Checkout icon

Standalone authentication

Perform the 3D Secure 2 authentication with Adyen and submit the payment authorization later.

Use standalone authentication when you want to separate authentication from authorization. In the standalone authentication flow, you make a payment request that specifies only authentication. When authentication is successfully completed, you receive the 3D Secure 2 authentication data which you can use to authorize the payment with Adyen or another payment service provider (PSP).

Requirements

Before you begin, take into account the following requirements, limitations, and preparations.

Requirement Description
Integration type Make sure that you have built an online payments integration that uses the Advanced flow.
API credential roles You need an API credential with an API key and the Checkout webservice role.
Webhooks Subscribe to Standard webhooks, and enable the non-default AUTHENTICATION event code.
Limitations You cannot trigger standalone authentication with the /sessions endpoint or with Hosted Checkout.
Setup steps Before you begin:

How it works

With standalone authentication, you perform the 3D Secure 2 authentication independently of the payment authorization flow.

  1. Make a payment request, where you use the authenticationOnly parameter to specify that the request is only for performing authentication.
  2. In the /payments response, use the action object to determine the authentication flow you need to perform.
  3. Perform the required authentication flow.
  4. Get the 3D Secure 2 authentication data.
  5. Use the authentication data to authorize the payment with Adyen, or with another PSP or acquirer.

Keep in mind that authentication data is valid for a different time period for each scheme, and you can not use it after it expires.

Make a payment request for authentication

A payment request to perform standalone authentication is similar to making a /payments request for a payment authorization with your standard 3D Secure 2 integration. You add the authenticationOnly parameter to specify that you only want to authenticate the shopper.

To perform standalone authentication:

  1. In your POST /payments request, specify:

    Parameter Required Description
    paymentMethod Required Object that contains the shopper's card information from your front end or client app. Make sure that you:
    • Include the encrypted, or if you are fully PCI compliant, unecrypted card details.
    • For co-badged cards, set the brand to the scheme that you want to authenticate with.
    • For Visa and JCB transactions, include the holderName.
    channel Required Specify the platform that you are using.
    Possible values:
    • Web
    • iOS
    • Android
    authenticationOnly Required Set to true to trigger the standalone authentication flow.
    nativeThreeDS Conditionally required Use case: if you have a native 3D Secure integration.
    Set to preferred to indicate that the native flow should be triggered when available.
    browserInfo Required Object that contains information about the shopper's browser. The sub-fields that you must include in browserInfo depend on your integration type:
    • For mobile integrations ( channel: iOS/Android): the acceptHeader, and userAgent sub-fields are required to support cases where the payment is routed to 3D Secure 2 redirect.
    • For web integrations ( channel: Web): the full object, except javaScriptEnabled, is required.
    returnUrl The URL where the shopper is redirected back to after completing authentication to support cases where the payment is routed to the 3D Secure 2 redirect flow. See our integration guides to learn how to set this URL depending on your platform.
    origin Conditionally required Use case: required for browser-based (channel: Web) transactions.
    The origin URL of the page where you are rendering the Drop-in/Component. When this field is not set, or set incorrectly, the 3D Secure 2 action can not be handled correctly.
    Format:
    • Maximum characters: 80
    • Do not include subdirectories and a trailing slash.
    Example: If you are rendering on https://your-company.example.com/checkout/payment, set to https://your-company.example.com.
    shopperIP Conditionally required Use case: required for browser-based (channel: Web) transactions.
    The shopper's IP address. Required for channel web.
    billingAddress Recommended The shopper's billing address.
    shopperEmail Conditionally required Use case: required for Visa and JCB transactions.
    The cardholder's email address. If you do not include this, you must send the telephoneNumber, or a phone number in the threeDS2RequestData object.
    telephoneNumber Conditionally required Use case: required for Visa and JCB transactions if you did not include the shopperEmail field.
    The shopper's phone number. To be more specific, you can use the mobilePhone, homePhone, and workPhone fields in the threeDS2RequestData object.
    Format: The phone number must include a plus sign (+) and a country code (1-3 digits), followed by the number (4-15 digits).
    Example: +4912345678901
    If the value you provide does not follow the guidelines, we drop the value and do not submit it for authentication.

    This is the required icon. Required for all transactions.
    This is the conditionally required icon. Required for particular setups, or issuers and card schemes.
    This is the recommended icon. Recommended for all transactions, but not required.

    We recommend that you do the following to prevent authorization refusals:

  2. In the /payments response, check the resultCode:

    • If the result code is AuthenticationNotRequired , You can proceed to authorize the payment with Adyen by making a standard /payments request, or with another PSP or acquirer.

    • If you get a 3D Secure 2 authentication result code, proceed to perform the authentication.

      resultCode
      Description
      Action to take
      ChallengeShopper The issuer requires authentication from the shopper, for example through facial recognition or entering a code received on their phone. Initiate the challenge flow to present the challenge to the shopper, and submit the result to Adyen.
      IdentifyShopper The issuer requires authentication from the device the shopper is using. Initiate the frictionless flow to get the shopper's device fingerprint, and submit the result to Adyen.
      RedirectShopper The issuer requires the shopper to provide authentication in an an external web page or app. Redirect the shopper to complete the authentication.

If you authorize the payment that you authenticate with Adyen with a different PSP, it is recommended to include additional acquirer-related data. Get the following details from your acquirer. These details are part of the 3D Secure 2 enrollment process between your acquirer and card schemes.

If you are unable to get these details from your acquirer, contact our Support Team.

Acquirer data Description
acquirerBIN The acquiring BIN enrolled for 3D Secure 2. This string should match the value that you will use in the authorization.
If you are building a test integration, you can use the string 123456 in place of an actual acquirerBIN.
acquirerMerchantID The authorization merchant ID enrolled for 3D Secure 2. This string should match the value that you will use in the authorization.
If you are building a test integration, you can use the string 123456 in place of an actual acquirerMerchantID.
mcc The four-digit Merchant Category Code registered with the scheme for the same acquirerMerchantID sent in the request.
merchantName The merchant name that the issuer presents to the shopper if they get a challenge. We recommend to use the same value that you will use in the authorization.
Format: Maximum 40 characters.
threeDSRequestorID Required for Visa and Mastercard. The unique requestor ID assigned by the Directory Server when you enroll for 3D Secure 2.
threeDSRequestorName Required for Visa and Mastercard. The unique requestor name assigned by the Directory Server when you enrol for 3D Secure 2.

Make a POST /payments request containing the parameters required for the standalone authentication, together with the acquirer data listed above.

Perform the authentication

  1. In the /payments response, you receive action.type: ThreeDS2. Use the action.subtype object to determine your next steps. The way to handle the action object for the standalone authentication flow is the same as handling it for your native or redirect 3D Secure implementation.

  2. When authentication is completed, submit the authentication result in a /payments/details request, including authenticationData.authenticationOnly: true.
    Below is an example /payments/details request:

  3. In the /payments/details response, check the following fields:

    • resultCode: If the authentication process has finished, you receive AuthenticationFinished. If an error occurs during the authentication flow, and the authentication process is not completed, you receive Refused.
    • threeDS2Result: The object that contains the authentication data that you need to authorize the payment following a successful authentication.
    • threeDS2Result.transStatus: Indicates the result of the authentication. The value Y means that authentication is successful.

      If the authentication went through the redirect flow, the result of the authentication is in additionalData.threeDAuthenticatedResponse.

Get the 3D Secure 2 authentication data

After a successful authentication, you get a resultCode with the value of AuthenticationFinished in the /payments/details response. The response contains threeDS2Result object, that contains the authentication data produced by a Merchant Plug-in (MPI).

Some schemes do not provide all fields; the Applies to column shows which schemes provide each field.

Parameter Applies to Description
authenticationValue All schemes The value for the 3D Secure 2 authentication session. The returned value is a Base64-encoded 20- or 21-byte array.
Example: AQIDBAUGBwgJCgsMDQ4PEBESExQ=
eci All schemes The Electronic Commerce Indicator returned from the schemes for the 3D Secure 2 payment session.
Example: 02
threeDSServerTransID All schemes The unique identifier assigned by the 3D Secure 2 server.
transStatus All schemes Indicates whether a transaction was authenticated, or whether additional verification is required. Possible values:
  • Y: Authentication / account verification successful.
  • I: Authentication / exemption granted by Issuer.
  • N: Not Authenticated / account not verified. Transaction denied.
  • U: Authentication / account verification could not be performed.
  • A: Authentication / verification was attempted but could not be verified.
  • C: Challenge Required. Additional authentication is required using a Challenge.
  • R: Authentication / account verification rejected by the Issuer.
This field is called 3DS challenged in your Customer Area.
dsTransID All schemes The unique transaction identifier assigned by the Directory Server (DS) to identify a single transaction.
transStatusReason All schemes Provides information on why the transStatus field has the specified value. See possible values.
challengeCancel Cartes Bancaires The indicator informing the Access Control Server (ACS) and the DS that the authentication has been cancelled. See the API reference for possible values.
threeDSRequestorChallengeInd Cartes Bancaires Indicates whether a challenge is requested for this transaction.
  • 01: No preference
  • 02: No challenge requested
  • 03: Challenge requested (3DS Requestor preference)
  • 04: Challenge requested (Mandate)
  • 05: No challenge (transactional risk analysis is already performed)
  • 06: Data Only
exemptionIndicator Cartes Bancaires If an exemption was applied by the issuer to the authentication, indicates the exemption type. Possible values:
  • lowValue
  • secureCorporate
  • trustedBeneficiary
  • transactionRiskAnalysis
riskScore Cartes Bancaires The risk score calculated by the Cartes Bancaires DS.

Some of these fields are also returned in the threeDAuthenticatedResponse object, but we recommend to use the threeDS2Result object.

transStatusReason value Scheme Description
01 All Card authentication failed.
02 All Unknown device.
03 All Unsupported device.
04 All Exceeds authentication frequency limit.
05 All Expired card.
06 All Invalid card number.
07 All Invalid transaction.
08 All No card record.
09 All Security failure.
10 All Stolen card.
11 All Suspected fraud.
12 All Transaction not permitted for cardholder.
13 All Cardholder not enrolled in service.
14 All Transaction timed out at ACS.
15 All Low confidence.
16 All Medium confidence.
17 All High confidence.
18 All Very high confidence.
19 All Exceeds ACS maximum challenges.
20 All Non-payment transaction not supported.
21 All 3RI transaction not supported.
22 All ACS technical issue.
23 All Decoupled Authentication required by ACS but not requested by 3DS Requestor.
24 All 3DS Requestor decoupled max expiry time exceeded.
25 All Decoupled Authentication was provided insufficient time to authenticate cardholder. ACS will not make attempt.
26 All Authentication attempted but not performed by the cardholder.
80 Visa Error connecting to ACS.
80 Mastercard Returned on all Data Only authentications.
80 American Express Safekey is not available for this type of card.
81 Visa ACS timed out.
81 Mastercard Challenge exemption accepted.
82 Visa Invalid response from ACS.
82 Mastercard Challenge Mandate requested but could not be performed.
83 Mastercard, Visa System Error response from ACS.
84 Mastercard, Visa Internal error while generating CAVV.
85 Visa VMID not eligible for requested program.
86 Visa Protocol version not supported by ACS
87 Visa Transaction is excluded from Attempts Processing (includes non- reloadable pre-paid cards and non-payments (NPA)).
88 Visa Requested program not supported by ACS.

Authorize the payment

Use the 3D Secure 2 authentication produced by the MPI to authorize the payment with Adyen, or with another PSP. For information on authorizing with other PSPs, refer to their documentation.

For payment authorizations, keep the following in mind:

  • You cannot reuse the authentication data across PSPs. For example, if you send a request to authorize the payment using the data to a PSP and it fails, you can not pass the same data to another PSP.
  • Make sure to use the authentication data before it expires.

Authorize the payment with Adyen

To authorize the payment with Adyen, make a POST  /payments request, including:

  1. The standard parameters required to make a payment. Make sure to pass the scheme that authenticated the transaction in the paymentMethod.brand object for co-badged cards.
  2. The authentication data you received in the threeDS2Result object of the /payments/details response. Send this data in the mpiData object. The fields you need to send in your request map to the threeDS2Result fields as shown in the table below.
  3. For Cartes Bancaires, include the required additional fields from the additionalData and the threeDS2RequestData objects. It is possible that you do not receive all Cartes Bancaires fields for each transaction, these fields are only required when they are returned in the /payments/details response that contains the authentication data.
Parameter Parameter in threeDS2Result Schemes
mpiData.authenticationResponse transStatus All
mpiData.directoryResponse transStatus All
mpiData.cavv authenticationValue All
mpiData.dsTransID dsTransID All
mpiData.eci eci All
mpiData.threeDSVersion messageVersion All
mpiData.challengeCancel challengeCancel Cartes Bancaires
mpiData.riskScore riskScore Cartes Bancaires
threeDS2RequestData.threeDSRequestorChallengeInd threeDSRequestorChallengeInd Cartes Bancaires
additionalData.scaExemption exemptionIndicator Cartes Bancaires
additionalData.acquirerCode - Cartes Bancaires.
Set to AdyenCartesBancaires.

You will receive an  Authorised resultCode if the payment authorization was successful. See  Result codes for a complete list of possible responses.

Authentication data expiry

Authentication data and cryptograms expire depending on card schemes. This means that you can no longer use the authentication data after it expires.

Card scheme Cryptogram validity
Amex 45 days
CUP 90 days
Mastercard 95 days
Visa 90 days

Authentication not required reasons

You get an AuthenticationNotRequired result code in the /payments response when a transaction doesn't require 3D Secure authentication. If you get this code, you can proceed with the standard payment flow with Adyen, or another PSP.

Below is the list of possible authenticationNotRequiredReason values:

Value Description
MerchantInitiatedTransaction The payment is a subsequent transaction initiated by the merchant. The initial payment has gone through SCA and the shopper has agreed to subsequent merchant-initiated transactions.
MOTO Mail order and telephone order (MOTO) transactions are not electronic payments. They do not require SCA.
POS The point-of-sale payment is made with a secure payment terminal. SCA applies to online payments where the shopper is not present.
AcquirerNotInEEA The business is not located in the EEA, Monaco, or the UK.
IssuerNotInEEA The issuer is not located in the EEA, Monaco, or the UK.
NonFinancial Zero-value authorizations do not require SCA.
No matching 3ds configuration Check the required parameters for your 3D Secure request to make sure they are correct.
Card not enrolled for 3DS The card used for the transaction is not enrolled in 3D Secure.

Testing

Use our Testing 3D Secure 2 authentication guide to test your integration.

In this flow, you receive an AUTHENTICATION webhook that informs you of the outcome of the authentication.

See also