Solidgate logo in black and white.

Mastercard SecureCode

What is Mastercard SecureCode?

Mastercard SecureCode is Mastercard's implementation of the (3DS) protocol, an authentication layer that asks the to confirm their identity before an online card payment is approved. It adds a verification step to card-not-present transactions, usually a one-time code sent to the cardholder's registered phone.
SecureCode was the brand name for Mastercard's original 3DS version 1 program, the direct counterpart to Visa's . Both the merchant and the cardholder enroll in the service at no cost. Mastercard has since moved most traffic to Mastercard Identity Check, built on the newer EMV 3DS standard, but "SecureCode" is still widely used to describe Mastercard's 3DS authentication. Once a transaction is authenticated, liability for eligible fraud-related disputes shifts from the merchant to the .

Key facts

  • Also known as: Mastercard Identity Check, the current EMV 3DS program that succeeded SecureCode
  • Based on: the protocol
  • Authentication method: a one-time code, typically sent by SMS, with or in-app approval under newer flows
  • Applies to: card-not-present (online) Mastercard transactions
  • Regulatory role: in the EEA, 3DS authentication helps satisfy Strong Customer Authentication (SCA) requirements
  • Main benefit: for fraud chargebacks on authenticated payments

How Mastercard SecureCode works

  1. Enrollment – the issuer registers the cardholder's Mastercard in the program, and the merchant's payment gateway is configured to support 3DS authentication.
  2. Checkout trigger – the cardholder enters their Mastercard details at checkout, and the gateway initiates the SecureCode check.
  3. Challenge – the issuer sends a one-time code to the cardholder's phone by SMS, or prompts approval inside the banking app.
  4. Verification – the cardholder submits the code, and the issuer confirms it matches.
  5. Authorization – once verified, the payment continues to , and liability for fraud-related moves to the issuer.

Why it matters

SecureCode targets the most common card-not-present pattern: someone who has stolen a card number but doesn't hold the cardholder's phone or banking app. Requiring a code tied to the cardholder's device blocks those attempts before authorization.
Issuers also treat an authenticated transaction as lower risk because the cardholder has proven their identity at checkout, which reduces security-related declines on genuine orders.
It changes who pays when fraud still slips through. On an authenticated SecureCode transaction, the makes the issuer, not the merchant, responsible for fraud-related chargebacks. That removes both the disputed amount and the chargeback fee from the merchant's books for those cases.

Common issues

  • Checkout friction. The extra step can cause cart abandonment, particularly with legacy 3DS1 flows that redirected buyers to a separate authentication page.
  • Partial coverage. Under legacy SecureCode, only enrolled cards are challenged, so it doesn't protect every Mastercard transaction.
  • Protocol migration. Mastercard has phased out the original 3DS1 SecureCode flows in favor of EMV 3DS, so current integrations run on Mastercard Identity Check, which uses risk-based authentication to challenge only the riskier payments.

Related terms