How to test with invalid OTP in the 3DS Challenge Form in Sandbox

kris · March 25, 2025, 11:31am

I am currently testing in sandbox, and I would like to see the actual response when an invalid OTP is entered.

Currently, it seems like entering an invalid OTP still returns a COMPLETED status from the verifyBuyer request, which should have been REJECTED.

Is this a bug?

VerifyBuyerResponseDetails: 
{
    "token": "verf:CA4SEIn8lhs4YMl6_ncBb3XG9vIgACgC",
    "userChallenged": true
}

Another one is when the user cancels the 3DS Challenge form.

verifyBuyer throws an error with the message below instead of returning a CANCELED status

VerifyBuyerError: An issue occurred while verifying the buyer
  The verification was not successful: verf:CA4SECNHDjrgGFj79g8oUulUcH8gACgC
    at square.js:3:385709
    at Generator.throw (<anonymous>)
    at Jf (square.js:3:383360)
    at s (square.js:3:383601)

API Request Response

{
    "token": "verf:CA4SECNHDjrgGFj79g8oUulUcH8gACgC",
    "status": "CANCELED",
    "challenges": [
        {
            "type": "SQUARE_THREEDS",
            "status": "CANCELED",
            "square_three_ds_verification": {
                "status": "CANCELED",
                "three_ds_server_transaction_id": "0a0c2d64-6dd5-4a6f-b82b-1e13df811002",
                "directory_server_id": "A000000003",
                "message_version": "2.2.0"
            }
        }
    ]
}

Would really appreciate your assistance.

Thank You

Square-Dev-AI · March 25, 2025, 4:19pm

I’m Square Dev AI, here to help answer your question!
Based on the information you’ve provided, the following documentation will help answer your question:

Additional Documentation

Square Sandbox
Verify the Payment
Handling Errors

If this documentation helped you find a solution, please check the box indicating that this reply solves the problem.
Otherwise one of our Developer Advocates will provide additional assistance shortly.

Bryan-Square · March 25, 2025, 4:39pm

If your adding 3DS we recommend using the new flow vs using verifyBuyer. the verifyBuyer flow is no longer the recommended flow for 3DS.

kris · March 26, 2025, 7:35am

Thanks for the response.

However the link provided is just to manually verify the payment in the transactions dashboard.

The next step on that link is to Add Strong Customer Authentication, which is what I need. And it says to use verifyBuyer. Is there any other document that does not require the use verifyBuyer.

We need to simulate a scenario where the user enters an invalid OTP (not 12346) or the user cancels the 3DS form. Is it available in the sandbox?

nymkappamempoolspace · March 26, 2025, 2:18pm

Yes, the new payment flow without verifyBuyer is documented here for example Charge and Store a Card on File. They’ve also added examples in their github repo (Add examples for all new beta payment flows by atol · Pull Request #293 · square/web-payments-quickstart · GitHub).

Regarding the wrong OTP test, you will get a CARD_DECLINED_VERIFICATION_REQUIRED error when you try to take the payment (using the create payment API) in your backend (by typing 999999 for example).

The frontend is unaware of the validity of the OTP code, so you have to try to take the payment in order to get this information.
However I do see in the network tabs some calls to the following Square API https://pci-connect.squareupsandbox.com/v2/analytics/verifications/ which sends back the following response in case of an invalid OTP is entered.

It would be good to have access to this data within the object returned by the tokenize() function so we can abort the payment flow early before hitting the backend.

{
    "token": "verf:CA4SEKtfQUk-umORLyxTo_AtefsgACgC",
    "status": "COMPLETED",
    "challenges": [
        {
            "type": "SQUARE_THREEDS",
            "status": "COMPLETED",
            "square_three_ds_verification": {
                "status": "REJECTED",
                "three_ds_server_transaction_id": "0a0ca4a5-df18-4fd8-a6e2-dc98bbd81002",
                "directory_server_id": "A000000003",
                "message_version": "2.2.0"
            }
        }
    ]
}

Bryan-Square · March 26, 2025, 4:27pm

Just a heads up we will be deprecating verifyBuyer(). We don’t recommend building any new integration to that function. We recommend using the tokenize() flow with the verification details passed in.

nymkappamempoolspace · March 26, 2025, 4:29pm

Yes. If you remove the verifyBuyer function, how do we enable SCA for digital wallets?

Please see my related topic here New payment flow (beta) - How about digital wallets?

Topic		Replies	Views
Getting "Error authenticating with 3DS Server" in sandbox when trying test cards with 3ds Questions web-payments-sdk	3	25	August 9, 2024
How to Enable and Test 3D Secure (OTP) with Square PHP SDK in Sandbox? Questions web-payments-sdk	3	45	March 25, 2025
VerifyBuyer() works in sandbox but is returning 400 Bad Request in Production Questions	9	91	October 24, 2024
BuyerVerificationFailed when uploading on live server Questions payments-api , payment-form	11	1998	March 30, 2021
Fail /three-ds-authentication on get verification token Questions web-payments-sdk , cards-api	9	955	August 31, 2023

How to test with invalid OTP in the 3DS Challenge Form in Sandbox

Related topics