Submit a Request to the 3D Secure ACS Server and Retrieve a PaRes

If the enrollment check indicates that the card is enabled for 3D Secure, you can then redirect the cardholder to their card issuer's Access Control Server (ACS) to retrieve a payment authentication response (PaRes). This phase must be handled by your merchant system. A brief overview is provided here; for more details, consult the Verified by Visa and Mastercard SecureCode documentation available from the respective web sites.

Example Request Form Posted to ACS Server
<form action="" method="POST">
<input type="hidden" name="PaReq" value="eJxVUslOwzAQ/ZWIe2MndrZqaqkFBEiA2NRyq1xnRKMSJzhO0/49dhcW+TJvlueZNwNva4N49YqqNyjgAbtOfmBQlZMLs9nTkIbRsmrqUWuacjR0I8qWEU8LzjJO02VcxEm6zPPoQsDT9AW/BGzRdFWjReRKYyBn6JiNWkttBUj1Nbt7FJwmaZIBOUGo0dxdiSSmjPGE5ol7aQrk6AYtaxTXnZItBm9rDF4atQluejS6wz0COcRBNb22Zi/y2FWeAfTmU6ytbbsxIcMwhBrtSupdqJraJRkkqLdh+wnEJwL57fSp91bniHdVKeSisPfvs/0qfrYle7DscTGf55vVbJhOgPgMKKVFEdMopVmcBLQYUzb2rRz8IGvfkVeGurGPAFr/x/QU8YG/DnBbMajVeaIzAty1jUaX4ST+sYH8Nnx564VW1kuaRUURJQXjlGeMcy/5IeBZKidQlNEjjQdAfCk5bZOcDsJZ/w7lG2iWuLM=">
<input type="hidden" name="TermUrl" value="">
<input type="hidden" name="MD" value="MkRYRFA3UkE5TktOUzhZWjZD">
<input type="submit" value="go">

From the Enrollment Lookup request, you will need to map the 3D Secure API field names to the 3D Secure field names, and provide your own TermUrl and MD fields.

Form Field




N/A String Yes This is the URL of the card issuer's ACS server—the acsURL from the Enrollment Lookup request response. This is the URL in the <form> opening element, to which the other parameters within the form are POSTed.
PaReq String Yes This is the paReq (note the capitalization) from the Enrollment Lookup request response, containing zipped Base64-encoded data about the transaction, received from the Visa/Mastercard directory servers.
TermUrl String Yes This is the URL your customer will be returned to at the end of the 3D Secure authentication process.
MD String No This is your merchant data, which will be posted back to your TermUrl at the end of the 3D Secure authentication process.

In a test enrollment lookup, the response acsURL field contains a link to the Test ACS 3D Secure Simulator. For more information on using the Simulator, see Testing Instructions.

After 3DS authentication has taken place, the ACS server will POST a response back to your TermUrl URL using Content-Type: application/x-www-form-urlencoded, and containing the following key/value pairs.

Key Type Description Example Value
MD String This is the merchant data that was optionally POSTed to the 3D Secure ACS server. In most implementations, you will need to use the session data passed back in this field to reconnect the browser session back to the customer. MkRYRFA3UkE5TktOUzhZWjZD
PaRes String This is the payment authentication response; an encoded string, similar to the paReq but usually longer. You need to pass this string back to the 3D Secure API in an Authentications request. eJzNWFmTm0qy/isOz6PC…XzWfn7c+fu38F5lA9C0=
TermURL String This is the TermUrl from the original POST.

Constraints on these fields are undocumented and can vary based on the ACS implementation. Data sizes can exceed 64KB for the PaRes result in some instances.

Did you find this page useful?