3D Secure

3D secure (Verified by Visa, MasterCard SecureCode) is an additional security step for credit card payments that helps prevent fraud.

3D secure flow is the same between charge and subscription, we are using charge as an example in this tutorial.


Enable 3D secure

By passing secure=1 as an additional parameter in your charge request, a different charge response will be returned. It includes a redirect url which allows you to redirect your customer to the 3D secure form which is provided by the card issuing banks of your customers .

In order to implement 3D secure feature, you will need to do following adjustments:


Collect secure token

Once a payment is enrolled into 3D secure payment step, the payer need to verify himself on 3D secure form, it could be his card password or a SMS message containing verification code, etc.

Displaying 3D secure form for your customers is the first step. After that, brick_secure_token and brick_charge_id would be included into the http request object once the payer has completed the 3D secure step, which are needed in second charge request.

The implementation is different depending on your payment form.

If you are using default payment form, this part is handled by default payment form itself. See re-submit charge request to continue.


For merchants who prefer custom payment form, the following steps are required:

  • Add secure_redirect_url & secure_return_method

You will need to add the above two additional parameter into your charge request

secure_redirect_url is the url where your customer will be redirected after completing the 3D secure step.

The value of secure_return_method is required to be set as url so that you will get a redirect url rather than a html form.

<?php
$chargeInfo = array(
    ... // other charge parameters
    'secure_redirect_url' => 'YOUR-SECURE-REDIRECT-URL',
    'secure_return_method' => 'url'
);
?>
//custom parameters
var custom = {
    ... // your other custome parameters
    'secure_redirect_url':'YOUR-SECURE-REDIRECT-URL',
    'secure_return_method': 'url'
};
... // your other charge parameters
chargemap.put("secure_redirect_url", "YOUR-SECURE-REDIRECT-URL");
chargemap.put("secure_return_method", "url");
curl https://api.paymentwall.com/api/brick/charge \
-H "X-ApiKey: [YOUR_PRIVATE_KEY]" \
-d "token=[TOKEN]" \
-d "amount=9.99" \
-d "currency=USD" \
-d "email=user@host.com" \
-d "fingerprint=[FINGERPRINT_BY_BRICK.JS]" \
-d "description=TestItem" \
-d "secure_redirect_url=[YOUR_SECURE_REDIRECT_URL]" \
-d "secure_return_method=url"

brick_fingerprint and brick_token of the original request should be embedded into secure_redirect_url, so that they can be subsequently passed into the second charge request. Here is a sample:

secure_redirect_url: http://your-domain/your-secure-redirect-url?brick_token=ot_4ca5cbda3D4af3444759e4934dd25717&brick_fingerprint=satiO3yvBDuPMEZUJep4vKuqVav5VxAT
  • Obtain 3D secure form and display it

With 3D secure enabled, you will get a charge response object contains the redirect url. Below is a sample charge response object.

{
  "success":0,
  "secure":{
    "redirect":"https:\/\/api.paymentwall.com\/api\/brick\/redirect\/3Ds\/fe989d17-5632-11e7-bfd3-002590852bf4\/44ea915ab53D78f96b3Dd485e7a5f8d2441572876f7a2eb88f5101cb197adcc9"
  }
}

You can then use it to redirect your customer to 3D secure page. See the next step to continue.

The following additional step are required only if you don’t have secure_return_method included in your original charge request. You will get a html form of 3D Secure instead of redirecting url.

{
  "success":0,
  "secure":{
     "formHTML":"<div><form action=\"https:\/\/api.paymentwall.com\/api\/brick\/secure-test-bank-page?public_key=t_a93Db6bffafdda5c57ab48296fdbba\" method=\"POST\"><input type=\"hidden\" name=\"PaReq\" value=\"to_validate_this\"><input type=\"hidden\" name=\"MD\" value=\"t34451493976105_test\"><input type=\"hidden\" name=\"TermUrl\" value=\"https:\/\/api.paymentwall.com\/api\/brick\/secure-payment?public_key=a3Dff98c34722f0e130a68e6b4c9da56&secure_redirect_url=http%3A%2F%2Fpaymentwall.com%2Fbrick%2F3Dsecure%3Fbrick_token%3Dot_4ca5cbda3D4af3444759e4934dd25717%26brick_fingerprint%3DsatiO3yvBDuPMEZUJep4vKuqVav5VxAT\"><\/form><\/div>"
  }
}

Simply obtian the value of formHTML attribute, embed it into your payment page and submit it directly, the 3D secure form will be displayed in a new tab as a result.

<script>
  document.getElementById("3Ds_form_container").getElementsByTagName("form")[0].submit();
  // 3Ds_form_container is the place where 3D secure form is embedded in
</script>
  • Handle 3D secure details on your backend

brick_secure_token and brick_charge_id will be sent to secure_redirect_url via POST each time a payer confirmed the 3D secure payment step, you can now continue with next step. If you server implements SameSite cookie attribute, note that Paymentwall sends brick_secure_token via POST. If authentication is required for your secure_redirect_url - cookies may be ignored when Paymentwall sends a user to you. It is advised to not require authentication for your secure_redirect_url in this case.


Re-submit charge request

Payments with 3D secure enabled requires another charge request with below two parameters included in.

Parameter Description
charge_id Charge id of your original charge request. brick_charge_id in request object.
secure_token Secure token returned by issuing bank for 3D secure purpose. brick_secure_token in request object.

As these two parameters have been passed to your backend, you can easily add them directly in second charge request.

<?php
$chargeInfo = array(
    ... // your original charge request parameters
);

if (isset($parameters['brick_charge_id']) AND isset($parameters['brick_secure_token'])) {
    $chargeInfo['charge_id'] = $parameters['brick_charge_id'];
    $chargeInfo['secure_token'] = $parameters['brick_secure_token'];
}
?>
// We are using Express framework in this sample

//custom parameters
var custom = {
    secure: 1
};

var parameters = req.body;
if (parameters.brick_charge_id&&parameters.brick_secure_token){
    custom.charge_id = parameters.brick_charge_id;
    custom.secure_token = parameters.brick_secure_token;
}

var charge = new Paymentwall.Charge(
    0.5, //price
    'USD', //currency code
    'description', //description of the product
    req.body.email, // user's email which can be gotten by req.body.email
    req.body.brick_fingerprint, // fingerprint which can be gotten by req.body.brick_fingerprint
    req.body.brick_token, //one-time token
    custom 
);
LinkedHashMap<String,String> chargemap = new LinkedHashMap<String, String>();

... // your original charge request parameters

if (request.getParameter("brick_charge_id")!=null &&request.getParameter("brick_secure_token")!=null){
    chargemap.put("charge_id", request.getParameter("brick_charge_id"));
    chargemap.put("secure_token",request.getParameter("brick_secure_token"));
}
curl https://api.paymentwall.com/api/brick/charge \
-H "X-ApiKey: [YOUR_PRIVATE_KEY]" \
-d "token=[TOKEN]" \
-d "amount=9.99" \
-d "currency=USD" \
-d "email=user@host.com" \
-d "fingerprint=[FINGERPRINT_BY_BRICK.JS]" \
-d "description=TestItem" \
-d "secure_redirect_url=[YOUR_SECURE_REDIRECT_URL]" \
-d "charge_id=[BRICK_CHARGE_ID]" \
-d "secure_token=[BRICK_SECURE_TOKEN]"

Next step

That’s it. Your payment system now should be able to handle payments with 3D secure enabled, below links might be helpful for you: