Masterpass Service Provider Onboarding and Integration Guide Merchant by Merchant Model U.S. Version 6.18

Masterpass Service Provider Onboarding and Integration Guide Merchant by Merchant Model U.S. Version 6.18 30 September 2016 SPMM

Summary of Changes, 30 September 2016 Summary of Changes, 30 September 2016 This document reflects changes made since the previous publication. To locate these changes online, click the hyperlinks in the following table. Change Date Description of Change Where to Look 30 September 2016 Updated the URL of the Masterpass Merchant Portal: Former URL: https:// masterpass.com/sp/merchant/ Home New URL: https:// masterpass.com/hub/ 30 September 2016 Updated the "Standard Full-Screen Display" section to indicate that Masterpass now includes language in the header of the full-screen display to indicate what the user can expect when selecting the close (X) button. 30 September 2016 Revised the following sections to account for the movement of all credential-management functions registration, login, profile management, user invitations to the replatformed Masterpass Merchant Portal: Service Provider Registration and Setup Service Provider Activity Add Developer to Service Provider Profile Service Provider Activity Make Available as Third Party Platform Provider Service Provider Activity Merchant Registration and Setup Merchant Activity Review Key Request and Approve/Reject Merchant Activity Throughout document Standard Full-Screen Display Service Provider Registration and Setup Service Provider Activity Add Developer to Service Provider Profile Service Provider Activity Make Available as Third Party Platform Provider Service Provider Activity Merchant Registration and Setup Merchant Activity Review Key Request and Approve/Reject Merchant Activity U.S. Version 6.18 30 September 2016 2

Summary of Changes, 30 September 2016 Change Date Description of Change Where to Look 30 September 2016 Updated the "Parameters for Invoking Masterpass Checkout" table in the "Lightbox Integration" section to indicate that both the successcallback and failurecallback parameters are required. 30 September 2016 Added a note to the "Standard Checkout Callback" section indicating the importance of providing both the successcallback and failurecallback parameters. 14 September 2016 Updated graphics and screenshots of Masterpass user experiences to reflect the new Masterpass brand identity. 10 August 2016 Replaced all references to the Mastercard Developer Zone with Mastercard Developers to reflect the renaming of the site that provides services to developers seeking to add Mastercard capabilities to their own application(s); Mastercard replatformed the site on 10 August 2016. 10 August 2016 Revised the following sections to account for the replatform of the site formerly known as Mastercard Developer Zone: Create a Mastercard Developers Account Generate Mastercard Developers API Key Renew a Mastercard Developers API Key 29 July 2016 Added a note to the Displaying the Masterpass Checkout Button and Acceptance Marks and Masterpass Learn More Page sections stating that Masterpass has redesigned many digital assets with the July 2016 Release. Lightbox Integration Standard Checkout Callback Throughout document Throughout document Create a Mastercard Developers Account Generate Mastercard Developers API Key Renew a Mastercard Developers API Key Displaying the Masterpass Checkout Button and Acceptance Marks Masterpass Learn More Page U.S. Version 6.18 30 September 2016 3

Summary of Changes, 30 September 2016 Change Date Description of Change Where to Look 29 July 2016 Revised the Renew Your Mastercard Developers Key section to: Indicate that the Mastercard Developers portal no longer supports the creation or renewal of keys using certificate signing request (CSR) files generated with MD5 digest. Provide troubleshooting instructions for users who receive an error message when they try to upload a CSR file. Renew a Mastercard Developers API Key 24 June 2016 Updated the Lightbox dimensions provided in the Standard Lightbox Display (desktop and laptop) section. Standard Lightbox Display (desktop and laptop) 24 June 2016 Made the following updates to the Standard Mobile Display (.mobi) section: Updated height of the header and footer of the mobile experience. Inserted language indicating that there will be a landscape view for mobile. Standard Mobile Display (.mobi) 24 June 2016 Updated the Standard Full-Screen Display section to indicate that the full-screen view will always be used for Account Management (noncheckout) flows. Standard Full-Screen Display 24 June 2016 Updated the Sample Integration subsection of the Android and ios App Integration section to indicate that upon the user s clicking of Masterpass Checkout, the merchant application must redirect the user to a mobile browser that launches the Masterpass experience, and that Masterpass does not support webview for in-app implementation. Android and ios App Integration U.S. Version 6.18 30 September 2016 4

Summary of Changes, 30 September 2016 Change Date Description of Change Where to Look 24 June 2016 Updated the Masterpass Sandbox Testing section to indicate that Masterpass has eliminated the following pre-set Masterpass wallet accounts from use in the sandbox environment: joe.test@email.com joe.test3@email.com 3ds.masterpass +securecode@gmail.com 3ds.masterpass +verifiedbyvisa@gmail.com Masterpass Sandbox Testing 24 June 2016 Added two new procedures that U.S. merchants and service providers must follow to conduct testing in the sandbox environment. Sign up for a Test Masterpass Wallet Account during Checkout and Test the Unrecognized Experience Sign in to a Test Masterpass Wallet Account during Checkout and Test the Recognized Experience Sign up for a Test Masterpass Wallet Account during Checkout and Test the Unrecognized Experience Sign in to a Test Masterpass Wallet Account during Checkout and Test the Recognized Experience 24 June 2016 Replaced the test cases for both Mastercard SecureCode and Verified by Visa in the 3-D Secure Test Cases section. 24 June 2016 Added the following bullet to the Checklist for Masterpass Asset Placement : Verify that the Masterpass checkout button is used appropriately on the checkout page to initiate the Masterpass experience. 3-D Secure Test Cases Checklist for Masterpass Asset Placement U.S. Version 6.18 30 September 2016 5

Summary of Changes, 30 September 2016 Change Date Description of Change Where to Look 24 June 2016 Updated the following bullet in the In-Wallet Experience checklist to account for the required enablement of 3-D Secure for the Masterpass wallet: Merchants requesting liability shift for Masterpass transactions should use Advanced Checkout/3-D Secure within Masterpass. Merchants must enable 3-D Secure such that it is invoked within the Masterpass wallet. 24 June 2016 Added the following bullet to the Post-Wallet Experience checklist: Verify that any information provided by a consumer s Masterpass wallet (for example, payment, shipping, profile information, and so on) is used only for that transaction and is not stored for subsequent use. 24 June 2016 Added the following bullet to the Postback checklist: Ensure that you are submitting postback for all Masterpass transactions initiated with the consumer s click of the Masterpass checkout button (approved, declined, or abandoned). In-Wallet Experience Post-Wallet Experience Postback U.S. Version 6.18 30 September 2016 6

Summary of Changes, 30 September 2016 Change Date Description of Change Where to Look 24 June 2016 Added the following bullet to the General checklist: Verify that your implementation follows the standard process and utilizes all calls (to the Masterpass wallet, complete postback, and so on) for each and every transaction initiated by a consumer s click of the Masterpass checkout button. Verify that you are accepting and passing the wallet identifier (WID) when present for Masterpass transactions. 11 May 2016 Added onboarding content to reflect changes to the Merchant Portal, including updates to the Authentication Settings page and new logic related to Advanced Checkout. Added and updated integration content to to reflect changes to 3-D Secure authentication. Updated the EciFlag and PaResStatus elements in the Checkout Resource section of the Appendix to reflect 3-D Secure updates. 12 April 2016 Further updates to integration content throughout the guide to reflect changes that apply specifically to U.S. merchants. Added content to the integration steps to reflect updates to the Lightbox integration and Android/iOS integration. General Merchant Registration and Setup Merchant Activity 3-D Secure Overview Checkout Resource Overview Masterpass Checkout Experiences Service Provider Merchant by Merchant Onboarding Service Provider Merchant by Merchant Onboarding Steps Integration Process Android and ios App Integration Masterpass Branding Appendix U.S. Version 6.18 30 September 2016 7

Contents Contents Summary of Changes, 30 September 2016...2 Chapter 1: Overview... 11 Reflecting 2016 U.S. Masterpass Enhancements in This Guide...12 How does Masterpass Work?... 12 Masterpass User Interface...12 Chapter 2: Masterpass Checkout Experiences... 16 Masterpass Standard Checkout Process Flow...17 Android Merchant App-to-Wallet App Checkout...22 Chapter 3: Service Provider Merchant by Merchant Onboarding... 24 Incorporating Masterpass into Your Site or App...25 Merchant by Merchant Onboarding Process...25 Chapter 4: Service Provider Merchant by Merchant Onboarding Steps... 28 Service Provider Registration and Setup Service Provider Activity... 29 Add Developer to Service Provider Profile Service Provider Activity...30 Make Available as Third Party Platform Provider Service Provider Activity... 32 Merchant Registration and Setup Merchant Activity...32 Invite Service Provider to be Merchant s Developer Merchant Activity... 42 Developer Registration, API Keys, Initiate Development Developer Activity... 44 Masterpass Merchant Portal Developer Account... 44 Create a Mastercard Developers Account...44 Generate Mastercard Developers API Key...46 Initiate Development and Masterpass Implementation... 48 Obtaining Integration Credentials (Consumer Keys and Checkout Identifiers)... 49 Review Key Request and Approve/Reject Merchant Activity...53 Deploy Application Using Production Credentials Developer Activity... 55 Chapter 5: Integration Process...57 Lightbox Integration...58 Standard checkout... 60 Standard Checkout Callback...60 Implementing DSRP and Tokenization... 62 U.S. Version 6.18 30 September 2016 8

Contents Split/Partial Shipments and Recurring Payment Transactions... 73 3-D Secure Considerations...73 Testing DSRP...73 Masterpass Service Descriptions...73 Android and ios App Integration...77 Completing the Integration... 80 Chapter 6: Masterpass Branding...81 Displaying the Masterpass Checkout Button and Acceptance Marks...82 Masterpass Checkout Button Example... 83 Dynamic Checkout Button...84 Masterpass Learn More Page...84 Chapter 7: Testing...85 Masterpass Sandbox Testing...86 Sign up for a Test Masterpass Wallet Account during Checkout and Test the Unrecognized Experience...86 Sign in to a Test Masterpass Wallet Account during Checkout and Test the Recognized Experience... 88 Q/A Checklist... 89 Checklist for Masterpass Asset Placement...89 In-Wallet Experience... 89 Post-Wallet Experience...89 Postback...90 General... 90 Chapter 8: Troubleshooting...91 Common Errors...92 Support...92 Appendix A: Appendix...94 Lightbox Parameters...95 OAuth Samples... 97 Request Token... 97 Merchant Initialization Service...99 Shopping Cart Service... 103 Access Token Service... 108 Checkout Resource...110 Postback Service... 124 Renew a Mastercard Developers API Key... 133 U.S. Version 6.18 30 September 2016 9

Contents Mastercard Developers Key Tool Utility... 137 3-D Secure Overview...138 3-D Secure Service Description...138 General Overview of Mastercard SecureCode and Verified by Visa Transaction Authentication... 139 Important Merchant Information... 140 Notices...142 U.S. Version 6.18 30 September 2016 10

Overview Chapter 1 Overview This document is intended to orient service partners and their developers seeking to integrate Masterpass as a checkout option for merchant s commerce sites or mobile application. Reflecting 2016 U.S. Masterpass Enhancements in This Guide...12 How does Masterpass Work?...12 Masterpass User Interface...12 Standard Lightbox Display (desktop and laptop)...13 Standard Mobile Display (.mobi)... 14 Standard Full-Screen Display... 14 U.S. Version 6.18 30 September 2016 11

Overview Reflecting 2016 U.S. Masterpass Enhancements in This Guide Reflecting 2016 U.S. Masterpass Enhancements in This Guide With Masterpass s focus on continuous product improvement and user experience optimization, we have identified key enhancement opportunities that will be launched in Q2 2016. Therefore, this guide is specifically targeted to U.S. merchants and service providers that will be implementing Masterpass in/after Q2 2016. For additional details, work with your regional Masterpass representative or Implementation Manager. NOTE: This is a preliminary version of the document and may undergo revisions. How does Masterpass Work? Masterpass is a wallet service that enables consumers to store, manage and securely share their payment information, shipping information, and billing address with the websites and mobile apps they transact with. Masterpass supports checkout on full and mobile websites, as well as in-app purchases on Android and ios apps. In addition, Masterpass recently added the ability to quickly implement native, app-to-app checkout experiences with EMV-like security within Android smartphone applications. NOTE: In Q2 2016, Masterpass is bringing a highly enhanced consumer experience and we are working towards a full product redesign to support that. As part of the redesign, Masterpass will be updating core wallet features, as well as intelligent wallet routing and security features to deliver a more seamless user experience that enables fast checkout. We are also introducing a new checkout button design, along with an ability to display a personalized dynamic checkout button based on consumers past wallet usage. The dynamic checkout button capability is currently available to select wallet providers. We are also reassessing certain features, such as loyalty/rewards, pairing, the shopping cart experience, and Connected checkout. As a result, these features will be unavailable to U.S. merchants/service providers. Masterpass User Interface The Masterpass user interface, or Lightbox, floats the Masterpass wallet interface on top of the merchant s web page through illuminated overlays, and backgrounds dimmed to 0.7 opacity. This modern method allows a consumer to interact with their Masterpass digital wallet without having to leave the merchant s page. The Masterpass Lightbox is built in a responsive design style allowing it to respond dynamically to the various screen sizes and orientations. Masterpass supports the following displays: U.S. Version 6.18 30 September 2016 12

Overview How does Masterpass Work? Standard Lightbox Standard Full Screen Standard Lightbox Display (desktop and laptop) At full screen, where the browser is set to 100% height and width, the overall Lightbox dimensions are 730 pixels (height) by 680 pixels (width). This is inclusive of the height of the Lightbox header (60 pixels) and footer (30 pixels). The interior Lightbox dimensions are 640 pixels (height) by 680 pixels (width). If the height of the browser is reduced to 800 pixels or less and the width is maintained at greater than 680 pixels, the entire Lightbox has an outer frame height of 620 pixels. The Lightbox header and footer heights are maintained at 60 pixels and 30 pixels, respectively, but the content container (wallet frame) has dimensions of 530 pixels (height) by 680 pixels (width). If the browser is set to 100% maximum width but is less than 620 pixels in height, vertical scrolling will appear. If the browser is set to less than 680 pixels in width the Lightbox layout will change to accommodate small screen formats (for example, phones and smaller tablets). There is a 320 pixel width threshold for the content container. U.S. Version 6.18 30 September 2016 13

Overview How does Masterpass Work? Standard Mobile Display (.mobi) Within the.mobi experience, the height of the header and footer are 50 pixels and 23 pixels, respectively. The interior content area for mobile devices is content-dependent. The initial view of content is based on the overall screen sizes. Content that does not fit within the initial view of content can be accessed by scrolling. There will be a landscape view for mobile.the mobile interface fills the screen and does not use modal windows such as the Lightbox display. Standard Full-Screen Display Special conditions apply to the standard full-screen display. Under certain conditions, such as the following: 1. The consumer s browser does not support the Lightbox display (older browser) 2. The merchant has not yet made coding changes to invoke the Lightbox display 3. The URL requesting the Lightbox display is different from the merchant-specified origin URL 4. Third-party cookies are blocked by the browser (currently Safari versions 8 and higher) 5. The consumer is managing their wallet account (non-checkout/masterpass.com). Masterpass will render the wallet experience in full screen as our Lightbox experience requires Masterpass cookies to be dropped in the browser. In the case of scenario four above, we are able to drop cookies during the full-screen redirect experience, and subsequent Masterpass checkouts on that browser will show the Lightbox experience. For Account Management (non-checkout) flows, the full-screen view will always be used. Masterpass includes language in the header of the full-screen display to indicate what the user can expect when selecting the close (X) button. This language, which is only available for the U.S. Version 6.18 30 September 2016 14

Overview How does Masterpass Work? full-screen checkout experience in the U.S. market, will reflect the same merchant name that was entered when the merchant was registered through the Masterpass Merchant Portal. U.S. Version 6.18 30 September 2016 15

Masterpass Checkout Experiences Chapter 2 Masterpass Checkout Experiences This section provides information on the Masterpass checkout experiences. Masterpass Standard Checkout Process Flow...17 Android Merchant App-to-Wallet App Checkout...22 U.S. Version 6.18 30 September 2016 16

Masterpass Checkout Experiences Masterpass Standard Checkout Process Flow Masterpass Standard Checkout Process Flow This topic provides information on the standard checkout process flow using the Masterpass user interface or Lightbox where the merchant/service provider integrates with Masterpass through the service provider. The merchant/service provider initiates the Masterpass user interface but does not receive consumer s PAN. The following diagram illustrates the standard Masterpass checkout process flow with the Masterpass Lightbox UI. The merchant must use this process flow for a non-registered (guest) user. NOTE: Origin URL can no longer be sent along with the Shopping Cart. Merchants must use the Merchant Initialization service to send the Origin URL. U.S. Version 6.18 30 September 2016 17

Masterpass Checkout Experiences Masterpass Standard Checkout Process Flow Standard Checkout User Flow The following steps explain the standard Masterpass checkout process flow: NOTE: The product images in the following screenshots are blurred for trademark reasons. 1. The consumer clicks the Masterpass Checkout button. 2014 2016 Mastercard. Proprietary. All rights reserved. U.S. Version 6.18 30 September 2016 18

Masterpass Checkout Experiences Masterpass Standard Checkout Process Flow 2. The consumer logs in to their wallet. U.S. Version 6.18 30 September 2016 19

Masterpass Checkout Experiences Masterpass Standard Checkout Process Flow 3. The consumer selects their payment method and shipping address. 4. The consumer reviews and submits the order. U.S. Version 6.18 30 September 2016 20

Masterpass Checkout Experiences Masterpass Standard Checkout Process Flow 5. The merchant confirms the order. U.S. Version 6.18 30 September 2016 21

Masterpass Checkout Experiences Android Merchant App-to-Wallet App Checkout NOTE: Origin URL can no longer be sent along with the Shopping Cart. Merchants must use the Merchant Initialization service to send the Origin URL. Android Merchant App-to-Wallet App Checkout Starting in 2016, Masterpass is introducing a multi-channel checkout solution that allows merchants to integrate Masterpass as a secure checkout experience within their native Android applications. This checkout solution provides merchants with (a) a simplified, unified checkout experience across all merchant channels, including in-store contactless and in-app, and (b) the ability to generate transactions that are secured with Digital Secure Remote Payment (DSRP). U.S. Version 6.18 30 September 2016 22

Masterpass Checkout Experiences Android Merchant App-to-Wallet App Checkout DSRP is a Mastercard payment solution through which card-not-present merchants benefit from the dynamic secure data generated by contactless M/Chip applications. DSRP transactions contain dynamic data (cryptograms) generated by a payment application using EMV-based cryptography. Currently, DSRP cryptograms can only be generated for transactions initiated on an Android mobile app or mobile browser that has incorporated the Masterpass Mobile Checkout SDK, and transactions completed on a Masterpass Android wallet application (this will be available for other types of transactions later this year). If Mobile Checkout is available in your country, refer to the Masterpass Android Checkout Sample App page on GitHub. U.S. Version 6.18 30 September 2016 23

Service Provider Merchant by Merchant Onboarding Chapter 3 Service Provider Merchant by Merchant Onboarding This topic provides information on service provider merchant by merchant onboarding process. Incorporating Masterpass into Your Site or App...25 Merchant by Merchant Onboarding Process... 25 U.S. Version 6.18 30 September 2016 24

Service Provider Merchant by Merchant Onboarding Incorporating Masterpass into Your Site or App Incorporating Masterpass into Your Site or App Enabling checkout with Masterpass on behalf of your merchant site or mobile app is straightforward here are the required activities for the Merchant by Merchant onboarding process. Merchant by Merchant Onboarding Process This process must be used if merchants create their own accounts. Step by step instructions can be found here. Activity Actor Steps Environment 1. Service Provider Registration and Setup 2. Add Developer to Service Provider Profile 3. Make Available as Third Party Platform Provider 4. Merchant Registration and Setup 5. Add Service Provider to be Merchant Developer 6. Developer Registration Service Provider Service Provider Service Provider Merchant Merchant Developer Create Service Provider account Add Developer to Service Provider Profile Make Service Provider Available as Third Party Platform Provider Create Merchant account, set shipping profile, and advanced authentication Invite Service Provider to manage integration Log in to Masterpass Developer account that is created upon invite Create consumer key requests and submit to service provider business owner Create Mastercard Developers account Generate developer s sandbox and production keys Review sample code/sdk and design services integration Masterpass Partner Portal Masterpass Partner Portal Masterpass Partner Portal Masterpass Merchant Portal Masterpass Merchant Portal Masterpass Merchant Portal Mastercard Developers U.S. Version 6.18 30 September 2016 25

Service Provider Merchant by Merchant Onboarding Incorporating Masterpass into Your Site or App Activity Actor Steps Environment 7. Review and approve sandbox and/or production consumer key approval request Service Provider Business Owner Approve consumer key request(s) Masterpass Merchant Portal 8. Test Integration in Sandbox Developer Obtain checkout IDs for each successfully provisioned merchant from results file. Map each checkout ID to the correct merchant. Test against Masterpass sandbox environment 9. Production Migration Developer Update Masterpass API endpoints, consumer key, callback URL and Private Key (.p12 file), if different than Sandbox Masterpass Merchant Portal Service Provider Engineering Environment Service Provider Production Environment The following accounts will be created during the onboarding process. Use the following table to record the account information for future reference. NOTE: Email address must be unique for each account. Account Type Details Account Info Merchant Portal Service Provider Account Merchant Portal Service Provider Developer Account(s) Created by Service Provider business owner. This id should be used to login at https:// masterpass.com/hub/ Go here to create Service Provider account, invite developers. Created when the Service Provider invites a developer. It is a system generated user id. This id should be used to login at https://masterpass.com/hub/ Go here to request consumer keys. Userid: Email: Userid: Email: U.S. Version 6.18 30 September 2016 26

Service Provider Merchant by Merchant Onboarding Incorporating Masterpass into Your Site or App Account Type Details Account Info Mastercard Developers Developer Account(s) Merchant Portal Merchant Account(s) Created by developer and is used for key exchange. This id should be used to login at https:// developer.mastercard.com Go here to perform key exchange, download SDKs and Sample Applications, integration guides, and to access FAQs. Created by the merchant business owner. This ID will be used to login at https:// masterpass.com/hub/ Go here to create merchant account, invite Service Provider, create shipping profiles, etc. Userid: Email: Userid: Email: U.S. Version 6.18 30 September 2016 27

Service Provider Merchant by Merchant Onboarding Steps Chapter 4 Service Provider Merchant by Merchant Onboarding Steps This section contains the steps that service providers must follow when assisting one merchant at a time with their Masterpass integration. Service Provider Registration and Setup Service Provider Activity... 29 Add Developer to Service Provider Profile Service Provider Activity... 30 Make Available as Third Party Platform Provider Service Provider Activity...32 Merchant Registration and Setup Merchant Activity...32 Invite Service Provider to be Merchant s Developer Merchant Activity...42 Developer Registration, API Keys, Initiate Development Developer Activity... 44 Masterpass Merchant Portal Developer Account... 44 Create a Mastercard Developers Account... 44 Generate Mastercard Developers API Key... 46 Initiate Development and Masterpass Implementation... 48 Obtaining Integration Credentials (Consumer Keys and Checkout Identifiers)... 49 Review Key Request and Approve/Reject Merchant Activity...53 Deploy Application Using Production Credentials Developer Activity... 55 U.S. Version 6.18 30 September 2016 28

Service Provider Merchant by Merchant Onboarding Steps Service Provider Registration and Setup Service Provider Activity Service Provider Registration and Setup Service Provider Activity Before beginning this process, request an invitation code from your Mastercard representative; this will grant you access and allow you to register as a service provider within the merchant portal. About this task Developers invited to integrate Masterpass on behalf of a service provider will manage their integration activities through following portals. Masterpass Merchant Portal (https://masterpass.com/hub/) Mastercard Developers (http://developer.mastercard.com) Procedure 1. From the Masterpass Merchant Portal, select the Sign Up. It s Free link. 2. Enter your invitation code and select the Create an Account button. NOTE: Service provider invitation codes should begin with the prefix SP. Please verify that you have the invitation code with the correct prefix. 3. Complete all of the required fields in the Create Your Profile screen and select the Continue button. 4. Complete all of the required fields in the Business Information screen and select the Submit button. At this point, you will have created a service provider account. U.S. Version 6.18 30 September 2016 29

Service Provider Merchant by Merchant Onboarding Steps Add Developer to Service Provider Profile Service Provider Activity Add Developer to Service Provider Profile Service Provider Activity The next step is to add developers who will integrate Masterpass into the checkout flow on behalf of your merchant(s). About this task From the dashboard of the Masterpass Merchant Portal, you will add developers to the service provider profile. These developers will handle the technical implementation of Masterpass. Procedure 1. To get started, locate the Create Account, Invite Developers option on the dashboard of the Masterpass Merchant Portal and select the Create Now button. 2. You will need to indicate who will perform the technical integration. Select the Invite New Users button. 3. Under Select User Type, select Developer. U.S. Version 6.18 30 September 2016 30

Service Provider Merchant by Merchant Onboarding Steps Add Developer to Service Provider Profile Service Provider Activity 4. Service providers that have an internal or contracted engineering team should select An Internal or contracted developer from the Select a developer type drop-down menu. 5. Provide contact information for the developer you want to invite and select the Send Invite button. Results Masterpass will send an email to each newly added developer indicating that they have been invited to handle the technical integration of Masterpass on behalf of your company. This email will contain the invitation code that the developer must use to create their Masterpass Merchant Portal account. U.S. Version 6.18 30 September 2016 31

Service Provider Merchant by Merchant Onboarding Steps Make Available as Third Party Platform Provider Service Provider Activity Make Available as Third Party Platform Provider Service Provider Activity Service providers should complete these instructions to make themselves visible and available to merchants in the portal for assistance with Masterpass implementation. Procedure 1. Sign in to your service provider account in the Masterpass Merchant Portal. 2. Locate the Make Yourself Visible option on the dashboard of the Masterpass Merchant Portal and select the Start Now button. 3. From the Business Profile page, select the I want merchants to be able to select me to perform their Masterpass implementation checkbox. You can change this setting by clearing this checkbox. Merchant Registration and Setup Merchant Activity Before beginning this process, request an invitation code from your Mastercard representative; this will grant you access and allow you to register within the merchant portal. About this task Developers invited to integrate Masterpass on behalf of a service provider will manage their integration activities through following portals. Masterpass Merchant Portal (https://masterpass.com/hub/) Mastercard Developers (http://developer.mastercard.com) U.S. Version 6.18 30 September 2016 32

Service Provider Merchant by Merchant Onboarding Steps Merchant Registration and Setup Merchant Activity Procedure 1. From the Masterpass Merchant Portal, select the Sign Up. It s Free link. 2. Enter your invitation code and select the Create an Account button. NOTE: Merchant invitation codes should begin with the prefix MT. Please verify that you have the invitation code with the correct prefix. 3. Complete all of the required fields in the Create Your Profile screen and select the Continue button. 4. Complete all of the required fields in the Business Information screen and select the Submit button. 5. To enter the merchant assets (for example, name, logo) that will be displayed to consumers in their Masterpass wallets during checkout, click Digital Assets. Enter merchant display name, domain-level URL, an alias identifying this set of digital assets (for example, website or Android app ), an optional description of the merchant s goods/services. If no logo is provided, only the merchant name will be displayed in the consumers Masterpass wallets during registration and checkout. NOTE: Merchants doing business in the U.S. only should enter the display name and an alias, (but not the display logo). The Masterpass Merchant Portal is currently being redesigned, and parts of the interface may vary during the transition to the new experience. U.S. Version 6.18 30 September 2016 33

Service Provider Merchant by Merchant Onboarding Steps Merchant Registration and Setup Merchant Activity Once this information has been entered, a checkout identifier will be generated for the developer to use during the integration process. To edit this information at any time, click the View link. NOTE: Merchant administrators and/or developers can enter and edit this information. 6. After the merchant account has been created and the digital assets provided, select Shipping Profiles to indicate the countries to which your company ships your goods. U.S. Version 6.18 30 September 2016 34

Service Provider Merchant by Merchant Onboarding Steps Merchant Registration and Setup Merchant Activity NOTE: The Masterpass Merchant Portal is currently being redesigned, and parts of the interface may vary during the transition to the new experience. Merchants must have at least one shipping profile (and no more than 25). 7. Merchants may set a default shipping profile by clicking the box next to Save as Default. U.S. Version 6.18 30 September 2016 35

Service Provider Merchant by Merchant Onboarding Steps Merchant Registration and Setup Merchant Activity To edit this information at any time, click the View link. NOTE: U.S. merchants Please do not enter loyalty information in the loyalty/rewards module you see in the portal. This functionality is no longer available to U.S. merchants and is being reassessed for future use. 8. If 3-D Secure is not available to you, you will not see the Authentication Settings option. If the option is available in your country, select Authentication Settings to enable 3-D Secure Authentication. Where available, 3-D Secure can be enabled for Mastercard (which includes Maestro) and Visa cards. 3-D Secure authentication allows merchants to gain liability shift on fraudulent ecommerce transactions. You will first need to supply the details of your merchant acquirer accounts U.S. Version 6.18 30 September 2016 36

Service Provider Merchant by Merchant Onboarding Steps Merchant Registration and Setup Merchant Activity 9. To add an acquirer, select Add Acquirers. Complete the form, including acquirer name and ID number, your assigned merchant ID, and supported currencies under that acquirer. NOTE: Mastercard SecureCode is used to set up acquirers for both Mastercard and Maestro transactions. U.S. Version 6.18 30 September 2016 37

Service Provider Merchant by Merchant Onboarding Steps Merchant Registration and Setup Merchant Activity Once saved, successfully added acquirer profiles will appear on the page by card brand. To complete the setup for 3-D Secure, select the Advanced Checkout check box for each card brand to enable 3-D Secure for that brand. NOTE: If you enable your account for 3-D Secure, you will have the option to out of 3-D Secure checkout by clearing the Advanced Checkout check box on this page. U.S. Version 6.18 30 September 2016 38

Service Provider Merchant by Merchant Onboarding Steps Merchant Registration and Setup Merchant Activity Results Mastercard uses a third party, Cardinal Commerce, to act as a Merchant Plug In (MPI) for the 3-D Secure step-up process. When set up, the 3-D Secure user interface will be involved for all checkout transactions for the selected card brand. The 3-D Secure onboarding status for an acquiring account will be provided in the acquirer list under each card brand. U.S. Version 6.18 30 September 2016 39

Service Provider Merchant by Merchant Onboarding Steps Merchant Registration and Setup Merchant Activity The possible merchant 3-D Secure statuses are as follows: SUBMITTED: The merchant's acquirer information has been submitted to Cardinal Commerce. ACQUIRER PENDING: Cardinal Commerce is in the process of onboarding the merchant to its system, and the merchant s acquirer information has been sent to the card brand company and is waiting completion. ACTIVE: The merchant has been successfully registered in the Cardinal Commerce system, and the acquirer is participating. You are ready to process 3-D Secure production transactions. ACQUIRER NOT SUPPORTED: The acquirer ID (BIN) used in the merchant registration is not valid. Upon receiving this message, you will receive an email from Masterpass Merchant support team attached with an unknown acquirer form. U.S. Version 6.18 30 September 2016 40

Service Provider Merchant by Merchant Onboarding Steps Merchant Registration and Setup Merchant Activity When adding your acquirer accounts, it is possible that your acquirer has not previously been onboarded to Cardinal s system. In this case, you will need to download and complete the Acquirer Certificate Request and submit it to Cardinal Commerce for processing. The form will be available in the portal upon submission of an unrecognized acquirer ID and will be sent to you by email. Acquirer setup may take 3 5 business days once the Acquirer Certificate Request is returned to Cardinal. U.S. Version 6.18 30 September 2016 41

Service Provider Merchant by Merchant Onboarding Steps Invite Service Provider to be Merchant s Developer Merchant Activity Invite Service Provider to be Merchant s Developer Merchant Activity The following process explains how to invite a service provider to be the merchant's developer. Procedure 1. Sign in to your merchant s account from the Masterpass Merchant Portal. 2. On the Masterpass Setup page, click the Start This Step button under the Add developers option. 3. Select A third party platform provider. U.S. Version 6.18 30 September 2016 42

Service Provider Merchant by Merchant Onboarding Steps Invite Service Provider to be Merchant s Developer Merchant Activity 4. Select the service provider from the vendor drop-down list. Results Service provider business owners will be notified as soon as the organization has been selected by a merchant. The service provider s developer will receive invitation emails from Masterpass indicating that they have been selected to handle the technical integration of U.S. Version 6.18 30 September 2016 43

Service Provider Merchant by Merchant Onboarding Steps Developer Registration, API Keys, Initiate Development Developer Activity Masterpass Services on behalf of the merchant. The integration guide will guide the developer through the integration process. Developer Registration, API Keys, Initiate Development Developer Activity Developers invited to integrate Masterpass on behalf of a merchant will manage their integration activities through two portals. Masterpass Merchant Portal (https://masterpass.com/hub/) Mastercard Developers (http://developer.mastercard.com) NOTE: These are two different websites that use different login credentials. If you are a new developer for Masterpass, you must sign up for a Mastercard Developers account. Masterpass Merchant Portal Developer Account Developers will use the Masterpass Merchant Portal to request and access merchant-specific integration credentials (consumer keys and checkout identifiers), which will be used when interacting with the Masterpass web services. After the service provider invites you as a developer, you will receive your Masterpass Developers credentials in two emails from Masterpass along with instructions for creating your portal account and links to the Masterpass development documentation and resources. You do not need a Mastercard Developers account to access and view this documentation. Create a Mastercard Developers Account Developers invited to integrate Masterpass on behalf of a service provider will use the Mastercard Developers site to view integration documentation and generate developer keys. Complete the following instructions to create your Mastercard Developers account and access these materials. Procedure 1. Navigate to the Mastercard Developers site. 2. From the main page of the Mastercard Developers site, click Sign Up. U.S. Version 6.18 30 September 2016 44

Service Provider Merchant by Merchant Onboarding Steps Developer Registration, API Keys, Initiate Development Developer Activity 3. Complete and submit the registration form. After submitting the form, you will receive a confirmation email. 4. Activate your Mastercard Developers profile by clicking on the link included in the confirmation email. U.S. Version 6.18 30 September 2016 45

Service Provider Merchant by Merchant Onboarding Steps Developer Registration, API Keys, Initiate Development Developer Activity Generate Mastercard Developers API Key After creating your Mastercard Developers account, you will need to create API keys for both the sandbox and production environments by completing the following steps. Procedure 1. Click My Projects. 2. On the My Projects page, click on the Masterpass Merchant Keys button. U.S. Version 6.18 30 September 2016 46

Service Provider Merchant by Merchant Onboarding Steps Developer Registration, API Keys, Initiate Development Developer Activity 3. Confirm that you understand the process that you must complete before beginning work on your Masterpass project by clicking on the Okay, got it button. 4. Under Complete Your Profile, enter your name, address, and phone number, and click Next. 5. Under Create Sandbox Key, enter an alias and password for your sandbox key, and click Download Key and Continue. A P12 certificate file for your sandbox key will automatically be downloaded to your personal computer. 6. Under Create Production Key, enter an alias and password for your production key, and click Download Key and Continue. U.S. Version 6.18 30 September 2016 47

Service Provider Merchant by Merchant Onboarding Steps Developer Registration, API Keys, Initiate Development Developer Activity A P12 certificate file for your production key will automatically be downloaded to your personal computer. Results At this point, developers will have a Sandbox Key ID and a Production Key ID, which will be used when submitting key approvals in the Masterpass Merchant Portal. NOTE: Keys expire after one year before which they should be renewed by completing the Renew a Mastercard Developers API Key process. As of July 2016, the Mastercard Developers portal no longer supports the creation or renewal of the Certificate Signing Request (CSR) generated with MD5 digest. Notifications at 30, 15, and one day prior to key expiration will be sent to the email address associated with the Mastercard Developers account. When the keys expire, Masterpass transactions will fail. Therefore the keys need to be renewed prior to expiration. Initiate Development and Masterpass Implementation Once a developer has generated their Mastercard Developers API keys, they can begin developing their own implementation. NOTE: All methods and flows in the current sample app available in the SDK for Masterpass may not fully apply to U.S. service providers and merchants. For further guidance with your implementation, follow the integration guide and, if you need assistance, contact Masterpass support. Masterpass follows the OAuth 1.0a specification. Any merchant or service provider integrating with Masterpass must strictly adhere to the OAuth specs for interacting with Masterpass U.S. Version 6.18 30 September 2016 48

Service Provider Merchant by Merchant Onboarding Steps Obtaining Integration Credentials (Consumer Keys and Checkout Identifiers) through Open API Gateway. Failure to implement OAuth correctly may impact your integration and transactions with Masterpass. For more details, refer to the What authentication requirements are there to use the raw REST protocol? page on the Mastercard Developers site. Obtaining Integration Credentials (Consumer Keys and Checkout Identifiers) Prior to allowing the developer s code to interact with the Masterpass service (on behalf of a merchant), the merchant administrator must approve a request to link the developer s API keys to create a credential called a consumer key created by the developer from the Mastercard Developers site with the merchant identifier. About this task Typically, the developer will make two separate key approval requests: Request to generate a consumer key that will grant the developer access to the Masterpass sandbox environment on behalf of the merchant NOTE: The sandbox environment does not contain real consumer data. Request to generate a consumer key that will grant the developer access to the production environment to enable real transactions Developers will use the Masterpass Merchant Portal to request and access merchant-specific integration credentials which will be used when interacting with the Masterpass services. The consumer keys are generated by requesting key approval from the business owner in the Key Management module; the checkout identifiers are generated in the Digital Assets module. Procedure 1. To get started, sign into the Masterpass Merchant Portal. Under Manage Development, click Key Management to open an interface with Mastercard Developers, enter your Mastercard Developers credentials, and click Sign In. U.S. Version 6.18 30 September 2016 49

Service Provider Merchant by Merchant Onboarding Steps Obtaining Integration Credentials (Consumer Keys and Checkout Identifiers) NOTE: If you have not already set up your Mastercard Developers account, click here. 2. After you have entered your Mastercard Developers information, to create a sandbox or production key, click Create Consumer Key. 3. Select the key type (as in, sandbox or production), and then click Continue. 4. After clicking Browse Keys, a list of all the keys of the specified type you have in your Mastercard Developers account is displayed; select the key you want to associate with the merchant s Masterpass integration. U.S. Version 6.18 30 September 2016 50

Service Provider Merchant by Merchant Onboarding Steps Obtaining Integration Credentials (Consumer Keys and Checkout Identifiers) Click Submit for Approval; an email will be sent to the merchant administrator for approval. Upon approval, a Masterpass consumer key will be generated for the selected environment and will be displayed on this page. These keys, along with the Checkout Identifier (refer to Digital Assets section below) are required to make Masterpass calls in sandbox and production environments. 5. Repeat the steps above as needed to generate additional keys. Typically, developers need at least one sandbox and one production key for each merchant integration. 6. To generate or view a checkout identifier, under Manage Development, click Digital Assets. If the merchant administrator has previously input data for the required fields for this module during registration, the checkout identifiers will be displayed on the main page. U.S. Version 6.18 30 September 2016 51

Service Provider Merchant by Merchant Onboarding Steps Obtaining Integration Credentials (Consumer Keys and Checkout Identifiers) To edit this information at any time, click the View link. If the merchant administrator has requested that the developer input this data on behalf of the merchant, click Add Assets, and enter the merchant display name, an alias identifying this set of digital assets (for example, website or Android app ), and an optional description of the merchant s goods/services U.S. Version 6.18 30 September 2016 52

Service Provider Merchant by Merchant Onboarding Steps Review Key Request and Approve/Reject Merchant Activity NOTE: If no logo is provided, the merchant name will be displayed. Review Key Request and Approve/Reject Merchant Activity After the developer submits the request for sandbox or production credentials, the merchant will get an email notification. Procedure 1. Upon receipt of the email notification that a developer has submitted a key request for approval, log on to the portal and click Key Management. 2. Click the down arrow to the right of the developer s name to view the details of the request (environment, key alias, key status, date of expiration, and the consumer key). U.S. Version 6.18 30 September 2016 53

Service Provider Merchant by Merchant Onboarding Steps Review Key Request and Approve/Reject Merchant Activity 3. To approve the developer s request for a new key, click Approve, or to reject the request, click Deny. The key status will update on the portal UI for the administrator as well as for the requesting developer. An email notification will also be sent to the requesting developer notifying him/her that the approval request has been completed. If the request was approved, the developer will also be able to see the system-generated consumer key that is needed to make calls to Masterpass services. U.S. Version 6.18 30 September 2016 54

Service Provider Merchant by Merchant Onboarding Steps Deploy Application Using Production Credentials Developer Activity 4. Make a note of the following values as they will be used in the code to integrate with Masterpass web services: Consumer Key (97 characters) Callback URL Checkout Identifier Keystore and Keystore Password Deploy Application Using Production Credentials Developer Activity Once the digital assets have been entered and the checkout identifier generated, and the key approvals have been completed and the consumer keys generated, the developer has the system-generated credentials needed to communicate with the Masterpass services. Procedure 1. Prior to production deployment, ensure that (a) you have implemented the Masterpass button on your site or app and (b) your sandbox implementation passes all items in the QA checklist. 2. To move your code to production, update your code with the following: U.S. Version 6.18 30 September 2016 55

Service Provider Merchant by Merchant Onboarding Steps Deploy Application Using Production Credentials Developer Activity Masterpass production endpoint Merchant s production Consumer Key Production callback URL Keystore (if different than Sandbox) 3. The last step is to deploy your code to production. NOTE: For more details on the specific configuration parameters, refer to the Masterpass Checkout FAQs page and look for the question, What are the various parameters I need to call Masterpass services, and where do I get them from? U.S. Version 6.18 30 September 2016 56

Integration Process Chapter 5 Integration Process This topic provides information on the Masterpass integration process. Lightbox Integration...58 Standard checkout...60 Standard Checkout Callback... 60 Redirect to Merchant Callback URL Parameters for Standard Checkout... 62 Checkout Callback Method Example...62 Implementing DSRP and Tokenization...62 DSRP Extension Points in the Masterpass Merchant API...63 DSRP Extension Points in the Masterpass Checkout XML...66 Tokenization Extension Points in the Masterpass Checkout XML...70 Split/Partial Shipments and Recurring Payment Transactions...73 3-D Secure Considerations... 73 Testing DSRP... 73 Masterpass Service Descriptions...73 Request Token Service...73 Shopping Cart Service...74 Merchant Initialization Service...74 Access Token Service...74 Retrieve Payment, Shipping Data, and 3-D Secure Details...75 Postback Service... 76 Android and ios App Integration... 77 Completing the Integration...80 U.S. Version 6.18 30 September 2016 57

Integration Process Lightbox Integration NOTE: All methods and flows in the current sample app available in the SDK for Masterpass may not fully apply to U.S. Service Providers and merchants. For further guidance with your implementation, please follow the integration guide, and if you need assistance, please contact Masterpass support. Lightbox Integration Lightbox integration is required to launch the Masterpass user interface. Procedure 1. To invoke the Lightbox, merchants must include the following scripts to the page on which they are adding the Masterpass Checkout button. NOTE: Merchants invoking the Lightbox from an iframe must include both the sandbox and production scripts on the parent (outer) web page and the iframe source that is invoking Masterpass Lightbox. a. Add jquery. Include this jquery file from the public jquery repository: https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js b. Add the Masterpass Integration Script to your checkout page. Sandbox https://sandbox.static.masterpass.com/dyn/js/switch/integration/ Masterpass.client.js Production https://static.masterpass.com/dyn/js/switch/integration/ Masterpass.client.js 2. Add the Masterpass Checkout Button to your checkout page. <img src = https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_147x034px.png id = "_masterpass_checkout_btn" /> NOTE: Be sure to change the image name to the image size and locale that you would like to use. For further details, refer to Masterpass Branding. 3. Launch Masterpass checkout on the click of the button. U.S. Version 6.18 30 September 2016 58

Integration Process Lightbox Integration Parameters for Invoking Masterpass Checkout Parameter Data Type Required Description requesttoken String Yes Your request token from the Standard Checkout flow callbackurl String Yes The URL to which the browser must redirect when checkout is complete NOTE: This is required even if you use callback functions. merchantcheckoutid String Yes Your unique checkout identifier from the Masterpass Merchant Portal allowedcardtypes String array No Card types accepted by merchant Version String No (default: v6) Masterpass API Version successcallback Function Yes The function that will be called if the Masterpass flow ends successfully failurecallback Function Yes The function that will be called if the Masterpass flow ends in a failure U.S. Version 6.18 30 September 2016 59

Integration Process Standard checkout Parameter Data Type Required Description cancelcallback Function No The function that will be called if the user cancels the Masterpass flow 4. Handle the callback on completion of checkout. On completion of checkout (success, failure or cancellation), the control will be transferred to your system either via the callback url or the callback functions. NOTE: If Masterpass is forced to go full screen, then you will not be able to call the JavaScript callback method and must use a merchant callback redirect. As a result, you must support always support the callback url redirect. Standard checkout The following steps are necessary to integrate a standard Masterpass checkout. For more details, click on each of the following steps: 1. Request Token Service 2. Shopping Cart Service 3. Merchant Initialization Service 4. Invoke Masterpass UI (Lightbox) for checkout 5. Standard Callback method and Redirect to callback URL 6. Access Token Service 7. Retrieve Payment, Shipping Data, and 3DS Details 8. Authorize Payment through payment processor 9. Postback Service NOTE: Origin URL can no longer be sent along with the Shopping Cart. Merchants must use the Merchant Initialization service to send the Origin URL. Standard Checkout Callback Once a checkout is completed, Masterpass will return context to the merchant. NOTE: If Masterpass is forced to go to the standard full-screen display, then you will not be able to call the JavaScript callback method and must use a merchant callback redirect. As a result, you must support both the callback method and the redirect. Masterpass will return context to the merchant following checkout completion via the following: A callback URL: Masterpass uses the callback URL ( callbackurl ) parameter passed when invoking lightbox or oauth_callback from the request token call to direct back to the merchant site when lightbox is rendered in standard full-screen display. U.S. Version 6.18 30 September 2016 60

Integration Process Standard checkout A JavaScript callback method: Use the failurecallback and successcallback parameters to give control back to the page that initiated the Lightbox without any redirects. These parameters must be set when invoking the Masterpass lightbox user interface. Use the cancelcallback parameter to notify a Masterpass merchant that a consumer has canceled their transaction. NOTE: If the successcallback parameter is not provided, wallets will not be able to complete checkout from the standard full-screen display. If the failurecallback parameter is not provided, failed checkouts will not be handled properly. Callback Parameters for Standard Checkout Parameter Data Type Required Description mpstatus String Success, Failure, Cancel Indicates whether the Masterpass flow was completed and results in success, failure or cancel oauth_token String Used in conjunction with oauth_verifier to retrieve the access token oauth_verifier String Used in conjunction with oauth_token to retrieve the access token checkout_resource_url String API URL to retrieve checkout information Example of Callback URL (Successful Transaction) http://www.somemerchant.com/checkoutcomplete.htm? mpstatus=success checkout_resource_url=https%3a%2f%2fapi.mastercard.com%2fmasterpass %2Fv6%2Fcheckout%2F17%3Fwallet %3Dphw& oauth_verifier=6c50838e31b7441e6eafa2229385452889255b13& oauth_token=d6fa60984308aebb6183d44fb9688fb9dc8332dc Example of Callback URL (Cancelled Transaction) http://www.somemerchant.com/checkoutcomplete.htm?mpstatus=cancel Example of Callback Function function handlecallbacksuccess (data) { callyourserverwith(data.oauth_token, data.oauth_verifier, data.checkout_resource_ur);} U.S. Version 6.18 30 September 2016 61

Integration Process Standard checkout Redirect to Merchant Callback URL Parameters for Standard Checkout Merchants must use the following data parameters to complete the Masterpass Standard Checkout flow. mpstatus Success, failure, or cancel. Indicates whether Masterpass flow was completed. oauth_token Used in concert with oauth_verifier to retrieve access token. oauth_verifier Used in concert with oauth_token to retrieve access token. checkout_resource_url API URL to retrieve checkout information. Following are examples of the redirect to merchant callback URLs when a transaction is successful or cancelled: Redirect to Merchant Callback URL Example for a Successful Transaction http://www.somemerchant.com/checkoutcomplete.htm? mpstatus=success&checkout_resource_url=https%3a%2f%2fsandbox.api.mastercard.com %2Fmasterpass %2Fv6%2Fcheckou t%2f10189977%3fwallet %3Dphw&oauth_verifier=6c50838e31b7441e6eafa222938545288 9255b13&oauth_token=d6fa60984308aebb6183d44fb9688fb9dc8332dc Redirect to Merchant Callback URL Example for a Cancelled Transaction http://www.somemerchant.com/checkoutcomplete.htm?mpstatus=cancel Checkout Callback Method Example The following is a sample of the checkout callback method. function onsuccessfulcheckout(data) { document.getelementbyid('oauthtoken').value=data.oauth_token; document.getelementbyid('oauthverifer').value=data.oauth_verifier; document.getelementbyid('checkouturl').value=data.checkout_resource_url; } Implementing DSRP and Tokenization A Masterpass transaction must meet the following conditions to be processed as a Digital Secure Remote Payment (DSRP) transaction. The merchant or service provider must have successfully implemented Masterpass Merchant API version 6, including the merchant initialization call and the new DSRP and tokenization extension points. The merchant or service provider must have successfully implemented Masterpass Merchant Mobile Checkout SDK that facilitates consumer transactions from the merchant Android application to an Android Masterpass wallet application (app-to-app). DSRP cryptograms can currently only be generated for transactions that occur for these Android U.S. Version 6.18 30 September 2016 62

Integration Process Standard checkout app-to-app use cases. If Mobile Checkout is available in your country, refer to the Masterpass Android Checkout Sample App page on GitHub for more information. Systems must be in place to correctly identify authorizations for split/partial shipments and recurring payments so that the DSRP data is accurately processed for subsequent authorizations (for more information, refer to the section below). The payment gateway and acquirer must have updated their Dual Message and Single Message System interfaces to pass and receive DSRP data elements (refer to the Digital Secure Remote Payment Acquirer Implementation Guide for more information). Masterpass recommends that merchants or service providers contact their payment gateway(s) and acquirer(s) to: Understand the changes the gateway and acquirer are making to support DSRP. Identify any corresponding work that the merchants or service providers must complete. The consumer s card issuer/wallet provider must have successfully updated their interfaces to pass and receive DSRP data elements. The consumer has elected to pay with a card that has been digitized (for Masterpass Mobile Checkout transactions, this will be a Mastercard Digital Enablement Services [MDES]-enabled Mastercard brand card). If any of these conditions has not been met, the transaction will be considered a standard Masterpass transaction. For Masterpass transactions that start on a merchant's Android application and complete on a consumer s Android Masterpass wallet application, a DSRP cryptogram will be generated. A DSRP cryptogram will be accompanied by a 16-digit token rather than the actual Mastercard card brand primary account number (PAN). Whenever a token is passed instead of the actual account number, the last four digits of the consumer s actual PAN will be passed in an extension point so that they can be displayed to the consumer if so desired. DSRP Extension Points in the Masterpass Merchant API Merchants and service providers must use the merchant initialization call and the Digital Secure Remote Payment (DSRP) extension points in the Masterpass Merchant API version 6 to pass and receive DSRP data elements and values. MerchantInitializationRequest with DSRP Extension Points V6 XML Details Element Description Type Min Max MerchantInitializationRe quest Root Element XML MerchantInitializationRe quest.oauthtoken Request Token (oauth_token) returned by call to the request_token API U.S. Version 6.18 30 September 2016 63

Integration Process Standard checkout Element Description Type Min Max MerchantInitializationRe quest.originurl Identifies the URL of the page that initializes the lightbox string NA MerchantInitializationRe quest.extensionpoint.ds RP.DSRPOptions.Option. BrandId MerchantInitializationRe quest.extensionpoint.ds RP.DSRPOptions.Option. AcceptanceType MerchantInitializationRe quest.extensionpoint.ds RP.UnpredictableNumbe r Required for DSRP transactions. Identifies the card brands for which DSRP is desired. The valid card IDs are master and maestro. Required for DSRP transactions. Indicates the type(s) of cryptograms the merchant or service provider can accept. Valid types are: UCAF and/or ICC (see descriptions that follow). Masterpass passes the most secure selection (ICC) if both acceptance types are indicated. Optional for DSRP transactions. EMVquality random number generated by the merchant, service provider, or if null by Masterpass and Base64 encoded string alpha 4-byte binary string 8 A cryptogram is the output of the process of transforming clear text into ciphertext for security or privacy. There are two forms in which the DSRP cryptograms may be generated and sent depending on the capabilities of the merchant, payment gateway, and acquirer systems: UCAF data: In this case, the EMV cryptogram and a subset of the EMV data are carried in the Universal Cardholder Authentication Field (UCAF) in data element (DE) 48, subelement 43. U.S. Version 6.18 30 September 2016 64

Integration Process Standard checkout The UCAF cryptogram is Base64 encoded and is up to 32 characters in length and contains a subset of the EMV data including the application cryptogram, application transaction counter (ATC), unpredictable number, and cryptogram version. Most merchant and acquirer systems are configured today to support UCAF data transmission. Full EMV data: In this case the full set of EMV data is carried in data element (DE) 55 Integrated Circuit Card (ICC) System-Related Data in transaction messages. The ICC cryptogram is Hex encoded and is up to 512 characters in length as it contains the full set of EMV data including all the data listed previously for UCAF plus other information such as issuer application data, terminal verification results, cryptogram information data (CID), cardholder verification method (CVM) results, authorized amount, other amount, transaction currency code, transaction date, transaction type, application primary account number (PAN), application expiration date, and terminal country code. While ICC is considered the more secure, recommended option, many merchant and acquirer systems today are not yet configured to support this data element. If the merchant and acquirer systems are enabled to send and receive the DSRP cryptogram data in both the UCAF and/or ICC (DE 55) forms, the merchant or service provider can specify both UCAF and ICC. In this instance, Masterpass passes the cryptogram with the highest level of security (ICC) if the consumer s wallet provider also supports ICC. If the consumer s wallet cannot support ICC, Masterpass passes the UCAF form of the cryptogram. The Unpredictable Number is four-byte binary data that is randomly generated (per the EMVCo Specification Bulletin No. 144) by either the merchant, service provider, or Masterpass (which is then passed back to the merchant or service provider at the end of the transaction). The presence of the Unpredictable Number provides an additional layer of security by providing an element that is unknowable and unique to a specific transaction. This prevents a cryptogram from being used for anything other than the transaction for which it was generated. Masterpass recommends that you do not populate the Unpredictable Number element; in such cases, Masterpass will generate the value on your behalf. However, if you want to generate your own random/unpredictable numbers in order to able to validate the transaction easily by comparing the number that you generated with what was returned to you refer to EMVCo s requirements for this value in the Random Number Generation section of the EMV Acquirer and Terminal Security Guidelines document. After generation, the value must then be Base64 encoded and passed in the Unpredictable Number extension point in the Merchant Initialization Request OpenAPI call. MerchantInitializationRequest with DSRP Extension Points Sample URL: https://api.mastercard.com/masterpass/v6/merchant-initialization NOTE: The following example illustrates a case in which a merchant has chosen to generate the unpredictable number; if the UnpredictableNumber field is left null, Masterpass will generate the value on behalf of the merchant. <MerchantInitializationRequest> <OAuthToken>297d0203c3434be0400d8a755a62b65500e944b9</OAuthToken> U.S. Version 6.18 30 September 2016 65

Integration Process Standard checkout <OriginUrl>https://somemerchant.com</OriginUrl> <ExtensionPoint> <DSRP> <DSRPOptions> <Option> <BrandId>master</BrandId> <AcceptanceType>UCAF</AcceptanceType> </Option> </DSRPOptions> <UnpredictableNumber>413142==</UnpredictableNumber> </DSRP> </ExtensionPoint> </MerchantInitializationRequest> MerchantInitializationResponse Sample <MerchantInitializationResponse> <OAuthToken>297d0203c3434be0400d8a755a62b65500e944b9</OAuthToken> <ExtensionPoint> <UnpredictableNumber>413142==</UnpredictableNumber> </ExtensionPoint> <MerchantInitializationResponse> DSRP Extension Points in the Masterpass Checkout XML After a remote transaction has been facilitated and secured via Digital Secure Remote Payment (DSRP), the Masterpass wallet will generate a cryptogram that the merchant or service provider will receive in the Checkout XML. The "Checkout XML Sample with UCAF Cryptogram" illustrates a case in which a merchant or service provider has indicated that it can only receive a UCAF cryptogram. The "Checkout XML Sample with ICC Cryptogram" illustrates a case in which a merchant or service provider has indicated that it can receive (a) a UCAF or ICC or (b) an ICC crytogram. The elements shown in bold are elements that are impacted by the presence of a cryptogram. The AccountNumber element is a 16-digit, device-based token rather than the cardholder's actual card number. The ExpiryMonth and ExpiryYear elements indicate the expiration data of the provided token. The AuthenticateMethod element indicates that DSRP was the method utilized for this transaction. The DSRP ExtensionPoint elements are populated with the cryptogram, type, unpredictable number, and ECI flag. These extension points will usually be followed by token extension points described in more detail below. Checkout XML Sample with UCAF Cryptogram Received from URL: https://api.mastercard.com/itf/masterpass/v6/checkout/ {checkoutid} <Checkout> <Card> <BrandId>master</BrandId> <BrandName>Mastercard</BrandName> <AccountNumber>5178058604388374</AccountNumber> <BillingAddress> <City>O fallon</city> U.S. Version 6.18 30 September 2016 66

Integration Process Standard checkout <Country>US</Country> <CountrySubdivision>US-MO</CountrySubdivision> <Line1>4305 applerock dr</line1> <Line2/> <Line3/> <PostalCode>63368</PostalCode> </BillingAddress> <CardHolderName>Jane Doe</CardHolderName> <ExpiryMonth>6</ExpiryMonth> <ExpiryYear>2017</ExpiryYear> </Card> <TransactionId>286532912</TransactionId> <Contact> <FirstName>Jane</FirstName> <LastName>Doe</LastName> <NationalID>***********</NationalID> <Country>US</Country> <EmailAddress>janedoe@test.com</EmailAddress> <PhoneNumber>1-3692581470</PhoneNumber> </Contact> <ShippingAddress> <City>O fallon</city> <Country>US</Country> <CountrySubdivision>US-MO</CountrySubdivision> <Line1>4305 applerock dr</line1> <Line2/> <Line3/> <PostalCode>63368</PostalCode> <RecipientName>Jane Doe</RecipientName> <RecipientPhoneNumber>US+1-8734048394</RecipientPhoneNumber> </ShippingAddress> <AuthenticationOptions> <AuthenticateMethod>DSRP</AuthenticateMethod> </AuthenticationOptions> <WalletID>208</WalletID> <PreCheckoutTransactionId>a4c411b-18h26t-icni2rol-1-ics6caee-123y</ PreCheckoutTransactionId> <ExtensionPoint> <DSRP> <DSRPData>Qwertyuio0987654321asdfghjklpois</DSRPData> <DSRPDataType>UCAF</DSRPDataType> <UnpredictableNumber>413142==</UnpredictableNumber> <Eci>02</Eci> </DSRP> </ExtensionPoint> Checkout XML Sample with ICC Cryptogram Received from URL: https://api.mastercard.com/masterpass/v6/checkout/{checkoutid} NOTE: U.S. merchants will not receive the PreCheckoutTransactionId element in the following example. <Checkout> <Card> <BrandId>master</BrandId> <BrandName>Mastercard</BrandName> <AccountNumber>5178058604388374</AccountNumber> <BillingAddress> <City>O fallon</city> <Country>US</Country> <CountrySubdivision>US-MO</CountrySubdivision> U.S. Version 6.18 30 September 2016 67

Integration Process Standard checkout <Line1>4305 applerock dr</line1> <Line2/> <Line3/> <PostalCode>63368</PostalCode> </BillingAddress> <CardHolderName>Jane Doe</CardHolderName> <ExpiryMonth>6</ExpiryMonth> <ExpiryYear>2017</ExpiryYear> </Card> <TransactionId>286532912</TransactionId> <Contact> <FirstName>Jane</FirstName> <LastName>Doe</LastName> <NationalID>***********</NationalID> <Country>US</Country> <EmailAddress>janedoe@test.com</EmailAddress> <PhoneNumber>1-3692581470</PhoneNumber> </Contact> <ShippingAddress> <City>O fallon</city> <Country>US</Country> <CountrySubdivision>US-MO</CountrySubdivision> <Line1>4305 applerock dr</line1> <Line2/> <Line3/> <PostalCode>63368</PostalCode> <RecipientName>Jane Doe</RecipientName> <RecipientPhoneNumber>US+1-8734048394</RecipientPhoneNumber> </ShippingAddress> <AuthenticationOptions> <AuthenticateMethod>DSRP</AuthenticateMethod> </AuthenticationOptions> <WalletID>208</WalletID> <PreCheckoutTransactionId>a4c411b-18h26t-icni2rol-1-ics6caee-123y</ PreCheckoutTransactionId> <ExtensionPoint> <DSRP> <DSRPData>Qwertyuio0987654321asdfghjklpoiuytrewq1234567890unhtsrebnkoiemskdh245678 912e9inyQwertyuio0987654321asdfghjklpoiuytrewq1234567890unhtsrebnkoiemskdh24567891 2e9inyQwertyuio0987654321asdfghjklpoiuytrewq1234567890unhtsrebnkoiemskdh245678912e 9inyQwertyuio0987654321asdfghjklpoiuytrewq1234567890unhtsrebnkoiemskdh245678912e9i nyqwertyuio0987654321asdfghjklpoiuytrewq1234567890unhtsrebnkoiemskdh245678912e9iny Qwertyuio0987654321asdfghjklpoiuytrewq1234567890unhtsrebnkoiemskdh245678912e9inyqa zwsxedcrfvtgbyhnuj</dsrpdata> <DSRPDataType>ICC</DSRPDataType> <UnpredictableNumber>413142==</UnpredictableNumber> </DSRP> </ExtensionPoint> </Checkout> Checkout XML DSRP Details NOTE: For details on the remaining elements in XML, refer to the V6 Checkout XML Details table. U.S. Version 6.18 30 September 2016 68

Integration Process Standard checkout Element Description Type Min-Max Checkout.Card.Account Number Card number or primary account number (PAN) that identifies the consumer s card. For DSRP transactions the actual number is replaced with an MDES DSRP device-based or card on file token. Integer 13 24 Checkout.Authenticatio noptions.authenticate Method The method used to authenticate the cardholder at checkout. Valid values are MERCHANT ONLY, 3DS and NO AUTHENTICATION, and DSRP. Alphanumeric NA Value equals DSRP for DSRP transactions. Checkout.ExtensionPoin t.dsrp.dsrpdata DSRP cryptogram generated by the consumer s Masterpass wallet Alphanumeric UCAF: Max 32 ICC: Max 512 Checkout.ExtensionPoin t.dsrp.dsrpdatatype Indicates the type of cryptogram generated by the consumer s Masterpass wallet. Alpha NA Masterpass passes the most secure selection (ICC) if the merchant or service provider has indicated they can accept both types (UCAF, ICC). U.S. Version 6.18 30 September 2016 69

Integration Process Standard checkout Element Description Type Min-Max Checkout.ExtensionPoin t.dsrp.unpredictablenu mber Checkout.ExtensionPoin t.dsrp.eci Encoded EMV-quality random number generated by either the merchant or Masterpass. Electronic commerce indicator (ECI) value (DE 48 SE 42 position 3). Present only when DSRP data type is UCAF. For Mastercard brand cards, value is: 02 Authenticated by ACS (Card Issuer Liability) 4-byte binary string 8 Numeric UCAF: 02 ICC: N/A NOTE: The Security Level Indicators (SLIs) found in Authorization DE 48 (Additional Data Private Data), subelement 42 (Electronic Commerce Indicators), subfield 1 (Electronic Commerce Security Level Indicator and UCAF Collection Indicator), positions 1 3 for a Masterpass DSRP transaction are 24X, where the positions 1 and 2 combination of 24 indicates a DSRP transaction and the position 3 value of X is the ECI value. Tokenization Extension Points in the Masterpass Checkout XML When Masterpass generates and replaces the primary account number (PAN) with a token (device-based or card-on-file), the Checkout XML that is returned to the merchant or service provider will include (a) a token in place of the actual account/card number in the AccountNumber element, (b) the expiry month and year of the token, and (c) values in the three tokenization-related extension points described in the Checkout XML Tokenization Details table. Merchants or service providers must parse the checkout XML to extract and utilize the values provided to: Display the last four digits of consumer s card number to facilitate the entry of the card security code or print on the order confirmation page and/or receipt. Identify and pass the identifier of the token requestor. Record the payment account reference (PAR) data element to link the current transaction to others made by the same consumer. Checkout XML Sample with Tokenization Extension Points NOTE: The elements shown in bold are affected by the presence of a token. U.S. Version 6.18 30 September 2016 70

Integration Process Standard checkout <Checkout> <Card> <BrandId>master</BrandId> <BrandName>Mastercard</BrandName> <AccountNumber>5178058604388374</AccountNumber> <BillingAddress> <City>O fallon</city> <Country>US</Country> <CountrySubdivision>US-MO</CountrySubdivision> <Line1>4305 applerock dr</line1> <Line2/> <Line3/> <PostalCode>63368</PostalCode> </BillingAddress> <CardHolderName>Jane Doe</CardHolderName> <ExpiryMonth>6</ExpiryMonth> <ExpiryYear>2017</ExpiryYear> </Card> <TransactionId>286532912</TransactionId> <Contact> <FirstName>Jane</FirstName> <LastName>Doe</LastName> <NationalID>***********</NationalID> <Country>US</Country> <EmailAddress>janedoe@test.com</EmailAddress> <PhoneNumber>1-3692581470</PhoneNumber> </Contact> <ShippingAddress> <City>O fallon</city> <Country>US</Country> <CountrySubdivision>US-MO</CountrySubdivision> <Line1>4305 applerock dr</line1> <Line2/> <Line3/> <PostalCode>63368</PostalCode> <RecipientName>Jane Doe</RecipientName> <RecipientPhoneNumber>US+1-8734048394</RecipientPhoneNumber> </ShippingAddress> <AuthenticationOptions> <AuthenticateMethod>DSRP</AuthenticateMethod> </AuthenticationOptions> <WalletID>208</WalletID> <PreCheckoutTransactionId>a4c411b-18h26t-icni2rol-1-ics6caee-123y</ PreCheckoutTransactionId> <ExtensionPoint> <DSRP> <DSRPData>Qwertyuio0987654321asdfghjklpois</DSRPData> <DSRPDataType>UCAF</DSRPDataType> <UnpredictableNumber>413142==</UnpredictableNumber> <Eci>02</Eci> </DSRP> <Tokenization> <FPanSuffix>1234</FPanSuffix> <TokenRequestorId>12345678911</TokenRequestorId> </Tokenization> <PaymentAccountReference>01123456789abcdefghijkl9</ PaymentAccountReference> </ExtensionPoint> </Checkout> U.S. Version 6.18 30 September 2016 71

Integration Process Standard checkout Checkout XML Tokenization Details NOTE: For details on the remaining elements in XML, refer to the V6 Checkout XML Details table. Checkout XML Element Description Type Min Max Tokenization- Related Extension Points FPanSuffix Last digits of card number or primary account number that identifies the card. Also known as Funding Primary Account Number. Normally suffix is the last four digits. String 8 TokenRequestorId Identifier of the entity requesting the token, typically the wallet from which the transaction originated. For Masterpass transactions, this ID is that for Mastercard/ Masterpass or for the wallet provider. String 11 PaymentAccountR eference Data element that allows merchants/ service providers and acquirers to link all transactions for a single consumer even in the absence of the actual primary account number (PAN). Alphanumeric 24 For more information on the Payment Account Reference (PAR), refer to EMVCo Draft Specification Bulletin No. 167. U.S. Version 6.18 30 September 2016 72

Integration Process Standard checkout Split/Partial Shipments and Recurring Payment Transactions Split/partial shipments occur when an e-commerce merchant or service provider ships several items in separate consignments (for example, if a portion of the purchased items are out of stock or items are shipping from separate locations). Recurring payments occur when a cardholder has authorized a merchant to bill the cardholder s account on a recurring basis (for example, monthly or quarterly). The amount of each payment may or may not be the same. Only the first authorization for split/partial or recurring payments associated with a Digital Secure Remote Payment (DSRP) transaction may contain cryptographic data. Merchants or service providers must not include the cryptogram with each subsequent authorization request. They must indicate (in DE 48, SE 42, position 3), however, that the subsequent authorizations are associated with a previous authorization that was cryptographically authenticated (by coding a value of 07 in position 3 rather than a value of 02 as mentioned in the Eci row of the Checkout XML DSRP Details table in the DSRP Extension Points in the Masterpass Merchant API section). 3-D Secure Considerations It is important to note that the Masterpass Mobile Checkout product that facilitates merchant app-to-wallet app transactions automatically suppresses 3-D Secure for Digital Secure Remote Payment (DSRP) transactions when it is called from within the Masterpass wallet. Merchants should also suppress 3-D Secure for these transactions. For more information about the Mobile Checkout product, refer to the Masterpass Android Checkout Sample App page on GitHub. Testing DSRP For information on the tools that are currently available for testing Digital Secure Remote Payment (DSRP) implementation, send a message to the following email address. merchant_testing_support@masterpass.com Masterpass Service Descriptions The following sections describe the different services offered by Masterpass. Request Token Service This must be executed when a consumer clicks the Masterpass Checkout button on your site/app. Sandbox and Production Endpoints for the Request Token Service The endpoints to be used for the Request Token Service are as follows. https://sandbox.api.mastercard.com/oauth/consumer/v1/request_token https://api.mastercard.com/oauth/consumer/v1/request_token U.S. Version 6.18 30 September 2016 73

Integration Process Standard checkout Shopping Cart Service Merchants must call the Shopping Cart service before invoking the Masterpass UI for checkout. NOTE: The product description needs to be HTML encoded and has a character limit of 100 characters. Sandbox and Production Endpoints for the Shopping Cart Service The endpoints to be used for the Shopping Cart Service are as follows. https://sandbox.api.mastercard.com/masterpass/v6/shopping-cart https://api.mastercard.com/masterpass/v6/shopping-cart Merchant Initialization Service This service is used to secure Lightbox connections between merchant and Masterpass. Merchant Initialization also has an optional SecondaryOriginUrl field if the service provider sets this. This is used only when the Lightbox will be invoked from a frame that is on a merchant site and when that frame is of a different domain than that of the merchant site, like for a service provider. This service requires a request token (OAuthToken). Request and response parameter details can be found here. Sandbox and Production Endpoints for the Merchant Initialization Service The endpoints to be used for the Merchant Initialization Service are as follows. https://sandbox.api.mastercard.com/masterpass/v6/merchant-initialization https://api.mastercard.com/masterpass/v6/merchant-initialization Access Token Service The next step is to exchange a request token for a long access token from the Masterpass service. You will need the Request Token (oauth_token) and Verifier (oauth_verifier) from the merchant callback to get an access token. Request and response parameter details can be found here. Sandbox and Production Endpoints for the Access Token Service The endpoints to be used for the Access Token Service are as follows. https://sandbox.api.mastercard.com/oauth/consumer/v1/access_token https://api.mastercard.com/oauth/consumer/v1/access_token U.S. Version 6.18 30 September 2016 74

Integration Process Standard checkout Retrieve Payment, Shipping Data, and 3-D Secure Details Now you will use the Checkout Resource URL request parameter (checkout_resource_url) received from the callback URL to retrieve consumer s payment, shipping address, and 3-D Secure information from Masterpass. The checkout resource URL supplied by Masterpass must be decoded and consumed by the merchant as provided by Masterpass. Masterpass may add or delete parameters in future. Below are two examples of callback URLs with the checkout_resource_url parameter in bold: 1. https://anymerchant.com/checkoutcallback? mpstatus=success&checkout_resource_url=https%3a%2f%2fapi.mastercard.com %2Fmasterpass%2Fv6%2Fcheckout %2F11318523&oauth_verifier=aa2ff8e8f1144f45c3b8fdc3d42398913a49e387&oauth_t oken=b8361ad151af35f71df7b395e083befcaf8192dd Decoded checkout URL: checkout_resource_url=https://api.mastercard.com/masterpass/v6/checkout/11318523 2. https://anymerchant.com/checkoutcallback?checkout_resource_url=https%3a%2f %2Fapi.mastercard.com%2Fmasterpass%2Fv6%2Fcheckout %2F11318500&checkoutId=11318500&oauth_verifier=aa2ff8e8f1144f45c3b8fdc3d423 98913a49e387&oauth_token=b8361ad151af35f71df7b395e083befcaf8192dd Decoded checkout URL: checkout_resource_url=https://api.mastercard.com/masterpass/v6/checkout/ 11318500&checkoutId=11318500 Request and response parameter details can be found here. NOTE: Masterpass performs a CVC/CVV check at card enrollment. However, in accordance with PCI standards, CVC2/CVV2 data is not persisted, and will not be provided to the merchant. As the card data has been validated and securely stored by Masterpass, merchants must not require CVC/CVV entry from a consumer checking out with Masterpass. In cases where, prior to submitting their order, the cardholder chooses to replace the payment details provided by Masterpass with different, manually entered payment details, Merchants should ask the cardholder to enter CVV2/CVC2/CID as they would in the normal course and should not pass the wallet indicator flag to the acquirer. In this case, the transaction is no longer considered to be a Masterpass transaction. Checkout Postback is still required. It is recommended not to allow consumers to change their card details after returning from Masterpass. A three-byte wallet Indicator (WID) Flag (WalletID xml element in the checkout xml) will be part of the output returned by this request. This value must be passed to your acquiring bank, and will indicate that the customer s payment details were provided by the Masterpass service, rather than being manually entered. You may need to work with your payment provider (acquirer, payment gateway, and so on) to understand how best to handle this data element. In the event, your acquirer has not completed implementation of this element, your transactions will continue to process as-is. Contact customer support if you have any questions. U.S. Version 6.18 30 September 2016 75

Integration Process Standard checkout The following message elements in the Dual Message System (Authorization and Clearing) and Single Message System carry this WID Flag: Dual Message System (Authorization) Data element (DE) 48 (Additional Data Private Data), subelement 26 (Wallet Program Data), subfield 1 (Wallet Identifier) Dual Message System (Clearing) PDS 0207 (Wallet Identifier) Single Message System DE 48 (Additional Data), subelement 26 (Wallet Program Data), subfield 1 (Wallet Identifier) Postback Service The final step of a Masterpass transaction is a service call from the merchant to Masterpass, communicating the result of the transaction (success or failure). Abandoned transactions do not need to be reported. The <TransactionId> value should be the value from the <TransactionId> element of the Checkout XML returned in the Checkout request. U.S. Version 6.18 30 September 2016 76

Integration Process Standard checkout Request and response parameter details can be found here. The following fields are passed in the postback service call: ConsumerKey: Consumer key from key management on the Masterpass Merchant Portal Currency: Currency for the transaction, for example, USD OrderAmount: Transaction order amount with no decimals, for example, 1500 (for USD 15 transaction amount) PurchaseDate: Date of Purchase ApprovalCode: Six-digit approval code returned by payment API. TransactionId: Transaction ID from TransactionId element of the Checkout XML from the retrieve payment, shipping, and 3-D Secure data service call for example, 35201 TransactionStatus: Status of transaction. Valid values are: SUCCESS: For approved transaction FAILURE: For declined transaction PreCheckoutTransactionId: U.S. merchants can ignore this field, as it is optional Sandbox and Production Endpoints for the Postback Service The endpoints to be used for the Postback Service are as follows. https://sandbox.api.mastercard.com/masterpass/v6/transaction https://api.mastercard.com/masterpass/v6/transaction Android and ios App Integration In order to integrate the Masterpass web checkout experience into your Android or ios application, you must integrate with all of the Masterpass services described previously.. Mobile Browser Support Below is a list of mobile browsers supported by Masterpass Lightbox. Phone ios 8+ (Safari ) on iphone 6+ ios 8+ (Safari) on iphone 5+ Android 4.0+ (Chrome ) Android 4.0+ (Stock Browser) Tablet ios 8+ (Safari) Android 4.0+ (Chrome) Android 4.0+ (Stock Browser) Sample Integration In the merchant's application, the merchant must have a Masterpass Checkout button depending on the Masterpass checkout process. Please refer to Chapter 2 Masterpass Checkout Experiences section for more information on the various checkout process flows. U.S. Version 6.18 30 September 2016 77

Integration Process Standard checkout Merchants should integrate Masterpass Lightbox by refering to the Lightbox Integration section. Once Masterpass Lightbox Integration is completed, upon the user s clicking of Masterpass Checkout, the merchant application must redirect the user to a mobile browser that launches the Masterpass experience. NOTE: Masterpass does not support webview for in-app implementation due to security issues. A sample web page implementation is provided below. Open URL in Mobile Browser Sample ios Objective-C Code to Open URL [ [UIApplication sharedapplication ] openurl : [NSURL URLWithString : @"url_to_merchant_web_page_that_launches_masterpass" ] ] ; Sample ios Swift Code to Open URL UIApplication. sharedapplication ( ). openurl ( NSURL (string : "url_to_merchant_web_page_that_launches_masterpass" )! ) Sample Android Code to Open URL Uri uri = Uri. parse ( "url_to_merchant_web_page_that_launches_masterpass" ) ; Intent intent = new Intent (Intent.ACTION_VIEW, uri ) ; startactivity (intent ) ; Sample Web Page That Launches Masterpass <html> <head> <!-- url to sandbox masterpass lightbox --> <script type="text/javascript" src=" https:// sandbox.static.masterpass.com/dyn/js/switch/integration/masterpass.client.js "></ script> <!-- url to production masterpass lightbox --> <!-- <script type="text/javascript" src=" https:// static.masterpass.com/dyn/js/switch/integration/masterpass.client.js "></script> --> <!-- url to jquery 1.10.2 --> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/ jquery/1.10.2/jquery.min.js"></script> </head> <body> <script> <!-- see sample javascript to invoke Masterpass below--> </script> </body> </html> 1234567891011121314151617 Sample JavaScript to Invoke Masterpass Checkout Below is a sample JavaScript to invoke Masterpass. You can also see Lightbox Integration - Standard checkout for more information. U.S. Version 6.18 30 September 2016 78

Integration Process Standard checkout $ (document ). ready ( function ( ) { Masterpass.client. checkout ( { // from Masterpass Request Token Service "requesttoken" : "request_token", // redirect url after checkout is completed "callbackurl" : "merchant_callback_url", // checkout identifier from the Masterpass Merchant Portal "merchantcheckoutid" : "merchant_checkout_id", // Card types accepted by merchant "allowedcardtypes" : "master,amex,diners,discover,maestro,visa", // version v6 "version" : "v6" } ) ; } ) ; Handling Callbacks from Masterpass In addition to invoking Masterpass, the merchant must implement callbacks from Masterpass on its backend system when a transaction is successful or cancelled. For Standard Checkout callback, please refer to Standard Checkout Callback. Redirecting User Back to Merchant App After a checkout is completed, the merchant should implement its own mechanism to redirect users back to its mobile application. Android On Android, one of the ways to redirect users back to a native application from browser is to use an Intent. You can find more information by referring to Android's developer website. Helpful Links When coming from the Chrome mobile browser https://developer.chrome.com/multidevice/android/intents When using Android Intent ios http://developer.android.com/reference/android/content/intent.html On ios, some of the ways to redirect users back to a native application from browser are to use URL Schemes and Universal Links. You can find more information by refering to Apple's developer website. Helpful Links URL Schemes https://developer.apple.com/library/ios/documentation/iphone/conceptual/ iphoneosprogrammingguide/inter-appcommunication/inter-appcommunication.html Universal Link https://developer.apple.com/library/ios/documentation/general/conceptual/appsearch/ UniversalLinks.html U.S. Version 6.18 30 September 2016 79

Integration Process Completing the Integration Completing the Integration By the end of the integration, your site or mobile app must be able to do the following: 1. Display Masterpass Checkout button and the Learn More link at the start of the checkout experience. 2. Invoke and display the Masterpass Lightbox. 3. Relay Masterpass checkout requests to the Masterpass service. 4. Receive consumer s billing and shipping address from Masterpass service. 5. Process card and shipping information using existing checkout process. NOTE: Your implementation must satisfy all criteria in the Q/A Checklist. U.S. Version 6.18 30 September 2016 80

Masterpass Branding Chapter 6 Masterpass Branding This topic provides information on Masterpass branding. Displaying the Masterpass Checkout Button and Acceptance Marks...82 Masterpass Checkout Button Example...83 Dynamic Checkout Button...84 Masterpass Learn More Page... 84 U.S. Version 6.18 30 September 2016 81

Masterpass Branding Displaying the Masterpass Checkout Button and Acceptance Marks Displaying the Masterpass Checkout Button and Acceptance Marks The Masterpass Masterpass Checkout button URLs and acceptance mark URLs can be found in this section. To ensure the best consumer experience, the checkout button should be placed at the earliest possible entry point, prior to the collection of shipping and billing information. NOTE: With the July 2016 Release, Masterpass has redesigned many digital assets, including but not limited to the Buy with Masterpass button, Masterpass acceptance marks, and the Learn More link. In the coming months, Masterpass will update the integration guides, the Masterpass Merchant Portal, the Mastercard Developers site, and so on, to reflect the new button design and branding. Masterpass Checkout Button Masterpass Acceptance Mark NOTE: Downloading and locally hosting the Masterpass Checkout Button image and acceptance marks is against Masterpass integration guidelines. To minimize the impact of future branding updates, use the country-specific link (indicated in the following section) to the images on the checkout page. To successfully integrate with Masterpass and enable successful checkout by an end-user consumer via the service, the Masterpass Checkout button must be integrated on the merchant/service provider website and displayed as noted in the Masterpass Merchant Branding Requirements document. The URL naming convention uses the base URL, Language Code (ISO 639-1), Country Code (ISO 3166-1), and Button file name based on size as follows: Base URL/Language/Country/ Image File Name Base URL: https://static.masterpass.com/dyn/img/ NOTE: The list of language/country folders can be found on the Masterpass Checkout FAQs page under the question, Which countries and locales are currently supported to host Buy with Masterpass images? U.S. Version 6.18 30 September 2016 82

Masterpass Branding Displaying the Masterpass Checkout Button and Acceptance Marks Below is the list of all production Masterpass Checkout button URLs supported for the U.S. market: https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_147x034px.png https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_160x037px.png https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_166x038px.png https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_180x042px.png https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_290x068px.png https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_317x074px.png https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_326x076px.png https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_360x084px.png https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_376x088px.png https://static.masterpass.com/dyn/img/btn/en/us/mp_chk_btn_539x126px.png Below is the list of all production Masterpass acceptance mark URLs supported for the U.S. market: https://static.masterpass.com/dyn/img/acc/en/us/mp_acc_046px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_acc_060px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_acc_068px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_acc_076px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_acc_100px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_acc_130px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_acc_226px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_mc_acc_023px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_mc_acc_030px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_mc_acc_034px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_mc_acc_038px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_mc_acc_050px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_mc_acc_065px.png https://static.masterpass.com/dyn/img/acc/en/us/mp_mc_acc_113px.png Masterpass Checkout Button Example The following is an example of how a merchant can include the checkout button. <div class="masterpassbtnexample"><a href="/exampleredirect"> <img src="https://static.masterpass.com/dyn/img/btn/en/us/ mp_chk_btn_147x034px.png" alt="checkout with Masterpass Button Example" /></a></div> U.S. Version 6.18 30 September 2016 83

Masterpass Branding Masterpass Learn More Page Dynamic Checkout Button As part of the product redesign, Masterpass is introducing a new checkout button design, along with an ability to display a personalized dynamic checkout button based on a consumer s past wallet usage. The dynamic button capability will be initially available to a few wallet providers, and merchants integrating to any of the URLs in the Displaying the Masterpass Checkout Button and Acceptance Marks section will be able to display this button to their shoppers using Masterpass. Masterpass Learn More Page In addition to the Masterpass checkout button and acceptance mark, Masterpass also requires merchants/service providers to provide a link to Learn More page which can be used by the consumers to get additional information about Masterpass. We recommend that you place the link in close proximity to the Masterpass Checkout button. NOTE: With the July 2016 Release, Masterpass has redesigned many digital assets, including but not limited to the Buy with Masterpass button, Masterpass acceptance marks, and the Learn More link. In the coming months, Masterpass will update the integration guides, the Masterpass Merchant Portal, Mastercard Developers, and so on, to reflect the new button design and branding. The following URL needs to be referenced for displaying the Learn More page for the U.S. market: English - https://www.mastercard.com/mc_us/wallet/learnmore/en/us/ NOTE: Downloading and locally hosting this content is against Masterpass integration guidelines. To minimize the impact of future updates to this page, use the below mentioned country-specific link to the images on the checkout page. U.S. Version 6.18 30 September 2016 84

Testing Chapter 7 Testing This topic provides information on how to perform testing in the sandbox environment. Masterpass Sandbox Testing...86 Sign up for a Test Masterpass Wallet Account during Checkout and Test the Unrecognized Experience...86 Sign in to a Test Masterpass Wallet Account during Checkout and Test the Recognized Experience...88 Q/A Checklist...89 Checklist for Masterpass Asset Placement...89 In-Wallet Experience...89 Post-Wallet Experience... 89 Postback... 90 General... 90 U.S. Version 6.18 30 September 2016 85

Testing Masterpass Sandbox Testing Masterpass Sandbox Testing To access the necessary information to test in the sandbox environment, the developer must submit an approval request to the merchant and obtain a sandbox consumer key as explained earlier in the guide. The following pre-set Masterpass wallet accounts, which have previously been available for sandbox testing, are no longer available: joe.test@email.com joe.test3@email.com 3ds.masterpass+securecode@gmail.com 3ds.masterpass+verifiedbyvisa@gmail.com To conduct testing in the sandbox environment, you must first set up your own Masterpass test wallet account. Sign up for a Test Masterpass Wallet Account during Checkout and Test the Unrecognized Experience To set up a Masterpass test wallet account and test the unrecognized experience in the sandbox environment, complete the following instructions. Procedure 1. Go to your merchant website in the test environment, add an item to the shopping cart, and click on the Masterpass checkout button. Because you are an unrecognized, first-time user, the standard Masterpass checkout button appears. 2. Click on Sign-up. 3. Add an existing email ID and phone number that you have access to (for example, your work email address and phone number). 4. Click on I m not a robot. 5. Ensure you have chosen country US-English language (see the flag in the bottom-right corner of the screen). 6. Add one of the test card numbers from the table below. Note that these are not real cards and cannot be used outside of the Masterpass testing environment. There are two categories of test card numbers: Category1 cards: Intelligent wallet routing links to a Masterpass by Mastercard wallet. When you return to the same site as a recognized consumer after completing checkout at the first visit, the same Standard Checkout button will appear. Note that the images included here are only for illustrative purposes and may change as button design is finalized. U.S. Version 6.18 30 September 2016 86

Testing Masterpass Sandbox Testing Category2 cards: Intelligent wallet routing links to a Pilot3 wallet. When you return to the same site as a recognized consumer after completing checkout at the first visit, the Dynamic Checkout button specific to Pilot3 wallet provider will appear. Note that the images included here are only for illustrative purposes and may change as button design is finalized. Category Test Card # CVC Expiration Date Billing Address Category1 5506900140100305 [Any] [Any] [Any] Category1 5506900140100107 [Any] [Any] [Any] Category1 5506900140100206 [Any] [Any] [Any] Category1 5506900140100404 [Any] [Any] [Any] Category1 5506900140100503 [Any] [Any] [Any] Category2 5506900140200105 [Any] [Any] [Any] NOTE: You should always add one of the test cards above to test the new Masterpass experience, which uses intelligent wallet routing and dynamic-button functionality. On the next screen, notice the change in branding on top of the Lightbox screen based on the wallet you were routed to (Masterpass by Mastercard wallet or Pilot3 co-branded wallet). 7. Add your billing addresses, password, and shipping addresses to your wallet account. 8. Select the Remember me on this device option on the Congratulations screen so you (a) do not have to rekey the entire test account information every time you login to Masterpass and (b) are not asked to authenticate with a one-time password (OTP) via SMS or email ID. 9. Click on the Continue button. All of the transaction data will be sent to your test merchant site, and you will be redirected to your merchant test site (where you can submit/place the order). U.S. Version 6.18 30 September 2016 87

Testing Masterpass Sandbox Testing NOTE: If you have a test payment gateway setup for this testing, you may need to replace the test card details provided above with your own test card data and send the transaction through to the gateway and Masterpass. Submit a postback, too, per Masterpass integration guidelines. NOTE: As an exception to step 2, service providers that have onboarded merchants to Masterpass and have a need to provide them with a single wallet account should create their test wallet account using a false email ID ending in @example.com or @email.com. Masterpass whitelists all wallet accounts associated with an email ID with these two false email domains for a static OTP 123456. As a result, however, you will not receive any email communications related to test-account activity. If you have questions or concerns, contact your local Masterpass representative or the Mastercard implementation manager working with you. Sign in to a Test Masterpass Wallet Account during Checkout and Test the Recognized Experience After setting up your Masterpass test wallet account, complete the following instructions to test the recognized Masterpass checkout experience. Before you begin You must have already created a your Masterpass test wallet account by completing the Sign up for a Test Masterpass Wallet Account during Checkout and Test the Unrecognized Experience instructions. Procedure 1. Go to your merchant website in the test environment and add an item to the shopping cart. Notice the change in the Masterpass checkout button that appears. The checkout button you see will depend on the category of test card number that you used. Category1 cards: The Standard Checkout button will appear. Note that the images included here are only for illustrative purposes and may change as button design is finalized. Category2 cards: The Dynamic Checkout button specific to a Pilot3 wallet provider will appear. Note that the images included here are only for illustrative purposes and may change as button design is finalized. 2. Click on the Masterpass checkout button. 3. Click Sign in and provide your password. U.S. Version 6.18 30 September 2016 88

Testing Q/A Checklist 4. Confirm your card and shipping details. 5. Click on the Continue button. All of the transaction data will be sent to your test merchant site, and you will be redirected to your merchant test site (where you can submit/place the order). NOTE: If you want to test the Unrecognized consumer experience again, clear all cookies on your browser so you can initiate the steps above again. Q/A Checklist This topic provides information on the Q/A checklist. Checklist for Masterpass Asset Placement The following is an checklist to follow for proper placement of Masterpass visual assets. Verify your adherence to the Masterpass Merchant Branding Requirements document. Verify that you are linking to all Masterpass visual assets (this includes the checkout button, acceptance marks, and Learn More link) and JavaScript library through provided URLs. Do not download and host these assets on your own side. Verify that the Masterpass checkout button is used appropriately on the checkout page to initiate the Masterpass experience. In-Wallet Experience The following is a checklist for the Masterpass in-wallet experience. Verify that the consumer can only select cards and addresses that are supported by the merchant. Merchants requesting liability shift for Masterpass transactions should use Advanced Checkout/3-D Secure within Masterpass. Merchants must enable 3-D Secure such that it is invoked within the Masterpass wallet. Post-Wallet Experience The following is a checklist for post-wallet experience. After clicking the Finish Shopping button, verify the consumer is taken to a valid page. Verify that the Masterpass acceptance mark is displayed for all Masterpass transactions. As recommended by Masterpass, do not allow consumers to edit the payment information returned on the merchant site. Verify that any information provided by a consumer s Masterpass wallet (for example, payment, shipping, profile information, and so on) is used only for that transaction and is not stored for subsequent use. Verify that your code gracefully handles consumers returning without selecting a card and address (as a result of user choice or login failure). Verify that your code handles the return of a consumer with an expired request token. U.S. Version 6.18 30 September 2016 89

Testing Q/A Checklist NOTE: The request token is valid for 15 minutes; therefore, if the process is not completed within the timeout, the request token will expire, and the checkout will need to be restarted. Verify that your code is able to parse and ingest the returned data. Verify that any post-masterpass wallet page has a clear call to action (for example, select preferred shipping method) versus simply having the consumer review the data they just selected in the wallet. Verify that the consumer is not required to enter CVC/CVV in order to complete the transaction. Verify that the card primary account number (PAN) has not been provided to any entity that does not have the appropriate security in place for storage and transmission of card data (per PCI guidelines). Verify that if merchants are provided with the PAN, this value is not displayed on screen. Verify that your system can handle the PostalCode element of up to nine characters; this element is sent by Masterpass as part of the BillingAddress and the ShippingAddress elements in checkout XML. Postback The following is a checklist for postback: Ensure that you are submitting postback for all Masterpass transactions initiated with the consumer s click of the Masterpass checkout button (approved, declined, or abandoned). Verify that the transaction ID submitted as part of a postback was sourced from the associated Masterpass transaction. Verify that the transaction result (postback) is reported immediately. General The following is a general checklist. Ensure that you are coding to DNS and not to IP addresses for our URLs and endpoints. Verify that your implementation follows the standard process and utilizes all calls (to the Masterpass wallet, complete postback, and so on) for each and every transaction initiated by a consumer s click of the Masterpass checkout button. Verify that you are accepting and passing the wallet identifier (WID) when present for Masterpass transactions. U.S. Version 6.18 30 September 2016 90

Troubleshooting Chapter 8 Troubleshooting This topic provides information on troubleshooting. Common Errors... 92 Support... 92 U.S. Version 6.18 30 September 2016 91

Troubleshooting Common Errors Common Errors The following are the procedures to troubleshoot the most common errors that you may encounter. If you get Error 400 when calling Masterpass web services: Verify Authorization header is not missing from the request. Verify Authorization header has the following: Signature Consumer Key (exists and correct length) Nonce Signature Method Timestamp Callback URL (Request Token call only) oauth_verifier (Access Token call only) oauth_token (Access Token call only) If you get Error 401 when calling Masterpass web services: Verify that you are passing the Access Token in the get CheckoutXML call. If you get Error 403 - Forbidden when calling Masterpass services: Verify correct credentials or correct environment (that is, sandbox credentials with the prod URL). Verify timestamp. If you get Error 500 when calling Masterpass web services: Verify oauth_body_hash exists and is correct (Post Transaction call only). Verify Content-Type HTTP header is being sent. Verify correct private key. Verify signature is readable (for example, encoded incorrectly). Support This topic provides information on how to get additional support. Refer to the Masterpass Checkout FAQs page on the Mastercard Developers site. If you have any questions or comments relating to Masterpass merchant testing, contact the implementation manager assigned to work with you on this implementation. If you don t have an assigned implementation manager, send an email with the following information (as applicable) to merchant_support@masterpass.com for merchants that are new to Masterpass or support@masterpass.com for existing Masterpass merchants: Merchant/Service Provider Name U.S. Version 6.18 30 September 2016 92

Troubleshooting Support Email Address Country/Region Onboarding Model (Direct Merchant, Service Provider Merchant-by-Merchant or Service Provider File and API Onboarding) Environment of Integration (Sandbox or Production) Checkout Version and Checkout Identifier Consumer Key Postback Details (Amount, Date and Time of recent Checkout) Detailed description of the issue, including expected and actual test results (if applicable) Error Message(s) Screenshot(s) Exact Timestamp U.S. Version 6.18 30 September 2016 93

Appendix Appendix Appendix A Appendix This appendix provides additional information related to Masterpass integration process. Lightbox Parameters... 95 OAuth Samples...97 Request Token...97 Merchant Initialization Service... 99 Shopping Cart Service... 103 Access Token Service... 108 Checkout Resource... 110 Postback Service...124 Renew a Mastercard Developers API Key...133 Mastercard Developers Key Tool Utility... 137 3-D Secure Overview...138 3-D Secure Service Description... 138 General Overview of Mastercard SecureCode and Verified by Visa Transaction Authentication... 139 Important Merchant Information... 140 U.S. Version 6.18 30 September 2016 94

Appendix Lightbox Parameters Lightbox Parameters This section provides descriptions of the Masterpass Lightbox parameters. Lightbox parameters invoked on clicking the Masterpass Checkout button O = Optional; R = Required; A = Automatically populated Parameter name Data type Card Security Checkout Description allowedcardtypes string[] O This parameter restricts the payment methods that may be selected based on card brand. Omit this parameter to allow all payment methods. Here are the valid values for different card types Mastercard: master Maestro: maestro American Express: amex Discover: discover Diners: diners Visa: visa JCB: jcb callbackurl string O O This defines the base URL to which the browser is redirected to upon successful or failed completion of the flow if there is no appropriate callback function available. cancelcallback failurecallback functio n functio n O O This defines the function to be called when the flow is cancelled by the consumer prior to completing checkout. O O This defines the function to be called when the flow ends in failure. Refer SDK for more examples. U.S. Version 6.18 30 September 2016 95

Appendix Lightbox Parameters Parameter name Data type Card Security Checkout Description merchantcheckoutid string R R This is the checkout identifier which is used to identify the merchant and their checkout branding. requestbasiccheckout boolean O Set to "true" to disable step-up authentication (advanced checkout) during any checkout flow. The default is "false". requesttoken string R R This is an OAuth token. shippinglocationprofile comma separat ed string O This parameter defines Merchant s Shipping Profile(s) for the transaction that they set in their account. Multiple values may be passed via comma separation (as in, no spaces within a profile name). For example, "CHEERIO,AUONLY,NAmerica". successcallback functio n O O This defines the function to be called when the flow ends in success. suppressshippingaddressenable boolean O When set to true, the consumer placing the order through Masterpass Wallet will not provide a shipping address (for example, when the consumer purchases digital goods). When set to false, the consumer placing the order through Masterpass Wallet must provide a shipping address. U.S. Version 6.18 30 September 2016 96

Appendix OAuth Samples OAuth Samples This topic provides information on OAuth samples. Request Token This section describes the Request Token parameters. Request Token Parameters request_token Request request_token Response oauth_callback oauth_signature oauth_version oauth_nonce oauth_signature_method oauth_consumer_key oauth_timestamp realm X X X X X X X X oauth_token oauth_callback_confirmed oauth_expires_in oauth_token_secret xoauth_request_auth_url X X X X X Request Parameter Details Request Token Request Description Possible Values Signature Base String Authorization Header oauth_callback Endpoint that will handle the transition from the wallet site to the merchant checkout page Variable oauth_signature RSA/SHA1 signature generated from the signature base string Variable U.S. Version 6.18 30 September 2016 97

Appendix OAuth Samples Request Token Request Description Possible Values oauth_version oauth version 1.0 oauth_nonce oauth_signature_m ethod oauth_consumer_ke y Unique alphanumeric string generated from code oauth signature method. Consumer Key generated when completing key management on the Masterpass Merchant portal. Variable RSA-SHA1 Variable oauth_timestamp Current timestamp Variable realm Used to differentiate between our mobile and full site. Currently not used. ewallet Request Token Response Description Possible Values Oauth Token oauth_token oauth_token is sent in the signature base string, authorization header and redirect URL Variable Request Token oauth_callback_con firmed Variable oauth_expires_in Time the Request Token expires in seconds Variable oauth_token_secret Oauth Secret Variable xoauth_request_aut h_url Authorize URL Variable Signature Base String Example POST&https%3A%2F%2Fsandbox.api.mastercard.com%2Foauth%2Fconsumer%2Fv1%2Freque st_token&oauth_callback%3dhttp%253a%252f%252fprojectabc.com%252fmerchant%252f Callback.jsp%26oauth_consumer_key%3DZGho8Df8vqW- IpGCIu559HYriL093IBXdJeKavp4dce9db2a%25216464586653467358724b616c744754454433 49466a413d3d%26oauth_nonce%3D1143452272881219%26oauth_signature_method%3DRSA- SHA1%26oauth_timestamp%3D1339612030%26oauth_version%3D1.0 HTTP Request Example POST /oauth/consumer/v1/request_token HTTP/1.1 Authorization: OAuth oauth_callback="http%3a%2f%2fprojectabc.com%2fmerchant%2fcallback.jsp",oauth_ signature="pznoggtgshe16%2fwhp4cstrxkgj1mv%2fkm6do5zvi6dokzajz0m8qqhieri5lrup U.S. Version 6.18 30 September 2016 98

Appendix OAuth Samples hdyukhw8lkdul1tetpdxm32vtr%2bqgf6n6ibjr8dgcyymfalyayvhf%2fx5oqhudvpdxic10dj0m iuwzpbj1qopn3ibeozvgnxheihykvnpvyehc%3d",oauth_version="1.0",oauth_nonce="114 3452272881219",oauth_signature_method="RSA- SHA1",oauth_consumer_key="ZGho8Df8vqW- IpGCIu559HYriL093IBXdJeKavp4dce9db2a%216464586653467358724b616c74475445443349 466a413d3d",oauth_timestamp="1339612030",realm="eWallet" HTTP Response Example oauth_callback_confirmed=true&oauth_expires_in=900&oauth_token=a02c5c5c1a128c2 cebc650ea9aa3dfb7&oauth_token_secret=c2daaf0888779d82bd63524159bee91f&xoauth_r equest_auth_url=https%3a%2f%2fsandbox.masterpass.com%2fonline%2fcheckout%2faut horize Merchant Initialization Service This section describes the Merchant Initialization parameters. Merchant Initialization Parameters Merchant Initialization resource Request Merchant Initialization Resource Response oauth_signature oauth_version oauth_nonce oauth_signature_method oauth_consumer_key oauth_timestamp realm oauth_body_hash oauth_token Merchant Initialization Request XML X X X X X X X X X X Merchant Initialization Response XML X U.S. Version 6.18 30 September 2016 99

Appendix OAuth Samples Merchant Initialization Request Parameter Details Merchant Initialization Resource Request Description Possible Values Signature Base String Authorization Header oauth_signature RSA/SHA1 signature generated from the signature base string Variable oauth_version Oauth version. 1.0 oauth_nonce oauth_signature_m ethod oauth_consumer_ke y Unique alphanumeric string generated from code oauth signature method. Consumer Key generated when completing key management on the Masterpass Merchant Portal. Variable RSA-SHA1 Variable oauth_timestamp Current timestamp Variable oauth_token Request token Variable Merchant Initialization Request XML MerchantInitializatio nrequest XML Merchant Initialization details Merchant Initialization Resource Response Description Possible Values Oauth Token oauth_token oauth_token is sent in the request Variable Signature Base String Example POST&https%3A%2F%2Fsandbox.api.mastercard.com%2Fmasterpass%2Fv6%merchantinitial ization&oauth_body_hash%3d8k9uhvezjvdzw8aiyixpr70kctk%253d%26oauth_consumer_key %3DcLb0tKkEJhGTITp_6ltDIibO5Wgbx4rIldeXM_jRd4b0476c%2521414f4859446c4a366c726a3 27474695545332b353049303d%26oauth_nonce%3DDEAEB1CD-CA03-405D-A7B4- B4263CB5A305%26oauth_signature_method%3DRSA- SHA1%26oauth_timestamp%3D1380049711%26oauth_version%3D1.0 HTTP Request Example POST /masterpass/v6/merchant-initialization HTTP/1.1 Authorization: OAuth realm="ewallet",oauth_consumer_key="clb0tkkejhgtitp_6ltdiibo5wgbx4rildexm_jrd4b 0476c%21414f4859446c4a366c726a327474695545332b353049303d",oauth_signature_metho d="rsa-sha1",oauth_nonce="deaeb1cd-ca03-405d-a7b4- B4263CB5A305",oauth_timestamp="1380049711",oauth_version="1.0",oauth_body_hash= "8K9uhveZjVdZW8AIYiXpR70KCtk%3D",oauth_signature="IdV4%2FREyJ7nAXK%2FYvuJ2BtO4C 8t6PlW8xTrDob0WzWJ5%2FRBOPDj534Sm7oPdojivWTGOLAcZq3kbVF6rwrsjGFWlNJITXt3HT3zrav U.S. Version 6.18 30 September 2016 100

Appendix OAuth Samples b02oqtrvqh3zlx5fi4o0u2xxqrdwhzvbhjpgwbybrme%2fotw2l9h%2fznsn45xcs1ejpa%2fgi%3d" XML V6 MerchantInitializationRequest XML Schema <?xml version="1.0" encoding="utf-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/xmlschema"> <xs:element name="merchantinitializationrequest" type="merchantinitializationrequest" /> <xs:complextype name="merchantinitializationrequest"> <xs:sequence> <xs:element name="oauthtoken" type="xs:string" /> <xs:element name="precheckouttransactionid" type="xs:string" maxoccurs="1" minoccurs="0" /> <xs:element name="originurl" type="xs:string" /> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0" /> </xs:sequence> </xs:complextype> <xs:element name="merchantinitializationextension" type="merchantinitializationextension"/> <xs:complextype name="merchantinitializationextension"> <xs:sequence> <xs:element name="secondaryoriginurl" type="xs:string" minoccurs="0"/> </xs:sequence> </xs:complextype> URL: https://api.mastercard.com/masterpass/v6/merchant-initialization Sample Request <?xml version="1.0" encoding="utf-8" standalone="yes"?> <MerchantInitializationRequest> <OAuthToken>oauth_demo_token4sj4x6f1eqka2ib2f1nzd1ib2ivvjx16a</OAuthToken> <OriginUrl>http://localhost:8080</OriginUrl> <ExtensionPoint> <SecondaryOriginUrl>http://localhost:8080</SecondaryOriginUrl> </ExtensionPoint> </MerchantInitializationRequest> V6 MerchantInitializationResponse XML Schema <?xml version="1.0" encoding="utf-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/xmlschema"> <xs:element name="merchantinitializationresponse" type="merchantinitializationresponse"/> <xs:complextype name="merchantinitializationresponse"> <xs:sequence> <xs:element name="oauthtoken" type="xs:string"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:complextype name="extensionpoint"> <xs:sequence> <xs:any maxoccurs="unbounded" processcontents="lax" namespace="##any" /> </xs:sequence> <xs:anyattribute /> </xs:complextype> </xs:schema> U.S. Version 6.18 30 September 2016 101

Appendix OAuth Samples V6 MerchantInitializationResponse XML Sample <MerchantInitializationResponse> <OAuthToken>4c7b34cc63a68282bba77a4b34f0192fcb2268fb</OAuthToken> </MerchantInitializationResponse> V6 MerchantInitializationRequest XML Details MerchantInitialization Request XML Element Description Type Min Max MerchantInitializationRe quest Root Element XML - MerchantInitializationRe quest OAuthToken Request Token (oauth_token) returned by call to the request_token API - OriginUrl Identifies the URL of the page that will initialize the Lightbox. string NA ExtensionPoint Reserved for future enhancement. Optional Any SecondaryOriginUrl Identifies the domain URL of the outer/parent web page. This optional field should only be used when the Lightbox will be invoked from a frame that s on a merchant site, and when that frame is of a different domain than that of the merchant site, like for a service provider. string NA MerchantInitialization Response XML Element Description Type Min Max OAuthToken Request Token (oauth_token) returned by call to the request_token API XML - U.S. Version 6.18 30 September 2016 102

Appendix OAuth Samples MerchantInitialization Response XML Element Description Type Min Max ExtensionPoint Reserved for future enhancement. Optional Any - ExtensionPoint Elements Starting with API v6, all schema container elements contain a new optional element named ExtensionPoint. These elements are intended to provide expandability of the API without requiring a new major version. These elements are defined to contain a sequence of xs:any, meaning that any XML content can be contained within the element. In order to ensure future expandability, all integrators must not perform any validation of elements received inside an ExtensionPoint element, beyond any that may be defined by Masterpass in the future with a separate schema. Any such extensions will be optional. Further, only authorized schemas will be allowed inside ExtensionPoint elements, and any unknown elements will be dropped by Masterpass. ExtensionPoint Sample <ExtensionPoint> <s:sampleextension xmlns:s= https://www.masterpass.com/location/of/example/ ns > <s:samplefield>sample Value</s:SampleField> </s:sampleextension> <f:anotherexampleextension xmlns:f= https://www.masterpass.com/location/of/ example2/ns > <f:samplecontainer> <f:anothersamplefield>sample Value</f:AnotherSampleField> </f:samplecontainer> </f:anotherexampleextension> </ExtensionPoint> Shopping Cart Service This section provides description on the Shopping Cart parameters. Shopping Cart Parameters Shopping Cart Request Shopping Cart Response oauth_signature oauth_version oauth_nonce oauth_signature_method oauth_consumer_key oauth_timestamp X X X X X X U.S. Version 6.18 30 September 2016 103

Appendix OAuth Samples oauth_body_hash X oauth_token X X Shopping Cart Request XML X Shopping Cart Response XML X Shopping Cart Parameter Details Shopping Cart Request Description Possible Values Signature Base String Authorization Header oauth_signature RSA/SHA1 signature generated from the signature base string Variable oauth_version Oauth version 1.0 oauth_nonce oauth_signature_m ethod oauth_consumer_ke y Unique alphanumeric string generated from code oauth signature method Consumer Key generated when completing key management on the Masterpass Merchant Portal. Variable RSA-SHA1 Variable oauth_timestamp Current timestamp Variable oauth_body_hash SHA1 hash of the message body Variable Oauth Token oauth_token oauth_token is sent in the signature base string, authorization header and redirect URL Variable Transfer XML Strings Shopping Cart Request XML Merchant Shopping Cart details Shopping Cart Response Description Possible Values Oauth Token oauth_token oauth_token is sent in the signature base string, authorization header and redirect URL Variable U.S. Version 6.18 30 September 2016 104

Appendix OAuth Samples Transfer XML Strings Shopping Cart Response XML Signature Base String Example POST&https%3A%2F%2Fsandbox.api.mastercard.com%2Fmasterpass%2Fv6%2Fshopping-cart &oauth_body_hash%3d8k9uhvezjvdzw8aiyixpr70kctk%253d%26oauth_consumer_key% 3DcLb0tKkEJhGTITp_6ltDIibO5Wgbx4rIldeXM_jRd4b0476c %2521414f4859446c4a366c726a327474695545332b353049303d% 26oauth_nonce%3DDEAEB1CD-CA03-405D-A7B4-B4263CB5A305%26oauth_signature_method %3DRSA-SHA1%26oauth_timestamp% 3D1380049711%26oauth_version%3D1.0 HTTP Request Example POST /masterpass/v6/shopping-cart HTTP/1.1 Authorization: OAuth realm="ewallet",oauth_consumer_key="clb0tkkejhgtitp_6ltdiibo5wgbx4rildexm_jrd4b047 6c% 21414f4859446c4a366c726a327474695545332b353049303d",oauth_signature_method="RSA- SHA1",oauth_nonce="DEAEB1CD- CA03-405D-A7B4- B4263CB5A305",oauth_timestamp="1380049711",oauth_version="1.0",oauth_body_hash="8K 9uhveZjVdZW8AIYiXpR70KCtk% 3D",oauth_signature="IdV4%2FREyJ7nAXK%2FYvuJ2BtO4C8t6PlW8xTrDob0WzWJ5% 2FRBOPDj534Sm7oPdojivWTGOLAcZq3kbVF6rwrsjGFWlNJITXt3HT3zravb02oqTrVQH3Zlx5fi4o0u2x xqrdwhzvbhjpgwbybrme% 2FoTw2l9H%2FznSn45xcS1eJPa%2FGI%3D" V6 ShoppingCart XML Schema <xs:complextype name="shoppingcart"> <xs:sequence> <xs:element name="currencycode" type="xs:string"/> <xs:element name="subtotal" type="xs:long"/> <xs:element name="shoppingcartitem" type="shoppingcartitem" minoccurs="0" maxoccurs="unbounded"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:complextype name="shoppingcartitem"> <xs:sequence> <xs:element name="description" type="xs:string"/> <xs:element name="quantity" type="xs:long"/> <xs:element name="value" type="xs:long"/> <xs:element name="imageurl" type="xs:string" minoccurs="0"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:complextype name="shoppingcartrequest"> <xs:sequence> <xs:element name="oauthtoken" type="xs:string"/> <xs:element name="shoppingcart" type="shoppingcart"/> <xs:element name="extensionpoint" type="shoppingcartrequestextensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:element name="shoppingcartrequestextensionpoint" type="shoppingcartrequestextensionpoint"/> U.S. Version 6.18 30 September 2016 105

Appendix OAuth Samples <xs:complextype name="shoppingcartrequestextensionpoint"> <xs:sequence> </xs:sequence> <xs:anyattribute/> </xs:complextype> <xs:element name="extensionpoint" type="extensionpoint"/> <xs:complextype name="extensionpoint"> <xs:sequence> <xs:any maxoccurs="unbounded" processcontents="lax" namespace="##any"/> </xs:sequence> <xs:anyattribute/> </xs:complextype> V6 ShoppingCart XML Details ShoppingCartRequest Element Description Type Min Max OAuthToken Request Token (oauth_token) returned by call to the request_token API String Variable ShoppingCart Merchant Shopping Cart details XML - String Variable ShoppingCart CurrencyCode Defined by ISO 4217 to be exactly three characters, such as, USD for U.S. Dollars. All MonetaryValues will be modified by the CurrencyCode. Alpha 3 Subtotal ShoppingCartItem Total sum of all the items in the cart excluding shipping, handling and tax. Integer without the decimal, for example, USD 119.00 will be 11900. Details of a single shopping cart item. Integer 1 12 XML - ShoppingCartItem Description Describes a single shopping cart item. String 1 100 Quantity Number of a single shopping cart item. Integer 1 12 U.S. Version 6.18 30 September 2016 106

Appendix OAuth Samples Value ImageURL ExtensionPoint Price or monetary value of a single shopping cart item. Cost * Quantity. Integer without decimal, for example, USD 100.00 is 10000. Link to shopping cart item image. URLs must be HTTPS and not HTTP. Reserved for future enhancement. Optional Integer 1 12 String 0 2000 Any - ShoppingCartRespons e Element Description Type Min Max OAuthToken Request Token (oauth_token) returned by call to the request_token API String Variable ExtensionPoint Reserved for future enhancement. Optional Any - ShoppingCartRequest XML Sample <?xml version="1.0"?> <ShoppingCartRequest> <OAuthToken>f7f16d8462a9424365498afade20caaa</OAuthToken> <ShoppingCart> <CurrencyCode>USD</CurrencyCode> <Subtotal>11900</Subtotal> <ShoppingCartItem> <Description>This is one item</description> <Quantity>1</Quantity> <Value>1900</Value> </ShoppingCartItem> <ShoppingCartItem> <Description>Five items</description> <Quantity>5</Quantity> <Value>10000</Value> <ImageURL>https://somemerchant.com/someimage</ImageURL> </ShoppingCartItem> </ShoppingCart> </ShoppingCartRequest> ShoppingCartResponse XML Sample <?xml version="1.0" encoding="utf-8" standalone="yes"?> <ShoppingCartResponse> <OAuthToken>a747f7e7c2e0c3048843f640b92806c8</OAuthToken> </ShoppingCartResponse> U.S. Version 6.18 30 September 2016 107

Appendix OAuth Samples ShoppingCartResponse XML Schema <?xml version="1.0" encoding="utf-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/xmlschema"> <xs:element name="shoppingcartresponse" type="shoppingcartresponse"/> <xs:complextype name="shoppingcartresponse"> <xs:sequence> <xs:element name="oauthtoken" type="xs:string" /> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0" /> </xs:sequence> </xs:complextype> <xs:complextype name="extensionpoint"> <xs:sequence> <xs:any maxoccurs="unbounded" processcontents="lax" namespace="##any" /> </xs:sequence> <xs:anyattribute /> </xs:complextype> </xs:schema> HTTP Response Example <?xml version="1.0" encoding="utf-8" standalone="yes"?> <ShoppingCartResponse> <OAuthToken>93dcec2e58e1bee050301bb2ee7d9331</OAuthToken> </ShoppingCartResponse> Access Token Service This section describes the Access Token parameters. Access Token Parameters access_token Request access_token Response oauth_signature oauth_version oauth_nonce oauth_signature_method oauth_consumer_key oauth_timestamp realm X X X X X X X oauth_token X X oauth_token_secret X oauth_verifier X U.S. Version 6.18 30 September 2016 108

Appendix OAuth Samples Access Token Parameter Details Access Token Request Description Possible Values Signature Base String Authorization Header oauth_signature RSA/SHA1 signature generated from the signature base string Variable oauth_version Oauth version. 1.0 oauth_nonce oauth_signature_m ethod oauth_consumer_ke y Unique alphanumeric string generated from code oauth signature method Consumer Key generated when completing key management on the Masterpass Merchant Portal. Variable RSA-SHA1 Variable oauth_timestamp Current timestamp Variable realm oauth_verifier oauth_token Used to differentiate between our mobile and full site. Currently not used. Verifier is returned on the callback and used in the access token request oauth token obtained from request token call ewallet Variable Access Token Response Description Possible Values Access Token oauth_token oauth_token that needs to be sent in the signature base string and authorization header for checkout resource call Variable Oauth_Token_Secret oauth_token_secret Oauth Secret Variable Signature Base String Example POST&https%3A%2F%2Fsandbox.api.mastercard.com%2Foauth%2Fconsumer %2Fv1%2Faccess_token&oauth_consumer_key %3DcLb0tKkEJhGTITp_6ltDIibO5Wgbx4rIldeXM_jRd4b0476c %21414f4859446c4a366c726a327474695545332b353049303d%26oauth_nonce%3DXgqPqENy %26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1433963296%26oauth_token U.S. Version 6.18 30 September 2016 109

Appendix OAuth Samples %3Df263a7383ce705fdf17dc163a33c00c5d49bea4e%26oauth_verifier %3Daa73f490841655a36b6ba8fe5e938367a8f0f5d9%26oauth_version%3D1.0 HTTP Request Example Authorization: OAuth oauth_consumer_key="clb0tkkejhgtitp_6ltdiibo5wgbx4rildexm_jrd4b0476c %21414f4859446c4a366c726a327474695545332b353049303d",oauth_nonce="XgqPqENy",oauth_ signature="jimdswuf1aw %2FeAjsXwwgAEeKsEZ0qJiRH39jar3BtZdA6Ccc2zbx4nhDRWm7QNmEgfkruVFbLFkdckix8ZABNW8e %2Fte0mapbCeI0ldkWPb3Bc2z9qvu8uoHpUU9t8Un6k0bbI %2BAswSA30VCcUKtcy2crA2plkAoU52SOq1Cyqdk%3D",oauth_signature_method="RSA- SHA1",oauth_timestamp="1433963296",oauth_token="f263a7383ce705fdf17dc163a33c00c5d4 9bea4e",oauth_verifier="aa73f490841655a36b6ba8fe5e938367a8f0f5d9",oauth_version="1.0",realm="eWallet" HTTP Response Example oauth_token=9429f23bd08f992c41fb5ddabcc03ecd&oauth_token_secret=cd1ab178419c2111 fb1171083f5dc8d9 Checkout Resource This topic provides details of the Checkout parameters and XML. Checkout Parameters Checkout resource Request Checkout Resource Response oauth_signature oauth_version oauth_nonce oauth_signature_method oauth_consumer_key oauth_timestamp realm oauth_token checkout_resource_url X X X X X X X X Used as endpoint Checkout XML X U.S. Version 6.18 30 September 2016 110

Appendix OAuth Samples Checkout Parameter Details Checkout Resource Request Description Possible Values Signature Base String Authorization Header oauth_signature RSA/SHA1 signature generated from the signature base string Variable oauth_version Oauth version. 1.0 oauth_nonce oauth_signature_m ethod oauth_consumer_ke y Unique alphanumeric string generated from code oauth signature method. Consumer Key generated when completing key management on the Masterpass Merchant Portal. Variable RSA-SHA1 Variable oauth_timestamp Current timestamp Variable realm oauth_token checkout_resource_ url Used to differentiate between our mobile and full site. Currently not used. Access token that is returned in the access token response needs to be sent in the signature base string, authorization header for checkout resource call Endpoint used to request the users billing and shipping information from Masterpass ewallet Variable Checkout Resource Response Description Possible Values Transfer XML Strings Checkout XML Refer to the V6 Checkout XML Details table in this section. Signature Base String Example GET&https%3A%2F%2Fsandbox.api.mastercard.com%2Fmasterpass%2Fv6%2Fcheckout %2F306067563&oauth_consumer_key%3DcLb0tKkEJhG====_6ltDIibO5Wgbx4rIl====_jRd4b0476c %21414f4859446c4a366c726a327474695545332b353049====%26oauth_nonce %3D8yNKr7i3%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp U.S. Version 6.18 30 September 2016 111

Appendix OAuth Samples %3D1433970146%26oauth_token%3Dd475e1a692b7bfed07b492dd845b7f43190becad %26oauth_version%3D1.0 HTTP Request Example GET /masterpass/v6/checkout/4400 HTTP/1.1 Authorization:OAuth oauth_consumer_key="clb0tkkejhgtitp_6ltdiibo5wgbx4rildexm_jrd4b0476c %21414f4859446c4a366c726a327474695545332b353049303d",oauth_nonce="8yNKr7i3",oauth_ signature="g95ku%2blpj%2blt %2FIOCGYj5a3H1OB7LNltBrw7Hq7%2BhrTtXoiAMRp56obJYlkX10LS2lNugBPKq %2FU8YyJ8Tt8wDDsRCLFbS1XT4xi%2FzKsXk%2B7LRXN3YwLTi8exDI4rAan %2B02YYOpMyOk4uX6KDb9ue6Lu%2FxAfQ0lqB2zK7mT24TwHs%3D",oauth_signature_method="RSA- SHA1",oauth_timestamp="1433970146",oauth_token="d475e1a692b7bfed07b492dd845b7f4319 0becad",oauth_version="1.0",realm="eWallet" V6 Checkout XML Schema URL: https://api.mastercard.com/masterpass/v6/checkout/ The checkout resource URL supplied by Masterpass should be decoded and consumed by the merchant as provided by Masterpass. Masterpass may add or delete parameters in future. The following are examples of decoded URL: checkout_resource_url=https://api.mastercard.com/masterpass/v6/checkout/ 11318500&checkoutId=11318500 checkout_resource_url=https://api.mastercard.com/masterpass/v6/checkout/ 11318501 NOTE: U.S. merchants can ignore the PreCheckoutTransactionId element. <?xml version="1.0" encoding="utf-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/xmlschema"> <xs:element name="checkout" type="checkout"/> <xs:complextype name="checkout"> <xs:sequence> <xs:element name="card" type="card"/> <xs:element name="transactionid" type="xs:string"/> <xs:element name="contact" type="contact"/> <xs:element name="shippingaddress" type="shippingaddress" minoccurs="0"/> <xs:element name="authenticationoptions" type="authenticationoptions" minoccurs="0"/> <xs:element name="walletid" type="xs:string"/> <xs:element name="precheckouttransactionid" type="xs:string" minoccurs="0"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:complextype name="authenticationoptions"> <xs:sequence> <xs:element name="authenticatemethod" type="xs:string" minoccurs="0"/> <xs:element name="cardenrollmentmethod" type="xs:string" minoccurs="0"/> <xs:element name="cavv" type="xs:string" minoccurs="0"/> <xs:element name="eciflag" type="xs:string" minoccurs="0"/> <xs:element name="mastercardassignedid" type="xs:string" minoccurs="0"/> U.S. Version 6.18 30 September 2016 112

Appendix OAuth Samples <xs:element name="paresstatus" type="xs:string" minoccurs="0"/> <xs:element name="scenrollmentstatus" type="xs:string" minoccurs="0"/> <xs:element name="signatureverification" type="xs:string" minoccurs="0"/> <xs:element name="xid" type="xs:string" minoccurs="0"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:complextype name="card"> <xs:sequence> <xs:element name="brandid" type="nonemptystring"/> <xs:element name="brandname" type="nonemptystring"/> <xs:element name="accountnumber" type="nonemptystring"/> <xs:element name="billingaddress" type="address"/> <xs:element name="cardholdername" type="nonemptystring"/> <xs:element name="expirymonth" type="month" minoccurs="0"/> <xs:element name="expiryyear" type="year" minoccurs="0"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:complextype name="address"> <xs:sequence> <xs:element name="city" type="nonemptystring"/> <xs:element name="country" type="country"/> <xs:element name="countrysubdivision" type="nonemptystring" minoccurs="0"/> <xs:element name="line1" type="nonemptystring"/> <xs:element name="line2" type="nonemptystring" minoccurs="0"/> <xs:element name="line3" type="nonemptystring" minoccurs="0"/> <xs:element name="postalcode" type="nonemptystring" minoccurs="0"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:complextype name="contact"> <xs:sequence> <xs:element name="firstname" type="nonemptystring"/> <xs:element name="middlename" minoccurs="0"> <xs:simpletype> <xs:restriction base="xs:string"> <xs:minlength value="1"/> <xs:maxlength value="150"/> </xs:restriction> </xs:simpletype> </xs:element> <xs:element name="lastname" type="nonemptystring"/> <xs:element name="gender" type="gender" minoccurs="0"/> <xs:element name="dateofbirth" type="dateofbirth" minoccurs="0"/> <xs:element name="nationalid" minoccurs="0"> <xs:simpletype> <xs:restriction base="xs:string"> <xs:minlength value="1"/> <xs:maxlength value="150"/> </xs:restriction> </xs:simpletype> </xs:element> <xs:element name="country" type="country"/> <xs:element name="emailaddress" type="emailaddress"/> <xs:element name="phonenumber" type="xs:string"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> U.S. Version 6.18 30 September 2016 113

Appendix OAuth Samples </xs:complextype> <xs:complextype name="dateofbirth"> <xs:sequence> <xs:element name="year"> <xs:simpletype> <xs:restriction base="xs:int"> <xs:mininclusive value="1900"/> <xs:pattern value="\d{4}"/> </xs:restriction> </xs:simpletype> </xs:element> <xs:element name="month" type="month"/> <xs:element name="day"> <xs:simpletype> <xs:restriction base="xs:int"> <xs:mininclusive value="1"/> <xs:maxinclusive value="31"/> </xs:restriction> </xs:simpletype> </xs:element> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:simpletype name="gender"> <xs:restriction base="xs:token"> <xs:enumeration value="m"/> <xs:enumeration value="f"/> </xs:restriction> </xs:simpletype> <xs:complextype name="shippingaddress"> <xs:complexcontent> <xs:extension base="address"> <xs:sequence> <xs:element name="recipientname" type="nonemptystring"/> <xs:element name="recipientphonenumber" type="xs:string"/> </xs:sequence> </xs:extension> </xs:complexcontent> </xs:complextype> <xs:simpletype name="nonemptystring"> <xs:restriction base="xs:string"> <xs:minlength value="1"/> <xs:whitespace value="collapse"/> </xs:restriction> </xs:simpletype> <xs:simpletype name="country"> <xs:restriction base="xs:string"> <xs:pattern value="[a-z]{2}"/> </xs:restriction> </xs:simpletype> <xs:simpletype name="emailaddress"> <xs:restriction base="xs:string"> <xs:pattern value="[a-za-z0-9!#-'\*\+\-/=\?\^_`\{-~]+(\.[a-za-z0-9! #-'\*\+\-/=\?\^_`\{-~]+)*@[A-Za-z0-9!#-'\*\+\-/=\?\^_`\{-~]+(\.[A-Za-z0-9!#-'\*\+ \-/=\?\^_`\{-~]+)*"/> </xs:restriction> </xs:simpletype> <xs:simpletype name="month"> <xs:restriction base="xs:int"> <xs:mininclusive value="1"/> <xs:maxinclusive value="12"/> </xs:restriction> </xs:simpletype> U.S. Version 6.18 30 September 2016 114

Appendix OAuth Samples <xs:simpletype name="year"> <xs:restriction base="xs:int"> <xs:mininclusive value="2013"/> <xs:pattern value="\d{4}"/> </xs:restriction> </xs:simpletype> <xs:complextype name="extensionpoint"> <xs:sequence> <xs:any maxoccurs="unbounded" processcontents="lax" namespace="##any"/> </xs:sequence> <xs:anyattribute/> </xs:complextype> </xs:schema> V6 Checkout Sample XML Response URL: https://api.mastercard.com/masterpass/v6/checkout/123456 <Checkout> <Card> <BrandId>master</BrandId> <BrandName>Mastercard</BrandName> <AccountNumber>5435579315709649</AccountNumber> <BillingAddress> <City>Anytown</City> <Country>US</Country> <Line1>100 Not A Real Street</Line1> <PostalCode>63011</PostalCode> </BillingAddress> <CardHolderName>Joe Test</CardHolderName> <ExpiryMonth>02</ExpiryMonth> <ExpiryYear>2016</ExpiryYear> </Card> <TransactionId>72525</TransactionId> <Contact> <FirstName>Joe</FirstName> <MiddleName>M</MiddleName> <LastName>Test</LastName> <Gender>M</Gender> <DateOfBirth> <Year>1975</Year> <Month>03</Month> <Day>28</Day> </DateOfBirth> <NationalID>30258374209</NationalID> <Country>US</Country> <EmailAddress>joe.test@email.com</EmailAddress> <PhoneNumber>1-9876543210</PhoneNumber> </Contact> <ShippingAddress> <City>O Fallon</City> <Country>US</Country> <CountrySubdivision>US-AK</CountrySubdivision> <Line1>1 main street</line1> <PostalCode>63368</PostalCode> <RecipientName>Joe Test</RecipientName> <RecipientPhoneNumber>1-9876543210</RecipientPhoneNumber> </ShippingAddress> <WalletID>101</WalletID> </Checkout> U.S. Version 6.18 30 September 2016 115

Appendix OAuth Samples V6 Checkout XML Details CheckoutXML Element Description Type Min Max Checkout Root Element XML - Checkout Card Child Element XML - Card BrandId Identifies the card brand id, for example, master for Mastercard. Alpha Numeric 0 8 BrandName AccountNumber BillingAddress Identifies the card brand name, for example, Mastercard Card number or primary account number that identifies the card Billing Address for the card holder. String 0 255 Integer 13 24 XML - CardHolderName Cardholder name String 1 100 ExpiryMonth Expiration month displayed on the payment card. Date XML format ExpiryYear Expiration year displayed on the payment card. Date XML format ExtensionPoint Reserved for future enhancement. Optional Any - Checkout TransactionID Child Element String 1 255 Checkout Contact Child Element XML Contact FirstName Contact First Name String 1 150 Optional MiddleName Contact Middle Name or Initial String 1 150 LastName Contact Surname String U.S. Version 6.18 30 September 2016 116

Appendix OAuth Samples CheckoutXML Element Description Type Min Max Optional * Gender Contact Gender (M or F) M or F [SB1] NOTE: This field may only be requested from a Masterpass wallet if it is required by law in a region. Merchants and service providers seeking to use this field must work with the local Masterpass representative to get the necessary clearances before requesting these data elements. Optional * DateOfBirth Contact DOB YYYY/MM/DD NOTE: This field may only be requested from a Masterpass wallet if it is required by law in a region. Merchants and service providers seeking to use this field must work with the local Masterpass representative to get the necessary clearances before requesting these data elements. Sequence: Year (Int); Month (Int) Day (Int) Y (4) M (2) D (2) * Only when legally required and enabled by Masterpass U.S. Version 6.18 30 September 2016 117

Appendix OAuth Samples CheckoutXML Element Description Type Min Max Optional (dependent on merchant country of incorporation and the consumer country of residence) NationalID Contact National Identification NOTE: This field may only be requested from a Masterpass wallet if it is required by law in a region. Merchants and service providers seeking to use this field must work with the local Masterpass representative to get the necessary clearances before requesting these data elements. String 1 150 Optional Country Contact Country of Residence String 0 2 EmailAddress Contact Email Address String 5 512 PhoneNumber Contact Phone String 3 20 DateOfBirth Contact DOB Year Contact DOB Year Integer 4 Month Contact DOB Month Integer 1 2 Day Contact DOB Day Integer 1 2 ExtensionPoint Reserved for future enhancement. Optional Any - Checkout ShippingAddress Child Element XML - ShippingAddress Address Child Element XML - Address City Cardholder s city String 0 25 U.S. Version 6.18 30 September 2016 118

Appendix OAuth Samples CheckoutXML Element Description Type Min Max Country CountrySubdivision Line 1 Line 2 Line 3 PostalCode ExtensionPoint Cardholder s country. Defined by ISO 3166-1 alpha-2 digit country codes, for example, U.S. is United States, AU is Australia, CA is Canada, GB is United Kingdom, and so on. Cardholder s country subdivision. Defined by ISO 3166-1 alpha-2 digit code, for example, US-VA is Virginia, US-OH is Ohio Address line 1 used for Street number and Street Name. Address line 2 used for Apt Number, Suite Number, and so on. Address line 3 used to enter remaining address information if it does not fit in Line 1 and Line 2 Postal Code or Zip Code appended to mailing address for the purpose of sorting mail. Reserved for future enhancement. Optional String 2 String 5 String 1 40 String 0 40 String 0 255 String 0 20 Any - ShippingAddress RecipientName Name of person set to receive the shipped order. String 1 100 U.S. Version 6.18 30 September 2016 119

Appendix OAuth Samples CheckoutXML Element Description Type Min Max ShippingAddress RecipientPhoneNumb er Phone of the person set to receive the shipped order. String 3 20 Checkout AuthenticationOption s Child Element XML - Checkout WalletID Helps identify origin wallet String 3 AuthenticationOptions AuthenticateMethod Method used to authenticate the cardholder at checkout. Valid values are MERCHANT ONLY, 3DS and No Authentication. Alpha NA CardEnrollmentMeth od Method by which the card was added to the wallet. Valid values are: Alpha NA Manual Direct Provisioned 3DS Manual NFC Tap CAvv (CAVV) Cardholder Authentication Verification Value generated by card issuer upon successful authentication of the cardholder. This must be passed in the authorization message Alpha Numeric NA U.S. Version 6.18 30 September 2016 120

Appendix OAuth Samples CheckoutXML Element Description Type Min Max EciFlag Electronic commerce indicator (ECI) flag. Possible values are as follows: Mastercard: 00 No Authentication 01 Attempts (Card Issuer Liability) 02 Authenticated by ACS (Card Issuer Liability) 03 Maestro (MARP) 05 Risk Based Authentication (Issuer, not in use) 06 Risk Based Authentication (Merchant, not in use) Visa: 05 Authenticated (Card Issuer Liability) 06 Attempts (Card Issuer Liability) 07 No 3DS Authentication (Merchant Liability) Alphanume ric NA MasterCardAssignedI D This value is assigned by Mastercard and represents programs associated directly with Maestro cards. This field should be supplied in the authorization request by the merchant. Alpha Numeric NA U.S. Version 6.18 30 September 2016 121

Appendix OAuth Samples CheckoutXML Element Description Type Min Max PaResStatus A message formatted, digitally signed, and sent from the ACS (issuer) to the MPI providing the results of the issuer s Mastercard SecureCode/Verified by Visa cardholder authentication. Possible values are: Alpha NA Y The card was successfully authenticated via 3-D Secure N Authentication failed A signifies that either (a) the transaction was successfully authenticated via a 3- D Secure attempts transaction or (b)the cardholder was prompted to activate 3-D Secure during shopping but declined (Visa). U Authentication results were unavailable U.S. Version 6.18 30 September 2016 122

Appendix OAuth Samples CheckoutXML Element Description Type Min Max SCEnrollmentStatus Mastercard SecureCode Enrollment Status: Indicates if the issuer of the card supports payer authentication for this card. Possible values are as follows: Alpha NA Y The card is eligible for 3-D Secure authentication. N The card is not eligible for 3-D Secure authentication. U Lookup of the card's 3-D Secure eligibility status was either unavailable, or the card is inapplicable (for example, prepaid cards). SignatureVerification: Signature Verification. Possible values are as follows: Alpha NA Y Indicates that the signature of the PaRes has been validated successfully and the message contents can be trusted. N Indicates that for a variety of reasons (tampering, certificate expiration, and so on) the PaRes could not be validated, and the result should not be trusted. U.S. Version 6.18 30 September 2016 123

Appendix OAuth Samples CheckoutXML Element Description Type Min Max XID Transaction identifier resulting from authentication processing. Alpha Numeric NA ExtensionPoint Reserved for future enhancement. Optional Any PreCheckoutTransactionId Pre Checkout Transaction ID ID associated with the PreCheckout Transaction Alphanume ric NOTE: This element is not applicable to U.S. merchants. Postback Service This topic provides information on the Postback parameters. Postback Parameters Post Transaction Request Post Transaction Response oauth_signature oauth_version oauth_nonce oauth_signature_method oauth_consumer_key oauth_timestamp oauth_body_hash X X X X X X X MerchantTransactions XML X X U.S. Version 6.18 30 September 2016 124

Appendix OAuth Samples Postback Parameter Details Post Transaction Request Description Possible Values Signature Base String Authorization Header oauth_signature RSA/SHA1 signature generated from the signature base string Variable oauth_version Oauth version. 1.0 oauth_nonce oauth_signature_m ethod oauth_consumer_ke y Unique alphanumeric string generated from code oauth signature method. Consumer Key generated when completing key management on the Masterpass Merchant Portal. Variable RSA-SHA1 Variable oauth_timestamp Current timestamp Variable oauth_body_hash SHA1 hash of the message body Variable Transfer XML Strings Merchant Transactions XML Transaction details Post Transaction Response Description Possible Values Transfer XML Strings Merchant Transactions XML Transaction details Signature Base String Example POST&https%3A%2F%2Fsandbox.api.mastercard.com%2Fmasterpass%2Fv6%2Ftransaction &oauth_body_hash%3dycnt7a676vey7i0skyymkorihcg%253d%26oauth_consumer_key%3dclb0 tkkejhgtitp_6ltdiibo5wgbx4rildexm_jrd4b0476c%2521414f4859446c4a366c726a32747469 5545332b353049303d%26oauth_nonce%3D26123188000346%26oauth_signature_method%3DRS A-SHA1%26oauth_timestamp%3D1380054060%26oauth_version%3D1.0 HTTP Request Example POST /masterpass/v6/transaction HTTP/1.1 Authorization: OAuth oauth_signature="aom0wfgfi7ityv1izfn125bod6jgftdx15dq8xbjvmggkgktj5awv7wsmgwucc eglpl52hfs%2b%2boqzvrcdxuidvgekox1nhdfhns0l1yiaqgdkjqyr%2bcqgu1qo7xvjvztqpxulrc 2uzVCjyLoQEroIWv5cAOj5l4aBxDopz7OKQA%3D",oauth_body_hash="ycNt7A676VEY7i0SkyymK orihcg%3d",oauth_version="1.0",oauth_nonce="26123188000346",oauth_signature_met hod="rsa- SHA1",oauth_consumer_key="cLb0tKkEJhGTITp_6ltDIibO5Wgbx4rIldeXM_jRd4b0476c%2141 4f4859446c4a366c726a327474695545332b353049303d",oauth_timestamp="1380054060" U.S. Version 6.18 30 September 2016 125

Appendix OAuth Samples MerchantTransactions Request XML Schema NOTE: U.S. merchants can ignore the PreCheckout and ExpressCheckout elements. <?xml version="1.0" encoding="utf-8" standalone="yes"?> <xs:schema version="1.0" xmlns:xs="http://www.w3.org/2001/xmlschema"> <xs:element name="merchanttransactions" type="merchanttransactions"/> <xs:complextype name="merchanttransactions"> <xs:sequence> <xs:element name="merchanttransactions" type="merchanttransaction" minoccurs="0" maxoccurs="unbounded"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:complextype name="merchanttransaction"> <xs:sequence> <xs:element name="transactionid" type="xs:string"/> <xs:element name="consumerkey" type="xs:string" minoccurs="0"/> <xs:element name="currency" type="xs:string"/> <xs:element name="orderamount" type="xs:long"/> <xs:element name="purchasedate" type="xs:datetime"/> <xs:element name="transactionstatus" type="transactionstatus"/> <xs:element name="approvalcode" type="xs:string"/> <xs:element name="precheckouttransactionid" type="xs:string" minoccurs="0"/> <xs:element name="expresscheckoutindicator" type="xs:boolean" minoccurs="0"/> <xs:element name="extensionpoint" type="extensionpoint" minoccurs="0"/> </xs:sequence> </xs:complextype> <xs:simpletype name="transactionstatus"> <xs:restriction base="xs:string"> <xs:enumeration value="success"/> <xs:enumeration value="failure"/> </xs:restriction> </xs:simpletype> <xs:complextype name="extensionpoint"> <xs:sequence> <xs:any maxoccurs="unbounded" processcontents="lax" namespace="##any"/> </xs:sequence> <xs:anyattribute/> </xs:complextype> </xs:schema> HTTP Request Example NOTE: U.S. merchants can ignore the PreCheckoutTransactionId and ExpressCheckoutIndicator elements. <MerchantTransactions> <MerchantTransactions> <TransactionId>4549794</TransactionId> <ConsumerKey>0zMKpm0nFtUv8lLXT97jDRo2bp4vNF8MFYyt3R5R87e3f3f4! 414b48675861677159682b563745776b593652377939673d</ConsumerKey> <Currency>USD</Currency> <OrderAmount>1229</OrderAmount> <PurchaseDate>2014-08-01T14:52:57.539-05:00</PurchaseDate> <TransactionStatus>Success</TransactionStatus> U.S. Version 6.18 30 September 2016 126

Appendix OAuth Samples <ApprovalCode>sample</ApprovalCode> <PreCheckoutTransactionId>a4a6x55-rgb1c5-hyaqkemj-1-hybxhplo-947</ PreCheckoutTransactionId> <ExpressCheckoutIndicator>false</ExpressCheckoutIndicator> <MerchantTransactions> </MerchantTransactions> MerchantTransactionsResponse Schema NOTE: U.S. merchants can ignore the PreCheckout and ExpressCheckout elements. <?xml version-/="1.0" encoding-/="utf-8" standalone-/="yes"?> <xs:schema version-/="1.0" xmlns:xs-/="http://www.w3.org/2001/xmlschema"> <xs:element name-/="merchanttransactions" type-/="merchanttransactions"/> <xs:complextype name-/="merchanttransactions"> <xs:sequence> <xs:element name-/="merchanttransactions" type-/ ="MerchantTransaction" minoccurs-/="0" maxoccurs-/="unbounded"/> <xs:element name-/="extensionpoint" type-/="extensionpoint" minoccurs-/="0"/> </xs:sequence> </xs:complextype> <xs:complextype name-/="merchanttransaction"> <xs:sequence> <xs:element name-/="transactionid" type-/="xs:string"/> <xs:element name-/="consumerkey" type-/="xs:string" minoccurs-/="0"/> <xs:element name-/="currency" type-/="xs:string"/> <xs:element name-/="orderamount" type-/="xs:long"/> <xs:element name-/="purchasedate" type-/="xs:datetime"/> <xs:element name-/="transactionstatus" type-/="transactionstatus"/> <xs:element name-/="approvalcode" type-/="xs:string"/> <xs:element name-/="precheckouttransactionid" type-/="xs:string" minoccurs-/="0"/> <xs:element name-/="expresscheckoutindicator" type-/="xs:boolean" minoccurs-/="0"/> <xs:element name-/="extensionpoint" type-/="extensionpoint" minoccurs-/="0"/> </xs:sequence> </xs:complextype> <xs:simpletype name-/="transactionstatus"> <xs:restriction base-/="xs:string"> <xs:enumeration value-/="success"/> <xs:enumeration value-/="failure"/> </xs:restriction> </xs:simpletype> <xs:complextype name-/="extensionpoint"> <xs:sequence> <xs:any maxoccurs-/="unbounded" processcontents-/="lax" namespace-/ ="##any"/> </xs:sequence> <xs:anyattribute/> </xs:complextype> </xs:schema> HTTP Response Example (response will be identical to the XML sent if call was successful) NOTE: U.S. merchants can ignore the PreCheckoutTransactionId and ExpressCheckoutIndicator elements. U.S. Version 6.18 30 September 2016 127

Appendix OAuth Samples <MerchantTransactions> <MerchantTransactions> <TransactionId>4549794</TransactionId> <ConsumerKey>0zMKpm0nFtUv8lLXT97jDRo2b593652377939673d0zMKpm0nFt9682b563745776b593 652377939673d</ConsumerKey> <Currency>USD</Currency> <OrderAmount>1229</OrderAmount> <PurchaseDate>2014-08-01T14:52:57.539-05:00</PurchaseDate> <TransactionStatus>Success</TransactionStatus> <ApprovalCode>sample</ApprovalCode> <PreCheckoutTransactionId>a4a6x55-rgb1c5-hyaqkemj-1-hybxhplo-9477</ PreCheckoutTransactionId> <ExpressCheckoutIndicator>false</ExpressCheckoutIndicator> </MerchantTransactions> </MerchantTransactions> MerchantTransactions XML Details MerchantTransactio nsrequest Element Description Type Min - Max MerchantTransactions MerchantTransactions XML - ExtensionPoint Reserved for future enhancement. Optional Any - U.S. Version 6.18 30 September 2016 128

Appendix OAuth Samples MerchantTransactio nsrequest Element Description Type Min - Max MerchantTransactions TransactionID Uses the TransactionID element of the Checkout XML String 1 255 ConsumerKey Currency OrderAmount Consumer Key generated when completing key management on the Masterpass Merchant Portal. Currency of the transaction. Defined by ISO 4217 to be exactly three characters, such as, USD for U.S. Dollars. (Integer) Transaction order amount without decimal, for example, 1500. String 97 String 3 Integer 1 12 PurchaseDate Date and Time of the shopping cart purchase. Date XML format TransactionStatus ApprovalCode PreCheckoutTransactio nid State of the transaction. Indicates whether successful. Valid values are Success or Failure. Approval code returned to merchant from merchant's payment API with payment gateway or service provider. Value returned from the PrecheckoutData call. NOTE: This does not apply to U.S. merchants. String 7 String 6 String ExpressCheckoutIndicat or True or False. Set to false for connected checkout NOTE: This does not apply to U.S. merchants Boolean ExtensionPoint Reserved for future enhancement. Optional Any - U.S. Version 6.18 30 September 2016 129

Appendix OAuth Samples MerchantTransactio nsresponse Element Description Type Min - Max MerchantTransactions MerchantTransactions Root Element XML - ExtensionPoint Reserved for future enhancement. Optional Any - U.S. Version 6.18 30 September 2016 130

Appendix OAuth Samples MerchantTransactio nsresponse Element Description Type Min - Max MerchantTransactions TransactionID Uses the TransactionID element of the Checkout XML String 1 255 ConsumerKey Currency OrderAmount Consumer Key generated when completing key management on the Masterpass Merchant Portal. Currency of the transaction. Defined by ISO 4217 to be exactly three characters, such as, USD for U.S. Dollars. Integer Transaction order amount without decimal, for example, 1500. String 97 String 3 Integer 1 12 PurchaseDate Date and Time of the shopping cart purchase, for example, 2012-06-06T15:12:24.254-05:00 Date XML format TransactionStatus ApprovalCode PreCheckoutTransactio nid State of the transaction. Indicates whether successful. Valid values are Success or Failure. Approval code returned to merchant from merchant's payment API with payment gateway or service provider. Value returned from the PrecheckoutData call. NOTE: This does not apply to U.S. merchants. String 7 String 6 String U.S. Version 6.18 30 September 2016 131

Appendix OAuth Samples MerchantTransactio nsresponse Element Description Type Min - Max ExpressCheckoutIndicat or True or False. Set to false for connected checkout. NOTE: This does not apply to U.S. merchants. Boolean ExtensionPoint Reserved for future enhancement. Optional Any - ExtensionPoint Elements Starting with API v6, all schema container elements contain a new optional element named ExtensionPoint. These elements are intended to provide expandability of the API without requiring a new major version. These elements are defined to contain a sequence of xs:any, meaning that any XML content can be contained within the element. In order to ensure future expandability, all integrators must not perform any validation of elements received inside an ExtensionPoint element, beyond any that may be defined by Masterpass in the future with a separate schema. Any such extensions will be optional. Further, only authorized schemas will be allowed inside ExtensionPoint elements, and any unknown elements will be dropped by Masterpass. ExtensionPoint Sample <ExtensionPoint> <s:sampleextension xmlns:s= https://www.masterpass.com/location/of/example/ns > <s:samplefield>sample Value</s:SampleField> </s:sampleextension> <f:anotherexampleextension xmlns:f= https://www.masterpass.com/location/of/example2/ns > <f:samplecontainer> <f:anothersamplefield>sample Value</f:AnotherSampleField> </f:samplecontainer> </f:anotherexampleextension> </ExtensionPoint> U.S. Version 6.18 30 September 2016 132

Appendix Renew a Mastercard Developers API Key Renew a Mastercard Developers API Key This section provides information on how to complete the key-renewal process on the Mastercard Developers site. About this task The Mastercard Developers portal no longer supports the creation or renewal of keys using certificate signing request (CSR) files generated with MD5 digest. Renewing keys with such CSR files will result in the error message cert renewal failed. For instructions on how to work around this potential error, refer to step four of this task. Procedure 1. Login to Mastercard Developers (https://developer.mastercard.com). 2. Click on My Projects. 3. Select the project associated with the key you re trying to renew. 4. In the Keys section of the project page, click the Manage Keys button. U.S. Version 6.18 30 September 2016 133