Welcome to our new developer portal! Use the "Ask" button to chat with our AI Agent.
Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Cardholder verification

Overview

Cardholder verification lets a token requestor request proof that the end user is the cardholder.

Use this flow when the token requestor needs extra assurance before allowing a sensitive account change, such as updating an email address, account name, or billing address.

The token requestor sends the verification request through the TSP.

The issuer gateway translates this request into the existing Get IDnV Method List call with purpose = CARDHOLDER_STEPUP.

Note

Even if in such case there is no actual device binding, the variable deviceBindingReference is used to track the use case and link the virtualCardId to be able to manage, later in the flow, the in-app ID&V method support for Mastercard using the push message to trigger the application.

The following sequence diagrams show the end-to-end flow.

...

If the issuer returns approve with step-up authentication, use the relevant section for the selected ID&V method.

Once the flow is complete, the issuer gateway sends a Notify Virtual Card Change notification that indicates the action taken:

  • CARDHOLDER_STEPUP_OTP

    • Indicates that verification succeeds through an OTP.

  • CARDHOLDER_STEPUP_ISSUER_APP

    • Indicates that verification succeeds through the issuer application.

Verify with an OTP

The TSP generates the OTP.

The issuer gateway forwards it through Send OTP, as in the Tokenization flow.

Use otpMethodId to identify the selected method and prepare the right message and channel.

The sequence diagram below shows the flow.

...

The TSP verifies the OTP and notifies the relevant parties when verification succeeds.

Verify in the issuer application

In this flow, the issuer verifies the end user in the issuer application.

You can trigger the issuer application in two ways.

Trigger from the token requestor application

This approach matches the Tokenization flow used for token activation.

The interaction is the same as Integrate issuer application with wallet.

The TSP also sends additional data that the issuer must parse to identify the cardholder verification context:

  • Visa

    • lifeCycleTraceID

    • reasonCode = CARDHOLDER_STEPUP

  • Mastercard

    • authenticationCorrelationId

These fields are specific to post-Tokenization cardholder verification.

Trigger with a push message

This option is supported only by Mastercard.

The issuer triggers the issuer application through a push message.

If the end user selects this method, the issuer gateway sends the method ID through Send OTP without an OTP value.

MDES does not generate an OTP for this flow.

Use otpMethodId to identify the method and build the push message.

Report the verification result

Regardless of the trigger method, the issuer must report the result to the TSP through Update Card State.

Send these values:

  • virtualCardId =

    • Visa: tokenReferenceID

    • Mastercard: tokenUniqueReference

  • deviceBindingReference

    • For Visa, do not use it

    • For Mastercard, use authenticationCorrelationId

In case of successful verification:

  • action = CARDHOLDER_STEPUP_ISSUER_APP

In case of unsuccessful verification:

  • Mastercard

    • Send an empty action.

The sequence diagram below shows the full flow.

...

Unsuccessful result.

Visa does not provide a specific interface to report an unsuccessful result.

If cardholder verification fails, Visa recommends suspending the token.

To keep a consistent approach across Mastercard and Visa, you can also use this approach for a Mastercard token. Note that suspending the token might lead the legitimate end user to contact customer service or cause the merchant to delete the token.

Last updated

Was this helpful?