# March 2025 Pre-Release Notes source: https://developer.mastercard.com/mdes-pre-digitization/documentation/pre-release-notes/prereleasenote_taf_jan25/index.md This site provides the release information of the MDES pre-digitization API for supporting post-tokenization authentication for Secure Card on File (SCOF) and Click to Pay using MDES authentication methods. ## Release Change Summary {#release-change-summary} Mastercard is expanding MDES authentication methods to support cardholder post-tokenization authentication for SCOF and Click to Pay. ## Dates for Introduction of Release {#dates-for-introduction-of-release} * MTF - ~~8 Jan 2025~~ 26 Mar 2025 * Production - ~~29 Jan 2025~~ 23 Apr 2025 ### Impacted Market of Release {#impacted-market-of-release} * Functionality Available - Global ## Change 1 - Introducing additional MDES authentication for SCOF and Click to Pay {#change-1---introducing-additional-mdes-authentication-for-scof-and-click-to-pay} A cardholder can be authenticated by the issuer in various ways after an active token has been created for the token requestor post-tokenization. The cardholder authentication can occur: * For a card immediately after it is tokenized. * For a previously tokenized card. * For a tokenized payment transaction. * For a tokenized card that will be bound to a consumer device as required in the Token Authentication Framework (TAF). For more information, see the [Mastercard Token Authentication Framework Guide](https://techdocs.mastercard.com/bundle/m_MTAF_en-us/page/cbu1683835035513.html). ### 1.1 Change in Request Activation Methods {#11-change-in-request-activation-methods} Enhancing usage of Request Activation Methods to post-tokenization authentication for SCOF and Click to Pay. * Impact the following parameters in request: | Field | Description | Data Type | Required | |--------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|------------------------------------------------------------------------------------------------------------| | authRequestCorrelationId | Value linking different authentication requests/messages. | String | Conditional Present for post-tokenization Authentication use cases only | | authenticatorInfo | Contains authenticator information that authenticates cardholders for subsequent payment transactions. | Complex object | Conditional Present when reason code value is TOKEN_BINDING or ACCOUNT_BINDING | | bindId | The unique and fixed identifier to a component of data bound to the credential. | String | Optional | | certifiedMFAAuthMethodId | Mastercard certified multi-factor authentication method ID that authenticator will use to authenticate cardholder for subsequent authentication after token or Account has been bound with given bind ID. | String | Conditional Present when reason code value is TOKEN_BINDING or ACCOUNT_BINDING | | deviceInfo | Contain device information where card is digitized or cardholder is being authenticated for post-tokenization authentication option | Complex object | Optional | | paymentData | Contains payment meta information. | Complex object | Conditional Present for post-tokenization Authentication use cases and reason code is PAYMENT_TRANSACTION. | | recentAuthenticationInfo | Cardholder recently authenticated by this entity. Applicable only for post-tokenization authentication. | Complex object | Optional | | reasonCodes | The reason the account holder is being authenticated. The reason could impact the generation and validation of the code in a number of ways including but not limited to the time period of validity of the code and the number of attempts allowed to validate the code. New reason codes can be added at any time and should not result in a failure. Possible push methods are: ADD_CARD: The account holder is being authenticated after adding the card to the token requestor VERIFY_ACCOUNT: The account holder is being authenticated in order to verify account ownership. **TOKEN_BINDING: The account holder is being authenticated in order to bind the token with bind id as defined in TAF** **ACCOUNT_BINDING: The account holder is being authenticated in order to bind the card number or financial account (bank account) which is tokenized with bind id as defined in TAF.** **PAYMENT_TRANSACTION: the account holder is being authenticated in order to initiate payment transaction.** OTHER: The account holder is being authenticated for a reason not enumerated in this list. | Array of String | Conditional - Only present for Post-tokenization authentication for SCOF and TAF Service | * Impact the following parameters in response: | Field | Description | Data Type | Required | |------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|----------| | authenticationDecision | Issuer decision for post-tokenization authentication decision. Supported Values REQUIRE_ADDITIONAL_AUTHENTICATION - Cardholder Authentication is required APPROVED: Requested use case approved and Cardholder Authentication is not required. DECLINED: Requested use case is not approved. | String | Optional | | activationMethod.type | Specifies the activation method type. Must be one of TEXT_TO_CARDHOLDER_NUMBER = Text message to Account holder's mobile phone number. Value will be the Account holder's masked mobile phone number EMAIL_TO_CARDHOLDER_ADDRESS = Email to Account holder's email address. Value will be the Account holder's masked email address CARDHOLDER_TO_CALL_AUTOMATED_NUMBER = Account holder-initiated call to automated call center phone number. Value will be the phone number for the Account holder to call CARDHOLDER_TO_CALL_MANNED_NUMBER = Account holder-initiated call to manned call center phone number. Value will be the phone number for the Account holder to call CARDHOLDER_TO_VISIT_WEBSITE = Account holder to visit a website. Value will be the website URL **CARDHOLDER_TO_USE_MOBILE_APP = Account holder to use a specific mobile app Value will be replaced by a formatted string. Set Value as PUSH_NOTIFICATION if an issuer wants to support application that opens through push notification along with Android intent and iOS deep link URL. PUSH_NOTIFICATION value is not applicable for activating a device token, it is only applicable for post-tokenization authentication.** ISSUER_TO_CALL_CARDHOLDER_NUMBER = Issuer-initiated voice call to Account holder's phone. Value will be the Account holder's masked voice call phone number. EMV_3DS = Identity check using EMV 3DS will be used to authenticate the cardholder. Value will be replaced by 3DS URL **PUSH_NOTIFICATION_TO_MOBILE_APP = Push Notification to mobile app instance of cardholder to receive authentication code, it is only applicable for Post-tokenization authentication.** | String | Yes | API Reference: `GET /requestActivationMethods` ### 1.2 Change in Deliver Activation Code {#12-change-in-deliver-activation-code} Enhancing usage of Deliver Activation Code for post-tokenization authentication for SCOF and Click to Pay. * Introducing the following parameters in request: | Field | Description | Data Type | Required | |--------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------|------------------------------------------------------------------------------------------| | authRequestCorrelationId | Value linking different authentication requests/messages. | String | Conditional Present for post-tokenization Authentication use cases only | | reasonCodes | The reason the account holder is being authenticated. The reason could impact the generation and validation of the code in a number of ways including but not limited to the time period of validity of the code and the number of attempts allowed to validate the code. New reason codes can be added at any time and should not result in a failure. Possible push methods are: ADD_CARD: The account holder is being authenticated after adding the card to the token requestor VERIFY_ACCOUNT: The account holder is being authenticated in order to verify account ownership. **TOKEN_BINDING: The account holder is being authenticated in order to bind the token with bind id as defined in TAF** **ACCOUNT_BINDING: The account holder is being authenticated in order to bind the card number or financial account (bank account) which is tokenized with bind id as defined in TAF.** **PAYMENT_TRANSACTION: the account holder is being authenticated in order to initiate payment transaction.** OTHER: The account holder is being authenticated for a reason not enumerated in this list. | Array of String | Conditional - Only present for Post-tokenization authentication for SCOF and TAF Service | | activationMethod.type | Specifies the activation method type. Must be one of TEXT_TO_CARDHOLDER_NUMBER = Text message to Account holder's mobile phone number. Value will be the Account holder's masked mobile phone number EMAIL_TO_CARDHOLDER_ADDRESS = Email to Account holder's email address. Value will be the Account holder's masked email address CARDHOLDER_TO_CALL_AUTOMATED_NUMBER = Account holder-initiated call to automated call center phone number. Value will be the phone number for the Account holder to call CARDHOLDER_TO_CALL_MANNED_NUMBER = Account holder-initiated call to manned call center phone number. Value will be the phone number for the Account holder to call CARDHOLDER_TO_VISIT_WEBSITE = Account holder to visit a website. Value will be the website URL **CARDHOLDER_TO_USE_MOBILE_APP = Account holder to use a specific mobile app Value will be replaced by a formatted string. Set Value as PUSH_NOTIFICATION if an issuer wants to support application that opens through push notification along with Android intent and iOS deep link URL. PUSH_NOTIFICATION value is not applicable for activating a device token, it is only applicable for Post-tokenization authentication.** ISSUER_TO_CALL_CARDHOLDER_NUMBER = Issuer-initiated voice call to Account holder's phone. Value will be the Account holder's masked voice call phone number. EMV_3DS = Identity check using EMV 3DS will be used to authenticate the cardholder. Value will be replaced by 3DS URL **PUSH_NOTIFICATION_TO_MOBILE_APP = Push Notification to mobile app instance of cardholder to receive authentication code, it is only applicable for Post-tokenization authentication.** | String | Yes | API Reference: `GET /deliverActivationCode` ## Change 2 - Notifying issuers of device binding events {#change-2---notifying-issuers-of-device-binding-events} MDES is enhancing API and network messages to notify issuers about the device binding events such as completion or deletion as per TAF. ### 2.1 Change in Notify Token Updated {#21-change-in-notify-token-updated} * Introducing the following parameters in request: | Field | Description | Data Type | Required | |--------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------|--------------------------------------------------------------------------------| | reasonCode | The reason code for why the notification is being sent. This applies to all tokens in the Tokens array. Must be one of: STATUS_UPDATE - The status of the tokens has been changed when the token is activated, suspended, deleted, or inactivated. REDIGITIZATION_COMPLETE - The token has been re-digitized to the device in the token expiry and FPAN update to a new range use cases. DELETED_FROM_CONSUMER_APP - The token has been deleted from the consumer application. The token may still be active in MDES. AUTHENTICATION_PERFORMED - Account holder authentication was performed on the token. The status did not change as a result PAYMT_CHANNEL_PREFERENCE_UPDATED - Cardholder has updated the payment channels the token is allowed to be used for (India only). FUNDING_ACCOUNT_UPDATE - Token and FPAN mapping has been updated due to FPAN or expiry or Financial account has been changed but Token is not changed. The status did not change as a result. **TOKEN_BINDING: Token has been bound with bind ID.** **ACCOUNT_BINDING: Account corresponding to the token has been bound with bind ID.** | String | Required | | authenticatorInfo | Contains authenticator information that authenticates cardholders for subsequent payment transactions. | Complex object | Conditional Present when reason code value is TOKEN_BINDING or ACCOUNT_BINDING | | bindId | The unique and fixed identifier to a component of data bound to the credential. | String | Conditional Present when reason code value is TOKEN_BINDING or ACCOUNT_BINDING | | certifiedMFAAuthMethodId | Mastercard certified multi-factor authentication method ID that authenticator will use to authenticate cardholder for subsequent authentication after token or Account has been bound with given bind ID. | String | Conditional Present when reason code value is TOKEN_BINDING or ACCOUNT_BINDING | | bindingStatus | Status of Token Binding or Account Binding. ACTIVE - Token or Account is bound with bindId DEACTIVATED - Token or Account is NOT bound with bindId | String | Conditional Present when reason code value is TOKEN_BINDING or ACCOUNT_BINDING | API Reference: `GET /notifyTokenUpdated` For more detail, refer the announcement [GLB 9396.3](https://techdocs.mastercard.com/bundle/m_an9396_en-us/page/zew1712058422502.html)
## Impact {#impact} ### Existing Issuers {#existing-issuers} Issuers enabled for post-tokenization authentication should be prepared to receive additional decisioning data in their existing pre-digitization API for post-tokenization authentication functionalities for SCOF and Click to Pay. ### New Issuers {#new-issuers} New issuers can choose to support the post-tokenization authentication for SCOF and Click to Pay. These issuers will need to follow the configuration details before using this functionality. ### Personal data \& Privacy Note {#personal-data--privacy-note} Issuers are reminded that the information presented via the pre-digitization API includes personal data which is subject to data privacy laws. Issuers must satisfy themselves that the processing of such personal data is compliant with applicable privacy laws.