Authenticate payments

This guide shows you how to integrate 3D Secure (3DS) into your payment flows.

Information

Checkout.com supports all versions of the 3DS protocol up to and including 2.2.0.

You can authenticate online payments using any of the following integration options:

Integrated authentication
Standalone Sessions authentication
Third-party authentication

With the integrated authentication solution, Checkout.com automatically routes the customer to 3DS authentication or Google Secure Payment Authentication (SPA), depending on which is most likely to result in a successful completion. Google SPA enables cardholders to complete biometric authentication directly from your domain, which enhances the user experience.

For the automatic routing to function, you must provide 3DS authentication data in all of your payment requests.

If the initial authentication experience fails or is declined by the customer, we automatically fall back to the alternative authentication experience to prevent a lost transaction.

When you submit a payment request with the 3ds.enabled field set to true, we redirect the customer to a Checkout.com page to gather the data required for 3DS authentication. We automatically add the required fields to your payment request.

If you host the payment page in an iframe, you must explicitly add payment permission to the iframe to allow payments to complete. Include the allow="payment *" attribute in all parent frames:


1<iframe src="https://example.com" allow="payment *"></iframe>

Follow these steps:

Create a card token.
Request a card token payment
Redirect your customer.
Verify the payment.

To exchange the customer's card details for a card token, call the Request a token endpoint.

post

https://api.checkout.com/tokens


1{
2  "type": "applepay",
3  "token_data": {
4    "version": "EC_v1",
5    "data": "t7GeajLB9skXB6QSWfEpPA4WPhDqB7ekdd+F7588arLzvebKp3P0TekUslSQ8nkuacUgLdks2IKyCm7U3OL/PEYLXE7w60VkQ8WE6FXs/cqHkwtSW9vkzZNDxSLDg9slgLYxAH2/iztdipPpyIYKl0Kb6Rn9rboF+lwgRxM1B3n84miApwF5Pxl8ZOOXGY6F+3DsDo7sMCUTaJK74DUJJcjIXrigtINWKW6RFa/4qmPEC/Y+syg04x7B99mbLQQzWFm7z6HfRmynPM9/GA0kbsqd/Kn5Mkqssfhn/m6LuNKsqEmbKi85FF6kip+F17LRawG48bF/lT8wj/QEuDY0G7t/ryOnGLtKteXmAf0oJnwkelIyfyj2KI8GChBuTJonGlXKr5klPE89/ycmkgDl+T6Ms7PhiNZpuGEE2QE=",
6    "signature": "MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCAMIID5jCCA4ugAwIBAgIIaGD2mdnMpw8wCgYIKoZIzj0EAwIwejEuMCwGA1UEAwwlQXBwbGUgQXBwbGljYXRpb24gSW50ZWdyYXRpb24gQ0EgLSBHMzEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMB4XDTE2MDYwMzE4MTY0MFoXDTIxMDYwMjE4MTY0MFowYjEoMCYGA1UEAwwfZWNjLXNtcC1icm9rZXItc2lnbl9VQzQtU0FOREJPWDEUMBIGA1UECwwLaU9TIFN5c3RlbXMxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgjD9q8Oc914gLFDZm0US5jfiqQHdbLPgsc1LUmeY+M9OvegaJajCHkwz3c6OKpbC9q+hkwNFxOh6RCbOlRsSlaOCAhEwggINMEUGCCsGAQUFBwEBBDkwNzA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AuYXBwbGUuY29tL29jc3AwNC1hcHBsZWFpY2EzMDIwHQYDVR0OBBYEFAIkMAua7u1GMZekplopnkJxghxFMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUI/JJxE+T5O8n5sT2KGw/orv9LkswggEdBgNVHSAEggEUMIIBEDCCAQwGCSqGSIb3Y2QFATCB/jCBwwYIKwYBBQUHAgIwgbYMgbNSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjA2BggrBgEFBQcCARYqaHR0cDovL3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuYXBwbGUuY29tL2FwcGxlYWljYTMuY3JsMA4GA1UdDwEB/wQEAwIHgDAPBgkqhkiG92NkBh0EAgUAMAoGCCqGSM49BAMCA0kAMEYCIQDaHGOui+X2T44R6GVpN7m2nEcr6T6sMjOhZ5NuSo1egwIhAL1a+/hp88DKJ0sv3eT3FxWcs71xmbLKD/QJ3mWagrJNMIIC7jCCAnWgAwIBAgIISW0vvzqY2pcwCgYIKoZIzj0EAwIwZzEbMBkGA1UEAwwSQXBwbGUgUm9vdCBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwHhcNMTQwNTA2MjM0NjMwWhcNMjkwNTA2MjM0NjMwWjB6MS4wLAYDVQQDDCVBcHBsZSBBcHBsaWNhdGlvbiBJbnRlZ3JhdGlvbiBDQSAtIEczMSYwJAYDVQQLDB1BcHBsZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATwFxGEGddkhdUaXiWBB3bogKLv3nuuTeCN/EuT4TNW1WZbNa4i0Jd2DSJOe7oI/XYXzojLdrtmcL7I6CmE/1RFo4H3MIH0MEYGCCsGAQUFBwEBBDowODA2BggrBgEFBQcwAYYqaHR0cDovL29jc3AuYXBwbGUuY29tL29jc3AwNC1hcHBsZXJvb3RjYWczMB0GA1UdDgQWBBQj8knET5Pk7yfmxPYobD+iu/0uSzAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFLuw3qFYM4iapIqZ3r6966/ayySrMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9jcmwuYXBwbGUuY29tL2FwcGxlcm9vdGNhZzMuY3JsMA4GA1UdDwEB/wQEAwIBBjAQBgoqhkiG92NkBgIOBAIFADAKBggqhkjOPQQDAgNnADBkAjA6z3KDURaZsYb7NcNWymK/9Bft2Q91TaKOvvGcgV5Ct4n4mPebWZ+Y1UENj53pwv4CMDIt1UQhsKMFd2xd8zg7kGf9F3wsIW2WT8ZyaYISb1T4en0bmcubCYkhYQaZDwmSHQAAMYIBjTCCAYkCAQEwgYYwejEuMCwGA1UEAwwlQXBwbGUgQXBwbGljYXRpb24gSW50ZWdyYXRpb24gQ0EgLSBHMzEmMCQGA1UECwwdQXBwbGUgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxEzARBgNVBAoMCkFwcGxlIEluYy4xCzAJBgNVBAYTAlVTAghoYPaZ2cynDzANBglghkgBZQMEAgEFAKCBlTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xNzA4MDIxNjA5NDZaMCoGCSqGSIb3DQEJNDEdMBswDQYJYIZIAWUDBAIBBQChCgYIKoZIzj0EAwIwLwYJKoZIhvcNAQkEMSIEIGEfVr+4x9RQXyfF8IYA0kraoK0pcZEaBlINo6EGrOReMAoGCCqGSM49BAMCBEgwRgIhAKunK47QEr/ZjxPlVl+etzVzbKA41xPLWtO01oUOlulmAiEAiaFH9F9LK6uqTFAUW/WIDkHWiFuSm5a3NVox7DlyIf0AAAAAAAA=",
7    "header": {
8      "ephemeralPublicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEX1ievoT8DRB8T5zGkhHZHeDr0oBmYEgsDSxyT0MD0IZ2Mpfjz2LdWq6LUwSH9EmxdPEzMunsZKWMyOr3K/zlsw==",
9      "publicKeyHash": "tqYV+tmG9aMh+l/K6cicUnPqkb1gUiLjSTM9gEz6Nl0=",
10      "transactionId": "3cee89679130a4b2617c76118a1c62fd400cd45b49dc0916d5b951b560cd17b4"
11    }
12  }
13}


1{
2  "type": "applepay",
3  "token": "tok_ymu4qlccztkedmd6b7c3hcf6ae",
4  "expires_on": "2024-10-21T10:48:35Z",
5  "expiry_month": 1,
6  "expiry_year": 2025,
7  "scheme": "VISA",
8  "last4": "6222",
9  "bin": "481891",
10  "card_type": "DEBIT",
11  "card_category": "CONSUMER",
12  "issuer": "Test Bank",
13  "issuer_country": "GB",
14  "product_id": "F",
15  "product_type": "CLASSIC"
16}

The response returns the token, which you need for the payment request.

Call the Request a payment or payout endpoint, and set source.type to token.

To request 3DS authentication for the payment, set the 3ds.enabled field in your request to true.

Information

You can automatically downgrade your payment to a non-3DS payment if there are any technical issues during the 3DS authentication process that would otherwise cause the payment to fail. Set the attempt_n3d field in the request to true and we automatically attempt to process the payment without 3DS authentication.

post

https://api.checkout.com/payments


1{
2  "source": {
3    "type": "token",
4    "token": "tok_f6z4mnoububudpqnvhwa5ff27u"
5  },
6  "amount": 2000,
7  "currency": "USD",
8  "3ds": {
9    "enabled": true
10  },
11  "success_url": "https://example.com/payments/success",
12  "failure_url": "https://example.com/payments/failure"
13}


1{
2  "id": "pay_hehfmlkpykeupofyxf7nbr6yyy",
3  "status": "Pending",
4  "customer": {
5    "id": "cus_u4a4zosnrw7ehhzr7jipbkdzo4"
6  },
7  "3ds": {
8    "downgraded": false,
9    "enrolled": "Y"
10  },
11  "_links": {
12    "self": {
13      "href": "https://api.sandbox.checkout.com/payments/pay_hehfmlkpykeupofyxf7nbr6yyy"
14    },
15    "redirect": {
16      "href": "https://api.sandbox.checkout.com/sessions-interceptor/sid_feixbit6us3utfedjulm6egnsu"
17    }
18  }
19}

The response returns the URL to redirect your customer to in the _links.redirect.href field.

If the card is enrolled for 3DS or eligible for Google SPA, you receive a 202 - Accepted response.

Information

Use test cards in the sandbox environment to simulate 3DS and Google SPA authentication flows, and test transactions statuses.

Redirect the customer to the URL returned in the Request a payment response.

In a 3DS authentication experience, the customer may be prompted to verify their identity on a 3DS challenge screen. For example, using a password.

In a Google SPA authentication experience, the customer is prompted to verify their identity on their device using biometric authentication.

If the customer successfully completes the 3DS challenge or Google SPA biometric authentication, they are redirected back to your site.

The success URL contains a cko-session-id query string. For example:

http://example.com/success?cko-session-id=sid_ubfj2q76miwundwlk72vxt2i7q

If you've set up your webhook receiver, you can verify the status of the payment using the following webhooks:

Successful payment – You receive a Payment approved webhook.
Unsuccessful payment – You receive a Payment declined webhook.

Alternatively, you can check if the payment was authenticated and authorized by calling the Get payment details endpoint. Provide the cko-session-id query string from the Redirect your customer step as the {id} path parameter.

get

https://api.checkout.com/payments/{id}


1{
2  "id": "pay_5o3zluz2oh2u7gbonujy33765e",
3  "requested_on": "2024-01-23T14:45:55.1258Z",
4  "source": {
5    "type": "card",
6    "expiry_month": 12,
7    "expiry_year": 2029,
8    "name": "Jia Tsang",
9    "scheme": "Visa",
10    "last4": "6584",
11    "fingerprint": "B16D9C2EF0C861A8825C9BD59CCE9171D84EBC45E89CC792B5D1D2D0DDE3DAB7",
12    "bin": "448504",
13    "card_type": "CREDIT",
14    "card_category": "COMMERCIAL",
15    "issuer": "GE CAPITAL FINANCIAL, INC.",
16    "issuer_country": "US"
17  },
18  "amount": 100,
19  "currency": "EUR",
20  "payment_type": "Regular",
21  "reference": "a19c5c40-a5be-4307-a14c-d8ebd9ef995a",
22  "status": "Pending",
23  "3ds": {
24    "downgraded": false,
25    "enrolled": "Y",
26    "version": "2.2.0"
27  },
28  "risk": {
29    "flagged": false,
30    "score": 0
31  },
32  "customer": {
33    "id": "cus_gd2oabkekwru3fckbb2b5xdqbe",
34    "email": "[email protected]",
35    "name": "Jia Tsang"
36  },
37  "_links": {
38    "self": {
39      "href": "https://api.checkout.com/gateway/payments/pay_5o3zluz2oh2u7gbonujy33765e"
40    },
41    "actions": {
42      "href": "https://api.checkout.com/gateway/payments/pay_5o3zluz2oh2u7gbonujy33765e/actions"
43    },
44    "redirect": {
45      "href": "https://api.checkout.com/sessions-interceptor/sid_6jih2nadzfvevi655gysadzkyq"
46    }
47  }
48}


1{
2  "id": "pay_5o3zluz2oh2u7gbonujy33765e",
3  "requested_on": "2024-01-23T14:45:55.1258Z",
4  "source": {
5    "id": "src_aqqoqgffnbqehoqekvttwfrr3a",
6    "type": "card",
7    "expiry_month": 12,
8    "expiry_year": 2029,
9    "name": "Jia Tsang",
10    "scheme": "Visa",
11    "last4": "6584",
12    "fingerprint": "B16D9C2EF0C861A8825C9BD59CCE9171D84EBC45E89CC792B5D1D2D0DDE3DAB7",
13    "bin": "448504",
14    "card_type": "CREDIT",
15    "card_category": "COMMERCIAL",
16    "issuer": "GE CAPITAL FINANCIAL, INC.",
17    "issuer_country": "US",
18    "product_type": "PURCHASING",
19    "avs_check": "G",
20    "cvv_check": "Y",
21    "payment_account_reference": "V001345447391180899"
22  },
23  "expires_on": "2024-01-24T14:46:26.6329548Z",
24  "amount": 100,
25  "currency": "EUR",
26  "payment_type": "Regular",
27  "reference": "a19c5c40-a5be-4307-a14c-d8ebd9ef995a",
28  "status": "Authorized",
29  "approved": true,
30  "3ds": {
31    "downgraded": false,
32    "enrolled": "Y",
33    "authentication_response": "Y",
34    "cryptogram": "AAABAVIREQAAAAAAAAAAAAAAAAA=",
35    "xid": "347d50f2-c903-4a6a-a3dd-e9b1200f2ac4",
36    "eci": "05",
37    "version": "2.2.0",
38    "exemption": "none",
39    "challenged": false,
40    "exemption_applied": "none"
41  },
42  "balances": {
43    "total_authorized": 100,
44    "total_voided": 0,
45    "available_to_void": 100,
46    "total_captured": 0,
47    "available_to_capture": 100,
48    "total_refunded": 0,
49    "available_to_refund": 0
50  },
51  "risk": {
52    "flagged": false,
53    "score": 0
54  },
55  "customer": {
56    "id": "cus_gd2oabkekwru3fckbb2b5xdqbe",
57    "email": "[email protected]",
58    "name": "Jia Tsang"
59  },
60  "processing": {
61    "acquirer_transaction_id": "226009856104463057233",
62    "retrieval_reference_number": "049179801690",
63    "merchant_category_code": "0742",
64    "scheme_merchant_id": "502177",
65    "scheme": "VISA",
66    "partner_response_code": "00",
67    "acquirer_name": "Checkout Visa",
68    "acquirer_country_code": "GB",
69    "aft": false,
70    "pan_type_processed": "fpan",
71    "cko_network_token_available": false
72  },
73  "eci": "05",
74  "scheme_id": "661856082822182",
75  "actions": [
76    {
77      "id": "act_wl5dv2xperdu5canyu2jz72mom",
78      "type": "Authorization",
79      "response_code": "10000",
80      "response_summary": "Approved"
81    }
82  ],
83  "_links": {
84    "self": {
85      "href": "https://api.checkout.com/gateway/payments/pay_5o3zluz2oh2u7gbonujy33765e"
86    },
87    "actions": {
88      "href": "https://api.checkout.com/gateway/payments/pay_5o3zluz2oh2u7gbonujy33765e/actions"
89    },
90    "capture": {
91      "href": "https://api.checkout.com/gateway/payments/pay_5o3zluz2oh2u7gbonujy33765e/captures"
92    },
93    "void": {
94      "href": "https://api.checkout.com/gateway/payments/pay_5o3zluz2oh2u7gbonujy33765e/voids"
95    }
96  }
97}


1{
2  "id": "pay_ggiqdmmp7m6ehl5rcjxzw46hgq",
3  "requested_on": "2024-01-23T14:49:25.2151969Z",
4  "source": {
5    "id": "src_h2xxsn5unfzedlrbmxnh3s7n2m",
6    "type": "card",
7    "expiry_month": 12,
8    "expiry_year": 2029,
9    "name": "Jia Tsang",
10    "scheme": "Visa",
11    "last4": "7863",
12    "fingerprint": "3D91433E7E3218ED2447E8EA0E8CDEA03085786D0DE7746EB6EA4E513C684CD6",
13    "bin": "453962",
14    "card_type": "DEBIT",
15    "card_category": "CONSUMER",
16    "issuer": "BANC INTERNACIONAL DANDORRA, S.A.",
17    "issuer_country": "AD",
18    "product_type": "ELECTRON"
19  },
20  "amount": 100,
21  "currency": "EUR",
22  "payment_type": "Regular",
23  "reference": "a19c5c40-a5be-4307-a14c-d8ebd9ef995a",
24  "status": "Declined",
25  "approved": false,
26  "3ds": {
27    "downgraded": false,
28    "enrolled": "Y",
29    "authentication_response": "N",
30    "authentication_status_reason": "01",
31    "eci": "07",
32    "version": "2.2.0"
33  },
34  "risk": {
35    "flagged": false,
36    "score": 0
37  },
38  "customer": {
39    "id": "cus_gd2oabkekwru3fckbb2b5xdqbe",
40    "email": "[email protected]",
41    "name": "Jia Tsang"
42  },
43  "actions": [
44    {
45      "id": "act_7dkwh4uflaeuvhdjwrnhnpc7c4",
46      "type": "Authorization",
47      "response_code": "20151",
48      "response_summary": "Cardholder failed 3D-Secure authentication"
49    }
50  ],
51  "_links": {
52    "self": {
53      "href": "https://api.checkout.com/gateway/payments/pay_ggiqdmmp7m6ehl5rcjxzw46hgq"
54    },
55    "actions": {
56      "href": "https://api.checkout.com/gateway/payments/pay_ggiqdmmp7m6ehl5rcjxzw46hgq/actions"
57    }
58  }
59}

The result of the 3DS authentication is returned in the 3ds.authentication_response field. This can be one of:

Y – The cardholder was successfully authenticated.
A – The authentication was processed by a stand-in service, and is classed as successful.
N – The authentication failed.
U – The authentication could not be completed due to technical or other problems.

The result of the authorization is returned in the approved boolean. This can be one of:

true – The payment was successfully authorized.
false – The payment was not authorized. The card may be invalid, expired, or have an insufficient balance.

You receive separate Electronic Commerce Indicator (ECI) values for the authorization and authentication in the response, which indicate the transaction's security level and liability shift:

Authorization – The eci field represents the final ECI security level received from the issuer to authorize the payment.
Authentication – The 3ds.eci field represents the final ECI security level received from the issuer to authenticate the payment.

Information

To retrieve a summary of all actions performed during a payment's lifecycle, call the Get payment actions endpoint.

If you make a payment request without the 3ds object, or with "3ds.enabled": false, and the issuer does not require 3DS authorization for the transaction, the payment completes successfully.

If you make a payment request without the 3ds object, or with "3ds.enabled": false, and the issuer does require 3DS authorization for the transaction, you receive soft decline response code 20154. You must re-request the payment with 3DS.

If the customer's card is not enrolled for any version of 3DS, you can set the attempt_n3d field to true to downgrade the transaction to non-3DS. This means that if the customer's bank does not support 3DS, we automatically attempt to process the payment without 3DS authentication instead.

Note

If you downgrade the payment to non-3DS, liability shift no longer applies. This means you're not be protected against potentially fraudulent payments or chargebacks.


1{
2  "source": {
3    "type": "token",
4    "token": "tok_vtvlbgpyoaaubmldynpm32bali"
5  },
6  "amount": 2000,
7  "currency": "USD",
8  "3ds": {
9    "enabled": true,
10    "attempt_n3d": true
11  }
12}

Standalone Sessions authentication enables you to authenticate online transactions with the EMV 3DS protocol and helps you fulfil Strong Customer Authentication (SCA) requirements.

You can authorize payments using the identifier returned in the API response.

This simplified integration reduces the maintenance effort caused by regular 3DS protocol updates. It also ensures you do not need to handle any differences between local and global scheme requirements to perform a successful authorization.

Payments requested using this integration display as a single payment transaction line in your Dashboard.

If you want to authorize payments using fields in the 3ds object (such as eci, cryptogram, xid, version), you can do so using the authentication data from a third-party provider. You can also use Standalone Sessions as a third-party provider for authorizing payments.

Call the Request a session endpoint.

post

https://api.checkout.com/sessions


1{
2  "source": {
3    "type": "card",
4    "scheme": "amex",
5    "number": "4242424242424242",
6    "expiry_month": 12,
7    "expiry_year": 2077
8  },
9  "amount": 257,
10  "currency": "USD",
11  "3ds": {
12    "enabled": true,
13    "authentication_id": "sid_y3oqhf46pyzuxjbcn2giaqnb441"
14  }
15}


1{
2  "id": "pay_7a4355cden2upo2pkve6sxzzwm",
3  "action_id": "act_rkzwx7sagtyuxnqnu3hbyld2ay",
4  "amount": 100,
5  "currency": "GBP",
6  "approved": true,
7  "status": "Authorized",
8  "auth_code": "124203",
9  "response_code": "10000",
10  "response_summary": "Approved",
11  "balances": {
12    "total_authorized": 100,
13    "total_voided": 0,
14    "available_to_void": 100,
15    "total_captured": 0,
16    "available_to_capture": 100,
17    "total_refunded": 0,
18    "available_to_refund": 0
19  },
20  "risk": {
21    "flagged": false
22  },
23  "source": {
24    "id": "src_lflzuabkdlkevaopjpk27ex3w4",
25    "type": "card",
26    "expiry_month": 12,
27    "expiry_year": 2023,
28    "scheme": "Mastercard",
29    "last4": "3276",
30    "fingerprint": "CF79B91401CB4BF771BD423DBE275C2D85C39728874D15528B06F75D4B63C7C6",
31    "bin": "539704",
32    "card_type": "CREDIT",
33    "card_category": "CONSUMER",
34    "issuer": "Test Bank",
35    "issuer_country": "US",
36    "product_id": "MCG",
37    "product_type": "Gold MasterCard(r) Card",
38    "avs_check": "S",
39    "cvv_check": "Y",
40    "payment_account_reference": ""
41  },
42  "customer": {
43    "id": "cus_xoar4xyvwbpeph2m2besbp52rq",
44    "email": "[email protected]",
45    "name": "John Smith"
46  },
47  "processed_on": "2022-08-02T14:48:34.371324Z",
48  "reference": "Reference",
49  "scheme_id": "435166469706885",
50  "processing": {
51    "acquirer_transaction_id": "067757716527430582022",
52    "retrieval_reference_number": "456111356278"
53  },
54  "expires_on": "2022-09-01T14:48:34.371324Z",
55  "_links": {
56    "self": {
57      "href": "https://api.sandbox.checkout.com/payments/pay_7a4355cden2upo2pkve6sxzzwm"
58    },
59    "actions": {
60      "href": "https://api.sandbox.checkout.com/payments/pay_7a4355cden2upo2pkve6sxzzwm/actions"
61    },
62    "capture": {
63      "href": "https://api.sandbox.checkout.com/payments/pay_7a4355cden2upo2pkve6sxzzwm/captures"
64    },
65    "void": {
66      "href": "https://api.sandbox.checkout.com/payments/pay_7a4355cden2upo2pkve6sxzzwm/voids"
67    }
68  }
69}

If the approved field returns:

true – The authorization was successful.
false – The authorization was unsuccessful. The card may be invalid, expired, have insufficient funds.

If you receive a 422 Unprocessable entity response, the authentication was not successfully completed. For more information, see the error_codes object.

Authenticate a payment using a third-party provider and authorize it with Checkout.com.

Call the Request a payment or payout endpoint.

In the request body:

Parameter	Description
`3ds` required object	Information required for 3D Secure payments.
`3ds.challenge_indicator` optional string	Indicates your preference for whether or not a 3DS challenge should be performed. The customer’s bank has the final say on whether the customer is challenged. If `3ds.exemption` and `3ds.challenge_indicator` are provided, then `3ds.exemption` overrides `3ds.challenge_indicator`. For more information about exemptions, see our SCA compliance guide.
`3ds.cryptogram` required string	Base-64 cryptographic identifier used by card schemes to validate the token verification result. Required unless the `previous_payment_id` is specified. For more information, see Pay with stored card details.
`3ds.eci` required string	The Electronic Commerce Indicator security level associated with the token. Required unless the `previous_payment_id` is specified. For 3D Secure payments the ECI must be provided in the `3ds` payment field. For more information, see Pay with stored card details.
`3ds.enabled` required boolean	Whether to process this payment as a 3D Secure. Set this to `true`.
`3ds.exemption` optional string	Requests an SCA exemption for the transaction. The customer’s bank has the final say on whether or not it applies. If the requested `3ds.exemption` is not supported or enabled, `3ds.challenge_indicator` is used as a fallback. For more information about exemptions, see our SCA compliance guide.
`3ds.version` required string	Indicates the version of 3D Secure used for authentication. Defaults to `1.0.2` if not provided.
`3ds.xid` required (for Mastercard and American Express requests) optional (for Visa requests) string	The 3D Secure transaction identifier. In 3DS with Mastercard, the value is the directory server transaction ID.

post

https://api.checkout.com/payments


1{
2  "source": {
3    "type": "card",
4    "number": "5436031030606378",
5    "expiry_month": 12,
6    "expiry_year": 2025
7  },
8  "amount": 257,
9  "currency": "USD",
10  "3ds": {
11    "enabled": true,
12    "eci": "06",
13    "cryptogram": "AgAAAAAAAIR8CQrXcIhbQAAAAAA=",
14    "xid": "79f6205c-ff5c-4a4c-8fca-90f67f3a6470",
15    "version": "2.0.1"
16  }
17}

If the approved field returns:

true – The authorization was successful.
false – The authorization was unsuccessful. The card may be invalid, expired, have insufficient funds.

If you receive a 202 response, the payment requires a redirect.

Information

If the card scheme provided us with an eci value, it is returned in the response. The value indicates the security level that the card scheme decided to authorize the payment with.

Authenticate payments

Information

Integrated authentication

Create a card token

Request example

Response example

Request a card token payment

Information

Request example

Response example

Information

Redirect your customer

Verify the payment

Response example

Information

Successful non-3DS authorization request

Non-3DS authorization request flow with soft decline

Handle non-enrolled cards

Note

Request example

Standalone Sessions authentication

Request example

Response example

Third-party authentication

Request example

Response example

Information

Related topics

Google Secure Payment Authentication

3D Secure

Verify a card

Flagged payments

Manage SCA compliance