Mastercard SecureCode is an authentication layer that verifies your identity when you make online purchases with a Mastercard. It adds a security step between entering your card details and completing the transaction, helping prevent unauthorized use of your card number. Mastercard has since rebranded the program as Mastercard Identity Check, upgrading it from simple passwords to modern verification methods like fingerprints and one-time codes.
How the Authentication Works
When you buy something online from a merchant that supports 3-D Secure (the underlying technology behind SecureCode), a few things happen behind the scenes in seconds. The merchant sends a security check request through the Mastercard network. Your card-issuing bank then evaluates the transaction and decides whether it needs additional verification from you.
That decision depends on how risky the transaction appears. Your bank looks at factors like the purchase amount, the merchant, your device, your location, and your recent spending patterns. If everything looks normal, the bank may approve the transaction without asking you to do anything extra. This is called a “frictionless flow,” and it means the checkout experience feels no different from a regular card payment.
If the bank flags the transaction as potentially risky, you’ll be asked to verify your identity. This is the “challenge flow,” and it can take several forms depending on what your bank supports:
- Biometrics: A fingerprint scan or Face ID prompt through your bank’s mobile app
- One-time password (OTP): A code sent to your phone via text or email that you enter on the checkout page
- App-based approval: A push notification from your banking app asking you to confirm the purchase
Once you complete the verification, the merchant processes the payment normally. The entire check typically adds only a few seconds to checkout when a challenge is required.
From Passwords to Biometrics
The original SecureCode system, launched in the early 2000s, relied on a static password you created when you enrolled. Every time you shopped online at a participating merchant, a pop-up window asked for that password. The system worked, but it had clear drawbacks. People forgot their passwords, the pop-up windows looked suspicious to shoppers unfamiliar with the system, and static passwords are inherently less secure than dynamic verification.
The current version, Mastercard Identity Check, runs on EMV 3-D Secure (sometimes called 3DS2), which replaced the older protocol. Instead of one fixed password for every transaction, your bank now picks the verification method based on the risk level of each individual purchase. Low-risk transactions sail through without any extra steps. Higher-risk ones trigger a biometric check or one-time code that expires after use, making stolen credentials far less useful to fraudsters.
What It Means for You as a Cardholder
You don’t need to sign up for a separate service in most cases. If your bank has enabled Mastercard Identity Check on your account, it activates automatically when you shop at merchants that support it. Your bank’s mobile app is typically the key piece. Having it installed and set up with biometric login ensures the smoothest experience if a challenge is triggered.
If you don’t have your bank’s app installed, verification usually falls back to a one-time code sent by text or email. This still works, but it requires that your bank has your current phone number or email address on file. Keeping your contact information updated with your bank avoids failed verifications that could block a legitimate purchase.
When a transaction is declined during the authentication step, it usually means the verification wasn’t completed in time or the response didn’t match. Trying again and completing the prompt typically resolves it. If your card is repeatedly blocked during online purchases, contacting your bank can help confirm your account is properly enrolled and your contact details are correct.
How It Protects Against Fraud
The core benefit is that a stolen card number alone isn’t enough to complete a purchase at a merchant using 3-D Secure. Even if someone has your 16-digit card number, expiration date, and CVV, they’d still need to pass the authentication step, which requires access to your phone, your fingerprint, or your banking app. This makes card-not-present fraud significantly harder to pull off.
There’s also a liability shift built into the system. When a merchant supports 3-D Secure and the transaction is authenticated, responsibility for fraudulent chargebacks generally moves from the merchant to the card-issuing bank. This incentivizes both merchants and banks to participate, which is why you’ll encounter the system at most major online retailers.
Where You’ll Encounter It
Not every online purchase triggers a SecureCode or Identity Check prompt. The merchant has to support 3-D Secure on their end, and your bank has to be enrolled. Large online retailers, travel booking sites, and subscription services commonly support it. Smaller merchants may not have implemented it yet.
You’re also more likely to see a verification prompt for larger purchases, first-time transactions with a new merchant, or purchases made from a device or location your bank doesn’t recognize. Routine purchases from familiar merchants on your usual device often pass through without any visible security check, even though the risk assessment is still happening in the background every time.