Creating a transaction (PCI and 3D Secure)

If you are PCI-DSS certified, you have the right to collect sensitive information related to the payment method on your website. You can create a new transaction using the Charge/CreatePayment Web Service by transmitting the sensitive information related to the payment method.

This integration example explains how to create a payment with strong authentication, such as 3D Secure or SafeKey.

Process of payment with 3D Secure authentication

A transaction with strong authentication implies several exchanges:

Description of the steps:

Step Description
1 The Buyer transmits the details of the payment method to the merchant server.
2 Call to Charge/CreatePayment to create a new transaction.
3 If 3D Secure authentication is necessary, the Web Service returns a response of V4/Charge/RedirectRequest type.
4 The Merchant redirects the Buyer to the 3D Secure page of his or her bank.
5 Once the buyer has been authenticated, the browser is redirected to the payment gateway.
6 The payment gateway will create the transaction and call the URL that was defined in the merchantPostUrlSuccess parameter during the first call.
7 The Merchant verifies the transaction status and redirects the Buyer to the purchase confirmation page.

The return URLs can be defined with the help of two parameters during step 1:

  • merchantPostUrlSuccess: if the transaction is authorized.
  • merchantPostUrlRefused: if the transaction is rejected.

If merchantPostUrlRefused is not defined in case of a rejected transaction, the Buyer is redirected to merchantPostUrlSuccess.

Preparing the environment

If you use PHP with our SDK, we recommend storing your keys in a configuration file.

Example with test keys:

<?php
/**
 * Get the client
 */
require_once __DIR__ . '/vendor/autoload.php';

/**
 * Define configuration
 */

/* Username, password and endpoint used for server to server web-service calls */

Make sure you replace them with your personal keys.

For more information, see Server SDKs and Prerequisites.

Initiating the transaction

To create a new transaction using a new payment method, use the Charge/CreatePayment Web Service:

{
    "amount": 990,
    "currency": "EUR",
    "merchantPostUrlSuccess": "",
    "merchantPostUrlRefused": "",
    "paymentForms": [
        {
          "paymentMethodType": "CARD",
          "pan": "4970100000000055",
          "expiryMonth": "11",
          "expiryYear": "21",
          "securityCode": "123"
        }
    ]
}

With the PHP SDK:

<?php
/**
 * Initialize the PHP SDK
 */
require_once __DIR__ . '/vendor/autoload.php';
require_once __DIR__ . '/keys.PCI.php';
require_once __DIR__ . '/helpers.php';

/**
 * Initialize the SDK
 * see keys.php
 */
$client = new Lyra\Client();

/**
 * Define the card to use (we use a 3DS enabled card)
 */
$card = array(
  "paymentMethodType" => "CARD",
  "pan" => "4970100000000022",
  "expiryMonth" => "11",
  "expiryYear" => "21",
  "securityCode" => "123"
);

/**
 * Start creating a transaction
 */
$store = array(
  "amount" => 250,
  "currency" => "EUR",
  "paymentForms" => array($card),
  "merchantPostUrlSuccess" => "",
  "merchantPostUrlRefused" => "",
  "customer" => array(
    "email" => "",
    "orderId" => uniqid("MyOrderId")
  )
);

/**
 * Do the web-service call
 */
$response = $client->post("V4/Charge/CreatePayment", $store);

The response will be:

{
    "webService": "Charge/CreatePayment",
    "version": "V4",
    "applicationVersion": "4.6.1",
    "status": "SUCCESS",
    "answer": {
        "redirectUrl": "https://authentication-server-url/buyer-bank",
        "width": 390,
        "height": 434,
        "template": "3dsecure",
        "postData": {
            "MD": "JSESSIONID=f9a1CBA1beF8AbAfFE89bD35.vadpayment01tls;+_CqX06BsfWgStNNUg7VgJ",
            "PaReq": "eJxVUttu2zAM/RXD74skp/EloFW0CYp1QINuSW9+GVSJcYwlcmLJS9yvn+Q6a6sX8VDE4eGh4PK02wZ/sTFVrfOQjWgYoJa1qnSZhw+rm29pGBgrtBLbWmMedmjCSw6rTYM4X6JsG+Rwh8aIEoNK5eHv2eGZxtdm/VQu7WLxUCaP5Y+Qw/3VLzxwGFpx12kUATlDR9HIjdCWg5CH69sFv8iSmFIgA4QdNrdzTvuTAXmHoMUO+bIOUJgusHVg0VggfRZk3WrbdDyaOJozgLbZ8o21+ykhx+NxtBfdG+oRtkD8C5APIfetj4xjOlWK/xzfvNzNi5mMiueCLejqz+SxeFNPBa1zIL4ClLDII8oyGtE0oNk0SqeTBEifB7HzEniW+aHeY9j7FlefHj4nwJnbuGV0PEtSN8EZAZ72bheuwhn4PwaFRjr9w/UhfvbdeyqtsyuR48l6jAJjjC7WGKWxShhbx6+vinmn+yJPX3nbGGM9vwdAPA0ZlkiGhbvoy0f4B/cLwxM=",
            "TermUrl": "https://payment-service-provider-return-url"
        },
        "allowIFrame": true,
        "hideAtStartup": false,
        "hideTimeout": 15,
        "_type": "V4/Charge/RedirectRequest"
    },
    "ticket": null,
    "serverDate": "2019-02-08T09:28:57+00:00",
    "applicationProvider": "PAYZEN",
    "metadata": null,
    "_type": "V4/WebService/Response"
}

If the type of the returned object is not V4/Charge/RedirectRequest but V4/Payment, 3D Secure is not required, and the response contains the transaction details (Transaction object). For more information, see Creating a transaction (PCI).

More information on the Web Service: PCI/Charge/CreatePayment.

Authentication (3DS)

The Merchant must redirect the Buyer to the authentication page. For this, one must create a form that will be automatically submitted with the following characteristics:

  • Target URL (action) defined in the redirectUrl parameter.
  • Invisible fields (hidden input) containing data specified in postData.
  • The method is always POST.

Example of a redirection form:

<form id="goTo3DS" action="https://authentication-server-url/buyer-bank" method="POST">
    <input type='hidden' name='MD' value='JSESSIONID=3f1c1eD7716a696FB1F74d21.vadpayment02tls;+_Z5NVQRqn73uWdF7SOLhL'>
    <input type='hidden' name='PaReq' value='eJxVUttSwjAQ/ZVO3yXpzVJmG8cbozMiKgjqixOTVepACk0q1K83KfWWl(...)'>
    <input type='hidden' name='TermUrl' value='https://payment-service-provider-return-url'>
</form>
<script type="text/javascript">
    document.getElementById('goTo3DS').submit();
</script>

The same form generated in PHP:

<form id="goTo3DS" action="<?php echo htmlentities($redirectRequest['redirectUrl'], ENT_QUOTES, 'UTF-8') ?>" method="POST">
<?php
    // ENT_QUOTES: the attributes are single-quoted, so single quotes must be escaped as well
    foreach ($redirectRequest['postData'] as $key => $value) {
        echo "<input type='hidden' name='".htmlentities($key, ENT_QUOTES, 'UTF-8')."' value='".htmlentities($value, ENT_QUOTES, 'UTF-8')."'>\n";
    }
?>
</form>
<script type="text/javascript">
    document.getElementById('goTo3DS').submit();
</script>
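
The two steps above (checking the type of the returned object, then building the auto-submitted form) combined into one handler, as an added example that is not part of the original page or of the SDK. nextAction() and redirectForm() are hypothetical names, the response is assumed to be the decoded associative array returned by $client->post(), and the sample input is constructed.

```php
<?php
// Added example, not SDK code. nextAction() and redirectForm() are hypothetical names.
function nextAction(array $response): array
{
    if (($response['status'] ?? null) !== 'SUCCESS') {
        return ['action' => 'error'];
    }
    $answer = $response['answer'] ?? [];
    switch ($answer['_type'] ?? '') {
        case 'V4/Payment':
            // No 3D Secure required: the answer already holds the transaction details.
            return ['action' => 'payment', 'payment' => $answer];
        case 'V4/Charge/RedirectRequest':
            return ['action' => 'redirect', 'html' => redirectForm($answer)];
        default:
            return ['action' => 'error'];
    }
}

function redirectForm(array $redirectRequest): string
{
    $url = (string) ($redirectRequest['redirectUrl'] ?? '');
    // Only an https URL may end up in the form's action attribute.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('redirectUrl is not an https URL');
    }
    // ENT_QUOTES escapes both quote styles, so no value can break out of an attribute.
    $esc = function ($v): string {
        return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    };
    $html = '<form id="goTo3DS" action="' . $esc($url) . '" method="POST">' . "\n";
    foreach ($redirectRequest['postData'] ?? [] as $name => $value) {
        $html .= '    <input type="hidden" name="' . $esc($name) . '" value="' . $esc($value) . '">' . "\n";
    }
    return $html . "</form>\n"
        . '<script type="text/javascript">document.getElementById("goTo3DS").submit();</script>' . "\n";
}

// Constructed sample shaped like the response above; the postData values are made up.
$sample = [
    'status' => 'SUCCESS',
    'answer' => [
        'redirectUrl' => 'https://authentication-server-url/buyer-bank',
        'postData' => ['MD' => 'constructed-md', 'PaReq' => 'constructed\'"><value'],
        '_type' => 'V4/Charge/RedirectRequest',
    ],
];
$result = nextAction($sample);
echo $result['action'], "\n", $result['html'] ?? '';
```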

Retrieving transaction details

Once your Buyer is authenticated, the transaction is created by the payment gateway. The transaction details are transmitted to the URL defined in merchantPostUrlSuccess or merchantPostUrlRefused, depending on the payment result.

See Payment completed for more details.