Search

Are you looking for test card numbers?

Would you like to contact support?

Online-payment icon

3D Secure 1 and 2 redirect authentication

Learn how you can support both versions of 3D Secure through a redirect page.

If you are using 3D Secure for PSD2 compliance, read our comprehensive PSD2 SCA guide.

3D Secure is an additional layer of credit card authentication. When used for a personal card payment, the issuing bank becomes liable for fraudulent chargebacks.

The payment flow for a 3D Secure is different to a regular card payment. To complete a card payment with 3D Secure authentication, the shopper must verify the payment with their bank. For 3D Secure 1, this usually involves entering a unique password or SMS code on their bank's website. For 3D Secure 2, shoppers need to successfully complete authentication flows, which can be either a frictionless or a challenge flow, before a payment is authorised.

On this page we describe how you can support both versions of 3D Secure through a redirect. If you have an existing 3D Secure 1 implementation, you can already support 3D Secure 2 on the same redirect.

3D Secure authentication is supported by the following card schemes:

  • American Express
  • Cartes Bancaires
  • China UnionPay (with API-only)
  • Diners / Discover
  • JCB
  • Maestro
  • Mastercard
  • Visa

Not all cards issued by these schemes support 3D Secure.

Payment Type Payment flow Recurring Refunds Partial Refunds Captures Partial Captures Chargebacks
Credit card Redirect Yes Yes Yes Yes Yes Yes, for non-fraud

Managing PSD2 SCA compliance with 3D Secure

If you are implementing 3D Secure to handle PSD2 compliance, your options are to:

  1. Let Adyen handle PSD2 compliance by default.
  2. Configure rules using Dynamic 3D Secure.
  3. Submit your preference for each transaction in your API request.

In this integration guide, we talk about the steps on how you can submit 3D Secure requests for options 1 and 2.

If you want to use option 3 to send your preference for each transaction in your API request, you will need to submit additional fields. However, note that option 3 overrides our default PSD2 compliance handling logic, including checking if the transaction is out of scope, determining the most suitable exemption type to request for, and evaluating whether to send the exemption in the authentication or authorisation request.

We recommend using option 3 only if you have an extensive knowledge of PSD2 SCA regulations and the 3D Secure protocol.

Before you begin

Before you can start implementing 3D Secure redirect authentication, make sure that you:

  1. Sign up for an Adyen test account at https://www.adyen.com/signup
  2. Get your API Key. Save a copy as you'll need it for API calls you make to the Adyen payments platform.
  3. Integrate Drop-in, Card Component, or build your own UI to collect shopper's card details.

Integration steps

To support 3D Secure redirect authentication, you should already have collected shopper's card details with your existing integration. After you have the shopper's card details, you can then:

  1. Submit a /payments request with the required parameters to trigger 3D Secure authentication. You will get a response that indicates that you should redirect the shopper to another website or app to complete the payment.
  2. Redirect the shopper. If you are using Drop-in, Drop-in will handle the redirection. Otherwise, you can choose to:
    • Use the Redirect Component for iOS or Android.
    • Perform the redirect on your own.
  3. Complete the payment in a /payment/details request.

Step 1: Submit a payment request

After you collect your shopper's card details through Drop-in, Card Components, or your own UI, you can then submit a payment request.

You need to include additional parameters in your payments request to initiate 3D Secure authentication.

  • Make a POST /payments request, providing:

    • reference: Your unique reference for this payment.
    • amount
    • paymentMethod: Object that contains the shopper's card details. You can get this from Drop-in or Card Components or collect the values with your own UI.

      • type: Set this to scheme to indicate card payment method.
      • encryptedCardNumber: Encrypted card number.
      • encryptedExpiryMonth: Encrypted card expiry month.
      • encryptedExpiryYear: Encrypted card expiry year.
      • encryptedSecurityCode: Encrypted card verification code.
      • holderName: Cardholder's name.

        If you are PCI Level 1 or 2 certified you can pass raw card data instead.

    • browserInfo: The shopper's browser information. Providing this is optional but provides a smoother authentication flow for the shopper.
    • shopperIP: The shopper's IP address.
    • returnUrl: Specify the URL to where the shopper will be redirected back to after completing 3D Secure authentication.

      • For Web, the URL should include the protocol: http:// or https://. For example, https://your-company.com/checkout/.
      • For iOS, use the custom URL for your app. For example, my-app://. For more information on setting custom URL schemes, refer to the Apple Developer documentation.
      • For Android, if you are using Drop-in or Components, get the URL from the RedirectComponent.getReturnUrl(context). Otherwise, use a custom URL handled by an Activity on your app. You can configure it with an intent filter. For example, configure my-app://your.package.name, and then add that to your manifest.xml file.

        <activity
        android:name=".YourActivity">
        <intent-filter>
          <action android:name="android.intent.action.VIEW"/>
        
          <category android:name="android.intent.category.DEFAULT"/>
          <category android:name="android.intent.category.BROWSABLE"/>
        
          <data
            android:host="${applicationId}"
            android:scheme="my-app"/>
        </intent-filter>
        </activity>

    If you are using the redirect authentication for 3D Secure 2, we recommend that you provide all available information to increase the likelihood of achieving a frictionless flow and a higher authorisation rate. In addition to the regular parameters you provide to Adyen, send additional parameters in this list.

    {
       "merchantAccount":"YOUR_MERCHANT_ACCOUNT",
       "reference":"YOUR_ORDER_NUMBER",
       "amount":{
          "currency":"EUR",
          "value":1000
       },
       "shopperIP": "192.0.2.1",
       "paymentMethod":{
          "type":"scheme",
          "encryptedCardNumber":"adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "encryptedExpiryMonth":"adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "encryptedExpiryYear":"adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "encryptedSecurityCode":"adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "holderName": "S. Hopper"
       },
       "returnUrl":"https://your-company.com/checkout/",
       "browserInfo":{
          "userAgent":"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052912 Firefox/3.0",
          "acceptHeader":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
       }
    }

    If the shopper's card supports 3D Secure, you'll receive a response containing:

    • resultCode of RedirectShopper.
    • action object containing a url. This is supported from API v49 and later.
    • paymentData: Payload needed to complete the payment
    • redirect: Object containing information needed to redirect the shopper: 

      • data.PaReq: Payload needed when redirecting the shopper. 
      • data.TermUrl: The returnUrl you provided in the request.
      • data.MD: Payload needed to complete the payment
      • url: URL to where you should redirect the shopper to complete a 3D Secure 1 or 3D Secure 2 authentication.
    {
       "resultCode": "RedirectShopper",
       "action": {
           "data": {
               "MD": "OEVudmZVMUlkWjd0MDNwUWs2bmhSdz09...",
               "PaReq": "eNpVUttygjAQ/RXbDyAXBYRZ00HpTH3wUosPfe...",
               "TermUrl": "https://your-company.com/checkout/"
           },
           "method": "POST",
           "paymentData": "Ab02b4c0!BQABAgA4e3wGkhVah4CJL19qdegdmm9E...",
           "paymentMethodType": "scheme",
           "type": "redirect",
           "url": "https://test.adyen.com/hpp/3d/validate.shtml"
       },
       "details": [
           {
               "key": "MD",
               "type": "text"
           },
           {
               "key": "PaRes",
               "type": "text"
           }
       ],
       "paymentData": "Ab02b4c0!BQABAgA4e3wGkhVah4CJL19qdegdmm9E...",
       "redirect": {
           "data": {
               "PaReq": "eNpVUttygjAQ/RXbDyAXBYRZ00HpTH3wUosPfe...",
               "TermUrl": "https://your-company.com/checkout/",
               "MD": "OEVudmZVMUlkWjd0MDNwUWs2bmhSdz09..."
           },
           "method": "POST",
           "url": "https://test.adyen.com/hpp/3d/validate.shtml"
       }
    }

Next, redirect the shopper to complete the payment.

Step 2: Redirect the shopper

To redirect the shopper, you can:

If you are using Drop-in, Drop-in will handle the redirection and will then provide the information that you will need to submit in your next API request.

Perform the redirect

If you are implementing this on the web and you prefer to keep the shopper on your checkout page, you can alternatively present the URL in an iframe and then handle the authentication completion.

  • Use the url in the /payments response to make an HTTP POST. Append this with the fields you received in the redirect.data or action.data object.

    curl https://test.adyen.com/hpp/3d/validate.shtml \
    --data-urlencode 'PaReq=eNpVUttygjAQ/RXbDyAJl4LMmg6VztQH1LH63GHCjtApAQNU9O...' \
    --data-urlencode 'TermUrl=https://your-company.com/...' \
    --data-urlencode 'MD=djIhMFQxMHpFRHlyY3BOSHJ1UUNmZnk1Zz09IZ3a9YOyDsr30Ni+jrj0M3pyy...'

After the shopper completes the 3D Secure authentication, the card issuer will redirect them back to your website via an HTTP POST. This will be appended with MD and PaRes variables.

Next, validate the payment result.

Step 3: Complete the 3D Secure payment

After the shopper completes the 3D Secure authentication, you can verify the payment result by submitting the data that you received from Drop-in, Card Components, or if you performed the redirection on your own, from the HTTP POST from the issuer.

  • Make a POST /payments/details request, specifying: 

    • paymentData: Value you received in the /payments response.
    • details: Object that contains the redirection result. You can get this from the HTTP POST from the issuer if you performed the redirect on your own, or from Drop-in or Card Components.

      • MD: Value you received when the shopper was redirected back to your website.
      • PaRes: Value you received when the shopper was redirected back to your website.
      {
       "paymentData":"Ab02b4c0!BQABAgBKNFnhRjSn4jZPsP7nywoY...",
       "details":{
         "MD":"djIhMFQxMHpFRHlyY3BOSHJ1UUNmZnk1Zz09IZ3a9YOyDsr30Ni+jrj0M3pyy...",
         "PaRes":"eNpVUttygjAQ/RXrB5CLoJFZM5PKQ31QacXnDhN2lGkBDVDl75uAlzZP5+zZ3eyeB..."
        }
      }

The response will contain a resultCode and a pspReference. The pspReference is our unique identifier for the transaction.

Successful payments

When a payment is successful you'll receive a notification for the transaction that has: 

  • eventCodeAUTHORISATION. 
  • successtrue.

SecurePlus authentication

SecurePlus is the 3D Secure authentication layer used by China UnionPay. Instead of redirecting the shopper to verify a payment, collect and submit the SMS verification code sent to them by China UnionPay.

To use SecurePlus authentication with our API integration:

  1. When you collect the shopper's payment details, additionally collect their telephone number.
  2. When you submit the payment with 3D Secure authentication, additionally include: 

    • paymentMethod.telephoneNumber: The shopper's telephone number.
    {
       "merchantAccount":"YourMerchantAccount",
       "amount":{
          "currency":"CNY",
          "value":1000
       },
       "reference":"secureplus test",
       "paymentMethod":{
          "type":"scheme",
          "encryptedCardNumber":"adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "encryptedExpiryMonth":"adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "encryptedExpiryYear":"adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "encryptedSecurityCode":"adyenjs_0_1_18$MT6ppy0FAMVMLH...",
          "telephoneNumber":"+85211112222"
       },
       "returnUrl":"https://your-company.com/checkout/",
       "browserInfo":{
          "userAgent":"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9) Gecko/2008052912 Firefox/3.0",
          "acceptHeader":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
       }
    }

    If SecurePlus authentication is supported, you'll receive a resultCode of Pending.

    {
      "resultCode":"Pending",
      "details":[
        {
          "key":"cupsecureplus.smscode",
          "type":"text"
        },
        {
          "key":"MD",
          "type":"text"
        }
      ],
      "paymentData":"Ab02b4c0!BQABAgBKNFnhRjSn4jZPsP7nywoY...",
      "redirect":{
        "data":{
          "MD":"djIhMFQxMHpFRHlyY3BOSHJ1UUNmZnk1Zz09IZ3a9YOyDsr30Ni+jrj0M3pyy..."
        }
      }
    }

    If the card does not support SecurePlus verification you'll receive the same response as a regular credit card payment.

  3. Present a screen in your UI to collect the SMS verification code that was sent to the shopper.
  4. When you submit the result in a POST /payments/details request, additionally include:

    • cupsecureplus.smscode: The SMS verification code you collected from the shopper.
    {
      "paymentData":"Ab02b4c0!BQABAgBKNFnhRjSn4jZPsP7nywoY...",
      "details":{
        "MD":"djIhMFQxMHpFRHlyY3BOSHJ1UUNmZnk1Zz09IZ3a9YOyDsr30Ni+jrj0M3pyy...",
        "cupsecureplus":{
          "smscode":"123456"
        }
      }
    }
  5. Use the resultCode you received from the /payments/details endpoint to present the shopper with the result of the payment in your website or app. Check our result codes documentation for information on what these mean and the actions you should take.

Dynamic 3D Secure

While 3D Secure reduces the risk of fraudulent payments, many shoppers are still unfamiliar with the authentication process, and do not complete payment verification. In addition, client-side technical errors can occur when the shopper is being redirected, further lowering your conversion rate.

To counter these issues we developed Adyen Dynamic 3D Secure. This lets you use rules to determine which payments are routed though 3D Secure authentication, and which are processed without.

Dynamic 3D Secure requires additional configuration by Adyen. To enable this feature, contact our Support Team team.

For more information, see our Dynamic 3D Secure documentation.

Testing 3D Secure payments

Before going live, use the following card numbers and credentials to test your integration.

We recommend testing each Card Type.

Testing 3D Secure 2

To test how your integration handles different 3D Secure 2 authentication scenarios, use our test card numbers along with specific amounts.
All our test cards use the following expiry dates and security codes:

Expiry Date CVC/CVV CID
10/2020 737 7373
03/2030 737 7373

When prompted for 3D Secure 2 text challenges, use the following credentials:

  • For mobile, use password: 1234
  • For web, use password: password
Card Type Card Number
American Express 3714 4963 5398 431
Cartes Bancaires 4035 5014 2814 6300
Diners 3056 9309 0259 04
Discover 6011 1111 1111 1117
JCB 3566 1111 1111 1113
Mastercard 5454 5454 5454 5454
UnionPay 6212 3456 7890 1232
Visa 4917 6100 0000 0000

When you make a payment request with these cards, you'll receive the following result codes depending on your integration:

  • RedirectShopper: You'll receive this result code if you are using the Redirect authentication.
  • IdentifyShopper: You'll receive this result code if you are using the Native authentication.
  • ChallengeShopper: You will get this result code after you submit the 3D Secure 2 device fingerprinting result in a Native authentication, unless you specify a frictionless flow.

To test the web-based flow where the device fingerprinting step is skipped (because the issuer's ACS has not configured a threeDSMethodURL), and you get a ChallengeShopper resultCode immediately after submitting the payment request, use the following card:

Card Type Card Number
Visa 4212 3456 7891 0006

To test the frictionless flow, in which you perform a fingerprint but no challenge, use the following test card number:

Card number Authentication scenario
5201 2815 0512 9736 Fingerprint but no challenge

App-based integration

To test different authentication scenarios for app-based integration, use the following test cards:

Card number Authentication scenario
5201 2855 6567 2311 Basic text authentication
5201 2874 9905 2008 Basic single select
5201 2815 9233 1633 Basic multi select
5201 2888 2269 6974 Basic out-of-band (OOB) authentication
5201 2895 0084 3268 HTML OOB authentication
5201 2861 5377 1465 App single select then text authentication

Other scenarios

Card number Scenario
4199 3500 0000 0002 The card is not enrolled for 3D Secure transactions.
5201 2829 9900 5515 There was a technical error.

Testing 3D Secure 1

Card Type Card Number Country Expiry Month Expiry Year Security Code (CVC/CVV)
American Express 3451 7792 5488 348 International 10 2020 7373
International 6731 0123 4567 8906 NL 10 2020 737
JCB 3569 9900 1009 5833 US 10 2020 737
Maestro 6771 8309 9999 1239 GB 10 2020 737
Maestro 6771 8300 0000 0000 006 GB 10 2020 737
Mastercard 5212 3456 7890 1234 JP 10 2020 737
Visa 4212 3456 7890 1237 CA 10 2020 737

When prompted for 3D Secure authentication, use the following credentials:

  • Username: user
  • Password: password

Card not enrolled in 3D Secure 1

To test a scenario where the card is not enrolled for 3D Secure transactions, use the following card:

Card Type Card Number
Visa 4199 3500 0000 0002

You can check the status of 3D Secure test payments in your Customer Area > Transactions > Payments.

See also