If you are using 3D Secure for PSD2 compliance, read our comprehensive PSD2 SCA guide.
/authoriseAPI. For online payments integration using
/payments, refer to the 3D Secure 2 API integration page.
The latest version of 3D Secure brings a new approach to authentication through a wider range of data and biometric authentication, and with an improved online payments experience.
Unlike 3D Secure 1 where the shopper is redirected to another site to verify the payment, in 3D Secure 2 the card issuer performs the authentication within your app or payment form. The shopper's identity may be verified using passive, biometric, and two-factor authentication approach. A transaction may go through a passive frictionless authentication flow or a challenge authentication flow where the issuer requires further interaction with a shopper.
As a general rule, the chargeback liability shifts from you to the issuer if the shopper completes a successful challenge authentication flow. For more information on 3D Secure 2 chargeback liability rules, see 3D Secure liability shift rules.
A 3D Secure 2 transaction can go through either a frictionless or challenge authentication flow depending on the issuer's requirements.
In a frictionless flow, the acquirer, issuer, and card scheme exchanges all necessary information in the background through passive authentication using the shopper's device fingerprint. In your integration, you will need to get the 3D Secure 2 device fingerprint and if it is validated and approved by the issuer, the transaction is completed without further shopper interaction.
The issuer requires additional shopper interaction for verification, either through biometrics, two-factor authentication, or similar methods based on SCA authentication factors.
In a web-based integration, the issuer might require the challenge right after you submit a payment request or after you send the 3D Secure 2 device fingerprint. In an app-based flow, the 3D Secure 2 device fingerprinting process is always performed before a challenge is deemed required.
3D Secure 2 payment flows
The following diagram illustrates full implementation authentication flows based on result codes:
A 3D Secure authentication flow starts with a payment request. Send a payment request from your server with the required 3D Secure 2 objects indicating that you are ready to support 3D Secure authenticated payments.
You will get a response containing any of the following result codes:
- Authorised: The payment has been successfully authorised. If you receive this as a response to your payment request, this could mean that the transaction was either exempted or out-of-scope for 3D Secure 2.
- IdentifyShopper: The issuer requires the 3D Secure 2 device fingerprint.
- ChallengeShopper: The issuer requires shopper interaction.
- RedirectShopper: The issuer does not support 3D Secure 2 and you have the 3D Secure 1 fallback enabled. The transaction needs to be authenticated with 3D Secure 1.
- Refused/ Error: The transaction was refused or something went wrong. This response includes a refusal reason.
Handle the transaction based on the result code. For example, if you received an IdentifyShopper result code, proceed to get the 3D Secure device fingerprint and then submit the required data to Adyen. The possible responses after you submit the device fingerprint results are:
- Authorised: This means the authentication was frictionless and the payment has been authorised.
- ChallengeShopper: The issuer requires additional shopper interaction. Proceed to the challenge flow.
- Refused/ Error: The authentication was refused or something went wrong. This response includes a refusal reason.
For more information on result codes and the actions that you need to take, see Result codes.
3D Secure 1 fallback
In case the issuer does not support 3D Secure 2, we will initiate a 3D Secure 1 fallback by default, indicated by a RedirectShopper
resultCode response. To handle this scenario, make sure that you have implemented a 3D Secure 1 authentication flow.
If you do not want to automatically fall back to 3D Secure 1, contact Support Team. However, note that not having a fallback implementation might negatively affect your authorization rates since SCA is required for authorization in some markets.
In a full 3D Secure 2 integration, we will perform the authentication and proceed with the payment authorisation. If you choose to only perform one part of the process with us, use the following implementations:
- Full integration on web, iOS, or Android: Perform both 3D Secure 2 authentication and payment authorisation with Adyen.
- Authentication-only: Perform only the 3D Secure 2 authentication with us and submit the payment authorisation later.
- Authorize with 3D Secure 2 authentication data: Use a third-party 3D Secure 2 provider and perform the payment authorisation request with Adyen.