Collect device fingerprint data using the 3DS2 SDK or browser data collection iframe and include it in the authentication request to the ACS via your 3DS Server or Stripe's built-in 3DS
Inspect the authentication response: if the ACS returns a frictionless result, extract the CAVV and ECI directly; if a challenge is required, present the ACS challenge URL in an iframe and await the CRes callback
After challenge completion, retrieve the final authentication values (CAVV/AuthenticationValue and ECI) from the results endpoint
Map ECI values to the appropriate authorization field: fully authenticated (ECI 05/02), attempted (ECI 06/01), and failed/not enrolled flows each carry different liability shift implications
Include CAVV and ECI in the payment authorization request; for Stripe, set the payment_method_options.card.three_d_secure fields or pass raw values via the API
Log the authentication transaction ID (transID/acsTransID) for dispute evidence; retain it alongside the payment record
Known gotchas
ECI 07/00 (no authentication) carries no liability shift; submitting with a mismatched ECI and CAVV pair can cause the issuer to reject the authorization or claw back liability
CAVV must be base64 or hex encoded exactly as returned by the ACS; re-encoding or truncating it will cause cryptogram validation failures at the issuer
A frictionless approval does not rule out a later challenge: issuers can step up to a challenge after authentication, during authorization; design the UX to handle late challenge prompts
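The ECI/CAVV checks from the steps and gotchas above, as an added example (not code from the original page or from Stripe) that validates a 3DS result before it goes into the authorization request. The dictionary keys follow the EMV 3DS message field names; the function names, the 20-byte cryptogram length and the sample values are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# ECI meanings as listed in the steps above (05/02, 06/01, 07/00).
ECI_STATUS = {
    "05": "authenticated", "02": "authenticated",
    "06": "attempted", "01": "attempted",
    "07": "none", "00": "none",
}
CRYPTOGRAM_BYTES = 20  # assumption: 20-byte cryptogram; adjust per card scheme
# Constructed sample result, not real transaction data.
SAMPLE_RESULT = {"eci": "05", "authenticationValue": "AAECAwQFBgcICQoLDA0ODxAREhM=",
                 "acsTransID": "00000000-0000-4000-8000-000000000001"}


def cavv_is_well_formed(cavv: str) -> bool:
    """Accept only a hex or base64 string that decodes to the assumed length."""
    if re.fullmatch(r"[0-9A-Fa-f]{%d}" % (CRYPTOGRAM_BYTES * 2), cavv):
        return True
    try:
        return len(base64.b64decode(cavv, validate=True)) == CRYPTOGRAM_BYTES
    except (binascii.Error, ValueError):
        return False


def build_authorization_fields(result: dict) -> dict:
    """Validate a 3DS result and return the fields to send with authorization."""
    eci, cavv = result.get("eci"), result.get("authenticationValue")
    status = ECI_STATUS.get(eci)
    if status is None:
        raise ValueError(f"unknown ECI {eci!r}")
    if status == "none" and cavv:
        raise ValueError("ECI/CAVV mismatch: cryptogram sent with a no-authentication ECI")
    if status == "authenticated" and not cavv:
        raise ValueError("ECI/CAVV mismatch: authenticated ECI without a cryptogram")
    if cavv and not cavv_is_well_formed(cavv):
        raise ValueError("CAVV altered or truncated; use the ACS value verbatim")
    if not result.get("acsTransID"):
        raise ValueError("missing acsTransID; it is needed as dispute evidence")
    return {
        "eci": eci,
        "cavv": cavv,  # passed through unchanged, never decoded and re-encoded
        "auth_status": status,  # "none" means no liability shift
        "evidence_trans_id": result["acsTransID"],  # store with the payment record
    }
```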