# August 2026 Pre-Release Notes source: https://developer.mastercard.com/mdes-pre-digitization/documentation/pre-release-notes/prereleasenote_token_provisioning_insights_aug26/index.md ## Release Change Summary {#release-change-summary} MDES is enhancing the Pre-Digitization API by introducing [Token Provisioning Insights (TPI)](https://developer.mastercard.com/mdes-pre-digitization/documentation/faqs/index.md) to help issuers assess the fraud risk of token provisioning events. This enables issuers to approve more digitization events while reducing downstream transaction fraud. As part of this enhancement, MDES will provide issuers with the TPI. It is a combination of Mastercard generated [risk score](https://developer.mastercard.com/mdes-pre-digitization/documentation/pre-release-notes/prereleasenote_token_provisioning_insights_aug26/index.md#risk-score) and [reason code](https://developer.mastercard.com/mdes-pre-digitization/documentation/pre-release-notes/prereleasenote_token_provisioning_insights_aug26/index.md#reason-code) derived from the Mastercard network data for the device wallet and remote commerce token provisioning requests. ##### Impacted API: {#impacted-api} * Authorize Service (AS) ## Release Timeline {#release-timeline} * MTF: 1 June 2026 * Production: 27 August 2026 ### Impacted Market {#impacted-market} * Availability: Global, excluding India and Indonesia ## Change 1 - Introduction of Security Services Insights {#change-1---introduction-of-security-services-insights} A new complex object `securityServicesInsights` will be added to the Authorize Service request. #### Security Services Insights object {#security-services-insights-object} | Field and Description | Data Type | Min Length | Max Length | Required | |-----------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|----------| | `securityServicesInsights` Contains information about the token provisioning insights risk score and reason code of the digitization request. | Object | NA | NA | No | ##### Security Services Insights parameters {#security-services-insights-parameters} | Field and Description | Data Type | Min Length | Max Length | Required | |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|----------| | `securityServicesIndicator` The Mastercard embedded security services indicator for issuers. | string | 3 | 3 | Yes | | `securityServicesData` The security services data contains data supporting token provisioning insights. * The first character represents the risk score (0-9), where higher values indicate a higher degree of risk. * The last two characters represent the reason code. AA--ZZ, with AA as the higher risk reason and ZZ as the lower risk reason. Note: When a risk score and reason code cannot be generated, Mastercard returns a risk score of **5** and reason code of **JA**. | string | 3 | 3 | Yes | API Reference: `GET /authorizeService` ### Risk score {#risk-score} A comprehensive risk score calculated in real-time that combines: * Select provisioning data * Network transaction data * Network fraud trends The risk score is a value from 0 to 9 and represents the token provisioning score. The lowest risk is 0; the highest risk is 9. ##### ISO device types {#iso-device-types} | Code | Device Type | |------|-------------------------------------------------------------------------------------------------------------------------------------------------| | 00 | Card | | 01 | Mobile Network Operator (MNO) controlled removable secure element (SIM or UICC) personalized for use with a mobile phone or smartphone | | 02 | Key fob | | 03 | Watch using a contactless chip or a fixed (non-removable) secure element not controlled by the MNO | | 04 | Mobile tag | | 05 | Wristband | | 06 | Mobile phone case or sleeve | | 07 | Mobile phone or smartphone with a fixed (non-removable) secure element controlled by the MNO, for example, code division multiple access (CDMA) | | 08 | Removable secure element not controlled by the MNO, for example, memory card personalized for used with a mobile phone or smartphone | | 09 | Mobile phone or smartphone with a fixed (non-removable) secure element not controlled by the mobile network operator | | 10 | MNO controlled removable secure element (SIM or UICC) personalized for use with a tablet or e-book | | 11 | Tablet or e-book with a fixed (non-removable) secure element controlled by the MNO | | 12 | Removable secure element not controlled by the MNO, for example, memory card personalized for use with a tablet or e-book | | 13 | Tablet or e-reader with a fixed (non-removable) secure element not controlled by the mobile network operator | | 14 | Mobile phone or smartphone with a payment application running in a host processor | | 15 | Tablet or e-book with a payment application running in a host processor | | 16 | Mobile phone or smartphone with a payment application running in the TEE of a host processor | | 17 | Tablet or e-book with a payment application running in the TEE of a host processor | | 18 | Watch with a payment application running in the TEE of a host processor | | 19 | Watch with a payment application running in a host processor | | 21 | Phone - mobile phone | | 22 | Tablet | | 23 | Watch | | 24 | Sticker | | 25 | Personal computer | | 26 | Device peripheral | | 27 | Tag | | 28 | Jewelry | | 29 | Fashion accessory | | 30 | Garment | | 31 | Domestic appliance | | 32 | Vehicle | | 33 | Media or gaming device | | 34 | Virtual reality headset | | 99 | None of above | Note: Values from 20--99 exclusively indicate the form factor only without also indicating the storage technology. Any value in this range may occur within the form factor and transaction data without prior notice. ### Reason code {#reason-code} The reason code values from AA-ZZ represent the reasons in the following table, where AA is a higher risk, and ZZ is a lower risk reason. The reason code provides a deeper understanding of the risk score and the main reason for that score. | Reason Code | Description | |-------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | AB | Suspicious transaction linked to the card. | | AG | Previous cross-border transactions may signal risk. | | AY | High-velocity provisioning activity by token requestor. | | BT | Suspicious token requestor behaviour. | | HW | High transaction volume before provisioning. | | HZ | Suspicious provisioning request due to multiple risk indicators. | | JA | Unable to generate provisioning insight. A reason code of JA will be returned if a score is unable to be generated, and the risk score will automatically be set to 5. | | LL | New card with no recent provisioning activity. | | NR | No recent token requestor activity. | | SG | Provisioning behaviour appears normal and stable. | | ST | Normal token requestor behaviour. | | TC | Provisioning request from banking app. | | YH | New token request from a low-risk token requestor and consistent activity with this card. | For details, refer the announcement [MDES Token Provisioning Insights](https://trc-techresource.mastercard.com/r/bundle/m_an13024_en-us/page/d/en-US/xmd0500787557241.html). ## Impact {#impact} These parameters are optional and backward compatible, so existing integrations will continue to work without any impact. Issuers can adopt and code to the new parameters whenever they are ready. ### Personal data \& Privacy Note {#personal-data--privacy-note} Issuers are reminded that the information presented via the Pre-Digitization API includes personal data which is subject to data privacy laws. Issuers must satisfy themselves that the processing of such personal data is compliant with applicable privacy laws.