5. You redirect your customer to their Issuing Bank

To complete this step, the Registration page code on your server should check for a 3DAUTH status. If present, build an auto-submitting form to send the creq and the recommended threeDSSessionData field to the ACSURL. We recommend that the threeDSSessionData value contains the value of VPSTxId. You can then keep track of your customer and the Opayo Direct transaction request when your customer returns from the Access Control Server (ACS).

Your server will submit the data to the address specified in the ACSURL, and send the form to your customer’s browser. This redirects your customer to their card Issuer’s 3D-Authentication site (ACS authentication page) with all the data needed to perform authentication.


  • Opayo will issue the CReq value, which must remain unchanged and be sent in the creq field.
  • The creq field is case sensitive. The ACS cannot accept the data if you pass the wrong case.
  • You must submit the creq to the ACSURL within 30 seconds or the ACS will time-out the authentication request.
  • Time-out by the ACS will also occur when your customer fails to enter two-factor authorisation (2FA) within 10 minutes of being re-directed to the ACS’s authentication page.

Example Code

The size of the inline frame (iframe) in the following example is set by the ChallengeWindowSize field in Step 2. The values are extracted from the Opayo response and built by your script.

Use threeDSSessionData to pass your session-specific data to the card issuer’s 3D Secure provider (ACS provider) when submitting the cReq to the acsURL. The ACS provider returns this data to your system when it returns the cardholder and cres to your ThreeDSNotificationURL value. The threeDSSessionData helps you to recognise your customer and allows you to continue the transaction flow when they return from the ACS provider. If you don’t have your own session data and need a way to recognise your customer when they return, then it is advisable to use the VPSTxId value that Opayo returns to you with the CReq and that you send to Opayo with the CRes. threeDSSessionData is optional; however, it can help prevent ACS redirection issues with specific ACS providers. It can only be used during a 3DSv2 authentication flow.

The threeDSSessionData must be BASE64 URL encoded with no padding, and is limited to 1024 bytes in length.

<iframe src="/3DRedirect.jsp" name="3Diframe">
<form action="${acsurl}" method="post">
<input type="hidden" name="creq" value="${creq}" />
<input type="hidden" name="threeDSSessionData" value="${threeDSSessionData}" />
<p>Click Go to proceed to 3D secure.</p>
<button type="submit">Go</button>
</form>
</iframe>
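The encoding rule and form above, as an added Python example (not Opayo's code): it encodes VPSTxId as unpadded Base64 URL data, enforces the 1024-byte limit, HTML-escapes the values placed in the form, and validates the value the ACS posts back before decoding it. The function names, the https-only check on ACSURL, applying the limit to the encoded value, and the sample values are assumptions.

```python
import base64
import html
import re
from urllib.parse import urlsplit

MAX_SESSION_DATA_BYTES = 1024  # page limit; applied to the encoded value (assumption)


def encode_session_data(value: str) -> str:
    """Base64 URL encode the value and strip the '=' padding."""
    encoded = base64.urlsafe_b64encode(value.encode("utf-8")).rstrip(b"=")
    if len(encoded) > MAX_SESSION_DATA_BYTES:
        raise ValueError("threeDSSessionData exceeds 1024 bytes")
    return encoded.decode("ascii")


def decode_session_data(encoded: str) -> str:
    """Decode the value posted back to ThreeDSNotificationURL."""
    # Reject anything outside the unpadded Base64 URL alphabet before decoding.
    if len(encoded) > MAX_SESSION_DATA_BYTES or not re.fullmatch(r"[A-Za-z0-9_-]+", encoded):
        raise ValueError("malformed threeDSSessionData")
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def build_acs_form(acs_url: str, creq: str, vps_tx_id: str) -> str:
    """Build an auto-submitting form that posts creq and threeDSSessionData."""
    parts = urlsplit(acs_url)
    if parts.scheme != "https" or not parts.netloc:  # https-only is an assumption
        raise ValueError("ACSURL must be an absolute https URL")
    session_data = encode_session_data(vps_tx_id)
    # creq is sent exactly as issued; escaping only protects the HTML attribute.
    fields = {"creq": creq, "threeDSSessionData": session_data}
    inputs = "\n".join(
        f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}" />'
        for name, value in fields.items()
    )
    return (
        f'<form id="acs" action="{html.escape(acs_url, quote=True)}" method="post">\n'
        f"{inputs}\n"
        '<noscript><button type="submit">Go</button></noscript>\n'
        "</form>\n"
        '<script>document.getElementById("acs").submit();</script>'
    )


if __name__ == "__main__":
    # Constructed sample values, not real transaction data.
    print(build_acs_form("https://acs.example/challenge", "eyJjb25zdHJ1Y3RlZCI6dHJ1ZX0", "{DEADBEEF-1337-D1AB-10CC-0123456789AB}"))
```

When the customer returns, pass the posted threeDSSessionData through decode_session_data and look the result up against the transactions you have pending rather than trusting it directly.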

Communicating with the ACS

Once the form is submitted, the customer must visit the Issuing Bank site addressed by the ACSURL. You must wait for them to be returned to your site by the ACS.

You can choose to direct the customer to their Issuing Bank ACSURL by:

  • Redirecting the customer’s browser to the bank’s page.
  • Using the recommended inline frame or lightbox method to display the bank’s URL within a contiguous experience.
    Note: The page your customer is returned to following 3D-authentication is determined by the ThreeDSNotificationURL field that you set in Step 2.


