name": "Doe",
    "country": "US",
    "address_1": "1 Market St",
    "address_2": "Suite 200",
    "city": "san francisco",
    "state": "CA",
    "phone_number": "4158880000",
    "email": "accept@gmsectec.com",
    "postal_code": "94105"
  },
  "authentication": {
    "eci": "05",
    "eci_raw": "05",
    "token": "AxjzbwSTgp5hKIyP6+PXAIcBT34GzaNB5COGoEAqGTSTL0YuMA/gDgAA4AhQ",
    "pares_status": "Y",
    "acs_transaction_id": "651b5b97-92e4-424d-bea4-6ba15ea90f88",
    "cavv": "AAIBBYNoEwAAACcKhAJkdQAAAAA=",
    "specificationVersion": "2.2.0",
    "tree_dss_server_transaction_id": "0d689c87-5e6f-4bec-81d3-13c58e019ff3",
    "xid": "AAIBBYNoEwAAACcKhAJkdQAAAAA=",
    "directory_server_transaction_id": "20d20f57-af6b-4b7f-8da4-1bcea2a8843c"
  }
}
{
  "status": "success",
  "message": "Payment sucessful",
  "data": {
    "transaction_info": {
      "type": "payment_response",
      "reference_code": "165bdccf-2b97-4624-b2cc-5013e820ddd3",
      "transaction_id": "0001713273721360525467",
      "request_id": "7132737227016113903954",
      "status": "Authorized",
      "response_code": "00",
      "reconciliation_id": "7132737227016113903954",
      "created_at": "2024-04-16T13:22:03Z"
    },
    "order_info": {
      "amount_details": {
        "authorized_amount": 1000,
        "currency": "COP"
      }
    },
    "processor_info": {
      "approval_code": "831000",
      "transaction_id": "016153570198200",
      "avs": {
        "code": "Y",
        "codeRaw": "Y"
      }
    }
  }
}
⚙️
Drawing
All 3-D Secure flows has the following steps, some of them don’t need validation, some of them need it.