Skip to main content

Overview

Secure Fields supports two distinct 3-D Secure approaches: a Native implementation you build and control, and a Hosted solution managed by Gr4vy. Both support Dynamic 3-D Secure configuration via Flow rules.

Choose your approach

ApproachBest forImplementation
Native 3DSCustom UI, full control, embedded experienceYou build the 3DS challenge UI using Secure Fields components
Hosted 3DSMinimal setup, rapid deploymentGr4vy provides a fully managed 3DS flow

Hosted 3DS Solution

Learn how to use the hosted 3DS solution with Secure Fields.

Native 3DS implementation

Prerequisites

Native 3DS requires merchant account-level 3-D Secure configuration to be set up. This is different from the per-connection setup and must be enabled before using the native implementation.

Merchant account-level configuration

Follow the setup guide to configure 3DS at the merchant account level.

How it works

Native 3DS automatically handles all device fingerprinting requirements, including collecting the device’s IP address, user agent, and other authentication metadata needed for 3-D Secure compliance. You don’t need to manually collect or pass this data—the implementation handles it transparently.

Initialization

There are two ways to initialize the native 3-D Secure component: as a React component or through the vanilla JavaScript API (in Node or CDN scenarios). The property challengeWindowSize controls the size of the challenge window and can be set to the following values:
ValueDimensions
'01'250px × 400px
'02'390px × 400px
'03'500px × 600px
'04'600px × 400px
'05'Full container dimensions (default)
The examples use a <dialog> as the container for the 3-D Secure UI, but any container can be used.
import { useRef } from 'react';
import { ThreeDSecure } from '@gr4vy/secure-fields-react';

function ThreeDSecureWrapper() {
  const containerRef = useRef(null);
  return (
    <dialog ref={containerRef} open={false}>
      <ThreeDSecure
        ref={containerRef}
        // optional, if omitted it defaults internally to "05"
        challengeWindowSize="05"
      />
    </dialog>
  );
}

Showing the 3-D Secure UI

With the 3-D Secure start callback, the 3-D Secure process start can be detected, allowing the container UI to be displayed. 
// element is the element specified by ref.
<ThreeDSecure
  onThreeDSStart={({ element }) => element?.showModal()}
  ref={containerRef}
/>

Receiving the 3-D Secure result

With the 3-D Secure finish callback, the 3-D Secure process finish can be detected, allowing any UI element that was shown during the process to be dismissed and the outcome of the process to be received. 
<ThreeDSecure
  ref={containerRef}
  onThreeDSStart={({ element }) => element?.showModal()}
  onThreeDSFinish={({ element, tokenized, authentication }) => {
    // here you can perform operations based
    // on tokenized or authentication

    element?.close(); // you can also clear any UI container
  }}
/>
These are the arguments received by the 3-D Secure finish callback:
ArgumentTypeDescription
elementHTMLElementThe HTML container (for example, dialog) used to display the 3-D Secure UI.
tokenizedbooleanIndicates whether the card data was successfully tokenized.
authenticationObjectThe result of the 3-D Secure authentication.
The authentication object contains the following properties:
PropertyTypeDescription
transaction_status"Y"The transaction was successful
"N"The transaction failed.
nullThe transaction status is unknown
typenullThe flow failed because the card used is not enrolled
"challenge"The flow required the user to perform a challenge
"frictionless"The flow was successful without requiring a challenge
"error"The flow encountered an error during the process
attemptedbooleanIndicates if authentication was attempted
timed_outbooleanIndicates if the authentication process timed out
user_cancelledbooleanIndicates if the user cancelled the challenge

After authentication

Once you receive the 3-D Secure authentication result, you can determine whether authentication was attempted and whether it was successful. You can then proceed to create a transaction regardless of the outcome. The authentication object provides the following key signals:
  • attempted: Whether the authentication process was initiated
  • timed_out: Whether the authentication timed out before completing
  • user_cancelled: Whether the user dismissed the challenge
  • transaction_status: The final result ("Y" = success, "N" = failed, null = unknown)
Based on these values, you can decide to proceed with the transaction creation or inform the user accordingly. The authentication result is included in the transaction response and can be used for reporting, compliance, or business logic decisions.

Testing and validation

To test your Native 3DS implementation, use the 3DS Test Cards in your sandbox environment. These cards allow you to simulate various outcomes, including frictionless authentication, mandatory challenges, and specific failure states.

Test cards

Visa

Card NumberExpected 3DS Outcome
4000 0000 0000 0010Frictionless Success: Authenticated without user interaction.
4000 0000 0000 0028Challenge Required: Triggers a 3DS challenge UI.
4000 0000 0000 0044Authentication Failed: Simulates a “Not Authenticated” result.
4000 0000 0000 1042Rejected: The authentication request was explicitly rejected.

Mastercard

Card NumberExpected 3DS Outcome
5100 0000 0000 0010Challenge Required: Triggers a 3DS challenge UI.
5200 0000 0000 2052Frictionless Success: Authenticated without user interaction.
5200 0000 0000 1039Unavailable: Simulates a scenario where 3DS is not available for the card.
5100 0000 0000 0065Suspected Fraud: Frictionless failure due to suspected fraud.

American Express

Card NumberExpected 3DS Outcome
3415 0209 8634 895Frictionless Success: Authenticated without user interaction.
3486 3826 7931 507Challenge Required: Triggers a 3DS challenge UI.
3456 9539 9207 589Authentication Failed: Frictionless failure.

Challenge screen inputs

When a challenge is triggered, use the following values to simulate different transaction results.

OTP (One-Time Password)

When the challenge screen asks for a code, enter one of the following:
OTP CodeResulting Transaction StatusDescription
1234YSuccess / Authenticated.
1111NNot Authenticated.
2222RRejected.
3333UUnavailable / Unable to complete.

Selection options

Some challenges may present a list of options (for example, “Select your favorite city”). Single-select
  • Paris or Nice: Returns Success (Y).
Multi-select
  • Paris & Lyon: Returns Success (Y).
  • Toulouse & Lyon: Returns Success (Y).

Best practices for testing

  1. Verify UI transitions: Ensure your app correctly transitions from the card entry screen to the 3DS challenge modal and back.
  2. Test error states: Use the “Rejected” or “Failed” cards to ensure your app displays helpful messaging to the user when a card cannot be verified.
  3. Check authentication outcome: After a successful test, verify that the authentication object in your callback reflects the expected result before attempting the final transaction.