Important Updates for Visa, MasterCard and Amex for November 2021

Visa, MasterCard and Amex all announced the sunset dates for 3DSecure Version 1.0.2 with other important dates and exceptions.

Welcome to another industry updated on 3DSecure. All Card schemes have announced a date for decommissioning of 3DSecure Version 1.0.2. The effective dates are 14^th Oct 2022 for MasterCard and Amex (with the exception of India) and 15^th October 2022 for Visa.

MasterCard will also stop the enrollment of new merchants for Version 1 from March 31 2022; this means that any new merchants must go into production with Version 2.

Below is a summary of important dates and notification from all 3 schemes, with some of these deadlines already now in effect.

MasterCard

The latest Authentication Guide for Europe is now Version 1.4.

REMINDER: Effective 2 November 2021, MasterCard has re-enabled kX AAVs for Identity Check Insights transactions functionality.  Please refer to AN 4882 Introduction of Accountholder Authentication Values for Identity Check Insights and Non-Payment Transactions for more information.

REMINDER – 2.2 MANDATE, EUROPE: MasterCard is announcing revised Standards for EMV 3D-Secure (3DS) version 2.2 specifications implementation for all card-not-present (CNP) transactions on MasterCard and Maestro account ranges. The revised Standards will require issuers and acquirers in the Europe region to support cardholder authentication using EMV 3DS version 2.2, effective 14 October 2022.

REMINDER:  Per the Identity Check Program Guide, requirement 149, ACS operators must challenge a request to add a Card-on-File (COF) regardless if it is requested using a non-payment or payment transaction.  There are further details in the Program Guide with respect to specific data elements and values in the AReq that indicate this type of transaction.

MPORTANT UPCOMING DATES:

3DS1 Decommissioning

• March 31 2022 MasterCard will no longer allow 3DS 1.0 account range or Merchant ID enrollments.
• October 14 2022 MasterCard will no longer process any 3DS 1.0 transactions for cardholder authentication. Any transaction submitted to the MasterCard 3DS 1.0 Directory Server will result in an error response.

Visa

Effective 15 October 2022, Visa will discontinue support of 3-D Secure 1.0.2 and related technology.

Effective 16 October 2021, Visa will continue to support 3DS 1.0.2 transaction processing, including the 3DS 1.0.2 Directory Server (DS), but will stop support of 3DS 1.0.2 Attempts Server for non-participating issuers. After 15 October 2021, Visa will respond with a Verify Enrollment Response (VERes) = N to all authentication requests when the issuer does not support 3DS 1.0.2 (e.g. BIN range does not have an access control server [ACS] URL listed in the DS).

If an issuer continues to support 3DS 1.0.2 after 15 October 2021, it will be able to respond to merchants with a fully authenticated response and Cardholder Authentication Verification Value (CAVV), and merchants will obtain fraud liability protection. These transactions will be blocked from fraud-related disputes1 in Visa Resolve Online. Issuers wishing to stop support of 3DS 1.0.2 must request that their Bank Identification Number (BIN) ranges be removed from the Visa Secure DS.

The follow table for Fraud Liability applies:

Amex

The SafeKey 1.0 product will be terminated on 14 October 2022, with the exception of participants in India, where SafeKey 1.0 will sunset on 13 October 2023.

ACS providers in India should retain the 1.0 ACS service until October 2023 and contact the American Express SafeKey Team on amexenabledsafekey@aexp.com to discuss next steps.

• MPIs and 3DSS servicing merchants in India should retain their MPI service until October 2023 and contact the American Express SafeKey Team on amexenabledsafekey@aexp.com to discuss next steps.
• Global ACS providers can choose to retain the 1.0 ACS service to allow for any inbound spend in India until October 2023.