3DS Configuration

3DS Flex is the most advanced product on the market for 3-D Secure (3DS). It helps to increase issuer approvals for transactions affected by PSD2.

For full details, and to download the user PDF, visit the 3DS Flex web page.

To use 3DS authentication, you must enable and configure 3DS. Do the following:

  1. Go to Admin/Stores/Configuration/Sales/Worldpay.

  2. Click the Credit Card 3DS Authentication tab to see the 3DS configuration panels below.

Activating 3DS

Step 1. Set Activate 3DS Authentication to Yes or No.

Step 2. If Activate 3DS Authentication is set to Yes, then set Enable 3DS1 Authentication to Yes or No.

Step 3. If Activate 3DS Authentication and Enable 3DS1 Authentication are both set to Yes, then set Enable 3DS2 Authentication to Yes or No.

Step 4. If Activate 3DS Authentication is set to Yes, Enable 3DS1 Authentication is set to No, and Enable 3DS2 Authentication is set to Yes, you can then configure 3DS2.


If you enable both 3DS1 and 3DS2, the Worldpay gateway automatically detects the right authentication for the credit card.

See the sample values in the image above to configure 3DS2. After configuration, you must clear the Magento cache: php bin/magento cache:clean

Enable 3DS2 AuthenticationThis enables or disables the 3DS2 feature. If 3DS2 is disabled, orders will be placed by 3DS1 (if 3DS has been enabled). If both are disabled then the order will be placed by normal credit card authorisation.
JWT (JSON Web Token) eventThis is for capturing the session ID from the domain. For production mode, please use: Cardinal Commerce. For test mode, please use: Worldpay secure test.
JWT API Key, JWT Issuer and Organisational Unit IDWorldpay supplies these values. You must contact your Worldpay representative to register you for 3DS2.
Test DDC (Device Data Collection) URLThis is for creating the JWT session ID. For test mode, use: a Worldpay secure test.
Production DDC URLTo create the JWT session ID in production mode, use: Cardinal Commerece
Risk Data*If this is enabled, the plugin provides additional information to Worldpay to reduce the chances that the shopper is challenged.
Authentication MethodThis is added as risk data. It is a mechanism to authenticate shoppers: guestCheckout: The shopper is not authenticated. localAccount: You authenticate the shopper using your own systems. federatedAccount: You authenticate the shopper using a Federated ID. fidoAuthenticator: You use the FIDO Authenticator to authenticate the shopper. issuerCredentials: You use issuer credentials to authenticate the shopper. thirdPartyAuthentication: You use third-party authentication to authenticate the shopper.
Test Challenge URLThis is the URL for the challenge page. For test mode, please use the [Worldpay secure test] (https://secure- test.worldpay.com/shopper/3ds/challenge.html).
Production Challenge URLThis is the URL for the challenge page. For production mode, please use Cardinal Commerce.
Challenge PreferencenoPreference: You have no preference about whether a challenge is made. noChallengeRequested: You prefer that no challenge is made. challengeRequested: You want a challenge to be made. challengeMandated: There are local or regional mandates that insist that a challenge must be made. This is an optional field.
Challenge Window TypeThe 3DS2 challenge form redirects shoppers either to a full page or an iframe. The Full Page redirects them to either Worldpay or Cardinal. The Iframe challenge form appears in the same page.

3DS2 works with both Direct and Redirect modes. You can enable the integration mode at Stores/Configuration/Sales/Credit Cards. See Credit Card configuration for more details.

Credit card configurations

For a detailed view of risk data, go to Sales/Orders/Order View/Information and look under Payment Information.

Previously saved card not working after 3DS2 activation

If a shopper has saved their card before 3DS2 activation, they must update the card details in their My Account section. This is because the token created earlier may not work with 3DS2.


Card details are not saved. The token is only saved at the Magento level.