3D Secure 2.0
3D Secure for Card Payments — Overview and Integration Guide
What is 3D Secure (3DS)?
3D Secure (3DS) is an authentication protocol for card-not-present (CNP) payments. It lets the card issuer verify that the person paying is the legitimate cardholder before the payment is authorized.
3DS 2.0 is the current version of the protocol (EMVCo). Compared with 3DS 1.0, it improves the shopper experience and gives issuers more data for risk-based authentication (RBA) — so many low-risk payments can be approved without a visible challenge.
Why it matters
| Benefit | Description |
|---|---|
| Fraud reduction | Issuer validates identity using device, transaction, and cardholder data |
| Regulatory compliance | Supports Strong Customer Authentication (SCA) under PSD2 (EEA/UK) and similar mandates |
| Liability shift | When authentication succeeds with the right ECI/CAVV, chargeback liability often shifts from merchant to issuer (scheme-dependent) |
| Higher authorization rates | Correct 3DS data helps acquirers and issuers approve legitimate e-commerce payments |
How 3DS works
When a shopper makes a purchase on a 3DS 2.0-enabled website or app, the payment flow generally follows these steps:
- Payment initiation: The customer starts the process by entering their credit or debit card information at checkout.
- Data sharing: The merchant quietly and securely transmits key background information (such as transaction details, device metrics, and cardholder data) to the card-issuing bank.
- Risk assessment: The issuer analyzes this data in real-time to gauge the likelihood of fraud. If the payment is deemed low-risk, it is approved immediately without interrupting the user's checkout experience.
- Challenge: If the system flags the purchase as potentially high-risk, the user is prompted to prove their identity. This extra security measure might involve entering a one-time password (OTP), providing a biometric scan (like Face ID or a fingerprint), or typing in a personal password.
- Payment completion: Once the user successfully completes the authentication challenge, the bank authorizes the transaction and the payment is finalized.
Integration options with PPRO
A. PPRO-hosted 3DS authentication
PPRO manages the 3DS authentication flow. The merchant redirects the customer to PPRO's Hosted Authentication Page (HAP). Once authentication is complete, PPRO redirects the customer back to the return URL specified in the transaction request.
B. 3DS Passthrough (External 3DS)
Designed for merchants who handle authentication through an external provider, or who need to pass 3DS parameters obtained during a Customer-Initiated Transaction (CIT) into a Merchant-Initiated Transaction (MIT).
Create a payment using either option
A. PPRO-hosted 3DS authentication (Redirect)
To implement PPRO-hosted authentication, follow these steps:
- Initiate the request: Send a payment request with authenticationSettings.type = "REDIRECT" and provide your returnUrl in authenticationSettings.settings. This tells PPRO to manage the 3DS authentication.
- Redirect the customer: If the authentication flow is successfully initiated, the API returns a status of "AUTHENTICATION_PENDING". Extract the target URL from authenticationMethods.details.requestUrl and redirect the customer to that page.
- Await the outcome: After the customer completes the authentication (whether frictionless or via a challenge), PPRO evaluates the result. If the authentication is successful, PPRO automatically attempts to authorize the transaction with the acquirer. PPRO then redirects the customer back to your returnUrl. The transaction status will update to either AUTHORIZED or FAILED, and you will receive a webhook notification with the final payment status.
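The merchant-side handling of these three steps, as an added example that is not PPRO's own code: it checks the redirect target before sending the shopper there, and it decides the order outcome only from a server-side charge record (webhook or API fetch), not from the shopper arriving at returnUrl. The host allowlist and the function names are assumptions; the field names follow the response example on this page.

```python
from urllib.parse import urlsplit

# Assumption: hosts you expect PPRO to send shoppers to. The single entry is
# the host seen in this page's sample response; confirm the real list with PPRO.
ALLOWED_3DS_HOSTS = {"3ds.qa.cp-int.ppro.com"}


def redirect_target(charge: dict, allowed_hosts=ALLOWED_3DS_HOSTS):
    """Return (url, http_method) for the 3DS redirect, or None if none is due."""
    if charge.get("status") != "AUTHENTICATION_PENDING":
        return None
    for method in charge.get("authenticationMethods", []):
        if method.get("type") != "REDIRECT":
            continue
        details = method.get("details", {})
        url = details.get("requestUrl", "")
        parts = urlsplit(url)
        # Refuse anything that is not HTTPS to an expected host, so a tampered
        # or malformed response cannot turn checkout into an open redirect.
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            raise ValueError(f"unexpected 3DS redirect host: {parts.hostname!r}")
        return url, details.get("requestMethod", "GET")
    raise ValueError("AUTHENTICATION_PENDING without a REDIRECT method")


def order_action(charge: dict, expected_charge_id: str) -> str:
    """Map a server-side charge record (webhook or API fetch) to an order action."""
    if charge.get("id") != expected_charge_id:
        raise ValueError("charge id does not match the order")
    status = charge.get("status")
    if status == "AUTHORIZED":
        return "fulfil"
    if status == "FAILED":
        return "decline"
    return "wait"  # AUTHENTICATION_PENDING or any other non-final status


# Constructed sample, trimmed from the response shape shown on this page.
SAMPLE = {
    "id": "charge_WMGrN2m9k2sYW5HS8tqIb",
    "status": "AUTHENTICATION_PENDING",
    "authenticationMethods": [{
        "type": "REDIRECT",
        "details": {"requestUrl": "https://3ds.qa.cp-int.ppro.com?t=TOKEN",
                    "requestMethod": "GET"},
    }],
}
```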
Sequence Diagram
```mermaid
sequenceDiagram
    participant Shopper
    participant Merchant
    participant PPRO as PPRO
    participant DS as 3DS Server
    participant ACS as Issuer ACS
    Shopper->>Merchant: Clicks to checkout
    Merchant->>PPRO: Create payment charge
    PPRO->>DS: Versioning + Authentication (AReq)
    DS->>ACS: Forward authentication request
    alt Frictionless
        ACS-->>PPRO: Authenticated (Y)
    else Challenge
        ACS-->>Shopper: Challenge (OTP / biometrics)
        Shopper-->>ACS: Verification
        ACS-->>PPRO: Result (Y / N)
    end
    PPRO->>Merchant: Authentication outcome + authorize
```
Example: PPRO-hosted 3DS authentication (Redirect)
```http
POST /v1/payment-charges

{
  "paymentMethod": "CARD",
  "autoCapture": false,
  "initiator": "CONSUMER",
  "scheduleType": "UNSCHEDULED",
  "instrument": {
    "type": "RAW_CARD",
    "details": {
      "number": "5424184049821670",
      "brand": "VISA",
      "holderName": "Tony Stark",
      "expiryMonth": 12,
      "expiryYear": 2035,
      "cvv": "571"
    }
  },
  "authenticationSettings": [
    {
      "type": "REDIRECT",
      "settings": {
        "returnUrl": "https://merchant.example.com/checkout/3ds-return"
      }
    }
  ],
  "amount": {
    "value": 1000,
    "currency": "EUR"
  },
  "order": {
    "orderItems": [],
    "industryData": [],
    "installmentPlan": {
      "numberOfInstallments": 1
    }
  },
  "consumer": {
    "name": "Tony Stark",
    "email": "[email protected]",
    "country": "US",
    "taxIdentification": "12345678",
    "billingAddress": {
      "firstName": "Tony",
      "lastName": "Stark",
      "phoneNumber": "01522113356",
      "street": "890 5th Avenue",
      "postalCode": "10075",
      "city": "New York",
      "region": "NY",
      "country": "US"
    }
  },
  "paymentDescriptor": "PPRO*Avengers"
}
```
Response
```json
{
  "id": "charge_WMGrN2m9k2sYW5HS8tqIb",
  "paymentMethod": "CARD",
  "paymentMedium": "ECOMMERCE",
  "initiator": "CONSUMER",
  "scheduleType": "UNSCHEDULED",
  "instrumentId": "instr_iYeoWaal7MB8jMK1uOEYl",
  "instrumentUpdated": false,
  "currency": "EUR",
  "country": "US",
  "paymentDescriptor": "PPRO*Avengers",
  "status": "AUTHENTICATION_PENDING",
  "consumer": {
    "name": "Tony Stark",
    "email": "[email protected]",
    "country": "US",
    "taxIdentification": "12345678",
    "billingAddress": {
      "firstName": "Tony",
      "lastName": "Stark",
      "phoneNumber": "01522113356",
      "street": "890 5th Avenue",
      "postalCode": "10075",
      "city": "New York",
      "region": "NY",
      "country": "US"
    }
  },
  "order": {
    "orderItems": [],
    "industryData": [],
    "installmentPlan": {
      "numberOfInstallments": 1,
      "feePaidBy": "MERCHANT"
    }
  },
  "authenticationMethods": [
    {
      "details": {
        "requestUrl": "https://3ds.qa.cp-int.ppro.com?t=eyJhbGciOiJFUzI1NiJ9.eyJmaW5nZXJwcmludFJlcXVpcmVkIjp0cnVlLCJ0aHJlZURzU2VydmVyVHJhbnNhY3Rpb25JZCI6IjVkYzI2MGNkLWQ4MTYtNDk3YS1hM2ExLTljZDk0YjM1MjhmZiIsInRocmVlRFNNZXRob2REYXRhIjoiZXlKMGFISmxaVVJUVFdWMGFHOWtUbTkwYVdacFkyRjBhVzl1VlZKTUlqb2lhSFIwY0hNNkx5OWxlR0Z0Y0d4bExtTnZiUzh6WkhNdGJXVjBhRzlrTFc1dmRHbG1hV05oZEdsdmJpMTFjbXdpTENKMGFISmxaVVJUVTJWeWRtVnlWSEpoYm5OSlJDSTZJalZrWXpJMk1HTmtMV1E0TVRZdE5EazNZUzFoTTJFeExUbGpaRGswWWpNMU1qaG1aaUo5Iiwic2Vzc2lvbiI6ImNoYXJnZV9XTUdyTjJtOWsyc1lXNUhTOHRxSWIiLCJ0aHJlZURzTWV0aG9kVXJsIjoiaHR0cHM6Ly9leGFtcGxlLmNvbS8zZHMtbWV0aG9kLW5vdGlmaWNhdGlvbi11cmwiLCJpZCI6ImNoYXJnZV9XTUdyTjJtOWsyc1lXNUhTOHRxSWIiLCJleHAiOjE3ODEyNzI1NzEsInJldHVyblVybCI6Imh0dHBzOi8vbWVyY2hhbnQuZXhhbXBsZS5jb20vY2hlY2tvdXQvM2RzLXJldHVybiJ9.Q0XrEx_tI62UBKFys71DqusQhnmbwkLwo0IMvamci0LkUshYQJkrA0w26pwAF5QPiW8ok_4vkKrmY5m1rvO7ow",
        "requestMethod": "GET"
      },
      "type": "REDIRECT"
    }
  ],
  "authorizations": [
    {
      "id": "authz_u4PTnLoiywzOYpMmVY9T8",
      "amount": 1000,
      "status": "AUTHENTICATION_PENDING",
      "createdAt": "2026-06-12T13:41:11.705Z",
      "updatedAt": "2026-06-12T13:41:11.705Z"
    }
  ],
  "captures": [],
  "refunds": [],
  "discards": [],
  "voids": [],
  "createdAt": "2026-06-12T13:41:10.942Z",
  "updatedAt": "2026-06-12T13:41:11.705Z",
  "merchantId": "8a8394c4-3d09-b72d-013d-36f1bfaa6c99",
  "autoCapture": false,
  "_links": {
    "authorizations": {
      "href": "/v1/payment-charges/charge_WMGrN2m9k2sYW5HS8tqIb/authorizations"
    },
    "captures": {
      "href": "/v1/payment-charges/charge_WMGrN2m9k2sYW5HS8tqIb/captures"
    },
    "refunds": {
      "href": "/v1/payment-charges/charge_WMGrN2m9k2sYW5HS8tqIb/refunds"
    },
    "discards": {
      "href": "/v1/payment-charges/charge_WMGrN2m9k2sYW5HS8tqIb/discards"
    },
    "voids": {
      "href": "/v1/payment-charges/charge_WMGrN2m9k2sYW5HS8tqIb/voids"
    }
  }
}
```
Test Cards
| Card Number | Expiry Date | CVV | 3DS flow | Transaction Result |
|---|---|---|---|---|
| 4487680000001234 | Any | Any | Frictionless | Approved |
| 5424184049821670 | Any | Any | Challenge | Approved |
B. 3DS Passthrough (External 3DS)
For the passthrough flow, you must forward to PPRO the fields received from your external 3DS provider after authentication is complete.
Sequence Diagram
```mermaid
sequenceDiagram
    participant Shopper
    participant Merchant
    participant PPRO as PPRO
    participant DS as 3DS Server
    participant ACS as Issuer ACS
    Shopper->>Merchant: Clicks to checkout
    Merchant->>DS: Versioning + Authentication (AReq)
    DS->>ACS: Forward authentication request
    alt Frictionless
        ACS-->>PPRO: Authenticated (Y)
    else Challenge
        ACS-->>Shopper: Challenge (OTP / biometrics)
        Shopper-->>ACS: Verification
        ACS-->>PPRO: Result (Y / N)
    end
    PPRO->>Merchant: Authentication outcome
    Merchant->>PPRO: Create payment charge with approved 3DS parameters
```
Example: 3DS Passthrough (External 3DS)
```json
...
"authenticationSettings": [
  {
    "type": "EXTERNAL_3DS",
    "settings": {
      "authenticationStatus": "SUCCESS",
      "authenticationValue": "AAIBAkl0NwmHglFBAXQ3AAAAAAA",
      "eci": "05",
      "version": "2",
      "externalId": "BBIBAkl0NwmHglFBAXQ3AAAAAAA",
      "externalAcsId": "aefd0ad3-697d-46b2-97fe-f5594f4edf80"
    }
  }
],
...
```
Test Cards
The Sandbox only validates the payload format of 3DS fields, not their content. As a result, any card from our testing cards page will return the corresponding transaction response.
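Because the Sandbox checks only the format of the 3DS fields, content checks on passthrough data have to run on the merchant side. The sketch below is an added example, not PPRO code: it builds the EXTERNAL_3DS entry for the fully authenticated case only and refuses values whose ECI does not match the card scheme. The function name, the input dict and the "MASTERCARD" brand string are assumptions; the settings keys come from the example above.

```python
import re

# ECI values that indicate a fully authenticated 3DS result, per card scheme.
# "VISA" appears on this page; "MASTERCARD" is an assumed brand string.
FULL_AUTH_ECI = {"VISA": "05", "MASTERCARD": "02"}
REQUIRED = ("authenticationValue", "eci", "version", "externalId", "externalAcsId")
B64_TEXT = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def build_external_3ds(brand: str, result: dict) -> dict:
    """Build the EXTERNAL_3DS settings entry from an external provider's result.

    `result` is a hypothetical dict holding the provider's output under the
    same key names as the settings object in the page's example.
    """
    missing = [k for k in REQUIRED if not result.get(k)]
    if missing:
        raise ValueError(f"missing 3DS fields: {missing}")
    expected_eci = FULL_AUTH_ECI.get(brand)
    if expected_eci is None:
        raise ValueError(f"no ECI rule for brand {brand!r}")
    if result["eci"] != expected_eci:
        raise ValueError(f"ECI {result['eci']!r} is not full authentication for {brand}")
    # Only the shape is checked; the value itself is never put in an error or log.
    if not B64_TEXT.match(result["authenticationValue"]):
        raise ValueError("authenticationValue is not base64 text")
    return {
        "type": "EXTERNAL_3DS",
        "settings": {"authenticationStatus": "SUCCESS",
                     **{k: result[k] for k in REQUIRED}},
    }


# Sample input using the values from the page's passthrough example.
SAMPLE_RESULT = {
    "authenticationValue": "AAIBAkl0NwmHglFBAXQ3AAAAAAA",
    "eci": "05",
    "version": "2",
    "externalId": "BBIBAkl0NwmHglFBAXQ3AAAAAAA",
    "externalAcsId": "aefd0ad3-697d-46b2-97fe-f5594f4edf80",
}
```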