7. Your site POSTs the 3D Secure results to Opayo

On this page:


With your customer returned to your site and when you are ready, send the completed 3D-Authentication data to Opayo. We will decode the results and when necessary, obtain a card authorisation from your acquiring bank.

Format the POST

The code in your ThreeDSNotificationURL  call-back page should format a simple HTTPS and server-side POST to send to the Opayo Direct 3D-Callback page. The POST must contain:

  • VPSTxId 
  • CRes 

No other data is necessary because the Opayo system can use these values to retrieve all the transaction information you supplied in Step 2.

Important: The CRes and cres data field names are case sensitive:

  • The encoded results of your customer’s 3D-authentication (the CRes) will be returned to you from the ACS in a field named cres (lower case ‘cr’).
  • You must forward the cres value to Opayo in a field named CRes (upper case ‘CR’).

3D-Authentication Results

Transactions that are not sent for authorisation are returned with a REJECTED Status and the 3DSecureStatus.

3D-Authentication Success

When the CRes confirms the 3D-Authentication is successful, the Opayo gateway obtains authorisation.

3D-Authentication Fails

When the CRes confirm the 3D-Authentication is not successful, the system checks whether your 3D-Secure rule base directs authentication to be attempted. By default, 3D-Authentication failures are not sent for authorisation and all other message types are. Refer to our Fraud Prevention Guide available on your region’s Opayo by Elavon website.


❮ Back to Step 6.Next: Step 8. ❯