When a card user makes an online payment in the scope of PSD2 regulations, they are asked to authenticate before the payment can be authorised. Understanding the 3D Secure authentication and authorisation process is useful so you can help your card users if they have questions about their payments.
Card user experience
When a card user makes a payment that is within the scope of PSD2 SCA, they go through the following process:
- The card user is redirected to a 3D Secure authentication page. In this page, they must provide:
- Their password.
- A one-time password (OTP) sent through a text message to their mobile phone number.
- The card user's credentials are validated against the authentication data that you set for the card.
- If the authentication is successful, the payment is sent to Adyen for authorisation.
- If the authentication fails, the payment fails.
- If the payment authorisation is approved, the payment is completed.
To help your card users recognize your brand when authenticating, you can change the logo shown in the 3D Secure authentication page. Reach out to your Adyen contact if you want to add a logo.
Payments that don't trigger 3D Secure
Your card users might notice that not all online payments made within the EEA and the UK trigger 3D Secure authentication. This is because some online payments are out of scope or exempted from PSD2 SCA. For these payments, Adyen doesn't require the card user to provide an OTP and password. The payment proceeds to authorisation.
Adyen checks if a payment is out of scope or exempted from PSD2 SCA. You don't have to do anything in your card issuing integration.
The following transactions are not within the scope of PSD2, therefore they don't require SCA.
- Transactions from cards issued outside of the EEA and the UK.
- Transactions with the acquirer based outside the EEA and the UK.
- Merchant-initiated transactions (MIT), used for recurring and subscription transactions. This does not apply to the initial transaction where the merchants set up the recurring or subscription contracts.
- Mail Order / Telephone Order (MOTO) transactions.
If a payment is within the scope of PSD2 regulations, it can still be exempted from SCA. Exemptions can be applied by Adyen or requested by the acquirer. SCA is not required if a transaction is considered to be:
- Low value: This exemption applies if a transaction is less than 30 EUR. When the sum of consecutive transactions exceed 100 EUR, Adyen requires SCA.
- Secure corporate payment: Transaction from virtual cards.
- Low risk based on Transaction Risk Analysis (TRA): Adyen makes a risk-based decision on whether to perform authentication based on PSD2 regulations.
Troubleshooting failed payments
The following are common reasons why payments that go through 3D Secure authentication might fail.
When 3D Secure authentication fails, you will likely receive a feedback from your card user that they are unable to use their card. You don't receive a relayed authorisation or a notification webhook, and you don't see the payment in the Payments list in your Balance Platform Customer Area. This is because the payment is already blocked after the authentication, and the authorisation is not sent to Adyen.
To resolve this issue, ask the card user to:
- Make sure that they provided the correct authentication data, then retry the payment.
- Update their phone number or reset their password, then retry the payment.
The card has been blocked
When 3D Secure authentication fails multiple times, you will likely receive a feedback from your card user that they are unable to use their card. As required by PSD2 regulations, Adyen temporarily blocks a card from performing 3D Secure authentication after five consecutive failed authentication attempts.
To resolve this issue:
- Wait an hour until the block is automatically lifted, then ask the card user to try again.
- If the card needs to be unblocked more quickly, contact our Support Team. We may require additional information about the account holder to which the card is linked, to verify the ownership of the card.
The payment requires SCA but the processing merchant skipped 3D Secure
Following PSD2 requirements, by default, Adyen sends a soft decline if a merchant skips 3D Secure authentication for a payment that requires SCA. Adyen informs the merchant to retry the payment with a 3D Secure flow. It is up to the merchant to retry the payment.
When a payment is soft declined, Adyen sends a balancePlatform.payment.created notification webhook for the failed authorisation. In the validationResult array, you will find the
type PSD2SoftDeclineCheck with an invalid
You can also see the payment attempt in the Payments list in your Balance Platform Customer Area.