EMV® 3-D Secure 3DS Server Testing

This guide provides details on the /n software 3-D Secure test server, and the various tests supported there. Below are also some notes on testing and certification with the various card schemes, which is generally a requirement prior to moving to production.

/n software Hosted Tests

/n software has put together a simple test server for EMV® 3-D Secure, also known as EMV 3DS or 3DS V2. This helps to exhibit the EMV 3DS protocol flow, as well as the use of our 3DS Server component. These tests are not provided in any official capacity, and it is recommended to perform testing with the various card schemes as well, as is generally required before moving to production.

The tests supported by the /n software test server are detailed below, and are designed for the browser-based flow. App-based tests for the 3DS SDK are available in the demo application projects included with those editions. The directory server URL for testing is https://3dstest.nsoftware.com/DirectoryServer.aspx and there is no SSL client certificate authentication mechanism in place like there would be for a production directory server. It should also be noted that the validation performed by the /n software test server is limited compared to what would be experienced with an EMVCo conforming directory server.

If any issues are encountered while working with this test system, our support team can help. They can be reached by email at support@nsoftware.com.

Card Range Tests

Obtaining card ranges is an important part of the 3-D Secure process, and is performed by the 3DS Server component via the RequestCardRanges method. The returned ranges should be stored locally, and can then be queried to determine whether or not a card number is eligible for EMV 3DS. According to the EMVCo specification, stored card ranges should be updated at least once per day, and at most once per hour. The following tests exhibit this behavior.

To request card ranges, simply set the DirectoryServerURL property and any other connection information (e.g. SSLCert), and call the RequestCardRanges method. For example:

    Server server = new Server();
    server.DirectoryServerURL = "https://3dstest.nsoftware.com/DirectoryServer.aspx";
    // ...
    server.RequestCardRanges();
    for (int i = 0; i < server.CardRanges.Count; ++i) {
      // Access the card range data:
      // server.CardRanges[i]...
    }
    // Save the returned serial number for use with the next request
    string serialNumber = server.SerialNumber;

No Serial Number

When no serial number is specified prior to calling the RequestCardRanges method, the DS will return the full list of ranges. The serial number returned in the response will be available in the SerialNumber property.

When no serial number is specified, the response from the test DS will include 10 card ranges.

Serial Number

When card ranges are retrieved, the response packet will include a serial number, accessible in the component via the SerialNumber property. This is used in subsequent requests so the server only returns updates made since the last response. The serial number can be set in the SerialNumber property prior to calling the RequestCardRanges method.

When a serial number is specified, the response from the test DS will include 5 card ranges. For the purposes of this test the value of the serial number does not matter, but typically the serial number returned in the last card range response would be used.
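
The refresh window and serial-number handling described in this section, as an added example in C# (.NET 6 or later) that is not part of /n software's sample code. CardRange and CardRangeCache are hypothetical types; the Start, End and Action fields follow the EMV 3DS startRange, endRange and actionInd elements (A add, D delete, M modify), and how the component exposes them is not shown on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Demo with constructed ranges and serial numbers (not the test server's data).
var cache = new CardRangeCache();
var t0 = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);
var range = new CardRange("7654310000000000", "7654319999999999");
cache.Apply("", new[] { range }, "1001", t0);                  // full download
Console.WriteLine(cache.IsEligible("7654310000000111"));
Console.WriteLine(cache.MayRequest(t0.AddMinutes(30)));        // inside the one-hour floor
cache.Apply(cache.SerialNumber, new[] { range with { Action = "D" } }, "1002", t0.AddHours(2));
Console.WriteLine(cache.IsEligible("7654310000000111"));

// Assumption: one record per returned range, Action defaulting to "A" (add).
public record CardRange(string Start, string End, string Action = "A");

public class CardRangeCache
{
    static readonly TimeSpan MinInterval = TimeSpan.FromHours(1); // at most once per hour
    static readonly TimeSpan MaxAge = TimeSpan.FromDays(1);       // at least once per day
    readonly Dictionary<string, CardRange> ranges = new();        // keyed by "start-end"
    public string SerialNumber { get; private set; } = "";
    public DateTime? LastUpdateUtc { get; private set; }

    // True when a new RequestCardRanges call is allowed / overdue.
    public bool MayRequest(DateTime now) => LastUpdateUtc is null || now - LastUpdateUtc.Value >= MinInterval;
    public bool IsStale(DateTime now) => LastUpdateUtc is null || now - LastUpdateUtc.Value >= MaxAge;

    // sentSerial is the serial number sent with the request ("" for a full download).
    public void Apply(string sentSerial, IEnumerable<CardRange> received, string newSerial, DateTime now)
    {
        if (sentSerial.Length == 0) ranges.Clear();               // a full list replaces the store
        foreach (var r in received)
        {
            if (r.Action == "D") ranges.Remove(r.Start + "-" + r.End);
            else ranges[r.Start + "-" + r.End] = r;               // add or modify
        }
        SerialNumber = newSerial;                                  // send this with the next request
        LastUpdateUtc = now;
    }

    // A card number is eligible when it falls inside a stored range of the same length.
    public bool IsEligible(string pan) => ranges.Values.Any(r => pan.Length == r.Start.Length
        && string.CompareOrdinal(pan, r.Start) >= 0 && string.CompareOrdinal(pan, r.End) <= 0);
}
```

Persist SerialNumber and LastUpdateUtc together with the ranges, so that a restart does not trigger a second request inside the one-hour window.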

Frictionless Flow Tests

The following authentication tests exhibit the frictionless flow, and the various results that can come back in an ARes packet when no challenge is required.

The below example code demonstrates some simple configuration of the server component to send the authentication request to the directory server. The Getting Started with EMV® 3-D Secure guide provides details on other required properties, and our support team can help with providing a more complete code sample.

    Server server = new Server();
    server.Config("ProtocolVersion=2.2.0"); // current default is 2.1.0
    server.DirectoryServerURL = "https://3dstest.nsoftware.com/DirectoryServer.aspx";
    server.SSLCert = new Certificate(CertStoreTypes.cstPFXFile, Server.MapPath(SSLCERT), "test", "*");
    server.Config("SSLCACerts=" + CA_INT + "\r\n" + CA_ROOT);

    // other required properties
    server.ResultsURL = "https://your_results_url";
    server.NotificationURL = "https://your_notification_url";
    server.PurchaseAmount = "1000";
    server.PurchaseDate = DateTime.Now.ToString("yyyyMMddHHmmss");
    server.CardNumber = "7654310000000111";
    server.CardExpDate = "2105"; // YYMM
    server.DeviceChannel = "02"; // Browser
    server.AcquirerBIN = "400551";
    server.AcquirerMerchantId = "3DSTestSuite-123456789";
    server.MessageCategory = "01"; // PA

    server.SendAuthRequest();

Frictionless Flow, PA (Result=Y)

This test exhibits a successful authentication via the frictionless flow. The card number for this test is 7654310000000111.

Expected Authentication Response (ARes) values:

| Field | Value |
| --- | --- |
| Transaction Status | Y |
| Authentication ECI | 05 |
| Authentication Value | Present |

Frictionless Flow, PA (Result=N)

This test exhibits a "Not Authenticated" result via the frictionless flow. The card number for this test is 7654310000000112.

Expected Authentication Response (ARes) values:

| Field | Value |
| --- | --- |
| Transaction Status | N |
| Transaction Status Reason | 01 |

Frictionless Flow, PA (Result=A)

This test exhibits a response to the authentication request with a transaction status of A, indicating that attempts processing was performed. This means the cardholder was not authenticated, but a proof of attempted authentication is provided. The card number for this test is 7654310000000113.

Expected Authentication Response (ARes) values:

| Field | Value |
| --- | --- |
| Transaction Status | A |
| Authentication ECI | 06 |
| Authentication Value | Present |

Frictionless Flow, PA (Result=U)

This test exhibits a response to the authentication request with a transaction status of U. This indicates that authentication could not be performed for some reason. The card number for this test is 7654310000000114.

Expected Authentication Response (ARes) values:

| Field | Value |
| --- | --- |
| Transaction Status | U |
| Transaction Status Reason | 01 |

Frictionless Flow, PA (Result=R)

This test exhibits a response to the authentication request with a transaction status of R, indicating that the authentication attempt was rejected. The card number for this test is 7654310000000115.

Expected Authentication Response (ARes) values:

| Field | Value |
| --- | --- |
| Transaction Status | R |
| Transaction Status Reason | 13 |

Frictionless Flow, NPA (Result=Y)

This test exhibits a successful non-payment authentication via the frictionless flow. The card number for this test is 7654310000000111.

Expected Authentication Response (ARes) values:

| Field | Value |
| --- | --- |
| Transaction Status | Y |
| Authentication ECI | 05 |
| Authentication Value | Not Present |
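
A regression check built from the expected-value tables in this section, added here as an example in C# (.NET 6 or later); it is not /n software's code. ARes, Expected and FrictionlessChecks are hypothetical names for values an integration would read from the component after SendAuthRequest, and the message category "02" for NPA is the EMV 3DS value (the page itself only shows "01" for PA).

```csharp
using System;
using System.Collections.Generic;

// Demo: a constructed ARes for the Result=Y payment test that lacks the authentication value.
var ares = new ARes("Y", "05", "", null);
foreach (string p in FrictionlessChecks.Verify("7654310000000111", "01", ares)) Console.WriteLine(p);
Console.WriteLine(FrictionlessChecks.HasUsableProof(ares, "01"));

// Hypothetical holders; a null expectation means the table does not list that field.
public record ARes(string Status, string? Eci, string? AuthValue, string? Reason);
public record Expected(string Status, string? Eci, bool? AuthValue, string? Reason);

public static class FrictionlessChecks
{
    // Expected ARes values from the tables above, keyed by (card number, message category).
    // Card ...111 appears twice: as a payment (PA) and as a non-payment (NPA) authentication.
    static readonly Dictionary<(string Card, string Category), Expected> Cases = new()
    {
        [("7654310000000111", "01")] = new Expected("Y", "05", true, null),
        [("7654310000000112", "01")] = new Expected("N", null, null, "01"),
        [("7654310000000113", "01")] = new Expected("A", "06", true, null),
        [("7654310000000114", "01")] = new Expected("U", null, null, "01"),
        [("7654310000000115", "01")] = new Expected("R", null, null, "13"),
        [("7654310000000111", "02")] = new Expected("Y", "05", false, null),
    };

    // Returns one message per field that differs from the documented expectation.
    public static List<string> Verify(string card, string category, ARes actual)
    {
        if (!Cases.TryGetValue((card, category), out var e))
            return new List<string> { "no expected values for this card and category" };
        var problems = new List<string>();
        bool hasValue = !string.IsNullOrEmpty(actual.AuthValue);
        if (actual.Status != e.Status) problems.Add($"Transaction Status {actual.Status}, expected {e.Status}");
        if (e.Eci != null && actual.Eci != e.Eci) problems.Add($"ECI {actual.Eci}, expected {e.Eci}");
        if (e.Reason != null && actual.Reason != e.Reason) problems.Add($"Status Reason {actual.Reason}, expected {e.Reason}");
        if (e.AuthValue is bool want && want != hasValue) problems.Add("Authentication Value " + (want ? "missing" : "unexpectedly present"));
        return problems;
    }

    // Fail closed: only Y and A carry proof, and a payment (PA) result must include the authentication value.
    public static bool HasUsableProof(ARes r, string category) =>
        (r.Status == "Y" || r.Status == "A") && !string.IsNullOrEmpty(r.Eci)
        && (category != "01" || !string.IsNullOrEmpty(r.AuthValue));
}
```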

Challenge Flow Tests

In some cases, the cardholder will need to be presented with a challenge. The initial authentication request process is the same, but the Transaction Status returned will be C. The cardholder would then need to be redirected to the ACSURL to complete the challenge. When this process is complete, results information will be posted to the ResultsURL endpoint prior to the challenge response packet being posted to the NotificationURL (via cardholder browser redirect). For example:

    server.SendAuthRequest();
    if (server.TransactionStatus == "C") {
      // a challenge is required; redirect the cardholder to the ACSURL
      string creq = server.GetChallengeRequest();
      form1.Controls.Clear();
      ClientScript.RegisterHiddenField("creq", creq);

      // data to be posted back to the NotificationURL upon challenge completion
      server.Config("SessionData=" + sessionData);
      ClientScript.RegisterHiddenField("threeDSSessionData", server.Config("EncodedSessionData"));

      myBody.Attributes.Add("onLoad", "javascript:" + form1.ID + ".action='" + server.ACSURL + "';" + form1.ID + ".submit();");
    }

Challenge Flow, PA (Result=Y)

This test exhibits a successful browser-based challenge flow. There are multiple card numbers for this test: 7654370980201119 and 7654370980203101.

For the initial ARes packet returned from the server, a Transaction Status of C is expected. The browser should then be redirected to the challenge page. A password value of password can be used to successfully complete the challenge.

If a valid, public facing ResultsURL endpoint was specified in the AReq, an RReq packet will be posted there with a Transaction Status of Y. Upon receiving the RRes, the DS will redirect the browser back to your NotificationURL endpoint with the CRes packet, which will also indicate a Transaction Status of Y.

Note: if you do not have a public facing ResultsURL endpoint configured yet, but wish to test the rest of the challenge flow, a value of https://3dstest.nsoftware.com/ can be used. This will post the RReq internally and move straight to the CRes redirection step.

Challenge Flow, PA (Result=N)

Failed challenge authentication can be tested using the same card number and process as above, but entering any incorrect password three times instead. When this is done, an RReq will be sent with a Transaction Status of N, indicating that authentication failed, and a Transaction Status Reason of 19, which means the attempts exceeded the ACS's maximum allowed challenges.

Similarly, a cancellation of the challenge process can also be tested by clicking the Cancel link on the form. This will result in an RReq sent with a Transaction Status of N that also includes a Challenge Cancellation Indicator of 01.
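
Because the CRes reaches the NotificationURL through the cardholder's browser while the RReq is posted to the ResultsURL first, a handler can cross-check the two before treating a challenge as successful. The following is an added example in C# (.NET 6 or later), not /n software's code: ChallengeResults and its methods are hypothetical, the "cres" form field and the threeDSServerTransID and transStatus names come from the EMV 3DS message format, and the sample values are constructed.

```csharp
using System;
using System.Collections.Concurrent;
using System.Text;
using System.Text.Json;

// Demo with a constructed transaction ID and a constructed CRes body.
string id = "11111111-2222-4333-8444-555555555555";
string json = "{\"messageType\":\"CRes\",\"threeDSServerTransID\":\"" + id + "\",\"transStatus\":\"Y\"}";
string cres = Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');
Console.WriteLine(ChallengeResults.Accept(cres, id));   // no RReq recorded yet
ChallengeResults.RecordRReq(id, "Y");
Console.WriteLine(ChallengeResults.Accept(cres, id));   // RReq and CRes agree

public static class ChallengeResults
{
    // threeDSServerTransID -> Transaction Status taken from the RReq received at ResultsURL
    static readonly ConcurrentDictionary<string, string> rreq = new();
    public static void RecordRReq(string transId, string transStatus) => rreq[transId] = transStatus;

    // cresField is the base64url "cres" form value posted to NotificationURL by the browser;
    // expectedTransId is the ID this server stored for the cardholder's session.
    public static bool Accept(string cresField, string expectedTransId)
    {
        try
        {
            using var doc = JsonDocument.Parse(DecodeBase64Url(cresField));
            if (!TryGet(doc.RootElement, "threeDSServerTransID", out string transId) || transId != expectedTransId) return false;
            if (!TryGet(doc.RootElement, "transStatus", out string status)) return false;
            // The browser-delivered status only counts when the RReq already said the same.
            return rreq.TryGetValue(transId, out var recorded) && recorded == status && status == "Y";
        }
        catch (Exception e) when (e is FormatException || e is JsonException) { return false; }
    }

    static bool TryGet(JsonElement obj, string name, out string value)
    {
        value = "";
        if (obj.ValueKind != JsonValueKind.Object || !obj.TryGetProperty(name, out var p)
            || p.ValueKind != JsonValueKind.String) return false;
        value = p.GetString() ?? "";
        return true;
    }

    static string DecodeBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Encoding.UTF8.GetString(Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=')));
    }
}
```

When the ResultsURL is set to https://3dstest.nsoftware.com/ as in the note above, the RReq is posted internally and never reaches your endpoint, so this check can only be exercised with a public facing ResultsURL.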

Testing and Certification with Card Schemes

/n software has performed certification with many of the card schemes, including Visa, American Express, Discover, and UnionPay International, but it should be noted that our 3DS Server implementation is not tied to any specific scheme. Because our component implements the EMV® 3-D Secure (EMV 3DS) protocol, it will work with any directory server that implements the EMV 3DS protocol.

Although /n software is certified, which confirms interoperability with the card scheme directory servers, this certification would not typically extend to applications developed using our tools. It is likely that our customers would need to certify with the schemes themselves prior to being granted production access to these systems.

Below is some more information regarding testing and certification with the various card schemes with which we have communicated, complete with our certification letters and links to their vendor pages, as well as some potentially helpful notes. Note that this information is provided as-is and is subject to change. The best information regarding certification would be obtained directly from the card schemes themselves.

Visa

Visa hosts a Visa Secure Services page that contains a plethora of information regarding their EMV 3DS program: Visa Secure. This is the best place to get started.

/n software's most recent certification with Visa was completed in March of 2023. The certification letter can be found here. We are also listed on the "Approved Products List" on their secure services site above.

MasterCard

Given /n software's designation as a reseller in MasterCard's system, we are unable to complete testing and certification with them directly. Our customers can perform certification via their Identity Check program.

American Express

American Express calls their 3-D Secure program SafeKey. More information and certification can be accessed through their AMEX Enabled program. Once registered and logged in, a representative can guide you through requesting SafeKey Test Lab access to certify your implementation.

/n software's most recent certification with AMEX was completed in March of 2021. The certification letter can be found here.

Discover

Discover calls their 3-D Secure program ProtectBuy. The process of enrolling can be started on Discover's ProtectBuy Enrollment page.

/n software's most recent certification with Discover was completed in May of 2021. The certification letter can be found here.

UnionPay

More information on UnionPay's 3-D Secure platform can be found on their developer site.

/n software's most recent certification with UnionPay was completed in January of 2021. The certification letter can be found here. We are also listed under "Approved Third Party Institutions" on their developer site above.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article, please contact our support team at kb@nsoftware.com.