- Add the
threeDSobject to the payments request to enable 3DS. - A response outcome of
3dsDeviceDataRequiredwill provide details to perform the issuers Device Data Collection on the customer's browser. - Resume the payment using the
supply3dsDeviceDataaction from the response. Iffrictionlessthe payment will proceed and authorize. - If the outcome is
3dsChallengeddetails will be provided to display the issuer's challenge page. - Resume the payment using the
complete3dsChallengeaction from the response to proceed with the payment.
Web integration
API integration with a browser based client side.
iOS/Android integration (native)
API integration with a native client side SDK.
React Native
Using React Native with WebView.
The issuer uses device data and certain values in the Payments API request to decide if the transaction is likely to be fraudulent.
How this data is interpreted varies by issuer. Supplying more data increases the chances of the outcome being frictionless (without a challenge).
Some issuers may fail the authentication entirely without the recommended fields.
Below is our latest guide on what to include.
Objects used for 3DS authentication:
cardNumber,billingAddress- core payment detailsinstruction.threeDS- for 3DS specific data, some are mandatoryinstruction.customer- firstName, lastName, email, phone, dateOfBirth, ipAddress
instruction.paymentInstrument.cardHolderNameinstruction.customer.email1instruction.customer.firstName2instruction.customer.lastName2instruction.customer.phoneNumber1
1 Either customer.email or customer.phoneNumber are required.
2 Only required if instruction.paymentInstrument.cardHolderName is not provided.
The following are considered mandatory by EMVco and are already part of Device Data Collection. We recommend providing these in the API request along with other device values to maximize authentication rates if Device Data Collection fails.
instruction.threeDS.deviceData.browserScreenWidth1instruction.threeDS.deviceData.browserScreenHeight1instruction.customer.ipAddress
1 Provide for web/browser integration only.
instruction.paymentInstrument.billingAddress.cityinstruction.paymentInstrument.billingAddress.countryinstruction.paymentInstrument.billingAddress.address1instruction.paymentInstrument.billingAddress.postalCodeinstruction.paymentInstrument.billingAddress.state
In the event the device data collection fails to run (browser/native), additionally provide the following in the payment request to maintain healthy authentication rates and reduce issuer challenges:
instruction.customer.ipAddress1instruction.threeDS.deviceData.browserLanguageinstruction.threeDS.deviceData.browserScreenHeightinstruction.threeDS.deviceData.browserScreenWidthinstruction.threeDS.deviceData.browserJavaEnabledinstruction.threeDS.deviceData.browserColorDepthinstruction.threeDS.deviceData.timeZoneinstruction.threeDS.deviceData.browserJavascriptEnabledinstruction.threeDS.deviceData.channel1
1 Only these values apply to (iOS/Android), the others are not applicable.
Authentication outage exemptions are currently not part of the default merchant setup. Please speak to your Implementation Manager to enable this feature.
Once enabled, you can set threeDS.exemptionOnOutage as true in the request.
...
"threeDS": {
"exemptionOnOutage": true
}
...The exemption increases the likelihood of receiving a successful authorization but transactions are not eligible for liability shift.
The response body will contain the following if you use an authentication outage exemption.
...
"threeDS": {
"outcome": "authenticationOutage"
}
...See our testing guide for how to reproduce the response on the Try environment.
Next steps
- SCA Exemptions
- Testing (3DS tab) for scenario details and magic test values