# Data-Only Authentication

3-D Secure Data Only is a frictionless authentication mode that shares enriched transaction data with the card issuer — without triggering a full authentication challenge. The issuer uses this data to make better authorization decisions on future transactions.

{% hint style="warning" %}
**Data-Only does not provide liability shift.** Fraud liability remains with the merchant, as this is not a full cardholder authentication.
{% endhint %}

**Key characteristics:**

* No challenge presented to the cardholder (fully frictionless)
* Merchant retains fraud liability (no liability shift)
* Issuer gains richer context to improve approval rates
* Supported networks: **Visa** and **Mastercard**

**Why use it?**

* Higher approval rates by sharing behavioral and device data with the issuer
* Zero friction for the cardholder — no interruption at checkout
* Ideal for recurring payments, low-risk transactions, and markets where standard 3DS challenges hurt conversion

***

#### Integration Workflow

Data-Only skips the `return_url`, challenge modal, and Validate step entirely.

<img src="/files/KlkOPfSQTXBoMXEd7Tno" alt="" class="gitbook-drawing">

> There is **no Validate step** in Data-Only mode.

***

#### Changes in the Check Enrollment Request

To activate Data-Only mode, send `"mode": "data_only"` in the `authentication` object. Omit the `return_url`, `token`, and `device_channel` fields that are required in standard 3DS.

```json
"authentication": {
    "reference_id": "de47f34c-ad65-4a09-a36e-4cc375b941d5",
    "mode": "data_only"
}
```

{% hint style="info" %}
`return_url`, `device_channel`, and `token` are **not required** when using `mode: "data_only"`.
{% endhint %}

***

#### Full Request Example

**cURL**

```bash
curl --location 'https://api.firstoken.co/v1/risk/authentication/enroll' \
--header 'Content-Type: application/json' \
--header 'x-api-key: <YOUR_API_KEY>' \
--data-raw '{
    "transaction_info": {
        "type": "check_enroll",
        "reference_code": "123456789"
    },
    "card": {
        "number": "{{token_id : detokenize}}",
        "expiration_date": "{{token_id : detokenize}}"
    },
    "order_info": {
        "amount_details": {
            "total_amount": "1000",
            "currency": "MXN"
        }
    },
    "bill_to": {
        "first_name": "John",
        "last_name": "Doe",
        "country": "US",
        "address_1": "1 Market St",
        "address_2": "Suite 200",
        "city": "san francisco",
        "state": "CA",
        "phone_number": "4158880000",
        "email": "accept@gmsectec.com",
        "postal_code": "94105"
    },
    "buyer_info": {
        "mobile_phone": "4158880000"
    },
    "device_info": {
        "ip_address": "190.123.237.237",
        "http_browser_color_depth": "30",
        "http_browser_java_enabled": false,
        "http_browser_js_enabled": true,
        "http_browser_screen_height": "1117",
        "http_browser_screen_width": "1728",
        "http_browser_time_offset": "240",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36",
        "cookies_accepted": true,
        "http_browser_language": "en-US",
        "http_accept_content": "application/json"
    },
    "authentication": {
        "reference_id": "de47f34c-ad65-4a09-a36e-4cc375b941d5",
        "mode": "data_only"
    }
}'
```

***

#### Response Examples

{% tabs %}
{% tab title="Visa — Data-Only Successful" %}

```json
{
    "status": "success",
    "message": "Data-only authentication successful",
    "data": {
        "transaction_info": {
            "type": "check_enroll_response",
            "transaction_id": "0001776433283853503688",
            "reference_code": "123456789",
            "request_id": "7764332849426106004805",
            "status": "Authentication_successful",
            "created_at": "2026-04-17T13:41:25Z"
        },
        "card": {
            "bin": "400000",
            "type": "VISA"
        },
        "consumer_auth_info": {
            "authentication_mode": "data_only",
            "eci": "07",
            "eci_raw": "07",
            "token": "AxjxbwSTpOfDhVrDjbVFAU9+yZx4hKojhqBfbhk0ky9GMjmDoAwAxRoP",
            "commerce_indicator": "internet",
            "pares_status": "I",
            "veres_enrolled": "Y",
            "acs_transaction_id": "572cc555-ee48-4594-871d-19ba5515d716",
            "authentication_transaction_id": "2e7JGHvf5gThFiKvgBY1",
            "cavv": "AJkBBkhgQQAAAE4gSEJydQAAAAA=",
            "specificationVersion": "2.2.0",
            "tree_dss_server_transaction_id": "22f5c236-ba59-4f66-9acd-b2d2a27479d3",
            "xid": "AJkBBkhgQQAAAE4gSEJydQAAAAA=",
            "directory_server_transaction_id": "7d5bd69b-b8ce-4f31-879e-b1b8d676ca08",
            "acs_reference_number": "CardinalACS"
        }
    }
}
```

{% endtab %}

{% tab title="Mastercard — Data-Only Successful" %}

```json
{
    "status": "success",
    "message": "Data-only authentication successful",
    "data": {
        "transaction_info": {
            "type": "check_enroll_response",
            "transaction_id": "0001776436453292124778",
            "reference_code": "123456789",
            "request_id": "7764364535306784104806",
            "status": "Authentication_successful",
            "created_at": "2026-04-17T14:34:13Z"
        },
        "card": {
            "bin": "520000",
            "type": "MASTERCARD"
        },
        "consumer_auth_info": {
            "authentication_mode": "data_only",
            "eci_raw": "06",
            "token": "AxjxbwSTpOg0F37BxGFmAk9+yaCKNKojhqBfbhk0ky9GMjmDoBYA7xlD",
            "commerce_indicator": "spa",
            "pares_status": "I",
            "veres_enrolled": "Y",
            "acs_transaction_id": "64303fc6-6997-4950-ac1d-7237d835afae",
            "authentication_transaction_id": "HVKUzWTAfCALmsFwAag1",
            "specificationVersion": "2.2.0",
            "tree_dss_server_transaction_id": "0f63095b-1c3c-493c-8990-8ee41fedd370",
            "ucaf_authentication_data": "AJkBBkhgQQAAAE4gSEJydQAAAAA=",
            "ucaf_collection_indicator": "6",
            "directory_server_transaction_id": "544cd301-33a3-4165-9cda-a41cb831fae1",
            "acs_reference_number": "CardinalACS"
        }
    }
}
```

{% endtab %}
{% endtabs %}

The `authentication_mode: "data_only"` and `pares_status: "I"` fields together confirm the transaction was processed in Data-Only mode for both Visa and Mastercard.

***

#### Response Fields

**transaction\_info**

<table><thead><tr><th width="220">Field</th><th>Description</th></tr></thead><tbody><tr><td><code>type</code></td><td>Always <code>"check_enroll_response"</code></td></tr><tr><td><code>transaction_id</code></td><td>Unique transaction identifier</td></tr><tr><td><code>reference_code</code></td><td>Your original reference code</td></tr><tr><td><code>request_id</code></td><td>Unique request identifier</td></tr><tr><td><code>status</code></td><td><code>"Authentication_successful"</code> — always for Data-Only</td></tr><tr><td><code>created_at</code></td><td>Creation timestamp (ISO 8601, e.g. <code>2026-04-17T13:41:25Z</code>)</td></tr></tbody></table>

**consumer\_auth\_info — Common Fields**

<table><thead><tr><th width="280">Field</th><th>Description</th></tr></thead><tbody><tr><td><code>authentication_mode</code></td><td><code>"data_only"</code> — confirms the mode used</td></tr><tr><td><code>pares_status</code></td><td><code>I</code> — Informational only. Same for Visa and Mastercard.</td></tr><tr><td><code>eci_raw</code></td><td><code>07</code> for Visa · <code>06</code> for Mastercard</td></tr><tr><td><code>commerce_indicator</code></td><td><code>"internet"</code> for Visa · <code>"spa"</code> for Mastercard</td></tr><tr><td><code>veres_enrolled</code></td><td><code>Y</code></td></tr><tr><td><code>token</code></td><td>Authentication token</td></tr><tr><td><code>acs_transaction_id</code></td><td>ACS transaction identifier</td></tr><tr><td><code>authentication_transaction_id</code></td><td>Not used for Validate in Data-Only mode</td></tr><tr><td><code>specificationVersion</code></td><td>3DS version used</td></tr><tr><td><code>tree_dss_server_transaction_id</code></td><td>3DS Server transaction ID</td></tr><tr><td><code>directory_server_transaction_id</code></td><td>Directory Server transaction ID — include in authorization</td></tr><tr><td><code>acs_reference_number</code></td><td>ACS reference identifier</td></tr></tbody></table>

**consumer\_auth\_info — Visa Specific Fields**

<table><thead><tr><th width="280">Field</th><th>Description</th></tr></thead><tbody><tr><td><code>eci</code></td><td><code>07</code> — Data-Only specific code, not an authentication failure</td></tr><tr><td><code>cavv</code></td><td>Cardholder Authentication Verification Value — include in authorization</td></tr><tr><td><code>xid</code></td><td>Transaction identifier — include in authorization</td></tr></tbody></table>

**consumer\_auth\_info — Mastercard Specific Fields**

<table><thead><tr><th width="280">Field</th><th>Description</th></tr></thead><tbody><tr><td><code>ucaf_authentication_data</code></td><td>Universal Cardholder Authentication Field — include in authorization</td></tr><tr><td><code>ucaf_collection_indicator</code></td><td><code>6</code> for Mastercard Data-Only</td></tr></tbody></table>

***

#### Network Behavior

**Visa Data Only**

The authentication request reaches the issuer's ACS. The issuer receives all enriched transaction data and can link it to the authorization message for better risk assessment.

**Expected response values:**

<table><thead><tr><th width="220">Field</th><th>Value</th></tr></thead><tbody><tr><td><code>authentication_mode</code></td><td><code>"data_only"</code></td></tr><tr><td><code>pares_status</code></td><td><code>I</code></td></tr><tr><td><code>eci</code> / <code>eci_raw</code></td><td><code>07</code></td></tr><tr><td><code>commerce_indicator</code></td><td><code>"internet"</code></td></tr><tr><td><code>cavv</code></td><td>Present — include in authorization</td></tr><tr><td><code>xid</code></td><td>Present — include in authorization</td></tr></tbody></table>

{% hint style="warning" %}
ECI `07` in Data-Only mode does **not** indicate a failed authentication. It is the designated code for Visa Data Only transactions. Use `authentication_mode: "data_only"` and `pares_status: "I"` to identify this scenario in your integration.
{% endhint %}

***

**Mastercard Data Only**

Mastercard offers two Data-Only variants — **Data Only** (AReq reaches the issuer) and **Identity Check Insights / IDCI** (Mastercard generates a risk score at the Directory Server level). Both variants use the same `mode: "data_only"` request and produce the same response structure in Firstoken. The distinction is handled internally by Mastercard.

**Expected response values:**

<table><thead><tr><th width="220">Field</th><th>Value</th></tr></thead><tbody><tr><td><code>authentication_mode</code></td><td><code>"data_only"</code></td></tr><tr><td><code>pares_status</code></td><td><code>I</code></td></tr><tr><td><code>eci_raw</code></td><td><code>06</code></td></tr><tr><td><code>commerce_indicator</code></td><td><code>"spa"</code></td></tr><tr><td><code>ucaf_authentication_data</code></td><td>Present — include in authorization</td></tr><tr><td><code>ucaf_collection_indicator</code></td><td><code>6</code></td></tr></tbody></table>

***

#### Standard 3DS vs. Data-Only

<table><thead><tr><th width="240"></th><th width="200">Standard 3DS</th><th>Data-Only</th></tr></thead><tbody><tr><td>Challenge possible</td><td>Yes</td><td>No</td></tr><tr><td>Liability shift</td><td>Yes (if authenticated)</td><td>No</td></tr><tr><td>Validate step needed</td><td>Only if challenge</td><td>Never</td></tr><tr><td><code>return_url</code> required</td><td>Yes</td><td>No</td></tr><tr><td><code>mode</code> value</td><td><code>"S"</code></td><td><code>"data_only"</code></td></tr><tr><td><code>pares_status</code></td><td><code>Y</code>, <code>N</code>, <code>A</code>, <code>C</code>, <code>R</code>, <code>U</code></td><td><code>I</code> (Visa and Mastercard)</td></tr><tr><td><code>eci_raw</code> (Visa)</td><td><code>05</code>/<code>06</code> success · <code>07</code> fail</td><td><code>07</code> (informational)</td></tr><tr><td><code>eci_raw</code> (Mastercard)</td><td><code>01</code>/<code>02</code> success · <code>00</code> fail</td><td><code>06</code></td></tr><tr><td>Authorization fields (Visa)</td><td><code>eci</code>, <code>cavv</code>, <code>xid</code></td><td><code>eci</code>, <code>cavv</code>, <code>xid</code></td></tr><tr><td>Authorization fields (Mastercard)</td><td><code>eci_raw</code>, <code>ucaf_authentication_data</code></td><td><code>eci_raw</code>, <code>ucaf_authentication_data</code>, <code>ucaf_collection_indicator: 6</code></td></tr></tbody></table>

***

#### Next Steps

After a successful Data-Only response, proceed directly to payment authorization using the fields from `consumer_auth_info`.

**For Visa:** include `eci`, `cavv`, `xid`, and `directory_server_transaction_id`.

**For Mastercard:** include `eci_raw`, `ucaf_authentication_data`, `ucaf_collection_indicator`, and `directory_server_transaction_id`.
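
An added example, not Firstoken's own code: one way to gate the authorization step on the checks this page describes. It accepts a response only when both `authentication_mode: "data_only"` and `pares_status: "I"` are present, verifies the expected per-network values, and returns just the fields listed above with liability shift recorded as false. The function and class names are hypothetical.

```python
# Added example; function and class names here are illustrative, not Firstoken's.
# Field names and expected values are the ones documented on this page.
REQUIRED = {
    "VISA": ("eci", "cavv", "xid", "directory_server_transaction_id"),
    "MASTERCARD": ("eci_raw", "ucaf_authentication_data",
                   "ucaf_collection_indicator", "directory_server_transaction_id"),
}
EXPECTED = {
    "VISA": {"eci_raw": "07", "commerce_indicator": "internet"},
    "MASTERCARD": {"eci_raw": "06", "commerce_indicator": "spa",
                   "ucaf_collection_indicator": "6"},
}

class DataOnlyError(ValueError):
    """The response cannot be used as a Data-Only result."""

def build_authorization_fields(response: dict) -> dict:
    data = response.get("data") or {}
    auth = data.get("consumer_auth_info") or {}
    network = (data.get("card") or {}).get("type")
    if response.get("status") != "success":
        raise DataOnlyError("check_enroll call did not succeed")
    # Require both markers. ECI alone is ambiguous: Visa 07 means a failed
    # authentication in standard 3DS but is informational in Data-Only.
    if auth.get("authentication_mode") != "data_only" or auth.get("pares_status") != "I":
        raise DataOnlyError("not a Data-Only result; handle as standard 3DS")
    if network not in REQUIRED:
        raise DataOnlyError(f"unsupported network: {network!r}")
    for field, want in EXPECTED[network].items():
        if auth.get(field) != want:
            raise DataOnlyError(f"{field}={auth.get(field)!r}, expected {want!r}")
    missing = [f for f in REQUIRED[network] if not auth.get(f)]
    if missing:
        raise DataOnlyError(f"missing authorization fields: {missing}")
    # Data-Only never shifts liability, so record that with the payload.
    return {"network": network, "liability_shift": False,
            "fields": {f: auth[f] for f in REQUIRED[network]}}

# Sample trimmed from the Visa response example above.
VISA_SAMPLE = {"status": "success", "data": {
    "card": {"bin": "400000", "type": "VISA"},
    "consumer_auth_info": {
        "authentication_mode": "data_only", "pares_status": "I",
        "eci": "07", "eci_raw": "07", "commerce_indicator": "internet",
        "cavv": "AJkBBkhgQQAAAE4gSEJydQAAAAA=", "xid": "AJkBBkhgQQAAAE4gSEJydQAAAAA=",
        "directory_server_transaction_id": "7d5bd69b-b8ce-4f31-879e-b1b8d676ca08"}}}

if __name__ == "__main__":
    print(build_authorization_fields(VISA_SAMPLE))
```

Storing `liability_shift: False` alongside the authorization fields keeps downstream fraud and chargeback handling from treating a Data-Only result as a full authentication.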

