3DS2 Migration Guide for Existing S2S Cards Integration
If you integrated with our APIs before October 15, 2022, you should make the following changes to your integration to accept card payments with the 3DS2 protocol.
If you integrated with our S2S APIs before October 15, 2022, you must make the following changes to your integration to accept card payments with 3DS2 authentication protocol.
Watch Out!
You must have a PCI compliance certificate to get this feature enabled on your account.
3DS2 is an authentication protocol, the successor of 3DS1, that enables businesses and payment providers to send additional information (such as customer device or browser data) to verify the transaction's authenticity. Curlec integration is compliant with the 3DS2 protocol.
Know more: Curlec supports
.The customer's bank evaluates the transaction for risk and decide on the payment flow.
- Frictionless Flow: This flow is activated if the bank determines that the transaction is from a trusted device and allows the payment to go through without any additional authentication from the customer.
- Challenge Flow: This flow is activated if the bank determines that the transaction is not from a trusted device and needs additional information. The customer needs to perform additional authentication steps.
Handy Tips
- Integration does not differ for challenge or frictionless flow.
- Frictionless flow is not applicable for payments on cards.
Given below is a diagram that explains the 3DS2 flow:
Ensure you make the following changes in your Create a Payment API request. There is no change in the response.
The following endpoint creates a payment via the redirect flow.
curl -X POST \https://api.razorpay.com/v1/payments/create/json \-u [YOUR_KEY_ID]:[YOUR_KEY_SECRET] \-H "Content-Type: application/json" \-d '{"amount": 100,"currency": "MYR","contact": "9000090000","email": "nur.aisyah@example.com","order_id": "order_DPzFe1Q1dEOKed","method": "card","card":{"number": "5272008806235704 ","name": "Nur","expiry_month": 11,"expiry_year": 23,"cvv": 100},"authentication":{"authentication_channel": "browser"},### 3DS2.0 Browser Parameters###"browser":{"java_enabled": false,"javascript_enabled": false,"timezone_offset": 11,"color_depth": 23,"screen_width": 23,"screen_height": 100},"ip": "105.106.107.108","referer": "https://merchansite.com/example/paybill","user_agent": "Mozilla/5.0"}'
Handy Tips
- The payment request and response would remain same for both frictionless and challenge scenarios.
- The payment request would remain same for both redirection and native OTP flows.
amount
mandatory
integer Payment amount in the smallest currency sub-unit. For example, if the amount to be charged is MYRÂ 299.00, then pass 29900 in this field.
currency
mandatory
string Currency code for the currency in which you want to accept the payment. For example, MYR. Refer to the list of supported currencies. Length must be of 3 characters.
order_id
mandatory
string Unique identifier of the Order generated in the first step.
mandatory
string Email address of the customer. Maximum length supported is 40 characters.
contact
mandatory
string Phone number of the customer. Maximum length supported is 15 characters, inclusive of country code.
method
mandatory
string Name of the payment method. Possible value is card.
card
mandatory
object Details associated with the card.
number
string Unformatted card number.
name
string Name of the cardholder.
expiry_month
string Expiry month for the card in MM format.
expiry_year
string Expiry year for the card in YY format.
cvv
string CVV printed on the back of the card.
notes
optional
object Key-value object used for passing tracking info. Refer to
callback_url
optional
string URL endpoint where Curlec will submit the final payment status.
referrer
optional
string Referrer header passed by the client's browser.
user-agent
mandatory
string The User-Agent header of the user's browser. Default value will be passed by Curlec if not provided by merchant.
ip
mandatory
string The customer's IP address.
authentication
optional
object Details of the authentication channel.
authentication_channel
string The authentication channel for the payment. Possible values:
browser(default)app
browser
mandatory
object Information regarding the customer's browser. This parameter need not be passed when authentication_channel=app.
java_enabled
boolean Indicates whether the customer's browser supports Java. Obtained from the navigator HTML DOM object.
javascript_enabled
boolean Indicates whether the customer's browser is able to execute JavaScript.Obtained from the navigator HTML DOM object.
timezone_offset
integer Time difference between UTC time and the cardholder browser local time. Obtained from the getTimezoneOffset() method applied to Date object.
screen_width
integer Total width of the payer's screen in pixels. Obtained from the screen.width HTML DOM property.
screen_height
integer Obtained from the navigator HTML DOM object.
color_depth
integer Obtained from payer's browser using the screen.colorDepth HTML DOM property.
language
string Obtained from payer's browser using the navigator.language HTML DOM property. Maximum limit of 8 characters.
If the payment request is valid, the response contains the following fields.
razorpay_payment_id
string Unique identifier of the payment. Present for all responses.
next
array A list of action objects available to you to continue the payment process.
action
string An indication of the next step available to you to continue the payment process. Possible value:
redirect: The payment requires the customer to be redirected to a bank page. Redirect the customer's browser to the URL returned in theurlattribute of the object.
url
string URL to be used for the action indicated. For redirect, this will be a URL that the customer's browser needs to be redirected to for authentication.
The rest of the integration steps mentioned in the
remain the same. No changes are required in those.After completing the build integration steps, you can continue with
Is this integration guide useful?