---
url: 'https://www.corbado.com/blog/mastercard-identity-check'
title: 'Mastercard Identity Check: Everything Issuers & Merchants Need to Know'
description: 'Explore Mastercard Identity Check: A guide for issuers & merchants on EMV 3DS, NuData biometrics and achieving secure, frictionless authentication.'
lang: 'en'
author: 'Max'
date: '2025-05-07T09:35:43.600Z'
lastModified: '2026-03-27T07:01:28.957Z'
keywords: 'Mastercard Identity Check, NuData behavioural biometrics, Mastercard 3-D Secure, frictionless authentication flows, EMV 3DS Mastercard program'
category: 'Passkeys Strategy'
---

# Mastercard Identity Check: Everything Issuers & Merchants Need to Know

## Key Facts

- Mastercard Identity Check is Mastercard's program built on EMV 3DS, succeeding
  SecureCode, targeting **90-95% frictionless** transactions and reduced CNP fraud across
  its network.
- **EMV 3DS 2.0** enables exchange of over 150 data elements versus roughly 15 in 3DS 1.0,
  giving issuers far richer context for accurate risk decisions.
- **NuData behavioural biometrics**, acquired in 2017, passively analyzes hundreds of
  interaction signals to detect bots and fraudsters even when they hold stolen
  credentials.
- Mastercard reports **approval rate lifts** of 10-12 basis points with peaks of 14%,
  directly reducing false declines and increasing completed sales.
- Mastercard's **2030 tokenization and passwordless vision** targets 100% e-commerce
  tokenization in Europe and eliminates passwords using EMV 3DS 2.3, SPC and device
  biometrics.

## 1. Introduction: Mastercard Identity Check

The world of digital commerce presents a fundamental tension: how can businesses offer a
smooth, effortless online checkout experience while simultaneously protecting themselves
and their customers from the ever-present threat of fraud? Card-Not-Present (CNP)
transactions, the backbone of [e-commerce](https://www.corbado.com/passkeys-for-e-commerce), lack the inherent
security of physically presenting a card, leading to significantly higher fraud rates.
Historically, [CNP](https://www.corbado.com/glossary/cnp) transactions have accounted for a disproportionate
share of fraud losses compared to their volume. Furthermore, the cost of preventing fraud
through overly aggressive measures, resulting in legitimate transactions being mistakenly
declined (false declines or "customer insults"), can sometimes exceed the cost of fraud
itself, leading to lost sales and customer frustration.

Enter [Mastercard](https://www.corbado.com/blog/mastercard-passkeys) Identity Check,
[Mastercard's](https://www.corbado.com/blog/mastercard-passkeys) comprehensive program designed to address this
challenge head-on. Built upon the global EMV [3-D Secure](https://www.corbado.com/glossary/3d-secure) standard,
it represents a significant evolution in authenticating online
[payments](https://www.corbado.com/passkeys-for-payment). Its core mission is to enhance security, combat fraud,
boost transaction approval rates, and streamline the [payment](https://www.corbado.com/passkeys-for-payment)
journey for cardholders, issuing banks (issuers), and businesses (merchants) alike.

This blog post answers critical questions for [issuers](https://www.corbado.com/glossary/issuer),
[merchants](https://www.corbado.com/glossary/merchant), [Payment](https://www.corbado.com/passkeys-for-payment) Service Providers
(PSPs), software developers, product managers, and security professionals looking to
deeply understand [Mastercard](https://www.corbado.com/blog/mastercard-passkeys) Identity Check:

1. What exactly is [Mastercard](https://www.corbado.com/blog/mastercard-passkeys) Identity Check, and why was it
   developed?

2. How does Mastercard Identity Check leverage EMV [3-D Secure](https://www.corbado.com/glossary/3d-secure)
   technology to reduce fraud and false declines?

3. What role do advanced technologies, like NuData behavioral biometrics, play in enabling
   frictionless user authentication?

4. How can [merchants](https://www.corbado.com/glossary/merchant) and
   [PSPs](https://www.corbado.com/blog/payment-provider-passkeys-third-party-sdk) effectively integrate
   Mastercard Identity Check into their existing [payment](https://www.corbado.com/passkeys-for-payment)
   processes?

5. What tangible benefits—in terms of transaction approval rates, user experience, and
   fraud reduction—can businesses expect from adopting Mastercard Identity Check?

## 2. Program Origins & Objectives: Moving Beyond SecureCode

The journey to Mastercard Identity Check began with the inherent
[vulnerabilities](https://www.corbado.com/glossary/vulnerability) of early
[e-commerce](https://www.corbado.com/passkeys-for-e-commerce). As online shopping surged, fraudsters exploited
the lack of physical card presence, leading to escalating [CNP](https://www.corbado.com/glossary/cnp) fraud
rates. The initial response from the industry came in 1999 with the introduction of the
[3-D Secure](https://www.corbado.com/glossary/3d-secure) (3DS) protocol.
[Mastercard's](https://www.corbado.com/blog/mastercard-passkeys) branded version of this first iteration was
known as Mastercard SecureCode. While SecureCode (3DS 1.0) aimed to replicate the security
of a physical payment by adding a layer of cardholder authentication and offered the
crucial benefit of shifting liability for certain fraudulent chargebacks away from
[merchants](https://www.corbado.com/glossary/merchant), it suffered from significant drawbacks that hampered its
effectiveness and adoption:

- **High Friction**: The most common implementation involved static passwords or
  cumbersome challenge questions, often requiring users to enroll beforehand and remember
  separate credentials. This added noticeable friction to the checkout process.

- **Poor User Experience**: Redirects to [issuer](https://www.corbado.com/glossary/issuer)-branded pages for
  authentication created an inconsistent and often jarring user experience, leading to
  confusion and suspicion among shoppers. This friction directly contributed to high
  shopping [cart abandonment](https://www.corbado.com/blog/ecommerce-authentication) rates.

- **Limited Data Exchange**: 3DS 1.0 only allowed for the exchange of about 15 data
  elements between the [merchant](https://www.corbado.com/glossary/merchant) and [issuer](https://www.corbado.com/glossary/issuer),
  providing insufficient context for accurate risk assessment.

- **Browser-Centric Design**: It was primarily designed for browser-based transactions,
  making it ill-suited for the rapidly growing world of mobile app
  [payments](https://www.corbado.com/passkeys-for-payment) and emerging
  [IoT](https://www.corbado.com/blog/how-to-use-passkeys-apple-watch) commerce.

- **Inadequate False Decline Mitigation**: The limited data and focus on explicit
  challenges didn't effectively address the significant problem of false declines, where
  legitimate transactions were incorrectly flagged as fraudulent, damaging customer
  relationships and causing revenue loss.

It became evident that the negative impact of poor user experience – manifested in cart
abandonment and false declines – often represented a greater financial loss for businesses
than direct fraud costs. This economic reality, coupled with the need for stronger fraud
prevention in an increasingly digital world, drove the development of a modernized
approach.

The launch of Mastercard Identity Check, built upon the next-generation EMV 3-D Secure
protocol, aimed to overcome these limitations with a clear set of objectives:

1. **Reduce CNP Fraud**: Employ more sophisticated techniques to detect and prevent
   unauthorized transactions.

2. **Minimize Friction**: Create smoother, faster frictionless authentication flows for
   the vast majority of transactions.

3. **Increase Approval Rates**: Reduce false declines by providing
   [issuers](https://www.corbado.com/glossary/issuer) with richer data for more accurate risk assessments.

4. **Support Modern Channels**: Natively support authentication within mobile apps,
   digital [wallets](https://www.corbado.com/blog/digital-wallet-assurance), and other connected devices.

5. **Enable Rich Data Exchange**: Facilitate the secure sharing of significantly more
   transaction and contextual data.

6. **Maintain Liability Shift**: Preserve the benefit of shifting liability for
   authenticated fraudulent transactions away from participating merchants.

| **3DS 1.0 (SecureCode) Drawback**     | **Mastercard Identity Check (EMV 3DS) Objective/Solution** |
| ------------------------------------- | ---------------------------------------------------------- |
| High Friction (Static Passwords)      | Minimize Friction (Frictionless Flows)                     |
| Poor User Experience (Redirects)      | Native Mobile/App Support, Consistent UX                   |
| Limited Data Exchange (\~15 elements) | Rich Data Exchange (150+ elements)                         |
| Browser-Centric                       | Support for Modern Channels (Mobile, IoT)                  |
| Inadequate False Decline Mitigation   | Increased Approval Rates (Better Risk Assessment)          |

[Mastercard Identity Check - Early Adopter Program Learnings](https://www.mastercard.us/content/dam/public/mastercardcom/na/us/en/smb/other/Mastercard-Identity-Check-Early-Adopter-Program-Learnings.pdf)

## 3. How Mastercard Built on EMV 3DS: Protocol vs. Program

It's essential to distinguish between the underlying technology standard and
[Mastercard's](https://www.corbado.com/blog/mastercard-passkeys) specific implementation.

### 3.1 EMV® 3-D Secure (EMV 3DS): The Foundation

EMV 3DS is the global protocol specification developed and managed by EMVCo, an
organization jointly owned by major global payment networks including Mastercard,
[Visa](https://www.corbado.com/blog/visa-passkeys), American Express, Discover, JCB, and UnionPay. It defines the
technical framework for secure communication and data exchange between the three key
domains involved in an online transaction authentication:

1. **Acquirer Domain**: Includes the [merchant](https://www.corbado.com/glossary/merchant), their payment
   gateway, and the acquiring bank (merchant's bank). This domain initiates the
   authentication request via a component typically called the 3DS Server (or
   historically, [Merchant](https://www.corbado.com/glossary/merchant) Plug-In/MPI).

2. **Issuer Domain**: Includes the issuing bank (cardholder's bank) and the cardholder.
   This domain is responsible for verifying the cardholder's identity via a component
   called the Access Control Server (ACS).

3. **Interoperability Domain**: Consists primarily of the Directory Server (DS), operated
   by the card scheme (like Mastercard). The DS acts as a central router, directing
   authentication messages between the correct 3DS Server and [ACS](https://www.corbado.com/glossary/acs) based
   on the card number (specifically, the Bank Identification Number or BIN).

The EMV 3DS protocol (often referred to as 3DS 2.0 or 2.x) introduced significant
improvements over the original 3DS 1.0:

- **10x More Data**: Supports the exchange of over 150 data elements (compared to \~15 in
  3DS 1.0), providing a richer context for risk assessment, including device information,
  transaction history, browser details, and merchant data.

- **Risk-Based Authentication (RBA)**: Enables frictionless authentication flows where
  low-risk transactions are approved silently in the background based on data analysis,
  without requiring cardholder interaction. The aim is a frictionless rate of 90–95%.

- **Native Mobile/App Support**: Includes Software Development Kits (SDKs) for seamless
  integration within mobile app checkout flows, eliminating disruptive browser redirects.

- **Enhanced Authentication Methods**: Supports modern authentication methods like
  One-Time Passcodes (OTPs) delivered via SMS or app, biometrics (fingerprint, facial
  recognition), and out-of-band authentication, moving away from static passwords.

- **Broader Use Cases**: Extends beyond simple payment authentication to support
  non-payment authentication (e.g., adding a card to a
  [digital wallet](https://www.corbado.com/blog/digital-wallet-assurance)), recurring
  [payments](https://www.corbado.com/passkeys-for-payment), and tokenization.

[Mastercard Identity Check](https://developer.mastercard.com/product/identity-check/)


### 3.2 Program Implementation

Mastercard Identity Check is the name of Mastercard's specific program that implements and
governs the use of the EMV 3DS protocol within its network. It is the successor to the
Mastercard SecureCode program. While built on the EMV 3DS standard, Mastercard Identity
Check incorporates Mastercard's unique assets and technologies to enhance performance and
security. This includes:

- **Proprietary AI and Machine Learning**: Leveraging Mastercard's vast network data and
  AI capabilities to refine risk scoring and decisioning.

- **Behavioural Analytics (NuData)**: Integrating insights from NuData behavioural
  biometrics (discussed in the next section) to understand user interaction patterns and
  detect sophisticated fraud attempts.

- **Network Intelligence**: Utilizing insights from billions of transactions processed
  globally to inform risk assessments.

- **Program Governance**: Mastercard sets specific Key Performance Indicators (KPIs) and
  rules for participants (issuers, merchants, [acquirers](https://www.corbado.com/glossary/acquirer)) within the
  Identity Check program to ensure optimal performance and user experience across its
  network.

Therefore, Mastercard Identity Check is not merely a rebranding of the EMV 3DS protocol.
It represents Mastercard's strategic layering of its proprietary intelligence and
governance framework onto the standardized protocol foundation. This synergy aims to
deliver a potentially more effective and differentiated authentication service compared to
a basic EMV 3DS implementation, offering enhanced risk detection and performance
optimization within the Mastercard ecosystem.

[Mastercard Identity Check](https://developer.mastercard.com/product/identity-check/)

## 4. Key Components: The Engine Behind Mastercard Identity Check

Mastercard Identity Check relies on a sophisticated interplay of several core
technological components to achieve its goals of security and seamlessness. Understanding
these components is crucial for appreciating how the system assesses risk and
authenticates users.

### 4.1 NuData Behavioural Biometrics

Acquired by Mastercard in 2017, NuData behavioural biometrics technology is a cornerstone
of Mastercard's advanced authentication capabilities. Unlike traditional authentication
that focuses on what a user knows (password) or has (phone for OTP), behavioural
biometrics analyzes how a user interacts with their device and the application. It focuses
on passive biometrics – inherent, often subconscious patterns of interaction.

- **How it Works**: During an online session (like checkout or even
  [account opening](https://www.corbado.com/blog/digital-identity-verification)), NuData technology passively
  collects and analyzes hundreds of subtle behavioural signals. These can include:
    - Typing dynamics (speed, rhythm, pressure)

    - Mouse movements (patterns, speed, clicks)

    - Device handling (angle, accelerometer data)

    - Touchscreen interaction (pressure, swipe patterns)

    - Navigation patterns (using Tab vs. clicking, form progression, 'circle back'
      behaviour)

    - Session behaviour (form familiarity, time taken, copy/paste usage, window switching)

- **Purpose & Integration**: This behavioural data is fed into
  [machine learning](https://www.corbado.com/blog/10-top-nodejs-libraries-machine-learning) models that build a
  unique profile for each legitimate user. The system analyzes billions of data points
  annually to continuously learn and refine these profiles. Its primary function within
  Mastercard Identity Check is to distinguish genuine humans from automated bots and
  sophisticated fraudsters, even when they possess stolen credentials. It detects
  anomalies and high-risk signals in real-time, providing a critical input to the
  Risk-Based Authentication engine.

NuData technology is integral to Mastercard's layered security strategy, powering
solutions like NuDetect and contributing significantly to the intelligence behind
Mastercard Identity Check. It is particularly effective against automated attacks like
[credential stuffing](https://www.corbado.com/glossary/credential-stuffing) and account takeover attempts.

[WSJ Mastercard Nudata](https://partners.wsj.com/aws/how-mastercards-nudata-keeps-identities-protected-with-aws/)

### 4.2 Device Intelligence

Leveraging the rich data exchange capabilities of EMV 3DS 2.0, Mastercard Identity Check
incorporates comprehensive device intelligence. This involves collecting and analyzing a
wide array of data points specific to the device initiating the transaction.

- **Data Points**: The EMV 3DS protocol allows for the transmission of over 150 variables.
  This includes information such as:
    - Device type, model, and operating system

    - Browser type, version, language, and installed plugins

    - IP address and geolocation data

    - Network connection type and time zone

    - Device identifiers or fingerprints

    - Screen resolution and other device characteristics

    - Mastercard may also partner with companies like Ekata to further enrich device and
      [identity verification](https://www.corbado.com/blog/digital-identity-guide) data

- **Purpose**: This wealth of device information helps build a comprehensive risk profile.
  It allows the system to recognize trusted devices, detect anomalies like location
  mismatches or attempts to spoof device information, identify high-risk network
  connections, and flag potentially fraudulent activity originating from unfamiliar or
  compromised devices. Device intelligence is another critical input for the RBA engine.

### 4.3 Risk-Based Authentication (RBA) Engine

The RBA engine is the central intelligence hub of Mastercard Identity Check, responsible
for evaluating the overall risk of a transaction in real-time and determining the
appropriate authentication path.

**How it Works**: The engine synthesizes information from multiple sources:

- EMV 3DS data fields (transaction details, merchant info, device intelligence)

- NuData behavioural biometric signals

- Historical transaction data and user profiles

- Mastercard's proprietary AI and
  [machine learning](https://www.corbado.com/blog/10-top-nodejs-libraries-machine-learning) models, trained on
  global network data

**Purpose**: Based on this holistic analysis, the RBA engine calculates a risk score for
the transaction. This score informs the decision on whether to proceed with a frictionless
authentication (for low-risk transactions) or to initiate a step-up challenge (for
higher-risk transactions) to further verify the cardholder's identity. The outcome (a
score or recommendation) is typically sent to the [issuer's](https://www.corbado.com/glossary/issuer)
[ACS](https://www.corbado.com/glossary/acs) to aid in their final authentication decision. Mastercard also offers
Stand-In RBA services to provide coverage if an [issuer's](https://www.corbado.com/glossary/issuer) own
[ACS](https://www.corbado.com/glossary/acs) is unavailable or not yet 3DS-ready.

The power of Mastercard Identity Check lies in the synergy between these components. While
rich device and transaction data from EMV 3DS provide essential context, the integration
of NuData's behavioural biometrics adds a critical layer of defense. NuData can often
detect sophisticated fraud attempts, such as account takeovers using valid credentials or
bots designed to mimic human interaction, which might bypass systems relying solely on
traditional data points. This multi-faceted approach allows the RBA engine to make more
nuanced and confident risk assessments, enabling a higher rate of frictionless approvals
while maintaining robust security.

[Mastercard Identity Check Program](https://static.developer.mastercard.com/content/identity-check/uploads/files/mastercardidentitycheckprogram.pdf)

## 5. Frictionless-Flow Enablement: Data, Exemptions, and Liability

A primary objective of Mastercard Identity Check is to minimize disruption during online
checkout by enabling frictionless authentication flows whenever possible. This seamless
experience, where authentication happens silently in the background, relies heavily on
data-driven approvals, intelligent use of exemptions, and a clear understanding of
liability implications.

### 5.1 Mechanism: Data-Driven Approvals via RBA

The foundation for frictionless flow is Risk-Based Authentication (RBA). The EMV 3DS
protocol facilitates the exchange of a vast amount of data (over 150 potential elements)
between the [merchant's](https://www.corbado.com/glossary/merchant) environment (via the 3DS Server) and the
[issuer's](https://www.corbado.com/glossary/issuer) environment (the ACS). Mastercard enhances this data with its
own network intelligence, AI algorithms, and NuData behavioural biometrics insights. The
issuer's ACS (or Mastercard's RBA service) analyzes this comprehensive data set in
real-time. If the analysis indicates a low probability of fraud – based on factors like a
recognized device, typical purchase behaviour, familiar location, consistent behavioural
patterns, and other contextual clues – the transaction can be authenticated passively,
without requiring the cardholder to perform any action (like entering an OTP or using a
fingerprint). This is the essence of a data-driven approval enabling the frictionless
flow, aiming to cover 90–95% of authentications.

### 5.2 Strong Customer Authentication (SCA) Exemptions

In regions like Europe governed by the Payment Services Directive (PSD2),
[Strong Customer Authentication](https://www.corbado.com/faq/sca-psd2-importance) (SCA) – typically requiring two
independent authentication factors – is often mandatory for online payments. However, the
regulation and the EMV 3DS protocol allow for specific exemptions where SCA is not
required, further facilitating frictionless experiences. Mastercard Identity Check
supports the application of these exemptions. Key exemptions include:

- **Transaction Risk Analysis (TRA)**: If either the [acquirer](https://www.corbado.com/glossary/acquirer) or the
  [issuer](https://www.corbado.com/glossary/issuer) performs real-time risk analysis and deems the transaction
  low-risk, and the transaction amount is below certain thresholds linked to the entity's
  overall fraud rate, SCA can be exempted.

- **Low-Value Payments**: Transactions below a specific value (e.g., €30 in Europe) can be
  exempt, although cumulative limits apply (e.g., total amount or number of transactions
  since the last SCA).

- **Trusted Beneficiaries (Merchant Whitelisting)**: Cardholders can designate specific
  merchants as "trusted" with their issuer. Subsequent transactions with these whitelisted
  merchants may be exempt from SCA.

- **Recurring Payments & Merchant-Initiated Transactions (MITs)**: While the initial setup
  of a recurring payment or card-on-file agreement usually requires SCA, subsequent
  merchant-initiated payments using those credentials may be considered out-of-scope or
  exempt under certain conditions. EMV 3DS 2.2 and later versions provide specific support
  for these 3RI (3DS Requestor Initiated) transactions.

- **Secure Corporate Payments**: Specific exemptions may apply to corporate payments made
  using dedicated secure protocols.

| **Exemption Type**              | **Description**                                                                | **Typical Liability (if exemption applied)**                        |
| ------------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------------------------- |
| Transaction Risk Analysis (TRA) | Low-risk transaction based on acquirer/issuer analysis below fraud thresholds. | Merchant (if requested by merchant) / Issuer (if applied by issuer) |
| Low-Value Payments              | Transactions below a certain value (e.g., €30), cumulative limits apply.       | Merchant (if requested by merchant)                                 |
| Trusted Beneficiaries           | Cardholder whitelists merchant with issuer.                                    | Merchant (if requested by merchant)                                 |
| Recurring Payments (subsequent) | Subsequent payments after initial SCA.                                         | Merchant (often, for MITs)                                          |

Merchants and [PSPs](https://www.corbado.com/blog/payment-provider-passkeys-third-party-sdk) can indicate their
request for an exemption within the EMV 3DS authentication message.


### 5.3 Liability Shift Implications

A significant benefit of using 3-D Secure has always been the potential shift in liability
for certain types of fraudulent chargebacks.

- **Successfully Authenticated Transactions**: When a transaction is successfully
  authenticated through Mastercard Identity Check (whether via frictionless flow or a
  challenge), liability for chargebacks claimed as "unauthorized" generally shifts from
  the merchant to the card issuer. This protection applies even if the authentication was
  frictionless, although specific card scheme rules and scenarios might apply.

- **Impact of Exemptions**: This is a critical point: if a merchant or their
  [PSP](https://www.corbado.com/blog/payment-provider-passkeys-third-party-sdk) requests an SCA exemption (like
  TRA or low-value) and the issuer grants it, the liability for fraud typically remains
  with the merchant. The merchant gains the benefit of a smoother checkout but retains the
  financial risk of fraud. However, if the issuer unilaterally decides to apply an
  exemption (e.g., based on their own risk assessment), liability may shift to the issuer.

- **Attempted/Failed Authentication**: Rules surrounding liability when authentication is
  attempted but fails or cannot be completed (e.g., issuer ACS unavailable) can be complex
  and depend on the specific circumstances and card scheme rules. Mastercard rules might
  offer merchant protection in certain scenarios, even if the issuer hasn't fully
  migrated.

- **Data-Only Flows**: Specific flows like Mastercard's "Identity Check Insights," which
  involve sharing data for risk assessment without performing a full authentication
  attempt, explicitly do not grant liability shift to the merchant.

This creates an important strategic decision point for merchants and
[PSPs](https://www.corbado.com/blog/payment-provider-passkeys-third-party-sdk). Requesting exemptions can
optimize [conversion rates](https://www.corbado.com/blog/logins-impact-checkout-conversion) by ensuring a
frictionless experience, but it comes at the cost of retaining fraud liability.
Conversely, forcing authentication (even if it results in a frictionless flow approved by
the issuer) might secure liability shift but could potentially introduce friction if a
challenge is required. Therefore, a sophisticated
[risk management strategy](https://thectoclub.com/tools/best-risk-management-software) is
needed to determine the optimal approach on a transactional basis, balancing conversion
goals with fraud risk tolerance.

Furthermore, the success of the frictionless flow, and the accuracy of the RBA decision,
is highly dependent on the quality and completeness of the data provided by the merchant
and their [PSP](https://www.corbado.com/blog/payment-provider-passkeys-third-party-sdk) through the EMV 3DS
messages. Incomplete or inaccurate data hinders the issuer's ability to perform reliable
risk assessments, potentially leading to more challenges or even declines, thereby
undermining the benefits of the system. Achieving optimal frictionless performance is a
collaborative effort requiring diligent data management on the acquiring side.
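
The exemption and liability rules from sections 5.2 and 5.3 can be modelled per transaction, as in this added example (not Mastercard's or this article's own code). The cumulative low-value limits and the TRA fraud-rate bands are the PSD2 RTS figures rather than values stated in this article, and `issuer_sees_low_risk` is a hypothetical stand-in for the RBA result.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum
from typing import Optional


class Exemption(Enum):
    NONE = "none"            # merchant asks for full authentication
    LOW_VALUE = "low_value"
    TRA = "tra"


# EUR 30 ceiling is from the article. The cumulative limits and TRA bands are
# the PSD2 RTS (EU 2018/389) figures for remote card payments (assumption:
# they are not stated in the article).
LOW_VALUE_MAX = Decimal("30")
CUMULATIVE_MAX = Decimal("100")
COUNT_MAX = 5
TRA_BANDS = (  # (reference fraud rate ceiling in %, exemption threshold in EUR)
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
)


@dataclass(frozen=True)
class Transaction:
    amount_eur: Decimal
    requested: Exemption = Exemption.NONE
    data_only: bool = False                        # data shared, no authentication
    acquirer_fraud_rate_pct: Decimal = Decimal("1")
    spent_since_sca_eur: Decimal = Decimal("0")    # issuer-side counter
    count_since_sca: int = 0                       # issuer-side counter
    issuer_sees_low_risk: bool = True              # hypothetical RBA verdict
    challenge_passed: Optional[bool] = None        # None = no challenge result


@dataclass(frozen=True)
class Outcome:
    flow: str                 # data_only | exempted | frictionless | challenge | failed
    liability: Optional[str]  # "merchant", "issuer", or None if scheme rules decide
    reason: str


def tra_threshold(fraud_rate_pct: Decimal) -> Decimal:
    """Highest amount the TRA exemption covers for a reference fraud rate."""
    for ceiling, threshold in TRA_BANDS:
        if fraud_rate_pct <= ceiling:
            return threshold
    return Decimal("0")


def low_value_eligible(tx: Transaction) -> bool:
    """Conservative reading: refuse if either cumulative counter would be exceeded."""
    return (
        tx.amount_eur <= LOW_VALUE_MAX
        and tx.spent_since_sca_eur + tx.amount_eur <= CUMULATIVE_MAX
        and tx.count_since_sca < COUNT_MAX
    )


def decide(tx: Transaction) -> Outcome:
    # Data-only flows never shift liability away from the merchant.
    if tx.data_only:
        return Outcome("data_only", "merchant", "no authentication attempted")

    eligible = (
        (tx.requested is Exemption.LOW_VALUE and low_value_eligible(tx))
        or (tx.requested is Exemption.TRA
            and tx.amount_eur <= tra_threshold(tx.acquirer_fraud_rate_pct))
    )
    # A merchant-requested exemption that the issuer grants keeps liability
    # with the merchant.
    if eligible and tx.issuer_sees_low_risk:
        return Outcome("exempted", "merchant",
                       f"{tx.requested.value} exemption requested and granted")

    # Exemption not requested, not eligible, or refused: the issuer authenticates.
    if tx.issuer_sees_low_risk:
        return Outcome("frictionless", "issuer", "authenticated passively")
    if tx.challenge_passed:
        return Outcome("challenge", "issuer", "step-up challenge completed")
    return Outcome("failed", None, "not authenticated; scheme rules decide")
```

Running the same basket through `decide` with and without an exemption request makes the trade-off concrete: the exempted path returns `merchant` liability, while the authenticated path returns `issuer`.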

[Mastercard Identity Check Program](https://static.developer.mastercard.com/content/identity-check/uploads/files/mastercardidentitycheckprogram.pdf)

[Mastercard Frictionless Future](https://www.mastercard.us/content/dam/public/mastercardcom/na/us/en/documents/welcome-to-the-frictionless-future.pdf)

## 6. Issuer Integration Paths: ACS Choices and BIN Enablement

For card [issuers](https://www.corbado.com/glossary/issuer), integrating with the Mastercard Identity Check
program is essential to leverage its security and user experience benefits. This involves
enabling their card portfolios (identified by Bank Identification Numbers, or BINs) and
connecting to the authentication infrastructure, primarily through an Access Control
Server (ACS).

### 6.1 The Role of the Access Control Server (ACS)

The ACS resides within the issuer's domain and is the technological heart of the
authentication process from the issuer's perspective. Its key responsibilities include:

- Receiving Authentication Requests (AReq messages) routed from the merchant via the
  Mastercard Directory Server (DS)

- Verifying if the specific card number is enrolled and eligible for Mastercard Identity
  Check

- Performing risk assessment (often leveraging RBA engines and data like the Mastercard
  Smart Authentication score)

- Deciding whether to authenticate frictionlessly or initiate a challenge

- Managing the challenge process if required (e.g., sending an OTP via SMS, prompting for
  biometric verification via a [banking](https://www.corbado.com/passkeys-for-banking) app)

- Generating and returning the Authentication Response (ARes message), including the
  crucial Accountholder Authentication Value (AAV) for successfully authenticated
  transactions, back to the DS

### 6.2 Issuer ACS Options

Issuers have several pathways for implementing ACS functionality:

1. **In-house ACS**: An issuer can choose to build, deploy, host, and manage their own ACS
   software solution within their own IT environment.
    - Pros: Offers maximum control over authentication logic, risk rules, user experience
      customization, and integration with internal systems.

    - Cons: Requires substantial internal technical expertise, significant development and
      maintenance resources, and rigorous adherence to ongoing EMVCo and
      [PCI](https://www.corbado.com/blog/pci-dss-4-0-authentication-passkeys) 3DS compliance standards.

2. **Hosted ACS (Third-Party Vendor)**: Issuers can partner with specialized,
   Mastercard-approved ACS vendors who provide the ACS as a managed service. The issuer in
   this model is often referred to as a "Hosted Principal."
    - Pros: Reduces the issuer's operational complexity, infrastructure costs, and
      compliance burden. Leverages the vendor's expertise and potentially offers faster
      time-to-market.

    - Cons: May offer less granular control and customization compared to an in-house
      solution. Reliance on a third party for a critical function.

    - Vendor Ecosystem: Mastercard maintains a list of compliant ACS vendors, with
      examples including companies like Entersekt, Netcetera, GPayments, and Logibiztech.

3. **Mastercard Supplementary Services**: Mastercard offers value-added services that can
   augment an issuer's chosen ACS path:
    - Mastercard Smart Authentication for ACS/Issuers: Provides RBA intelligence to
      enhance the [ACS's](https://www.corbado.com/glossary/acs) decisioning capabilities.

    - Mastercard Stand-In RBA: Offers backup RBA processing if the issuer's primary ACS is
      unavailable or if specific BINs are not yet fully enabled for EMV 3DS.

    - Mastercard 3-D Secure Authentication Challenge Service: Provides biometric challenge
      capabilities (leveraging FIDO standards) that can be integrated with the ACS flow.

The selection between in-house and hosted ACS represents a significant strategic decision
for issuers, balancing the desire for control against the need for efficiency,
cost-effectiveness, and speed of implementation.

### 6.3 BIN Enablement Checklist for Issuers

Enabling specific Bank Identification Number (BIN) ranges for Mastercard Identity Check
involves a series of coordinated steps:

1. **Select ACS Path**: Determine whether to use an in-house ACS or a hosted provider.

2. **Ensure ACS Compliance**: Verify that the chosen ACS solution (in-house or vendor) is
   compliant with the current Mastercard Identity Check program rules and the relevant EMV
   3DS specification version. This typically involves the ACS operator completing
   Mastercard compliance testing.

3. **Register for Mastercard Identity Check**: Enroll the issuing institution in the
   program via the Mastercard Identity Check Test Platform on Mastercard Connect,
   accepting terms and providing necessary identifiers like Company ID (CID) and Interbank
   Card Association (ICA) number.

4. **Enroll BIN Ranges with Directory Server**: Use the Identity Solutions Services
   Management (ISSM) tool on Mastercard Connect to register the specific BIN ranges that
   will participate in Identity Check. For each enrolled range, the URL of the
   corresponding ACS must be provided. Note that BIN ranges previously enrolled for
   Mastercard SecureCode (3DS 1.0) require separate enrollment for Identity Check (EMV
   3DS).

5. **Configure Authentication Rules**: Define the primary authentication methods (e.g.,
   RBA) and any step-up challenge methods (e.g., SMS OTP, Biometrics) to be used for the
   enrolled BINs. Ensure support for both frictionless and challenge flows is configured.

6. **Manage Certificates**: Obtain and manage the necessary Transport Layer Security (TLS)
   server/client certificates for secure communication with the Mastercard Directory
   Server, and digital signing certificates if applicable, using the Mastercard Key
   Management Portal.

7. **Implement AAV Validation**: Set up processes to validate the Accountholder
   Authentication Value (AAV) received in authorization messages for authenticated
   transactions. This can be done internally or by using Mastercard's AAV validation
   service.

8. **Coordinate with Processor**: Ensure the issuer's payment processor is capable of
   handling any new data elements associated with Mastercard Identity Check, such as
   Digital Transaction Insights.

9. **Go Live and Monitor**: Once configuration and testing are complete, activate the
   enrolled BIN ranges in the production environment and continuously monitor transaction
   performance and KPIs.

It is important to recognize that BIN management is an ongoing process. Industry changes,
such as the migration from 6-digit to 8-digit BINs, require issuers to proactively assess
their portfolios, potentially consolidate BINs, and update their systems and
configurations accordingly to ensure continued seamless operation of authentication
services like Mastercard Identity Check.

[Mastercard Identity Check Program](https://static.developer.mastercard.com/content/identity-check/uploads/files/mastercardidentitycheckprogram.pdf)

## 7. Impact on Merchants & PSPs: Driving Approvals, Reducing Friction

The adoption of Mastercard Identity Check and the underlying EMV 3DS Mastercard program
offers significant advantages for merchants and the Payment Service Providers (PSPs) that
serve them. The core impacts revolve around improving transaction success rates, enhancing
the customer experience, and simplifying operations in the global
[e-commerce](https://www.corbado.com/passkeys-for-e-commerce) landscape.

### 7.1 Approval Rate Uplift

One of the most compelling benefits is the potential to increase authorization approval
rates.

- **How it works**: The richer data exchanged through EMV 3DS combined with sophisticated
  RBA engines using AI and behavioural analytics provides issuers with far greater insight
  into the legitimacy of a transaction. This allows them to more accurately distinguish
  between genuine customers and fraudsters, leading to a reduction in false declines –
  situations where a legitimate transaction is mistakenly rejected due to suspected fraud.

- **Quantified Results**: Studies and reports indicate significant improvements.
  Mastercard data has shown average approval rate lifts of 10–12 basis points (0.10–0.12%)
  or even uplifts as high as 14% across billions of transactions in a year. Other sources
  mention potential lifts of 12%. Case studies, like one involving a clothing retailer,
  demonstrated substantial sales increases attributed to improved approvals and fraud
  reduction via Identity Check.

- **Benefits**: For merchants, higher approval rates directly translate to increased
  completed sales, higher revenue, and improved customer satisfaction. For PSPs, offering
  a solution that demonstrably boosts their clients' approval rates enhances their value
  proposition and competitiveness.

### 7.2 Reduced Step-ups and Enhanced Customer Experience

A direct consequence of effective RBA is a significant reduction in the need for
[step-up authentication](https://www.corbado.com/glossary/step-up-authentication), where the cardholder is
actively challenged to provide further proof of identity.

- **How it works**: The goal is for the vast majority (often cited as >90% or 95%) of
  transactions to be authenticated frictionlessly based on the risk assessment. This means
  fewer interruptions for the customer during checkout.

- **Benefits**: This dramatically improves the user experience by removing unnecessary
  hurdles. Reduced friction leads directly to lower shopping
  [cart abandonment](https://www.corbado.com/blog/ecommerce-authentication) rates and higher
  [conversion rates](https://www.corbado.com/blog/logins-impact-checkout-conversion) for merchants.

### 7.3 Simplified Global Rollout

Mastercard Identity Check's foundation on the global EMV 3DS standard facilitates easier
implementation and management for businesses operating across borders.

- **How it works**: EMV 3DS provides a common technical language and framework for
  authentication recognized by participating issuers and [acquirers](https://www.corbado.com/glossary/acquirer)
  worldwide.

- **Benefits**: This standardization reduces the complexity for international merchants
  and PSPs, who might otherwise need to integrate multiple, disparate regional
  authentication solutions. Integration is streamlined through standardized protocols,
  APIs, and SDKs provided by Mastercard and its partners. Furthermore, using an EMV
  3DS-based solution like Mastercard Identity Check helps businesses meet regulatory
  requirements such as [PSD2](https://www.corbado.com/blog/psd2-passkeys) SCA in Europe and similar mandates
  emerging elsewhere.

For PSPs, these merchant benefits are amplified. By offering a robust, globally
consistent, and high-performing authentication solution like Mastercard Identity Check,
PSPs can attract more merchants, reduce their own operational overhead related to managing
diverse authentication methods, and potentially lower their exposure to fraud-related
costs passed on from merchants.

[Mastercard Identity Check](https://www.mastercard.us/en-us/business/overview/safety-and-security/identity-check.html)

## 8. KPI framework & reporting

To effectively manage and optimize the performance of Mastercard Identity Check, issuers,
[acquirers](https://www.corbado.com/glossary/acquirer), and merchants need a clear framework of Key Performance
Indicators (KPIs). Tracking these metrics provides insights into user experience, security
effectiveness, and compliance with the EMV 3DS Mastercard program rules.

### 8.1 Key Performance Indicators (KPIs)

Based on program guides and best practices, the following KPIs are crucial for monitoring
Mastercard Identity Check performance:

1. **Challenge Rate**: This measures the percentage of authentication requests that result
   in the cardholder being actively challenged (e.g., asked for an OTP or biometric
   verification). A lower challenge rate generally indicates a better, more frictionless
   user experience. Mastercard guidance suggests aiming for challenges in less than 10% of
   transactions, relying on RBA for the majority.

2. **Authentication Success Rate**: This tracks the percentage of authentication attempts
   (both frictionless and challenged) that are successfully completed by the cardholder
   and verified by the issuer. High success rates are vital for minimizing transaction
   abandonment. Mastercard may set minimum thresholds for overall authenticated
   transaction approval rates (e.g., 90%) and monitor challenge success rates
   specifically.

3. **Frictionless Rate**: The inverse of the challenge rate, this measures the percentage
   of authentications successfully completed without requiring cardholder interaction. A
   high frictionless rate is a primary goal of EMV 3DS and is strongly correlated with
   higher overall success rates and better user experience.

4. **Fraud Rate**: Monitoring the rate of confirmed fraudulent transactions, particularly
   those that were authenticated via Identity Check, is essential to gauge the system's
   effectiveness in preventing fraud. Mastercard monitors merchant fraud levels through
   programs like the Excessive Fraud Merchant (EFM) program. A key goal is to see a
   reduction in fraud compared to unauthenticated transactions.

5. **Authorization Approval Rate**: The ultimate measure of transaction success is the
   final authorization approval rate by the issuer. Identity Check aims to lift this rate
   by reducing false declines.

6. **Technical Performance**: Metrics such as ACS and 3DS Server uptime (Mastercard
   requires 99.0% availability for vendors), transaction processing times, and error rates
   in the authentication messaging are also critical.

| **KPI**                     | **Description**                                                  | **Why it's Important**                | **Target Example (if available)** |
| --------------------------- | ---------------------------------------------------------------- | ------------------------------------- | --------------------------------- |
| Challenge Rate              | % of auth requests resulting in active cardholder challenge.     | Measures friction.                    | <10%                              |
| Authentication Success Rate | % of auth attempts successfully completed.                       | Minimizes abandonment.                | >90% (overall)                    |
| Frictionless Rate           | % of auths completed without challenge.                          | Measures seamlessness.                | >90-95%                           |
| Fraud Rate                  | Rate of confirmed fraudulent transactions (post-authentication). | Gauges security effectiveness.        | Reduction vs. unauthenticated     |
| Authorization Approval Rate | Final issuer approval rate.                                      | Measures overall transaction success. | Increase vs. pre-Identity Check   |
| Technical Performance       | ACS/3DS Server uptime, processing times, error rates.            | Ensures system reliability.           | e.g., 99.0% uptime                |

### 8.2 Reporting Mechanisms

Monitoring these KPIs relies on various reporting channels:

- **Mastercard Program Monitoring:** Mastercard actively monitors the performance of
  participants against established program KPIs. Non-compliance can trigger notifications
  and potential assessments or fines under programs like DIMP or EFM.

- **Data Integrity Monitoring Program (DIMP) Reports:** This program specifically focuses
  on the accuracy and completeness of transaction data flowing through the Mastercard
  network. Issuers and acquirers can access DIMP reports via a dedicated portal to
  identify transactions flagged for data integrity issues. Several DIMP "edits" directly
  relate to EMV 3DS data, such as missing or invalid DS Transaction IDs, missing exemption
  indicators, invalid AAVs, or mismatching transaction amounts. Issuers can
  specifically subscribe to a **Mastercard Data Integrity Monitoring Report** to track
  their performance against frictionless rate targets.

- **Payment Service Provider (PSP) / Vendor Reporting:** Merchants and issuers often
  utilize the reporting dashboards and analytics provided by their PSPs, 3DS Server
  providers, or ACS vendors to track their authentication performance metrics.

Effectively utilizing these KPIs and reporting mechanisms allows
[stakeholders](https://www.corbado.com/blog/passkeys-stakeholder) to identify areas for improvement, optimize
configurations (like RBA rules), troubleshoot technical issues, and ultimately maximize
the benefits of the Mastercard Identity Check program.

[Mastercard Identity Check Program](https://static.developer.mastercard.com/content/identity-check/uploads/files/mastercardidentitycheckprogram.pdf)

## 9. Roadmap: The Future of Authentication with EMV 3DS v2.3+ and SPC

The landscape of online payment authentication is constantly evolving, driven by the need
for enhanced security, regulatory changes, and the demand for ever-smoother user
experiences. **Mastercard Identity Check**, being built on the **EMV 3DS Mastercard
program**, is intrinsically linked to the roadmap set by EMVCo for the 3-D Secure
protocol.

**EMV 3DS Evolution (v2.1, v2.2, v2.3)**

The EMV 3DS protocol has seen several iterations since its initial launch (version 2.0),
each introducing new features and refinements:

- **EMV 3DS 2.1:** Became the mandated baseline, incorporating foundational support for
  richer data exchange and improved mobile experiences compared to 3DS 1.0. Mastercard
  required support by mid-2020.

- **EMV 3DS 2.2:** Introduced further enhancements, including better support for SCA
  exemptions (like [Acquirer](https://www.corbado.com/glossary/acquirer) TRA and Trusted Merchant Listing via
  Mastercard message extensions) and refined data elements. Mastercard began supporting
  compliance testing for 2.2, with mandates following later. Mastercard Gateway planned to
  sunset support for 2.1 in September 2024, making 2.2 the effective minimum.

- **EMV 3DS 2.3 (specifically 2.3.1):** Released by EMVCo in late 2021/2022, this version
  represents the latest significant advancement, focusing on further improving security,
  user experience, and channel support. Key features relevant to the future of
  authentication include:
    - **Enhanced Data & Flows:** Additional data elements and message flows to further
      streamline authentication and improve fraud detection. Includes richer data for
      recurring payments and payment tokens.

    - **Secure Payment Confirmation (SPC) Support:** Integration points for
      [SPC](https://www.corbado.com/blog/dynamic-linking-passkeys-spc), enabling cryptographic confirmation of
      transaction details using FIDO [authenticators](https://www.corbado.com/glossary/authenticator) within the
      3DS flow.

    - **WebAuthn Support:** Explicit support for using W3C's Web Authentication (WebAuthn)
      standard, facilitating the use of passkeys and platform
      [authenticators](https://www.corbado.com/glossary/authenticator) (like
      [device biometrics](https://www.corbado.com/blog/passkeys-local-biometrics)) for challenges.

    - **Out-of-Band (OOB) Authentication Improvements:** Automated transitions to
      streamline the user experience when authentication needs to happen via a separate
      channel, like a [banking](https://www.corbado.com/passkeys-for-banking) app.

    - **Device Binding:** Allows users to link a trusted device to their account,
      potentially reducing future challenges on that device.

    - **Split-SDK Model:** Offers greater flexibility for implementing 3DS SDKs across
      diverse platforms, including traditional web/mobile and emerging channels like
      [IoT](https://www.corbado.com/blog/how-to-use-passkeys-apple-watch) devices.

    - **UI Enhancements:** More options for issuers and merchants to customize the user
      interface during challenges.

Mastercard, as a key member of EMVCo, actively participates in developing these standards.
They are strong supporters of [SPC](https://www.corbado.com/blog/dynamic-linking-passkeys-spc) and the broader
move towards modern, [passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication)
methods like passkeys. Companies like DECTA have already achieved early certification for
EMV 3DS 2.3.1.1 with Mastercard, indicating adoption is underway.

**Secure Payment Confirmation (SPC) Integration**

[SPC](https://www.corbado.com/blog/dynamic-linking-passkeys-spc) is a W3C web
standard designed to work alongside authentication protocols like EMV 3DS. It leverages
FIDO/WebAuthn credentials (passkeys) to allow users to authenticate and explicitly confirm
transaction details (amount, payee) directly within the browser, using their device's
built-in [authenticator](https://www.corbado.com/glossary/authenticator) (e.g., fingerprint,
[face ID](https://www.corbado.com/faq/is-face-id-passkey), PIN).

- **How it integrates with EMV 3DS 2.3:** During a 3DS challenge flow, if the issuer
  supports SPC and the user has a registered FIDO credential (passkey) with the issuer for
  that device, the issuer's ACS can return the necessary information in the ARes message.
  The [merchant's](https://www.corbado.com/glossary/merchant) website then invokes the browser's SPC API,
  presenting a standardized, secure confirmation dialog. The user authenticates locally
  (e.g., via biometrics), cryptographically signing the transaction details. This signed
  [assertion](https://www.corbado.com/glossary/assertion) is sent back to the ACS for verification.

- **Benefits:** SPC promises a highly secure (phishing-resistant) and potentially very
  low-friction challenge experience compared to OTPs, improving
  [conversion rates](https://www.corbado.com/blog/logins-impact-checkout-conversion). It provides strong
  cryptographic proof of user consent tied to specific transaction details. Mastercard is
  actively promoting [passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case) and SPC
  support.

**Mastercard's Broader Vision: Towards a Passwordless Future**

Beyond the immediate EMV 3DS roadmap, Mastercard has articulated a broader vision for the
future of online authentication, aiming to eliminate manual card entry and passwords
entirely by 2030. This strategy relies on the convergence of:

- **Tokenization:** Replacing sensitive Primary Account Numbers (PANs) with secure network
  tokens (via MDES - Mastercard Digital Enablement Service) to protect underlying card
  data. Mastercard aims for 100% e-commerce tokenization in regions like Europe by 2030.

- **Biometric Authentication:** Leveraging
  on-[device biometrics](https://www.corbado.com/blog/passkeys-local-biometrics) (fingerprints, facial
  recognition - "smiles and fingerprints") via standards like FIDO/WebAuthn and
  technologies like SPC and Mastercard's Payment Passkey Service.

- **Click to Pay:** Mastercard's streamlined online checkout solution based on EMV Secure
  Remote Commerce (SRC) standards, designed to work seamlessly with tokenization and
  modern authentication.

This future state envisions a checkout experience where users authenticate securely and
confirm payments with a simple biometric action, without ever needing to manually type
card numbers or passwords. The ongoing evolution of EMV 3DS, including version 2.3 and the
integration of SPC, is a critical stepping stone towards realizing this ambitious goal.


## 10. Conclusion: Securing Today, Building for Tomorrow

**Mastercard Identity Check**, powered by the **EMV 3DS Mastercard program**, represents a
critical evolution in securing the digital payments ecosystem. Moving beyond the
limitations of its predecessor, Mastercard SecureCode, it addresses the core challenge of
balancing robust fraud prevention with the imperative for **frictionless authentication
flows** in modern e-commerce.

For issuers and merchants, the benefits are tangible:

- **Enhanced Security:** Leveraging rich data exchange, sophisticated Risk-Based
  Authentication (RBA) engines, **NuData behavioural biometrics**, and device intelligence
  significantly improves fraud detection accuracy.

- **Improved User Experience:** The focus on frictionless flows minimizes checkout
  disruptions, reducing [cart abandonment](https://www.corbado.com/blog/ecommerce-authentication) and fostering
  customer loyalty.

- **Higher Approval Rates:** More accurate risk assessment leads to fewer false declines,
  boosting legitimate sales and revenue.

- **Liability Protection:** The potential for liability shift on authenticated
  transactions remains a key incentive for adoption.

Implementing Mastercard Identity Check requires careful consideration of integration
paths, particularly the choice of ACS for issuers, and diligent management of BIN
enablement and data quality. Monitoring performance through the provided KPI framework and
reporting tools, such as the Data Integrity Monitoring Report, is essential for
optimization and compliance. Looking ahead, the evolution continues with EMV 3DS 2.3 and
beyond, incorporating standards like
[Secure Payment Confirmation](https://www.corbado.com/blog/dynamic-linking-passkeys-spc) (SPC) and WebAuthn to
enable even more secure and
[user-friendly authentication](https://www.corbado.com/faq/passkey-user-experience-benefits-non-technical-audience)
using passkeys and [device biometrics](https://www.corbado.com/blog/passkeys-local-biometrics). This aligns with
Mastercard's broader vision of a passwordless, numberless future for online payments by
2030, anchored in tokenization and biometrics.

As the authentication landscape shifts towards these more modern,
[phishing](https://www.corbado.com/glossary/phishing)-resistant methods, understanding the foundations laid by
programs like Mastercard Identity Check is crucial. For businesses seeking to implement
next-generation authentication that combines robust security with unparalleled user
convenience, exploring solutions built on FIDO standards, like passkeys offered by
providers such as Corbado, represents the logical next step in future-proofing online
interactions and payments.

## Frequently Asked Questions

### What steps are involved in enabling BINs for Mastercard Identity Check?

Issuers must select and certify an ACS solution, register via Mastercard Connect and
enroll specific BIN ranges using the Identity Solutions Services Management (ISSM) tool.
BINs previously enrolled for SecureCode require separate enrollment for Identity Check.
The ongoing migration from 6-digit to 8-digit BINs also requires portfolio reassessment
and system updates.

### What happens to fraud liability when a merchant requests an SCA exemption under Mastercard Identity Check?

When a merchant or PSP requests an SCA exemption such as Transaction Risk Analysis or a
low-value payment exemption, fraud liability remains with the merchant rather than
shifting to the issuer. If the issuer unilaterally applies an exemption based on their own
risk assessment, liability may shift to the issuer instead.

### What ACS deployment options do issuers have for Mastercard Identity Check?

Issuers can deploy an in-house ACS for maximum control over authentication logic and user
experience, or use a hosted ACS from a Mastercard-approved vendor such as Entersekt,
Netcetera or GPayments. Mastercard also offers Stand-In RBA and Smart Authentication
services to cover issuers whose ACS is unavailable or not yet fully 3DS-ready.

### What KPIs does Mastercard set for Identity Check program participants?

Mastercard targets a challenge rate below 10%, a frictionless rate above 90-95% and an
overall authentication success rate above 90%. ACS vendors must maintain 99.0% uptime. The
Data Integrity Monitoring Program (DIMP) tracks data accuracy and non-compliance can
trigger assessments or fines under programs like DIMP or the Excessive Fraud Merchant
program.
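The KPI targets in this answer and the DIMP-style data checks named in section 8.2 can be monitored from an issuer's or PSP's own transaction records before Mastercard flags them. The sketch below is an added example, not Mastercard code or a DIMP specification: the record field names, the exact-match amount rule and the sample data are assumptions made for illustration.

```javascript
// Added example. Field names are hypothetical, not EMV 3DS or Mastercard
// message formats. transStatus "Y" is treated as "authenticated".
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Targets quoted in the article's KPI table.
const TARGETS = { maxChallengeRate: 0.10, minFrictionlessRate: 0.90, minSuccessRate: 0.90 };

function computeKpis(records) {
  const total = records.length;
  if (total === 0) throw new Error("no records");
  const challenged = records.filter((r) => r.challenged).length;
  const frictionlessOk = records.filter((r) => !r.challenged && r.transStatus === "Y").length;
  const authenticated = records.filter((r) => r.transStatus === "Y").length;
  const kpis = {
    total, challenged, frictionlessOk, authenticated,
    challengeRate: challenged / total,
    frictionlessRate: frictionlessOk / total,
    successRate: authenticated / total,
    breaches: [],
  };
  if (!(kpis.challengeRate < TARGETS.maxChallengeRate)) kpis.breaches.push("challengeRate");
  if (!(kpis.frictionlessRate > TARGETS.minFrictionlessRate)) kpis.breaches.push("frictionlessRate");
  if (!(kpis.successRate > TARGETS.minSuccessRate)) kpis.breaches.push("successRate");
  return kpis;
}

// Data-integrity checks modelled on the issues the article lists for DIMP:
// missing/invalid DS Transaction ID, missing AAV, mismatching amounts.
function integrityFindings(records) {
  const findings = [];
  for (const r of records) {
    if (!UUID_RE.test(r.dsTransId || "")) {
      findings.push({ id: r.id, issue: "missing or invalid DS Transaction ID" });
    }
    if (r.transStatus === "Y" && !r.aav) {
      findings.push({ id: r.id, issue: "authenticated without AAV" });
    }
    // Assumption: amounts must match exactly; real program rules may differ.
    if (r.transStatus === "Y" && r.authAmountMinor !== r.authorizationAmountMinor) {
      findings.push({ id: r.id, issue: "authentication/authorization amount mismatch" });
    }
  }
  return findings;
}

// Constructed sample: 20 records, 3 challenged, 1 failed, 3 with data faults.
function sampleRecords() {
  const recs = [];
  for (let i = 0; i < 20; i++) {
    recs.push({
      id: i,
      dsTransId: `00000000-0000-4000-8000-${String(i).padStart(12, "0")}`,
      challenged: i >= 17,
      transStatus: i === 19 ? "N" : "Y",
      aav: i === 19 ? "" : "CONSTRUCTED-AAV",
      authAmountMinor: 4990,
      authorizationAmountMinor: 4990,
    });
  }
  recs[3].dsTransId = "";                    // DS Transaction ID dropped
  recs[7].aav = "";                          // AAV lost between 3DS and authorization
  recs[18].authorizationAmountMinor = 5990;  // amount changed after authentication
  return recs;
}

console.log(computeKpis(sampleRecords()), integrityFindings(sampleRecords()));
```

On the constructed sample the challenge and frictionless targets are breached while the success rate passes, and the three faulty records are reported by id.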

### How does Secure Payment Confirmation integrate with the Mastercard Identity Check challenge flow in EMV 3DS 2.3?

When a challenge is required and the user has a registered FIDO credential with the
issuer, the ACS returns SPC parameters in the authentication response. The merchant's
website then invokes the browser's SPC API, allowing the user to cryptographically sign
specific transaction details via device biometrics, replacing OTPs with a
phishing-resistant confirmation.
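The hand-off described in section 9 and in the answer above, where the merchant page turns ACS-supplied parameters into a browser SPC call, looks roughly like this. It is an added example, not Mastercard, EMVCo or Corbado code: the shape and field names of `sampleAcsSpcParams` are assumptions (the page does not give the ARes field names) and all values are constructed; the `PaymentRequest` call with the `secure-payment-confirmation` method is the W3C API.

```javascript
// Added example. The parameter object is a hypothetical shape for what the
// merchant page receives after the ARes; all values are constructed samples.
const sampleOrder = { merchantOrigin: "https://shop.example", currency: "EUR", total: "49.90" };
const sampleAcsSpcParams = {
  rpId: "acs.issuer.example",
  challenge: "3q2-7wABAgMEBQYHCAkKCw",   // base64url, 16 bytes
  credentialIds: ["AQIDBAUGBwg"],         // base64url credential ID
  instrument: { displayName: "Mastercard ending 4444", icon: "https://acs.issuer.example/card.png" },
  amount: { currency: "EUR", value: "49.90" },
};

// Decode base64url (no padding) into the byte array the SPC API expects.
function b64urlToBytes(s) {
  if (typeof s !== "string" || !/^[A-Za-z0-9_-]+$/.test(s)) throw new Error("not base64url");
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Build the PaymentRequest arguments, refusing to proceed if what the user
// would be asked to sign differs from the order the merchant actually holds.
function buildSpcRequest(order, acs) {
  if (acs.amount.currency !== order.currency || acs.amount.value !== order.total) {
    throw new Error("SPC amount does not match order");
  }
  if (!Array.isArray(acs.credentialIds) || acs.credentialIds.length === 0) {
    throw new Error("no enrolled credential; use another challenge method");
  }
  const challenge = b64urlToBytes(acs.challenge);
  if (challenge.length < 16) throw new Error("challenge shorter than 16 bytes");
  const methodData = [{
    supportedMethods: "secure-payment-confirmation",
    data: {
      rpId: acs.rpId,
      challenge,
      credentialIds: acs.credentialIds.map(b64urlToBytes),
      instrument: acs.instrument,
      payeeOrigin: order.merchantOrigin,
      timeout: 300000,
    },
  }];
  const details = {
    total: { label: "Total", amount: { currency: order.currency, value: order.total } },
  };
  return { methodData, details };
}

// Browser-only part: returns null when SPC cannot be used so the caller can
// fall back to another challenge (for example OTP inside the 3DS flow).
async function confirmWithSpc(order, acs) {
  if (typeof PaymentRequest === "undefined") return null;
  const { methodData, details } = buildSpcRequest(order, acs);
  const request = new PaymentRequest(methodData, details);
  if (!(await request.canMakePayment())) return null;
  const response = await request.show();   // standardized browser confirmation dialog
  await response.complete("success");
  return response.details;                  // WebAuthn assertion, verified by the ACS
}
```

The assertion returned by `confirmWithSpc` must still be verified by the ACS; the merchant-side amount check only catches a mismatch before the dialog is shown.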
