Xecure3D 3DS


www.asiapay.com

AsiaPay 3DS 2.0 Solution


About AsiaPay

World-class Provider of ePayment Services & Technologies in Asia since 2000.

• 13+ Countries
• 12+ Languages
• 144+ Currencies
• 100+ Payment methods & bank partners
• PCI DSS Level 1 Certified
• 3-D Secure Compliant since 2006

Head Office Hong Kong

Operative Offices in Asia 14

Professional Workforce 150


Our Vision
To be the leading ELECTRONIC PAYMENT SERVICE AND TECHNOLOGY player in Asia and beyond.

Our Mission
To help our business partners grow their business through online by providing innovative, secure and cost-effective solutions that will make them competitive in the eCommerce landscape.

Business Stream
• Payment Service Provider (TPP / ISO / PF)
• Payment Gateway Solution Provider
• Payment Security Solution Product Vendor
• eBusiness System Development and Consultancy
Omni-Channel Payment Infrastructure (Merchant)

[Diagram: Customers, Merchants, Payment Gateway (PayDollar), Acquirer / Card Schemes. Channels shown: Internet, Mobile, Smart POS, mPOS, Offline, eMOTO, IVRS, Retail Payment (Cash Counter), IOT.]

• Multi-currency
• Multi-lingual
• Multi-user entitlement
• Transaction handling
• Flexible settlement
• Dynamic reportings
• Access control
• Web / Mobile API
ePayment Capabilities
ePayment Functionality Expansion

Categories on the slide: Regional Processing, On-Us Processing, Anti-fraud and Security, Module, Channel, Big Data.

• Multi-bank, Multi-payment: Support up to 100+ payment types / acquirers and close to 144 currencies
• PayBooth: Real-time direct payment to merchant account
• Installment Payment: Real-time installment payment processing
• Payment Link: Payment request URL and QR code generation
• Card Promotion Discount: Parameterized discount payment promotion
• Multi-level Report: Multiple user level user access and processing reporting controls
• Loyalty Point Redemption: On-Us bonus point redemption along payment
• Recurring Payment: Multiple schedule automated recurring payment charging
• DCC / MCP: Currency conversion with choice of card currency and consumer preference
• Batch Payment: Batch payment submission for processing
• Shopping Cart: Integrated shopping cart management and payment
• Voucher Payment: Multi-channel voucher generation, fulfillment and reconciliation
• Hotel Reservation System: Integrated reservation management and payment
• Anti-fraud: Real-time anti-fraud filters and alerts with customizable rules
• Event Payment: Payment logging for parameterized events
• Event Enrollment System: Integrated enrollment management and payment
• Customized Payment Page: Customized and hosted payment page at gateway
• API Library: Support sophisticated integration via API library integration
• Member Payment: Expressed payment check out with member authentication and credit card tokenization
• mPOS: Mobile payment acceptance via App through smart phones and tablets
• Payment Analyzer: Real-time payment analysis MIS and charting tool. Payment type, channel and rejection analysis.
• Smart POS: Integrated seamless multiple payment acceptance via App through smart POS
• Card Tokenization: Card tokenized processed and stored at gateway to avoid risk
• eMOTO: Real-time mail order and telephone order payment capture
Regional Client References

• Hotel
• Airlines
• Insurance
• Telecommunication
• Travel & Transportation
• Digital & Electronic Goods
• Fashion & Apparel
• Marketplace & Other Retail
• Food & Beverage
• Media & Entertainment
• Ticketing
• Cosmetic & Health Product
• Professional Service
• Education
• Non-Profit Organization
Payment Gateway : Product – PayDollar PayGate 2.0

ID Bank Country Year Model

1 Citibank Hong Kong 2003 Co-operation model

2 Wing Hang Bank Hong Kong 2003 Whitelabeled hosted model

3 Fubon Bank Hong Kong 2003 Whitelabeled hosted model

4 JCB International Hong Kong 2005 Co-operation model

5 American Express Hong Kong 2005 Co-operation model

6 Banco Nacional Ultramarino Bank Macau 2006 Whitelabeled hosted model

7 Banco De Oro Philippines 2007 Whitelabeled hosted model

8 Banco Wing Heng Macau 2007 Whitelabeled hosted model

9 TechComBank Vietnam 2007 Co-operation model

10 Bangkok Bank Thailand 2007 Licensed Solution model

11 Krungthai Card Thailand 2009 Licensed Solution model

12 BankMed Lebanon 2010 Whitelabeled hosted model

13 Banque Franco-Lao Laos 2014 Whitelabeled hosted model

14 BRED Bank Fiji Fiji 2014 Whitelabeled hosted model

15 BRED (Vanuatu) Vanuatu 2014 Whitelabeled hosted model

16 Thai Military Bank Thailand 2017 Whitelabeled hosted model

17 Krungthai Bank Thailand 2017 Licensed Solution model


3D-Secure MPI : Product - PayDollar MPI 1.0

ID Bank Country Year Model

1 Citibank Hong Kong 2003 Co-operation model

2 Wing Hang Bank Hong Kong 2003 Whitelabeled hosted model

3 Fubon Bank Hong Kong 2003 Whitelabeled hosted model

4 JCB International Hong Kong 2005 Co-operation model

5 Banco Nacional Ultramarino Macau 2006 Whitelabeled hosted model

6 Banco De Oro Philippines 2007 Whitelabeled hosted model

7 Banco Wing Heng Macau 2007 Whitelabeled hosted model

8 TechComBank Vietnam 2007 Co-operation model

9 Bangkok Bank Thailand 2007 Solution model

10 Krungthai Card Thailand 2009 Solution model

11 BankMed Lebanon 2010 Whitelabeled hosted model

12 Banque Franco-Lao Laos 2014 Whitelabeled hosted model

13 BRED Bank Fiji Fiji 2014 Whitelabeled hosted model

14 BRED (Vanuatu) Vanuatu 2014 Whitelabeled hosted model

15 Thai Military Bank Thailand 2017 Whitelabeled hosted model

16 Krungthai Bank Thailand 2017 Licensed Solution model


3D-Secure ACS : Xecure3D ACS

ID Bank Country Year Model

1 Krungthai Card Thailand 2009 Solution model

2 Krungthai Card Thailand 2013 Solution model (OTP version)

3 Dah Sing Bank Hong Kong 2015 Whitelabeled hosted model

4 Banque Franco-Lao Laos 2016 Whitelabeled hosted model

5 BRED (Vanuatu) Vanuatu 2016 Whitelabeled hosted model

6 Philippine National Bank Philippines 2016 Whitelabeled hosted model

7 BCM Bank Macau 2016 Whitelabeled hosted model

8 Bank of Communications Hong Kong 2016 Whitelabeled hosted model

9 China CITIC Bank International Hong Kong 2016 Whitelabeled hosted model

10 Wing Lung Bank Hong Kong 2016 Whitelabeled hosted model

11 Chong Hing Bank Hong Kong 2016 Whitelabeled hosted model

12 Public Bank Hong Kong 2016 Whitelabeled hosted model

13 OCBC Wing Hang Bank Hong Kong 2016 Whitelabeled hosted model

14 Bank in the Philippines (NDA) Philippines 2017 Whitelabeled hosted model

15 BRED (Cambodia) Cambodia 2018 Whitelabeled hosted model



3DS 2.0 Overview


History of 3DS 1.0 and 2.0

- 3-D Secure is a messaging protocol enabling authentication of the cardholder for online e-commerce transactions.

- VISA introduced the 3DS 1.0 protocol in 1999, and other major card schemes joined in using this protocol from 2002 up to now.

- In 2014, VISA and MasterCard developed and contributed a draft of the 3DS 2.0 specification to EMVCo, and EMVCo announced the new 3-D Secure 2.0 protocol specification in October 2016.

New Features of 3DS 2.0

- Support both Mobile App and Browser-based authentication

- Support multiple authentication types such as token-based, biometric and OTP

- Support risk-based decisions for Frictionless Flow or Challenge Flow based on the data obtained through the 3DS Client. The target is to challenge only the riskiest transactions (~5 %)

- Support payment and non-payment authentication

- Extensions to support proprietary Out-of-Band (OOB) authentication used by card issuers

Increase in data exchange

3DS 2.0 exchanges more contextual data about the consumer to verify the cardholder’s identity, avoiding the need for every shopper to actively authenticate with a password.

Following are some of the key data elements captured for the risk decision:

Data Categories: Data Fields
Customer Information: Name, Email, Home Phone, Mobile Phone
Browser or Device Information: Device Channel, Device Info, UI Type, Screen Size, Color Depth, Time Zone, Language, IP, Accept Header, JavaScript enabled, User-Agent
Transaction Information: Address match indicator, Card/Token Number, expiry date, Billing and Shipping address, Currency, Amount, Date, Delivery Timeframe
Merchant Information: 3DS requestor URL, Acquirer MID, MCC, Merchant Country Code, Merchant Name, Merchant Risk Indicator

ACS Migration from 3DS 1.0 to 3DS 2.0

For 3DS 1.0:

• 3 types of XML messages are exchanged between different components
– CRReq/CRRes
– VEReq/VERes
– PAReq/PARes

For 3DS 2.0:

• 4 types of JSON messages are exchanged between different components
– PReq/PRes
– AReq/ARes
– CReq/CRes
– RReq/RRes

3D Secure 2.1.0: App-Based Authentication

[Diagram: 3DS Component Architecture. Components: 3DS Requestor Environment (3DS Requestor App, 3DS Requestor App Code, 3DS SDK), 3DS Server, Directory Server, ACS. Labelled links: AReq/ARes and RReq/RRes (authentication flow), CReq/CRes between the 3DS SDK and the ACS (challenge interaction).]

3D Secure 2.1.0: Browser-Based Authentication
3D Secure 2.0: Flow (Challenge by OTP)

[Diagram: challenge flow with OTP. Participants: 3DS Client (Requestor App with 3DS SDK for App-based, Browser for Browser-based), 3DS Requestor Environment (3DS Requestor, 3DS Server), Directory Server, ACS, OTP Server, HSM, Issuer, Acquirer, Network. Labelled messages: Auth Req/Res, Challenge Req/Res, Results Req/Res, Payment Req/Res, Payment Authorization Req/Res, Authorization Req/Res, Send OTP, Read OTP.]

3D Secure 2.0: Channel Handling

• Watch
• Mobile APP
• Web

AsiaPay Xecure3D Product

• Enhanced security for online 3-D Secure 2.0 transactions
• Able to authenticate cardholders to confirm their identities by:
  – Answering personal security questions
  – Providing an extra password (Static or One-time password)
  – Other means such as Biometric
• Flexible to support either a Managed Service or a License Model


AsiaPay Xecure3D Solution Components

For Issuing Domain (Issuing Bank)

Xecure3D ACS
EMVCo Approval No: 3DS_LOA_ACS_ASLI_020100_00159
The ACS manages and provides the authentication process for the cardholder. It supports risk-based decisions for Frictionless Flow or Challenge Flow.
A Cardholder Management System (CMS), which is an online administrative portal to manage the ACS, will be included.

For Acquiring Domain (Merchant / PSP / Acquiring Bank)

Xecure3D 3DS Server
EMVCo Approval No: 3DS_LOA_SER_ASLI_020100_00145
The 3DS Server is a system to provide the functional interface between the 3DS Requestor Environment flows and the Directory Server (DS). It provides API calls for the 3DS Requestor App or 3DS Requestor website to initiate the 3DS authentication process.

Xecure3D 3DS SDK
EMVCo Approval No: 3DS_LOA_SDK_ASLI_020100_00157
The 3DS SDK provides API calls within the mobile application to collect device information. It also acts as a connector and message handler with the ACS during the 3DS 2.1.0 challenge flow.


Xecure3D 3DS Server and SDK


Solution Components

The 3DS Server and SDK are the systems designed for the Merchant / PSP / Acquiring Bank.

Component: Description

3DS SDK (For App-Based authentication): The 3DS SDK provides API calls within the mobile application to collect device information. It also acts as a connector and message handler with the ACS during the 3DS 2.1.0 challenge flow.

3DS Server: The 3DS Server is a system to provide the functional interface between the 3DS Requestor Environment flows and the Directory Server (DS). It provides API calls for the 3DS Requestor App or 3DS Requestor website to initiate the 3DS authentication process.

3DS Server and MPI

This flow shows the components within the system after upgrading to support 3DS 2.0.

Message Flow (Card Not Support 3DS 2.0)

This flow describes the messages exchanged when 3DS 2.0 is not supported by the issuing bank of the customer's payment card and the payment falls back to 3DS 1.0.

1. The customer submits a payment request through the merchant website to PayGate and goes through the pages that need customer input.
2. After collecting all payment-related info in PayGate, the system calls the 3DS Server API to check whether the payment can be made through 3DS 2.0. (In this case, No)
3. Since 3DS 2.0 is not supported, PayGate goes back to the 3DS 1.0 method to verify the customer, i.e. the VE and PA process from MPI to ACS.
4. After 3DS 1.0 completes, PayGate connects to the bank host system for authorization with the 3DS 1.0 result.

Message Flow (3DS 2.0 Frictionless)

This flow describes the messages exchanged when 3DS 2.0 is used and the payment takes the Frictionless flow, i.e. no challenge is needed.

1. The customer submits a payment request through the merchant website to PayGate and goes through the pages that need customer input.
2. After collecting all payment-related info in PayGate, the system calls the 3DS Server API to check whether the payment can be made through 3DS 2.0. (In this case, YES)
3. PayGate sends the payment info and 3DS 2.0 related info to the 3DS Server, and the 3DS Server generates the AReq message to the DS and ACS and obtains the ARes response. (In this case, the ACS confirms there is NO need to challenge.)
4. Since no challenge flow is needed, PayGate connects to the bank host system for authorization with the 3DS 2.0 result.

Message Flow (3DS 2.0 Challenge)

This flow describes the messages exchanged when 3DS 2.0 is used and the payment takes the Challenge flow, i.e. a challenge is needed.

1. The customer submits a payment request through the merchant website to PayGate and goes through the pages that need customer input.
2. After collecting all payment-related info in PayGate, the system calls the 3DS Server API to check whether the payment can be made through 3DS 2.0. (In this case, YES)
3. PayGate sends the payment info and 3DS 2.0 related info to the 3DS Server, and the 3DS Server generates the AReq message to the DS and ACS and obtains the ARes response. (In this case, the ACS confirms a challenge is needed.)
4. PayGate provides info to the 3DS Server for formatting an encoded CReq message to proceed with the challenge.
5. An ACS connection page is returned to the customer's browser. The customer's browser connects to the ACS page with the CReq, and the ACS shows the challenge page (e.g. OTP page) to the customer to complete the authentication. Afterward, the ACS feeds back the result (RReq) to the DS and 3DS Server and redirects the customer back to the PayGate notification URL.
6. When PayGate receives the challenge result, PayGate sends the content to the 3DS Server for verification.
7. PayGate then connects to the bank host system for authorization with the 3DS 2.0 result.
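
The gateway-side decisions in the three message flows above, as an added Python example (not AsiaPay's code): `next_step` routes on the version check and the ARes, `build_creq` encodes the CReq, and `verify_cres` checks the challenge result that comes back through the browser. Field names follow the EMV 3DS message format; the function names, the `SESSION` values and the rule that the server-to-server RReq status must agree with the relayed CRes are assumptions of this example.

```python
import base64
import binascii
import json

# Constructed transaction IDs for illustration; real ones come from the ARes.
SESSION = {"threeDSServerTransID": "6afa6072-9412-446b-9673-2f98b3ee98a2",
           "acsTransID": "d7c1ee99-9478-44a6-b1f2-391e29c6b340"}

def b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return json.loads(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)))

def next_step(supports_3ds2, ares=None):
    """Steps 2-3: pick the flow from the version check and the ARes."""
    if not supports_3ds2:
        return "fallback_3ds1"        # VE/PA through the MPI
    status = (ares or {}).get("transStatus")
    if status in ("Y", "A"):
        return "authorize"            # frictionless, no challenge needed
    if status == "C":
        return "challenge"            # build the CReq, send browser to ACS
    return "not_authenticated"        # N, U, R or a missing status

def build_creq(session):
    """Step 4: base64url JSON carried in the browser's 'creq' form field."""
    return b64url_encode({
        "threeDSServerTransID": session["threeDSServerTransID"],
        "acsTransID": session["acsTransID"],
        "messageType": "CReq",
        "messageVersion": "2.1.0",
        "challengeWindowSize": "05",
    })

def verify_cres(cres_b64, session, rreq_status):
    """Step 6: accept a CRes only if bound to this session and backed by the RReq."""
    try:
        cres = b64url_decode(cres_b64)
    except (ValueError, binascii.Error):
        return False                  # malformed encoding or JSON
    if not isinstance(cres, dict) or cres.get("messageType") != "CRes":
        return False
    for key in ("threeDSServerTransID", "acsTransID"):
        if cres.get(key) != session[key]:
            return False              # result belongs to another transaction
    # The browser can alter what it relays; the RReq arrives server-to-server.
    return cres.get("transStatus") == "Y" and rreq_status == "Y"
```

How a `not_authenticated` result is handled (decline, or proceed without 3DS) is a merchant and acquirer policy decision that the example leaves to the caller.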
3DS Server and SDK

Support Multiple Channel

[Diagram: Watch, Mobile APP and Web channels, each with a 3DS SDK, connecting to the 3DS Server]

3D Secure 2.0: SDK Flow

[Diagram: SDK flow. Participants: 3DS Client (Requestor App with 3DS SDK), 3DS Requestor Environment (3DS Requestor, 3DS Server), Directory Server, ACS. Labelled messages: 3DS Requestor APIs / 3DS Server APIs, Auth Req/Res, Challenge Req/Res, Send OTP, Read OTP.]

3DS SDK notes on the diagram:
1. Collect and encrypt device data for DS and ACS
2. Generate Encryption component to ACS

3DS SDK Steps

1. SDK Initiation
• SDK settings are loaded (configuration parameters,
locale, UI customization)
• Security checks are performed
• Device data is collected for all protocol versions that the
SDK supports
2. Create Transaction Session
• Return Device Parameter and ACS encryption key
components to Requestor APP (App Based Crypto is
required)
3. Challenges (Not available for Frictionless flow)
• Handle the challenges flow session with ACS directly
• (App Based Crypto is required)
4. Clean up transaction session
Native UI in CRes – Render UI Components

The SDK renders the Challenge flow UI natively in the app based on the data returned by the ACS.
Web UI in CRes – Webview display HTML

The SDK displays the Challenge flow in an app WebView that renders the HTML from the ACS.

<!DOCTYPE html><html><head><meta
charset="ISO-8859-1"><title>ACS
challenge</title></head><body><form
action="HTTPS://emv3ds/challenge"
method="post"><input type="text"
name="password" id="text" /><input type="submit"
value="submit"
id="submit"/></form></body></html>
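
A check an SDK integrator could run on ACS-provided HTML before handing it to the WebView, as an added Python example (not part of the Xecure3D SDK). It assumes a policy that the page must be self-contained and that its form posts only to the reserved action shown in the sample above; the class name, function name and `BAD_SAMPLE` are hypothetical.

```python
from html.parser import HTMLParser

RESERVED_ACTION = "https://emv3ds/challenge"  # action from the sample, lowercased

# The challenge page shown above, and a constructed page that breaks the policy.
PAGE_SAMPLE = ('<!DOCTYPE html><html><head><meta charset="ISO-8859-1">'
               '<title>ACS challenge</title></head><body>'
               '<form action="HTTPS://emv3ds/challenge" method="post">'
               '<input type="text" name="password" id="text" />'
               '<input type="submit" value="submit" id="submit"/></form></body></html>')
BAD_SAMPLE = ('<html><head><script src="https://cdn.example/x.js"></script></head>'
              '<body><form action="https://acs.example/collect" method="post">'
              '<input name="password"/></form></body></html>')

class AcsHtmlAudit(HTMLParser):
    """Collects reasons to refuse rendering an ACS-provided challenge page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.forms = 0

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "form":
            self.forms += 1
            action = attrs.get("action", "").strip()
            if action.lower() != RESERVED_ACTION:
                self.findings.append("form posts to " + repr(action))
            return
        for name in ("src", "href", "data"):
            url = attrs.get(name, "").strip().lower()
            if url.startswith(("http:", "https:", "//")):
                self.findings.append("<%s %s> loads %s" % (tag, name, url))

def audit_acs_html(html):
    """Return a list of policy violations; an empty list means render it."""
    parser = AcsHtmlAudit()
    parser.feed(html)
    parser.close()
    if parser.forms == 0:
        parser.findings.append("no challenge form found")
    return parser.findings
```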
