5 Completing your 3DS Product Setup Form

Client Information

Your company’s name.

Your company’s legal name.

Your company’s country of residence.

The payment network for your BIN. Thredd supports cards enabled for use on Visa, Mastercard and Discover payment networks.

Your issuer’s (BIN sponsor) Visa Business Identifier (BID) A business ID, which is unique to each Visa business customer..

Your issuer’s (BIN sponsor) primary ICA The Interbank Card Association (ICA) number is a four-digit number assigned by Mastercard that identifies an issuing bank. An ICA can have multiple BINs associated with it., as registered with Mastercard.

Your issuer’s (BIN sponsor) Company Name, as registered with Mastercard.

Your issuer’s (BIN sponsor) Company ID, as registered with Mastercard.

Your Thredd Program ID or code

The default language for the 3D Secure screens.

List any additional languages you support. See Language Support.

The text that appears as the name of the sender of the SMS OTP for validation. This can be up to 11 alphanumeric characters with no spaces.

Whether your organisation is set up as an issuer (BIN sponsor). Select YES or NO.

The name of your issuer (BIN sponsor).

The Compliance Manager is a Cardinal application which provides tools to identify transactions that require Strong Customer Authentication (SCA) Authentication which is a combination of two factors of identification at checkout. Examples include something they know (such as a password or PIN), something they get (such as an OTP in a mobile phone or other device) or something they are (such as their fingerprint)., and enables you to configure rules for handling these transactions. This option is mainly relevant to Issuers (BIN sponsors) in the European Economic Area (EEA) and in other regions who want to conform to the Second Payment Services Directive (PSD2) PSD2 is a European regulation for electronic payment services. It seeks to make payments more secure, boost innovation and help banking services adapt to new technologies. The regulations are available here: https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en. See Creating Rules in Compliance Manager.

In the Cardinal Access tab of the 3DS PSF, please specify the users who you want to be set up with access to Compliance Manager.

For training on how to use Compliance Manager, please contact your 3D Secure project manager.

The Customer Support phone number, including the country code, for cardholders to contact.

The regulatory country of your Issuer (BIN sponsor) Financial organisation and card scheme member, licensed by the scheme to issue cards and process transactions using the scheme’s network..

Select YES or NO. If your organisation is not PCI compliant The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit cards from the major Card Schemes (payment networks). All merchants who handle customer card data must be compliant with this standard. See: https://www.pcisecuritystandards.org/pci_security, this affects the type of card information, such as PAN, which your systems are allowed to process and store.

Whether you currently have a different provider of 3D Secure services/ a different Access Control Server (ACS) A system used to manage the 3D Secure authentication service for the issuer (BIN sponsor). During an authentication session, the ACS communicates with the Card Scheme and Thredd systems, and may also interact with the cardholder, by providing Challenge screens.. Select YES or NO.

If you are using a full BIN Range for your programme, select YES, else select NO.

When do you plan to launch your card programme?

Please check with your Implementation Manager to confirm that this date is feasible. For steps and indicative time scales to launch a 3D Secure service, see Steps in a 3D Secure Biometric/In-app Project.

Indicate your current production environment. For example:

• PRD1 — European Cloud production environment

• PRD2 — Asia-Pacific Cloud production environment

The AAV/CAVV Accountholder Authentication Value (AAV) and Cardholder Authentication Verification Value (CAVV) are cryptographic values returned by the Access Control Server (ACS) or Card Scheme to the Merchant after a successful cardholder authentication. The merchant includes this value in the authorisation message sent to the issuer. is a cryptographic value which is included in the authorisation message request from the Merchant1 The ACS generates the CAVV/AAV for a successful 3D secure session; if Stand-In processing is enabled at the Card SCheme (for low-risk transactions), then the Scheme can step in when ACS is down and generate this value. . It indicates that the 3D secure authentication session was successful. You can request that either Thredd or the Card Scheme (Mastercard, Visa, or Discover) validate this value. Card Scheme validation is typically required if you want the card Scheme to provide Stand-In processing.

If YES: Thredd will validate the AAV/CAVV Accountholder Authentication Value (AAV) and Cardholder Authentication Verification Value (CAVV) are cryptographic values returned by the Access Control Server (ACS) or Card Scheme to the Merchant after a successful cardholder authentication. The merchant includes this value in the authorisation message sent to the issuer.. To set this up:

• Mastercard — keys must be exchanged between Thredd and Cardinal; No action is required from the Program Manager.

• Visa — keys must be exchange between Thredd and Cardinal. Please ensure your Client Information Questionnaire (CIQ) has the correct settings (under the VisaSecure section > ABE1 > K01. Select “I”).

• Discover — keys must be exchanged between Thredd and Cardinal. Please ensure you have informed your Discover Implementation Manager that Thredd will validate the CAVV.

If NO:

• Mastercard — please ensure the BIN has been enroled with the required validation set up at Mastercard (i.e. Mastercard On-Behalf of Services (OBS) AAV Verification Service).

• Visa — please ensure your Client Information Questionnaire (CIQ) has the correct settings (under the VisaSecure section > ABE1 > K01. Select “F” or” V” as appropriate). Please request Visa to generate the CAVV key and encrypt with Cardinal ZCMK (BIN = 763641 and ZCMK KCV = 89CEE0). Share the CAVV key file securely with your Thredd Implementation Manager.

• Discover – Discover will validate the CAVV. Please request for Discover to generate the CAVV key and share it to Cardinal.

Setup Options (provide details for Test and Production separately)

Select the default authentication type to support all sub-BIN ranges. Options are:

• Biometric

• SMS OTP

• KBA

• OUTOFBAND

• ALL2 ALL includes Biometric and OTP, but not KBA. If Thredd returns ALL, then during the online transaction the cardholder is shown a screen showing all available options and can select their preferred authentication method.

This is used for the following purposes: a) to enable a card to be enroled in this type; b) to use as the default type of authentication during a real-time authentication session with Cardinal; c) to support auto-enrolment.

Note: Please discuss with your Implementation Manager before implementing OOB authentication.

Select the fallback authentication type to support all sub-BIN ranges. Options are:

• SMS OTP

• KBA

• OUTOFBAND

• ALL

• None

This is used for two purposes: a) to enable a card to be enroled in this type; b) to use as the fallback type of authentication during a real-time authentication session with Cardinal, if the default type cannot be used for any reason.

The period (in seconds) you have to respond to a request for Biometric validation before the system times out3 The request for validation is sent using the NotifyInitiateAction API to the NotifyInitiateAction endpoint you specify for this service. See Initiating a Biometric Session.. The maximum is 900 seconds.

This is the time from when we notify you to start authentication, up to your validation response.

The period (in seconds) you have to respond to a request for Out of Band validation before the system times out. The maximum is 900 seconds.

This is the time from when we notify you to start authentication, up to your validation response.

The endpoint Thredd should use to send you the Biometric validation request. (Implemented using the (NotifyInitiateAction API. See Initiating a Biometric Session

Note: Your endpoint (in both production and UAT) must resolve to a single or set of static IP addresses.

Provide details of the IP addresses you want Thredd to allow to use the Thredd oAuth server and NotifyValidate endpoint.

Select Yes or No. If you select Yes, Thredd will generate the credentials that will be used to validate the Token.

Options are:

NO— All cards must be enroled for OTP SMS and the mobile number must be registered using either Web Services or Cards API; see Using the Card Enrolment API.

YES - Initial Load — Thredd enrol the existing cards to the OTP SMS credential. Thredd use the phone number linked to the card (i.e., the phone number supplied when the card was created or updated).

YES - Continuous — Same as Initial load, however any future cards created will also have their phone numbers automatically registered for 3D Secure in the same way.

Auto-enrolment enrols all live and active cards. It is not recommended if you wish to exclude some cardholders from enrolment. If using Continuous auto-enrolment, this may restrict your ability to unenrol cards which have been previously enroled and which currently have a live status. SeeSection 8.2 Card Unenrolment.

Options are:

NO— All cards must be enroled for Biometric using either Web Services or Cards API; see Using the Card Enrolment API.

YES - Initial Load — Thredd creates a Biometric credential for all existing cardholders.

YES - Continuous — Same as Initial load, however any future cards created will also have Biometric credentials created the same way.

Auto-enrolment enrols all live and active cards. It is not recommended if you wish to exclude some cardholders from enrolment. If using Continuous auto-enrolment, this may restrict your ability to unenrol cards which have been previously enroled and which currently have a live status. See Section 8.2 Card Unenrolment.Enrol_cards_in_3DSecure.htm

KBA Setup Options (provide details for Test and Production separately)

Enter the KBA questions you want to include. For each KBA question, indicate if required. You can also provide questions in other languages. See KBA Language Support. Thredd will provide you with details of the unique KBA ID linked to each question. You will need to use the relevant KBA ID when enroling the card for KBA. For more information, see Appendix 4: KBA Questions.

Bin Ranges Low and Bin Ranges High

Provide the whole range (14, 16, or 19 digit) of the Sub-BIN or BIN. If you do not own the whole BIN, please provide the SUB-BIN range.

UAT testing cards /UAT product ID

Provide the staging cards and their product ID you want to use for staging testing.

Pilot testing cards /Production product ID