Skip to main content
UQPAY supports 3D Secure (3DS) authentication to help prevent fraud on online transactions. By default, 3DS decisions are made by the UQPAY risk engine. You can override this behavior per card to either enforce or bypass 3DS challenges.
3DS configuration support varies by card BIN. See Supported BINs for risk control configurations.

Configure 3DS behavior

Control the allow_3ds_transactions flag under risk_controls:
ValueBehavior
Y (default)Risk engine evaluates each transaction. May trigger 3DS challenge for high-risk transactions
NBypasses risk evaluation. All transactions proceed via frictionless flow
When set to N, the card uses a frictionless 3DS authentication mechanism. Transactions complete without OTP input and are treated as cardholder-authenticated. As a result, disputes based on fraud or unauthorized use cannot be raised for such transactions. For enhanced security, it is recommended to keep this set to Y.

Set at card creation

{
  "cardholder_id": "7c4ff2cd-1bf6-4aaa-bf16-266771425011",
  "card_product_id": "7c4ff2cd-1bf6-4aaa-bf16-266771425011",
  "card_currency": "USD",
  "card_limit": 2100.02,
  "risk_controls": {
    "allow_3ds_transactions": "N"
  }
}

Update on an existing card

curl -X POST https://api-sandbox.uqpaytech.com/api/v1/issuing/cards/{card_id} \
  -H "x-auth-token: YOUR_API_TOKEN" \
  -H "x-idempotency-key: $(uuidgen | tr '[:upper:]' '[:lower:]')" \
  -H "Content-Type: application/json" \
  -d '{
    "risk_controls": {
      "allow_3ds_transactions": "N"
    }
  }'
  • If allow_3ds_transactions is omitted during card creation, it defaults to Y.
  • During card update, omitting the field leaves the current setting unchanged.
  • Physical cards automatically have allow_3ds_transactions set to Y upon activation.
  • This setting affects only 3DS behavior. Other fraud checks are not affected.

OTP delivery

When a 3DS challenge is triggered, an OTP is sent to the cardholder’s registered email address. The cardholder enters the OTP on the authentication page to complete verification.
Ensure the cardholder’s email is accurate when creating or updating the cardholder. OTPs are valid for a few minutes.

3DS OTP webhook

UQPAY sends a card.3ds.otp webhook when an OTP is generated: 
{
  "version": "V1.6.0",
  "event_name": "ISSUING",
  "event_type": "card.3ds.otp",
  "event_id": "26de83a5-cea5-4f84-ab11-48813025e40a",
  "source_id": "12ea604d-5899-43d6-8c2d-618c9ce8eae3",
  "data": {
    "otp": "12344444",
    "reference_code": "4868798",
    "customer_id": "67f006f4-d593-49f4-be0e-f1f894e8933b",
    "card_id": "1d749d10-511e-469f-9a83-0560a602ac37",
    "card_number": "1234********3381",
    "transaction_currency": "USD",
    "transaction_amount": "100",
    "merchant_name": "Example Merchant"
  }
}