For extra fraud protection, 3D Secure (3DS) requires customers to complete an additional verification step with the card issuer when paying. Typically, you direct the custo; This action is a preventative measure to protect your e-commerce business and your customers from payment fraud.

Created by Visa and MasterCard, 3D Secure also referred to as 3DS is a technical standard that adds a layer of security in online credit and debit card transactions.

The term 3DS stands for 3 Domain Server. The technology is so named because each 3D Secure transaction involves three parties:

  • The Acquirer Domain: the merchant's bank accepting card payments.

  • The Issuer Domain: the organization that issued the card being used in the online transaction.

  • The Interoperability Domain: payment systems that act as connectors between an Acquirer Domain and an Issuer Domain.

How does a 3D Secure payment work?

When the card requires the additional validation step, our request will respond with a redirectUrl property and the INPROGRESS state to which the end user must be redirected to complete the operation. Once the end user completes that step, the payin will change to one of two possible states and the state change notification will be sent. It can go to the COMPLETED state (in case all validations are passed) or REJECTED (with an error code 835: The cardholder did not take a further authentication step)

Below you will find an example of the response to a payin with Card payment method for a card with 3DSecure activated.

Use these examples to test in Stage:

  • For 3DS 4000000000003220

  • not 3DS 4000000000003055

      "externalId": "{{$timestamp}}",
      "paymentMethod": {
        "type": "CreditCard",
        "code": "1300",
        "flow": "DIRECT"
      "country": "Country",
      "currency": "Currency",
      "amount": 1234,
      "accountNumber": "{{Account Number}}",
      "conceptCode": "0001",
      "comment": "Test order details",
      "merchant": {
        "type": "COMPANY",
        "name": "Merchant name"
      "payer": {
        "type": "INDIVIDUAL",
        "name": "Firstname",
        "lastname": "Lastname",
        "document": {
          "type": "{{document type}}",
          "id": "Document id"
        "email": "payersemail@mail.com"
      "intermediaries": [],
      "card": {
        "token": "{{token}}
        "bin": "400000",
        "brand": "VISA",
        "country": "US",
        "name": "Card Name",
        "last4": "3220",
        "expirationYear": 2025,
        "expirationMonth": 11,
        "installments": 1
      "transactionType": "PayIn",
      "clientCode": "0100",
      "file": false

We can set a static URL for the redirection. The flow is that we redirect to that URL when the 3DS process finishes with the parameters internal Id and external Id, in case of being a static page it will not do anything with those parameters and will always show the same.

In this redirection we send the internal and external data by query so that you can consult, if you wish, the current state before displaying a fixed banner. For example if you pass us a ticket web page with URL "https://cliente.com/ticket", when a 3DS process ends, we redirect you to "https://cliente.com/ticket?internalId=xxxx&externalId=yyyyy".

This allows that ticket web page to read the internal and external parameters and query the payment status to display a dynamic message depending on the final status of the payment.

If that ticket page is static there is no problem either, it will display a fixed message without reading the parameters we send it. In the request you have to include the field "redirectUrl" with the value you want. It will redirect to that URL passing as parameter the external Id and the internal Id. If this URL is not provided, it redirects to the URL of our ticket.

It is sent in this way, in the request :

redirectUrl: { "onSuccess": "This is you URL "onError": "" }

It is necessary to configure the URL to redirect the 3DS process, the management must be requested through our support team and indicate the URL to be configured.

Last updated