Cardholder verification
Overview
Cardholder verification lets a token requestor request proof that the end user is the cardholder.
Use this flow when the token requestor needs extra assurance before allowing a sensitive account change, such as updating an email address, account name, or billing address.
The token requestor sends the verification request through the TSP.
The issuer gateway translates this request into the existing Get IDnV Method List call with purpose = CARDHOLDER_STEPUP.
Note
Even if in such case there is no actual device binding, the variable deviceBindingReference is used to track the use case and link the virtualCardId to be able to manage, later in the flow, the in-app ID&V method support for Mastercard using the push message to trigger the application.
The following sequence diagrams show the end-to-end flow.
...
If the issuer returns approve with step-up authentication, use the relevant section for the selected ID&V method.
Once the flow is complete, the issuer gateway sends a Notify Virtual Card Change notification that indicates the action taken:
CARDHOLDER_STEPUP_OTPIndicates that verification succeeds through an OTP.
CARDHOLDER_STEPUP_ISSUER_APPIndicates that verification succeeds through the issuer application.
Verify with an OTP
The TSP generates the OTP.
The issuer gateway forwards it through Send OTP, as in the Tokenization flow.
Use otpMethodId to identify the selected method and prepare the right message and channel.
The sequence diagram below shows the flow.
...
The TSP verifies the OTP and notifies the relevant parties when verification succeeds.
Verify in the issuer application
In this flow, the issuer verifies the end user in the issuer application.
You can trigger the issuer application in two ways.
Trigger from the token requestor application
This approach matches the Tokenization flow used for token activation.
The interaction is the same as Integrate issuer application with wallet.
The TSP also sends additional data that the issuer must parse to identify the cardholder verification context:
Visa
lifeCycleTraceIDreasonCode=CARDHOLDER_STEPUP
Mastercard
authenticationCorrelationId
These fields are specific to post-Tokenization cardholder verification.
Trigger with a push message
This option is supported only by Mastercard.
The issuer triggers the issuer application through a push message.
If the end user selects this method, the issuer gateway sends the method ID through Send OTP without an OTP value.
MDES does not generate an OTP for this flow.
Use otpMethodId to identify the method and build the push message.
Report the verification result
Regardless of the trigger method, the issuer must report the result to the TSP through Update Card State.
Send these values:
virtualCardId=Visa:
tokenReferenceIDMastercard:
tokenUniqueReference
deviceBindingReferenceFor Visa, do not use it
For Mastercard, use
authenticationCorrelationId
In case of successful verification:
action=CARDHOLDER_STEPUP_ISSUER_APP
In case of unsuccessful verification:
Mastercard
Send an empty
action.
The sequence diagram below shows the full flow.
...
Unsuccessful result.
Visa does not provide a specific interface to report an unsuccessful result.
If cardholder verification fails, Visa recommends suspending the token.
To keep a consistent approach across Mastercard and Visa, you can also use this approach for a Mastercard token. Note that suspending the token might lead the legitimate end user to contact customer service or cause the merchant to delete the token.
Last updated
Was this helpful?