Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
Mastercard is a global payment network that processes credit and debit card transactions. When embedded as a checkout option on an e-commerce site, it triggers a 3D Secure 2 authentication flow (Mastercard Identity Check) that may set cookies on Mastercard domains and forward device, IP and behavioural signals to the United States. As a payment processor, the core flow falls under contractual necessity, but consent rules apply to any analytics or marketing layer placed alongside it.
Mastercard appears on European e-commerce sites in two distinct shapes. The first is the Mastercard JavaScript SDK that some payment service providers (Adyen, Stripe, Worldpay) load inside the checkout page to tokenise card numbers client-side. The second is the redirect to idcheck.mastercard.com that performs 3D Secure 2 strong customer authentication. Both flows process personal data and may set cookies, so they need to be mapped before any DPIA or privacy notice can be considered complete.
During Mastercard Identity Check, the cardholder browser receives Akamai cookies (AKA_A2, bm_sz, _abck) used for bot detection, Adobe Analytics cookies (s_cc, s_sq, AMCV_*) used to measure Mastercard pages, and an IDS cookie that remembers a frictionless authentication outcome. The Mastercard 3DS server also collects the device fingerprint (browser version, language, screen size, time zone), the user agent and the public IP address of the cardholder, plus the merchant identifier and transaction amount. Cardholder names and PANs are pseudonymised through the Mastercard token vault but are still personal data under the GDPR.
For the payment itself, the lawful basis is Article 6(1)(b) GDPR (contract performance) reinforced by Article 6(1)(c) for the PSD2 obligation of strong customer authentication. For fraud scoring, Mastercard and the merchant rely on Article 6(1)(f) GDPR (legitimate interest). The Akamai bot-detection cookies and the IDS cookie set on idcheck.mastercard.com qualify as strictly necessary under Article 5(3) of the ePrivacy Directive because they are essential to deliver the authentication service explicitly requested by the user, so no banner is required for them. The Adobe Analytics cookies (s_cc, s_sq, AMCV_*) set on the same domain are not strictly necessary, but they are placed by Mastercard on pages Mastercard operates and cannot be controlled from your banner; disclose them in your cookie policy and point to Mastercard's own privacy notice. Any additional analytics layer placed by the merchant on its own checkout page does require consent.
Mastercard International Inc. is established in Purchase, New York. Authentication and fraud data routinely transit Mastercard data centres in the United States and may be replicated to its global processing network. The transfer relies on Standard Contractual Clauses signed with the merchant or its acquirer, supplemented by the EU-US Data Privacy Framework where Mastercard subsidiaries are certified. European supervisory authorities expect a Transfer Impact Assessment that documents US surveillance exposure (FISA 702, EO 12333) and any supplementary measures.
Map every Mastercard touchpoint (SDK, iframe, redirect) in your processing register. Reference Mastercard International Inc. as a recipient in your privacy notice and add the United States to your list of destinations. Sign the Mastercard Data Processing Addendum through your acquirer. Document the legal basis split (contract for payment, legitimate interest for fraud). Exclude Mastercard 3DS cookies from your consent banner because they are strictly necessary, but never bundle them with analytics or marketing tags loaded from the same domain.
Websites using Mastercard do not need consent for the payment and 3D Secure flow itself, but must obtain consent under the GDPR and ePrivacy rules for any analytics or marketing tags placed alongside it.
DPIA considerations
Mastercard processes cardholder data, transaction metadata, device fingerprints and behavioural signals for risk scoring during 3D Secure 2 authentication (Identity Check). Key DPIA considerations:

1. Global cross-border transfers to Mastercard International Inc. in the United States and to its processor network.
2. Device fingerprinting and IP address used as fraud signals, with possible Art. 22 GDPR implications if a transaction is automatically rejected without human review.
3. Long retention of authentication outcomes for chargeback defence (up to 13 months under PSD2) and 7 years under AML obligations.
4. Joint-controllership analysis between merchant, acquirer and Mastercard during the 3DS data exchange (EDPB Guidelines 7/2020 apply).
5. PCI DSS scope when the merchant page embeds the Mastercard JavaScript SDK directly rather than a hosted iframe.

A DPIA is recommended for any high-volume checkout or where Mastercard signals contribute to automated transaction rejection.
Sample consent text
When you pay by card, we share the transaction details and the data needed to authenticate you (3D Secure) with Mastercard International Inc. and our payment service provider. This processing is necessary to perform our contract with you and to comply with our anti-fraud obligations under PSD2. Mastercard may set cookies and process device signals on its own domain (idcheck.mastercard.com) for fraud prevention purposes. No consent is required for the payment itself, but you can refuse any optional analytics or marketing cookies in our consent banner.
Third-party domains contacted
- mastercard.com
- idcheck.mastercard.com
- securecode.mastercard.com
- src.mastercard.com
- sandbox.mastercard.com
- mastercard.us

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| AMCV_*@AdobeOrg | Functional | 2 years | Persistent cross-domain visitor identifier set during 3D Secure (Mastercard Identity Check) and used to recognise the same user across sessions and Mastercard properties. |
| AKA_A2 | Strictly necessary | 1 hour | Akamai bot detection token used to verify that the 3D Secure challenge is performed by a human and not by an automated client. |
| bm_sz | Strictly necessary | 4 hours | Akamai Bot Manager session cookie that protects the Mastercard Identity Check endpoint from credential stuffing and scripted attacks. |
| IDS | Functional | 1 year | Identity Check session identifier used by Mastercard to remember a frictionless authentication outcome and avoid challenging the same low-risk device repeatedly. |
| s_cc | Analytics | Session | Adobe Analytics cookie that tells Mastercard whether cookies are enabled in the user's browser during the authentication flow. |
| s_sq | Analytics | Session | Adobe Analytics cookie that records the last link clicked inside the Mastercard Identity Check pages. |
Mastercard sets its cookies only on its own domains during 3D Secure; disclose them in your cookie policy rather than gating them behind your consent banner.
Mastercard itself does not set first-party cookies on your domain. During 3D Secure 2 the cardholder browser is redirected to idcheck.mastercard.com which sets Akamai bot-detection cookies (AKA_A2, bm_sz, _abck), Adobe Analytics cookies (s_cc, s_sq, AMCV_*) and an IDS cookie. All of these live on Mastercard domains, not yours.
No consent is needed for the payment itself: it relies on contract performance under Article 6(1)(b) GDPR and on the PSD2 strong customer authentication obligation. The Akamai bot-detection and IDS cookies set on idcheck.mastercard.com qualify as strictly necessary under Article 5(3) of the ePrivacy Directive and are exempt from the consent banner. Consent remains mandatory for any analytics or marketing tag added on your own checkout page.
The lawful basis for the anti-fraud signals (device fingerprint, IP, behavioural patterns) is Article 6(1)(f) GDPR (legitimate interest), and Article 6(1)(c) covers the regulatory obligation to perform strong customer authentication under PSD2. Document the balancing test in your processing register and inform users in your privacy notice.
Yes, data is transferred outside the EU: Mastercard International Inc. is based in Purchase, New York and authentication data routinely flows through its US data centres. Transfers rely on Standard Contractual Clauses and, where applicable, on the EU-US Data Privacy Framework. A Transfer Impact Assessment is expected by EU supervisory authorities.
A DPIA is recommended for high-volume checkouts, for use cases where Mastercard fraud signals contribute to automated transaction rejection (Article 22 GDPR risk), or where the merchant embeds the Mastercard SDK directly rather than using a hosted iframe. Smaller deployments may rely on their acquirer's DPIA combined with their own balancing test.
Use a hosted iframe or full redirect to keep PCI DSS scope minimal. Sign the Mastercard Data Processing Addendum through your acquirer. Reference Mastercard International Inc. and the United States in your privacy notice. Keep 3DS cookies out of the consent banner but list them in your cookie policy as strictly necessary. Monitor that no extra Mastercard marketing pixel is loaded without consent.
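The touchpoint mapping and the "no stray pixel" check above can be run against a browser capture rather than by hand. The following Python script is an added example written for this page; it is not Mastercard's, the page's or any PSP's tooling. It assumes a HAR 1.2 export from the browser's network panel (entries with request.url, request.cookies and response.headers) and uses only the domains and cookie names listed on this page: it maps which Mastercard hosts were contacted, classifies the cookies those hosts set, flags requests to Mastercard hosts outside the documented 3DS and Click to Pay endpoints as candidate pixels to review, lists other third parties that need their own consent review, and checks whether any of the 3DS cookie names appear on the merchant's own domain. The hosts shop.example and analytics.example.net, the URL paths and the cookie values in SAMPLE_HAR are constructed for the demo.

```python
"""Audit a DevTools HAR capture of a checkout for Mastercard touchpoints and cookies.

Added example for this page; not Mastercard's, the page's or any PSP's tooling.
Assumes a HAR 1.2 export (request.url, request.cookies, response.headers).
The SAMPLE_HAR below is constructed: hosts, paths and cookie values are made up.
"""
from urllib.parse import urlsplit

# Mastercard-operated registrable domains named on this page.
MASTERCARD_DOMAINS = ("mastercard.com", "mastercard.us")

# Hosts this page documents as part of 3D Secure / Click to Pay. A request to
# any other Mastercard host is reported for review as a possible pixel or tag.
EXPECTED_HOSTS = {
    "idcheck.mastercard.com", "securecode.mastercard.com",
    "src.mastercard.com", "sandbox.mastercard.com",
}

# Classification taken from the cookie table on this page.
STRICTLY_NECESSARY = {"AKA_A2", "bm_sz", "_abck", "IDS"}
ANALYTICS = {"s_cc", "s_sq"}
ANALYTICS_PREFIXES = ("AMCV_",)  # AMCV_<org>@AdobeOrg, org id varies


def host_under(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_mastercard_host(host):
    return any(host_under(host, d) for d in MASTERCARD_DOMAINS)


def classify_cookie(name):
    if name in STRICTLY_NECESSARY:
        return "strictly necessary"
    if name in ANALYTICS or name.startswith(ANALYTICS_PREFIXES):
        return "analytics"
    return "unknown"


def parse_set_cookie(header_value, responding_host):
    """Return (name, effective domain). With no Domain attribute the cookie is
    host-only, so it belongs to the host that sent the response."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = responding_host.lower()
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain" and value.strip():
            domain = value.strip().lstrip(".").lower()
    return name, domain


def audit_har(har, first_party_host):
    report = {
        "mastercard_hosts": set(),                 # touchpoint register
        "unexpected_mastercard_requests": [],      # candidate pixels / extra tags
        "mastercard_cookies": [],                  # (name, domain, class)
        "other_third_party_hosts": set(),          # need their own consent review
        "first_party_cookies_with_3ds_names": [],  # on your domain = your banner
    }
    known_3ds_names = STRICTLY_NECESSARY | ANALYTICS
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if host_under(host, first_party_host):
            # Cookies the browser sent to *your* host: if a 3DS cookie name shows
            # up here it lives on your domain and the page's exemption no longer
            # applies to it.
            for c in req.get("cookies", []):
                if c["name"] in known_3ds_names or c["name"].startswith(ANALYTICS_PREFIXES):
                    report["first_party_cookies_with_3ds_names"].append(c["name"])
            continue
        if not is_mastercard_host(host):
            report["other_third_party_hosts"].add(host)
            continue
        report["mastercard_hosts"].add(host)
        if host not in EXPECTED_HOSTS:
            report["unexpected_mastercard_requests"].append(req["url"])
        for h in resp.get("headers", []):
            if h["name"].lower() == "set-cookie":
                name, domain = parse_set_cookie(h["value"], host)
                report["mastercard_cookies"].append((name, domain, classify_cookie(name)))
    return report


# Constructed HAR fragment standing in for a real export (not captured traffic).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://shop.example/checkout", "cookies": []},
     "response": {"headers": [{"name": "Set-Cookie", "value": "sid=abc; Path=/; Secure; HttpOnly"}]}},
    {"request": {"url": "https://src.mastercard.com/srci/integration/components.js", "cookies": []},
     "response": {"headers": []}},
    {"request": {"url": "https://idcheck.mastercard.com/acs/challenge", "cookies": []},
     "response": {"headers": [
         {"name": "Set-Cookie", "value": "AKA_A2=A; Path=/; Secure; HttpOnly"},
         {"name": "Set-Cookie", "value": "bm_sz=abcd; Domain=.mastercard.com; Path=/; Max-Age=14400"},
         {"name": "Set-Cookie", "value": "AMCV_1234%40AdobeOrg=-1|MCMID|5678; Domain=.mastercard.com; Path=/; Max-Age=63072000"},
         {"name": "Set-Cookie", "value": "IDS=xyz; Path=/; Secure"}]}},
    {"request": {"url": "https://www.mastercard.us/content/pixel.gif", "cookies": []},
     "response": {"headers": []}},
    {"request": {"url": "https://analytics.example.net/collect", "cookies": []},
     "response": {"headers": []}},
    {"request": {"url": "https://shop.example/thanks", "cookies": [{"name": "_abck", "value": "..."}]},
     "response": {"headers": []}},
]}}

if __name__ == "__main__":
    r = audit_har(SAMPLE_HAR, "shop.example")
    print("Mastercard hosts contacted:", sorted(r["mastercard_hosts"]))
    print("Unexpected Mastercard requests:", r["unexpected_mastercard_requests"])
    for name, domain, cls in r["mastercard_cookies"]:
        print(f"  {name:<24} {domain:<24} {cls}")
    print("Other third parties:", sorted(r["other_third_party_hosts"]))
    print("3DS cookie names on your own domain:", r["first_party_cookies_with_3ds_names"])
```

Export the HAR after a test purchase made with every optional category refused in your banner, load it with json.load and pass it in place of SAMPLE_HAR. Anything in "unexpected_mastercard_requests" or "other_third_party_hosts" is a request that fired without consent and needs a lawful basis or a fix; anything in "first_party_cookies_with_3ds_names" is a cookie on your domain that the strictly-necessary exemption discussed above does not cover.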
Several European card schemes exist: Cartes Bancaires (France), Girocard (Germany), Bancontact (Belgium), Dankort (Denmark) and the upcoming European Payments Initiative (EPI Wero) for account-to-account payments. Most of them still rely on Mastercard or Visa rails internationally, so a full replacement requires combining a local scheme with SEPA Instant for cross-border flows.
List the Mastercard Identity Check cookies in your cookie table with their domain (mastercard.com or subdomains), their lifetime and a short purpose description: the Akamai bot-detection cookies and the IDS cookie in the strictly-necessary category, and the Adobe Analytics cookies (s_cc, s_sq, AMCV_*) under analytics, noting that Mastercard sets them on its own domain during the authentication flow. Add Mastercard International Inc. to the list of recipients, mention the United States as a destination, and link to Mastercard's own Global Privacy Notice.