3D Secure with PayGate’s MPI

PayGate’s Direct API (PayHost) fully supports 3D Secure 2.0, including both challenge and frictionless flows — without any need for developers to implement the technical complexity of 3D Secure.

📘
PayGate acts as theMPI (Merchant Plug-In), handling the full 3D Secure authentication process on your behalf.

You don’t need to manage ACS redirections, protocol versions, device fingerprinting, or challenge handling. You simply submit a CardPaymentRequest, and PayGate orchestrates the 3D Secure flow from start to finish.

What is 3D Secure?

3D Secure is an industry-standard protocol (often branded as Verified by Visa, Mastercard Identity Check, or Amex SafeKey) that adds an authentication step during online payments. It helps reduce fraud by confirming the cardholder’s identity before a transaction is authorised.

3D Secure 2.0 improves the experience by allowing for both frictionless (no visible challenge) and challenge (step-up verification) flows — depending on the risk profile.

How PayGate’s MPI Helps

Many gateways require developers to integrate directly with a 3D Secure MPI (Merchant Plug-In), which adds technical overhead:

Parsing 3DS requests and responses
Implementing the challenge UI flow
Handling browser-based redirects
Complying with protocol nuances across issuers

With PayGate, none of that is needed. We act as the MPI for you.

You just send a CardPaymentRequest to the API, and we:

Check if 3D Secure is required (based on acquirer/issuer rules)
Handle device fingerprinting and authentication requests
Redirect the cardholder if a challenge is needed
Process the result and return it to you via:
- Redirect return URL, and/or
- Notify URL

Developer Flow

flowchart TD
  A[Send CardPayment Request] --> B{3D Secure Required?}
  B -- No --> C[Auth Done - Frictionless Flow]
  C --> D[PayGate returns result]
  B -- Yes --> E[PayGate redirects cardholder to ACS]
  E --> F[Customer completes challenge]
  F --> G[Cardholder redirected back to ReturnUrl]
  G --> H[PayGate sends result to NotifyUrl]
  H --> I[Merchant displays final outcome]

Example Request (with Notify and Return URLs)

<CardPaymentRequest>
  <Account>
    <PayGateId>10011072130</PayGateId>
    <Password>test</Password>
  </Account>
  <Customer>
    <Email>test@example.com</Email>
  </Customer>
  <CardNumber>4242424242424242</CardNumber>
  <CardExpiryDate>122025</CardExpiryDate>
  <CVV>123</CVV>
  <Order>
    <MerchantOrderId>INV-001</MerchantOrderId>
    <Currency>ZAR</Currency>
    <Amount>100</Amount>
  </Order>
  <Redirect>
    <NotifyUrl>https://merchant.site/notify</NotifyUrl>
    <ReturnUrl>https://merchant.site/return</ReturnUrl>
  </Redirect>
</CardPaymentRequest>

Typical Responses

Frictionless Flow (No Challenge)

<TransactionStatusDescription>Approved</TransactionStatusDescription>
<ResultDescription>Auth Done</ResultDescription>
<PaymentType>
  <Method>CC</Method>
  <Detail>Visa</Detail>
</PaymentType>

Challenge Flow (With Redirect)

<Redirect>
  <Url>https://acs.issuerdomain.com/authenticate?...</Url>
  <Method>POST</Method>
  <Params>
    <!-- PayerAuthRequest data -->
  </Params>
</Redirect>

NotifyUrl Behaviour

When you include a NotifyUrl, PayGate sends the final result once the 3D Secure flow (if any) completes:

Your server should respond with OK
We retry up to 2 times (30 min intervals) if no response
If the cardholder abandons the flow, we notify after a timeout

Summary

With PayGate, you get fully managed 3D Secure with no need to build or maintain MPI logic. You can focus on building your checkout — and we’ll handle the acquirer rules, issuer quirks, redirects, and security flows.

If you’re ready to try it out, grab a test card and fire up our API collection on Postman.