Solidgate provides 3D Secure support for payments, enhancing security measures for both merchants and customers. To process a payment as a 3D Secure payment, pass the force3ds parameter with the value true. This process ensures secure, reliable payment processing using 3D Secure authentication to prevent fraud.
When implementing 3DS payments, you may need to display the issuer’s 3DS (ACS URL) if the customer’s issuing bank mandates further authentication. Set up success_url and fail_url to redirect customers to the correct page after the authentication flow, regardless of success or failure.
For best results with 3DS 2.0, pass necessary browser details, such as user_agent and time_zone_offset, so that you can support frictionless flow.
3D Secure
Solidgate or the payment processor can trigger 3DS authentication. Whenever 3DS authentication is invoked, you can check the status through:
- check order status API response
- updated card order Webhook notification
Common 3D Secure three_ds flow types:
- frictionless - Authentication is complete without additional customer interaction.
- challenge - Customer must complete extra verification steps, such as entering a one-time passcode (OTP) or using another verification method.
- none - Authentication was attempted, but the issuer either does not support 3D Secure or did not respond.
- unspecified - It is unclear if the customer participated in a 3D Secure challenge.
When the flow is null, 3D Secure authentication is not initiated.
Strong Customer Authentication (SCA) exception types:
- low_value - Low-value transaction exemption for transactions below EUR 30 or cumulative small transactions under EUR 100/five transactions.
- transaction_risk_assessment - Transaction Risk Assessment (TRA) exemption based on low-risk transaction analysis.
Additionally, it represents the Electronic Commerce Indicator (ECI) eci security level used to authorize the payment. Interpret Electronic Commerce Indicator values to understand 3DS authentication outcomes, liability shifts, and authorization decisions.
External MPI data
Solidgate can also accept external Merchant Plug-In (MPI) data to maintain direct control over 3D Secure authentication. In such scenarios, you initiate the 3DS process through your MPI provider and then pass the MPI results back for payment processing. Benefits of using external MPI:
- You control the 3DS authentication flow and gather the required data from your provider.
- You can tailor the authentication process to optimize the customer experience, potentially reducing friction and checkout time.
- You can fulfill 3DS requirements imposed by issuing banks or payment networks to ensure regulatory compliance.
Steps for handling external MPI:
- Perform 3D Secure authentication
  Complete the 3DS process with your external MPI provider before you send the payment request.
- Capture and store MPI data
  Securely capture the essential MPI data from your external provider. The required parameters are three_ds_version, three_ds_flow, eci, cryptogram, and authentication_response. You also need ds_transaction_id for 3DS 2 with eci values 01, 02, 05, or 06.
- Submit payment request
  Place the captured MPI data in the external_mpi_data object within your payment request. You can do this for a one-time payment, a one-time product or a subscription flow for charges API, recurring API charges, or resign API charges.
- Handle the payment response
  Review the response and process successful payments. Handle exceptions where necessary.
MPI data insights
Below is a consolidated set of parameters you should pass when supplying external MPI data. These parameters apply to 3DS 2.x flows and provide the context your payment request needs to complete with liability shift and authentication details. Submit external_mpi_data only for successfully authenticated 3DS transactions (authentication_response value Y or A).
| Parameter | Value and description |
|---|---|
| three_ds_flow | frictionless - Authentication complete without additional customer interaction. |
| | challenge - Customer must complete extra verification steps, such as entering OTP. |
| | none - Provide exclusively when your MPI provider did not return authentication data. |
| authentication_response | Y - Authentication successful. |
| | A - Attempted processing performed; not authenticated or verified, but proof of the attempt is provided. |
| authentication_method | 01 - Static passcode. |
| | 02 - SMS One-Time Password (OTP). |
| | 03 - Key fob or Europay, Mastercard, Visa (EMV) card reader OTP. |
| | 04 - App OTP. |
| | 05 - OTP other. |
| | 06 - Knowledge-based authentication (KBA). |
| | 07 - Out-of-band (OOB) biometrics. |
| | 08 - OOB login. |
| | 09 - OOB other. |
| | 10 - Other. |
| | 11 - Push confirmation. |
| | 12 - Decoupled authentication (Solidgate does not support it). |
| | 14 - SPC. |
| | 15 - Behavioural biometrics. |
| | 16 - Electronic ID. |
| | 17–79 - Reserved for EMVCo future use (values invalid until defined by EMVCo). |
| | 80–99 - Reserved for DS use. |
The authentication_response value comes from transStatus, returned by the card issuer’s Access Control Server (ACS) or the Scheme Directory Server (DS). Use the value from transStatus received in:
- the ARes (Authentication Response) message for the frictionless flow
- the last CRes (Challenge Response) message for the challenge flow
- the RReq (Results Request) message sent after the cardholder completes the challenge
If the transaction was frictionless, no CRes or RReq messages are produced.
Handle errors
If 3D Secure authentication via an external MPI provider does not result in a successful authentication, do not pass external_mpi_data. Submit a normal payment request without the force3ds parameter if the risk is manageable, or stop the flow otherwise. Solidgate accepts MPI data only for successful authentications with authentication_response value Y or A.
Common errors:
- UUID compliance
  ds_transaction_id must comply with the RFC 4122 UUID standard.
- Invalid authentication_response
  Only Y and A are accepted. Any other value is rejected.
- Missing ds_transaction_id
  Required for 3DS 2 with certain eci values (for example, 01, 02, 05, or 06).
- three_ds_version
  You must include a valid version in the 2.X.X format when using external MPI data.
- Unsupported 3DS Version
  3DS version 1 is deprecated, please upgrade to 3DS 2.
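
A pre-submission check for the external_mpi_data object, covering the required parameters from the steps above and the common errors listed here. This is an added example, not Solidgate's code: the helper names and error strings are hypothetical, and the sample values are constructed.

```python
import re
import uuid

# Rules below are the ones stated on this page; helper names are hypothetical.
REQUIRED = ("three_ds_version", "three_ds_flow", "eci", "cryptogram", "authentication_response")
FLOWS = {"frictionless", "challenge", "none"}
ECI_NEEDING_DS_ID = {"01", "02", "05", "06"}
VERSION_2 = re.compile(r"2\.\d+\.\d+")


def is_canonical_uuid(value):
    """True for the 8-4-4-4-12 hex form of an RFC 4122 UUID."""
    try:
        return str(uuid.UUID(str(value))) == str(value).lower()
    except ValueError:
        return False


def validate_external_mpi_data(mpi):
    """Return a list of problems; an empty list means every check passed."""
    errors = [f"missing {name}" for name in REQUIRED if not mpi.get(name)]
    version = str(mpi.get("three_ds_version") or "")
    if version.startswith("1"):
        errors.append("unsupported 3DS version: version 1 is deprecated")
    elif version and not VERSION_2.fullmatch(version):
        errors.append("three_ds_version must use the 2.X.X format")
    flow = mpi.get("three_ds_flow")
    if flow and flow not in FLOWS:
        errors.append("unknown three_ds_flow")
    response = mpi.get("authentication_response")
    if response and response not in ("Y", "A"):
        errors.append("authentication_response must be Y or A")
    ds_id = mpi.get("ds_transaction_id")
    if ds_id and not is_canonical_uuid(ds_id):
        errors.append("ds_transaction_id is not an RFC 4122 UUID")
    elif not ds_id and str(mpi.get("eci")) in ECI_NEEDING_DS_ID:
        errors.append("ds_transaction_id is required for this eci value")
    return errors


# Constructed sample values, not real authentication data.
SAMPLE = {
    "three_ds_version": "2.2.0",
    "three_ds_flow": "challenge",
    "eci": "05",
    "cryptogram": "CONSTRUCTED-CRYPTOGRAM-PLACEHOLDER",
    "authentication_response": "Y",
    "ds_transaction_id": "3f2b8c1e-5d4a-4e6b-9a7c-1b2d3e4f5a6b",
}
```

When the returned list is not empty because authentication did not succeed, leave external_mpi_data out of the request, as described under Handle errors.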