Developer-resource icon

Testing 3D Secure 2 authentication

Test 3D Secure 2 authentication with your integration and troubleshoot issues before it goes live.

Test your integration to make sure that you can handle 3D Secure 2 authentication scenarios.

If you configured Dynamic 3D Secure and your default rule is set to Prefer Not do either of the following to trigger 3D Secure 2 scenarios while testing:

  • Set your default Dynamic 3D Secure rule to Always.
  • Include authenticationData.attemptAuthentication in your API request.
  • Use an amount that triggers authentication.

When prompted for 3D Secure 2 text challenges:

  • For web and mobile browser integrations, use password: password.
  • For native mobile (app-based) integrations, use password: 1234.

If you want to test failed scenarios, use the wrong password (any value other than password provided) to fail the authentication challenge.

To view the details and results of your test payments, do either of the following:

  • In your test Customer Area, go to Transactions > Payments.
  • Check the AUTHORISATION webhook you received. The success field informs you of the outcome of a payment request.

Test cards

These cards are enrolled in 3D Secure.

Make test payments with the following cards to make sure your integration can handle 3D Secure 2 authentication scenarios.

Card Type Card Number Expiry Date Security Code (CVC/CVV/CID)
Bancontact / Maestro 6703 4444 4444 4449 03/2030 Not applicable
Bancontact / Visa 4871 0499 9999 9910 03/2030 737
Cartes Bancaires / Visa Debit 4035 5014 2814 6300 03/2030 737
Cartes Bancaires 4360 0000 0100 0005 03/2030 737
China UnionPay (Credit) 6250 9470 0000 0014 03/2030 123
China UnionPay (Debit) 6250 9460 0000 0016 03/2030 123
Diners 3056 9309 0259 04 03/2030 737
Discover 6011 1111 1111 1117 03/2030 737
Maestro 5000 5500 0000 0029 03/2030 Not applicable
Mastercard 5454 5454 5454 5454 03/2030 737
Mastercard Credit 2222 4000 1000 0008 03/2030 737
Visa 4917 6100 0000 0000 03/2030 737
Visa Classic 4166 6766 6766 6746 03/2030 737

When you make a payment request with these cards, you'll receive the following result codes depending on your integration:

RedirectShopper: You'll receive this result code if you are using Redirect authentication.
IdentifyShopper: You'll receive this result code if you are using Native authentication.
ChallengeShopper: You will get this result code after you submit the 3D Secure 2 device fingerprinting result in a Native authentication, unless you specify a frictionless flow.

3D Secure 2 challenge action

If your integration uses the Advanced flow, test this scenario. This does not apply to integrations using the Sessions flow.

Test a payment that requires handling the action object included in a payment response that includes the ChallengeShopper result code. Use the following payment details:

Card type Card number Expiry date Security code (CVC/CVV/CID)
Visa 4212 3456 7891 0006 03/2030 737

If the payment was not successful, check that your client-side and server-side integration handles the required action from the /payments response.

Frictionless flow

If your integration uses the Advanced flow, test this scenario. This does not apply to integrations using the Sessions flow.

Test a payment that goes through frictionless flow, where your integration must provide a device fingerprint. No further authentication interaction with the client-side UI is required. Use the following payment details:

Card type Card number Expiry date Security code (CVC/CVV/CID)
Mastercard 5201 2815 0512 9736 03/2030 737

If the payment was not successful, check that your client-side and server-side integration handles the required action from the /payments response.

Mobile app integration

On mobile, shoppers can get different types of 3D Secure 2 authentication challenges. Use the following payment details to make test payments and test specific scenarios.

When prompted for 3D Secure 2 text challenge for native mobile (app-based) integrations, use password: 1234. If you want to test failed scenarios, use the wrong password (any value other than 1234) to fail the authentication challenge.

Card type Card number Expiry date Security code (CVC/CVV/CID) Scenario
Mastercard 5201 2855 6567 2311 03/2030 737 Basic text authentication
Mastercard 5201 2874 9905 2008 03/2030 737 Basic single select
Mastercard 5201 2815 9233 1633 03/2030 737 Basic multi select
Mastercard 5201 2888 2269 6974 03/2030 737 Basic out-of-band (OOB) authentication
Mastercard 5201 2895 0084 3268 03/2030 737 HTML out-of-band (OOB) authentication
Mastercard 5201 2861 5377 1465 03/2030 737 App single select and text authentication

To test advanced 3D Secure 2 authentication scenarios for native mobile (app-based) integrations, use the following test cards:

Card type Card number Expiry Date Security Code (CVC/CVV/CID) Scenario
Visa 4917 6100 0000 0042 03/2030 737 ACS sends an empty Challenge Response (CRes)
Visa 4917 6100 0000 0067 03/2030 737 Invalid content in the acsSignedContent field in Authentication Response (ARes)
Visa 4917 6100 0000 0059 03/2030 737 Challenge Response (CRes) timeout

Authentication-only flow

If your integration uses the Authentication-only flow, test that your integration can handle the possible outcomes using our test cards.

In this flow, you receive an AUTHENTICATION webhook, instead of the AUTHORISATION webhook to inform you of the payment request outcome.

Authentication without liability shift

Test a payment that goes through 3D Secure 2 authentication without liability shift, use the following payment details.

When prompted for a 3D Secure 2 text challenge, use password: NoLiabilityShift.

Card type Card number Expiry date Security code (CVC/CVV/CID)
Visa 4917 6100 0000 0000 03/2030 737

Advanced scenarios

Test the following scenarios to make sure your integration can handle advanced 3D Secure 2 flows.

Use the following test cards to test scenarios returning ARes (Authentication Response) with different transStatus values:

  • Y: Authentication / account verification successful.
  • N: Not Authenticated / account not verified. Transaction denied.
  • A: Authentication / verification was attempted but could not be verified.
  • U: Authentication / account verification could not be performed.
  • R: Authentication / account verification rejected by the Issuer.
Card type Card number Expiry date Security Code (CVC/CVV/CID) Scenario
Mastercard 5201 2815 0512 9736 03/2030 737 Return ARes with transStatus=Y
Mastercard 5201 2812 6243 5268 03/2030 737 Return ARes with transStatus=N
Mastercard 5201 2850 9382 3592 03/2030 737 Return ARes with transStatus=A
Mastercard 5201 2828 2836 6351 03/2030 737 Return ARes with transStatus=U
Mastercard 5201 2864 9681 6589 03/2030 737 Return ARes with transStatus=R
Mastercard 5201 2846 7071 7533 03/2030 737 Return ARes with transStatus=U and transStatusReason =06

Use the following test cards to test other advanced 3D Secure 2 scenarios.

Card type Card number Expiry date Security Code (CVC/CVV/CID) Scenario
Mastercard 5201 2829 9900 5515 03/2030 737 Timeout error
Mastercard 5201 2886 9531 5843 03/2030 737 Connection failure error
Mastercard 5201 2858 9491 2800 03/2030 737 Version number not supported error
Mastercard 5201 2852 4062 4612 03/2030 737 Access denied error
Mastercard 5201 2859 4986 5169 03/2030 737 MCC not valid error
Mastercard 5201 2829 4084 9714 03/2030 737 Invalid endpoint error