3D Secure Authentication v1.0





 

 3D Secure Authentication 1.0

 Background

What is Strong Customer Authentication?

Strong Customer Authentication is a mandatory requirement for authenticating online payments that was introduced in Europe on 14 September, 2019, under Payment Services Directive 2. It requires payments to be authenticated using at least two of the following three elements:

  • Something that only the customer knows
  • Something that only the customer has or possesses
  • Something that the customer is

Starting 14 September 2019, unauthenticated payments that require Strong Customer Authentication risk being declined by the customer’s bank.

3D Secure is the main method for authenticating card payments and meeting Strong Customer Authentication requirements.

Will all payments require Strong Customer Authentication?

Strong Customer Authentication will apply to customer-initiated online payments within the European Economic Area (EEA). Transactions in scope are those involving a customer’s card that has been issued in the EEA and where the transaction is acquired in the EEA.

How will British Airways implement Strong Customer Authentication?

British Airways has implemented 3D Secure 1.0, and is currently developing 3D Secure 2.0. You are advised to switch to the latest schemas, as Strong Customer Authentication will only be available in British Airways NDC APIs schema version 17.2. For schema version 16.1, British Airways will no longer accept card payments.

Existing schema version 16.1 customers will be able to mix and match 16.1 and 17.2 APIs and be able to continue to make payments using BSP cash for eligible agents. British Airways will provide technical documentation for this implementation.


 Who will be Authenticated?

All ‘Online’ agents will be authenticated. The agent will tell us in the OrderCreateRQ or OrderChangeRS whether they are 'Online' or 'Offline'.

Here is an example of this declaration:

Here is a sample request for the 'Corporate via TMC' scenario to show where 'Online' or 'Offline' is expected.

Limitations:

  1. The card must be enrolled for 3D Secure Authentication.
  2. Both Personal and Corporate credit cards and debit cards will be authenticated using the 3D Secure mechanism.
  3. The journey type, Long or Short Sell, Fare Being Booked and passenger types are irrelevant. As long as the card is enrolled for 3DS and the agent is ‘Online’, 3D Secure Authentication will be prompted.
  4. For Corporate Sender (Direct Corporate scenario): there is no placeholder in the schema to tell us whether they are “Online” or “Offline”, so by default they are considered “Online”.

Whether the agent is IATA or non-IATA is irrelevant. As long as the card is enrolled for 3DS and the agent is ‘Online’, 3D Secure Authentication will be prompted.


 How are British Airways planning to implement this?

The following steps outline the process for the implementation.

 Step One

The agent calls OrderCreateRQ with the itinerary, passenger and card details. (See sample below) 

Please note this is for Order Create V2. When we release V4, the seller will need to specify 3DS1 authentication.

 Step Two

If the card is enrolled for 3D Secure and the Agent is ‘Online’ then BA will return OrderViewRS with an error along with the 3D Secure Authentication data listed below. (See sample below)

  • ACS_URL
  • PAReq
  • ACS_TxnReference
  • SPM_TxnReference

 Step Three

The agent will redirect the customer to the ACS_URL and the customer enters the data.

You should POST to the ACS_URL with the following parameters:

  1. PaReq = Received in OrderViewRS
  2. TermUrl = The URL to which the PARES should be sent back (the user interface URL where you want to receive the PARES)
  3. MD = Merchant name. This should always be “BA”. This is an optional parameter, so you don’t need to pass it.
  4. Screensubmit = Should always be “true”. This is an optional parameter, so you don’t need to pass it.

The ACS_URL includes the merchant's/bank's URL, and will be structured as follows: 

You must submit these values through an HTTP Form POST to the bank service. You are advised not to use query strings in your URL, i.e. '?MD=BA&Screensubmit=true'.


Once the URL is submitted, the following screen will appear. (Please bear in mind this will vary depending on the bank).


 Step Four

The agent calls OrderCreateRQ or OrderChangeRQ again with exactly the same details as the first call (Step 1) along with the details listed below. (See sample below)

  • SignedPARes (Obtained from Step 3)
  • ACS_TxnReference (Obtained from Step 2)
  • SPM_TxnReference (Obtained from Step 2)

 Step Five

British Airways validates the details provided. If they are valid, the booking will be created and tickets will be issued. If they are not valid, OrderViewRS is returned with an error and the agent must start again. (See sample below)
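
Steps Three and Four from the agent's side, as an added example that is not British Airways code: it builds the HTML form that POSTs PaReq and TermUrl to the ACS_URL, then returns the three values to add to the repeated request. The function names, the session id, the in-memory store and the sample values are assumptions made for illustration.

```python
import hashlib
import html
from urllib.parse import urlsplit

# Hypothetical in-memory store of pending authentications, keyed by the
# agent's own web-session id (assumption: not part of the BA schema).
PENDING = {}

# Constructed sample of the Step 2 values; not real data.
SAMPLE_3DS = {"ACS_URL": "https://acs.example.test/auth", "PAReq": "constructed-pareq",
              "ACS_TxnReference": "ACS-REF-1", "SPM_TxnReference": "SPM-REF-1"}

def fingerprint(order_request_xml):
    """Hash of the Step 1 request, used to check Step 4 resends the same details."""
    return hashlib.sha256(order_request_xml.encode("utf-8")).hexdigest()

def begin_challenge(session_id, order_request_xml, three_ds, term_url):
    """Step 3: return an HTML form that POSTs PaReq and TermUrl to the ACS_URL."""
    acs = urlsplit(three_ds["ACS_URL"])
    if acs.scheme != "https" or not acs.netloc:
        raise ValueError("ACS_URL must be an absolute https URL")
    if urlsplit(term_url).scheme != "https":
        raise ValueError("TermUrl must be https")
    PENDING[session_id] = {
        "fingerprint": fingerprint(order_request_xml),
        "ACS_TxnReference": three_ds["ACS_TxnReference"],
        "SPM_TxnReference": three_ds["SPM_TxnReference"],
    }
    # Values travel in the POST body as hidden fields, never in a query string.
    fields = {"PaReq": three_ds["PAReq"], "TermUrl": term_url}
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}">'
        for k, v in fields.items()
    )
    return (f'<form method="POST" action="{html.escape(three_ds["ACS_URL"])}">'
            f'{inputs}<input type="submit" value="Continue"></form>')

def complete_challenge(session_id, order_request_xml, pares):
    """Step 4: values to add to the repeated request; pending state is single-use."""
    state = PENDING.pop(session_id, None)
    if state is None:
        raise LookupError("no pending 3D Secure authentication for this session")
    if state["fingerprint"] != fingerprint(order_request_xml):
        raise ValueError("Step 4 request differs from the Step 1 request")
    if not pares:
        raise ValueError("empty PaRes")
    return {"SignedPARes": pares,
            "ACS_TxnReference": state["ACS_TxnReference"],
            "SPM_TxnReference": state["SPM_TxnReference"]}
```

Because the pending entry is removed on first use, a replayed or mismatched callback fails and the agent starts again from Step One, matching the behaviour described in Step Five.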


 Architecture and Workflow

The samples for the OrderCreateRQ, OrderViewRS, OrderCreateRQ and OrderViewRS are shown above.

 Web Service URLs

The OrderCreate API that contains the 3DS functionality can be connected through the following URLs (See Versioning for activation dates).


 Affected APIs, Schema Changes and Version

The following APIs will be affected by this functionality

  1. OrderCreate (Prime Sale Selling)
  2. OrderChange (Confirm Held Booking and Post Sale Ancillary Purchase)

Schema Changes

British Airways has made a schema change to the following, adding OrderCreateParameters to request the 3DS details.

British Airways has made a schema change in OrderViewRS (added AugmentationPoint to return the 3DS details).


Example:

 Test Card Numbers

Please see Test Card Numbers section for specific 3DS test cards.

 Versioning and Release Plan

Version | Description | Release Status | Pre-Live Date | Live Date
0.1

OrderCreate (Prime Sale Selling) – This will be a new version.

The current versions of OrderCreate will still be supported and won’t have 3DS capability.
At some point, they will be decommissioned. The date is not decided but British Airways will notify you well in advance

  
0.2

3DS Authentication when confirming a held booking.

The current versions of OrderChange will still be supported and won’t have 3DS capability.  At some point, they will be decommissioned. The date is not decided but British Airways will notify you well in advance.

  
0.3

3DS Authentication when purchasing ancillaries.

The current versions of OrderChange will still be supported and won’t have 3DS capability. At some point, they will be decommissioned. The date is not decided but British Airways will notify you well in advance.

  
0.4

3DS Authentication when changing the booking