Authenticating Enrolled Cards
You need to redirect the customer to the URL of the ACS with an HTTP form POST that contains the PAReq, TermURL, and MD. To do so, create a Web page with hidden content:
TermURL: Termination URL on your Web site where the card-issuing bank posts the payer authentication response (PARes) message.
MD: Merchant data that you can use to match the response to the customer’s order. Although iVeri recommends that you use the RequestID, you can also use an order number. This field is required, but including a value is optional. The value, which has no meaning for the bank, is returned to you as is.
<body onload="document.PAEnrollForm.submit();">
<!-- Posts PaReq, TermUrl and MD to the ACS; the response is shown in the inline frame -->
<form id="PAEnrollForm" name="PAEnrollForm" action="acsURL value" method="post" target="paInlineFrame">
<input type="hidden" name="PaReq" value="ThreeDSecure_PAReq value" />
<input type="hidden" name="TermUrl" value="http://myPAValidationPage.ext" />
<input type="hidden" name="MD" value="ThreeDSecure_RequestID value" />
</form>
When redirected to the ACS URL, the customer’s browser displays the frame that contains the card-issuing bank’s password authentication dialog or the option to sign up for the program. On the page that contains the inline frame for the ACS URL, add an HTML frame large enough to accommodate either form or text to inform your customers of the process:
- Card issuer's authentication form: display an inline frame in a browser page that does not contain other content, such as promotional information. The frame must be large enough to show the entire 400 x 400 pixels without scrolling. You are not allowed to use a pop-up window.
- HTML code:
<h2>Payer Authentication Inline Window</h2>
<iframe name="paInlineFrame" height="400px" width="400px"></iframe>
Outside the frame, you must provide a brief message, for example:
Please wait while we process your request. Do not click the Back button or refresh the page. Otherwise this transaction may be interrupted.
The form should be a complete Web page. Ensure that your customers can see the entire form or can scroll if necessary.
While testing your integration, verify that the frames are large enough.
To increase the security of your online purchase, <business name> has partnered with <Visa, MasterCard>.
If you have signed up for Verified by <Visa, MasterCard>, please complete your bank's form to authenticate your card. The process takes about 15 seconds. If you do not currently participate in this authentication program, you can sign up now by completing your card issuer's form. If your issuing bank does not require this service, you can cancel or bypass the service.
The card-issuing bank sends to your TermURL (http://myPAValidationPage.ext in this example) a POST that contains the results of the authentication in a PARes message.
variable paRes = <signedPARes replied field>
The Base64 string contains this information:
PaRes: Digitally signed PARes message that contains the authentication result. Note that the field name has a lowercase a (PaRes), but the message name has an uppercase A (PARes).
MD: Value included only if you provided one in the outgoing page.
After authentication is completed, the customer is redirected to your TermURL.
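One way to handle the POST that arrives at your TermURL, as an added example that is not iVeri's code. It checks that PaRes and MD each appear once, that MD matches a request issued for the same customer session, and that PaRes is well-formed Base64 before it is handed on for validation. The function name, the in-memory pending store, the session identifier, and the sample values are assumptions.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample store (assumption): MD value -> order awaiting authentication.
PENDING = {"REQ-1001": {"order": "A-77", "session": "sess-abc"}}


class TermUrlError(ValueError):
    """Raised when the POST to the TermURL cannot be accepted."""


def handle_term_url_post(body: str, session_id: str, pending: dict) -> dict:
    """Parse the form POST sent to the TermURL and match it to an order.

    Returns the order id plus the still-encoded PaRes, ready to be passed
    on for validation of the signed message (not shown here).
    """
    fields = parse_qs(body, keep_blank_values=True)
    # Each field must appear exactly once; duplicates are ambiguous.
    for name in ("PaRes", "MD"):
        if len(fields.get(name, [])) != 1:
            raise TermUrlError(f"missing or repeated field: {name}")
    pa_res, md = fields["PaRes"][0], fields["MD"][0]

    # MD travels through the customer's browser, so treat it as untrusted:
    # it must name a request we issued, for this same session.
    entry = pending.get(md)
    if entry is None or entry["session"] != session_id:
        raise TermUrlError("MD does not match a pending order for this session")

    # PaRes must be well-formed Base64 (assumes no line wrapping).
    try:
        base64.b64decode(pa_res, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise TermUrlError("PaRes is not valid Base64") from exc

    # Consume the entry so a replayed POST cannot be matched twice.
    del pending[md]
    return {"order": entry["order"], "pa_res": pa_res}
```

A rejected POST should lead to the failure message shown to the customer, not to a retry against the same order.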
You need to ensure that the response messages shown to your customers are accurate and complete and that they encompass all possible scenarios for enrolled cards and for cards that are not enrolled. For example, when authentication fails, display a message such as this:
Because your card issuer cannot authenticate this card, please select another card or form of payment to complete your purchase.