Authenticate And Authorise

On this page:


The AUTHENTICATE and AUTHORISE methods are available to merchants who are either:

  • Unable to fulfil the majority of orders in less than 6 days, or
  • Sometimes unable to fulfil orders after 30 days, or
  • Do not know the exact amount of the transaction at the time the order is placed.

For example, when items are shipped and priced by weight, or items are affected by foreign exchange rates.

Note: You cannot use the AUTHENTICATE transaction type with European Payments.

How Authenticate and Authorise Transactions Work

Unlike PAYMENT or DEFERRED transaction types:

  • AUTHENTICATE transactions do not obtain an authorisation at the time the order is placed.
  • The card and cardholder are validated using the 3D-Secure mechanism provided by the card-schemes and card issuing banks, and aim to authorise later.
Note: When using the AUTHENTICATE and AUTHORISE transaction type, the transaction is always REGISTERED because the transaction is not 3D-Secured.


The authenticate process is as follows:

  1. Your site must register the transaction with a TxType of AUTHENTICATE, and redirect the customer to the Opayo payment pages to enter their payment details.
  2. We verify the card number and check the 3D-Secure directories if the card is part of the scheme.
    1. If not, the card details are held safely at Opayo and your NotificationURL is sent a Status of REGISTERED.
    2. If you do not have 3D-Secure active on your account or the Apply3DSecure flag is set to Off, the card details are held safely at Opayo and your NotificationURL is sent a Status of REGISTERED.
  3. Authentication takes place:
    1. When the customer passed authentication with their bank and a CAVV/UCAF value is returned, a Status of AUTHENTICATED and a CAVV value is returned. You can store this if you want.
    2. If they have not passed authentication, your rule base is consulted to check if they can proceed for authorisation. If not, your NotificationURL is sent a Status of REJECTED.
    3. If they failed authentication and your rule base allows them to proceed, your NotificationURL is sent a Status of REGISTERED.

In all cases:

  • The customer’s card is never authorised.
  • There are no shadow transactions placed on the customer’s account.
  • Your acquiring bank is not contacted.

The customer’s card details and their associated authentication status are stored by Opayo. You must AUTHORISE or CANCEL the transaction within 90 days (a limit set by the card schemes) using either:

Important: For transactions made using the International Maestro card, you must AUTHORISE or CANCEL the transaction within 30 days.


When you are ready to fulfil the order, to charge the customer you must AUTHORISE the transaction.

You can:

  • Authorise for any amount up to 115% of the value of the original Authentication
  • Use any number of Authorise requests against an original Authentication.

When the total value of the authorisation does not exceed the 115% limit and the requests are inside the 90 days limit, the transactions will be processed by Opayo:

  • Your acquiring bank is contacted for an authorisation code.
  • AVS/CV2 checks are performed and rules applied as normal.

This allows you greater flexibility for partial shipments or variable purchase values. If the AUTHENTICATE transaction was AUTHENTICATED (as opposed to simply REGISTERED) all authorisations are fully 3D-Secured.

When you have completed all your Authorisations, or when you do not want to take any, you can CANCEL the AUTHENTICATE and prevent further Authorisations being made against the card. This happens automatically after 90 days.