PT-2021-06: Lack of integrity checks of the MCC field

Visa Tokenisation Service (VTS), MasterCard Tokenisation Service (MDES)

Severity:

Severity level: Medium
Access Vector: Remote

CVSS v3.0
Base Score: 4.9
Vector: (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Vulnerability description:

EMV, the standard on which mobile wallets are built, does not require several fields that matter for risk management to be included in the cryptogram input. The Merchant Category Code (MCC) is one of them: because it is not covered by the cryptogram, it can be altered in the authorisation message without invalidating the transaction, so payment restrictions that depend on it can be bypassed.
In addition, mobile wallets should send information about the type of cardholder verification that was performed: whether the transaction was made on a locked phone, or whether the cardholder unlocked the phone by presenting a fingerprint or PIN. With the Amount, the MCC and this verification result available and covered by the cryptogram, the tokenisation service could reliably decide whether to reject or approve a transaction.
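The following is an added illustration of the issue described above; it is not code from the advisory, from VTS or from MDES. It models the cryptogram as a truncated HMAC-SHA256 over the fields a typical EMV profile feeds into the ARQC (real EMV uses a 3DES CBC-MAC; only the set of covered fields matters here), and then compares it with a hypothetical hardened profile that also covers the MCC and a wallet-reported CVM result. The session key, the sample transaction, the CVM result encoding, the blocked-MCC list and the no-CVM amount limit are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample session key. A real EMV/tokenisation session key is
# derived per transaction from the card or token master key; its origin does
# not matter for this demonstration, only which fields the MAC covers.
SESSION_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")

# Fields a typical Visa/MasterCard profile feeds into the Application
# Cryptogram (ARQC), with their EMV tags. Note that the Merchant Category
# Code (9F15) and the cardholder-verification result are NOT among them.
EMV_FIELDS = (
    "amount_authorised",          # 9F02
    "amount_other",               # 9F03
    "terminal_country_code",      # 9F1A
    "tvr",                        # 95
    "transaction_currency_code",  # 5F2A
    "transaction_date",           # 9A
    "transaction_type",           # 9C
    "unpredictable_number",       # 9F37
    "aip",                        # 82
    "atc",                        # 9F36
)

# Hypothetical hardened profile (an assumption of this example, not a vendor
# change): the same fields plus the MCC and the wallet's CVM result.
HARDENED_FIELDS = EMV_FIELDS + ("mcc", "cvm_result")

# Constructed token-level policy enforced by the tokenisation service.
BLOCKED_MCCS = {"7995", "6011"}  # gambling, ATM cash disbursement
NO_CVM_LIMIT = 4500              # 45.00 in minor units without cardholder verification

# Constructed sample transaction; all values are hex strings as they would be
# carried in the authorisation message.
SAMPLE_TX = {
    "amount_authorised": "000000010000",  # 100.00
    "amount_other": "000000000000",
    "terminal_country_code": "0826",
    "tvr": "0000000000",
    "transaction_currency_code": "0826",
    "transaction_date": "211015",
    "transaction_type": "00",
    "unpredictable_number": "1a2b3c4d",
    "aip": "1c00",
    "atc": "0012",
    "mcc": "5411",       # grocery store
    "cvm_result": "01",  # constructed encoding: 00 = locked phone, 01 = PIN/biometric on device
}


def cryptogram(tx, fields=EMV_FIELDS, key=SESSION_KEY):
    """Simplified cryptogram: HMAC-SHA256 over the listed fields, truncated to
    the 8 bytes of a real ARQC. Only the set of covered fields matters for
    the integrity argument."""
    data = b"".join(bytes.fromhex(tx[f]) for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def verify(tx, presented, fields=EMV_FIELDS):
    """Recompute the cryptogram over the fields as received and compare."""
    return hmac.compare_digest(cryptogram(tx, fields), presented)


def risk_decision(tx, presented, fields=EMV_FIELDS):
    """Issuer/tokenisation-service side: check the cryptogram, then apply the
    MCC and CVM restrictions to the fields as received."""
    if not verify(tx, presented, fields):
        return "DECLINE: cryptogram mismatch"
    if tx["mcc"] in BLOCKED_MCCS:
        return "DECLINE: MCC restricted"
    amount = int(tx["amount_authorised"])  # 12-digit numeric, minor units
    if tx["cvm_result"] == "00" and amount > NO_CVM_LIMIT:
        return "DECLINE: amount exceeds no-CVM limit"
    return "APPROVE"


def tamper(tx, **changes):
    """Simulate a merchant/acquirer relay rewriting fields after the wallet
    has produced the cryptogram."""
    forged = dict(tx)
    forged.update(changes)
    return forged


def demonstrate():
    """Honest transaction: gambling merchant, phone locked, 100.00.
    Forged copy: same cryptogram, but MCC and CVM rewritten to look benign."""
    honest = dict(SAMPLE_TX, mcc="7995", cvm_result="00")
    results = {}
    for name, fields in (("emv", EMV_FIELDS), ("hardened", HARDENED_FIELDS)):
        arqc = cryptogram(honest, fields)
        forged = tamper(honest, mcc="5411", cvm_result="01")
        results[name] = {
            "honest": risk_decision(honest, arqc, fields),
            "forged": risk_decision(forged, arqc, fields),
        }
    return results


if __name__ == "__main__":
    for profile, outcome in demonstrate().items():
        print(profile, outcome)
```

Under the EMV field set the forged message verifies and is approved, because neither the MCC nor the CVM result is under the cryptogram; under the hardened set the same rewrite produces a cryptogram mismatch. The check a practitioner wants is simply whether every field the risk engine acts on is also an input to the integrity check.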

Advisory status:

October 2021 - Vendor notification date

Credits:

Timur Yunusov

Threatscape