In the world of e-commerce, ensuring that a customer is who they say they are is paramount. As digital transactions grow, so does the risk of fraud. To combat this, payment networks developed a security layer known as 3-D Secure, which includes protocols like Mastercard® SecureCode™ and Visa Secure.
At the heart of these security checks are two critical pieces of data: the Universal Cardholder Authentication Field (UCAF) and the Cardholder Authentication Verification Value (CAVV). While they appear as complex strings of characters, they are the digital keys that unlock a more secure transaction for merchants, banks, and customers alike.
Let's break down what each of these values is and the vital role it plays.
Mastercard's UCAF: The Universal Cardholder Authentication Field
When a customer uses a Mastercard for an online purchase on a site using 3-D Secure, they may be asked to verify their identity with their bank. The data generated from this successful authentication is encapsulated within the UCAF.
The merchant's payment system collects this cryptographic value and "passes" it along with the rest of the transaction data to the card issuer (the customer's bank). This serves as proof that the cardholder was properly authenticated.
| | |
| :--- | :--- |
| Schema | ucaf |
| Description | A cryptographic value containing the Mastercard SecureCode™ authentication data generated by the issuer or cardholder during a transaction. |
| Data Format | Alphanumeric string, up to 32 characters in length. |
| Example Value | ucaf:jJJLtQa+\|ws8AREAEbjsA1MAAAA |
Visa's CAVV: The Cardholder Authentication Verification Value
CAVV is Visa’s equivalent to UCAF and is the cornerstone of the Visa Secure program. It functions in precisely the same way: it’s a unique value generated after a cardholder successfully authenticates themselves during the online checkout process.
This value is proof of authentication. By collecting and submitting the CAVV with the transaction, the merchant provides the issuer with verifiable evidence that the security check was completed.
| | |
| :--- | :--- |
| Schema | cavv |
| Description | A cryptographic value containing the Visa Secure authentication data generated by the issuer or cardholder during a transaction. |
| Data Format | Alphanumeric string, up to 40 characters in length. |
| Example Value | cavv:00000109260000719349 |
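
The two format tables above can be turned into a merchant-side check that runs before an authentication value is submitted with the transaction. This is an added example, not code from the original page or from Mastercard or Visa; the function name `parse_auth_value`, the network labels and the printable-ASCII character rule are assumptions.

```python
# Schema names and length limits are taken from the tables on this page.
MAX_LEN = {"ucaf": 32, "cavv": 40}
# Pairing described on the page: Mastercard uses UCAF, Visa uses CAVV.
SCHEMA_FOR_NETWORK = {"mastercard": "ucaf", "visa": "cavv"}


class AuthValueError(ValueError):
    """Raised when an authentication value must not be forwarded as-is."""


def parse_auth_value(field: str, network: str) -> tuple[str, str]:
    """Split 'schema:value' and check it against the card network.

    Returns (schema, value) or raises AuthValueError.
    """
    expected = SCHEMA_FOR_NETWORK.get(network.lower())
    if expected is None:
        raise AuthValueError(f"unsupported network: {network!r}")
    schema, sep, value = field.partition(":")
    schema = schema.lower()
    if not sep or schema not in MAX_LEN:
        raise AuthValueError("missing or unknown schema prefix")
    if schema != expected:
        # A CAVV on a Mastercard transaction (or the reverse) is not proof
        # of authentication for that card and should not be passed on.
        raise AuthValueError(f"{schema} supplied for a {network} card")
    if not value:
        raise AuthValueError("empty authentication value")
    if len(value) > MAX_LEN[schema]:
        raise AuthValueError(f"{schema} longer than {MAX_LEN[schema]} characters")
    # Assumption: printable ASCII without whitespace. The page only says
    # "alphanumeric", yet its own UCAF sample contains '+'.
    if not value.isascii() or not value.isprintable() or " " in value:
        raise AuthValueError("unexpected characters in value")
    return schema, value


if __name__ == "__main__":
    # The CAVV sample from the table above, checked against a Visa card.
    print(parse_auth_value("cavv:00000109260000719349", "visa"))
```

Rejecting a malformed or mismatched value at this point keeps a transaction from being submitted as authenticated when the accompanying proof would not be accepted by the issuer.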
Why UCAF and CAVV Matter
For merchants, successfully passing UCAF or CAVV data is more than just a technical requirement; it's a crucial part of fraud prevention with a major benefit: liability shift.
When a transaction is authenticated with 3-D Secure and the corresponding UCAF or CAVV is correctly passed, liability for certain types of fraud-related chargebacks (such as those claiming an unauthorized transaction) can shift from the merchant to the card-issuing bank.
In essence, these values provide the digital paper trail that protects merchants and validates the legitimacy of a transaction, fostering a more secure and trustworthy environment for everyone in the e-commerce ecosystem.