3D Secure 2 API reference

For 3D Secure 2, you include additional parameters in your payment requests that provide additional information to authenticate your shoppers. You include these parameters when you make a request to one of the following endpoints:

• /payments
• /payments/details
• /sessions

This page describes payload structures and objects for Checkout API v41 or later. If you are using a classic integration, see 3D Secure 2 classic integration.

Parameter types

There are various parameters you can include in your requests for 3D Secure 2 authentication. The tables on this page specify the parameters that are required, conditionally required, recommended, and optional to include in your requests.

Icon	Type	Description
	Required	Parameters that are required to complete 3D Secure 2 authentication.
	Conditionally required	Parameters that are required for particular setups, or issuers and card schemes.
	Recommended	Parameters that are not required to send in your requests, but including them may increase the authentication performance.
	Optional	Parameters that map to a field in the EMVCo Authentication Response (Areq), but are optional to include in your requests.

3D Secure 2 objects

In addition to the regular fields you provide in your payment requests, we recommend that you provide all available information to increase the likelihood of achieving a frictionless flow and a higher authorisation rate.

Some of these objects are mandatory for some issuers and card schemes, and not providing them in your payment request can result in a failed authentication. Some fields have sub-fields where you can, or need to, provide more information.

Object	Required	Description
accountInfo		Shopper account information for 3D Secure 2. See the reference to learn its sub-fields.
authenticationData		Use case: required for certain 3D Secure 2 setups. The data for the 3D secure 2 authentication. See the reference to learn its sub-fields.
billingAddress		The address where to send the invoice. We recommend to include it in your requests when available to improve authentication performance See the reference to learn its required sub-fields.
browserInfo		The shopper's browser information. See the reference to learn its sub-fields and the requirements depending on your integration type.
channel		The platform where a payment transaction takes place. Possible values: Web iOS Android
deliveryAddress		The address where the purchased goods must be delivered. Include this in your request whenever available. See the reference to learn about its required sub-fields.
installments		If you want to split the payment into installments, include this object to specify the installment settings. See the reference to learn about its required sub-fields.
merchantRiskIndicator		Additional risk fields for 3D Secure 2. Include this in your request whenever available. See the reference to learn about its sub-fields.
mpiData		Use case: required if you are making a request to authorize a payment using third-party authentication data from another 3D Secure 2 provider. This is the authentication data produced by a merchant plug-in (MPI). See the reference to learn its required sub-fields.
origin		Use case: required for browser-based (channel: Web) transactions. The origin URL of the page where you are rendering the Drop-in/Component. When this field is not set, or set incorrectly, the 3D Secure 2 action can not be handled correctly. Format: Maximum characters: 80 Do not include subdirectories and a trailing slash. Example: If you are rendering on https://your-company.example.com/checkout/payment, set to https://your-company.example.com.
paymentMethod		The type and required details for a card payment method. See the reference to learn about its required sub-fields.
telephoneNumber		Use case: required for Visa and JCB transactions if you did not include the shopperEmail field. The shopper's phone number. To be more specific, you can use the mobilePhone, homePhone, and workPhone fields in the threeDS2RequestData object. Format: The phone number must include a plus sign (+) and a country code (1-3 digits), followed by the number (4-15 digits). Example: +4912345678901 If the value you provide does not follow the guidelines, we drop the value and do not submit it for authentication.
returnUrl		The URL where the shopper is redirected back to after completing authentication to support cases where the payment is routed to the 3D Secure 2 redirect flow. See our integration guides to learn how to set this URL depending on your platform.
scaExemption		Use case: required if you want to request exemptions through the API request, or when making a Cartes Bancaires transaction. We do not recommend to use this field, because it overrides our exemption logic. The exemption type that you want to request for the particular transaction. Possible values: lowValue secureCorporate trustedBeneficiary transactionRiskAnalysis
shopperEmail		Use case: required for Visa and JCB transactions; if you don't include this, you have to send the phone number in telephoneNumber. We strongly recommend to include the email address for all transactions. The cardholder's email address.
shopperIP		Use case: required for Visa and JCB transactions for all web and mobile integrations. You must include shopperIP for native mobile integrations to support cases where the transaction is routed to the redirect flow. We recommend to include this field for all transactions, because it is used in a number of risk checks. The IP address of the shopper.
socialSecurityNumber		The shopper's CPF or CNPJ number. We strongly recommend that you include this for shoppers in Brazil. Supported from v50 and later of our API.
threeDS2RequestData		Use case: required for certain 3D Secure 2 setups. See the reference to learn about its required sub-fields depending on integration type.

accountInfo

The accountInfo object is not required, but we recommend to include it in your requests to increase the chances of achieving the frictionless flow.

Field	Type	Required	Description
accountAgeIndicator	String		Indicator for the length of time since this shopper account was created. Possible values: notApplicable thisTransaction lessThan30Days from30To60Days moreThan60Days
accountChangeDate	String		Date when the shopper's account was last changed. Format: ISO 8601 YYYY-MM-DDThh:mm:ssTZD Example: 2017-07-17T13:42:40+01:00
accountChangeIndicator	String		Indicator for when the shopper's account was last changed. Possible values: thisTransaction lessThan30Days from30To60Days moreThan60Days
accountCreationDate	String		Date when the shopper's account was created. Format: ISO 8601 YYYY-MM-DDThh:mm:ssTZD Example: 2017-07-17T13:42:40+01:00
accountType	String		The type of the shopper's account. For example, for a multi-account card product. Possible values: notApplicable credit debit
addCardAttemptsDay	Integer		Number of attempts the shopper made to add a card to their account in the last day. Maximum value: 999
passwordChangeDate	String		Date when the shopper last changed their password. Format: ISO 8601 YYYY-MM-DDThh:mm:ssTZD Example: 2017-07-17T13:42:40+01:00
passwordChangeIndicator	String		Indicator for when the shopper's account password was last changed. Possible values: thisTransaction lessThan30Days from30To60Days moreThan60Days
purchasesLast6Months	Integer		Number of purchases in the last 6 months. Maximum value: 9999
pastTransactionsDay	Integer		Number of transactions from this shopper in the past 24 hours. Maximum value: 999
pastTransactionsYear	Integer		Number of transactions from this shopper in the past year. Maximum value: 999
paymentAccountAge	String		Date this payment method was added to the shopper's account. Format: ISO 8601 YYYY-MM-DDThh:mm:ssTZD Example: 2017-07-17T13:42:40+01:00
paymentAccountIndicator	String		Indicator for the length of time since this payment method was added to the shopper's account. Possible values: notApplicable thisTransaction lessThan30Days from30To60Days moreThan60Days
deliveryAddressUsageDate	String		Date when the selected delivery address was first used with the 3DS Requestor. Format: ISO 8601 YYYY-MM-DDThh:mm:ssTZD Example: 2017-07-17T13:42:40+01:00
deliveryAddressUsageIndicator	String		Indicator for when this delivery address was first used with the 3DS Requestor. Possible values: thisTransaction lessThan30Days from30To60Days moreThan60Days
suspiciousActivity	Boolean		Whether suspicious activity was recorded on this account.
homePhone Deprecated in Checkout API v68	String		Use threeDSRequestData.homePhone instead. Shopper's home phone number, including the country code.
mobilePhone Deprecated in Checkout API v68	String		Use threeDSRequestData.mobilePhone instead. Shopper's mobile phone number, including the country code.
workPhone Deprecated in Checkout API v68	String		Use threeDSRequestData.workPhone instead. Shopper's work phone number, including the country code.

Mapping Adyen parameters to EMVCo fields

The Adyen accountInfo parameters map to the EMVCo specifications as follows.

authenticationData

The authenticationData object contains sub-fields that are required to include for certain 3D Secure 2 authentication scenarios.

Field	Type	Required	Description
authenticationOnly	Boolean		Use case: required to trigger the authentication-only flow. When set to true, you only perform the 3D Secure 2 authentication, and will not proceed to the payment authorization. The default value is false.
attemptAuthentication	String		Indicates whether to attempt 3D Secure 2 authentication for a transaction. We do not recommend to use this field. This overrides your Dynamic 3D Secure settings. Possible values: always: attempt 3D Secure 2. never: do not attempt 3D Secure 2. If regulations require authentication, the transaction gets declined.
threeDSRequestData.challengeWindowSize	String		The size of the challenge window displayed to the shopper in the challenge flow. Possible values: 01: ['250px', '400px'] 02: ['390px', '400px'] 03: ['500px', '600px'] 04: ['600px', '400px'] 05: ['100%', '100%']
threeDSRequestData.dataOnly Available on Checkout API v69	String		Use case: required to trigger the data-only flow. When set to true, forces the 3D Secure 2 data-only flow for all transactions where it is possible. If you are using Checkout API v68 or earlier, use the additionalData.threeDSDataOnly field instead.
threeDSRequestData.nativeThreeDS	String		Use case: required to trigger the native flow when using the /payments endpoint, or to trigger the redirect flow when using the /sessions endpoint. Indicates if native 3D Secure 2 should be used when available. Adyen can still select to fallback to the redirect flow to optimize authorization rates and improve the shopper's experience. Possible values: preferred: use native 3D Secure 2 when available. disabled: only use the redirect 3D Secure 2 flow.
threeDSRequestData.threeDSVersion	String		The version of 3D Secure 2 to use. Possible values: 2.1.0 2.2.0

billingAddress

The billingAddress object is not required, but we recommend to include it in your requests when available to improve authentication performance. This object includes some required sub-fields.

When using our Drop-in/Components, the billing address is returned in an event. For example, on web integrations, this is the state.data.billingAddress object from the onSubmit event.

Field	Type	Required	Description
city	String		The name of the city.
country	String		The country code. Format: the two-letter ISO-3166-1 alpha-2 country code. Exception: QZ (Kosovo).
houseNumberOrName	String		The number or name of the house.
postalCode	String		The postal code consisting of a maximum of five digits for an address in the US, or a maximum of ten characters for an address in all other countries/regions.
stateOrProvince	String		Use case: required for addresses in the US and Canada. The state or province code of the billing address as defined in ISO 3166-2. Example: CA in US, or ON in Canada.
street	String		The name of the street.

browserInfo

The sub-fields that you must include in browserInfo depend on your integration type:

• For mobile integrations ( channel: iOS/Android): the acceptHeader, and userAgent sub-fields are required to support cases where the payment is routed to 3D Secure 2 redirect.
• For web integrations ( channel: Web): the full object, except javaScriptEnabled, is required.

Field	Type	Required	Description
acceptHeader	String		The accept header value of the shopper's browser.
colorDepth	Int		Use case: web integrations. The color depth of the shopper's browser in bits per pixel. Use the browser's screen.colorDepth property to obtain the value. Accepted values: 1, 4, 8, 15, 16, 24, 32, or 48 bit.
javaEnabled	Boolean		Use case: web integrations. Boolean value indicating if the shopper's browser is able to execute Java.
javaScriptEnabled	Boolean		Boolean value indicating if the shopper's browser is able to execute JavaScript. If not present, the default value is true.
language	String		Use case: web integrations. The name of the browser language used by the shopper. This is the navigator.language value of the shopper's browser as defined in IETF BCP 47. Examples: nl-NL, fr-FR, en-US.
screenHeight	Int		Use case: web integrations. The pixel height of the shopper's screen.
screenWidth	Int		Use case: web integrations. The pixel width of the shopper's screen.
timeZoneOffset	String		Use case: web integrations. Time difference between UTC time and the shopper's browser local time, in minutes. Example: -120
userAgent	String		The user agent value of the shopper's browser.

deliveryAddress

Include the deliveryAddress object in your request if you want to submit the shopper's delivery address. If you include this object in your request, provide the required fields.

Field	Type	Required	Description
city	String		The name of the city.
country	String		The country code. Format: the two-letter ISO-3166-1 alpha-2 country code. Exception: QZ (Kosovo).
houseNumberOrName	String		The number or name of the house.
postalCode	String		The postal code consisting of a maximum of five digits for an address in the US, or a maximum of ten characters for an address in all other countries/regions.
stateOrProvince	String		Use case: required for addresses in the US and Canada. The state or province code of the billing address as defined in ISO 3166-2. Example: CA in US, or ON in Canada.
street	String		The name of the street.

installments

Include the installments object in your request when you want to split the payment into installments. If you include this object in your request, some sub-fields are required.

Field	Type	Required	Description
value	Integer		The number of installments. For Mexico, the value can be 0, for other countries, the value must be greater than zero. See installment options in supported countries/regions for possible values. Usually, the acquirer sets the maximum allowed number of installments. For example, it may not be possible to split a payment in more than 24 installments.
extra	Integer		The bonus percentage, refund percentage, or if the transaction is completed with a Buy Now Pay Later payment method for transactions processed in Mexico.
plan	String		Use case: required for installments in Japan, and Mexico. The installment plan. Possible values: regular revolving bonus The default value is regular.

merchantRiskIndicator

The merchantRiskIndicator object is not required, but we recommend to include it in your requests to increase the chances of achieving the frictionless flow.

Field	Type	Required	Description
addressMatch	Boolean		Whether the chosen delivery address is identical to the billing address.
deliveryEmail Deprecated in Checkout API v68	String		Use deliveryEmailAddress instead. The delivery email address (for digital goods).
deliveryEmailAddress	String		The delivery email address (for digital goods).
deliveryTimeframe	String		The estimated delivery time for the shopper to receive the goods. Possible values: electronicDelivery sameDayShipping overnightShipping twoOrMoreDaysShipping
giftCardAmount	Integer		For prepaid or gift card purchase, the purchase amount total of prepaid or gift card(s).
giftCardCurr	Integer		For prepaid or gift card purchase, ISO 4217 three-digit currency code of the gift card, other than those listed in Table A.5 of the EMVCo 3D Secure Protocol and Core Functions Specification.
giftCardCount	String		For prepaid or gift card purchase, total count of individual prepaid or gift cards/codes purchased.
preOrderDate	String		For pre-order purchases, the expected date this product will be available to the shopper. Format: ISO 8601 YYYY-MM-DDThh:mm:ssTZD Example: 2017-07-17T13:42:40+01:00
preOrderPurchase	Boolean		Whether this transaction is for pre-ordering a product.
preOrderPurchaseInd	String		Indicates if this transaction is for placing an order for merchandise with a future availability or release date.
reorderItems	Boolean		Whether the shopper has already purchased the same items in the past.
reorderItemsInd	Boolean		Indicates if the he cardholder is reordering previously purchased merchandise.
deliveryAddressIndicator	String		Indicator regarding the delivery address. Possible values: shipToBillingAddress shipToVerifiedAddress shipToNewAddress shipToStore digitalGoods goodsNotShipped other
shipIndicator	String		Indicates the shipping method for the purchase.

Mapping Adyen parameters to EMVCo fields

The Adyen merchantRiskIndicator parameters map to the EMVCo specifications as follows.

mpiData

The mpiData object is required in your authorization requests with Adyen if you use authentication data from a third-party to authorize payments. Get the values from the authentication data produced by a 3D Secure 2 provider. When you make the request to Adyen, include all the fields you receive from the third-party authentication provider.

Field	Type	Required	Description
authenticationResponse	String		The transStatus from the last CRes (Challenge Response) message or in the RReq (Results Request) sent after the shopper completes the challenge. If the transaction was frictionless there is no RReq, so omit this parameter.
cavv	String		The cardholder authentication value (base64 encoded, 20 bytes in a decoded form). This is the authenticationValue returned in the Authentication Response (ARes) for the frictionless flow, or the RReq for the challenge flow.
challengeCancel	String		Indicator informing the Access Control Server (ACS) and the Directory Server (DS) that the authentication has been cancelled. See possible values.
directoryResponse	String		The result of the initial authentication response. This is the transStatus from the ARes.
dsTransID	String		The unique transaction identifier assigned by the Directory Server to identify a single transaction.
eci	String		The electronic commerce indicator (ECI). This is a scheme specific indicator of the authentication result.
riskScore	String		Use case: required for Cartes Bancaires transactions. Risk score calculated by Directory Server (DS).
threeDSVersion	String		The version of 3D Secure 2 used. Possible values: 2.1.0 2.2.0
transStatusReason	String		Provides information on why the transStatus field has the specified value. See possible values.
tokenAuthenticationVerificationValue	String		The network token authentication verification value (TAVV). This is the network token cryptogram.

Possible challengeCancel values

MPI data combinations

When you are using authentication data from a third party to authorize payments with Adyen, you send multiple values you receive to Adyen. You must make sure that the combination of the values you send are aligned with what Adyen expects.

The possible combinations differ for each authentication flow. Cartes Bancaires does not use the ECI value, but it may be returned in some cases.

Mapping Adyen parameters to EMVCo fields

The Adyen mpiData parameters map to the EMVCo specifications as follows.

paymentMethod

The paymentMethod object, and its sub-fields below, are required for 3D Secure 2 transactions. If you are fully PCI compliant you can pass the parameters for raw card data instead.

Field	Type	Required	Description
type	String		Set to scheme.
encryptedCardNumber	String		The encrypted card number.
encryptedExpiryMonth	String		The encrypted card expiry month.
encryptedExpiryYear	String		The encrypted card expiry year.
encryptedSecurityCode	String		The encrypted card verification code.
brand	String		Use case: required for Cartes Bancaires transactions. The secondary brand of the card.
holderName	String		Use case: required for Visa and JCB transactions. The name of the cardholder. We recommend to include this field whenever available for higher authentication rates.
threeDS2SdkVersion	String		Use case: required for native mobile integrations. The 3D Secure 2 mobile SDK version. See our integration guides to learn how you can get the SDK version.

threeDS2RequestData

The threeDS2RequestData object contains additional request fields that are required for certain types of 3D Secure 2 integrations.

Field	Type	Required	Description
acquirerBIN	String		Use case: required if you enrolled for 3D Secure 2 through a different acquirer or PSP and are performing the authentication-only flow. The acquiring BIN enrolled for 3D Secure 2. This string should match the value that you will use in the authorization.
acquirerMerchantID	String		Use case: required if you enrolled for 3D Secure 2 through a different acquirer or PSP and are performing the authentication-only flow. The authorisation merchant ID enrolled for 3D Secure 2. This string should match the value that you will use in the authorization.
addrMatch	String		Indicates if the shipping address and billing address of the shopper match. Possible values: Y: the addresses match. N: the addresses do not match.
challengeIndicator Deprecated in Checkout API v68	String		Use case: required to manually request exemptions to the challenge through the API request, or for Cartes Bancaires transactions. The preference for receiving a challenge from the issuer. Possible values: noPreference requestNoChallenge requestChallenge requestChallengeAsMandate On Checkout API v68 or later, use threeDSRequestorChallengeInd instead.
deviceRenderOptions.sdkInterface	String		Only for app-based integrations. The supported SDK interface types. Defaults to native. Possible values: native html both
deviceRenderOptions.sdkUiType	Array		Only for app-based integrations. The string array of UI types supported for displaying specific challenges. Defaults to all values. Possible values: text singleSelect multiSelect outOfBand otherHtml
mcc	String		Use case: required if you enrolled for 3D Secure 2 through a different acquirer or PSP and are performing the authentication-only flow. The four-digit code with which the acquirerMerchantID is registered at the scheme.
merchantName	String		Use case: required if you enrolled for 3D Secure 2 through a different acquirer or PSP and are performing the authentication-only flow, or if you are enrolled with Adyen, and want to override the merchant name configured on your account. The merchant name that the issuer presents to the shopper if they get a challenge. We recommend to use the same value that you will use in the authorization. Format: Maximum length: 40 characters
messageVersion	String		The 3D Secure 2 protocol version.
notificationURL	String		Use case: required for deviceChannel browser or if you built your own implementation with channel Web. The URL where the Challenge Response value will be sent.
sdkAppID	String		Use case: required for deviceChannel app. The sdkAppID value as received from the 3D Secure 2 SDK.
sdkEncData	String		Use case: required for deviceChannel app. The sdkEncData value as received from the 3D Secure 2 SDK.
sdkEphemPubKey	Object		Use case: required for deviceChannel app. The sdkEphemPubKey value as received from the 3D Secure 2 SDK. This object includes the crv, kty, x, and y.
sdkMaxTimeout	Integer		Only for app-based integrations. The maximum amount of time in minutes for the 3D Secure 2 authentication process. Defaults to 60 minutes.
sdkReferenceNumber	String		Use case: required for app-based integrations. The sdkReferenceNumber value as received from the 3D Secure 2 SDK.
sdkTransID	String		Use case: required for app-based integrations. The sdkTransID value as received from the 3D Secure 2 SDK.
threeDSCompInd	String		The completion indicator for the threeDSMethodUrl fingerprinting.
threeDSRequestorChallengeInd	String		Use case: required if you want to manually request exemptions to the challenge through the API request, or for Cartes Bancaires transactions. Indicates whether a challenge is requested for this transaction. Possible values: 01: no preference 02: no challenge requested 03: challenge requested by the 3D Secure requestor 04: challenge requested due to a mandate 05: no challenge requested due to a performed risk analysis. 06: Data-only flow.
threeDSRequestorID	String		Use case: required for Visa payments if you enrolled for 3D Secure 2 through a different acquirer or PSP and are performing the authentication-only flow. The unique requestor ID assigned by the Directory Server when you enrol for 3D Secure 2.
threeDSRequestorName	String		Use case: required for Visa payments if you enrolled for 3D Secure 2 through a different acquirer or PSP and are performing the authentication-only flow. The unique requestor name assigned by the Directory Server when you enrol for 3D Secure 2.
threeDSRequestorURL	String		The URL of the (customer service) website that will be shown to the shopper in case of technical errors during the 3D Secure 2 process.
transactionType	String		The type of transaction being authenticated. Highly recommended for Brazil. Possible values: goodsOrServicePurchase checkAcceptance accountFunding quasiCashTransaction prepaidActivationAndLoad Supported from v50 and later of Checkout API.
homePhone, workPhone or mobilePhone	String		Use case: required for Visa and JCB payments if you did not include the shopperEmail parameter, and did not provide the phone number in telephoneNumber. A phone number for the shopper. Format: The phone number must include a country code (1-3 digits), followed by the number (4-15 digits). Example: +4912345678901 If the value you provide does not follow the guidelines, we drop the value and do not submit it for authentication.

Challenge flow objects

When the 3D Secure 2 authentication has to go through the fingerprint or challenge flows, you initialize the flows using the following objects. The Component returns the fingerprint or the challengeResult that you need to pass when you submit the authentication result.