Mastercard Identity Check: Everything Issuers & Merchants Need to Know

Explore Mastercard Identity Check: A guide for issuers & merchants on EMV 3DS, NuData biometrics, and achieving secure, frictionless authentication.

Max

Created: May 7, 2025

Updated: May 9, 2025


1. Introduction: Mastercard Identity Check

The world of digital commerce presents a fundamental tension: how can businesses offer a smooth, effortless online checkout experience while simultaneously protecting themselves and their customers from the ever-present threat of fraud? Card-Not-Present (CNP) transactions, the backbone of e-commerce, lack the inherent security of physically presenting a card, leading to significantly higher fraud rates. Historically, CNP transactions have accounted for a disproportionate share of fraud losses compared to their volume. Furthermore, the cost of preventing fraud through overly aggressive measures, resulting in legitimate transactions being mistakenly declined (false declines or "customer insults"), can sometimes exceed the cost of fraud itself, leading to lost sales and customer frustration.

Enter Mastercard Identity Check, Mastercard's comprehensive program designed to address this challenge head-on. Built upon the global EMV 3-D Secure standard, it represents a significant evolution in authenticating online payments. Its core mission is to enhance security, combat fraud, boost transaction approval rates, and streamline the payment journey for cardholders, issuing banks (issuers), and businesses (merchants) alike.

This blog post answers critical questions for issuers, merchants, Payment Service Providers (PSPs), software developers, product managers, and security professionals looking to deeply understand Mastercard Identity Check:

  1. What exactly is Mastercard Identity Check, and why was it developed?

  2. How does Mastercard Identity Check leverage EMV 3-D Secure technology to reduce fraud and false declines?

  3. What role do advanced technologies, like NuData behavioral biometrics, play in enabling frictionless user authentication?

  4. How can merchants and PSPs effectively integrate Mastercard Identity Check into their existing payment processes?

  5. What tangible benefits—in terms of transaction approval rates, user experience, and fraud reduction—can businesses expect from adopting Mastercard Identity Check?

2. Program Origins & Objectives: Moving Beyond SecureCode

The journey to Mastercard Identity Check began with the inherent vulnerabilities of early e-commerce. As online shopping surged, fraudsters exploited the lack of physical card presence, leading to escalating CNP fraud rates. The initial response from the industry came in 1999 with the introduction of the 3-D Secure (3DS) protocol. Mastercard's branded version of this first iteration was known as Mastercard SecureCode. While SecureCode (3DS 1.0) aimed to replicate the security of a physical payment by adding a layer of cardholder authentication and offered the crucial benefit of shifting liability for certain fraudulent chargebacks away from merchants, it suffered from significant drawbacks that hampered its effectiveness and adoption:

  • High Friction: The most common implementation involved static passwords or cumbersome challenge questions, often requiring users to enroll beforehand and remember separate credentials. This added noticeable friction to the checkout process.

  • Poor User Experience: Redirects to issuer-branded pages for authentication created an inconsistent and often jarring user experience, leading to confusion and suspicion among shoppers. This friction directly contributed to high shopping cart abandonment rates.

  • Limited Data Exchange: 3DS 1.0 only allowed for the exchange of about 15 data elements between the merchant and issuer, providing insufficient context for accurate risk assessment.

  • Browser-Centric Design: It was primarily designed for browser-based transactions, making it ill-suited for the rapidly growing world of mobile app payments and emerging IoT commerce.

  • Inadequate False Decline Mitigation: The limited data and focus on explicit challenges didn't effectively address the significant problem of false declines, where legitimate transactions were incorrectly flagged as fraudulent, damaging customer relationships and causing revenue loss.

It became evident that the negative impact of poor user experience – manifested in cart abandonment and false declines – often represented a greater financial loss for businesses than direct fraud costs. This economic reality, coupled with the need for stronger fraud prevention in an increasingly digital world, drove the development of a modernized approach.

The launch of Mastercard Identity Check, built upon the next-generation EMV 3-D Secure protocol, aimed to overcome these limitations with a clear set of objectives:

  1. Reduce CNP Fraud: Employ more sophisticated techniques to detect and prevent unauthorized transactions.

  2. Minimize Friction: Create smoother, faster frictionless authentication flows for the vast majority of transactions.

  3. Increase Approval Rates: Reduce false declines by providing issuers with richer data for more accurate risk assessments.

  4. Support Modern Channels: Natively support authentication within mobile apps, digital wallets, and other connected devices.

  5. Enable Rich Data Exchange: Facilitate the secure sharing of significantly more transaction and contextual data.

  6. Maintain Liability Shift: Preserve the benefit of shifting liability for authenticated fraudulent transactions away from participating merchants.

| 3DS 1.0 (SecureCode) Drawback | Mastercard Identity Check (EMV 3DS) Objective/Solution |
| --- | --- |
| High Friction (Static Passwords) | Minimize Friction (Frictionless Flows) |
| Poor User Experience (Redirects) | Native Mobile/App Support, Consistent UX |
| Limited Data Exchange (~15 elements) | Rich Data Exchange (150+ elements) |
| Browser-Centric | Support for Modern Channels (Mobile, IoT) |
| Inadequate False Decline Mitigation | Increased Approval Rates (Better Risk Assessment) |

3. How Mastercard Built on EMV 3DS: Protocol vs. Program

It's essential to distinguish between the underlying technology standard and Mastercard's specific implementation.

3.1 EMV® 3-D Secure (EMV 3DS): The Foundation

EMV 3DS is the global protocol specification developed and managed by EMVCo, an organization jointly owned by major global payment networks including Mastercard, Visa, American Express, Discover, JCB, and UnionPay. It defines the technical framework for secure communication and data exchange between the three key domains involved in an online transaction authentication:

  1. Acquirer Domain: Includes the merchant, their payment gateway, and the acquiring bank (merchant's bank). This domain initiates the authentication request via a component typically called the 3DS Server (or historically, Merchant Plug-In/MPI).

  2. Issuer Domain: Includes the issuing bank (cardholder's bank) and the cardholder. This domain is responsible for verifying the cardholder's identity via a component called the Access Control Server (ACS).

  3. Interoperability Domain: Consists primarily of the Directory Server (DS), operated by the card scheme (like Mastercard). The DS acts as a central router, directing authentication messages between the correct 3DS Server and ACS based on the card number (specifically, the Bank Identification Number or BIN).

The EMV 3DS protocol (often referred to as 3DS 2.0 or 2.x) introduced significant improvements over the original 3DS 1.0:

  • 10x More Data: Supports the exchange of over 150 data elements (compared to ~15 in 3DS 1.0), providing a richer context for risk assessment, including device information, transaction history, browser details, and merchant data.

  • Risk-Based Authentication (RBA): Enables frictionless authentication flows where low-risk transactions are approved silently in the background based on data analysis, without requiring cardholder interaction. The aim is a frictionless rate of 90–95%.

  • Native Mobile/App Support: Includes Software Development Kits (SDKs) for seamless integration within mobile app checkout flows, eliminating disruptive browser redirects.

  • Enhanced Authentication Methods: Supports modern authentication methods like One-Time Passcodes (OTPs) delivered via SMS or app, biometrics (fingerprint, facial recognition), and out-of-band authentication, moving away from static passwords.

  • Broader Use Cases: Extends beyond simple payment authentication to support non-payment authentication (e.g., adding a card to a digital wallet), recurring payments, and tokenization.

3.2 Program Implementation

Mastercard Identity Check is the name of Mastercard's specific program that implements and governs the use of the EMV 3DS protocol within its network. It is the successor to the Mastercard SecureCode program. While built on the EMV 3DS standard, Mastercard Identity Check incorporates Mastercard's unique assets and technologies to enhance performance and security. This includes:

  • Proprietary AI and Machine Learning: Leveraging Mastercard's vast network data and AI capabilities to refine risk scoring and decisioning.

  • Behavioural Analytics (NuData): Integrating insights from NuData behavioural biometrics (discussed in the next section) to understand user interaction patterns and detect sophisticated fraud attempts.

  • Network Intelligence: Utilizing insights from billions of transactions processed globally to inform risk assessments.

  • Program Governance: Mastercard sets specific Key Performance Indicators (KPIs) and rules for participants (issuers, merchants, acquirers) within the Identity Check program to ensure optimal performance and user experience across its network.

Therefore, Mastercard Identity Check is not merely a rebranding of the EMV 3DS protocol. It represents Mastercard's strategic layering of its proprietary intelligence and governance framework onto the standardized protocol foundation. This synergy aims to deliver a potentially more effective and differentiated authentication service compared to a basic EMV 3DS implementation, offering enhanced risk detection and performance optimization within the Mastercard ecosystem.

4. Key Components: The Engine Behind Mastercard Identity Check

Mastercard Identity Check relies on a sophisticated interplay of several core technological components to achieve its goals of security and seamlessness. Understanding these components is crucial for appreciating how the system assesses risk and authenticates users.

4.1 NuData Behavioural Biometrics

Acquired by Mastercard in 2017, NuData behavioural biometrics technology is a cornerstone of Mastercard's advanced authentication capabilities. Unlike traditional authentication that focuses on what a user knows (password) or has (phone for OTP), behavioural biometrics analyzes how a user interacts with their device and the application. It focuses on passive biometrics – inherent, often subconscious patterns of interaction.

  • How it Works: During an online session (like checkout or even account opening), NuData technology passively collects and analyzes hundreds of subtle behavioural signals. These can include:

    • Typing dynamics (speed, rhythm, pressure)

    • Mouse movements (patterns, speed, clicks)

    • Device handling (angle, accelerometer data)

    • Touchscreen interaction (pressure, swipe patterns)

    • Navigation patterns (using Tab vs. clicking, form progression, 'circle back' behaviour)

    • Session behaviour (form familiarity, time taken, copy/paste usage, window switching)

  • Purpose & Integration: This behavioural data is fed into machine learning models that build a unique profile for each legitimate user. The system analyzes billions of data points annually to continuously learn and refine these profiles. Its primary function within Mastercard Identity Check is to distinguish genuine humans from automated bots and sophisticated fraudsters, even when they possess stolen credentials. It detects anomalies and high-risk signals in real-time, providing a critical input to the Risk-Based Authentication engine.

NuData technology is integral to Mastercard's layered security strategy, powering solutions like NuDetect and contributing significantly to the intelligence behind Mastercard Identity Check. It is particularly effective against automated attacks like credential stuffing and account takeover attempts.

4.2 Device Intelligence

Leveraging the rich data exchange capabilities of EMV 3DS 2.0, Mastercard Identity Check incorporates comprehensive device intelligence. This involves collecting and analyzing a wide array of data points specific to the device initiating the transaction.

  • Data Points: The EMV 3DS protocol allows for the transmission of over 150 variables. This includes information such as:

    • Device type, model, and operating system

    • Browser type, version, language, and installed plugins

    • IP address and geolocation data

    • Network connection type and time zone

    • Device identifiers or fingerprints

    • Screen resolution and other device characteristics

    • Mastercard may also partner with companies like Ekata to further enrich device and identity verification data

  • Purpose: This wealth of device information helps build a comprehensive risk profile. It allows the system to recognize trusted devices, detect anomalies like location mismatches or attempts to spoof device information, identify high-risk network connections, and flag potentially fraudulent activity originating from unfamiliar or compromised devices. Device intelligence is another critical input for the RBA engine.

4.3 Risk-Based Authentication (RBA) Engine

The RBA engine is the central intelligence hub of Mastercard Identity Check, responsible for evaluating the overall risk of a transaction in real-time and determining the appropriate authentication path.

How it Works: The engine synthesizes information from multiple sources:

  • EMV 3DS data fields (transaction details, merchant info, device intelligence)

  • NuData behavioural biometric signals

  • Historical transaction data and user profiles

  • Mastercard's proprietary AI and machine learning models, trained on global network data

Purpose: Based on this holistic analysis, the RBA engine calculates a risk score for the transaction. This score informs the decision on whether to proceed with a frictionless authentication (for low-risk transactions) or to initiate a step-up challenge (for higher-risk transactions) to further verify the cardholder's identity. The outcome (a score or recommendation) is typically sent to the issuer's ACS to aid in their final authentication decision. Mastercard also offers Stand-In RBA services to provide coverage if an issuer's own ACS is unavailable or not yet 3DS-ready.

The power of Mastercard Identity Check lies in the synergy between these components. While rich device and transaction data from EMV 3DS provide essential context, the integration of NuData's behavioural biometrics adds a critical layer of defense. NuData can often detect sophisticated fraud attempts, such as account takeovers using valid credentials or bots designed to mimic human interaction, which might bypass systems relying solely on traditional data points. This multi-faceted approach allows the RBA engine to make more nuanced and confident risk assessments, enabling a higher rate of frictionless approvals while maintaining robust security.

5. Frictionless-Flow Enablement: Data, Exemptions, and Liability

A primary objective of Mastercard Identity Check is to minimize disruption during online checkout by enabling frictionless authentication flows whenever possible. This seamless experience, where authentication happens silently in the background, relies heavily on data-driven approvals, intelligent use of exemptions, and a clear understanding of liability implications.

5.1 Mechanism: Data-Driven Approvals via RBA

The foundation for frictionless flow is Risk-Based Authentication (RBA). The EMV 3DS protocol facilitates the exchange of a vast amount of data (over 150 potential elements) between the merchant's environment (via the 3DS Server) and the issuer's environment (the ACS). Mastercard enhances this data with its own network intelligence, AI algorithms, and NuData behavioural biometrics insights. The issuer's ACS (or Mastercard's RBA service) analyzes this comprehensive data set in real-time. If the analysis indicates a low probability of fraud – based on factors like a recognized device, typical purchase behaviour, familiar location, consistent behavioural patterns, and other contextual clues – the transaction can be authenticated passively, without requiring the cardholder to perform any action (like entering an OTP or using a fingerprint). This is the essence of a data-driven approval enabling the frictionless flow, aiming to cover 90–95% of authentications.

5.2 Strong Customer Authentication (SCA) Exemptions

In regions like Europe governed by the Payment Services Directive (PSD2), Strong Customer Authentication (SCA) – typically requiring two independent authentication factors – is often mandatory for online payments. However, the regulation and the EMV 3DS protocol allow for specific exemptions where SCA is not required, further facilitating frictionless experiences. Mastercard Identity Check supports the application of these exemptions. Key exemptions include:

  • Transaction Risk Analysis (TRA): If either the acquirer or the issuer performs real-time risk analysis and deems the transaction low-risk, and the transaction amount is below certain thresholds linked to the entity's overall fraud rate, SCA can be exempted.

  • Low-Value Payments: Transactions below a specific value (e.g., €30 in Europe) can be exempt, although cumulative limits apply (e.g., total amount or number of transactions since the last SCA).

  • Trusted Beneficiaries (Merchant Whitelisting): Cardholders can designate specific merchants as "trusted" with their issuer. Subsequent transactions with these whitelisted merchants may be exempt from SCA.

  • Recurring Payments & Merchant-Initiated Transactions (MITs): While the initial setup of a recurring payment or card-on-file agreement usually requires SCA, subsequent merchant-initiated payments using those credentials may be considered out-of-scope or exempt under certain conditions. EMV 3DS 2.2 and later versions provide specific support for these 3RI (3DS Requestor Initiated) transactions.

  • Secure Corporate Payments: Specific exemptions may apply to corporate payments made using dedicated secure protocols.

| Exemption Type | Description | Typical Liability (if exemption applied) |
| --- | --- | --- |
| Transaction Risk Analysis (TRA) | Low-risk transaction based on acquirer/issuer analysis below fraud thresholds. | Merchant (if requested by merchant) / Issuer (if applied by issuer) |
| Low-Value Payments | Transactions below a certain value (e.g., €30), cumulative limits apply. | Merchant (if requested by merchant) |
| Trusted Beneficiaries | Cardholder whitelists merchant with issuer. | Merchant (if requested by merchant) |
| Recurring Payments (subsequent) | Subsequent payments after initial SCA. | Merchant (often, for MITs) |

Merchants and PSPs can indicate their request for an exemption within the EMV 3DS authentication message.

5.3 Liability Shift Implications

A significant benefit of using 3-D Secure has always been the potential shift in liability for certain types of fraudulent chargebacks.

  • Successfully Authenticated Transactions: When a transaction is successfully authenticated through Mastercard Identity Check (whether via frictionless flow or a challenge), liability for chargebacks claimed as "unauthorized" generally shifts from the merchant to the card issuer. This protection applies even if the authentication was frictionless, although specific card scheme rules and scenarios might apply.

  • Impact of Exemptions: This is a critical point: if a merchant or their PSP requests an SCA exemption (like TRA or low-value) and the issuer grants it, the liability for fraud typically remains with the merchant. The merchant gains the benefit of a smoother checkout but retains the financial risk of fraud. However, if the issuer unilaterally decides to apply an exemption (e.g., based on their own risk assessment), liability may shift to the issuer.

  • Attempted/Failed Authentication: Rules surrounding liability when authentication is attempted but fails or cannot be completed (e.g., issuer ACS unavailable) can be complex and depend on the specific circumstances and card scheme rules. Mastercard rules might offer merchant protection in certain scenarios, even if the issuer hasn't fully migrated.

  • Data-Only Flows: Specific flows like Mastercard's "Identity Check Insights," which involve sharing data for risk assessment without performing a full authentication attempt, explicitly do not grant liability shift to the merchant.

This creates an important strategic decision point for merchants and PSPs. Requesting exemptions can optimize conversion rates by ensuring a frictionless experience, but it comes at the cost of retaining fraud liability. Conversely, forcing authentication (even if it results in a frictionless flow approved by the issuer) might secure liability shift but could potentially introduce friction if a challenge is required. Therefore, a sophisticated risk management strategy is needed to determine the optimal approach on a transactional basis, balancing conversion goals with fraud risk tolerance.

Furthermore, the success of the frictionless flow, and the accuracy of the RBA decision, is highly dependent on the quality and completeness of the data provided by the merchant and their PSP through the EMV 3DS messages. Incomplete or inaccurate data hinders the issuer's ability to perform reliable risk assessments, potentially leading to more challenges or even declines, thereby undermining the benefits of the system. Achieving optimal frictionless performance is a collaborative effort requiring diligent data management on the acquiring side.

6. Issuer Integration Paths: ACS Choices and BIN Enablement

For card issuers, integrating with the Mastercard Identity Check program is essential to leverage its security and user experience benefits. This involves enabling their card portfolios (identified by Bank Identification Numbers, or BINs) and connecting to the authentication infrastructure, primarily through an Access Control Server (ACS).

6.1 The Role of the Access Control Server (ACS)

The ACS resides within the issuer's domain and is the technological heart of the authentication process from the issuer's perspective. Its key responsibilities include:

  • Receiving Authentication Requests (AReq messages) routed from the merchant via the Mastercard Directory Server (DS)

  • Verifying if the specific card number is enrolled and eligible for Mastercard Identity Check

  • Performing risk assessment (often leveraging RBA engines and data like the Mastercard Smart Authentication score)

  • Deciding whether to authenticate frictionlessly or initiate a challenge

  • Managing the challenge process if required (e.g., sending an OTP via SMS, prompting for biometric verification via a banking app)

  • Generating and returning the Authentication Response (ARes message), including the crucial Accountholder Authentication Value (AAV) for successfully authenticated transactions, back to the DS

6.2 Issuer ACS Options

Issuers have several pathways for implementing ACS functionality:

  1. In-house ACS: An issuer can choose to build, deploy, host, and manage their own ACS software solution within their own IT environment.

    • Pros: Offers maximum control over authentication logic, risk rules, user experience customization, and integration with internal systems.

    • Cons: Requires substantial internal technical expertise, significant development and maintenance resources, and rigorous adherence to ongoing EMVCo and PCI 3DS compliance standards.

  2. Hosted ACS (Third-Party Vendor): Issuers can partner with specialized, Mastercard-approved ACS vendors who provide the ACS as a managed service. The issuer in this model is often referred to as a "Hosted Principal."

    • Pros: Reduces the issuer's operational complexity, infrastructure costs, and compliance burden. Leverages the vendor's expertise and potentially offers faster time-to-market.

    • Cons: May offer less granular control and customization compared to an in-house solution. Reliance on a third party for a critical function.

    • Vendor Ecosystem: Mastercard maintains a list of compliant ACS vendors, with examples including companies like Entersekt, Netcetera, GPayments, and Logibiztech.

  3. Mastercard Supplementary Services: Mastercard offers value-added services that can augment an issuer's chosen ACS path:

    • Mastercard Smart Authentication for ACS/Issuers: Provides RBA intelligence to enhance the ACS's decisioning capabilities.

    • Mastercard Stand-In RBA: Offers backup RBA processing if the issuer's primary ACS is unavailable or if specific BINs are not yet fully enabled for EMV 3DS.

    • Mastercard 3-D Secure Authentication Challenge Service: Provides biometric challenge capabilities (leveraging FIDO standards) that can be integrated with the ACS flow.

The selection between in-house and hosted ACS represents a significant strategic decision for issuers, balancing the desire for control against the need for efficiency, cost-effectiveness, and speed of implementation.

6.3 BIN Enablement Checklist for Issuers

Enabling specific Bank Identification Number (BIN) ranges for Mastercard Identity Check involves a series of coordinated steps:

  1. Select ACS Path: Determine whether to use an in-house ACS or a hosted provider.

  2. Ensure ACS Compliance: Verify that the chosen ACS solution (in-house or vendor) is compliant with the current Mastercard Identity Check program rules and the relevant EMV 3DS specification version. This typically involves the ACS operator completing Mastercard compliance testing.

  3. Register for Mastercard Identity Check: Enroll the issuing institution in the program via the Mastercard Identity Check Test Platform on Mastercard Connect, accepting terms and providing necessary identifiers like Company ID (CID) and Interbank Card Association (ICA) number.

  4. Enroll BIN Ranges with Directory Server: Use the Identity Solutions Services Management (ISSM) tool on Mastercard Connect to register the specific BIN ranges that will participate in Identity Check. For each enrolled range, the URL of the corresponding ACS must be provided. Note that BIN ranges previously enrolled for Mastercard SecureCode (3DS 1.0) require separate enrollment for Identity Check (EMV 3DS).

  5. Configure Authentication Rules: Define the primary authentication methods (e.g., RBA) and any step-up challenge methods (e.g., SMS OTP, Biometrics) to be used for the enrolled BINs. Ensure support for both frictionless and challenge flows is configured.

  6. Manage Certificates: Obtain and manage the necessary Transport Layer Security (TLS) server/client certificates for secure communication with the Mastercard Directory Server, and digital signing certificates if applicable, using the Mastercard Key Management Portal.

  7. Implement AAV Validation: Set up processes to validate the Accountholder Authentication Value (AAV) received in authorization messages for authenticated transactions. This can be done internally or by using Mastercard's AAV validation service.

  8. Coordinate with Processor: Ensure the issuer's payment processor is capable of handling any new data elements associated with Mastercard Identity Check, such as Digital Transaction Insights.

  9. Go Live and Monitor: Once configuration and testing are complete, activate the enrolled BIN ranges in the production environment and continuously monitor transaction performance and KPIs.

It is important to recognize that BIN management is an ongoing process. Industry changes, such as the migration from 6-digit to 8-digit BINs, require issuers to proactively assess their portfolios, potentially consolidate BINs, and update their systems and configurations accordingly to ensure continued seamless operation of authentication services like Mastercard Identity Check.
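The range enrollment in step 4 and the 6-to-8-digit BIN migration interact in the routing lookup. The following added example (not Mastercard's Directory Server code) routes a card number to the ACS URL of its enrolled range and shows how a table keyed on the first six digits misroutes once two issuers hold 8-digit BINs under one six-digit prefix. The `BinRange` layout, the URLs, the ranges and the card numbers are all constructed for illustration.

```python
from bisect import bisect_right
from dataclasses import dataclass
from typing import Optional

PAN_LEN = 16  # assumption: this sketch only handles 16-digit card numbers


@dataclass(frozen=True)
class BinRange:
    start: str     # first BIN in the range (6 to 8 digits)
    end: str       # last BIN in the range, inclusive
    acs_url: str   # ACS URL registered for the range
    protocol: str  # "EMV3DS" (Identity Check) or "3DS1" (SecureCode)

    def bounds(self) -> tuple[int, int]:
        # Pad to full card-number length so 6- and 8-digit BINs share one scale.
        return (int(self.start.ljust(PAN_LEN, "0")),
                int(self.end.ljust(PAN_LEN, "9")))


class RoutingTable:
    """Range-based lookup of the ACS responsible for a card number."""

    def __init__(self, ranges):
        # Only ranges enrolled for EMV 3DS are routable; a SecureCode-only
        # enrollment does not carry over and needs separate enrollment.
        rows = sorted(((*r.bounds(), r) for r in ranges if r.protocol == "EMV3DS"),
                      key=lambda row: row[0])
        # Two enrollments must never claim the same card numbers.
        for (_, hi1, r1), (lo2, _, r2) in zip(rows, rows[1:]):
            if lo2 <= hi1:
                raise ValueError(f"overlapping enrollment: {r1.start}-{r1.end} "
                                 f"and {r2.start}-{r2.end}")
        self._rows = rows
        self._starts = [lo for lo, _, _ in rows]

    def acs_for(self, pan: str) -> Optional[str]:
        if not (pan.isascii() and pan.isdigit() and len(pan) == PAN_LEN):
            raise ValueError("expected a 16-digit card number")
        value = int(pan)
        # Find the last range starting at or below the card number.
        i = bisect_right(self._starts, value) - 1
        if i < 0:
            return None
        _, hi, rng = self._rows[i]
        return rng.acs_url if value <= hi else None


def naive_six_digit_lookup(ranges, pan: str) -> Optional[str]:
    """Legacy shortcut: key the table on the first six digits only."""
    table = {r.start[:6]: r.acs_url for r in ranges if r.protocol == "EMV3DS"}
    return table.get(pan[:6])


# Constructed enrollments: issuers A and B share the six-digit prefix 510000.
SAMPLE_RANGES = [
    BinRange("51000000", "51000049", "https://acs.bank-a.example/3ds", "EMV3DS"),
    BinRange("51000050", "51000099", "https://acs.bank-b.example/3ds", "EMV3DS"),
    BinRange("520000", "520099", "https://acs.bank-c.example/3ds", "EMV3DS"),
    BinRange("530000", "530000", "https://acs-legacy.bank-d.example", "3DS1"),
]

if __name__ == "__main__":
    table = RoutingTable(SAMPLE_RANGES)
    for pan in ("5100001012345678", "5100007512345678",
                "5200421234567890", "5300001234567890"):
        print(pan, "range lookup:", table.acs_for(pan),
              "| six-digit lookup:", naive_six_digit_lookup(SAMPLE_RANGES, pan))
```
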

7. Impact on Merchants & PSPs: Driving Approvals, Reducing Friction

The adoption of Mastercard Identity Check and the underlying EMV 3DS Mastercard program offers significant advantages for merchants and the Payment Service Providers (PSPs) that serve them. The core impacts revolve around improving transaction success rates, enhancing the customer experience, and simplifying operations in the global e-commerce landscape.

7.1 Approval Rate Uplift

One of the most compelling benefits is the potential to increase authorization approval rates.

  • How it works: The richer data exchanged through EMV 3DS combined with sophisticated RBA engines using AI and behavioural analytics provides issuers with far greater insight into the legitimacy of a transaction. This allows them to more accurately distinguish between genuine customers and fraudsters, leading to a reduction in false declines – situations where a legitimate transaction is mistakenly rejected due to suspected fraud.

  • Quantified Results: Studies and reports indicate significant improvements. Mastercard data has shown average approval rate lifts of 10–12 basis points (0.10–0.12%) or even uplifts as high as 14% across billions of transactions in a year. Other sources mention potential lifts of 12%. Case studies, like one involving a clothing retailer, demonstrated substantial sales increases attributed to improved approvals and fraud reduction via Identity Check.

  • Benefits: For merchants, higher approval rates directly translate to increased completed sales, higher revenue, and improved customer satisfaction. For PSPs, offering a solution that demonstrably boosts their clients' approval rates enhances their value proposition and competitiveness.

7.2 Reduced Step-ups and Enhanced Customer Experience

A direct consequence of effective RBA is a significant reduction in the need for step-up authentication, where the cardholder is actively challenged to provide further proof of identity.

  • How it works: The goal is for the vast majority (often cited as >90% or 95%) of transactions to be authenticated frictionlessly based on the risk assessment. This means fewer interruptions for the customer during checkout.

  • Benefits: This dramatically improves the user experience by removing unnecessary hurdles. Reduced friction leads directly to lower shopping cart abandonment rates and higher conversion rates for merchants.

7.3 Simplified Global Rollout

Mastercard Identity Check's foundation on the global EMV 3DS standard facilitates easier implementation and management for businesses operating across borders.

  • How it works: EMV 3DS provides a common technical language and framework for authentication recognized by participating issuers and acquirers worldwide.

  • Benefits: This standardization reduces the complexity for international merchants and PSPs, who might otherwise need to integrate multiple, disparate regional authentication solutions. Integration is streamlined through standardized protocols, APIs, and SDKs provided by Mastercard and its partners. Furthermore, using an EMV 3DS-based solution like Mastercard Identity Check helps businesses meet regulatory requirements such as PSD2 SCA in Europe and similar mandates emerging elsewhere.

For PSPs, these merchant benefits are amplified. By offering a robust, globally consistent, and high-performing authentication solution like Mastercard Identity Check, PSPs can attract more merchants, reduce their own operational overhead related to managing diverse authentication methods, and potentially lower their exposure to fraud-related costs passed on from merchants.

8. KPI framework & reporting

To effectively manage and optimize the performance of Mastercard Identity Check, issuers, acquirers, and merchants need a clear framework of Key Performance Indicators (KPIs). Tracking these metrics provides insights into user experience, security effectiveness, and compliance with the EMV 3DS Mastercard program rules.

8.1 Key Performance Indicators (KPIs)

Based on program guides and best practices, the following KPIs are crucial for monitoring Mastercard Identity Check performance:

  1. Challenge Rate: This measures the percentage of authentication requests that result in the cardholder being actively challenged (e.g., asked for an OTP or biometric verification). A lower challenge rate generally indicates a better, more frictionless user experience. Mastercard guidance suggests aiming for challenges in less than 10% of transactions, relying on RBA for the majority.

  2. Authentication Success Rate: This tracks the percentage of authentication attempts (both frictionless and challenged) that are successfully completed by the cardholder and verified by the issuer. High success rates are vital for minimizing transaction abandonment. Mastercard may set minimum thresholds for overall authenticated transaction approval rates (e.g., 90%) and monitor challenge success rates specifically.

  3. Frictionless Rate: The inverse of the challenge rate, this measures the percentage of authentications successfully completed without requiring cardholder interaction. A high frictionless rate is a primary goal of EMV 3DS and is strongly correlated with higher overall success rates and better user experience.

  4. Fraud Rate: Monitoring the rate of confirmed fraudulent transactions, particularly those that were authenticated via Identity Check, is essential to gauge the system's effectiveness in preventing fraud. Mastercard monitors merchant fraud levels through programs like the Excessive Fraud Merchant (EFM) program. A key goal is to see a reduction in fraud compared to unauthenticated transactions.

  5. Authorization Approval Rate: The ultimate measure of transaction success is the final authorization approval rate by the issuer. Identity Check aims to lift this rate by reducing false declines.

  6. Technical Performance: Metrics such as ACS and 3DS Server uptime (Mastercard requires 99.0% availability for vendors), transaction processing times, and error rates in the authentication messaging are also critical.

| KPI | Description | Why it's Important | Target Example (if available) |
|---|---|---|---|
| Challenge Rate | % of auth requests resulting in active cardholder challenge. | Measures friction. | <10% |
| Authentication Success Rate | % of auth attempts successfully completed. | Minimizes abandonment. | >90% (overall) |
| Frictionless Rate | % of auths completed without challenge. | Measures seamlessness. | >90-95% |
| Fraud Rate | Rate of confirmed fraudulent transactions (post-authentication). | Gauges security effectiveness. | Reduction vs. unauthenticated |
| Authorization Approval Rate | Final issuer approval rate. | Measures overall transaction success. | Increase vs. pre-Identity Check |
| Technical Performance | ACS/3DS Server uptime, processing times, error rates. | Ensures system reliability. | e.g., 99.0% uptime |
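
The challenge, frictionless and authentication success rates above can be computed from raw authentication outcomes as in the following added example, which is not Mastercard or vendor code. It assumes each record carries the EMV 3DS transStatus from the ARes and, for challenge flows, from the RReq; the record shape and the sample data are constructed, and only status Y is counted as a success.

```javascript
// Constructed sample: one record per authentication request.
// ares = transStatus in the ARes; rreq = transStatus in the RReq (challenge flows only).
const SAMPLE = [
  ...Array(36).fill({ ares: "Y" }),   // frictionless, authenticated
  { ares: "N" },                      // frictionless, not authenticated
  { ares: "C", rreq: "Y" },           // challenged, passed
  { ares: "C", rreq: "Y" },
  { ares: "C" },                      // challenged, never completed (abandoned)
];

const CHALLENGE = new Set(["C", "D"]); // challenge required / decoupled challenge

// Percentage rounded to one decimal; null when the denominator is zero.
const pct = (n, d) => (d === 0 ? null : Math.round((n / d) * 1000) / 10);

function computeKpis(records) {
  if (records.length === 0) throw new Error("no authentication records");
  let challenged = 0, challengeOk = 0, frictionlessOk = 0;
  for (const r of records) {
    if (CHALLENGE.has(r.ares)) {
      challenged++;
      if (r.rreq === "Y") challengeOk++; // a missing RReq counts as a failed challenge
    } else if (r.ares === "Y") {
      frictionlessOk++;                  // assumption: only Y counts as success
    }
  }
  const total = records.length;
  return {
    challengeRate: pct(challenged, total),
    frictionlessRate: pct(frictionlessOk, total),
    authSuccessRate: pct(frictionlessOk + challengeOk, total),
    challengeSuccessRate: pct(challengeOk, challenged),
  };
}

// Targets from the table above: challenge <10%, success >90%, frictionless >90%.
function missedTargets(k) {
  const missed = [];
  if (!(k.challengeRate < 10)) missed.push("challengeRate");
  if (!(k.authSuccessRate > 90)) missed.push("authSuccessRate");
  if (!(k.frictionlessRate > 90)) missed.push("frictionlessRate");
  return missed;
}

console.log(computeKpis(SAMPLE), missedTargets(computeKpis(SAMPLE)));
```

In the sample the challenge rate is within target while the frictionless rate is not, because a frictionless request that ends in N counts against the frictionless rate without raising the challenge rate.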

8.2 Reporting Mechanisms

Monitoring these KPIs relies on various reporting channels:

  • Mastercard Program Monitoring: Mastercard actively monitors the performance of participants against established program KPIs. Non-compliance can trigger notifications and potential assessments or fines under programs like DIMP or EFM.

  • Data Integrity Monitoring Program (DIMP) Reports: This program specifically focuses on the accuracy and completeness of transaction data flowing through the Mastercard network. Issuers and acquirers can access DIMP reports via a dedicated portal to identify transactions flagged for data integrity issues. Several DIMP "edits" directly relate to EMV 3DS data, such as missing or invalid DS Transaction IDs, missing exemption indicators, invalid AAVs, or mismatching transaction amounts. Issuers can specifically subscribe to a Mastercard Data Integrity Monitoring Report to track their performance against frictionless rate targets.

  • Payment Service Provider (PSP) / Vendor Reporting: Merchants and issuers often utilize the reporting dashboards and analytics provided by their PSPs, 3DS Server providers, or ACS vendors to track their authentication performance metrics.

Effectively utilizing these KPIs and reporting mechanisms allows stakeholders to identify areas for improvement, optimize configurations (like RBA rules), troubleshoot technical issues, and ultimately maximize the benefits of the Mastercard Identity Check program.

9. Roadmap: The Future of Authentication with EMV 3DS v2.3+ and SPC

The landscape of online payment authentication is constantly evolving, driven by the need for enhanced security, regulatory changes, and the demand for ever-smoother user experiences. Mastercard Identity Check, being built on the EMV 3DS Mastercard program, is intrinsically linked to the roadmap set by EMVCo for the 3-D Secure protocol.

EMV 3DS Evolution (v2.1, v2.2, v2.3)

The EMV 3DS protocol has seen several iterations since its initial launch (version 2.0), each introducing new features and refinements:

  • EMV 3DS 2.1: Became the mandated baseline, incorporating foundational support for richer data exchange and improved mobile experiences compared to 3DS 1.0. Mastercard required support by mid-2020.

  • EMV 3DS 2.2: Introduced further enhancements, including better support for SCA exemptions (like Acquirer TRA and Trusted Merchant Listing via Mastercard message extensions) and refined data elements. Mastercard began supporting compliance testing for 2.2, with mandates following later. Mastercard Gateway planned to sunset support for 2.1 in September 2024, making 2.2 the effective minimum.

  • EMV 3DS 2.3 (specifically 2.3.1): Released by EMVCo in late 2021/2022, this version represents the latest significant advancement, focusing on further improving security, user experience, and channel support. Key features relevant to the future of authentication include:

    • Enhanced Data & Flows: Additional data elements and message flows to further streamline authentication and improve fraud detection. Includes richer data for recurring payments and payment tokens.

    • Secure Payment Confirmation (SPC) Support: Integration points for SPC, enabling cryptographic confirmation of transaction details using FIDO authenticators within the 3DS flow.

    • WebAuthn Support: Explicit support for using W3C's Web Authentication (WebAuthn) standard, facilitating the use of passkeys and platform authenticators (like device biometrics) for challenges.

    • Out-of-Band (OOB) Authentication Improvements: Automated transitions to streamline the user experience when authentication needs to happen via a separate channel, like a banking app.

    • Device Binding: Allows users to link a trusted device to their account, potentially reducing future challenges on that device.

    • Split-SDK Model: Offers greater flexibility for implementing 3DS SDKs across diverse platforms, including traditional web/mobile and emerging channels like IoT devices.

    • UI Enhancements: More options for issuers and merchants to customize the user interface during challenges.

Mastercard, as a key member of EMVCo, actively participates in developing these standards. They are strong supporters of SPC and the broader move towards modern, passwordless authentication methods like passkeys. Companies like DECTA have already achieved early certification for EMV 3DS 2.3.1.1 with Mastercard, indicating adoption is underway.

Secure Payment Confirmation (SPC) Integration

SPC is a W3C web standard designed to work alongside authentication protocols like EMV 3DS. It leverages FIDO/WebAuthn credentials (passkeys) to allow users to authenticate and explicitly confirm transaction details (amount, payee) directly within the browser, using their device's built-in authenticator (e.g., fingerprint, face ID, PIN).

  • How it integrates with EMV 3DS 2.3: During a 3DS challenge flow, if the issuer supports SPC and the user has a registered FIDO credential (passkey) with the issuer for that device, the issuer's ACS can return the necessary information in the ARes message. The merchant's website then invokes the browser's SPC API, presenting a standardized, secure confirmation dialog. The user authenticates locally (e.g., via biometrics), cryptographically signing the transaction details. This signed assertion is sent back to the ACS for verification.

  • Benefits: SPC promises a highly secure (phishing-resistant) and potentially very low-friction challenge experience compared to OTPs, improving conversion rates. It provides strong cryptographic proof of user consent tied to specific transaction details. Mastercard is actively promoting passkey adoption and SPC support.
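
The merchant-side step described above, invoking the browser's SPC API with data supplied by the ACS, looks roughly like this. It is an added example, not code from Mastercard, EMVCo or Corbado; the input field names (`rpId`, `challenge`, `credentialIds`, `cardLabel`, `cardIcon`) and all sample values are hypothetical stand-ins for whatever the 3DS Server passes to the page from the ARes.

```javascript
// Decode a base64url string (as credentials and challenges are usually transported).
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Build the PaymentRequest arguments for the "secure-payment-confirmation" method.
// acs: hypothetical object with the issuer-supplied values; txn: the merchant's order.
function buildSpcRequest(acs, txn) {
  if (!acs.credentialIds || acs.credentialIds.length === 0) {
    throw new Error("no registered credential: use another challenge method");
  }
  if (!/^\d+(\.\d+)?$/.test(txn.amount)) {
    throw new Error("amount must be a decimal string such as 25.00");
  }
  if (new URL(txn.payeeOrigin).protocol !== "https:") {
    throw new Error("payeeOrigin must be an https origin");
  }
  const methodData = [{
    supportedMethods: "secure-payment-confirmation",
    data: {
      rpId: acs.rpId,                                  // issuer's relying party ID
      challenge: b64urlToBytes(acs.challenge),         // issued by the ACS per transaction
      credentialIds: acs.credentialIds.map(b64urlToBytes),
      instrument: { displayName: acs.cardLabel, icon: acs.cardIcon },
      payeeOrigin: txn.payeeOrigin,                    // shown to the user and signed
      timeout: 60000,
    },
  }];
  const details = {
    total: { label: "Total", amount: { currency: txn.currency, value: txn.amount } },
  };
  return { methodData, details };
}

// Browser only: show the confirmation dialog and return the signed assertion.
async function confirmWithSpc(acs, txn) {
  if (typeof PaymentRequest === "undefined") return null; // SPC not available here
  const { methodData, details } = buildSpcRequest(acs, txn);
  const request = new PaymentRequest(methodData, details);
  const response = await request.show();  // user verifies with the device authenticator
  await response.complete("success");
  return response.details;                // PublicKeyCredential to return to the ACS
}
```

The amount and payee placed in the request are what the browser displays and what the authenticator signs, so the ACS should compare the values in the returned assertion with the transaction it is authenticating.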

Mastercard's Broader Vision: Towards a Passwordless Future

Beyond the immediate EMV 3DS roadmap, Mastercard has articulated a broader vision for the future of online authentication, aiming to eliminate manual card entry and passwords entirely by 2030. This strategy relies on the convergence of:

  • Tokenization: Replacing sensitive Primary Account Numbers (PANs) with secure network tokens (via MDES - Mastercard Digital Enablement Service) to protect underlying card data. Mastercard aims for 100% e-commerce tokenization in regions like Europe by 2030.

  • Biometric Authentication: Leveraging on-device biometrics (fingerprints, facial recognition - "smiles and fingerprints") via standards like FIDO/WebAuthn and technologies like SPC and Mastercard's Payment Passkey Service.

  • Click to Pay: Mastercard's streamlined online checkout solution based on EMV Secure Remote Commerce (SRC) standards, designed to work seamlessly with tokenization and modern authentication.

This future state envisions a checkout experience where users authenticate securely and confirm payments with a simple biometric action, without ever needing to manually type card numbers or passwords. The ongoing evolution of EMV 3DS, including version 2.3 and the integration of SPC, are critical stepping stones towards realizing this ambitious goal.

10. Conclusion: Securing Today, Building for Tomorrow

Mastercard Identity Check, powered by the EMV 3DS Mastercard program, represents a critical evolution in securing the digital payments ecosystem. Moving beyond the limitations of its predecessor, Mastercard SecureCode, it addresses the core challenge of balancing robust fraud prevention with the imperative for frictionless authentication flows in modern e-commerce.

For issuers and merchants, the benefits are tangible:

  • Enhanced Security: Leveraging rich data exchange, sophisticated Risk-Based Authentication (RBA) engines, NuData behavioural biometrics, and device intelligence significantly improves fraud detection accuracy.

  • Improved User Experience: The focus on frictionless flows minimizes checkout disruptions, reducing cart abandonment and fostering customer loyalty.

  • Higher Approval Rates: More accurate risk assessment leads to fewer false declines, boosting legitimate sales and revenue.

  • Liability Protection: The potential for liability shift on authenticated transactions remains a key incentive for adoption.

Implementing Mastercard Identity Check requires careful consideration of integration paths, particularly the choice of ACS for issuers, and diligent management of BIN enablement and data quality. Monitoring performance through the provided KPI framework and reporting tools, such as the Data Integrity Monitoring Report, is essential for optimization and compliance. Looking ahead, the evolution continues with EMV 3DS 2.3 and beyond, incorporating standards like Secure Payment Confirmation (SPC) and WebAuthn to enable even more secure and user-friendly authentication using passkeys and device biometrics. This aligns with Mastercard's broader vision of a passwordless, numberless future for online payments by 2030, anchored in tokenization and biometrics.

As the authentication landscape shifts towards these more modern, phishing-resistant methods, understanding the foundations laid by programs like Mastercard Identity Check is crucial. For businesses seeking to implement next-generation authentication that combines robust security with unparalleled user convenience, exploring solutions built on FIDO standards, like passkeys offered by providers such as Corbado, represents the logical next step in future-proofing online interactions and payments.
