In general, there are three possible categories of transactions (combinations of Merchant and cardholder status with respect to 3D Secure), and for each category there is a PA response as follows:
1) Merchant not Registered ? Merchant is not 3D Secure enabled thus doesn?t have the plug-in to support it. No messages are transferred between RSA ACS (Access Control Server), Visa/MC Directory Server and Merchant (There are no Verify Enrollment, Payment Authentication messages).
2) Merchant Registered & Cardholder is not Registered
Stage 1 ? Verify Enrollment:
If the cardholder is not registered but eligible for 3D Secure service, then during shopping at a 3D Secure enabled site, the merchant will ask via Visa or MC Directory server if the cardholder is enrolled to Issuer?s ACS by sending Verify Enrollment Request. RSA ACS will return VE response = Y and Merchant redirect the cardholder browser to registration for 3D Secure service.
Stage 2 ? Payment Authentication:
There are 2 options for the work flow of the cardholder:
a) If the cardholder opts out, RSA ACS will send PA response of A (Attempt) to the Merchant.
The response also contains the UCAF (MC) / CAVV Value (Visa). This is proof that the message is authentic and merchant tried to perform 3D Secure transaction by authenticating the cardholder.
b) If the cardholder registers successfully, RSA ACS sends PA response = Y (Successful authentication) to the Merchant.
The response also contains the UCAF (MC) / CAVV Value (Visa). This is proof that the message is authentic and not tampered with by a fraudster.
3) Merchant Registered & Cardholder is Registered
Stage 1 ? Verify Enrollment:
After registering to 3D Secure and upon subsequent shopping at 3D Secure enabled site, the Merchant will ask via Visa or MC directory server if cardholder is enrolled to Issuer?s ACS by sending Verify Enrollment Request. RSA ACS will return VE response = Y and Merchant redirect the cardholder's browser to authenticate as part of 3D Secure service, that is sign a receipt by entering the 3D Secure Password that was chosen during registration process.
Stage 2 ? Payment Authentication:
There are 2 options for the work flow of the cardholder:
a) If the cardholder enters correct PW, RSA ACS will send PA response Y (Successful authentication) to the Merchant.
The response also contains the UCAF (MC) / CAVV Value (Visa), serving as proof that the message is authentic
b) If the cardholder doesn?t authenticate successfully, RSA ACS send PA response = N to Merchant.
The response does not contain the UCAF (MC) / CAVV Value (Visa)After 3D Secure process was completed, merchant saves the receipt and performs the regular authorization process.
Related Articles
RSA Governance & Lifecycle Recipes: Chart - AD Orphan Account Summary Number of Views RSA Governance & Lifecycle Recipes: Telemetry Chart - Total Collectors Number of Views RSA Governance & Lifecycle Recipes: Chart - AD User Account Control Summary Number of Views AFX: Provisioning access to users sporadically fails yet CRs show100 percent fulfilled in RSA Identity Governance & Lifecycle Number of Views Palo Alto PA Series Firewall version 7.x prompts for passcode twice (back to back) while doing authentication from global … Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Release Notes for RSA Authentication Manager 8.8 RSA Authentication Manager 8.9 Release Notes (January 2026) Supported On-Demand Authentication (ODA) SMS providers for use with RSA Authentication Manager 8.x Deploying RSA Authenticator 6.2.2 for Windows Using DISM
