Investor
Professional
A Step-by-Step Guide to Creating an Online Store with 2D Secure Payment Processing, Configuring the Payment Gateway, and Organizing Secure Operations with High-Level OPSEC.
What Is 2D Secure and Why It Works
2D Secure is a type of card payment processing where the transaction goes through without additional authentication (OTP, biometrics, SMS code). The customer only enters standard card details — number, expiry date, and CVV — and the payment completes instantly. No extra screens, no OTP codes.

In 2026, 2D Secure payments work like this:
| Aspect | Description |
|---|---|
| Checkout Speed | Instant — customer never leaves the site |
| Authentication | Only basic card data (PAN, expiry, CVV) |
| Liability | All fraud and chargeback risk falls on the merchant |
| Where It Works | USA, Australia, and other countries without SCA mandates |
| Amounts | Usually up to $100-200, depending on the bank |
Key Point: 2D Secure is possible even in countries with SCA mandates if the merchant requests an exemption and the bank approves it.
How It Works Technically
When a customer enters card details on your site, the following happens:
```text
Customer enters card → Your site sends request to payment gateway
→ Gateway sends authorization to acquiring bank
→ Acquiring bank checks the card and returns a decision:
  • APPROVED — payment passed, goods shipped
  • DECLINED — payment rejected
  • 3DS REQUIRED — additional authentication needed
```
In the case of 3DS REQUIRED, if you can't provide OTP, the transaction is blocked. To avoid this, you use exemptions and frictionless flow.
What to Read Before Starting
1. Payment Gateway Technical Documentation
| Gateway | What It Provides | Where to Read |
|---|---|---|
| CODARAB Pay | Ready WooCommerce plugin, 2D Secure up to $100, hiding data from PayPal | CODARAB LinkedIn |
| Mastercard Gateway | Full PSD2 exemption documentation, LOW_VALUE, LOW_RISK parameters | Mastercard Developer |
| Global Payments API | Exemption Status parameters: LOW_VALUE, TRANSACTION_RISK_ANALYSIS | Global Payments |
| Paysafe 3DS API | requestorChallengePreference — how to request NO_CHALLENGE_REQUESTED | Paysafe Developer |
| CyberSource | Account setup for Payer Authentication, obtaining MID | CyberSource |
2. Practical Guides
| Resource | What It Provides |
|---|---|
| CODARAB DEV YouTube | Step-by-step videos on setting up PayPal Business without documents |
| PayPal Community Forum | Solutions to integration issues |
| Reddit r/PayPal | Discussions on account blocking issues |
3. Key Concepts
- Frictionless Flow: Payment passes without a challenge because the bank assessed the risk as low.
- SCA Exemptions: LOW_VALUE (up to €30), TRANSACTION_RISK_ANALYSIS (depends on merchant fraud rate), SECURE_CORPORATE_PAYMENT.
- challengePreference: NO_CHALLENGE: Direct request to the bank to skip 3DS.
How to Do It: Step-by-Step Instructions
Option 1: WooCommerce + CODARAB Pay (For Beginners)
This is the easiest method if you don't have technical skills.

Step 1. Set Up PayPal Business Account
Create a PayPal Business account — you can do this in 2 minutes without a legal entity or documents.

Instructions:
- Go to PayPal Business registration page
- Select "Business Account" and click "Next"
- Enter business details (you can list yourself as a sole proprietor)
- Confirm your email
- For safe setup and to avoid automatic bans, use CODARAB's YouTube guide
Step 2. Install CODARAB Pay Plugin
- Install and activate the plugin on WooCommerce
- In settings, select "Card Payment Only" mode — this disables the PayPal button and protects against easy one-click disputes
- Enable hiding product names and URLs in PayPal payment receipts
Step 3. Configure 2D Secure
Key plugin parameters:
- Payments up to $100 pass without OTP (depends on the issuing bank and card policy)
- Supported countries: USA, Canada, Australia, UK, Germany, France, Spain, Italy, Japan, Mexico
- Supported cards: Visa, Mastercard, American Express, Discover, JCB, UnionPay
Step 4. Protect High-Risk Sites (CODARAB Redirect)
If you're working in a high-risk industry:
- Install the CODARAB Redirect plugin
- Configure redirection of customers from the risky domain to a secure WooCommerce checkout
- The visible URL doesn't change — this hides your activity from monitoring
Option 2: Direct Gateway API Integration (For Experienced Users)
If you want more control, use the gateway's direct API.

Step 1. Obtain Merchant ID and Configure Account
What you need for CyberSource:
- Merchant ID (MID)
- Website URL
- Two-letter country code
- Merchant Category Code (MCC)
- Contact name, address, email at the bank
- BIN numbers (first 8 digits of cards you accept)
Setup Process:
- Contact gateway support to enable Payer Authentication
- Create a Secure Acceptance profile in the Business Center
- Configure supported card types and currencies
- Enable Payer Authentication (3DS) for each card type
Step 2. Request Frictionless Flow (No Challenge)
When sending the payment request, add the parameter challengePreference: NO_CHALLENGE.

Example for Mastercard Gateway:

```json
{
  "authentication": {
    "psd2": {
      "exemption": "LOW_VALUE"
    },
    "challengePreference": "NO_CHALLENGE"
  }
}
```
Step 3. Use Exemptions
For transactions that should pass without 3DS, request an exemption:

| Exemption | Conditions |
|---|---|
| LOW_VALUE | Transaction < €30, cumulative < €100 since last SCA, no more than 5 consecutive transactions |
| TRANSACTION_RISK_ANALYSIS | Merchant fraud < 0.13% for amounts up to €100, < 0.06% up to €250, < 0.01% up to €500 |
| SECURE_CORPORATE_PAYMENT | Corporate cards |
Example for Global Payments:

```json
{
  "exemptionStatus": "TRANSACTION_RISK_ANALYSIS"
}
```
Step 4. Send Additional Data
To increase the chances of frictionless flow, send:
- Customer IP address
- Browser data (language, screen resolution)
- Shipping and billing addresses
- Device data (device fingerprint)
Security and OPSEC
Protecting Your Account from Blocking
| Rule | Why |
|---|---|
| Don't mix personal and business data | PayPal blocks accounts without explanation |
| Hide product information | Use CODARAB Pay settings that hide name and URL |
| Disable PayPal button | The PayPal button makes one-click disputes easy |
| Use CODARAB Redirect | Redirect customers from risky domains to secure checkout |
Card Data Protection (PCI DSS)
| Requirement | What to Do |
|---|---|
| Don't store CVV/CVC | Prohibited by PCI DSS rules |
| Don't send card data by email | Direct path to compromise |
| Use encryption | Blowfish ECB for request parameters |
| Verify HMAC | Ensure messages aren't forged |
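The two checklist items that matter most for the merchant side of this table are verifying the gateway's HMAC and keeping the CVV out of logs. The following is an added example, not code from the post or from any gateway's SDK; it assumes a hypothetical gateway that signs each callback as HMAC-SHA256 over the raw request body with a shared secret, and all sample values (secret, callback body) are constructed for the demo. It rejects forged or tampered callbacks with a constant-time comparison and produces a log-safe copy of the payload with the CVV dropped and the PAN masked to first six and last four digits.

```python
import hmac
import hashlib
import json
import re

# Constructed sample values (not from any real gateway): a shared secret and a
# callback body as a gateway might POST it to the merchant's notification URL.
SAMPLE_SECRET = b"merchant-shared-secret-example"
SAMPLE_BODY = json.dumps({
    "orderId": "order-0001",
    "status": "APPROVED",
    "card": {"number": "4111 1111 1111 1111", "expiry": "12/29", "cvv": "123"},
    "amount": {"value": "49.90", "currency": "USD"},
}).encode()


def sign_body(raw_body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the exact bytes received (hex), as the gateway side would compute it."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(raw_body: bytes, received_sig: str, secret: bytes) -> bool:
    """Recompute the MAC over the raw body and compare in constant time (no timing leak)."""
    expected = sign_body(raw_body, secret)
    return hmac.compare_digest(expected, received_sig.strip().lower())


# Keys that must never reach logs at all (PCI DSS forbids storing the CVV/CVC),
# and keys holding a PAN that may appear only in masked form.
DROP_KEYS = {"cvv", "cvc", "cvv2", "securityCode"}
PAN_KEYS = {"number", "pan", "cardNumber"}


def mask_pan(value: str) -> str:
    """Keep first 6 and last 4 digits, mask the rest; anything shorter is fully masked."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_for_logging(payload):
    """Return a copy safe to write to logs: CVV removed, PAN masked, nested structures handled."""
    if isinstance(payload, dict):
        out = {}
        for key, val in payload.items():
            if key in DROP_KEYS:
                continue  # never log the security code
            if key in PAN_KEYS and isinstance(val, str):
                out[key] = mask_pan(val)
            else:
                out[key] = redact_for_logging(val)
        return out
    if isinstance(payload, list):
        return [redact_for_logging(v) for v in payload]
    return payload


def handle_callback(raw_body: bytes, received_sig: str, secret: bytes):
    """Reject unsigned or forged callbacks (returns None); otherwise parse and return the log-safe view."""
    if not verify_signature(raw_body, received_sig, secret):
        return None
    return redact_for_logging(json.loads(raw_body))


if __name__ == "__main__":
    sig = sign_body(SAMPLE_BODY, SAMPLE_SECRET)
    print(handle_callback(SAMPLE_BODY, sig, SAMPLE_SECRET))
    # A body altered after signing (here, one extra byte) must be rejected.
    print(handle_callback(SAMPLE_BODY + b" ", sig, SAMPLE_SECRET))
```

The signature must be computed over the raw bytes exactly as received, before any JSON parsing or re-serialization, otherwise whitespace or key-order differences break verification; and the log-safe copy, not the original payload, is what goes to disk.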
Protection from Detection
| Threat | Solution |
|---|---|
| Bank fraud analytics | Send additional data — increases chance of frictionless flow |
| Automatic gateway ban | Start with small amounts (< $100) |
| Chargebacks | Collect all transaction data for dispute cases |
Readiness Checklist
```markdown
[ ] PayPal Business account created (without documents if using CODARAB)
[ ] CODARAB Pay plugin installed and activated
[ ] "Card Payment Only" mode enabled
[ ] Product name and URL hiding enabled
[ ] Test payment completed and passed
[ ] For API integration: challengePreference=NO_CHALLENGE added
[ ] HMAC signature configured correctly
[ ] Logs are kept (but without CVV!)
[ ] CODARAB Redirect configured for high-risk domains
```
Final Conclusion
Bro, creating a 2D Secure shop for linking cards is doable, but requires attention to detail.

Key Takeaways:
- Start with CODARAB Pay on WooCommerce — the easiest path for beginners.
- Request frictionless flow via challengePreference: NO_CHALLENGE — this is the foundation of 2D Secure.
- Use exemptions (LOW_VALUE, TRA) — they reduce the chance of a 3DS challenge.
- Hide product information from payment systems — protects against automatic bans.
- Send additional data — increases the chance of frictionless flow.
The Main Risk: You're operating in a high-risk zone. Any configuration error can lead to account blocking. Start small, test every step, and don't mix different activities on the same account.
Good luck, brother. If you need anything — write.