> ## Documentation Index
> Fetch the complete documentation index at: https://developers.pcibooking.net/llms.txt
> Use this file to discover all available pages before exploring further.

# PSD2 and 3D Secure Implementation Guide

> Add 3D Secure (3DS2) authentication to your payment flow with PCI Booking. Supports hosted forms, third-party 3DS data, and in-transit tokenization. Includes test cards for all challenge types.

The EU's [PSD2 (Payment Services Directive)](https://en.wikipedia.org/wiki/Payment_Services_Directive) requires Strong Customer Authentication (SCA) for online card payments. [3D Secure 2 (3DS2)](https://en.wikipedia.org/wiki/3-D_Secure) satisfies the SCA requirement by verifying the cardholder's identity during the transaction. PCI Booking handles the 3DS2 flow on your behalf, so you can add frictionless authentication to your payment process without building the 3DS integration yourself.

## How PCI Booking Handles 3D Secure

PCI Booking supports 3DS authentication in three ways, depending on how you capture cards:

### Hosted Card Entry Form with 3DS

When you capture a card directly from the cardholder using the [Hosted Card Entry Form](/capture-cards/hosted-card-entry-form), enable 3DS in your [merchant setup](/account-setup/3ds-merchant-setup) and PCI Booking triggers the 3DS2 challenge automatically during card capture. The cardholder completes authentication on the same page, and you receive the fully authenticated token in the callback.

### Store 3DS authentication from a third party

When you receive 3DS authentication data from a third party (for example, an OTA that has already verified the cardholder), use the [Store 3DS Authentication](/api-reference/manage-tokens/store-3d-token) endpoint to attach the 3DS result to an existing card token. The stored authentication data can then be used when processing a charge through the payment gateway.

### Tokenize in transit with 3DS data

When tokenizing card data in transit from a third party using [Tokenization on Response](/capture-cards/tokenization-on-response) or [Tokenization on Request](/capture-cards/tokenization-on-request), PCI Booking preserves any 3DS authentication data alongside the token. This lets you charge the card with the original 3DS proof intact.

To configure your 3DS merchant details, follow the [3DS Merchant Setup](/account-setup/3ds-merchant-setup) guide.

## Test Cards

Use these cards to test 3DS flows in your sandbox environment. For all cards below:

* **Expiry date**: any future date
* **Name on card**: `Three DS test`
* **CVV**: `123`

### Frictionless

Cardholder is authenticated based on transaction data alone. No additional challenge is shown. You receive a fully authenticated 3DS result immediately.

| Card Scheme | Card Number      |
| ----------- | ---------------- |
| Visa        | 4761739000060016 |
| Mastercard  | 5455330200000016 |

### Device Fingerprint (DFP)

The issuer requests additional device information for risk analysis. The cardholder does not see any change in the flow.

| Card Scheme | Card Number      |
| ----------- | ---------------- |
| Visa        | 4761739001010010 |
| Mastercard  | 5185520050000010 |

### Challenge

The issuer requires a user challenge (OTP prompt).

| Card Scheme | Card Number      | Success OTP | Fail OTP |
| ----------- | ---------------- | ----------- | -------- |
| Visa        | 4018810000150015 | 0101        | 3333     |
| Mastercard  | 5299910010000015 | 4445        | 9999     |

### Device Fingerprint + Challenge

The issuer requests device information followed by a user challenge.

| Card Scheme | Card Number      | Success OTP | Fail OTP |
| ----------- | ---------------- | ----------- | -------- |
| Visa        | 4018810000190011 | 0101        | 3333     |
| Mastercard  | 5420711000401011 | 4445        | 9999     |

## Frequently asked questions

### Does PCI Booking handle the 3DS challenge flow automatically?

Yes. When you use the Hosted Card Entry Form with 3DS enabled, PCI Booking manages the entire 3DS2 flow including device fingerprinting and challenges. Your system receives the final authentication result.

### Can I use 3DS with cards received from an OTA?

Yes. If the OTA has already completed 3DS authentication, you can store the authentication data alongside the card token using the [Store 3DS Authentication](/api-reference/manage-tokens/store-3d-token) endpoint.

## Related

* [3DS Merchant Setup](/account-setup/3ds-merchant-setup). Configure merchant information for 3DS authentication.
* [3DS Auth Management](/manage-tokens/3ds-auth-management). Store, retrieve, and delete 3DS data on tokens.
* [Collect and Process a Payment](/use-cases/capture-and-charge). Full card capture and charge workflow with 3DS support.
