7. Sandbox Testcases
The sandbox contains a list of test cases meant to assist you in implementation.
It is also the intension that you can use the sandbox for automatic integration testing of your service. We will not modify individual test cases. If need be, we can deprecate them with a sufficient grace period.
The 3-D Secure server sandbox validates input according to the specification.
7.1. Generic Tests
Test |
Trigger PAN |
What’s being tested in your system |
|---|---|---|
Card not enrolled |
|
Handling not enrolled response. This test only involves the preauth call. |
7.2. Browser Tests
These tests involve deviceChannel: 02. This must be set in all
authentication requests.
- For all these tests:
Perform the preauth call.
Execute the 3DS Method if available.
Perform a regular auth request. Use the same
acctNumberas used in thepreauthcall.Fetch the challenge result using the postauth endpoint if relevant.
The /auth browser example input is usable for all
cases. Just change the last four digit in acctNumber where needed.
Message version
This section determines the outcome of the preauth. The response is with
acsEndProtocolVersion: 2.1.0, acsEndProtocolVersion: 2.2.0 and/or acsEndProtocolVersion: 2.3.1.
This means your system should automatically be able to determine messageVersion.
Sending a wrong messageVersion will result in an error.
Read 3-D Secure Version Determination.
Note
The last-4-digit encoding is shared across channels: the same rules apply to
3RI (deviceChannel: 03), which is frictionless only — see
3RI Tests.
First digit |
PAN last 4 |
Description |
|---|---|---|
0 |
0xxx |
Range messageVersion 2.1, 2.2 and 2.3.1 |
1 |
1xxx |
messageVersion 2.1 |
2 |
2xxx |
messageVersion 2.2 |
3 |
3xxx |
messageVersion 2.3.1 |
3DS Method
If 3DS Method URL is included in the preauth endpoint response, the 3DS method must be invoked as explained in this guide 3DS Method Invocation.
Read 3DS Method failure if the 3DS method has a timeout.
Second digit |
PAN last 4 |
Description |
|---|---|---|
0 |
x0xx |
With 3DS method included |
1 |
x1xx |
With 3DS method missing |
2 |
x2xx |
With 3DS method timeout |
ARes outcome
This section determines the outcome of the ARes.
Read Auth usage to understand the flow.
Third digit |
PAN last 4 |
Description |
Requirements |
|---|---|---|---|
0 |
xx03 |
Frictionless transStatus Y |
n/a |
1 |
xx13 |
Frictionless transStatus N |
n/a |
2 |
xx23 |
Frictionless transStatus A |
n/a |
3 |
xx33 |
Frictionless transStatus R |
n/a |
4 |
xx43 |
Frictionless transStatus I |
only supported with messageVersion 2.2 or greater |
5 |
xx53 |
Frictionless transStatus U |
n/a |
6 |
xx63 |
DS timeout |
n/a |
7 |
xx7x |
transStatus C |
Complete the Challenge flow |
Challenge flow
This section determines the outcome of the challenge flow.
The challenge flow must be invoked as explained in this guide Challenge flow guide.
After the challenge flow invoke /postauth to fetch the challenge result.
Read postauth usage for understanding how to fetch challenge result.
Fourth digit |
PAN last 4 |
Description |
Requirements |
|---|---|---|---|
0 |
xx70 |
Challenge flow automatically passes transStatus Y |
transStatus C in ARes see ARes outcome |
1 |
xx71 |
Challenge flow automatically fails transStatus N |
transStatus C in ARes see ARes outcome |
2 |
xx72 |
Manual challenge with transStatus Y or N |
transStatus C in ARes see ARes outcome |
7.3. Error
If the last four digits do not match any of the given test cases above, an error will be given.
7.4. Browser Examples
Testname |
PAN example |
PAN last 4 |
Success criteria |
What’s being tested in your system |
|---|---|---|---|---|
3DS Method timeout |
|
|
|
The |
Frictionless 3DS Method |
|
|
|
Frictionless authentication with 3DS Method |
Frictionless no 3DS Method |
|
|
|
Frictionless authentication without 3DS Method |
Manual challenge |
|
|
|
Challenge authentication with 3DS method |
Automatic Challenge pass |
|
|
|
Successful challenge authentication with 3DS method The challenge will auto-submit using JavaScript |
Automatic Challenge fail |
|
|
|
Failed challenge authentication with 3DS Method The challenge will auto-submit using JavaScript |
7.5. 3RI Tests
These tests involve deviceChannel: 03. This must be set in all
authentication requests, together with messageCategory: 02 and a valid
threeRIInd.
- For all these tests:
Perform the preauth call.
Perform a regular auth request. Use the same
acctNumberas used in thepreauthcall.
The /auth 3RI example input is usable for all
cases.
3RI uses the same last-4 PAN encoding as the Browser Tests: the first digit selects the message version and the third and fourth digits select the ARes outcome. You can therefore use any scheme test PAN (e.g. a Mastercard or Visa BIN) and vary the last four digits.
Because 3RI has no challenge flow (transStatus C is rejected for
deviceChannel: 03), only the frictionless outcomes are available. The
3DS Method digit (second of the last 4) has no effect for 3RI.
Message version — first digit of the last 4:
First digit |
PAN last 4 |
Description |
|---|---|---|
0 |
0xxx |
Range messageVersion 2.1, 2.2 and 2.3.1 |
1 |
1xxx |
messageVersion 2.1 |
2 |
2xxx |
messageVersion 2.2 |
3 |
3xxx |
messageVersion 2.3.1 |
ARes outcome — third and fourth digits of the last 4:
Third digit |
PAN last 4 |
Description |
|---|---|---|
0 |
xx03 |
Frictionless transStatus Y (authenticated) |
1 |
xx13 |
Frictionless transStatus N (not authenticated) |
2 |
xx23 |
Frictionless transStatus A (attempted) |
3 |
xx33 |
Frictionless transStatus R (rejected) |
5 |
xx53 |
Frictionless transStatus U (unavailable) |
6 |
xx63 |
DS timeout |
For example, a Mastercard test PAN ending in 3003 returns
messageVersion 2.3.1 with a frictionless transStatus Y.
Note
3RI does not support the challenge flow, decoupled authentication, or
information-only requests. Those last-4 combinations (e.g. the browser
challenge xx7x) are rejected for deviceChannel: 03.