Last Updated: 17 January 2024 | Change Log

Challenge display & Verification

If the authentication response outcome is challenged you can use the SDK to provide the improved 3DS2 Challenge display for mobile devices.

3DS Challenge display

You will need the following values from the authentication response to use in the SDK.

Access NameValue fromCardinal SDK Name
challenge.referenceauthentication responsetransactionId
challenge.payloadauthentication responsepayload

The Access 3DS API is periodically tested against the latest version of the Cardinal SDK. You can see the latest tested version in the change log

SDK challenge display:

Customize Challenge Interface

As part of SDK setup you can customise the challenge user interface


Once the challenge has been completed, you must make a verification request to verify the result of the challenge.


You should only request the verification API from your backend system. You should not call it directly from the mobile application using the Access credentials.

POST your verification request to our 3ds:verify action link received in your authentication response.

Verification example request

You must use v3 of the API for the Android/iOS SDK


Verification request body:

    "transactionReference": "Memory265-13/08/1876",
    "merchant": {
        "entity": "default"
    "challenge": {
        "reference": "123456789"

Verification responses

Best Practice

Access Worldpay returns a WP-CorrelationId in the headers of service responses. We highly recommend you log this. The WP-CorrelationId is used by us to examine individual service requests.

Here are examples of the verification responses you would receive. To understand what these outcomes mean and how to reproduce them for testing purposes see 3DS testing.

  1. Authenticated
  2. Authentication Failed
  3. Signature Failed
  4. Unavailable
    "outcome": "authenticated",
    "transactionReference": "Memory265-13/08/1876",
    "authentication": {
        "version": "2.1.0",
        "authenticationValue": "MAAAAAAAAAAAAAAAAAAAAAAAAAA=",
        "eci": "05",
        "transactionId": "c5b808e7-1de1-4069"

Use the values: version, authenticationValue, eci, transactionId from the request when authorizing a payment. The values prove that the verification was successful, and that the fraud liability has shifted to the issuer.

authentication.versionThe version of 3DS used to process the transaction.
Required for Mastercard's Identity Check transactions in Authorization.
authentication.authenticationValueA cryptographic value that provides evidence of the outcome of a 3DS verification.
  • Visa - Cardholder Authentication Verification Value (CAVV)
  • Mastercard - Universal Cardholder Authentication Field (UCAF)

Used when authorizing a payment.
authentication.eciElectronic Commerce Indicator (ECI).
Indicates the outcome of the 3DS authentication.
  • 02 or 05 - Fully Authenticated Transaction
  • 01 or 06 - Attempted Authentication Transaction
  • 00 or 07 - Non 3-D Secure Transaction
  • Mastercard - 02, 01, 00
  • Visa - 05, 06, 07
  • Amex - 05, 06, 07
  • JCB - 05, 06, 07
  • Diners - 05, 06, 07

You will need to use this when you are authorizing a payment.
authentication.transactionIdA transaction identifier.
If provided, you should use it as part of your payment authorization.
If the authentication.version has a major version of:
  • 1 - value returned known as xid
  • 2 - value returned known as dsTransactionId

Next steps

Take a payment