Initiate Authentication

Request returning which payer authentication mechanism (e.g. 3-D Secure authentication version 2, 3-D Secure authentication version 1, RuPay PaySecure) the gateway recommends you to use for this order.

Where both 3-D Secure Authentication version 1 and version 2 are available the gateway returns 3-D Secure authentication version 2.

You must provide details about the card, the purpose of the authentication (e.g payment or card registration only), and how the payer will interact with the authentication process (e.g. via the browser or mobile app).

You can provide the actual card details, or a gateway token, scheme token or device payment details.

The response will indicate, if payer authentication is available. You can either

  • only proceed with the Authenticate Payer operation where the response indicates that payer authentication is available (transaction.authenticationStatus=AUTHENTICATION_AVAILABLE ) or
  • (to simplify your integration) always proceed with the Authenticate Payer operation. Where no payer authentication is available, the payer will simply be redirected back to your website.
When performing payer authentication we recommend you use a payment session. This will allow you to share the request data across the multiple operations required to carry out both the payer authentication and transaction processing.

When using a payment session build your integration as follows:
  • When you create the payment session, populate it with all the transaction data required for the Authenticate Payer operation.
  • As soon as you have the card number, invoke the Initiate Authentication operation with the payment session identifier. It is recommended that you perform this asynchronously, so that the payer can continue filling out payment details.
  • When the payers clicks PAY, update the payment session with the additional data entered by the payer and invoke the Authenticate Payer operation with the payment session identifier.
  • On your website, receive the POST callback from the gateway following the Authenticate Payer operation and submit the payment for processing by the gateway with the payment session identifier.
Usage Note

Using the Initiate Authenticate and Authenticate Payer operations for 3-D Secure authentication requires you to manage a variety of authentication flows and understand the 3-D Secure version 2 data flows as published by EMVCo.

A more simple alternatively is to use the gateway's threeDS.js library.

POST https://anzegate.gateway.mastercard.com/api/nvp/version/66

Authentication

This operation requires authentication via one of the following methods:


  • Certificate authentication.
  • To authenticate to the API two additional NVP parameters must be supplied in the request. Provide 'merchant.<your gateway merchant ID>' in the apiUsername field and your API password in the apiPassword field.

Request

Fields

apiOperation String = INITIATE_AUTHENTICATION FIXED

Any sequence of zero or more unicode characters.

authentication OPTIONAL

Information about how the payer's identity is verified.

For example, using 3-D Secure authentication.

This parameter group include payer authentication options available to you, parameters you need to perform payer authentication for an available method, and the results of payer authentication.

authentication.acceptVersions Comma Separated Enumeration OPTIONAL

A comma separated list of the payer authentication methods that you will accept for this payment.

You only need to provide a value if you want to restrict the authentication methods you will accept.

If you do not specify a value, then the gateway treats it as if you will accept all available authentication methods.

If you accept both 3DS2 and 3DS1, then the gateway will use 3-D Secure version 2 if supported by the issuer and fallback to use 3-D Secure version 1 if it is not.

Value must be one or more comma separated members of the following list. The values are case sensitive.

3DS1

3-D Secure Version 1

3DS2

3-D Secure Version 2

authentication.channel Enumeration REQUIRED

Indicates the channel in which the authentication request is being initiated.

Value must be a member of the following list. The values are case sensitive.

MERCHANT_REQUESTED

The merchant is requesting authentication of a cardholder without the payer being available for interaction (for example. as part of processing of a recurring payment).

PAYER_APP

Payer is interacting via an application on their device which uses an EMVCo-certified SDK.

PAYER_BROWSER

Payer is interacting via web browser (for example, with the merchant's ecommerce web-site).

authentication.purpose Enumeration OPTIONAL

Indicates the context in which payer authentication is being requested.

If you do not provide a value, the gateway will use PAYMENT_TRANSACTION as the default.

If you are authenticating the payer when establishing a payment agreement with your payer for a series of recurring, installment or unscheduled payments you must provide details about the agreement in the agreement parameter group in the AUTHENTICATE_PAYER request for this transaction.

Note:

  • • If you set this value to ADD_CARD or MAINTAIN_CARD, then set order.amount to zero and order.currency to any currency you support.
  • • If the authentication scheme that applies to the account does not support the purpose that you have requested, this call will return an authenticationStatus of AUTHENTICATION_NOT_SUPPORTED.
  • • If you set this to REFRESH_AUTHENTICATION then when you perform the subsequent Authenticate Payer operation you must provide details of the original authentication, either by providing the authentication data explicitly via the fields customer.account.history.issuerAuthentication.acsTransactionId, customer.account.history.issuerAuthentication.authenticationToken, customer.account.history.issuerAuthentication.time and customer.account.history.issuerAuthentication.type, or by providing the gateway reference of the original authentication operation in customer.account.history.issuerAuthentication.transactionId.

Value must be a member of the following list. The values are case sensitive.

ADD_CARD

Authentication performed before a payer's card is stored on file either directly by the merchant or using the gateway's tokenization feature. A payment is not being processed.

MAINTAIN_CARD

Authentication performed before updating details of a payer's card stored on file either directly by the merchant or using the gateway's tokenization feature. A payment is not being processed.

PAYMENT_TRANSACTION

Authentication performed when of processing a card payment.

REFRESH_AUTHENTICATION

Authentication performed in order to obtain a new authentication token to replace one previously obtained for the order which is no longer valid (for example, because the order amount has changed in the time between originally performing authentication and submitting the financial transaction).

correlationId String OPTIONAL

A transient identifier for the request, that can be used to match the response to the request.

The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.

Data can consist of any characters

Min length: 1 Max length: 100
lineOfBusiness String OPTIONAL

Your payment service provider might have configured your merchant profile to support several lines of business.

Each line of business can have different payment parameters, such as bank account, supported cards or such.

For example, lineOfBusiness = TICKET_SALES can have a different bank account from lineOfBusiness = MERCHANDISING. One line of business on your profile might be "null". To use that, do not provide the lineOfBusiness field.

Data can consist of any characters except space

Min length: 1 Max length: 100
order.id String REQUIRED

A unique identifier for this order to distinguish it from any other order you create.

Use this identifier when referring to this order in subsequent transactions and in retrieval operations. This value must be unique for every order you create using your merchant profile.

Data can consist of any characters

Min length: 1 Max length: 40
partnerSolutionId String OPTIONAL

If, when integrating with the gateway, you are using a solution (e.g. a shopping cart or e-commerce solution) provided, supported or certified by your payment service provider, enter the solution ID issued by your payment service provider here.

If your payment service provider has not provided you with a solution ID, you should ignore this field.

Data can consist of any characters

Min length: 1 Max length: 40
session.id ASCII Text OPTIONAL

Identifier of the payment session containing values for any of the request fields to be used in this operation.

Values provided in the request will override values contained in the session.

Data consists of ASCII characters

Min length: 31 Max length: 35
session.version ASCII Text OPTIONAL

Use this field to implement optimistic locking of the session content.

Do this if you make business decisions based on data from the session and wish to ensure that the same data is being used for the request operation.

To use optimistic locking, record session.version when you make your decisions, and then pass that value in session.version when you submit your request operation to the gateway.

If session.version provided by you does not match that stored against the session, the gateway will reject the operation with error.cause=INVALID_REQUEST.

See Making Business Decisions Based on Session Content.

Data consists of ASCII characters

Min length: 10 Max length: 10
transaction OPTIONAL

Information about this transaction.

transaction.reference String OPTIONAL

An optional identifier for this transaction.

Data can consist of any characters

Min length: 1 Max length: 40
transaction.id String REQUIRED

Unique identifier for this transaction to distinguish it from any other transaction on the order.

An order can have transactions representing:

  • Movement of money. For example, payments and refunds.
  • Validations. For example, account verification or 3-D Secure authentication of the payer.
  • Undoing other transactions. For example, voiding a payment transaction.
  • Chargebacks.
  • Fees from your payment service provider.
Each transaction on the order must have a unique id that identifies that transaction. Some transactions also hold the transaction identifier of other transactions on the order. For example a void payment transaction references the original payment transaction that is being voided.

If you attempt an operation and it fails (eg you try to PAY on a card with no funds), then you need a new id for each retry.

Data can consist of any characters

Min length: 1 Max length: 40

Response

Fields

authentication CONDITIONAL

Information about how the payer's identity is verified.

For example, using 3-D Secure authentication.
This parameter group include payer authentication options available to you, parameters you need to perform payer authentication for an available method, and the results of payer authentication.

authentication.3ds1 CONDITIONAL

Information about payer authentication using 3-D Secure authentication version 1.

authentication.3ds1.veResEnrolled Alpha ALWAYS PROVIDED

Indicates whether or not payer authentication is available for the card number you provided.

This is for experts only - most users should use the response.gatewayRecommendation field.

This is the value returned in the 'enrolled' field of the Verify Enrollment Response (VERes) message from the card scheme's Directory Server. For example, Y, N, or U. Refer to the relevant documentation for Mastercard SecureCode™, Verified by Visa™, JCB J/Secure™, American Express SafeKey™, or Diners Club ProtectBuy™.

Data may consist of the characters a-z, A-Z

Min length: 1 Max length: 1
authentication.3ds2 CONDITIONAL

Information about payer authentication using 3-D Secure authentication version 2.

authentication.3ds2.directoryServerId String CONDITIONAL

Unique identifier for the Directory Server (also called Registered Application Provider Identifier or RID).

This value is applicable when you authenticate the payer in-app using 3-D Secure authentication version 2.

In this case, provide this value in the directoryServerId field on the createTransaction method request message sent from the app on the payer's device to the 3-D Secure Software Development Kit (SDK).

Data can consist of any characters

Min length: 10 Max length: 10
authentication.3ds2.methodCompleted Boolean ALWAYS PROVIDED

Indicates if the issuer's Access Control Server (ACS) completed the method call to obtain additional information about the payer's browser.

The values 'true' or 'false'. (For a complete description, see http://www.w3.org/TR/xmlschema-2/#boolean.)

authentication.3ds2.methodSupported Enumeration ALWAYS PROVIDED

Indicates if the issuer's Access Control Server (ACS) support the method call.

Value must be a member of the following list. The values are case sensitive.

NOT_SUPPORTED

The ACS does not support the method call protocol.

SUPPORTED

The ACS supports the method call protocol.

authentication.3ds2.protocolVersion Alphanumeric + additional characters CONDITIONAL

The version of the EMV 3-D Secure protocol used to perform 3-D Secure authentication, in the format specified by EMVCo.

For example, 2.1.0.

Data may consist of the characters 0-9, a-z, A-Z, '.'

Min length: 1 Max length: 20
authentication.3ds2.requestorId String ALWAYS PROVIDED

The unique identifier assigned to the merchant by the card scheme directory server when the merchant registered to use 3-D Secure authentication version 2 with their acquirer.

Provide this value only for American Express Safekey and mada secure. For other authentication schemes it will be generated by the gateway.

Data can consist of any characters

Min length: 1 Max length: 35
authentication.3ds2.requestorName String ALWAYS PROVIDED

The unique name assigned to the merchant by the card scheme directory server when the merchant registered to use 3-D Secure authentication version 2 with their acquirer.

Provide this value only for American Express Safekey and mada secure. For other authentication schemes it will be generated by the gateway.

Data can consist of any characters

Min length: 1 Max length: 40
authentication.acceptVersions Comma Separated Enumeration ALWAYS PROVIDED

A comma separated list of the payer authentication methods that you will accept for this payment.

You only need to provide a value if you want to restrict the authentication methods you will accept.

If you do not specify a value, then the gateway treats it as if you will accept all available authentication methods.

If you accept both 3DS2 and 3DS1, then the gateway will use 3-D Secure version 2 if supported by the issuer and fallback to use 3-D Secure version 1 if it is not.

Value must be one or more comma separated members of the following list. The values are case sensitive.

3DS1

3-D Secure Version 1

3DS2

3-D Secure Version 2

authentication.channel Enumeration ALWAYS PROVIDED

Indicates the channel in which the authentication request is being initiated.

Value must be a member of the following list. The values are case sensitive.

MERCHANT_REQUESTED

The merchant is requesting authentication of a cardholder without the payer being available for interaction (for example. as part of processing of a recurring payment).

PAYER_APP

Payer is interacting via an application on their device which uses an EMVCo-certified SDK.

PAYER_BROWSER

Payer is interacting via web browser (for example, with the merchant's ecommerce web-site).

authentication.method Enumeration CONDITIONAL

The method that the issuer will use to authenticate the payer.

Value must be a member of the following list. The values are case sensitive.

DYNAMIC

The payer is authenticated using dynamic data. For example, a code sent to the payer's phone.

OUT_OF_BAND

The payer is authenticated by the issuer using another method. For example, by using a bank app on the payer's mobile device.

STATIC

The payer is authenticated using static data. For example, by providing responses to security questions for the payer's account.

authentication.purpose Enumeration CONDITIONAL

Indicates the context in which payer authentication is being requested.

If you do not provide a value, the gateway will use PAYMENT_TRANSACTION as the default.

If you are authenticating the payer when establishing a payment agreement with your payer for a series of recurring, installment or unscheduled payments you must provide details about the agreement in the agreement parameter group in the AUTHENTICATE_PAYER request for this transaction.

Note:

  • • If you set this value to ADD_CARD or MAINTAIN_CARD, then set order.amount to zero and order.currency to any currency you support.
  • • If the authentication scheme that applies to the account does not support the purpose that you have requested, this call will return an authenticationStatus of AUTHENTICATION_NOT_SUPPORTED.
  • • If you set this to REFRESH_AUTHENTICATION then when you perform the subsequent Authenticate Payer operation you must provide details of the original authentication, either by providing the authentication data explicitly via the fields customer.account.history.issuerAuthentication.acsTransactionId, customer.account.history.issuerAuthentication.authenticationToken, customer.account.history.issuerAuthentication.time and customer.account.history.issuerAuthentication.type, or by providing the gateway reference of the original authentication operation in customer.account.history.issuerAuthentication.transactionId.

Value must be a member of the following list. The values are case sensitive.

ADD_CARD

Authentication performed before a payer's card is stored on file either directly by the merchant or using the gateway's tokenization feature. A payment is not being processed.

MAINTAIN_CARD

Authentication performed before updating details of a payer's card stored on file either directly by the merchant or using the gateway's tokenization feature. A payment is not being processed.

PAYMENT_TRANSACTION

Authentication performed when of processing a card payment.

REFRESH_AUTHENTICATION

Authentication performed in order to obtain a new authentication token to replace one previously obtained for the order which is no longer valid (for example, because the order amount has changed in the time between originally performing authentication and submitting the financial transaction).

authentication.redirect CONDITIONAL

A collection of parameters required to produce the UI for payer authentication.

An example of a payer authentication UI is the redirection of the payer's browser to the issuer's Access Control Server (ACS) for 3-D Secure authentication. The gateway supports two models:

  • SIMPLE: The gateway gives you content (HTML and JavaScript) to put on your payment page, and that automatically triggers the authentication user experience.
  • CUSTOMIZED: The gateway gives you the raw parameters for the authentication method, and you create the required user experience yourself.

If you selected the SIMPLE case, the gateway will provide the authenticationRedirect data, even if your authentication system does not require it. This lets you have a single flow through your code for all authentication cases.

authentication.redirect.customized CONDITIONAL

The raw parameters for the authentication method, for you to create the required user experience yourself.

authentication.redirect.customized.3DS CONDITIONAL

The raw parameters for 3-D Secure authentication.

authentication.redirect.customized.3DS.methodPostData Base64 ALWAYS PROVIDED

Base64 URL encoded frame contents to be posted to the URL provided in authentication.3ds2.methodUrl.

This is used by the issuer's Access Control Server (ACS) to obtain additional information about the payer's browser to assist their risk assessment process. See EMVCo specification for details.

Data is Base64 encoded

Min length: 3 Max length: 1000
authentication.redirect.customized.3DS.methodUrl Url CONDITIONAL

The URL provided by the issuer to which you must post the data provided in authentication.3ds2.methodPostData.

See EMVCo specification for details.

Note: To simplify your integration, the gateway will always provide a methodURL that supports the EMVCo specification (even if the issuer's Access Control Server (ACS) does not provide a real one).

Ensure that the URL begins with 'https' and is longer than 11 characters.

authentication.redirectHtml String CONDITIONAL

Code to create the authentication UI.

Write this content into an empty <DIV> element being the last element in the <BODY> of your payment page.

Data can consist of any characters

Min length: 0 Max length: 40960
authentication.version Enumeration ALWAYS PROVIDED

If online authentication of the payer is available, then this field shows the type.

If no such authentication is available, the value is NONE.

Value must be a member of the following list. The values are case sensitive.

3DS1

3-D Secure Version 1 authentication is available.

3DS2

3-D Secure Version 2 authentication is available.

RUPAY

RuPay authentication is available.

NONE

No authentication is available.

encryptedData CONDITIONAL

This group is an encrypted JSON object containing authentication data obtained during the authentication process.

You can ignore this group if you are making a subsequent payment or Verify operation with the gateway, instead just rely on the response.gatewayRecommendation field.

However this group is applicable if:

  • you want to use 3-D Secure authentication data obtained to process the payment via another channel
  • you want to interpret some details of the 3-D Secure authentication response.
The data is encrypted by the gateway using, AES256 in GCM mode. To decrypt, use the key obtained from the Create Session response and the parameters in this group.

The decryption will yield a JSON object which will contain a subset of the following fields.
  • authentication.3ds.authenticationToken
  • authentication.3ds.acsEci
  • authentication.3ds.transactionId
  • authentication.3ds2.statusReasonCode
  • authentication.3ds2.transactionStatus
  • authentication.3ds2.dsTransactionId
  • authentication.3ds1.veResEnrolled
  • authentication.3ds1.paResStatus
  • sourceOfFunds.provided.card.expiry.month
  • sourceOfFunds.provided.card.expiry.year
  • sourceOfFunds.provided.card.number
  • sourceOfFunds.token
  • order.id
  • transaction.authenticationStatus
  • transaction.id
These elements correspond to the similarly named items in the response to merchant-authenticated Authenticate Payer requests.

encryptedData.ciphertext String ALWAYS PROVIDED

Base64 encoded ciphertext.

Data can consist of any characters

Min length: 1 Max length: 10000
encryptedData.nonce String ALWAYS PROVIDED

Base64 encoded GCM nonce.

Data can consist of any characters

Min length: 16 Max length: 16
encryptedData.tag String ALWAYS PROVIDED

Base64 encoded GCM tag.

Data can consist of any characters

Min length: 24 Max length: 24
lineOfBusiness String CONDITIONAL

Your payment service provider might have configured your merchant profile to support several lines of business.

Each line of business can have different payment parameters, such as bank account, supported cards or such.

For example, lineOfBusiness = TICKET_SALES can have a different bank account from lineOfBusiness = MERCHANDISING. One line of business on your profile might be "null". To use that, do not provide the lineOfBusiness field.

Data can consist of any characters except space

Min length: 1 Max length: 100
merchant Alphanumeric + additional characters ALWAYS PROVIDED

The unique identifier issued to you by your payment provider.

This identifier can be up to 12 characters in length.

Data may consist of the characters 0-9, a-z, A-Z, '-', '_'

Min length: 1 Max length: 40
result Enumeration ALWAYS PROVIDED

A system-generated high level overall result of the operation.

Value must be a member of the following list. The values are case sensitive.

FAILURE

The operation was declined or rejected by the gateway, acquirer or issuer

PENDING

The operation is currently in progress or pending processing

SUCCESS

The operation was successfully processed

UNKNOWN

The result of the operation is unknown

transaction ALWAYS PROVIDED

Information about this transaction.

transaction.authenticationStatus Enumeration CONDITIONAL

Indicates the result of payer authentication.

Value must be a member of the following list. The values are case sensitive.

AUTHENTICATION_ATTEMPTED

Payer authentication was attempted and a proof of authentication attempt was obtained.

AUTHENTICATION_AVAILABLE

Payer authentication is available for the payment method provided.

AUTHENTICATION_EXEMPT

Exemption from the Regulatory Technical Standards (RTS) requirements for Strong Customer Authentication (SCA) under the Payment Services Directive 2 (PSD2) regulations in the European Economic Area has been claimed or granted.

AUTHENTICATION_FAILED

The payer was not authenticated. You should not proceed with this transaction.

AUTHENTICATION_NOT_IN_EFFECT

There is no authentication information associated with this transaction.

AUTHENTICATION_NOT_SUPPORTED

The requested authentication method is not supported for this payment method.

AUTHENTICATION_PENDING

Payer authentication is pending completion of a challenge process.

AUTHENTICATION_REJECTED

The issuer rejected the authentication request and requested that you do not attempt authorization of a payment.

AUTHENTICATION_REQUIRED

Payer authentication is required for this payment, but was not provided.

AUTHENTICATION_SUCCESSFUL

The payer was successfully authenticated.

AUTHENTICATION_UNAVAILABLE

The payer was not able to be authenticated due to a technical or other issue.

transaction.id String ALWAYS PROVIDED

Unique identifier for this transaction to distinguish it from any other transaction on the order.

An order can have transactions representing:

  • Movement of money. For example, payments and refunds.
  • Validations. For example, account verification or 3-D Secure authentication of the payer.
  • Undoing other transactions. For example, voiding a payment transaction.
  • Chargebacks.
  • Fees from your payment service provider.
Each transaction on the order must have a unique id that identifies that transaction. Some transactions also hold the transaction identifier of other transactions on the order. For example a void payment transaction references the original payment transaction that is being voided.

If you attempt an operation and it fails (eg you try to PAY on a card with no funds), then you need a new id for each retry.

Data can consist of any characters

Min length: 1 Max length: 40
transaction.reference String CONDITIONAL

An optional identifier for this transaction.

Data can consist of any characters

Min length: 1 Max length: 40
transaction.type Enumeration ALWAYS PROVIDED

Indicates the type of action performed on the order.

Value must be a member of the following list. The values are case sensitive.

AUTHENTICATION

Authentication

AUTHORIZATION

Authorization

AUTHORIZATION_UPDATE

Authorization Update

CAPTURE

Capture

CHARGEBACK

Chargeback

DISBURSEMENT

Disbursement

FUNDING

The transaction transfers money to or from the merchant, without the involvement of a payer. For example, recording monthly merchant service fees from your payment service provider.

PAYMENT

Payment (Purchase)

REFUND

Refund

REFUND_REQUEST

Refund Request

VERIFICATION

Verification

VOID_AUTHORIZATION

Void Authorization

VOID_CAPTURE

Void Capture

VOID_PAYMENT

Void Payment

VOID_REFUND

Void Refund

version String CONDITIONAL

The Web Services API version that you submitted the request in.

Data can consist of any characters

Min length: 1 Max length: 8

Errors

error

Information on possible error conditions that may occur while processing an operation using the API.

error.cause Enumeration

Broadly categorizes the cause of the error.

For example, errors may occur due to invalid requests or internal system failures.

Value must be a member of the following list. The values are case sensitive.

INVALID_REQUEST

The request was rejected because it did not conform to the API protocol.

REQUEST_REJECTED

The request was rejected due to security reasons such as firewall rules, expired certificate, etc.

SERVER_BUSY

The server did not have enough resources to process the request at the moment.

SERVER_FAILED

There was an internal system failure.

error.explanation String

Textual description of the error based on the cause.

This field is returned only if the cause is INVALID_REQUEST or SERVER_BUSY.

Data can consist of any characters

Min length: 1 Max length: 1000
error.field String

Indicates the name of the field that failed validation.

This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.

Data can consist of any characters

Min length: 1 Max length: 100
error.supportCode String

Indicates the code that helps the support team to quickly identify the exact cause of the error.

This field is returned only if the cause is SERVER_FAILED or REQUEST_REJECTED.

Data can consist of any characters

Min length: 1 Max length: 100
error.validationType Enumeration

Indicates the type of field validation error.

This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.

Value must be a member of the following list. The values are case sensitive.

INVALID

The request contained a field with a value that did not pass validation.

MISSING

The request was missing a mandatory field.

UNSUPPORTED

The request contained a field that is unsupported.

result Enumeration

A system-generated high level overall result of the operation.

Value must be a member of the following list. The values are case sensitive.

ERROR

The operation resulted in an error and hence cannot be processed.