3D Secure Implementation Guide
     Contents
1.   Introduction
2.   General Architecture
3.   Details for the Creation of a Test Account
4.   Strong Customer Authentication through 3D-Secure Wrapper
5.   3D-Secure Wrapper Test Cases
 1. Introduction
This document describes the development required for the strong authentication
of a card holder debiting their card on a website. This is the so-called “3D Secure
Version 2” or “EMV 3D-Secure” process supported through the “Visa Secure” and
“Mastercard Identity Check” services; it has to be executed prior to any card
debiting attempt initiated by the holder on a company’s website.
More specifically, where a company uses “Web Service” for card debits (see
relevant Piraeus Bank specification) made by card holders through the company’s
website, the process described herein should be implemented.
3D-Secure requires the card details (number and expiry date). These are either
entered by the user on the company’s website or, alternatively, the company sends
a “token” obtained at an earlier stage using the Piraeus Bank Tokenization service
(see relevant Piraeus Bank specifications).
 2. General Architecture
The following diagrams show the general architecture for executing a transaction
following the 3D Secure process. There are two alternatives:
B) Use of a token
In this case the Piraeus Bank “Tokenization” service has been used and the
company has stored a “token” that corresponds to a card, the details of which
have been stored in Piraeus Bank. The 3D Secure process is thus executed, using
the token value and not the actual card details.
                 Diagram 1.2: General architecture – use of a token
 3. Details for the Creation of a Test Account
The information to be sent to Piraeus Bank in order to receive the necessary
technical information (test account) for test transactions is as follows (all
items are required):
             Technical data:
              - IP address: IP address of the server from which calls will be made
The test account details provided by Piraeus Bank, once the above information is
sent, are as follows:
           AcquirerID
           MerchantID
           User
           Password
 4. Strong Customer Authentication through 3D-Secure Wrapper
https://paycenter.piraeusbank.gr/services/Wrapper3DSecure.asmx
            Caution!
              - The amount and currency used in the 3D Secure process should
                be identical to those in the sale or pre-authorisation transaction
                that follows.
              - The Web Service call should be made through the Server.
                Cross-origin HTTP requests via scripts are not allowed.
  The Web Service request and response parameters are described below, followed
  by a diagram of the algorithm to be used. Next to each parameter name there is
  one of the following indicators:
       - M (Mandatory): The parameter must have a value.
       - O (Optional): A value is not required for the parameter.
       - C (Conditional): The parameter must have a value subject to the
         conditions mentioned in the description.
                            REQUEST PARAMETERS
Parameter name               Description                                    Type
AcquirerID (M)               The acquirer id. Provided by Piraeus Bank.     String (up to 5 characters)
MerchantID (M)               The merchant ID. Provided by Piraeus Bank.     Integer
User (M)                     User name. Provided by Piraeus Bank.           String (up to 50 characters)
Password (M)                 User password hashed using the MD5 algorithm.  String (up to 50 characters)
                             Provided by Piraeus Bank (in plain,
                             non-hashed form).
RequestType (M)              Request type (see diagram below).              String
                             Possible values:
                               - EnrollmentRequestInit
                               - EnrollmentRequestContinue
                               - PAResValidationRequest
                                Note:
                                Most Issuers do not display this
                                description.
Pan (C)                      Card number or token value.                    String (up to 19 numeric digits)
                             A value is required when
                             RequestType=EnrollmentRequestInit.
Expiry (C)                   The card expiry date in YYMM format.           String (4 digits)
                               - When RequestType=EnrollmentRequestInit
                                 and the pan contains an actual card
                                 number, a value is required in expiry.
                               - When RequestType=EnrollmentRequestInit
                                 and the pan contains a Paycenter token,
                                 no value is sent.
MD (O)                       The content of this parameter will be          String (up to 254 bytes)
                             returned through POST in the company’s
                             termURL (see parameter description below).
                             It should contain ASCII characters numbered
                             from 0x20 to 0x7E, excluding “<” and “>”. If
                             additional data is required, Base64 encoding
                             is necessary. The final size of the parameter
                             should be up to 254 bytes. It may be assigned
                             a value only when
                             RequestType=EnrollmentRequestInit.
Lang (O)                     ISO 639-1 language code corresponding to the   String (2 characters)
                             language used on the company’s website. E.g.
                             el for Greek, en for English. It may be
                             assigned a value only when
                             RequestType=EnrollmentRequestInit.
TermURL (C)                  The company’s URL to which the user is         String
                             returned following the authentication process
                             in their bank (see diagram below). A value is
                             required when
                             RequestType=EnrollmentRequestInit.
Pares (C)                    It may be assigned a value when                String
                             RequestType=PAResValidationRequest. If the
                             company received a value in the pares
                             parameter when returning to the TermURL, this
                             value is sent here.
Cres (C)                     It may be assigned a value when                String
                             RequestType=PAResValidationRequest. If the
                             company received a value in the cres
                             parameter when returning to the TermURL, this
                             value is sent here.
ThreeDSMethodNotificationURL (C)
                             The company’s URL called under certain         String
                             conditions during the 3D Secure process, in
                             order for a subsequent call to 3D Secure
                             wrapper to follow (see diagram below). A
                             value is required when
                             RequestType=EnrollmentRequestInit.
                             Caution!
                             It is recommended that its value be generated
                             dynamically and the MerchantReference value
                             is included as a parameter (in the query
                             string), so that there is a unique element to
                             establish the link to the transaction upon
                             return (e.g. https://www.test.gr?ref=abcd
                             where ‘abcd’ is the MerchantReference value
                             of the transaction).
ThreeDSCompInd (C)           A value is sent only when                      String
                             RequestType=EnrollmentRequestContinue (see
                             diagram below).
                               - “Y”: Sent only when the wrapper call with
                                 RequestType=EnrollmentRequestContinue
                                 follows the company’s
                                 threeDSMethodNotificationURL call.
                               - “N”: Sent only when the wrapper call with
                                 RequestType=EnrollmentRequestContinue is
                                 made without prior call of the company’s
                                 threeDSMethodNotificationURL (TIMEOUT).
PanMode (O)                  For future use; no value is sent.              String
MessageCategory (O)          Used when authentication is not followed by    String
                             a card transaction (non-payment
                             authentication) and only when
                             RequestType=EnrollmentRequestInit.
                               - For non-payment authentication, value
                                 “NonPayment” is sent.
                               - Alternatively, for payment
                                 authentication, value “Payment” is sent.
* ChallengeWindowSize (C)    Desired window size for card holder            String
                             authentication. Potential values:
                               - W250H400: 250x400
                               - W390H400: 390x400
                               - W500H600: 500x600
                               - W600H400: 600x400
                               - FullScreen: Full screen
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* BrowserIP (C)              The browser’s IP. Accepted values: IPv4,       String
                             e.g. 1.12.123.255, or IPv6, e.g.
                             2011:0db8:85a3:0101:0101:8a2e:0370:7334.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* Navigator_language (C)     Value representing the browser language as     String
                             defined in IETF BCP47. Obtained from the
                             navigator.language HTML property.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* Navigator_javaEnabled (O)  Value representing the ability of the          String
                             cardholder browser to execute Java. Obtained
                             from the navigator.javaEnabled property.
                             Accepted values: true/false.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* Navigator_jsEnabled (C)    Value representing the ability of the          String
                             cardholder browser to execute JavaScript.
                             Accepted values: true/false.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* Screen_colorDepth (C)      Value representing the bit depth of the color  String (1-2 characters)
                             palette for displaying images, in bits per
                             pixel. Obtained from Cardholder browser using
                             the screen.colorDepth property. Accepted
                             values: 1, 4, 8, 15, 16, 24, 32, 48.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* Screen_height (C)          Total height of the Cardholder’s screen in     String (1-6 numeric characters)
                             pixels. Obtained from the screen.height
                             property.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* Screen_width (C)           Total width of the cardholder’s screen in      String (1-6 numeric characters)
                             pixels. Obtained from the screen.width
                             property.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* TimezoneOffset (C)         Time-zone offset in minutes between UTC and    String (1-5 characters)
                             the cardholder browser local time. Note that
                             the offset is positive if the local time zone
                             is behind UTC and negative if it is ahead.
                             Value is returned from the
                             getTimezoneOffset() method. Examples: If UTC
                             -5 hours, TimezoneOffset=300 or +300. If UTC
                             +5 hours, TimezoneOffset=-300.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* UserAgent (C)              Exact content of the HTTP user-agent header.   String (max. 2048 characters)
                             If the total length of the User-Agent sent by
                             the browser exceeds 2048 characters, the
                             system truncates the excess portion.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* BrowserAccept (C)          Value of the accept header field (response     String (max. 2048 characters)
                             types acceptable by the browser). If the
                             total length of the accept header sent by the
                             browser exceeds 2048 characters, the system
                             truncates the excess portion.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* BillAddrCity (C)           Billing address city                           String (up to 50 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* BillAddrCountry (C)        ISO 3166-1 numeric country code,               String (3 numeric digits)
                             corresponding to Billing address country.
                             E.g. 300 for Greece.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* BillAddrLine1 (C)          Additional line 1 of the billing address       String (up to 50 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
BillAddrLine2 (O)            Additional line 2 of the billing address       String (up to 50 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
BillAddrLine3 (O)            Additional line 3 of the billing address       String (up to 50 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
* BillAddrPostCode (C)       Post code of the billing address               String (up to 16 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* BillAddrState (C)          ISO 3166 country subdivision code without      String (max. 3 characters)
                             the country name code, corresponding to
                             Billing address State (if available).
                             Below are the values for the administrative
                             regions of Greece:
                               A  Eastern Macedonia and Thrace
                               B  Central Macedonia
                               C  Western Macedonia
                               D  Epirus
                               E  Thessaly
                               F  Ionian Islands
                               G  Western Greece
                               H  Central Greece
                               I  Attica
                               J  Peloponnese
                               K  Northern Aegean
                               L  Southern Aegean
                               M  Crete
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* ShipAddrCity (C)           Shipping address city                          String (up to 50 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* ShipAddrCountry (C)        ISO 3166-1 numeric country code,               String (3 numeric digits)
                             corresponding to Shipping address country.
                             E.g. 300 for Greece.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* ShipAddrLine1 (C)          Additional line 1 of the shipping address      String (up to 50 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
ShipAddrLine2 (O)            Additional line 2 of the shipping address      String (up to 50 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
ShipAddrLine3 (O)            Additional line 3 of the shipping address      String (up to 50 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
* ShipAddrPostCode (C)       Post code of the shipping address              String (up to 16 characters)
                             The parameter contains only Greek or Latin
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* ShipAddrState (C)          ISO 3166 country subdivision code without      String (max. 3 characters)
                             the country name code, corresponding to
                             Shipping address State (if available).
                             Below are the values for the administrative
                             regions of Greece:
                               A  Eastern Macedonia and Thrace
                               B  Central Macedonia
                               C  Western Macedonia
                               D  Epirus
                               E  Thessaly
                               F  Ionian Islands
                               G  Western Greece
                               H  Central Greece
                               I  Attica
                               J  Peloponnese
                               K  Northern Aegean
                               L  Southern Aegean
                               M  Crete
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* CardholderName (C)         Name of the card holder                        String (2-45 characters)
                             The parameter contains only Latin (not Greek)
                             lowercase & uppercase alphanumeric
                             characters, space, or the following special
                             characters /:_().,+-
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* Email (C)                  E-mail of the card holder                      String (up to 254 characters)
                             The parameter shall meet requirements of
                             Section 3.4 of IETF RFC 5322.
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* HomePhone (C)              Home phone number of the card holder, in       String (up to 19 characters)
                             (..3-..15) format, namely (up to 3 characters
                             dash up to 15 characters).
                             E.g. 210-3288000
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
* MobilePhone (C)            Mobile number of the card holder, in           String (up to 19 characters)
                             (..3-..15) format, namely (up to 3 characters
                             dash up to 15 characters).
                             E.g. +30-6972222222
                             A value is required only when
                             RequestType=EnrollmentRequestInit.
WorkPhone (O)                Work phone number of the card holder, in       String (up to 19 characters)
                             (..3-..15) format, namely (up to 3 characters
                             dash up to 15 characters).
                             E.g. 210-3288000
RecurringInd (O)             It is only used in recurring transactions.     String (1 character)
                             It concerns the first transaction of a
                             recurring payment (i.e. standing order),
                             performed online by the card holder and is,
                             therefore, preceded by the 3d-secure process.
                             It is only sent when
                             RequestType=EnrollmentRequestInit.
                             Potential values:
                               - R, for recurring transactions
                                 (transactions performed at regular
                                 intervals)
                               - C, for unscheduled recurring
                                 transactions (transactions performed at
                                 irregular intervals)
                             Unless the process concerns a recurring
                             transaction, the parameter is omitted.
RecurPurchaseDate (C)        In recurring transactions, it contains the     String (14 characters)
                             date of the first recurring transaction in
                             YYYYMMDDHHMMSS format. It may only have a
                             value when RequestType=EnrollmentRequestInit
                             and provided that the RecurringInd has a
                             value, too.
RecurFreq (C)                In recurring transactions, it contains the     String (max. 4 characters)
                             recurrence frequency of the transaction
                             (integer number of days). It may only have a
                             value when RequestType=EnrollmentRequestInit
                             and provided that the RecurringInd has a
                             value, too.
RecurEnd (C)                 In recurring transactions (i.e. when           String (8 characters)
                             RecurringInd=R or C), it contains the expiry
                             date of the recurring debit in YYYYMMDD
                             format. It may only have a value when
                             RequestType=EnrollmentRequestInit and
                             provided that the RecurringInd has a value,
                             too.
        Attention:
        (*): The above parameters are mandatory, as Issuers may soon be
        rejecting transactions lacking this information.
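
The format rules in the request parameter table can be checked on the company's server before the wrapper is called. The following Python code is an added example, not part of the Piraeus Bank specification; the function names, the Unicode range used for "Greek", the digits-only reading of the phone format and the caller-supplied pan_is_token flag are assumptions, and the sample values are constructed.

```python
import base64
import ipaddress
import re
from urllib.parse import urlencode

# Assumption: "Greek" means the Unicode Greek and Greek Extended blocks.
ADDR = r"[A-Za-z0-9\u0370-\u03FF\u1F00-\u1FFF /:_().,+-]"
NAME = r"[A-Za-z0-9 /:_().,+-]"  # CardholderName is Latin only
# Assumption: phone "characters" are digits, with '+' allowed in the prefix.
PHONE = r"[+0-9]{1,3}-[0-9]{1,15}"
# MD: ASCII 0x20-0x7E without '<' (0x3C) and '>' (0x3E), at most 254 bytes.
MD = r"[\x20-\x3B\x3D\x3F-\x7E]{0,254}"

# Parameters that need a value when RequestType=EnrollmentRequestInit.
REQUIRED = {
    "Pan": r"[0-9]{1,19}",
    "TermURL": r".+", "ThreeDSMethodNotificationURL": r".+",
    "ChallengeWindowSize": r"W250H400|W390H400|W500H600|W600H400|FullScreen",
    "Navigator_language": r".+", "Navigator_jsEnabled": r"true|false",
    "Screen_colorDepth": r"1|4|8|15|16|24|32|48",
    "Screen_height": r"[0-9]{1,6}", "Screen_width": r"[0-9]{1,6}",
    "TimezoneOffset": r"(?=.{1,5}$)[+-]?[0-9]+",
    "UserAgent": r".+", "BrowserAccept": r".+",
    "CardholderName": NAME + "{2,45}",
    "Email": r"(?=.{3,254}$)[^@\s]+@[^@\s]+",  # shape only, not full RFC 5322
    "HomePhone": PHONE, "MobilePhone": PHONE,
}
# Parameters checked only when a value is present.
OPTIONAL = {"MD": MD, "Lang": r"[a-z]{2}", "Navigator_javaEnabled": r"true|false",
            "WorkPhone": PHONE, "RecurringInd": r"R|C"}
for prefix in ("BillAddr", "ShipAddr"):
    REQUIRED.update({prefix + "City": ADDR + "{1,50}", prefix + "Country": r"[0-9]{3}",
                     prefix + "Line1": ADDR + "{1,50}", prefix + "PostCode": ADDR + "{1,16}"})
    OPTIONAL.update({prefix + "Line2": ADDR + "{1,50}", prefix + "Line3": ADDR + "{1,50}",
                     prefix + "State": r".{1,3}"})
# These may only carry a value when RecurringInd has one.
RECURRING = {"RecurPurchaseDate": r"[0-9]{14}", "RecurFreq": r"[0-9]{1,4}",
             "RecurEnd": r"[0-9]{8}"}


def encode_md(data):
    """Return data unchanged if it is a legal MD value, else Base64-encode it."""
    if not re.fullmatch(MD, data):
        data = base64.b64encode(data.encode("utf-8")).decode("ascii")
    if len(data) > 254:
        raise ValueError("MD exceeds 254 bytes")
    return data


def notification_url(base_url, merchant_reference):
    """Per-transaction ThreeDSMethodNotificationURL carrying the reference."""
    return base_url + "?" + urlencode({"ref": merchant_reference})


def validate_enrollment_init(params, pan_is_token):
    """Return the sorted names of parameters that break the table's rules."""
    bad = {k for k, rx in REQUIRED.items() if not re.fullmatch(rx, params.get(k, ""))}
    bad |= {k for k, rx in OPTIONAL.items()
            if params.get(k) and not re.fullmatch(rx, params[k])}
    # Expiry: YYMM for a real card number, no value at all for a Paycenter token.
    expiry = params.get("Expiry", "")
    if pan_is_token:
        expiry_ok = expiry == ""
    else:
        expiry_ok = re.fullmatch(r"[0-9]{2}(0[1-9]|1[0-2])", expiry) is not None
    if not expiry_ok:
        bad.add("Expiry")
    try:
        ipaddress.ip_address(params.get("BrowserIP", ""))  # IPv4 or IPv6
    except ValueError:
        bad.add("BrowserIP")
    for k, rx in RECURRING.items():
        value = params.get(k, "")
        if value and (not params.get("RecurringInd") or not re.fullmatch(rx, value)):
            bad.add(k)
    return sorted(bad)


# Constructed sample values (not real card or customer data).
SAMPLE = {
    "Pan": "4111111111111111", "Expiry": "3012", "MD": encode_md("order=42"),
    "Lang": "el", "TermURL": "https://www.test.gr/return",
    "ThreeDSMethodNotificationURL": notification_url("https://www.test.gr", "abcd"),
    "ChallengeWindowSize": "W390H400", "BrowserIP": "1.12.123.255",
    "Navigator_language": "el-GR", "Navigator_jsEnabled": "true",
    "Screen_colorDepth": "24", "Screen_height": "1080", "Screen_width": "1920",
    "TimezoneOffset": "-120", "UserAgent": "Mozilla/5.0 (constructed)",
    "BrowserAccept": "text/html", "CardholderName": "Test Cardholder",
    "Email": "holder@example.com", "HomePhone": "210-3288000",
    "MobilePhone": "+30-6972222222",
}
for prefix in ("BillAddr", "ShipAddr"):
    # City is the Greek spelling of Athens, written with escapes.
    SAMPLE.update({prefix + "City": "\u0391\u03b8\u03ae\u03bd\u03b1", prefix + "Country": "300",
                   prefix + "Line1": "Amerikis 4", prefix + "PostCode": "105 64"})
```

A value that encode_md had to Base64-encode must be decoded again when it comes back in the POST to the TermURL, so the caller needs to record which form it sent.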
                            RESPONSE PARAMETERS
Parameter name               Description                                    Type
AcquirerID (M)               The AcquirerID value sent with the request     String
MerchantID (M)               The MerchantID value sent with the request     Integer
User (M)                     The User value sent with the request           String (up to 50 characters)
RequestType (M)              The RequestType value sent with the request    String
ResultCode (M)               The request result code indicating whether a   Integer
                             technical issue occurred during the call.
                             Specifically:
                               - Value = 0: No issue occurred and the
                                 remaining parameters have information on
                                 the 3D Secure process carried out.
                             Note:
                             It is necessary to save the value, so that it
                             can be used as a reference in the
                             communication with Piraeus Bank, as required.
MerchantReference (M)        The MerchantReference value sent with the      String (up to 50 characters)
                             request.
MdStatus (C)                 Unless there is some technical problem         String
                             (ResultCode=0), it contains information on
                             the call outcome during execution of the 3D
                             Secure process. The actions which should
                             follow in order for the process to be
                             completed depend on this value (see diagram
                             below). The possible values are:
                               0: Not authenticated
                               1: Fully authenticated
                               2: Not enrolled
                               3: Not enrolled cache (not used any more)
                               4: Attempt
                               5: U received
                               6: Error received (from Directory or ACS
                                  server)
                               9: Pending
                               50: Interim status during the execution of
                                   3D Secure (see diagram below)
                               80: Skip device case
                               91: Network error
                               92: Directory error (read timeout)
                               93: Configuration error
                               94: Merchant input error
                               95: No directory found for PAN/cardtype
                               96: No version 2 directory found for
                                   PAN/cardtype
                               99: System error
PAResVerifed (C)           Indicates whether signature verification String
                           during messaging for the execution of the
                           3D Secure process was successful or not.
                           Potential values: True/False. This is an
                           informative field and its value is not used
                           anywhere.
Protocol (C)               Authentication   protocol  version   used String
                           during authentication. Possible values: 1
                           and 2. Its value should be included when
                           Transaction Web Service is called for the
                           execution of the transaction (Protocol
                           parameter)
TDSMethodContent (C)       Raw HTML for browser rendering. May     String
                           contain a value when
                           RequestType=EnrollmentRequestInit (see
                           diagram below)
RedirectToACSFormData      Raw HTML for browser rendering. It may  String
(C)                        contain a value when
                           RequestType=EnrollmentRequestInit or
                           RequestType=EnrollmentRequestContinue
                           (see diagram below)
DsTransID (C)              Directory server transaction id. Its value String
                           should be included when Transaction Web
                           Service is called for the execution of the
                           transaction (DsTransID parameter)
  The following diagram shows the algorithm for executing the 3D Secure process,
  followed by a text describing the process and the required calls.
         Caution!
 2.1 If it is not 0, this means that a technical issue has occurred and the
     company will decide whether to send the transaction or not (*).
             If it is not 0, this means that a technical issue has occurred and the
             company will decide whether to send the transaction or not (*).
        • If mdStatus=0 (unsuccessful authentication), no transaction is
          sent and an informative message is displayed to the user.
 If mdStatus=50, then:
o If mdStatus=1, 2, 3 or 4, the transaction is sent using the
  Transaction Web Service. Caution: the values of the Eci,
  Cavv, Xid, protocol and dsTransID parameters returned in
  the 3D Secure wrapper response should be sent, and the
  same MerchantReference should be used.
      o RequestType= PAResValidationRequest
      o MerchantReference: the value which had been
        used in the first 3D Secure wrapper call
      o pares: the value of the pares parameter sent to
        TermURL, or cres: the value of the cres parameter
        sent to TermURL (one of the two parameters will be
        sent to TermURL)
                   − If mdStatus=1, 2, 3 or 4, the transaction is sent
                     using the Transaction Web Service. Caution: the
                     values of the Eci, Cavv, Xid, protocol and
                     dsTransID parameters returned in the 3D Secure
                     wrapper response should be sent, and the same
                     MerchantReference should be used.
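The mdStatus handling described above, as an added Python example that is not part of the original guide or of Piraeus Bank's code. It assumes the wrapper response has already been parsed into a dict keyed by the field names listed earlier; the function name, the action labels and the UNHANDLED default for statuses the text gives no rule for are assumptions of this example.

```python
from dataclasses import dataclass, field

# mdStatus values for which the guide says the transaction is sent.
SEND_STATUSES = {"1", "2", "3", "4"}
# Wrapper response values the guide says must accompany the transaction.
FORWARDED_FIELDS = ("Eci", "Cavv", "Xid", "Protocol", "DsTransID")


@dataclass
class Decision:
    action: str  # SEND | CONTINUE_3DS | DECLINE | MERCHANT_POLICY | UNHANDLED
    reason: str
    transaction_params: dict = field(default_factory=dict)


def decide(response: dict, merchant_reference: str) -> Decision:
    """Map one 3D Secure wrapper response to the next step.

    response: hypothetical dict of the wrapper's output fields, as parsed
              from the server-to-server reply (never from browser input).
    merchant_reference: the value used in the first wrapper call, read
              from the merchant's own order record (assumption).
    """
    # ResultCode other than 0 is a technical issue; MdStatus is then not
    # meaningful and the company decides whether to send the transaction.
    if str(response.get("ResultCode", "")).strip() != "0":
        return Decision("MERCHANT_POLICY", "technical issue (ResultCode is not 0)")

    md_status = str(response.get("MdStatus", "")).strip()
    if md_status == "0":
        return Decision("DECLINE", "not authenticated; show a message to the user")
    if md_status == "50":
        return Decision("CONTINUE_3DS", "interim status; 3D Secure still in progress")
    if md_status in SEND_STATUSES:
        params = {"MerchantReference": merchant_reference}
        for name in FORWARDED_FIELDS:
            value = response.get(name)
            if value:  # conditional (C) fields may be absent or empty
                params[name] = value
        return Decision("SEND", "mdStatus=" + md_status, params)
    # Assumption: statuses the text above gives no rule for are never sent
    # automatically by this example; they need an explicit rule first.
    return Decision("UNHANDLED", "no rule for mdStatus=" + repr(md_status))


# Constructed sample response (not real data).
SAMPLE = {"ResultCode": "0", "MdStatus": "1", "Eci": "05", "Cavv": "Q09OU1RSVUNURUQ=",
          "Xid": "", "Protocol": "2", "DsTransID": "00000000-0000-0000-0000-000000000000"}

if __name__ == "__main__":
    print(decide(SAMPLE, "ORDER-0001"))
```

Building the Transaction Web Service parameters only from the stored MerchantReference and the wrapper response keeps the authentication values tied to the order they were issued for.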
Caution!
5. 3D-Secure Wrapper Test Cases
Below follows a list of the test cases to be executed in order to check the
implementation of the 3D Secure process. In every test case:
   1) The process described in this document should be performed using the
      details listed below
   2) Depending on the result of the 3D Secure process and provided that the
      transaction is to be sent (see previous Section), the Transaction Web
      Service should be called with the same card details, same Merchant
      Reference, same amount and same currency. Moreover, when the
      Transaction Web Service is called:
        • The CVV2 parameter (for sales and preauthorisations) must have the
          value ‘123’.
        • In preauthorisations, the ExpirePreauth parameter must have the
          value ‘30’.
        • The Installments parameter must have the value ‘0’.
Test Case 1
REQUIRED
       Input parameters:
                     Parameter                            Value
          Currency                             978
          Pan                                  4016000000002
          Expiry if a sale transaction is to   xx01 where xx the last 2
          follow (RequestType=SALE)            digits of a future year
          Expiry if a preauthorisation         xx02 where xx the last 2
          transaction is to follow             digits of a future year
          (RequestType=AUTHORIZE)
    Test Case 2
REQUIRED
     Input parameters:
                   Parameter                         Value
       Currency                             978
       Pan                                  4016000000010
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 3
REQUIRED
     Input parameters:
                  Parameter                         Value
       Currency                             978
       Pan                                  4016000000051
       Code to be entered on the            correct
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 4
REQUIRED
     Input parameters:
                  Parameter                         Value
       Currency                             978
       Pan                                  4016000000051
       Code to be entered on the            delayed
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 5
REQUIRED
     Input parameters:
                  Parameter                         Value
       Currency                             978
       Pan                                  4016000000051
       Code to be entered on the            attempt
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 6
REQUIRED
     Input parameters:
                  Parameter                         Value
       Currency                             978
       Pan                                  4016000000051
       Code to be entered on the            cancel
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 7
REQUIRED
     Input parameters:
                  Parameter                         Value
       Currency                             978
       Pan                                  4016000000051
       Code to be entered on the            wrong
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 8
REQUIRED
     Input parameters:
                   Parameter                         Value
       Currency                             978
       Pan                                  4016000000051
       Code to be entered on the            error
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 9
REQUIRED
     Input parameters:
                  Parameter                         Value
       Currency                             978
       Pan                                  4016000000051
       Code to be entered on the            unable
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 10
REQUIRED
     Input parameters:
                  Parameter                          Value
       Currency                             978
       Pan                                  4012000000012003001
       Code to be entered on the            Secret33!
       display (‘Password’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 11
REQUIRED
     Input parameters:
                  Parameter                            Value
       Currency                             978
       Pan                                  4012000000012011046
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 12
REQUIRED
     Input parameters:
                  Parameter                            Value
       Currency                             978
       Pan                                  4012000000012011004
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 13
REQUIRED
     Input parameters:
                  Parameter                            Value
       Currency                             978
       Pan                                  4012000000012011012
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 14
REQUIRED
     Input parameters:
                  Parameter                            Value
       Currency                             978
       Pan                                  4012000000012011020
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 15
REQUIRED
     Input parameters:
                  Parameter                            Value
       Currency                             978
       Pan                                  4012000000012011038
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 16
REQUIRED
     Input parameters:
                   Parameter                        Value
       Currency                             978
       Pan                                  5544330000000003
                                            5544330000000011
       Code to be entered on the            unable
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 17
REQUIRED
     Input parameters:
                  Parameter                            Value
       Currency                             978
       Pan                                  5544330000000029
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 18
REQUIRED
     Input parameters:
                  Parameter                         Value
       Currency                             978
       Pan                                  5544330000000037
       Code to be entered on the            unable
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 19
REQUIRED
     Input parameters:
                  Parameter                            Value
       Currency                             978
       Pan                                  5544330000000045
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 20
REQUIRED
     Input parameters:
                   Parameter                        Value
       Currency                             978
       Pan                                  4016001000019
                                            4016001000035
       Code to be entered on the            unable
       display (‘Challenge’)
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 21
REQUIRED
     Input parameters:
                  Parameter                            Value
       Currency                             978
       Pan                                  4016001000001
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)
    Test Case 22
REQUIRED
     Input parameters:
                  Parameter                            Value
       Currency                             978
       Pan                                  4016001000050
       Expiry if a sale transaction is to   xx01 where xx the last 2
       follow (RequestType=SALE)            digits of a future year
       Expiry if a preauthorisation         xx02 where xx the last 2
       transaction is to follow             digits of a future year
       (RequestType=AUTHORIZE)