Xecure3D 3DS
• 100+ payment methods & bank partners
• PCI DSS Level 1 Certified
• 3-D Secure Compliant since 2006
[Figure: PayDollar Payment Gateway overview. Labels: Internet Merchant Website, Mobile, PayCart / HRMS / ORMS, Smart POS (Cash Counter), IOT; Card Capture, Card Tokenization; Acquiring Banks; Processors, e.g. MIGS, CyberSource. Panel titles: ePayment Capabilities, ePayment Functionality Expansion.]
• Multi-currency
• Multi-lingual
• Multi-user entitlement
• Transaction handling
• Flexible settlement
• Dynamic reportings
• Access control
• Web / Mobile API
www.asiapay.com
Travel & Transportation Digital & Electronic Goods Fashion & Apparel Marketplace & Other Retail
Payment Gateway : Product – PayDollar
PayGate 2.0
9 China CITIC Bank International Hong Kong 2016 Whitelabeled hosted model
13 OCBC Wing Hang Bank Hong Kong 2016 Whitelabeled hosted model
- VISA introduced the 3DS 1.0 protocol in 1999; other major card schemes joined in 2002 and have used the protocol up to now.
- 3DS 2.0 uses more contextual data about the consumer to verify the cardholder’s identity, avoiding the need for every shopper to actively authenticate with a password.
The following are some of the key data elements captured for the risk decision:
Data Categories | Data Fields
Customer Information | Name, Email, Home Phone, Mobile Phone
Browser or Device Information | Device Channel, Device Info, UI Type, Screen Size, Color Depth, Time Zone, Language, IP, Accept Header, JavaScript enabled, User-Agent
Transaction Information | Address match indicator, Card/Token Number, expiry date, Billing and Shipping address, Currency, Amount, Date, Delivery Timeframe
Merchant Information | 3DS requestor URL, Acquirer MID, MCC, Merchant Country Code, Merchant Name, Merchant Risk Indicator
ACS Migration from 3DS 1.0 to 3DS 2.0
[Figure: authentication flow. Components: 3DS Requestor App, 3DS Server, Directory Server, ACS. Messages: AReq/ARes, RReq/RRes. Interactions: Authentication Interaction, Challenge Interaction.]
3D Secure 2.0: Flow (Challenge by OTP)
[Figure: challenge by OTP. Components: 3DS Client (Requestor App with 3DS SDK for App-based / Browser for Browser-based), 3DS Requestor Environment, 3DS Server, Directory Server, OTP Server, HSM. Messages: Auth Req/Res, Results Req/Res. Labels: Send OTP, Read OTP, Watch, Mobile APP, Web.]
AsiaPay Xecure3D Product
• Enhanced security for online 3-D Secure 2.0 transactions
• Able to authenticate cardholders. Confirm their identities by:
  • Answer personal security questions
  • Provide extra password (static or one-time password)
• Flexible to support either Managed Service or License Model
The 3DS Server and SDK are the systems designed for merchants, PSPs and acquiring banks.
Component | Description
3DS SDK (for App-Based authentication) | The 3DS SDK provides API calls within the mobile application to collect device information. It also acts as a connector and message handler with the ACS during the 3DS 2.1.0 challenge flow.
3DS Server | The 3DS Server is a system that provides the functional interface between the 3DS Requestor Environment flows and the Directory Server (DS). It provides API calls for the 3DS Requestor App or 3DS Requestor website to initiate the 3DS authentication process.
3DS Server and MPI
This flow shows the components within the system after upgrading to support 3DS 2.0.
Message Flow (Card Does Not Support 3DS 2.0)
This flow shows the message flow when 3DS 2.0 is not supported by the issuing bank of the customer's payment card and the payment falls back to 3DS 1.0.
1. The customer submits a payment request through the merchant website to PayGate and goes through the pages that need customer input.
2. After collecting all payment-related info, PayGate calls the 3DS Server API to check whether the payment can be made through 3DS 2.0. (In this case, No)
3. Since 3DS 2.0 is not supported, PayGate falls back to the 3DS 1.0 method to verify the customer, i.e. the VE and PA process from MPI to ACS.
4. After 3DS 1.0 completes, PayGate connects to the bank host system for authorization with the 3DS 1.0 result.
Message Flow (3DS 2.0 Frictionless)
This flow shows the message flow when 3DS 2.0 is used and the payment follows the Frictionless flow, i.e. no challenge is needed.
1. The customer submits a payment request through the merchant website to PayGate and goes through the pages that need customer input.
2. After collecting all payment-related info, PayGate calls the 3DS Server API to check whether the payment can be made through 3DS 2.0. (In this case, YES)
3. PayGate sends the payment info and 3DS 2.0 related info to the 3DS Server; the 3DS Server generates the AReq message to the DS and ACS and obtains the ARes response. (In this case, the ACS confirms there is NO need to challenge.)
4. Since no challenge flow is needed, PayGate connects to the bank host system for authorization with the 3DS 2.0 result.
Message Flow (3DS 2.0 Challenge)
This flow shows the message flow when 3DS 2.0 is used and the payment follows the Challenge flow, i.e. a challenge is needed.
1. The customer submits a payment request through the merchant website to PayGate and goes through the pages that need customer input.
2. After collecting all payment-related info, PayGate calls the 3DS Server API to check whether the payment can be made through 3DS 2.0. (In this case, YES)
3. PayGate sends the payment info and 3DS 2.0 related info to the 3DS Server; the 3DS Server generates the AReq message to the DS and ACS and obtains the ARes response. (In this case, the ACS confirms a challenge is needed.)
4. PayGate provides info to the 3DS Server for formatting an encoded CReq message to proceed with the challenge.
5. An ACS connection page is returned to the customer's browser. The customer's browser connects to the ACS page with the CReq, and the ACS shows the challenge page (e.g. OTP page) to the customer to complete the authentication. Afterward, the ACS feeds back the result (RReq) to the DS and 3DS Server and redirects the customer back to the PayGate notification URL.
6. When PayGate receives the challenge result, it sends the content to the 3DS Server for verification.
7. PayGate then connects to the bank host system for authorization with the 3DS 2.0 result.
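Added example (not AsiaPay's code): a Python sketch of steps 4 and 6 of the challenge flow, encoding the browser CReq and pre-checking the CRes that comes back through the customer's browser before it is passed to the 3DS Server for verification. The CReq/CRes field names follow the EMV 3-D Secure specification; the function names, the session structure and the transaction IDs are hypothetical and constructed for the example.

```python
import base64
import json

# Constructed sample: transaction state a gateway keeps server-side after the ARes.
SESSION = {
    "threeDSServerTransID": "8a880dc0-d2d2-4067-bcb1-b08d1690b26e",
    "acsTransID": "d7c1ee99-9478-44a6-b1f2-391e29c6b340",
    "messageVersion": "2.1.0",
}
BOUND_FIELDS = ("threeDSServerTransID", "acsTransID", "messageVersion")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    text = text.rstrip("=")  # accept padded and unpadded input
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_creq(session: dict) -> str:
    """Step 4: the encoded CReq that the browser posts to the ACS."""
    creq = {name: session[name] for name in BOUND_FIELDS}
    creq.update(messageType="CReq", challengeWindowSize="05")  # 05 = full screen
    return b64url_encode(json.dumps(creq, separators=(",", ":")).encode())

def precheck_cres(cres_b64: str, session: dict) -> str:
    """Step 6 pre-check: bind the browser-delivered CRes to this transaction."""
    try:
        cres = json.loads(b64url_decode(cres_b64))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("CRes is not base64url-encoded JSON") from exc
    if not isinstance(cres, dict) or cres.get("messageType") != "CRes":
        raise ValueError("not a CRes message")
    for name in BOUND_FIELDS:
        if cres.get(name) != session[name]:
            raise ValueError(f"{name} does not match this transaction")
    if cres.get("transStatus") not in ("Y", "N"):
        raise ValueError("final CRes must carry transStatus Y or N")
    return cres["transStatus"]

def make_cres(session: dict, status: str) -> str:
    """Constructed ACS output, used only to exercise precheck_cres."""
    cres = dict(session, messageType="CRes", transStatus=status)
    return b64url_encode(json.dumps(cres).encode())

if __name__ == "__main__":
    print("creq =", build_creq(SESSION))
    print("own CRes ->", precheck_cres(make_cres(SESSION, "Y"), SESSION))
    other = dict(SESSION, acsTransID="00000000-0000-4000-8000-000000000000")
    try:
        precheck_cres(make_cres(other, "Y"), SESSION)
    except ValueError as err:
        print("CRes from another transaction rejected:", err)
```

The CRes travels through the customer's browser, so a passing pre-check only shows that it belongs to this transaction; the authorization decision still rests on the 3DS Server's verification in step 6.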
3DS Server and SDK
3D Secure 2.0: SDK Flow
[Figure: SDK flow. Components: 3DS Client (Requestor App with 3DS SDK), 3DS Requestor Environment, 3DS Requestor, 3DS Server, Directory Server, ACS. Interfaces: 3DS Requestor APIs / 3DS Server APIs, Auth Req/Res. Labels: Send OTP, Read OTP.]
The 3DS SDK:
1. Collects and encrypts device data for the DS and ACS
2. Generates the encryption component for the ACS
3DS SDK Steps
1. SDK Initiation
• SDK settings are loaded (configuration parameters, locale, UI customization)
• Security checks are performed
• Device data is collected for all protocol versions that the SDK supports
2. Create Transaction Session
• Return Device Parameter and ACS encryption key components to Requestor APP (App Based Crypto is required)
3. Challenges (Not available for Frictionless flow)
• Handle the challenges flow session with ACS directly
• (App Based Crypto is required)
4. Clean up transaction session
Native UI in CRes – Render UI Components
<!DOCTYPE html>
<html>
<head><meta charset="ISO-8859-1"><title>ACS challenge</title></head>
<body>
<form action="HTTPS://emv3ds/challenge" method="post">
<input type="text" name="password" id="text" />
<input type="submit" value="submit" id="submit"/>
</form>
</body>
</html>