What is 3D Secure?
The Payment Services Directive (PSD2) introduced a new regulatory requirement: Strong Customer Authentication (SCA). The aim of SCA is to add an extra layer of security to card-not-present transactions when making mobile and online payments.
To be compliant with SCA, 3D Secure 2 transactions have additional authentication and transaction information within the payment flow.
This new version of 3D Secure offers a better user experience and helps to minimise some of the friction that authentication adds to the checkout flow.
Under no circumstances should merchants store or log any credit card details unless they are fully PCI-DSS compliant. It is your responsibility to ensure you do not produce code which circumvents our toolkits. We do not accept any liability for this.
Each request to Judopay’s Transaction API requires authentication.
Depending on how you integrate with Judopay, the following methods are recommended to authenticate requests:
- Using our SDKs:
  - /paymentsession
- Calling directly to our Transaction API:
  - /paymentsession, or
  - TokenSecretAuth
    - The token and secret pair
For more information on authenticating requests, see Authentication Methods.
The following example takes you through the payment flow using /paymentsession to authenticate the transaction.

1. Create a /paymentsession. Use the reference returned in the response to populate the request header in Step 2.
2. Send the authorisation request with the /payments request header, populated with the reference received in the /paymentsession response. This step:
   - Checks if the card is enrolled to support 3D Secure 2.
   - Gathers the Device and Card Details.
   The response will determine whether:
   - The consumer is challenged for additional information.
   - The consumer is not challenged, the transaction continues and the consumer is redirected to the outcome screen.
3. If the consumer is challenged in order to process the transaction, the 3D Secure 2 challenge screen is presented to the consumer to enter a code or password.
   - You will be notified via your webhook URL when the consumer has successfully completed the challenge screen.
   - Resume the transaction flow by calling the /resume3ds endpoint.
4. Authorisation complete. The consumer is redirected to the outcome screen.
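The ordering of the steps above can be enforced on the merchant side so that /resume3ds is only called for a payment that is actually waiting on a completed challenge. The following is an added example, not Judopay code: the ThreeDSFlowTracker class, its method names and the idea of keying state by the /paymentsession reference are assumptions made for illustration, and it models the flow locally without calling the API.

```python
from enum import Enum


class State(Enum):
    SESSION_CREATED = "session created"      # /paymentsession returned a reference
    CHALLENGE_PENDING = "challenge pending"  # /payments response: consumer is challenged
    CHALLENGE_DONE = "challenge done"        # webhook reported the challenge completed
    COMPLETE = "complete"                    # authorisation complete


class FlowError(Exception):
    """An event arrived for an unknown reference or out of order."""


class ThreeDSFlowTracker:
    """Hypothetical helper: one state per /paymentsession reference."""

    def __init__(self):
        self._flows = {}

    def _move(self, reference, expected, new):
        actual = self._flows.get(reference)
        if actual is not expected:
            raise FlowError(f"{reference!r}: expected {expected}, found {actual}")
        self._flows[reference] = new
        return new

    def session_created(self, reference):
        # Step 1: remember the reference; refuse to reuse one.
        return self._move(reference, None, State.SESSION_CREATED)

    def payment_response(self, reference, challenged):
        # Step 2: frictionless goes straight to COMPLETE, otherwise wait.
        new = State.CHALLENGE_PENDING if challenged else State.COMPLETE
        return self._move(reference, State.SESSION_CREATED, new)

    def webhook_challenge_completed(self, reference):
        # Step 3: only accepted while a challenge is pending for this reference,
        # so unknown or replayed notifications raise instead of triggering a resume.
        return self._move(reference, State.CHALLENGE_PENDING, State.CHALLENGE_DONE)

    def resumed(self, reference):
        # Step 3 (continued): /resume3ds is called once, after the webhook; step 4 follows.
        return self._move(reference, State.CHALLENGE_DONE, State.COMPLETE)

    def may_resume(self, reference):
        return self._flows.get(reference) is State.CHALLENGE_DONE
```

A webhook handler would call webhook_challenge_completed() and treat a FlowError as a notification to log and ignore rather than act on.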
You can use your own 3D Secure authentication provider to perform authentication outside of Judopay.
Pass the authentication data from your external provider to us, using the /preauths or /payments endpoint. Enter the authentication data into the threeDSecureMpi block and we will send the result to the gateway as part of the transaction payload.
For more information, see our API Reference Documentation.
The complete end-to-end 3D Secure payment flow:

Within the 3D Secure 2 payment flow, once the 3D Secure payment is initiated, the Issuer decides whether it has enough authentication data to proceed with the transaction. The response will determine whether:
- The consumer is not challenged, the authentication is successful and the transaction continues (frictionless flow).
- The consumer is challenged for additional information (challenge flow).
For more information on the frictionless and challenge flows, see To challenge or not to challenge?