Data-only flow

In a regular 3D Secure 2 flow, the payment has to be authenticated by the issuer before it can be authorized. In a data-only flow, you use the same 3D Secure 2 infrastructure, but only to share shopper data with Visa or Mastercard directly. The card schemes then handle the risk evaluation and the authentication with the issuer. The data-only flow is particularly useful outside PSD2 SCA regulated markets.

Requirements

How it works

When you send a data-only request, Adyen sends it directly to Visa or Mastercard. The card schemes then handle the authentication request with the issuer, and include their risk evaluation in the authorization message. The issuer uses the risk evaluation data to improve their decision when authorizing a payment.

Because this flow only shares data, shoppers will not be presented with a 3D Secure 2 challenge. This also means that there is no liability shift for the data-only flow.

Use the Authentication Engine

We recommend using our Authentication Engine to make optimal use of the data-only flow, including Visa's Digital Commerce Authentication Program. The Authentication Engine is included when you set up your native or redirect 3D Secure 2 integration with Adyen. Based on issuer readiness and performance uplift, the engine can make the best decision on when to use the data-only flow.

Make a data-only payment request

When you use the native or redirect 3D Secure 2 integration for Web, iOS or Android, the Authentication Engine will decide if the data-only flow is triggered. No further action is required on your side.

To optimize the engine and to help the card schemes and the issuers make better risk assessments, collect and submit as many of the following recommended fields as possible in your payment request:

• shopperIP
• paymentMethod.holderName
• shopperEmail
• billingAddress
• deliveryAddress (if available)
• threeDS2requestData.homePhone, threeDS2requestData.mobilePhone or threeDS2requestData.workPhone

The 3D Secure 2 API reference has more information about these fields.

If you are processing Visa transactions in the United States or Canada, make sure that you review the DCAP section below.

If you want to force the data-only flow, or if you have built an API-only integration that uses our 3D Secure 2 component, make a POST /payments request containing the 3D Secure 2 fields and the following:

• additionalData.threeDS2DataOnly: true. This forces the 3D Secure 2 data-only flow for all transactions where this flow is possible.
• For a better shopper experience, we recommend using specific 3D Secure 2 values. Depending on your integration:
  • Checkout API v68 or earlier: include allow3DS2: true.
  • Checkout API v69 or later: include nativeThreeDS: preferred.

Check the resultCode included in the /payments response. If the resultCode is Authorised, inform the shopper that the payment was successful.

Visa's Digital Commerce Authentication Program (DCAP)

DCAP is a Visa program that aims to enhance the security and authorization rates of Card Not Present transactions by using the 3D Secure data-only flow to share more data with issuers. Visa offers interchange fee discounts for this data.

We recommend that you use Adyen's Authentication Engine to optimize your interchange discounts with DCAP. We do not recommend that you apply the data-only flow for all transactions, as this can lower your authorization rates with some issuers.

Visa requires you send all the following fields to qualify for DCAP interchange discounts:

• shopperIP
• shopperEmail
• billingAddress: Include all billing address fields.
• deviceFingerprint: Send a device fingerprint to identify the shopper's device.

Test the data-only flow

Use the test card below to try the 3D Secure 2 data-only flow. Testing is only available for Mastercard.

See also