Boosting Authorization Success: A Practical Guide to Visa NTI and Mastercard Trace ID Mandates

Devang Gaur, Sr Product Manager (Payments & Risk), Adobe and Ashwin Das Gururaja, Sr Engineering Manager (Payments & Risk), Adobe
Nov 12, 2025

Introduction

Digital commerce continues to shift toward business models where the cardholder isn’t always present: subscriptions, top-ups, auto-renewals, installment payments, delayed charges, and pay-as-you-go services. These experiences drive user convenience — but they also increase issuer risk perception if the transaction context isn’t clear.

Visa and Mastercard have therefore implemented mandates to help issuers trust subsequent Merchant-Initiated Transactions (MITs). The mandates require merchants to properly track and transmit network reference identifiers from the original Customer-Initiated Transaction (CIT). These identifiers are:

  • Visa: Transaction Identifier (TID) — sometimes called “NTI” informally
  • Mastercard: Trace ID

When implemented correctly, issuers can confidently link MITs back to verified setup transactions — resulting in higher approval rates, lower fraud friction, and fewer data integrity issues. [1][2]

This guide explains:

1. What these identifiers are

2. Why networks introduced them

3. How they map technically in ISO 8583

4. Regulatory implications (SCA in EEA/France)

5. Practical examples to help merchants implement correctly

Understanding the Card Network Mandates

 

The Evolution of Stored Credential Frameworks

In 2017, Visa and Mastercard introduced updated Stored Credential (Credential-on-File) frameworks. These required merchants to:

  • Flag initial stored-credential transactions correctly
  • Identify whether follow-ups are CIT or MIT
  • Provide a network reference linking the series of charges

Following these frameworks ensures issuers understand:

  • Who initiated the transaction
  • When the user last authenticated
  • Why the merchant is charging again
  • Which original authorization validated the cardholder’s intent

Result: Proper signaling → better issuer approval logic → improved revenue capture. [1][3]

Visa’s Network Transaction Identifier (NTI) Mandate

 

What is the Network Transaction Identifier (NTI)?

Visa assigns a Transaction Identifier (TID) to every authorization. Industry teams often call it the NTI, but Visa’s official term is TID. It's a numeric value up to 15 digits that uniquely identifies the original authorization. [1]

Merchants must capture TID in the initial CIT (e.g., first subscription setup) and reuse it in all related MITs — otherwise, issuers may view future charges as unfamiliar risk.

Technical Specifications

Field | Description
DE 62.2 | Visa Transaction Identifier returned in initial auth response

 

Merchant Requirements:

  1. Capture TID on the first CIT authorization
  2. Store alongside subscription or stored-credential metadata
  3. Populate DE 62.2 in all related MITs [1]

 

Mastercard’s Trace ID Mandate

 

What is the Mastercard Trace ID?

Mastercard requires Trace ID as the reference for MITs — particularly under PSD2/SCA rules to evidence a customer-authenticated setup. [2]

Technical Specifications

Field | Description
DE 48, sub-element 63 | Mastercard Trace ID

 

Trace ID is constructed from original authorization network data, including:

  • Financial Network Code (FNC)
  • Banknet Reference Number (BRN) (may default to 999999 for grandfathered pre-SCA agreements)
  • Settlement date (MMDD) [3]

Sample position map:

Positions 1–3: FNC

Positions 4–9: BRN

Positions 10–13: Settlement Date

Positions 14–15: Blank

Actual values vary per acquirer integration.
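The sample position map above, worked through as an added example (not code from the authors or from Mastercard). The function names, the A-Z/0-9 character set and the sample values are assumptions, and the layout follows the page's sample map rather than any particular acquirer's specification.

```python
import re
from datetime import datetime

GRANDFATHERED_BRN = "999999"  # default the page cites for pre-SCA agreements


def build_trace_id(fnc: str, brn: str, settlement_mmdd: str) -> str:
    """Assemble a 15-character Trace ID following the sample position map."""
    if not re.fullmatch(r"[A-Z0-9]{3}", fnc):
        raise ValueError("FNC must be 3 characters (positions 1-3)")
    if not re.fullmatch(r"[A-Z0-9]{6}", brn):
        raise ValueError("BRN must be 6 characters (positions 4-9)")
    if not re.fullmatch(r"\d{4}", settlement_mmdd):
        raise ValueError("settlement date must be 4 digits (positions 10-13)")
    try:
        # Leap year 2000 is used only so that 0229 is accepted as a valid MMDD.
        datetime.strptime("2000" + settlement_mmdd, "%Y%m%d")
    except ValueError:
        raise ValueError("settlement date is not a valid MMDD") from None
    return fnc + brn + settlement_mmdd + "  "  # positions 14-15 are blank


def parse_trace_id(trace_id: str) -> dict:
    """Split a stored Trace ID into segments, rejecting damaged values."""
    if len(trace_id) != 15:
        # Typical cause: a storage layer or .strip() removed the trailing blanks.
        raise ValueError(f"expected 15 characters, got {len(trace_id)}")
    fnc, brn, mmdd, filler = (trace_id[0:3], trace_id[3:9],
                              trace_id[9:13], trace_id[13:15])
    if filler != "  ":
        raise ValueError("positions 14-15 must be blank")
    build_trace_id(fnc, brn, mmdd)  # reuse the per-segment validation
    return {"fnc": fnc, "brn": brn, "settlement_mmdd": mmdd,
            "grandfathered": brn == GRANDFATHERED_BRN}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real authorization.
    stored = build_trace_id("ABC", "1A2B3C", "1112")
    print(repr(stored), parse_trace_id(stored))
```

Storing the value exactly as assembled matters: a trimmed copy is two characters short and fails the length check before it reaches an MIT.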

Note: Failure to populate Trace ID is a top data-integrity monitoring metric for Mastercard. [4]

Key Differences Between Visa NTI and Mastercard Trace ID

Category | Visa | Mastercard
Official Field Name | Transaction Identifier (TID) | Trace ID
Primary Field | DE 62.2 | DE 48.63
Composition | Numeric, up to 15 digits | Constructed network reference (multi-segment)
Primary Value | Transaction chaining | SCA traceability + switch reconciliation

 

In practice, merchants should treat both as must-have linkage references.

Connection with 3D Secure Authentication

In regions enforcing SCA (e.g., EEA/UK), issuers require a way to confirm whether a cardholder has already authenticated.

CIT → 3DS/SCA typically required

MIT → may rely on Trace ID/TID + MIT indicators to bypass repeated friction

Without linkage, issuers fall back to “Authentication Required” responses even if the cardholder approved the original setup. [3][5]

Thus, identifiers serve both compliance and customer experience goals.

Implementation Examples for Different Business Models

 

Example 1: Subscription-Based Streaming Service

CIT Setup

  • Customer signs up for monthly plan
  • Merchant sends authorization with CoF flags → receives TID/Trace ID
  • Merchant stores identifier and authentication result

MIT Renewal

  • Identifier + MIT flags included in DE 62.2 / DE 48.63
  • Issuer recognizes recurring agreement → reduced decline risk

Example 2: On-Demand Delivery Marketplace

CIT at Checkout

  • Customer actively confirms order = CIT
  • Stored credential captured with TID/Trace ID

MIT Scenarios

  • Tip adjustment
  • Split shipments
  • Partial delivery capture

Only these follow-ups must include the identifier — not every future user-initiated purchase.

Key takeaway: User interaction determines CIT vs MIT, not whether a credential is stored.

How Networks Monitor Transactions and Assess Fines

 

Transaction Monitoring Mechanisms

Networks continuously evaluate data flowing through acquirers, checking:

  • Missing identifiers on MITs
  • Incorrect MIT sub-type classification
  • Authorization vs clearing mismatches

These are visible to acquirers via data integrity reports that identify issues by edit codes. [4]

Non-Compliance Assessment Process

If merchants fail to fix errors:

  • Progressive per-transaction fees apply
  • Acquirers may increase scrutiny
  • Issuers may reduce approvals

Impact on the merchant:

  1. Decline rates rise
  2. Revenue leakage increases
  3. Hard costs through assessments

Regulatory Considerations

 

EEA/France Enforcement Context

Under PSD2 SCA, issuers in Europe — including French banks — have strengthened controls on MIT risk. If the issuer cannot establish traceability to a prior SCA-compliant CIT:

  • MITs may be declined with “Authentication Required” indicators
  • The risk intensifies during billing cycles or card reissuance events [5]

Merchants selling into EEA markets should ensure:

  1. Authentication + identifier captured at setup
  2. MIT flags mapped correctly on renewals
  3. Close acquirer alignment on local rules

This reduces authorization volatility for recurring revenue.

Strategies for Ensuring Compliance

 

Proactive Monitoring

  • Check presence of DE 62.2 / DE 48.63 for all MITs
  • Identify gaps by issuer country patterns
  • Build dashboards for missing-identifier alerts
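One way to implement the presence check and the per-country gap count, as an added example that is not the authors' code. The record layout, key names and sample transactions are constructed for illustration, and the 15-character Trace ID length follows the sample position map given earlier.

```python
from collections import Counter

# Constructed outbound authorization records; the dict layout is hypothetical.
SAMPLE = [
    {"id": "t1", "scheme": "visa", "initiator": "MIT", "issuer_country": "FR", "DE62.2": "123456789012345"},
    {"id": "t2", "scheme": "visa", "initiator": "MIT", "issuer_country": "FR", "DE62.2": ""},
    {"id": "t3", "scheme": "mastercard", "initiator": "MIT", "issuer_country": "DE", "DE48.63": "ABC1A2B3C1112  "},
    {"id": "t4", "scheme": "mastercard", "initiator": "MIT", "issuer_country": "FR"},
    {"id": "t5", "scheme": "visa", "initiator": "CIT", "issuer_country": "US"},
    {"id": "t6", "scheme": "visa", "initiator": "MIT", "issuer_country": "DE", "DE62.2": "12AB"},
]


def identifier_problem(txn: dict):
    """Return None when the linkage identifier is acceptable, else a reason."""
    if txn["initiator"] != "MIT":
        return None  # only MIT follow-ups must carry the stored identifier
    if txn["scheme"] == "visa":
        value = txn.get("DE62.2", "")
        if not value:
            return "missing DE 62.2"
        if not (value.isascii() and value.isdigit() and len(value) <= 15):
            return "malformed DE 62.2"  # TID is numeric, up to 15 digits
    elif txn["scheme"] == "mastercard":
        value = txn.get("DE48.63", "")
        if not value.strip():
            return "missing DE 48.63"
        if len(value) != 15:
            return "malformed DE 48.63"
    return None


def audit(txns):
    """Return ({txn id: reason}, {issuer country: count of flagged MITs})."""
    findings, by_country = {}, Counter()
    for txn in txns:
        reason = identifier_problem(txn)
        if reason:
            findings[txn["id"]] = reason
            by_country[txn["issuer_country"]] += 1
    return findings, dict(by_country)


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running the same check before a message leaves the gateway gives the billing engine a point at which to hold or reroute an MIT whose identifier is absent.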

Processor Partnership

  • Request access to data integrity reporting
  • Validate mapping during gateway migrations
  • Confirm differences across regional acquirer endpoints

System Updates

  • Payment gateway routing must populate identifier fields
  • Billing engines should fall back to CIT retry logic if the TID is missing
  • Quality Assurance (QA) testing must simulate European issuer behavior

Conclusion

Visa’s TID and Mastercard’s Trace ID mandates are now fundamental to the success of stored-credential payments. They:

  • Help issuers distinguish trusted recurring charges
  • Support SCA compliance without customer friction
  • Improve long-term authorization rates
  • Reduce operational risk from data compliance failures

With proper storage, implementation governance, and continuous monitoring, merchants achieve:

  • Higher revenue capture
  • Stronger issuer relationships
  • Improved fraud protection
  • Better customer experience

About the Authors

Devang Gaur is a Senior Product Manager (Payments & Risk) and Ashwin Gururaja is a Senior Engineering Manager (Payments & Risk) at Adobe, where they lead global initiatives to improve payment authorization performance, reduce fraud, and ensure compliance with evolving card-network requirements.

About Adobe

Adobe is a global leader in creativity and digital experience solutions. Through its Creative Cloud, Document Cloud, and Experience Cloud offerings, Adobe empowers individuals and enterprises to design, create, and deliver exceptional digital experiences.

—-------------

References
