Security Guidance and Best Practices

Before starting development using the 3DS SDK, it is important to consider the security implications, and how to best protect sensitive data. While the SDK takes care of many security functions, as detailed in the EMVCo 3DS SDK specification, there are other considerations that need to be taken into account.

Communication with 3DS Server

While communication with the 3DS Server is outside the scope of the 3DS SDK itself, the data transmitted, both generated from the 3DS SDK and otherwise, should be properly secured according to payment system security standards. Annex D of the EMVCo Protocol and Core Functions Specification provides guidance that has been summarized below. These standards would be appropriate for communication between the 3DS SDK and 3DS Server:

TLS 1.2 or higher should be used, with key lengths as follows:

  • RSA: 2048 bits or longer.
  • ECC: 256 bits or longer.

One of the following cipher suites should be used:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Curve P-256 shall be used and indicated in the cipher suite extension.

Protection of Sensitive Cardholder Data

Much of the data used for authentication is outside the scope of the 3DS SDK, and is transmitted to the 3DS Server outside of any authentication parameters. This sensitive data includes anything from the card number itself to cardholder contact details.

Protection includes the above secure transmission, as well as protection on the device itself. This may include either not saving the data locally, or encrypting it properly if stored.

Cleanup the ThreeDS2Service Instance

Make sure to cleanup the SDK after you are finished with 3-D Secure. This can be done using the cleanup method like so:

// ... threeDS2Service.cleanup();

Versioning

The 3DS SDK version is formatted as a.b.c, where a is the major version, b is the minor version, and c is the build number. Using 2.3.9048 as an example, the major version is 2, the minor version is 3, and the build number is 9048. The build number increments every day starting from a base date of January 1st, 2000.

The build number can be a 4 or 5 digit value with a maximum value of 99999. The version can be retrieved at runtime using the ThreeDS2Service object's getSDKVersion method.

Issue Reporting

Vulnerabilities and issues can be reported to our support team via email at support@nsoftware.com. When contacting us, please do not include sensitive data including, but not limited to, credit card account numbers or private customer data. If necessary, we can provide a link for secure sharing of sensitive information.

When sensitive data is shared it must be encrypted before being provided (for instance using PGP).

Updates

Updates to the 3DS SDK are made available on our website. Builds there are updated periodically, as well as when critical security updates are made. When the builds are updated, an email notification will be sent out to email addresses used when ordering, or addresses manually added to our list here: https://www.nsoftware.com/company/mlist.aspx

No updates are pushed directly to deployed applications. It would instead be required to obtain the latest builds and integrate it them into the application. When updating, care should be taken to ensure the integrity of transactions already in progress.

Changelogs

When a bug is resolved, entries for the fixes and new features are added to a changelog, which is available on our website. Each entry includes the date, build number, and details on what was changed, as well as how it might affect applications developed using our SDKs. The 3DS SDK changelog can be found on our website here: https://www.nsoftware.com/changelogs/3dsecure/sdk

This log is also available in RSS format, and can be consumed using any RSS reader. The links for this feed is the same as above, but with rss appended to the URL: https://www.nsoftware.com/changelogs/3dsecure/sdk/rss

Security Checks

The Security Checks section contains details on the security checks performed during initialization of the SDK, as well as checks made periodically at runtime. The guidance in that section should be followed to make sure the application is aware of these issues, and responds accordingly.

Getting Started

The /n software 3DS SDK can be used to support EMV® 3-D Secure authentication natively in a mobile application. This SDK is built according to the EMV 3DS (2.1.0, 2.2.0, 2.3.1) specification released by EMVCo. The EMV® 3-D Secure specification, as well as more information on EMV 3DS in general, can be found on the EMVCo website here: https://www.emvco.com/emv-technologies/3d-secure/

The below sequence diagram exhibits a typical authentication flow for the 3DS SDK.

The following sections provide guidance on getting started with the /n software 3DS SDK.

Adding to Project

The very first step is to add the 3DS SDK to the mobile application project. This is done by dragging the framework into the Frameworks section of the application project settings.

There are two versions of the 3DS SDK included with the installation: one to be used for development and one for production. The production version includes more strict security measures that would not allow for common development processes to occur, including running with attached debuggers or using simulators/emulators. The deployment version includes _deploy in the filename.

PCI 3DS SDK imposes requirements on 3DS SDKs that severly restrict development. For example, running on an emulator or debugging are forbidden in a production 3DS SDK. As such, the /n software 3DS SDKs include both development and deployment versions, with the main differences being related to the security checks performed and resulting behavior. More details can be found in the Security Checks section.

Initializing the SDK

Depending on the 3DS Requestor application implementation, a ThreeDS2Service instance is created either during startup of the 3DS Requestor app (as a background task), or when a transaction is initiated. The state of the service is maintained until the cleanup method is called. To create an instance of the ThreeDS2Service call the initialize method like so:

try threeDS2Service.initialize( configParameters: configParameters, locale: nil, uiCustomization: uiCustom, clientEventListener: clientEventListener, securityEventListener: securityEventListener)

Parameter NameTypeDescription
configParametersConfigParametersConfiguration information that shall be used during initialization. See the Config Parameters section below.
localeStringA string that represents the locale for the app's user interface (e.g. "en-US"). This parameter is reserved for future use.
uiCustomizationUiCustomizationA class that allows the customization of the 3DS SDK UI elements (fonts, colors, etc.). See the UI Customization section for details.
clientEventListenerClientEventListenerA listener to receive SDK events (for logging, etc.) See the Client Event Listener section for details on the available events.
securityEventListenersecurityEventListenerA listener to receive security warning events raised during SDK initialization and during runtime. See the Security Event Listener section for details.

Config Parameters

The ConfigParameters class is used to provide details required by the 3DS SDK for initialization. The ConfigParametersBuilder class helps with organizing these parameters. ConfigParametersBuilder.init(directoryServerInfoList: [DirectoryServerInfo]?, runtimeLicense: String, deviceParameterBlacklist: [String]?, clientConfig: [String]?, appBundleId: String) ConfigParametersBuilder.init(directoryServerInfoList: [DirectoryServerInfo]?, runtimeLicense: String, deviceParameterBlacklist: [String]?, clientConfig: [String]?, appBundleId: String, OOBAppURLSupported: Bool) This can be used as follows:

var directoryServerInfoList = [DirectoryServerInfo]() directoryServerInfoList.append(DirectoryServerInfo(RID: DSInfo.TEST_DS_ID, publicKey: DSInfo.TEST_DS_CERT, CA: DSInfo.TEST_DS_CA)) let deviceParameterBlacklist = ["C005", "I010"] let clientConfigs = ["LogLevel=3", "MaskSensitive=false"] let builder = ConfigParametersBuilder.init(directoryServerInfoList: directoryServerInfoList, runtimeLicense: "", deviceParameterBlacklist: deviceParameterBlacklist, clientConfig: clientConfigs, appBundleId: appBundleId, OOBAppURLSupported: false) let configParameters = try builder.build() Parameters fall into a few groups:

Parameter NameTypeDescription
DirectoryServerInfoListList<DirectoryServerInfo>Used to specify encryption keys and certificates for various supported directory servers. More details can be found in the DirectoryServerInfo section.
RuntimeLicenseStringThe 3DS SDK license string.
DeviceParametersBlacklistList<String>A list of device parameters NOT to pull from the device. By default, the SDK will pull as many device parameters as it can. This setting group can be used to instruct the SDK not to pull certain parameters. You can add parameters to this list by specifying the identifier. A full list of parameters can be found in the EMV 3-D Secure SDK Device Information document, which can be obtained from EMVCo directly.
ClientConfigList<String>Configuration settings used for additional configuration of the SDK. A list of available options can be found in the Client Config section.
AppBundleIDStringThe expected bundle identifier for the application. This should match the Bundle Identifier identity setting specified when building the application. A security warning is raised if this value does not match the Bundle ID of the application at runtime. If this value is not specified, the SDK will see the Bundle ID as invalid. Note that this value should not be hardcoded in the app for security reasons. Instead, the Bundle ID should be stored on a server, retrieved at runtime, and set here.
OOBAppURLSupportedBoolUsed to indicate if the OOB App URL is supported. This is an optional setting and only valid for message version 2.3.1.1.
After building the ConfigParameters object, the addParams method can be used to add additional parameters. This method accepts a group, parameter name, and parameter value. There are no specific groups associated with the SDK at this time, so the group can be set to a null value. For example:

try configParameters.addParam(group: nil, paramName: "ParameterName", paramValue: "ParameterValue") Available additional parameters are as follows:

NameDescription
ShowWhiteBoxInProcessingScreenDisplay a white box behind the processing icon and directory server image. This takes a boolean string value ("True" or "False").
FireChallengeStatusFirstThis setting allows configuration of when the completed, cancelled, and protocolError Challenge Status Receiver events fire. By default ("False") these will fire after the challenge UI is closed. Setting this to "True" will cause these events to fire before the challenge UI closes.

UI Customization

The UICustomization class exposes functionality to customize the 3DS SDK UI elements. This allows the 3DS Requestor application to have its own look-and-feel in the native challenge pages. The customization of Buttons, Labels, TextBoxes, and Toolbars is enabled via the various classes and subclasses outlined below.

UICustomization

Main class for configuring the customization of UI elements.

class UiCustomization { enum ButtonType (SUBMIT, CONTINUE, NEXT, CANCEL, RESEND, ADDITIONAL, OPEN_OOB_APP) enum UICustomizationType (DEFAULT, DARK, MONOCHROME) enum LabelType (INFO_HEADER, INFO_TEXT, INFO_LABEL, WHITELIST, WHY_INFO, WHY_INFO_TEXT, EXPANDABLE_INFO, EXPANDABLE_INFO_TEXT, SELECTION_LIST, DATA_ENTRY_LABEL, DATA_ENTRY_LABEL_2) void setButtonCustomization(ButtonCustomization buttonCustomization, ButtonType buttonType) void setToolbarCustomization(ToolbarCustomization toolbarCustomization) void setLabelCustomization(LabelCustomization labelCustomization) void setTextBoxCustomization(TextBoxCustomization textboxCustomization) void setBackground(UIColor color) void setInformationZoneIconPosition(int position) // 0: right, 1: left, 2: hide void setBrandingZoneLogoGap(CGFloat value) ButtonCustomization getButtonCustomization(ButtonType buttonType) ToolbarCustomization getToolbarCustomization() LabelCustomization getLabelCustomization() TextBoxCustomization getTextBoxCustomization() TextBoxCustomization getTextBoxTwoCustomization() }

ButtonCustomization

The ButtonCustomization class enables the customization of various buttons presented to the cardholder during the challenge process.

public class ButtonCustomization { void setBackgroundColor(UIColor color) void setCornerRadius(int cornerRadius) void setTextFontName(String fontName) void setTextFontSize(int fontSize) void setTextColor(String hexColorCode) void setTextColor(UIColor color) void setHeight(CGFloat height) void setPadding(UIEdgeInsets edge) // applicable only for ButtonType of CANCEL UIColor getBackgroundColor() int getCornerRadius() String getTextFontName() int getTextFontSize() UIColor getTextColor() String getTextColorHex() CGFloat getHeight() }

For example, the following code will configure buttons with red backgrounds and white font:

let uiCustom = UiCustomization() let customButton = ButtonCustomization() customButton.setTextColor(color: UIColor.white) customButton.setBackgroundColor(color:UIColor.red) try uiCustom.setButtonCustomization(buttonCustomization: customButton, buttonType: .CANCEL) try uiCustom.setButtonCustomization(buttonCustomization: customButton, buttonType: .CONTINUE) try uiCustom.setButtonCustomization(buttonCustomization: customButton, buttonType: .NEXT) try uiCustom.setButtonCustomization(buttonCustomization: customButton, buttonType: .RESEND) try uiCustom.setButtonCustomization(buttonCustomization: customButton, buttonType: .SUBMIT)

This results in the following Submit button for a Single-Select challenge:

LabelCustomization

The LabelCustomization class enables the customization of various labels displayed throughout the challenge process.

public class LabelCustomization { void setHeadingTextAlignment(NSTextAlignment textAlignment) void setHeadingTextColor(UIColor color) void setHeadingTextFontName(String fontName) void setHeadingTextFontSize(int fontSize) void setTextColor(String hexColorCode) void setTextColor(UIColor color) void setTextColor(LabelType labelType, UIColor color) void setTextFontName(String fontName) void setTextFontName(LabelType labelType, String fontName) void setTextFontSize(int fontSize) void setTextFontSize(LabelType, labelType, int fontSize) void setBackgroundColor(LabelType labelType, UIColor color) void setPadding(LabelType LabelType, UIEdgeInsets edge) NSTextAlignment getHeadingTextAlignment() UIColor getHeadingTextColor() String getHeadingTextFontName() int getHeadingTextFontSize() UIColor getTextColor() String getTextColorHex() String getTextFontName() int getTextFontSize() }

TextBoxCustomization

The TextBoxCustomization class enables the customization of textboxes displayed throughout the challenge process.

public class TextBoxCustomization { void setBorderColor(UIColor color) void setBorderWidth(int borderWidth) void setCornerRadius(int cornerRadius) void setTextColor(String hexColorCode) void setTextColor(UIColor color) void setTextFontName(String fontName) void setTextFontSize(int fontSize) UIColor getBorderColor() int getBorderWidth() int getCornerRadius() UIColor getTextColor() String getTextColorHex() String getTextFontName() int getTextFontSize() }

ToolbarCustomization

The ToolbarCustomization class enables the customization of the toolbar displayed throughout the challenge process.

public class ToolbarCustomization { void setBackgroundColor(UIColor color) void setButtonText(String buttonText) void setHeaderText(String headerText) void setTextColor(String hexColorCode) void setTextColor(UIColor color) void setTextFontName(String fontName) void setTextFontSize(int fontSize) UIColor getBackgroundColor() String getButtonText() String getHeaderText() UIColor getTextColor() String getTextColorHex() String getTextFontName() int getTextFontSize() }

Icon Customization

Along with the customization of the look-and-feel of the UI via the UI Customization class detailed above, it may be desirable to also customize the images utilized by the SDK. There are seven images used by iOS which can be customized via a Bundle of images with the following names:

  • CollapsedLabelIndicator The icon used to indicate a section that can be collapsed.
  • ExpandedLabelIndicator The icon used to indicate a section that can be expanded.
  • MultiSelection The icon used for a multi selection option.
  • MultiSelectionSelected The icon used for selected multi selection option(s).
  • SingleSelection The icon used for a single selection option.
  • SingleSelectionSelected The icon used for the selected single selection option.
  • WarningIndicator: The icon used (as indicated by the ACS) to draw attention to challenge information text being displayed.
  • ipworks3ds_ds_DSID: The directory server logo shown when the progress dialog is displayed during communication with the 3DS Server. The DSID is the lowercase directory server ID matching a DS_ID configured via a DirectoryServerInfo parameter. The logo displayed by the progress dialog will be selected based on the directory server ID used when Creating a Transaction.
The bundle containing these images can be passed to the ThreeDS2Service constructor like so:

let threeDS2Service = ThreeDS2Service(bundle: Bundle.main)

Dark Mode

The 3DS SDK supports Dark Mode based on settings configured at the system level. Nothing additional needs to be done in the code. Dark mode images can be configured for each of the above as well.

Client Event Listener

The ClientEventListener class exposes a number of events that are fired at certain points during the SDK's operation. Below is a list of the available events:

DataPacketIn

Fired when receiving a data packet from the server.

class MyClientEventListener: ClientEventListener { ... func onDataPacketIn(_ dataPacket: Data) { //... } ... } This event fires when a packet is received. The entire data packet (including all framing and error detection characters) is contained in the dataPacket parameter. This parameter may be inspected for advanced troubleshooting, or to extract additional response properties beyond the scope of the SDK.

DataPacketOut

Fired when sending a data packet to the server.

class MyClientEventListener: ClientEventListener { ... func onDataPacketOut(_ dataPacket: Data) { //... } ... } This event fires right before each data packet is sent. The entire data packet (including all framing and error detection characters) is contained in the dataPacket parameter. This parameter may be inspected for advanced troubleshooting.

Log

Fires once for each log message.

class MyClientEventListener: ClientEventListener { ... func onLog(_ logLevel: Int32, _ message: String, _ logType: String) { print("[\(logType)]\(message)") } ... } Logging is handled through the Log event. This will fire any time a message is built or a response is parsed, including error messages.

When the Log event is fired, the message in question is made available via the message event parameter. The other event arguments are logType and logLevel.

The logType parameter indicates the type of the log entry. Possible values are:

  • Info
  • RequestHeaders
  • ResponseHeaders
  • RequestBody
  • ResponseBody
  • ProxyRequest
  • ProxyResponse
  • FirewallRequest
  • FirewallResponse
  • CReq
  • CRes
  • Erro
  • EphemeralKey
  • DeviceParams
  • SW

A logType of SW indicates a Security Warning. When this value is present, the message parameter will contain a code to indicate a more specific cause of the warning. Below is a list of possible warning message values and their meanings:

SW Message ValueDescription
01Tampered; installed from Ad-Hoc or XCode
02Tampered; invalid info dictionary
03Tampered; Info.plist was modified after the app was built
04Tampered; Bundle ID mismatch
05, XXJailbroken; suspicious jailbreak files present on the device
06, XXJailbroken; suspicious jailbreak library loaded
07, XXJailbroken; write permissions enabled on system directories
08Jailbroken; app has permission to fork
09, XXJailbroken; app can query jailbreak URL schemes
10Debugging; p_trace flag detected
11Debugging; internal error: cannot find sysctl
12Debugging; internal error: cannot find getpid
13Debugging; invalid PID
14, XXDebugging; reverse engineering tool detected on the device
15, XXDebugging; suspicious TCP port detected

The logLevel parameter in the event indicates the log level to which the current message belongs. Possible values are:

  • 0 - None
  • 1 - Info
  • 2 - Verbose
  • 3 - Debug
Info level logs are available by default. The LogLevel configuration setting, specified in the Client Config settings, can be used to instruct the SDK to raise more or less detailed logs.

It is recommended to output all messages raised in this event to a file for record keeping or troubleshooting purposes.

SSLServerAuthentication

Fired after the server presents its certificate to the client.

class MyClientEventListener: ClientEventListener { ... func onSSLServerAuthentication(_ certEncoded: Data, _ certSubject: String, _ certIssuer: String, _ status: String, _ accept: UnsafeMutablePointer<Int32>) { //... } ... } This event fires when establishing a TLS connection and provides information about the server's certificate. The accept parameter indicates whether the certificate is trusted by default.

When accept is False, status shows why the verification failed (otherwise, status contains the string "OK"). If it is decided to continue, you can override and accept the certificate by setting the accept parameter to True.

SSLStatus

Shows the progress of the secure connection.

class MyClientEventListener: ClientEventListener { ... func onSSLStatus(_ message: String) { //... } ... } The event is fired for informational and logging purposes only. Used to track the progress of the connection.

Security Event Listener

The SecurityEventListener class exposes a way to be notified of security issues that occur both during initialization of the SDK and at runtime. This is done via a single Alarm event:

Alarm

Fired when a security issue is detected.

class MySecurityEventListener: SecurityEventListener { ... func alarm(_ severity: Severity, _ event: SecurityEvent) { TransactionManager.transactionManager.showToast("Security alarm: [" + severity.description + "] " + event.description) } ... } If a security issue is detected, the Alarm event will be raised. The severity of the error will be indicated by the severity event parameter. Possible values are:

  • LOW
  • MEDIUM
  • HIGH

The event parameter will indicate which issue was encountered. Possible values are:

  • ROOT
  • TAMPERED
  • INSTALLED_FROM_UNTRUSTED_STORE
  • HOOK
  • EMULATOR
  • DEBUGGING
  • DEBUG_ENABLED

For more information on the security checks performed by the component, and recommendations on handling detected issues, see the Security Checks section below.

DirectoryServerInfo

DirectoryServerInfo parameters are used to specify certificate details for the various supported directory servers (DS).

DirectoryServerInfo(RID: String, KID: String, publicKey: String, CA: String) DirectoryServerInfo(RID: String, KID: String, publicKey: String, CAs: [String]) DirectoryServerInfo(RID: String, publicKey: String, CA: String) DirectoryServerInfo(RID: String, publicKey: String, CAs: [String])

When creating a Transaction, the RID is used to specify the certificates to be used for that transaction. Each DirectoryServerInfo consists of four pieces of information:

  • RID An identifier used internally in the SDK to match the transaction with a particular DS.
  • KID Key Identifier. There may be multiple keys for each DS with the keys each having an individual identifier.
  • publicKey Encryption certificate provided by the DS. Used to encrypt the DeviceInfo and generate keys to use for Challenge security.
  • CA The root CA certificate(s) used to issue the DS cert. These are used to verify the signature on the response from the DS (ARes packet), and can include intermediate certificate(s) as well.

Preconfigured Certificates

The 3DS SDK comes preconfigured with certificates for the following Directory Servers. To use these certificates, simply pass one of the RID values below when creating the Transaction.

Card SchemeRIDKIDpublicKeyCA(s)
VisaA000000003747da056-476c-4296-a7c4-7e853e235ef0CN=3ds2.rsa.encryption.visa.com

Expires: 2027-02-26

CN=Visa Public RSA Root CA

CN=Visa eCommerce Root CA - G2

CN=Visa eCommerce Issuing CA - G2

MasterCardA000000004116f90eee124062e2ca9c8efeb54802c34d963a0CN=3ds2.directory.mastercard.com

Expires: 2026-07-15

CN=PRD MasterCard Identity Check Root CA
AmexA000000025CN=sdk.safekey.encryptkey.com

Expires: 2025-05-23

CN=American Express Private Certification Authority
DiscoverA000000152CN=Discover SDK

Expires: 2027-03-07

CN=extendedroot.protectbuy.com
JCBA000000065CN=ds2apr.jcb-tds.com

Expires: 2051-03-02

CN=JCB DS Root CA EMV 3-D Secure
UnionPayA000000333CN=CFCA@UnionPay International@N9131000005455878X6@1

Expires: 2025-07-08

CN=CFCA ACS CA
/n software will make an effort to keep the above configurations up to date. As new certificates are issued, the 3DS SDK will be updated accordingly and new builds will be pushed to the website. It is recommended that users of the SDK also monitor and be aware of changes from the card schemes. When new certificates are released, a new build can be downloaded from our site and applied to customer implementations, or new certificates can be obtained directly from the card schemes and integrated in the SDK manually without updating the SDK build in use.

Client Config

The SDK accepts additional optional configuration settings which alter the behavior of the SDK. These are set as SETTING=VALUE pairs, and set as the clientConfig when building the ConfigParameters.

LogLevel

This setting specifies the level of logging enabled in the component. Possible values include:

0 (None)No events are logged.
1 (Info - default)Informational events are logged.
2 (Verbose)Detailed data is logged.
3 (Debug)Debug data is logged.
This is set to 1 (Info) by default.

MaskSensitive

This setting controls whether sensitive data is masked in the Log event. When set to True (default) the card number value will be replaced with the value *************.

Note: DataPacketOut will always contain the raw unmasked value regardless of this setting. This setting only applies to the Log event.

The default value is True.

Security Checks

The SDK performs security checks and collects device information during initialization. Warnings produced during the 3DS SDK initialization process can be retrieved using the getWarnings method, which returns a list of Warning objects. These can be checked by the app to determine whether or not to proceed with the checkout process:

// check warnings let warnings = try threeDS2Service.getWarnings() if warnings.count > 0 { // process warnings // abort the checkout if necessary } The Warning object consists of the following fields:

NameTypeDescription
idStringWarning identifier.
messageStringWarning message.
severitySeverity (enum)Warning severity level (LOW, MEDIUM, HIGH).
The following warnings are documented in the EMVCo specification:
Security Warning IDDescriptionSeverity Level
SW01The device is jailbroken.HIGH
SW02The integrity of the SDK has been tampered.HIGH
SW03An emulator is being used to run the app.HIGH
SW04A debugger is attached to the app.MEDIUM
SW05The OS or the OS version is not supported.HIGH
To be notified of security issues at runtime, it is recommended to use the Security Event Listener as well.

Security Checks Performed During Initialization

The following security checks are performed during initialization of the SDK:

  • Root detection: Several ways of detecting if the device is rooted
  • SDK tampering detection: including app signer fingerprint validation, and hook detection
  • Checks to make sure the app was installed from trusted app stores
  • Emulator detection
  • Detection of an attached debugger
  • OS version detection

These initialization checks result in warnings accessible via the getWarnings detailed above. The message will contain a description of the issue encountered.

Security Checks Performed at Runtime

The following security checks are performed at runtime:

  • Emulator detection (high severity): during Transaction.doChallenge()
  • Debugging detection (medium severity): during Transaction.doChallenge()
  • Method Swizzle Hook detection (high severity): during Transaction.getAuthenticationRequestParameters() and Transaction.doChallenge()
  • Fishhook detection (high severity): during Transaction.getAuthenticationRequestParameters() and Transaction.doChallenge()
  • Anti-debug (preventative): during Transaction.getAuthenticationRequestParameters()

These runtime checks result in firing of the Security Event Listener alarm event, and the app closing for high severity issues. In the development version of the SDK (without _deploy in the file name), these checks are not performed.

Creating a Transaction

Call the createTransaction method to start a transaction. A reference should be kept for this transaction throughout the entire 3-D Secure process. This method takes the directory server ID, which points to a DirectoryServerInfo configuration parameter added during SDK initialization. The second parameter is a protocol version as a string. Supported version strings are 2.1.0, 2.2.0, and 2.3.1.

sdkTransaction = try threeDS2Service.createTransaction(DSInfo.TEST_DS_ID, "2.2.0") Later, when the transaction is complete, it should be closed via the Transaction object's close method.

Displaying Progress

A progress dialog must be displayed to the end user at certain points in the 3-D Secure process. While performing the challenge, the 3DS SDK will automatically display a progress dialog when appropriate.

A progress dialog must also be displayed to the user while the application is communicating with the 3DS Server and waiting for the authentication request results. The dialog used by the 3DS SDK is available to be used by the application if desired, and can be obtained from the Transaction object via the getProgressView method like so:

// The progress dialog is an instance of ProgressView var sdkProgressDialog: ProgressView? // Retrieve the progress dialog from the transaction object instance sdkProgressDialog = try sdkTransaction?.getProgressView() sdkProgressDialog?.show() // Later, to hide/dismiss if desired: sdkProgressDialog?.close() The 3DS SDK will automatically hide the dialog when starting the challenge process, so there is no need to explicitly dismiss the dialog in the application code.

Authenticating

The authentication process starts with a call to the Transaction object's getAuthenticationRequestParameters method. When this method is called, the 3DS SDK will encrypt the device information it collected during initialization and make it, along with other SDK information required by the 3DS Server, available in the returned AuthenticationRequestParameters object. This AuthenticationRequestParameters object consists of the following fields:

NameDescription
SDKTransactionIdA transaction identifier randomly generated by the SDK.
DeviceDataDevice data collected by the SDK during initialization and encrypted using the DS key.
SDKEphemeralPublicKeyThe public key component of the ephemeral key pair generated by the SDK.
SDKAppIdA UUID value, generated by the 3DS SDK, that uniquely identifies the app on the device.
SDKReferenceNumberAssigned to our SDK by EMVCo after certification.
MessageVersionFrom createTransaction, or a default value from the SDK (2.1.0).
AuthRequestPackaged authentication request data to be sent to the 3DS Server.
The AuthRequest property is a packaged form of the other properties. The app would transmit this to the 3DS Server via a communication channel outside the scope of the 3DS SDK itself. On the server side, this AuthRequest data is designed to be passed directly in to the 3DS Server component's ClientAuthRequest property prior to sending the authentication request to the directory server via its SendAuthRequest method.

When the SendAuthRequest method completes, the Server component's ClientAuthResponse property will contain data that can be sent back to the app and passed to the 3DS SDK to use if a challenge is required.

Response Handling

The 3DS Server is responsible for reading the authentication response from the directory server and indicating to the client (in this case, the app) whether or not a challenge is required. In our 3DS Server component, check the TransactionStatus property after the SendAuthRequest method completes. If this is a value of C or D, a challenge is required.

If no challenge is required (frictionless flow), or authentication cannot be performed for some reason, no further action is required from a 3-D Secure standpoint. Proceed to the Completing Authentication section for details on closing the Transaction.

If a challenge is required, the 3DS Server should return the ClientAuthResponse property value to the app for use when starting the challenge process. The Performing a Challenge section details how to perform the challenge.

Performing a Challenge

If a challenge is required, the challenge is performed by creating the Challenge Parameters (using the ClientAuthResponse from the 3DS Server component) and following the steps in the Starting the Challenge section. The SDK will take care of all communication with the ACS while performing the challenge, as well as prompting the user as needed for the required input. When the challenge process is complete, the relevant Challenge Status Receiver callback will fire.

Challenge Status Receiver

ChallengeStatusReceiver is an interface used to obtain the result of the SDK challenge process. This should be implemented in the application and passed to the doChallenge method when Starting the Challenge. When the challenge process has finished, either successfully or in error, one of the following corresponding methods will be called:

NameDescription
completedCalled when the challenge process (that is, the transaction) is completed. When a transaction is completed, a transaction status will be available.
cancelledCalled when the cardholder selects the option to cancel the transaction on the challenge screen.
timedoutCalled when the challenge process reaches or exceeds the timeout interval that is specified during the doChallenge call.
protocolErrorCalled when the 3DS SDK receives an EMV 3-D Secure protocol-defined error message from the ACS.
runtimeErrorCalled when the 3DS SDK encounters errors during the challenge process. These errors include all errors except those covered by the protocolError method.
Example implementations of these methods can be found below:

func completed(_ completionEvent: CompletionEvent) { showToast("Challenge completed with transactionStatus " + completionEvent.getTransactionStatus()) try? closeTransaction() } func cancelled() { showToast("Challenge cancelled.") try? closeTransaction() } func timedout() { showToast("Challenge timed out.") try? closeTransaction() } func protocolError(_ protocolErrorEvent: ProtocolErrorEvent) { showToast("Challenge protocolError: " + protocolErrorEvent.getErrorMessage().getErrorDescription() + "\t" + protocolErrorEvent.getErrorMessage().getErrorDetails()); try? closeTransaction() } func runtimeError(_ runtimeErrorEvent: RuntimeErrorEvent) { showToast("Challenge runtimeError: " + runtimeErrorEvent.getErrorMessage()); try? closeTransaction() } // Helper method func closeTransaction() throws { if sdkTransaction != nil { try sdkTransaction?.close() sdkTransaction = nil } }

Challenge Parameters

The ChallengeParameters class holds parameters that are required to conduct the challenge process. This is passed to the doChallenge method when Starting the Challenge. Available properties, accessible via getters and setters, are:

Property NameTypeDescription
3DSServerTransactionIDString3DS Server Transaction ID.
AcsTransactionIDStringACS Transaction ID.
AcsRefNumberStringACS Reference Number.
AcsSignedContentStringACS signed content. This data includes the ACS URL, ACS ephemeral public key, and SDK ephemeral public key.
ThreeDSRequestorAppURLString3DS Requestor App URL.
ThreeDSServerAuthResponseStringThe Authentication Response from the 3DS Server component.
These properties can be set individually based on what comes back from the 3DS Server. If using the 3DS Server component, the ThreeDSServerAuthResponse can be set to the generated ClientAuthResponse value, and the other properties will be set automatically based on this value.

let challengeParameters = ChallengeParameters(threeDSServerAuthResponse: authResponse)

Starting the Challenge

If the response from the 3DS Server indicates that a challenge is required, the challenge process is initiated using the doChallenge method. When this is called, control of the UI is handed over to the 3DS SDK. The challenge will be performed by the SDK, and when finished the appropriate Challenge Status Receiver event will fire (completed, cancelled, etc.) try sdkTransaction?.doChallenge(rootViewController: navigationController, challengeParameters: challengeParameters, challengeStatusReceiver: self, timeout: 5)

The doChallenge method takes the following parameters:

Parameter NameTypeDescription
navigationControllerUINavigationControllerThe view controller used by the SDK for the challenge process.
challengeParametersChallengeParametersACS details required by the 3DS SDK to conduct the challenge process during the transaction. For details, see the Challenge Parameters section.
challengeStatusReceiverChallengeStatusReceiverCallback object for notifying the 3DS Requestor App about the challenge status. For details, see the Challenge Status Receiver section.
timeoutIntegerTimeout interval (in minutes) within which the challenge process must be completed. The minimum timeout interval is 5 minutes.

Completing Authentication

If the completed callback fires, the CompletionEvent parameter will contain more details on the authentication results. This has two properties: sdkTransactionID, and transactionStatus. The transactionStatus contains the transStatus from the last CRes packet, which would be one of the values below:

  • Y: Order completed successfully / Authentication successful
  • A: Order completed successfully / Attempts processing performed
  • N: Order denied / Not authenticated (denied)
  • R: Order denied / Authentication rejected
  • U: Order failed due to technical reasons / Authentication could not be performed

Managing Resources

The cleanup method frees up resources that are used by the 3DS SDK. The cleanup method should be called only once during a single 3DS Requestor App session:

threeDS2Service.cleanup();

Application Permission Notes

The SDK itself does not require any specific permissions outside of internet access, and it will use only the permissions that the application has requested. The app should require permission before the SDK is initialized. This is required by the specification and some device parameters will not be available if permission is not granted.

For a full list of required permissions for each device parameter, see the EMV® 3-D Secure SDK Device Information document, which can be obtained from EMVCo directly.