7. Your site POSTs the 3D Secure results to Opayo

On this page:


With your customer returned to your site and when you are ready, send the completed 3D-Authentication data to Opayo. We will decode the results and when necessary, obtain a card authorisation from your acquiring bank.

Format the POST

The code in your ThreeDSNotificationURL (or TermURL) call-back page should format a simple HTTPS and server-side POST to send to the Opayo Direct 3D-Callback page. The POST must contain:

  • VPSTxId (or MD)
  • CRes (or PARes).

No other data is necessary because the Opayo system can use these values to retrieve all the transaction information you supplied in Step 2.

Important: The CRes, cres, PaRes, and PARes data field names are case sensitive:

  • The encoded results of your customer’s 3D-authentication (the CRes) will be returned to you from the ACS in a field named cres (lower case ‘cr’).
  • You must forward the cres value to Opayo in a field named CRes (upper case ‘CR’).
  • For fallback scenarios, the ACS will return a field called the PaRes (lower case ‘a’) and you must forward this value to Opayo in a field named PARes (upper case ‘A’).

3D-Authentication Results

Transactions that are not sent for authorisation are returned with a REJECTED Status and the 3DSecureStatus.

3D-Authentication Success

When the CRes (or PARes) confirms the 3D-Authentication is successful, the Opayo gateway obtains authorisation.

3D-Authentication Fails

When the CRes (or PARes) confirm the 3D-Authentication is not successful, the system checks whether your 3D-Secure rule base directs authentication to be attempted. By default, 3D-Authentication failures are not sent for authorisation and all other message types are. Refer to our Fraud Prevention Guide available on your region’s Opayo by Elavon website.


❮ Back to Step 6.Next: Step 8. ❯