# Server-to-Server Payments with 3D Secure
## Step 1: (Client-side) Set up your front-end
Set up your front-end to include the .JS scripts for card encryption and Cardinal Commerce (3DS):
**Card encryption**:
**3DS**:
* PROD:
* TEST:
{% hint style="info" %}
Throughout the documentation we are using the CST environment. Use the appropriate environment for your account. See more in [Getting started](/online-payments/api-integration-methods-auth-and-endpoints.md).
{% endhint %}
**HTML Example**:
```html
```
## Step 2: (Server-side) Collect a JWT Token
**API Reference**:
Make a Post request using your 3D Secure Contract ID to collect a JWT token. This is used later for initializing the 3D Secure script client side.
**Request Method**: POST
**URL**:
**Body**:
```json
{
"threeds_contract_id":"{Your 3D-Secure Contract ID}"
}
```
**Response**:
```json
{
"threeds_contract_id": " {Your 3D-Secure Contract ID}",
"jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIzNjUzMTU0Yy1jNzczLTRhNjAtYWNkMi04MTc5YmJmNjllMjMiLCJpc3MiOiI1ZDEyMmU1OGMxYjQxMjI5M2MwYTUwZDIiLCJPcmdVbml0SWQiOiI1ZDExMmJjMWJiODc2ODIyNDBmOGRjMGQiLCJQYXlsb2FkIjp7fSwiaWF0IjoxNzA4Mzg5ODA2fQ.L1o-KrhFT6HqX5FbKEpC3CU5sDB4oA3yYRXzog0gAv1"
}
```
{% hint style="info" %}
The JWT will expire after 2 hours and it is a single time use only.
{% endhint %}
Pass the JWT token to your front-end for later use.
## Step 3: (Client-Side) Initiate your Card Form
Once you have a JWT token, you should generate your card collection form/page to begin the 3D Secure assessment and allow the customer to enter their credit card details at the same time.
## Step 4: (Client-side) Configure the 3D Secure Script
Run the Cardinal.configure() function with your desired configuration options. For example:
```javascript
Cardinal.configure({
timeout: 6000,
maxRequestRetries: 3,
logging:{
level: 'verbose'
}
});
```
{% tabs %}
{% tab title="Root Level Object" %}
| Field | Type | Default | Description |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---- | ------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `timeout` | int | 8000 | The time in milliseconds to wait before a request to Centinel API is considered a timeout. |
| `extendedTimeout` | int | |
extendedTimeout is only used in the event of the first request timing out. This configuration allows the merchant to set the timeout (in milliseconds) for subsequent retry attempts. |
| (This configuration would be useful when the merchant wants to set higher timeout values on requests). | | | |
| If the value for the extendedTimeout is set to less than 4000 milliseconds, then the value will be automatically reset to 4000 milliseconds.
| | | |
| `maxRequestRetries` | int | 1 | How many times a request should be retried before giving up as a failure. |
| {% endtab %} | | | |
{% tab title="Logging Object" %}
| Field | Type | Default | Description |
| ------------ | ------ | ------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `level` | string | off |
The level of logging to the browser console. Enable this feature to help debug and implement Songbird. Possible Values:
off - No logging to console enabled. This is the setting to use for production systems.
on - Similar to info level logging, this value will provide some information about whats occurring during a transaction. This is recommended setting for merchants implementing Songbird.
verbose - All logs are output to console. This method can be thought of as debug level logging and will be very loud when implementing Songbird, but is the level needed when getting support from the Cardinal team.
|
| {% endtab %} | | | |
{% tab title="Button Object" %}
| | | | |
| ------------- | ------ | ----------------- | ---------------------------------------------------------------------- |
| `containerId` | string | Cardinal-Payments | The HTML Id value of the container to inject all payment buttons into. |
| {% endtab %} | | | |
{% tab title="Payment Object" %}
| Field | Type | Default | Description |
| ------------------- | ------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `view` | string | modal |
What type of UI experience to use when Songbird injects payment brand UI elements into the page. Possible Values:
modal - Render as a modal window. This view type renders the payment brand over your page, making it feel separate from your page.
|
| `framework` | string | Cardinal |
What kind of view framework should be used to render the payment brand. If your site is using a supported framework and you have custom styles applied to it, we will use that framework to make keep the consistent look and feel of your site. When using any other frameworks than 'cardinal' your site is responsible for including the framework assets including CSS, JavaScript, and any other additional files needed. Possible Values:
cardinal - Use the custom Cardinal view framework built and maintained by CardinalCommerce. Songbird will handle all UI rendering and styles, no additional work is needed.
inline - Render inline to the page. This view type embeds the payment brand into the page making it feel like it's a part of your website. View the guide for implementation here: Inline Display Method for 3D Secure
bootstrap3 - Use bootstrap 3 modal to render the UI elements. Please note that you are responsible for importing any necessary files for that framework.
|
| `displayLoading` | boolean | false |
A flag to enable / disable a loading screen while requests are being made to 3DS Server API services. This can provide feedback to the end user that processing is taking place and they should not try to reload the page, or navigate away. Possible Values:
false - Disables the loading screen
true – Enables the loading screen
|
| `displayExitButton` | boolean | false |
Will display an X icon in the corner of the modal window to allow for end users to close the authentication modal without completing it. Clicking the close button will result in the payments.validated event to be triggered with a “10011 error, Canceled by user". Possible Values:
false - Disables the exit icon on the modal
true - Enables the exit icon on the modal
|
| {% endtab %} | | | |
| {% endtabs %} | | | |
## Step 5: (Client-side) Setup Event Listeners
**payments.setupComplete()**
This listener will run after the payment setup has successfully been completed. SetupCompleteData will contain a session ID to be used for the 3DS lookup.
```javascript
Cardinal.on('payments.setupComplete', function(setupCompleteData){
// pass setupCompleteData.sessionId server side to make the lookup API call
});
```
**payments.validated()**
Payments Validated allows you to capture the different outcomes of the flow and handle them accordingly.
```javascript
Cardinal.on("payments.validated", function (data, jwt) {
switch(data.ActionCode){
case "SUCCESS":
// Handle successful transaction, send JWT to backend to verify
break;
case "NOACTION":
// Handle no actionable outcome
break;
case "FAILURE":
// Handle failed transaction attempt
break;
case "ERROR":
// Handle service level error
break;
}
});
```
**Response Data and Outcome definitions**
| Type | Description |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ActionCode |
The resulting state of the transaction. Possible values:
SUCCESS - The authentication was successful. Details from the “Payment” Object can be used to perform a payment.
NOACTION - The API calls were completed and there is no further actionable items to complete. This can indicate that the card holder is not enrolled in 3D Secure or it could indicate a validation error was encountered. It is recommended that the rest of the response is reviewed to determine what has occurred.
FAILURE - The authentication resulted in an error. For example, this would indicate that the user failed authentication or an error was encountered while processing the transaction.
ERROR - A service level error was encountered. These are generally reserved for connectivity or API authentication issues. For example, if your JWT was from the wrong environment, or 3DS services are unavailable.
|
| Validated | This value represents whether the authentication was successful or not. |
| ErrorNumber | Application error number. A non-zero value represents the error encountered while attempting the process the message request. |
| ErrorDescription | Application error description for the associated error number. |
| Payment | Payment Object, see below for details. |
In the case of a SUCCESS outcome, the details returned from data.Payment.ExtendedData are used for payment in [step 12](/online-payments/api-integration/server-to-server-payments-with-3d-secure-setup-guide/server-to-server-payments-with-3d-secure.md#step12).
**Example for SUCCESS outcome**:
```javascript
{
"Type": "CCA",
"ExtendedData": {
"Amount": "1000",
"AuthorizationPayload": "eyJjb250YWluZXJWZXJzaW9uIjoiMSIsImVjaSI6IjA1IiwiYXV0aGVudGljYXRpb25WYWx1ZSI6IkFBSUJCWU5vRXdBQUFDY0toQUprZFFBQUFBQT0iLCJlZmZlY3RpdmVBdXRoVHlwZSI6IkNIIiwiYWNzT3BlcmF0b3JJRCI6Ik1lcmNoYW50QUNTIiwidGhyZWVEU1JlcXVlc3RvckNoYWxsZW5nZUluZCI6IjAxIiwidHJhbnNTdGF0dXMiOiJZIiwiZHNUcmFuc0lEIjoiYTl4OTNiNzAtOGIyMS00MTI4LWExNzctZjRhNDM0YzAwOWZjIiwiYWNzVHJhbnNJRCI6IjhiYWFhZTMwLWFjY2EtNDYyZC04NzY3LWM0NDdlMWEwYmUwMCIsIm1lc3NhZ2VWZXJzaW9uIjoiMi4yLjAiLCJtZXJjaGFudE5hbWUiOiJWZXJpRm9uZSIsInB1cmNoYXNlRGF0ZSI6IjIwMjQwNTEyMjMyMTExIiwicHVyY2hhc4VBbW91bnQiOiIxMDAwIiwiYnJvd3NlcklQIjoiMjQwMTo3MDAwOmNiMDQ6ZmUwMDpiNTFjOjY2M2U6ZmM0ZDoxNGM5IiwibWVyY2hhbnRDb3VudHJ5Q29kZSI6Ijg0MCIsImFjcXVpcmVyQklOIjoiMTIzNDU2NzgiLCJhY3F1aXJlck1lcmNoYW50SUQiOiIxMjM0NTYiLCJ0aHJlZURTUmVxdWVzdG9yTmFtZSI6InZlcmlmb25lIiwidGhyZWVEU1JlcXVlc3RvcklEIjoidmVyaWZvbmUyMCIsImNhcmRCcmFuZCI6IlZJU0EifQ==",
"CAVV": "AAIBYYNoEwAAACcKhAJKdQAAAAA=",
"CurrencyCode": "554",
"ECIFlag": "05",
"ThreeDSVersion": "2.2.0",
"PAResStatus": "Y",
"SignatureVerification": "Y"
},
"ProcessorTransactionId": "LUj6k3aJ51K6pUh2UeV1"
}
```
## Step 6: (Client-side) Initialize the 3D Secure Script
Initialize the 3D Secure Script using the JWT Token generated from [step 2](/online-payments/api-integration/server-to-server-payments-with-3d-secure-setup-guide/server-to-server-payments-with-3d-secure.md#step2).
This will begin the 3D Secure process:
```json
Cardinal.setup('init', { jwt:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiIzNjUzMTU0Yy1jNzczLTRhNjAtYWNkMi04MTc5YmJmNjllMjMiLCJpc3MiOiI1ZDEyMmU1OGMxYjQxMjI5M2MwYTUwZDIiLCJPcmdVbml0SWQiOiI1ZDExMmJjMWJiODc2ODIyNDBmOGRjMGQiLCJQYXlsb2FkIjp7fSwiaWF0IjoxNzA4Mzg5ODA2fQ.L1o-KrhFT6HqX5FbKEpC3CU5sDB4oA3yYRXzog0gAv1
});
```
## Step 7: (Client-side) Card Number detection
While the customer is entering their card number, use one of the following “BIN detection” methods to positively impact authentication success rates, increase the opportunity for frictionless authentication, and reduce customer abandonment.
### Option 1 (Recommended): Field Decorator
This implementation is the simplest and recommended approach and requires the least amount of work to complete. Simply add a new attribute to the input field to identify which field it maps to within the Order Object. The credit card number is mapped to the AccountNumber field, so for bin detection we would pass AccountNumber to the attibute data-cardinal-field.
**Example**:
```html
```
### Option 2: Event Based
The bin.process event is the recommended BIN Detection implementation. It provides you, or integrator, the greatest flexibility to initiate device profiling wherever they prefer in their purchase flow. It is best practice to initiate bin.process immediately upon receiving the customer’s card number. Whenever possible, provide a minimum of the first 9 BIN digits of the customer’s card number on bin.process. Merchants that provide fewer than the first 9 digits are at risk of running the incorrect issuer Method URL.
**Example**:
```javascript
Cardinal.trigger("bin.process", '1234567894561237')
.then(function(results){
if(results.Status) {
// Bin profiling was successful. Some merchants may want to only move forward with authentication if profiling was successful
} else {
// Bin profiling failed
}
// Bin profiling, if this is the card the end user is paying with you may start the CCA flow at this point or send the lookup request
Cardinal.start('cca', myOrderObject);
})
.catch(function(error){
// An error occurred during profiling
})
```
{% hint style="info" %}
You may have to trigger the bin events more than once if the end user is able to change their card number at the point where Songbird is integrated. Songbird will only profile any given bin a single time, once profiling is completed Songbird will return a success status. It is important that BIN Detection is completed on the final card used for the purchase.
{% endhint %}
The event will resolve when bin profiling was successful or failed with a JSON object describing the outcome.
## Step 8: (Client-side) Collect the sessionId
The sessionId is a unique ID which represents the device profile of the web user. This is used as part of the 3D Secure Authentication process.
If the setup was successful, the event listener in [step 4](/online-payments/api-integration/server-to-server-payments-with-3d-secure-setup-guide/server-to-server-payments-with-3d-secure.md#step4), payments.setupComplete(), will be triggered, and return the session ID.
Within the response of setupCompleteData, there will be a value called sessionId:
setupCompleteData.sessionId
**Returns**:
0\_6e0fedb-d642-47d1-88e2-b12a59ffe39e
## Step 9: (Client-side) Collect Card Details with Verifone.JS
Use the [Verifone.js](/online-payments/api-integration/card-encryption-verifone.js.md) script to securely encrypt the card details before transmitting it to Verifone.
Collect your [Secure card capture key](/online-payments/api-integration-methods-auth-and-endpoints/secure-card-capture-key.md#generate-a-secure-card-capture-key-via-verifone-central), and set this to a variable, for example:
const encryptionKey = '{Secure Card Capture Key}';
Capture the cardholder details from the front-end and set this up as an object:
```json
const card = {
"cardNumber": form.cardNumber.value,
"expiryMonth": form.expiryMonth.value,
"expiryYear": form.expiryYear.value,
"cvv": form.cvv.value,
};
```
Then call the verifone encryption method, passing in both the cardDetails and encryptionKey as parameters.
**Calling the method**:
```javascript
verifone.getEncryptedCardDetails(card, encryptionKey)
```
This method returns a Promise containing the encryptedCard field.
```javascript
verifone.getEncryptedCardDetails(card, encryptionKey).then(data => console.log(data.encryptedCard));
```
**Response**:
```javascript
Ls0LS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tDQpWZXJzaW9uOiBPcGVuUEdQLmpzIHY0LjEwLjkNCkNvbW1lbnQ6IGh0dHBzOi8vb3BlbnBncGpzLm9yZw0KDQp3WDREWGtJZjFmWDdHOUlTQWdNRWIxSEZUNytUbXNDc2k3aDNmeW02eEtDblNzK0RYZFNnblNDaFNsZEENClJLcXRsSmlJNmtpeU9JYzdnRmdBV3J3eVlCL1l1REI3S2R3TG0xdU5LbzhYYkREOWNBaFZTcFBrOEpvcg0KaFpLa09ERXhSaWJEeFBWQnM0czVVV2NubllHOVBOZzI2VXgxeXRRMGxxVVo4dTBLVm03U3JRRjRHZHYwDQpNeXA2NnAvNmJlc3cwT09iTU85TlBqd3ZFRldtWG9yTnhQM2tVZ0xYU1JJN2s4M01XNjd1TVErMFBUdTUNCjNGZG5LcjQyb1JTaHdYSE1FZ1pUckZmbkxGUE9ha3N1Y1NKd016WGVRTUZKSVhzQVFLYlN6RVhJYmZFeg0Ka2JUWm91TEFWTjhmd0RoUHRMaS9UcGI4NGVtZ04zY3UyNjNoVDlLQmRqcGd4bCtIQXNEekVtUjBncUR5DQpzRFovVDU1bHVhTjhTUzJ6cHJEWXNyOWcyV0Jhem10Yk8xYU80Y3lnMzk3RQ0KPVdZdTINCi0tLS0tRU5EIFBHUCBNRVNTQUdFLS0tLS0NCg==
```
These are the card details encrypted . Pass this to your back end for processing payments.
## Step 10: (Server-side) Perform a 3DS Lookup
**API Reference**:
Make a POST request to Verifone using the encrypted card, device info (sessionId) and other data points to receive the 3D Secure Response.
{% hint style="info" %}
The device\_info\_id is the same value as the sessionId returned from [step 8](/online-payments/api-integration/server-to-server-payments-with-3d-secure-setup-guide/server-to-server-payments-with-3d-secure.md#step8).
{% endhint %}
**Request Method**: POST
**URL**:
**Body**:
```javascript
{
"amount": 100,
"billing_first_name": "first_name",
"billing_last_name": "last_name",
"billing_address_1": address line 1",
"billing_city": "City",
"billing_country_code": "AU",
"encrypted_card": "{{EncryptedCardValue==}}",
"public_key_alias": "{{public_key}}",
"currency_code": "{{currency}}",
"device_info_id": "0_6e00fedb-d944-47d1-89e2-b12a59ffe39x",
"email": "email@verifone.com",
"merchant_reference": "Order number 1234",
"threeds_contract_id": "{{3DS Contract ID}}"
}
```
**Response**:
```javascript
{
"acs_transaction_id": "9d08e1ba-0240-4283-813a-a3772d80de0e",
"acs_url": "{ACS_URL},
"authentication_id": "c923575f-86e4-45cf-9a43-d1ede3da3ac1",
"challenge_required": "N",
"card_brand": "Visa",
"ds_transaction_id": "e3b59e11-5863-4c4a-aa34-cc13bab4f320",
"eci_flag": "07",
"enrolled": "Y",
"error_no": "0",
"order_id": "8001840452769160",
"pares_status": "C",
"payload": "eyJtZXNzYWdlVHlwZSI6IkNSZXEiLCJtZXNzYWdlVmVyc2lvbiI6IjIuMi4wIiwidGhyZWVEU1NlcnZlclRyYW5zSUQiOiJiZDYwNjk0OC0yNzFlLTQ3MGEtYTI2OC0zOWNjZWJmMmQzNTEiLCJhY3NUcmFuc0lEIjoiOWQwOGU2YmEtMDI0MC00MjgzLTgxM2EtYTM3NzJkODBkZTBlIiwiY2hhbGxlbmdlV2luZG93U2l6ZSI6IjAyIn0",
"signature_verification": "Y",
"threeds_version": "2.2.0",
"transaction_id": "mm1WQNPXlhUnAYGyjNY1"
}
```
## Step 11A: (Server-side) Successful 3D Secure Lookup
If the lookup attempt was successful, and the details provided match the card holder details on record, the field **“pares\_status” will be “Y”**.
You can proceed directly to [step 12](/online-payments/api-integration/server-to-server-payments-with-3d-secure-setup-guide/server-to-server-payments-with-3d-secure.md#step12) to perform a payment using the details from the lookup request.
## Step 11B: (Client-side) Pares\_status = “C” Continue to the authentication step
In some cases, a one-time pin or “Step-up” challenge is required to authenticate the customer.
Cardinal.continue will only work after the payments.setupComplete event has been triggered.
Cardinal.continue is suggested to be run later in the flow if payments.setupComplete is not triggered yet.
**Example**:
```javascript
Cardinal.continue('cca',
{
"AcsUrl": “{ACS_URL}”,
"Payload": "eyJtZXNzYWdlVHlwZSI6IkNSZXEiLCJtZXNzYWdlVmVyc2lvbiI6IjIuMi4wIiwidGhyZWVEU1NlcnZlclRyYW5zSUQiOiJiZDYwNjk0OC0yNzFlLTQ3MGEtYTI2OC0zOWNjZWJmMmQzNTEiLCJhY3NUcmFuc0lEIjoiOWQwOGU2YmEtMDI0MC00MjgzLTgxM2EtYTM3NzJkODBkZTBlIiwiY2hhbGxlbmdlV2luZG93U2l6ZSI6IjAyIn0"
},
{
"OrderDetails":{
"TransactionId" : "mm1WQNPXlhUnAYGyjNY1"
}
}
);
```
**This will present the 3D Secure modal window to the customer**:
{% hint style="info" %}
For Sandbox testing, the code will always be 1234 and not sent to a phone number.
{% endhint %}
After completion of the one-time pin challenge, the 3D Secure plugin will return an outcome from one of the **SUCCESS** Event Listener setup in [step 5](/online-payments/api-integration/server-to-server-payments-with-3d-secure-setup-guide/server-to-server-payments-with-3d-secure.md#step5), for example:
```javascript
{
"Type": "CCA",
"ExtendedData": {
"Amount": "1000",
"AuthorizationPayload": "eyJjb250YWluZXJWZXJzaW9uIjoiMSIsImVjaSI6IjA1IiwiYXV0aGVudGljYXRpb25WYWx1ZSI6IkFBSUJCWU5vRXdBQUFDY0toQUprZFFBQUFBQT0iLCJlZmZlY3RpdmVBdXRoVHlwZSI6IkNIIiwiYWNzT3BlcmF0b3JJRCI6Ik1lcmNoYW50QUNTIiwidGhyZWVEU1JlcXVlc3RvckNoYWxsZW5nZUluZCI6IjAxIiwidHJhbnNTdGF0dXMiOiJZIiwiZHNUcmFuc0lEIjoiYTl4OTNiNzAtOGIyMS00MTI4LWExNzctZjRhNDM0YzAwOWZjIiwiYWNzVHJhbnNJRCI6IjhiYWFhZTMwLWFjY2EtNDYyZC04NzY3LWM0NDdlMWEwYmUwMCIsIm1lc3NhZ2VWZXJzaW9uIjoiMi4yLjAiLCJtZXJjaGFudE5hbWUiOiJWZXJpRm9uZSIsInB1cmNoYXNlRGF0ZSI6IjIwMjQwNTEyMjMyMTExIiwicHVyY2hhc4VBbW91bnQiOiIxMDAwIiwiYnJvd3NlcklQIjoiMjQwMTo3MDAwOmNiMDQ6ZmUwMDpiNTFjOjY2M2U6ZmM0ZDoxNGM5IiwibWVyY2hhbnRDb3VudHJ5Q29kZSI6Ijg0MCIsImFjcXVpcmVyQklOIjoiMTIzNDU2NzgiLCJhY3F1aXJlck1lcmNoYW50SUQiOiIxMjM0NTYiLCJ0aHJlZURTUmVxdWVzdG9yTmFtZSI6InZlcmlmb25lIiwidGhyZWVEU1JlcXVlc3RvcklEIjoidmVyaWZvbmUyMCIsImNhcmRCcmFuZCI6IlZJU0EifQ==",
"CAVV": "AAIBYYNoEwAAACcKhAJKdQAAAAA=",
"CurrencyCode": "554",
"ECIFlag": "05",
"ThreeDSVersion": "2.2.0",
"PAResStatus": "Y",
"SignatureVerification": "Y"
},
"ProcessorTransactionId": "LUj6k3aJ51K6pUh2UeV1"
}
```
**Understanding the Impact of the different 3D Secure Responses**
If **"PAResStatus"** is one of the following:\
\&#xNAN;**“Y"** – 3DS is Successful\
\&#xNAN;**“A”** – 3DS was Attempted
And **“SignatureVerification”** is:\
\&#xNAN;**“Y”** - Contents of the message can be trusted
And **“enrolled”** is:\
\&#xNAN;**“Y”** - Cardholders bank is participating in 3D Secure Process.
This will result in a liability shift off the merchant.
If **"PAResStatus”** is one of the following:\
\&#xNAN;**“N”** - Failed\
\&#xNAN;**“U”** - Unavailable\
\&#xNAN;**“R”** - Rejected\
\&#xNAN;**“C”** - Challenge required (Temporary status)
Or a blank value
Or **“SignatureVerification”** is:\
\&#xNAN;**“N”** - Signature verification is invalid
OR **“enrolled”** is:\
\&#xNAN;**“N”** - Cardholders bank is not participating in 3D Secure\
\&#xNAN;**“U”** - Enrollments status unavailable\
\&#xNAN;**“B”** - Enrollment status was bypassed
The liability of the transaction will remain with the merchant.
{% hint style="info" %}
This is not a complete guarantee of liability shift. The information presented in this document is based on published Card Associations (Visa, Mastercard, AMEX, ProtectBuy, and JCB) Operating Rules and Regulations, and may be subject to change.
{% endhint %}
## Step 12: (Server-side) Perform a Server-To-Server Payment with 3D Secure
Using the data from the lookup and if applicable, the step-up challenge response, you may perform a 3D Secure authenticated payment. See the example API request below:
**API Reference**:
**Request method**: POST
**URL**:
**Example API Request**:
```javascript
{
"currency_code": "{{currency}}",
"amount": 1000,
"merchant_reference": "VF Test",
"payment_provider_contract": "{{ppc}}",
"card_brand": "VISA",
"public_key_alias": "{{key_alias}}",
"encrypted_card": "LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tDQpWZXJzaW9uOiBPcGVuUEdQLmpzIHY0LjEwLjkNCkNvbW1lbnQ6IGh0dHBzOi8vb3BlbnBncGpzLm9yZw0KDQp3WDREcTIvejFNVU0rTTRTQWdNRW1tUTN0UERDMUVGVThHb3l5a2sxMnBQS1Q2ZVkxUisveU1PTWhNZVUNCmkyd1BlYWd0ZU4vRXVoazRYYVV6WHQ1Q29BU2JubmkvK1A2bG5vRUVQcC9wYlREcFNZMEIvTnJaOWU4RQ0KTm91a0dSUkdLRDBpQUdUek01Z0RRRk1BU3UydHZsSkNPR1lrRUFESzhlOUVmRkt0ZTdyU3JRRk90ajlVDQpaQXN1Nkc2b3RPYVI4NGtobi9VMjArMmQrQnoxVGM2TWZBeHBVTFRQOHpwUVJsWWh2Y3ZMWjNQUDBBK1gNCmhpckdUQnJCYzViWDlRNnhQalRmcFlqQ0U0Y0NnTEFCcmdzNkhFZ1J3ZElURXBmR0hBZ2V0c0xpcVRkYQ0KTGxxZmVtQW4rUWdRUDZCeTdNSXZTZWE3WTM3MXVqRUYxaW1RMCt0NlhBb09zTjMrb1lMRkZPeFRkSkc5DQpDM3FZYm1QRlVWUFFsVHB2VlZ4S0dNVlRmV1hLdEttLy9kMklqa3lONkI4ag0KPVZseGwNCi0tLS0tRU5EIFBHUCBNRVNTQUdFLS0tLS0NCg==",
"threed_authentication": {
"eci_flag": "05",
"enrolled": "Y",
"cavv": "AAIBBYNoEwAAACcKhAJkdQAAAAA=",
"pares_status": "Y",
"threeds_version": "2.2.0",
"ds_transaction_id": "4eaa10ef-e5e4-4b4c-8aef-29439e450b60",
"signature_verification": "Y",
"error_desc": "Success",
"error_no": "0"
}
}
```
**Response**:
```json
{
"id": "3e5baa3a-cdcd-4b0a-b23d-9b4c0528ca62",
"payment_provider_contract": "d1f0f6ab-1d40-44ae-b16b-8f09fe6fd77f",
"amount": 1000,
"blocked": false,
"merchant_reference": "VF Test",
"payment_product": "CARD",
"status": "AUTHORIZED",
"arn": "SIMULATORBCLDCG4DGS5MSDEV46JV",
"scheme_reference": "170320243e5baa3acdcd4b0ab23d9b4c0528ca62",
"created_by": "7b360b69-1787-40dd-ac56-fb3b8b93f230",
"cvv_present": true,
"cvv_result": "4",
"stored_credential": { },
"details": {
"auto_capture": true
},
"reason_code": "00",
"shopper_interaction": "ECOMMERCE",
"stan": "157449",
"threed_authentication": {
"eci_flag": "05",
"enrolled": "Y",
"cavv": "AAIBBYNoEwAAACcKhAJkdQAAAAA=",
"pares_status": "Y",
"threeds_version": "2.2.0",
"ds_transaction_id": "4eaa10ef-e5e4-4b4c-8aef-29439e450b60"
},
"reversal_status": "NONE",
"additional_data": {
"initiator_trace_id": "157449"
},
"card_details": { lia
"masked_card_number": "411111****1111",
"expiry_year": 2030,
"expiry_month": 12
},
"balance_amount": 0
}
```
Your Server-to-server, 3D Secure Authenticated transaction is now complete.
## Additional steps
### Refund a transaction
Depending on your [supported acquirer](/online-payments/supported-acquirers.md) and according to the settlement time. A payment can be [refunded fully or partially](/online-payments/payment-actions/refunds.md) via Verifone Central, or via the [eCommerce](/api-reference/open-api-references/ecommerce.md) API using the refund payment API call.
### Notification methods
Set up [notifications](/verifone-central-getting-started/verifone-central/administration-tools/notifications-and-webhooks.md) in Verifone Central to receive transaction events via email or webhook URL’s. Leverage notifications to receive transaction results to different systems at the time of payment.
### Advanced Payment flow with Preauthorization
To perform a preauthorization, two fields need to be specified in the payment request in Step 12:
* capture\_now : false
* auth\_type : “PRE\_AUTH”
Once the Preauth is authorized, it can be [captured](/online-payments/payment-actions/capturing-an-authorization.md) for settlement, or [cancelled (voided)](/online-payments/payment-actions/void.md) using payment actions through Verifone Central or the [eCommerce](/api-reference/open-api-references/ecommerce.md) API.
### Adding Tokenization
Set up a [token scope](/online-payments/tokenization.md#creating-a-token-scope-in-verifone-central) in Verifone Central to set up a “Vault” with Verifone to store tokens. Request [a token](/online-payments/tokenization.md#requesting) by adding the “Token\_preference” object to your API request.
### Adding Stored credentials
After setting up Tokenization, use the [Stored Credential](/online-payments/stored-credentials.md) Framework to send MIT or CIT-approved transactions.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.verifone.com/online-payments/api-integration/server-to-server-payments-with-3d-secure-setup-guide/server-to-server-payments-with-3d-secure.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
