Migration Guide to 3DS 2.0 (EMV 3DS)

As part of the security improvements from card networks like Visa and MasterCard for your online card payments and to minimize chargeback liability, Xendit will be enabling 3DS 2.0 (EMV 3DS) for all credit / debit card transactions made using Xendit by December 2021. To learn more about 3DS 2.0, see here.

You do not need to make any changes in your API/XenInvoice/Xendit integrations (Shopify, Wix etc) to support EMV 3DS. We do not expect the enablement of EMV 3DS to cause any breaking changes in your setup with us.

However, we are unable to guarantee perfect compatibility between your webpages / mobile apps and the new One-Time Password pages returned by the card networks and issuers for EMV 3DS. In order to minimize the risk of any issues arising from EMV 3DS on your webpages / apps, please follow the below recommendations on your sites or integrations and perform test payments using different web browsers if possible.

IntegrationRecommended Action
APIContent Security Policy optimization (see below)
Xendit SDKUpgrade to latest SDK Version: Xendit.js = v2.4.0 Android = v4.1.1 iOS = v3.8.2
InvoiceContent Security Policy optimization (see below)
Xendit Integrations : - WooComerce - Shopify - Wix - Magento - Ecwid - Zapier - Sirclo - OpenCart - Easy Digital Download - VirtueMart - XeroContent Security Policy optimization (see below)

Content Security Policy

If your websites or integrations utilize Content-Security-Policy header as part of security enhancement, you’ll be required to have additional domains to whitelist in order for EMV 3DS can be triggered.

The additional domains are part of the migration to EMV 3DS that introduces a new Javascript library that will be automatically loaded when Xendit.js is imported. On top of that, during the 3DS initiation, the library will collect device data and call a few new APIs for the potential frictionless flow.

Here are some additional domains that are required to be whitelisted:

  • https://\*.xendit.co
  • https://\*.cardinalcommerce.com
  • https://kg668dbov0.execute-api.us-east-1.amazonaws.com

Example of CSP configuration that we found are working:

Content-Security-Policy DirectiveValue
default-srcself; https://\*.xendit.co;
connect-srcself; https://*.xendit.co; https://\**.cardinalcommerce.com; https://kg668dbov0.execute-api.us-east-1.amazonaws.com;
script-srcself; https://\*.xendit.co; https://songbird.cardinalcommerce.com; https://songbirdstag.cardinalcommerce.com;
frame-srcdata:; https:; https://\*.xendit.co;

An example of the error message that might be returned if CSP are not configured properly to support additional process required for EMV 3DS:


  1. Will I need to make any changes to my integration or existing setup with Xendit?
    1. No, you will not. There are no new API params or behaviour that you will need to handle, in order for your payments to qualify for 3DS 2.0 (EMV 3DS). You will only need to whitelist the additional domains if your website utilize Content-Security-Policy.
    2. You may be interested in increasing the possibility of your payments going through frictionless 3DS. If so, you can optionally choose to send us more data in your Tokenization requests. See here for more info on how to do so.
  2. Are there any fees payable for the migration?
    1. None - you will continue to pay the fees that you are currently paying for Xendit’s products.

Last Updated on 2024-03-05