Mastercard Merchant Advice Codes (MAC): What They Mean, When to Retry, and How to Avoid TPE Penalties

Written by Tyler DurbinJune 12, 2026
Merchant Alternatives is reader-supported. When you make purchases through links on our site, we may earn a commission. This is always at no additional cost to you and helps us continue to provide accurate, transparent and up-to-date information on the things that matter most to your business, for free.

A Mastercard decline is not just a yes/no signal. In many cases, the issuer also sends a Merchant Advice Code (MAC) that tells you what to do next: retry later, stop retrying, update payment credentials, or wait a specific number of days.

If you ignore MACs and keep re-attempting the same card-not-present (CNP) authorization, you can pay network penalties under Mastercard's Transaction Processing Excellence (TPE) programs. The goal of this guide is simple: help you treat MACs as hard decisioning inputs so you recover more revenue with fewer retries and fewer fees.

What is a Mastercard Merchant Advice Code (MAC) in plain English?

A Mastercard Merchant Advice Code (MAC) is guidance returned with a declined authorization that indicates the next best action for the merchant. In practice, MACs are most relevant for subscription billing, merchant-initiated transactions (MITs), and other CNP scenarios where retry logic is automated.

Think of it like this:

  • The decline code answers "what happened?"
  • The MAC answers "what should I do now?"

If your processor surfaces MACs, you should treat them as first-class data in your decline handling, similar to how you treat AVS/CVV responses or 3DS outcomes.

Where do MACs show up in the payment stack (and why merchants miss them)?

Most merchants do not "turn on" MACs. They are typically included in the issuer response and then passed through the network and acquirer to your gateway or processor. The problem is that different platforms expose them differently:

  • Some gateways map MAC into a dedicated field.
  • Some include it in extended response data or raw network fields.
  • Some support teams can see it, but your API integration cannot.

Action step: ask your processor or gateway support for a sample decline payload that includes "Merchant Advice Code" or "MAC" and confirm the exact JSON field name and set of possible values.

What are the most common Mastercard MAC values and recommended actions?

MAC 01: updated account info might exist

MAC 01 is your cue to treat the decline as a credentials problem, not a customer intent problem. Before you retry, run account updater (if you are enrolled) and verify that your gateway will actually use the refreshed credentials on the next attempt.

If you are using network tokens (Apple Pay, Google Pay, card-on-file tokens, etc.), make sure you understand whether the update is happening on the PAN record, the token record, or both. A surprising number of retry loops happen because the merchant updates the customer record in their app, but the processor is still attempting the original credential.

MAC 02: retry later, but do it with spacing

MAC 02 is the classic "soft decline" instruction. The issuer is telling you the transaction cannot be approved right now, but that a later attempt could succeed.

Spacing matters. If you retry immediately, you are effectively testing the same issuer decision again with no new information. Better patterns are time-based:

  • Attempt 1 fails with MAC 02
  • Wait 24 to 48 hours
  • Attempt 2
  • If it fails again with MAC 02, wait longer before attempt 3

For subscription businesses, the right schedule depends on your dunning window. A five-day window cannot support a ten-day wait. In those cases, treat MAC 02 as "retry later" but still stay inside your cancellation policy.

MAC 03 and MAC 21: stop signals that should flip you into dunning

When you receive MAC 03 (do not try again) or MAC 21 (payment cancellation), the safest interpretation is that the issuer does not want you to keep attempting that transaction.

Your best next steps are usually non-technical:

  • Notify the customer that a payment method update is required
  • Offer an alternate payment rail (ACH, RTP, or a new card)
  • If you have fraud signals, pause service and ask for verification

Below is a practical "decision table" you can use to implement safe retry logic. Do not treat this as a complete list for every region or program, but it covers the codes you are most likely to see in recurring billing.

MAC Meaning (plain English) What to do next
01 New account information may be available Run account updater before retrying.
02 Cannot approve now, try later Retry later using a capped schedule.
03 Do not try again Stop retries. Trigger cardholder outreach.
04 Token requirements not fulfilled for this token type Fix tokenization and credential storage, then request a new payment method.
21 Payment cancellation Stop retries immediately.

Implementation tip: treat MAC 03 and MAC 21 as "hard stops" for automated retries unless your processor gives you a compliant exception path.

When is it safe to retry a Mastercard decline?

It is safest to retry when the issuer is telling you the decline is temporary. MAC 02 is the common example.

A good default pattern:

  • Wait at least 24 to 48 hours before the first retry.
  • Spread additional retries out (not hourly).
  • Cap total retry attempts inside your dunning window.
  • Stop early if the MAC changes to 03/21.

If you want a payment-ops style checklist, here is a simple starting point:

  • Retry only if your decline bucket is "soft" and the MAC allows it.
  • Never retry more than once on the same day.
  • Never exceed a fixed maximum attempts per card per billing cycle.

What does Mastercard's TPE program penalize, and why does it matter?

Why Mastercard cares about retries

Retries are not free for the network. Every attempt consumes issuer authorization capacity and contributes to fraud monitoring signals. Large retry storms, especially during card testing attacks, can degrade authorization performance for everyone.

From the merchant side, too many retries also create operational side effects:

  • Higher interchange and processing cost on repeated attempts
  • Worse issuer trust signals, which can lower approvals on future legitimate attempts
  • More support tickets and refund requests if customers see multiple pending authorizations

Mastercard's Transaction Processing Excellence (TPE) programs are designed to discourage behavior that harms the network, such as excessive authorization retries after declines.

Two common penalty categories merchants run into:

1) **Excessive authorization attempts**

If your system keeps hammering the same PAN with repeated declines (common during a BIN attack or poorly designed retry loop), you can trigger excessive attempt fees and additional compliance attention.

2) **Retrying after "do not retry" signals**

Mastercard introduced a Merchant Advice Code fee within TPE for certain CNP reattempt patterns. One practical interpretation: when the network tells you "do not retry," your retry engine must comply.

The operational point is not the fee amount. It is that your retry logic can become a direct line item on your monthly statement.

What exactly triggers a Mastercard MAC fee (TPE) for reattempts?

Your processor statement may list something like "Merchant Advice Code fee" or a TPE program fee.

According to Moneris' published network fee updates, Mastercard introduced a Merchant Advice Code (MAC) fee as part of TPE in May 2022, applying to certain CNP transactions after a reattempt following specific "do not retry" responses, using a 30-day lookback window.

Moneris also notes that Mastercard updated the MAC fee amounts over time and ties the fee to non-compliant retry behavior in its TPE initiatives.

Practical takeaway: if you retry after a decline that is effectively telling you to stop (MAC 03/21 style outcomes), you should assume you can pay a fee and also degrade your approval rate.

How to build a compliant Mastercard retry policy for subscriptions (sample logic)

A simple retry schedule you can start with (example)

This is intentionally conservative and designed to avoid rapid-fire reattempts:

  • Day 0: first attempt (original renewal)
  • Day 2: retry 1 (only if MAC allows)
  • Day 4: retry 2
  • Day 7: retry 3

Stop early if you receive a stop MAC, if the customer cancels, or if your fraud tools flag the pattern.

If you run a higher-ticket subscription, you may also require a manual review before the final attempt.

Here is a conservative, compliance-first policy you can adapt.

Step 1: classify the attempt

  • Is this cardholder-initiated (CIT) or merchant-initiated (MIT)?
  • Is this a subscription renewal, installment, or ad-hoc invoice?
  • Is the decline likely temporary (insufficient funds) or a policy/fraud block?

Step 2: read the MAC and branch

  • **MAC 03 or MAC 21:** stop retrying. Move to dunning: email, in-app prompts, and payment method update.
  • **MAC 01:** run account updater and retry only if you receive updated credentials.
  • **MAC 02:** schedule retries with spacing.
  • **MAC 04:** fix network token or credential-on-file setup before retrying.

Step 3: add guardrails that prevent retry loops

  • Max attempts per card per 30 days.
  • Max attempts per day per card.
  • Stop if the same response repeats.
  • Stop if your fraud system flags the pattern.

Step 4: capture reason codes for analytics

Store, at minimum: network, decline code, MAC, attempt number, time since last attempt, and whether 3DS was used.

How MACs intersect with "authorization data" requirements like TLID

Networks increasingly want you to include data from the original authorization response in follow-on attempts.

For example, Worldpay documents a Mastercard requirement (effective October 23, 2026) to send the Transaction Link Identifier (TLID) from the original cardholder-initiated response in subsequent merchant-initiated authorization requests.

Even if your system is not sending TLID directly, this trend matters: the network wants retries to be traceable and well-behaved.

Can 3D Secure help when a Mastercard decline keeps happening?

Sometimes. If the issuer is declining because it wants more confidence that the cardholder is present, step-up authentication can improve authorization outcomes.

For ecommerce, see our guide to 3DS2 here: 3D Secure 2 Merchant Guide.

3DS is not a workaround for MAC 03/21 style "do not retry" outcomes. It is a tool for the right bucket of soft declines.

A quick comparison: MAC-based retries vs. blind retries

What to ask your processor for (so you can implement this correctly)

If you are not sure whether you are getting MACs today, send these questions to your processor or gateway:

  • Do you pass Mastercard MAC values in the API response? If yes, what field name?
  • Do you pass Visa Merchant Advice Codes or Visa response category info?
  • Are there settings that control whether MACs are surfaced?
  • If we enroll in account updater, how do updates flow into merchant-initiated retries?
  • Do you pass through TPE-related fees as line items? If yes, what are the descriptor names?

Documenting the answers now saves time if your account later gets flagged for excessive retries.

  • **Blind retries:** maximize network noise, trigger fees, and often reduce approval rates.
  • **MAC-based retries:** reduce attempts, align timing with issuer guidance, and help you explain your process to your processor if you get flagged.

If you only implement one change this quarter, implement MAC parsing plus a hard stop for do-not-retry signals.

FAQ

Do all processors pass Mastercard MACs to merchants?

No. Some processors do not expose MACs in their API payloads, or they only expose them for specific products. Ask support for a sample response that includes MAC and confirm where it appears in your integration.

Is MAC the same thing as MCC?

No. MAC is guidance after a decline. MCC is your merchant category classification used for risk and interchange.

Should I ever retry after MAC 03 or MAC 21?

As a default, no. Treat these as stop signals for automated retries. If you believe the decline is incorrect, move to customer outreach or manual review instead of automated reattempts.

How many times can I retry a declined Mastercard transaction?

There is no single safe universal number because it depends on your processor, your decline mix, and Mastercard monitoring programs. A conservative approach is to keep retries low, spaced out, and always compliant with the MAC guidance.

Will retry fees show up on my merchant statement?

Often yes. Many processors pass network fees through as line items, including TPE-related fees.

Closing: get a merchant account that supports your retry model

You can apply for a merchant account through Easy Pay Direct or another processor that fits your model. Other options worth a look:

  • https://merchantalternatives.com/go/easypaydirect/
  • https://merchantalternatives.com/go/helcim/
  • https://merchantalternatives.com/go/stax/

Internal links used in this article:

  • https://merchantalternatives.com/visa-vamp-merchant-guide/
  • https://merchantalternatives.com/merchant-account-reserves-and-funding-holds-guide/
  • https://merchantalternatives.com/3d-secure-2-merchant-guide/

Sources:

  • https://www.mastercard.com/content/dam/mccom/shared/business/support/rules-pdfs/mastercard-rules.pdf
  • https://www.moneris.com/en/support/additional-resources/payment-card-network-fee-updates
  • https://www.paypal.com/us/brc/article/avoid-excessive-retries-penalties
  • https://docs.worldpay.com/apis/ips/features/mastercard-tlid
Written by 

Tyler Durbin