{"section":"known-issues","requestedLocale":"en","requestedSlug":"the-cielo-3ds2-app-is-returning-an-approved-status-even-in-scenarios-when-the-authentication-has-failed","locale":"en","slug":"the-cielo-3ds2-app-is-returning-an-approved-status-even-in-scenarios-when-the-authentication-has-failed","path":"docs/en/known-issues/Payments/the-cielo-3ds2-app-is-returning-an-approved-status-even-in-scenarios-when-the-authentication-has-failed.md","branch":"main","content":"## Summary\n\nWhen the 3DS2 authentication step fails (e.g., the customer cannot be authenticated), the Cielo authentication app incorrectly continues the flow and sends an `approved` status to the authorization step. As a result, the transaction proceeds to the acquirer even though the 3DS2 check was not completed.\nThis creates a security gap: fraudulent transactions can bypass 3DS2 protection and get authorized by Cielo. Cielo may later flag those transactions as fraud indicators, putting the merchant at risk of disputes and chargebacks.\n\n## Simulation\n\n1. Enable 3DS2 in a store using the CieloV3 connector.\n2. Attempt a purchase with a card that will fail the 3DS2 enrollment step.\n3. Observe in the transaction interaction logs that the authentication returned a failure status (`Customer cannot be authenticated` or similar).\n4. Note that despite the failure, VTEX sent `Authenticate: true` to Cielo, and the transaction was authorized.\n\n## Workaround\n\nMigrate to the **Cielo Ecommerce** connector (CieloV4). The bug is specific to `cielo-authentication-app v1.2.1` used by CieloV3. Cielo has officially recommended this migration, and the 3DS2 flow behaves correctly in the newer connector."}