3DS - authentication of online payments

Introduction

3D Secure (3DS) adds an extra layer of authentication for online card transactions, enhancing security and reducing the risk of unauthorized activity. Mynt supports the 3DS process by forwarding authentication requests to a partner’s webhook, where the partner can present the request to the cardholder. This section provides details on how partners can implement 3DS requests, handle them securely, and respond using Mynt’s 3DS callback endpoints.

General Flow

The 3DS flow begins when Mynt receives a 3DS authentication request during an online transaction. Mynt forwards the request to the partner’s webhook, which presents the request to the user for approval. As soon as the request has been presented to the user, the partner notifies Mynt, and Mynt relays this confirmation back up the chain to the issuer.

The initial roundtrip, from Mynt forwarding the request to receiving confirmation from the partner, should take no longer than 2 seconds. After the card holder approves or denies the request, the partner must call Mynt’s 3DS callback endpoint to finalize the process. The full roundtrip, including user action, can take up to 150 seconds.

Strong Customer Authentication (SCA) Implementation

To comply with PSD2 regulations, partners are required to implement Strong Customer Authentication (SCA) login within their app to support 3DS transactions. This ensures secure verification of users during the transaction process, so your app must be able to handle the SCA login flow for user authentication.

For partners who prefer not to implement Strong Customer Authentication (SCA) directly within their own app, Mynt offers a white-label app solution for card management, which includes full SCA functionality. This allows partners to rely on Mynt’s infrastructure to handle the SCA process, minimizing the need for internal development and ensuring compliance with PSD2 regulations.

Merchant landing page

The landing page includes:

  • Partner logo
  • MC/VISA required logo
  • Merchant name
  • Amount of purchase
  • Further instructions on how to authenticate (customizable for partners)

Mynt's 3DS Endpoints

Endpoint Overview

Partners need to implement two key components for the 3DS process:

  1. Webhook Integration: A webhook to receive 3DS requests from Mynt and present them to the user.
  2. Callback Endpoint: An endpoint to call Mynt after the user approves or denies the authentication request.

Webhook Integration

The partner is required to implement a webhook to receive 3DS requests from Mynt. Ensure that your webhook is accessible and capable of processing incoming requests securely.

API requirements

  • Full endpoint URL, header name and API token must be sent to Mynt during integration
  • POST https://partner-domain.com/path/to/webhook
  • Endpoint should:
    • return 200 OK, 201 Created or 204 No Content on successful reception
    • accept a header for the API token, partner-api-token: xxx....secret...yyy (the integrating partner may choose a different header name)
  • Endpoint may:
    • apply IP allow-listing in the production environment (Mynt IP addresses will be provided on demand)
    • return other error codes should anything fail during message processing
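The following is an added example of a partner-side webhook receiver that meets the requirements above; it is not Mynt's code or any partner's code. It assumes the agreed header name partner-api-token, a constructed placeholder token, a constructed allow-list range (Mynt provides the real addresses on demand) and a JSON request body. The token is compared in constant time, the source address is checked against the allow-list, and the request is handed to a queue so the HTTP response goes back immediately while a separate worker presents the prompt to the cardholder, which keeps the acknowledgement well inside the 2-second window.

```python
"""Hypothetical partner-side receiver for Mynt 3DS webhook requests.

Added example, not Mynt's or a partner's code. The header name, token value,
allow-list addresses and request body format are assumptions.
"""
import hmac
import ipaddress
import json
import queue
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values agreed with Mynt during integration (constructed placeholders).
TOKEN_HEADER = "partner-api-token"
API_TOKEN = "xxx....secret...yyy"
# Constructed allow-list using a documentation range; Mynt supplies real addresses on demand.
MYNT_ALLOW_LIST = [ipaddress.ip_network("203.0.113.0/24")]

# Accepted requests are queued here; a worker (not shown) takes them and
# presents the prompt to the cardholder, so the HTTP thread answers at once.
PENDING: "queue.Queue[dict]" = queue.Queue()


def source_allowed(remote_addr: str) -> bool:
    """IP allow-listing: only addresses inside the agreed Mynt ranges pass."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in MYNT_ALLOW_LIST)


def token_valid(headers: dict) -> bool:
    """Constant-time comparison of the shared token; header names are matched case-insensitively."""
    presented = next((v for k, v in headers.items() if k.lower() == TOKEN_HEADER), None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), API_TOKEN.encode())


def handle_webhook(remote_addr: str, headers: dict, body: bytes) -> int:
    """Return the HTTP status to send; 204 means the 3DS request was accepted for presentation."""
    if not source_allowed(remote_addr):
        return 403
    if not token_valid(headers):
        return 401
    try:
        payload = json.loads(body)
    except ValueError:
        return 400
    PENDING.put(payload)  # hand off; do not block the response on the cardholder
    return 204


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        status = handle_webhook(self.client_address[0], dict(self.headers), body)
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Local demo only; production deployments sit behind TLS termination.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

The allow-list check runs before the token check so that unsolicited traffic is rejected without ever touching the secret, and the error codes distinguish the failure modes for the partner's own logs while the success path always returns 204.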

Retries

Due to the time-sensitive nature of 3DS, no retries are attempted. Mynt must respond back to the issuer’s access control server within 2 seconds of receiving the request from the partner’s webhook.

Callback Endpoint

Once the user approves or denies the 3DS request, the partner must call Mynt’s 3DS callback endpoint. The endpoint will handle three possible responses:

Time Management

Proper time management is crucial for ensuring smooth and efficient 3DS processing. Partners must meet specific timing requirements for both the initial and full roundtrip processes.

Initial Roundtrip

The maximum time for the initial roundtrip, from when the authentication request is sent to Mynt, forwarded to the partner’s webhook, presented to the user, and acknowledged by the partner, is 2 seconds. This ensures that the issuer and payment networks receive quick confirmation that the authentication process has begun.

Full Roundtrip

The maximum time for the entire 3DS flow, from when the authentication request is initiated to when Mynt receives the final response from the partner and forwards it back to the issuer, is 150 seconds. This time frame accounts for user interaction, allowing the cardholder to approve or deny the request.
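As an added example of how a partner can enforce the two deadlines above on its own side, the tracker below records when each request arrived, refuses a late "presented" acknowledgement after the 2-second initial window, and refuses a late callback after the 150-second full roundtrip. This is not Mynt's or a partner's code; the state names, the injected clock and the outcome strings "approved"/"denied" are this example's own choices, while the two limits are the ones stated in this documentation.

```python
"""Hypothetical partner-side tracker for the two 3DS deadlines.

Added example, not Mynt's or a partner's code. State names, injected clock and
the outcome strings are assumptions; the 2 s and 150 s limits come from the docs.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

INITIAL_ROUNDTRIP_S = 2.0   # webhook received -> "presented" acknowledgement sent to Mynt
FULL_ROUNDTRIP_S = 150.0    # webhook received -> approve/deny callback sent to Mynt


@dataclass
class ThreeDSRequest:
    request_id: str
    received_at: float
    state: str = "received"  # received -> presented -> approved | denied, or expired
    presented_at: Optional[float] = None


class DeadlineTracker:
    """Tracks each 3DS request from webhook receipt to the final callback.

    A monotonic clock is injected so the deadlines can be tested without sleeping.
    """

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._requests: Dict[str, ThreeDSRequest] = {}

    def receive(self, request_id: str) -> ThreeDSRequest:
        """Record the moment Mynt's webhook call arrived."""
        req = ThreeDSRequest(request_id, self._clock())
        self._requests[request_id] = req
        return req

    def get(self, request_id: str) -> ThreeDSRequest:
        return self._requests[request_id]

    def mark_presented(self, request_id: str) -> bool:
        """Call just before acknowledging to Mynt that the prompt is on screen.

        Returns False once the 2-second initial window has passed, so the caller
        fails the request instead of sending a late acknowledgement.
        """
        req = self._requests[request_id]
        now = self._clock()
        if req.state != "received":
            return False
        if now - req.received_at > INITIAL_ROUNDTRIP_S:
            req.state = "expired"
            return False
        req.state = "presented"
        req.presented_at = now
        return True

    def record_outcome(self, request_id: str, outcome: str) -> bool:
        """Record the cardholder's decision ("approved" or "denied").

        Returns True when the callback to Mynt is still inside the 150-second
        full-roundtrip window; otherwise the request is expired and no callback is made.
        """
        if outcome not in ("approved", "denied"):
            raise ValueError("outcome must be 'approved' or 'denied'")
        req = self._requests[request_id]
        if req.state != "presented":
            return False
        if self._clock() - req.received_at > FULL_ROUNDTRIP_S:
            req.state = "expired"
            return False
        req.state = outcome
        return True

    def expire_stale(self) -> int:
        """Housekeeping for a periodic job: expire anything past its current deadline."""
        now = self._clock()
        count = 0
        for req in self._requests.values():
            limit = INITIAL_ROUNDTRIP_S if req.state == "received" else FULL_ROUNDTRIP_S
            if req.state in ("received", "presented") and now - req.received_at > limit:
                req.state = "expired"
                count += 1
        return count
```

Both deadlines are measured from the moment the webhook call was received, which matches the documentation's definition of the roundtrips; a monotonic clock is used so that wall-clock adjustments on the host cannot shorten or extend a window.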

Overview