Skip to main content

Enable 3DS2 for CyberSource gateway integration

Zuora

Enable 3DS2 for CyberSource gateway integration

3D Secure 2.0 (3DS2) is a widely recommended solution for strong customer authentication (SCA) under PSD2. The CyberSource, Payment API v2.0 gateway integration provides support for 3DS2 through the embedded iFrame of Payment Pages 2.0. 

To comply with PSD2 using 3DS2, the following updates are required:

  1. Configure the gateway instance.
  2. Configure 3DS2 settings in Payment Pages.

Then you can implement and use Payment Pages 2.0 as usual. See Payment Pages 2.0 implementation overview for more information. Ensure that you adopt the Stored Credential Transaction framework by adding a way for customers to give consent for their payment credentials to be stored on file. You need to configure your Payment Pages to call the Z.setAgreement function. See Integrate Payment Pages 2.0 for details.

With 3DS2 implemented and enabled, when end customers are challenged while transacting on your Payment Page, they will get held up on the challenge window before passing the validation. The callback page is displayed only when they are authenticated. A payment method ID is also generated and returned. 

If your customers failed the strong customer authentication, the [ThreeDs2_Authentication_Exception] error code and the actual error message are returned. The error code is common across all gateways, while the error message is gateway-specific.

Configure the gateway instance

Only the CyberSource, Payment API v2.0 version supports 3DS2. If you are using an earlier version of CyberSource gateway integration, upgrade your gateway to this version. Contact Zuora Global Support to get access to the CyberSource, Payment API v2.0 gateway.

When configuring the gateway instance, you must enter the following fields on the gateway configuration page in addition to the required fields:

  • Organization ID 
  • API Identifier 
  • API Key

The values for these fields should be provided by CyberSource. Contact CyberSource Merchant Support to get this information for your merchant account.

For the Commerce Indicator field, it is strongly recommended to select Recurring to prevent the high payment decline rate due to the error code 478.

To support passing the indicator of requesting a cardholder challenge, make sure the Force SCA Challenge on 3DS Requests checkbox is selected on the gateway setting page for your ​​CyberSource gateway instance. By selecting this setting, the challengeCode=04 indicator will be passed to the CyberSource gateway. See CyberSource Payment Gateway for more information.

SCA grandfathering

CyberSource supports grandfathering saved cards. You must select Recurring for the Commerce Indicator dropdown list so that transactions made using the credit cards already saved in your Zuora tenant are highly likely to be exempted from SCA.

Configure 3DS2 settings in Payment Pages

When setting up a Payment Page, select the Enable 3D Secure 2.0 checkbox and select the created gateway instance from the Default Payment Gateway dropdown list. You can complete other settings as usual.

Zuora recommends you to enable the CAPTCHA challenge feature so that you can limit the number of times end customers can attempt to submit the form after they fail the authentication. CAPTCHA challenge can be used with the 3DS2 feature to prevent potential bot attacks and reinforce the transaction security.

For more information about enabling and configuring CAPTCHA, see Advanced Security Measures for Payment Pages 2.0.

If you select a gateway integration that does not support 3DS2, an error message is displayed when saving the Payment Page.