Menu

Important: Test values have changed in API version v3 of 3DS. Go here for thev1 & v2 test values.

3DS Testing

API v3
Last updated January 2024

Test your 3DS integration on the Try environment using the magic values provided below. Send requests and see simulated responses.

For theAndroid/iOS SDK, the environment must be set to CardinalEnvironment.STAGING as part of the CardinalConfigurationParameters to use the test values on the Access Try environment.

Tokens

If you're creating tokens containing the test card numbers you must delete the token before creating another with the same PAN. You are prevented from creating another token using the same PAN. As an alternative, you can also change the namespace used as part of the token creation.

Liability shift

Liability shift is confirmed on payment authorization. Thetest card numbertables show the different scenarios and the likely liability shift based on the authentication details provided (e.g. authenticationValue, eci, transactionId).

Test Card Number

Use different card numbers to alter the 3DS authentication outcome.

Important: Do not mix the old test values used for API v1/v2 with the new ones for API v3 or you will get unexpected scenario outcomes. Set the cardHolderName to any other value e.g. Bob Smith

Important: Always use a test card number from the tables below. Using a number not listed will result in the challenge failing to load for both web and SDK.

Common Issues

IssueCause
Mobile SDK: challenge page fails to load, producing one of the following errors
  • Android SDK returns: 20606 (Payload Validation failed)
  • Invalid Signature. Your request contains an invalid signature.
  • You must use version 3 of the API with the mobile SDK on Try and ensure you use the updated test card values below.
  • You cannot use a made up card number. You must use a test card value below or the challenge will not display correctly.
Web Integration: challenge page fails to load
  • Ensure you're using the correct API version and Test values. API version 3 uses the card numbers below. APIversion 1&2use the cardholder name.
  • You cannot use a made up card number. You must use a test card value below or the challenge will not display correctly.
Issuer Challenge page fails to load on live (400 response)
  • You have 30 seconds to submit the challenge form (using the JWT) before it expires. On the Try environment this is 10 minutes.

3DS2

Test ScenarioDescriptionTest ValuesAuthentication outcomeVerification outcomeLiability shiftAction
Successful Authentication (Frictionless)
  • Visa: 4000000000001000
  • Mastercard: 5200000000001005
  • AMEX: 340000000001007
authenticatedN/AYesApply authentication object in payment request, proceed with payment authorization
Failed Frictionless Authentication
  • Visa: 4000000000001018
  • Mastercard: 5200000000001013
  • AMEX: 340000000001015
authenticationFailedN/ANoDo not proceed with payment authorization. Either retry 3DS or prompt for another form of payment.
Attempts Stand-In Frictionless AuthenticationCardholder is enrolled in 3DS but the issuer does not support. This results in the issuer stand-in for the authentication
  • Visa: 4000000000001026
  • Mastercard: 5200000000001021
  • AMEX: 340000000001023
authenticatedN/AYesApply authentication object in payment request, proceed with payment authorization
Authentication Unavailable (issuer)Cardholder is enrolled but authentication is unavailable
  • Visa: 4000000000001034
  • Mastercard: 5200000000001039
  • AMEX: 340000000001031
unavailableN/ANoProceed as non-authenticated transaction or retry authentication request
Authentication RejectedAuthentication rejected by the issuer, no challenge is offered
  • Visa: 4000000000001042
  • Mastercard: 5200000000001047
  • AMEX: 340000000001049
authenticationFailedN/ANoDo not proceed with payment authorization. Either retry 3DS or prompt for another form of payment.
Authentication Unavailable (system error)Authentication rejected by the issuer, no challenge is offered
  • Visa: 4000000000001059
  • Mastercard: 5200000000001054
  • AMEX: 340000000001056
unavailableN/ANoProceed as non-authenticated transaction or retry authentication request
Authentication ErrorError whilst attempting authentication
  • Visa: 4000000000001067
  • Mastercard: 5200000000001062
  • AMEX: 340000000001064
unavailableN/ANoProceed as non-authenticated transaction or retry authentication request
Authentication TimeoutTimeout during the authentication request
  • Visa: 4000000000001075
  • Mastercard: 5200000000001070
  • AMEX: 340000000001072
unavailableN/ANoProceed as non-authenticated transaction or retry authentication request
Successful Authentication (Challenged)Issuer prompts a challenge in authentication, customer responds successfully
  • Visa: 4000000000001091
  • Mastercard: 5200000000001096
  • AMEX: 340000000001098
challengedauthenticatedYesApply authentication object in payment request, proceed with payment authorization
Failed Challenged AuthenticationIssuer prompts a challenge in authentication, customer responds with incorrect details (e.g. OTP, fingerprint etc)
  • Visa: 4000000000001109
  • Mastercard: 5200000000001104
  • AMEX: 340000000001106
challengedauthenticationFailedNoDo not proceed with payment authorization. Either retry 3DS or prompt for another form of payment.
Verification UnavailableAuthentication data following a challenge cannot be retrieved
  • Visa: 4000000000001117
  • Mastercard: 5200000000001112
  • AMEX: 340000000001114
challengedunavailableNoProceed as non-authenticated transaction or retry verification request
Verification ErrorError whilst attempting verification
  • Visa: 4000000000001125
  • Mastercard: 5200000000001120
  • AMEX: 340000000001122
challengedunavailableNoProceed as non-authenticated transaction or retry verification request
BypassBypass the consumer authentication flow via Cardinal Rules Engine configuration. Returned if 3DS premium is enabled or when there is a timeout connecting to the 3DS directory server.
  • Visa: 4000000000001083
  • Mastercard: 5200000000001088
  • AMEX: 340000000001080
bypassedN/ANoProceed as non-authenticated transaction

3DS1

3DS1 has been largely decommissioned and now only applies to a small number of countries:

  • Visa: Bangladesh, Bhutan, Maldives, Nepal, India, Sri Lanka (domestic) - Ending Oct 12th 2023
  • Mastercard: India and Bangladesh (domestic and cross boarder) - Ending Oct 3rd 2023
  • AMEX: India - Ending Oct 13th 2023

3DS1 test cases are now disabled by default and will only return an 'unavailable' response.