Security Guidance and Best Practices

Before starting development using the 3DS SDK, it is important to consider the security implications, and how to best protect sensitive data. While the SDK takes care of many security functions, as detailed in the EMVCo 3DS SDK specification, there are other considerations that need to be taken into account.

Communication with 3DS Server

While communication with the 3DS Server is outside the scope of the 3DS SDK itself, the data transmitted, both generated from the 3DS SDK and otherwise, should be properly secured according to payment system security standards. Annex D of the EMVCo Protocol and Core Functions Specification provides guidance that has been summarized below. These standards would be appropriate for communication between the 3DS SDK and 3DS Server:

TLS 1.2 or higher should be used, with key lengths as follows:

  • RSA: 2048 bits or longer.
  • ECC: 256 bits or longer.

One of the following cipher suites should be used:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Curve P-256 shall be used and indicated in the cipher suite extension.

Protection of Sensitive Cardholder Data

Much of the data used for authentication is outside the scope of the 3DS SDK, and is transmitted to the 3DS Server outside of any authentication parameters. This sensitive data includes anything from the card number itself to cardholder contact details.

Protection includes the above secure transmission, as well as protection on the device itself. This may include either not saving the data locally, or encrypting it properly if stored.

Cleanup the ThreeDS2Service Instance

Make sure to cleanup the SDK after you are finished with 3-D Secure. This can be done using the cleanup method like so:

// ... ThreeDS2Service.INSTANCE.cleanup(applicationContext);

Versioning

The 3DS SDK version is formatted as a.b.c, where a is the major version, b is the minor version, and c is the build number. Using 2.3.9048 as an example, the major version is 2, the minor version is 3, and the build number is 9048. The build number increments every day starting from a base date of January 1st, 2000.

The build number can be a 4 or 5 digit value with a maximum value of 99999. The version can be retrieved at runtime using the ThreeDS2Service object's getSDKVersion method.

Issue Reporting

Vulnerabilities and issues can be reported to our support team via email at support@nsoftware.com. When contacting us, please do not include sensitive data including, but not limited to, credit card account numbers or private customer data. If necessary, we can provide a link for secure sharing of sensitive information.

When sensitive data is shared it must be encrypted before being provided (for instance using PGP).

Updates

Updates to the 3DS SDK are made available on our website. Builds there are updated periodically, as well as when critical security updates are made. When the builds are updated, an email notification will be sent out to email addresses used when ordering, or addresses manually added to our list here: https://www.nsoftware.com/company/mlist.aspx

No updates are pushed directly to deployed applications. It would instead be required to obtain the latest builds and integrate it them into the application. When updating, care should be taken to ensure the integrity of transactions already in progress.

Changelogs

When a bug is resolved, entries for the fixes and new features are added to a changelog, which is available on our website. Each entry includes the date, build number, and details on what was changed, as well as how it might affect applications developed using our SDKs. The 3DS SDK changelog can be found on our website here: https://www.nsoftware.com/changelogs/3dsecure/sdk

This log is also available in RSS format, and can be consumed using any RSS reader. The links for this feed is the same as above, but with rss appended to the URL: https://www.nsoftware.com/changelogs/3dsecure/sdk/rss

Security Checks

The Security Checks section contains details on the security checks performed during initialization of the SDK, as well as checks made periodically at runtime. The guidance in that section should be followed to make sure the application is aware of these issues, and responds accordingly.

Getting Started

The /n software 3DS SDK can be used to support EMV® 3-D Secure authentication natively in a mobile application. This SDK is built according to the EMV 3DS (2.1.0, 2.2.0, 2.3.1) specification released by EMVCo. The EMV® 3-D Secure specification, as well as more information on EMV 3DS in general, can be found on the EMVCo website here: https://www.emvco.com/emv-technologies/3d-secure/

The below sequence diagram exhibits a typical authentication flow for the 3DS SDK.

The following sections provide guidance on getting started with the /n software 3DS SDK.

Adding to Project

The very first step is to add the 3DS SDK to the mobile application project. This is done by copying the ipworks3ds_sdk.aar to the /libs folder in the module. Import the SDK by adding the following link to the module's build.gradle file:

implementation(name: 'ipworks3ds_sdk', ext: 'aar')
The SDK is built with AndroidX which replaces the original Android Support Library. Please ensure the project is also using AndroidX instead of the older Android Support Library.

There are two versions of the 3DS SDK included with the installation: one to be used for development and one for production. The production version includes more strict security measures that would not allow for common development processes to occur, including running with attached debuggers or using simulators/emulators. The deployment version includes _deploy in the filename.

PCI 3DS SDK imposes requirements on 3DS SDKs that severly restrict development. For example, running on an emulator or debugging are forbidden in a production 3DS SDK. As such, the /n software 3DS SDKs include both development and deployment versions, with the main differences being related to the security checks performed and resulting behavior. More details can be found in the Security Checks section.

Initializing the SDK

Depending on the 3DS Requestor application implementation, a ThreeDS2Service instance is created either during startup of the 3DS Requestor app (as a background task), or when a transaction is initiated. The state of the service is maintained until the cleanup method is called. To create an instance of the ThreeDS2Service call the initialize method like so:

ThreeDS2Service.INSTANCE.initialize(applicationContext, configParameters, locale, uiCustomization, clientEventListener, securityEventListener);

Parameter NameTypeDescription
applicationContextContextAn instance of the Android application context. Use the Android getApplicationContext activity method if necessary.
configParametersConfigParametersConfiguration information that shall be used during initialization. See the Config Parameters section below.
localeStringA string that represents the locale for the app's user interface (e.g. "en-US"). This parameter is reserved for future use.
uiCustomizationUiCustomizationA class that allows the customization of the 3DS SDK UI elements (fonts, colors, etc.). See the UI Customization section for details.
clientEventListenerClientEventListenerA listener to receive SDK events (for logging, etc.) See the Client Event Listener section for details on the available events.
securityEventListenerSecurityEventListenerA listener to receive security warning events raised during SDK initialization and during runtime. See the Security Event Listener section for details.

Config Parameters

The ConfigParameters class is used to provide details required by the 3DS SDK for initialization. The ConfigParameters.Builder class helps with organizing these parameters which can be used as follows:

List<ConfigParameters.DirectoryServerInfo> directoryServerInfoList = new ArrayList<>(); directoryServerInfoList.add(new ConfigParameters.DirectoryServerInfo(DSInfo.TEST_DS_ID, DSInfo.TEST_DS_CERT, DSInfo.TEST_DS_CA)); List<String> deviceParameterBlacklist = new ArrayList<>(); deviceParameterBlacklist.add("A009"); deviceParameterBlacklist.add("A010"); List<String> maliciousApps = new ArrayList<>(); maliciousApps.add("de.robv.android.xposed"); List<String> trustedAppStores = new ArrayList<>(); trustedAppStores.add("com.xiaomi.market"); String appsignature = ParseAppSignature(HTTP.Get("https://www.example.com/signature")); List<String> clientConfigs = new ArrayList<>(); clientConfigs.add("logLevel=3"); clientConfigs.add("MaskSensitive=false"); ConfigParameters configParameters = new ConfigParameters.Builder(directoryServerInfoList, runtimeLicense) .deviceParameterBlacklist(deviceParameterBlacklist) .maliciousApps(maliciousApps) .trustedAppStores(trustedAppStores) .appSignature(appsignature) .clientConfig(clientConfigs) .OOBAppURLSupported(true) // OOBAppURLSupported is optional and only applies for message version 2.3.1.1 .build();

Parameters fall into a few groups:

Parameter NameTypeDescription
DirectoryServerInfoListList<DirectoryServerInfo>Used to specify encryption keys and certificates for various supported directory servers. More details can be found in the DirectoryServerInfo section.
RuntimeLicenseStringThe 3DS SDK license string.
DeviceParametersBlacklistList<String>A list of device parameters NOT to pull from the device. By default, the SDK will pull as many device parameters as it can. This setting group can be used to instruct the SDK not to pull certain parameters. You can add parameters to this list by specifying the identifier. A full list of parameters can be found in the EMV 3-D Secure SDK Device Information document, which can be obtained from EMVCo directly.
MaliciousAppsList<String>Apps that are recognized as malicious. If the apps are installed, a security warning (SW02) will be raised. The following apps are considered malicious by default:
  • de.robv.android.xposed
  • de.robv.android.xposed.installer
  • com.saurik.substrate
TrustedAppStoresList<String>A security warning (SW02) will be raised if the app is not installed from a trusted app store. By default, the Google Play Store (com.android.vending) is trusted. This parameter can be used to specify additional trusted app stores.
AppSignatureList<String>A security warning (SW02) is raised if this value does not match the app signature. This property should be set to the SHA256 fingerprint of the certificate used to sign the app. If this value is not specified, the SDK will see the signature as invalid. Note that this value should not be hardcoded in the app for security reasons. Instead, the fingerprint should be stored on a server, retrieved at runtime, and set here.
ClientConfigList<String>Configuration settings used for additional configuration of the SDK. A list of available options can be found in the Client Config section.
OOBAppURLSupportedBooleanUsed to indicate if the OOB App URL is supported. This is an optional setting and only valid for message version 2.3.1.1.
After building the ConfigParameters object, the addParams method can be used to add additional parameters. This method accepts a group, parameter name, and parameter value. There are no specific groups associated with the SDK at this time, so the group can be set to a null value. For example:

configParameters.addParam(null, "ParameterName", "ParameterValue"); Available additional parameters are as follows:

NameDescription
ShowWhiteBoxInProcessingScreenDisplay a white box behind the processing icon and directory server image. This takes a boolean string value ("True" or "False").
UseDefaultTrustedAppStoreListThis setting controls whether the default trusted app store list (i.e. com.android.vending) is used. This is true by default, but when set to false only those stores explicitly specified via the TrustedAppStores list during initialization will be trusted. This takes a boolean string value ("True" or "False").
ProgressBarColorThis setting controls the color of the progress bar displayed in the progress dialog returned by the getProgressView method. This accepts a hex color code value (e.g. "#b884f2").

UI Customization

The UICustomization class exposes functionality to customize the 3DS SDK UI elements. This allows the 3DS Requestor application to have its own look-and-feel in the native challenge pages. The customization of Buttons, Labels, TextBoxes, and Toolbars is enabled via the various classes and subclasses outlined below.

UICustomization

Main class for configuring the customization of UI elements.

class UiCustomization { enum ButtonType (SUBMIT, CONTINUE, NEXT, CANCEL, RESEND, ADDITIONAL, OPEN_OOB_APP) enum UICustomizationType (DEFAULT, DARK, MONOCHROME) enum LabelType (INFO_HEADER, INFO_TEXT, INFO_LABEL, WHITELIST, WHY_INFO, WHY_INFO_TEXT, EXPANDABLE_INFO, EXPANDABLE_INFO_TEXT, SELECTION_LIST, DATA_ENTRY_LABEL, DATA_ENTRY_LABEL_2) void setButtonCustomization(ButtonCustomization buttonCustomization, ButtonType buttonType) void setToolbarCustomization(ToolbarCustomization toolbarCustomization) void setLabelCustomization(LabelCustomization labelCustomization) void setTextBoxCustomization(TextBoxCustomization textboxCustomization) void setBackground(String hexColorCode) void setInformationZoneIconPosition(int position) // 0: right, 1: left, 2: hide ButtonCustomization getButtonCustomization(ButtonType buttonType) ToolbarCustomization getToolbarCustomization() LabelCustomization getLabelCustomization() TextBoxCustomization getTextBoxCustomization() TextBoxCustomization getTextBoxTwoCustomization() String getBackground(String hexColorCode) int getInformationZoneIconPosition(int position) }

ButtonCustomization

The ButtonCustomization class enables the customization of various buttons presented to the cardholder during the challenge process.

public class ButtonCustomization { void setBackgroundColor(String hexColorCode) void setCornerRadius(int cornerRadius) void setTextFontName(String fontName) void setTextFontSize(int fontSize) void setTextColor(String hexColorCode) void setHeight(int pixels) void setPadding(int start, int top, int end, int bottom) // applicable only for ButtonType of CANCEL String getBackgroundColor() int getCornerRadius() String getTextFontName() int getTextFontSize() String getTextColor() int getHeight() int[] getPadding() // applicable only for ButtonType of CANCEL }

For example, the following code will configure buttons with red backgrounds and white font:

UiCustomization uiCustomization = new UiCustomization(); ButtonCustomization customButton = new ButtonCustomization(); customButton.setTextColor("#FFFFFF"); // White customButton.setBackgroundColor("#951728"); // Dark red uiCustomization.setButtonCustomization(customButton, UiCustomization.ButtonType.CANCEL); uiCustomization.setButtonCustomization(customButton, UiCustomization.ButtonType.CONTINUE); uiCustomization.setButtonCustomization(customButton, UiCustomization.ButtonType.NEXT); uiCustomization.setButtonCustomization(customButton, UiCustomization.ButtonType.RESEND); uiCustomization.setButtonCustomization(customButton, UiCustomization.ButtonType.SUBMIT);

This results in the following Submit button for a Single-Select challenge:

LabelCustomization

The LabelCustomization class enables the customization of various labels displayed throughout the challenge process.

public class LabelCustomization { void setHeadingTextAlignment(int textAlignment) void setHeadingTextColor(String hexColorCode) void setHeadingTextFontName(String fontName) void setHeadingTextFontSize(int fontSize) void setInputTextColor(String hexColorCode) void setInputTextFontName(String fontName) void setInputTextFontSize(int fontSize) void setTextColor(String hexColorCode) void setTextColor(LabelType labelType, String hexColorCode) void setTextFontName(String fontName) void setTextFontName(LabelType labelType, String fontName) void setTextFontSize(int fontSize) void setTextFontSize(LabelType, labelType, int fontSize) void setBackgroundColor(LabelType labelType, String hexColorCode) void setPadding(LabelType labelType, int start, int top, int end, int bottom) int getHeadingTextAlignment() String getHeadingTextColor() String getHeadingTextFontName() int getHeadingTextFontSize() String getInputLabelTextColor() String getInputLabelTextFontName() int getInputLabelTextFontSize() String getTextColor() String getTextColor(LabelType labelType) String getTextFontName() String getTextFontName(LabelType labelType) int getTextFontSize() int getTextFontSize(LabelType labelType) String getBackgroundColor(LabelType labelType) int[] getPadding(LabelType labelType) }

TextBoxCustomization

The TextBoxCustomization class enables the customization of textboxes displayed throughout the challenge process.

public class TextBoxCustomization { void setBorderColor(String hexColorCode) void setBorderWidth(int borderWidth) void setCornerRadius(int cornerRadius) void setTextColor(String hexColorCode) void setTextFontName(String fontName) void setTextFontSize(int fontSize) String getBorderColor() int getBorderWidth() int getCornerRadius() String getTextColor() String getTextFontName() int getTextFontSize() }

ToolbarCustomization

The ToolbarCustomization class enables the customization of the toolbar displayed throughout the challenge process.

public class ToolbarCustomization { void setBackgroundColor(String hexColorCode) void setButtonText(String buttonText) void setHeaderText(String headerText) void setTextColor(String hexColorCode) void setTextFontName(String fontName) void setTextFontSize(int fontSize) String getBackgroundColor() String getButtonText() String getHeaderText() String getTextColor() String getTextFontName() int getTextFontSize() }

Icon Customization

Along with the customization of the look-and-feel of the UI via the UI Customization class detailed above, it may be desirable to also customize the images utilized by the SDK. There are three images used by the Android SDK for this, and they can be customized by including files with the exact names listed below in the drawable resources section of the project:

  • ipworks3ds_expand_section_indicator: The icon used to indicate a section that can be expanded.
  • ipworks3ds_collapse_section_indicator: The icon used to indicate a section that can be collapsed.
  • ipworks3ds_warning_indicator: The icon used (as indicated by the ACS) to draw attention to challenge information text being displayed.
  • ipworks3ds_ds_DSID: The directory server logo shown when the progress dialog is displayed during communication with the 3DS Server. The DSID is the lowercase directory server ID matching one configured via a DirectoryServerInfo parameter. The logo displayed by the progress dialog will be selected based on the directory server ID used when Creating a Transaction.
If these images are included in the project, the SDK will use them automatically; no additional code or configuration is required.

Client Event Listener

The ClientEventListener class exposes a number of events that are fired at certain points during the SDK's operation. Below is a list of the available events:

DataPacketIn

Fired when receiving a data packet from the server.

public class MyClientEventListener implements ClientEventListener { ... public void fireDataPacketIn(byte[] dataPacket) { Log.i("ClientDataPacketIn", new String(dataPacket)); } ... } This event fires when a packet is received. The entire data packet (including all framing and error detection characters) is contained in the dataPacket parameter. This parameter may be inspected for advanced troubleshooting, or to extract additional response properties beyond the scope of the SDK.

DataPacketOut

Fired when sending a data packet to the server.

public class MyClientEventListener implements ClientEventListener { ... public void fireDataPacketOut(byte[] dataPacket) { Log.i("ClientDataPacketOut", new String(dataPacket)); } ... } This event fires right before each data packet is sent. The entire data packet (including all framing and error detection characters) is contained in the dataPacket parameter. This parameter may be inspected for advanced troubleshooting.

Log

Fires once for each log message.

public class MyClientEventListener implements ClientEventListener { ... public void fireLog(int logLevel, String message, String logType) { Log.i("ClientLog", logType + " - " + message); } ... } Logging is handled through the Log event. This will fire any time a message is built or a response is parsed, including error messages.

When the Log event is fired, the message in question is made available via the message event parameter. The other event arguments are logType and logLevel.

The logType parameter indicates the type of the log entry. Possible values are:

  • Info
  • RequestHeaders
  • ResponseHeaders
  • RequestBody
  • ResponseBody
  • ProxyRequest
  • ProxyResponse
  • FirewallRequest
  • FirewallResponse
  • CReq
  • CRes
  • Erro
  • EphemeralKey
  • DeviceParams
  • SW

A logType of SW indicates a Security Warning. When this value is present, the message parameter will contain a code to indicate a more specific cause of the warning. Below is a list of possible warning message values and their meanings:

SW Message ValueDescription
01Tampered; not installed from a trusted store
02Tampered; internal error checking app store
03Tampered; invalid appSignature
04Tampered; suspicious app installed
05Root; suspicious files present
06Root; suspicious apk present
07Root; root permissions
08Root; root tag
09Root; hooked
10Debugging; debugger attached

The logLevel parameter in the event indicates the log level to which the current message belongs. Possible values are:

  • 0 - None
  • 1 - Info
  • 2 - Verbose
  • 3 - Debug
Info level logs are available by default. The LogLevel configuration setting, specified in the Client Config settings, can be used to instruct the SDK to raise more or less detailed logs.

It is recommended to output all messages raised in this event to a file for record keeping or troubleshooting purposes.

SSLServerAuthentication

Fired after the server presents its certificate to the client.

public class MyClientEventListener implements ClientEventListener { ... public void fireSSLServerAuthentication(byte[] certEncoded, String certSubject, String certIssuer, String status, boolean[] accept) { //... } ... } This event fires when establishing a TLS connection and provides information about the server's certificate. The accept parameter indicates whether the certificate is trusted by default.

When accept is False, status shows why the verification failed (otherwise, status contains the string "OK"). If it is decided to continue, you can override and accept the certificate by setting the accept parameter to True.

SSLStatus

Shows the progress of the secure connection.

public class MyClientEventListener implements ClientEventListener { ... public void fireSSLStatus(String message) { Log.i("ClientSSLStatus", message); } ... } The event is fired for informational and logging purposes only. Used to track the progress of the connection.

Security Event Listener

The SecurityEventListener class exposes a way to be notified of security issues that occur both during initialization of the SDK and at runtime. This is done via a single Alarm event:

Alarm

Fired when a security issue is detected.

public class MySecurityEventListener implements SecurityEventListener { ... public void alarm(Severity severity, SecurityEvent event) { TransactionManager.getInstance().showToast("[Security Alarm] Severity: " + severity + ", Event: " + event); } ... } If a security issue is detected, the Alarm event will be raised. The severity of the error will be indicated by the severity event parameter. Possible values are:

  • LOW
  • MEDIUM
  • HIGH

The event parameter will indicate which issue was encountered. Possible values are:

  • ROOT
  • TAMPERED
  • INSTALLED_FROM_UNTRUSTED_STORE
  • HOOK
  • EMULATOR
  • DEBUGGING
  • DEBUG_ENABLED

For more information on the security checks performed by the component, and recommendations on handling detected issues, see the Security Checks section below.

DirectoryServerInfo

DirectoryServerInfo parameters are used to specify certificate details for the various supported directory servers (DS).

public DirectoryServerInfo(String RID, String KID, String publicKey, String CA) public DirectoryServerInfo(String RID, String KID, String publicKey, String[] CAs) public DirectoryServerInfo(String RID, String publicKey, String CA) public DirectoryServerInfo(String RID, String publicKey, String[] CAs)

When creating a Transaction, the RID is used to specify the certificates to be used for that transaction. Each DirectoryServerInfo consists of four pieces of information:

  • RID An identifier used internally in the SDK to match the transaction with a particular DS.
  • KID Key Identifier. There may be multiple keys for each DS with the keys each having an individual identifier.
  • publicKey Encryption certificate provided by the DS. Used to encrypt the DeviceInfo and generate keys to use for Challenge security.
  • CA The root CA certificate(s) used to issue the DS cert. These are used to verify the signature on the response from the DS (ARes packet), and can include intermediate certificate(s) as well.

Preconfigured Certificates

The 3DS SDK comes preconfigured with certificates for the following Directory Servers. To use these certificates, simply pass one of the RID values below when creating the Transaction.

Card SchemeRIDKIDpublicKeyCA(s)
VisaA000000003747da056-476c-4296-a7c4-7e853e235ef0CN=3ds2.rsa.encryption.visa.com

Expires: 2027-02-26

CN=Visa Public RSA Root CA

CN=Visa eCommerce Root CA - G2

CN=Visa eCommerce Issuing CA - G2

MasterCardA000000004116f90eee124062e2ca9c8efeb54802c34d963a0CN=3ds2.directory.mastercard.com

Expires: 2026-07-15

CN=PRD MasterCard Identity Check Root CA
AmexA000000025CN=sdk.safekey.encryptkey.com

Expires: 2025-05-23

CN=American Express Private Certification Authority
DiscoverA000000152CN=Discover SDK

Expires: 2027-03-07

CN=extendedroot.protectbuy.com
JCBA000000065CN=ds2apr.jcb-tds.com

Expires: 2051-03-02

CN=JCB DS Root CA EMV 3-D Secure
UnionPayA000000333CN=CFCA@UnionPay International@N9131000005455878X6@1

Expires: 2025-07-08

CN=CFCA ACS CA
/n software will make an effort to keep the above configurations up to date. As new certificates are issued, the 3DS SDK will be updated accordingly and new builds will be pushed to the website. It is recommended that users of the SDK also monitor and be aware of changes from the card schemes. When new certificates are released, a new build can be downloaded from our site and applied to customer implementations, or new certificates can be obtained directly from the card schemes and integrated in the SDK manually without updating the SDK build in use.

Client Config

The SDK accepts additional optional configuration settings which alter the behavior of the SDK. These are set as SETTING=VALUE pairs, and set as the clientConfig when building the ConfigParameters.

LogLevel

This setting specifies the level of logging enabled in the component. Possible values include:

0 (None)No events are logged.
1 (Info - default)Informational events are logged.
2 (Verbose)Detailed data is logged.
3 (Debug)Debug data is logged.
This is set to 1 (Info) by default.

MaskSensitive

This setting controls whether sensitive data is masked in the Log event. When set to True (default) the card number value will be replaced with the value *************.

Note: DataPacketOut will always contain the raw unmasked value regardless of this setting. This setting only applies to the Log event.

The default value is True.

Security Checks

The SDK performs security checks and collects device information during initialization. Warnings produced during the 3DS SDK initialization process can be retrieved using the getWarnings method, which returns a list of Warning objects. These can be checked by the app to determine whether or not to proceed with the checkout process:

/* check warnings */ List<Warning> warnings = ThreeDS2Service.INSTANCE.getWarnings(); if (warnings.size() > 0) { // process warnings // abort the checkout if necessary } The Warning object consists of the following fields:

NameTypeDescription
idStringWarning identifier.
messageStringWarning message.
severitySeverity (enum)Warning severity level (LOW, MEDIUM, HIGH).
The following warnings are documented in the EMVCo specification:
Security Warning IDDescriptionSeverity Level
SW01The device is jailbroken.HIGH
SW02The integrity of the SDK has been tampered.HIGH
SW03An emulator is being used to run the app.HIGH
SW04A debugger is attached to the app.MEDIUM
SW05The OS or the OS version is not supported.HIGH
To be notified of security issues at runtime, it is recommended to use the Security Event Listener as well.

Security Checks Performed During Initialization

The following security checks are performed during initialization of the SDK:

  • Root detection: Several ways of detecting if the device is rooted
  • SDK tampering detection: including app signer fingerprint validation, hook detection, and malicious app detection
  • Checks to make sure the app was installed from trusted app stores
  • Emulator detection
  • Detection of an attached debugger
  • OS version detection

These initialization checks result in warnings accessible via the getWarnings detailed above. The message will contain a description of the issue encountered.

Security Checks Performed at Runtime

The following security checks are performed at runtime:

  • Emulator detection (high severity): during Transaction.getAuthenticationRequestParameters()
  • Debugging detection (medium severity): during Transaction.doChallenge()
  • Root detection (high severity): during Transaction.doChallenge()
  • Hook detection (high severity): during ThreeDS2Service.createTransaction(), and during the challenge process when the Submit/Resend/Cancel buttons are clicked.
  • Debug enabled detection (low severity): during Transaction.doChallenge()

These runtime checks result in firing of the Security Event Listener alarm event, and the activity closing for high severity issues. In the development version of the SDK (without _deploy in the file name), these checks are not performed.

Creating a Transaction

Call the createTransaction method to start a transaction. A reference should be kept for this transaction throughout the entire 3-D Secure process. This method takes the directory server ID, which points to a DirectoryServerInfo configuration parameter added during SDK initialization. The second parameter is a protocol version as a string. Supported version strings are 2.1.0, 2.2.0, and 2.3.1.

sdkTransaction = ThreeDS2Service.INSTANCE.createTransaction(DSInfo.TEST_DS_ID, "2.2.0"); Later, when the transaction is complete, it should be closed via the Transaction object's close method.

Displaying Progress

A progress dialog must be displayed to the end user at certain points in the 3-D Secure process. While performing the challenge, the 3DS SDK will automatically display a progress dialog when appropriate.

A progress dialog must also be displayed to the user while the application is communicating with the 3DS Server and waiting for the authentication request results. The dialog used by the 3DS SDK is available to be used by the application if desired, and can be obtained from the Transaction object via the getProgressView method like so:

// The progress dialog is an instance of android.app.ProgressDialog ProgressDialog sdkProgressDialog; // Retrieve the progress dialog from the transaction object instance sdkProgressDialog = sdkTransaction.getProgressView(mActivity); sdkProgressDialog.show(); // Later, to hide/dismiss: sdkProgressDialog.dismiss(); The 3DS SDK will automatically hide the dialog when starting the challenge process, so there is no need to explicitly dismiss the dialog in the application code.

Authenticating

The authentication process starts with a call to the Transaction object's getAuthenticationRequestParameters method. When this method is called, the 3DS SDK will encrypt the device information it collected during initialization and make it, along with other SDK information required by the 3DS Server, available in the returned AuthenticationRequestParameters object. This AuthenticationRequestParameters object consists of the following fields:

NameDescription
SDKTransactionIdA transaction identifier randomly generated by the SDK.
DeviceDataDevice data collected by the SDK during initialization and encrypted using the DS key.
SDKEphemeralPublicKeyThe public key component of the ephemeral key pair generated by the SDK.
SDKAppIdA UUID value, generated by the 3DS SDK, that uniquely identifies the app on the device.
SDKReferenceNumberAssigned to our SDK by EMVCo after certification.
MessageVersionFrom createTransaction, or a default value from the SDK (2.1.0).
AuthRequestPackaged authentication request data to be sent to the 3DS Server.
The AuthRequest property is a packaged form of the other properties. The app would transmit this to the 3DS Server via a communication channel outside the scope of the 3DS SDK itself. On the server side, this AuthRequest data is designed to be passed directly in to the 3DS Server component's ClientAuthRequest property prior to sending the authentication request to the directory server via its SendAuthRequest method.

When the SendAuthRequest method completes, the Server component's ClientAuthResponse property will contain data that can be sent back to the app and passed to the 3DS SDK to use if a challenge is required.

Response Handling

The 3DS Server is responsible for reading the authentication response from the directory server and indicating to the client (in this case, the app) whether or not a challenge is required. In our 3DS Server component, check the TransactionStatus property after the SendAuthRequest method completes. If this is a value of C or D, a challenge is required.

If no challenge is required (frictionless flow), or authentication cannot be performed for some reason, no further action is required from a 3-D Secure standpoint. Proceed to the Completing Authentication section for details on closing the Transaction.

If a challenge is required, the 3DS Server should return the ClientAuthResponse property value to the app for use when starting the challenge process. The Performing a Challenge section details how to perform the challenge.

Performing a Challenge

If a challenge is required, the challenge is performed by creating the Challenge Parameters (using the ClientAuthResponse from the 3DS Server component) and following the steps in the Starting the Challenge section. The SDK will take care of all communication with the ACS while performing the challenge, as well as prompting the user as needed for the required input. When the challenge process is complete, the relevant Challenge Status Receiver callback will fire.

Challenge Status Receiver

ChallengeStatusReceiver is an interface used to obtain the result of the SDK challenge process. This should be implemented in the application and passed to the doChallenge method when Starting the Challenge. When the challenge process has finished, either successfully or in error, one of the following corresponding methods will be called:

NameDescription
completedCalled when the challenge process (that is, the transaction) is completed. When a transaction is completed, a transaction status will be available.
cancelledCalled when the cardholder selects the option to cancel the transaction on the challenge screen.
timedoutCalled when the challenge process reaches or exceeds the timeout interval that is specified during the doChallenge call.
protocolErrorCalled when the 3DS SDK receives an EMV 3-D Secure protocol-defined error message from the ACS.
runtimeErrorCalled when the 3DS SDK encounters errors during the challenge process. These errors include all errors except those covered by the protocolError method.
Example implementations of these methods can be found below:

@Override public void completed(CompletionEvent completionEvent) { showToast("Challenge completed with transactionStatus " + completionEvent.getTransactionStatus()); closeTransaction(); } @Override public void cancelled() { showToast("Challenge cancelled."); closeTransaction(); } @Override public void timedout() { showToast("Challenge timed out."); closeTransaction(); } @Override public void protocolError(ProtocolErrorEvent protocolErrorEvent) { showToast("Challenge protocolError: " + protocolErrorEvent.getErrorMessage().getErrorDescription() + "\t" + protocolErrorEvent.getErrorMessage().getErrorDetails()); closeTransaction(); } @Override public void runtimeError(RuntimeErrorEvent runtimeErrorEvent) { showToast("Challenge runtimeError: " + runtimeErrorEvent.getErrorMessage()); closeTransaction(); } // Helper method public void closeTransaction() { if (sdkTransaction != null) { sdkTransaction.close(); sdkTransaction = null; } sdkProgressDialog = null; }

Challenge Parameters

The ChallengeParameters class holds parameters that are required to conduct the challenge process. This is passed to the doChallenge method when Starting the Challenge. Available properties, accessible via getters and setters, are:

Property NameTypeDescription
3DSServerTransactionIDString3DS Server Transaction ID.
AcsTransactionIDStringACS Transaction ID.
AcsRefNumberStringACS Reference Number.
AcsSignedContentStringACS signed content. This data includes the ACS URL, ACS ephemeral public key, and SDK ephemeral public key.
ThreeDSRequestorAppURLString3DS Requestor App URL.
ThreeDSServerAuthResponseStringThe Authentication Response from the 3DS Server component.
These properties can be set individually based on what comes back from the 3DS Server. If using the 3DS Server component, the ThreeDSServerAuthResponse can be set to the generated ClientAuthResponse value, and the other properties will be set automatically based on this value.

ChallengeParameters challengeParameters = new ChallengeParameters(); challengeParameters.setThreeDSServerAuthResponse(authResponse);

Starting the Challenge

If the response from the 3DS Server indicates that a challenge is required, the challenge process is initiated using the doChallenge method. When this is called, control of the UI is handed over to the 3DS SDK. The challenge will be performed by the SDK, and when finished the appropriate Challenge Status Receiver event will fire (completed, cancelled, etc.) sdkTransaction.doChallenge(currentActivity, challengeParameters, this, 5);

The doChallenge method takes the following parameters:

Parameter NameTypeDescription
currentActivityandroid.app.ActivityThe activity used by the SDK for the challenge process.
challengeParametersChallengeParametersACS details required by the 3DS SDK to conduct the challenge process during the transaction. For details, see the Challenge Parameters section.
challengeStatusReceiverChallengeStatusReceiverCallback object for notifying the 3DS Requestor App about the challenge status. For details, see the Challenge Status Receiver section.
timeoutIntegerTimeout interval (in minutes) within which the challenge process must be completed. The minimum timeout interval is 5 minutes.

Completing Authentication

If the completed callback fires, the CompletionEvent parameter will contain more details on the authentication results. This has two properties: sdkTransactionID, and transactionStatus. The transactionStatus contains the transStatus from the last CRes packet, which would be one of the values below:

  • Y: Order completed successfully / Authentication successful
  • A: Order completed successfully / Attempts processing performed
  • N: Order denied / Not authenticated (denied)
  • R: Order denied / Authentication rejected
  • U: Order failed due to technical reasons / Authentication could not be performed

Managing Resources

The cleanup method frees up resources that are used by the 3DS SDK. The cleanup method should be called only once during a single 3DS Requestor App session:

ThreeDS2Service.INSTANCE.cleanup(applicationContext);

Application Permission Notes

The SDK itself does not require any specific permissions outside of internet access, and it will use only the permissions that the application has requested. The app should require permission before the SDK is initialized. This is required by the specification and some device parameters will not be available if permission is not granted.

For a full list of required permissions for each device parameter, see the EMV® 3-D Secure SDK Device Information document, which can be obtained from EMVCo directly.