We have upgraded our 3D Secure integration in preparation for 3DS 2 and PSD2 Strong Consumer Authentication (SCA) compliance requirements in 2019.

This guide shows our legacy integration for 3D Secure. To use 3DS 2 instead:

Payment flow

  • If the authentication is completed successfully or none was required, use the returned nonce to create a transaction.

Create a transaction

To create a 3D Secure transaction, make a server-side sale call using the payment method nonce you received from your client when you verified the credit card.

Collect device data from the client and include the deviceDataFromTheClient in the transaction.

TransactionRequest request = new TransactionRequest()
  .amount(new BigDecimal("10.00"))

Result<Transaction> result = gateway.transaction().sale(request);

3D Secure information is lost when a 3D Secured paymentMethodNonce is used outside of a call.

Vaulted credit card nonces

When creating a 3D Secure transaction with a vaulted card, the process is essentially the same as above – just use the payment method token associated with the vaulted card to create the payment method nonce.

Result<PaymentMethodNonce> result = gateway.paymentMethodNonce().create("PAYMENT_METHOD_TOKEN");
String nonce = result.getTarget().getNonce();

Server-side details

Payment method nonces will include 3D Secure information such as liabilityShifted and liabilityShiftPossible. This can be used for server-side risk checking before creating transactions.

PaymentMethodNonce paymentMethodNonce = gateway.paymentMethodNonce().find("nonce_string");
ThreeDSecureInfo info = paymentMethodNonce.getThreeDSecureInfo();
if (info == null) {
  return; // This means that the nonce was not 3D Secured


Transactions also expose 3D Secure info. This can be used for reporting on the details of a 3D Secured transaction after creating it.

Transaction transaction = gateway.transaction().find("the_transaction_token");
ThreeDSecureInfo info = transaction.getThreeDSecureInfo();
if (info == null) {
  return; // This means that the nonce was not 3D Secured


Status codes

Below are the possible 3D secure statuses, along with their liability shifts and 3D Secure enrolled values. This table also shows whether a transaction will be rejected by the Braintree gateway when options().threeDSecure().required() is set to true when creating a transaction, or when creating or updating a subscription.

Status Liability Shift Possible Liability Shifted Reject if 3DS is required Enrolled Value
The associated card brand authenticated this 3D Secure transaction using its Attempts server because the card issuer's authentication server was unavailable.
true true No Y
An error occurred within the 3D Secure authentication system; have the customer attempt the transaction again. Contact our Support team if most attempted 3D Secure transactions receive this error message.
true false Yes Y
The customer entered an incorrect 3D Secure password or they took too long to enter in a password value and the 3D Secure authentication timed out. Have the customer attempt the transaction again.
true false Yes Y
An error occurred during the lookup and the returned authentication message is no longer secure. Have the customer attempt the transaction again.
true false Yes Y
The transaction was successfully authenticated with 3D Secure.
true true No Y
Your customer’s card-issuing bank is domiciled outside of the US and is not certified by the associated card brand to allow 3D Secure transactions.
true true No N
A downstream error occurred with the card-issuing bank that caused the 3D Secure authentication to fail. Have the customer attempt the transaction again.
true false Yes Y
The card network is unavailable to verify the customer's card using 3D Secure. Your Braintree gateway may not be set up to accept the customer’s provided card type; 3D Secure transactions on this card type will be unavailable until the setup process is complete. If you have just enabled 3D Secure, the setup process for Mastercard can take 2-3 business days and American Express can take up to 7 business days. If you continue to see this status for all 3D Secure transactions for a particular card type after the setup process is complete, please Contact our Support team. This status could also indicate the 3D Secure authentication timed out; if you believe this to be the case, have the customer attempt the transaction again.
false false No U
The customer's card was issued by a bank where 3D Secure verifications are bypassed and opportunity for liability shift is negated. If you prefer not to continue transactions with this status, ask the customer for a different payment method.
false false No B
Your customer clicked on the Braintree-provided cancel button in the 3D Secure authentication window. This can only occur if your setup allows customers to cancel the 3D Secure flow.
true false Yes Y
An error occurred during the lookup and caused 3D Secure authentication to fail.
false false No Null
Your customer is not enrolled in 3D Secure.
false false No N
Your account is not set up to authenticate the customer’s provided card brand with 3D Secure. Only the following card brands are currently supported: Visa, MasterCard, American Express, and Maestro. Contact our Support team to confirm your 3D Secure configuration.
false false No Null
3D Secure 2 Only The issuer is requiring a challenge to complete the 3D Secure authentication.
true false Yes Y
3D Secure 2 Only The issuer has rejected the 3D Secure authentication without issuing a challenge.
false false Yes Y

For American Express SafeKey, liabilityShifted may be returned as true but Amex may later revoke the liability shift for the transaction based on your merchant behavior and fraud rate.

Server-side errors

A transaction result may contain a validation error when processing a 3D Secure transaction.

Additionally, if you specify that 3D Secure is required but the customer did not pass 3D Secure authentication or 3D Secure authentication was not attempted, the transaction will be rejected by the Braintree gateway. If the customer’s card is not enrolled in a 3D Secure program but you used a nonce generated from a 3D Secure client-side verification, then the transaction will not be gateway rejected.

Advanced server-side options

We expose additional information about the authentication request that you can use for more advanced UI flows or risk assessment. You should be aware that making such assessments may result in accepting the liability for fraudulent transactions.

The gateway uses a boolean to indicate whether or not you expect 3D Secure authentication to have succeeded on a transaction. When you create a transaction with a 3D Secure enriched nonce, the options().threeDSecure().required() parameter defaults to true. This only allows transactions to go through if authentication has been attempted and succeeded, or has been attempted and not been possible (in the case of cards not participating in 3D Secure).

We strongly recommend you allow this parameter to default to true, as it helps protect you against malicious users tampering with your front-end code and bypassing 3D Secure completely. That being said, you do have the option of determining your own level of risk and pushing the transaction through regardless of its 3D Secure status by setting required to false on a per-transaction basis.


If you pass required as true on transactions that do not go through 3D Secure, those transactions will be gateway rejected.

Next Page: Testing and Go Live →