Device Data

The card issuer uses Device Data Collection (DDC) to fingerprint the customer's device.

Along with the risk data in the authentication request, it's used to decide if a challenge is needed or if the authentication can be frictionless (no challenge displayed to your customer).

Important

Invoke this process immediately upon the customer providing their payment credentials. This ensures that device data collection processes asynchronously behind the scenes as the customer completes the remaining checkout process. If a customer changes their card number after the device data collection process is started or completed, re-execute the entire DDC process.

Device data initialization

POST your device data initialization request to the 3ds:deviceDataInitialize action link.

This request creates a JSON Web Token (JWT) that is used as part of the Device Data Collection (DDC) form. The DDC form also requires the first six digits of your customer's card number (BIN). The BIN can be returned if a token resource is provided, see JWT + BIN (token) request.

For consistency of integration you can also provide the full card number JWT + BIN (card). It will be truncated to become the BIN in the response.

Device data initialization example request

POST https://try.access.worldpay.com/verifications/customers/3ds/deviceDataInitialization

{
    "transactionReference": "Memory265-13/08/1876",
    "merchant": {
        "entity": "default"
    }
}

{
    "transactionReference": "Memory265-13/08/1876",
    "merchant": {
        "entity": "MindPalaceLtd"
    },
    "paymentInstrument": {
        "type": "card/tokenized",
        "href": "https://try.access.worldpay.com/tokens/MTIzNDU2Nzg5MDEyMzQ1Ng"
    }
}

{
    "transactionReference": "unique-transactionReference",
    "merchant": {
        "entity": "default"
    },
    "paymentInstrument": {
        "type": "card/front",
        "cardHolderName": "John Appleseed",
        "cardNumber": "4444333322221111",
        "cardExpiryDate": {
            "month": 5,
            "year": 2035
        }
    }
}

Parameter

Mandatory

Description

transactionReference

A unique reference for device data JWT request. for example, e-commerce order code. Use the same transactionReference across all 3 potential request types (deviceDataInitialization, authentication, verification).

merchant.entity

Used to route the request in Access Worldpay, created as part of on-boarding.

paymentInstrument.type

An identifier for the paymentInstrument being used. type : card/front

See JWT + BIN (card) above

type : card/tokenized

See JWT + BIN (token) above

Device data initialization response

Best Practice

Access Worldpay returns a WP-CorrelationId in the headers of service responses. We highly recommend you log this. The WP-CorrelationId is used by us to examine individual service requests.

To understand what these outcomes mean and how to reproduce them for testing purposes see 3DS testing

{
    "outcome": "initialized",
    "transactionReference": "Memory265-13/08/1876",
    "deviceDataCollection": {
        "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJPcmdVbml0SWQiOiJPcmdVbml0IiwiaXNzIjoiYXBpSWQiLCJleHAiOjE1NjI5MjMzNDYsImlhdCI6MTU2MjkyMzQwNiwianRpIjoiYTAzMWVhOGEtN2E0Zi00YTQwLWI1NjMtOTUzMzYzMzVhZGNmIn0.0IK74OIXBxFsxqeOURJz1TFnz14ZTbFJTdTWo9cHUJQ",
        "url": "https://ddcUrl.example.com",
        "bin": "555555"
    },
    "_links": {
        "3ds:authenticate": {
            "href": "https://try.access.worldpay.com/verifications/customers/3ds/authentication"
        },
        "curies": [{
            "href": "https://try.access.worldpay.com/rels/verifications/customers/3ds/{rel}",
            "templated": true,
            "name": "3ds"
        }]
    }
}

Parameter

Description

deviceDataCollection.jwt

A digitally signed token that contains additional details required for DDC. Expires in 10 minutes for both Try and Production.

deviceDataCollection.url

A POST action on the DDC form. Used to redirect to the issuers DDC page.

deviceDataCollection.bin

First six digits of the card number (Bank Identification Number), used as part of DDC. Returned if a token resource or card number is included in the request.

Device Data Collection (DDC)

Once you have the JWT, URL and BIN you can create and submit the DDC form.

A SessionId representing this collection is then used as part of the risk analysis by the issuer in the authentication request.

Device Data Collection form

Here's an example of how you would set-up the DDC form in an iframe.

Create a hidden iframe and set the src attribute with the URL of the page that will POST the DDC form. This URL should contain in query string parameters the deviceDataCollection.jwt, deviceDataCollection.bin and deviceDataCollection.url as those will be used in the DDC form.

<iframe height="1" width="1" style="display: none;" src="replace-this-with-the-url-of-your-page-that-posts-the-ddc-form"></iframe>

Create and host the page that POSTs the DDC form.

<html>
<head>
</head>
<body>
<!-- Using your preferred programming language, set the 'action' attribute with the value of the query string parameter containing the 'deviceDataCollection.url' from the device data initialization response -->
<form id="collectionForm" name="devicedata" method="POST" action="https://ddcUrl.example.com">

<!-- Using your preferred programming language, set the 'value' attribute with the value of the query string parameter containing the 'deviceDataCollection.bin' from the device data initialization response -->
<input type="hidden" name="Bin" value="555555" />


<!-- Using your preferred programming language, set the 'value' attribute with the value of the query string parameter containing the 'deviceDataCollection.jwt' from the device data initialization response -->

 <input type="hidden" name="JWT" value="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJPcmdVbml0SWQiOiJPcmdVbml0IiwiaXNzIjoiYXBpSWQiLCJleHAiOjE1NjI5MjMzNDYsImlhdCI6MTU2MjkyMzQwNiwianRpIjoiYTAzMWVhOGEtN2E0Zi00YTQwLWI1NjMtOTUzMzYzMzVhZGNmIn0.0IK74OIXBxFsxqeOURJz1TFnz14ZTbFJTdTWo9cHUJQ" />

</form>

<script>
window.onload = function() {
  document.getElementById('collectionForm').submit();
 }
</script>
</body>
</html>

Device Data Collection postMessage

Once the DDC form is submitted and is successfully sent to the card issuer, you are notified via a postMessage event.

For security, verify the sender's identity using the postMessage origin property as detailed here.

Environment

Origin

Try

https://centinelapistag.cardinalcommerce.com

Production

https://centinelapi.cardinalcommerce.com

An example postMessage response:

{
  "MessageType": "profile.completed",
  "SessionId": "0_3XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX6b5",
  "Status": true
}

Key

Value

messageType

profile.completed

SessionId

UUID, not present or undefined

Status

true - Use the SessionId value in deviceData.collectionReference as part of the Authentication request
false - SessionId is empty. Either retry DDC or send the authentication request without the deviceData.collectionReference.

The DDC call typically takes 1-2 seconds, depending on the latency between the customer's device, the Cardinal servers and, in part, the type of device data collection performed by the different issuers. The 3DS specification has the maximum response time at 10 seconds.

PreviousCreate sessions to pay with a card and CVC NextChallenge display & Verification

Last updated 1 year ago