Integration Guides
3DS2 Guide
Implement 3D Secure 2 for Strong Customer Authentication and liability shift.
3D Secure 2 (3DS2) is a cardholder authentication protocol that shifts chargeback liability from you to the card issuer when authentication succeeds.
Why use 3DS2
- Liability shift — when 3DS2 authentication succeeds, the card issuer (not you) bears liability for fraud chargebacks
- Required in some regions — Strong Customer Authentication (SCA) is required by regulation in the EU and UK
- Reduced fraud — additional authentication reduces card-not-present fraud
3DS2 flows
| Flow | Description | User experience |
|---|---|---|
| Frictionless | Issuer approves silently based on risk signals | No additional step |
| Challenge | Issuer requires customer verification | OTP, biometric, or question prompt |
Enable 3DS2 on a payment
Pass three_d_secure.enabled: true on any card payment:
curl -X POST https://sandbox-api.cresoracommerce.com/api/v1/transactions/sale \
-H "Authorization: Bearer csk_test_xxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{
"amount": "50.00",
"currency": "USD",
"payment_method": "card",
"merchant_id": "mrch_xxxxxxxxxx",
"card": { "number": "4111111111111111", "exp_month": 12, "exp_year": 2028, "cvv": "123" },
"three_d_secure": {
"enabled": true,
"return_url": "https://yourapp.com/3ds/complete"
}
}'When a challenge is required, the API returns status: "requires_action" with a next_action.redirect_url to send the customer to:
{
"id": "pay_xxxxxxxxxxxx",
"status": "requires_action",
"next_action": {
"type": "redirect",
"redirect_url": "https://pay.cresoracommerce.com/3ds/pay_xxxxxxxxxxxx"
}
}After authentication, Cresora redirects to your return_url and the payment proceeds automatically.
Sandbox simulation
Trigger specific 3DS2 flows in the sandbox:
"three_d_secure": {
"enabled": true,
"simulate": "challenge_required"
}simulate value | Result |
|---|---|
frictionless_success | Silent approval, no redirect |
challenge_required | Challenge flow triggered |
challenge_failed | Authentication fails, payment declined |
not_enrolled | Issuer doesn't support 3DS2 |
💡Tip
Test both frictionless_success and challenge_required flows before going live. The frictionless path is most common but challenge flows require a working redirect handler.