3DS Security
3DS is the new standard in secure payments technology, and it is essential for achieving high acceptance rates on your payments.
You must complete the essentials in the Payments API before attempting to add 3DS Secure payments to your checkout page.
The 3DS Secure Payments flow
The following steps are needed to verify secure payments with 3DS Security:
1. Submit payment form to your backend (done in previous steps)
2. Send a charge request to the BreathePay API with the payment information (done in previous steps)
3. Check the response from the BreathePay API:
   - If the response is a success, handle the successful transaction (done in previous steps)
   - If the response is a failure, handle the failed transaction (done in previous steps)
   - If the response is 3DS:
     1. Get the 3DS Method Data from the response
     2. Create a 3DS iframe on the frontend with the 3DS method data
     3. The iframe will send the data to the 3DS Server and get a response back within the iframe; the iframe will then send the response to the backend
     4. The backend then responds to the frontend with an ACS (Access Control Server, held by the banks) iframe that includes the 3DS response
     5. The ACS iframe sends the response to the ACS
     6. The Access Control Server then sends a response directly to the backend
     7. The backend checks the response from the ACS and handles it the same as a response from the BreathePay API (repeat parent step 3)
The ACS servers may request multiple iterations of the 3DS loop, in which they request different data from different providers, each adding more security checks and making the request more secure. At any time, the ACS server may accept the transaction because enough information has been provided, or reject it because the security checks failed.
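One way a backend could drive the 3DS loop described above, as an added example that is not BreathePay's own code: the response fields (`status`, `transactionId`, `methodData`), the state names and the round cap are assumptions rather than the BreathePay API schema. It handles every response the same way, whether it comes from the charge request or from an ACS callback, and refuses to change a transaction that has already finished.

```javascript
// Added example: field names (status, transactionId, methodData) and
// MAX_3DS_ROUNDS are assumptions, not the BreathePay API schema.
const MAX_3DS_ROUNDS = 5; // assumed cap; pick one that suits your checkout

function newSession(orderId) {
  return { orderId, transactionId: null, state: 'pending', rounds: 0 };
}

// Apply one response (from the charge request or from an ACS callback) to the
// session and return what the backend should do next.
function handleResponse(session, response) {
  // A finished transaction never changes state, so a late or repeated
  // callback cannot turn a declined order into a paid one.
  if (session.state === 'paid' || session.state === 'declined') {
    return { action: 'ignore', state: session.state };
  }
  // Every later response must belong to the transaction this session started.
  if (session.transactionId === null) {
    session.transactionId = response.transactionId;
  } else if (response.transactionId !== session.transactionId) {
    return { action: 'ignore', state: session.state };
  }
  switch (response.status) {
    case 'success':
      session.state = 'paid';
      return { action: 'fulfil', state: session.state };
    case '3ds':
      session.rounds += 1;
      if (session.rounds > MAX_3DS_ROUNDS) {
        session.state = 'declined';
        return { action: 'fail', state: session.state };
      }
      session.state = 'awaiting_3ds';
      // Hand the method data to the frontend so it can build the next iframe.
      return { action: 'render_iframe', state: session.state, methodData: response.methodData };
    default: // 'failure' or anything unrecognised is treated as a decline
      session.state = 'declined';
      return { action: 'fail', state: session.state };
  }
}

// Constructed responses: two 3DS rounds, then approval, then a stray repeat.
function demo() {
  const s = newSession('order-1001');
  return [
    { status: '3ds', transactionId: 'tx-1', methodData: 'constructed-a' },
    { status: '3ds', transactionId: 'tx-1', methodData: 'constructed-b' },
    { status: 'success', transactionId: 'tx-1' },
    { status: 'failure', transactionId: 'tx-1' },
  ].map((r) => handleResponse(s, r).action);
}
```

Persist the session server-side, keyed by your own order reference, so the state cannot be supplied or altered by the browser between iframe rounds.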
Some 3DS iframes can be hidden and others must be displayed to the user. For example, a 3DS check which instructs the user to check their banking app and approve the transaction has to be shown to the user, whereas checks on the user's IP address and user agent do not have to be displayed. The following code will show you, step by step, how to add this into your application: