Q: What messages are used in a 3DS2 transaction?
Answer: 


(The message are arranged in sequence)


1. AReq (Authentication Request Message):

Sent by: 3DS Server

Routed through: Directory Server (DS)

Received by: Access Control Server (ACS)


The AReq message is the initial authentication request in the 3-D Secure 2 flow. It is created by the 3DS Server and contains necessary transactional information. The DS routes it to the appropriate ACS for authentication decision-making.


2. ARes (Authentication Response Message):

Sent by: Access Control Server (ACS)

Routed through: Directory Server (DS)

Received by: 3DS Server (3DSS)


The ARes message is the response from the Issuer’s ACS to the AReq. It provides the result of the initial authentication evaluation. The message may indicate that the cardholder has been successfully authenticated, that no authentication (such as frictionless) is required, or that additional cardholder interaction (such as a challenge) is necessary to complete the authentication process.


3. CReq (Challenge Request Message):

Sent by: 3DS Server (3DSS) 

Routed through: -

Received by: Access Control Server (ACS)


The CReq message is used to initiate and continue interactive authentication between the cardholder and the issuer. It carries data needed for the challenge (like OTP input or biometric confirmation) and supports multi-step exchanges when necessary.


Note:- This message is not used in Frictionless Flows, due to the authentication is not required.


4. RReq (Results Request Message):

Sent by: Access Control Server (ACS)

Routed through: Directory Server (DS)

Received by: 3DS Server (3DSS)


The RReq message is used to communicate the final result of the authentication or verification process from the Issuer’s ACS to the 3DS Server. It is typically sent after a Challenge Flow has been completed, confirming whether the cardholder was successfully authenticated or if the attempt failed.


Note:- This message is not used in Frictionless Flows, where the authentication result is already provided in the ARes.


5. RRes (Results Response Message)

Sent by: 3DS Server (3DSS)

Routed through: Directory Server (DS)

Received by: Access Control Server (ACS)


The RRes message is the final response from the 3DS Server to the ACS, sent after receiving an RReq. It serves as an acknowledgment that the 3DS Server has received and processed the result of the authentication or challenge.

It ensures that the ACS knows the authentication result has been successfully delivered to the 3DS Server, completing the message exchange in the Challenge Flow.


6. CRes (Challenge Response Message)

Sent by: Access Control Server (ACS)  

Routed through: -

Received by: 3DS Server (3DSS)


The CRes message is issued by the ACS in reply to a CReq message during the Challenge Flow. It provides feedback on the progress or result of the cardholder challenge, guiding the next step or confirming authentication success or failure.