MasterCard PayPass. M/Chip, Acquirer Implementation Requirements. v.1-a4 6/06

Transcription

1 MasterCard PayPass M/Chip, Acquirer Implementation Requirements v.1-a4 6/06

2 TABLE OF CONTENTS 1 USING THESE REQUIREMENTS Purpose Scope Audience Overview Language Use Related Publications Related Information Abbreviations Further Information INTRODUCTION Overview of MasterCard PayPass Interoperability Implementation Summary Transaction Flow Enhancements for PayPass ACQUIRER IMPACTS Overview Program Enrollment Terminal Selection Branding PayPass Readers Supporting Other Payment Acceptance Methods at PayPass M/Chip Terminals Terminal and Network Performance Terminal Application Application Selection and Cardholder Confirmation Offline Data Authentication Requirements Offline PIN Cardholder Verification and Receipt Limits for PayPass M/Chip PayPass Service Codes Fallback for PayPass Transactions Decline and Pick-up/Capture Card Responses Referrals / Call Me Issuer Responses Terminal Installation Amount Entry at POS Environment Accepting PayPass Mag Stripe and Cardholder Devices Network and Host System Changes Terminal Integration Process (TIP) Testing TERMINAL CONFIGURATION PayPass Specific Terminal Data List of AIDs and Related Application Labels Cardholder Verification and Receipt Limit for PayPass M/Chip Permitted PayPass Transaction Types Terminal Action Codes Terminal Capabilities NETWORK INTERFACES AND HOST SYSTEMS Summary of Changes Authorization Requests Authorization Responses Clearing Chargebacks Network Interface Validation (NIV) Testing TESTING Testing Overview Testing Scope by PayPass Terminal Type Testing Process Test Stages System Buildup TIP NIV ETED Post-Live Monitoring Further Information and Contact Details...34 APPENDICES...35 Appendix A, PayPass Transaction Flows...35 Appendix B, Glossary v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

3 Copyright The information contained in this manual is proprietary and confidential to MasterCard International Incorporated (MasterCard) and its Members. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard. Media This document is available in both electronic and printed format. MasterCard International CCOE Chaussée de Tervuren, 198A B-1410 Waterloo Belgium MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 3

4 . USING THESE REQUIREMENTS 1.1 Purpose This document provides guidelines for acquirers implementing the MasterCard PayPass M/Chip product. These implementation requirements assume an implementation on top of an acquirer s existing EMV (contact) deployment. For further information on migrating to contact EMV refer to the MasterCard M/Chip Customer Implementation Guide. 1.2 Scope This document defines the impacts and implementation requirements for acquirers implementing PayPass M/Chip acquiring. It provides a level of detail that will enable acquirers to identify the required system changes. This includes information on terminal functionality and configuration. Further detailed information on the PayPass and M/Chip technology is available in the corresponding specification documents. The reader may need to refer to these for a deeper understanding of the technology or areas outside the scope of an acquirer implementation. These requirements are for PayPass implementations of the MasterCard credit product only. The following are outside the scope of these requirements: Implementing EMV acquiring. Only the additional requirements for PayPass M/Chip are addressed in this document. ATMs, bank branch terminals, level 4 8 Cardholder Activated Terminals or transactions. NOTE These requirements apply to acquirers who have already implemented EMV acceptance. They describe implementing PayPass acceptance within that context. These requirements are limited to acquirer acceptance of PayPass M/Chip issued cards but references PayPass Mag Stripe where necessary. 4 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

5 1.3 Audience This document is intended for use by acquirers implementing MasterCard PayPass acceptance. It is assumed that the audience is already familiar with EMV Chip acceptance in general. 1.4 Overview This document is a guide for acquirers implementing PayPass M/Chip. It details the requirements, impacts, and any necessary implementation data or configurations. PayPass M/Chip implementations are an extension to an acquirer EMV Chip implementation. The following table provides an overview of the chapters in this manual: CHAPTER Table of Contents 1. Using These Requirements DESCRIPTION A list of the manual s tabbed sections and subsections. Each entry references a section and page number. Describes the purpose and contents of the manual. 2. Introduction Provides an introduction to the MasterCard PayPass product and this manual. 3. Acquirer Impacts Describes the impacts and considerations for an acquirer implementation of PayPass M/Chip. 4. Terminal Configuration 5. Network Interfaces and Host Systems Defines required terminal data for PayPass M/Chip terminals. Summarizes the network interface and host system changes required for PayPass M/Chip. 6. Testing Summarizes the required testing for an acquirer implementation. Appendix A PayPass Transaction Flows Appendix B Glossary Transaction flow diagrams at PayPass M/Chip terminals. Glossary of terms used in this document. 1.5 Language Use The spelling of English words in this manual follows the convention used for U.S. English as defined in Webster s New Collegiate Dictionary. An exception to the above concerns the spelling of proper nouns. In this case, we use the local English spelling. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 5

6 1. USING THESE REQUIREMENTS 1.6 Related Publications The following publications contain material directly related to the contents of this book: 1. AS2805 Message Formats (authorizations) 2. Chargebacks Standards Bulletin January CIS Message Formats for Regional Service Centers (authorizations) 4. Customer Interface Specification (authorizations) 5. GCMS Release Document (clearing) 6. Global Operations Bulletin No. 6, June IPM Clearing Formats (clearing) 8. M/Chip 4 Security & Key Management, Version 1.0 October M/Chip Customer Implementation Guide, September M/Chip Functional Architecture for Debit and Credit, January MasterCard PayPass Product Guide, February MDS Message Formats for Regional Service Centers (single message systems) 13. PayPass ISO/IEC Implementation Specification, Version 1.10 March PayPass M/Chip Technical Specifications, Version 1.3 September PayPass Mag Stripe Security Architecture, Version 1.0a September PayPass Mag Stripe Technical Specifications, Version 3.1 November PayPass Branding Standards Manual, Version 5 July PayPass Terminal Vendor Testing Process Manual 19. V5 Interface Specification (authorizations) 1.7 Related Information The following reference materials may be of use to the reader of this manual: ISO/IEC 7811/2 ISO/IEC 7813:1995 EMV BOOK 1 EMV BOOK 2 EMV BOOK 3 EMV BOOK 4 Identification cards Recording technique Part 2: Magnetic stripe Identification cards Financial transaction cards Integrated Circuit Card Specification for Payment Systems: Application Independent ICC to Terminal Interface Requirements. Version 4.1 May 2004 Integrated Circuit Card Specification for Payment Systems: Security & Key Management. Version 4.1 May 2004 Integrated Circuit Card Specification for Payment Systems: Application Specification. Version 4.1 May 2004 Integrated Circuit Card Specification for Payment Systems: Cardholder, Attendant and Acquirer Interface Requirements. Version 4.1 May v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

7 1.8 Abbreviations The following abbreviations are used in these requirements: ABBREVIATION AC AID ASI CAM CAT CDA CIS CVC CVM DDA ECR ETEC ETED EMV Hex ICC IIN ISO NIV NCFF PAN PIN PIX POS RFU SDA TAC TDOL TIP TRM DESCRIPTION Application Cryptogram Application Identifier Application Status Indicator Card Authentication Method Cardholder Activated Terminal Combined Data Authentication Customer Implementation Systems Card Verification Code Cardholder Verification Method Dynamic Data Authentication Electronic Cash Register Easy Test Cards End-to-End Demonstration (testing) Europay MasterCard Visa Hexadecimal Integrated Circuit Card Issuer Identification Number International Organization for Standardization Network Interface Validation Non-Card Form Factor Primary Account Number Personal Identification Number Proprietary Application Identifier Extension Point of Sale Reserved for Future Use Static Data Authentication Terminal Action Codes Transaction Certificate Data Object List Terminal Integration Process Terminal Risk Management MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 7

8 1. USING THESE REQUIREMENTS 1.9 Further Information Further information on the above and the overall PayPass program is available in the MasterCard PayPass Product Guide and the PayPass Technical Specifications. Questions may also be addressed to the following addresses: General: Specifications: Testing: Chip Technical Help: 8 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

9 . INTRODUCTION 2.1 Overview of MasterCard PayPass MasterCard has initiated the development of a program allowing consumers to make MasterCard payment transactions at point of sale using contactless technology. The generic term proximity payment is used when the point of interaction is up to 10 meters from the point-of-sale (POS) terminal. While the proximity payment program covers multiple technologies and ranges, this document deals only with the MasterCard PayPass program built on the PayPass ISO/IEC Implementation Specification technology up to a range of 10 cm (4 inches). Two generic types of card products are part of the PayPass program: PayPass Mag Stripe and PayPass M/Chip. PayPass Mag Stripe was developed to allow PayPass payments using authorization networks that presently support magnetic-stripe authorization for credit or debit applications. Security has been enhanced with the introduction of a new Cardholder Verification Code (CVC) for these transactions. The new CVC is referred to as CVC3 and may be a Static or Dynamic value depending on the issuer s card implementation. There is some terminal processing required to support using CVC3 which all PayPass approved terminals will have implemented. CVC3 usage does not impact acquirer host systems or networks. PayPass M/Chip was developed to allow PayPass payments in markets that support EMV. PayPass M/Chip terminals support EMV Chip data in authorizations and clearing. They also support acceptance of PayPass Mag Stripe cards and cardholder devices. PayPass M/Chip terminals may optionally support current payment acceptance methods e.g., contact EMV and magnetic stripe. 2.2 Interoperability Interoperability is a principal PayPass requirement. This is achieved with the following requirements: The PayPass M/Chip terminal must support PayPass Mag Stripe and PayPass M/Chip cards. The PayPass Mag Stripe terminal must support PayPass Mag Stripe and PayPass M/Chip cards. The PayPass M/Chip card must support PayPass Mag Stripe. As such, all PayPass cards and cardholder devices are capable of being accepted by all PayPass terminals. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 9

10 2. INTRODUCTION 2.3 Implementation Summary Implementing PayPass M/Chip acceptance is an extension to an acquirer s existing infrastructure. The following list is a high-level summary of requirements: Acquirers need to start a PayPass M/Chip project with MasterCard and enroll in the PayPass program. For more information refer to the PayPass Product Guide. Acquirers must support full-grade Contact EMV for all PayPass M/Chip implementations. Partial grade acquiring is not permitted. Acquirers, or their merchants, will need approved PayPass terminals. Acquirers and merchants must support changes to transaction messages indicating PayPass transactions performed at PayPass terminals. Acquirers will need to manage some PayPass specific terminal configuration data. Acquirers must perform the PayPass M/Chip testing. The following chapters detail the acquirer impacts including a summary of the required network changes and terminal data configuration for a PayPass M/Chip implementation. Chapter 6, Testing, summarizes the required testing for an acquirer implementation. 2.4 Transaction Flow Enhancements for PayPass The PayPass M/Chip terminal transaction flow is based on the EMV 2000 specifications, with the specific PayPass adaptations summarized below. PayPass transaction flows are defined in the PayPass M/Chip Technical Specifications and are also shown compared to a standard EMV transaction in Appendix A, PayPass Transaction Flows, of this document. Transaction processing has been enhanced for PayPass M/Chip. The principal reason for the changes is to reduce the time that the card and terminal need to be in communication. The changes are implemented by the terminal vendor and any resulting impacts have been included in the relevant sections of this document. The following is a summary of the changes: 1. The terminal only performs the first GENERATE AC command. 2. Card-terminal interaction stops after the first GENERATE AC command. 3. Offline data authentication may be performed after the first GENERATE AC command. 4. Data exchange between the card and terminal is optimized by personalizing a fixed record structure for PayPass M/Chip card applications. This enables PayPass M/Chip terminals to read the minimal amount of data required for that transaction. The terminal can also skip reading certain records if it knows in advance that the transaction will be processed online. 5. Offline Personal Identification Number (PIN) is not supported for performance, usability, and security reasons. 6. Dynamic Data Authentication (DDA) is not supported since it requires a card to remain in communication with the terminal for a period of time that may be too long for cardholders. 10 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

11 . ACQUIRER IMPACTS 3.1 Overview For a general overview of PayPass requirements, services, and products refer to the MasterCard PayPass Product Guide. This document provides information to acquirers to help assess and plan their PayPass M/Chip implementation. 3.2 Program Enrollment Acquirers implementing PayPass M/Chip acceptance must enroll in the MasterCard PayPass program. Program enrollment allows acquirers access to all required specifications and to receive MasterCard related services and products. Only enrolled acquirers may offer their PayPass acquiring service or products to cardholders and merchants. 3.3 Terminal Selection The following sections provide general information on PayPass M/Chip terminal design and options to help acquirers and/or their merchants select existing or new terminals that meet their business needs. All PayPass M/Chip terminals must support MasterCard s branding requirements (see Section 3.3.1, Branding) but acquirers and merchants will need to choose their implementation-specific options such as: The physical design of the PayPass M/Chip terminal and reader. Other payment acceptance methods that the implementation supports (at the same or different terminal). Terminal and network performance. Acquirers and merchants must only use approved PayPass terminals. Products which are not PayPass approved will need to obtain approval before implementation. Subsequent changes to terminal software could affect compliance with PayPass Terminal Vendor Testing and must be discussed with MasterCard. The vendor procedures for PayPass approval are given in the MasterCard PayPass Terminal Vendor Testing Process manual. An acquirer need not be involved in the approval process, other than to request proof of approval from the vendor. Products which are already PayPass approved products are listed on MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 11

12 3. ACQUIRER IMPACTS NOTE Acquirers should note the scope of a vendor s letter of approval. It may apply only to the reader and not necessarily the reader integrated with a current or other manufacturer s POS terminal Branding Acquirer or merchant terminals must conform to MasterCard brand requirements. In order to give the cardholder clear information as to where to tap the PayPass device on the PayPass terminal, MasterCard has created the PayPass landing zone to help cardholders locate MasterCard PayPass terminals. The landing zone must be placed on the terminal to indicate where the cardholder has to tap or hold the MasterCard PayPass card. The landing zone contains the contactless identifier and the PayPass identifier. Acceptable designs are described in the MasterCard PayPass Branding Standards Manual. Figure 1 shows a PayPass terminal landing zone. Figure 1, Example of a PayPass Landing Zone PayPass Readers PayPass contactless card-to-terminal communication is supported by new PayPass readers. Acquirers may plan deployment of PayPass readers as extensions to an existing POS or as new terminal implementations. A PayPass reader does not necessarily have to be embedded in the terminal. A PayPass reader may be fully or partially integrated to a POS terminal as illustrated in Figure 2. The contactless reader may be integrated with the POS equipment in a number of configurations. Acquirers and merchants therefore have a high degree of flexibility on how to implement terminals appropriately for their implementations. For example, the PayPass reader(s) could be connected to: Individual electronic cash registers connected to a merchant store system. A single central terminal (e.g., in a tollgate or transportation scenario). A stand-alone terminal (e.g., video rental store, bus). 12 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

13 EMBEDDED READER Figure 2, PayPass Readers EXTERNAL READER Supporting Other Payment Acceptance Methods at PayPass M/Chip Terminals PayPass M/Chip terminals may support acceptance methods other than contactless. A PayPass M/Chip terminal may support the following combinations of acceptance methods: Contactless only Contactless and magnetic stripe (swipe) Contactless, contact, and magnetic stripe (swipe) NOTE MasterCard recommends that a merchant also be able to accept contact EMV transactions at a PayPass M/Chip location. Frequent consecutive use of a PayPass card causes a card s offline counters to accumulate. If the PayPass card is not used as a contact EMV card, then the limits will finally be exceeded and a contact transaction required. A successful contact EMV transaction resets the card s offline counters. For further information on how offline counters affect card behavior in M/Chip applications, refer to the MasterCard M/Chip Functional Architecture for Debit and Credit Terminal and Network Performance The PayPass product emphasizes: Cardholder convenience. Adoption of card payments for lower value transactions. Fast transactions. The adoption of card payments for lower value transactions is likely to increase the volume of card transactions. The acquirer/merchant terminals and their networks should plan for an increased volume of transactions. Increased use of PayPass M/Chip may also result in a corresponding rise in the number of contact EMV transactions at the same or other terminals for the reasons described in Section 3.3.3, Supporting Other Acceptance Methods of PayPass M/Chip Terminals. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 13

14 3. ACQUIRER IMPACTS Required transaction timings may vary significantly depending upon the type of deployment and factors external to the terminal, e.g., network and host system capabilities. Acquirers and merchants should assess their choice of terminal and the implementation environment with consideration to: Speed of offline data authentication (e.g., for Combined Data Authentication (CDA)/Static Data Authentication (SDA) and with varying key lengths and a variation of cards). Online response times for online capable terminals (e.g., less than 4 seconds). Fast receipt printing (e.g., less than 2 seconds) for cardholders requesting a receipt, or transactions above the PayPass Cardholder Verification and Receipt Limit (see Section 3.4.4, Cardholder Verification and Receipt Limits for PayPass M/Chip). 3.4 Terminal Application The terminal application for PayPass M/Chip must meet the technical requirements of PayPass M/Chip Technical Specification. The PayPass M/Chip specific impacts for the terminal application and transaction processing are described in the following sections: Application Selection and Cardholder Confirmation Offline Data Authentication Requirements Offline PIN Cardholder Verification and Receipt Limits PayPass Service Codes Fallback for PayPass Transactions Decline and Pick-up/Capture Card Responses Referral/Call Me Issuer Responses Application Selection and Cardholder Confirmation Application selection for PayPass M/Chip is modified from standard EMV (as detailed in the PayPass M/Chip Technical Specifications). The changes allow the payment application to be selected with the minimum number of command/responses. A consequence is that PayPass M/Chip terminals do not support cardholder confirmation for PayPass contactless transactions. The payment application will always be selected automatically by the PayPass M/Chip terminal. Acquirers will therefore not need to support the EMV option of allowing cardholders to select an application at a PayPass terminal. PayPass card applications that have been personalized to require cardholder confirmation will not be accepted as PayPass transactions at PayPass M/Chip terminals Offline Data Authentication Requirements The following requirements apply to PayPass M/Chip transactions only. Data authentication requirements for contact EMV transactions remain unchanged. PayPass M/Chip online capable terminals may skip data authentication if they know that they will go online for that transaction. PayPass M/Chip terminals must support data authentication as shown in Table v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

15 Offline Static Card Authentication Method (CAM) Offline Dynamic CAM SDA DDA* CDA POS with offline capability Mandatory Not Allowed Mandatory POS online only Optional Not Allowed Optional CAT online only Optional Not Allowed Optional CAT online and offline capable Mandatory Not Allowed Mandatory CAT offline only terminals Mandatory Not Allowed Mandatory * Not supported. As explained in Section 2.4, Transaction Flow for PayPass Table 1, Offline Data Authentication Requirements for PayPass M/Chip Terminals Payment system public keys for PayPass M/Chip are the same as for contact EMV and must be shared for PayPass use Offline PIN Offline PIN is not permitted at PayPass M/Chip terminals for PayPass M/Chip transactions. Offline PIN may be supported at the same terminal but only for contact EMV transactions. PayPass M/Chip does not support offline PIN verification over the contactless interface. Both offline plaintext PIN and offline enciphered PIN verification are not available when using the PayPass technology. The reasons for not supporting offline PIN are: A practical difficulty of asking cardholders to enter a PIN while holding the card in front of the reader. A potential security vulnerability from eavesdropping and PIN probing. Preventing offline PIN support requires a specific definition of the Terminal Capabilities in the configuration data for a PayPass M/Chip terminal, as defined in Section 4.6, Terminal Capabilities, of this document Cardholder Verification and Receipt Limits for PayPass M/Chip As part of the PayPass program, MasterCard has introduced new global rules for cardholder verification and receipt requirements. Cardholder verification and receipts are optional for all PayPass transactions under US $25. Regions may lower this limit if required. Further details are available in the MasterCard Chargebacks Standards Bulletin January These implementation requirements refer to the transaction amount at which the new requirement applies as the PayPass Cardholder Verification and Receipt Limit. PayPass transactions under the PayPass Cardholder Verification and Receipt Limit do not require either cardholder verification (i.e., no Cardholder Verification Method [CVM]) or a receipt; however, a cardholder may still request a receipt. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 15

16 3. ACQUIRER IMPACTS The following are required to support this PayPass functionality: The terminal must maintain a PayPass M/Chip CVM and receipt limit. The terminal must be able to use specific Terminal Capabilities value(s) (or profiles) for PayPass transactions, independent of values used for contact EMV. For PayPass transactions above the PayPass CVM and receipt limit, CVM processing is performed as defined in EMV Book 3. The PayPass CVM and receipt limit is applicable only to CVM and receipt processing and is not used to influence decisions to authorize transactions online or offline. At an online-capable terminal, if either the card or the results of Terminal Action Analysis indicate that online authorization is required, then the transaction must be sent for online authorization. NOTE The CVM and receipt limit is independent of a terminal or merchant floor limit. Existing rules apply to the value and use of floor limits PayPass Service Codes PayPass terminal and acquirer host systems may see new service code values in use for PayPass cards. PayPass terminals and acquirer host systems must be prepared to accept all ISO defined service code values appropriate to their terminals. Refer to ISO 7813 for permitted values. An explanation of why the issuer might use new service code values is given below. For further details on CVC see the PayPass M/Chip Technical Specifications. PayPass cards contain a new CVC value (CVC3) used in PayPass Mag Stripe transactions for enhanced security. Issuers have a number of options for implementing how the new CVC3 value is calculated. One permitted method is to use different service code values for the chip track data used in the PayPass Mag Stripe transactions and the magnetic stripe. As the service code is input to a CVC calculation, different CVC values would result without issuer needing to change the CVC algorithm. An example below illustrates one possible way the service code could differ between the magnetic stripe and the PayPass Mag Stripe Track 2 data. Example: When the card is used as contact EMV or magnetic stripe (swiped) a service code of xx1 is used (1 = No Restrictions). When the card is used as PayPass Mag Stripe a service code of xx2 is used (2 = Goods and Services Only). 16 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

17 3.4.6 Fallback for PayPass Transactions The following defines the PayPass requirements for fallback at PayPass terminals. Definition A PayPass fallback transaction is a consecutive transaction, at the same terminal, with the same card (or cardholder device) but with a different acceptance technology (e.g., contact EMV or mag stripe). Transactions are classified as fallback when the preceding transaction did not complete because of a failure in the terminal-to-card communication after the first successful select command. Application layer errors or declines are not considered communication errors. A consecutive transaction with the same card at a different terminal is not considered a PayPass fallback transaction. Fallback Rules for PayPass Cards at PayPass Terminals The possible methods of fallback depend on the implemented technologies of both the card and the terminal. A mag stripe is mandatory for PayPass cards and optional for PayPass non-card form factor (NCFF) (cardholder) devices. PayPass M/Chip cards must also have a contact chip. When supported by both the card and the terminal, PayPass fallback always follows the order of preference of: Contact EMV Magnetic stripe (swipe) At a terminal supporting only PayPass contactless (i.e., not supporting magnetic stripe swipe or contact EMV) there is no fallback. Identifying Fallback Transactions Since there are no current means to identify PayPass fallback transactions at the terminal, there are no changes to network messages to identify PayPass fallback. Current rules apply to transactions falling back from contact to mag stripe. Current rules for fallback with contact EMV are explained in the M/Chip Functional Architecture. Online/Offline Authorizations for PayPass Fallback Transactions There are no changes to authorization requirements for PayPass fallback transactions. PayPass fallback transactions are authorized according to the current payment product rules Decline and Pick-up/Capture Card Responses Acquirers must decline these transactions and optionally retain the card at an attended terminal. NOTE This is optional since it may be impractical for an attendant to retain a card that is not initially handed over to the merchant during payment. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 17

18 3. ACQUIRER IMPACTS Referrals / Call Me Issuer Responses Referrals / Call Me Issuer responses are not required to be supported by Acquirers for PayPass M/Chip. They may be declined by the Acquirer or Merchant. The PayPass product offering is aimed at fast, convenient payments. Merchants may tend to implement PayPass payments at either unattended or Fast Service cash registers which would make Call Me or Referral responses inappropriate. Additionally, cardholders paying with a PayPass cardholder device may be unable to provide the card number if it is not embossed or printed on the device. 3.5 Terminal Installation The following describes considerations relevant to terminal installation: Amount Entry at POS If a merchant uses a separate Electronic Cash Register (ECR) and PayPass POS terminal then they must be connected. The payment amount generated by the ECR must be made automatically available electronically to the PayPass terminal when a cardholder chooses to pay with PayPass Environment Acquirers should note the importance of the physical environment for their PayPass M/Chip terminals. The placement of the PayPass reader is particularly important as it is the cardholder who uses the terminal and not the merchant. The PayPass reader containing the antenna needs to be conveniently placed and easily visible. The PayPass contactless operation can also be adversely affected by inappropriate placement of the reader; e.g., on a metal surface. 18 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

19 3.5.3 Accepting PayPass Mag Stripe and Cardholder Devices Acquirers should note that their PayPass M/Chip terminals will also support PayPass Mag Stripe transactions. Merchants should be made aware that PayPass Mag Stripe acceptance also means that non-conventional card forms (non-card form factors) will be valid for acceptance at their terminals. Examples include key fobs and mobile phones. Figure 3, Example of PayPass Cardholder Devices Transactions from PayPass Mag Stripe cards and PayPass cardholder devices are PayPass Mag Stripe transactions with new values in existing fields for authorization and clearing messages as described in Chapter 5, Network Interfaces and Host Systems, of this document. 3.6 Network and Host System Changes Terminals, merchant systems, and acquirer host need to support changes to network messages and host systems as summarized in Chapter 5, Network Interfaces and Host Systems, of this document. 3.7 Terminal Integration Process (TIP) Testing An acquirer or merchant s terminal installation is tested during TIP testing. The testing environment should be as close to the intended deployment as possible. Easy Test Cards (ETEC) and the MasterCard simulator are required for this testing (see Section 6.6, TIP, of this document for details). MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 19

20 . TERMINAL CONFIGURATION 4.1 PayPass Specific Terminal Data The following sections provide configuration requirements for PayPass M/Chip terminals. The acquirer and/or merchant must ensure that the following are PayPass M/Chip specific and maintainable independently of other contact EMV data: 1. List of supported Application Identifiers (AIDs) and related application labels 2. CVM and receipt limit (PayPass) 3. Permitted transaction types 4. Terminal Action Codes 5. Terminal Capabilities NOTE KEY MANAGEMENT: Payment System Public keys for PayPass M/Chip are the same as for contact EMV and must be shared for PayPass use. 4.2 List of AIDs and Related Application Labels PayPass M/Chip terminals must maintain an independent list of identifiers (AIDs) accepted by the terminal for PayPass. The AID value used for transaction processing is the AID of the card application e.g., MasterCard Credit (A ). There are no specific AIDs for PayPass. The terminal list of identifiers is a list of all applications accepted at that terminal. Application Status Indicators (ASIs) are associated with each AID in the terminal list. The ASI defines whether the AID may be used in partial selection or a full match only. Only selection of the full AID is currently supported for PayPass. All ASIs must indicate that only full AID selection is supported. Refer to the MasterCard PayPass M/Chip Technical Specifications for a detailed definition of how ASIs are used in PayPass. PIX extensions are not excluded in PayPass, but note that since PayPass supports only full AID selection, PIX extensions should only be used for specific domestic, co-branding or issuer implementations. Generic acceptance of PayPass cards uses the MasterCard product AID without any extension. Table 2 provides the names (Application Labels) that must be associated with the specific AIDs used for MasterCard products. 20 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

21 PRODUCT RID PIX PIX EXTENSION APPLICATION LABEL MasterCard A MasterCard MasterCard with domestic functions MasterCard applications for domestic environment only A DCCC XX.. MasterCard A DCCC XX Issuer-defined MasterCard co-branded A CNNNNN YYYY.. MasterCard Legend: D Hex D (4 bits coded as 1101) C Hex C (4 bits coded as 1100) CCC Country code of the national registration authority NNNNN Co-brander s identification defined by MasterCard XX Defined by the national registration authority YYYY.. Defined by the co-brander As defined by ISO , domestic schemes may use the registration category D (4 bits coded as 1101) followed by the country code of the national registration authority, followed by fields specified by the national authority. This may be used for cards with a non-mastercard Issuer Identification Number (IIN). Table 2 lists the application label recommended by MasterCard. Issuers and acquirers can either use the labels in lowercase (e.g., mastercard ), as provided in Table 2, or in capitals (e.g., MASTERCARD ). Table 2, AIDs and Related Application Labels 4.3 Cardholder Verification and Receipt Limit for PayPass M/Chip PayPass M/Chip terminals must be able to maintain a limit value, specific to PayPass, below which cardholder verification and a receipt are optional. The limit is used in conjunction with the terminal capabilities as described in Section 4.6, Terminal Capabilities, of this document Permitted PayPass Transaction Types Permitted PayPass M/Chip transaction types are as current payment product rules; however, the following are not within the scope of this guide. ATM transactions Branch terminal transactions CAT 4 8 transactions All MasterCard PayPass transactions are card-present transactions. 4.5 Terminal Action Codes (TACs) TACs specific to PayPass M/Chip use are required. The TACs defined in these tables are specified to work in conjunction with the PayPass transaction flows as defined in the MasterCard PayPass M/Chip Technical Specifications. They are optimized with a bias toward permitting offline transactions. Table 3 and Table 4 list the defined TACs by terminal type for: Online-capable POS and CAT Offline-only POS and CAT MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 21

22 4. TERMINAL CONFIGURATION NOTE These TACs are specific to PayPass M/Chip terminals performing PayPass M/Chip transactions. If the terminal supports contact transactions the terminal should maintain the PayPass TACs independently. BYTE BIT MEANING DENIAL ONLINE DEFAULT 1 8 Offline data authentication was not performed Offline static data authentication failed Integrated Circuit Card (ICC) data missing Card appears on terminal exception file Offline dynamic data authentication failed Combined DDA/AC generation failed RFU RFU ICC and terminal have different application versions Expired application Application not yet effective Requested service not allowed for card product New card RFU RFU RFU Cardholder verification was not successful Unrecognized CVM PIN try limit exceeded PIN entry required and PIN pad not present or not working 4 PIN entry required, PIN pad present but PIN was not entered Online PIN entered RFU RFU Transaction exceeds floor limit 0 1 0/1 * Legend 0 Mandated setting. 0/1 Non-mandated setting 1 Mandated setting. RFU Reserved for future use (The settings must be 0, 0, 0 ) * An attended POS may support voice authorization for a MasterCard card (the acquirer assumes liability if voice authorization was not obtained above the international floor limit). CAT Terminals must decline. Table 3, Full Grade TACs Online-Capable POS and CAT 22 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

23 BYTE BIT MEANING DENIAL ONLINE DEFAULT 4 7 Lower consecutive offline limit exceeded Upper consecutive offline limit exceeded Transaction selected randomly for online processing Merchant forced transaction online RFU RFU RFU Default TDOL used Issuer authentication was unsuccessful Script processing failed before final GENERATE AC Script processing failed after final GENERATE AC RFU RFU RFU RFU Legend 0 Mandated setting. 0/1 Non-mandated setting 1 Mandated setting. RFU Reserved for future use (The settings must be 0, 0, 0 ) Table 3, Full Grade TACs Online-Capable POS and CAT, continued BYTE BIT MEANING DENIAL ONLINE DEFAULT 1 8 Offline data authentication was not performed Offline static data authentication failed ICC data missing Card appears on terminal exception file Offline dynamic data authentication failed Combined DDA/AC generation failed RFU RFU ICC and terminal have different application versions Expired application Application not yet effective Legend 0 Mandated setting 0/1 Non-mandated setting 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) Table 4, TACs Offline-Only POS and CAT MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 23

24 4. TERMINAL CONFIGURATION BYTE BIT MEANING DENIAL ONLINE DEFAULT 2 5 Requested service not allowed for card product New card RFU RFU RFU Cardholder verification was not successful Unrecognized CVM PIN try limit exceeded PIN entry required and PIN pad not present or not working 4 PIN entry required, PIN pad present but PIN was not entered Online PIN entered RFU RFU Transaction exceeds floor limit 0 1 0/1 * 7 Lower consecutive offline limit exceeded Upper consecutive offline limit exceeded Transaction selected randomly for online processing Merchant forced transaction online RFU RFU RFU Default TDOL used Issuer authentication was unsuccessful Script processing failed before final GENERATE AC Script processing failed after final GENERATE AC RFU RFU RFU RFU Legend 0 Mandated setting 0/1 Non-mandated setting 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) * An attended offline only POS must support voice authorization for a MasterCard card (the acquirer assumes liability if voice authorization was not obtained above the international floor limit). A CAT terminal must decline. Table 4, TACs Offline-Only POS and CAT, continued 24 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

25 4.6 Terminal Capabilities The terminal capability (or profile) must be specific to PayPass M/Chip use. The Terminal Capabilities field is coded according the definition in EMV Book 4 but with the values specified in Table 5, Table 6, Table 7, and Table 8 of these requirements. PayPass terminals must be able to make use of PayPass specific terminal capabilities when performing a PayPass M/Chip transaction. Additionally, the value of the PayPass Terminal Capabilities depends upon whether the transaction is above the PayPass CVM and Receipt Limit or not (see Byte 2 Table 7 of the Terminal Capabilities). The terminal capabilities is then used with the CVM list from the card to select the cardholder verification method (i.e., no CVM) as specified in EMV 2000 Book 3. b8 b7 b6 b5 b4 b3 b2 b1 MEANING 0/1 x x x x x x x Manual key entry x 0/1 x x x x x x Magnetic stripe x x 0/1 x x x x x IC with contacts x x x 0 x x x x RFU x x x x 0 x x x RFU x x x x x 0 x x RFU x x x x x x 0 x RFU x x x x x x x 0 RFU Legend 0 Mandated setting 0/1 Non-mandated setting, dependent upon on the specific terminal configuration 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) * EMV defines the structure of this data item and does not yet include a value for contactless support, but EMVCo may decide to include a value future definitions. Table 5, Terminal Capabilities Byte 1 Card Data Input Capability* b8 b7 b6 b5 b4 b3 b2 b1 MEANING 0 x x x x x x x Plain-text PIN for ICC verification x 0/1 x x x x x x Enciphered PIN for online verification x x 0/1 ** x x x x x Signature (paper) x x x 0 x x x x Enciphered PIN for offline verification x x x x 0/1 x x x No CVM Required x x x x x 0 x x RFU x x x x x x 0 x RFU x x x x x x x 0 RFU Legend 0 Mandated setting 0/1 Non-mandated setting, dependent upon on the specific terminal configuration 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) ** If the terminal supports cardholder signature as a CVM, the terminal must be an attended terminal (Terminal Type = x1, x2, or x3 ) and must support a printer (Additional Terminal Capabilities, byte 4, Print, attendant bit = 1 ). Table 6, Terminal Capabilities Byte 2 CVM Capability for Transactions above the PayPass CVM and Receipt Limit MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 25

26 4. TERMINAL CONFIGURATION b8 b7 b6 b5 b4 b3 b2 b1 MEANING 0 x x x x x x x Plain-text PIN for ICC verification x 0 x x x x x x Enciphered PIN for online verification x x 0 x x x x x Signature (paper) x x x 0 x x x x Enciphered PIN for offline verification x x x x 1 x x x No CVM Required x x x x x 0 x x RFU x x x x x x 0 x RFU x x x x x x x 0 RFU Legend 0 Mandated setting 0/1 Non-mandated setting, dependent upon on the specific terminal configuration 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) Table 7, Terminal Capabilities Byte 2 CVM Capability for Transactions under the PayPass CVM and Receipt Limit b8 b7 b6 b5 b4 b3 b2 b1 MEANING 1/0 x x x x x x x SDA x 0 x x x x x x DDA x x 1/0 x x x x x Card capture x x x 0 x x x x RFU x x x x 1/0 x x x Combined DDA/Application Cryptogram Generation x x x x x 0 x x RFU x x x x x x 0 x RFU x x x x x x x 0 RFU Legend 0 Mandated setting 0/1 Non-mandated setting, dependent upon on the specific terminal configuration 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) Table 8, Terminal Capabilities Byte 3 Security Capability 26 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

27 . NETWORK INTERFACES AND HOST SYSTEMS 5.1 Summary of Changes PayPass transactions at PayPass M/Chip terminals are indicated by new values in existing fields for authorizations and clearing. These PayPass specific changes are detailed in the MasterCard Global Operations Bulletin No. 6, June 2005, and incorporated in the latest authorization and clearing manuals for your region. PayPass transactions from PayPass M/Chip terminals will be either: PayPass ICC transactions with ICC related data (i.e., field DE055 ICC related Data and DE023 Card Sequence Number if provided by the card to the terminal). ICC related data is not present in authorization requests and clearing transactions. PayPass Mag Stripe transactions with the same format as current mag stripe transactions. All PayPass transactions contain new values in fields DE022 and DE061, indicating that they are PayPass transactions at a PayPass terminal. The network changes to support these requirements are summarized in the following sections. Accepting Contact EMV at PayPass M/Chip Terminals Acquirers who deploy PayPass M/Chip terminals supporting contact EMV must be Full Grade acquirers. If a PayPass M/Chip terminal accepts contact EMV then it must also accept mag stripe transactions and be EMVCo certified. Partial Grade and PayPass Mag Stripe acquirers must migrate to Full Grade EMV acquiring. Full Grade acquiring is the term used to describe an acquirer that has invested in chip terminals, and has also upgraded its network and host systems to support the additional information generated during a chip transaction. Full Grade acquirers provide DE055 in the authorization request and clearing messages. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 27

28 5. NETWORK INTERFACES AND HOST SYSTEMS 5.2 Authorization Requests PayPass authorizations must be processed with the new values defined in Table 9 below. DATA ELEMENT SUBELEMENT VALUES 061 (POS Data) 11 (POS card data terminal input capability) 022 (POS Entry Mode) 1 (POS Terminal Primary Account Number [PAN] Entry Mode) 4: contactless magnetic stripe 3: contactless M/Chip Table 9, New Values in Existing Fields for PayPass Authorizations 91: PAN auto-entry via contactless mag stripe 07: PAN auto entry via contactless M/Chip 5.3 Authorization Responses ICC response data, including Issuer Scripts, is not returned from issuers for PayPass M/Chip transactions. In the event that ICC response data is returned, acquirers are not required to return it to the terminal. If the data is returned to the terminal then the terminal shall not process the data. The terminal is not required to retain the data. 5.4 Clearing New values in existing fields are required for PayPass clearing transactions. Table 10 defines the new values. Other fields and values remain as present. DATA ELEMENT SUBELEMENT VALUES 022 (POS Entry Mode) 1 (POS card data input capability) A: terminal supports PAN auto-entry via contactless mag stripe M: terminal supports PAN auto-entry via contactless M/Chip 022 (POS Entry Mode) 7 (card data input mode) A: PAN auto-entry via contactless mag stripe M: PAN auto entry via contactless M/Chip 022 (POS Entry Mode) 10 (card data output capability) 0: unknown no indication given 1: none 3: ICC (Contact EMV, PayPass Mag Stripe, and PayPass M/Chip) Table 10, New Values in Existing Fields for PayPass Clearing Transactions 28 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

29 NOTE The TVR sent to the issuer in clearing messages from offline only terminals may differ from the TVR used in Terminal Action Analysis. This is because the PayPass M/Chip Transaction flow enhancements allow some terminal-related, TVR-related processing to be postponed until after the first GENERATE AC command. The value that the terminal sent to the card in the first GENERATE AC must be used in clearing messages. This is illustrated in transaction flows in Appendix A, PayPass Transaction Flows, of this document and in full detail in the PayPass M/Chip Technical Specification. 5.5 Chargebacks Cardholder verification and receipts are optional for all PayPass transactions under US $25. Regions may lower this limit if required. These implementation requirements refer to the transaction amount at which the new requirement applies as the PayPass Cardholder Verification and Receipt Limit (see Section 3.4.4, Cardholder Verification and Receipt Limits for PayPass M/Chip, of this document). To support this change, acquirers are protected against chargebacks for PayPass transactions with the reason codes shown in Table 11. Issuers may not chargeback properly identified PayPass transactions with these reason codes. MESSAGE REASON CODE DESCRIPTION 4801 Requested Transaction Data Not Received 4802 Requested/Required Information Illegible or Missing 4837 No Cardholder Authorization Table 11, PayPass Impacted Chargeback Reason Codes Full details of the changes are available in the MasterCard Chargebacks Standards Bulletin January For users of MasterCom, the existing Acquirer s Retrieval Response Code has been updated to reflect these changes (see Table 8). Acquirers may use this rejection code for qualified PayPass transactions under US $25. ACQUIRER RESPONSE CODE C DESCRIPTION The issuer s request for retrieval was for a transaction identified as a PayPass transaction that is equal to or below US $25 or QPS No item available Table 12, Updated MasterCom Acquirer Response Codes for PayPass 5.6 Network Interface Validation (NIV) Testing The acquirer s network implementation is tested during NIV testing. See Section 6.7, NIV, of this document for further information on NIV testing. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 29