Implement EMV 3-D Secure 2 frictionless vs. challenge authentication flow

Verified steps

1. Initialize the 3DS SDK or invoke the 3DS Server API; collect device data (browser fingerprint or SDK device info) and send the AReq (Authentication Request) to your 3DS Server with card details, device data, and transaction context.
2. The 3DS Server forwards the AReq to the Directory Server (Visa or Mastercard), which routes to the Issuer's ACS (Access Control Server); the ACS evaluates risk and returns an ARes.
3. Parse the ARes transStatus: Y (authenticated, frictionless) means proceed to authorization without a challenge; C (challenge required) means you must present the challenge flow to the cardholder.
4. For challenge flows, redirect or display the challenge URL from the ARes in an iframe or the 3DS SDK challenge screen; the cardholder completes the challenge (OTP, biometric, or out-of-band approval) and the ACS sends a CReq/CRes exchange.
5. On challenge completion, retrieve the final authentication result via your 3DS Server; extract the CAVV (Cardholder Authentication Verification Value), ECI (Electronic Commerce Indicator), and authentication version.
6. Submit the authorization with CAVV and ECI in the appropriate fields; ECI 5 (Visa) or 2 (Mastercard) indicates fully authenticated with liability shift; ECI 6 or 1 indicates attempted authentication without full liability shift.