Important

We have released a new version. Documentation for our latest version can be found here.

Last Updated: 17 January 2024 | Change Log

Device data

Device Data Collection (DDC) is used by the card issuer to fingerprint the customer's device. Along with the risk data in the authentication request it's used to decide if a challenge is required or if the authentication can be frictionless. This step is required for the authentication to use 3DS2.

Device data initialization

POST your device data initialization request to the 3ds:deviceDataInitialize action link.

This request creates a JSON Web Token (JWT) that is used as part of the Device Data Collection (DDC) form. The DDC form also requires the first six digits of your customers card number (BIN). The Bank Identification Number (BIN) can be returned if a token resource is provided, see JWT + BIN (token) request.

For consistency of integration you can also provide the full card number JWT + BIN (card). It will be truncated to become the BIN in the response.

Device data initialization example request

POST https://try.access.worldpay.com/verifications/customers/3ds/deviceDataInitialization

JWT only
JWT + BIN (token)
JWT + BIN (card)

{
    "transactionReference": "unique-transactionReference",
    "merchant": {
        "entity": "default"
    }
}

Parameter Mandatory Description

transactionReference ✅ A unique reference for device data JWT request. for example, e-commerce order code.

merchant.entity ✅ Used to route the request in Access Worldpay, created as part of on-boarding.

Parameter	Mandatory	Description
`transactionReference`	✅	A unique reference for device data JWT request. for example, e-commerce order code.
`merchant.entity`	✅	Used to route the request in Access Worldpay, created as part of on-boarding.
`paymentInstrument.type`	❌	An identifier for the `paymentInstrument` being used. `type` : `card/front` See JWT + BIN (card) above `type` : `card/tokenized` See JWT + BIN (token) above

paymentInstrument.type

❌

An identifier for the paymentInstrument being used.

type : card/front

See JWT + BIN (card) above

type : card/tokenized

See JWT + BIN (token) above

Device data initialization response

To understand what these outcomes mean and how to reproduce them for testing purposes see 3DS testing

{
    "outcome": "initialized",
    "transactionReference": "unique-transactionReference",
    "deviceDataCollection": {
        "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJPcmdVbml0SWQiOiJPcmdVbml0IiwiaXNzIjoiYXBpSWQiLCJleHAiOjE1NjI5MjMzNDYsImlhdCI6MTU2MjkyMzQwNiwianRpIjoiYTAzMWVhOGEtN2E0Zi00YTQwLWI1NjMtOTUzMzYzMzVhZGNmIn0.0IK74OIXBxFsxqeOURJz1TFnz14ZTbFJTdTWo9cHUJQ",
        "url": "https://ddcUrl.example.com",
        "bin": "555555"
    },
    "_links": {
        "3ds:authenticate": {
            "href": "https://try.access.worldpay.com/verifications/customers/3ds/authentication"
        },
        "curies": [{
            "href": "https://try.access.worldpay.com/rels/verifications/customers/3ds/{rel}",
            "templated": true,
            "name": "3ds"
        }]
    }
}

Parameter	Description
`deviceDataCollection.jwt`	A digitally signed token that contains additional details required for DDC.
`deviceDataCollection.url`	A `POST` action on the DDC form. Used to redirect to the issuers DDC page.
`deviceDataCollection.bin`	First 6 digits of the card number (Bank Identification Number) to be used as part of DDC. Returned if a token resource or card number is included in the request.

Device Data Collection (DDC) form

Once you have the JWT and BIN you can create and submit the DDC form.

<iframe height="1" width="1" style="display: none;">

    <!-- Set the action to the value in the 'deviceDataCollection.url' from the device data initialization response --->
    <form id="collectionForm" name="devicedata" method="POST" action="https://ddcUrl.example.com">

      <input type="hidden" name="Bin" value="555555" />
      <!-- Use value from 'deviceDataCollection.bin' from the device data initialization response or add the card number -->

      <!-- Set to the value of 'deviceDataCollection.jwt' from the device data initialization response  --->
      <input type="hidden" name="JWT" value="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJPcmdVbml0SWQiOiJPcmdVbml0IiwiaXNzIjoiYXBpSWQiLCJleHAiOjE1NjI5MjMzNDYsImlhdCI6MTU2MjkyMzQwNiwianRpIjoiYTAzMWVhOGEtN2E0Zi00YTQwLWI1NjMtOTUzMzYzMzVhZGNmIn0.0IK74OIXBxFsxqeOURJz1TFnz14ZTbFJTdTWo9cHUJQ" />

    </form>
</iframe>

Once the DDC form is submitted and is successfully sent to the card issuer, you are notified via a postMessage event. This value is provided for both 3DS1 & 3DS2 authentications so you always receive a value.

For security, verify the sender's identity using the postMessage origin property as detailed here.

Environment	Origin
Try	https://secure-test.worldpay.com/
Production	https://centinelapi.cardinalcommerce.com

The message itself contains a SessionId you should provide in the authentication request under deviceData.collectionReference.

{
  "MessageType": "profile.completed",
  "SessionId": "0_3XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX6b5",
  "Status": true
}

Note

If the SessionId value is not provided in the authentication Request the authentication will fallback to 3DS1

Next steps

Authentication

Device data

Device data initialization

Device data initialization example request

Device data initialization response

Device Data Collection (DDC) form

Was this helpful?