MasterCard PayPass. M/Chip, Acquirer Implementation Requirements. v.1-a4 6/06

MasterCard PayPass M/Chip, Acquirer Implementation Requirements v.1-a4 6/06

TABLE OF CONTENTS 1 USING THESE REQUIREMENTS...4 1.1 Purpose...4 1.2 Scope...4 1.3 Audience...5 1.4 Overview...5 1.5 Language Use...5 1.6 Related Publications...6 1.7 Related Information...6 1.8 Abbreviations...7 1.9 Further Information...8 2 INTRODUCTION...9 2.1 Overview of MasterCard PayPass...9 2.2 Interoperability...9 2.3 Implementation Summary...10 2.4 Transaction Flow Enhancements for PayPass...10 3 ACQUIRER IMPACTS...11 3.1 Overview...11 3.2 Program Enrollment...11 3.3 Terminal Selection...11 3.3.1 Branding...12 3.3.2 PayPass Readers...12 3.3.3 Supporting Other Payment Acceptance Methods at PayPass M/Chip Terminals...13 3.3.4 Terminal and Network Performance...13 3.4 Terminal Application...14 3.4.1 Application Selection and Cardholder Confirmation...14 3.4.2 Offline Data Authentication Requirements...14 3.4.3 Offline PIN...15 3.4.4 Cardholder Verification and Receipt Limits for PayPass M/Chip...15 3.4.5 PayPass Service Codes...16 3.4.6 Fallback for PayPass Transactions...17 3.4.7 Decline and Pick-up/Capture Card Responses...17 3.4.8 Referrals / Call Me Issuer Responses...18 3.5 Terminal Installation...18 3.5.1 Amount Entry at POS...18 3.5.2 Environment...18 3.5.3 Accepting PayPass Mag Stripe and Cardholder Devices...19 3.6 Network and Host System Changes...19 3.7 Terminal Integration Process (TIP) Testing...19 4 TERMINAL CONFIGURATION...20 4.1 PayPass Specific Terminal Data...20 4.2 List of AIDs and Related Application Labels...20 4.3 Cardholder Verification and Receipt Limit for PayPass M/Chip...21 4.4 Permitted PayPass Transaction Types...21 4.5 Terminal Action Codes...21 4.6 Terminal Capabilities...25 5 NETWORK INTERFACES AND HOST SYSTEMS...27 5.1 Summary of Changes...27 5.2 Authorization Requests...28 5.3 Authorization Responses...28 5.4 Clearing...28 5.5 Chargebacks...29 5.6 Network Interface Validation (NIV) Testing...29 6 TESTING...30 6.1 Testing Overview...30 6.2 Testing Scope by PayPass Terminal Type...30 6.3 Testing Process...30 6.4 Test Stages...31 6.5 System Buildup...31 6.6 TIP...32 6.7 NIV...32 6.8 ETED...33 6.9 Post-Live Monitoring...33 6.10 Further Information and Contact Details...34 APPENDICES...35 Appendix A, PayPass Transaction Flows...35 Appendix B, Glossary...39 2 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

Copyright The information contained in this manual is proprietary and confidential to MasterCard International Incorporated (MasterCard) and its Members. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard. Media This document is available in both electronic and printed format. MasterCard International CCOE Chaussée de Tervuren, 198A B-1410 Waterloo Belgium E-mail: specifications@paypass.com MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 3

. USING THESE REQUIREMENTS 1.1 Purpose This document provides guidelines for acquirers implementing the MasterCard PayPass M/Chip product. These implementation requirements assume an implementation on top of an acquirer s existing EMV (contact) deployment. For further information on migrating to contact EMV refer to the MasterCard M/Chip Customer Implementation Guide. 1.2 Scope This document defines the impacts and implementation requirements for acquirers implementing PayPass M/Chip acquiring. It provides a level of detail that will enable acquirers to identify the required system changes. This includes information on terminal functionality and configuration. Further detailed information on the PayPass and M/Chip technology is available in the corresponding specification documents. The reader may need to refer to these for a deeper understanding of the technology or areas outside the scope of an acquirer implementation. These requirements are for PayPass implementations of the MasterCard credit product only. The following are outside the scope of these requirements: Implementing EMV acquiring. Only the additional requirements for PayPass M/Chip are addressed in this document. ATMs, bank branch terminals, level 4 8 Cardholder Activated Terminals or transactions. NOTE These requirements apply to acquirers who have already implemented EMV acceptance. They describe implementing PayPass acceptance within that context. These requirements are limited to acquirer acceptance of PayPass M/Chip issued cards but references PayPass Mag Stripe where necessary. 4 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

1.3 Audience This document is intended for use by acquirers implementing MasterCard PayPass acceptance. It is assumed that the audience is already familiar with EMV Chip acceptance in general. 1.4 Overview This document is a guide for acquirers implementing PayPass M/Chip. It details the requirements, impacts, and any necessary implementation data or configurations. PayPass M/Chip implementations are an extension to an acquirer EMV Chip implementation. The following table provides an overview of the chapters in this manual: CHAPTER Table of Contents 1. Using These Requirements DESCRIPTION A list of the manual s tabbed sections and subsections. Each entry references a section and page number. Describes the purpose and contents of the manual. 2. Introduction Provides an introduction to the MasterCard PayPass product and this manual. 3. Acquirer Impacts Describes the impacts and considerations for an acquirer implementation of PayPass M/Chip. 4. Terminal Configuration 5. Network Interfaces and Host Systems Defines required terminal data for PayPass M/Chip terminals. Summarizes the network interface and host system changes required for PayPass M/Chip. 6. Testing Summarizes the required testing for an acquirer implementation. Appendix A PayPass Transaction Flows Appendix B Glossary Transaction flow diagrams at PayPass M/Chip terminals. Glossary of terms used in this document. 1.5 Language Use The spelling of English words in this manual follows the convention used for U.S. English as defined in Webster s New Collegiate Dictionary. An exception to the above concerns the spelling of proper nouns. In this case, we use the local English spelling. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 5

1. USING THESE REQUIREMENTS 1.6 Related Publications The following publications contain material directly related to the contents of this book: 1. AS2805 Message Formats (authorizations) 2. Chargebacks Standards Bulletin January 2006 3. CIS Message Formats for Regional Service Centers (authorizations) 4. Customer Interface Specification (authorizations) 5. GCMS Release Document (clearing) 6. Global Operations Bulletin No. 6, June 2005 7. IPM Clearing Formats (clearing) 8. M/Chip 4 Security & Key Management, Version 1.0 October 2002 9. M/Chip Customer Implementation Guide, September 2006 10. M/Chip Functional Architecture for Debit and Credit, January 2006 11. MasterCard PayPass Product Guide, February 2005 12. MDS Message Formats for Regional Service Centers (single message systems) 13. PayPass ISO/IEC 14443 Implementation Specification, Version 1.10 March 2006 14. PayPass M/Chip Technical Specifications, Version 1.3 September 2005 15. PayPass Mag Stripe Security Architecture, Version 1.0a September 2003 16. PayPass Mag Stripe Technical Specifications, Version 3.1 November 2003 17. PayPass Branding Standards Manual, Version 5 July 2005 18. PayPass Terminal Vendor Testing Process Manual 19. V5 Interface Specification (authorizations) 1.7 Related Information The following reference materials may be of use to the reader of this manual: ISO/IEC 7811/2 ISO/IEC 7813:1995 EMV BOOK 1 EMV BOOK 2 EMV BOOK 3 EMV BOOK 4 Identification cards Recording technique Part 2: Magnetic stripe Identification cards Financial transaction cards Integrated Circuit Card Specification for Payment Systems: Application Independent ICC to Terminal Interface Requirements. Version 4.1 May 2004 Integrated Circuit Card Specification for Payment Systems: Security & Key Management. Version 4.1 May 2004 Integrated Circuit Card Specification for Payment Systems: Application Specification. Version 4.1 May 2004 Integrated Circuit Card Specification for Payment Systems: Cardholder, Attendant and Acquirer Interface Requirements. Version 4.1 May 2004 6 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

1.8 Abbreviations The following abbreviations are used in these requirements: ABBREVIATION AC AID ASI CAM CAT CDA CIS CVC CVM DDA ECR ETEC ETED EMV Hex ICC IIN ISO NIV NCFF PAN PIN PIX POS RFU SDA TAC TDOL TIP TRM DESCRIPTION Application Cryptogram Application Identifier Application Status Indicator Card Authentication Method Cardholder Activated Terminal Combined Data Authentication Customer Implementation Systems Card Verification Code Cardholder Verification Method Dynamic Data Authentication Electronic Cash Register Easy Test Cards End-to-End Demonstration (testing) Europay MasterCard Visa Hexadecimal Integrated Circuit Card Issuer Identification Number International Organization for Standardization Network Interface Validation Non-Card Form Factor Primary Account Number Personal Identification Number Proprietary Application Identifier Extension Point of Sale Reserved for Future Use Static Data Authentication Terminal Action Codes Transaction Certificate Data Object List Terminal Integration Process Terminal Risk Management MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 7

1. USING THESE REQUIREMENTS 1.9 Further Information Further information on the above and the overall PayPass program is available in the MasterCard PayPass Product Guide and the PayPass Technical Specifications. Questions may also be addressed to the following e-mail addresses: General: paypass@mastercard.com Specifications: specifications@paypass.com Testing: testing@paypass.com Chip Technical Help: chip_help@mastercard.com 8 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

. INTRODUCTION 2.1 Overview of MasterCard PayPass MasterCard has initiated the development of a program allowing consumers to make MasterCard payment transactions at point of sale using contactless technology. The generic term proximity payment is used when the point of interaction is up to 10 meters from the point-of-sale (POS) terminal. While the proximity payment program covers multiple technologies and ranges, this document deals only with the MasterCard PayPass program built on the PayPass ISO/IEC 14443 Implementation Specification technology up to a range of 10 cm (4 inches). Two generic types of card products are part of the PayPass program: PayPass Mag Stripe and PayPass M/Chip. PayPass Mag Stripe was developed to allow PayPass payments using authorization networks that presently support magnetic-stripe authorization for credit or debit applications. Security has been enhanced with the introduction of a new Cardholder Verification Code (CVC) for these transactions. The new CVC is referred to as CVC3 and may be a Static or Dynamic value depending on the issuer s card implementation. There is some terminal processing required to support using CVC3 which all PayPass approved terminals will have implemented. CVC3 usage does not impact acquirer host systems or networks. PayPass M/Chip was developed to allow PayPass payments in markets that support EMV. PayPass M/Chip terminals support EMV Chip data in authorizations and clearing. They also support acceptance of PayPass Mag Stripe cards and cardholder devices. PayPass M/Chip terminals may optionally support current payment acceptance methods e.g., contact EMV and magnetic stripe. 2.2 Interoperability Interoperability is a principal PayPass requirement. This is achieved with the following requirements: The PayPass M/Chip terminal must support PayPass Mag Stripe and PayPass M/Chip cards. The PayPass Mag Stripe terminal must support PayPass Mag Stripe and PayPass M/Chip cards. The PayPass M/Chip card must support PayPass Mag Stripe. As such, all PayPass cards and cardholder devices are capable of being accepted by all PayPass terminals. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 9

2. INTRODUCTION 2.3 Implementation Summary Implementing PayPass M/Chip acceptance is an extension to an acquirer s existing infrastructure. The following list is a high-level summary of requirements: Acquirers need to start a PayPass M/Chip project with MasterCard and enroll in the PayPass program. For more information refer to the PayPass Product Guide. Acquirers must support full-grade Contact EMV for all PayPass M/Chip implementations. Partial grade acquiring is not permitted. Acquirers, or their merchants, will need approved PayPass terminals. Acquirers and merchants must support changes to transaction messages indicating PayPass transactions performed at PayPass terminals. Acquirers will need to manage some PayPass specific terminal configuration data. Acquirers must perform the PayPass M/Chip testing. The following chapters detail the acquirer impacts including a summary of the required network changes and terminal data configuration for a PayPass M/Chip implementation. Chapter 6, Testing, summarizes the required testing for an acquirer implementation. 2.4 Transaction Flow Enhancements for PayPass The PayPass M/Chip terminal transaction flow is based on the EMV 2000 specifications, with the specific PayPass adaptations summarized below. PayPass transaction flows are defined in the PayPass M/Chip Technical Specifications and are also shown compared to a standard EMV transaction in Appendix A, PayPass Transaction Flows, of this document. Transaction processing has been enhanced for PayPass M/Chip. The principal reason for the changes is to reduce the time that the card and terminal need to be in communication. The changes are implemented by the terminal vendor and any resulting impacts have been included in the relevant sections of this document. The following is a summary of the changes: 1. The terminal only performs the first GENERATE AC command. 2. Card-terminal interaction stops after the first GENERATE AC command. 3. Offline data authentication may be performed after the first GENERATE AC command. 4. Data exchange between the card and terminal is optimized by personalizing a fixed record structure for PayPass M/Chip card applications. This enables PayPass M/Chip terminals to read the minimal amount of data required for that transaction. The terminal can also skip reading certain records if it knows in advance that the transaction will be processed online. 5. Offline Personal Identification Number (PIN) is not supported for performance, usability, and security reasons. 6. Dynamic Data Authentication (DDA) is not supported since it requires a card to remain in communication with the terminal for a period of time that may be too long for cardholders. 10 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

. ACQUIRER IMPACTS 3.1 Overview For a general overview of PayPass requirements, services, and products refer to the MasterCard PayPass Product Guide. This document provides information to acquirers to help assess and plan their PayPass M/Chip implementation. 3.2 Program Enrollment Acquirers implementing PayPass M/Chip acceptance must enroll in the MasterCard PayPass program. Program enrollment allows acquirers access to all required specifications and to receive MasterCard related services and products. Only enrolled acquirers may offer their PayPass acquiring service or products to cardholders and merchants. 3.3 Terminal Selection The following sections provide general information on PayPass M/Chip terminal design and options to help acquirers and/or their merchants select existing or new terminals that meet their business needs. All PayPass M/Chip terminals must support MasterCard s branding requirements (see Section 3.3.1, Branding) but acquirers and merchants will need to choose their implementation-specific options such as: The physical design of the PayPass M/Chip terminal and reader. Other payment acceptance methods that the implementation supports (at the same or different terminal). Terminal and network performance. Acquirers and merchants must only use approved PayPass terminals. Products which are not PayPass approved will need to obtain approval before implementation. Subsequent changes to terminal software could affect compliance with PayPass Terminal Vendor Testing and must be discussed with MasterCard. The vendor procedures for PayPass approval are given in the MasterCard PayPass Terminal Vendor Testing Process manual. An acquirer need not be involved in the approval process, other than to request proof of approval from the vendor. Products which are already PayPass approved products are listed on www.paypass.com. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 11

3. ACQUIRER IMPACTS NOTE Acquirers should note the scope of a vendor s letter of approval. It may apply only to the reader and not necessarily the reader integrated with a current or other manufacturer s POS terminal. 3.3.1 Branding Acquirer or merchant terminals must conform to MasterCard brand requirements. In order to give the cardholder clear information as to where to tap the PayPass device on the PayPass terminal, MasterCard has created the PayPass landing zone to help cardholders locate MasterCard PayPass terminals. The landing zone must be placed on the terminal to indicate where the cardholder has to tap or hold the MasterCard PayPass card. The landing zone contains the contactless identifier and the PayPass identifier. Acceptable designs are described in the MasterCard PayPass Branding Standards Manual. Figure 1 shows a PayPass terminal landing zone. Figure 1, Example of a PayPass Landing Zone 3.3.2 PayPass Readers PayPass contactless card-to-terminal communication is supported by new PayPass readers. Acquirers may plan deployment of PayPass readers as extensions to an existing POS or as new terminal implementations. A PayPass reader does not necessarily have to be embedded in the terminal. A PayPass reader may be fully or partially integrated to a POS terminal as illustrated in Figure 2. The contactless reader may be integrated with the POS equipment in a number of configurations. Acquirers and merchants therefore have a high degree of flexibility on how to implement terminals appropriately for their implementations. For example, the PayPass reader(s) could be connected to: Individual electronic cash registers connected to a merchant store system. A single central terminal (e.g., in a tollgate or transportation scenario). A stand-alone terminal (e.g., video rental store, bus). 12 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

EMBEDDED READER Figure 2, PayPass Readers EXTERNAL READER 3.3.3 Supporting Other Payment Acceptance Methods at PayPass M/Chip Terminals PayPass M/Chip terminals may support acceptance methods other than contactless. A PayPass M/Chip terminal may support the following combinations of acceptance methods: Contactless only Contactless and magnetic stripe (swipe) Contactless, contact, and magnetic stripe (swipe) NOTE MasterCard recommends that a merchant also be able to accept contact EMV transactions at a PayPass M/Chip location. Frequent consecutive use of a PayPass card causes a card s offline counters to accumulate. If the PayPass card is not used as a contact EMV card, then the limits will finally be exceeded and a contact transaction required. A successful contact EMV transaction resets the card s offline counters. For further information on how offline counters affect card behavior in M/Chip applications, refer to the MasterCard M/Chip Functional Architecture for Debit and Credit. 3.3.4 Terminal and Network Performance The PayPass product emphasizes: Cardholder convenience. Adoption of card payments for lower value transactions. Fast transactions. The adoption of card payments for lower value transactions is likely to increase the volume of card transactions. The acquirer/merchant terminals and their networks should plan for an increased volume of transactions. Increased use of PayPass M/Chip may also result in a corresponding rise in the number of contact EMV transactions at the same or other terminals for the reasons described in Section 3.3.3, Supporting Other Acceptance Methods of PayPass M/Chip Terminals. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 13

3. ACQUIRER IMPACTS Required transaction timings may vary significantly depending upon the type of deployment and factors external to the terminal, e.g., network and host system capabilities. Acquirers and merchants should assess their choice of terminal and the implementation environment with consideration to: Speed of offline data authentication (e.g., for Combined Data Authentication (CDA)/Static Data Authentication (SDA) and with varying key lengths and a variation of cards). Online response times for online capable terminals (e.g., less than 4 seconds). Fast receipt printing (e.g., less than 2 seconds) for cardholders requesting a receipt, or transactions above the PayPass Cardholder Verification and Receipt Limit (see Section 3.4.4, Cardholder Verification and Receipt Limits for PayPass M/Chip). 3.4 Terminal Application The terminal application for PayPass M/Chip must meet the technical requirements of PayPass M/Chip Technical Specification. The PayPass M/Chip specific impacts for the terminal application and transaction processing are described in the following sections: Application Selection and Cardholder Confirmation Offline Data Authentication Requirements Offline PIN Cardholder Verification and Receipt Limits PayPass Service Codes Fallback for PayPass Transactions Decline and Pick-up/Capture Card Responses Referral/Call Me Issuer Responses 3.4.1 Application Selection and Cardholder Confirmation Application selection for PayPass M/Chip is modified from standard EMV (as detailed in the PayPass M/Chip Technical Specifications). The changes allow the payment application to be selected with the minimum number of command/responses. A consequence is that PayPass M/Chip terminals do not support cardholder confirmation for PayPass contactless transactions. The payment application will always be selected automatically by the PayPass M/Chip terminal. Acquirers will therefore not need to support the EMV option of allowing cardholders to select an application at a PayPass terminal. PayPass card applications that have been personalized to require cardholder confirmation will not be accepted as PayPass transactions at PayPass M/Chip terminals. 3.4.2 Offline Data Authentication Requirements The following requirements apply to PayPass M/Chip transactions only. Data authentication requirements for contact EMV transactions remain unchanged. PayPass M/Chip online capable terminals may skip data authentication if they know that they will go online for that transaction. PayPass M/Chip terminals must support data authentication as shown in Table 1. 14 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

Offline Static Card Authentication Method (CAM) Offline Dynamic CAM SDA DDA* CDA POS with offline capability Mandatory Not Allowed Mandatory POS online only Optional Not Allowed Optional CAT online only Optional Not Allowed Optional CAT online and offline capable Mandatory Not Allowed Mandatory CAT offline only terminals Mandatory Not Allowed Mandatory * Not supported. As explained in Section 2.4, Transaction Flow for PayPass Table 1, Offline Data Authentication Requirements for PayPass M/Chip Terminals Payment system public keys for PayPass M/Chip are the same as for contact EMV and must be shared for PayPass use. 3.4.3 Offline PIN Offline PIN is not permitted at PayPass M/Chip terminals for PayPass M/Chip transactions. Offline PIN may be supported at the same terminal but only for contact EMV transactions. PayPass M/Chip does not support offline PIN verification over the contactless interface. Both offline plaintext PIN and offline enciphered PIN verification are not available when using the PayPass technology. The reasons for not supporting offline PIN are: A practical difficulty of asking cardholders to enter a PIN while holding the card in front of the reader. A potential security vulnerability from eavesdropping and PIN probing. Preventing offline PIN support requires a specific definition of the Terminal Capabilities in the configuration data for a PayPass M/Chip terminal, as defined in Section 4.6, Terminal Capabilities, of this document. 3.4.4 Cardholder Verification and Receipt Limits for PayPass M/Chip As part of the PayPass program, MasterCard has introduced new global rules for cardholder verification and receipt requirements. Cardholder verification and receipts are optional for all PayPass transactions under US $25. Regions may lower this limit if required. Further details are available in the MasterCard Chargebacks Standards Bulletin January 2006. These implementation requirements refer to the transaction amount at which the new requirement applies as the PayPass Cardholder Verification and Receipt Limit. PayPass transactions under the PayPass Cardholder Verification and Receipt Limit do not require either cardholder verification (i.e., no Cardholder Verification Method [CVM]) or a receipt; however, a cardholder may still request a receipt. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 15

3. ACQUIRER IMPACTS The following are required to support this PayPass functionality: The terminal must maintain a PayPass M/Chip CVM and receipt limit. The terminal must be able to use specific Terminal Capabilities value(s) (or profiles) for PayPass transactions, independent of values used for contact EMV. For PayPass transactions above the PayPass CVM and receipt limit, CVM processing is performed as defined in EMV Book 3. The PayPass CVM and receipt limit is applicable only to CVM and receipt processing and is not used to influence decisions to authorize transactions online or offline. At an online-capable terminal, if either the card or the results of Terminal Action Analysis indicate that online authorization is required, then the transaction must be sent for online authorization. NOTE The CVM and receipt limit is independent of a terminal or merchant floor limit. Existing rules apply to the value and use of floor limits. 3.4.5 PayPass Service Codes PayPass terminal and acquirer host systems may see new service code values in use for PayPass cards. PayPass terminals and acquirer host systems must be prepared to accept all ISO defined service code values appropriate to their terminals. Refer to ISO 7813 for permitted values. An explanation of why the issuer might use new service code values is given below. For further details on CVC see the PayPass M/Chip Technical Specifications. PayPass cards contain a new CVC value (CVC3) used in PayPass Mag Stripe transactions for enhanced security. Issuers have a number of options for implementing how the new CVC3 value is calculated. One permitted method is to use different service code values for the chip track data used in the PayPass Mag Stripe transactions and the magnetic stripe. As the service code is input to a CVC calculation, different CVC values would result without issuer needing to change the CVC algorithm. An example below illustrates one possible way the service code could differ between the magnetic stripe and the PayPass Mag Stripe Track 2 data. Example: When the card is used as contact EMV or magnetic stripe (swiped) a service code of xx1 is used (1 = No Restrictions). When the card is used as PayPass Mag Stripe a service code of xx2 is used (2 = Goods and Services Only). 16 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

3.4.6 Fallback for PayPass Transactions The following defines the PayPass requirements for fallback at PayPass terminals. Definition A PayPass fallback transaction is a consecutive transaction, at the same terminal, with the same card (or cardholder device) but with a different acceptance technology (e.g., contact EMV or mag stripe). Transactions are classified as fallback when the preceding transaction did not complete because of a failure in the terminal-to-card communication after the first successful select command. Application layer errors or declines are not considered communication errors. A consecutive transaction with the same card at a different terminal is not considered a PayPass fallback transaction. Fallback Rules for PayPass Cards at PayPass Terminals The possible methods of fallback depend on the implemented technologies of both the card and the terminal. A mag stripe is mandatory for PayPass cards and optional for PayPass non-card form factor (NCFF) (cardholder) devices. PayPass M/Chip cards must also have a contact chip. When supported by both the card and the terminal, PayPass fallback always follows the order of preference of: Contact EMV Magnetic stripe (swipe) At a terminal supporting only PayPass contactless (i.e., not supporting magnetic stripe swipe or contact EMV) there is no fallback. Identifying Fallback Transactions Since there are no current means to identify PayPass fallback transactions at the terminal, there are no changes to network messages to identify PayPass fallback. Current rules apply to transactions falling back from contact to mag stripe. Current rules for fallback with contact EMV are explained in the M/Chip Functional Architecture. Online/Offline Authorizations for PayPass Fallback Transactions There are no changes to authorization requirements for PayPass fallback transactions. PayPass fallback transactions are authorized according to the current payment product rules. 3.4.7 Decline and Pick-up/Capture Card Responses Acquirers must decline these transactions and optionally retain the card at an attended terminal. NOTE This is optional since it may be impractical for an attendant to retain a card that is not initially handed over to the merchant during payment. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 17

3. ACQUIRER IMPACTS 3.4.8 Referrals / Call Me Issuer Responses Referrals / Call Me Issuer responses are not required to be supported by Acquirers for PayPass M/Chip. They may be declined by the Acquirer or Merchant. The PayPass product offering is aimed at fast, convenient payments. Merchants may tend to implement PayPass payments at either unattended or Fast Service cash registers which would make Call Me or Referral responses inappropriate. Additionally, cardholders paying with a PayPass cardholder device may be unable to provide the card number if it is not embossed or printed on the device. 3.5 Terminal Installation The following describes considerations relevant to terminal installation: 3.5.1 Amount Entry at POS If a merchant uses a separate Electronic Cash Register (ECR) and PayPass POS terminal then they must be connected. The payment amount generated by the ECR must be made automatically available electronically to the PayPass terminal when a cardholder chooses to pay with PayPass. 3.5.2 Environment Acquirers should note the importance of the physical environment for their PayPass M/Chip terminals. The placement of the PayPass reader is particularly important as it is the cardholder who uses the terminal and not the merchant. The PayPass reader containing the antenna needs to be conveniently placed and easily visible. The PayPass contactless operation can also be adversely affected by inappropriate placement of the reader; e.g., on a metal surface. 18 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

3.5.3 Accepting PayPass Mag Stripe and Cardholder Devices Acquirers should note that their PayPass M/Chip terminals will also support PayPass Mag Stripe transactions. Merchants should be made aware that PayPass Mag Stripe acceptance also means that non-conventional card forms (non-card form factors) will be valid for acceptance at their terminals. Examples include key fobs and mobile phones. Figure 3, Example of PayPass Cardholder Devices Transactions from PayPass Mag Stripe cards and PayPass cardholder devices are PayPass Mag Stripe transactions with new values in existing fields for authorization and clearing messages as described in Chapter 5, Network Interfaces and Host Systems, of this document. 3.6 Network and Host System Changes Terminals, merchant systems, and acquirer host need to support changes to network messages and host systems as summarized in Chapter 5, Network Interfaces and Host Systems, of this document. 3.7 Terminal Integration Process (TIP) Testing An acquirer or merchant s terminal installation is tested during TIP testing. The testing environment should be as close to the intended deployment as possible. Easy Test Cards (ETEC) and the MasterCard simulator are required for this testing (see Section 6.6, TIP, of this document for details). MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 19

. TERMINAL CONFIGURATION 4.1 PayPass Specific Terminal Data The following sections provide configuration requirements for PayPass M/Chip terminals. The acquirer and/or merchant must ensure that the following are PayPass M/Chip specific and maintainable independently of other contact EMV data: 1. List of supported Application Identifiers (AIDs) and related application labels 2. CVM and receipt limit (PayPass) 3. Permitted transaction types 4. Terminal Action Codes 5. Terminal Capabilities NOTE KEY MANAGEMENT: Payment System Public keys for PayPass M/Chip are the same as for contact EMV and must be shared for PayPass use. 4.2 List of AIDs and Related Application Labels PayPass M/Chip terminals must maintain an independent list of identifiers (AIDs) accepted by the terminal for PayPass. The AID value used for transaction processing is the AID of the card application e.g., MasterCard Credit (A0000000041010). There are no specific AIDs for PayPass. The terminal list of identifiers is a list of all applications accepted at that terminal. Application Status Indicators (ASIs) are associated with each AID in the terminal list. The ASI defines whether the AID may be used in partial selection or a full match only. Only selection of the full AID is currently supported for PayPass. All ASIs must indicate that only full AID selection is supported. Refer to the MasterCard PayPass M/Chip Technical Specifications for a detailed definition of how ASIs are used in PayPass. PIX extensions are not excluded in PayPass, but note that since PayPass supports only full AID selection, PIX extensions should only be used for specific domestic, co-branding or issuer implementations. Generic acceptance of PayPass cards uses the MasterCard product AID without any extension. Table 2 provides the names (Application Labels) that must be associated with the specific AIDs used for MasterCard products. 20 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

PRODUCT RID PIX PIX EXTENSION APPLICATION LABEL MasterCard A000000004 1010 MasterCard MasterCard with domestic functions MasterCard applications for domestic environment only A000000004 1010 DCCC XX.. MasterCard A000000004 9999 DCCC XX Issuer-defined MasterCard co-branded A000000004 1010 CNNNNN YYYY.. MasterCard Legend: D Hex D (4 bits coded as 1101) C Hex C (4 bits coded as 1100) CCC Country code of the national registration authority NNNNN Co-brander s identification defined by MasterCard XX Defined by the national registration authority YYYY.. Defined by the co-brander As defined by ISO 7816-5, domestic schemes may use the registration category D (4 bits coded as 1101) followed by the country code of the national registration authority, followed by fields specified by the national authority. This may be used for cards with a non-mastercard Issuer Identification Number (IIN). Table 2 lists the application label recommended by MasterCard. Issuers and acquirers can either use the labels in lowercase (e.g., mastercard ), as provided in Table 2, or in capitals (e.g., MASTERCARD ). Table 2, AIDs and Related Application Labels 4.3 Cardholder Verification and Receipt Limit for PayPass M/Chip PayPass M/Chip terminals must be able to maintain a limit value, specific to PayPass, below which cardholder verification and a receipt are optional. The limit is used in conjunction with the terminal capabilities as described in Section 4.6, Terminal Capabilities, of this document. 4.4. Permitted PayPass Transaction Types Permitted PayPass M/Chip transaction types are as current payment product rules; however, the following are not within the scope of this guide. ATM transactions Branch terminal transactions CAT 4 8 transactions All MasterCard PayPass transactions are card-present transactions. 4.5 Terminal Action Codes (TACs) TACs specific to PayPass M/Chip use are required. The TACs defined in these tables are specified to work in conjunction with the PayPass transaction flows as defined in the MasterCard PayPass M/Chip Technical Specifications. They are optimized with a bias toward permitting offline transactions. Table 3 and Table 4 list the defined TACs by terminal type for: Online-capable POS and CAT Offline-only POS and CAT MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 21

4. TERMINAL CONFIGURATION NOTE These TACs are specific to PayPass M/Chip terminals performing PayPass M/Chip transactions. If the terminal supports contact transactions the terminal should maintain the PayPass TACs independently. BYTE BIT MEANING DENIAL ONLINE DEFAULT 1 8 Offline data authentication was not performed 0 1 1 7 Offline static data authentication failed 1 0 0 6 Integrated Circuit Card (ICC) data missing 0 1 1 5 Card appears on terminal exception file 1 0 0 4 Offline dynamic data authentication failed 1 0 0 3 Combined DDA/AC generation failed 1 0 1 2 RFU 0 0 0 1 RFU 0 0 0 2 8 ICC and terminal have different application versions 0 0 0 7 Expired application 1 0 0 6 Application not yet effective 0 0 0 5 Requested service not allowed for card product 0 1 1 4 New card 0 0 0 3 RFU 0 0 0 2 RFU 0 0 0 1 RFU 0 0 0 3 8 Cardholder verification was not successful 0 1 1 7 Unrecognized CVM 0 0 0 6 PIN try limit exceeded 0 0 0 5 PIN entry required and PIN pad not present or not working 4 PIN entry required, PIN pad present but PIN was not entered 0 1 1 0 1 1 3 Online PIN entered 0 1 1 2 RFU 0 0 0 1 RFU 0 0 0 4 8 Transaction exceeds floor limit 0 1 0/1 * Legend 0 Mandated setting. 0/1 Non-mandated setting 1 Mandated setting. RFU Reserved for future use (The settings must be 0, 0, 0 ) * An attended POS may support voice authorization for a MasterCard card (the acquirer assumes liability if voice authorization was not obtained above the international floor limit). CAT Terminals must decline. Table 3, Full Grade TACs Online-Capable POS and CAT 22 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

BYTE BIT MEANING DENIAL ONLINE DEFAULT 4 7 Lower consecutive offline limit exceeded 0 0 0 6 Upper consecutive offline limit exceeded 0 0 0 5 Transaction selected randomly for online processing 0 1 0 4 Merchant forced transaction online 0 1 0 3 RFU 0 0 0 2 RFU 0 0 0 1 RFU 0 0 0 5 8 Default TDOL used 0 0 0 7 Issuer authentication was unsuccessful 0 0 0 6 Script processing failed before final GENERATE AC 0 0 0 5 Script processing failed after final GENERATE AC 0 0 0 4 RFU 0 0 0 3 RFU 0 0 0 2 RFU 0 0 0 1 RFU 0 0 0 Legend 0 Mandated setting. 0/1 Non-mandated setting 1 Mandated setting. RFU Reserved for future use (The settings must be 0, 0, 0 ) Table 3, Full Grade TACs Online-Capable POS and CAT, continued BYTE BIT MEANING DENIAL ONLINE DEFAULT 1 8 Offline data authentication was not performed 1 0 0 7 Offline static data authentication failed 1 0 0 6 ICC data missing 0 0 0 5 Card appears on terminal exception file 1 0 0 4 Offline dynamic data authentication failed 1 0 0 3 Combined DDA/AC generation failed 1 0 1 2 RFU 0 0 0 1 RFU 0 0 0 2 8 ICC and terminal have different application versions 0 0 0 7 Expired application 1 0 0 6 Application not yet effective 0 0 0 Legend 0 Mandated setting 0/1 Non-mandated setting 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) Table 4, TACs Offline-Only POS and CAT MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 23

4. TERMINAL CONFIGURATION BYTE BIT MEANING DENIAL ONLINE DEFAULT 2 5 Requested service not allowed for card product 1 0 0 4 New card 0 0 0 3 RFU 0 0 0 2 RFU 0 0 0 1 RFU 0 0 0 3 8 Cardholder verification was not successful 0 1 1 7 Unrecognized CVM 0 0 0 6 PIN try limit exceeded 0 0 0 5 PIN entry required and PIN pad not present or not working 4 PIN entry required, PIN pad present but PIN was not entered 0 0 0 0 0 0 3 Online PIN entered 0 0 0 2 RFU 0 0 0 1 RFU 0 0 0 4 8 Transaction exceeds floor limit 0 1 0/1 * 7 Lower consecutive offline limit exceeded 0 0 0 6 Upper consecutive offline limit exceeded 0 0 0 5 Transaction selected randomly for online processing 0 0 0 4 Merchant forced transaction online 0 0 0 3 RFU 0 0 0 2 RFU 0 0 0 1 RFU 0 0 0 5 8 Default TDOL used 0 0 0 7 Issuer authentication was unsuccessful 0 0 0 6 Script processing failed before final GENERATE AC 0 0 0 5 Script processing failed after final GENERATE AC 0 0 0 4 RFU 0 0 0 3 RFU 0 0 0 2 RFU 0 0 0 1 RFU 0 0 0 Legend 0 Mandated setting 0/1 Non-mandated setting 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) * An attended offline only POS must support voice authorization for a MasterCard card (the acquirer assumes liability if voice authorization was not obtained above the international floor limit). A CAT terminal must decline. Table 4, TACs Offline-Only POS and CAT, continued 24 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

4.6 Terminal Capabilities The terminal capability (or profile) must be specific to PayPass M/Chip use. The Terminal Capabilities field is coded according the definition in EMV Book 4 but with the values specified in Table 5, Table 6, Table 7, and Table 8 of these requirements. PayPass terminals must be able to make use of PayPass specific terminal capabilities when performing a PayPass M/Chip transaction. Additionally, the value of the PayPass Terminal Capabilities depends upon whether the transaction is above the PayPass CVM and Receipt Limit or not (see Byte 2 Table 7 of the Terminal Capabilities). The terminal capabilities is then used with the CVM list from the card to select the cardholder verification method (i.e., no CVM) as specified in EMV 2000 Book 3. b8 b7 b6 b5 b4 b3 b2 b1 MEANING 0/1 x x x x x x x Manual key entry x 0/1 x x x x x x Magnetic stripe x x 0/1 x x x x x IC with contacts x x x 0 x x x x RFU x x x x 0 x x x RFU x x x x x 0 x x RFU x x x x x x 0 x RFU x x x x x x x 0 RFU Legend 0 Mandated setting 0/1 Non-mandated setting, dependent upon on the specific terminal configuration 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) * EMV defines the structure of this data item and does not yet include a value for contactless support, but EMVCo may decide to include a value future definitions. Table 5, Terminal Capabilities Byte 1 Card Data Input Capability* b8 b7 b6 b5 b4 b3 b2 b1 MEANING 0 x x x x x x x Plain-text PIN for ICC verification x 0/1 x x x x x x Enciphered PIN for online verification x x 0/1 ** x x x x x Signature (paper) x x x 0 x x x x Enciphered PIN for offline verification x x x x 0/1 x x x No CVM Required x x x x x 0 x x RFU x x x x x x 0 x RFU x x x x x x x 0 RFU Legend 0 Mandated setting 0/1 Non-mandated setting, dependent upon on the specific terminal configuration 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) ** If the terminal supports cardholder signature as a CVM, the terminal must be an attended terminal (Terminal Type = x1, x2, or x3 ) and must support a printer (Additional Terminal Capabilities, byte 4, Print, attendant bit = 1 ). Table 6, Terminal Capabilities Byte 2 CVM Capability for Transactions above the PayPass CVM and Receipt Limit MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 25

4. TERMINAL CONFIGURATION b8 b7 b6 b5 b4 b3 b2 b1 MEANING 0 x x x x x x x Plain-text PIN for ICC verification x 0 x x x x x x Enciphered PIN for online verification x x 0 x x x x x Signature (paper) x x x 0 x x x x Enciphered PIN for offline verification x x x x 1 x x x No CVM Required x x x x x 0 x x RFU x x x x x x 0 x RFU x x x x x x x 0 RFU Legend 0 Mandated setting 0/1 Non-mandated setting, dependent upon on the specific terminal configuration 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) Table 7, Terminal Capabilities Byte 2 CVM Capability for Transactions under the PayPass CVM and Receipt Limit b8 b7 b6 b5 b4 b3 b2 b1 MEANING 1/0 x x x x x x x SDA x 0 x x x x x x DDA x x 1/0 x x x x x Card capture x x x 0 x x x x RFU x x x x 1/0 x x x Combined DDA/Application Cryptogram Generation x x x x x 0 x x RFU x x x x x x 0 x RFU x x x x x x x 0 RFU Legend 0 Mandated setting 0/1 Non-mandated setting, dependent upon on the specific terminal configuration 1 Mandated setting RFU Reserved for future use (The settings must be 0, 0, 0 ) Table 8, Terminal Capabilities Byte 3 Security Capability 26 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

. NETWORK INTERFACES AND HOST SYSTEMS 5.1 Summary of Changes PayPass transactions at PayPass M/Chip terminals are indicated by new values in existing fields for authorizations and clearing. These PayPass specific changes are detailed in the MasterCard Global Operations Bulletin No. 6, June 2005, and incorporated in the latest authorization and clearing manuals for your region. PayPass transactions from PayPass M/Chip terminals will be either: PayPass ICC transactions with ICC related data (i.e., field DE055 ICC related Data and DE023 Card Sequence Number if provided by the card to the terminal). ICC related data is not present in authorization requests and clearing transactions. PayPass Mag Stripe transactions with the same format as current mag stripe transactions. All PayPass transactions contain new values in fields DE022 and DE061, indicating that they are PayPass transactions at a PayPass terminal. The network changes to support these requirements are summarized in the following sections. Accepting Contact EMV at PayPass M/Chip Terminals Acquirers who deploy PayPass M/Chip terminals supporting contact EMV must be Full Grade acquirers. If a PayPass M/Chip terminal accepts contact EMV then it must also accept mag stripe transactions and be EMVCo certified. Partial Grade and PayPass Mag Stripe acquirers must migrate to Full Grade EMV acquiring. Full Grade acquiring is the term used to describe an acquirer that has invested in chip terminals, and has also upgraded its network and host systems to support the additional information generated during a chip transaction. Full Grade acquirers provide DE055 in the authorization request and clearing messages. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 27

5. NETWORK INTERFACES AND HOST SYSTEMS 5.2 Authorization Requests PayPass authorizations must be processed with the new values defined in Table 9 below. DATA ELEMENT SUBELEMENT VALUES 061 (POS Data) 11 (POS card data terminal input capability) 022 (POS Entry Mode) 1 (POS Terminal Primary Account Number [PAN] Entry Mode) 4: contactless magnetic stripe 3: contactless M/Chip Table 9, New Values in Existing Fields for PayPass Authorizations 91: PAN auto-entry via contactless mag stripe 07: PAN auto entry via contactless M/Chip 5.3 Authorization Responses ICC response data, including Issuer Scripts, is not returned from issuers for PayPass M/Chip transactions. In the event that ICC response data is returned, acquirers are not required to return it to the terminal. If the data is returned to the terminal then the terminal shall not process the data. The terminal is not required to retain the data. 5.4 Clearing New values in existing fields are required for PayPass clearing transactions. Table 10 defines the new values. Other fields and values remain as present. DATA ELEMENT SUBELEMENT VALUES 022 (POS Entry Mode) 1 (POS card data input capability) A: terminal supports PAN auto-entry via contactless mag stripe M: terminal supports PAN auto-entry via contactless M/Chip 022 (POS Entry Mode) 7 (card data input mode) A: PAN auto-entry via contactless mag stripe M: PAN auto entry via contactless M/Chip 022 (POS Entry Mode) 10 (card data output capability) 0: unknown no indication given 1: none 3: ICC (Contact EMV, PayPass Mag Stripe, and PayPass M/Chip) Table 10, New Values in Existing Fields for PayPass Clearing Transactions 28 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

NOTE The TVR sent to the issuer in clearing messages from offline only terminals may differ from the TVR used in Terminal Action Analysis. This is because the PayPass M/Chip Transaction flow enhancements allow some terminal-related, TVR-related processing to be postponed until after the first GENERATE AC command. The value that the terminal sent to the card in the first GENERATE AC must be used in clearing messages. This is illustrated in transaction flows in Appendix A, PayPass Transaction Flows, of this document and in full detail in the PayPass M/Chip Technical Specification. 5.5 Chargebacks Cardholder verification and receipts are optional for all PayPass transactions under US $25. Regions may lower this limit if required. These implementation requirements refer to the transaction amount at which the new requirement applies as the PayPass Cardholder Verification and Receipt Limit (see Section 3.4.4, Cardholder Verification and Receipt Limits for PayPass M/Chip, of this document). To support this change, acquirers are protected against chargebacks for PayPass transactions with the reason codes shown in Table 11. Issuers may not chargeback properly identified PayPass transactions with these reason codes. MESSAGE REASON CODE DESCRIPTION 4801 Requested Transaction Data Not Received 4802 Requested/Required Information Illegible or Missing 4837 No Cardholder Authorization Table 11, PayPass Impacted Chargeback Reason Codes Full details of the changes are available in the MasterCard Chargebacks Standards Bulletin January 2006. For users of MasterCom, the existing Acquirer s Retrieval Response Code has been updated to reflect these changes (see Table 8). Acquirers may use this rejection code for qualified PayPass transactions under US $25. ACQUIRER RESPONSE CODE C DESCRIPTION The issuer s request for retrieval was for a transaction identified as a PayPass transaction that is equal to or below US $25 or QPS No item available Table 12, Updated MasterCom Acquirer Response Codes for PayPass 5.6 Network Interface Validation (NIV) Testing The acquirer s network implementation is tested during NIV testing. See Section 6.7, NIV, of this document for further information on NIV testing. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 29

. TESTING 6.1 Testing Overview The MasterCard test process for PayPass M/Chip is a series of test stages. This chapter summarizes how PayPass M/Chip implementations are tested. Acquirers will be able to use this information to plan their testing and understand the purpose, scope, and requirements for PayPass testing. Refer to the PayPass specific testing documentation for more information. This guide is for acquirers who are already contact EMV acquirers. Only the additional testing for PayPass M/Chip is described here. For more information on migrating to contact EMV refer to the MasterCard M/Chip Implementation Guide. 6.2 Testing Scope by PayPass Terminal Type The acquirer or merchant s choice of terminal determines the scope of required testing. All new PayPass M/Chip implementations must perform this testing. In addition, if the terminal also supports contact EMV then: a) The terminal must be EMV certified. b) TIP for a new contact EMV terminal must be performed. An acquirer who has already implemented PayPass M/Chip and is only adding new terminals performs only: c) TIP for a new PayPass M/Chip terminal. d) TIP for a new contact EMV terminal if the terminal supports contact EMV and the terminal must be EMV certified. Information on contact EMV testing is available in the MasterCard M/Chip Customer Implementation Guide. 6.3 Testing Process The services provided by MasterCard and described in this section are designed to validate, to a reasonable degree, that the acquirer s infrastructure can accept MasterCard PayPass approved cards. 30 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

6.4 Test Stages The acquirer test stages for a PayPass M/Chip implementation are summarized in Table 13. The following sections provide a summary of each stage. The stages are then further explained in the following sections. STAGE REQUIRED? DESCRIPTION AND NOTES System Buildup Optional (on request) Purpose: Test the initial acquirer development. Optional system testing with MasterCard. Intended to support more complex developments. TIP Required Purpose: Tests the terminal in an integrated acquirer environment. The TIP tests to be performed are defined when the acquirer supplies MasterCard with a completed TIP questionnaire. ETEC cards are used with the acquirer terminal(s). PayPass interoperability ETEC cards may also be required if there are any known field interoperability issues. NIV End-to-End Demonstration (ETED) Required (Once per acquirer or processor) Required Purpose: Tests the acquirer authorization and clearing network interfaces against the MasterCard simulators, using ETEC cards. Additional PayPass transactions have been added. Purpose: Validates the completed implementation in the production environment, including some areas that can only be validated in production e.g., key management and network functions. A set of PayPass transactions are performed by MasterCard using MasterCard-supplied live cards. Post Live Monitoring Required Purpose: Monitor the stability of the implementations through normal business use. No acquirer action required. Table 13, Summary Test Stages 6.5 System Buildup MasterCard offers acquirers the option of testing their development from an early stage with the objective of reducing project development time and cost for the acquirer. For PayPass, the system changes are limited and this testing is optional. Acquirers should notify MasterCard if they intend to do this testing and will also need: MasterCard simulators Test keys available (scheme public keys) PayPass subset 7 ETEC cards MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 31

6. TESTING 6.6 TIP Acquirers run the tests and then submit log files from the simulators for validation by MasterCard. The TIP is designed to validate that the terminal: Meets the business needs of the acquirer. Conforms to the MasterCard PayPass M/Chip and PayPass Mag Stripe Technical Specifications, after integration in the acquirer environment. Conforms to MasterCard requirements related to the: Payment product(s) the terminal will accept (such as the support of online PIN, if required) Operational effectiveness, such as the implementation of fallback to contact or magnetic stripe (depending on the terminal type) Based on the needs of the acquirer, the TIP can comprise up to four components: 1. Validation that the terminal meets the requirements of both the acquirer and MasterCard. 2. Assessment of testing requirements and identification of the ETEC cards required. PayPass cards are ETEC cards subset 6 and 8. 3. Terminal Integration Workshop, to explain the TIP and the testing that will be performed, agree on the scope of the TIP, and confirm the testing configuration. 4. TIP Testing. 6.7 NIV Acquirers run the tests and then submit log files from the simulators for validation by MasterCard. To correctly process PayPass transactions, acquirers need to upgrade their network interfaces with MasterCard. The NIV testing checks that authorization and clearing interfaces are in accordance with the current MasterCard authorization and clearing requirements for the acquirer s region. Subset 6 and 7 ETEC cards are used with the MasterCard simulator for this testing. Offline Authorization Testing (Mandatory) For authorization testing, acquirers use the MasterINQ Simulator (U.S. region), or the MasterCard Europe Authorization Simulator (MEAS) (non-u.s. regions) to ensure that they are able to correctly provide the additional chip data in authorization messages. With the simulator connected to the acquirer host, which is itself connected to the terminal, acquirers perform transactions using the ETEC cards. Further explanations regarding ETEC cards are also provided in the MasterCard M/Chip Implementation Guide. 32 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

Conditional Offline Clearing Testing Currently, acquirers may choose if they wish to send chip data in clearing messages or not. Acquirers that do decide to send chip data in clearing messages must perform offline clearing testing before being set up for live operations. Acquirers performing clearing testing use the MasterCard Clearing Presentment Simulator to validate the: Conformity of the clearing interface. Ability of the host system to send clearing messages containing chip data. Optional Online Testing Online testing is optional. Acquirers that wish to perform online tests interface with the online testing facility provided by MasterCard. The online testing facility provides the following benefits: Availability of a close-to-production environment, where the bank sends real messages across the real network infrastructure. Ability to perform specific testing customized to meet the needs of the acquirer. 6.8 ETED The ETED is designed to validate that all activities under the control of the acquirer (e.g., terminal, acceptance network, authorization system, interfaces to MasterCard systems, etc.) function correctly. It is performed as soon as the implementation is promoted to live. The acquirer provides MasterCard with the locations of the terminal(s) to be tested. MasterCard uses a representative set of live MasterCard-branded, PayPass-approved cards (provided by various issuers) to perform transactions at the terminals to be tested. MasterCard and the acquirer monitor transactions across the real-time authorization network and through the clearing and settlement process. The log files are also verified after the end-to-end tests have been performed. 6.9 Post-Live Monitoring To ensure a smooth rollout and prove that the implementation is stable, MasterCard monitors the acquirer s transactions for a period of 30 days. MasterCard issues the acquirer with a completion notice at the end of this period and the acquirer system is ready to move to business as usual. The acquirer receives confirmation of the successful completion of the period of live monitoring. The acquirer s implementation is now considered as a Business As Usual (BAU) system. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 33

6. TESTING 6.10 Further Information and Contact Details Queries and further assistance can be obtained from the acquirer s regional representative or the following specific support addresses: AREA PayPass testing General chip help System buildup testing TIP NIV MEAS (non-u.s. regions) MasterINQ debit/credit (U.S. regions) Clearing simulator Online software upgrades ETEC cards CONTACT testing@paypass.com chip_help@mastercard.com chip_help@mastercard.com tip@mastercard.com Customer Implementation Services (CIS) Acquirers will be provided the contact details for the Network Interface Testing Engineer assigned to their implementation project. meas.sim@mastercard.com debit.sim@mastercard.com credit.sim@mastercard.com mcps.sim@mastercard.com www.mastercardonline.com chip_help@mastercard.com (for information regarding the use of ETEC cards for pretesting purposes) test_tools@silicomp.fr (for information regarding the purchase of ETEC cards) 34 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

APPENDICES Appendix A: PayPass Transaction Flows Overview The PayPass M/Chip terminal transaction flow is based on the EMV 2000 specifications with some specific PayPass adaptations. PayPass transaction flows are defined in the PayPass M/Chip Technical Specifications. PayPass transaction flows have been defined to optimize the PayPass M/Chip implementation. This section shows the transaction flows as defined by the M/Chip Technical Specification and illustrates the variance from standard EMV processing and the specific PayPass features that must be implemented by a PayPass M/Chip terminal. NOTE Acquirers, merchants, or vendors wishing to deviate from the defined PayPass transaction flows are advised to consult MasterCard. Terminal Vendor Testing will be based upon the behavior expected from the MasterCard PayPass examples. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 35

APPENDICES Appendix A, PayPass Transaction Flows, continued Online-Capable Terminal Transaction Flow Figure A-1 shows the transaction flow for a PayPass M/Chip card at an online-capable PayPass M/Chip terminal. PayPass M/Chip Card at Online capable PayPass M/Chip terminal Card Activation Standard EMV Transaction Flow Card Activation Application Selection Application Selection Initiate Application Processing Initiate Application Processing Initiate PayPass Mag Stripe Processing no M/Chip Profile yes Read Application Data Read Application Data Offline Card Authentication Processing Restrictions Processing Restrictions Terminal Risk Management Terminal Risk Management Cardholder Verification Cardholder Verification Terminal Action Analysis Terminal Action Analysis Card and Terminal in Contactless Communication (GEN AC) Card Action Analysis (GEN AC) Card Action Analysis Card and Terminal Communication Ended AAC AAC or TC? no Online decision (ARQC)? TC yes yes GEN AC was CDA? no Offline Card Authentication no Offline Card Authentication OK? yes Terminal Online Processing* Terminal Online Processing *If required Key EMV processing is: Normal Terminal Decline Transaction Completion Transaction Completion Modified / See Notes Script Processing Omitted New Figure A-1, PayPass M/Chip/EMV Transaction Online-Capable Terminal 36 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

Offline-Only Terminal Transaction Flow Figure A-2 shows the transaction flow for a PayPass M/Chip card at an offline-only PayPass M/Chip terminal. PayPass M/Chip Card at Offline Only PayPass M/Chip terminal Standard EMV Transaction Flow Card Activation Card Activation Application Selection Application Selection Initiate Application Processing Initiate Application Processing Initiate PayPass Mag Stripe Processing no M/Chip Profile? yes Read Application Data Read Application Data Card and Terminal in Contactless Communication (GEN TC) Card Action Analysis TVR = 0000000000 Card And Terminal Communication Ended yes AAC,ARQC or AAR response? no Offline Card Authentication Offline Card Authentication Processing Restrictions Processing Restrictions Terminal Risk Management Terminal Risk Management Cardholder Verification Terminal Action Analysis Cardholder Verification Terminal Action Analysis no TC? yes (GEN AC) Card Action Analysis Terminal Decline Transaction Completion Transaction Completion Key EMV processing is: Normal Modified / See Notes Omitted New Figure A-2, PayPass M/Chip/EMV Transaction Offline-Only Terminal MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 37

APPENDICES Appendix A, PayPass Transaction Flows, continued PayPass Mag Stripe Transaction Flow Figure A-3 shows the transaction flow for a mag stripe transaction at a PayPass M/Chip terminal. This will be the transaction flow for a PayPass Mag Stripe card or PayPass cardholder device at a PayPass M/Chip terminal. PayPass Mag Stripe transaction Online capable PayPass M/Chip terminal Read Mag Stripe Application Data Mag Stripe Application Version Number Checking Compute Cryptographic Checksum (CVC3) Standard Mag Stripe Cardholder Verification Mag Stripe processing is: Normal Standard Mag Stripe online / offline processing* *With PayPass indication New Standard Mag Stripe Completion Figure A-3, PayPass Mag Stripe Transaction Flow 38 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

Appendix B, Glossary Term M/Chip 4 Application Non-Card Form Factor Device PayPass Approved Terminals PayPass Cardholder Device PayPass M/Chip Application PayPass M/Chip Card PayPass M/Chip Terminal PayPass M/Chip Transaction PayPass Mag Stripe Transaction PayPass Technology PayPass Terminal Vendor Testing Description The M/Chip 4 Select and M/Chip 4 Lite card applications as implemented on issuer s cards and as specified in the MasterCard M/Chip 4 Card Application Specification for Debit and Credit. When behavior is specific to one of the applications, the specific application name, i.e., M/Chip 4 Lite application or M/Chip 4 Select application, is used. Refer to PayPass Cardholder Device. MasterCard tests products for compliance to all required specifications. Products which are proven to comply are issued a PayPass Letter of Approval and are PayPass approved. MasterCard publishes lists of PayPass approved products to help acquirers choose their products. A product may require configuration or further functionality before use, but this must not change the product s compliance with specifications. Approved products are used as part of an overall payment system. Also referred to as an NCFF device. A PayPass product allowing cardholders to make contactless PayPass payments, but not in the standard bankcard (ID-1) form. Examples include PayPass tags and key fobs. The M/Chip 4 card application, extended for communication over a contact and contactless interface as specified in the MasterCard PayPass M/Chip Technical Specification manual. Dual-interface card with the PayPass M/Chip Application accessible over the contact and contactless interface. A terminal accepting PayPass M/Chip cards using a transaction flow similar to the EMV contact transaction flow and supporting Terminal Risk Management (TRM). If the terminal has offline capability then it will also support offline CAM. The terminal may also accept existing magnetic stripe cards and contact cards. The PayPass M/Chip terminal must also accept PayPass Mag Stripe transactions. It may also accept other contactless schemes. A PayPass transaction which includes the required M/Chip EMV data elements as used in Authorizations and Clearing messages. A PayPass transaction which contains the required mag stripe only data elements. The MasterCard specific implementation of ISO/IEC 14443. PayPass uses the technology as defined in the PayPass ISO/IEC 14443 Implementation Specification for the wireless ( contactless ) exchange of data between card and terminal. The MasterCard process of testing products for compliance to all required specifications. Products which pass all the required tests are PayPass-approved products. MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 39

APPENDICES Appendix B, Glossary, continued Term PayPass Transaction PayPass Transaction Time Description A payment transaction using PayPass technology for the data exchange between card and terminal. A transaction can be either a PayPass M/Chip Transaction or PayPass Mag Stripe Transaction. The time the PayPass card needs to be present in the terminal s electromagnetic field in order to allow for a complete data exchange. The completion of the data exchange is indicated by a beep and a visual indication. Any processing done by the terminal after the card has been removed is excluded from the PayPass transaction time. 40 v.1-a4 6/06 MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS

MASTERCARD PAYPASS M/CHIP, ACQUIRER IMPLEMENTATION REQUIREMENTS v.1-a4 6/06 41

PayPass-23 v.1-a4 6/06 2006 MasterCard International Incorporated