3.5 3DS Method invocation

The 3DS Method can be alternatively utilized by issuers to assemble program fingerprints utilizing JavaScript. This is finished by stacking a URL in a covered up iframe, before the verification. This iframe will at that point execute some fingerprinting JavaScript, prior to posting to the prespecified URL having a place with the requestor. The 3DS Method finger impression result is attached to the verification by the threeDSServerTransID.

If 3DS Method URL is included in the /preauth endpoint response, the 3DS method must be invoked as explained in this guide.

In the event that threeDSMethodURL is excluded from the/preauth reaction , proceed with the/auth endpoint and set 3DS Completion marker to "U", to demonstrate that the 3DS Method was not accessible.

3.5.1 Initiating 3DS Method

Create a JSON object containing threeDSServerTransID from the preauth call and the callback URL you wish to receive the POST to in threeDSMethodNotificationURL:

 "threeDSServerTransID": "d461f105-1792-407f-95ff-9a496fd918a9",
 "threeDSMethodNotificationURL": "<Requestor callback URL>"

The procedure is as follows:

Render a hidden HTML iframe in the Cardholder browser

Create a form with an input field named threeDSMethodData

This field must contain the above JSON message, Base64-URL encoded

Post the form to the threeDSMethodURL, with the HTML iframe as a target

3.5.2 Example

Add an iframe to the users browser, here using JavaScript

let display = document.getElementById('display');

let iframe = document.createElement('iframe');
iframe.name = "threeDSMethodIframe";


Resulting in the following html

<iframe name="threeDSMethodIframe" class="hidden"/>

Create a HTML form, that contains the input field:

<form class="" id="threeDSMethodForm">
  <input type="hidden" name="threeDSMethodData" id="threeDSMethodData"/>

This form can be submitted using the following JavaScript:

// Generate the data object with required input values
let threeDSMethodData = {
  threeDSServerTransID: '<TRANS ID>',
  threeDSMethodNotificationURL: '<URL>'

// Get a reference to the form
let form = document.getElementById('threeDSMethodForm');

// 1. Serialize threeDSMethodData object into JSON
// 2. Base64-URL encode it
// 3. Store the value in the form input tag
// Notice: You have to define base64url() yourself.
// Warning: The Base64-URL value must not be padded with '='
document.getElementById('threeDSMethodData').value =

// Fill out the form information and submit.
form.action = '<threeDSMethodURL>';
form.target = 'threeDSMethodIframe'; // id of iframe
form.method = 'post';

3.5.3 Completion

When the 3DS Method is finished, the hidden iframe will HTTP POST a form to the threeDSMethodNotificationURL.

The POST body will contain the value threeDSMethodData, which can used to identify the request. An example application/x-www-form-urlencoded body:


The value is Base64-URL encoded and decodes to:

{"threeDSServerTransID": "d461f105-1792-407f-95ff-9a496fd918a9"}

Continue the authentication with the /auth endpoint, setting 3DS Completion indicator to "Y".

Your system must be able to receive both padded and unpadded Base64-URL values, in the 3DS Method completion callbacks.

3.5.4 3DS Method failure

In the event that the callback to threeDSMethodNotificationURL isn't gotten inside 10 seconds from the POST call, it has failed. Close the iframe and proceed with the validation with the/auth endpoint, setting 3DS Completion marker to "N".