Error Codes

The following snippet gives an overview of the errors detected and reported by the 3DS Server when handling 3DS 1.0 / Union Pay transactions. An error code is defined for every error. When the 3DS Server detects an error, it logs the error together with its error code in the application log.

/**
 * Error code used to denote a missing value in the MPI web-service input (e.g. no PAN passed).
 */
MISSING_INPUT_VALUE_ERROR             (hasCode("INP-MISS")),
 
/**
 * Error code used to denote an illegal value in the MPI web-service input (e.g. non-numeric
 * character used in PAN).
 */
ILLEGAL_INPUT_VALUE_ERROR             (hasCode("INP-IV")),
 
/**
 * Error code used to denote a missing value in the response of the Directory Server (VERes) or
 * the response of the ACS (PARes). I.e. a required value is absent or empty.
 */
MISSING_RESPONSE_VALUE_ERROR          (hasCode("RES-MISS")),
 
/**
 * Error code used to denote an illegal value in the response of the Directory Server (VERes) or
 * the response of the ACS (PARes). I.e. a value doesn't conform to the 3-D Secure protocol's
 * format specification.
 */
ILLEGAL_RESPONSE_VALUE_ERROR          (hasCode("RES-IV")),
 
/**
 * Error code used to denote a missing or unrecognized root element in the response returned by
 * the Directory Server.
 */
INVALID_ROOT_ERROR                    (hasCode("RES-ROOT")),
 
/**
 * Error code used to denote an invalid message received from the Directory Server or the ACS (e.g.
 * CRRes received instead of VERes).
 */
INVALID_MESSAGE_ERROR                 (hasCode("RES-MSG")),
 
/**
 * Error code used to denote a critical extension in the response from the Directory Server or the
 * ACS that is not recognized by the MPI.
 */
UNRECOGNIZED_CRITICAL_EXTENSION_ERROR (hasCode("RES-EXT")),
 
/**
 * Error code used to denote an unsupported protocol version in the response from the Directory
 * Server or the ACS.
 */
UNSUPPORTED_PROTOCOL_VERSION_ERROR    (hasCode("RES-VER")),
 
/**
 * Error code used to denote an Error Message response received from the Directory Server or the ACS.
 * Note: The error code will be suffixed with the error code received in the Error Message.
 * I.e. the error code would be ER-3 if the Error Message received contains the error code 3.
 *
 * The following table lists all the 3-D Secure error codes as defined in 3-D Secure protocol specification
 * from VISA.
 *
 *  Error code | Error description
 * -------------------------------
 *      1      | Root element invalid
 *      2      | Message element not a defined message
 *      3      | Required element missing
 *      4      | Critical element not recognized
 *      5      | Format of one or more elements is invalid according to the specification
 *      6      | Protocol version too old
 *     50      | Acquirer not participating
 *     51      | Merchant not participating
 *     52      | Password missing
 *     53      | Incorrect password
 *     58      | Incorrect Common Name value in Client Certificate
 *     98      | Transient system failure
 *     99      | Permanent system failure
 */
ERROR_RESPONSE_ERROR                  (hasCode("ER")),        // with suffix
 
/**
 * Error code used to denote an error converting the response sent by the Directory Server to a
 * 3-D Secure protocol message.
 *
 * NOTE: If an additional Directory Server endpoint is available when this exception is thrown,
 * the MPI will use the retry mechanism to contact the other Directory Server endpoint.
 */
DS_HTTP_MESSAGE_CONVERSION_ERROR      (hasCode("DS-MSG")),
 
/**
 * Error code used to denote an HTTP error code returned while communicating with the Directory
 * Server. Note: The error code will be suffixed with the HTTP status code. I.e. the error code
 * would be DS-HTTP-404 if the HTTP status code returned is 404.
 *
 * NOTE: If an additional Directory Server endpoint is available when this exception is thrown,
 * the MPI will use the retry mechanism to contact the other Directory Server endpoint.
 */
DS_HTTP_STATUS_CODE_ERROR             (hasCode("DS-HTTP")),   // with suffix
 
/**
 * Error code used to denote a timeout while communicating with the Directory Server.
 *
 * NOTE: If an additional Directory Server endpoint is available when this exception is thrown,
 * the MPI will use the retry mechanism to contact the other Directory Server endpoint.
 */
DS_TIMEOUT_ERROR                      (hasCode("DS-TIME")),
 
/**
 * Error code used to denote an uncategorized error while communicating with the Directory Server.
 *
 * Hint #1: Verify that a valid signed non-expired SSL client certificate is being used while connecting to the DS.
 * Hint #2: Verify that a non-expired SSL server certificate is presented by the DS.
 * Hint #3: Enable JSSE (Java Secure Socket Extension) debug output (as described in mpictl.sh) and verify that
 *          there is a common cipher suite supported by both MPI and DS.
 *
 * NOTE: If an additional Directory Server endpoint is available when this exception is thrown,
 * the MPI will use the retry mechanism to contact the other Directory Server endpoint.
 */
DS_REST_CLIENT_ERROR                  (hasCode("DS-REST")),
 
/**
 * Error code used to denote an error while converting the encoded PaRes returned by the ACS to a 3-D
 * Secure protocol message.
 */
PARES_CONVERSION_ERROR                (hasCode("PARES-CONV")),
 
/**
 * Error code used to denote a timeout while waiting for the response from the ACS.
 */
PARES_TIMEOUT_ERROR                   (hasCode("PARES-TIME")),
 
/**
 * Error code used to denote an error accessing the session when validating the PARes (e.g. no
 * such session, session expired or already consumed).
 */
SESSION_ERROR                         (hasCode("SESS")),
 
/**
 * Error code used to denote an error during the validation of certificate(s) of the returned PARes.
 *
 * Hint #1: Verify that a valid non-expired signature validation root certificate is being used.
 * Hint #2: Verify that the SignatureValidationRootCertificate and all its intermediary certificates are not expired.
 * Hint #3: Verify that all the certificates returned in PARes from the ACS are not expired and resolve to a
 *          trust anchor. The certificates can be found inside X509Certificate element in PARes and are in PEM format.
 */
INVALID_SIGNATURE_CERTIFICATE_ERROR   (hasCode("SIG-CRT")),
 
/**
 * Error code used to denote that the signature element is syntactically invalid (e.g. it can't be
 * unmarshalled or the structure is not as expected).
 */
ILLEGAL_SIGNATURE_ERROR               (hasCode("SIG-IV")),
 
/**
 * Error code used to denote an invalid signature.
 */
INVALID_SIGNATURE_ERROR               (hasCode("SIG")),
 
/**
 * Error code used to denote an invalid license.
 */
LICENSE_VALIDITY_ERROR                (hasCode("LIC")),
 
/**
 * Error code used to denote that MPI (3DS1 and UPOP) is not enabled in the configuration.
 */
MPI_DISABLED_ERROR                    (hasCode("PRO")),
 
/**
 * Error code used to denote any other uncategorized exception.
 */
SYSTEM_ERROR                          (hasCode("SYS"));
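
The decoder below is an added example, not part of the 3DS Server: it picks the error code out of an application-log line, resolves the ER and DS-HTTP suffixes, and marks the DS codes for which the comments above say the MPI retries another Directory Server endpoint. The log line layout, the category names and the names decode and SAMPLE are assumptions.

```python
import re

# Base codes from the enum above, grouped by the stage that failed.
CATEGORIES = {
    "input": ["INP-MISS", "INP-IV"],
    "response": ["RES-MISS", "RES-IV", "RES-ROOT", "RES-MSG", "RES-EXT", "RES-VER"],
    "error-message": ["ER"],
    "ds-transport": ["DS-MSG", "DS-HTTP", "DS-TIME", "DS-REST"],
    "pares": ["PARES-CONV", "PARES-TIME"],
    "session": ["SESS"],
    "signature": ["SIG-CRT", "SIG-IV", "SIG"],
    "system": ["LIC", "PRO", "SYS"],
}
CODE_CATEGORY = {c: cat for cat, codes in CATEGORIES.items() for c in codes}
SUFFIXED = {"ER", "DS-HTTP"}  # the two codes marked "with suffix"
# 3-D Secure Error Message codes, copied from the table in the ER comment.
ER_TEXT = {
    1: "Root element invalid", 2: "Message element not a defined message",
    3: "Required element missing", 4: "Critical element not recognized",
    5: "Format of one or more elements is invalid according to the specification",
    6: "Protocol version too old", 50: "Acquirer not participating",
    51: "Merchant not participating", 52: "Password missing",
    53: "Incorrect password", 58: "Incorrect Common Name value in Client Certificate",
    98: "Transient system failure", 99: "Permanent system failure",
}
# Longest base code first so SIG-CRT is not read as SIG; the look-around
# guards reject matches inside longer tokens such as ERROR or VEReq.
_ALT = "|".join(re.escape(c) for c in sorted(CODE_CATEGORY, key=len, reverse=True))
_CODE_RE = re.compile(rf"(?<![\w-])({_ALT})(?:-(\d+))?(?![\w-])")

def decode(text):
    """Return details for the first error code found in text, else None."""
    for m in _CODE_RE.finditer(text):
        base, suffix = m.group(1), m.group(2)
        if (suffix is not None) != (base in SUFFIXED):
            continue  # numeric suffix on a plain code, or ER/DS-HTTP without one
        category = CODE_CATEGORY[base]
        detail = None
        if base == "ER":
            detail = ER_TEXT.get(int(suffix), "unlisted 3-D Secure error code")
        elif base == "DS-HTTP":
            detail = f"HTTP status {suffix}"
        return {"code": m.group(0), "base": base, "category": category,
                "detail": detail, "ds_retry_eligible": category == "ds-transport"}
    return None

# Constructed log lines (layout assumed, not taken from the product).
SAMPLE = ["12:00:01 WARN mpi - VEReq failed [DS-HTTP-404]",
          "12:00:02 ERROR mpi - PARes rejected, code=SIG-CRT"]
```

Grouping the decoded results by category separates Directory Server connectivity problems from signature and session failures, which usually warrant a closer look.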