Tabs
Mastercard

In the 3D Secure 2 protocol, the Message Extension fields allow for more customized and card-specific information to be passed in both the request and response messages. This article focuses on what Mastercard uses the Message Extension fields for, including:
 

  • Strong Customer Authentication (SCA) exemptions and Allowlisting
  • Merchant fraud rate
  • Acquirer country code
  • Secure corporate payments

To get the most out of this article, we recommend you first read our Browser Authentication for 3D Secure article.

SCA exemptions

One of the key advantages of 3D Secure 2 is that it provides a framework for merchants to benefit from exemptions from SCA under certain conditions. With 3D Secure version 2.2, merchants can flag specific exemptions using the Challenge Request Indicator field.

In addition, for Mastercard authentications, the specific exemption the merchant is requesting must be included in the Message Extension fields during the Initiate Authentication step.

Sample request (specific fields)

In the authentication request, include the following fields.

"challenge_request_indicator":"NO_CHALLENGE_REQUESTED",
"message_extension": [
   {
      "name": "Merchant Data",
      "id": "A000000004-merchantData",
      "criticality_indicator": "false",
      "data": {
         "A000000004-merchantData": {
            "scaExemptions":"05"
         }
      }
   }
]

Sample response (specific fields)

If the request for an exemption is successful, the response of the Authentication request will contain the following values. The authentication value will start with kN.

{
   "authentication_value": "kNABBhIBRwAAAAAANQFHAAAAAAA=",
   "status": "AUTHENTICATION_FAILED",
   "status_reason": "81",
   "eci": "06",
}

Allowlisting

3D Secure 2 allows customers to allowlist, or whitelist, certain merchants—effectively telling the Issuer that transactions with particular merchants should be trusted. If this occurs, the Issuer may return information in the authentication response regarding the allowlist status of the merchant.

In version 2.1, Mastercard does not support allowlisting merchants as trusted beneficiaries list. However, Mastercard is able to share the allowlist status of a merchant through message extension.

"message_extension": [
   {
      "name": "ACS Data",
      "id": "A000000004-acsData",
      "criticality_indicator": "false",
      "data": {
         "A000000004-acsData": {
            "whitelistStatus":"Y"
         }
      }
   }
],

Merchant fraud rate

Mastercard allows the merchant fraud rate to be shared with the Issuer as part of the Authentication Request message using a specific Message Extension field. Sharing the merchant fraud rate can increase the Issuer’s level of confidence in the transaction. Issuers can also use it to decide if a merchant should be eligible for the allowlist exemption.

There is no change to the response message when using this extension.

info

Sample request (specific fields)

In the authentication request, include the following fields.

"message_extension": [
   {
      "name": "Merchant Data",
      "id": "A000000004-merchantData",
      "criticality_indicator": false,
      "data": {
         "A000000004-merchant_data":{
         "merchantfraudrate": "1"
         }
      }
   }
]

Acquirer country code

Merchants can use this extension to inform the Issuer if the Acquirer country and merchant country differ. This is particularly important for transaction processing in countries where regulations may apply based on the Acquirer country. 

If a transaction is “two-leg”—that is, the country code of both the Acquirer and the Issuer is in the European Economic Area (EEA)—then it is in scope of SCA. It is therefore important to share the Acquirer country code; otherwise, an Issuer could incorrectly flag a transaction as a “one-leg” transaction, which would be out of scope of SCA.

There is no change to the response message when using this extension.

info

Sample request (specific fields)

In the authentication request, include the following fields.

"message_extension": [
   {
      "name": "Merchant Data",
      "id": "A000000004-merchantData",
      "criticality_indicator": false,
      "data": {
         "A000000004-merchant_data":{
         "acquirer_country_code": "050"
         }
      }
   }
]
Unavailable
Off
American Express Rewards

The American Express Membership Rewards message extension enables merchants to obtain the balance of a card member’s rewards points and display it on the checkout page as an alternative payment option for the customer.

There are two major steps in this process:

  • Perform a non-payment authentication to obtain the rewards points balance
  • Perform a payment authentication to redeem their points and use them to pay

To use the American Express Membership Rewards message extension, contact your account manager or a member of our support team.

info

Step 1: Eligibility and points balance

After gathering the customer’s card data, billing and shipping details, as well as other 3D Secure 2 data such as browser information, we can then perform a non-payment authentication while specifying that we want the American Express rewards balance.

If the customer is eligible for membership rewards, the Issuer will respond with an Authentication Successful message and include the rewards data in the Message Extension fields. If they are not eligible, the reason for this will be returned.

Sample request (specific fields)

In the non-payment authentication request, include the following fields.

"message_category": "NON_PAYMENT_AUTHENTICATION",
"authentication_request_type": "AMEX_REWARDS_BALANCE",
"message_extension": [
   {
      "name": "Membership Rewards",      
      "id": "A000000025-001",
      "criticality_indicator": false,
      "data": {
         "mr_balance":"14040", 
         "mr_currencyName":"Membership Rewards", 
         "conversion_points":"1000", 
         "converted_currAmount":"10", 
         "mr_status_reason":"01" 
      }
   }
]

Step 2: Points authentication

You can now present the customer with the option to pay using their points balance. Next, we perform a 3D Secure 2 payment authentication for a customer paying with their points balance. The authentication will proceed through a standard challenge flow to allow the customer to redeem their points and use them to pay.

For more information on the standard challenge flow, see the API Reference for 3D Secure 2.

API sample request (specific fields)

In the payment authentication request, include the following fields.

"message_category": "PAYMENT_AUTHENTICATION",
"authentication_request_type": "AMEX_REWARDS_BALANCE",
Unavailable
Off
Internal Title
XML (Ecommerce Only)
Show Content Nav
On
Tags
Subtitle
Use this field to send customized information to the Issuer.