Important Updates from MasterCard for September 2021

MasterCard Identity Check Updates. 3DS1 Attempts server to be decommissioned on October 5th, 2021. 

A number of important changes are announced by MasterCard for the MasterCard Identity Check Program. Below is an abstract covering topics of interest to merchants.

• UPDATE: SPA1 for EMV 3DS will be retired on September 30, 2021, not October 15 as previously communicated.

• REMINDER: A reminder that on Sept. 30, 2021 ACSs/3DS Servers must support the enhanced Transaction Status Reason processing logic as introduced in AN 4805. This enhancement also introduces a new Directory Server-specific transStatusReason value of 83 – ‘DS dropped reason code received from DS’, as well as a new Directory Server-specific authenticationType value of 83 – ‘DS altered transaction status’ (the addition of the new authenticationType value will be published in an upcoming update expected Sept. 7, 2021.)

• REMINDER:  Per the Identity Check Program Guide, requirement 149, ACS operators must challenge a request to add a Card-on-File (COF) regardless if it is requested using a non-payment or payment transaction.  There are further details in the Program Guide with respect to specific data elements and values in the AReq that indicate this type of transaction.

• REMINDER: As per security standards, Mastercard is planning to Introduce Application Security Manager ( ASM ) Policy in both our 3DS1 and 3DS2 Mastercard Networks. In preparation to this all the Merchants (MPIs/ 3DSS) using cookie attributes that are following prior (pre-2011)  grammar are advised to adhere/reference to RFC 6265 standards for cookie handling grammar and behavior. All customers must adhere to RFC 6265 and make any code changes by the end of  September 2021.

• REMINDER: On September 14, 2021, Mastercard will add UK/Gibraltar to the list of countries where Smart Authentication Stand-in will no longer fully authenticate Intra-EEA/UK/Gibraltar transactions above EUR 30. All Intra-EEA/UK/Gibraltar transactions above EUR 30 will receive a Attempts authentication response.

• REMINDER: On September 14, 2021, Issuers in UK/Gibraltar may be automatically enrolled into Smart Authentication Direct for Acquirer Exemption service if they step-up more than 10 percent of their authentication requests featuring acquirer exemptions or Strong Consumer Authentication (SCA) flags.  

• IMPORTANT UPCOMING DATES:
  • SPA1 for EMV 3DS will be retired on September 30, 2021.
  • 3DS1 Attempts server to be decommissioned on October 5th, 2021.