Skip to content

3DSDataSources

ianbjacobs edited this page Sep 10, 2018 · 18 revisions

This is a draft document with no consensus. It is for discussion purposes. Questions? Ian Jacobs <ij@w3.org>.

Background

3-D Secure (3DS) involves a frictionless flow that begins by sending data to a Directory Server. Once underway, a method_url initiates a device fingerprinting process. There is a version of this process for the Web and for native apps. EMVCo has defined a data set for the native SDK (in EMV® 3-D Secure SDK—Device Information) but there is no definition of the data gathered through JavaScript. Note in particular from the 3DS specification: "The manner in which the 3DS Method obtains Device Information and which information is gathered is outside the scope of this specification."

There have been discussions within the Web Payments Working Group about whether it would be advantageous to have a browser API to standardize this data gathering, with opportunities for increased privacy.

About this Document

This document:

  • Lists the data required to initiate a 3DS 2 flow. The purpose of this exercise was to determine how a payment handler (whether browser or third-party) might initiate a 3DS 2 flow, and the sources of the data necessary to do so.
  • Lists data that might be available through a browser API for the method_url. The purpose of this exercise was to start a discussion with browser vendors regarding sharing data through an API in a way that can be more privacy protecting than the status quo.

Mapping AREQ Data to Sources

EMVCo's 3-D Secure 2 specification defines data requirements in section "B.1 AReq Message Data Elements". The fields below were drawn directly from JSON Message Samples version 2.1.0.

In the following sections we organize the AReq Message Data Elements into their different sources (within the Payment Request API ecosystem). This intends to suggest a limited scope for a new browser API that would return some of the data elements to authorized parties.

Data Known to the Browser

Defined in Payment Request API

  • email
  • homePhone
  • mobilePhone
  • workPhone
  • shipAddrCity
  • shipAddrCountry
  • shipAddrLine1
  • shipAddrLine2
  • shipAddrLine3
  • shipAddrPostCode
  • shipAddrState
  • purchaseAmount
  • purchaseCurrency
  • purchaseExponent
  • shipIndicator (Indicates shipping method chosen for the transaction.)

Data about the browser

Note: This is the data that might be made available through a new browser API.

  • browserAcceptHeader
  • browserIP
  • browserJavaEnabled
  • browserLanguage
  • browserColorDepth
  • browserScreenHeight
  • browserScreenWidth
  • browserTZ
  • browserUserAgent

Data Potentially Known to the Browser

Data about the merchant / transaction

The following come from the merchant and should thus be considered for inclusion in "3-D Secure 2 with Payment Request API".

  • acquirerBIN
  • acquirerMerchantID
  • merchantCountryCode
  • merchantName
  • merchantRiskIndicator
  • mcc (merchant category code)
  • transType (transaction type, such as goods and services, check acceptance)
  • threeDSRequestorChallengeInd (variations on whether merchant wants a challenge flow)
  • reorderItemsInd
  • preOrderPurchaseInd
  • preOrderDate
  • recurringExpiry
  • recurringFrequency
  • purchaseInstalData (Indicates the maximum number of authorisations permitted for instalment payments.)

Data Known to the Payment Handler

Note: A browser may choose to operate as a payment handler.

Defined in Basic Card

  • cardExpiryDate
  • acctNumber
  • billAddrCity
  • billAddrCountry
  • billAddrLine1
  • billAddrLine2
  • billAddrLine3
  • billAddrPostCode
  • billAddrState
  • cardholderName
  • acctType (credit, debit; if removed from Basic Card this will be data managed by the payment handler)

3DS Protocol data

  • threeDSCompInd
  • threeDSRequestorID
  • threeDSRequestorName
  • threeDSRequestorURL
  • threeDSServerURL
  • threeDSServerTransID
  • threeDSServerRefNumber
  • messageCategory (payment or non-payment)
  • messageType (AREQ)
  • messageVersion (3DS version number)
  • threeDSRequestorAuthenticationInd (nature of this authentication request)
  • threeDSRequestorAuthenticationInfo (Information about how the 3DS Requestor authenticated the cardholder before or during the transaction)
  • threeDSRequestorPriorAuthenticationInfo (Information about how the 3DS Requestor authenticated the cardholder as part of a previous 3DS transaction.)
  • threeDSServerOperatorID
  • dsReferenceNumber (directory server info)
  • dsTransId (directory server info)
  • dsURL (directory server info)
  • broadInfo (Unstructured information sent between the 3DS Server, the DS and the ACS.)
  • payTokenInd (A value of True indicates that the transaction was de-tokenised prior to being received by the ACS.)
  • messageExtension

User account data

  • acctInfo (detailed information about the cardholder known to the payment handler)
  • acctID

Computable data

  • purchaseDate
  • addrMatch (boolean: do billing and shipping addresses match?)
  • deviceChannel (02 = browser, 03?)

Unsure

  • deliveryTimeframe. Might come from merchant or might be determined by data known to the brower.
  • deliveryEmailAddress. PR API does not yet include this.
  • giftCardAmount, giftCardCurr, giftCardCount. Some of this might be known to the browser (but depends on card type).

Browser API for data related to method_url

This data is drawn from "A.5.2 Browser Information—02-BRW Only" from 3-D Secure version 2.1.0.

  • Browser Accept Headers
  • Browser IP Address
  • Browser Java Enabled
  • Browser Language
  • Browser Screen Color Depth
  • Browser Screen Height
  • Browser Screen Width
  • Browser Time Zone
  • Browser User-Agent
Clone this wiki locally