
States

Learn about the different states in the 3D Secure authentication lifecycle and how to handle each one.

Overview

During a 3D Secure authentication process, the transaction will progress through various states. Understanding these states helps you handle the authentication flow correctly and provide the best user experience.

States

The following table describes the possible states of a 3DS transaction.

| State | Description |
| --- | --- |
| PendingClientData | You've successfully pre-initiated a 3DS authentication request. Our checks confirmed that 3DS is supported. You can now initiate a 3DS authentication request. |
| AuthenticationSuccessful | The 3DS authentication request was successful. |
| AuthenticationFailed | The 3DS authentication request failed. Usually, it's sent along with state code data to provide more information about the reason for failure. You can retry authentication. It's not advisable to proceed with authorisation, as the liability for the transaction stays with you. If the transaction is in the scope of PSD2, we strongly advise you to use an exemption in authorisation if applicable. Otherwise, the transaction is considered non-compliant under PSD2 and might be soft-declined. |

Here are some example cases where you might receive this state:
  • Transaction status = N. It indicates that authentication was attempted but failed. The cardholder couldn't be verified.
    • Risk-based decision failures.
    • Data mismatch cases:
      • Billing address mismatch with issuer records (severe discrepancy).
      • Phone number not on file or doesn't match.
      • Email domain suspicious (disposable email addresses).
      • Account velocity patterns abnormal but not critical.
      • Merchant/transaction category issues.
  • Transaction status = U. It indicates a technical inability to authenticate. This isn't a pass or fail decision; it just means the process couldn't be completed.
    • Issuer system limitations:
      • Cardholder not enrolled in 3DS program.
      • Card type doesn't support authentication (some prepaid/corporate).
      • BIN not configured for 3DS 2.x (only 3DS 1.0 available).
      • Issuer region doesn't support online authentication.
    • Data availability issues:
      • No cardholder data on file for comparison.
      • Account too new (insufficient history).
      • Data privacy regulations prevent authentication.
      • Cardholder opted out of data sharing.
    • Technical failures at issuer side (ACS server):
      • Database connection timeout.
      • Risk-scoring engine failure.
      • HSM (Hardware Security Module) unavailable.
      • Integration with core banking timeout.
      • Rate limiting triggered.
| AuthenticationRejected | The 3DS authentication request was rejected. Usually, it's sent along with state code data to provide more information about the reason for rejection, for example, if the cardholder entered the wrong one-time passcode (OTP). Do not retry authentication. You cannot proceed with authorisation. |

Here are some example cases where you might receive this state:
  • Card/account issues:
    • Card reported stolen or lost: The issuer has flagged the card in their system.
    • Account closed: The cardholder has closed the account but the card details still validate.
    • Card blocked for fraud: Previous fraudulent activity has triggered a hard block.
    • Card restricted for online transactions: The issuer has disabled e-commerce on this card.
    • Regulatory restrictions: The card can't be used for certain merchant categories or jurisdictions.
  • Risk-based rejections:
    • Velocity limits exceeded: Too many authentication attempts in a short timeframe.
    • Suspicious authentication pattern: Multiple failed attempts across different merchants.
    • Geolocation mismatch: Transaction originating from sanctioned/blocked country.
    • Device fingerprint on blocklist: Device associated with previous fraud.
  • Data validation failures:
    • Invalid threeDSRequestorAuthenticationInd: For recurring/MIT transactions with incorrect indicators.
    • Merchant on issuer blocklist: Specific merchant has been blocked by issuer.
    • Invalid merchant category: Gambling merchants for cards with gambling blocks, for example.
| AuthenticationError | An error occurred and authentication couldn't be completed. Liability for the transaction stays with you. If the transaction is in the scope of PSD2, we strongly advise you to use an exemption in authorisation if applicable. Otherwise, the transaction is considered non-compliant under PSD2 and might be soft-declined. |

Common error codes:
| Type | Error code | Description |
| --- | --- | --- |
| System | 301 | Transaction ID not recognised. |
| System | 302 | Data couldn't be decrypted. |
| System | 303 | Access denied (merchant not enrolled). |
| System | 304 | ISO code invalid. |
| System | 305 | Transaction data not valid. |
| Timeout | 402 | Transaction timed out. |
| Timeout | 403 | Transaction receiving queue full. |
| Format | 101 | Message format invalid. |
| Format | 102 | Message version not supported. |
| Format | 201 | Required field missing. |
| Format | 203 | Invalid format in field. |
| PendingCustomerChallenge | The ACS Server decided that frictionless 3DS authentication (without cardholder interaction) wasn't enough. It has stepped the authentication up to challenge. You need to redirect the cardholder to their issuer's page for authentication. |

State data codes and reasons

The stateData.code and stateData.reason provide additional context about why a particular state was reached, regardless of whether it's a success, challenge, failure, or error state. They're there to help you understand the specific circumstances of the authentication result.

The following table describes the possible state codes and reasons:

| State code | State reason |
| --- | --- |
| 01 | Card authentication failed. |
| 02 | Unknown device. |
| 03 | Unsupported device. |
| 04 | Exceeds authentication frequency limit. |
| 05 | Expired card. |
| 06 | Invalid card number. |
| 07 | Invalid transaction. |
| 08 | No card record. |
| 09 | Security failure. |
| 10 | Stolen card. |
| 11 | Suspected fraud. |
| 12 | Transaction not permitted to Cardholder. |
| 13 | Cardholder not enrolled in service. |
| 14 | Transaction timed out at the ACS. |
| 15 | Low confidence. |
| 16 | Medium confidence. |
| 17 | High confidence. |
| 18 | Very high confidence. |
| 19 | Exceeds ACS maximum challenges. |
| 20 | Non-Payment transaction not supported. |
| 21 | 3RI transaction not supported. |
| 22 | ACS technical issue. |
| 23 | Decoupled Authentication required by ACS but not requested by 3DS Requestor. |
| 24 | 3DS Requestor Decoupled Max Expiry Time exceeded. |
| 25 | Decoupled Authentication was provided insufficient time to authenticate Cardholder. ACS will not make attempt. |
| 26 | Authentication attempted but not performed by the Cardholder. |
| 27 | Preferred Authentication Method not supported. |
| 28 | Validation of content security policy failed. |
| 29 | Authentication attempted but not completed by the Cardholder. Fall back to Decoupled Authentication. |
| 30 | Authentication completed successfully but additional authentication of the Cardholder required. Reinitiate as Decoupled Authentication. |
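
One way to turn the state guidance above into a single fail-closed decision function, as an added example that is not part of the original documentation. The top-level state field name, the retry cap and the action names are assumptions; only the state names, stateData.code and stateData.reason come from the page.

```python
import json
from enum import Enum

MAX_RETRIES = 2  # assumed merchant policy, not a value from the page

class Action(Enum):
    INITIATE_AUTHENTICATION = "initiate_authentication"
    REDIRECT_TO_CHALLENGE = "redirect_to_challenge"
    AUTHORISE = "authorise"
    RETRY_AUTHENTICATION = "retry_authentication"
    AUTHORISE_WITH_EXEMPTION = "authorise_with_exemption"
    NO_LIABILITY_SHIFT = "no_liability_shift"  # liability stays with the merchant
    STOP = "stop"

def next_action(raw, attempts=0, psd2_in_scope=False, exemption_available=False):
    """Return (Action, note) for one 3DS response body given as a JSON string."""
    try:
        body = json.loads(raw)
        state = body["state"]          # assumed field name for the state
        data = body.get("stateData")
    except (ValueError, KeyError, TypeError):
        return Action.STOP, "unparseable response"
    if not isinstance(data, dict):     # stateData is optional context
        data = {}
    note = "{}: {}".format(data.get("code", "-"), data.get("reason", "no reason given"))
    if state == "PendingClientData":
        return Action.INITIATE_AUTHENTICATION, note
    if state == "PendingCustomerChallenge":
        return Action.REDIRECT_TO_CHALLENGE, note
    if state == "AuthenticationSuccessful":
        return Action.AUTHORISE, note
    if state == "AuthenticationRejected":
        return Action.STOP, note       # no retry and no authorisation
    if state in ("AuthenticationFailed", "AuthenticationError"):
        if state == "AuthenticationFailed" and attempts < MAX_RETRIES:
            return Action.RETRY_AUTHENTICATION, note
        if psd2_in_scope and exemption_available:
            return Action.AUTHORISE_WITH_EXEMPTION, note
        return Action.NO_LIABILITY_SHIFT, note
    return Action.STOP, "unknown state " + repr(state)  # fail closed

SAMPLES = [  # constructed responses, not captured traffic
    '{"state": "AuthenticationFailed", "stateData": {"code": "14", "reason": "Transaction timed out at the ACS."}}',
    '{"state": "AuthenticationRejected", "stateData": {"code": "10", "reason": "Stolen card."}}',
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(next_action(sample, attempts=2, psd2_in_scope=True, exemption_available=True))
```

Unknown states and malformed bodies map to STOP, so a state added later cannot fall through to authorisation by accident.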