4 Steps in a 3D Secure Project

This section describes the steps in setting up a 3D Secure service.

4.1 Overview of Steps

A project starts once we have received your requirements. A typical project takes 4-5 weeks, but you should plan for additional time to allow for contingencies.

Figure 5 below provides an overview of the steps in a typical project.

Figure 6: Steps in a 3D Secure Project

Refer to the table below.

#	Step/Action	Approximate time needed
1	Complete your 3DS Product Setup Form (PSF) Your Thredd 3DS project manager can help you complete this form, which provides details of your 3D Secure service configuration at Thredd. To support Biometric or Out of Band, you will need to provide the endpoint for receiving the `DelegateSCANotification` API call. You will need to supply one endpoint for the UAT environment and another endpoint for the Production/Live environment. To support OTP authentication where you manage authentication (delegated SMS), you will need to provide the endpoint for receiving the `DelegateOTPNotification` API call. You will need to supply one endpoint for the UAT environment and another endpoint for the Production/Live environment.	Allow 1-2 days.
2	Thredd configures your 3D Secure account settings Thredd configures your challenge methods, challenge screens, card programs and setup all other requirements in the UAT environment. Sign off by the Program Manager is required after the configuration. Your issuer (BIN sponsor) may also request to review. A configuration review call will be arranged to walk through your Apata 3D Secure configuration for sign off. You will also need to provide your brand logo in svg (scalable vector graphics) image format if required, which will be displayed on the challenge screens.	Allow 1-2 weeks to configure your service.
3	Integrate the 3D Secure API for client-managed OTP authentication (if applicable) You will need to: Permit Thredd to access your systems for sending calls for authentication to your organisation in UAT and Production. For details of the allowed Thredd IP addresses, see Authorising Thredd IP Addresses. Provide Thredd with your `DelegateOTPNotification` endpoints for UAT and Production, and a list of IP addresses. See more details on Setting up Firewall Permissions.	Allow 1-2 weeks. This step can happen in parallel while Thredd set up your account.
3	Integrate the 3D Secure API for Biometric/ Out of Band authentication (if applicable) You will need to: Permit Thredd to access your systems for sending Biometric/OOB calls to your organisation in UAT and Production. For details of the allowed Thredd IP addresses, see Authorising Thredd IP Addresses. Provide Thredd with your `DelegateSCANotification` endpoints for UAT and Production, and a list of IP addresses for using the Biometric/OOB services. See more details on Setting up Firewall Permissions. Thredd will set up your oAuth access and provide you with credentials for the Thredd oAuth server. See more details on Using the oAuth Server.	Allow 1-2 weeks. This step can happen in parallel while Thredd set up your account.
4	Thredd provide training Thredd provide your users with training on the Apata Portal.	Allow 1 day. (Booking at least 2 weeks in advance is suggested.)
5	Enrol your test cards in 3D Secure Thredd activates a single card product in the UAT environment, so you can enrol a few cards for UAT testing. You can enrol your cards and specify the types of authentication: if using Web Services then use the 3D Secure Web service (`Ws_AddUpDelCredentials`; if using Cards API, then use the `Create 3DS Credentials` API.	It takes 1-2 hours for Thredd to activate the card product. Allow 1-2 hours to enrol cards in the Thredd UAT environment and run authentication tests. See step 6. Then repeat in Pilot production. See step 7.
6	Complete UAT testing Once 3D secure is configured, Thredd release the project into the UAT environment for you to test and sign off. You are required to provide sign-off by email. A default challenge risk profile will be created for you, with any exemptions specified in the PSF. You will be able to add conditional rules as required. You can then start testing in UAT using the Apata merchant simulator.	It will take you 1-3 hours to set up your rules (e.g., for Success, Fail/Reject or Challenge outcomes) and link your BIN range(s). Allow a week to complete UAT testing and provide sign-off.
7	Complete pilot Production testing Thredd sets up your 3D Secure configuration in the production environment: Thredd activates a single card product in the Production environment, so you can enrol a few cards for pilot testing. If you are not self-issuing, your issuer (BIN sponsor) must enrol your pilot cards to be enrolled at the Scheme (by submitting a card range file; Thredd will provide you with the Apata ACS URLs1)	The full pilot testing phase takes around 1-2 weeks: Allow a week for Thredd and Apata to release your configuration to the Production environment for Pilot testing. Mastercard takes around 3 days to set up pilot cards. Visa takes 1-2 weeks to set up pilot cards. Providing the pilot cards in advance can speed up the process. Allow 1-2 days for enrolling the pilot cards (using the web service / cards API) and for pilot card testing.
8	Roll out to Production (Live) Notify Thredd once you have completed your pilot testing. Thredd configures your card products for 3D Secure. You need to enrol all your live cards in 3D Secure and register them for your supported authentication types (e.g., Biometric or OTP SMS). Thredd also offer an auto-enrolment option. See Card Auto Enrolment. Notify Thredd that you have completed enrolment. If you are not self-issuing, your issuer (BIN sponsor) must contact the Card Scheme (payment network) to enrol the rest of your card ranges.	Allow a week to 10 days to complete the roll-out at the Card Scheme (payment network) and to enrol your cards.