3DS (3D Secure)
UQPAY supports dynamic 3D Secure (3DS) behavior to help merchants balance fraud prevention and user experience. Merchants can configure whether to allow 3DS challenge flows or enforce a frictionless experience through a dedicated risk control setting.
Supported configuration options may differ depending on the card BIN.
For more information, please refer to Supported BINs for Risk Control Configurations.
Overview
By default, UQPAY handles 3DS decisions based on real-time risk evaluations.
However, merchants have the option to override this behavior by explicitly enabling or bypassing the challenge step during 3DS authentication.
This level of control is particularly useful for optimizing user experience in low-risk scenarios.
3DS Flowchart
```mermaid
graph TD
    A[Start: 3DS Authentication Request] --> B{Is card BIN supported 3DS?}
    B -->|No| C[Proceed with Standard Transaction Processing]
    B -->|Yes| D{Is allow_3ds_transactions set?}
    D -->|Not Set, Card Creation: Default 'Y'| E[UQPAY Risk Engine Evaluation]
    D -->|"'allow_3ds_transactions' flag is set to 'Y'"| E
    D -->|"'allow_3ds_transactions' flag is set to 'N'<br> (bypass risk evaluation)"| F[Frictionless Flow]
    E --> G{Risk Level Assessment}
    G -->|Low Risk| F
    G -->|High Risk| H[Trigger 3DS Challenge Flow]
    F --> I[Transaction Proceed]
    H --> J[Transaction Requires Verification]
    J --> init[User identity verification step to ensure the legitimacy of the cardholder]
    init --> |OTP Delivery| veri{If user passed the 3DS challenge?}
    veri --> |User passed 3DS Challenge| I
```
Enabling or Disabling 3DS Challenge
Merchants can control whether a card participates in 3DS challenge flows using the allow_3ds_transactions flag under the risk_controls object. This flag accepts two values: Y or N.
When set to Y, UQPAY will evaluate each 3DS authentication request using its risk engine. A challenge flow may be triggered based on the assessed risk level.
When set to N, the transaction will bypass risk evaluation and proceed directly through a frictionless flow, even if a 3DS request is triggered.
If the allow_3ds_transactions field is omitted during card creation, it defaults to Y, enabling challenge flows as determined by the risk engine. However, when updating a card, this field has no default value. If it is not provided, the existing setting remains unchanged.
The allow_3ds_transactions flag can be set during both card creation and card update processes.
Note: This setting is only applicable to cards with the BIN 49372410.
Example during card creation
```json
{
  "card_limit": 2100.02,
  "card_currency": "USD",
  "cardholder_id": "7c4ff2cd-1bf6-4aaa-bf16-266771425011",
  "card_product_id": "7c4ff2cd-1bf6-4aaa-bf16-266771425011",
  "spending_controls": [
    {
      "amount": 100.03,
      "interval": "PER_TRANSACTION"
    }
  ],
  "risk_controls": {
    "allow_3ds_transactions": "N"
  }
}
```
Example during card update
```json
{
  "risk_controls": {
    "allow_3ds_transactions": "N"
  }
}
```
Upon successful activation of a physical card, the allow_3ds_transactions flag is automatically enabled (Y).
Note: This setting affects only 3DS behavior. It does not disable other fraud checks.
Example Use Cases
Scenario | Configuration | Behavior |
---|---|---|
Standard transaction with risk-based decisioning | allow_3ds_transactions = Y | May result in either 3DS challenge or frictionless flow, based on risk evaluation |
Trusted customer with low transaction risk | allow_3ds_transactions = N | Always proceeds via frictionless flow, challenge is skipped |
3DS Challenge Behavior
When a 3DS challenge is triggered during a transaction, UQPAY initiates a user identity verification step to ensure the legitimacy of the cardholder. The following behavior applies:
OTP Delivery
A one-time password (OTP) will be sent to the cardholder's registered email address. The user must enter the correct OTP on the authentication page to complete the 3DS verification. This mechanism helps reduce fraud while maintaining a smooth user experience.
Note: Ensure that the cardholder's email is accurately provided during card issuance or update. OTPs are typically valid for a few minutes.
Webhook Notification
UQPAY provides a webhook event to notify the merchant when an OTP is generated.
Notification example
```json
{
  "version": "V1.6.0",
  "event_name": "ISSUING",
  "event_type": "card.3ds.otp",
  "event_id": "26de83a5-cea5-4f84-ab11-48813025e40a",
  "source_id": "12ea604d-5899-43d6-8c2d-618c9ce8eae3",
  "data": {
    "reference_code": "4868798",
    "otp": "12344444",
    "customer_id": "67f006f4-d593-49f4-be0e-f1f894e8933b",
    "card_id": "1d749d10-511e-469f-9a83-0560a602ac37",
    "card_number": "1234********3381",
    "transaction_currency": "USD",
    "transaction_amount": "100",
    "merchant_name": "Example Merchant"
  }
}
```
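Because this notification carries the OTP in clear text, a merchant-side receiver should treat the payload as a credential. The following is an added example, not UQPAY code: it validates a card.3ds.otp event, ignores repeated deliveries of the same event_id, and masks the OTP before anything is logged. The names handle_otp_event, redact_for_log and WebhookError are hypothetical, and the request is assumed to have already been authenticated by whatever mechanism your integration uses.

```python
import json
from typing import Optional

# Constructed sample: the notification example shown above, as a raw request body.
SAMPLE_BODY = json.dumps({
    "version": "V1.6.0", "event_name": "ISSUING", "event_type": "card.3ds.otp",
    "event_id": "26de83a5-cea5-4f84-ab11-48813025e40a",
    "source_id": "12ea604d-5899-43d6-8c2d-618c9ce8eae3",
    "data": {"reference_code": "4868798", "otp": "12344444",
             "customer_id": "67f006f4-d593-49f4-be0e-f1f894e8933b",
             "card_id": "1d749d10-511e-469f-9a83-0560a602ac37",
             "card_number": "1234********3381", "transaction_currency": "USD",
             "transaction_amount": "100", "merchant_name": "Example Merchant"},
}).encode()

REQUIRED = ("reference_code", "otp", "card_id", "card_number")  # fields this handler relies on

class WebhookError(ValueError):
    """Raised when the body is not a usable card.3ds.otp notification."""

def redact_for_log(event: dict) -> dict:
    """Return a copy of the event that is safe to log: the OTP value is masked."""
    data = dict(event.get("data") or {})
    if "otp" in data:
        data["otp"] = "[REDACTED]"
    return {**event, "data": data}

def handle_otp_event(raw_body: bytes, seen_event_ids: set) -> Optional[dict]:
    """Validate a notification; return its details, or None for a repeated event_id."""
    try:
        event = json.loads(raw_body)
    except ValueError as exc:  # covers malformed JSON and undecodable bytes
        raise WebhookError("body is not valid JSON") from exc
    if not isinstance(event, dict) or event.get("event_type") != "card.3ds.otp":
        raise WebhookError("unexpected event_type")
    event_id, data = event.get("event_id"), event.get("data")
    if not isinstance(event_id, str) or not isinstance(data, dict):
        raise WebhookError("missing event_id or data")
    missing = [f for f in REQUIRED if not isinstance(data.get(f), str) or not data[f]]
    if missing:
        raise WebhookError("missing fields: " + ", ".join(missing))
    if event_id in seen_event_ids:  # duplicate delivery: do not act on the OTP twice
        return None
    seen_event_ids.add(event_id)
    print("received", json.dumps(redact_for_log(event)))  # log line never holds the OTP
    return {f: data[f] for f in REQUIRED}

if __name__ == "__main__":
    seen = set()
    print(sorted(handle_otp_event(SAMPLE_BODY, seen)))  # first delivery is processed
    print(handle_otp_event(SAMPLE_BODY, seen))          # same event_id again
```

In a real service the set of seen event IDs would live in shared storage with an expiry, since OTPs are short-lived.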