3.4 Challenge Flow

The purpose of the 3-D Secure stream is to confirm that the genuine cardholder is a part of the approval. The test flow or challenged flow is utilized to introduce a method of validating the cardholder utilizing for example OTP or a federated identification method.

3.4.1 Browser Challenge

A test in the program is performed either in an iframe or utilizing the whole browser window.

3.4.2 Initiate the challenge

Create a challenge request, using the transaction ID’s received in the /auth response.

Add an iframe to the users browser, either statically or using JavaScript.

let displayBox = document.getElementById('displayBox');

let iframe = document.createElement('iframe');
iframe.name = "challengeIframe";


Add a form containing the appropriate input elements:

<form class="" id="challengeForm">
  <input type="hidden"

  <!-- This input can carry up to 1024 Base64-URL encoded characters -->
  <input type="hidden"

Fill out the form inputs and submit them to the ACS URL in the iframe.

// Generate the data object
let creq = JSON.stringify({
  threeDSServerTransID: "ce2809be-b5ee-425b-9382-76a72a4f495b",
  acsTransID: "7b26d24f-4275-4044-97ee-4564c1b88fde",
  messageVersion: "2.1.0",
  messageType: "CReq",
  challengeWindowSize: "01"

// Get a reference to the form
let form = document.getElementById('challengeForm');

// Set the form input value to the object,
// base64url-encode the data.
// Notice: You have to define base64url() yourself.
// Warning: The Base64-URL value must not be padded with '='
document.getElementById('creq').value =

// Fill out the form information and submit.
form.action = '<acsURL>'; // The acsURL from the ARes.
form.target = 'challengeIframe';
form.method = 'post';

3.4.3 Getting challenge results

After the challenge has finished, the iframe will POST to the notification URL. The body will contain threeDSSessionData as supplied in the request, and the challenge result in the response.

An example challenge response is:

   "acsTransID": "87791cee-2514-436c-bed8-a63a87bbdf01",
   "challengeCompletionInd": "Y",
   "messageType": "CRes",
   "messageVersion": "2.1.0",
   "threeDSServerTransID": "d41f6200-0435-49ee-aa11-f366f0661c6f",
   "transStatus": "Y"

3.4.4 Handling timeouts

  1. You have 30 seconds from receiving the authentication response to initiate the challenge.

  2. Each interaction in the challenge window has a 10 minute timeout. So the cardholder can take at least 10 minutes to complete the challenge.