How do CAVV and XID look like?

CAVV and XID are tokens to prove a 3D Secure transaction was authenticated. But how do they look like? If I receive one, how can I validate it really is a CAVV or XID? Can it be any 28-character long string? Or are there some rules (like the Luhn formula for credit card numbers)?

CAVV/AVV/UCAF/AEVV values can be encoded according to the merchants configuration in either Base64 encoding or Hex encoding.

• A Base64 encoding merchant configuration will produce values of 28 or 32 characters.
• A Hex encoding merchant configuration will produce values of 40 or 48 characters.
• The value when decoded will either be 20 bytes for CAVV or 20 or 24 bytes if the value is AAV (MasterCard UCAF).

Similarly XID will be encoded according to the merchants configuration in either Base64 encoding or Hex encoding as well.

• A Base64 encoding merchant configuration will produce values of 28 characters.
• A Hex encoding merchant configuration will produce values of 40 characters.