Self-handled Flow
Flow Support
This flow is supported by specific providers only. To see whether a provider supports a specific flow type, go to Find your provider, filter by Transaction Type Cards, followed by Features and 3DS 2.0 Self-handled flow to find the relevant flow-supporting providers.
3D Secure Self-handled Flow
In a 3D Secure Self-handled flow, you must implement the 3D Secure flow logic yourself. There are three types of 3D Secure Self-handled flows (the response received from the issuer following your initial Create an Authorization or Create a Charge request will determine the flow that you must invoke):
- 3D Secure data collection flow: In this flow, data (such as device information) transmitted in the background is enough to authenticate without an extra step for the customer.
- 3D Secure data collection and challenge flow: This flow is the complete 3D Secure flow. It is similar to the 3D Secure data collection flow but includes an additional authentication step (challenge) that will be invoked if the information provided in the data collection step does not suffice to determine the risk level of the transaction.
- 3D Secure challenge only flow: In this flow, the customer is immediately redirected to an authentication step (challenge).
Notes
In some cases you may receive a synchronous response of Succeed or Failed when invoking the initial Create Authorization or Create Charge request (for instance, if the transaction was exempted from SCA). In this case, proceed with a regular transaction flow.
Let’s take a look at each of those flows in more detail.
3D Secure Data Collection Flow
In this flow, device data is used to authenticate the customer. This flow is frictionless, in that authentication occurs under the hood and no extra authentication step is needed for the customer.
The following image illustrates the 3D Secure Data Collection flow:
The flow is as follows:
- Create a new authorization or charge request. In the three_d_secure_attributes.internal object, pass in additional information that will help the card issuer assess the fraud risk level of the transaction. The response will include a redirection resource with an operation_type field whose value is data_collection, indicating that data collection is required. The authorization will have a status of Pending.
- Initiate the data collection process and pass the data to the issuer, as explained in Initiating the Data Collection Process. Under the hood, a communication session will be opened to the issuer and the issuer will collect the browser or device information from the user. The device or browser information will be used in combination with the data passed in the three_d_secure_attributes.internal object to authorize the payment (see the next step).
- After receiving a notification from the card issuer indicating that the analysis of the user's device or browser information has been completed, invoke the Continue Authentication Flow or Continue Charge Flow request to continue the authentication process.
  Implementing a Timeout Check
  We recommend you implement a 10 second timeout for obtaining the notification response. If a timeout occurs, invoke the Continue Authentication Flow or Continue Charge Flow request and pass a three_d_secure_attributes.internal.data_collection_completed_ind value of N.
- When authentication is completed, we will update the status of the Authorization or Charge request.
3D Secure Data Collection and Challenge Flow
This flow is the complete 3D Secure flow. It is similar to the 3D Secure data collection flow but includes an additional authentication step (challenge) that will be invoked if the information provided in the data collection step does not suffice to determine the risk-level of the transaction.
The following image illustrates the 3D Secure Data Collection and Challenge flow:
The flow is as follows:
- Complete the 3D Secure data collection flow until step 3. The response of this step will indicate that a challenge is required and will include a challenge URL.
- Open the challenge URL to allow the user to complete the additional authentication step. After the user completes the step, we will redirect the user to the merchant_site_url.
3D Secure Challenge Only Flow
In this flow, the customer is immediately redirected to an authentication step (challenge).
The following image illustrates the 3D Secure Challenge Only flow:
The steps in the flow are as follows:
- Invoke a new Create Authorization or Create Charge request. In the three_d_secure_attributes.internal object, pass in additional information that will help the card issuer assess the fraud risk level of the transaction. Also pass in a merchant_site_url, to which the user will be redirected when authentication is completed. The response will indicate that a challenge is required and will include a challenge URL. The authorization will have a status of Pending.
- Open the challenge URL to allow the user to complete the additional authentication step. After the user completes the step, we will redirect the user to the merchant_site_url.
Initiating the Data Collection Process
To initiate the data collection process, do the following:
- Create a JSON object holding a threeDSMethodNotificationURL field (this is your notification URL to which the issuer will send the completion status of the data collection process) and a threeDSServerTransID field (this is the 3D Secure transaction ID you receive in the provider_data.three_d_secure_result.internal.three_d_secure_server_transaction_id field returned in the response of a Create Authorization or Create Charge request).
  { "threeDSMethodNotificationURL": "http://urlforreceivingapproval", "threeDSServerTransID": "4c9a869e-2e75-4b1b-9bc4-3635edbb5973" }
- Format the object using Base64 encoding.
- Render a hidden HTML iframe in the cardholder's browser containing a form with a field named threeDSMethodData. Store the Base64url JSON Object in the field and send the form via HTTP POST to the redirection URL received in the redirection.url field in the response of the Create Authorization or Create Charge request.
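
The three steps above, together with the 10 second timeout check from the data collection flow, as an added JavaScript example (not the provider's code). The function names are hypothetical, and the unpadded base64url form and the https check on redirection.url are assumptions added here.

```javascript
// Added example; helper names are hypothetical, not provider APIs.
function toBase64Url(text) {
  let bin = '';
  for (const b of new TextEncoder().encode(text)) bin += String.fromCharCode(b);
  // Assumption: unpadded base64url ("-" and "_" instead of "+" and "/").
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Steps 1 and 2: build the JSON object and encode it.
function buildThreeDSMethodData(notificationUrl, serverTransId) {
  return toBase64Url(JSON.stringify({
    threeDSMethodNotificationURL: notificationUrl,
    threeDSServerTransID: serverTransId,
  }));
}

function escapeAttr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Step 3: markup for the hidden iframe; the form posts itself on load.
function buildMethodFormHtml(redirectionUrl, methodData) {
  const target = new URL(redirectionUrl); // throws on a malformed URL
  // Defensive check added here: never post device data over plain HTTP.
  if (target.protocol !== 'https:') throw new Error('redirection.url must be https');
  return '<form id="m" method="POST" action="' + escapeAttr(target.href) + '">' +
    '<input type="hidden" name="threeDSMethodData" value="' + escapeAttr(methodData) + '">' +
    '</form><script>document.getElementById("m").submit()<\/script>';
}

// Browser only: attach the form to the page inside an invisible iframe.
function renderHiddenIframe(doc, html) {
  const frame = doc.createElement('iframe');
  frame.style.display = 'none';
  frame.srcdoc = html;
  doc.body.appendChild(frame);
  return frame;
}

// Timeout check: wait up to 10 s for the issuer notification; on timeout,
// return the value the page says to send with the Continue request.
function awaitNotification(notification, timeoutMs = 10000) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve({ timedOut: true, data_collection_completed_ind: 'N' }), timeoutMs);
  });
  const done = notification.then((n) => ({ timedOut: false, notification: n }));
  return Promise.race([done, timeout]).finally(() => clearTimeout(timer));
}
```

In the browser, call renderHiddenIframe(document, html) with the markup from buildMethodFormHtml, and pass awaitNotification a promise that your backend resolves when the issuer calls your notification URL.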