Important We have released a new version. Documentation for our latest version can be found [here](/products/3ds/). **Last updated**: 22 April 2025 | [**Change log**](/products/3ds/changelog/) # Device Data The card issuer uses Device Data Collection (DDC) to fingerprint the customer's device. Along with the risk data in the [authentication](/products/3ds/v2/web/authentication) request, it's used to decide if a [challenge](/products/3ds/v2/web/challenge-verification) is needed or if the authentication can be frictionless (no challenge displayed to your customer). This step is required for the authentication to use 3DS2. ## Device data initialization `POST` your device data initialization request to the `3ds:deviceDataInitialize` action link. This request creates a JSON Web Token (JWT) that is used as part of the Device Data Collection (DDC) form. The DDC form also requires the first six digits of your customer's card number (BIN). The BIN can be returned if a token resource is provided, see `JWT + BIN (token)` request. For consistency of integration you can also provide the full card number `JWT + BIN (card)`. It will be truncated to become the BIN in the response. ## Device data initialization example request POST `https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/deviceDataInitialization` JWT only { "transactionReference": "unique-transactionReference", "merchant": { "entity": "default" } } JWT + BIN (token) { "transactionReference": "unique-transactionReference", "merchant": { "entity": "default" }, "paymentInstrument": { "type": "card/tokenized", "href": "https://try.access.worldpay-bsh.securedataplatform.com/tokens/MTIzNDU2Nzg5MDEyMzQ1Ng" } } JWT + BIN (card) { "transactionReference": "unique-transactionReference", "merchant": { "entity": "default" }, "paymentInstrument": { "type": "card/front", "cardHolderName": "Sherlock Holmes", "cardNumber": "4444333322221111", "cardExpiryDate": { "month": 5, "year": 2035 } } } | Parameter | Mandatory | Description | | --- | --- | --- | | `transactionReference` | ✅ | A unique reference for device data JWT request. for example, e-commerce order code. | | `merchant.entity` | ✅ | Used to route the request in Access Worldpay, created as part of on-boarding. | | `paymentInstrument.type` | ❌ | An identifier for the `paymentInstrument` being used.`type` : `card/front` See [JWT + BIN (card)](#device-data-initialization-example-request) above`type` : `card/tokenized` See [JWT + BIN (token)](#device-data-initialization-example-request) above | ### Device data initialization response To understand what these outcomes mean and how to reproduce them for testing purposes see [3DS testing](/products/3ds/v2/testing) { "outcome": "initialized", "transactionReference": "unique-transactionReference", "deviceDataCollection": { "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJPcmdVbml0SWQiOiJPcmdVbml0IiwiaXNzIjoiYXBpSWQiLCJleHAiOjE1NjI5MjMzNDYsImlhdCI6MTU2MjkyMzQwNiwianRpIjoiYTAzMWVhOGEtN2E0Zi00YTQwLWI1NjMtOTUzMzYzMzVhZGNmIn0.0IK74OIXBxFsxqeOURJz1TFnz14ZTbFJTdTWo9cHUJQ", "url": "https://ddcUrl.example.com", "bin": "555555" }, "_links": { "3ds:authenticate": { "href": "https://try.access.worldpay-bsh.securedataplatform.com/verifications/customers/3ds/authentication" }, "curies": [{ "href": "https://try.access.worldpay-bsh.securedataplatform.com/rels/verifications/customers/3ds/{rel}", "templated": true, "name": "3ds" }] } } | Parameter | Description | | --- | --- | | `deviceDataCollection.jwt` | A digitally signed token that contains additional details required for DDC. Expires in 10 minutes for both Try and Production. | | `deviceDataCollection.url` | A `POST` action on the DDC form. Used to redirect to the issuers DDC page. | | `deviceDataCollection.bin` | First six digits of the card number (Bank Identification Number), used as part of DDC. Returned if a token resource or card number is included in the request. | Note In case of an error, you can get further information in our [error reference](/products/reference/worldpay-error-responses). ### Device Data Collection (DDC) Once you have the `JWT` and `BIN` you can create and submit the DDC form. Create an iframe with an automatic form post in order for the issuer to collect the customer's browser device data (fingerprint). A `SessionId` representing this collection is then used as part of the risk analysis by the issuer in the [authentication request](/products/3ds/v2/web/authentication). ### Device Data Collection form Here's an example of how you would set-up the DDC form in an iframe. ``` ``` ### Device Data Collection postMessage Once the DDC form is submitted and is successfully sent to the card issuer, you are notified via a [postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) event. For security, verify the sender's identity using the postMessage `origin` property as detailed [here](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage). | Environment | Origin | | --- | --- | | Try | https://secure-test.worldpay-bsh.securedataplatform.com/ | | Production | https://centinelapi.cardinalcommerce.com | An example postMessage response: ``` { "MessageType": "profile.completed", "SessionId": "0_3XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX6b5", "Status": true } ``` | Key | Value | | --- | --- | | `messageType` | `profile.completed` | | `SessionId` | UUID, not present or `undefined` | | `Status` | `true` - Use the `SessionId` value in `deviceData.collectionReference` as part of the [Authentication request](/products/3ds/v2/web/authentication)false - SessionId is empty. Either retry DDC or send the authentication request without the `deviceData.collectionReference`. This downgrades the authentication to 3DS1. | Note If no postMessage is provided either retry DDC or send the [Authentication request](/products/3ds/v2/web/authentication) without the `deviceData.collectionReference`. This downgrades the authentication to 3DS1. **Next steps** [Authentication](/products/3ds/v2/web/authentication)