Issuin icon

Payment authorisation

Learn about the payment authorisation flow and how you can control payment approvals

For security and compliance reasons, Adyen must authorise any payment made with an Adyen-issued card. When a cardholder attempts a payment, Adyen receives a payment request that starts a payment authorisation flow. This flow results in the payment being approved or refused.

As part of the flow, we perform internal checks and validations to ensure that the transaction is legitimate. Additionally, we can perform custom verifications created by you. This helps you control the types of transactions that your cardholders can make. You can do this by configuring transaction rules or relayed authorisation.

Adyen internal checks

As an issuer, Adyen must verify that each transaction complies with financial regulations and manage fraud risk. We perform two types of internal checks:

  • Validations: These verify if the card and transaction are legitimate. For example, we check:
    • The expiry date of the card
    • The Card Verification Code (CVC) of the card
    • The available balance in your account
  • Internal transaction rules: These are transaction rules created by Adyen for regulatory controls. Some of these rules are:
    • Missing payment instrument capabilities
    • Contactless limit reached
    • Missing CVC2 on an ecommerce transaction

Custom verifications

If Adyen's internal checks are successful, then we perform the custom verifications created by you. Adyen offers two types of custom verifications: transaction rules and relayed authorisation. You can use either or both of these features.

Transaction rules

You can configure transaction rules to create a logic that automatically approves or declines payment attempts. You can create rules based on various conditions, for example:

  • Maximum amount
  • Maximum number of transactions
  • Types of payments allowed for a payment instrument

Transaction rules are automatically applied to each payment attempt. You can also combine them to facilitate different use cases.

Relayed authorisation

You can use your own business logic to approve or deny each payment attempt. On each attempt, Adyen sends a webhook to your server. Your server has up to 2000 milliseconds to respond. If we don't receive a response within this timeframe, we apply your default fallback.

Payment authorisation flow

The following diagram illustrates the complete payment authorisation flow.

As shown in the diagram, the flow ends when a payment is approved or refused. The steps of the flow are as follows:

  1. Adyen receives a payment request.
  2. Adyen performs validation checks on the request.
    If the payment complies with the validations, then the flow continues to step 3. Otherwise, the payment is refused.
  3. If you configured transaction rules, then the flow continues to step 4. Otherwise, it continues to step 5.
  4. Adyen checks if the payment complies with your transaction rules. If it complies, then the flow continues to step 5. Otherwise, the payment is refused.
  5. If you configured relayed authorisation, then Adyen sends an authorisation webhook to your server. Otherwise, the payment is approved.
  6. If your server responds within 2000 ms, then Adyen approves or refuses the payment as instructed in the response. Otherwise, Adyen applies your default fallback.

Next steps