codeUCAF is a Create Transaction API response field that includes both Visa and Mastercard network authentication responses.

When including a cryptogram for Visa and Mastercard in a 3DS, Apple Pay, or Google Pay Create Transaction API to be sent to the network, the issuer will verify the cryptogram and confirm the cardholder was authenticated or not.

Use Cases

Risk Decisioning: Use the indicator to understand whether a transaction was downgraded and therefore not fully protected under Identity Check.
Transaction Fraud Review: Flag downgraded transactions for closer review or additional risk checks, since they lack strong cardholder authentication.
3DS Performance Improvement: Monitor downgrade rates to identify integration issues (e.g., UCAF not being passed correctly) and improve 3DS setup over time.
Apple Pay / Google Pay tokenized transactions: Confirm issuer cryptogram validation and reduce false declines.
Higher-risk or out-of-pattern transactions: Use CAVV/AAV as an additional authentication when normal transaction behavior deviates (new device, flagged location, unusually large purchase).

Both Visa and Mastercard have different cryptograms with different results code values.

If the Cardholder Authentication Verification Value (CAVV) cryptogram is present in a Visa 3DS, Apple Pay, or Google Pay Create Transaction API request, then the CAVV is included in the authorization message sent to the card network.

The issuer then verifies the CAVV to confirm the cardholder was authenticated or not when verifying the cryptogram value.

When available from the card networks in the Authorization Response, TabaPay will relay the CAVV Results Code in the API response in the codeUCAF field. See the response or learn more about response field descriptions.

Network Workflow (Simplified)

The following diagram is a simplified network workflow of CAVV/AVV and the codeUCAF response field.

Customer submits the payment request
You send a Create Transaction API request with the Visa/Mastercard cryptogram.
TabaPay sends transaction info with cryptogram to the network/issuer.
Issuer returns with AAV, or CAVV authentication results.
TabaPay returns the Create Transaction API response with codeUCAF with the network results code.
You display the relevant confirmation to the customer.

How codeUCAF Works

The field codeUCAF contains both Visa and Mastercard values.

Create Transaction Response

{
  "SC": 200,
  "EC": "0",
  "transactionID": "TabaPay_TransactionID_",
  "network": "Visa",
  "networkID": "123454646545645",
  "networkRC": "00",
  "status": "COMPLETED",
  "approvalCode": "000000",
  "additional": {
    "codeUCAF":"2",   <--------- codeUCAF - Visa CAVV Response Code
    "codeECI": "05",  
    "par": "V0010056422073825495104907179"
  }
}

{
  "SC": 200,
  "EC": "0",
  "transactionID": "TabaPay_TransactionID_",
  "network": "Visa",
  "networkID": "123454646545645",
  "networkRC": "00",
  "status": "COMPLETED",
  "approvalCode": "000000",
  "additional": {
    "codeUCAF":"7",      <--------- codeUCAF - Visa CAVV Response Code
    "codeECI": "06",
    "par": "V0010056422073825495104907179"
  }
}

{
  "SC": 200,
  "EC": "0",
  "transactionID": "TabaPay_TransactionID_",
  "network": "MasterCard",
  "networkID": "123454646545645",
  "networkRC": "00",
  "status": "COMPLETED",
  "approvalCode": "000000",
  "additional": {
    "codeUCAF": "2",  <---------Universal Cardholder Authentication Field (UCAF)
    "par": "5001005642207382549510767179"
  }
}

{
  "SC": 200,
  "EC": "0",
  "transactionID": "TabaPay_TransactionID_",
  "network": "MasterCard",
  "networkID": "123454646545645",
  "networkRC": "00",
  "status": "COMPLETED",
  "approvalCode": "000000",
  "additional": {
    "par": "5001005642207382549510767179"
  }
}

Note: If the presence of codeUCAF is absent for Mastercard, the authentication did not have an issue.

Visa CAVV Response Codes

CAVV results/values appearing in the Create Transaction API response, are found in the codeUCAF field.

The results not only indicate a failed authentication, but also a successful indication, and can help merchants fine tune their risk decisioning upstream for future transactions.

CAVV Results Code	Description	What does this mean
Blank	CAVV not present in authorization message OR CAVV not verified, issuer has not selected CAVV verification option	No liability shift; merchant not protected from chargebacks
0	CAVV could not be verified OR CAVV data was not provided when expected	No liability shift; merchant not protected from chargebacks
1	CAVV failed verification – cardholder authentication	(Usually an indication of potential bad or fraudulent CAVV data in the authorization message; CAVV was created by the Issuer’s ACS) Liability for this transaction should remain with the Issuer for fraud chargebacks.
2	CAVV passed verification – cardholder authentication	Fully authenticated transaction. Liability shift may apply.
3	CAVV passed verification – attempted authentication	Attempted authentication; Liability shift may apply.
4	CAVV failed verification – attempted authentication	Attempted authentication; Liability shift may apply.
6	CAVV not verified, issuer not participating in CAVV verification	Attempted authentication; Liability shift may apply. .
7	CAVV failed verification – attempted authentication	Attempted authentication; Liability shift may apply.
8	CAVV passed verification – attempted authentication	Attempted authentication; Liability shift may apply.
9	CAVV failed verification – attempted authentication	Attempted authentication; Liability shift may apply.
A	CAVV passed verification – attempted authentication	Attempted authentication; Liability shift may apply.
B	CAVV passed verification – no liability shift	No liability shift; merchant not protected from fraud chargebacks.
C	CAVV was not verified (Attempted Authentication)	Liability shift may apply.
D	CAVV was not verified (Cardholder Authentication)	Liability shift may apply.

CAVV Verification Fails

CAVV verification can fail for one of the following reasons

Scenario	Details
Transaction May Be Fraudulent	A fraud perpetrator may be trying to submit an authorization transaction with a “made up” CAVV in an attempt to obtain an authorization. Due to the potential for fraud, issuers are most likely to decline the transaction when CAVV verification fails. This results data, therefore, enhances our client's risk decisioning process.
Processing Error (Rare)	When CAVV data is corrupted
Issuer system issues	Unexpected issues at the issuer that prevents them from reading the CAVV cryptogram

Mastercard UCAF Response Codes

AAV results/values appearing in the Create Transaction API Mastercard response, are found in the codeUCAF field.

The results for Mastercard only indicate a downgrade in the transaction, and will be absent if the authentication is successful.

Value	Description
0	Missing Universal Cardholder Authentication Field (UCAF)
1	Invalid Universal Cardholder Authentication Field (UCAF)
2	Invalid Security Level Indicator (SLI). If you receive this code, please let TabaPay know via [email protected]

AAV Verification Failure Steps

Interpret the Indicator Map the values (0, 1, 2) to understand whether the transaction was downgraded.
Transaction Decisioning: Decide whether to accept, review, or decline downgraded transactions based on your risk appetite.
Feedback Loop: Use the UCAF and downgrade data to fine-tune your upstream 3DS authentication flows and minimize downgrade frequency.