PT-2021-06: Lack of integrity checks of the MCC field
Visa Tokenisation Service (VTS), MasterCard Tokenisation Service (MDES)
Severity level: Medium
Lack of integrity checks of the MCC field
Access Vector: Remote
Base Score: 4.9
EMV, the predecessor of mobile-wallet payments, does not require that some mandatory fields (the MCC among them) be included in the cryptogram input. These fields are crucial for risk-management steps, and tampering with them can bypass payment restrictions.
Alternatively, mobile wallets should send information about the type of cardholder verification performed (whether the transaction was made on a locked phone, or a fingerprint or PIN was presented and the cardholder unlocked the phone). Together with the Amount and MCC, this would allow the tokenisation service to decide appropriately whether to approve or reject a transaction.
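To make the integrity point concrete, the following is an added example, not code from the advisory or from the VTS/MDES implementations: it models a cryptogram that covers only baseline transaction fields beside one that also covers the MCC and the cardholder-verification result, and checks which field changes each one detects. An HMAC stands in for the EMV application cryptogram, and the key, field names and sample values are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed key for this demonstration only; a real wallet derives per-session keys.
TOKEN_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Fields that the cryptogram always covers in this simplified model.
BASELINE_FIELDS = ("amount", "atc", "unpredictable_number")

# Fields the advisory says the risk decision also needs: the MCC and the
# cardholder-verification outcome (locked phone vs. PIN/fingerprint unlock).
RISK_FIELDS = ("mcc", "cvm_result")


def cryptogram_input(txn, protected_fields):
    """Serialise exactly the fields that the cryptogram will cover."""
    return "|".join(f"{name}={txn[name]}" for name in protected_fields).encode()


def compute_cryptogram(txn, protected_fields):
    """HMAC-SHA256 truncated to 8 bytes, standing in for the EMV application
    cryptogram (a block-cipher MAC). What matters here is which fields the MAC
    covers, not the MAC algorithm itself."""
    mac = hmac.new(TOKEN_KEY, cryptogram_input(txn, protected_fields), hashlib.sha256)
    return mac.digest()[:8]


def verify_cryptogram(txn, cryptogram, protected_fields):
    """Constant-time comparison of the received cryptogram with a recomputed one."""
    return hmac.compare_digest(compute_cryptogram(txn, protected_fields), cryptogram)


def detects_tampering(txn, field, new_value, protected_fields):
    """Simulate one field being altered between the wallet and the token service
    and report whether verification notices. True means the change is caught."""
    cryptogram = compute_cryptogram(txn, protected_fields)
    altered = dict(txn, **{field: new_value})
    return not verify_cryptogram(altered, cryptogram, protected_fields)


# Constructed sample transaction; the values are illustrative only.
SAMPLE_TXN = {
    "amount": "000000001000",
    "atc": "0042",
    "unpredictable_number": "1A2B3C4D",
    "mcc": "5411",
    "cvm_result": "NO_CDCVM",
}

if __name__ == "__main__":
    hardened = BASELINE_FIELDS + RISK_FIELDS
    print("MCC change caught, baseline fields:", detects_tampering(SAMPLE_TXN, "mcc", "5999", BASELINE_FIELDS))
    print("MCC change caught, MCC included:   ", detects_tampering(SAMPLE_TXN, "mcc", "5999", hardened))
```

The first print shows False and the second True: an MCC that is not part of the cryptogram input can be altered without invalidating the cryptogram, so the tokenisation service has no integrity basis for an MCC-based risk decision.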
October 2021: vendor notification date