SB n° 279 EMV® 3-D Secure Protocol and Core Functions Specification v2.2.0–2.3.1.1
Extracted document text
EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.
This document is large; EMVCo's index truncates its extracted text, so the excerpt below is partial.
EMV® Specification Bulletin No. 279
Second Edition August 2025

EMV® 3-D Secure Protocol and Core Functions Specification version 2.3.1.1

This Specification Bulletin No. 279 provides the updates, clarifications and errata incorporated into the EMV® 3-D Secure Protocol and Core Functions Specification since version 2.2.0 (as amended by Specification Bulletin No. 214v3).

The purpose of this Specification Bulletin is to document all the differences between version 2.2.0 (as amended by Specification Bulletin No. 214v3) and version 2.3.1.1 of the EMV® 3-D Secure Protocol and Core Functions Specification for ease of reference.

Applicability

This Specification Bulletin applies to:
• EMV® 3-D Secure Protocol and Core Functions Specification, Version 2.3.1.1

Updates are provided in the order in which they appear in the specification. Deleted text is identified using strikethrough, and red font is used to identify changed text. Green double underline is used to indicate moved text. Unedited text is provided only for context.

Related Documents

• EMV® 3-D Secure Protocol and Core Functions Specifications Version 2.2.0 (as amended by Specification Bulletin No. 214v3)
• EMV® 3-D Secure Protocol and Core Functions Specifications Version 2.3.1.1

Effective Date

• August 2025

© 2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries.
Contents EMV® 3-D Secure Protocol and Core Functions Specification version 2.3.1.1 ..................................... 1 Applicability......................................................................................................................................... 1 Related Documents ............................................................................................................................ 1 Effective Date ..................................................................................................................................... 1 Throughout Specification ..................................................................................................................... 13 Chapter 1 Introduction......................................................................................................................... 14 1.3 Normative References............................................................................................................... 14 Table 1.1 Normative References ................................................................................................. 14 1.4 Acknowledgements ................................................................................................................... 14 Table 1.2 ISO Standards ............................................................................................................. 15 1.5 Definitions .................................................................................................................................. 15 Table 1.3 Definitions .................................................................................................................... 15 1.6 Abbreviations ............................................................................................................................. 17 Table 1.4 Abbreviations ............................................................................................................... 
17 1.7 3-D Secure Protocol Version Number ....................................................................................... 18 1.8 Supporting Documentation ........................................................................................................ 18 1.9 Terminology and Conventions................................................................................................... 18 1.10 Constraints .............................................................................................................................. 19 Chapter 2 EMV 3-D Secure Overview ................................................................................................ 20 2.1 Acquirer Domain........................................................................................................................ 20 2.1.1 3DS Requestor Environment .............................................................................................. 20 2.1.2 3DS Integrator (3DS Server and 3DS Client) ..................................................................... 20 2.2 Interoperability Domain ............................................................................................................. 20 2.2.1 Directory Server .................................................................................................................. 20 2.2.2 Directory Server Certificate—Authority............................................................................... 20 2.4 3-D Secure Messages ............................................................................................................... 20 2.4.1 Authentication Request Message (AReq) .......................................................................... 20 2.4.2 Authentication Response Message (ARes) ........................................................................ 20 2.4.3 Challenge Request Message (CReq) ................................................................................. 
21 2.4.5 Results Request Message (RReq) ..................................................................................... 21 2.4.9 Operation Request Message (OReq) ................................................................................. 21 2.4.10 Operation Response Message (ORes) ............................................................................ 21 2.6 Frictionless Flow Outline ........................................................................................................... 21 2.6.2 3DS Requestor Environment—Browser-based .................................................................. 21 2.7 Challenge Flow Outline ............................................................................................................. 21 Chapter 3 EMV 3-D Secure Authentication Flow Requirements ........................................................ 22 3.1 App-based Requirements.......................................................................................................... 22 © 2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 2
Step 2: The 3DS Requestor App ................................................................................................. 22 [Req 11] ........................................................................................................................................ 22 [Req 419] ...................................................................................................................................... 22 Step 4: The 3DS Requestor Environment ................................................................................... 22 [Req 2]........................................................................................................................................... 23 Step 5: The 3DS Server............................................................................................................... 23 [Req 11] ........................................................................................................................................ 23 [Req 12] ........................................................................................................................................ 23 Step 6: The DS ............................................................................................................................ 23 [Req 15] ........................................................................................................................................ 23 [Req 390] ...................................................................................................................................... 23 [Req 394] ...................................................................................................................................... 23 [Req 16] ........................................................................................................................................ 
24 [Req 420] ...................................................................................................................................... 24 [Req 17] ........................................................................................................................................ 24 [Req 18] ........................................................................................................................................ 24 [Req 19] ........................................................................................................................................ 24 Step 7: The ACS .......................................................................................................................... 24 [Req 386] ...................................................................................................................................... 24 [Req 32] ........................................................................................................................................ 25 [Req 321] ...................................................................................................................................... 25 Step 8: The DS ............................................................................................................................ 25 [Req 305] ...................................................................................................................................... 25 [Req 421] ...................................................................................................................................... 25 Step 9: The 3DS Server............................................................................................................... 25 [Req 355] ...................................................................................................................................... 
25 Step 10: The 3DS Requestor App ............................................................................................... 26 Step 14: The 3DS SDK ................................................................................................................ 26 [Req 55] ........................................................................................................................................ 26 Step 15: The Cardholder Interaction with the 3DS SDK.............................................................. 26 [Req 59] ........................................................................................................................................ 26 Step 16: The 3DS SDK ................................................................................................................ 26 [Req 58] ........................................................................................................................................ 26 Step 17: The ACS ........................................................................................................................ 26 [Req 461] ...................................................................................................................................... 26 [Req 61] ........................................................................................................................................ 26 Step 18: The ACS ........................................................................................................................ 27 [Req 462] ...................................................................................................................................... 27 © 2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. 
EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 3
Step 20: The 3DS Server............................................................................................................. 27 [Req 463] ...................................................................................................................................... 27 Step 23: The ACS ........................................................................................................................ 28 [Req 470] ...................................................................................................................................... 28 3.2 Challenge Flow with OOB Authentication Requirements.......................................................... 28 3.2.1 OOB Requirements............................................................................................................. 29 Step 15: The Cardholder Interaction with the 3DS SDK.............................................................. 29 [Req 399] ...................................................................................................................................... 29 [Req 400] ...................................................................................................................................... 29 3.2.2 OOB Automatic Switching Features ................................................................................... 29 Step 13: The ACS ........................................................................................................................ 30 [Req 401] ...................................................................................................................................... 30 [Req 402] ...................................................................................................................................... 30 Step 14: The 3DS SDK ................................................................................................................ 
30 [Req 403] ...................................................................................................................................... 30 Step 15: The Cardholder Interaction with the 3DS SDK.............................................................. 30 [Req 472] ...................................................................................................................................... 30 [Req 404] ...................................................................................................................................... 30 [Req 405] ...................................................................................................................................... 31 [Req 406] ...................................................................................................................................... 31 [Req 407] ...................................................................................................................................... 31 [Req 475] ...................................................................................................................................... 31 [Req 408] ...................................................................................................................................... 31 [Req 409] ...................................................................................................................................... 31 3.3 Browser-based Requirements ................................................................................................... 32 Step 2: The 3DS Server/3DS Requestor ..................................................................................... 32 [Req 80] ........................................................................................................................................ 
32 [Req 82] ........................................................................................................................................ 32 Step 3: The 3DS Requestor Environment ................................................................................... 32 [Req 84] ........................................................................................................................................ 32 Step 6: The 3DS Server............................................................................................................... 32 [Req 441] ...................................................................................................................................... 32 [Req 422] ...................................................................................................................................... 32 Step 7: The DS ............................................................................................................................ 33 Step 8: The ACS .......................................................................................................................... 33 [Req 410] ...................................................................................................................................... 33 [Req 325] ...................................................................................................................................... 33 Step 9: The DS ............................................................................................................................ 33 © 2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 4
[Req 411] ...................................................................................................................................... 34 Step 10: The 3DS Server............................................................................................................. 34 [Req 356] ...................................................................................................................................... 34 Step 12: The ACS and Browser................................................................................................... 34 Step 13: The Cardholder ............................................................................................................. 34 Step 14: The Browser .................................................................................................................. 34 Step 15: The ACS ........................................................................................................................ 34 [Req 464] ...................................................................................................................................... 35 [Req 123] ...................................................................................................................................... 35 Step 16: The ACS ........................................................................................................................ 35 [Req 465] ...................................................................................................................................... 36 Step 18: The 3DS Server............................................................................................................. 36 [Req 466] ...................................................................................................................................... 36 Step 21: The ACS ........................................................................................................................ 
36 [Req 471] ...................................................................................................................................... 36 [Req 138] ...................................................................................................................................... 36 [Req 139] ...................................................................................................................................... 36 3.4 3RI-based Requirements ........................................................................................................... 36 Step 2: The 3DS Server............................................................................................................... 36 [Req 423] ...................................................................................................................................... 36 [Req 467] ...................................................................................................................................... 37 Step 3: The DS ............................................................................................................................ 37 [Req 427] ...................................................................................................................................... 37 Step 4: The ACS .......................................................................................................................... 37 [Req 291] ...................................................................................................................................... 37 Step 5: The DS ............................................................................................................................ 37 [Req 412] ...................................................................................................................................... 
38 3.5 SPC-based Authentication Requirements................................................................................. 38 Chapter 4 EMV 3-D Secure User Interface Templates, Requirements and Guidelines ..................... 39 4.1 3-D Secure User Interface Templates....................................................................................... 39 [Req 395] ...................................................................................................................................... 39 [Req 418] ...................................................................................................................................... 39 [Req 391] ...................................................................................................................................... 39 [Req 342] ...................................................................................................................................... 39 4.2 App-based User interface Overview.......................................................................................... 40 [Req 142] ...................................................................................................................................... 40 [Req 145] ...................................................................................................................................... 40 [Req 147] ...................................................................................................................................... 40 © 2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 5
Figure 4.11 Sample OOB Template (OOB App and 3DS Requestor App on same device)— w/o OOB App launch button—App-based Processing Flow......................................................... 40 Figure 4.12 Sample OOB Template (OOB App and 3DS Requestor App on same device with OOB App launch button)—App-based Processing Flow .............................................................. 40 Figure 4.13 Sample Decoupled Authentication Template—App-based Processing Flow .......... 41 4.2.2 Native UI Display Requirements ......................................................................................... 41 [Req 362] ...................................................................................................................................... 41 [Req 398] ...................................................................................................................................... 41 [Req 366] ...................................................................................................................................... 41 [Req 392] ...................................................................................................................................... 41 [Req 446] ...................................................................................................................................... 41 [Req 387] ...................................................................................................................................... 41 [Req 370] ...................................................................................................................................... 42 [Req 445] ...................................................................................................................................... 42 [Req 429] ...................................................................................................................................... 
42 4.2.3 Native UI Templates ........................................................................................................... 42 Figure 4.124.14: Sample Native UI OTP/Text Template—PA—Portrait ...................................... 42 Figure 4.134.15: Sample Native UI OTP/Text Template—PA—Landscape ................................ 42 Figure 4.16: Sample Native UI with Optional Second OTP/Text entries Template—PA— Portrait........................................................................................................................................... 42 Figure 4.17: Sample Native UI with Optional Second OTP/Text entries Template—PA— Landscape .................................................................................................................................... 42 Figure 4.144.18: Sample Native UI/OTP/Text Template—NPA .................................................. 42 Figure 4.154.19: Sample Native UI—Single-select Information—PA—Portrait .......................... 42 Figure 4.164.20: Sample Native UI—Single-select Information—PA—Landscape .................... 42 Figure 4.194.23 Sample OOB Native UI Template with Complete button—PA—Portrait........... 43 Figure 4.204.24: Sample OOB Native UI Template with Complete button—PA—Landscape.... 43 Figure 4.25: Sample OOB Native UI Template with Automatic OOB App URL link—Portrait .... 43 Figure 4.26: Sample OOB Native UI Template with Automatic OOB App URL link— Landscape .................................................................................................................................... 43 Figure 4.214.27: Sample Challenge Information Text Indicator—PA.......................................... 43 Figure 4.224.28: Sample WhitelistingTrust List/Device Binding Information Text—PA— Portrait........................................................................................................................................... 
43 Figure 4.234.29: Sample Whitelisting Trust List/Device Binding Information Text—PA— LandscapePortrait......................................................................................................................... 43 Figure 4.30: Sample Trust List/Device Binding Information Text—PA—Landscape .................. 43 Figure 4.31: Sample Trust List/Device Binding Information Text—PA—Landscape .................. 43 Figure 4.32: Sample Information Native UI Template—PA—Portrait.......................................... 43 Figure 4.33: Sample Information Native UI Template—PA—Landscape.................................... 43 Figure 4.34: Sample Challenge Data Entry Masking—PA .......................................................... 44 Figure 4.35: Sample Data Entry Masking with Toggle ................................................................ 44 © 2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 6
Figure 4.36: Sample Native UI OTP/Text Template with Challenge Additional Label—PA—Portrait
Figure 4.37: Sample Native UI OTP/Text Template with Challenge Additional Label—PA—Landscape
4.2.4 Native UI Message Exchange Requirements
[Req 154]
[Req 473]
4.2.5 HTML UI Display Requirements
[Req 376]
[Req 378]
4.2.6 HTML UI Templates
Figure 4.41: Sample OOB HTML UI Template with Complete button—PA—Portrait
Figure 4.42: Sample OOB HTML UI Template with Complete button—PA—Landscape
Figure 4.43: Sample OOB HTML UI Template with OOB App URL button—PA—Portrait
Figure 4.44: Sample OOB HTML UI Template with OOB App URL button—PA—Landscape
Figure 4.45: Sample Information HTML UI Template—Portrait
Figure 4.46: Sample Information HTML UI Template—Landscape
4.2.7 HTML Message Exchange Requirements
[Req 164]
[Req 171]
[Req 413]
[Req 393]
[Req 474]
4.3 Browser-based User Interface Overview
4.3.1 Processing Screen Requirements
[Req 173]
[Req 174]
[Req 175]
[Req 177]
[Req 178]
[Req 181]
[Req 180]
4.3.2 Browser Display Requirements
[Req 382]
[Req 384]
4.3.3 Browser UI Templates
Figure 4.50: Sample Browser Lightbox Processing Screen without White Box
Figure 4.51: Sample Browser Lightbox Processing Screen with White Box
Chapter 5 EMV 3-D Secure Message Handling Requirements
5.1 General Message Handling
5.1.1 HTTP POST
[Req 186]
5.1.2 HTTP Header—Content Type
[Req 190]
[Req 191]
[Req 468]
[Req 469]
5.1.4 Protocol and Message Version Numbers
[Req 194]
[Req 195]
[Req 320]
[Req 311]
5.1.5 Data Version Numbers
[Req 396]
[Req 397]
5.1.6 Message Parsing
[Req 201]
[Req 202]
[Req 203]
[Req 430]
[Req 431]
[Req 432]
[Req 433]
5.1.7 Message Content Validation
[Req 210]
[Req 434]
5.2 Partial System Outages
5.5 Timeouts
5.5.1 Transaction Timeouts
[Req 221]
[Req 222]
[Req 223]
[Req 224]
[Req 227]
[Req 343]
[Req 344]
[Req 452]
[Req 453]
[Req 454]
[Req 455]
5.5.2 Read Timeouts
[Req 229]
[Req 424]
[Req 235]
[Req 236]
[Req 242]
[Req 243]
[Req 244]
[Req 245]
5.6 PReq/PRes Message Handling Requirements
[Req 246]
[Req 425]
[Req 456]
[Req 428]
[Req 303]
[Req 457]
[Req 458]
[Req 459]
[Req 460]
[Req 426]
[Req 250]
[Req 251]
[Req 385]
5.7 App/SDK-based Message Handling
5.7.1 App-based CReq/CRes Message Handling
5.8 Browser-based Message Handling
5.8.1 3DS Method Handling
[Req 256]
[Req 257]
[Req 258]
[Req 315]
[Req 415]
5.9 Message Error Handling
5.9.5 ACS CReq Message Error Handling—01-APP
5.9.6 ACS CReq Message Error Handling—02-BRW
5.9.8 DS RReq Message Error Handling
5.9.10 DS RRes Message Error Handling
5.9.13 ACS RRes Message Error Handling—03-3RI
5.10 UTC Date and Time
[Req 416]
[Req 417]
5.11 OReq/ORes Message Handling Requirements
[Req 435]
[Req 436]
[Req 437]
[Req 438]
[Req 439]
[Req 440]
Chapter 6 EMV 3-D Secure Security Requirements
6.1 Link
6.1.1 Link a: Consumer Device—3DS Requestor
6.1.8 Link h: Browser—ACS (for 3DS Method)
6.2 Security Functions
6.2.1 Function H: Authenticity of the 3DS SDK
6.2.2 Function I: 3DS SDK Device Information Encryption and Split-SDK Server Signature to DS
6.2.3 Function J: 3DS SDK—ACS Secure Channel Set-Up
6.2.4 Function K: 3DS SDK—ACS (CReq/CRes)
Annex A 3-D Secure Data Elements
A.4 EMV 3-D Secure Data Elements
Table A.1 EMV 3-D Secure Data Elements
A.5 Detailed Field Values
A.5.1A.5 Device Information—01-APP Only
A.5.2A.6 Browser Information—02-BRW Only
A.5.3A.7 3DS Method Data
Table A.2: 3DS Method Data
A.5.4A.8 Browser CReq and CRes POST
Table A.3: 3DS CReq/CRes POST Data
Browser CReq–CRes Data Examples
• Example 1: threeDSSessionData sent by the 3DS Requestor in the CReq message to the ACS
• Example 2: threeDSSessionData sent by the ACS in the CRes message to the 3DS Requestor
A.5.5A.9 Error Code, Error Description, and Error Detail
Table A.4 Error Code, Error Description, and Error Detail
A.5.6A.10 Excluded ISO Currency and Country Code Values
A.5.7A.11 Card Range Data
Table A.6 Card Range Data
Card Range Data Example
Table A.7: DS URL List
DS URL List Data Example
A.11.1: Supported Message Extension Data Element
Table A.8 Supported Message Extension
Supported Message Extension Data Example
A.6A.12 Message Extension Data
A.6.1A.12.1 Message Extension Attributes
A.6.2A.12.2 Identification
A.6.3A.12.3 Criticality
A.7A.13 3DS Requestor Risk Information
A.7.1A.13.1 Cardholder Account Information
Table A.8A.10: Cardholder Account Information
A.7.2A.13.2 Merchant Risk Indicator
Table A.9A.11: Merchant Risk Indicator
A.7.3A.13.3 3DS Requestor Authentication Information
Table A.10A.12: 3DS Requestor Authentication Information
A.7.4A.13.4 3DS Requestor Prior Transaction Authentication Information
Table A.13: 3DS Requestor Prior Transaction Authentication Information
A.13.5 ACS Rendering Type
Table A.14: ACS Rendering Type
JSON Object Example
A.13.6 Device Rendering Options Supported
Table A.13A.15: Device Rendering Options Supported
JSON Object Example:
A.13.7 Challenge Data Entry
Table A.14A.16 Challenge Data Entry
A.7.8A.13.8 Transaction Status Conditions
Table A.15A.17: Transaction Status Conditions
A.13.9 Multi-Transaction
A.13.10 Seller Information
A.8A.14 UI Data Elements
Table A.18A.20 UI Data Elements
A.14.1 Issuer Image
Table A.16A.21 Issuer Image
A.13.10A.14.2 Payment System Image
Table A.17A.22 Payment System Image
A.15 iframe and Sandbox Attributes
A.16 3-D Secure Array Fields
A.17 EMV Payment Token Information
A.18 Challenge Text Box Settings
A.19 Broadcast Information
A.20 Cardholder Information Text
A.21 SPC Transaction Data
A.22 HTTP Headers
Annex B Message Format
B.1 AReq Message Data Elements
Table B.1 AReq Data Elements
B.2 ARes Message Data Elements
Table B.2 ARes Data Elements
B.3 CReq Message Data Elements
Table B.3 CReq Data Elements
B.4 CRes Message Data Elements
Table B.4 CRes Data Elements
B.6 PReq Message Data Elements
Table B.6: PReq Data Elements
B.7 PRes Message Data Elements
Table B.7 PRes Data Elements
B.8 RReq Message Data Elements
Table B.8 RReq Data Elements
B.10 OReq Message Data Elements
B.11 ORes Message Data Elements
Throughout Specification
• To facilitate enhanced version number management, a fourth digit was added to the 3-D Secure Protocol and Core Functions Specification version number: 2.3.1.x.
• Data element name/terminology updates:
  o ACS Start Protocol Version/ACS End Protocol Version data elements were updated to a single element: ACS Protocol Version
  o DS Start Protocol Version/DS End Protocol Version were updated to a single element: DS Protocol Version
  o BIN range was changed to card range.
  o All instances of White List, whitelisted, whitelisting were updated to Trust List. Figure 4.26 and Figure 4.27 were updated to include this data element update.
  o All instances of challenge window were changed to challenge iframe.
  o Annex A Section and Table references may be updated throughout the specification to reflect changes made in Annex A for version 2.3.1.0.
  o Instances of SDK were replaced with 3DS SDK.
• In Section 5.9, references to Section 5.1.6 were replaced with references to Section 5.1.7.
• Revisions added to improve grammar, consistency, clarity and readability without any effect on the meaning or interpretation of the specification are not included in this bulletin.
• Updates made to defined abbreviations, such as EC(C) and DH (Diffie–Hellman), have no substantive effect on the use of the underlying specification and are not reflected in this bulletin.
Chapter 1 Introduction
The 3-D Secure authentication protocol can be initiated through three Device Channels:
• Browser-based—Authentication during a transaction on a Consumer Device that originates from a website utilising a browser Browser as defined in Table 1.3.
1.3 Normative References
Table 1.1 Normative References
Reference | Publication Name | Bookmark
IETF BCP 47 | Tags for Identifying Languages | https://tools.ietf.org/html/bcp47
RFC 2397 | The "data" URL scheme | https://datatracker.ietf.org/doc/html/rfc2397
RFC 3986 | Uniform Resource Identifier (URI): Generic Syntax | https://tools.ietf.org/html/rfc3986
RFC 791 | INTERNET PROTOCOL | https://tools.ietf.org/html/rfc791
RFC 4291 | IP Version 6 Addressing Architecture | https://tools.ietf.org/html/rfc4291
RFC 7233 | Hypertext Transfer Protocol (HTTP/1.1): Range Requests | https://datatracker.ietf.org/doc/html/rfc7233
1.4 Acknowledgements
The following ISO Standards are referenced in this specification. The latest version including all published amendments shall apply unless a publication date is explicitly stated.
Table 1.2 ISO Standards

Reference | Publication Name | Bookmark
ISO/IEC 7812-1:2015 | ISO/IEC 7812-1:2015 Identification cards—Identification of issuers—Part 1: Numbering system |
ISO/IEC 7813:2016 | ISO/IEC 7813:2016 Information technology—Identification cards—Financial transaction cards |
ISO/IEC 7816-5:2004 | ISO/IEC 7816-5:2004 Identification cards—Integrated circuit cards—Part 5: Registration of application providers |
ISO 8583-1 | ISO 8583-1 Financial transaction card originated messages — Interchange message specifications — Part 1: Messages, data elements and code values | https://www.iso.org/standard/31628.html

1.5 Definitions

Table 1.3 Definitions

Term | Definition
3DS SDK | 3-D Secure Software Development Kit (SDK). A component that is incorporated into interacts with the 3DS Requestor App. The 3DS SDK performs functions related to 3-D Secure on behalf of the 3DS Server.
Access Control Server User Interface (ACS UI) | The ACS UI is generated during a Cardholder challenge and is rendered by the ACS within a Browser challenge window iframe.
App Screen Orientation | The orientation of the app screen display on the device, which may differ from the device orientation (for example, if the app supports Portrait-only or Landscape-only display, or if the device is in multi-window or split-screen mode). The orientation is considered Landscape if the display is wider than it is tall, and Portrait otherwise.
Bank Identification Number (BIN) | The first six or eight digits of a payment card account number that uniquely identifies the issuing financial institution.
Base64url | Encoding applied to the 3DS Method Data, Device Information, WebAuthn Credential List and the CReq/CRes messages as defined in RFC 7515.
Card Range Data File | The file containing the JSON Card Range Data object. The Card Range Data provides to the 3DS Server the 3DS protocol versions supported by the card ranges hosted by the ACS, and other optional information (e.g. 3DS Method, Message Extension).
Term | Definition
Decoupled Authentication Fallback | An additional challenge option for an ACS during the Challenge process. By returning Transaction Status = D in the RReq message, the ACS requests that the 3DS Server initiate a subsequent 3DS authentication using Decoupled Authentication.
Device Binding | In this specification, the process to link the Consumer Device used for a transaction to the Cardholder Account and/or Cardholder.
Ends processing | In the 3-D Secure processing flow, this indicates that an error has been found by a specific 3-D Secure component, which reports the error via the appropriate Error Message as defined in Section A.5.5 A.9 or RReq message as defined in Table B.8.
Fully Qualified URL | A Fully Qualified URL contains all the information necessary to locate a web resource using the following format: scheme://server/path/resource, and is defined as an ‘Absolute-URL string’ with scheme ‘https’, encoded in 'UTF-8' using 'url-code-points' from https://whatwg.org/. Refer to https://url.spec.whatwg.org/#absolute-url-string and to https://url.spec.whatwg.org/#url-code-points. A Fully Qualified URL does not contain credentials (https://url.spec.whatwg.org/#include-credentials). Example: https://server.domainname.com/acs/auth.html https://server.domainname.com/acs/auth(*ret
iframe | An iframe (short for inline frame) is a frame within a frame. It is used to embed a piece of HTML content from other sources in an HTML document. Refer to: w3c: https://www.w3.org/html/wg/spec/the-iframe-element.html#the-iframe-element OR whatwg: https://html.spec.whatwg.org/#the-iframe-element
OOB Authentication App | App on a Consumer Device that is used by the ACS to authenticate the Cardholder as part of the 3-D Secure flow, for example, a mobile banking app. See Section 3.2 for details of the OOB flow.
Operation Request (OReq) Message | The OReq message sequence is created to communicate operational information serving as an alert, a reminder, report, or call to action. This message is not part of the 3-D Secure authentication message flow.
Operation Response (ORes) Message | The ORes message acknowledges receipt of the OReq message sequence. The message is created by the recipient of the OReq message and sent to the source of the OReq message.
Platform Provider | An entity that provides a digital ecosystem consisting of an operating system and/or hardware components, capable of uniquely identifying the consumer and their device through a user ID and a hardware-derived device ID, and sharing these IDs for the purposes of risk assessment and fraud prevention.
Term | Definition
Preparation Response (PRes) Message | Response to the PReq message that contains the DS Card Ranges, active Protocol Versions for the ACS and DS and 3DS Method URL, or a Card Range Data File URL to download this information, so that updates can be made to the 3DS Server’s internal storage.
Protocol Version | Refers to the version of the EMV 3-D Secure specification that the component supports. The protocol version for this specification is 2.1.0. Defines the message interoperability between the EMV 3-D Secure components.
Responsive Design | Responsive design is an approach to make the web page content adjust to the dimensions of the device's screen for a better user experience. The approach is based on the use of three web techniques when designing the web pages:
• Flexible grid to create the web page layout that dynamically adapt to the screen width.
• Media queries to allow the page to adopt different CSS styles depending on the Browser and device screen.
• Flexible media to make images scalable to the size of the viewport.
Secure Payment Confirmation | FIDO-based authentication to securely confirm payments initiated via the Payment Request API on a Browser (refer to w3.org for additional information).
Token Service Provider | A role within the Payment Tokenisation ecosystem that is authorised by a Token Programme to provide Payment Tokens to registered Token Requestors. Refer to the EMV® Payment Tokenisation Specification Technical Framework.
Trust List Whitelisting | In this specification, the process of an ACS enabling the Cardholder to place the 3DS Requestor on their trusted beneficiaries list.
WebAuthn | Defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Refer to https://www.w3.org/TR/webauthn-2/

1.6 Abbreviations

Table 1.4 Abbreviations

Abbreviation | Description
AOC | Attestation of Compliance
CA DS | Certificate Authority Directory Server
CEK | Content Encryption Key
DH | Diffie–Hellman
Abbreviation | Description
DS CA | Directory Server Certificate Authority
ECC | Elliptic Curve Cryptography
LOA | Letter of Approval
OReq | Operation Request Message
ORes | Operation Response Message
SPC | Secure Payment Confirmation

1.7 3-D Secure Protocol Version Number

The following table provides the Protocol Version Number status for the EMV 3-D Secure Protocol and Core Functions Specification. Refer to EMV® Specification Bulletin 255 for the list of active Protocol Version Numbers.

Table 1.5 Protocol Version Numbers was removed from the specification.

1.8 Supporting Documentation
• EMV® 3-D Secure—Split-SDK Specification
• EMV® 3-D Secure Message Extensions
  o EMV® 3-D Secure Bridging Message Extension
  o EMV® 3-D Secure Device Acknowledgement Message Extension
  o EMV® 3-D Secure Payment Token Message Extension
  o EMV® 3-D Secure Travel Industry Message Extension
• EMV® Specification Bulletin 255—3-D Secure Protocol Version Numbers

1.9 Terminology and Conventions

3DS SDK

When this specification refers to the 3DS SDK, EMVCo has defined two options for a 3DS SDK implementation. The options are as follows:
1. Default SDK—Software component designed as an SDK that is integrated into a 3DS Requestor App. This SDK option is defined in the EMV 3-D Secure—SDK Specification, in which it is referred to as the 3DS SDK. In earlier versions of this Core Specification, this is referred to as the 3DS SDK.
2. Split-SDK—Client-server implementation of the 3DS SDK. Some functions of the Split-SDK entity can be performed by either a Split-SDK Client or a Split-SDK Server or, in some situations, both. The Split-SDK has multiple variants depending on the Consumer Device and the 3DS Requestor Environment. These variants include the Split-SDK/Native, Split-SDK/Shell and Split-SDK/Browser, and each is defined in the EMV 3-D Secure—Split-SDK Specification.

Unless explicitly noted otherwise, the term 3DS SDK applies as identified above.
Refer to the applicable 3DS SDK specification for detailed information regarding the SDK options.

Activate(s) the 3DS SDK

Detailed information about the 3DS SDK activation can be obtained in the applicable 3DS SDK specification.

Perform(s) the Challenge

Detailed information about the 3DS SDK performing the challenge can be obtained in the applicable 3DS SDK specification.

1.10 Constraints

The Core Specification or any implementation of the Core Specification is not intended to replace or interfere with any international, regional, national or local laws and regulations; those governing requirements supersede any industry standards.
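The Fully Qualified URL definition in Table 1.3 (an absolute URL with scheme https, built from url-code-points, without credentials) can be checked mechanically before a component stores or follows such a URL. The JavaScript below is an added example, not text from the specification; checkFullyQualifiedUrl, its reason strings and the acs.example.com inputs are assumptions made for illustration, and IPv6-literal hosts are out of scope.

```javascript
// Added example (not from the specification): checks a string against the
// Fully Qualified URL definition in Table 1.3. Names are hypothetical.

// ASCII url-code-points (https://url.spec.whatwg.org/#url-code-points), plus
// percent-encoded bytes. Simplification: every code point from U+00A0 up is
// accepted, and "[" / "]" are not, so IPv6-literal hosts are rejected.
const URL_UNITS =
  /^(?:[A-Za-z0-9!$&'()*+,\-./:;=?@_~]|%[0-9A-Fa-f]{2}|[\u00A0-\u{10FFFD}])*$/u;

function checkFullyQualifiedUrl(input) {
  const fail = (reason) => ({ ok: false, reason });
  if (typeof input !== 'string') return fail('not a string');
  // The WHATWG parser repairs "https:/host" and "https:host"; an
  // absolute-URL string must spell out scheme "https" and "//server".
  if (!/^https:\/\/[^/]/i.test(input)) return fail('not https://server/...');
  // An absolute-URL string carries no fragment.
  if (input.includes('#')) return fail('fragment present');
  // Spaces, backslashes, controls and bad "%" escapes would be silently
  // normalised by the parser, so reject them on the raw string first.
  if (!URL_UNITS.test(input)) return fail('character outside url-code-points');
  let url;
  try {
    url = new URL(input);
  } catch {
    return fail('unparseable');
  }
  // "include credentials": username or password is non-empty.
  if (url.username !== '' || url.password !== '') return fail('credentials present');
  return { ok: true, href: url.href };
}

// Constructed sample inputs (not taken from the specification).
const SAMPLES = [
  'https://acs.example.com/acs/auth',
  'HTTPS://ACS.example.com/auth?id=1&x=%2F',
  'http://acs.example.com/acs/auth',
  'https:/acs.example.com/auth',
  'https://user:secret@acs.example.com/auth',
  'https://acs.example.com/auth#frag',
  'https://acs.example.com/a b',
];

for (const s of SAMPLES) console.log(s, JSON.stringify(checkFullyQualifiedUrl(s)));
```

Running the raw-string checks before `new URL()` matters because the parser accepts and rewrites several malformed inputs that the definition excludes.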
Chapter 2 EMV 3-D Secure Overview

2.1 Acquirer Domain

2.1.1 3DS Requestor Environment

2.1.1.1 3DS Requestor

To process 3-D Secure transactions:
• App-based—3DS Requestor App integrates with the 3DS SDK as defined in the applicable EMV 3-D Secure 3DS SDK Specification specification. The 3DS SDK displays the User Interface (UI) to Cardholders.

2.1.2 3DS Integrator (3DS Server and 3DS Client)

The 3DS Integrator provides the approved 3DS SDK component or the 3DS Method functionality to 3DS Requestors for integration into with their 3DS Requestor App and/or website.

2.2 Interop