The most important things at a glance:
What is the Mastercard Identity Check?
The Mastercard Identity Check (formerly Mastercard SecureCode) is an authentication method that enables secure payments on the Internet. In essence, it is the 3D Secure process.
The 3D Secure procedure corresponds to "two-factor authentication" (2FA), i.e. a second authentication step is required in order to make an online payment. This is also called “strong customer authentication”. The payment must be confirmed a second time, for example with a TAN, a password or even a fingerprint.
From September 14, 2019, the newly established EU Payment Services Directive (the so-called Payment Services Directive 2, PSD2 for short) will come into effect, which stipulates that Internet payments must be confirmed by a second factor.
What exactly is strong customer authentication?
As part of the new EU Payment Services Directive, new requirements for secure online payments have been set. It was determined that for card payments or transfers, the identity of the payer must be proven twice.
In practice, this means that a payment process must always be confirmed using 2 independent security features - the card number together with the security code (CVC) will no longer be sufficient in future. In addition, another authentication must now be carried out. This can be, for example, entering a password or confirmation by fingerprint or Face ID.
This process is already used for mobile payments with smartphones.
Why is a new variant of the 3D Secure process being used now?
In principle, the new 3D Secure process should be even more secure and better protect customers against online fraud. The new variant should also be simpler and more user-friendly for customers, especially on a smartphone.
In addition, significantly more information can be exchanged between the merchant and the card issuer (usually the bank) in the new 3D Secure process. This makes it easier to determine whether a payment was actually made by the person who owns the card or account. In general, this should help identify and combat abuse earlier.
When is the Mastercard Identity Check not required?
There are also exceptional cases in which the customer does not have to perform double authentication for Internet payments. These exceptions were defined in PSD2 as follows:
Payments under 30 euros
In general, strong customer authentication is not required for amounts under 30 euros. However, in the case of 5 consecutive transactions without authentication, authentication must always be carried out for the 6th payment. The same applies if the individual payments together reach a value of 100 euros.
For payments that recur at regular intervals, no customer authentication has to be started. The best examples from practice are subscriptions such as Netflix or Spotify, which are debited from the Mastercard every month.
Approved merchants (merchant whitelist)
The card issuer can also offer its customers what is known as merchant whitelisting (it is not obliged to). This allows customers to create a list of merchants they prefer to buy from. Accordingly, “two-factor authentication” is no longer necessary for these merchants. However, the customers themselves bear the risk.
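The three exceptions above, written out as an issuer-side decision function. This is an added example, not code from Mastercard or from PSD2. The names `CardState`, `decide` and `replay` are hypothetical, the boundaries follow the wording on this page ("under 30 euros", "reach a value of 100 euros"), and it assumes that recurring and whitelisted payments do not count towards the low-value counters.

```python
from dataclasses import dataclass, field
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")     # "payments under 30 euros"
MAX_EXEMPT_IN_A_ROW = 5             # the 6th payment must be authenticated
CUMULATIVE_LIMIT = Decimal("100")   # exempt payments together reach 100 euros

@dataclass
class CardState:
    """Per-card counters since the last strong customer authentication."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")
    whitelist: set = field(default_factory=set)

def decide(state, amount, merchant, recurring=False):
    """Return (sca_required, reason) and update the low-value counters."""
    amount = Decimal(str(amount))
    if recurring:
        return False, "recurring payment"
    if merchant in state.whitelist:
        return False, "whitelisted merchant"
    if amount >= LOW_VALUE_LIMIT:
        reason = "amount not under 30 euros"
    elif state.exempt_count >= MAX_EXEMPT_IN_A_ROW:
        reason = "5 payments in a row without authentication"
    elif state.exempt_total + amount >= CUMULATIVE_LIMIT:
        reason = "exempt payments reach 100 euros"
    else:
        state.exempt_count += 1
        state.exempt_total += amount
        return False, "low value"
    # Assumption: the customer completes authentication, so counters restart.
    state.exempt_count, state.exempt_total = 0, Decimal("0")
    return True, reason

def replay(payments, whitelist=()):
    """Run constructed (amount, merchant, recurring) tuples through decide()."""
    state = CardState(whitelist=set(whitelist))
    return [decide(state, *p) for p in payments]

# Constructed sample data, not real transactions.
SAMPLE = [(10, "shop-a", False)] * 6 + [
    (12.99, "streaming", True),
    (250, "trusted-shop", False),
    (50, "shop-b", False),
]

if __name__ == "__main__":
    for payment, result in zip(SAMPLE, replay(SAMPLE, {"trusted-shop"})):
        print(payment, "->", result)
```

In the sample, the sixth 10-euro payment is the first one that triggers authentication, and the 250-euro payment passes without it only because the merchant is on the customer's whitelist.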