3D Secure verification

[ { "title":"Testing", "link":"https://docs.solidgate.com/payments/testing/", "text":"Simulate payments to test your integration before launching in production.", "imgSrc":"https://solidgate.com/wp-content/uploads/2022/06/icon-customizable.svg" } , { "title":"Create your payment form", "link":"https://docs.solidgate.com/payments/integrate/payment-form/create-your-payment-form/", "text":"Understand how to integrate the payment form into your product.", "imgSrc":"https://solidgate.com/wp-content/uploads/2022/06/icon-payments.svg" } , { "title":"Billing", "link":"https://docs.solidgate.com/billing/", "text":"Smart billing solutions designed for diverse business models.", "imgSrc":"https://solidgate.com/wp-content/uploads/2022/06/icon-global.svg" } ]

Get in touch
Sign in
3D Secure verification
Boost payment security with 3D Secure support

Solidgate provides 3D Secure support for payments, enhancing security measures for both merchants and customers. To process a payment as a Guide
This process ensures secure, reliable payment processing using 3D Secure authentication to prevent fraud. 3D Secure payment, pass the force3ds: true value.

When implementing 3DS payments, you may need to display the issuer’s 3D Secure page (ACS URL) if the customer’s issuing bank mandates further authentication. You can set up success_url and fail_url so that your customers are redirected to the correct page when the authentication flow completes (either successfully or unsuccessfully).

For best results with 3DS 2.0, pass necessary browser details, such as user_agent and time_zone_offset, so that you can support frictionless flow.


3D Secure payment flows
anchor

Solidgate or the payment processor can trigger 3DS authentication. Whenever 3DS authentication is invoked, you can check the status through:

Common 3D Secure three_ds: flow types:

  • frictionless - Authentication is complete without additional customer interaction.
  • challenge - Customer must complete extra verification steps, such as entering a one-time passcode (OTP) or using another verification method.
  • none - Authentication was attempted, but the issuer either does not support 3D Secure or did not respond.
  • unspecified - It is unclear if the customer participated in a 3D Secure challenge.

When the flow is null , 3D Secure authentication is not initiated. Additionally, it represents the Electronic Commerce Indicator ( Guide
ECI value represents authentication, affects authorization and liability protection. ECI ) eci security level used to authorize the payment.


External MPI data
anchor

Solidgate can also accept external Merchant Plug-In (MPI) data to maintain direct control over 3D Secure authentication. In such scenarios, you initiate the 3DS process through your MPI provider and then pass the MPI results back for payment processing. Benefits of using external MPI:

  • Control over 3DS authentication
    You decide the authentication flow and gather the required data from your provider.
  • Optimal user experience
    You can tailor the authentication process, potentially reducing friction and checkout time for your customers.
  • Regulatory compliance
    You can fulfill 3DS requirements imposed by issuing banks or payment networks.

Steps for handling external MPI:

  1. Perform 3D Secure authentication
    Complete the 3DS process with your external MPI provider before you send the payment request.
  2. Capture and store MPI data
    Securely capture essential MPI data from your external provider. You will need the following required three_ds_version, three_ds_flow, ds_enrollment_response, eci, cryptogram, authentication_response, and ds_transaction_id parameters.
  3. Submit payment request
    Place the captured MPI data in the external_mpi_data object within your payment request. You can do this for a one-time payment, a one-time product or a subscription flow for charges API , recurring API charges, or resign API charges.
  4. Handle the payment response
    Review the response and process successful payments. Handle exceptions where necessary.

MPI data insights
anchor

Below is a consolidated set of parameters you should pass when supplying external MPI data. These parameters apply to 3DS 2.x flows and provide the context your payment request needs to complete with liability shift and authentication details.

Value Description
three_ds_flow frictionless - Authentication complete without additional customer interaction.
challenge - Customer must complete extra verification steps, such as entering OTP.
none - Authentication attempted, but issuer either does not support 3D Secure or did not respond, with transStatus value U or A .
ds_enrollment_response Y - Card is enrolled; authentication is possible.
N - Card is not enrolled.
U - Enrollment status is unknown.
authentication_response Y - Authentication verification successful.
N - Not authenticated / account not verified; transaction is denied.
U - Authentication / account verification could not be performed; technical or other problem, as indicated in ARes or RReq.
A - Attempts processing is performed; not authenticated or verified, but proof of the attempt is provided.
C - Challenge is required; additional authentication is needed using the CReq and CRes.
D - Challenge is required; decoupled authentication confirmed (Solidgate does not support it).
R - Authentication / account verification is rejected; the issuer rejects authentication or verification and requests that authorization is not attempted.
I - Informational only; the 3DS requestor challenge preference is acknowledged.
S - Challenge using Secure Payment Confirmation (SPC).
authentication_method 01 - Static passcode.
02 - SMS One-Time Password (OTP).
03 - Key fob or Europay, Mastercard, Visa (EMV) card reader OTP.
04 - App OTP.
05 - OTP other.
06 - Knowledge-based authentication (KBA).
07 - Out-of-band (OOB) biometrics.
08 - OOB login.
09 - OOB other.
10 - Other.
11 - Push confirmation.
12 - Decoupled authentication (Solidgate does not support it).
14 - SPC.
15 - Behavioural biometrics.
16 - Electronic ID.
17–79 - Reserved for EMVCo future use (values invalid until defined by EMVCo).
80–99 - Reserved for DS use.

Errors handling
anchor

If 3D Secure authentication via an external MPI provider returns an error (other than a declined transaction), you may proceed with a non-3DS payment request if you determine that the risk is manageable. To do so, you can submit a normal payment request without including the force3ds parameter. Common errors:

  • UUID compliance: ds_transaction_id must comply with the RFC 4122 UUID standard.
  • Missing
    • ds_transaction_id
      Required for 3DS 2 with certain eci values (e.g., 01 , 02 , 05 , or 06 ).
    • three_ds_version
      You must include a valid version when using external MPI data.
  • Unsupported 3DS Version: 3DS version 1 is deprecated; please upgrade to 3DS 2.
Looking for help? Contact us
Stay informed with Changelog