PayPass M/Chip Requirements. 10 April 2014

Transcription

1 PayPass M/Chip Requirements 10 April 2014

2 Notices Following are policies pertaining to proprietary rights, trademarks, translations, and details about the availability of additional information online. Proprietary Rights The information contained in this document is proprietary and confidential to MasterCard International Incorporated, one or more of its affiliated entities (collectively MasterCard ), or both. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard. Trademarks Trademark notices and symbols used in this document reflect the registration status of MasterCard trademarks in the United States. Please consult with the Customer Operations Services team or the MasterCard Law Department for the registration status of particular product, program, or service names outside the United States. All third-party product and service names are trademarks or registered trademarks of their respective owners. Disclaimer MasterCard makes no representations or warranties of any kind, express or implied, with respect to the contents of this document. Without limitation, MasterCard specifically disclaims all representations and warranties with respect to this document and any intellectual property rights subsisting therein or any part thereof, including but not limited to any and all implied warranties of title, non-infringement, or suitability for any purpose (whether or not MasterCard has been advised, has reason to know, or is otherwise in fact aware of any information) or achievement of any particular result. Without limitation, MasterCard specifically disclaims all representations and warranties that any practice or implementation of this document will not infringe any third party patents, copyrights, trade secrets or other rights. Translation A translation of any MasterCard manual, bulletin, release, or other MasterCard document into a language other than English is intended solely as a convenience to MasterCard customers. MasterCard provides any translated document to its customers AS IS and makes no representations or warranties of any kind with respect to the translated document, including, but not limited to, its accuracy or reliability. In no event shall MasterCard be liable for any damages resulting from reliance on any translated document. The English version of any MasterCard document will take precedence over any translated version in any legal proceeding. Information Available Online MasterCard provides details about the standards used for this document including times expressed, language use, and contact information on the Publications Support page available on MasterCard Connect. Go to Publications Support for centralized information. PPMR 10 April 2014 PayPass M/Chip Requirements

3 Summary of Changes, 10 April 2014 This document reflects changes associated with the 10 April 2014 publication. To locate these changes online, click the hyperlinks in the following table. Description of Change Removed Purchase with Cash Back is not supported on Maestro PayPass Added information that the contactless interface must not be used for transactions identified with specific MCCs Removed General Requirements, topic PayPass Enrollment Removed Maestro cards must not support Purchase with Cash Back on the contactless interface. from the topic Purchase with Cash Back Added information in Application Selection : R ALL Issuers must configure the Kernel Identifier in each directory entry of the PPSE on the card. Added information in Personalization Requirements : BP ALL Issuers should be aware of the ricks and limitations associated with using proprietary tags in their card personalization. Where to Look Chapter 2, section PayPass Transaction Types Chapter 2, section PayPass Transaction Types Chapter 3, Issuer Requirements Chapter 3, section Card Requirements Chapter 3, section Card Requirements, topic Application Selection Chapter 3, section Card Requirements, topic Personalization Requirements BP ALL If present in the card personalization, it is recommended that Third Party Data be included in the FCI Issuer Discretionary Data that is returned when the application is selected. Added Issuers should be aware that the contents of the Proprietary Data subfield of Third Party Data can be freely read, and therefore should not contain sensitive cardholder information BP ALL Issuers should respect relevant local data privacy laws when personalizing the Proprietary Data subfield of Third Party Data on the card. Added the following information regarding PayPass M/Chip Personalization Requirements : If the card application supports the configuration of a maximum transaction amount then this must only be used to influence the decision to authorize the transaction online or offline. A transaction must not be declined based solely on this parameter. Chapter 3, section Card Requirements, topic PayPass M/Chip Personalization Requirements R ALL If a maximum transaction amount in the contactless card configuration is used, it must not lead to transactions being declined offline. To facilitate ATC monitoring, issuers should able to distinguish card identifiers read from separate cardholder devices, even if they are linked. This can be done by using different PAN values and/or PAN Sequence Numbers. PayPass M/Chip Requirements 10 April

4 Description of Change Where to Look BP ALL The issuer should not use the same combination of PAN and PAN Sequence Number on separate cardholder devices, even if linked. Issuers may choose to use an Application PAN on the contactless interface which is different to the PAN present on the magnetic stripe or that appears on the face of the card. Added the following information regarding Card Delivery : In order to fully benefit from new payment opportunities that contactless offers, issuers must inform cardholders that contactless functionality is available and provide directions on using it with the card. Chapter 3, section Card Delivery R ALL Issuers must alert cardholders that contactless functionality exists when issuing/providing new cards. Updated DE 22, subfield 1 values in topic Authorization Messages Updated the following information regarding Authorization Decisions : Although the information in DE 55 is normally consistent with other fields, there may be some difference for certain data elements. Issuers should not routinely decline transactions when differences occur in the data. Chapter 3, section Issuer Host Requirements, topic Authorization Messages Chapter 3, section Issuer Host Requirements, topic Authorization Decisions BP ALL If the ARQC is correct, the issuer should not decline a transaction simply because the data in DE 55 is different from the values in the following data elements: DE 3 Processing Code DE 4 Amount, Transaction DE 13 Date, Local Transaction DE 43 Card Acceptor, Name/Location DE 49 Currency Code, Transaction DE 54 Additional Amounts Added the following information regarding Authorization Responses: As a result of contactless-specific risk management the issuer may wish to decline and prompt the cardholder to perform a contact transaction with CVM where possible. In this case the issuer should use an authorization response code 65 exceeds withdrawal count limit. Chapter 3, section Issuer Host Requirements, topic Authorization Responses BP ALL If the issuer declines a contactless transaction on a dual interface card, but wants to offer the cardholder the option to perform a contact transaction, an authorization response code 65 exceeds withdrawal count limit should be used. Clarified wording regarding PayPass M/Chip Personalization Requirements Chapter 3, section Card Requirements 2 10 April 2014 PayPass M/Chip Requirements

5 Description of Change Added the following information regarding PayPass Acceptance : R ALL A contactless-enabled terminal that supports EMV contact chip transactions must also support EMV mode contactless transactions. Added the following information regarding terminal approvals and testing: All existing contactless readers that comply with PayPass M/Chip version 3.0 or EMVCo Book C-2 must support the Terminal Risk Management Data data object (as defined in Data Requirements) before 1 January Where to Look Chapter 4, section General Requirements, topic PayPass Acceptance Chapter 4, section Terminals, topic Approvals and Testing R ALL Contactless readers that comply with PayPass M/Chip version 3.0 or EMVCo Book C-2 must support the Terminal Risk Management Data data object by 1 January Added the following information regarding terminal design and ergonomics: Additional actions must not be required on the terminal in order to enable a contactless transaction. This includes: Inserting a card Pressing extra buttons on the POS terminal (with respect to contact transactions) Entering the amount a second time on the POS terminal Chapter 4, Terminals, topic Terminal Design and Ergonomics R ALL Additional actions must not be required on the payment terminal in order to activate the contactless reader. Updated information regarding Purchase with Cash Back Updated information regarding Manual Cash Advance Updated information regarding Reader Specifications Clarified information regarding Visual Card Checks Updated information regarding the presence of CVM Results (tag 9F34 ) being mandatory for all authorization messages containing DE 55 that are transmitted from acquirer chip systems certified by MasterCard on or after 13 April 2012 Updated information regarding POI Currency Conversion Chapter 4, section Terminals, topic Transaction Types Purchase with Cash Back Chapter 4, section Terminals, topic Manual Cash Advance Chapter 4, section Terminals, topic Reader Specifications Chapter 4, section Terminals, topic Visual Card Checks Chapter 4, section Authorization Requirements Chapter 4, section Terminals PayPass M/Chip Requirements 10 April

6 Description of Change Updated information regarding Terminal Action Codes Updated references: From: chargeback protection amount To: CVM limit Where to Look Chapter 5, section Terminal Action Codes Throughout document 4 10 April 2014 PayPass M/Chip Requirements

7 Table of Contents Chapter 1 Using This Manual... 1-i Purpose Scope Audience Requirements and Best Practices Terminology Reference Information Conventions Chapter 2 PayPass Introduction... 2-i Introduction Participation PayPass Operating Modes PayPass Cards PayPass Transaction Types PayPass Acceptance PayPass Transaction Flow Other Transaction Environments Chapter 3 Issuer Requirements... 3-i Card Requirements Card Delivery Issuer Host Requirements Clearing Requirements Chargeback and Exception Processing Chapter 4 Acquirer Requirements... 4-i General Requirements Terminals Offline Card Authentication Cardholder Verification Terminal Risk Management Terminal Action Codes PayPass M/Chip Requirements 10 April 2014 i

8 Table of Contents Authorization Responses Cardholder Receipts Subsequent Contact Transactions Terminated Transactions Cardholder Activated Terminals Automated Teller Machines Vending Machines Acquirer Network Requirements Authorization Requirements Clearing Requirements Exception Processing On-behalf Services Chapter 5 Data Requirements... 5-i Terminal Action Codes Payment Scheme Specific Data Objects Application Capabilities Information Terminal Risk Management Data Third Party Data Track 1 Data Track 2 Data Appendix A Abbreviations... A-i Abbreviations...A-1 ii 10 April 2014 PayPass M/Chip Requirements

9 Chapter 1 Using This Manual This section provides information on the purpose, overview, and conventions used within this manual as well as other related information. Purpose Scope Audience Requirements and Best Practices Terminology Reference Information Conventions PayPass M/Chip Requirements 10 April i

10 Using This Manual Purpose Purpose This document provides the MasterCard requirements and best practices for issuers and acquirers when using contactless chip technology with their MasterCard M/Chip products. It contains the requirements relating to MasterCard, Debit MasterCard and Maestro PayPass card programs, and the requirements for performing contactless transactions at attended and unattended terminals. This document does not provide an introduction to PayPass or explanation as to how PayPass works, nor does it duplicate or reproduce existing standards such as EMV or the existing MasterCard requirements for other technologies. The purpose of the manual is to: Define the PayPass requirements that MasterCard has established for use with MasterCard brands Propose recommendations that constitute best practices for PayPass implementations Define when and how the functions must be used as a requirement or should be used as a best practice Scope This document does not discuss general brand rules or requirements, except to explain how certain rules are implemented in PayPass. In general, the brand rules continue to apply to PayPass transactions except when modified for PayPass and as explained in this document. For example, chargeback rights are the same for PayPass except in connection with CVM limits described here. For full details of the rules and requirements for specific card brands, refer to the relevant documentation on MasterCard Connect (see the Reference Information below). These requirements have been written for PayPass M/Chip deployments. In that context they also cover PayPass Mag Stripe functionality. They do not apply to PayPass-Mag Stripe only deployments. PayPass M/Chip Requirements 10 April

11 Using This Manual Audience The following products, services, or environments are not in the scope of this document because they are already addressed in other dedicated documents: Card Application Specifications (for example, M/Chip Advance, PayPass M/Chip 4) Terminal and reader specifications EMV contact chip card interface and transactions (for example, M/Chip Requirements) Personalization Data Data Storage applications used with PayPass MasterCard Cash Audience This document is intended for use by MasterCard customers and product vendors involved in PayPass implementation projects who already have a general understanding of how the contactless chip product works. The target audience includes: Staff working on PayPass M/Chip implementation projects Operations staff who need to understand the impact of PayPass on their activities Requirements and Best Practices Requirements are functional elements which must be implemented as stated in the text to achieve the required level of acceptance for MasterCard or Maestro branded PayPass cards on PayPass-enabled terminals. Requirements are always expressed using the word must. Requirements are contained in tables and are indicated by a capital R in the left column. Best practices are MasterCard recommendations for the best ways to implement different options. If customers choose not to follow them, their PayPass implementation will still work but may not be as effective or efficient as it could be. Best practices are written using the word should. Best practices are formatted in the same way as requirements but are preceded by the letters BP. Requirements and best practices include an indication of whether they apply to all products or just to the MasterCard or Maestro brand April 2014 PayPass M/Chip Requirements

12 Using This Manual Terminology R All Requirement applies to all PayPass cards or terminals. R MC Requirement applies to MasterCard branded PayPass cards or terminals. R MS Requirement applies to Maestro branded PayPass cards or terminals. Terminology The following terms and their meanings are used throughout this manual. PayPass Cards and Devices PayPass devices can be issued in form factors other than that of a traditional payment card, for example: mobile phones, key fobs, watches. Throughout this document a reference to PayPass cards includes other devices unless specifically excluded. A dual interface card refers to a chip card that can perform both EMV contact and contactless chip transactions. A hybrid card refers to a card that has a magnetic stripe and a chip with a contact interface. The chip carries an EMV payment application that supports the same payment product that is encoded on the magnetic stripe. PayPass Terminals and Readers Functionality for the acceptance of PayPass cards may be provided by the PayPass reader or by the accompanying terminal. Throughout this document a reference to a PayPass terminal includes both the reader and terminal functionality and unless specifically stated does not imply the function should be in a specific part of the terminal system. A hybrid terminal refers to a payment device that can accept transactions using both contact chip and magnetic stripe technologies. Magnetic Stripe Grade Issuers Magnetic stripe grade issuers receive additional information produced during a chip transaction, but do not process it. If the magnetic stripe grade issuer uses the Chip Conversion service, the issuer does not receive the additional information. On Device Cardholder Verification Devices such as a mobile phone may allow the cardholder to verify themselves to the device, for example by entering a PIN, either before or during a PayPass transaction. When required, the device confirms to the terminal that cardholder verification has been performed during the transaction processing. This is known as On Device Cardholder Verification but is also referred to as mpin. PayPass M/Chip Requirements 10 April

13 Using This Manual Reference Information Reference Information The following references are used in, or are relevant to, this document. The latest version applies unless a publication date is explicitly stated. Chargeback Guide M/Chip Card Personalization Standard Profiles M/Chip Requirements MasterCard Contactless ATM Implementation Requirements Maestro PayPass Branding Standards MasterCard PayPass Branding Standards Transaction Processing Rules Quick Reference Booklet PayPass Mag Stripe Acquirer Implementation Requirements PayPass On-behalf Services Guide PayPass Personalization Data Specification M/Chip Advance Personalization Data Specifications PayPass Vendor Product Approval Process Guide (Cards and Devices) PayPass Vendor Product Approval Process Guide (Terminals) Mobile PayPass Issuer Implementation Guide PayPass M/Chip Issuer Guide PayPass Mag Stripe Issuer Implementation Requirements Security Rules and Procedures April 2014 PayPass M/Chip Requirements

14 Using This Manual Conventions Conventions A generic reference to PayPass includes all applicable products. The terms MasterCard PayPass or Maestro PayPass are used to identify specific product requirements. A reference to the MasterCard product or MasterCard brand includes MasterCard and Debit MasterCard unless specifically addressed. MasterCard brands refers to MasterCard and Maestro products. Values expressed in hexadecimal form ( 0 to 9 and A to F ) are enclosed in single quotes. For example, a hexadecimal value of ABCD is indicated as ABCD. Values expressed in binary form are followed by a lower case b. For example, 1001b. EMV Card commands are indicated in bold capitals, for example, GENERATE AC. Specific byte/bit references within a data object are included in square brackets. For example, [1][3] means the third bit of the first byte of the given data object. PayPass M/Chip Requirements 10 April

15 Chapter 2 PayPass Introduction This section provides information on PayPass participation, transaction types, and transaction flows. Introduction Participation PayPass Operating Modes PayPass Cards PayPass Transaction Types PayPass Acceptance PayPass Transaction Flow Other Transaction Environments PayPass M/Chip Requirements 10 April i

16 PayPass Introduction Introduction Introduction PayPass is the proximity payments program from MasterCard Worldwide. It allows cardholders to make payments without having to hand over, dip or swipe a payment card. To make a payment, the cardholder simply taps their PayPass card onto a PayPass terminal. The details are read from the card over a contactless interface using radio frequency communications and a transaction is performed over the existing MasterCard payment networks and infrastructure. Primary characteristics of PayPass transactions are speed and convenience for merchants and cardholders. PayPass is supported on the MasterCard and Maestro brands. The PayPass contactless functionality can be used at any merchant location that has PayPass terminals and accepts the underlying payment brand. The merchant segments where PayPass is expected to be most attractive include those environments with high transaction volumes and where fast transaction times are important. PayPass contactless functionality can also be used at ATMs. Participation To issue PayPass cards or acquire PayPass transactions customers must enroll in the PayPass program. Vendors are required to obtain a license agreement before developing and selling PayPass cards and devices. All cards, devices and readers used for performing PayPass transactions must have been approved and licensed by MasterCard. Customers must only purchase and deploy cards and terminals from properly licensed vendors. Detailed information about the type approval process can be found in the PayPass Vendor Product Approval Process Guide (Cards and Devices) and the PayPass Vendor Product Approval Process Guide (Terminals) documents. Issuers and acquirers must start a project with the relevant MasterCard project team in order to define and complete various certification steps that are required. Unless otherwise stated within the Project Implementation Plan issuers will complete Issuer NIV, CPV and Issuer End-to-end Demonstration and acquirers will complete Acquirer NIV, TIP and Acquirer End-to-end Demonstration. Questions about the PayPass license process should be directed to contactless@mastercard.com. PayPass M/Chip Requirements 10 April

17 PayPass Introduction PayPass Operating Modes PayPass Operating Modes PayPass supports two modes of operation as detailed below. PayPass Mag Stripe mode PayPass M/Chip mode PayPass Mag Stripe transactions are authorized online by the issuer, either in real-time or deferred. PayPass Mag Stripe is designed for contactless transactions using authorization networks that currently support only magnetic stripe authorization for MasterCard cards. PayPass M/Chip transactions use transaction logic similar to EMV contact chip. They may require online authorization but may be approved offline by the card and terminal. The PayPass M/Chip mode is designed for contactless transactions in markets that have migrated to chip technology for EMV contact transactions. EMV mode (PayPass M/Chip) is the preferred transaction mode for contactless MasterCard transactions, however to ensure interoperability all contactless MasterCard cards and terminals support Mag-Stripe mode (PayPass Magstripe). Maestro contactless cards and terminals are configured to support only PayPass M/Chip transactions for the Maestro product. PayPass Cards PayPass functionality may be: Included in a standard ISO 7816 ID-1 card Issued in another form factor, such as a mobile phone or key fob All PayPass cardholder devices are valid for acceptance at PayPass terminals; not just cards. PayPass Transaction Types Different transaction types are available for PayPass. PayPass issuers and acquirers must support purchase transactions. Refunds must be supported by issuers for contactless MasterCard transactions. Refunds must be supported by acquirers for contactless MasterCard and Maestro transactions, although they may not be available at every PayPass terminal. PayPass data should only be used for card present transactions. Electronic commerce or Mail Order/Telephone Order transactions should not be performed with PayPass data read through the contactless interface April 2014 PayPass M/Chip Requirements

18 PayPass Introduction PayPass Acceptance The contactless interface may be used for Purchase with Cash Back transactions based on the existing product rules. Cardholder verification is always required for Purchase with Cash Back transactions. The contactless interface may be used for payment transactions based on the existing product rules. The contactless interface must not be used for transactions identified with the following MCCs: Gambling Transactions (MCC 7995) Gambling-Horse Racing, Drag Racing, Non-Sports Intrastate Internet Gambling (MCC 9754) Money Transfer (MCC 4829) Quasi Cash-Customer Financial Institution (MCC 6050) Quasi Cash-Merchant (MCC 6051) For MCC descriptions, refer to Chapter 3 of the Quick Reference Booklet. PayPass Acceptance PayPass cards may be accepted at attended and unattended terminals. PayPass cards may be used at ATMs. Card Checking PayPass transactions are carried out by the cardholder; therefore, the card does not need to be given to the merchant. Since the PayPass card may remain in the hands of the cardholder, the merchant is exempt from the visual inspection requirement to determine if the PayPass card is valid. The card only needs to be given to the merchant after the contactless interaction is complete if signature verification is to be performed. Transaction Amount The transaction amount is usually known before the PayPass transaction is initiated to ensure fast processing of PayPass transactions. The amount should be displayed to the cardholder. If the transaction amount exceeds the maximum amount for PayPass transactions, for the product or terminal, the terminal or merchant should prompt the cardholder to use a different technology to complete the transaction (for example an EMV contact chip transaction). This ensures cardholders are not denied service when they have a valid MasterCard product for the transaction. PayPass M/Chip Requirements 10 April

19 PayPass Introduction PayPass Transaction Flow Limits Appendix C of the Chargeback Guide lists, per market, a limit to be used for contactless transactions. Transactions equal to or less than this limit do not need cardholder verification. In addition, receipts need only be provided on request of the cardholder. For Maestro PayPass, apart from some markets listed in Appendix C of the Chargeback Guide, transactions are not allowed above this limit. In that context, it is referred to as a ceiling limit. In this document the term CVM limit is used generically to refer to this limit. A maximum transaction amount, above which contactless transactions are not permitted, may be published separately for MasterCard PayPass in some specific markets. Floor limits for contactless transactions are for EVM contact chip (PayPass M/Chip) or magnetic stripe (PayPass Mag Stripe) transactions. The floor limit may vary per market. Fallback If the contactless technology fails the transaction may be completed by any other technology available. A subsequent transaction is not considered a technical fallback transaction. PayPass Transaction Flow Several steps are involved in the PayPass transaction. Technology Selection The cardholder decides whether to use PayPass or an alternative interface on the card. PayPass technology is used for the transaction when the PayPass card is presented by the cardholder to the PayPass reader. If the card application selected and the terminal supports PayPass M/Chip mode, then it is automatically used by the terminal to complete the transaction. Otherwise, PayPass Mag Stripe mode is used. Application Selection If the cardholder has chosen to pay by PayPass, the terminal attempts to find an application via the contactless interface to complete the transaction. When the terminal detects more than one application that it supports on the PayPass card, the terminal automatically selects the application with the highest priority set by the issuer. To improve transaction speed, interactive cardholder selection or confirmation is not supported for PayPass April 2014 PayPass M/Chip Requirements

20 PayPass Introduction PayPass Transaction Flow If there are no available applications, given any relevant transaction limits, then the PayPass transaction cannot proceed. For MasterCard products, the same Application Identifiers (AID) are used for PayPass transactions as for EMV contact chip transactions. There are no PayPass specific AIDs. Card Authentication For all PayPass transactions the card being used is authenticated. For PayPass M/Chip transactions the card can be authenticated: Offline by the terminal OR Online by the issuer All offline approved Maestro PayPass transactions must be authenticated by the terminal using CDA. All offline MasterCard PayPass M/Chip transactions must be authenticated by the terminal using either: CDA OR SDA 1 While older cards may support SDA, the only offline card authentication method allowed for new cards is CDA. All PayPass M/Chip terminals support CDA. PayPass does not support DDA. For online PayPass M/Chip transactions the issuer should perform online authentication by verifying the application cryptogram received in the online authorization. For PayPass Mag Stripe transactions, transactions are authorized online by the issuer, either in real time or deferred. The PayPass card produces a unique password, referred to as dynamic CVC3, for each transaction. The value is placed by the terminal in issuer defined positions within the existing track data fields. The issuer should perform online authentication by verifying the dynamic CVC3 received in the online authorization. If PayPass Mag Stripe profile transactions are not authorized by the issuer, then the acquirer may be liable for any disputed transactions. 1. SDA authenticates the card, but not the transaction data. New PayPass cards cannot be issued supporting SDA. Newly deployed PayPass terminals do not support SDA, and are not configured to support SDA. PayPass M/Chip Requirements 10 April

21 PayPass Introduction PayPass Transaction Flow Offline-only terminals may be configured to: decline transactions performed with PayPass Mag Stripe cards. allow transactions where an ARQC is provided by the PayPass M/Chip card. Cardholder Verification PayPass purchase transactions for amounts less than or equal to the CVM limit do not require cardholder verification. For transaction amounts above the CVM limit, cardholder verification is required or the acquirer may be liable for disputed transactions. For MasterCard PayPass, acceptable cardholder verification methods are: Online PIN Signature On Device Cardholder Verification For Maestro PayPass, acceptable cardholder verification methods are: Online PIN On Device Cardholder Verification PayPass does not support offline PIN. For PayPass Mag Stripe transactions, the CVM to be used for transactions above the CVM limit is determined by the terminal. This can be done in a similar way to swiped magnetic stripe transactions, based on the methods supported by the terminal and data read from the card. The cardholder device notifies the terminal if On Device Cardholder Verification is supported, in which case this method is used if supported by the terminal and cardholder verification is required. For PayPass M/Chip transactions, the CVM is determined by the PayPass reader application in the terminal, based on the CVM List or other information contained in the card. The actual CVM is completed after the interaction with the card is complete, except for On Device Cardholder Verification which is completed before the interaction begins. Card Risk Management The card risk management performed is at the discretion of the issuer. Online/Offline Authorization PayPass M/Chip transactions may be authorized offline by the PayPass card or the card may request online authorization by the issuer. PayPass Mag Stripe transactions are usually authorized online by the issuer April 2014 PayPass M/Chip Requirements

22 PayPass Introduction Other Transaction Environments If PayPass Mag Stripe transactions are not authorized online, then the acquirer may be liable for any disputed transactions. If online PIN has been identified as the cardholder verification method for the transaction, the PIN is verified as part of the online authorization request. End of Transaction A PayPass M/Chip terminal ends the interaction with the card once the response to the first GENERATE AC command is received by the terminal. A PayPass Mag Stripe terminal ends the interaction with the card once the response to the COMPUTE CRYPTOGRAPHIC CHECKSUM command is received by the terminal. This is not the end of the PayPass transaction. The PayPass terminal completes the transaction based on: An offline approval or decline response from the card for PayPass M/Chip transactions. OR An online authorization response (approve or decline) when requested for PayPass M/Chip or PayPass Mag Stripe transactions When the printing of a receipt is supported by the point of sale, for PayPass transactions less than or equal to the CVM limit, a receipt must be available if requested by the cardholder. A receipt must be provided for transactions above the CVM limit amount if the terminal is capable of producing a receipt. See Transaction Processing Rules for exemptions. Neither Issuer Authentication Data nor issuer scripts are returned to the card during a PayPass M/Chip transaction. Other Transaction Environments There are additional transaction types and environments in which PayPass cards may or may not be used. Cardholder Activated Terminals MasterCard defines several types of cardholder activated terminals (CATs). PayPass may be used at CAT Level 1, 2, 3 and 4 terminals (see the Chargeback Guide for full definitions). As CAT Level 1 terminals require PIN based cardholder verification, only PayPass cards that support online PIN or On Device Cardholder Verification may be used at these terminals. Automated Teller Machines PayPass contactless functionality can also be used at ATMs. PayPass M/Chip Requirements 10 April

23 Chapter 3 Issuer Requirements This section includes information on requirements for the issuer. Card Requirements Card Delivery Issuer Host Requirements Clearing Requirements Chargeback and Exception Processing PayPass M/Chip Requirements 10 April i

24 Issuer Requirements Card Requirements Card Requirements Various requirements and best practices exist for the PayPass card. Approvals and Testing All PayPass cards issued are required by MasterCard to have MasterCard vendor product approval. It is the issuer s responsibility to confirm all products have received this approval. A full PayPass card Letter of Approval is only granted to a card when it has successfully completed all of the following: Interface and Application Testing Compliance Assessment and Security Testing Card Quality Management When ordering cards from a card manufacturer, the issuer must ensure that the card manufacturer has a current PayPass Letter of Approval for the product being purchased. The Letter of Approval is valid for the duration of the time the cards are held in stock prior to being issued. All PayPass products must have a valid PayPass Letter of Approval at the time the product is issued. R ALL Issuers must ensure that all PayPass cards are covered by a valid Letter of Approval at the time they are issued. Branding, Appearance and Physical Requirements For the brand standards and design elements required for PayPass cards, please refer to the MasterCard PayPass Branding Standards and the Maestro PayPass Branding Standards. Issuers must obtain approval from MasterCard Card Design Management for their PayPass card design, even if a similar design has already been approved for use on a non-paypass card. R ALL Cards must comply with the PayPass branding requirements. PayPass Cards If PayPass M/Chip is implemented on an ISO 7816 compliant ID-1 plastic card then the card must support an EMV contact chip and optionally a magnetic stripe. R ALL PayPass M/Chip cards that are of ID-1 format and ISO 7816 compliant must be dual interface cards supporting EMV contact chip transactions. PayPass M/Chip Requirements 10 April

25 Issuer Requirements Card Requirements A MasterCard PayPass card that supports EMV contact chip transactions on the contact interface normally also supports PayPass M/Chip. BP MC An EMV contact chip capable MasterCard branded PayPass card should support PayPass M/Chip. Non-card Devices PayPass functionality can be present in form factors other than traditional payment cards. Examples of different forms are: Mobile phones Key fobs Watches All PayPass non-card devices conduct PayPass transactions in the same way as PayPass cards. They may support special functionality, such as On Device Cardholder Verification. When PayPass M/Chip cards use offline risk management features, an interaction with the card is required to manage the offline risk management counters. This cannot be performed in a normal PayPass transaction since response data from the issuer is not returned to the card. This interaction may be achieved: By performing a transaction through the EMV contact chip interface of a hybrid card By over-the-air messages, for example to a mobile phone Through the contactless interface in a special terminal designed for this purpose, if supported by the cardholder device. PayPass cards which support offline transactions must be able to support the management of the offline risk management counters. PayPass M/Chip non-card devices that cannot support the management of the offline risk management counters must be configured as online only. All PayPass non-card device programs must be approved by MasterCard. The MasterCard PayPass device given to the cardholder can be linked to a MasterCard card account assigned to that same cardholder accessed by a standard MasterCard card. This card does not have to be a PayPass card. The expiration date of the PayPass device must not be later than the card that it is linked to. If the MasterCard card is cancelled, the issuer must simultaneously cancel the companion PayPass device. It is not necessary for the PayPass device to display an account number. As a result, a non-card form factor that is issued without a companion card may be limited in use. Issuers must highlight this to the account holder at the time of issuance April 2014 PayPass M/Chip Requirements

26 Issuer Requirements Card Requirements Devices other than mobile phones should accommodate a signature panel where possible. Those devices that cannot accommodate a signature panel should contain a customization area or unique identification number. A minimal space on small form factors is sufficient to provide cardholders with an opportunity to customize the device with their initials or another mark to identify it as belonging to them. R ALL All PayPass non-card device programs must be approved in advance by MasterCard. R ALL If linked to a card, the expiration date of the PayPass device must not exceed the expiration date of the card to which it is linked. R ALL If linked to a card, the PayPass device must be cancelled if the card is cancelled. BP ALL The PayPass device, other than a mobile phone, should accommodate a signature panel. R ALL PayPass M/Chip non-card devices that do not provide a mechanism to reset offline risk management counters must be configured as online only. R ALL PayPass M/Chip non-card devices must be issued with clear instructions for the account holder regarding the limitations of their use. Card Application PayPass M/Chip must be implemented using approved applications. Examples are: M/Chip Advance PayPass M/Chip 4 Mobile PayPass PayPass M/Chip Flex R ALL All PayPass M/Chip cards must use approved applications. Support of PayPass M/Chip and PayPass Mag Stripe A PayPass card using the MasterCard brand: Must support PayPass Mag Stripe transactions (unless for domestic use only) May support PayPass M/Chip transactions R MC A MasterCard PayPass card that is not exclusively for domestic use must support PayPass Mag Stripe transactions. PayPass M/Chip Requirements 10 April

27 Issuer Requirements Card Requirements A PayPass card using the Maestro brand: Must support PayPass M/Chip transactions Must not support PayPass Mag Stripe transactions for Maestro R MS A Maestro PayPass card must support PayPass M/Chip transactions. R MS Unless explicitly allowed in the Transaction Processing Rules, a Maestro PayPass card must not support PayPass Mag Stripe transactions. PayPass technology may not currently be used on MasterCard Fleet or MultiCard products as data positions required by PayPass are already used in the product personalization requirements of these products. R MC MasterCard Fleet or MultiCard products must not support contactless transactions. ATM The CVM used for ATM transactions is online PIN. Issuers should support ATM transactions on the contactless interface. Because not all ATMs validate the settings of the card, issuers should be aware that they may receive transactions from ATMs even if: support for ATM is not indicated in the Application Usage Control support for online PIN is not included in the CVM list BP ALL The Application Usage Control should indicate support for ATM transactions. Online and Offline Capability PayPass Mag Stripe transactions are always authorized online, either in real-time or deferred. The card has no input into the decision to seek authorization. In PayPass M/Chip cards the transaction counters and decision making capability of the chip are used to control risk. To support fast transactions, it is recommended that PayPass M/Chip cards be configured to support offline transaction approval. As some terminals operate online only, PayPass M/Chip cards should be configured to support online transaction approval. PayPass M/Chip cards issued in the U.S. region must be configured to support both online and offline transaction approval April 2014 PayPass M/Chip Requirements

28 Issuer Requirements Card Requirements To meet special market requirements MasterCard may approve cards that are online only or offline only; however, issuers should be aware that these cards do not work in some terminals. R ALL PayPass M/Chip cards issued in the U.S. region must be configured to support both online and offline transaction approval. BP ALL PayPass M/Chip cards should be configured to support offline transaction approval. They should not be configured to be online only. BP ALL PayPass M/Chip cards should be configured to support online transaction approval. They should not be configured to be offline only. Service Codes A value for the service code may be found several times on a PayPass M/Chip card. For example: on the magnetic stripe of the card in both Track 1 and Track 2 Track 1 Data (tag 56 ) and Track 2 Data (tag 9F6B ) accessed via the contactless interface Track 2 Equivalent Data (tag 57 ) accessed via the contactless interface Track 2 Equivalent Data (tag 57 ) accessed via the EMV contact chip interface It is recommended that cards be personalized to use the service code appropriate for the product. The service code values that are used in the PayPass application should be consistent in each data object when the service code appears. Although not recommended, PayPass issuers may choose to use service code values in the PayPass application that differ from those used on the magnetic stripe of the same card. If the issuer does use a different service code value on the contactless interface, the value may be acted on by some terminals. In particular, terminals that process the service code may reject international cards that have a service code value starting with 5 (National use only). BP ALL Issuers should use a value of the service code appropriate for the product. BP ALL Issuers should use the same value of the service code each time the service code is used. Expiry Dates The expiry date of the card should be consistent across all technologies supported. BP ALL The expiry date in the PayPass application should be consistent with the expiry date of the card. PayPass M/Chip Requirements 10 April

29 Issuer Requirements Card Requirements Purchase with Cash Back Debit MasterCard cards and Maestro cards may support Purchase with Cash Back on the contactless interface. Purchase with Cash Back on the contactless interface may only be supported by MasterCard credit cards in European markets. Purchase with Cash Back transactions always require cardholder verification, regardless of the amount. R MC MasterCard credit cards issued outside the Europe region must not be configured to support Purchase with Cash Back through the contactless interface. Application Selection PayPass terminals normally perform application selection using the PPSE on the card. All PayPass cards must contain a PPSE. Issuers must configure the Application Priority Indicator in each directory entry of the FCI of the PPSE to show the preferred sequence of choice of all PayPass applications on the card. Issuers must set a different priority for each directory entry in the FCI of the PPSE. Cardholder confirmation must not be requested. The AID value used for PayPass is the same AID used for the EMV contact chip interface. There are no specific AIDs for PayPass. Supported AIDs are: MasterCard A Maestro A Identification of PayPass cards use the product AID without any extension, as shown above. PIX extensions may be used by issuers and are considered as a successful match by the terminal when partial AID matching is supported. However, it is recommended not to use PIX extensions, as some legacy PayPass terminals do not support partial AID matching. If the same account is accessed through the contact and contactless interfaces, the AID used on each interface may be different if supported by the card implementation. The Application Label (tag 50 ) must be present in a PayPass card. This may appear on any receipts. A MasterCard card must be configured with an appropriate Application Label such as MasterCard, MASTERCARD, Debit MasterCard, or DEBIT MASTERCARD. A Maestro card must be configured with an appropriate Application Label such as Maestro or MAESTRO April 2014 PayPass M/Chip Requirements

30 Issuer Requirements Card Requirements Issuers may personalize the Application Preferred Name (tag 9F12 ) and Issuer Code Table Index (tag 9F11 ). The Application Preferred Name may be used on receipts instead of the Application Label if the terminal supports the code table indicated. R ALL All PayPass cards must contain a PPSE. R ALL Issuers must set a unique value for the Application Priority Indicator in each directory entry in the FCI of the PPSE. R ALL Issuers must not set the Cardholder Confirmation bit in the Application Priority Indicator in the FCI of the PPSE. R ALL Issuers must use the appropriate Application Label. BP ALL PIX extensions should not be used in the AID for PayPass. Card Authentication MasterCard requires the use of dynamic CVC3 by all PayPass Mag Stripe capable cards. This includes PayPass M/Chip cards that perform PayPass Mag Stripe transactions. For PayPass M/Chip online transactions the application cryptogram should be validated to prevent counterfeit fraud. For MasterCard PayPass M/Chip: New cards issued in the Europe or U.S. regions must support CDA and must not support SDA New cards issued outside of the Europe or U.S. regions that do not support CDA must operate as online only. Cards must not support SDA. Cards that do not support CDA may experience interoperability issues and may not work with some merchants such as mass transit agencies. MasterCard recommends that the issuer support CDA. Issuers of old cards that support only SDA should note that SDA will not be performed on PayPass readers that comply with EMVCo Book C-2 and therefore all transactions at these readers will require online authorization. All Maestro PayPass cards must support CDA and must not support SDA for Maestro PayPass M/Chip. PayPass does not support DDA. R MS Maestro PayPass M/Chip cards must support CDA and must not support SDA. R MC MasterCard PayPass M/Chip cards must not support SDA. R MC MasterCard PayPass M/Chip cards issued in the Europe or U.S. regions must support CDA. PayPass M/Chip Requirements 10 April

31 Issuer Requirements Card Requirements R MC MasterCard PayPass M/Chip cards issued outside of the Europe or U.S. regions that do not support CDA must be configured as online only. BP MC Issuers outside the Europe and U.S. regions are strongly recommended to use CDA on MasterCard PayPass M/Chip cards. R ALL PayPass M/Chip cards must not support DDA on the PayPass interface. R MC MasterCard PayPass M/Chip cards must use a dynamic CVC3 for PayPass Mag Stripe transactions. BP ALL Issuers are strongly recommended to validate the application cryptogram for online PayPass M/Chip transactions. The payment system public keys for PayPass M/Chip have the same values and expiry dates as those used for MasterCard EMV contact chip transactions. It is recommended to use the same Issuer Key pair for transactions on the contact and contactless interface of a PayPass M/Chip card; therefore, the same Issuer Public Key certificate may be used. It is recommended to use the same ICC Key pair for transactions on the contact and contactless interface of a PayPass M/Chip card. The ICC Public Key Certificate cannot be shared between the contact and contactless interface even if the same keys are used since some of the data elements signed in the certificate are different. BP ALL Issuers should use the same Issuer and ICC Public Keys across both the contact and contactless interface. Cardholder Verification A signature or PIN is not required for a PayPass transaction less than or equal to the CVM limit regardless of the setting of the Service Code for PayPass Mag Stripe, or CVM List for PayPass M/Chip. For transactions greater than the CVM limit, cardholder verification is normally requested. If transactions are completed offline with no cardholder verification above the CVM limit then the acquirer may be liable for disputed transactions. For PayPass Mag Stripe transactions, the cardholder verification method is determined by the terminal in a similar manner to swiped magnetic stripe transactions. The terminal is not required to refer to the Service Code, which appears in multiple data elements. If the device supports On Device Cardholder Verification, this is communicated to the terminal as part of the transaction. For PayPass M/Chip transactions, the CVM is determined by the PayPass reader application in the terminal based on the terminal capabilities and CVM List or other data in the cardholder device April 2014 PayPass M/Chip Requirements