An issuer yellow path decision triggers the identification and verification process of the cardholder through one of the available activation methods. The activation methods for the specific cardholder are provided by the issuer in the response to the Request Activation Methods.
Token Service Providers are the primary entities that describe the supported activation methods; the set offered to consumers then depends on their requirements and on the issuer's willingness to implement particular consumer activation methods. Leaving aside the type of tenured channel used for communication between the issuer and the cardholder, the following three types of activation methods are foreseen:
- Activation Code;
- Issuer Mobile Application;
- Call center.
An Activation Code can also be referred to as a One-Time Password or passcode. It is a human-readable passcode, usually 6 digits long, that is generated and validated by the TSP. Certain TSPs also allow the issuer to generate and validate the passcode on their behalf. An Activation Code can be presented as different activation methods, based on the channel through which it is provided to the consumer. This may be an SMS text message, an e-mail or an inbound call to the cardholder.
It is the issuer's responsibility to handle delivery of the Activation Code through the option the cardholder selected when a Deliver Activation Code request is received from the Pre-Digitization API.
Mask pattern for cardholder contact details
There are no specific requirements issued by the payment network or third-party wallets on how to mask the cardholder contact data. However, we recommend the following approach:
E-mail - The first two characters of the identifier remain as is; the rest is replaced with *. The domain remains unchanged.
Phone number - Mask all digits with * except the last 4. Leave hyphens if applicable.
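The recommended mask pattern as a short Python sketch (an added example, not MeaWallet's or any TSP's code). The function names and sample values are assumptions; it also assumes one * per masked character and that separators other than hyphens, such as + or spaces, are kept as well.

```python
def mask_email(address: str) -> str:
    """Keep the first two characters of the identifier, mask the rest, keep the domain."""
    # Split on the last "@" so the domain is always the part after it.
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    # Consequence of the rule as stated: an identifier of one or two
    # characters is returned unmasked.
    return local[:2] + "*" * max(len(local) - 2, 0) + "@" + domain


def mask_phone(number: str) -> str:
    """Mask every digit except the last four; leave hyphens and other separators."""
    total_digits = sum(ch.isdigit() for ch in number)
    seen = 0
    out = []
    for ch in number:
        if ch.isdigit():
            seen += 1
            # Only the final four digits stay visible. A number with four
            # digits or fewer is therefore returned unmasked.
            out.append(ch if seen > total_digits - 4 else "*")
        else:
            out.append(ch)  # hyphen, "+", space: formatting is preserved
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample contact details, not real cardholder data.
    for value in ("john.doe@example.com", "ab@example.com"):
        print(mask_email(value))
    for value in ("+1-555-867-5309", "5558675309"):
        print(mask_phone(value))
```
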
Issuer Mobile Application
Activation by means of the issuer mobile app. Depending on the context, this activation method can also be referred to as "In-App Verification".
Activation from the issuer mobile application requires secure authentication of the cardholder in the application. The Token Service Provider may offer different options for token activation in the back end. MeaWallet recommends using the consolidated method for all available TSPs, the Customer Service API Token Activate request.
It is prohibited to offer the issuer mobile application activation method to the cardholder if the request is initiated by push provisioning.
The issuer must provide a reference to its mobile application when offering this activation option to the cardholder, with the activation method attribute type set to CARDHOLDER_TO_USE_MOBILE_APP. However, Token Service Providers take different approaches to linking it with the issuer mobile app:
- Mastercard Digital Enablement Service - Issuer mobile application is configured in the MDES Manager;
- Visa Token Service - Reference to the mobile app is returned in the response to the Request Activation Methods. This must be the Apple Adam ID for iOS and the Android Package Name for Android, respectively.
The issuer mobile application must additionally be integrated with the selected third-party wallets according to their specifications in order to support this activation method.
Call center activation is a cardholder outbound call to the call center. This is a mandatory activation method that must be supported by all issuers. However, not all third-party wallets allow it to be displayed as the default one, for a better customer experience. It may be displayed as an additional, fall-back or backup activation method. Issuer staff conducting the call with the cardholder must be trained in fraud prevention and have access to the systems that allow manual activation of the token.