Skip to main content
Customer Authentication Module (CAM) is a feature provided by Mastercard’s Click to Pay that adds an extra layer of security to transactions. It verifies the identity of the customer by analyzing device and behavioral data during the checkout process, reducing the risk of fraud. When CAM is enabled, it silently collects device and behavioral data in the background as the customer interacts with the checkout page. This data is used to create a risk profile for the transaction. Based on this profile, CAM determines whether the transaction is low-risk and can proceed without interruption, or if it requires additional verification. If a higher risk is detected, CAM may prompt the customer for a one-time password (OTP) or another form of step-up authentication to confirm their identity before the payment is completed. This process is designed to be as seamless as possible, only introducing friction when necessary.

Benefits

  • Enhanced Security: Adds a robust layer of authentication to prevent fraudulent transactions.
  • Reduced Friction: Most legitimate transactions are processed without any extra steps for the customer.
  • Increased Trust: Provides customers with greater confidence that their payments are secure.

Implementation

To enable Customer Authentication Module when using Secure Fields for Click to Pay, add the authenticate.consumer property to your Secure Fields configuration and set it to true. When enabled, CAM automatically collects and analyzes data to authenticate customers during checkout, providing enhanced security without any additional integration effort. 
<ClickToPay
  srcDpaId='{SRC_DPA_ID}'
  dpaName='{DPA_NAME}'
  dpaLocale='en_AU'
  cardBrands={['mastercard', 'visa', 'amex']}
  consentCheckbox='#click-to-pay-consent-checkbox'
  learnMoreLink="#click-to-pay-learn-more-link"
  authenticate={{
    consumer: true,
  }}
/>

Common issues

This occurs when the 3DS acquirer configuration does not match the required values. Check the 3DS acquirer configuration and verify that the acquirer details for each card scheme are configured exactly as per the Mastercard Unified Checkout Solutions SDK reference, listed below.Mastercard
ParameterValue
Acquirer BIN545301
Acquirer Merchant IDSRC3DS
Visa
ParameterValue
Acquirer BIN432104
Acquirer Merchant ID33334444
On supported devices, authentication can complete with a passkey and no 3DS prompt appears. If you expect a challenge-based 3DS flow and no prompt appears, work through the following checks.1. Check which features are enabledIn the browser developer tools, open the Network tab and find the request to click-to-pay.html. Copy the Request URL and URL-decode it twice. The decoded payload should include an authenticate block reflecting the features you have enabled:
"authenticate": {
  "checkout": true,
  "consumer": true
}
authenticate.checkout controls TAS and authenticate.consumer controls CAM. If either value is missing or set to false, the feature is not enabled.2. Check the dynamicDataType fieldIn the same decoded payload, ensure that the dynamicDataType field is either omitted or set to CARD_APPLICATION_CRYPTOGRAM_SHORT_FORM. This configuration requests a dynamic network token, which TAS requires.3. Verify acquirer_data is present in the acquirer responseIn the Network tab, locate the acquirer request. The response must have values for acquirer_data. If there is no acquirer data, it is likely due to the checkout session initiation. Ensure the checkout session setup was created with the correct data fields.