Authentication

Integration Steps

Integration Steps

This guide will take you through the steps to perform 3D Secure 2 authentication and authorisation, when integrating directly with Judopay's REST API.

Prerequisite



For the back-end server integration, make use of our:

  • Server SDKs:
    • .NET Integration (version 3.0.0 or higher)
    • PHP Integration (version 5.5 or higher) Or,
  • Call our API directly using JSON (version 6.0.0.0 or higher)


Step One: Create a Payment Request

Payments, PreAuths and CheckCard are all supported.

Once you have the card details and device information from your client-side, your back-end server will need to make a payment request to Judopay's Transaction API.

The Cv2 is not stored by Judopay's Transaction API. You will need to store the CV2 and the version for the duration of the transaction, then delete them as soon as the transaction has completed.

Storing the version will not be required in future updates.

For the full /payments endpoint schema details and descriptions, see our Transaction API Reference here.

Sample Request:

.NET
PHP
JSON


If no additional transaction checks are required, you will receive the usual paymentReceipt response.

If additional transaction checks are required, you will receive the challenge response.

Notification URLs

You will need to set up two endpoints for your client to receive event notifications from the Issuer's ACS:

  • 3DS Method Completion: Informs your client application that the ACS has completed device detail gathering.
    • methodNotifcationURL
  • ACS Challenge Completion: Informs your client application that the challenge has been completed by the customer.
    • challengeNotificationURL

Each endpoint should be configured to accept:

  • HTTP POST
  • Base64 encoded values


Step Two: (Conditional) - Device Detail Gathering

Some Issuer ACS’ support device data gathering. Skip this step if no method URL is provided in the response from the API.

Check the response from Step One: Create a Payment Request.

The following fields in the response will indicate if the device details have been requested by the issuer:

  • The result field: "Additional device data is needed for 3D Secure 2"
  • The message field: "Issuer ACS has requested additional device data gathering"
  • A methodURL will be returned in the response from the initial payment request.

In this instance, the following steps will need to be performed.

  1. Render a hidden iFrame on the client-side targeting the methodURL
Rendering a Hidden iFrame


2. POST the 3DS Method Data (md) object to it. The md is an encoded base 64 value containing the:

3. Listen for the redirect of the methodNotificationUrl

We recommend you time-out after 10 seconds if you have not received a response from any NotificationURLs or rendered the methodURL from Step Two: (Conditional) - Device Detail Gathering .



Step Three: (Conditional) - Resume Transaction

Once the device details have been gathered, the 3D Secure authentication flow needs to be resumed.

  1. Render a hidden iFrame on the client-side targeting the methodNotificationURL
  2. Listen for the redirect of the methodNotificationUrl where the method completion message is received.
  3. Resume the 3D Secure flow by submitting the results of the device detail gathering.

For the full /resume3ds endpoint schema details and descriptions, see our Transaction API Reference here.

Sample Request:

.NET
PHP
JSON


methodCompletion value:

  • methodCompletion = Yes
    • If your client received a POST to the methodNotifcationURL
  • methodCompletion = No
    • If your client did NOT receive a POST to the methodNotifcationURL
  • methodCompletion = Unavailable
    • If your client was unable to render the methodURL



primaryAccountDetails Block:

The primaryAccountDetails block is optional, however it is mandatory for merchants who have an MCC code of 6012 to submit additional Information about the primary account holder for payment pre-authorisation.

Example primaryAccountDetails Block



Step Four: (Conditional) - Render Challenge Page

After you have resumed the transaction, check the response from Step Three: (Conditional) - Resume Transaction.

Sample Response


The following fields in the response will indicate if your customer's bank may want to challenge:

  • The result field: "Challenge completion is needed for 3D Secure 2"
  • The message field: "Issuer ACS has responded with a Challenge URL"
  • A challengeURL: to render the challenge page iFrame for your customer

Render the challengeURL for your customer to complete the challenge.

Rendering challengeUrl Page Example

  • Creq: Should be set to the cReq received in the response
  • threeDSSessionData: Can be set to contain any details you would like returned in the post.

Listen for the redirect of the challengeNotificationUrl



Step Five: Complete 3DS

Upon receiving a POST back to the challengeNotificationUrl send a request to Judopay's Transaction API to complete the transaction.

If no additional transaction checks are required, you will receive the usual paymentReceipt response. If additional transaction checks are required, you will receive the completion response.

For the full /complete3dsendpoint schema details and descriptions, see our Transaction API Reference here.

Sample Request:

.NET
PHP
JSON


Judopay's Transaction API will respond with the both the:

  • Authentication
  • Authorisation status

of the transaction.

Updated 31 Jan 2025
Did this page help you?
PREVIOUS
3D Secure 2 Payment Flow
NEXT
Exemptions to SCA
Docs powered by Archbee