Mastercard SecureCode: How to use it and keep your payments safe

Mastercard SecureCode: How to use it and keep your payments safe

In the decade of the rising online fraud, Mastercard SecureCode is a true guard for both clients and merchants. Programs like this make the eCommerce environment a safer place. And this quality is extremely vital right now. Why so?

Insurance Information Institute shares the following data – 2018 rounded up with 3 million identity theft reports. Consumers lost $1.48 billion. Besides this, 15% of complaints were the ones connected with identity theft.

And the icing on the cake is the fact that the most widespread chargeback reason codes are 4837 – No Cardholder Authorization and 4863 – Cardholder Not Recognized.

As you can see, identity theft is the most common fraud type. When cyber crooks possess customers’ personal or financial data, they harm not only the shoppers but the merchants as well. The shoppers lose the money due to unauthorized purchases, while the merchants lose money resolving chargeback disputes.

Mastercard SecureCode mission

Mastercard SecureCode is the program saying, “You shall not pass!” to online criminals. Mastercard supports this mission through the number of features:

  • Extra protection. SecureCode provides an extra security layer to the existing credit or debit card use. Thus, the customers eliminate unauthorized actions thanks to the program.
  • Worldwide coverage. 1M+ online merchants offer SecureCode option in 122+ locations to safeguard the transactions. The Mastercard SecureCode logo indicates the presence of the security layer.
  • Convenience and simplicity. Any shopper who owns an account can activate the SecureCode option.

mastercard securecode work

By keeping the mission clear and simple, Mastercard helps make online transactions more secure. Moreover, the merchants are more likely to build trust and long-lasting relationships with the customers thanks to this security program.

Now, hold your breath. It’s time to dive deep in the all-things Mastercard SecureCode.

What is Mastercard SecureCode?

The SecureCode brings mutual benefit for both customers and merchants. The Mastercard SecureCode definition goes as follows:

  • Mastercard SecureCode is an international program, the main aim of which is to provide an additional security layer by authenticating the shoppers.”

Despite the duality, let’s take a look at how this program helps customers and merchants separately. Understanding how SecureCode influences shopping behavior will help merchants to benefit from providing this extra check.

SecureCode for customers

Mastercard SecureCode is available to any Mastercard account holder. It enhances online transactions’ safety. And this feature is essential, as transactions’ fraud estimated $31.3 billion in 2018 globally.

The main goal of the SecureCode customer-wise is unauthorized use protection. Just as the customer uses the PIN for the purchase confirmation in the offline store, so the shopper receives a special code during online shopping.

What’s important is that the secure code is only a ‘customer-issuing bank’ thing. The merchant has no access to the authentication code. Nevertheless, the shoppers know that the website supports the SecureCode thanks to the unique mark.

Also, there is a special list of the participating banks where customers can check the SecureCode availability.

mastercard 3d secure

To enable the 3D Secure solution, the cardholders need to activate this program for their cards. The user’s program enrollment takes part on the financial institution side. The enrollment server maintains the enrollment process.

  • The cardholder/customer validates the account number and makes sure it is eligible for the SecureCode program (check the participating banks’ list we’ve shared).
  • The issuing bank authenticates the customer via the secret questions. Moreover, these questions vary from bank to bank.
  • The customer creates and sets up the Mastercard SecureCode for future use.
  • The cardholder maintains the profile and is in charge of the SecureCode or email change. It is the customer’s obligation to track the purchases.

That is how the program works for the shopper. Now, it’s time to look at it from the merchant’s point of view.

SecureCode for merchants

Mastercard SecureCode merchant-wise means an extra security layer added by enabling the issuing banks to authenticate their users. As online transactions are de facto “card-not-present” ones, it’s hard to identify the cards’ belonging. And SecureCode solves this problem.

Mastercard SecureCode holds three main benefits for merchants:

  1. Increases customers’ loyalty. Trust issues can be the reason for cart abandonment. When shoppers see that the checkout page is verified by Mastercard, they feel safer. That positively influences customers’ willingness to shop from your website.
  2. Decreases chargebacks ratio. Chargeback losses will cost merchants circa $25 million per year by 2020. And SecureCode eliminates unauthorized card use. That, in its turn, saves merchants from the chargeback disputes.
  3. Shifts liability. Do you remember when we talked about ‘cardholder-issuing bank’ relationships? As only the cardholder and the bank knows the code, it’s the banks’ obligation to make a check. If the customer claims the ‘card unauthorized’ code, the bank will deal with it.

While plenty of merchants worldwide suffer from abandoned carts, SecureCode is a worthy tool for conversion growth. Customers who trust the site have more chances to become the return clients. And you, as a merchant, can grow revenue by upselling.

Taking into account that every disputed dollar costs $2.40 for merchants, the liability shift is a great advantage. Moreover, merchants are welcome to download the Mastercard SecureCode identifier. Show that your checkout page is safe to use.

what is mastercard securecode

How does the Mastercard SecureCode work?

We want to describe SecureCode work the way the shoppers see it and what happens behind the scenes. The merchants should understand the procedure in terms of usability and convenience for clients. That’s why let’s jump to the customers’ perspective.

SecureCode x Cardholders

  1. The customer shops as usual. After browsing the website, the consumer adds the item(s) to the online cart. Then the shopper reviews and confirms the purchase to proceed to the checkout (or payment) page.
  2. The shopper fills in the delivery and payment information. After this, the customer has another chance to review the shopping data and submit the order.
  3. To finalize the purchase, the cardholder needs to enter the special code. Two extra fields will appear on the window with the card number, purchase date, and amount. They are the “Personal Greeting” and the SecureCode itself.
  4. After the shopper types in the SecureCode and the bank confirms the cardholders’ identity, the cardholder checkouts as usual.

You might also like: What does PCI DSS stand for and how it affects your business?

SecureCode x Merchant

It is possible to describe this point by making two presumptions: 1) the card owner has enrolled in the program and owns the SecureCode; 2) all communication goes via the SSL-secured channels.

verified by Mastercard

The communication consists of seven layers.

  1. The card owner makes the purchase(s) on the merchant’s website. On the checkout page s/he types in the credit/debit card data and the account number.
  2. The merchant’s plug-in passes the query to the directory. Its goal is the enrollment status verification. The status is verified for a certain bank via the verification request message.
  3. If the issuing bank participates in the SecureCode program, the directory transmits the request to the Access Control Server (ACS). The ACS checks the enrollment status of the card owner. The check result goes to the plug-in via the same route.
  4. If the particular cardholder participates in the program, the plug-in creates and sends the PAR* message to the cardholder’s browser.
  5. The browser transmits the message to the ACS to authenticate a cardholder. As soon as the ACS gets the request message, the authentication procedure begins. For shoppers, this step looks like an additional authentication window.
  6. The ACS authenticates the SecureCode and signs the response message. Then the message goes back to the merchant’s plug-in. For shoppers, this step looks like an authentication window disappearance.
  7. The ACS sends PATransRec to the Mastercard authentication history server.

*PAR – Payer Authentication Request

The main aim is to offer an extra security layer for both the merchant and the buyer. So, merchants receive additional protection against chargebacks on top of the payment service provider’s anti-fraud tools.

mastercard securecode components

SecureCode security components

We’ve learned what the SecureProgram is and how it works. Nevertheless, how does the authentication process go? How does the issuing bank understand the legal cardholder makes the purchase? Meet these two abbreviations – UCAF and AAV. Let’s figure out their role in the process.

  • UCAF or Universal Cardholder Authentication Field is a standard or a globally recognized method of collecting card owner authentication data. The data is collected at the interaction point and covers various channels (Internet, mobile, etc.).

Another name for the card owner authentication data is an Accountholder Authentication Value or AAV.

To make the UCAF definition not that complicated, we may say that it is a special mechanism. Its goal to transmit the AAV from the merchant to the issuing bank to identify the payer.

So, what is this field? It has a fixed number of positions, which is 32. Yet, the data structure within it is flexible. The flexibility is a vital feature to ensure the diversity of the authentication and security approaches each issuer has.

Despite the established value, the field comprises 23 binary bites and one control binary byte. Mastercard assigns and manages both byte types.

The bytes themselves are additionally encoded with Base64 before including in the authentication message.

As you can see, the SecureCode procedure is pretty complex and includes many security layers. Firstly, each cardholder has a specific value attached to his or her account. Secondly, thanks to extra encryption, criminals cannot get the initial authentication value. The control byte ensures that the legitimate owner performs the operation.


Malware, scammers, data leaks… In the current decade financial sector, eCommerce, and users faced so many security threats. That is why 3D Secure systems are the real superheroes when it comes to payments.

Mastercard SecureCode is a program that ensures merchants’ safety and helps to eliminate extra spendings. Thanks to the liability shift, the bank is in charge of unauthorized use. Thus, you, as a merchant, has nothing to do with the reimbursement if the customer checkouts with the SecureCode.

Besides this, the Mastercard SecureCode program grows customers’ loyalty as your website looks more trustworthy. Moreover, don’t forget to showcase the SecureCode indicator on your payment page.

Ask your payment service provider if it supports 3D Secure protocol to offer enhanced security to your customers. To safeguard yourself and your clients, and grow your business, fill in the PaySpacelv’s merchant form. We are ready to offer state-of-the-art protection, analytics, and 3D Secure to our merchants.