7. Sandbox Testcases

The sandbox contains a list of test cases meant to assist you in implementation.

It is also the intension that you can use the sandbox for automatic integration testing of your service. We will not modify individual test cases. If need be, we can deprecate them with a sufficient grace period.

The 3-D Secure server sandbox validates input according to the specification.

7.1. Generic Tests

Test

Trigger PAN

What’s being tested in your system

Card not enrolled

9000100111111111

Handling not enrolled response. This test only involves the preauth call.

7.2. Browser Tests

These tests involve deviceChannel: 02. This must be set in all authentication requests.

For all these tests:
  1. Perform the preauth call.

  2. Execute the 3DS Method if available.

  3. Perform a regular auth request. Use the same acctNumber as used in the preauth call.

  4. Fetch the challenge result using the postauth endpoint if relevant.

The /auth browser example input is usable for all cases. Just change the last four digit in acctNumber where needed.

Message version

This section determines the outcome of the preauth. The response is with acsEndProtocolVersion: 2.1.0, acsEndProtocolVersion: 2.2.0 and/or acsEndProtocolVersion: 2.3.1. This means your system should automatically be able to determine messageVersion. Sending a wrong messageVersion will result in an error.

Read 3-D Secure Version Determination.

Note

The last-4-digit encoding is shared across channels: the same rules apply to 3RI (deviceChannel: 03), which is frictionless only — see 3RI Tests.

Browser testcases

First digit

PAN last 4

Description

0

0xxx

Range messageVersion 2.1, 2.2 and 2.3.1

1

1xxx

messageVersion 2.1

2

2xxx

messageVersion 2.2

3

3xxx

messageVersion 2.3.1

3DS Method

If 3DS Method URL is included in the preauth endpoint response, the 3DS method must be invoked as explained in this guide 3DS Method Invocation.

Read 3DS Method failure if the 3DS method has a timeout.

Browser testcases

Second digit

PAN last 4

Description

0

x0xx

With 3DS method included

1

x1xx

With 3DS method missing

2

x2xx

With 3DS method timeout

ARes outcome

This section determines the outcome of the ARes.

Read Auth usage to understand the flow.

Browser testcases

Third digit

PAN last 4

Description

Requirements

0

xx03

Frictionless transStatus Y

n/a

1

xx13

Frictionless transStatus N

n/a

2

xx23

Frictionless transStatus A

n/a

3

xx33

Frictionless transStatus R

n/a

4

xx43

Frictionless transStatus I

only supported with messageVersion 2.2 or greater

5

xx53

Frictionless transStatus U

n/a

6

xx63

DS timeout

n/a

7

xx7x

transStatus C

Complete the Challenge flow

Challenge flow

This section determines the outcome of the challenge flow.

The challenge flow must be invoked as explained in this guide Challenge flow guide. After the challenge flow invoke /postauth to fetch the challenge result.

Read postauth usage for understanding how to fetch challenge result.

Browser testcases

Fourth digit

PAN last 4

Description

Requirements

0

xx70

Challenge flow automatically passes transStatus Y

transStatus C in ARes see ARes outcome

1

xx71

Challenge flow automatically fails transStatus N

transStatus C in ARes see ARes outcome

2

xx72

Manual challenge with transStatus Y or N

transStatus C in ARes see ARes outcome

7.3. Error

If the last four digits do not match any of the given test cases above, an error will be given.

7.4. Browser Examples

Browser testcases

Testname

PAN example

PAN last 4

Success criteria

What’s being tested in your system

3DS Method timeout messageVersion 2.1 - 2.2

5000100411110203

0203

ARes with transStatus: Y

The threeDSCompInd being set correctly

Frictionless 3DS Method messageVersion 2.2

4000100511112003

2003

ARes with transStatus: Y

Frictionless authentication with 3DS Method

Frictionless no 3DS Method messageVersion 2.1

6000100611111103

1103

ARes with transStatus: Y

Frictionless authentication without 3DS Method

Manual challenge messageVersion 2.1

3000100811111072

1072

RReq with transStatus: Y or N

Challenge authentication with 3DS method

Automatic Challenge pass messageVersion 2.2

7000100911112070

2070

RReq with transStatus: Y

Successful challenge authentication with 3DS method

The challenge will auto-submit using JavaScript

Automatic Challenge fail messageVersion 2.1

3000101011111071

1071

RReq with transStatus: N

Failed challenge authentication with 3DS Method

The challenge will auto-submit using JavaScript

7.5. 3RI Tests

These tests involve deviceChannel: 03. This must be set in all authentication requests, together with messageCategory: 02 and a valid threeRIInd.

For all these tests:
  1. Perform the preauth call.

  2. Perform a regular auth request. Use the same acctNumber as used in the preauth call.

The /auth 3RI example input is usable for all cases.

3RI uses the same last-4 PAN encoding as the Browser Tests: the first digit selects the message version and the third and fourth digits select the ARes outcome. You can therefore use any scheme test PAN (e.g. a Mastercard or Visa BIN) and vary the last four digits.

Because 3RI has no challenge flow (transStatus C is rejected for deviceChannel: 03), only the frictionless outcomes are available. The 3DS Method digit (second of the last 4) has no effect for 3RI.

Message version — first digit of the last 4:

3RI message version

First digit

PAN last 4

Description

0

0xxx

Range messageVersion 2.1, 2.2 and 2.3.1

1

1xxx

messageVersion 2.1

2

2xxx

messageVersion 2.2

3

3xxx

messageVersion 2.3.1

ARes outcome — third and fourth digits of the last 4:

3RI ARes outcome

Third digit

PAN last 4

Description

0

xx03

Frictionless transStatus Y (authenticated)

1

xx13

Frictionless transStatus N (not authenticated)

2

xx23

Frictionless transStatus A (attempted)

3

xx33

Frictionless transStatus R (rejected)

5

xx53

Frictionless transStatus U (unavailable)

6

xx63

DS timeout

For example, a Mastercard test PAN ending in 3003 returns messageVersion 2.3.1 with a frictionless transStatus Y.

Note

3RI does not support the challenge flow, decoupled authentication, or information-only requests. Those last-4 combinations (e.g. the browser challenge xx7x) are rejected for deviceChannel: 03.