Mastercard EFM Program: 3-D Secure Requirements
Checkout Security Isn’t Just Nice to Have. It’s a MUST-Have
3-D Secure is Required for EFM Merchants
Once you’re in Mastercard’s Excessive Fraud Merchant (EFM) program, certain security protocols are no longer optional. Instead, they become mandatory.
If you’re enrolled in the card network’s EFM Program, you’ll be required to implement 3-D Secure (3DS), a powerful tool for authenticating cardholders at checkout. In this chapter, I’m gonna give you a rundown of 3DS, along with Mastercard’s compliance requirements within the context of the Mastercard fraud monitoring program.
3DS Utilization Thresholds for the Mastercard EFM Program
Unlike the EU, where the Revised Payment Services Directive (PSD2) makes strong customer authentication (SCA) a legal requirement, countries like the United States and Canada don’t have SCA standards required by law. But, even though 3DS authentication at checkout is voluntary there, it’s still a good idea.
Mastercard imposes different compliance thresholds for EU and non-EU merchants. In the EU, merchants are in violation of network rules when fewer than 50% of transactions are authenticated using 3DS. In non-regulated regions like the US and Canada, Mastercard is much more lax; merchants are only considered non-compliant if fewer than 10% of transactions are authenticated using 3DS.
This is good news. It means you can be proactive here; EU merchants who are fully compliant with regional 3DS regulations — and US/Canadian merchants who voluntarily protect transactions using 3DS — face essentially no risk of enrollment in Mastercard’s EFM.
3D Secure Requirements by Region
Remember, though: Mastercard’s 3DS compliance thresholds only apply to EMV-protected transactions (either chip-and-signature or chip-and-PIN), and to data-only transactions.