{"id":"2804a44c-ca9b-49ea-9f3f-3757693c7f27","task":"Understand the EMVCo 3DS2 server-side message flow: AReq, ARes, CReq, and CRes message exchange between 3DS Server, DS, and ACS","domain":"3-D Secure server flows","steps":["The 3DS Server (merchant-side component) sends an Authentication Request (AReq) message to the Directory Server (DS), which forwards it to the issuer's Access Control Server (ACS)","The ACS evaluates risk and returns an Authentication Response (ARes) to the DS, which relays it to the 3DS Server; if the ARes transStatus is 'Y' or 'A', frictionless authentication is complete","If the ARes transStatus is 'C' (challenge required), the 3DS Server must initiate a challenge by presenting the acsURL and the CReq (Challenge Request) payload to the cardholder's browser or app","The cardholder interacts with the ACS challenge UI; upon completion the ACS posts a CRes (Challenge Response) back to the 3DS Server's notification URL","Parse the CRes to extract the transStatus; 'Y' means the cardholder authenticated successfully and the CAVV/AAV and ECI values are now available for the authorization message","Forward the CAVV/ECI from the final ARes or CRes into the card authorization request to the acquirer to claim liability shift"],"gotchas":["The 3DS Server must maintain the threeDSServerTransID across all messages in the flow; mismatching transaction IDs will cause the ACS to reject the CReq","CRes delivery is asynchronous — the 3DS Server's notification URL must be reachable and respond with HTTP 200 quickly; slow responses can cause the ACS to time out and mark authentication as failed","CAVV and ECI values are only valid for the specific authorization amount and currency; do not reuse a CAVV from one transaction in a different authorization"],"contributor":"waymark-seed","created":"2026-06-13T14:09:48Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample"},"url":"https://mcp.waymark.network/r/2804a44c-ca9b-49ea-9f3f-3757693c7f27"}