The Universal Cardholder Authentication Field (UCAF) is Mastercard’s cryptogram for authenticating network token transactions. Like Visa’s TAVV, UCAF is generated per authorization, tied to the MDES token, and validated by the issuer during scoring. Static tokens without fresh UCAF data generally behave like weaker card-not-present traffic in issuer systems.
Mastercard defines UCAF usage across digital commerce programs, including legacy SecureCode and modern token flows. The cryptogram must match the transaction category, one-off purchase versus recurring mandate, and align with the ECI sent in the authorization ISO fields. Mismatches trigger unnecessary declines or fraud challenges.
Many merchants first encounter UCAF through 3-D Secure programs; with MDES, UCAF also secures tokenized card-on-file charges where no cardholder step-up occurs. That makes operational discipline on cryptogram refresh as important as initial token provisioning.
Veliro retrieves UCAF from MDES at authorization time through the same cryptogram API used for Visa TAVV and Amex AEVV, selecting scheme-specific payloads from the card’s network. Unified cryptogram access lets your PSP forwarding layer stay dumb: pass token, cryptogram, and ECI; change acquirer without reworking authentication plumbing.
Mastercard recurring mandates may require distinct UCAF indicators from one-off checkout; encode transaction type in your billing jobs and verify acquirer ISO field maps anytime you add a new PSP connection.