Appendix 3: Biometric/OOB Fields

This section provides details of the fields used in biometric/OOB NotifyInitiateAction and NotifyValidate message requests and responses.

NotifyInitiateAction Message Fields

Below are details of the fields in the NotifyInitiateAction request which Thredd sends to your systems. For more information, see Initiating a Biometric Session.

| Field | Description | Data type | Length | Status |
|---|---|---|---|---|
| Pubtoken | Thredd 9-digit public token linked to the card. | Number | Up to 9 characters | Required |
| GPSInitiateActionID | 36-character unique identifier of the NotifyInitiateAction request. | String | 36 characters | Required |
| MessageVersion3DS | 3D Secure message version (e.g., 1.0.2). | String | Up to 8 characters | Required |
| Credential | | Object | | |
| ID | Unique credential identifier which Thredd generates during enrolment. | String | 36 characters | Required |
| Type | Credential type: BIOMETRIC or OUTOFBAND. SMSOTP is not sent to Program Managers; Thredd sends OTP messages directly to cardholders. Note: Please discuss with your Implementation Manager before implementing OOB authentication. | String | ENUM | Required |
| Text | Credential value. For example, when type is OTPSMS value is “+447654123456” and when type is BIOMETRIC, value is “YOUR BANK MOBILE APP” | String | Up to 254 characters | Optional |
| ChannelCreated | How the request was created: GA - Thredd auto-enrolment process; PM - Program Manager calling Thredd Hyperion API Credential Call. Note: Thredd recommends you store credentials upon receiving the NotifyInitiateAction request. | String | ENUM | Optional |
| MerchantInfo | | Object | | Optional |
| AcquirerID | Identifier of the merchant acquirer. | String | Up to 11 characters | Optional |
| MerchantID | Identifier of the merchant performing the purchase request. | String | Up to 35 characters | Optional |
| MerchantName | Merchant name. | String | Up to 40 characters | Optional |
| MerchantURL | URL or name of the merchant's website or app. (Also known as the RequestorAppUrl field; this is optional data, which the merchant may provide) | String | Up to 2048 characters | Required |
| MerchantCategoryCode | Category code describing the type of merchant business. | String | 4 characters | Optional |
| MerchantCountryCode | Country code of the merchant. For 3DS1 transactions this value is the 2-letter format (e.g., US). For 3DS2 transactions this value is the 3-digit number format (e.g., 840). | String | Up to 3 characters | Optional |
| MerchantAppRedirectURL | The callback URL for the merchant's app, which your authentication app should use to enable the merchant app to redirect the cardholder back to the checkout page once they have authenticated. If this field is empty, your app does not need to initiate a callback to the merchant's app. | String | Up to 256 characters | Optional |
| TransactionInfo | | Object | | Optional |
| TransactionTimeStamp | Transaction timestamp in UTC, as per the ISO 8601 UTC specification (e.g., 2019-03-21T20:55:49.000Z). | String | 24 characters | Optional |
| TransactionAmount | Transaction amount in minor currency units (e.g., 1000 for $10.00). | Number | Up to 48 characters | Optional |
| TransactionCurrency | 3-digit numeric ISO 4217 currency code. | String | 3 characters | Optional |
| TransactionExponent | Exponent for formatting the given ISO 4217 currency code. | Integer | 1 character | Optional |
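
The following is an added example, not Thredd code: a receiving endpoint can check an inbound NotifyInitiateAction message against the types, lengths and enum values in the table before acting on it. It assumes the message has been parsed into a dict with sub-fields nested under the rows marked Object, and it covers a subset of the fields; the function name and sample values are constructed for illustration.

```python
# Added example: checks a parsed NotifyInitiateAction message against the table.
# Assumption: sub-fields are nested under the rows marked "Object" (dict/JSON shape).
CREDENTIAL_TYPES = {"BIOMETRIC", "OUTOFBAND"}

# (object or None for top level, field, kind, length, exact length?, required?)
RULES = [
    (None, "Pubtoken", "num", 9, False, True),
    (None, "GPSInitiateActionID", "str", 36, True, True),
    (None, "MessageVersion3DS", "str", 8, False, True),
    ("Credential", "ID", "str", 36, True, True),
    ("Credential", "Type", "str", None, False, True),
    ("Credential", "Text", "str", 254, False, False),
    ("MerchantInfo", "MerchantAppRedirectURL", "str", 256, False, False),
    ("TransactionInfo", "TransactionTimeStamp", "str", 24, True, False),
    ("TransactionInfo", "TransactionAmount", "num", 48, False, False),
    ("TransactionInfo", "TransactionCurrency", "str", 3, True, False),
]

def validate_initiate_action(msg):
    """Return a list of problems; an empty list means every checked field conforms."""
    errors = []
    for obj, field, kind, length, exact, required in RULES:
        parent = msg if obj is None else msg.get(obj)
        if not isinstance(parent, dict):
            parent = {}  # absent or malformed object: only required sub-fields are reported
        name = f"{obj}.{field}" if obj else field
        value = parent.get(field)
        if value is None:
            if required:
                errors.append(f"{name}: missing")
            continue
        is_num = isinstance(value, int) and not isinstance(value, bool)
        if (kind == "num") != is_num or (kind == "str" and not isinstance(value, str)):
            errors.append(f"{name}: wrong type")
            continue
        n = len(str(value))
        if length and (n > length or (exact and n != length)):
            errors.append(f"{name}: length {n} not allowed")
        if name == "Credential.Type" and value not in CREDENTIAL_TYPES:
            errors.append(f"{name}: unknown value")
    return errors

# Constructed sample message, for illustration only.
SAMPLE = {
    "Pubtoken": 123456789, "GPSInitiateActionID": "00000000-0000-0000-0000-000000000000",
    "MessageVersion3DS": "2.1.0",
    "Credential": {"ID": "11111111-1111-1111-1111-111111111111", "Type": "BIOMETRIC"},
    "TransactionInfo": {"TransactionTimeStamp": "2019-03-21T20:55:49.000Z", "TransactionAmount": 1000},
}
```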

 

NotifyValidate Message Fields

Below are details of the fields in the NotifyValidate message which you should use to notify Thredd of the result of the biometric/OOB session. For more information, see Notifying Thredd of the Result of the Biometric Session.

| Field | Description | Data type | Length | Status |
|---|---|---|---|---|
| Pubtoken | The 9-digit Thredd public token (must be copied from the NotifyInitiateAction request). | Number | 9 characters | Required |
| GPSInitiateActionID | The unique identifier of the NotifyInitiateAction request (must be copied from the NotifyInitiateAction request). | String | 36 characters | Required |
| PMReferenceID | Optional biometric or out of band validation reference for referencing purposes. Generated by the Program Manager. | String | Up to 36 characters | Optional |
| ProgMgrCode | Program Manager code for the issuer. | String | 4 characters | Required |
| Status | One of the following status values must be returned: SUCCESS – the cardholder was successfully authenticated; FAILURE – the cardholder could not be successfully authenticated (the cardholder will be shown the standard feedback message defined in Cardinal); ERROR – used for any internal or technical failures; STEPUP – triggers your fallback authentication option (e.g., SMSOTP); FAILWITHFEEDBACK – when authentication fails, this option allows you to display a customised feedback message to the cardholder, as sent in the error object. | String | ENUM | Required |
| Error | | Object | | |
| Reference number | Program Manager reference number for the error. Used by Thredd for referencing purposes. Used for FAILURE, ERROR and FAILWITHFEEDBACK status. | String | Up to 15 characters | Optional |
| Description | Short description of the error. Used by Thredd for referencing purposes. Used for FAILURE, ERROR and FAILWITHFEEDBACK status. | String | Up to 50 characters | Optional |
| Message | A message that will be displayed to the cardholder. Used for FAILWITHFEEDBACK status. | String | Up to 100 characters | Optional |
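
The following is an added example, not Thredd code: it builds a NotifyValidate message so that the two identifiers are always copied from the NotifyInitiateAction request and the Error fields are only sent with the statuses the table allows. The dict shape, the function names, the Error key name ReferenceNumber (for the "Reference number" row) and the sample values are assumptions made for illustration.

```python
# Added example: builds a NotifyValidate message under the rules in the table above.
# Assumptions: dict/JSON shape, and the Error key name "ReferenceNumber" for the
# "Reference number" row.
STATUSES = {"SUCCESS", "FAILURE", "ERROR", "STEPUP", "FAILWITHFEEDBACK"}
ERROR_STATUSES = {"FAILURE", "ERROR", "FAILWITHFEEDBACK"}

def _limited(name, value, limit):
    """Return value if it is a string within the table's length limit."""
    if not isinstance(value, str) or len(value) > limit:
        raise ValueError(f"{name}: must be a string of up to {limit} characters")
    return value

def build_notify_validate(request, prog_mgr_code, status, pm_reference_id=None,
                          reference=None, description=None, message=None):
    if status not in STATUSES:
        raise ValueError(f"Status: {status!r} is not an allowed value")
    if not isinstance(prog_mgr_code, str) or len(prog_mgr_code) != 4:
        raise ValueError("ProgMgrCode: must be exactly 4 characters")
    reply = {
        # Both identifiers are copied from the request, never regenerated.
        "Pubtoken": request["Pubtoken"],
        "GPSInitiateActionID": request["GPSInitiateActionID"],
        "ProgMgrCode": prog_mgr_code,
        "Status": status,
    }
    if pm_reference_id is not None:
        reply["PMReferenceID"] = _limited("PMReferenceID", pm_reference_id, 36)
    error = {}
    if reference is not None:
        error["ReferenceNumber"] = _limited("Error reference number", reference, 15)
    if description is not None:
        error["Description"] = _limited("Error.Description", description, 50)
    if message is not None:
        # Message is shown to the cardholder, so it is tied to FAILWITHFEEDBACK only.
        if status != "FAILWITHFEEDBACK":
            raise ValueError("Error.Message is only used with FAILWITHFEEDBACK")
        error["Message"] = _limited("Error.Message", message, 100)
    if error:
        if status not in ERROR_STATUSES:
            raise ValueError(f"Error object is not used with status {status}")
        reply["Error"] = error
    return reply

# Constructed request fragment, for illustration only.
REQUEST = {"Pubtoken": 123456789,
           "GPSInitiateActionID": "00000000-0000-0000-0000-000000000000"}
```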

Thredd Response

Below are details of the Thredd response to your NotifyValidate message:

| Field | Description | Data type | Length | Mandatory / Optional |
|---|---|---|---|---|
| Pubtoken | Thredd 9-digit public token. | Number | 9 characters | Required |
| GPSInitiateActionID | A unique identifier for each NotifyInitiateAction request. | String | 36 characters | Required |
| PMReferenceID | Optional biometric / out of band validation reference ID for referencing purposes. | String | Up to 36 characters | Optional |
| Status | The authentication status: SUCCESS – the 3DS result was received before the timeout period; TIMEOUT – the 3DS result was received after the timeout period; ERROR – in case of any internal technical failures; FAILURE – in case of any validation failures. | String | ENUM | Required |
| Error | | Object | | |
| Reference number | Program Manager reference number for the error. Used by Thredd for referencing purposes. Used for ERROR status only. | String | Up to 15 characters | Optional |
| Description | Short description of the error. Used by Thredd for referencing purposes. Used for ERROR status only. | String | Up to 100 characters | Optional |