3D Secure (3DS) is a security protocol that adds an authentication step to online card payments. When triggered, the cardholder is asked to verify their identity — typically via an OTP sent to their phone or a biometric. 3DS2 is the modern version with frictionless authentication for low-risk transactions.

What is the difference between 3DS challenge and frictionless?

A 3DS challenge requires the cardholder to complete a verification step (OTP, biometric). Frictionless authentication uses risk signals to authenticate silently with no user action required. Both complete 3DS authentication; frictionless just has no visible step to the user.

When is 3DS required?

In Europe, PSD2 requires SCA (Strong Customer Authentication) for most consumer card transactions above €30. In other regions, 3DS is required when the card is enrolled and the merchant enables it, or when triggered by the issuer.

Do 3DS test cards work in production?

No. These are sandbox test cards only. They do not trigger real 3DS authentication in production. Real production 3DS behavior depends on the actual issuer bank and card enrollment status.

3D Secure Test Cards — Multi-Provider Reference

Consolidated 3DS2 test cards covering challenge required, frictionless, SCA, authentication failed, and not enrolled across all major payment providers.

Last updated: April 2026

verifiedVerified against All Providers documentation — April 22, 2026

Official docsopen_in_new

Consolidated 3D Secure test cards across all supported payment providers. Filter by provider to see the specific 3DS scenarios available in each sandbox environment.

search

Showing 19 of 19 test cards

Card Number	Network	Scenario	Code	Notes
4000 0000 0000 3220TEST ONLY	Visa	3DS — challenge required (new 3DS2)Global	—	[Stripe] Triggers a 3DS2 challenge. Authenticate in the test modal to complete.
4000 0027 6000 3184TEST ONLY	Visa	3DS — challenge required (3DS1 fallback)Global	—	[Stripe] Triggers a 3DS1 challenge flow.
4000 0000 0000 3055TEST ONLY	Visa	3DS — challenge required on setupGlobal	—	[Stripe]
4000 0000 0000 3097TEST ONLY	Visa	3DS — frictionless (no challenge)Global	—	[Stripe] Authenticates silently with no user interaction.
4000 0084 0000 1629TEST ONLY	Visa	3DS — authentication required (SCA EU)EU	—	[Stripe] Requires 3DS for EU merchants under PSD2.
4012 8888 8888 1881TEST ONLY	Visa	3DS — requires 3D Secure authenticationGlobal	—	[PayPal] Triggers 3DS authentication in PayPal sandbox.
4212 3456 7890 1237TEST ONLY	Visa	3DS2 — challenge requiredGlobal	—	[Adyen] Triggers a 3DS2 challenge flow. Respond to the challenge to complete.
4917 6100 0000 0000TEST ONLY	Visa	3DS2 — frictionless successGlobal	—	[Adyen] Authenticates without a challenge (frictionless flow).
4212 3456 7890 1245TEST ONLY	Visa	3DS — authentication failedGlobal	AuthenticationFailed	[Adyen]
5212 3456 7890 1232TEST ONLY	Mastercard	3DS2 — challenge requiredGlobal	—	[Adyen]
4000 0000 0000 0085TEST ONLY	Visa	3DS — challenge requiredGlobal	—	[Braintree] Use with Braintree's 3D Secure v2 flow.
4000 0000 0000 0051TEST ONLY	Visa	3DS — authentication unavailableGlobal	—	[Braintree]
4111 1111 1111 1111TEST ONLY	Visa	3DS — OTP authentication requiredIndia	—	[Razorpay] Indian cards require OTP-based 3DS by default. OTP: 1234 in test mode.
4000 0025 0000 3155TEST ONLY	Visa	3DS — SCA challenge required (PSD2)EU	—	[Mollie] Requires SCA under PSD2. Complete the challenge to proceed.
4000 0038 0000 0446TEST ONLY	Visa	3DS — frictionless (no challenge)EU	—	[Mollie] Passes 3DS without user challenge.
4659 1052 4276 7134TEST ONLY	Visa	3DS2 — challenge requiredGlobal	—	[Checkout.com] CVV: 123. Triggers a 3DS2 challenge flow.
4484 0700 0003 5519TEST ONLY	Visa	3DS2 — frictionless successGlobal	—	[Checkout.com] CVV: 257. Frictionless authentication, no challenge.
4484 0700 0003 5501TEST ONLY	Visa	3DS2 — authentication rejectedGlobal	authentication_failed	[Checkout.com]
4100 0000 0000 0019TEST ONLY	Visa	3DS — 3D Secure enrolledGlobal	—	[Worldpay] Card enrolled for 3D Secure. Will redirect to ACS for authentication.

TEST ONLY. These numbers will not process real transactions. Use only in All Providers's sandbox environment with test API credentials.

What it does

All providers in one place

3DS test cards from Stripe, PayPal, Adyen, Braintree, Square, Razorpay, Mollie, Checkout.com — consolidated and filterable.

Challenge vs frictionless

Cards that trigger a visible 3DS challenge and cards that authenticate frictionlessly — both essential to test.

SCA / PSD2 scenarios

EU-specific SCA test cards for Mollie, Adyen, and Stripe's European payment flows.

Authentication failure

Cards that simulate failed 3DS authentication for testing your error handling.

How to use 3D Secure Test Cards — Multi-Provider Reference

1
Filter by provider
Use the scenario filter to see cards labeled [Stripe], [Adyen], etc. Each card is labeled with its provider in the notes.
2
Pick your scenario
Choose between challenge required, frictionless, SCA required, or authentication failed.
3
Use with that provider's sandbox
The 3DS card only works in its provider's sandbox environment with that provider's test credentials.
4
Complete the challenge
For challenge-required cards, your integration must handle the redirect/popup that appears. Complete the test authentication to proceed.

Why each provider's 3DS test cards are different

3D Secure is a protocol, but each payment provider implements it differently in their sandbox. Stripe uses specific card numbers in the 4000 0000 0000 3xxx range. Adyen uses cards starting with 4212. Braintree has its own set. This is because each provider's sandbox has its own mock issuer that routes requests based on card number prefix.

This is why a card that triggers 3DS in Stripe's sandbox won't do anything special in Adyen's. The 3DS test behavior is provider-specific, not universal. Use this consolidated reference to find the right card for whichever provider you're integrating.

Testing PSD2 / SCA compliance

If you're building payment flows for European users, PSD2 compliance requires that most consumer card transactions above €30 go through SCA. In practice this means 3DS must be triggered and completed. Your integration needs to handle:

1. The 3DS redirect or popup appearing after payment submission 2. The cardholder completing authentication 3. The post-authentication callback returning the user to your confirmation page 4. Your server receiving the authentication result webhook

Test all four steps using the SCA test cards for your provider. Don't assume frictionless cards test SCA compliance — frictionless cards bypass the user-visible step but still complete authentication. Test with challenge cards to verify the visible UX works correctly.

Frequently Asked Questions

What is 3D Secure?: 3D Secure (3DS) is a security protocol that adds an authentication step to online card payments. When triggered, the cardholder is asked to verify their identity — typically via an OTP sent to their phone or a biometric. 3DS2 is the modern version with frictionless authentication for low-risk transactions.
What is the difference between 3DS challenge and frictionless?: A 3DS challenge requires the cardholder to complete a verification step (OTP, biometric). Frictionless authentication uses risk signals to authenticate silently with no user action required. Both complete 3DS authentication; frictionless just has no visible step to the user.
When is 3DS required?: In Europe, PSD2 requires SCA (Strong Customer Authentication) for most consumer card transactions above €30. In other regions, 3DS is required when the card is enrolled and the merchant enables it, or when triggered by the issuer.
Do 3DS test cards work in production?: No. These are sandbox test cards only. They do not trigger real 3DS authentication in production. Real production 3DS behavior depends on the actual issuer bank and card enrollment status.

Related Tools

fingerprint

UUID Generator

Generate random UUID v4 identifiers. Bulk generate up to 100 UUIDs, toggle uppercase/lowercase and hyphen formatting.

code

JSON Formatter

Clean, minify, and validate JSON data structures.

vpn_key

JWT Decoder

Decode and inspect JWT tokens — header, payload, timestamps.

find_in_page

Regex Tester

Real-time expression matching and testing.