Skip to main content

3-D Secure 2

PayWay is a simple, secure, internet-based solution to collect and manage customer payments. 3-D Secure is designed to prevent fraud by allowing the card issuer to authenticate your customer before you process a payment.

The PayWay REST API supports 3-D Secure version 2.

Benefits of 3-D Secure

The benefits of 3-D Secure version 2 are:

  • Improved risk analysis - card issuers have the information they need to perform risk analysis
  • Make it easy for your customers to pay - customers who are judged low-risk enjoy a frictionless flow
  • Lower costs - less fraud and fewer chargebacks

For more information, see:

How it works

  1. Your customer enters their credit card details
  2. You send additional information through PayWay to your customer's bank
  3. Your customer's bank decides if processing should stop, go ahead, or if a challenge is required
  4. If a challenge is required, your customer must pass the challenge before continuing
  5. The payment is processed or credit card is stored in the PayWay Vault

What additional information is sent?

The additional information includes the customer's contact details, shipping address, and type of goods being purchased. This allows your customer's bank to decide if a challenge is required.

For a full list of fields, see authenticate in the PayWay REST API.

What is a challenge?

A challenge allows your customer's bank to authenticate your customer. A challenge window is displayed on your website. The customer enters information into the challenge window. For example, their bank may send an SMS verification code and require the customer to type it in.

What is a frictionless flow?

In a frictionless flow, the customer does not need to complete a challenge.

How to implement 3-D Secure Version 2

To enable 3-D Secure version 2, you will need:

  • someone with Client Administrator access to enable 3-D Secure version 2
  • a software developer to make changes to your website
Developer? Get a PayWay test facility.

Enable 3-D Secure Version 2

To enable 3-D Secure version 2:

  1. Sign in to PayWay
  2. Click Settings
  3. Click 3-D Secure Version 2
  4. Agree to terms and conditions and click Confirm.

To add modules, you need Client Administrator access.

Trusted Frame and REST API

These steps assume you have already implemented a Trusted Frame solution.

Step 1: Pre-Authentication

To opt-in to 3-D Secure version 2, when you call createCreditCardFrame pass option threeDS2: true.

PayWay will check if the credit card is enrolled in 3-D Secure version 2.

When PayWay sends the singleUseTokenId to your site, check field threeDS2AuthRequired.

threeDS2AuthRequired Next action
true Send an Authentication request
false Process a payment, create a customer or update a customer

Step 2: Authentication

To authenticate the cardholder, your server must send a POST to the PayWay REST API. This allows you to pass information, such as your customer's email address, billing address, etc.

The response will contain a transStatus to indicate if you should:

  • process a payment, create a customer of update a customer (A or Y) or,
  • present a challenge window (C) or,
  • stop processing (any other value)

Step 3: Challenge

To present a challenge window, call Javascript function payway.createChallengeFrame.

PayWay will send your site an updated transStatus to indicate if the customer has now passed the challenge.

Step 4: Process Payment or Store Credit Card

If transStatus is A or Y after the authentication or the challenge, you should send a request to:

Send parameter threeDS2 set to true.

Classic API

You must integrate with third party 3-D Secure Server Software to perform the authentication.

To process a transaction, you must send additional fields.

Contact us

For sales, help and technical support contact us.


The information contained in this publication is provided for learning purposes only and is subject to change. Revisions may be issued from time to time that encompass changes or additions to this module.

This is a guide only and it is not comprehensive. It does not impinge on or overrule any formal arrangement you may enter into with the Bank. The Bank and its officers shall not have any liability for any losses of any kind incurred in connection with any action, inaction or decision taken in reliance on the information herein or for any inaccuracies, errors or omissions. In this publication references to the "Bank" are to Westpac Banking Corporation ABN 33 007 457 141 and to any of its operating Divisions, including BankSA and St.George.