5. You redirect your customer to their Issuing Bank

On this page:


To complete this step, the Registration page code on your server should check for a 3DAUTH status. If present, build an auto-submitting form to send the creq (or PAReq) and the recommended threeDSSessionData field (or MD) to the ACSURL

  • We recommend that the threeDSSessionData value contains the value of VPSTxId. You can then keep track of your customer and the Opayo Direct transaction request when your customer returns from the Access Control Server (ACS).
  • For a fallback scenario, you will need to provide a TermUrl as well as the PAReq and MD.

Your server will submit the data to the address specified in the ACSURL, and send the form to your customer’s browser. This redirects your customer to their card Issuer’s 3D-Authentication site (ACS authentication page) with all the data needed to perform authentication.


  • Opayo will issue the CReq (or PAReq) value, which must remain unchanged and be sent in the creq or PaReq fields.
  • The creq and PaReq fields are case sensitive. The ACS cannot accept the data if you pass the wrong case.
  • You must submit the creq to the ACSURL within 30 seconds or the ACS will time-out the authentication request.
  • Time-out by the ACS will also occur when your customer fails to enter two-factor authorisation (2FA) within 10 minutes of being re-directed to the ACS’s authentication page.

Example Code

The following example inline frame (iframe) size is set in the ChallengeWindowSize field in Step 2.  The values are extracted from the Opayo response and built by your script.

You can use threeDSSessionData to pass your session specific data to the card issuers 3D Secure provider (ACS provider) when submitting the cReq  to the acsURL. This data will be returned to your system by the ACS provider when they return the cardholder and cres to your ThreeDSNotificationURL value. The threeDSSessionData helps you to recognise your customer and allows you to continue the transaction flow when they return from the ACS provider. If you don’t have your own session data and need a way to recognise your customer when they return, then it is advisable to use the VPSTxId value that Opayo returns to you with the CReq and that you send to Opayo with the CRes. threeDSSessionData is optional and can only be used during  a 3DSv2 authentication flow.

The threeDSSessionData must be BASE64 URL encoded with no padding, and is limited 1024 bytes in length.

<iframe src="/3DRedirect.asp" name="3Diframe">  <form action="/%24%7B%3Cstrong%3EacsUrl%3C/strong%3E%3C/span%3E%3Cspan%20class%3D"code">}" method="post">  <input type="hidden" name="creq" value="${creq}" />  <input type="hidden" name="threeDSSessionData" value="${threeDSSessionData}" />  <p>Click Go to proceed to 3D secure.</p>  <button type="submit">Go</button>  </form></iframe>

Communicating with the ACS

Once the form is submitted, the customer must visit the Issuing Bank site addressed by the ACSURL. You must wait for them to be returned to your site by the ACS.

You can choose to direct the customer to their Issuing Bank ACSURL by:

  • Redirecting the customer’s browser to the bank’s page.
  • Using the recommended inline frame or lightbox method to display the bank’s URL within a contiguous experience.

To connect to the ACS, use a server authenticated TLS session as follows:

  • Protocol: TLS Internet
  • ACS public key: Commercial (Certificate format: commercial)
  • CA signing ACS key: Commercial CA
Note: What page your customer is returned to following 3D-authentication is addressed by the ThreeDSNotificationURL field that you set in Step 2, or the TermURL in this step.

ACS Connection Issues

Issues with the initial connection and TLS handshake to the ACS may require a re-try.

If the connection fails a re-try, then the transaction has resulted in error. We recommend you re-submit your Transaction Request to Opayo with a new VendorTxCode. This applies to all error messages received during the communication between your payment servers and the ACS.


❮ Back to Step 4.Next: Step 6. ❯