> For the complete documentation index, see [llms.txt](https://docs.payments.thalescloud.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.payments.thalescloud.io/classic-tokenization/use-cases/post-enrolment/token-verification/cardholder-verification.md). # Cardholder verification ### Overview Cardholder verification lets a token requestor request proof that the end user is the cardholder. Use this flow when the token requestor needs extra assurance before allowing a sensitive account change, such as updating an email address, account name, or billing address. The token requestor sends the verification request through the TSP. The issuer gateway translates this request into the existing **Get IDnV Method List** call with `purpose` = `CARDHOLDER_STEPUP`. {% hint style="info" %} Note Even if in such case there is no actual device binding, the variable `deviceBindingReference` is used to track the use case and link the `virtualCardId` to be able to manage, later in the flow, the in-app ID\&V method support for Mastercard using the push message to trigger the application. {% endhint %} The following sequence diagrams show the end-to-end flow. ... If the issuer returns **approve with step-up authentication**, use the relevant section for the selected ID\&V method. Once the flow is complete, the issuer gateway sends a **Notify Virtual Card Change** notification that indicates the `action` taken: * `CARDHOLDER_STEPUP_OTP` * Indicates that verification succeeds through an OTP. * `CARDHOLDER_STEPUP_ISSUER_APP` * Indicates that verification succeeds through the issuer application. ### Verify with an OTP The TSP generates the OTP. The issuer gateway forwards it through **Send OTP**, as in the Tokenization flow. Use `otpMethodId` to identify the selected method and prepare the right message and channel. The sequence diagram below shows the flow. ... The TSP verifies the OTP and notifies the relevant parties when verification succeeds. ### Verify in the issuer application In this flow, the issuer verifies the end user in the issuer application. You can trigger the issuer application in two ways. #### Trigger from the token requestor application This approach matches the Tokenization flow used for token activation. The interaction is the same as [Integrate issuer application with wallet](/classic-tokenization/use-cases/card-enrolment/generic-enrollment-flow/step-5-activate-the-token/option-c-activate-in-the-issuer-application/integrate-issuer-application-with-wallet.md). The TSP also sends additional data that the issuer must parse to identify the cardholder verification context: * **Visa** * `lifeCycleTraceID` * `reasonCode` = `CARDHOLDER_STEPUP` * **Mastercard** * `authenticationCorrelationId` These fields are specific to post-Tokenization cardholder verification. #### Trigger with a push message {% hint style="warning" %} This option is supported only by Mastercard. {% endhint %} The issuer triggers the issuer application through a push message. If the end user selects this method, the issuer gateway sends the method ID through **Send OTP** without an OTP value. MDES does not generate an OTP for this flow. Use `otpMethodId` to identify the method and build the push message. ### Report the verification result Regardless of the trigger method, the issuer must report the result to the TSP through **Update Card State**. Send these values: * `virtualCardId` = * Visa: `tokenReferenceID` * Mastercard: `tokenUniqueReference` * `deviceBindingReference` * For Visa, do not use it * For Mastercard, use `authenticationCorrelationId` In case of **successful** verification: * `action` = `CARDHOLDER_STEPUP_ISSUER_APP` In case of **unsuccessful** verification: * Mastercard * Send an empty `action`. The sequence diagram below shows the full flow. ... {% hint style="info" %} **Unsuccessful result**. Visa does not provide a specific interface to report an unsuccessful result. If cardholder verification fails, Visa recommends suspending the token. To keep a consistent approach across Mastercard and Visa, you can also use this approach for a Mastercard token. Note that suspending the token might lead the legitimate end user to contact customer service or cause the merchant to delete the token. {% endhint %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.payments.thalescloud.io/classic-tokenization/use-cases/post-enrolment/token-verification/cardholder-verification.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.