
3DS Method Invocation

Note: This step is only used for browser‑based authentication.

The 3DS Method is an optional step that allows issuers to collect browser fingerprint data using JavaScript. It works by loading a specific URL in a hidden <iframe> before the authentication begins. Within this iframe, JavaScript code runs to gather device information and then sends the result to a callback URL specified by the requestor. The result of this fingerprinting is linked to the authentication process through the threeDSServerTransID.

If a threeDSMethodURL is provided in the pre‑authentication response, you must perform the 3DS Method as described below. If the response does not include a threeDSMethodURL, skip this step and continue to the authentication stage, setting the 3DS Completion Indicator to "U", which indicates that the 3DS Method was unavailable.


Initiating the 3DS Method

Start by creating a JSON object containing:

  • The threeDSServerTransID value received from the pre‑authentication call.
  • The URL where you want to receive the POST callback, referred to as threeDSMethodNotificationURL.

Example JSON:

{
  "threeDSServerTransID": "60be2571-0d8d-4c27-874b-9dc99aafd06c",
  "threeDSMethodNotificationURL": "<Requestor callback URL>"
}

Procedure

  1. Render a hidden HTML iframe in the cardholder’s browser.
  2. Create a form that contains an input field named threeDSMethodData.
  3. The value of this field must be the JSON object shown above, encoded using Base64‑URL (without padding).
  4. Post the form to the threeDSMethodURL, targeting the hidden iframe.

Example Implementation

1. Add a Hidden Iframe

let displayBox = document.getElementById('displayBox');

let iframe = document.createElement('iframe');
iframe.classList.add('hidden');
iframe.name = "threeDSMethodIframe";

displayBox.appendChild(iframe);

This results in the following HTML:

<iframe name="threeDSMethodIframe" class="hidden"></iframe>

2. Create the Form

<form id="threeDSMethodForm">
  <input type="hidden" name="threeDSMethodData" id="threeDSMethodData" />
</form>

3. Populate and Send the Form

// Example JavaScript for submitting the 3DS Method form

// Base64-URL without trailing '=' (UTF-8 safe); an external package works as well.
function base64url(text) {
  const bytes = new TextEncoder().encode(text);
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

let threeDSMethodData = {
  threeDSServerTransID: '<3DS_SERVER_ID>',
  threeDSMethodNotificationURL: '<REQUESTOR_URL>'
};

let form = document.getElementById('threeDSMethodForm');

// Serialize the data, encode to Base64-URL (without trailing '='), and fill in the input field
document.getElementById('threeDSMethodData').value = base64url(JSON.stringify(threeDSMethodData));

// Configure and submit the form, targeting the hidden iframe by name
form.action = '<threeDSMethodURL>'; // value from the pre-authentication response
form.target = 'threeDSMethodIframe';
form.method = 'post';
form.submit();

Completion

Once the 3DS Method completes, the hidden iframe makes an HTTP FORM POST request to your threeDSMethodNotificationURL. The request body includes a parameter named threeDSMethodData, which allows you to identify the related transaction.

Example POST body (application/x-www-form-urlencoded):

threeDSMethodData=eyJ0aHJlZURTTWV0aG9kRGF0YSI6ICI2MGJlMjU3MS0wZDhkLTRjMjctODc0Yi05ZGM5OWFhZmQwNmMifQ

Decoded JSON:

{"threeDSServerTransID": "60be2571-0d8d-4c27-874b-9dc99aafd06c"}

After receiving this callback, continue with the normal authentication process and set the 3DS Completion Indicator to "Y" (meaning the 3DS Method succeeded).

Your implementation must handle both padded and unpadded Base64‑URL encoded values in the callback.


Handling 3DS Method Failure

If your system does not receive a callback to threeDSMethodNotificationURL within 10 seconds after the POST request, consider the 3DS Method to have failed. In this case:

  1. Close the hidden iframe.
  2. Continue with the authentication step.
  3. Set the 3DS Completion Indicator to "N", indicating that the 3DS Method failed.
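
The completion and failure rules above can be enforced on the server as sketched below. The callback is posted from the cardholder's browser, so the decoded ID is only accepted when it matches a transaction the server itself started. This is an added example for Node.js, not code from the original page; decodeMethodData, MethodTracker, the in-memory Map and the 1024-character cap are assumptions.

```javascript
// Added example, not from the original page. Node.js, standard library only.
const TIMEOUT_MS = 10000; // the page's 10-second limit
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Outbound form field: Base64-URL without padding.
function base64url(text) {
  return Buffer.from(text, 'utf8').toString('base64url');
}

// Callback value -> threeDSServerTransID, or null if malformed.
// Accepts padded and unpadded Base64-URL; rejects any other alphabet.
function decodeMethodData(value) {
  if (typeof value !== 'string' || value.length > 1024) return null; // assumed cap
  const body = value.replace(/={1,2}$/, '');
  if (!/^[A-Za-z0-9_-]+$/.test(body) || body.length % 4 === 1) return null;
  try {
    const parsed = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
    const id = parsed && parsed.threeDSServerTransID;
    return typeof id === 'string' && UUID_RE.test(id) ? id.toLowerCase() : null;
  } catch {
    return null;
  }
}

// Hypothetical in-memory tracker; production code would use the session store.
class MethodTracker {
  constructor() { this.pending = new Map(); }

  // Call when the form is posted to threeDSMethodURL.
  start(transId, now = Date.now()) {
    this.pending.set(transId.toLowerCase(), { startedAt: now, done: false });
  }

  // Call from the threeDSMethodNotificationURL handler with the form field value.
  onCallback(fieldValue, now = Date.now()) {
    const entry = this.pending.get(decodeMethodData(fieldValue));
    if (!entry || now - entry.startedAt >= TIMEOUT_MS) return false;
    entry.done = true;
    return true;
  }

  // 'Y' = callback received, 'N' = timed out, 'U' = 3DS Method never started,
  // null = still waiting.
  indicator(transId, now = Date.now()) {
    const entry = this.pending.get(transId.toLowerCase());
    if (!entry) return 'U';
    if (entry.done) return 'Y';
    return now - entry.startedAt >= TIMEOUT_MS ? 'N' : null;
  }
}
```

A false return from onCallback means the request should be answered without changing transaction state: the value was malformed, unknown, or arrived after the timeout.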