3D Secure

Our API provides advanced fraud protection by supporting 3D Secure 2.0 (3DS2) natively. 3DS2 adds a layer of authentication to the online Card-Not-Present checkout process to verify the cardholder’s identity prior to authorisation. 3DS2 evaluates the relative risk of each transaction based on the exchange of robust data between the merchant, issuer and card scheme. Based on the risk score, transactions can be challenged or declined by the cardholder’s bank as part of the checkout process.

Low-risk transactions are seamlessly verified and approved by the cardholder’s bank without any additional verification steps.

Step 1: POST to the /transactions endpoint with the category.authenticationType parameter set to 3d_secure, and provide a redirectUrl that the customer will be redirected to after the 3DS2 verification.

Important: You’ll need to pass a reference or identifier in the redirectUrl (e.g. as a URL parameter or via session cookies) so you can later retrieve the associated transaction ID after the customer returns.

Note: 3DS2 also requires that the payer object be passed, as this metadata is used to help verify the cardholder.

Step 2: Redirect the customer to the authenticateUrl returned in the API response. This will be where the verification takes place. Once the customer is verified, a redirect to your specified redirectUrl will be triggered.

Step 3: After the customer is redirected back, use the reference or identifier to look up the transaction ID. Process the transaction by doing a PUT request to /transactions/{id}. This will submit the transaction, along with the 3DS verification results, to the banking network to process.
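
One way to handle the reference from the Important note and its lookup in Step 3, as an added example that is not part of the Global Payments API or its documentation. It assumes a `ref` query parameter, the constructed `https://shop.example/3ds/return` URL, a 15-minute lifetime, an in-memory store, and that the transaction ID is taken from the Step 1 response; all names are hypothetical.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

RETURN_URL = "https://shop.example/3ds/return"  # constructed merchant URL
TTL_SECONDS = 15 * 60                           # assumed lifetime of a pending 3DS flow


class PendingReturns:
    """Server-side map: opaque reference -> session, transaction ID, expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    def start(self, session_id):
        """Before Step 1: mint a reference and the redirectUrl that carries it."""
        ref = secrets.token_urlsafe(32)  # unguessable; reveals nothing about the order
        self._pending[ref] = {"session": session_id, "txn": None,
                              "expires": self._clock() + TTL_SECONDS}
        return ref, RETURN_URL + "?" + urlencode({"ref": ref})

    def bind(self, ref, transaction_id):
        """After the Step 1 response: attach the transaction ID to the reference."""
        self._pending[ref]["txn"] = transaction_id

    def redeem(self, returned_url, session_id):
        """Step 3: return the transaction ID to PUT, or None if the return is rejected."""
        refs = parse_qs(urlparse(returned_url).query).get("ref", [])
        if len(refs) != 1:                       # missing or duplicated parameter
            return None
        entry = self._pending.get(refs[0])
        if entry is None or entry["txn"] is None:
            return None                          # unknown, already used, or never bound
        if not secrets.compare_digest(entry["session"], session_id):
            return None                          # reference belongs to another session
        del self._pending[refs[0]]               # single use: a replayed return fails
        if self._clock() > entry["expires"]:
            return None                          # abandoned flow
        return entry["txn"]
```

The return to redirectUrl is treated only as the trigger for Step 3; the order is confirmed from the transaction results that come back from the PUT or the webhook.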

A sequence diagram is shown below to help visualise this process.

sequenceDiagram
    participant CB as Customer's Browser
    participant MS as Merchant Server
    participant GP as Global Payments
    participant 3D as 3D Secure Service
    participant BN as Banking Network

    
    CB ->> MS: Customer enters card <br>details at checkout
    activate CB
    activate MS
    MS ->> GP: Call /transactions endpoint with <br>category.authenticationType <br>as 3d_secure

    activate GP
    GP ->> 3D: Check the card is enrolled <br>in 3D Secure

    activate 3D
    3D ->> GP: Respond back confirming <br>the card is enrolled

    GP ->> MS: API responds back with the authenticateUrl <br>for the customer to complete the <br>3DS authentication

    MS ->> CB: Redirect the customer to <br>the authenticateUrl

    CB -->> 3D: Metadata is collected from the device and the customer is prompted to enter a One Time Code if <br>the issuing bank requires a challenge to verify the cardholder
    deactivate 3D
    
    CB ->> CB: After verification is completed, the browser <br>redirects the customer to the merchant's <br>designated webpage

    CB -->> MS: The redirect notifies the <br>merchant that the <br>verification is complete

    MS ->> GP: Call the PUT operation of the /transactions <br>endpoint using the transactionId to <br>complete the payment processing

    GP ->> BN: Transaction is submitted for processing along with <br>the 3D Secure verification results
    activate BN

    BN ->> GP: The banking network responds <br>back with the transaction results
    deactivate BN

    GP ->> MS: Return transaction results either via the API <br>response or via a webhook
    deactivate GP
    
    MS ->> CB: Redirect customer to order <br>confirmation screen
    deactivate MS
    deactivate CB