4. Opayo submits 3D Secure Authentication

On this page:


From your Transaction Registration POST:

  1. The Opayo gateway extracts and sends the card details to our Opayo 3D Secure Merchant Plug-In (MPI).
  2. The MPI formats an authentication request called the AReq
  3. The AReq is sent to the 3D Secure directory servers (DS) to determine if the card and card issuer are part of the 3D Secure scheme.

At this stage, Opayo knows:

  • When the card issuer is enrolled in the 3D Secure scheme.
  • When the cardholder is enrolled in the 3D Secure scheme.
  • When both the card issuer and cardholder are enrolled, Opayo knows the result of 3D Secure authentication.


    Your 3D Secure Rule Base

    By default, your account does not have a rule base. Transactions that cannot be 3D-authenticated are forwarded to your acquiring bank for authorisation.

    Note: For information on 3D Secure rule bases please refer to the Opayo Fraud Prevention Advice Guide, which can be downloaded from your region’s Opayo by Elavon website.

    When your rule base rejects a transaction

    When your rule base rejects a transaction the gateway responds with the:

    • REJECTED status.
    • StatusDetail indicating why.
    • Results of the 3D Secure lookup contained in the 3DSecureStatus field. 

    REJECTED transactions are not authorised and the customer’s card is not charged. Your code should redirect your customer to an Order Failure page explaining why the transaction cannot proceed.

    When your rule base disallows non-3D-authenticated transactions

    When your rule base does allow authorisation to occur for non-3D-authenticated transactions, the Opayo gateway continues as though 3D Secure is not active on your account. In this case, go to Step 8.

    When Authentication is Successful

    When the card and the card issuer are both enrolled in the 3D Secure scheme and the authentication response is authenticated, then authentication is successful and the Opayo gateway continues to authorisation.

    If Authentication is Not Successful

    If the authentication response is not authenticated, our server checks your 3D Secure rule base to determine if authorisation should occur.  

    • When authorisation should occur, the Opayo gateway continues to authorisation.
    • If authorisation should not occur, then the gateway replies with:
      • A Status of REJECTED and a StatusDetail explaining why.
      • The 3DSecureStatus withains the results of the 3D Secure authentication response.

    Authentication Challenges

    When the authentication response is a challenge the Opayo gateway continues with 3D-Authentication and responds to your POST with a Status of 3DAUTH.

    A challenge is where the card issuer wants to perform two-factor authentication with the cardholder. We expect this to happen in around 10% of cases.


    ❮ Back to Step 3Next: Step 5. ❯