Track authentication events
Last updated: December 11, 2024
You can track authentication events that occur throughout a payment's lifecycle in the Dashboard.
You can view the 3D Secure (3DS) or Google SPA authentication events in:
- The list of payments displayed in the Payments > Processing > All Payments section
- A payment's Payment details page, within the Payment timeline and Authentication sections
Use the Status column to understand which stage of the authentication process each payment is in.
- Authentication requested – Authentication sessions are asynchronous, so this status appears while the process is still ongoing
- Authenticated – When a payment request has been successfully authenticated using 3DS or Google SPA
- Authentication failed – When a payment request has failed 3DS or Google SPA authentication
Authenticated payments display a 3DS or Google SPA label next to the status. This allows you to easily identify which payments were successfully authenticated, and which authentication experience was used.
All authentication events that your payment triggers appear in the timeline, so you can view the entire session.
You can view information about the authentication session in the Authentication section of the Payment details page.
The status tables provide examples of codes you may see.
Information
For 3DS payments, the Protocol version value represents the version used to authenticate the transaction.
The values will be dependent on the protocol version of the transaction.
Transaction status | Description |
---|---|
| Authentication verification successful. |
| Not authenticated or account not verified. This means the transaction was denied. |
| Authentication or account verification could not be performed. This is due to a technical problem, or another problem as indicated in ARes or RReq. |
| Attempt at processing performed. Not authenticated or verified, but a proof of attempted authentication/verification is provided. |
| Challenge required. Additional authentication is required using the CReq or CRes. |
| Challenge required. Decoupled authentication confirmed. |
| Authentication or account verification rejected. Issuer is rejecting and requests that authorization not be attempted. |
| Informational only. 3DS requestor challenge preference acknowledged. |
Information
For more information about the ARes, RReq, CReq, and CRes messages in the 3DS flow, see the 3DS documentation.
Value on screen | Description |
---|---|
| Card authentication failed. |
| Unknown device. |
| Unsupported device. |
| Exceeds authentication frequency limit. |
| Expired card. |
| Invalid card number. |
| Invalid transaction. |
| No card record. |
| Security failure. |
| Stolen card. |
| Suspected fraud. |
| Transaction not permitted to cardholder. |
| Cardholder not enrolled in service. |
| Transaction timed out at the ACS. |
| Low confidence. |
| Medium confidence. |
| High confidence. |
| Very high confidence. |
| Exceeds ACS maximum challenges. |
| Non-payment transaction not supported. |
| 3RI transaction not supported. |
| ACS technical issue. |
| Decoupled authentication required by ACS, but not requested by 3DS requestor. |
| 3DS requestor decoupled. Max expiry time exceeded. |
| Decoupled authentication did not have sufficient time to authenticate cardholder. ACS will not make attempt. |
| Authentication attempted but not performed by the cardholder. |
| Reserved for EMVCo future use (values invalid until defined by EMVCo) |
| Reserved for DS use. |
Value on screen | Description |
---|---|
| Payment transaction. |
| Recurring transaction. |
| Installment transaction. |
| Add card. |
| Maintain card. |
| Cardholder verification as part of EMV token ID&V. |
| Reserved for EMVCo future use (values invalid until defined by EMVCo). |
| Reserved for DS use. |
Value | VISA | MASTERCARD |
---|---|---|
| TRA supported by issuer. | Card range is enrolled is Smart Authentication Stand-In Service. (Automatically added to card ranges that are not enrolled in IDC.) |
| Data-only supported by issuer. | Card range is enrolled in Smart Authentication Direct. Populated when issuer enrolls a card range in SA-Direct using ISSM. |
| Delegated authentication supported by issuer. | N/A |
| N/A | Card range supports payment transactions. Populated when issuer enrolls a card range in ISSM. |
| N/A | Card range supports non-payment transactions. Populated when issuer enrolls a card range in ISSM. |
| N/A | Card range supports the app channel. Populated when issuer enrolls a card range in ISSM. |
| N/A | Card range supports the browser channel. Populated when issuer enrolls a card range in ISSM. |
| N/A | Card Range supports app-based ACS or Issuer Challenge Capabilities. Populated when issuer enrolls a card range in ISSM. |
| N/A | Card range supports browser-based ACS or Issuer Challenge Capabilities. Populated when issuer enrolls a card range in ISSM. |
| N/A | Card range is enrolled in Identity Check Express. Populated when issuer enrolls a card range in Identity Check Express using ISSM. |
| N/A | Card range supports Authentication Express Merchant Delegation for Identity Check Express (Type I). Populated when issuer enrolls card range to Identity Check Express Type I using ISSM. Model open to all merchants using a FIDO-compliant device authentication solution. SCA validation of authentication results is done by Mastercard. |
| N/A | Card range supports Authentication Express Low Fraud Merchant (Type II). Populated when issuer enrolls a card range to low fraud SCA delegation using ISSM. Model open to low-fraud merchants (<13 bps) using any PSD2-compliant authentication solution. SCA validation of authentication results is done by Merchant. |
| N/A | Card range participates in Authentication Express Wallet Delegation. Populated when issuer enrolls Wallet delegation for card range in the Authentication express SCA delegation using ISSM. |
| N/A | Card range participates in Authentication Express Device Delegation. Populated when issuer enrolls device delegation for card range in authentication express SCA delegation using ISSM. |