3-D Secure

3-D Secure (Three Domain Secure) is the industry standard authentication protocol for online card transactions. It adds an extra layer of security by requiring cardholders to verify their identity before payment processing.

Benefits

Fraud Protection - Shift liability for fraudulent transactions to the card issuer
SCA Compliance - Meet Strong Customer Authentication requirements
Improved Trust - Build customer confidence with secure transactions
Flexible Authentication - Support frictionless flows when possible

Strong Customer Authentication (SCA)

Under PSD2 regulations in Europe, Strong Customer Authentication requires verification using at least two of three factors:

Factor	Type	Examples
Knowledge	Something you know	PIN, password, security question
Possession	Something you have	Phone, card reader, token
Inherence	Something you are	Fingerprint, face recognition, voice

3-D Secure Versions

3-D Secure 2

The current standard, offering:

Frictionless Authentication - Risk-based decisions without customer interaction
Mobile Optimization - Better experience on mobile devices
Rich Data Exchange - More context for issuer decisions
Exemption Handling - Request exemptions for low-risk transactions

3-D Secure 1

Legacy version being phased out. New integrations should use 3DS2.

Authentication Flows

Frictionless Flow

For low-risk transactions, authentication happens in the background:

Customer → Merchant → Platform → Issuer (risk assessment) → Approved

No additional customer action required.

Challenge Flow

For higher-risk transactions, the customer must authenticate:

Customer → Merchant → Platform → Issuer → Challenge (OTP/Biometric) → Approved

Implementation

Hosted Checkout Page

3-D Secure is handled automatically. Just include the required properties:

{
  "order": {
    "amountOfMoney": {
      "amount": 2980,
      "currencyCode": "EUR"
    },
    "customer": {
      "billingAddress": {
        "countryCode": "NL",
        "city": "Amsterdam"
      },
      "contactDetails": {
        "emailAddress": "customer@example.com"
      }
    }
  },
  "hostedCheckoutSpecificInput": {
    "returnUrl": "https://yoursite.com/return"
  }
}

Server-to-Server

Include 3-D Secure configuration in your payment request:

C#
Java

var request = new CreatePaymentRequest
{
    Order = new Order
    {
        AmountOfMoney = new AmountOfMoney
        {
            Amount = 2980,
            CurrencyCode = "EUR"
        },
        Customer = new Customer
        {
            BillingAddress = new Address
            {
                CountryCode = "NL",
                City = "Amsterdam",
                Street = "Kalverstraat 1",
                Zip = "1012 NX"
            },
            ContactDetails = new ContactDetails
            {
                EmailAddress = "customer@example.com"
            }
        }
    },
    CardPaymentMethodSpecificInput = new CardPaymentMethodSpecificInput
    {
        PaymentProductId = 1,
        Card = new Card
        {
            CardNumber = "4111111111111111",
            Cvv = "123",
            ExpiryDate = "1225",
            CardholderName = "John Doe"
        },
        ThreeDSecure = new ThreeDSecure
        {
            ChallengeIndicator = "no-preference",
            RedirectionData = new RedirectionData
            {
                ReturnUrl = "https://yoursite.com/return"
            }
        }
    }
};

var response = await merchantClient.Payments
    .CreatePaymentAsync(request);

CreatePaymentRequest request = new CreatePaymentRequest();

// Order setup
Order order = new Order();
AmountOfMoney amount = new AmountOfMoney();
amount.setAmount(2980L);
amount.setCurrencyCode("EUR");
order.setAmountOfMoney(amount);

// Customer details
Customer customer = new Customer();
Address billingAddress = new Address();
billingAddress.setCountryCode("NL");
billingAddress.setCity("Amsterdam");
customer.setBillingAddress(billingAddress);
order.setCustomer(customer);

request.setOrder(order);

// Card with 3DS
CardPaymentMethodSpecificInput cardInput = new CardPaymentMethodSpecificInput();
cardInput.setPaymentProductId(1);

Card card = new Card();
card.setCardNumber("4111111111111111");
card.setCvv("123");
card.setExpiryDate("1225");
cardInput.setCard(card);

ThreeDSecure threeDSecure = new ThreeDSecure();
RedirectionData redirectionData = new RedirectionData();
redirectionData.setReturnUrl("https://yoursite.com/return");
threeDSecure.setRedirectionData(redirectionData);
cardInput.setThreeDSecure(threeDSecure);

request.setCardPaymentMethodSpecificInput(cardInput);

CreatePaymentResponse response = merchantClient.payments()
    .createPayment(request);

Handle the Response

if (response.MerchantAction?.ActionType == "REDIRECT")
{
    // Customer must complete 3DS challenge
    string redirectUrl = response.MerchantAction.RedirectData.RedirectURL;
    // Redirect customer to this URL
}
else
{
    // Frictionless - check payment status directly
    var statusCode = response.Payment.StatusOutput.StatusCode;
}

Challenge Indicator

Control the 3DS challenge behavior:

Value	Description
`no-preference`	Let the issuer decide (default)
`no-challenge-requested`	Prefer frictionless if possible
`challenge-requested`	Request a challenge
`challenge-required`	Mandate a challenge

ThreeDSecure = new ThreeDSecure
{
    ChallengeIndicator = "no-challenge-requested",
    // ...
}

Exemptions

Request exemptions for qualifying transactions:

Low Value Exemption

For transactions under €30 (cumulative limits apply):

ThreeDSecure = new ThreeDSecure
{
    ExemptionRequest = "low-value"
}

Transaction Risk Analysis (TRA)

For merchants with low fraud rates:

ThreeDSecure = new ThreeDSecure
{
    ExemptionRequest = "transaction-risk-analysis"
}

Available Exemptions

Exemption	Condition
`low-value`	Transaction < €30
`transaction-risk-analysis`	Low fraud rate
`whitelist`	Customer whitelisted the merchant
`corporate`	Corporate/business cards
`recurring`	Subsequent recurring payments

Exemption Outcomes

Exemption requests may be accepted or declined by the issuer. If declined, the transaction falls back to standard 3DS authentication.

Exclusions

Some transactions are automatically excluded from SCA:

MOTO - Mail order/telephone order
Cross-border - Payments outside EEA
Anonymous prepaid - Cards up to €150
Merchant-initiated - MIT transactions

CardPaymentMethodSpecificInput = new CardPaymentMethodSpecificInput
{
    TransactionChannel = "MOTO"  // Excludes from SCA
}

Required Data

Include these fields for optimal authentication results:

Billing Address

BillingAddress = new Address
{
    Street = "Kalverstraat 1",
    City = "Amsterdam",
    Zip = "1012 NX",
    CountryCode = "NL"
}

Contact Details

ContactDetails = new ContactDetails
{
    EmailAddress = "customer@example.com",
    PhoneNumber = "+31612345678"
}

Browser Data (for S2S)

ThreeDSecure = new ThreeDSecure
{
    BrowserData = new BrowserData
    {
        ColorDepth = 24,
        JavaEnabled = false,
        ScreenHeight = "1080",
        ScreenWidth = "1920"
    }
}

Testing

Use test cards to simulate different 3DS scenarios:

Card Number	Scenario
4012 0000 3333 0026	3DS Challenge required
4012 0000 3333 0034	3DS Frictionless
4012 0000 3333 0042	3DS Attempted
4000 0000 0000 0002	Authentication failed

Authentication Results

The threeDSecureResults in the response contains:

Field	Description
`eci`	Electronic Commerce Indicator
`authenticationStatus`	Result of authentication
`cavv`	Cardholder Authentication Verification Value
`xid`	Transaction identifier

var threeDSecureResults = response.Payment
    .PaymentOutput
    .CardPaymentMethodSpecificOutput
    .ThreeDSecureResults;

string eci = threeDSecureResults.Eci;
string authStatus = threeDSecureResults.AuthenticationStatus;

Authentication Status Values

Status	Meaning
`Y`	Fully authenticated
`A`	Attempted authentication
`N`	Not authenticated (denied)
`U`	Authentication unavailable
`C`	Challenge required

Liability Shift

With successful 3-D Secure authentication:

Fraudulent transaction → Issuer is liable
Cardholder dispute → Chargeback protection

Best Practice

Always include comprehensive customer and address data to maximize frictionless authentication rates and liability shift coverage.

Troubleshooting

Common Issues

Issue	Cause	Solution
Challenge not showing	Missing browser data	Include all browser fields
Authentication failed	Invalid return URL	Ensure HTTPS and accessible URL
No liability shift	Exemption used	SCA exemptions don't include liability shift

Next Steps

Configure webhooks for authentication updates
Implement Hosted Checkout with automatic 3DS
Explore payment methods requiring 3DS

Benefits​

Strong Customer Authentication (SCA)​

3-D Secure Versions​

3-D Secure 2​

3-D Secure 1​

Authentication Flows​

Frictionless Flow​

Challenge Flow​

Implementation​

Hosted Checkout Page​

Server-to-Server​

Handle the Response​

Challenge Indicator​

Exemptions​

Low Value Exemption​

Transaction Risk Analysis (TRA)​

Available Exemptions​

Exclusions​

Required Data​

Billing Address​

Contact Details​

Browser Data (for S2S)​

Testing​

Authentication Results​

Authentication Status Values​

Liability Shift​

Troubleshooting​

Common Issues​

Next Steps​