> ## Documentation Index
> Fetch the complete documentation index at: https://www.marqeta.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# 3D Secure

> The 3DS API provides a decision service that accepts scoring events and evaluates whether to apply strong customer authentication (SCA) with 3DS or to exempt.

export const EndpointCard = ({method = "API", title, children, href, arrow = true}) => {
  const METHOD_STYLES = {
    GET: {
      bg: "mint-bg-green-400/20 dark:mint-bg-green-400/20",
      text: "mint-text-green-700 dark:mint-text-green-400",
      border: "mint-border-green-300 dark:mint-border-green-700"
    },
    POST: {
      bg: "mint-bg-blue-400/20 dark:mint-bg-blue-400/20",
      text: "mint-text-blue-700 dark:mint-text-blue-400"
    },
    PUT: {
      bg: "mint-bg-yellow-400/20 dark:mint-bg-yellow-400/20",
      text: "mint-text-yellow-700 dark:mint-text-yellow-400"
    },
    PATCH: {
      bg: "mint-bg-orange-400/20 dark:mint-bg-orange-400/20",
      text: "mint-text-orange-700 dark:mint-text-orange-400"
    },
    DELETE: {
      bg: "mint-bg-red-400/20 dark:mint-bg-red-400/20",
      text: "mint-text-red-700 dark:mint-text-red-400"
    },
    API: {
      bg: "mint-bg-black",
      text: "mint-text-white"
    }
  };
  const MethodBadge = ({method}) => {
    const style = METHOD_STYLES[method?.toUpperCase()] ?? METHOD_STYLES.GET;
    return <span className={`
          method-pill rounded-lg font-semibold px-1.5 py-0.5 text-xs leading-5 ${style.bg} ${style.text}`}>
        {method?.toUpperCase()}
      </span>;
  };
  const content = <div className="group flex items-center gap-4 border border-gray-200 dark:border-gray-700 rounded-xl p-5 hover:border-gray-400 dark:hover:border-gray-500 hover:shadow-md transition-all cursor-pointer">
      {}
      <div className="shrink-0">
        <MethodBadge method={method} />
      </div>
      {}
      <div className="flex-1 min-w-0">
        <p className="font-semibold text-gray-900 dark:text-white text-sm leading-snug">{title}</p>
        {children && <p className="mt-1 text-sm text-gray-500 dark:text-gray-400 line-clamp-2">{children}</p>}
      </div>
    </div>;
  if (!href) return content;
  return <a href={href} className="block no-underline border-b-0 mb-2">
      {content}
    </a>;
};

The Three-Domain Secure (3D Secure or 3DS) API provides a decision service that accepts scoring events from the Marqeta platform and evaluates whether to apply strong customer authentication (SCA) with 3DS or to exempt. This implementation is based on the *EMV 3-D Secure Protocol and Core Functions Specification*. For more information, see the specification on the [EMVCo website](https://www.emvco.com/specifications).

The 3DS API is RESTful, so it uses HTTP methods (`POST`, `PUT`, `GET`) to perform functions on objects. For example, to determine whether to send an SCA challenge, send a `POST` request to the `/three-ds/decision` endpoint. Some requests include data in their message body. The 3DS API requires that data be in JSON format.

The 3DS API provides endpoints that enable you to:

* Delegate decisioning – determine whether to send an SCA.

* Notify a 3DS completion status.

* Receive an Advanced Authentication challenge.

* Update an authentication result to Marqeta.

For more on 3D Secure, see [About 3D Secure](/developer-guides/about-3d-secure/).

<h2 id="_delegate_decisioning_determine_whether_to_send_an_sca">
  Delegate decisioning - determine whether to send an SCA
</h2>

**Action:** `POST`\
**Endpoint:** `/three-ds/decision`

Evaluate whether or not the cardholder will be prompted with a strong customer authentication (SCA) challenge to complete this authentication. To participate in the delegated decision service, your system must handle messages sent by the Marqeta platform and return the appropriate response. This is the URL of the decision service endpoint hosted in your environment, to which `POST` messages are submitted by the Marqeta platform.

<h3 id="_request_header">
  Request header
</h3>

| Fields                                        | Description                                                                                                                                                                                                                   |
| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| X-VERSION<br /><br />char<br /><br />Optional | Identifies the version of the service and data structures used. This value is not the same as the 3DS version. If omitted, the latest version is assumed.<br /><br />**Allowable Values:**<br /><br />A valid version number. |

<h3 id="_body_field_details">
  Body field details
</h3>

The following table describes the payload required to score an access control server (ACS) request.

<h4 id="_the_threedsdecisionrequest_object">
  The ThreeDSDecisionRequest object
</h4>

| Fields                                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| acs\_transaction\_id<br /><br />string<br /><br />Required          | Universally unique transaction identifier assigned by the ACS to identify a single transaction. (EMVCo reference: `acsTransID`)<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                               |
| type<br /><br />string<br /><br />Optional                          | Authentication type that determines the action to be taken by the receiver of this message.<br /><br />**Allowable Values:**<br /><br />`authentication.decision`                                                                                                                                                                                                                                                                                                                                                                                                     |
| state<br /><br />string<br /><br />Required                         | Status of the requested authentication.<br /><br />**Allowable Values:**<br /><br />- `PENDING` - Authentication request is pending processing<br /><br />- `SUCCESS` - Authentication completed successfully<br /><br />- `FAILED` - Authentication failed or was rejected                                                                                                                                                                                                                                                                                           |
| user\_token<br /><br />string<br /><br />Optional                   | Marqeta-assigned unique user token identifying the user.<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| acting\_user\_token<br /><br />string<br /><br />Optional           | Marqeta-assigned unique user token identifying the user performing the transaction.<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                                                                           |
| card\_token<br /><br />string<br /><br />Required                   | Marqeta-assigned unique card token identifying the user.<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| created\_time<br /><br />string<br /><br />Required                 | Authentication request time, expressed as an ISO-8601 UTC timestamp.<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-ddThh:mm:ss.sssZ                                                                                                                                                                                                                                                                                                                                                                                                                     |
| network<br /><br />string<br /><br />Optional                       | The card network associated with this authentication/decision request.<br /><br />**Allowable Values:**<br /><br />- `VISA` - Visa card network transactions<br /><br />- `MASTERCARD` - Mastercard network transactions                                                                                                                                                                                                                                                                                                                                              |
| message\_version<br /><br />string<br /><br />Optional              | The 3DS protocol version used by the 3DS Requestor. (EMVCo reference: `messageversion`)<br /><br />**Allowable Values:**<br /><br />minLength: 5<br />maxLength: 8                                                                                                                                                                                                                                                                                                                                                                                                    |
| message\_extension<br /><br />string<br /><br />Optional            | The 3DS message extension component. (EMVCo reference: `messageExtension`)<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_message_extension_object">The message\_extension object</a>.                                                                                                                                                                                                                                                                                                                                                                |
| authentication\_request\_type<br /><br />string<br /><br />Optional | Indicates the type of authentication request. (EMVCo reference: `threeDSRequestorAuthenticationInd`)<br /><br />**Allowable Values:**<br /><br />- `PAYMENT` - Payment transaction authentication<br /><br />- `RECURRING` - Recurring payment setup or processing<br /><br />- `INSTALLMENT` - Installment payment authentication<br /><br />- `ADD_CARD` - Adding a new card to cardholder account<br /><br />- `MAINTAIN_CARD` - Maintaining or updating existing card information<br /><br />- `EMV_CARDHOLDER_VERIFICATION` - EMV cardholder verification method |
| requester<br /><br />string<br /><br />Optional                     | The requestor details.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_requester_object">The requester object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| server<br /><br />string<br /><br />Optional                        | The server details.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_server_object">The server object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| client\_browser<br /><br />string<br /><br />Optional               | Client browser details.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_client_browser_object">The client\_browser object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                         |
| device<br /><br />string<br /><br />Optional                        | The device details.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_device_object">The device object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| cardholder\_account<br /><br />string<br /><br />Optional           | Contains additional information about the cardholder’s account, as provided by the 3DS Requestor.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_cardholder_account_object">The cardholder\_account object</a>.                                                                                                                                                                                                                                                                                                                                       |
| directory\_server<br /><br />string<br /><br />Optional             | Describes information from the Directory Services (DS) in the network.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_directory_server_object">The directory\_server object</a>.                                                                                                                                                                                                                                                                                                                                                                      |
| transaction<br /><br />string<br /><br />Required                   | Contains information about how the payment is being made.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_transaction_object">The transaction object</a>.                                                                                                                                                                                                                                                                                                                                                                                              |
| card\_acceptor<br /><br />string<br /><br />Required                | Details about the merchant with which this transaction is being conducted.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_card_acceptor_object">The card\_acceptor object</a>.                                                                                                                                                                                                                                                                                                                                                                        |
| whitelist<br /><br />string<br /><br />Optional                     | Details regarding the allow list.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_whitelist_object">The whitelist object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                          |

<h4 id="_the_message_extension_object">
  The message\_extension object
</h4>

| Fields                                                        | Description                                                                                                                                                                                                              |
| ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| name<br /><br />string<br /><br />Required                    | Name of the extension dataset, as defined by the extension owner.<br /><br />**Allowable Values:**<br /><br />64 char max                                                                                                |
| id<br /><br />string<br /><br />Required                      | A unique identifier for the extension.<br /><br />**NOTE:** Payment System Registered Application Provider Identifier (RID) is required as the prefix of the ID.<br /><br />**Allowable Values:**<br /><br />64 char max |
| criticality\_indicator<br /><br />boolean<br /><br />Required | Indicates whether the recipient must understand the contents of the extension to interpret the entire message. (EMVCo reference: `criticalityIndicator`)<br /><br />**Allowable Values:**<br /><br />`true`, `false`     |
| data<br /><br />string<br /><br />Required                    | Data carried in the extension.<br /><br />**Allowable Values:**<br /><br />8059 char max                                                                                                                                 |

<h3 id="_the_requester_object">
  The requester object
</h3>

| Fields                                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| ------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| notification\_url<br /><br />string<br /><br />Optional                        | Fully qualified URL of the system that receives the challenge response message or error message. The challenge response message is posted by the ACS through the cardholder browser at the end of the challenge and receipt of the results response message. (EMVCo reference: `notificationURL`)<br /><br />**Allowable Values:**<br /><br />256 char max<br /><br />**Example:**<br />[https://www.example.com/path/to/resource](https://www.example.com/path/to/resource)                                                                                                                                                                                                                                                                                                                                                                                          |
| challenge\_preference<br /><br />string<br /><br />Optional                    | Indicates whether a challenge is requested for this transaction. If missing, presume no-preference. (EMVCo reference: `threeDSRequestorChallengeInd`)<br /><br />**Allowable Values:**<br /><br />- `NO_CHALLENGE` - No challenge requested<br /><br />- `CHALLENGE` - Challenge requested<br /><br />- `RISK_ALREADY_ANALYZED` - Merchant has already performed risk analysis<br /><br />- `DATA_SHARE_ONLY` - Data sharing only; no authentication required<br /><br />- `SCA_ALREADY_PERFORMED` - Strong Customer Authentication already performed<br /><br />- `WHITELIST_CHALLENGE` - Allow list prompt requested if cardholder not on the allow list<br /><br />- `WHITELIST_EXEMPT` - Allow list exemption requested<br /><br />- `MANDATE` - Challenge mandated by regulation or policy                                                                       |
| decoupled\_challenge\_preference<br /><br />string<br /><br />Optional         | Indicates whether the 3DS Requestor requests the ACS to use decoupled authentication, and agrees to use decoupled authentication if the ACS confirms its use.<br /><br />This only exists if a preference is expressed for how the challenge should be handled. It’s possible for there to be no preference on the challenge, but to have a preference on how decoupled challenges are conducted. (EMVCo reference: `threeDSRequestorDecReqInd`)<br /><br />**Allowable Values:**<br /><br />- `DECOUPLED_AUTHENTICATION_PREFERRED` - Prefer decoupled authentication method<br /><br />- `DO_NOT_USE_DECOUPLED_AUTHENTICATION` - Prefer not to use decoupled authentication method                                                                                                                                                                                   |
| name<br /><br />string<br /><br />Optional                                     | DS-assigned 3DS Requestor name. Each DS provides a unique name to each 3DS Requestor on an individual basis. (EMVCo reference: `threeDSRequestorName`)<br /><br />**Allowable Values:**<br /><br />40 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| customer\_care\_url<br /><br />string<br /><br />Optional                      | Fully qualified URL of the 3DS Requestor website or customer care site. (EMVCo reference: `threeDSRequestorURL`)<br /><br />**Allowable Values:**<br /><br />2048 char max<br /><br />**Example:**<br />[https://help.example.com/customer-service](https://help.example.com/customer-service)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| request\_type<br /><br />string<br /><br />Optional                            | Indicates the type of 3RI request. (EMVCo reference: `threeRIInd`)<br /><br />**Allowable Values:**<br /><br />- `RECURRING` - Recurring payment setup or processing<br /><br />- `INSTALLMENT` - Installment payment authentication<br /><br />- `ADD_CARD` - Add a new card to cardholder account<br /><br />- `MAINTAIN_CARD` - Maintain or update existing card information<br /><br />- `ACCOUNT_VERIFICATION` - Account verification without payment<br /><br />- `SPLIT_OR_DELAYED_SHIPMENT` - Split or delayed shipment transaction<br /><br />- `TOP_UP` - Account top-up or reload transaction<br /><br />- `MAIL_ORDER` - Mail order transaction<br /><br />- `TELEPHONE_ORDER` - Telephone order transaction<br /><br />- `WHITELIST_STATUS_CHECK` - Allow list status verification<br /><br />- `OTHER_PAYMENT` - Other payment type not specified above |
| cardholder\_authentication\_by\_merchant<br /><br />object<br /><br />Optional | Cardholder authentication details by merchant.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_cardholder_authentication_by_merchant_object">The cardholder\_authentication\_by\_merchant object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| prior\_cardholder\_authentication<br /><br />object<br /><br />Optional        | Authentication details about the prior cardholder.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_prior_cardholder_authentication_object">The prior\_cardholder\_authentication object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| sdk<br /><br />object<br /><br />Optional                                      | SDK details.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_sdk_object">The sdk object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |

<h3 id="_the_cardholder_authentication_by_merchant_object">
  The cardholder\_authentication\_by\_merchant object
</h3>

| Fields                                        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| data<br /><br />string<br /><br />Optional    | Data that documents and supports a specific authentication process. (EMVCo reference: `threeDSReqAuthData`)<br /><br />**Allowable Values:**<br /><br />20,000 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| type<br /><br />string<br /><br />Optional    | Value representing the signature verification performed by the DS on the mechanism used by the cardholder to authenticate to the 3DS Requestor. (EMVCo reference: `threeDSReqAuthMethodInd`)<br /><br />**Allowable Values:**<br /><br />- `NO_AUTHENTICATION` - No authentication performed<br /><br />- `REQUESTOR_CREDENTIALS` - Authentication using requestor credentials<br /><br />- `FEDERATED_ID` - Federated identity authentication<br /><br />- `ISSUER_CREDENTIALS` - Authentication using issuer credentials<br /><br />- `THIRD_PARTY_CREDENTIALS` - Third-party authentication service<br /><br />- `FIDO` - FIDO authentication method<br /><br />- `FIDO_WITH_ASSURANCE_SIGNED` - FIDO with signed assurance data<br /><br />- `SRC_ASSURANCE_DATA` - SRC (Secure Remote Commerce) assurance data |
| time<br /><br />string<br /><br />Optional    | Date and time of the cardholder authentication, expressed in UTC. (EMVCo reference: `threeDSReqAuthTimestamp`)<br /><br />**Allowable Values:**<br /><br />yyyy-MM-dd’T’HH:mm:ss.SSSZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| status<br /><br />boolean<br /><br />Optional | Indicates whether the 3DS method successfully completed. If missing, then this data is unavailable. (EMVCo reference: `threeDSCompInd`)<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |

<h3 id="_the_prior_cardholder_authentication_object">
  The prior\_cardholder\_authentication object
</h3>

| Fields                                                     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| data<br /><br />string<br /><br />Optional                 | Data that documents and supports a specific authentication process. (EMVCo reference: `threeDSReqPriorAuthData`)<br /><br />**Allowable Values:**<br /><br />2048 char max                                                                                                                                                                                                                                                                                                                 |
| type<br /><br />string<br /><br />Optional                 | Mechanism previously used by the cardholder to authenticate to the 3DS Requestor. (EMVCo reference: `threeDSReqPriorAuthMethod`)<br /><br />**Allowable Values:**<br /><br />- `FRICTIONLESS_AUTHENTICATION_BY_ACS` - Frictionless authentication performed by ACS<br /><br />- `CHALLENGED_BY_ACS` - Challenge authentication performed by ACS<br /><br />- `AVS_VERIFIED` - Address Verification Service (AVS) verified<br /><br />- `OTHER` - Other authentication method not specified |
| time<br /><br />string<br /><br />Optional                 | Date and time of the previous cardholder authentication, expressed in UTC. (EMVCo reference: `threeDSReqPriorAuthTimestamp`)<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-dd’T’HH:mm:ss.SSSZ                                                                                                                                                                                                                                                                                |
| acs\_transaction\_id<br /><br />string<br /><br />Optional | Provides additional information to the ACS to determine the best approach for handling a request. (EMVCo reference: `threeDSReqPriorRef`)<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                          |

<h3 id="_the_sdk_object">
  The sdk object
</h3>

| Fields                                                  | Description                                                                                                                                                                                                                         |
| ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| application\_id<br /><br />string<br /><br />Optional   | Universally unique ID created upon all installations of the 3DS Requestor app on a consumer device. (EMVCo reference: `sdkAppID`)<br /><br />**Allowable Values:**<br /><br />36 char max                                           |
| reference\_number<br /><br />string<br /><br />Optional | Identifies the vendor and version of the 3DS SDK integrated in a 3DS Requestor app; assigned by EMVCo when the 3DS SDK is approved. (EMVCo reference: `sdkReferenceNumber`)<br /><br />**Allowable Values:**<br /><br />32 char max |

<h3 id="_the_server_object">
  The server object
</h3>

| Fields                                                  | Description                                                                                                                                                                                                     |
| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| reference\_number<br /><br />string<br /><br />Optional | Unique identifier assigned by the EMVCo secretariat upon testing and approval. (EMVCo reference: `threeDSServerRefNumber`)<br /><br />**Allowable Values:**<br /><br />32 char max                              |
| operator\_id<br /><br />string<br /><br />Optional      | DS-assigned 3DS Server identifier. Each DS provides a unique ID to each 3DS Server on an individual basis. (EMVCo reference: `threeDSServerOperatorID`)<br /><br />**Allowable Values:**<br /><br />32 char max |

<h3 id="_the_client_browser_object">
  The client\_browser object
</h3>

| Fields                                                                 | Description                                                                                                                                                                                                                                                                                                                                              |
| ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| accept\_headers<br /><br />string<br /><br />Optional                  | Exact content of the HTTP accept headers, as sent to the 3DS Requestor from the cardholder’s browser. (EMVCo reference: `browserAcceptHeader`)<br /><br />**Allowable Values:**<br /><br />2048 char max                                                                                                                                                 |
| ip\_address<br /><br />string<br /><br />Optional                      | IPv4 or IPv6 address of the browser, as returned by the HTTP headers to the 3DS Requestor. (EMVCo reference: `browserIP`)<br /><br />**Allowable Values:**<br /><br />45 char max                                                                                                                                                                        |
| is\_java\_enabled<br /><br />boolean<br /><br />Conditionally required | Indicates the ability of the cardholder’s browser to execute Java. Value is returned from the `navigator.javaEnabled` property. Only required when Browser JavaScript Enabled = `true`. (EMVCo reference: `browserJavaEnabled`)<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                              |
| is\_javascript\_enabled<br /><br />boolean<br /><br />Optional         | Indicates the ability of the cardholder’s browser to execute JavaScript. (EMVCo reference: `browserJavascriptEnabled`)<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                       |
| language<br /><br />string<br /><br />Optional                         | Value representing the browser language, as defined in IETF BCP47. Returned from the `navigator.language` property. (EMVCo reference: `browserLanguage`)<br /><br />**Allowable Values:**<br /><br />minLength: 1<br />maxLength: 8                                                                                                                      |
| timezone\_offset\_in\_minutes<br /><br />integer<br /><br />Optional   | Time zone offset in minutes between UTC and the cardholder’s browser’s local time. Note that the offset is positive if the local time zone is behind UTC and negative if it is ahead. Only required when Browser JavaScript Enabled = `true`. (EMVCo reference: `browserTZ`)<br /><br />**Allowable Values:**<br /><br />minimum: -720<br />maximum: 720 |
| user\_agent<br /><br />string<br /><br />Optional                      | The exact contents of the HTTP user-agent header. (EMVCo reference: `browserUserAgent`)<br /><br />**Allowable Values:**<br /><br />2048 char max                                                                                                                                                                                                        |

<h3 id="_the_device_object">
  The device object
</h3>

| Fields                                                 | Description                                                                                                                                                                                                                                                                                                                                                              |
| ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| channel<br /><br />string<br /><br />Required          | Indicates the type of channel interface being used to initiate the transaction. (EMVCo reference: `deviceChannel`)<br /><br />**Allowable Values:**<br /><br />- `APP_BASED` - Native mobile application-based transaction<br /><br />- `BROWSER` - Browser-based web transaction<br /><br />- `THREEDS_REQUESTER_INITIATED` - 3DS Requestor initiated (3RI) transaction |
| additional\_data<br /><br />string<br /><br />Optional | Device information gathered by the 3DS SDK from a consumer device. This Base64url-encoded JSON name/value pair will be populated by the DS as unencrypted data to the ACS obtained from SDK-encrypted data. (EMVCo reference: `deviceInfo`)<br /><br />**Allowable Values:**<br /><br />minLength: 1<br />maxLength: 64,000                                              |

<h3 id="_the_cardholder_account_object">
  The cardholder\_account object
</h3>

| Fields                                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| identifier<br /><br />string<br /><br />Optional                               | Account ID that will be used in the authorization request for payment transactions. Can be represented by the PAN or token. (EMVCo reference: `acctID`)<br /><br />**Allowable Values:**<br /><br />minLength: 13<br />maxLength: 19                                                                                                                                                                                                                                                                                                                                                       |
| name<br /><br />string<br /><br />Optional                                     | Name of the cardholder performing the transaction. (EMVCo reference: `cardholderName`)<br /><br />**Allowable Values:**<br /><br />A valid string.                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| email<br /><br />string<br /><br />Optional                                    | Email address associated with the account: Either entered by the cardholder, or on file with the 3DS Requestor. (EMVCo reference: `email`)<br /><br />**Allowable Values:**<br /><br />254 char max                                                                                                                                                                                                                                                                                                                                                                                        |
| account\_type<br /><br />string<br /><br />Optional                            | The type of account. Required if the 3DS Requestor is asking the cardholder which account type they are using before making the purchase. (EMVCo reference: `acctType`)<br /><br />**Allowable Values:**<br /><br />- `NOT_AVAILABLE` - Account type not available or not applicable<br /><br />- `CREDIT` - Credit account or card<br /><br />- `DEBIT` - Debit account or card                                                                                                                                                                                                           |
| card\_expiry\_date<br /><br />string<br /><br />Optional                       | Expiry date of the PAN or token supplied by the cardholder to the 3DS Requestor. (EMVCo reference: `cardExpiryDate`)<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_card_expiry_date_object">The card\_expiry\_date object</a>.                                                                                                                                                                                                                                                                                                                                            |
| account\_age<br /><br />string<br /><br />Optional                             | How long the cardholder has had the account with the 3DS Requestor. (EMVCo reference: `chAccAgeInd`)<br /><br />**Allowable Values:**<br /><br />- `NO_ACCOUNT` - No account exists<br /><br />- `DURING_TRANSACTION` - Account created during this transaction<br /><br />- `FEWER_THAN_30_DAYS` - Account created less than 30 days ago<br /><br />- `BETWEEN_30_AND_60_DAYS` - Account created 30-60 days ago<br /><br />- `GREATER_THAN_60_DAYS` - Account created more than 60 days ago                                                                                               |
| last\_updated\_date<br /><br />string<br /><br />Optional                      | Date when the cardholder’s account with the 3DS Requestor was last updated, including the billing or shipping address, new payment account, or new user(s) added. (EMVCo reference: `chAccChange`)<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-dd                                                                                                                                                                                                                                                                                                                          |
| last\_updated\_duration<br /><br />string<br /><br />Optional                  | How long since the cardholder’s account information with the 3DS Requestor was last updated, including the billing or shipping address, new payment account, or new user(s) added. (EMVCo reference: `chAccChangeInd`)<br /><br />**Allowable Values:**<br /><br />- `THIS_TRANSACTION` - Updated during this transaction<br /><br />- `FEWER_THAN_30_DAYS` - Account information changed less than 30 days ago<br /><br />- `BETWEEN_30_AND_60_DAYS` - Account information changed 30-60 days ago<br /><br />- `GREATER_THAN_60_DAYS` - Account information changed more than 60 days ago |
| date\_created<br /><br />string<br /><br />Optional                            | Date when the cardholder opened the account with the 3DS Requestor. (EMVCo reference: `chAccDate`)<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-dd                                                                                                                                                                                                                                                                                                                                                                                                                          |
| password\_changed\_date<br /><br />string<br /><br />Optional                  | Date when the cardholder’s account with the 3DS Requestor last had a password change or account reset. (EMVCo reference: `chAccPwChange`)<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-dd                                                                                                                                                                                                                                                                                                                                                                                   |
| password\_changed\_duration<br /><br />string<br /><br />Optional              | How long since the cardholder’s account with the 3DS Requestor last had a password change or account reset. (EMVCo reference: `chAccPwChangeInd`)<br /><br />**Allowable Values:**<br /><br />- `NO_CHANGE` - No password change occurred<br /><br />- `THIS_TRANSACTION` - Password changed during this transaction<br /><br />- `FEWER_THAN_30_DAYS` - Password changed less than 30 days ago<br /><br />- `BETWEEN_30_AND_60_DAYS` - Password changed 30-60 days ago<br /><br />- `GREATER_THAN_60_DAYS` - Password changed more than 60 days ago                                       |
| enrolled\_date<br /><br />string<br /><br />Optional                           | Date when the payment account was enrolled in the cardholder’s account with the 3DS Requestor. (EMVCo reference: `paymentAccAge`)<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-dd                                                                                                                                                                                                                                                                                                                                                                                           |
| enrolled\_duration<br /><br />string<br /><br />Optional                       | How long since the payment account was enrolled in the cardholder’s account with the 3DS Requestor. (EMVCo reference: `paymentAccInd`)<br /><br />**Allowable Values:**<br /><br />- `NOT_ENROLLED` - Payment account not enrolled<br /><br />- `THIS_TRANSACTION` - Enrolled during this transaction<br /><br />- `FEWER_THAN_30_DAYS` - Enrolled less than 30 days ago<br /><br />- `BETWEEN_30_AND_60_DAYS` - Enrolled 30-60 days ago<br /><br />- `GREATER_THAN_60_DAYS` - Enrolled more than 60 days ago                                                                              |
| shipping\_address\_first\_used\_date<br /><br />string<br /><br />Optional     | Date when the shipping address indicated for this transaction was first used with the 3DS Requestor. (EMVCo reference: `shipAddressUsage`)<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-dd                                                                                                                                                                                                                                                                                                                                                                                  |
| shipping\_address\_first\_used\_duration<br /><br />string<br /><br />Optional | How long since the shipping address indicated for this transaction was first used with the 3DS Requestor. (EMVCo reference: `shipAddressUsageInd`)<br /><br />**Allowable Values:**<br /><br />- `THIS_TRANSACTION` - Shipping address first used during this transaction<br /><br />- `FEWER_THAN_30_DAYS` - Shipping address first used less than 30 days ago<br /><br />- `BETWEEN_30_AND_60_DAYS` - Shipping address first used 30-60 days ago<br /><br />- `GREATER_THAN_60_DAYS` - Shipping address first used more than 60 days ago                                                 |
| ship\_to\_name\_is\_cardholder\_name<br /><br />boolean<br /><br />Optional    | Indicates whether the cardholder name on the account is identical to the shipping name used for this transaction.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                              |
| experienced\_suspicious\_activity<br /><br />boolean<br /><br />Optional       | Indicates whether the 3DS Requestor has experienced suspicious activity (including previous fraud) on the cardholder account. (EMVCo reference: `suspiciousAccActivity`)<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                       |
| phones<br /><br />object<br /><br />Optional                                   | A list of phone numbers for this cardholder account. Keys can include `home`, `mobile`, and `work` and will be included if they are present.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_phones_object">The phones object</a>.                                                                                                                                                                                                                                                                                                                                          |
| statistics<br /><br />object<br /><br />Optional                               | Cardholder activity statistics.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_statistics_object">The statistics object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| billing\_address<br /><br />object<br /><br />Optional                         | Provides details related to the cardholder’s billing address.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_addressphysical_object">The AddressPhysical object</a>.                                                                                                                                                                                                                                                                                                                                                                                                       |
| shipping\_address<br /><br />object<br /><br />Optional                        | Provides details related to the cardholder’s shipping address.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_addressphysical_object">The AddressPhysical object</a>.                                                                                                                                                                                                                                                                                                                                                                                                      |

<h3 id="_the_phones_object">
  The phones object
</h3>

| Fields                                              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| --------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| country\_code<br /><br />number<br /><br />Required | Sometimes called the country prefix or country code, this is the international public telecommunication numbering plan that defines a numbering plan for the worldwide public switched telephone network (PSTN) and some other data networks. See also: <a href="https://en.wikipedia.org/wiki/E.164">[https://en.wikipedia.org/wiki/E.164](https://en.wikipedia.org/wiki/E.164)</a><br /><br />**Allowable Values:**<br /><br />minLength: 1<br />maxLength: 3 |
| subscriber<br /><br />string<br /><br />Required    | The phone number without the country code (i.e., the area code, prefix, and subscriber number). Do not add spaces, hyphens, or the `+` symbol.<br /><br />**Allowable Values:**<br /><br />minLength: 1<br />maxLength: 15<br /><br />**Example:**<br />5105551212                                                                                                                                                                                              |

<h3 id="_the_statistics_object">
  The statistics object
</h3>

| Fields                                                                      | Description                                                                                                                                                                                                                                      |
| --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| purchase\_count\_6\_months<br /><br />integer<br /><br />Optional           | Number of purchases made with this cardholder account during the previous six months. (EMVCo reference: `nbPurchaseAccount`)<br /><br />**Allowable Values:**<br /><br />min: 0                                                                  |
| provision\_attempt\_count\_24\_hours<br /><br />integer<br /><br />Optional | Number of add card attempts in the last 24 hours. (EMVCo reference: `provisionAttemptsDay`)<br /><br />**Allowable Values:**<br /><br />min: 0                                                                                                   |
| transactions\_count\_24\_hours<br /><br />integer<br /><br />Optional       | Number of transactions (successful or abandoned) for this cardholder account with the 3DS Requestor across all payment accounts in the previous 24 hours. (EMVCo reference: `txnActivityDay`)<br /><br />**Allowable Values:**<br /><br />min: 0 |
| transactions\_count\_1\_year<br /><br />integer<br /><br />Optional         | Number of transactions (successful or abandoned) for this cardholder account with the 3DS Requestor across all payment accounts in the previous year. (EMVCo reference: `txnActivityYear`)<br /><br />**Allowable Values:**<br /><br />min: 0    |

<h3 id="_the_directory_server_object">
  The directory\_server object
</h3>

This object describes information from the Directory Services (DS) in the network.

| Fields                                                            | Description                                                                                                                                                                                                                                                                     |
| ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| reference\_number<br /><br />string<br /><br />Required           | EMVCo-assigned unique identifier to track approved DS. (EMVCo reference: `dsReferenceNumber`)<br /><br />**Allowable Values:**<br /><br />minLength: 1<br />maxLength: 32                                                                                                       |
| authentication\_result\_url<br /><br />string<br /><br />Optional | URL of the DS to which the ACS will send the RReq if a challenge occurs. (EMVCo reference: `dsURL`)<br /><br />**Allowable Values:**<br /><br />A valid URL.<br />2048 char max<br /><br />**Example:**<br />[https://server.example.com/path](https://server.example.com/path) |

<h3 id="_the_recurring_object">
  The recurring object
</h3>

| Fields                                                                                      | Description                                                                                                                                                                                                                                                                    |
| ------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| expiration\_date<br /><br />string<br /><br />Conditionally required                        | Date after which no further authorizations will be performed. Required when `request_type` is set to `RECURRING` or `INSTALLMENT`. (EMVCo reference: `recurringExpiry`)<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-dd<br /><br />**Example:**<br />2024-07-21 |
| minimum\_days\_between\_authorizations<br /><br />integer<br /><br />Conditionally required | Indicates the minimum number of days between authorizations. Required when `request_type` is set to `RECURRING` or `INSTALLMENT`. (EMVCo reference: `recurringFrequency`)<br /><br />**Allowable Values:**<br /><br />minimum: 0<br />maximum: 9999                            |

<h3 id="_the_transaction_object">
  The transaction object
</h3>

Contains information about how the payment is being made.

| Fields                                                                         | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| transaction\_type<br /><br />string<br /><br />Optional                        | Identifies the category of the message for a specific use case. (EMVCo reference: `messageCategory`)<br /><br />**Allowable Values:**<br /><br />`PAYMENT` - Payment transaction requiring authorization<br />`NON_PAYMENT` - Non-payment transaction, such as account verification                                                                                                                                                                                                                     |
| sub\_type<br /><br />string<br /><br />Optional                                | Identifies the type of transaction being authenticated. (EMVCo reference: `transType`)<br /><br />**Allowable Values:**<br /><br />- `PURCHASE` - Goods or services purchase transaction<br /><br />- `ACCOUNT_VERIFICATION` - Account verification without payment<br /><br />- `ACCOUNT_FUNDING` - Loading funds to an account<br /><br />- `QUASI_CASH` - Cash-equivalent transaction, such as money orders<br /><br />- `PREPAID_ACTIVATION_AND_LOAD` - Prepaid card activation and initial loading |
| amount<br /><br />number<br /><br />Optional                                   | Purchase amount in minor units of currency with all punctuation removed. For example, a purchase for \$1.99 would be 199. (EMVCo reference: `purchaseAmount`)<br /><br />**Allowable Values:**<br /><br />A valid number.                                                                                                                                                                                                                                                                               |
| currency\_code<br /><br />number<br /><br />Optional                           | ISO 4217 three-digit currency code of the payment or purchased gift card. See <a href="https://www.iso.org/iso-4217-currency-codes.html">[https://www.iso.org/iso-4217-currency-codes.html](https://www.iso.org/iso-4217-currency-codes.html)</a><br /><br />**Allowable Values:**<br /><br />minLength: 3<br />maxLength: 3                                                                                                                                                                            |
| exponent<br /><br />integer<br /><br />Optional                                | Minor units of currency value, as specified in the ISO 4217 currency exponent. For USD, the value is 2. (EMVCo reference: `purchaseExponent`)<br /><br />**Allowable Values:**<br /><br />A valid ISO 4217 code. See <a href="https://www.iso.org/iso-4217-currency-codes.html">[https://www.iso.org/iso-4217-currency-codes.html](https://www.iso.org/iso-4217-currency-codes.html)</a>                                                                                                                |
| date<br /><br />string<br /><br />Optional                                     | Date and time of the purchase, expressed in UTC. (EMVCo reference: `purchaseDate`)<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-dd’T’HH:mm:ss.SSSZ                                                                                                                                                                                                                                                                                                                                       |
| shipping\_address\_is\_billing\_address<br /><br />boolean<br /><br />Optional | Indicates whether the cardholder shipping address and cardholder billing address are the same. (EMVCo reference: `addrMatch`)<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                               |
| maximum\_permitted\_installments<br /><br />integer<br /><br />Optional        | Indicates the maximum number of authorizations permitted for installment payments. (EMVCo reference: `purchaseInstalData`)<br /><br />**Allowable Values:**<br /><br />minimum: 1<br />maximum: 999                                                                                                                                                                                                                                                                                                     |
| detokenisation\_source<br /><br />string<br /><br />Optional                   | EMV Payment Token Source. This data element is populated by the system residing in the 3D Secure domain where the de-tokenization occurs. If not present, the transaction was not de-tokenized. (EMVCo reference: `payTokenSource` and `payTokenInd`)<br /><br />**Allowable Values:**<br /><br />- `3DS_SERVER` - De-tokenization performed by 3DS Server<br /><br />- `DIRECTORY_SERVER` - De-tokenization performed by Directory Server                                                              |
| recurring<br /><br />object<br /><br />Optional                                | Authorization and expiration details for transactions of the recurring type.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_recurring_object">The recurring object</a>.                                                                                                                                                                                                                                                                                                                 |

<h3 id="_the_card_acceptor_object">
  The card\_acceptor object
</h3>

<Danger>
  **Warning**\
  This object reports information as supplied by the merchant, and could contain inaccurate or unexpected values.
</Danger>

| Fields                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| acquirer\_bin<br /><br />string<br /><br />Conditionally required | Acquiring institution identification code, as assigned by the DS receiving the AReq message. Required when `messageCategory = 01`; optional when `messageCategory = 02`. (EMVCo reference: `acquirerBIN`)<br /><br />**Allowable Values:**<br /><br />11 char max                                                                                                                                                                                                   |
| merchant\_id<br /><br />string<br /><br />Conditionally required  | Acquirer-assigned merchant identifier. Required when `messageCategory = 01`; optional when `messageCategory = 02`. (EMVCo reference: `acquirerMerchantID`)<br /><br />**Allowable Values:**<br /><br />35 char max                                                                                                                                                                                                                                                  |
| merchant\_category\_code<br /><br />string<br /><br />Optional    | Merchant Category Code (MCC). DS-specific code describing the merchant’s type of product or service. (EMVCo reference: `mcc`)<br /><br />**Allowable Values:**<br /><br />minLength: 4<br />maxLength: 4                                                                                                                                                                                                                                                            |
| country<br /><br />string<br /><br />Optional                     | ISO 3166-1 three-digit country code of the merchant address. See also: <a href="https://www.iso.org/iso-3166-country-codes.html">[https://www.iso.org/iso-3166-country-codes.html](https://www.iso.org/iso-3166-country-codes.html)</a> and <a href="https://en.wikipedia.org/wiki/ISO_3166-2">[https://en.wikipedia.org/wiki/ISO\_3166-2](https://en.wikipedia.org/wiki/ISO_3166-2)</a><br /><br />**Allowable Values:**<br /><br />minLength: 2<br />maxLength: 3 |
| name<br /><br />string<br /><br />Optional                        | Merchant name assigned by the acquirer or payment system. (EMVCo reference: `merchantName`)<br /><br />**Allowable Values:**<br /><br />40 char max                                                                                                                                                                                                                                                                                                                 |
| risk\_indicators<br /><br />object<br /><br />Optional            | Merchant’s assessment of the level of fraud risk for the specific authentication, as applies to both the cardholder and the authentication being performed. (EMVCo reference: `merchantRiskIndicator`)<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_risk_indicators_object">The risk\_indicators object</a>.                                                                                                                                      |

<h3 id="_the_risk_indicators_object">
  The risk\_indicators object
</h3>

| Fields                                                    | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| delivery<br /><br />object<br /><br />Optional            | Contains delivery details.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_delivery_object">The delivery object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| gift\_cards<br /><br />object<br /><br />Optional         | If the purchase included buying gift cards, this object includes information about those gift cards.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_gift_cards_object">The gift\_cards object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| pre\_order<br /><br />object<br /><br />Optional          | If a pre-order, includes information about the pre-order.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_pre_order_object">The pre\_order object</a>.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
| is\_reorder<br /><br />boolean<br /><br />Optional        | Indicates whether the cardholder is reordering previously purchased merchandise. If missing, then this is not a reorder. (EMVCo reference: `reorderItemsInd`)<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| shipping\_indicator<br /><br />string<br /><br />Optional | Indicates the transaction’s shipping method. Merchants must choose the shipping indicator code that most accurately describes the cardholder’s specific transaction, and not their general business. (EMVCo reference: `shipIndicator` and `addrMatch`)<br /><br />**Allowable Values:**<br /><br />- `BILLING_ADDRESS` - Ship to cardholder’s billing address<br /><br />- `OTHER_VERIFIED_ADDRESS` - Ship to another verified address on file with the merchant<br /><br />- `UNVERIFIED_ADDRESS` - Ship to address that is different than the cardholder’s billing address<br /><br />- `SHIP_TO_STORE` - Ship to store for customer pickup<br /><br />- `DIGITAL_GOODS` - Digital goods (includes online services, electronic gift cards, and redemption codes)<br /><br />- `TRAVEL_AND_EVENT_TICKETS` - Travel and event tickets, not shipped<br /><br />- `OTHER` - Other (for example, gaming, digital services not shipped, or e-media subscriptions) |

<h3 id="_the_delivery_object">
  The delivery object
</h3>

| Fields                                          | Description                                                                                                                                                                                                                                                                                                                                           |
| ----------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| email<br /><br />string<br /><br />Optional     | For electronic delivery, the email address to which the merchandise was delivered. (EMVCo reference: `deliveryEmailAddress`)<br /><br />**Allowable Values:**<br /><br />254 char max                                                                                                                                                                 |
| timeframe<br /><br />string<br /><br />Optional | Indicates the merchandise delivery timeframe. (EMVCo reference: `deliveryTimeframe`)<br /><br />**Allowable Values:**<br /><br />- `ELECTRONIC` - Electronic delivery<br /><br />- `SAME_DAY_SHIPPING` - Same-day shipping<br /><br />- `OVERNIGHT_SHIPPING` - Overnight shipping<br /><br />- `TWO_DAYS_OR_MORE_SHIPPING` - Two-or-more day shipping |

<h3 id="_the_gift_cards_object">
  The gift\_cards object
</h3>

| Fields                                                              | Description                                                                                                                                                                                                                                                                                                                        |
| ------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| currency\_code<br /><br />number<br /><br />Optional                | ISO 4217 three-digit currency code of the payment or purchased gift card. See also: <a href="https://www.iso.org/iso-4217-currency-codes.html">[https://www.iso.org/iso-4217-currency-codes.html](https://www.iso.org/iso-4217-currency-codes.html)</a><br /><br />**Allowable Values:**<br /><br />minLength: 3<br />maxLength: 3 |
| loaded\_amount<br /><br />number<br /><br />Optional                | For a prepaid or gift card purchase, the total purchase amount of prepaid or gift cards in major units (for example, a purchase of \$123.45 is 12345). (EMVCo reference: `giftCardAmount`)<br /><br />**Allowable Values:**<br /><br />minimum: 0<br />maximum: 2147483647                                                         |
| number\_of\_cards\_purchased<br /><br />integer<br /><br />Optional | For a prepaid or gift card purchase, the total count of individual prepaid or gift cards/codes purchased. (EMVCo reference: `giftCardCount`)<br /><br />**Allowable Values:**<br /><br />minimum: 0<br />maximum: 99                                                                                                               |

<h3 id="_the_pre_order_object">
  The pre\_order object
</h3>

| Fields                                                             | Description                                                                                                                                                                                                                                                                                                                                                             |
| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| merchandise\_available\_date<br /><br />string<br /><br />Optional | For a pre-ordered purchase, the expected date when the merchandise will be available. Merchants sometimes create pre-orders to hold an order for customers whose 3DS SCA is pending. This is why the "pre-order" exists and the merchandise availability is immediate. (EMVCo reference: `preOrderDate`)<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-dd |
| merchandise\_availability<br /><br />string<br /><br />Optional    | Indicates whether the cardholder is placing an order for merchandise with a future availability or release date. (EMVCo reference: `preOrderPurchaseInd`)<br /><br />**Allowable Values:**<br /><br />`IMMEDIATE` - Merchandise available immediately<br />`FUTURE` - Merchandise available in the future                                                               |

<h3 id="_the_whitelist_object">
  The whitelist object
</h3>

| Fields                                       | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| status<br /><br />string<br /><br />Optional | Enables the communication of trusted beneficiary/allow list status between the ACS, the DS, and the 3DS Requestor. (EMVCo reference: `whiteListStatus`)<br /><br />**Allowable Values:**<br /><br />- `WHITELISTED` - Cardholder or merchant is allow-listed for exemption<br /><br />- `NOT_WHITELISTED` - Standard authentication required<br /><br />- `NOT_ELIGIBLE` - Cardholder or merchant is not eligible for allow-listing<br /><br />- `PENDING` - Allow list status determination pending<br /><br />- `REJECTED` - Allow list request was rejected<br /><br />- `UNKNOWN` - Allow list status cannot be determined |
| source<br /><br />string<br /><br />Optional | The allow list status source. (EMVCo reference: `whiteListStatusSource`)<br /><br />**Allowable Values:**<br /><br />- `3DS_SERVER` - Allow list status provided by 3DS Server<br /><br />- `DIRECTORY_SERVER` - Allow list status provided by Directory Server<br /><br />- `ACS` - Allow list status determined by Access Control Server                                                                                                                                                                                                                                                                                     |

<h3 id="_the_addressphysical_object">
  The AddressPhysical object
</h3>

Provides details related to the cardholder’s shipping/billing address.

| Fields                                           | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| address1<br /><br />string<br /><br />Optional   | First line of the street address (or equivalent local portion) of the cardholder’s shipping/billing address.<br /><br />**Allowable Values:**<br /><br />50 char max                                                                                                                                                                                                                                                                                                                       |
| address2<br /><br />string<br /><br />Optional   | Second line of the street address (or equivalent local portion) of the cardholder’s shipping/billing address.<br /><br />**Allowable Values:**<br /><br />50 char max                                                                                                                                                                                                                                                                                                                      |
| address3<br /><br />string<br /><br />Optional   | Third line of the street address (or equivalent local portion) of the cardholder’s shipping/billing address.<br /><br />**Allowable Values:**<br /><br />50 char max                                                                                                                                                                                                                                                                                                                       |
| city<br /><br />string<br /><br />Optional       | City of the cardholder’s shipping/billing address.<br /><br />**Allowable Values:**<br /><br />50 char max                                                                                                                                                                                                                                                                                                                                                                                 |
| state<br /><br />string<br /><br />Optional      | ISO 3166-2 country subdivision code associated with the state or province of the cardholder’s shipping/billing address. See also: <a href="https://en.wikipedia.org/wiki/ISO_3166-2:US">[https://en.wikipedia.org/wiki/ISO\_3166-2:US](https://en.wikipedia.org/wiki/ISO_3166-2:US)</a><br /><br />**Allowable Values:**<br /><br />Two- or three-digit state code                                                                                                                         |
| post\_code<br /><br />string<br /><br />Optional | ZIP or postal code of the cardholder’s shipping/billing address.<br /><br />**Allowable Values:**<br /><br />16 char max                                                                                                                                                                                                                                                                                                                                                                   |
| country<br /><br />string<br /><br />Optional    | ISO 3166-1 three-digit country code of the cardholder’s shipping/billing address. See also: <a href="https://www.iso.org/iso-3166-country-codes.html">[https://www.iso.org/iso-3166-country-codes.html](https://www.iso.org/iso-3166-country-codes.html)</a> and <a href="https://en.wikipedia.org/wiki/ISO_3166-2">[https://en.wikipedia.org/wiki/ISO\_3166-2](https://en.wikipedia.org/wiki/ISO_3166-2)</a><br /><br />**Allowable Values:**<br /><br />Two- or three-digit country code |

<h3 id="_the_card_expiry_date_object">
  The card\_expiry\_date object
</h3>

| Fields                                                  | Description                                                                                                                                                                      |
| ------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| two\_digit\_year<br /><br />integer<br /><br />Required | Two-digit year when this card expires. For example, if the card expires in the year 2025, this value is 25.<br /><br />**Allowable Values:**<br /><br />Two-digit integer        |
| month<br /><br />integer<br /><br />Required            | Month of the year when this card expires. For example, if the card expires in February, this value is 2.<br /><br />**Allowable Values:**<br /><br />minimum: 1<br />maximum: 12 |

<h3 id="_threedsdecisionresponse_response">
  ThreeDSDecisionResponse (response)
</h3>

The response to an ACS decision request. Your decision service must respond to each delegated decision request with a decision of `CHALLENGE`, `DECLINE`, or `EXEMPT`. Ensure that your response body adheres to the specifications in this section. You must include all required fields regardless of whether you challenge or exempt the request.

| Fields                                                     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| ---------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| acs\_transaction\_id<br /><br />string<br /><br />Required | Universally unique transaction identifier assigned by the ACS to identify a single transaction. Respond with the same value sent in the request. (EMVCo reference: `acsTransID`)<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                          |
| type<br /><br />string<br /><br />Optional                 | Authentication type that determines the action to be taken by the receiver of this message.<br /><br />**Allowable Values:**<br /><br />`authentication.decision`                                                                                                                                                                                                                                                                                                                                                                 |
| recommended\_action<br /><br />string<br /><br />REQUIRED  | Whether the ACS system should `CHALLENGE`, `DECLINE`, or `EXEMPT` the transaction from the SCA. This field indicates whether a challenge is required in order for the transaction to be authorized. (EMVCo reference: `acsChallengeMandated`)<br /><br />**Allowable Values:**<br /><br />- `CHALLENGE` - Strong Customer Authentication (SCA) challenge required<br /><br />- `DECLINE` - Transaction should be declined due to high fraud risk<br /><br />- `EXEMPT` - Transaction qualifies for SCA exemption (low risk/value) |
| model<br /><br />string<br /><br />Optional                | Which model was used to score the request.<br /><br />**Allowable Values:**<br /><br />minLength: 2<br />maxLength: 64<br /><br />**Example:**<br />FraudModel\_inttest\_1534190172                                                                                                                                                                                                                                                                                                                                               |
| challenge\_score<br /><br />number<br /><br />Optional     | The confidence interface between \[0..1] (0 being least confident and 1 being most confident) in the `recommended_action`.<br /><br />**Allowable Values:**<br /><br />**Example:**<br />0.89                                                                                                                                                                                                                                                                                                                                     |
| reasons<br /><br />array<br /><br />Optional               | Reasons why the challenge or exemption was recommended.<br /><br />**Allowable Values:**<br /><br />A valid array.                                                                                                                                                                                                                                                                                                                                                                                                                |
| primary\_reason<br /><br />string<br /><br />Optional      | Primary reason why the challenge or exemption was recommended.<br /><br />**Allowable Values:**<br /><br />255 char max                                                                                                                                                                                                                                                                                                                                                                                                           |
| use\_otp\_challenge<br /><br />boolean<br /><br />Optional | Indicates if the Marqeta OTP challenge will be used to authenticate the cardholder. If not sent, the program-level challenge preference will be used.<br /><br />**Allowable Values:**<br /><br />`true`, `false`                                                                                                                                                                                                                                                                                                                 |
| api<br /><br />object<br /><br />Optional                  | Information regarding the API call and how it was handled.<br /><br />**Allowable Values:**<br /><br />See <a href="#_decisionserviceresponse_response">DecisionServiceResponse</a>.                                                                                                                                                                                                                                                                                                                                              |

<h3 id="_apiresponsewitherrors_response">
  APIResponseWithErrors (response)
</h3>

A list of problems with the request that the caller might be able to fix.

| Fields                                              | Description                                                                                                                                                                                                               |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| version\_used<br /><br />string<br /><br />Optional | The version of the API that the server supports and is using. Do not simply echo back the `X-VERSION` header.<br /><br />**Allowable Values:**<br /><br />Pattern: `^\d+\.\d+\.\d+$`<br /><br />**Example:**<br />31.41.5 |
| errors<br /><br />string<br /><br />Optional        | The error with a message that might be helpful when debugging.<br /><br />**Allowable Values:**<br /><br />255 char max                                                                                                   |

<h3 id="_response_codes">
  Response codes
</h3>

| Code | Description                                                                                                                   |
| ---- | ----------------------------------------------------------------------------------------------------------------------------- |
| 200  | The decision whether to exempt or to challenge. See <a href="#_threedsdecisionresponse_response">ThreeDSDecisionResponse</a>. |
| 400  | Invalid ACS payload detected. See <a href="#_apiresponsewitherrors_response">APIResponseWithErrors</a>.                       |
| 401  | Authentication information is missing or invalid headers.                                                                     |
| 500  | No model could be found or loaded, including the default.                                                                     |

<h3 id="_sample_request_body">
  Sample request body
</h3>

```json JSON expandable lines wrap theme={null}
{
  "acs_transaction_id": "acs_transaction_id",
  "type": "authentication.decision",
  "state": "PENDING",
  "user_token": "user_token",
  "acting_user_token": "acting_user_token",
  "card_token": "card_token",
  "created_time": "2025-02-12T18:16:32.123Z",
  "network": "VISA",
  "message_version": "2.1.0",
  "message_extension": [
    {
      "name": "name",
      "id": "id",
      "criticality_indicator": true,
      "data": "data"
    }
  ],
  "authentication_request_type": "PAYMENT",
  "requester": {
    "notification_url": "https://www.example.com/path/to/resource",
    "challenge_preference": "NO_CHALLENGE",
    "decoupled_challenge_preference": "DECOUPLED_AUTHENTICATION_PREFERRED",
    "name": "requestor_name",
    "customer_care_url": "https://help.example.com/customer-service",
    "request_type": "RECURRING",
    "cardholder_authentication_by_merchant": {
      "data": "data",
      "method": "FIDO",
      "time": "2025-02-11T19:16:32Z",
      "status": true
    },
    "prior_cardholder_authentication": {
      "data": "string",
      "method": "FRICTIONLESS_AUTHENTICATION_BY_ACS",
      "time": "2025-02-11T18:16:32Z",
      "acs_transaction_id": "acs_transaction_id"
    },
    "sdk": {
      "application_id": "application_id",
      "reference_number": "reference_number"
    }
  },
  "server": {
    "reference_number": "reference_number",
    "operator_id": "operator_id"
  },
  "client_browser": {
    "accept_headers": "string",
    "ip_address": "172.16.254.1",
    "is_java_enabled": true,
    "is_javascript_enabled": true,
    "language": "en-US",
    "timezone_offset_in_minutes": 0,
    "user_agent": "user_agent"
  },
  "device": {
    "channel": "APP_BASED",
    "additional_data": "data"
  },
  "cardholder_account": {
    "identifier": "cardholder_id",
    "name": "cardholder_name",
    "email": "user@example.com",
    "account_type": "NOT_AVAILABLE",
    "card_expiry_date": {
      "two_digit_year": 23,
      "month": 2
    },
    "account_age": "DURING_TRANSACTION",
    "last_updated_date": "2025-02-12T18:16:32Z",
    "last_updated_duration": "THIS_TRANSACTION",
    "date_created": "2025-02-12T18:16:32Z",
    "password_changed_date": "2025-02-12T18:16:32Z",
    "password_changed_duration": "NO_CHANGE",
    "enrolled_date": "2025-02-12T18:16:32Z",
    "enrolled_duration": "NOT_ENROLLED",
    "shipping_address_first_used_date": "2025-02-12T18:16:32Z",
    "shipping_address_first_used_duration": "THIS_TRANSACTION",
    "ship_to_name_is_cardholder_name": true,
    "experienced_suspicious_activity": true,
    "phones": {
      "additionalProp1": {
        "country_code": "1",
        "subscriber": "5105551212"
      },
      "additionalProp2": {
        "country_code": "1",
        "subscriber": "5105551212"
      },
      "additionalProp3": {
        "country_code": "1",
        "subscriber": "5105551212"
      }
    },
    "statistics": {
      "purchase_count_6_months": 0,
      "provision_attempt_count_24_hours": 0,
      "transactions_count_24_hours": 0,
      "transactions_count_1_year": 0
    },
    "billing_address": {
      "address1": "1 Address Street",
      "address2": "Apt A",
      "address3": "",
      "city": "Omaha",
      "state": "NE",
      "post_code": "68134",
      "country": "USA"
    },
    "shipping_address": {
      "address1": "Post Office Box 0",
      "address2": "",
      "address3": "",
      "city": "Omaha",
      "state": "NE",
      "post_code": "68134",
      "country": "USA"
    }
  },
  "directory_server": {
    "reference_number": "reference_number",
    "authentication_result_url": "https://server.example.com/path"
  },
  "transaction": {
    "transaction_type": "PAYMENT",
    "sub_type": "PURCHASE",
    "amount": 199,
    "currency_code": 978,
    "exponent": 2,
    "date": "2025-02-12T18:16:32Z",
    "shipping_address_is_billing_address": true,
    "maximum_permitted_installments": 0,
    "detokenisation_source": "3DS_SERVER",
    "recurring": {
      "expiration_date": "2025-07-21",
      "minimum_days_between_authorizations": 7
    }
  },
  "card_acceptor": {
    "acquirer_bin": "acquirer_bin",
    "merchant_id": "merchant_id",
    "merchant_category_code": "5734",
    "country": "826",
    "name": "Company 3DS2 Validation",
    "risk_indicators": {
      "delivery": {
        "email": "user@example.com",
        "timeframe": "ELECTRONIC"
      },
      "gift_cards": {
        "currency_code": 978,
        "loaded_amount": 0,
        "number_of_cards_purchased": 0
      },
      "pre_order": {
        "merchandise_available_date": "2025-02-21",
        "merchandise_availability": "IMMEDIATE"
      },
      "is_reorder": true,
      "shipping_indicator": "BILLING_ADDRESS"
    }
  },
  "whitelist": {
    "status": "WHITELISTED",
    "source": "3DS_SERVER"
  }
}
```

<h3 id="_sample_response_body">
  Sample response body
</h3>

```json JSON lines wrap theme={null}
{
  "acs_transaction_id": "acs_transaction_id",
  "type": "authentication.decision",
  "recommended_action": "CHALLENGE",
  "model": "FraudModel_inttest_1534190172",
  "challenge_score": 0.89,
  "reasons": [
    "Three_ds.2.2.article.14",
    "Three_ds.2.2.article.16"
  ],
  "primary_reason": "Three_ds.2.2.article.14",
  "use_otp_challenge": true,
  "api": {
    "version_used": "31.41.5"
  }
}
```

<h2 id="_notify_a_3ds_completion_status">
  Notify a 3DS completion status
</h2>

**Action:** `POST`\
**Endpoint:** `/three-ds/challenge-result`

Informs the Delegated 3DS decision service whether or not the strong customer authentication (SCA) challenge has succeeded, which is required to evaluate future transactions. This is the URL of the notification endpoint hosted in your environment, to which `POST` messages are submitted by the Marqeta platform.

<h3 id="_body_field_details_2">
  Body field details
</h3>

The following table describes the payload required to score an ACS request.

<h4 id="_the_threedschallengeresultrequest_object">
  The ThreeDSChallengeResultRequest object
</h4>

| Fields                                                       | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| acs\_transaction\_id<br /><br />string<br /><br />Required   | Universally unique transaction identifier assigned by the ACS to identify a single transaction. (EMVCo reference: `acsTransID`)<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| type<br /><br />string<br /><br />Optional                   | Authentication type that determines the action to be taken by the receiver of this message.<br /><br />**Allowable Values:**<br /><br />`authentication.result`                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| state<br /><br />string<br /><br />Optional                  | Status of the requested authentication.<br /><br />**Allowable Values:**<br /><br />- `PENDING` - Authentication request is pending processing<br /><br />- `SUCCESS` - Authentication completed successfully<br /><br />- `FAILED` - Authentication failed or was rejected                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| card\_token<br /><br />string<br /><br />Optional            | Marqeta-assigned unique card token identifying the card being used.<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| user\_token<br /><br />string<br /><br />Optional            | Marqeta-assigned unique user token identifying the user.<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| acting\_user\_token<br /><br />string<br /><br />Optional    | Marqeta-assigned unique user token identifying the user performing the transaction.<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| authentication\_method<br /><br />string<br /><br />Optional | Method used to authenticate the cardholder.<br /><br />**Allowable Values:**<br /><br />- `BIOMETRIC_FACE` - Facial recognition authentication<br /><br />- `BIOMETRIC_FINGERPRINT` - Fingerprint authentication<br /><br />- `VOICE_RECOGNITION` - Voice pattern recognition authentication<br /><br />- `IN_APP_LOGIN` - Authentication within the issuer’s mobile application<br /><br />- `AUDIO_CALL` - Voice call with human or automated verification<br /><br />- `VIDEO_CALL` - Video call with human verification<br /><br />- `OTP_SMS` - One-time password sent via SMS text message<br /><br />- `OTP_EMAIL` - One-time password sent via email<br /><br />- `KNOWLEDGE_BASED` - Knowledge-based authentication, such as security questions<br /><br />- `OTHER` - Other authentication method not listed above                                                                |
| authentication\_result<br /><br />string<br /><br />Optional | Result of the authentication performed.<br /><br />**Allowable Values:**<br /><br />- `SUCCESS` - Authentication was successful and the cardholder was verified<br /><br />- `FAILED` - Authentication failed due to incorrect credentials or verification<br /><br />- `CANCELLED` - Authentication was cancelled by cardholder or system timeout<br /><br />- `NOT_AUTHENTICATED` - Authentication could not be performed or completed                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
| interaction\_counter<br /><br />integer<br /><br />Optional  | Indicates the number of authentication cycles attempted by the cardholder. Value to be tracked by the ACS. (EMVCo reference: `interactionCounter`)<br /><br />**Allowable Values:**<br /><br />As provided by the ACS<br /><br />**Default Value:**<br />1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| cancel\_reason<br /><br />integer<br /><br />Optional        | Indicates to the ACS and the DS that the authentication has been cancelled. (EMVCo reference: `challengeCancel`)<br /><br />**Allowable Values:**<br /><br />- `CARDHOLDER_CANCEL` - Cardholder explicitly cancelled the authentication<br /><br />- `CHALLENGE_CANCELLED_BY_TRANSACTION_ERROR` - Challenge cancelled due to transaction error<br /><br />- `TIMED_OUT_AT_ACS` - ACS timed out during challenge processing<br /><br />- `TIMED_OUT_AT_ACS_NO_CREQ` - ACS timed out before receiving challenge request<br /><br />- `TIMED_OUT_AT_SDK` - 3DS SDK timed out during authentication<br /><br />- `TIMED_OUT_DECOUPLED_AUTHENTICATION` - Decoupled authentication timed out waiting for cardholder response<br /><br />- `TIMED_OUT_OOB_AUTHENTICATION` - OOB authentication timed out waiting for response<br /><br />- `UNKNOWN` - Cancellation reason could not be determined |

<h3 id="_decisionserviceresponse_response">
  DecisionServiceResponse (response)
</h3>

Provides information regarding the call and how it was handled.

| Fields                                              | Description                                                                                                                                                                                                               |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| version\_used<br /><br />string<br /><br />Required | The version of the API that the server supports and is using. Do not simply echo back the `X-VERSION` header.<br /><br />**Allowable Values:**<br /><br />Pattern: `^\d+\.\d+\.\d+$`<br /><br />**Example:**<br />31.41.5 |

<h3 id="_response_codes_2">
  Response codes
</h3>

| Code | Description                                                                                                                                                                 |
| ---- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 200  | The result of the 3DS verification (SCA).                                                                                                                                   |
| 400  | Invalid ACS payload detected. See <a href="#_apiresponsewitherrors_response">APIResponseWithErrors</a>.                                                                     |
| 409  | Result already processed for this ACS transaction; any subsequent responses received are ignored. See <a href="#_apiresponsewitherrors_response">APIResponseWithErrors</a>. |
| 500  | No model could be found or loaded, including the default.                                                                                                                   |

<h3 id="_sample_request_body_2">
  Sample request body
</h3>

```json JSON lines wrap theme={null}
{
  "acs_transaction_id": "acs_transaction_id",
  "type": "authentication.result",
  "state": "PENDING",
  "authentication_method": "BIOMETRIC_FACE",
  "authentication_result": "SUCCESS",
  "interaction_counter": 0,
  "cancel_reason": "CARDHOLDER_CANCEL"
}
```

<h3 id="_sample_response">
  Sample response
</h3>

```json JSON lines wrap theme={null}
200 OK
```

<h2 id="_receive_an_advanced_authentication_challenge">
  Receive an Advanced Authentication challenge
</h2>

**Action:** `POST`\
**Endpoint:** `/three-ds/authentication`

Stand up this endpoint to receive a cardholder challenge from Marqeta using Advanced Authentication. An Advanced Authentication request prompts you to challenge the cardholder using advanced methods such as biometrics or voice recognition. For details on the Advanced Authentication process, see [Advanced Authentication](/developer-guides/about-3d-secure/#_advanced_authentication) and [Advanced authentication lifecycle](/developer-guides/about-3d-secure/#_advanced_authentication_lifecycle).

<h3 id="_request_header_2">
  Request header
</h3>

| Fields                                        | Description                                                                                                                                                                                                                   |
| --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| X-VERSION<br /><br />char<br /><br />Required | Identifies the version of the service and data structures used. This value is not the same as the 3DS version. If omitted, the latest version is assumed.<br /><br />**Allowable Values:**<br /><br />A valid version number. |

<h3 id="_body_field_details_3">
  Body field details
</h3>

The following table describes the payload required to authenticate a request.

<h4 id="_the_threedsauthenticationrequest_object">
  The ThreeDSAuthenticationRequest object
</h4>

| Fields                                                               | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| -------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| acs\_transaction\_id<br /><br />string<br /><br />Required           | Universally unique transaction identifier assigned by the ACS to identify a single transaction. (EMVCo reference: `acsTransID`)<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                               |
| type<br /><br />string<br /><br />Required                           | Authentication type that determines the action to be taken by the receiver of this message.<br /><br />**Allowable Values:**<br /><br />`authentication.challenge.out_of_band`, `authentication.challenge.decoupled`                                                                                                                                                                                                                                                                                                                                                  |
| state<br /><br />string<br /><br />Required                          | Status of the requested authentication.<br /><br />**Allowable Values:**<br /><br />- `PENDING` - Authentication request is pending processing<br /><br />- `SUCCESS` - Authentication completed successfully<br /><br />- `FAILED` - Authentication failed or was rejected                                                                                                                                                                                                                                                                                           |
| user\_token<br /><br />string<br /><br />Required                    | Marqeta-assigned unique user token identifying the user.<br /><br />**Allowable Values:**<br /><br />32 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| acting\_user\_token<br /><br />string<br /><br />Required            | Marqeta-assigned unique user token identifying the user performing the transaction.<br /><br />**Allowable Values:**<br /><br />32 char max                                                                                                                                                                                                                                                                                                                                                                                                                           |
| card\_token<br /><br />string<br /><br />Required                    | Marqeta-assigned unique card token identifying the user.<br /><br />**Allowable Values:**<br /><br />32 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| created\_time<br /><br />string<br /><br />Required                  | Authentication request time, expressed as an ISO-8601 UTC timestamp.<br /><br />**Allowable Values:**<br /><br />Format: yyyy-MM-ddThh:mm:ss.sssZ                                                                                                                                                                                                                                                                                                                                                                                                                     |
| network<br /><br />string<br /><br />Required                        | The card network associated with this authentication/decision request.<br /><br />**Allowable Values:**<br /><br />- `VISA` - Visa card network transactions<br /><br />- `MASTERCARD` - Mastercard network transactions                                                                                                                                                                                                                                                                                                                                              |
| message\_version<br /><br />string<br /><br />Required               | The 3DS protocol version used by the 3DS Requestor. (EMVCo reference: `messageversion`)<br /><br />**Allowable Values:**<br /><br />minLength: 5<br />maxLength: 8                                                                                                                                                                                                                                                                                                                                                                                                    |
| authentication\_request\_type<br /><br />string<br /><br />Optional  | Indicates the type of authentication request. (EMVCo reference: `threeDSRequestorAuthenticationInd`)<br /><br />**Allowable Values:**<br /><br />- `PAYMENT` - Payment transaction authentication<br /><br />- `RECURRING` - Recurring payment setup or processing<br /><br />- `INSTALLMENT` - Installment payment authentication<br /><br />- `ADD_CARD` - Adding a new card to cardholder account<br /><br />- `MAINTAIN_CARD` - Maintaining or updating existing card information<br /><br />- `EMV_CARDHOLDER_VERIFICATION` - EMV cardholder verification method |
| max\_response\_time<br /><br />number<br /><br />Required            | Indicates the maximum period of time, in minutes, that the 3DS Requestor will wait for an ACS to provide the results of a Decoupled Authentication transaction. (EMVCo reference: `threeDSRequestorDecMaxTime`)<br /><br />**Allowable Values:**<br /><br />A five-digit number with a value between `1` and `10080`, inclusive, without leading zeros.<br /><br />**Default value:**<br />8                                                                                                                                                                          |
| transaction<br /><br />object<br /><br />Required                    | Contains information about how the payment is being made.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_transaction_object">The transaction object</a>.                                                                                                                                                                                                                                                                                                                                                                                              |
| card\_acceptor<br /><br />object<br /><br />Required                 | Details about the merchant with which this transaction is being conducted.<br /><br />**Allowable Values:**<br /><br />See <a href="#_the_card_acceptor_object">The card\_acceptor object</a>.                                                                                                                                                                                                                                                                                                                                                                        |
| three\_ds\_requester\_app\_url<br /><br />string<br /><br />Optional | The fully qualified URL of the merchant application that initiated the 3D Secure authentication request.<br /><br />**Allowable Values:**<br /><br />255 char max                                                                                                                                                                                                                                                                                                                                                                                                     |
| three\_ds\_requester\_url<br /><br />string<br /><br />Optional      | The fully qualified URL of the merchant’s website or customer care site.<br /><br />**Allowable Values:**<br /><br />255 char max                                                                                                                                                                                                                                                                                                                                                                                                                                     |

<h3 id="_the_transaction_object_2">
  The transaction object
</h3>

Contains information about how the payment is being made.

| Fields                                                  | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| ------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| transaction\_type<br /><br />string<br /><br />Optional | Identifies the category of the message for a specific use case. (EMVCo reference: `messageCategory`)<br /><br />**Allowable Values:**<br /><br />`PAYMENT` - Payment transaction requiring authorization<br />`NON_PAYMENT` - Non-payment transaction, such as account verification                                                                                                                                                                                                                     |
| sub\_type<br /><br />string<br /><br />Optional         | Identifies the type of transaction being authenticated. (EMVCo reference: `transType`)<br /><br />**Allowable Values:**<br /><br />- `PURCHASE` - Goods or services purchase transaction<br /><br />- `ACCOUNT_VERIFICATION` - Account verification without payment<br /><br />- `ACCOUNT_FUNDING` - Loading funds to an account<br /><br />- `QUASI_CASH` - Cash-equivalent transaction, such as money orders<br /><br />- `PREPAID_ACTIVATION_AND_LOAD` - Prepaid card activation and initial loading |
| amount<br /><br />number<br /><br />Optional            | Purchase amount in minor units of currency with all punctuation removed. For example, a purchase for \$1.99 would be 199. (EMVCo reference: `purchaseAmount`)<br /><br />**Allowable Values:**<br /><br />Valid number                                                                                                                                                                                                                                                                                  |
| currency\_code<br /><br />number<br /><br />Optional    | ISO 4217 three-digit currency code of the payment or purchased gift card. See <a href="https://www.iso.org/iso-4217-currency-codes.html">[https://www.iso.org/iso-4217-currency-codes.html](https://www.iso.org/iso-4217-currency-codes.html)</a><br /><br />**Allowable Values:**<br /><br />minLength: 3<br />maxLength: 3                                                                                                                                                                            |
| exponent<br /><br />integer<br /><br />Optional         | Minor units of currency value, as specified in the ISO 4217 currency exponent. For USD, the value is 2. (EMVCo reference: `purchaseExponent`)<br /><br />**Allowable Values:**<br /><br />Valid ISO 4217 code See <a href="https://www.iso.org/iso-4217-currency-codes.html">[https://www.iso.org/iso-4217-currency-codes.html](https://www.iso.org/iso-4217-currency-codes.html)</a>                                                                                                                   |

<h3 id="_the_card_acceptor_object_2">
  The card\_acceptor object
</h3>

<Danger>
  **Warning**\
  This object reports information as supplied by the merchant, and could contain inaccurate or unexpected values.
</Danger>

| Fields                                                            | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
| ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| acquirer\_bin<br /><br />string<br /><br />Conditionally required | Acquiring institution identification code, as assigned by the DS receiving the AReq message. Required when `messageCategory = 01`; optional when `messageCategory = 02`. (EMVCo reference: `acquirerBIN`)<br /><br />**Allowable Values:**<br /><br />11 char max                                                                                                                                                                                                   |
| merchant\_id<br /><br />string<br /><br />Conditionally required  | Acquirer-assigned merchant identifier. Required when `messageCategory = 01`; optional when `messageCategory = 02`. (EMVCo reference: `acquirerMerchantID`)<br /><br />**Allowable Values:**<br /><br />35 char max                                                                                                                                                                                                                                                  |
| merchant\_category\_code<br /><br />string<br /><br />Optional    | Merchant Category Code (MCC). DS-specific code describing the merchant’s type of product or service. (EMVCo reference: `mcc`)<br /><br />**Allowable Values:**<br /><br />minLength: 4<br />maxLength: 4                                                                                                                                                                                                                                                            |
| country<br /><br />string<br /><br />Optional                     | ISO 3166-1 three-digit country code of the merchant address. See also: <a href="https://www.iso.org/iso-3166-country-codes.html">[https://www.iso.org/iso-3166-country-codes.html](https://www.iso.org/iso-3166-country-codes.html)</a> and <a href="https://en.wikipedia.org/wiki/ISO_3166-2">[https://en.wikipedia.org/wiki/ISO\_3166-2](https://en.wikipedia.org/wiki/ISO_3166-2)</a><br /><br />**Allowable Values:**<br /><br />minLength: 2<br />maxLength: 3 |
| name<br /><br />string<br /><br />Optional                        | Merchant name assigned by the acquirer or payment system. (EMVCo reference: `merchantName`)<br /><br />**Allowable Values:**<br /><br />40 char max                                                                                                                                                                                                                                                                                                                 |

<h3 id="_response_codes_3">
  Response codes
</h3>

| Code | Description                                                          |
| ---- | -------------------------------------------------------------------- |
| 200  | Successful acknowledgement of a 3DS Advanced Authentication request. |
| 400  | Invalid authentication payload detected.                             |
| 401  | Unauthorized 3DS Authentication request.                             |
| 403  | Forbidden 3DS Authentication request.                                |
| 500  | Internal server error, unable to process the request.                |

<h3 id="_sample_request_body_3">
  Sample request body
</h3>

```json JSON expandable lines wrap theme={null}
{
  "acs_transaction_id": "acs_transaction_id",
  "type": "authentication.challenge.out_of_band",
  "state": "PENDING",
  "user_token": "user_token",
  "acting_user_token": "acting_user_token",
  "card_token": "card_token",
  "created_time": "2025-06-08T17:49:56.594Z",
  "network": "VISA",
  "message_version": "2.1.0",
  "authentication_request_type": "PAYMENT",
  "max_response_time": 7,
  "transaction": {
    "transaction_type": "PAYMENT",
    "sub_type": "PURCHASE",
    "amount": 199,
    "currency_code": 978,
    "exponent": 2
  },
  "card_acceptor": {
    "acquirer_bin": "acquirer_bin",
    "merchant_id": "merchant_id",
    "merchant_category_code": "5734",
    "country": "826",
    "name": "acceptor_name"
  }
}
```

<h3 id="_sample_response_2">
  Sample response
</h3>

```json JSON lines wrap theme={null}
200 OK
```

<h2 id="_update_an_authentication_result_to_marqeta">
  Update an authentication result to Marqeta
</h2>

**Action:** `POST`\
**Endpoint URL:** `https://authentication-acs.marqeta.com/v3/three-ds/authentication-result`

Accepts the 3DS out-of-band/decoupled challenge result and informs the ACS of the cardholder authentication result. Use your Marqeta Core API credentials.

<h3 id="_body_field_details_4">
  Body field details
</h3>

The following table describes the response to an ACS authentication request.

<h4 id="_the_threedsauthenticationresultrequest_object">
  The ThreeDSAuthenticationResultRequest object
</h4>

| Fields                                                       | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| acs\_transaction\_id<br /><br />string<br /><br />Required   | Universally unique transaction identifier assigned by the ACS to identify a single transaction. (EMVCo reference: `acsTransID`)<br /><br />**Allowable Values:**<br /><br />36 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| authentication\_method<br /><br />string<br /><br />Required | Method used to authenticate the cardholder.<br /><br />**Allowable Values:**<br /><br />- `BIOMETRIC_FACE` - Facial recognition authentication<br /><br />- `BIOMETRIC_FINGERPRINT` - Fingerprint authentication<br /><br />- `VOICE_RECOGNITION` - Voice pattern recognition authentication<br /><br />- `IN_APP_LOGIN` - Authentication within the issuer’s mobile application<br /><br />- `AUDIO_CALL` - Voice call with human or automated verification<br /><br />- `VIDEO_CALL` - Video call with human verification<br /><br />- `OTP_SMS` - One-time password sent via SMS text message<br /><br />- `OTP_EMAIL` - One-time password sent via email<br /><br />- `KNOWLEDGE_BASED` - Knowledge-based authentication, such as security questions<br /><br />- `OTHER` - Other authentication method not listed above |
| authentication\_result<br /><br />string<br /><br />Required | Result of the authentication performed.<br /><br />**Allowable Values:**<br /><br />- `SUCCESS` - Authentication was successful and the cardholder was verified<br /><br />- `FAILED` - Authentication failed due to incorrect credentials or verification<br /><br />- `CANCELLED` - Authentication was cancelled by cardholder or system timeout<br /><br />- `NOT_AUTHENTICATED` - Authentication could not be performed or completed                                                                                                                                                                                                                                                                                                                                                                                     |
| interaction\_counter<br /><br />integer<br /><br />Optional  | Indicates the number of authentication cycles attempted by the cardholder. Value to be tracked by the ACS. (EMVCo reference: `interactionCounter`)<br /><br />**Allowable Values:**<br /><br />As provided by the ACS<br /><br />**Default Value:**<br />1                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| cancel\_reason<br /><br />string<br /><br />Optional         | Indicator informing the ACS and the DS that the authentication has been cancelled. (EMVCo reference: `challengeCancel`)<br /><br />**Allowable Values:**<br /><br />- `CARDHOLDER_CANCEL` - Cardholder explicitly cancelled authentication<br /><br />- `TIMED_OUT_DECOUPLED_AUTHENTICATION` - Decoupled/out of band (OOB) authentication timed out waiting for response<br /><br />- `TIMED_OUT_AT_ACS` - ACS timed out after receiving initial challenge request but before completion<br /><br />- `TIMED_OUT_AT_ACS_NO_CREQ` - ACS timed out waiting for first challenge request after authentication response challenge required<br /><br />- `TIMED_OUT_AT_SDK` - 3DS SDK timed out during authentication process<br /><br />- `UNKNOWN` - Cancellation reason could not be determined                                 |
| message\_version<br /><br />string<br /><br />Required       | The 3DS protocol version used by the 3DS Requestor. Echo the value from the Advanced Authentication request. (EMVCo reference: `messageversion`)<br /><br />**Allowable Values:**<br /><br />8 char max                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |

<h3 id="_response_codes_4">
  Response codes
</h3>

| Code | Description                                                            |
| ---- | ---------------------------------------------------------------------- |
| 200  | Successful acknowledgement of 3DS Authentication result.               |
| 400  | Invalid payload detected.                                              |
| 401  | Unauthorized 3DS Authentication request.                               |
| 403  | Forbidden 3DS Authentication request.                                  |
| 500  | Internal server error, unable to process the request. Please resubmit. |

<h3 id="_sample_request_body_4">
  Sample request body
</h3>

```json JSON lines wrap theme={null}
{
  "acs_transaction_id": "acs_transaction_id",
  "authentication_method": "BIOMETRIC_FACE",
  "authentication_result": "SUCCESS",
  "interaction_counter": 0,
  "cancel_reason": "CARDHOLDER_CANCEL",
  "message_version": "2.1.0"
}
```

<h3 id="_sample_response_3">
  Sample response
</h3>

```json JSON lines wrap theme={null}
200 OK
```


## Related topics

- [3D Secure Overview](/docs/developer-guides/3ds-landing-page.md)
- [About 3D Secure](/docs/developer-guides/about-3d-secure.md)
- [3D Secure Setup](/docs/developer-guides/3ds-setup.md)
- [3D Secure in Europe](/docs/developer-guides/mq-eu-3ds.md)
- [3D Secure Risk Engine Schema](/docs/developer-guides/3ds-risk-engine-schema.md)
