Skip to main content
This page is part of the Payments Library Guides. Using the REST API instead? See REST API 3D Secure.
Prerequisites: Complete the Library Setup with a 3DS-capable PSP. 3D Secure (3DS) adds an authentication step during card payments. The Payments Library handles 3DS challenges automatically. No additional code required.
For general setup instructions, see Library Setup.

How It Works

  1. Card form opens
  2. Customer enters card details
  3. Library detects 3DS requirement based on CardPay eWallet specification and PSP integration status
  4. Authentication challenge displays (popup or iframe)
  5. Customer completes verification (password, SMS code, biometric, or app confirmation)
  6. Orchestra completes the requested operation
  7. On completion, the transaction results, including the 3DS data, are returned to the client, ready to be sent to your server for validation
The library handles the entire flow automatically.

When to Trigger 3DS?

You may want to use 3D Secure on your transactions in any of the following use cases:
Use CaseDescription
Card issuer requirementBank requires authentication for this card/amount
Regional regulationsPSD2/SCA in Europe, similar rules in other regions
Transaction amountHigh-value transactions often require 3DS
Risk assessmentIssuer flags transaction as requiring verification
Gateway configurationYour PSP settings may require 3DS
We recommend using 3DS to authenticate all transactions, even when not required. 3DS provides merchants with liability shift protection and peace of mind knowing that the payer has been fully and properly authenticated.

Supported Payment Methods

Method3DS Support
CardPayYes (automatically by Orchestra)
ApplePayYes (automatically by ApplePay)
GooglePayPartial, depending on device type (automatically by GooglePay)
PayPalN/A (uses own authentication)
BankPayN/A (uses bank authentication)
UPIN/A

3DS Data in Results

After successful 3DS authentication and completion of the transaction, the result includes authentication data in tokenAndMaskedCardModel.threeDs: 
const [data] = engine.parseResultToken(result.token);

if (data.tokenAndMaskedCardModel?.threeDs) {
  const tds = data.tokenAndMaskedCardModel.threeDs;

  console.log('Version:', tds.version);           // "2.1.0", "2.2.0", etc.
  console.log('ECI:', tds.eci);                   // Electronic Commerce Indicator
  console.log('Auth value:', tds.authenticationValue);  // CAVV/AAV
  console.log('XID:', tds.xid);                   // Transaction ID
  console.log('SLI:', tds.sli);                   // Service Level Indicator (Mastercard)
}

ThreeDS Fields

FieldDescription
version3DS protocol version (e.g., “2.1.0”, “2.2.0”)
eciElectronic Commerce Indicator - liability shift indicator
authenticationValueCardholder Authentication Verification Value (CAVV/AAV)
xidTransaction identifier
sliService Level Indicator (Mastercard only)

ECI Values

The ECI indicates the authentication result and liability:
ECIVisa/AmexMastercardMeaning
0502Fully authenticatedLiability shift to issuer
0601Attempted (issuer not enrolled)Liability shift to issuer
0700Not authenticatedNo liability shift

Handling 3DS Failures

If 3DS authentication fails, the payment will not complete. The callback receives a result with clientSuccess: false: 
function handleResult(result) {
  if (!result) {
    // User cancelled
    return;
  }

  const [data] = engine.parseResultToken(result.token);

  if (!data.clientSuccess) {
    // Payment failed - could be 3DS failure
    console.error('Payment failed:', data.clientErrorMessage);
    return;
  }

  // Payment successful
}

PSP Requirements

3DS requires a payment processor that supports 3DS connections. Not all PSPs support 3DS for all card types. See the list of integrations that support 3DS. When configuring your PSP in Orchestra, ensure:
  1. PSP supports 3DS (check with your provider)
  2. 3DS credentials are configured in your PSP account
  3. threeDsAccountName is set when creating sessions (if using a separate 3DS provider)
// Server-side session creation with 3DS account
const session = {
  operation: 'CHARGE',
  amount: 100.00,
  currencyCode: 'USD',
  mode: 'LIVE',
  paymentGatewayAccountId: 'your-psp',
  threeDsAccountName: 'your-3ds-account'  // Optional: if using separate 3DS provider
};

Frictionless vs. Challenge Flow

3DS 2.x supports two flows:
FlowDescriptionUser Experience
FrictionlessRisk-based authentication passes silentlyNo interruption
ChallengeUser must complete verificationPopup/redirect
The library handles both flows automatically. Frictionless authentication completes without user interaction when the issuer’s risk assessment allows it.

Supported Payment Methods

CardPay, ApplePay, GooglePay, PayPal, BankPay, UPI

Result Handling

Parse and validate payment results

Library Reference

Full API reference

PSP Setup

Configure payment processor