
PSD2 under Direct Integration

Table 1: Direct Integration

A1. You submit your transaction registration POST

The following additional fields are available when submitting Direct transaction registration for protocol 4.00 (VPSProtocol:4.00).

Request format

| Name | Mandatory | Format | Max Length | Allowed Values | Description | Request / Response |
|---|---|---|---|---|---|---|
| VPSProtocol | Yes | 0-9, . | 4 chars | 4.00 | This is the version of the protocol you are integrating with. Default or incorrect value is taken to be 3.00 (previous integration with 3DSv1). | Request |
| BrowserJavascriptEnabled | Yes | BOOLEAN | Flag | 0, 1 | Boolean that represents the ability of the cardholder browser to execute JavaScript. 0 = False; 1 = True. | Request |
| BrowserJavaEnabled | Conditional | BOOLEAN | Flag | 0, 1 | Boolean that represents the ability of the cardholder browser to execute Java. Value is returned from the navigator.javaEnabled property. 0 = False; 1 = True. Required if BrowserJavascriptEnabled = 1. | Request |
| BrowserColorDepth | Conditional | 0-9 | 1-2 chars | 1, 4, 8, 15, 16, 24, 32, 48 | Value representing the bit depth of the colour palette for displaying images, in bits per pixel. Obtained from Cardholder browser using the screen.colorDepth property. 1 = 1 bit; 4 = 4 bits; 8 = 8 bits; 15 = 15 bits; 16 = 16 bits; 24 = 24 bits; 32 = 32 bits; 48 = 48 bits. Required if BrowserJavascriptEnabled = 1. | Request |
| BrowserScreenHeight | Conditional | 0-9 | 1-6 chars | | Total height of the Cardholder’s screen in pixels. Value is returned from the screen.height property. Required if BrowserJavascriptEnabled = 1. | Request |
| BrowserScreenWidth | Conditional | 0-9 | 1-6 chars | | Total width of the cardholder’s screen in pixels. Value is returned from the screen.width property. Required if BrowserJavascriptEnabled = 1. | Request |
| BrowserTZ | Conditional | -, +, 0-9 | 1-6 chars | | Time-zone offset in minutes between UTC and the Cardholder browser local time. Note: The offset is positive if the local time zone is behind UTC and negative if it is ahead. Example time zone offset values in minutes: If UTC -5 hours (-300 minutes): 300, +300. If UTC +5 hours (300 minutes): -300. Required if BrowserJavascriptEnabled = 1. | Request |
| BrowserAcceptHeader | Yes | Any | 2048 chars | | Exact content of the HTTP accept headers as sent to the 3DS Requestor from the Cardholder’s browser. | Request |
| BrowserLanguage | Yes | Aa, 0-9, - | 1–8 chars | | Value representing the browser language as defined in IETF BCP47. Returned from navigator.language property. | Request |
| BrowserUserAgent | Yes | Any | 2048 chars | | Exact content of the HTTP user-agent header. | Request |
| ThreeDSNotificationURL | Yes | Aa, á,  /\, &, -, ., , , , 0-9, :, +, (), CR / LF | 256 chars | | Fully qualified URL of the system that receives the CRes message or Error Message and where your customer will be returned once they have completed their challenge. The CRes message is posted by the ACS through the Cardholder browser at the end of the challenge AND once it receives the RRes (Result Response) message from Sage Pay. | Request |
| ChallengeWindowSize | Yes | 0-9 | 2 chars | 01, 02, 03, 04, 05 | Dimensions of the challenge window that has been displayed to the Cardholder. The ACS shall reply with content that is formatted to appropriately render the challenge UI in this window, to provide the best possible user experience. Preconfigured sizes are width x height in pixels of the window displayed in the Cardholder browser window. 01 = 250 x 400; 02 = 390 x 400; 03 = 500 x 600; 04 = 600 x 400; 05 = Full screen. | Request |
| ThreeDSRequestorAuthenticationInfoXML | No | | Object | See A1.1 in Technical Document | Information about how you authenticated the cardholder before or during the transaction. E.g. Did your customer log into their online account on your website, using two-factor authentication, or did they log in as a guest. | Request |
| ThreeDSRequestorPriorAuthenticationInfoXML | No | | Object | See A1.2 in Technical Document | Information about how you authenticated the cardholder as part of a previous 3DS transaction. E.g. Were they authenticated via frictionless authentication or did a cardholder challenge occur. | Request |
| AcctInfoXML | No | | Object | See A1.3 in Technical Document | Additional information about the Cardholder’s account that has been provided by you. E.g. How long has the cardholder had the account on your website. | Request |
| AcctID | No | Any | 64 chars | | The account ID, if applicable, of your customer’s account on your website. | Request |
| MerchantRiskIndicatorXML | No | | Object | See A1.4 in Technical Document | Merchant’s assessment of the level of fraud risk for the specific authentication for both the cardholder and the authentication being conducted. E.g. Are you shipping goods to the cardholder’s billing address, is this a first-time order or reorder. | Request |
| TransType | No | 0-9 | 2 chars | 01, 03, 10, 11, 28 | Identifies the type of transaction being authenticated. 01 = Goods/ Service Purchase; 03 = Check Acceptance; 10 = Account Funding; 11 = Quasi-Cash Transaction; 28 = Prepaid Activation and Load. Values derived from the 8583 ISO Standard. | Request |
| ClientIPAddress | No | 0-9, . | 15 chars | | The IP address of the client connecting to your server making the payment as returned by the HTTP headers. This should be a full IP address which you can obtain from your server scripts. We will attempt to Geolocate the IP address in your reports and fraud screening. It is strongly recommended that this is provided for 3D-Secure Authentication, unless regional laws mandate otherwise. | Request |
| CReq | Yes | BASE64 | 7500 chars | | A Base64 encoded, encrypted message to be passed to the Issuing Bank as part of the 3D-Authentication. This replaces the PAReq. When forwarding the CReq to the ACSURL, pass it in a field called creq (note the lower case ‘cr’). This avoids issues at the ACS which expects the fieldname to be all lowercase. | Response |
| CRes | Yes | BASE64 | 7500 chars | | A Base64 encoded, encrypted message sent back by Issuing Bank to your Terminal URL at the end of the 3D-Authentication process. This field must be passed back to Direct along with the MD field to allow the Sage Pay MPI to decode the result. You will receive this value back from the Issuing Bank in a field called cres (lower case ‘cr’), but should be passed to Sage Pay as CRes (uppercase ‘CR’). | Response from ACS, Request to Sage Pay |
| VPSTxId | Yes | Aa, 0-9, -, {} | 38 chars | | The Sage Pay ID to uniquely identify the transaction on our system. This replaces the MD for the 3D-Authentication attempt. This must match the VPSTxId value passed back to you with the CReq, in response to your transaction registration POST. | Response and Request |

 

Note: If browserJavascriptEnabled is ‘true’, then all of the conditional browser fields will be required.
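
The browser fields above are gathered on the cardholder's device, so your server should treat them as untrusted input and check them against the table before placing them in the registration POST. The following is an added example, not Sage Pay code: the function names collectBrowserFields and validateBrowserFields are hypothetical, and the patterns are one reading of the Format, Max Length and Allowed Values columns.

```javascript
// Added example, not Sage Pay code. Function names are hypothetical.
// Each rule: [Mandatory column, pattern built from Format / Max Length / Allowed Values].
const RULES = {
  BrowserJavascriptEnabled: ["Yes", /^[01]$/],
  BrowserJavaEnabled: ["Conditional", /^[01]$/],
  BrowserColorDepth: ["Conditional", /^(1|4|8|15|16|24|32|48)$/],
  BrowserScreenHeight: ["Conditional", /^[0-9]{1,6}$/],
  BrowserScreenWidth: ["Conditional", /^[0-9]{1,6}$/],
  BrowserTZ: ["Conditional", /^(?=.{1,6}$)[-+]?[0-9]+$/],
  BrowserAcceptHeader: ["Yes", /^[\s\S]{1,2048}$/],
  BrowserLanguage: ["Yes", /^[A-Za-z0-9-]{1,8}$/],
  BrowserUserAgent: ["Yes", /^[\s\S]{1,2048}$/],
};

// Browser side: `win` is the window object, `now` a Date (both injectable for testing).
function collectBrowserFields(win, now = new Date()) {
  return {
    BrowserJavascriptEnabled: "1", // this script running shows JavaScript is enabled
    BrowserJavaEnabled: win.navigator.javaEnabled() ? "1" : "0",
    BrowserColorDepth: String(win.screen.colorDepth),
    BrowserScreenHeight: String(win.screen.height),
    BrowserScreenWidth: String(win.screen.width),
    // getTimezoneOffset() is already positive behind UTC and negative ahead of it
    BrowserTZ: String(now.getTimezoneOffset()),
    BrowserLanguage: win.navigator.language,
  };
}

// Server side: the collected values arrive from the client and are untrusted.
// Returns a list of problems; an empty list means the fields fit the table.
function validateBrowserFields(fields) {
  const jsOn = fields.BrowserJavascriptEnabled === "1";
  const errors = [];
  for (const [name, [mandatory, pattern]] of Object.entries(RULES)) {
    const value = fields[name];
    const required = mandatory === "Yes" || (mandatory === "Conditional" && jsOn);
    if (value === undefined || value === "") {
      if (required) errors.push(`${name}: missing`);
    } else if (typeof value !== "string" || !pattern.test(value)) {
      errors.push(`${name}: does not match documented format`);
    }
  }
  return errors;
}
```

BrowserAcceptHeader and BrowserUserAgent are not collected in the browser; take them from the HTTP request your server received and add them to the object before validating.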