3D Secure (Verified by Visa, Mastercard SecureCode™) is an additional authentication protocol that increases security: the shopper is redirected to their card issuer, where they need to authenticate before the payment operation can send an authorisation request.
Set up the following:
- For the TEST environment, this functionality is enabled by default.
- For LIVE, it is enabled by default for Visa/Mastercard/Maestro/BCMC (EU acquiring). In other cases, you need to contact the Adyen Support Team and request that 3D Secure be configured for your account.
Ensure that your integration supports:
- Making an API call to redirect the shopper to the card issuer.
- Submitting a second API call after the redirect to complete the payment.
Steps to follow
UnionPay requires an additional security layer; see SecurePlus for details.
Redirect to the card issuer
This API call is very similar for non-3D Secure and 3D Secure payment transactions.
3D Secure payments require one additional element:
The browserInfo object is a child element of the paymentRequest main element in a payment request.
browserInfo acts as a container object for the following child elements:
- acceptHeader: holds the Accept header information of the shopper's web browser.
- userAgent: holds the user agent information of the shopper's browser.
3D Secure directory lookup
After your account is configured for 3D Secure, the Adyen system performs a directory lookup to check if the card is enrolled in the 3D Secure program:
- If the card is not enrolled, the response is the same as a normal API
- If the card is enrolled, the response contains the following fields:
resultCode (which must be set to RedirectShopper). For more information on these fields, refer to PaymentResult.
Submit 3D Secure lookup response
When a 3D Secure directory lookup confirms that a card is enrolled, you can redirect the shopper to the card issuer for 3D Secure verification.
You can use an HTML form that you submit with an HTTP POST method call to the URL endpoint specified in
In the form, include the following
- PaReq: It corresponds to paRequest and holds the 3D Secure request data for the issuer.
- It corresponds to md. A payment session identifier returned by the card issuer.
- It corresponds to termUrl. After completing 3D Secure verification on the card issuer site, the shopper is redirected back to the merchant site. This URL value specifies the merchant site page the shopper goes back to.
Initiate the payment
Return to the merchant site
After a successful 3D Secure verification, the issuer redirects the shopper to the merchant website using an HTTP POST call to the URL endpoint specified in
The POST call includes the following parameters, which you pass in the authorise payment call to Adyen to complete the payment transaction:
- MD: A payment session identifier returned by the card issuer.
- PaRes: A payment authorisation response returned by the card issuer.
Authorise the payment
To complete a 3D Secure authenticated payment, make a payment request to the authorise3d endpoint and pass the following parameters with the call:
- merchantAccount: Your merchant account number.
- browserInfo: A user's browser information.
- md: A payment session identifier returned by the card issuer.
- paResponse: Payment authorisation response returned by the card issuer.
- shopperIP: We strongly recommend that you provide shopperIP as it is used in a number of risk checks (like location-based and number of payment attempts checks).
For more information on these fields, refer to PaymentRequest3d.
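The redirect and return steps above, sketched as an added example (not Adyen's own code): one function builds the issuer form from the directory-lookup response, the other turns the issuer's POST into the authorise3d request body. The names `issuerUrl` and `TermUrl`, the https requirement, the check of MD against the value kept in the shopper's session, and all sample values are assumptions made for this example.

```python
import hmac
from html import escape
from urllib.parse import urlsplit

def build_issuer_redirect_form(lookup_response: dict, term_url: str) -> str:
    """Build the HTML form that POSTs PaReq, MD and TermUrl to the card issuer."""
    if lookup_response.get("resultCode") != "RedirectShopper":
        raise ValueError("card is not enrolled: no 3D Secure redirect required")
    # ASSUMPTION: "issuerUrl" is the response field that holds the issuer endpoint.
    issuer_url = lookup_response["issuerUrl"]
    if urlsplit(issuer_url).scheme != "https" or urlsplit(term_url).scheme != "https":
        raise ValueError("issuer URL and TermUrl must both use https")
    fields = {
        "PaReq": lookup_response["paRequest"],
        "MD": lookup_response["md"],
        "TermUrl": term_url,  # ASSUMPTION: form field name for termUrl
    }
    # Escape every value so an opaque string cannot break out of its attribute.
    inputs = "\n".join(
        f'  <input type="hidden" name="{name}" value="{escape(value)}">'
        for name, value in fields.items()
    )
    return f'<form method="POST" action="{escape(issuer_url)}">\n{inputs}\n</form>'

def build_authorise3d_request(posted: dict, session_md: str, merchant_account: str,
                              browser_info: dict, shopper_ip: str) -> dict:
    """Turn the issuer's POST back to the merchant into the authorise3d body."""
    md, pa_res = posted.get("MD", ""), posted.get("PaRes", "")
    if not md or not pa_res:
        raise ValueError("issuer POST is missing MD or PaRes")
    # Added check: accept only the MD this shopper session was redirected with.
    if not hmac.compare_digest(md.encode(), session_md.encode()):
        raise ValueError("MD does not match the pending payment session")
    return {
        "merchantAccount": merchant_account,
        "browserInfo": browser_info,
        "md": md,
        "paResponse": pa_res,
        "shopperIP": shopper_ip,
    }

# Constructed sample lookup response (not real Adyen output).
SAMPLE_LOOKUP = {
    "resultCode": "RedirectShopper",
    "issuerUrl": "https://issuer.example/acs",
    "paRequest": "constructed-pareq",
    "md": "constructed-md-123",
}
```

Store the `md` value in the server-side session when the form is rendered, and pass it as `session_md` when the shopper returns.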
UnionPay requires an additional security layer, SecurePlus, which uses telephone verification.
To use SecurePlus:
- Make an authorise call including the
- If a response contains paRequest set to CUPSecurePlus-CollectSMSVerificationCode, this indicates that a verification code is sent to the provided phone number.
- On your web page collect the verification code from the shopper and make an authorise3d call passing this code as the paResponse field value. In addition, include the additionalData and set its value to CUPSecurePlus to indicate that you are making a SecurePlus request.
- You get a response with the payment status.
- Make an auth call including the
- A verification code is sent to the phone number provided by the shopper.
- After the shopper enters the code, Adyen processes the payment and sends you a response.
This flow is a part of our Risk management and the authentication may be triggered dynamically based on the risk thresholds set by you. To enable this feature, contact the Adyen Support Team.