Token Authentication Service (TAS) is a security feature provided by Mastercard for Click to Pay transactions. TAS generates a cryptogram that authenticates the payment token during checkout, providing an additional layer of security similar to EMV chip transactions for online payments.
TAS is only available for Mastercard and Visa transactions. Other card networks supported by Click to Pay (American Express and Discover) do not currently support this feature.
How TAS works
When TAS is enabled, a cryptogram is generated during the checkout process. This cryptogram is a unique, one-time code that validates the authenticity of the payment token being used. The cryptogram is sent along with the transaction to the card issuer for verification. This process happens seamlessly in the background without requiring any additional action from the customer.
The cryptogram provides strong authentication that the payment token is being used by the authorized card holder, reducing the risk of fraud.
On supported devices, TAS leverages passkeys (biometric authentication such as fingerprint or face recognition) to further streamline the authentication process while maintaining high security standards. When a customer authenticates with a passkey, the transaction is no longer treated as a 3-D Secure flow. The merchant no longer sees 3DS data on the transaction. Instead, it is processed as a network token transaction with a cryptogram and an Electronic Commerce Indicator (ECI) that reflects the authentication outcome.
Benefits
- Enhanced Security: Adds cryptographic authentication to token-based transactions, significantly reducing fraud risk.
- Higher Authorization Rates: Issuers can approve transactions with greater confidence, leading to fewer declined payments.
- Replaces 3-D Secure: Provides strong authentication that can replace traditional 3-D Secure (3DS) flows, eliminating redirect steps and improving conversion rates.
- Seamless Experience: Works transparently without adding friction to the customer checkout flow.
- EMV-Level Security: Brings chip card security standards to online and mobile transactions.
Prerequisites
TAS requires 3-D Secure to be configured at the merchant account level, not at the connection level. This is because TAS authentication occurs before transaction routing, at a point where the payment service connection has not yet been determined. To set up 3DS at the merchant account level, follow the instructions in the 3-D Secure setup guide. Make sure to configure a scheme profile for each card scheme you want to support with Click to Pay.
Merchant account-level 3DS configuration is currently in beta. Please contact the support team to enable this feature for your account.
Implementation
The platform makes it simple to enable Token Authentication Service when using Secure Fields for Click to Pay. To activate TAS, add the authenticate.checkout property to your Secure Fields configuration and set it to true.
When enabled, TAS automatically generates the cryptogram for each Click to Pay transaction, providing enhanced security without any additional integration effort.
Common issues
3DS overlay pops up but automatically closes
This occurs when the 3DS acquirer configuration does not match the required values. Check the 3DS acquirer configuration and verify that the acquirer details for each card scheme are configured exactly as per the Mastercard Unified Checkout Solutions SDK reference, listed below.
Mastercard
| Parameter | Value |
|---|---|
| Acquirer BIN | 545301 |
| Acquirer Merchant ID | SRC3DS |
Visa
| Parameter | Value |
|---|---|
| Acquirer BIN | 432104 |
| Acquirer Merchant ID | 33334444 |
No 3DS prompt when you expect a challenge flow
On supported devices, authentication can complete with a passkey and no 3DS prompt appears. If you expect a challenge-based 3DS flow and no prompt appears, work through the following checks.
1. Check which features are enabled
In the browser developer tools, open the Network tab and find the request to click-to-pay.html. Copy the Request URL and URL-decode it twice. The decoded payload should include an authenticate block reflecting the features you have enabled. authenticate.checkout controls TAS and authenticate.consumer controls CAM. If either value is missing or set to false, the feature is not enabled.
2. Check the dynamicDataType field
In the same decoded payload, ensure that the dynamicDataType field is either omitted or set to CARD_APPLICATION_CRYPTOGRAM_SHORT_FORM. This configuration requests a dynamic network token, which TAS requires.
3. Verify acquirer_data is present in the acquirer response
In the Network tab, locate the acquirer request. The response must have values for acquirer_data. If there is no acquirer data, it is likely due to the checkout session initiation. Ensure the checkout session setup was created with the correct data fields.
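Checks 1 and 2 above can be scripted against the copied Request URL. The JavaScript below is an added example, not code from this documentation or from Mastercard. It assumes the decoded payload is JSON embedded somewhere in the URL, and the sample URL (host, config parameter name, CONSTRUCTED_OTHER_VALUE) is constructed for illustration.

```javascript
// Added diagnostic example. Assumption: the payload is JSON somewhere in the URL,
// so the whole decoded string is scanned rather than one named parameter.
const SHORT_FORM = "CARD_APPLICATION_CRYPTOGRAM_SHORT_FORM";

// Return every JSON object embedded in `text`, nested ones included.
function extractJsonObjects(text) {
  const found = [];
  for (let start = text.indexOf("{"); start !== -1; start = text.indexOf("{", start + 1)) {
    let depth = 0, inString = false, escaped = false;
    for (let i = start; i < text.length; i++) {
      const ch = text[i];
      if (inString) {
        if (escaped) escaped = false;
        else if (ch === "\\") escaped = true;
        else if (ch === '"') inString = false;
      } else if (ch === '"') inString = true;
      else if (ch === "{") depth++;
      else if (ch === "}" && --depth === 0) {
        try { found.push(JSON.parse(text.slice(start, i + 1))); } catch { /* not JSON */ }
        break;
      }
    }
  }
  return found;
}

// URL-decode the copied Request URL twice, then evaluate checks 1 and 2.
function checkTasPayload(requestUrl) {
  let decoded = requestUrl;
  for (let pass = 0; pass < 2; pass++) {
    // A literal "%" left after the first pass makes the second throw; keep the last good result.
    try { decoded = decodeURIComponent(decoded); } catch { break; }
  }
  const objects = extractJsonObjects(decoded);
  const holder = objects.find((o) => "authenticate" in o);
  const auth = (holder && holder.authenticate) || {};
  const typed = objects.find((o) => "dynamicDataType" in o);
  return {
    found: Boolean(holder),
    tas: auth.checkout === true, // authenticate.checkout
    cam: auth.consumer === true, // authenticate.consumer
    dynamicDataTypeOk: !typed || typed.dynamicDataType === SHORT_FORM, // omitted is fine
  };
}

// Constructed sample: host, "config" parameter name and the wrong value are made up.
const sampleConfig = { authenticate: { checkout: true, consumer: false }, dynamicDataType: "CONSTRUCTED_OTHER_VALUE" };
const sampleUrl = "https://example.invalid/click-to-pay.html?config=" +
  encodeURIComponent(encodeURIComponent(JSON.stringify(sampleConfig)));
console.log(checkTasPayload(sampleUrl));
```

A result with found set to false means no authenticate block was located after decoding, so the tas and cam values say nothing about the configuration in that case.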