**Last updated**: 22 April 2025 | [**Change log**](/access/products/3ds/changelog/)

# Challenge display and verification

Use a self submitting form within an iframe to display the issuers challenge screen.

To display the issuers challenge screen within the iframe, use the following parameters from the authentication response:

- `challenge.reference`
- `challenge.url`
- `challenge.jwt`


The content within the iframe is from the issuing bank. The bank performs an identity check on your customer.

#### Optional MD field

Pass data specific to your checkout session and it will be echoed back in the `challenge.returnUrl` originally provided in the [authentication request](/access/products/3ds/web/authentication). This could for example be a checkout sessionId. Any value provided must be URL encoded with a maximum of 1024 characters.

## Challenge form

Once you have the `JWT` and `URL` you can create and submit the Challenge form.

Here's an example of how you would set-up the challenge form in an iframe.

1. Create an iframe and set the `src` attribute with the URL of the page that will POST the Challenge form.
This URL should contain in query string parameters the `challenge.jwt`, `challenge.url` and optionally `MD` as those will be used in the Challenge form.


iframe for challenge form

```html iframe for challenge form
<iframe height= "400" width= "390" src="replace-this-with-the-url-of-your-page-that-posts-the-challenge-form"></iframe>
```

The size you specify for the iframe depends on whether you have provided a `challenge.windowSize` in the [authentication request](/access/products/3ds/web/authentication).

1. Create and host the page that POSTs the Challenge form.


iframe for challenge form

```html iframe for challenge form
<html>
<head>
</head>
<body>

  <!-- Using your preferred programming language, set the 'action' attribute with the value of the query string parameter containing the 'challenge.url' from the authentication response -->
  <form id="challengeForm" method= "POST" action="https://challengeUrl.example.com">

    <!-- Using your preferred programming language, set the 'value' attribute with the value of the query string parameter containing the 'challenge.jwt' from the authentication response -->
    <input type = "hidden" name= "JWT" value= "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqdGkiOiI1NDQzOGIzYS1iYjUzLTEyY2QtODY0My0xNTM2YmU3M2ZmMzUiLCJpYXQiOiIzODU2NzI5NDgyIiwiaXNzIjoiNWJkOWUwZTQ0NDRkY2UxNTM0MjhjOTQwIiwiT3JnVW5pdElkIjoiNWJkOWI1NWU0NDQ0NzYxYWMwYWYxYzgwIiwiUmV0dXJuVXJsIjoiaHR0cDovL21lcmNoYW50LmV4YW1wbGUuY29tL3RocmVlZHNjaGFsbGVuZ2Vjb21wbGV0ZSIsIlBheWxvYWQiOnsiQUNTVXJsIjoiaHR0cHM6Ly9hY3MuZXhhbXBsZS5jb20vM2RzMi9jaGFsbGVuZ2U_aWQ9MTIzNDU2Nzg5IiwiUGF5bG9hZCI6IlZHaHBjeUJwY3lCaElHSmhjMlVnTmpRZ1pXNWpiMlJsWkNCbGVHRnRjR3hsSUc5bUlHRWdNMFJUSUNKd1lYbHNiMkZrSWc9PSIsIlRyYW5zYWN0aW9uSWQiOiJzUk1QV0NRb1FyRWlWeGVoVG51MCJ9LCJPYmplY3RpZnlQYXlsb2FkIjp0cnVlfQ.3Dqjr5MuEC9AG7uvsJCft94-d70NmgR94zIeru8fAYE" />

    <!-- Optional field (max 1024 characters) for you to pass url parameters in the challenge form that will be included/echoed in the response url (`challenge.returnUrl`) after the challenge is complete -->
    <input type="hidden" name="MD" value="merchantSessionId=1234567890" />

  </form>

  <script>
    window.onload = function() {
      // Auto submit form on page load
      document.getElementById('challengeForm').submit();
    }
  </script>

</body>
</html>
```

### Test challenge form

The form below allows you to submit the 3DS challenge details provided in the API response and display the [issuer challenge](/access/products/3ds/web/challenge-verification). This is useful if using tools such as postman/insomnia to test your integration.

Access 3ds - Device Data Collection form
Note
If you get a 400 response on POST of the challenge form ensure:The JWT has not expired (10 minutes)Element/form data names are upper case e.g. `JWT` as shown in the example

### Challenge returnUrl

Once the issuer challenge is complete there is a `POST` to the `challenge.returnUrl` (you provide in the [authentication request](/access/products/3ds/web/authentication)). This should go to your backend where you can retrieve any of the form data, initiate the verification request and display a page in the iframe depending on the outcome in the verification response.

Form data in returnUrl POST:

* `TransactionId` - same value as `challenge.reference` from the authentication response and used in the [verification request](#verification).
* `MD` - If included as part of the [challenge form](#challenge-form).


# Verification

Once the challenge form has been completed, you must make a verification request to verify the result of the challenge form.

POST your verification request to our `3ds:verify` action link received in your authentication response if your outcome is `challenged`.

## Verification example request

POST  `https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/verification`

Verification request body:

## Verification responses

Best practice
Access Worldpay returns a `WP-CorrelationId` in the headers of service responses. We **highly recommend** you log this. The `WP-CorrelationId` is used by us to examine individual service requests.

Here are examples of the verification responses you would receive. To understand what these outcomes mean and how to reproduce them for testing purposes see [3DS testing](/access/products/3ds/testing).

Authenticated
Successful authentication following a challenge

authenticated

```json authenticated
  {
      "outcome": "authenticated",
      "transactionReference": "Memory265-13/08/1876",
      "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581",
      "status": "Y",
      "enrolled": "Y",
      "authentication": {
          "version": "2.1.0",
          "authenticationValue": "MAAAAAAAAAAAAAAAAAAAAAAAAAA=",
          "eci": "05",
          "transactionId": "c5b808e7-1de1-4069"
      }
  }
```

authenticated - Cartes Bancaires

```json authenticated - Cartes Bancaires
    "transactionReference": "Memory265-13/08/1876",
    "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581",
    "status": "Y",
    "enrolled": "Y",
    "authentication": {
        "version": "2.1.0",
        "authenticationValue": "AAIBBYNoEwAAACcKhAJkdQAAAAA=",
        "eci": "05",
        "transactionId": "1be85590-d6f9-4a0b-93c9-3a7188d9a463",
        "cryptogramAlgorithm": "1",
        "challengePreference": "challengeMandated",
        "authenticationFlow": "challenge",
        "brand": "cartesBancaires"
    }
}
```

Authentication Failed
Issuer failed the authentication following the challenge

authenticationFailed

```json authenticationFailed
  {
      "outcome": "authenticationFailed",
      "transactionReference": "Memory265-13/08/1876",
      "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581",
      "status": "N",
      "enrolled": "Y",
      "authentication": {
          "version": "2.2.0",
          "eci": "00",
          "transactionId": "N+en2I5+ZK/kQqk69wXdI8XIPg8="
      },
      "_links": {
          "3ds:authenticate": {
              "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication"
          },
          "curies": [
              {
                  "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}",
                  "templated": true,
                  "name": "3ds"
              }
          ]
      }
  }
```

authenticationFailed - Cartes Bancaires

```json authenticationFailed - Cartes Bancaires
    "transactionReference": "Memory265-13/08/1876",
    "acsTransactionId": "fe007a6e-315f-4cdf-98ca-28a9e40e3581",
    "status": "N",
    "enrolled": "Y",
    "authentication": {
        "version": "2.1.0",
        "eci": "07",
        "transactionId": "424c464d-3b04-4101-950a-8a71cd1f9dc6",
        "cryptogramAlgorithm": "1",
        "challengePreference": "challengeMandated",
        "authenticationFlow": "frictionless",
        "statusReason": "01",
        "brand": "cartesBancaires"
    },
    "_links": {
        "3ds:authenticate": {
            "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication"
        },
        "curies": [
            {
                "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}",
                "name": "3ds",
                "templated": true
            }
        ]
    }
}
```

Signature Failed
signatureFailed

```json signatureFailed
  {
      "outcome": "signatureFailed",
      "transactionReference": "Memory265-13/08/1876",
      "authentication": {
          "version": "1.0.2",
          "eci": "02"
      },
      "_links": {
          "3ds:authenticate": {
              "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication"
          },
          "curies": [
              {
                  "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}",
                  "templated": true,
                  "name": "3ds"
              }
          ]
      }
  }
```

Unavailable
Error/Timeout whilst attempting authentication.

unavailable

```json unavailable
  {
      "outcome": "unavailable",
      "transactionReference": "Memory265-13/08/1876",
      "_links": {
          "3ds:authenticate": {
              "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication"
          },
          "3ds:verify": {
              "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/verification"
          },
          "curies": [
              {
                  "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}",
                  "templated": true,
                  "name": "3ds"
              }
          ]
      }
  }
```

Best practice
The `authenticationValue` cannot be re-used in multiple authorisation requests. Re-using the `authenticationValue` in this way will result in issuer declines and may incur fees.

Apply the details (such as `eci`, `version`, `authenticationValue`, `transactionId`) required by [Card Payments](/access/products/card-payments/) in the [authorization request](/access/products/card-payments/authorize-a-payment#3ds). See [Testing](/access/products/3ds/testing) for details.

**Next steps**

[Take a payment](/access/products/card-payments/authorize-a-payment#3ds)
[Testing](/access/products/3ds/testing)