3-D Secure
3-D Secure reduces the risk of unauthorised use of a cardholder account and makes online shopping better and safer for both buyers and sellers on the web.
The service enables card issuers to verify a cardholder's identity and provide results to the merchant in real-time during the checkout process. This reduces the merchant's exposure to fraud and disputes and protects the cardholder from fraudulent use of their credit card.
COPYandPAY
For COPYandPAY, the widget handles the extra communication and collects the required browser-based information automatically.
Server-to-Server
For Server-to-Server, you must follow EMVCo's guidelines on the frontend integration. Ensure you handle the 3-D Secure response, as it might differ from how you handle responses in payment transactions without 3-D Secure.
Refer to Step 2 in the Server-to-Server 3-D Secure tutorial.
Browser-based vs app-based 3-D Secure
It is important to distinguish between 3-D Secure authentication performed in a web browser and in a mobile app.
If you perform 3-D Secure in a web browser, the standard integration applies, where our 3-D Secure server handles processing.
For transactions performed in an Android or iOS app, use the 3-D Secure SDK. This SDK is specifically designed to handle the app-based authentication flow.
- This applies even if the mobile app uses a WebView component instead of native components.
- Performing browser-based 3-D Secure transactions inside a WebView may work in certain cases but is not officially supported by EMVCo.
- Such integrations are not guaranteed to function and can result in an increased rate of 3-D Secure failures.
Features
Depending on your business, 3-D Secure offers numerous authentication features:
- Exemptions: Used to reduce friction during cardholder authentication. The Open Payments Platform offers a simple way to handle these use-cases. As a passthrough, each merchant can determine which exemption to use.
- Non-payment authentication (NPA): Offers the option to authenticate the customer even when there is no payment transaction happening and in cases when the transaction amount is not known. During card tokenisation, if there is no payment amount present, NPA applies. During a payment transaction, you can use NPA if the amount is not known or it is zero.
- Identity Check Insights: Mastercard has a custom authentication message category called Identity Check Insights. It provides the merchant with the flexibility to share cardholder data through the EMV 3DS rails to influence an issuer's decision to approve a transaction without requesting authentication and thus with no risk of cardholder challenge and added latency.
- 3RI authentication: Stands for 3DS Requestor Initiated Authentication. 3RI is an authentication method where the cardholder is not present and the merchant initiates the transaction. This authentication type is mainly used to get the status of an already-authenticated transaction in case of delayed shipments, recurring transactions, or merchant-initiated transactions.
- Decoupled authentication: An authentication method whereby authentication can occur independently of the cardholder's experience with the 3DS requestor (merchant). During decoupled authentication, the customer does not authenticate during the challenge flow in the iframe on the merchant's website but, for example, via a separate mobile application. To request a decoupled authentication from the issuer, send the threeDSecure.decoupled=true field with the request. Not all issuers support decoupled authentication. If it is not supported, the customer authenticates the transaction with the normal workflow.
Try it out
The Peach Payments test system uses an in-house 3-D Secure simulator. To ensure you test different features and scenarios, follow the 3-D Secure testing guide.
For the full list of mandatory and optional parameters for 3-D Secure, see the 3-D Secure parameter reference table.
- COPYandPAY: A JavaScript payment widget that sends sensitive payment data directly from the customer's browser to the Open Payments Platform.
- Server-to-Server: The Server-to-Server API allows you to integrate payment acceptance services directly, offering fully flexible workflows for frontend and backend processing.
- Standalone: Send a Server-to-Server request to the 3-D Secure endpoint.
- Mobile SDK: The Mobile SDK for Android and iOS makes it straightforward to integrate with the Open Payments Platform for mobile devices.