Use these card numbers in test mode (with an sk_test_… key) to exercise the authorisation paths your application needs to handle. They are rejected in live mode — live mode only accepts real cards.
All test cards use:
- CVC:
737 - Expiry: any future date
Common outcomes
| Brand | Number | Outcome |
|---|---|---|
| Visa | 4111 1111 1111 1111 |
Authorised |
| Mastercard | 5555 4444 3333 1111 |
Authorised |
| Visa | 4000 3000 1111 2220 |
Refused |
| Visa | 4000 0200 0000 0000 |
Expired card |
| Visa | 4988 4388 4388 4305 |
Insufficient funds |
3-D Secure outcomes
When your account is configured for 3-D Secure (authentication: "automatic" in the payment body), these cards force specific authentication outcomes:
| Number | Outcome |
|---|---|
4871 0499 9999 9910 |
Frictionless 3DS success |
3714 4963 5398 431 (CVC 7373) |
Challenge required, success after challenge |
For the full list of test cards (including AMEX, JCB, Diners, Discover, and country-specific issuer behaviour), see Adyen's test card numbers reference.
Smoke test before integrating
A reasonable smoke test:
- ✅ A successful payment with the Visa 4111… card.
- ✅ A declined payment — assert your code handles
status: "failed"(not just HTTP 4xx). - ✅ A 3DS challenge — assert your code redirects to
next_action.redirect_urland handles the return. - ✅ A 3DS frictionless — same setup, but the issuer doesn't challenge.
- ✅ An idempotent retry — submit the same payment with the same
Idempotency-Key; assert you get back the samepay_...ID. - ✅ A retry with a changed body — assert you get
409 key_reused. - ✅ A customer creation — assert duplicate emails fail with
customer_email_taken. - ✅ A payment with a customer attached — assert the customer is on the payment response.
If any of these eight scenarios behaves unexpectedly, fix it before integrating further.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article