Authentication Flows

The authentication flow for a payment differs depending on whether the card selected by the payer supports 3DS1 or 3DS2 or both.

Redirect to the ACS Challenge UI

In both the 3DS1 and 3DS2 examples below, a payer may be redirected to an ACS UI at step six of the process. The redirect will happen for all users in the 3DS1 case. Users assigned to what is called the challenge flow will be redirected in the 3DS2 case.

The challenge versus frictionless flow model is a key feature of 3DS2. A payer is directed to the challenge flow if and only if they have been flagged as questionable. The decision is based on data points that include location, device use, and IP address.

3DS1 requires all payers to complete a challenge in the ACS UI. It is the backup authentication method.

You need to understand how to alter the code on your website to incorporate the ACS UI challenge. See Implementing 3-D Secure.

3DS2

The diagram below illustrates the authentication flow for a payment where the payer is authenticated using 3DS2.

[Diagram: 3DS2 authentication flow]

The authentication flow for a successful authentication is as follows:

  1. A payer browses your shop site, selects one or more products, proceeds to the payment page, and chooses to pay with a card that supports 3DS1 and 3DS2.
  2. Initiate Authentication: You ask the gateway to check with the card scheme if the card is enrolled for 3DS.
  3. If 3DS authentication of the payer is available, the gateway returns the authentication details in the response.
  4. The gateway returns details of the supported ACS call. You must submit the ACS call details as a form post in a hidden iframe, so that the ACS can collect additional data.
  5. Authenticate Payer: You ask the gateway to perform the initiated authentication.
  6. The gateway provides you with details of the authentication either for a frictionless flow or a challenge flow (where the payer is required to respond to a challenge presented by the issuer).
    • Frictionless Flow: The gateway redirects the payer directly to your website.
    • (Optional) Challenge Flow: If the issuer requires the payer to respond to a challenge, you redirect the payer’s web browser to the ACS, which presents its authentication UI. The issuer returns the authentication result to the gateway. The gateway redirects the payer directly to your website.
  7. Use the 3DS Authentication Transaction ID in a Payment Operation: You submit the payment for processing.
  8. You display the order confirmation page to the payer.

Fallback Method - 3DS1

The diagram below illustrates the authentication flow for a payment where the gateway falls back to 3DS1 authentication because 3DS2 is not available for the card. The gateway will attempt 3DS1 in other cases too, for example, where you are only enabled for 3DS1, or have restricted the authentication version to only 3DS1 in the authentication request.

[Diagram: 3DS1 authentication flow]

The authentication flow for a successful authentication is as follows:

  1. A payer browses your shop site, selects one or more products, proceeds to the payment page, and chooses to pay with a card that supports 3DS1 but not 3DS2.

  2. Initiate Authentication: You ask the gateway to check with the card scheme if the card is enrolled for 3DS.

    If 3DS1 authentication of the payer is available, the gateway returns the card enrollment details in the response.

  3. If the card supports both 3DS1 and 3DS2, then the gateway attempts 3DS2 first. See 3DS2 flow.

  4. Authenticate Payer: You ask the gateway to perform the initiated authentication.

  5. The gateway provides you with details of the authentication for a challenge flow (where the payer is required to respond to a challenge presented by the issuer).

  6. You redirect the payer’s web browser to the ACS, which presents its authentication UI. The issuer returns the authentication result to the gateway. The gateway redirects the payer directly to your website.

  7. Use the 3DS Authentication Transaction ID in a Payment Operation: You submit the payment for processing.

  8. You display the order confirmation page to the payer.
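
The step ordering of both flows above can be enforced on the merchant side with a small state machine, so that a payment is only submitted after authentication has completed and with the same 3DS Authentication Transaction ID. This is an added example, not code from the gateway or this documentation; the state names, event names and the `ThreeDSFlow` class are hypothetical.

```javascript
// Added example: every name here is hypothetical; none is a gateway API.
// Each state maps an allowed event to a function returning the next state.
const STEPS = {
  NEW: {
    initiated(flow, { version }) {
      if (version !== '3DS1' && version !== '3DS2') throw new Error('3DS not available');
      flow.version = version;
      // 3DS2 only: the hidden-iframe ACS form post precedes Authenticate Payer.
      return version === '3DS2' ? 'ACS_DATA_COLLECTION' : 'READY_TO_AUTHENTICATE';
    },
  },
  ACS_DATA_COLLECTION: { acsFormPosted: () => 'READY_TO_AUTHENTICATE' },
  READY_TO_AUTHENTICATE: {
    authenticated(flow, { flowType }) {
      // 3DS1 always challenges; 3DS2 is either frictionless or challenge.
      if (flowType === 'CHALLENGE') return 'CHALLENGE_PENDING';
      if (flowType === 'FRICTIONLESS' && flow.version === '3DS2') return 'PAYER_RETURNED';
      throw new Error(`flow ${flowType} not valid for ${flow.version}`);
    },
  },
  CHALLENGE_PENDING: { payerReturned: () => 'PAYER_RETURNED' },
  PAYER_RETURNED: {
    pay(flow, { authTransactionId }) {
      // The payment must carry the ID of the authentication that just completed.
      if (authTransactionId !== flow.authTransactionId) throw new Error('transaction ID mismatch');
      return 'PAID';
    },
  },
  PAID: {},
};

class ThreeDSFlow {
  constructor(authTransactionId) {
    this.authTransactionId = authTransactionId;
    this.state = 'NEW';
    this.version = null;
  }
  apply(event, detail = {}) {
    const allowed = STEPS[this.state];
    if (!Object.prototype.hasOwnProperty.call(allowed, event)) throw new Error(`"${event}" not allowed in state ${this.state}`);
    this.state = allowed[event](this, detail);
    return this.state;
  }
}

// Replays a list of [event, detail] pairs and returns the final state.
function replay(authTransactionId, events) {
  const flow = new ThreeDSFlow(authTransactionId);
  for (const [event, detail] of events) flow.apply(event, detail);
  return flow.state;
}
```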