Step 1: Submit transaction request
The process of obtaining 3-D Secure authentication for a transaction begins in the same manner as a normal transaction. You will need to generate a merchantSessionKey and a cardIdentifier and then submit a transaction registration POST.
When you make the transaction registration POST, you can override the MySagePay settings for that transaction by using the apply3DSecure field; otherwise the MySagePay settings will be used.
If we receive a transaction POST which requires 3-D Secure authentication, we will check if the card and the card issuer are enrolled in the 3-D Secure scheme. If they are not enrolled, and you have set rules requiring that they are, the transaction will be rejected and we will provide you with the appropriate response via the status in the 3-D Secure object.
Here is an example response for this scenario:
"statusDetail": "3D-Authentication failed. This vendor's rules require a successful 3D-Authentication.",
If those rules aren't in place, the transaction will proceed for authorisation without going through 3-D Secure, and you will receive the normal transaction response. The outcome of 3-D Secure is reported in the status field under the 3DSecure object, as per the example below:
"statusDetail": "The Authorisation was Successful.",
Step 2: Handling the response and customer redirection
If the card and the card issuer are enrolled in the 3-D Secure scheme, we will respond with the information needed to complete the 3-D Secure authentication.
Here is an example response to a transaction where 3-D Secure authentication is required:
{
  "statusCode" : "2007",
  "statusDetail" : "Please redirect your customer to the ACSURL to complete the 3DS Transaction",
  "transactionId" : "DFAF9D9A-CD17-A4DF-B5A0-D9A9D88E4468",
  "acsUrl" : "https://test.sagepay.com/mpitools/accesscontroler?action=pareq",
  "paReq" : "eJxVUstuwjAQvPcrolwrxXaeCC1GtBwaJEpUqlbqzXKsEkQeOElD/r7rkBTq087serw7a1he8pP1o3SdlcXCZg61l/wB3g9aqfVeyVYrDltV1+JbWVm6sF3KfD8MIopBFPrMC5lvc0hWb+rMYRTiqOMwIBNEBS0Pomg4CHl+il+5T2eB5wIZIeRKx2se+NT3woBdD6avNBQiV9y0UIk+VXkJZGBAlm3R6J7P3BDIBKDVJ35ommpOSNd1znjPkWUOxOSA3NpJWhPVqHXJUt7JD/+4kY+7NZOfdbQ76qSPN5vTV7FdADEVkIpGcZwdm6SexaI59eYujjrwIHLTBGeUUpztCqAyb6zuM/cMoMdaFXKaYkKgLlVZKKxAH/5iSFUt+d5sIxG9tU1ifNpQQG6jPL8Yn2WD1jFj8RAZvQztwd7ZIGgAEFNLxu2RcdEY/fsAv12RstM=",
  "status" : "3DAuth"
}
When you receive our response with a status of 3DAuth, you must return to the customer a page or iFrame containing a form with hidden fields which POSTs the paReq and two additional fields called TermUrl and MD to the 3-D Secure provider located at the acsUrl.
Here is an example of a self-submitting version of this form:
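One way to build this form on the server, as an added example that is not Sage Pay's own code: it refuses anything but an HTTPS acsUrl and TermUrl and HTML-escapes every value before it reaches the page. The function names, the term_url and md arguments, the `PaReq` capitalisation of the form field (the usual 3-D Secure v1 name) and the sample values are assumptions.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: acsUrl and transactionId as in the response above,
# paReq replaced by a placeholder value.
SAMPLE_RESPONSE = {
    "statusCode": "2007",
    "transactionId": "DFAF9D9A-CD17-A4DF-B5A0-D9A9D88E4468",
    "acsUrl": "https://test.sagepay.com/mpitools/accesscontroler?action=pareq",
    "paReq": "CONSTRUCTED-PAREQ-PLACEHOLDER",
    "status": "3DAuth",
}


def _require_https(name, url):
    # The customer's browser is only ever sent to an absolute HTTPS URL.
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"{name} must be an absolute https URL")


def _hidden(name, value):
    # Escape the value so it cannot break out of the HTML attribute.
    return f'<input type="hidden" name="{name}" value="{html.escape(value, quote=True)}">'


def build_3ds_form(response, term_url, md):
    """Return a self-submitting HTML form for a response with status 3DAuth."""
    if response.get("status") != "3DAuth":
        raise ValueError("response does not ask for 3-D Secure redirection")
    acs_url = response.get("acsUrl") or ""
    pa_req = response.get("paReq") or ""
    if not pa_req:
        raise ValueError("3DAuth response is missing paReq")
    _require_https("acsUrl", acs_url)
    _require_https("TermUrl", term_url)
    return "\n".join([
        f'<form id="threeDS" method="POST" action="{html.escape(acs_url, quote=True)}">',
        _hidden("PaReq", pa_req),    # field name is an assumption (3DS v1 convention)
        _hidden("TermUrl", term_url),  # hypothetical return URL on your own site
        _hidden("MD", md),           # your reference for matching the callback
        '<noscript><input type="submit" value="Continue"></noscript>',
        "</form>",
        '<script>document.getElementById("threeDS").submit();</script>',
    ])
```

The `<noscript>` button keeps the flow usable when the customer's browser does not run the auto-submit script.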