3DS 2.0 in Checkout


This page aims to describe the flow of 3DS 2.0 to merchants who are using the PXP Financial Hosted Payment Pages (Checkout).


Merchants using Checkout and Backend2Backend

The information on this page is relevant for merchants using the PXP Financial Checkout (getRedirectData). In case that the merchant also uses Backend2Backend (initiatePayment) for example for card on file transactions or merchant initiated transactions as recurring, also the other section of the 3DS 2.0 Information Hub.

In general, the PXP Financial Checkout handles the 3DS 2.0 process without any additional interference with the merchant and the merchant needs not do any implementation changes.

But, to take advantage of 3DS 2.0, redirect merchants should consider sending additional information for risk assessment by Issuers. The more information is sent, the higher the chance for frictionless authentication, without further user interaction, to complete authentication.

Process Overview

  1. Merchant sends getRedirectData (and if applicable includes new optional 3DS 2.0 relevant parameters)
  2. Merchant redirects the customer to the PXP Checkout page
  3. Customer enters his card details and confirms the payment
  4. PXP Checkout collects Browser information and performs Device Fingerprinting
  5. PXP Checkout communicates with PXP backend
  6. Depending on the card enrollment the 3DS 2.0 or 1.0 process is applied and Checkout asks the customer for the authentication data (in case of 2DS2 and a frictionless flow, then the challenge is not done and the payment is authenticated immediately)
  7. Authentication is done and if successful payment will be authorised
  8. Customer is redirected as usual to the merchant success or error page


  1. You must have a test account set up for use with PXP Financial
  2. If you are an existing merchant you should already have a fully integrated redirect integration in place (using the PXP Financial Checkout)
  3. If you are a new merchant please refer to the Initiate New Payment (Redirect) section

Additional Information in getRedirectData

The getRedirectData request has been extended with new fields applicable to 3DS 2.0. Existing merchants should consider to extend their existing integration and send these fields in addition to those that they usually send. The more information is sent and provided to the Issuer, the higher the chance for frictionless authentication.


Browser information

Issuers require also different Browser information to be transmitted. This information is collected by the Checkout and cannot/need not be sent by the merchant in the getRedirectData request.

The table below lists the optional 3DS 2.0 fields that can be sent in getRedirectData. All these fields should be provided in getRedirectDataRequest.additionalData.

CardholderEmailEmail address of the cardholder
CardholderHomePhoneHome phone number provided by the cardholder.
Expected format:

<country_code>-<telephone_number>. <country_code> must be up to 3 digits. <telephone_number> is up to 15 digits.
CardholderMobilePhoneMobile phone number provided by the cardholder
CardholderWorkPhoneWork phone number provided by the cardholder

Example getRedirectDataRequest using the new parameters correctly:

<getRedirectDataRequest xmlns="http://www.cqrpayments.com/PaymentProcessing"
         <redirectParameters xsi:type="paymentMethodDetailsRedirectParameters">
                          <detail xsi:type="keyStringValuePair">
                          <detail xsi:type="keyStringValuePair">
                                   <value>Order Description</value>
                          <detail xsi:type="keyStringValuePair">
                         <detail xsi:type="keyStringValuePair">
                         <detail xsi:type="keyStringValuePair">
                        <detail xsi:type="keyStringValuePair">
                                <value>[email protected]</value>
                          <lastname >Doe</lastname>
                          <email>[email protected]</email>

Device Fingerprinting handled by Checkout

As part of the 3DS2 flow, device fingerprinting information has to be provided to the Issuers. This is done automatically by the PXP Financial Checkout.
The Issuer’s ACS should usually respond to the Checkout Fingerprinting request within 10 seconds.
If the response is not received within that time frame, checkout considers the fingerprinting as not successful and will continue with the 3DS process without that information.


Do not use Sandbox attribute in iFrame

If the merchant is displaying the PXP Financial Checkout in an iFrame, then the merchant iFrame must not use the Sandbox attribute!

To test the fingerprinting time-out situation in Checkout, the following card numbers can be used:

ScenarioCard NumberDetails
10 seconds delay4268845149926716A simulated ACS response will be received in Checkout after 10 seconds, this will lead to a time-out situation and the 3DS check would be done in Checkout without fingerprinting information.
9 seconds delay4268845149926708A simulated ACS response will be received in Checkout after 9 seconds. This should not cause a time-out situation and 3DS would be done with fingerprinting information.
11 seconds delay4268845149926690A simulated ACS response will be received in Checkout after 11 seconds, this will lead to a time-out situation and the 3DS check would be done in Checkout without fingerprinting information.