**Last updated**: 14 November 2025 | [**Change log**](/products/payments/changelog/)

# Testing

Test your Payments API integration in the Try environment using a combination of cardholder and card number test values. Send requests and see simulated responses.

As you can enable features such as 3DS, FraudSight or auto settlement, the outcome of the scenarios below changes based on the configuration you have in place.

**Using Worldpay Tokens**

If you're creating tokens containing the test card numbers, you must delete the token before creating another with the same PAN. You are prevented from creating another token using the same PAN. As an alternative, you can also change the `tokenCreation.namespace` used as part of the token creation.

## Test scenarios

**Payment only**

- To simulate the different values (e.g. cvc, avs, response code) the issuer can return in the payment response, see [Issuer Response Test Values](#issuer-response-test-values).
- All unknown `cardHolderName` values (e.g. Bob) treat the payment as `authorized` by default.

| **Test scenario** | **Description** | **cardHolderName** | **cardNumber** | **Outcomes** |
| --- | --- | --- | --- | --- |
| **Authorized** | Authorized by issuer | `AUTHORISED` | Visa: `4000000000002701`; Mastercard: `5200000000002235`; AMEX: `340000000002708`; Discover/Diners: `6011000000002117`; JCB: `3338000000000296`; Cartes Bancaires (Visa): `4000000000004970` | `authorized` or `sentForSettlement` (if [settlement.auto](/products/payments/enable-features/auto-settlement) is enabled) |
| **Refused** | Refused by issuer | `REFUSED` ([full list of refusal test values](#issuer-response-test-values)) | Visa: `4000000000002701`; Mastercard: `5200000000002235`; AMEX: `340000000002708`; Discover/Diners: `6011000000002117`; JCB: `3338000000000296`; Cartes Bancaires (Visa): `4000000000004970` | `refused` |

**3DS**

- All FraudSight assessments are `lowRisk` for the below scenarios
- All payment outcomes are `authorized` unless 3DS prevents the payment progressing
- You can swap the `cardHolderName` to `REFUSED` to see a successful 3DS authentication that is still refused by the issuer

| **Test scenario** | **Description** | **cardHolderName** | **cardNumber** | **Outcomes** |
| --- | --- | --- | --- | --- |
| **Successful frictionless 3DS** | Issuer assessment resulted in a frictionless 3DS authentication | `AUTHORISED` | Visa: `4000000000002701`; Mastercard: `5200000000002235`; AMEX: `340000000002708`; Discover/Diners: `6011000000002117`; JCB: `3338000000000296`; Cartes Bancaires: supported but not testable yet | 1. `3dsDeviceDataRequired`; 2. `authorized` or `sentForSettlement` (if [settlement.auto](/products/payments/enable-features/auto-settlement) is enabled) |
| **Successful 3DS challenge** | Issuer prompts a challenge in authentication, customer responds successfully | `AUTHORISED` | Visa: `4000000000002503`; Mastercard: `5200000000002151`; AMEX: `340000000002534`; Discover/Diners: `6011000000002265`; JCB: `3338000000000569`; Cartes Bancaires: supported but not testable yet | 1. `3dsDeviceDataRequired`; 2. `3dsChallenged`; 3. `authorized` or `sentForSettlement` (if [settlement.auto](/products/payments/enable-features/auto-settlement) is enabled) |
| **Failed frictionless 3DS authentication (request `/3dsDeviceData`)** | Issuer failed the 3DS authentication without offering a challenge | `Bob` - not important for this scenario | Visa: `4000000000002925`; Mastercard: `5200000000002276`; AMEX: `340000000002096`; Discover/Diners: `6011000000002364`; JCB: `3338000000000361`; Cartes Bancaires (Visa): `4000000000004574`; Cartes Bancaires (Mastercard): `5200000000004538` | 1. `3dsDeviceDataRequired`; 2. `3dsAuthenticationFailed` |
| **Failed challenged 3DS authentication (request `/3dsChallenges`)** | Issuer prompts a challenge in authentication, customer responds with incorrect details (e.g. OTP, fingerprint etc.) | `Bob` - not important for this scenario | Visa: `4000000000002370`; Mastercard: `5200000000002490`; AMEX: `340000000002237`; Discover/Diners: `6011000000002695`; JCB: `3338000000000874`; Cartes Bancaires (Visa): `4000000000004293`; Cartes Bancaires (Mastercard): `5200000000004041` | 1. `3dsDeviceDataRequired`; 2. `3dsChallenged`; 3. `3dsAuthenticationFailed` |
| **3DS unavailable when attempting authentication (request `/3dsDeviceData`)** | Initial 3DS authentication not available due to downstream system error | `Bob` - not important for this scenario | Visa: `4000000000002990`; Mastercard: `5200000000002409`; AMEX: `340000000002468`; Discover/Diners: `6011000000002836`; JCB: `3338000000000940`; Cartes Bancaires (Visa): `4000000000004285`; Cartes Bancaires (Mastercard): `5200000000004090` | 1. `3dsDeviceDataRequired`; 2. `3dsUnavailable` |
| **3DS timeout / authentication outage (request `/3dsDeviceData`)** | Timeout during the authentication request downstream (e.g. Visa/Mastercard/ACS provider). Outcome will vary if `authenticationOutage` is enabled. | `Bob` - not important for this scenario | Visa: `4000000000002354`; Mastercard: `5200000000002326`; AMEX: `340000000002047`; Discover/Diners: `6011000000002869`; JCB: `3338000000000577` | 1. `3dsDeviceDataRequired`; 2. `3dsUnavailable` -- OR -- if [authenticationOutage](/products/payments/enable-features/3ds-authentication/web#6.-outcome-details) is enabled, `authorized` or `sentForSettlement` |
| **3DS bypassed (request `/3dsDeviceData`)** | Bypass the 3DS flow via Cardinal Rules Engine configuration. Returned if 3DS premium is enabled | `Bob` - not important for this scenario | Visa: `4000000000002560`; Mastercard: `5200000000002508`; AMEX: `340000000002948`; Discover/Diners: `6011000000002976`; JCB: `3338000000000122`; Cartes Bancaires (Visa): `4000000000004640`; Cartes Bancaires (Mastercard): `5200000000004124` | 1. `3dsDeviceDataRequired`; 2. `authorized` or `sentForSettlement` (if [settlement.auto](/products/payments/enable-features/auto-settlement) is enabled) |

## Common issues

| **Issue** | **Cause** |
| --- | --- |
| Web integration: challenge page fails to load --OR-- Mobile SDK: challenge page fails to load, producing one of the following errors: Android SDK returns `20606 (Payload Validation failed)`; `Invalid Signature. Your request contains an invalid signature.` | You must use a test card value above (for a challenge scenario) or the challenge will not display correctly. |
| Issuer Challenge page fails to load on live (400 response) | You have 30 seconds to submit the challenge form (using the JWT) before it expires. On the Try environment this is 10 minutes. |

## 3DS test forms

Quickly test the frontend/client-side steps in the 3DS integration using the forms below:

### Test device data form

The form below allows you to submit the 3DS device data details provided in the API response and receive the `sessionId`/`collectionReference` back for use in the `/3dsDeviceData` request. This is useful if using tools such as Postman/Insomnia to test your integration.

Access 3ds - Device Data Collection form

### Test challenge form

The form below allows you to submit the 3DS challenge details provided in the API response and display the issuer challenge. This is useful if using tools such as Postman/Insomnia to test your integration.

Access 3ds - Device Data Collection form

**FraudSight**

- If enabled, all 3DS authentications are `successful frictionless 3DS` for the below scenarios
- All payment outcomes are `authorized` unless FraudSight prevents the payment progressing that far (e.g. highRisk)
- If `fraud.silentMode` is set to `true`:
  - a payment attempt is made regardless of the FraudSight outcome
  - `fraud.outcome` adds a `(silentMode)` suffix, e.g. `lowRisk(silentMode)`

| **Test scenario** | **Description** | **cardHolderName** | **cardNumber** | **Outcomes** |
| --- | --- | --- | --- | --- |
| **highRisk** | FraudSight flags the payment as highRisk and stops it from proceeding | `fs-highRisk` | Visa: `4000000000002701`; Mastercard: `5200000000002235`; AMEX: `340000000002708`; Discover/Diners: `6011000000002117`; JCB: `3338000000000296`; Cartes Bancaires (Visa): `4000000000004970` | `fraudHighRisk`; if `fraud.silentMode` is set to `true`, the outcome `authorized` or `sentForSettlement` is returned as the outcome is ignored |
| **review** | The assessment score is high enough to prompt a manual check but does not prevent the payment from proceeding. This only applies if your risk threshold levels are set up to use `review` | `fs-review` | Visa: `4000000000002701`; Mastercard: `5200000000002235`; AMEX: `340000000002708`; Discover/Diners: `6011000000002117`; JCB: `3338000000000296`; Cartes Bancaires (Visa): `4000000000004970` | `authorized` or `sentForSettlement` (if [settlement.auto](/products/payments/enable-features/auto-settlement) is enabled) |
| **lowRisk** | The assessment score is low enough to return a lowRisk outcome, the payment proceeds | `fs-lowRisk` (**default behavior for any other value**) | Visa: `4000000000002701`; Mastercard: `5200000000002235`; AMEX: `340000000002708`; Discover/Diners: `6011000000002117`; JCB: `3338000000000296`; Cartes Bancaires (Visa): `4000000000004970` | `authorized` or `sentForSettlement` (if [settlement.auto](/products/payments/enable-features/auto-settlement) is enabled) |

**SCA Exemptions**

If you are not configured for SCA exemptions, you will see `"result": "rejected"` and `"reason": "notSubscribed"` in the response exemption object.

| **Test scenario** | **Description** | **cardHolderName** | **cardNumber** | **Outcomes** |
| --- | --- | --- | --- | --- |
| **`authorization / lowRisk` - Exemption is granted and honored** | A lowRisk exemption in authorization is **granted**. It is then placed in authorization where it is **honored**. | `ex-exemption-lowRisk-authorization` | Visa: `4000000000002701`; Mastercard: `5200000000002235` | `"exemption": { "granted": true, "placement": "authorization", "type": "lowRisk", "result": "honored", "reason": "issuerHonored" }` |
| **`authorization lowValue` Exemption is granted and honored** | A lowValue exemption in authorization is **granted**. It is then placed in authorization where it is **honored**. | `ex-exemption-lowValue-authorization` | Visa: `4000000000002701`; Mastercard: `5200000000002235` | `"exemption": { "granted": true, "placement": "authorization", "type": "lowValue", "result": "honored", "reason": "issuerHonored" }` |
| **`authentication lowRisk` Exemption is granted, 3DS authentication is run and it is honored** | A lowRisk exemption in authentication is **granted**. 3DS authentication is submitted where the `threeDS.challenge.preference` is automatically set to `noChallengeRequestedTRAPerformed`. The issuer respects the 3DS preference flag (`"status": "I"` in response). It is then placed in authorization where it is **honored**. | `ex-exemption-lowRisk-authentication` | Visa: `4000000000002024`; Mastercard: `5200000000002052` | `"threeDS": { "outcome": "authenticated", "issuerResponse": "frictionless", "version": "2.2.0", "eci": "07", "acsTransactionId": "59e034b9-32c0-4d94-8b75-2ba606a7d00f", "dsTransactionId": "86147c1c-fe22-40b9-8069-9786b2227ee8", "status": "I", "challengePreference": "noChallengeRequestedTRAPerformed" }, "exemption": { "granted": true, "placement": "authentication", "type": "lowRisk", "result": "honored", "reason": "issuerHonored" }` |
| **Exemption is granted and payment is soft declined. Flow continues with 3DS and authorization is retried** | An exemption in authorization is **granted**. It is then placed in payment where it is **soft declined**. The customer is 3DS authenticated and the payment is successful. | There is no specific test value for this flow yet. The flow is identical to supporting 3DS (see 3DS testing tab) | | `"exemption": { "granted": true, "placement": "authorization", "type": "lowRisk", "result": "rejected", "reason": "issuerRejected" }` |
| **Exemption is not granted and payment is refused** | An exemption is **requested but not granted**. The customer is 3DS authenticated and the payment is refused. | `REFUSED5` | Visa: `4000000000002701`; Mastercard: `5200000000002235` | `"exemption": { "granted": false }` |
| **Exemption is not granted and payment is successful** | An exemption in authorization is **requested but not granted**. The customer is 3DS authenticated and the payment is successful. | **default behavior for any other value**, e.g. `ex-noExemption`, `Sherlock Holmes` | Visa: `4000000000002701`; Mastercard: `5200000000002235` | `"exemption": { "granted": false }` |

## Issuer response test values

**Issuer response**

Input these magic values in your `paymentInstrument.cardHolderName` parameter.

| Magic value | Result code | Result description |
| --- | --- | --- |
| AUTHORISED | N/A | AUTHORISED |
| ERROR | N/A | ERROR |
| REFUSED | N/A | REFUSED |
| REFUSED4 | 4 | HOLD CARD |
| REFUSED5 | 5 | REFUSED |
| REFUSED8 | 8 | APPROVE AFTER IDENTIFICATION |
| REFUSED13 | 13 | INVALID AMOUNT |
| REFUSED15 | 15 | INVALID CARD ISSUER |
| REFUSED17 | 17 | ANNULATION BY CLIENT |
| REFUSED28 | 28 | ACCESS DENIED |
| REFUSED29 | 29 | IMPOSSIBLE REFERENCE NUMBER |
| REFUSED33 | 33 | CARD EXPIRED |
| REFUSED34 | 34 | FRAUD SUSPICION |
| REFUSED38 | 38 | SECURITY CODE EXPIRED |
| REFUSED41 | 41 | LOST CARD |
| REFUSED43 | 43 | STOLEN CARD, PICK UP |
| REFUSED51 | 51 | LIMIT EXCEEDED |
| REFUSED55 | 55 | INVALID SECURITY CODE |
| REFUSED56 | 56 | UNKNOWN CARD |
| REFUSED57 | 57 | ILLEGAL TRANSACTION |
| REFUSED62 | 62 | RESTRICTED CARD |
| REFUSED63 | 63 | SECURITY RULES VIOLATED |
| REFUSED75 | 75 | SECURITY CODE INVALID |
| REFUSED76 | 76 | CARD BLOCKED |
| REFUSED85 | 85 | REJECTED BY CARD ISSUER |
| SOFT_DECLINED | 65 | AUTHENTICATION REQUESTED |

**Raw response code**

Input these magic values in your `paymentInstrument.cardHolderName` parameter to return the `rawCode`. Note that these responses are specific to card schemes, so your test `cardNumber` should match the card scheme.

**Note:** A `rawCode` is only returned if specifically requested. Please contact your Implementation Manager.

| Magic value | `code` | `rawCode` | `description` | Card scheme | Example test `cardNumber` |
| --- | --- | --- | --- | --- | --- |
| REFUSEDRCN3RAW | 831 | N3 | Cash service not available | Visa | 4444333322221111 |
| REFUSEDRC62RAW | 62 | 62 | Restricted card | Visa, Mastercard, JCB | 4444333322221111 (Visa); 5555555555554444 (Mastercard); 343434343434343 (Amex) |
| REFUSEDRCG7RAW | 584 | G7 | The amount exceeds the limit for the day. Contact Issuer. | Mastercard | 5555555555554444 |
| REFUSEDRC20625RAW | 583 | 20625 | The card is maxed out for the day. Contact Issuer. | Mastercard | 5555555555554444 |

**Refusal advice**

Input these magic values in your `paymentInstrument.cardHolderName` parameter to get the `refusalAdvice` object in a refused response.

**Note:** A Mastercard or Maestro test card number is also required to test these outcomes.

| Refusal Advice Code | Magic value | Result code | Example Scenarios | Retry Advised? |
| --- | --- | --- | --- | --- |
| 01 | REFUSEDRC79MAC01 | 79 | Card expired: updated account information available | Yes: with updated account information or authentication |
| 01 | REFUSEDRC82MAC01 | 82 | Card expired: updated account information available | Yes: with updated account information or authentication |
| 01 | REFUSEDRC83MAC01 | 83 | Card expired: updated account information available | Yes: with updated account information or authentication |
| 02 | REFUSEDRC79MAC02 | 79 | Insufficient funds at present | Yes: try later (after 72 hours) |
| 02 | REFUSEDRC82MAC02 | 82 | Insufficient funds at present | Yes: try later (after 72 hours) |
| 02 | REFUSEDRC83MAC02 | 83 | Insufficient funds at present | Yes: try later (after 72 hours) |
| 03 | REFUSEDRC79MAC03 | 79 | Invalid Account Number | No: do not retry (scheme fees may apply) |
| 03 | REFUSEDRC82MAC03 | 82 | Invalid Transaction | No: do not retry (scheme fees may apply) |
| 03 | REFUSEDRC83MAC03 | 83 | Lost/Stolen Card | No: do not retry (scheme fees may apply) |
| 04 | REFUSEDRC79MAC04 | 79 | Problem with network token authentication value | Yes: review network token authentication value |
| 04 | REFUSEDRC82MAC04 | 82 | Problem with network token authentication value | Yes: review network token authentication value |
| 04 | REFUSEDRC83MAC04 | 83 | Problem with network token authentication value | Yes: review network token authentication value |
| 21 | REFUSEDRC79MAC21 | 79 | Cardholder requested that recurring or installment payment be stopped | No: do not retry (scheme fees may apply) |
| 21 | REFUSEDRC82MAC21 | 82 | Cardholder requested that recurring or installment payment be stopped | No: do not retry (scheme fees may apply) |
| 21 | REFUSEDRC83MAC21 | 83 | Cardholder requested that recurring or installment payment be stopped | No: do not retry (scheme fees may apply) |
| 22 | REFUSEDRC79MAC22 | 79 | Merchant not enrolled in Mastercard instalment program | No: do not retry |
| 22 | REFUSEDRC82MAC22 | 82 | Merchant not enrolled in Mastercard instalment program | No: do not retry |
| 22 | REFUSEDRC83MAC22 | 83 | Merchant not enrolled in Mastercard instalment program | No: do not retry |
| 24 | REFUSEDRC51MAC24 | 51 | Insufficient funds at present | Yes: Try later (after 1 hour) |
| 25 | REFUSEDRC51MAC25 | 51 | Insufficient funds at present | Yes: Try later (after 24 hours) |
| 26 | REFUSEDRC51MAC26 | 51 | Insufficient funds at present | Yes: Try later (after 2 days) |
| 27 | REFUSEDRC51MAC27 | 51 | Insufficient funds at present | Yes: Try later (after 4 days) |
| 28 | REFUSEDRC51MAC28 | 51 | Insufficient funds at present | Yes: Try later (after 6 days) |
| 29 | REFUSEDRC51MAC29 | 51 | Insufficient funds at present | Yes: Try later (after 8 days) |
| 30 | REFUSEDRC51MAC30 | 51 | Insufficient funds at present | Yes: Try later (after 10 days) |

The results are returned in this format:

```json
{
  "outcome": "refused",
  "refusalCode": "83",
  "refusalDescription": "Lost/Stolen Card",
  "advice": {
    "code": "03"
  }
}
```

**CVC**

Use these values to test CVC responses.

### Testing CVC

Use these magic values in the `cvc` parameter in your request. Your response is contained in the `riskFactors` object.

**Note:** A response is returned only if the check produces a conflict.

| Magic value | CVC result code | CVC result description |
| --- | --- | --- |
| [Left blank] | `riskFactors.risk : not_supplied`, `riskFactors.type : cvc` | NOT SUPPLIED BY SHOPPER |
| 111 | `riskFactors.risk : not_checked`, `riskFactors.type : cvc` | NOT SENT TO ACQUIRER |
| 222 | `riskFactors.risk : not_checked`, `riskFactors.type : cvc` | NO RESPONSE FROM ACQUIRER |
| 333 | `riskFactors.risk : not_checked`, `riskFactors.type : cvc` | NOT CHECKED BY ACQUIRER |
| 444 | `riskFactors.risk : not_matched`, `riskFactors.type : cvc` | FAILED |
| 555 | No `riskFactors` returned | APPROVED |

### Testing CVC (American Express)

Use these magic values in the `cvc` parameter in your request. Your response is contained in the `riskFactors` object.

**Note:** A response is returned only if the check produces a conflict.

| Magic value | CVC result code | CVC result description |
| --- | --- | --- |
| [Left blank] | `riskFactors.risk : not_supplied`, `riskFactors.type : cvc` | NOT SUPPLIED BY SHOPPER |
| 1111 | `riskFactors.risk : not_checked`, `riskFactors.type : cvc` | NOT SENT TO ACQUIRER |
| 2222 | `riskFactors.risk : not_checked`, `riskFactors.type : cvc` | NO RESPONSE FROM ACQUIRER |
| 3333 | `riskFactors.risk : not_checked`, `riskFactors.type : cvc` | NOT CHECKED BY ACQUIRER |
| 4444 | `riskFactors.risk : not_matched`, `riskFactors.type : cvc` | FAILED |
| 5555 | `riskFactors.risk : not_checked`, `riskFactors.type : cvc` | UNKNOWN |
| 6666 | No `riskFactors` returned | APPROVED |

**AVS**

Use these values to test [AVS responses](/products/payments/openapi/payment/payment#payment/payment/response&c=201).

### Testing AVS

Use these magic values in the `postalCode` attribute in your request. You get responses for [postcode checks](#avs-responses) and for [address checks](#avs-responses) in the `riskFactors` object.

**Note:** A response is returned only if the check produces a conflict.

### AVS responses

| Magic value | `riskFactors` Response | Meaning |
| --- | --- | --- |
| AAAA | No `riskFactors` returned | Postcode and address matched |
| BBBB | `riskFactors.risk : not_checked`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode matched; address not checked |
| CCCC | `riskFactors.risk : not_matched`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode matched; address not matched |
| DDDD | `riskFactors.risk : not_checked`, `riskFactors.detail : postcode`, `riskFactors.type : avs` | Address matched; postcode not checked |
| EEEE | `riskFactors.risk : not_checked`, `riskFactors.detail : postcode`, `riskFactors.type : avs`; `riskFactors.risk : not_checked`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode and address not checked |
| FFFF | `riskFactors.risk : not_matched`, `riskFactors.detail : postcode`, `riskFactors.type : avs` | Address matched; postcode not matched |
| GGGG | `riskFactors.risk : not_checked`, `riskFactors.detail : postcode`, `riskFactors.type : avs`; `riskFactors.risk : not_matched`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode not checked; address not matched |
| HHHH | `riskFactors.risk : not_supplied`, `riskFactors.detail : postcode`, `riskFactors.type : avs`; `riskFactors.risk : not_supplied`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode and address not supplied by customer/merchant |
| IIII | `riskFactors.risk : not_checked`, `riskFactors.detail : address`, `riskFactors.type : avs`; `riskFactors.risk : not_matched`, `riskFactors.detail : postcode`, `riskFactors.type : avs` | Address not checked; postcode not matched |
| JJJJ | `riskFactors.risk : not_matched`, `riskFactors.detail : postcode`, `riskFactors.type : avs`; `riskFactors.risk : not_matched`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode and address not matched |
| [Left blank] | `riskFactors.risk : not_supplied`, `riskFactors.detail : postcode`, `riskFactors.type : avs`; `riskFactors.risk : not_supplied`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode and address not supplied by customer/merchant |
| KKKK | `riskFactors.risk : not_checked`, `riskFactors.detail : postcode`, `riskFactors.type : avs`; `riskFactors.risk : not_checked`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode and address not checked |
| LLLL | `riskFactors.risk : not_checked`, `riskFactors.detail : postcode`, `riskFactors.type : avs`; `riskFactors.risk : not_checked`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode and address not checked |
| MMMM | `riskFactors.risk : not_checked`, `riskFactors.detail : postcode`, `riskFactors.type : avs`; `riskFactors.risk : not_checked`, `riskFactors.detail : address`, `riskFactors.type : avs` | Postcode and address not checked |
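
The following is an added example, not code from Worldpay's documentation, showing how a client can interpret the `riskFactors` values from the CVC and AVS tables, where a missing entry means the check matched because entries are returned only on conflict. It assumes `riskFactors` arrives as a JSON array of objects with `type`, `risk` and `detail` keys; the function names, the policy labels and the sample responses are hypothetical.

```python
import json

# Assumption: "riskFactors" is a JSON array of objects keyed "type", "risk"
# and (for AVS) "detail", mirroring the dotted names in the tables above.
CHECKS = ("cvc", "avs.postcode", "avs.address")
KNOWN_RISKS = {"not_supplied", "not_checked", "not_matched"}


def summarize_risk_factors(response):
    """Map each CVC/AVS check to matched, a not_* value, or unrecognized."""
    # No entry means no conflict: a response is returned only on conflict.
    summary = {check: "matched" for check in CHECKS}
    for factor in response.get("riskFactors") or []:
        ftype = factor.get("type")
        name = ftype if ftype == "cvc" else f"{ftype}.{factor.get('detail')}"
        if name not in summary:
            continue  # some other factor type; not covered by these tables
        risk = factor.get("risk")
        # Fail closed on values this client does not know about.
        summary[name] = risk if risk in KNOWN_RISKS else "unrecognized"
    return summary


def classify(summary):
    """Hypothetical merchant policy, not Worldpay guidance.

    mismatch   - a check explicitly failed or returned an unknown value
    unverified - nothing failed, but a check was not run or not supplied
    verified   - every check positively matched
    """
    values = set(summary.values())
    if values & {"not_matched", "unrecognized"}:
        return "mismatch"
    if values & {"not_checked", "not_supplied"}:
        return "unverified"
    return "verified"


# Constructed sample responses, shaped after the table rows they name.
SAMPLE_GGGG = json.loads("""
{"outcome": "authorized",
 "riskFactors": [
   {"type": "avs", "detail": "postcode", "risk": "not_checked"},
   {"type": "avs", "detail": "address", "risk": "not_matched"}]}
""")
SAMPLE_CVC_333 = {"outcome": "authorized",
                  "riskFactors": [{"type": "cvc", "risk": "not_checked"}]}
SAMPLE_AAAA_555 = {"outcome": "authorized"}  # no riskFactors: all matched

if __name__ == "__main__":
    for label, resp in [("postalCode GGGG", SAMPLE_GGGG),
                        ("cvc 333", SAMPLE_CVC_333),
                        ("postalCode AAAA, cvc 555", SAMPLE_AAAA_555)]:
        result = summarize_risk_factors(resp)
        print(label, classify(result), result)
```

An `authorized` outcome can still carry unverified or mismatched checks, so the classification is evaluated separately from `outcome`.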