Redirect the user to the 3D Secure authentication URL, then send them back to your own return/callback URL after the challenge. Don’t treat the redirect as the final result once the user returns, verify the authentication outcome server-to-server by calling the CyberSource REST API using the transaction/request ID. The final payment decision should always come from the API, not the browser callback.
