# 3DS

<details>

<summary>3DS in Server2Server solution</summary>

Deposits that are subject to the 3DS Authentication flow receive, in the response of the PCI Deposit Endpoint, a **`payment_info.result`** with the value **`PENDING_AUTHENTICATION`**.

{% hint style="success" %}
Deposits that are **not** subject to 3DS Authentication are synchronously approved or rejected, with **`payment_info.result`** values **`SUCCESS`** and **`REJECTED`**.
{% endhint %}

#### Example response

<pre class="language-json" data-title="Response in the Server2Server integration"><code class="lang-json">{ 
  "deposit_id": 300854027,
  "merchant_invoice_id": "postmanTest488131304", 
  "payment_info": { 
    "type": "CREDIT_CARD", 
<strong>    "result": "PENDING_AUTHENTICATION", 
</strong><strong>    "reason": "Require 3DS Authentication", 
</strong><strong>    "reason_code": "PENDING_AUTHENTICATION", 
</strong>    "payment_method": "VI", 
    "payment_method_name": "Visa", 
    "created_at": "2023-10-19 16:57:55", 
<strong>    "authentication_url": "https://checkout.cc-stg.pandablue.net/authentication/MM15BgQjHVjGEpQLCYZQ1dBoMOcJuDAc" 
</strong>  } 
}
</code></pre>

### `authentication_url`

This parameter contains a URL with the 3DS Authentication challenge to be displayed to the end-user. In order to do so, you can:

#### Open the `authentication_url` within an iframe

The challenge can be displayed within an iframe if you want to keep the user on the same webpage.

The page that opens the iframe can register a JavaScript `message` event listener, which is notified when the iframe can be closed and receives the result of the transaction.

**JavaScript Method**

```javascript
// `handler` is your function; it receives the MessageEvent posted by the challenge iframe.
window.addEventListener('message', handler);
```

Additionally, the message received by the event listener indicates whether the transaction was successful or ended in an error, within the `payment_result` object.

```json
{ "payment_result": "success" }
```

```json
{ "payment_result": "error" }
```
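Because any window can post a `message` event to your page, the handler should check where the message came from before acting on `payment_result`. The following is an added example, not PandaBlue's own code: the function names are hypothetical, and it assumes the message is sent from the same origin as the `authentication_url`, either as an object or as a JSON string.

```javascript
// Assumption: the challenge page posts { "payment_result": "success" | "error" }
// as an object or a JSON string, from the same origin as authentication_url.

// Returns 'success', 'error', or null when the message must be ignored.
function read3dsResult(event, authenticationUrl, iframeWindow) {
  // Accept only the origin that serves the challenge.
  if (event.origin !== new URL(authenticationUrl).origin) return null;
  // Accept only the window of the iframe we created.
  if (event.source !== iframeWindow) return null;

  let data = event.data;
  if (typeof data === 'string') {
    try { data = JSON.parse(data); } catch (err) { return null; }
  }
  if (data === null || typeof data !== 'object') return null;

  const result = data.payment_result;
  return result === 'success' || result === 'error' ? result : null;
}

// Browser wiring: show the challenge, close it once a trusted result arrives.
function mount3dsChallenge(authenticationUrl, container, onDone) {
  const iframe = document.createElement('iframe');
  iframe.src = authenticationUrl;
  container.appendChild(iframe);

  function handler(event) {
    const result = read3dsResult(event, authenticationUrl, iframe.contentWindow);
    if (result === null) return; // unrelated or untrusted message
    window.removeEventListener('message', handler);
    iframe.remove();
    onDone(result); // UI signal only; the deposit status arrives by webhook
  }
  window.addEventListener('message', handler);
}
```
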

#### Or, you can redirect the user into a new tab

The `authentication_url` can also be opened for the end-user in a new tab. If you opt for this flow, please make sure to include the following parameters in the Deposit request:

<table><thead><tr><th width="153.60546875">Parameter</th><th width="92.85286458333331">Format</th><th>Description</th></tr></thead><tbody><tr><td><code>back_url</code></td><td>URL</td><td>URL to redirect the user to if they want to withdraw from the payment flow.</td></tr><tr><td><code>success_url</code></td><td>URL</td><td>URL to redirect the user to after the Deposit flow has come to an end.</td></tr><tr><td><code>error_url</code></td><td>URL</td><td>URL to redirect the user to if an error occurs.</td></tr></tbody></table>

### Webhooks

As you may notice, if a 3DS challenge is needed in your Server2Server integration, the response **will not be synchronous**. \
Therefore, after the authentication and payment processing, a webhook notification will be sent so that you can check the deposit and retrieve the status of the transaction.

:information\_source: For more information regarding webhooks please go to the [API Reference](https://docs.pandablue.com/guides/deposits/create-deposits/credit-cards/broken-reference).

</details>

<details>

<summary>Third party 3DS Server2Server</summary>

It is possible to create a deposit submitting information from a third-party 3DS provider.

{% hint style="success" %}
Please check regional availability with your account manager, as this functionality may not be available in all countries :earth\_americas:
{% endhint %}

In order to do so, you need to include the **`three_domain_secure[]`** object in the Server2Server integration request.

### `three_domain_secure[]` Object

```json
"three_domain_secure":{
      "cavv": "3q4+33t+ur5erb7vyv53vv\/\/\/\/9=",
      "eci": "05",
      "transaction_id": "HMUzFWRzOTcwOKG7PzY3Rw==",
      "specification_version": "2.0.0"
      }
```

<table><thead><tr><th width="228.36328125">Field</th><th width="102.109375">Format</th><th>Description</th></tr></thead><tbody><tr><td><code>cavv</code></td><td>String</td><td>The cardholder authentication value for the 3D Secure authentication session. The returned value is a base64-encoded 20-byte array.</td></tr><tr><td><code>eci</code></td><td>String</td><td>The electronic commerce indicator.</td></tr><tr><td><code>transaction_id</code></td><td>String</td><td>The transaction identifier assigned by the 3DS Server for v2 authentication (36 characters, commonly in UUID format).</td></tr><tr><td><code>specification_version</code></td><td>String</td><td>The 3DS Authentication version.<br>Accepted from <code>2.0.0</code> onwards.</td></tr></tbody></table>

#### Allowed `eci` codes for the Third Party 3DS flow

* 01 and 02 for Mastercard.
* 05 and 06 for Visa and Amex.

#### Example PCI Deposit Creation request with third-party 3DS

```json
{
    "invoice_id": "800000001",
    "amount": 1000,
    "country": "BR",
    "currency": "BRL",
    "payer": {
        "id": "11111",
        "document": "84932568207",
        "document_type": "CPF",
        "email": "johnSmith12@hotmail.com",
        "first_name": "John",
        "last_name": "Smith",
        "phone": "+233852662222",
        "birth_date": "19880910",
        "address": {
            "street": "Calle 13",
            "city": "bahia",
            "state": "SP",
            "zip_code": "12345-678"
        }
    },
    "credit_card": {
        "cvv": "123",
        "card_number": "4111111111111111",
        "expiration_month": "10",
        "expiration_year": "25",
        "holder_name": "JOHN SMITH"
    },
    "three_domain_secure":{
      "cavv": "AJkBARglcgAAAAPohABHdQAAAAA=",
      "eci": "05",
      "transaction_id": "7e76d057-100a-4d0d-9683-5eb0ce0ee3a4",
      "specification_version": "2.0.0"
      },
    "description": "Test transaction",
    "client_ip": "123.123.123.123",
    "device_id": "knakvuejffkiebyab",
    "fee_on_payer": false
}
```
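The field constraints and allowed `eci` codes listed above can be checked on your server before the request is sent. This is an added example for Node.js, not part of PandaBlue's API or SDK: the function name and the brand labels (`visa`, `mastercard`, `amex`) are hypothetical, and the sample values are the ones from the example request.

```javascript
// Brand labels are hypothetical; ECI values per brand are the ones listed above.
const ALLOWED_ECI = new Map([
  ['mastercard', ['01', '02']],
  ['visa', ['05', '06']],
  ['amex', ['05', '06']],
]);
const BASE64 = /^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?$/;

// Returns a list of problems; an empty list means the object passes the checks.
function validateThreeDomainSecure(tds, brand) {
  if (tds === null || typeof tds !== 'object') {
    return ['three_domain_secure must be an object'];
  }
  const errors = [];

  // cavv: strict base64 that decodes to exactly 20 bytes.
  if (typeof tds.cavv !== 'string' || !BASE64.test(tds.cavv) ||
      Buffer.from(tds.cavv, 'base64').length !== 20) {
    errors.push('cavv must be a base64-encoded 20-byte array');
  }
  // eci: must be one of the codes allowed for the card brand.
  const allowed = ALLOWED_ECI.get(brand);
  if (!allowed) {
    errors.push('unsupported card brand');
  } else if (!allowed.includes(tds.eci)) {
    errors.push('eci not allowed for ' + brand);
  }
  // transaction_id: 36 characters (commonly a UUID).
  if (typeof tds.transaction_id !== 'string' || tds.transaction_id.length !== 36) {
    errors.push('transaction_id must be 36 characters');
  }
  // specification_version: x.y.z, accepted from 2.0.0 onwards.
  const m = typeof tds.specification_version === 'string' &&
    /^(\d+)\.(\d+)\.(\d+)$/.exec(tds.specification_version);
  if (!m || Number(m[1]) < 2) {
    errors.push('specification_version must be 2.0.0 or later');
  }
  return errors;
}

// Sample input: the three_domain_secure object from the example request above.
const sampleTds = {
  cavv: 'AJkBARglcgAAAAPohABHdQAAAAA=',
  eci: '05',
  transaction_id: '7e76d057-100a-4d0d-9683-5eb0ce0ee3a4',
  specification_version: '2.0.0',
};
```
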

</details>

<details>

<summary>Fragments Lite</summary>

Our Fragments Lite integration supports both scenarios described above:

1. Using PandaBlue's 3DS challenge.
2. Sending the output of your 3DS MPI (`three_domain_secure[]` object).

#### Using PandaBlue's 3DS challenge

The only difference with the Server2Server 3DS flow is that **instead** of sending the `credit_card[]` object, you will be sending the **`card_token`** generated with the SDK.

From there, the flow is the same: you will receive the **`PENDING_AUTHENTICATION`** response with the **`authentication_url`** containing the 3DS challenge.

#### Using a third party 3DS

The only difference with the Server2Server 3DS flow is that instead of sending the `credit_card[]` object, you will be sending the **`card_token`** generated with the SDK.

In the request you should also include the **`three_domain_secure[]`** object.

</details>

<details>

<summary>Fragments all-in-one</summary>

The Fragments all-in-one integration will take care of handling the 3DS Challenge within your website.\
You won't need to make any adjustments in that regard.

</details>

<details>

<summary>OneShot redirect</summary>

As the OneShot credit card integration consists of you redirecting the user to our card form checkout, we will handle the challenge experience from there.\
No changes from your end are required.

</details>
