PayPass - MChip Reader Card Application Interface Specification (V2.0)
Proprietary Rights
The information contained in this document is proprietary and confidential to MasterCard International Incorporated, one or more of its affiliated entities (collectively "MasterCard"), or both. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.
Trademarks
Trademark notices and symbols used in this manual reflect the registration status of MasterCard trademarks in the United States. Please consult with the Customer Operations Services team or the MasterCard Law Department for the registration status of particular product, program, or service names outside the United States. All third-party product and service names are trademarks or registered trademarks of their respective owners.
Media Address
This document is available in both electronic and printed format.
MasterCard Worldwide
2200 MasterCard Boulevard
O'Fallon MO 63368-7263
USA
www.mastercard.com
2008 MasterCard
Table of Contents
Using this Manual
    Purpose
    Scope
    Audience
    Related Documentation
    Reference Materials
    Abbreviations
    Notational Conventions
    Transition Flow Diagrams
    Document Word Usage
    Requirement Numbering
    Guidance on Terminology
    Document Overview
Introduction
    1.1 MasterCard Proximity Payment
    1.2 M/Chip Profile and Mag Stripe Profile
    1.3 Architecture
    1.4 Transaction Processing Summary
Commands
    2.1 Introduction
    2.2 COMPUTE CRYPTOGRAPHIC CHECKSUM
        2.2.1 Definition and Scope
        2.2.2 Command Message
        2.2.3 Data Field Returned in the Response Message
        2.2.4 Status Bytes
    2.3 GENERATE AC
        2.3.1 Definition and Scope
        2.3.2 Command Message
        2.3.3 Data Field Returned in the Response Message
        2.3.4 Status Bytes
    2.4 GET PROCESSING OPTIONS
        2.4.1 Definition and Scope
        2.4.2 Command Message
        2.4.3 Data Field Returned in the Response Message
        2.4.4 Status Bytes
    2.5 READ RECORD
        2.5.1 Definition and Scope
        2.5.2 Command Message
        2.5.3 Data Field Returned in the Response Message
        2.5.4 Status Bytes
    2.6 SELECT
        2.6.1 Definition and Scope
        2.6.2 Command Message
        2.6.3 Data Field Returned in the Response Message
        2.6.4 Status Bytes
    4.3
Scope
This document provides the specifications necessary to achieve interoperability between PayPass cards and PayPass M/Chip readers. It contains the following definitions as applied to both PayPass M/Chip and PayPass Mag Stripe purchase transactions:
• The definition of commands, responses and data objects exchanged between the card and PayPass reader
• The definition of the command sequence in order to support the purchase transaction flow
• The definition of the internal processing of the PayPass reader
Other transaction types (e.g. refunds) may be supported by the PayPass reader; however, they are not discussed in this document.
Audience
This document is intended for use by vendors that want to implement the PayPass M/Chip application on an acceptance device. This document is also intended for type approval services that test the actual implementations against this specification.
Related Documentation
For the purposes of developing PayPass readers this specification should be read in conjunction with the following MasterCard documents:
Document | Content
MasterCard PayPass Terminal Implementation Requirements | Lists requirements for reader development and for reader integration in retail systems. Describes the user interface.
PayPass M/Chip Acquirer Implementation Requirements | Lists requirements for acquirers implementing the PayPass M/Chip program, including reader/terminal functionality and configuration.
PayPass Performance Measurement | Defines the method by which transaction time is measured during the testing of PayPass cards and readers. Lists the minimum performance, in terms of transaction time, required of PayPass cards and readers.

The content of this specification overlaps with that of the EMV Entry Point Specification. For the purposes of developing PayPass readers, the developer has the option of either:
• Implementing all of the requirements in this document, or
• Implementing the requirements of the EMV Entry Point Specification in place of those given in Chapter 3 of this document. The requirements in the remaining chapters of this document have still to be implemented.
The different documents specifying PayPass reader behavior are summarized in the following figure:
Reference Materials
The following references are used in this document. The latest version applies unless a publication date is explicitly stated.
[ISO 639-1] Codes for the representation of names and languages - Part 1: Alpha-2 Code
[ISO 3166-1] Codes for the representation of names of countries and their subdivisions - Part 1: Country codes
[ISO 4217] Codes for the representation of currencies and funds
[ISO/IEC 7813] Identification cards - Financial transaction cards
[ISO/IEC 7816-4] Information technology - Identification cards - Integrated circuit(s) cards with contacts - Part 4: Interindustry commands for interchange
[ISO/IEC 7816-5] Identification cards - Integrated circuit(s) cards with contacts - Part 5: Numbering system and registration procedure for application identifiers.
Bank card originated messages - Interchange message specifications - Content for financial transactions
Financial transaction card originated messages - Interchange message specifications
Information processing - 8-bit single-byte coded graphic character sets
Integrated Circuit Card Specification for Payment Systems: Application Independent ICC to Terminal Interface Requirements, Version 4.2, June 2008
Integrated Circuit Card Specification for Payment Systems: Security and Key Management, Version 4.2, June 2008
Integrated Circuit Card Specification for Payment Systems: Application Specification, Version 4.2, June 2008
Integrated Circuit Card Specification for Payment Systems: Cardholder, Attendant and Acquirer Interface Requirements, Version 4.2, June 2008
EMV Contactless Specifications for Payment Systems - EMV Contactless Communication Protocol Specification, v2.0
EMV Contactless Specifications for Payment Systems - EMV Entry Point Specification, May 2008
MasterCard PayPass Terminal Implementation Requirements, Nov 2007
Abbreviations
The following abbreviations are used in this specification:
Abbreviation | Description
AAC | Application Authentication Cryptogram
AC | Application Cryptogram
AFL | Application File Locator
AID | Application Identifier
AIP | Application Interchange Profile
an | Alphanumeric
ans | Alphanumeric Special
ARQC | Authorization Request Cryptogram
ATC | Application Transaction Counter
b | Binary
BCD | Binary Coded Decimal
C | Conditional
C-APDU | Command Application Protocol Data Unit
CA | Certification Authority
CDA | Combined DDA/AC Generation
CDOL | Card Risk Management Data Object List
CID | Cryptogram Information Data
CLA | Class byte of command message
cn | Compressed Numeric
CVC | Card Validation Code
CVM | Cardholder Verification Method
CVR | Cardholder Verification Rule
DD | Discretionary Data
DDA | Dynamic Data Authentication
DF | Dedicated File
DOL | Data Object List
EMV | Europay MasterCard Visa
FCI | File Control Information
IAD | Issuer Application Data
ICC | Integrated Circuit Card
INS | Instruction byte of command message
ISO | International Organization for Standardization
Lc | Number of bytes present in the data field of the C-APDU
Le | Maximum length of bytes expected in the data field of the R-APDU
LRC | Longitudinal Redundancy Check
M | Mandatory
n | Numeric
NATCTRACK1 | Track 1 Number of ATC Digits
NATCTRACK2 | Track 2 Number of ATC Digits
NCA | Length of the Certification Authority Public Key Modulus
NI | Length of the Issuer Public Key Modulus
NIC | Length of the ICC Public Key Modulus
O | Optional
PAN | Primary Account Number
PCVC3TRACK1 | Track 1 Bitmap for CVC3
PCVC3TRACK2 | Track 2 Bitmap for CVC3
PDOL | Processing Options Data Object List
PIN | Personal Identification Number
PPSE | Proximity Payment System Environment
PUNATCTRACK1 | Track 1 Bitmap for UN and ATC
PUNATCTRACK2 | Track 2 Bitmap for UN and ATC
P1 | Parameter 1
P2 | Parameter 2
R-APDU | Response Application Protocol Data Unit
RFU | Reserved for Future Use
RID | Registered Application Provider Identifier
SDA | Static Data Authentication
SDAD | Signed Dynamic Application Data
SSAD | Signed Static Application Data
SFI | Short File Identifier
SW1 | Status Byte One
SW2 | Status Byte Two
TC | Transaction Certificate
TLV | Tag Length Value
TVR | Terminal Verification Results
UDOL | Unpredictable Number Data Object List
UN | Unpredictable Number
var. | Variable length
Notational Conventions
The following notations apply in this document:
Notation | Description
'0' to '9' and 'A' to 'F' | Hexadecimal notation. Values expressed in hexadecimal form are enclosed in single quotes (i.e. '_').
1001b | Binary notation. Values expressed in binary form are followed by a lower case "b".
digit | Any of the ten Arabic numerals from 0 to 9
"M/Chip profile is supported" | Labels for flags, decision outcomes, or individual bits of a data object are enclosed in double quotes.
Track 1 Data | Data object names are written in italics to distinguish them from the text.
GENERATE AC | C-APDUs are written in SMALL CAPITALS to distinguish them from the text.

The following table lists symbols that are used throughout this document:

Symbol | Meaning
kTRACK1 | Number of non-zero bits in the Track 1 Bitmap for UN (Numeric) and ATC (PUNATCTRACK1)
kTRACK2 | Number of non-zero bits in the Track 2 Bitmap for UN (Numeric) and ATC (PUNATCTRACK2)
tTRACK1 | The symbol tTRACK1 represents the value of NATCTRACK1 and indicates the number of digits of the ATC to be included in the discretionary data field of the Track 1 Data.
tTRACK2 | The symbol tTRACK2 represents the value of NATCTRACK2 and indicates the number of digits of the ATC to be included in the discretionary data field of the Track 2 Data.
nUN | The symbol nUN represents the number of positions available in the discretionary data fields of the Track 1 Data and Track 2 Data for transporting UN (Numeric) to the issuer.
mTRACK1 | The symbol mTRACK1 indicates the number of characters present in the discretionary data field of the Track 1 Data.
mTRACK2 | The symbol mTRACK2 indicates the number of digits present in the discretionary data field of the Track 2 Data.
qTRACK1 | Number of non-zero bits in the Track 1 Bitmap for CVC3 (PCVC3TRACK1). The symbol qTRACK1 represents the number of CVC3 digits included in the discretionary data field of the Track 1 Data.
qTRACK2 | Number of non-zero bits in the Track 2 Bitmap for CVC3 (PCVC3TRACK2). The symbol qTRACK2 represents the number of CVC3 digits included in the discretionary data field of the Track 2 Data.
The symbols are identified with a number. Paragraphs in the textual description starting with Symbol n correspond to the symbol bearing the same number in the transition flow diagram. The following example illustrates how it works. The decision symbol is used in a flow diagram, identified with number 2.
[Figure: decision symbol number 2, labelled TEST, with outcomes OK and NOK]
An explanation of the check done in symbol 2 is given:
Symbol 2
An explanation of how the application checks that the condition is satisfied.
Requirement Numbering
Requirements in this document are uniquely numbered with the number appearing next to each requirement. For example:
4.3.2.3 If the PDOL is not present, the PayPass reader must use a command data field of '8300'.
Guidance on Terminology
PayPass Card
Due to the legacy of the plastic card industry and the fact that the most common PayPass compliant form factor is card based, the term "card" is used frequently throughout this document. However, the contactless nature of PayPass permits noncard form factors. The functionality of PayPass cards and devices is driven by the chip inside and is independent of the form factor in which the chip resides. Therefore the default reference for the consumer token in this document is "PayPass card" or "card", as appropriate.
PayPass Reader
The term "PayPass reader" is used to refer to the device supporting the PayPass M/Chip application and providing the contactless interface used by the PayPass card. Although this can be an integral part of the terminal, it is considered in this specification as a separate logical entity.
Terminal
The term "terminal" is used in this document to mean the POS device, as distinct from the PayPass reader that provides the contactless interface. The terminal and the PayPass reader may exist in a single integrated device, but are considered separately in this document.
MasterCard
In this document, the term "MasterCard" is used to refer to MasterCard International Incorporated and/or its affiliated entities. It does not refer to the MasterCard payment brand.
Document Overview
This document is organized as follows:
Section | Description
1 Introduction | This chapter provides a high-level summary of PayPass M/Chip.
2 Commands | This chapter defines the commands and responses supported by PayPass M/Chip.
3 Application Activation | This chapter describes the procedure for identifying and activating the PayPass application on the card, and other transaction pre-processing.
 | This chapter describes the transaction processing of the PayPass reader after it has been enabled by the terminal and the PayPass application has been selected on the card. It specifies how the PayPass reader implements the transaction flow, and lists requirements to ensure interoperability. While other transaction types may be supported, this chapter focuses on the interaction between the PayPass card and the PayPass reader during a purchase transaction.
 | This chapter defines the data object handling for the PayPass reader.
 | This annex lists the data objects supported by the PayPass reader.
Introduction
This chapter provides a high-level summary of PayPass M/Chip.
1.1 MasterCard Proximity Payment
1.2 M/Chip Profile and Mag Stripe Profile
1.3 Architecture
This specification considers the PayPass reader to be a peripheral device of the terminal. The PayPass reader performs the interaction with the PayPass card and the cardholder. The architecture is summarized in Figure 1.1.
Figure 1.1: PayPass Terminal-Reader Architecture
Note
There is no requirement to create devices following the architecture described here. This logical architecture is only used to specify an externally observable behavior. A terminal and PayPass reader integrated in one physical device can also meet the requirements listed in this specification.
1.4 Transaction Processing Summary
These steps may be done according to [EMVEPS] or according to the application activation described in Chapter 3 of this document. The PayPass reader initiates the transaction on the PayPass card. Based on the response from the PayPass card, the PayPass reader continues with either a PayPass Mag Stripe or PayPass M/Chip transaction.
For a PayPass M/Chip transaction, the PayPass reader continues with the following steps:
o The PayPass reader determines which form of ODA to perform.
o The PayPass reader reads the data records of the PayPass card.
o The PayPass reader performs Terminal Risk Management and Terminal Action Analysis, and selects a cardholder verification method for the transaction.
o The PayPass reader requests an application cryptogram from the PayPass card.
o The PayPass reader performs offline data authentication as appropriate.
For a PayPass Mag Stripe transaction, the PayPass reader continues with the following steps:
o The PayPass reader reads the data records from the PayPass card.
o The PayPass reader issues the COMPUTE CRYPTOGRAPHIC CHECKSUM command to the PayPass card.
o The PayPass reader stores the CVC3-related data in the discretionary data fields of the Track 1 Data and Track 2 Data.
If the outcome of the above processing was successful, the reader provides a visible and audible indication of a successful PayPass interaction to the cardholder. The PayPass reader completes the transaction by preparing the necessary Data Record and Transaction Outcome information and returning it to the terminal.
If the outcome of the above processing was not successful, the reader, if appropriate, provides an indication of the failure to the cardholder. The PayPass reader either:
o Retries the above processing, or
o Prepares the necessary Transaction Outcome information and returns it to the terminal. The PayPass reader then hands control back to the terminal.
The decision to provide failure indication and either retry or return control to the terminal is implementation dependent. The different stages of the transaction are summarized in Figure 1.2.
Commands
This chapter defines the commands and responses supported by PayPass M/Chip.
2.1 Introduction
The INS byte of the C-APDU is structured according to [EMV BOOK 1]. The coding of INS and its relationship to CLA are shown in Table 2.1.
Table 2.1: Coding of the Instruction Byte
CLA | INS | Meaning
'80' | '2A' | COMPUTE CRYPTOGRAPHIC CHECKSUM
'80' | 'AE' | GENERATE AC
'80' | 'A8' | GET PROCESSING OPTIONS
'00' | 'B2' | READ RECORD
'00' | 'A4' | SELECT

The status bytes returned by the PayPass card are coded as specified in Section 6.3.5 of [EMV BOOK 3]. In addition to the status bytes specific for every command, the PayPass card may return the status bytes shown in Table 2.2.
Table 2.2: Generic Status Bytes
SW1 | SW2 | Meaning
'6D' | '00' | Instruction code not supported or invalid
'6E' | '00' | Class not supported
'6F' | '00' | No precise diagnosis

2.2 COMPUTE CRYPTOGRAPHIC CHECKSUM
The data field of the command message is coded according to the UDOL following the rules as defined in Section 5.2. If the PayPass card does not have a UDOL, the PayPass reader uses the Default UDOL.
2.3 GENERATE AC
2.3.1 Definition and Scope
The GENERATE AC command sends transaction-related data to the card, which then computes and returns an Application Cryptogram. Depending on the risk management in the card, the cryptogram returned by the PayPass card may differ from that requested in the command message. The PayPass card may return an AAC (transaction declined), an ARQC (online authorization request) or a TC (transaction approved).
The data field of the command message is coded according to CDOL1 following the rules as defined in Section 5.2.
Format 1
In the case of format 1, the data object returned in the response message is a primitive data object with tag equal to '80'. The value field consists of the concatenation without delimiters (tag and length) of the value fields of the data objects specified in Table 2.7. Format 1 is only used if CDA is not performed.
Table 2.7: GENERATE AC Response Message Data Field (Format 1)
Value | Presence
CID | M
ATC | M
AC | M
IAD | O

Format 2
In the case of format 2, the data object returned in the response message will vary depending on whether CDA was performed or not.
CDA Not Performed
If CDA is not performed, the data object returned in the response message for an AAC, ARQC or TC is a constructed data object with tag equal to '77', as specified in Table 2.8.
Table 2.8: GENERATE AC Response Message Data Field (Format 2) - No CDA
Tag | Value | Presence
'77' | Response Message Template | M
    '9F27' | CID | M
    '9F36' | ATC | M
    '9F26' | AC | M
    '9F10' | IAD | O

CDA Performed
If CDA is performed, the data object returned in the response message for an ARQC or TC is a constructed data object with tag equal to '77'. It contains at least the three mandatory data objects specified in Table 2.9, and optionally the IAD.
Table 2.9: GENERATE AC Response Message Data Field (Format 2) - CDA
Tag | Value | Presence
'77' | Response Message Template | M
    '9F27' | CID | M
    '9F36' | ATC | M
    '9F4B' | SDAD | M
    '9F10' | IAD | O

2.4 GET PROCESSING OPTIONS
The data field of the command message is the Command Template with tag '83' and with a value field coded according to the PDOL provided by the PayPass card in the response to the SELECT command. If the PDOL is not provided by the PayPass card, the length field of the template is set to zero. Otherwise the length field is the total length of the value fields of the data objects transmitted to the card. The value fields are concatenated according to the rules defined in Section 5.2.
Format 1
In the case of format 1, the data object returned in the response message is a primitive data object with tag equal to '80'. The value field consists of the concatenation without delimiters (tag and length) of the value fields of the AIP and the AFL, as shown in Table 2.12.
Format 2
In the case of format 2, the data object returned in the response message is a constructed data object with tag '77' (Response Message Template). The value field may include several TLV coded objects, but always includes the AIP (tag '82') and AFL (tag '94'), as shown in Table 2.13.
Table 2.13: GET PROCESSING OPTIONS Response Message Data Field (Format 2)
Tag | Value | Presence
'77' | Response Message Template | M
    '82' | AIP | M
    '94' | AFL | M

2.5 READ RECORD
2.5.1 Definition and Scope
The READ RECORD command reads a file record in a linear file. The response of the PayPass card consists of returning the record.
Table 2.16 specifies the coding of P2 of the READ RECORD command.
Table 2.16: P2 of READ RECORD Command
b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | Meaning
x | x | x | x | x | | | | SFI
 | | | | | 1 | 0 | 0 | P1 is a record number
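Added example (not part of the specification): turning an AFL into the READ RECORD C-APDUs a reader would send, using the CLA/INS values of Table 2.1 and the P2 coding of Table 2.16. The four-byte AFL entry layout and the trailing Le of '00' are taken from [EMV BOOK 3] rather than from this page; the function names and the sample AFL are constructed.

```python
CLA_READ_RECORD, INS_READ_RECORD = 0x00, 0xB2   # Table 2.1


def read_record_apdu(sfi: int, record: int) -> bytes:
    """C-APDU for one record: P1 = record number, P2 = SFI in b8-b4 and 100b in b3-b1."""
    if not 1 <= sfi <= 30:
        raise ValueError(f"SFI {sfi} outside 1..30")
    if not 1 <= record <= 255:
        raise ValueError(f"record number {record} outside 1..255")
    p2 = (sfi << 3) | 0b100                     # Table 2.16
    return bytes([CLA_READ_RECORD, INS_READ_RECORD, record, p2, 0x00])


def parse_afl(afl: bytes) -> list:
    """Split an AFL into (sfi, first_record, last_record, oda_records) tuples.

    Entry layout assumed from EMV Book 3: byte 1 carries the SFI in its five
    most significant bits (three low bits zero), byte 2 is the first record,
    byte 3 the last record, byte 4 the number of records that take part in
    offline data authentication.
    """
    if not afl or len(afl) % 4:
        raise ValueError("AFL length must be a non-zero multiple of 4")
    entries = []
    for i in range(0, len(afl), 4):
        b1, first, last, oda = afl[i:i + 4]
        sfi = b1 >> 3
        if b1 & 0x07 or not 1 <= sfi <= 30:
            raise ValueError(f"AFL entry {i // 4}: bad SFI byte {b1:02X}")
        if first == 0 or last < first:
            raise ValueError(f"AFL entry {i // 4}: bad record range {first}..{last}")
        if oda > last - first + 1:
            raise ValueError(f"AFL entry {i // 4}: more ODA records than records")
        entries.append((sfi, first, last, oda))
    return entries


def read_record_commands(afl: bytes) -> list:
    """Every READ RECORD C-APDU needed to read the records the AFL names, in AFL order."""
    return [read_record_apdu(sfi, rec)
            for sfi, first, last, _ in parse_afl(afl)
            for rec in range(first, last + 1)]


# Constructed sample: SFI 1 record 1, then SFI 2 records 1 to 3 (one used for ODA).
SAMPLE_AFL = bytes.fromhex("0801010010010301")

if __name__ == "__main__":
    for apdu in read_record_commands(SAMPLE_AFL):
        print(apdu.hex().upper())
```

A reader that rejects a malformed AFL before sending any READ RECORD avoids reading records the card never declared.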
2.6 SELECT
2.6.1 Definition and Scope
The SELECT command is used to select the PPSE directory and the PayPass application. The response from the PayPass card consists of returning the FCI.
The data field of the command message contains the PPSE directory name ("2PAY.SYS.DDF01") or the ADF Name (or AID) of the application in the PayPass card 1.
Depending on the value of the File Name, the SELECT command is referred to as SELECT PPSE or SELECT AID command.
Select PPSE
Table 2.20 defines the FCI returned by a successful selection of the PPSE directory. The FCI contains the list of PayPass applications (ADF Names) supported by the card.
Table 2.20: SELECT Response Message Data Field (FCI) of the PPSE
Tag | Value | Presence
'6F' | FCI Template | M
    '84' | DF Name | M
    'A5' | FCI Proprietary Template | M
        'BF0C' | FCI Issuer Discretionary Data | M

The FCI Issuer Discretionary Data is a constructed data object of which the value field is comprised of one or more Application Templates (tag '61') as described in Table 2.21.
Table 2.21: FCI Issuer Discretionary Data
'BF0C' | Length | '61' | Length of directory entry 1 | Directory entry 1 | '61' | Length of directory entry n | Directory entry n

Each directory entry is the value field of an Application Template and contains the information according to Table 2.22 and Table 2.23.
Table 2.22: Directory Entry Format
Tag | Value | Presence
'4F' | ADF Name (AID) | M
'87' | Application Priority Indicator (see Table 2.23). | M
'50' | Application Label | O

2 The FCI Proprietary Template may be empty. In this case the length must be set to zero.
3 These specifications do not specify how to block the PPSE or PayPass application. For a dual-interface card (contact and contactless), this may be done by using the contact interface.
Application Activation
This chapter describes the procedure for identifying and activating the PayPass application on the card, and other transaction pre-processing.
3.1 Overview
Application activation begins when the terminal enables the PayPass reader to perform a contactless transaction. Application activation can be divided into the following areas:
1. Pre-processing, in which the transaction amount is checked against defined limits for each supported application
2. Protocol activation, in which contactless protocol of the PayPass reader is activated and prepared for card discovery
3. Application selection, in which first the PPSE and then the PayPass application are selected on the card
3.2 Pre-Processing
When the PayPass reader has been enabled by the terminal and the values of the transaction related data objects listed in 5.4.1.4 are defined, then the following steps are performed.
3.2.1.1 The PayPass reader must set Transaction CVM to "No CVM".
3.2.1.2 The PayPass reader must set the Transaction Outcome to "Declined".
The following steps are completed for each AID supported by the PayPass reader.
3.2.1.3 The PayPass reader must clear the following flags:
• Terminal Contactless Transaction Limit Exceeded Flag
• Terminal Contactless Floor Limit Exceeded Flag
• Terminal CVM Required Limit Exceeded Flag
3.2.1.4 If the Amount, Authorized is greater than or equal to the Terminal Contactless Transaction Limit for that AID, then the Terminal Contactless Transaction Limit Exceeded Flag must be set for that AID.
3.2.1.5 If the Amount, Authorized is greater than the Terminal Contactless Floor Limit for that AID, then the Terminal Contactless Floor Limit Exceeded Flag must be set for that AID.
3.2.1.6 If the Amount, Authorized is greater than or equal to the Terminal CVM Required Limit for that AID, then the Terminal CVM Required Limit Exceeded Flag must be set for that AID.
3.3 Protocol Activation
3.3.1.1 If the PayPass reader has completed pre-processing, and if the Terminal Contactless Transaction Limit Exceeded Flag has not been set for at least one AID supported by the PayPass reader, then the PayPass reader must:
• Power up the contactless interface and start the polling and collision detection mechanisms as defined in [EMVCLPRO].
• Provide a visible indication to the cardholder that the reader is active and that the card can be presented.
Otherwise, the PayPass reader must not proceed with the rest of application activation. It must instead continue with the Completion function as described in Section 4.3.15.
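Added example (not part of the specification): requirements 3.2.1.1 to 3.2.1.6 and the activation decision of 3.3.1.1, showing that the floor limit uses a strict comparison while the other two limits do not. The class and function names are hypothetical, and the AIDs, limits and amounts are constructed sample values in minor currency units.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AidLimits:
    """Per-AID reader configuration (hypothetical structure), amounts in minor units."""
    aid: str
    transaction_limit: int     # Terminal Contactless Transaction Limit
    floor_limit: int           # Terminal Contactless Floor Limit
    cvm_required_limit: int    # Terminal CVM Required Limit


@dataclass
class AidFlags:
    """The three flags of 3.2.1.3; a fresh instance is the cleared state."""
    transaction_limit_exceeded: bool = False
    floor_limit_exceeded: bool = False
    cvm_required_limit_exceeded: bool = False


def pre_process(amount_authorized: int, configs):
    """Return (transaction state, {aid: AidFlags}) after requirements 3.2.1.1 to 3.2.1.6."""
    state = {"transaction_cvm": "No CVM",          # 3.2.1.1
             "transaction_outcome": "Declined"}    # 3.2.1.2
    flags = {}
    for cfg in configs:
        f = AidFlags()                             # 3.2.1.3: all three flags cleared
        # 3.2.1.4: greater than or equal to
        f.transaction_limit_exceeded = amount_authorized >= cfg.transaction_limit
        # 3.2.1.5: strictly greater than
        f.floor_limit_exceeded = amount_authorized > cfg.floor_limit
        # 3.2.1.6: greater than or equal to
        f.cvm_required_limit_exceeded = amount_authorized >= cfg.cvm_required_limit
        flags[cfg.aid] = f
    return state, flags


def may_activate_protocol(flags) -> bool:
    """3.3.1.1: activate only if at least one AID has not exceeded its transaction limit."""
    return any(not f.transaction_limit_exceeded for f in flags.values())


# Constructed sample configuration for two AIDs.
SAMPLE_CONFIG = [
    AidLimits("A0000000041010", transaction_limit=5000, floor_limit=5000,
              cvm_required_limit=5000),
    AidLimits("A0000000043060", transaction_limit=10000, floor_limit=2500,
              cvm_required_limit=5001),
]

if __name__ == "__main__":
    for amount in (2500, 5000, 10000):
        _, result = pre_process(amount, SAMPLE_CONFIG)
        print(amount, may_activate_protocol(result), result)
```

An amount exactly equal to a limit is the case to test: it sets the transaction-limit and CVM-required flags but not the floor-limit flag.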
3.4 Application Selection
The application selection process is described in detail in the following sections from the standpoint of both the card and the PayPass reader. The application selection mechanism minimizes the number of commands between the card and PayPass reader. If no errors are encountered, only two SELECT commands (see Section 2.6) are necessary. The process is described in two steps, and is summarized in Figure 3.1.
1. The PayPass reader selects the PPSE and creates a list of applications that are supported by both the card and the PayPass reader. This list is referred to as the "candidate list" (see Section 3.4.1).
2. From the candidate list, the application to be run is chosen and selected on the card (see Section 3.4.2).
[Figure 3.1: exchange between the PayPass reader and the PayPass card: 1. SELECT PPSE, 2. List of AIDs, 3. SELECT AID, 4. FCI]
As an alternative to the application selection method described here, the PayPass reader may also support a proprietary application selection method that is outside the scope of this specification. If so, then the proprietary method may be performed either:
• Immediately prior to step 3.4.1.1, or
• Immediately prior to step 3.4.2.1 if the candidate list is empty.
3.4.1.3
3.4.1.5
3.4.1.6
Applications with no priority must come last and in the order in which they were listed in the PPSE directory entries in the FCI Issuer Discretionary Data (see Table 2.21).
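Added example (not part of the specification): one BER-TLV reader serving two passages, the GENERATE AC response formats of Tables 2.7 to 2.9 and the PPSE FCI of Tables 2.20 to 2.22 with the candidate-list ordering stated above. Assumptions taken from [EMV BOOK 1] and [EMV BOOK 3] rather than from this page: the CID cryptogram-type bits, the Format 1 field lengths, priority in the low four bits of tag '87' with lower values first, and exact AID matching. Treating an AAC as unsigned when CDA was requested is also an assumption, and all names and sample data are constructed.

```python
CID_TYPES = {0x00: "AAC", 0x40: "TC", 0x80: "ARQC"}  # CID bits b8-b7, assumed from EMV Book 3

def read_tlv(buf: bytes) -> list:
    """Return [(tag, value), ...] for the BER-TLV objects in buf; ValueError if malformed."""
    out, i = [], 0
    try:
        while i < len(buf):
            tag = buf[i]
            i += 1
            if tag & 0x1F == 0x1F:            # more tag bytes follow
                more = True
                while more:
                    more = bool(buf[i] & 0x80)
                    tag = (tag << 8) | buf[i]
                    i += 1
            length = buf[i]
            i += 1
            if length & 0x80:                 # long form: next k bytes hold the length
                k = length & 0x7F
                if k == 0 or i + k > len(buf):
                    raise ValueError("bad long-form length")
                length = int.from_bytes(buf[i:i + k], "big")
                i += k
            if i + length > len(buf):
                raise ValueError("value runs past end of data")
            out.append((tag, bytes(buf[i:i + length])))
            i += length
    except IndexError:
        raise ValueError("truncated TLV header") from None
    return out

def parse_generate_ac(data: bytes, cda_requested: bool) -> dict:
    """Validate a GENERATE AC response data field against Tables 2.7 to 2.9."""
    objs = read_tlv(data)
    if len(objs) != 1 or objs[0][0] not in (0x80, 0x77):
        raise ValueError("expected one data object with tag '80' or '77'")
    tag, value = objs[0]
    if tag == 0x80:                           # Format 1: CID(1) ATC(2) AC(8) [IAD]
        if len(value) < 11:
            raise ValueError("Format 1 value shorter than CID + ATC + AC")
        got = {0x9F27: value[:1], 0x9F36: value[1:3], 0x9F26: value[3:11]}
    else:                                     # Format 2: TLV objects inside '77'
        got = dict(read_tlv(value))
    cid = got.get(0x9F27, b"")
    kind = CID_TYPES.get(cid[0] & 0xC0) if len(cid) == 1 else None
    if kind is None:
        raise ValueError("CID missing or not AAC/TC/ARQC")
    signed = cda_requested and kind != "AAC"  # Table 2.9 applies to ARQC and TC
    if signed and tag == 0x80:
        raise ValueError("Format 1 is only used if CDA is not performed")
    for need, size in ((0x9F36, 2), (0x9F4B, None) if signed else (0x9F26, 8)):
        if need not in got or (size and len(got[need]) != size):
            raise ValueError(f"mandatory object '{need:X}' missing or wrong length")
    return {"format": 1 if tag == 0x80 else 2, "type": kind, "cda": signed,
            "atc": int.from_bytes(got[0x9F36], "big")}

def candidate_list(fci: bytes, reader_aids: set) -> list:
    """AIDs in the PPSE FCI that the reader also supports, in selection order."""
    def child(parent: bytes, tag: int) -> bytes:
        for t, v in read_tlv(parent):
            if t == tag:
                return v
        raise ValueError(f"mandatory object '{tag:X}' missing")

    directory = child(child(child(fci, 0x6F), 0xA5), 0xBF0C)
    ranked = []
    for pos, (tag, value) in enumerate(read_tlv(directory)):
        if tag != 0x61:
            continue
        entry = dict(read_tlv(value))
        if 0x4F not in entry:
            raise ValueError("directory entry without ADF Name")
        aid = entry[0x4F].hex().upper()
        prio = (entry.get(0x87) or b"\x00")[0] & 0x0F   # 0 means no priority
        if aid in reader_aids:
            ranked.append((prio == 0, prio, pos, aid))  # no-priority entries sort last
    return [aid for *_, aid in sorted(ranked)]

def tlv(tag: str, value: bytes) -> bytes:
    """Encode one object for the constructed samples below (lengths up to 255)."""
    n = len(value)
    return bytes.fromhex(tag) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + value

def _entry(aid: str, prio: int) -> bytes:
    return tlv("61", tlv("4F", bytes.fromhex(aid)) + tlv("87", bytes([prio])))

# Constructed sample responses (not captured from a real card).
SAMPLE_PPSE_FCI = tlv("6F", tlv("84", b"2PAY.SYS.DDF01") + tlv("A5", tlv("BF0C",
    _entry("A0000000043060", 0) + _entry("F0000000000001", 1) + _entry("A0000000041010", 2))))
SAMPLE_GENAC_FORMAT1 = tlv("80", bytes.fromhex("80" "0012" "1122334455667788"))
SAMPLE_GENAC_CDA = tlv("77", tlv("9F27", b"\x40") + tlv("9F36", b"\x00\x13")
                       + tlv("9F4B", bytes(128)))

if __name__ == "__main__":
    print(candidate_list(SAMPLE_PPSE_FCI, {"A0000000041010", "A0000000043060"}))
    print(parse_generate_ac(SAMPLE_GENAC_FORMAT1, cda_requested=False))
    print(parse_generate_ac(SAMPLE_GENAC_CDA, cda_requested=True))
```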
4.1 Transaction Flow
4.1.1.1 The PayPass reader must execute the transaction flow as described in Figure 4.1 and Figure 4.2, and in the corresponding text below.
Note
The transaction flow described in Figure 4.1 and Figure 4.2 assumes normal processing without exceptions. Exception processing is described in Section 4.2.
Symbol 1 FCI and SW1-SW2 Processing The PayPass reader performs certain checks on the data received in reply to the SELECT AID command as described in Section 4.3.1. Symbol 2 GET PROCESSING OPTIONS Command Processing The PayPass reader initiates the transaction by issuing the GET PROCESSING OPTIONS command as described in Section 4.3.2. The PayPass card returns the AIP and the AFL. Symbol 3 M/Chip profile? The PayPass reader verifies if the "M/Chip profile is supported" bit in the AIP is set. If the bit is set, the PayPass reader continues by selecting the method of offline data authentication to be used (see Symbol 7). If the bit is not set, then it continues by reading from the PayPass card the PayPass Mag Stripe application data (see Symbol 4). Symbol 4 Read Mag Stripe Application Data Based on the AFL previously received from the card, the PayPass reader reads the necessary data using the READ RECORD command as specified in Section 4.3.3. Symbol 5 Mag Stripe Application Version Number Checking The PayPass reader verifies the compatibility of its application with the PayPass Mag Stripe application in the PayPass card as specified in Section 4.3.4.
Symbol 6 COMPUTE CRYPTOGRAPHIC CHECKSUM Processing The PayPass reader continues with the COMPUTE CRYPTOGRAPHIC CHECKSUM command as specified in Section 4.3.5. The PayPass reader then sets the Transaction Outcome to "Online Request".
Note After the completion of the COMPUTE CRYPTOGRAPHIC CHECKSUM response, the PayPass card can be removed from the PayPass reader.
Symbol 7 Offline Data Authentication Method Selection
The PayPass reader selects the offline data authentication method to be used in the transaction. As described in Section 4.3.6, it compares the functionality available on the card, as indicated in the AIP, with its own capabilities. The result of this process is a decision to perform CDA, SDA or not to perform any offline data authentication.

Symbol 8 Read M/Chip Application Data
The PayPass reader reads the necessary data using READ RECORD commands as specified in Section 4.3.7.

Symbol 9 Processing Restrictions
The PayPass reader performs the Processing Restrictions function as specified in Section 4.3.8. This includes application version number checking, application usage control checking and application effective/expiry dates checking.

Symbol 10 Terminal Risk Management
The PayPass reader performs Terminal Risk Management as specified in Section 4.3.9.

Symbol 11 M/Chip CVM Selection
The PayPass reader selects a cardholder verification method as specified in Section 4.3.10. The result of this function is stored as the Transaction CVM.

Symbol 12 Terminal Action Analysis
The PayPass reader performs Terminal Action Analysis in order to decide whether the transaction should be approved offline, declined offline, or transmitted online. The PayPass reader makes this decision based on the content of the TVR, the Issuer Action Codes and Terminal Action Codes as specified in Section 4.3.11.

Symbol 13 GENERATE AC
The PayPass reader issues a GENERATE AC command, as described in Section 4.3.12, requesting a TC, ARQC or an AAC based on the results of Terminal Action Analysis. The PayPass card performs its card risk management when it receives the GENERATE AC command, and may decide to complete the transaction online (ARQC), offline (TC) or decline the transaction (AAC).
Note After the completion of the GENERATE AC response, the PayPass card may be removed from the PayPass reader.
Symbol 14 Card Generated AAC?
If the PayPass reader requested an ARQC or TC, and if the PayPass card has generated an AAC, the PayPass reader sets the Transaction Outcome to "Try Another Interface" and continues with the Completion function. If the PayPass reader requested an AAC, and if the PayPass card has generated an AAC, the PayPass reader sets the Transaction Outcome to "Declined" and continues with the Completion function. Otherwise, the PayPass reader continues by checking if CDA was used in the PayPass card response.

Symbol 15 Combined DDA/AC Generation?
If CDA is being performed, the PayPass reader continues by retrieving the ICC Public Key from the data read from the PayPass card and by verifying the SDAD. If CDA has not been performed, the PayPass reader continues by verifying that the PayPass card generated an ARQC.

Symbol 16 Retrieve ICC Public Key and Verify SDAD (CDA)
The PayPass reader retrieves the ICC Public Key and verifies the SDAD generated by the PayPass card as specified in Section 4.3.13.

Symbol 17 Card Generated ARQC (CDA)?
The PayPass reader checks if the card generated an ARQC. If this is the case, the PayPass reader sets the Transaction Outcome to "Online Request" for online capable terminals, and to "Declined" for offline-only terminals. If the PayPass card generated a TC, the PayPass reader sets the Transaction Outcome to "Approved". The PayPass reader continues with the Completion function.

Symbol 18 Card Generated ARQC (No CDA)?
The PayPass reader checks if the PayPass card generated an ARQC. If this is the case, the PayPass reader sets the Transaction Outcome to "Online Request" for online capable terminals, and to "Declined" for offline-only terminals. The PayPass reader then continues with the Completion function. If the PayPass card generated a TC, the PayPass reader continues by performing SDA.

Symbol 19 Static Data Authentication
The PayPass reader performs SDA as specified in Section 4.3.14. The PayPass reader sets the Transaction Outcome to "Approved".

Symbol 20 Completion
The PayPass reader executes the Completion function as specified in Section 4.3.15, and hands control back to the terminal.
4.2 Exception Processing
This section specifies exceptions to normal processing that cause termination of the normal transaction flow.
4.2.1 Processing
4.2.1.1 If the PayPass reader encounters an exception during its processing, then it must set the Transaction Outcome to "End Application" and continue with the Completion function as specified in Section 4.3.15.
4.2.2.2
4.2.2.4
4.3
Note
4.3.1.2 The PayPass reader must verify that the FCI is correctly formatted, as specified in Table 2.24. If this is not the case, then the PayPass reader must terminate processing as specified in requirement 4.2.1.1.

4.3.1.3 The PayPass reader must extract the PDOL (if present) from the FCI and store it for later use during the GET PROCESSING OPTIONS Command Processing.

4.3.1.4 The PayPass reader must extract the DF Name (tag '84'), Application Label (tag '50') (if present), the Language Preference (tag '5F2D') (if present), the Issuer Code Table Index (tag '9F11') (if present) and the Application Preferred Name (tag '9F12') (if present) from the FCI, and store them for later use in the Completion function.

4.3.1.5 Additional tags returned in the FCI that are not listed in Table 2.24 must be discarded by the PayPass reader.

If the Language Preference (tag '5F2D') data object is included in the FCI, then the PayPass reader must perform language selection as specified in Section 11.1 of [EMV BOOK 4], except for interactive cardholder language selection. If no match is found and the PayPass reader supports more than one language, it must automatically select the local language.
The PayPass reader must format the GET PROCESSING OPTIONS command as specified in Section 2.4.2.

If the PDOL is not present (see requirement 4.3.1.3), the PayPass reader must use a command data field of '8300'.

If the PDOL is present, the PayPass reader must use the PDOL to create a concatenated list of data objects without tags or lengths following the rules specified in Section 5.2. The PayPass reader must verify that all of the tags in the PDOL belong to data objects available to the PayPass reader. If this is not the case, the PayPass reader must provide a data object with the length specified and a value of all hexadecimal zeros for all such tags encountered. The PayPass reader must use the concatenated list as value field of the data object with tag '83'.

The PayPass reader must verify that the response message to the GET PROCESSING OPTIONS command is correctly formatted as specified in Section 2.4.3. If this is not the case, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.

The PayPass reader must retrieve from the response message the AIP (tag '82') and AFL (tag '94') data objects. If they are not both included, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1. If the PayPass card response contains a constructed data object as described in Table 2.13, any additional data objects returned in the data field must be discarded by the PayPass reader.

If the PayPass Mag Stripe Indicator for the selected AID indicates that the PayPass Mag Stripe profile is not supported and the "M/Chip profile is supported" bit in the AIP is not set, then the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.

If the PayPass card returns SW1-SW2 = '6985' in response to the GET PROCESSING OPTIONS command, then the PayPass reader must remove the application from the candidate list and return to application selection as described in requirement 3.4.2.1.
Requirement 4.3.2.9 applies only if the PayPass reader implements application activation as specified in Chapter 3. If the EMV Entry Point is used, then SW1-SW2 = '6985' is handled as described in 4.2.3.1.
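The command data construction described above, as an added example that is not part of the specification: it parses a PDOL, zero-fills tags the reader does not hold, and wraps the result in tag '83'. The PDOL, the terminal values and the proprietary tag 'DF70' are constructed samples, and the length adjustment in `fit` follows EMV Book 3 Section 5.4, which this document applies through Section 5.2.

```python
from __future__ import annotations


class TerminateTransaction(Exception):
    """Requirement 4.2.1.1: Transaction Outcome "End Application"."""


def parse_dol(dol: bytes) -> list[tuple[bytes, int]]:
    """Split a DOL into (tag, length) pairs; a DOL carries no values."""
    entries, i = [], 0
    while i < len(dol):
        start = i
        if dol[i] & 0x1F == 0x1F:          # BER-TLV: further tag bytes follow
            i += 1
            while i < len(dol) and dol[i] & 0x80:
                i += 1
        i += 1                              # step past the last tag byte
        if i >= len(dol):
            # Treating a truncated PDOL as a format error is this example's choice.
            raise TerminateTransaction("PDOL ends inside a tag/length pair")
        entries.append((dol[start:i], dol[i]))
        i += 1
    return entries


def fit(value: bytes, length: int, fmt: str) -> bytes:
    """Adjust a value to the length the DOL asks for (EMV Book 3, Section 5.4)."""
    if len(value) > length:
        # Numeric ("n") loses its leftmost bytes, every other format its rightmost.
        return value[len(value) - length:] if fmt == "n" else value[:length]
    pad = length - len(value)
    if fmt == "n":
        return bytes(pad) + value           # leading zeros
    if fmt == "cn":
        return value + b"\xff" * pad        # trailing 'FF'
    return value + bytes(pad)               # trailing zeros


def build_gpo_data(pdol: bytes | None,
                   terminal_data: dict[bytes, tuple[bytes, str]]) -> bytes:
    """Return the GET PROCESSING OPTIONS command data field."""
    if not pdol:
        return bytes.fromhex("8300")        # no PDOL in the FCI
    value = bytearray()
    for tag, length in parse_dol(pdol):
        if tag in terminal_data:
            data, fmt = terminal_data[tag]
            value += fit(data, length, fmt)
        else:
            value += bytes(length)          # tag not available: all zeros
    if len(value) > 0xFF:
        raise ValueError("concatenated list does not fit in one length byte")
    n = len(value)
    header = bytes([0x83, n]) if n < 0x80 else bytes([0x83, 0x81, n])
    return header + bytes(value)


# Constructed sample: Amount Authorized (Numeric), Transaction Currency Code,
# and a hypothetical proprietary tag 'DF70' that the reader does not hold.
SAMPLE_PDOL = bytes.fromhex("9F0206" "5F2A02" "DF7003")
SAMPLE_TERMINAL_DATA = {
    bytes.fromhex("9F02"): (bytes.fromhex("000000001234"), "n"),
    bytes.fromhex("5F2A"): (bytes.fromhex("0978"), "n"),
}

if __name__ == "__main__":
    print(build_gpo_data(SAMPLE_PDOL, SAMPLE_TERMINAL_DATA).hex())
    print(build_gpo_data(None, SAMPLE_TERMINAL_DATA).hex())
```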
4.3.2.6
4.3.2.7
4.3.2.8
4.3.2.9
Note
4.3.3.3
4.3.3.4
4.3.3.5
The PayPass reader must copy the discretionary data field of the Track 1 Data (if present) into DDCARD,TRACK1.

The PayPass reader must copy the discretionary data field of the Track 2 Data into DDCARD,TRACK2.

The PayPass reader must verify that the number of non-zero bits in PUNATCTRACK2 (kTRACK2) is greater than or equal to the number of digits of the ATC to be included in the discretionary data field of the Track 2 Data (tTRACK2). If kTRACK2 < tTRACK2, the PayPass reader must terminate the transaction, as specified in requirement 4.2.1.1. Otherwise, the PayPass reader must set nUN equal to kTRACK2 - tTRACK2.

The PayPass reader must verify that nUN is less than or equal to 8. If nUN is greater than 8, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.
4.3.3.6
4.3.3.7
4.3.3.8
The PayPass reader must verify that the number of non-zero bits in PCVC3TRACK2 is greater than or equal to 3 (i.e. qTRACK2 ≥ 3). If this is not the case, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.

If Track 1 Data is included in the data returned from the card, the PayPass reader must also verify that PCVC3TRACK1, PUNATCTRACK1 and NATCTRACK1 are returned. If at least one of these data objects is not available, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.
4.3.3.9
4.3.3.10 If Track 1 Data is available, the PayPass reader must verify that the number of non-zero bits in PUNATCTRACK1 (kTRACK1) is greater than or equal to the number of digits of the ATC to be included in the discretionary data field of Track 1 Data (tTRACK1). If kTRACK1 < tTRACK1, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.

4.3.3.11 If Track 1 Data is available, the PayPass reader must verify that kTRACK1 - tTRACK1 is equal to nUN. If this is not the case, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.

4.3.3.12 If Track 1 Data is available, the PayPass reader must verify that the number of non-zero bits in PCVC3TRACK1 is greater than or equal to 3 (i.e. qTRACK1 ≥ 3). If this is not the case, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.

4.3.3.13 The PayPass reader must retrieve from the Track 2 Data the PAN and Expiry Date. If Track 1 Data is returned from the card, the PayPass reader must verify that the PAN and Expiry Date included in the Track 1 Data are the same as the PAN and Expiry Date included in the Track 2 Data. If this is not the case, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.
4.3.5.4
4.3.5.5
4.3.5.6
4.3.5.7
4.3.5.8
4.3.5.9
4.3.5.10 The PayPass reader must copy nUN into the least significant digit of the discretionary data field of the Track 2 Data.
4.3.5.11 If Track 1 Data is available, the PayPass reader must retrieve the CVC3TRACK1 from the Response Message Template (tag '77'). If the Track 1 Data is available and the CVC3TRACK1 is not available, the PayPass reader must terminate the transaction as indicated in requirement 4.2.4.1.

4.3.5.12 Data objects returned in the Response Message Template (tag '77') with tags other than '9F60', '9F61' and '9F60' must be discarded by the PayPass reader.

4.3.5.13 If Track 1 Data is available, the PayPass reader must convert the binary encoded CVC3TRACK1 to the BCD encoding of the corresponding number expressed in base 10. The PayPass reader must convert the qTRACK1 least significant digits of the BCD encoded CVC3TRACK1 into the ASCII format and copy the qTRACK1 ASCII encoded CVC3TRACK1 characters into the eligible positions of the discretionary data field of the Track 1 Data. The eligible positions are indicated by the qTRACK1 non-zero bits in PCVC3TRACK1.

4.3.5.14 If Track 1 Data is available, the PayPass reader must convert the BCD encoded UN (Numeric) into the ASCII format and replace the nUN least significant eligible positions of the discretionary data field of the Track 1 Data by the nUN least significant characters of the ASCII encoded UN (Numeric). The eligible positions in the discretionary data field are indicated by the nUN least significant non-zero bits in PUNATCTRACK1.

4.3.5.15 If Track 1 Data is available and tTRACK1 ≠ 0, the PayPass reader must convert the ATC to the BCD encoding of the corresponding number expressed in base 10. The PayPass reader must convert the tTRACK1 least significant digits of the ATC into the ASCII format. The PayPass reader must replace the tTRACK1 most significant eligible positions of the discretionary data field of the Track 1 Data by the tTRACK1 ASCII encoded ATC characters. The eligible positions in the discretionary data field are indicated by the tTRACK1 most significant non-zero bits in PUNATCTRACK1.

4.3.5.16 If Track 1 Data is available, the PayPass reader must convert nUN into the ASCII format and copy the ASCII encoded nUN character into the least significant position of the discretionary data field of the Track 1 Data.

4.3.5.17 The PayPass reader must execute the requirements 4.3.5.7, 4.3.5.8, 4.3.5.9 and 4.3.5.10 and the requirements 4.3.5.13, 4.3.5.14, 4.3.5.15 and 4.3.5.16 in the order as specified above.
4.3.6.2
4.3.6.3
4.3.7.2 4.3.7.3
The PayPass reader must always read record 1 included in the file with SFI 2. If the offline data authentication method to be performed for the transaction is SDA or CDA (see Section 4.3.6), the PayPass reader must read record 1 included in the file with SFI 3.
If the offline data authentication method to be performed for the transaction is SDA, the PayPass reader must read record 2 included in the file with SFI 3.

If the offline data authentication method to be performed for the transaction is CDA, the PayPass reader must read record 1 and 2 included in the file with SFI 4.

The PayPass reader must store all recognized data objects read, whether mandatory or optional, for later use in the transaction processing. Data objects that are not recognized by the PayPass reader (that is, their tags are unknown by the PayPass reader) must not be stored separately, but records containing such data objects may still participate in their entirety in offline data authentication, depending upon the coding of the AFL.

All mandatory data objects must be present in the card. If any mandatory data object is not present, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1. The mandatory data objects are listed in Table 4.3.

Table 4.3 Mandatory PayPass M/Chip Data Objects

Tag      Value
'5F24'   Application Expiry Date
'5A'     PAN
'8C'     CDOL1
'9F4A'   SDA Tag List
4.3.7.7
4.3.7.8
Proprietary data files (i.e. files with SFI outside the range 1 to 10) may or may not conform to this specification (refer to Table 2.17). Records in proprietary files may be represented in the AFL and may participate in offline data authentication if they are readable without conditions by the READ RECORD command coded according to Section 2.5.2.
The PayPass reader may support an exception file as specified in Section 6.3.5 of [EMV BOOK 4].
The PayPass reader performs M/Chip CVM Selection as follows:

4.3.10.1 If the "Cardholder verification is supported" bit in the AIP is not set, then the PayPass reader must set the Transaction CVM to "No CVM". In the CVM Results, the PayPass reader must set byte 1 to "No CVM" and byte 3 to "successful". M/Chip CVM Selection is complete. Otherwise, the PayPass reader must continue with requirement 4.3.10.2.

4.3.10.2 If the CVM List is not present in the card or the CVM List has no CVRs, then the PayPass reader must set the "ICC Data Missing" bit in the TVR and the Transaction CVM to "No CVM". In the CVM Results, the PayPass reader must set byte 1 to "No CVM" and byte 3 to "unknown". M/Chip CVM Selection is complete. Otherwise, the PayPass reader must continue with requirement 4.3.10.3.

4.3.10.3 The PayPass reader must process each CVR in the order in which they appear in the CVM List according to requirements 4.3.10.4 and 4.3.10.5. M/Chip CVM Selection is completed when a CVM is successfully selected or when the CVM List is exhausted.

4.3.10.4 When processing each CVR, if any of the following is true, then the PayPass reader must bypass the CVR and proceed to the next CVR in the CVM List:
- The conditions expressed by the CVM Condition Code (second byte of the CVR) are not satisfied.
- Data required by the conditions expressed by the CVM Condition Code is not present.
- The CVM Condition Code is outside the range of codes understood by the PayPass reader (refer to requirement 4.3.10.6).

If there are no more CVRs in the list, then the PayPass reader must set the Transaction CVM to "No CVM" and set the "Cardholder verification was not successful" bit in the TVR. In the CVM Results, the PayPass reader must set byte 1 to "No CVM" and byte 3 to "failed". M/Chip CVM Selection is complete.
4.3.10.5 If the conditions expressed by the CVM Condition Code are satisfied, then the PayPass reader must proceed according to the following steps:

1. If the CVM Code (first byte of the CVR) is recognized (refer to requirement 4.3.10.7), then the PayPass reader must proceed with step 2. If the CVM Code is not recognized, then the PayPass reader must set the 'Unrecognized CVM' bit in the TVR and proceed with step 3.

2. If the CVM Code is supported (refer to requirement 4.3.10.8) and is not "Fail CVM", then the PayPass reader must proceed as follows:
- The PayPass reader must set the Transaction CVM as indicated by the CVM Code.
- In the CVM Results, the PayPass reader must copy the CVR to bytes 1 and 2, and must set byte 3 to "unknown".
- If the CVM Code is "Enciphered PIN verified online", then the PayPass reader must set the "Online PIN entered" bit in the TVR.
- M/Chip CVM Selection is complete.
If the CVM Code is "Fail CVM" or if the CVM Code is not supported, then the PayPass reader must proceed with step 3.

3. The PayPass reader must examine b7 of the CVM Code. If b7 is set to 1b, processing continues with the next CVR, if present. If b7 is set to 0b, or if there are no more CVRs in the list, then the PayPass reader must set the Transaction CVM to "No CVM" and set the "Cardholder verification was not successful" bit in the TVR. The PayPass reader must set byte 3 of the CVM Results to "failed". If the CVM Code is "Fail CVM", then the PayPass reader must copy the CVR to bytes 1 and 2 of the CVM Results. If the CVM Code is not "Fail CVM", then the PayPass reader must set byte 1 of the CVM Results to "No CVM". M/Chip CVM Selection is complete.

4.3.10.6 The PayPass reader must understand the CVM Condition Codes defined in Annex C.3 of [EMV BOOK 3]. The PayPass reader may also understand proprietary CVM Condition Codes not defined in Annex C.3 of [EMV BOOK 3].

4.3.10.7 The PayPass reader must recognize the CVM Codes defined in Annex C.3 of [EMV BOOK 3]. The PayPass reader may also recognize proprietary CVM Codes not defined in Annex C.3 of [EMV BOOK 3].

4.3.10.8 The PayPass reader must verify support of a CVM Code as follows:
- For CVM Codes defined in Annex C.3 of [EMV BOOK 3], support must be indicated in the Terminal Capabilities.
- For CVM Codes not defined in Annex C.3 of [EMV BOOK 3], support may be known implicitly.
- For Combination CVMs, both CVM Codes must be supported.
- "Fail CVM" must always be supported.
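Requirements 4.3.10.1 to 4.3.10.8 as one function, in an added example that is not part of the specification. The CVM Code, AIP bit and CVM Results values are taken from EMV Book 3 Annexes C.1 and C.3 and EMV Book 4 Annex A.4; the TVR is modelled as a set of bit names, and the condition evaluator is a sample that understands only two condition codes.

```python
from __future__ import annotations

FAIL_CVM, ENCIPHERED_PIN_ONLINE = 0x00, 0x02    # CVM Codes, EMV Book 3 Annex C.3
SIGNATURE, NO_CVM_REQUIRED = 0x1E, 0x1F
RECOGNIZED = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x1E, 0x1F}
APPLY_NEXT = 0x40                                # b7 of the CVM Code
NO_CVM_PERFORMED = 0x3F                          # CVM Results byte 1 for "No CVM"
UNKNOWN, FAILED, SUCCESSFUL = 0x00, 0x01, 0x02   # CVM Results byte 3
NAMES = {ENCIPHERED_PIN_ONLINE: "Enciphered PIN verified online",
         SIGNATURE: "Signature", NO_CVM_REQUIRED: "No CVM"}
NOT_SUCCESSFUL = "Cardholder verification was not successful"


def sample_condition(supported):
    """Sample evaluator: '00' (always) and '03' (if terminal supports the CVM) only."""
    def evaluate(condition_code, method):
        if condition_code == 0x00:
            return True
        if condition_code == 0x03:
            return method in supported
        return None          # not understood by this sample: the CVR is bypassed
    return evaluate


def select_cvm(aip: bytes, cvm_list: bytes | None, supported: set[int], condition):
    """Return (Transaction CVM, CVM Results, set of TVR bit names)."""
    tvr: set[str] = set()
    supported = set(supported) | {FAIL_CVM}      # "Fail CVM" is always supported
    if not aip[0] & 0x10:                        # 4.3.10.1: AIP byte 1, b5
        return "No CVM", bytes([NO_CVM_PERFORMED, 0, SUCCESSFUL]), tvr
    # A CVM List is amounts X and Y (8 bytes) followed by two-byte CVRs.
    data = cvm_list or b""
    cvrs = [data[i:i + 2] for i in range(8, len(data) - 1, 2)]
    if not cvrs:                                 # 4.3.10.2
        tvr.add("ICC Data Missing")
        return "No CVM", bytes([NO_CVM_PERFORMED, 0, UNKNOWN]), tvr
    for index, (code, condition_code) in enumerate(cvrs):        # 4.3.10.3
        method = code & 0x3F
        if condition(condition_code, method) is not True:        # 4.3.10.4: bypass
            continue
        if method not in RECOGNIZED:                             # 4.3.10.5 step 1
            tvr.add("Unrecognized CVM")
        elif method in supported and method != FAIL_CVM:         # step 2
            if method == ENCIPHERED_PIN_ONLINE:
                tvr.add("Online PIN entered")
            name = NAMES.get(method, "CVM Code %02X" % method)
            return name, bytes([code, condition_code, UNKNOWN]), tvr
        if code & APPLY_NEXT and index < len(cvrs) - 1:          # step 3
            continue
        tvr.add(NOT_SUCCESSFUL)
        # Byte 2 is left at zero when byte 1 is "No CVM"; the text sets byte 1 only.
        head = [code, condition_code] if method == FAIL_CVM else [NO_CVM_PERFORMED, 0]
        return "No CVM", bytes(head + [FAILED]), tvr
    tvr.add(NOT_SUCCESSFUL)                      # list exhausted by bypasses
    return "No CVM", bytes([NO_CVM_PERFORMED, 0, FAILED]), tvr


# Constructed sample: online PIN, then signature (both "if terminal supports
# the CVM", both with b7 set), then "No CVM required" with condition "always".
SAMPLE_AIP = bytes.fromhex("1980")
SAMPLE_CVM_LIST = bytes(8) + bytes.fromhex("4203" "5E03" "1F00")

if __name__ == "__main__":
    terminal = {SIGNATURE}
    print(select_cvm(SAMPLE_AIP, SAMPLE_CVM_LIST, terminal, sample_condition(terminal)))
```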
4.3.12.9 If CDA was requested in the GENERATE AC command and the PayPass card did not generate an AAC, the PayPass reader must verify that the SDAD (tag '9F4B') is included in the Response Message Template (tag '77'). If the SDAD tag is not included, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1. Additional data objects returned in the data field that are not listed in Table 2.9 must be used by the PayPass reader during the verification of the SDAD.
4.3.13.2 The PayPass reader must retrieve the Certification Authority Public Key, the Issuer Public Key and the ICC Public Key as described in Sections 6.2, 6.3 and 6.4 of [EMV BOOK 2] from the PayPass card data that was read in a previous step (see Section 4.3.7).

4.3.13.3 If the ICC Public Key is not retrieved successfully, then the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.

4.3.13.4 Using the retrieved ICC Public Key in conjunction with the corresponding algorithm, the PayPass reader must verify the SDAD and recover the AC as described in Section 6.6.2 of [EMV BOOK 2].

4.3.13.5 If the SDAD is not successfully verified, then CDA has failed. The PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.
The Issuer Public Key Remainder or the ICC Public Key Remainder could be absent when the public key modulus can be recovered in its entirety from the public key certificate.
4.3.14.2 The PayPass reader must perform SDA by retrieving the Certification Authority Public Key and Issuer Public Key and then verifying the SSAD as described in Section 5 of [EMV BOOK 2].

4.3.14.3 If SDA is not successful, the PayPass reader must terminate the transaction as specified in requirement 4.2.1.1.
4.3.15 Completion
With the Completion function, the PayPass reader prepares the data objects to be returned to the terminal. The PayPass reader ends the Completion processing as described in Section 9.5 ("Removal") of [EMVCLPRO], and hands over control to the terminal.

4.3.15.1 The PayPass reader must indicate to the terminal the outcome of its transaction processing by means of the Transaction Outcome.

4.3.15.2 If a PayPass M/Chip transaction is performed, then the PayPass reader must indicate to the terminal the outcome of the M/Chip CVM Selection function by means of the Transaction CVM.
The Issuer Public Key Remainder could be absent when the public key modulus can be recovered in its entirety from the public key certificate.
4.3.15.3 If the Transaction Outcome is "Online Request" or "Approved", the PayPass reader must provide a Data Record to the terminal containing the necessary elements for authorization and clearing. The data objects required will depend on the transaction profile. The Data Record that the PayPass reader must return for a PayPass M/Chip transaction is as shown in Table 4.6. The Data Record that the PayPass reader must return for a PayPass Mag Stripe transaction is as shown in Table 4.7. Data objects whose presence is listed as conditional (C) must be present in the Data Record if they are present on the card.

Table 4.6 Data Record Detail for PayPass M/Chip

Tag      Data Object                   Presence
'57'     Track 2 Equivalent Data       C
'9F6E'   PayPass Third Party Data      C
'84'     DF Name                       M
'50'     Application Label             C
'9F12'   Application Preferred Name    C
'9F11'   Issuer Code Table Index       C
'9F26'   AC                            M
'9F27'   CID                           M
'9F10'   IAD                           C
'9F36'   ATC                           M
'95'     TVR                           M
'9F37'   UN                            M
'5F2A'   Transaction Currency Code     M
'9C'     Transaction Type              M
'9A'     Transaction Date              M
'9F02'   Transaction Amount            M
'9F1A'   Terminal Country Code         M
'9F34'   CVM Results                   M
'82'     AIP                           M

6 The TVR as sent to the PayPass card by the PayPass reader in the GENERATE AC command.
Presence M C C M C M C C C
DDCARD,TRACK27 PayPass Third Party Data DF Name Application Label Application Preferred Name Issuer Code Table Index
The format of the Data Record is implementation dependent. If the PayPass reader uses the TLV format, then implementation specific values may be used for the tags of DDCARD,TRACK1 and DDCARD,TRACK2.
5.1
5.1.1.2 5.1.1.3
5.2 DOL Handling

To minimize processing in the card, the data field of the command messages is not TLV encoded. The application in the card indicates the requested data, including format and length, by sending a DOL to the PayPass reader. DOLs used in this specification include:
- The PDOL used with the GET PROCESSING OPTIONS command
- The CDOL1 used with the GENERATE AC command
- The UDOL used with the COMPUTE CRYPTOGRAPHIC CHECKSUM command.

5.2.1.1 DOL Handling must be performed according to the rules specified in Section 5.4 of [EMV BOOK 3].
5.3
Each bit in the bitmap refers to a position in the discretionary data. The least significant bit of the bitmap, i.e. the rightmost bit b1, corresponds to position p1, as indicated in Figure 5.2.

[Figure 5.2 Relation between Discretionary Data and Bitmap: discretionary data positions pm ... p1 shown against bitmap bits br ... b1]

The bitmap is composed of a number of bytes, and therefore the number of bits in the bitmap is always a multiple of 8. To accommodate all the positions in a field, the number of bytes in the bitmap will normally contain more bits than the number of positions. If the number of bits in the bitmap is denoted by q, then

q = (r+1)*8, where r is the integer quotient of (m-1)/8

For Track 2 Data mTRACK2 is a maximum of 13 digits, resulting in a bitmap of 16 bits or 2 bytes. For Track 1 Data the maximum value of mTRACK1 is 48 resulting in a bitmap of length 6 bytes or 48 bits.

An example is given in Figure 5.3, for mTRACK2=13, tTRACK2=2 and PUNATCTRACK2 = '031A', referring to positions p10, p9, p5, p4 and p2. Based on this, kTRACK2 equals 5 and nUN equals 3.

Figure 5.3 Example PUNATCTRACK2 = '031A'

Position:                 p13 p12 p11 p10 p9  p8  p7  p6  p5  p4  p3  p2  p1
Bit:          b16 b15 b14 b13 b12 b11 b10 b9  b8  b7  b6  b5  b4  b3  b2  b1
Value:        0   0   0   0   0   0   1   1   0   0   0   1   1   0   1   0
Hex digit:    '0'             '3'             '1'             'A'
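The bitmap rules of this section, the checks in requirements 4.3.3.10 to 4.3.3.12 and the Track 1 placement steps 4.3.5.13 to 4.3.5.16, worked through in an added example that is not part of the specification. The 13-character field and the CVC3, UN and ATC values are constructed so that the Figure 5.3 bitmap can be reused; writing digits most significant first into the eligible positions is an assumption of this example.

```python
from __future__ import annotations


class TerminateTransaction(Exception):
    """Requirement 4.2.1.1: Transaction Outcome "End Application"."""


def bitmap_bits(m: int) -> int:
    """q = (r+1)*8 with r the integer quotient of (m-1)/8."""
    return ((m - 1) // 8 + 1) * 8


def eligible_positions(bitmap: bytes) -> list[int]:
    """Positions whose bit is set, most significant first (b1 is position p1)."""
    value = int.from_bytes(bitmap, "big")
    return [i for i in range(len(bitmap) * 8, 0, -1) if (value >> (i - 1)) & 1]


def check_bitmaps(punatc: bytes, natc: int, pcvc3: bytes,
                  n_un_track2: int | None = None) -> int:
    """Run the k, t, q and nUN checks and return nUN."""
    k, q = len(eligible_positions(punatc)), len(eligible_positions(pcvc3))
    if k < natc:
        raise TerminateTransaction("k < t")
    n_un = k - natc
    if n_un > 8:
        raise TerminateTransaction("nUN > 8")
    if q < 3:
        raise TerminateTransaction("q < 3")
    if n_un_track2 is not None and n_un != n_un_track2:
        raise TerminateTransaction("kTRACK1 - tTRACK1 differs from nUN")   # 4.3.3.11
    return n_un


def place(dd: str, positions: list[int], digits: str) -> str:
    """Write digits into the given positions; p1 is the rightmost character."""
    chars = list(dd)
    for pos, digit in zip(positions, digits):
        if pos > len(chars):
            # Guard added by this example: the bitmap points outside the field.
            raise TerminateTransaction("bitmap position beyond discretionary data")
        chars[len(chars) - pos] = digit
    return "".join(chars)


def fill_track1(dd: str, pcvc3: bytes, punatc: bytes, natc: int, cvc3: bytes,
                un_numeric: bytes, atc: bytes, n_un_track2: int) -> str:
    """Apply 4.3.5.13 to 4.3.5.16, in that order, to a discretionary data field."""
    n_un = check_bitmaps(punatc, natc, pcvc3, n_un_track2)
    cvc_pos, un_atc_pos = eligible_positions(pcvc3), eligible_positions(punatc)
    q = len(cvc_pos)
    cvc_digits = str(int.from_bytes(cvc3, "big")).zfill(q)[-q:]          # 4.3.5.13
    dd = place(dd, cvc_pos, cvc_digits)
    if n_un:                                                             # 4.3.5.14
        dd = place(dd, un_atc_pos[-n_un:], un_numeric.hex()[-n_un:])
    if natc:                                                             # 4.3.5.15
        atc_digits = str(int.from_bytes(atc, "big")).zfill(natc)[-natc:]
        dd = place(dd, un_atc_pos[:natc], atc_digits)
    return dd[:-1] + str(n_un)                                           # 4.3.5.16


# Figure 5.3 bitmap plus constructed values.
PUNATC = bytes.fromhex("031A")      # positions p10 p9 p5 p4 p2
PCVC3 = bytes.fromhex("00E0")       # constructed: positions p8 p7 p6
SAMPLE = dict(dd="0" * 13, pcvc3=PCVC3, punatc=PUNATC, natc=2,
              cvc3=bytes.fromhex("01C8"),            # 456
              un_numeric=bytes.fromhex("00000899"),  # BCD UN (Numeric)
              atc=bytes.fromhex("001E"),             # 30
              n_un_track2=3)

if __name__ == "__main__":
    print(eligible_positions(PUNATC), check_bitmaps(PUNATC, 2, PCVC3))
    print(fill_track1(**SAMPLE))
```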
5.4
Separate instances of the following data objects must be configured for each AID supported by the PayPass reader.
- Additional Terminal Capabilities
- Application Version Number
- Default UDOL (if PayPass Mag Stripe transactions supported for that AID)
- Mag Stripe Application Version Number (if PayPass Mag Stripe transactions supported for that AID)
- Merchant Category Code
- PayPass Mag Stripe Indicator
- Terminal Action Codes
- Terminal Type
- Terminal Capabilities No CVM Required
- Terminal Capabilities CVM Required
- Terminal Contactless Transaction Limit
- Terminal Contactless Floor Limit
- Terminal CVM Required Limit
5.4.1.3
If the PayPass reader supports offline data authentication, it must be able to store six CA Public Keys per RID and must associate with each such key the following key-related information to be used with the key.
- Certification Authority Public Key Check Sum
- Certification Authority Public Key Exponent
- Certification Authority Public Key Index
- Certification Authority Public Key Modulus

The PayPass reader must be able to locate any such key (and key-related information) given the RID and Certification Authority Public Key Index provided by the ICC.

5.4.1.4 The PayPass reader must support the following transaction related data objects of which the value must be available before application activation.
- Amount Authorized (Binary)
- Amount Authorized (Numeric)
- Amount Other (Binary)
- Amount Other (Numeric)
- Transaction Category Code
- Transaction Currency Code
- Transaction Currency Exponent
- Transaction Date
- Transaction Time
- Transaction Type

5.4.1.5 Separate instances of the following flags must be available for each AID. Their values are set during application activation.
- Terminal Contactless Transaction Limit Exceeded Flag
- Terminal Contactless Floor Limit Exceeded Flag
- Terminal CVM Required Limit Exceeded Flag

5.4.1.6 The PayPass reader must support the following transaction related data objects of which the value is set during application activation and transaction processing.
- Cardholder Verification Method (CVM) Results
- DDCARD,TRACK1 and DDCARD,TRACK2
- Terminal Capabilities
- Terminal Verification Results
- Transaction CVM
- Transaction Outcome
- Unpredictable Number
5.4.1.7 Unless otherwise indicated (by the labels MSDA and MCDA), all card data objects included in Table A.1 (i.e. data objects listed with source "Card") must be supported by the PayPass reader. The PayPass reader must recognize the tag and must be able to store the value of the data object if it is returned by the card. Data objects with the label MSDA in the support column must be supported if the PayPass reader supports SDA. Data objects with the flag MCDA in the support column must be supported if the PayPass reader supports CDA.

8 May be generated before application activation if the EMV Entry Point is used.
Reader
'81'
b, 4
n 12, 6
Reader
'9F04'
b, 4
Reader
'9F03'
n 12, 6
Application Cryptogram
Card
'9F26'
b, 8
Application Currency Code: Indicates the currency in which the account is managed in accordance with [ISO 4217].

Application Currency Exponent: Indicates the implied position of the decimal point from the right of the amount represented in accordance with [ISO 4217]. The decimal point location of amounts expressed in the currency code specified in the Application Currency Code.

Application Effective Date: Date from which the application may be used. The date is expressed in the YYMMDD format. For MasterCard branded applications if the value of YY ranges from '00' to '49' the date reads 20YYMMDD. If the value of YY ranges from '50' to '99', the date reads 19YYMMDD.

Application Expiration Date: Date after which application expires. The date is expressed in the YYMMDD format. For MasterCard applications, if the value of YY ranges from '00' to '49' the date reads 20YYMMDD. If the value of YY ranges from '50' to '99' the date reads 19YYMMDD.
Support M M
Card
'5F25'
n 6 (YYMMDD), 3
Card
'5F24'
n 6 (YYMMDD), 3
Application File Locator (AFL)
Source: Card. Tag: '94'. Support: M.
Indicates the location (SFI range of records) of the Application Elementary Files associated with a particular AID, and read by the terminal during a transaction. The AFL is a list of entries of 4 bytes each. Each entry codes an SFI and a range of records as follows:
- The five most significant bits of the first byte indicate the SFI.
- The second byte indicates the first (or only) record number to be read for that SFI.
- The third byte indicates the last record number to be read for that SFI. When the third byte is greater than the second byte, all the records ranging from the record number in the second byte to and including the record number in the third byte must be read for that SFI. When the third byte is equal to the second byte, only the record number coded in the second byte must be read for that SFI.
- The fourth byte indicates the number of records involved in offline data authentication starting with the record number coded in the second byte. The fourth byte may range from zero to the value of the third byte less the value of the second byte plus 1.

Card Reader '4F' '9F06' b, 5-16 M M
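A parser for the AFL coding described above, as an added example that is not part of the specification. The sample AFL is constructed; rejecting an SFI of zero, non-zero low bits in the first byte and a record number of zero follows the EMV Book 3 coding of the AFL rather than text on this page.

```python
from __future__ import annotations

from typing import NamedTuple


class AflEntry(NamedTuple):
    sfi: int
    first_record: int
    last_record: int
    oda_records: int      # records taking part in offline data authentication


def parse_afl(afl: bytes) -> list[AflEntry]:
    """Decode an AFL into entries, rejecting inconsistent coding."""
    if not afl or len(afl) % 4:
        raise ValueError("AFL must be a non-empty multiple of 4 bytes")
    entries = []
    for i in range(0, len(afl), 4):
        byte1, first, last, oda = afl[i:i + 4]
        sfi = byte1 >> 3                   # five most significant bits
        if sfi == 0 or byte1 & 0x07:
            raise ValueError("entry %d: bad SFI byte %02X" % (i // 4, byte1))
        if first == 0 or last < first:
            raise ValueError("entry %d: bad record range" % (i // 4))
        if oda > last - first + 1:
            raise ValueError("entry %d: ODA count exceeds record range" % (i // 4))
        entries.append(AflEntry(sfi, first, last, oda))
    return entries


def read_plan(entries: list[AflEntry]) -> list[tuple[int, int, bool]]:
    """List (SFI, record number, takes part in ODA) in reading order."""
    plan = []
    for entry in entries:
        for record in range(entry.first_record, entry.last_record + 1):
            # The ODA records are the first `oda_records` of the range.
            in_oda = record < entry.first_record + entry.oda_records
            plan.append((entry.sfi, record, in_oda))
    return plan


# Constructed sample: SFI 2 record 1; SFI 3 records 1-2 with the first one in
# offline data authentication; SFI 4 records 1-2.
SAMPLE_AFL = bytes.fromhex("10010100" "18010201" "20010200")

if __name__ == "__main__":
    for sfi, record, in_oda in read_plan(parse_afl(SAMPLE_AFL)):
        print("SFI %d record %d%s" % (sfi, record, " (ODA)" if in_oda else ""))
```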
Application Interchange Profile: Indicates the capabilities of the card to support specific functions in the application. The AIP is returned in the response message of the GET PROCESSING OPTIONS. It is coded as specified in Annex C.1 of [EMV BOOK 3]. This specification extends the definition by allocating the RFU bit b8 in byte 2 to indicate the PayPass profile supported (M/Chip profile or Mag Stripe profile). Byte 2 of the AIP for PayPass transactions is therefore as specified here:
b8 x 1 0 x 0 x 0 x 0 x 0 x 0 x 0 x 0 b7 b6 b5 b4 b3 b2 b1 Meaning PayPass profile M/Chip profile is supported Only Mag Stripe profile supported
Source Card
Tag '82'
Support M
RFU Other values RFU Card Card Card '50' '9F12' '5A' ans, 1-16 ans, 1-16 cn var. up to 19, var. up to 10 M M M
Application Label Application Preferred Name Application Primary Account Number (PAN) Application Primary Account Number (PAN) Sequence Number Application Priority Indicator
Name associated with the AID, in accordance with [ISO/IEC 7816-5]. Preferred name associated with the AID (e.g. a domestic debit brand name). Valid cardholder account number.
Card
'5F34'
n 2, 1
Card
'87'
b, 1
Application Template
Description: Contains one or more data objects relevant to an application directory entry, in accordance with [ISO/IEC 7816-5].

Application Transaction Counter (ATC)
Description: Counter maintained by the application in the card (incrementing the ATC is managed by the card).

Support M M

Application Usage Control
Description: Indicates issuer's specified restrictions on the geographic use and services allowed for the application. The Application Usage Control is coded as specified in Annex C.2 of [EMV BOOK 3].
Source: Card. Tag: '9F07'. Format: b, 2.

Version number assigned by the payment system for the application.
Card Reader
b, 2 b, 2 b, var. up to 252
M M M

Card Risk Management Data Object List 1 (CDOL1)
Description: A data object in the card that provides the reader with a list of data objects that must be passed to the card in the first GENERATE AC command.
Source: Card.

Cardholder Verification Method (CVM) List
Description: Identifies the methods of verification of the cardholder supported by the application. The CVM List is coded as specified in Annex C.3 of [EMV BOOK 3].
Source: Card. Tag: '8E'. Format: b, var. up to 252.

Cardholder Verification Method (CVM) Results
Description: Indicates the results of the last CVM performed. The CVM Results are coded as specified in Annex A.4 of [EMV BOOK 4].
Source: Reader. Tag: '9F34'. Format: b, 3.

Certification Authority Public Key Check Sum
Description: A check value calculated on the concatenation of all parts of the Certification Authority Public Key (RID, Certification Authority Public Key Index, Certification Authority Public Key Modulus, Certification Authority Public Key Exponent) using SHA-1.
Source: Reader. Format: b, 20. Support: MSDA,CDA.
Certification Authority Public Key Exponent
Description: Value of the exponent part of the Certification Authority Public Key.
Source: Reader. Tag: -. Support: MSDA,CDA.

Certification Authority Public Key Index
Description: Identifies the certification authority's public key in conjunction with the RID.
Tag: '8F' '9F22'.

Certification Authority Public Key Modulus
Description: Value of the modulus part of the Certification Authority Public Key.
Tag: -.

Command Template
Description: Identifies the data fields of a command message.
Support: M.

Cryptogram Information Data
Description: Indicates the type of cryptogram and the actions to be performed by the terminal.
Support: M.

CVC3TRACK1
Description: The CVC3TRACK1 is a 2-byte cryptogram returned by the card in the response to the COMPUTE CRYPTOGRAPHIC CHECKSUM command.
Support: M.

CVC3TRACK2
Description: The CVC3TRACK2 is a 2-byte cryptogram returned by the card in the response to the COMPUTE CRYPTOGRAPHIC CHECKSUM command.
Support: M.

Data Authentication Code (DAC)
Description: An issuer-assigned value that is retained by the terminal during the verification process of the Signed Static Application Data.
Support: MSDA.

DDCARD,TRACK1
Description: If Track 1 Data is present, then DDCARD,TRACK1 contains a copy of the discretionary data field of Track 1 Data as returned by the card in the file read using the READ RECORD command during a PayPass Mag Stripe transaction (i.e. without UN (Numeric), ATC, CVC3TRACK1 and nUN included).
Support: M.
DDCARD,TRACK2
Description: DDCARD,TRACK2 contains a copy of the discretionary data field of Track 2 Data as returned by the card in the file read using the READ RECORD command during a PayPass Mag Stripe transaction (i.e. without UN (Numeric), ATC, CVC3TRACK2 and nUN included).
Source: Reader. Tag: -. Support: M.

Description: Identifies the name of the DF, as described in [ISO/IEC 7816-4].
Source: Card. Tag: '84'. Format: b, 5-16. Support: M.

Description: The Default UDOL is the UDOL to be used for constructing the value field of the COMPUTE CRYPTOGRAPHIC CHECKSUM command if the UDOL in the card is not present. The Default UDOL must always be present and must contain as its only entry the tag and length of the UN (Numeric). The value of the Default UDOL must be: '9F6A04'.
Source: Reader. Tag: -. Format: b, 3. Support: M.

File Control Information (FCI) Issuer Discretionary Data
Description: Issuer discretionary part of the FCI.
Source: Card. Tag: 'BF0C'.

File Control Information (FCI) Proprietary Template
Description: Identifies the data object proprietary to this specification in the FCI template, in accordance with [ISO/IEC 7816-4].
Source: Card. Tag: 'A5'. Format: var., var.

File Control Information (FCI) Template
Description: Identifies the FCI template, in accordance with [ISO/IEC 7816-4].
Source: Card. Tag: '6F'.

Integrated Circuit Card (ICC) Dynamic Number
Description: Time-variant number generated by the card, to be captured by the reader.
Source: Card. Tag: '9F4C'. Format: b, 8. Support: MCDA.

Integrated Circuit Card (ICC) Public Key Certificate
Description: ICC Public Key certified by the issuer.
Source: Card. Tag: '9F46'. Format: b, NI. Support: MCDA.

Integrated Circuit Card (ICC) Public Key Exponent
Description: Exponent used for the verification of the Signed Dynamic Application Data.
Source: Card. Tag: '9F47'. Format: b, 1 or 3. Support: MCDA.
Integrated Circuit Card (ICC) Public Key Remainder
Description: Remaining digits of the ICC Public Key Modulus.
Source: Card. Tag: '9F48'. Support: MCDA.

Interface Device (IFD) Serial Number
Description: Unique and permanent serial number assigned to the IFD by the manufacturer.
Source: Reader. Tag: '9F1E'. Format: an, 8. Support: M.

Issuer Action Code Default
Description: Specifies the issuer's conditions that cause a transaction to be rejected if it might have been approved online, but the terminal was unable to process the transaction online.
Source: Card. Tag: '9F0D'. Format: b, 5. Support: M.

Issuer Action Code Denial
Description: Specifies the issuer's conditions that cause the denial of a transaction without attempt to go online.
Format: b, 5. Support: M.

Issuer Action Code Online
Description: Specifies the issuer's conditions that cause a transaction to be transmitted online.
Format: b, 5. Support: M.

Issuer Application Data
Description: Contains proprietary application data for transmission to the issuer in an online transaction.
Format: b, var. up to 32. Support: M.

Issuer Code Table Index
Description: Indicates the code table, in accordance with [ISO 8859], for displaying the Application Preferred Name. The Issuer Code Table Index is coded as specified in Annex C.4 of [EMV BOOK 3].
Format: n 2, 1. Support: M.

Issuer Country Code
Description: Indicates the country of the issuer, in accordance with [ISO 3166-1].
Format: n 3, 2.

Issuer Public Key Certificate
Description: Issuer public key certified by a certification authority.
Format: b, NCA.

Issuer Public Key Exponent
Description: Exponent used for the verification of the Signed Static Application Data.
Format: b, 1 or 3.

Issuer Public Key Remainder
Description: Remaining digits of the Issuer Public Key Modulus.
Format: b, NI - NCA + 36.
Language Preference
Description: 1-4 languages stored in order of preference, each represented by two alphabetical characters, in accordance with [ISO 639].

Mag Stripe Application Version Number
Description: Version number assigned by the payment system for the specific PayPass Mag Stripe functionality of the application.

Support M M M M M M

Description: Classifies the type of business being done by the merchant, represented in accordance with [ISO 8583:1993] for Card Acceptor Business Code.

Description: Indicates for each AID whether the PayPass Mag Stripe profile is supported or not by the PayPass reader. Its value is implementation specific.

PayPass Third Party Data
Description: The PayPass Third Party Data contains proprietary information from a third party. If present, the PayPass Third Party Data must be present in a file read using the READ RECORD command. The value field of the PayPass Third Party Data is not interpreted by the PayPass reader. The value field must be coded with the following sub-fields, in the order shown:

Sub-field                                   Format
Country Code according to [ISO 3166-1]      n 3, 2 bytes
Unique identifier assigned by MasterCard    b, 2 bytes
Proprietary data                            b, 1 to 28 bytes

Processing Options Data Object List (PDOL)
Description: Contains a list of data objects (tags and lengths) resident in the reader that are needed by the card in processing the GET PROCESSING OPTIONS command.
Source: Card. Tag: '9F38'. Format: b, var.

Response Message Template Format 1
Description: Contains the data objects (without tags and lengths) returned by the card in response to a command.
Source: Card. Tag: '80'. Format: var., var.
Response Message Template Format 2
Description: Contains the data objects (with tags and lengths) returned by the card in response to a command.

Service Code
Description: Service code as defined in Track 1 Data and Track 2 Data.

Signed Dynamic Application Data
Description: Digital signature on critical application parameters for CDA.

Signed Static Application Data
Description: Digital signature on critical application parameters for SDA.

Static Data Authentication Tag List
Description: List of tags of primitive data objects defined in this specification for which the value fields must be included in the Signed Static or Dynamic Application Data.

Terminal Action Code Default
Description: Specifies the acquirer's conditions that cause a transaction to be rejected if it might have been approved online, but the terminal is unable to process the transaction online.

Terminal Action Code Denial
Description: Specifies the acquirer's conditions that cause the denial of a transaction without attempt to go online.

Terminal Action Code Online
Description: Specifies the acquirer's conditions that cause a transaction to be transmitted online.

Terminal Capabilities
Description: Indicates the card data input, CVM, and security capabilities of the terminal and PayPass reader. This data element is instantiated with values depending on the transaction amount. The Terminal Capabilities is coded according to Annex A.2 of [EMV BOOK 4].

Terminal Capabilities CVM Required
Description: Indicates the card data input, CVM, and security capabilities of the terminal and PayPass reader when the transaction amount is greater than or equal to the Terminal CVM Required Limit. The Terminal Capabilities CVM Required is coded according to Annex A.2 of [EMV BOOK 4].
Reader
b, 5
'9F33'
b, 5 b, 5 b, 3
M M M
Reader
b, 3
Terminal Capabilities No CVM Required
Description: Indicates the card data input, CVM, and security capabilities of the terminal and PayPass reader when the transaction amount is below the Terminal CVM Required Limit. The Terminal Capabilities No CVM Required is coded according to Annex A.2 of [EMV BOOK 4].
Source: Reader. Tag: -. Support: M.

Terminal Contactless Floor Limit
Description: Indicates the transaction amount limit for the related AID above which PayPass transactions must be authorized online.

Terminal Contactless Transaction Limit
Description: Indicates the transaction amount limit for the related AID above which the selection of the AID on the card is not allowed.

Terminal CVM Required Limit
Description: Specifies the transaction amount limit for the related AID at or below which the reader must set "No CVM" to be its only supported verification method.

M M M M

Terminal Contactless Floor Limit Exceeded Flag
Description: Indicates for the related AID if the Terminal Contactless Floor Limit is exceeded.

Terminal Contactless Transaction Limit Exceeded Flag
Description: Indicates for the related AID if the Terminal Contactless Transaction Limit is exceeded.

Terminal CVM Required Limit Exceeded Flag
Description: Indicates for the related AID if the Terminal CVM Required Limit is exceeded.

Reader
Reader

Terminal Country Code
Description: Indicates the country of the terminal, represented in accordance with [ISO 3166-1].
Source: Reader. Tag: '9F1A'. Support: M.

Terminal Type
Description: Indicates the environment of the terminal, its communications capability, and its operational control. The Terminal Type is coded according to Annex A.1 of [EMV BOOK 4].
Source: Reader. Tag: '9F35'. Support: M.

Terminal Verification Results
Description: Status of the different functions from the terminal perspective. The Terminal Verification Results is coded according to Annex C.5 of [EMV BOOK 3].
Source: Reader. Tag: '95'. Format: b, 5.
Track 1 Bitmap for CVC3 (PCVC3TRACK1)
Description: PCVC3TRACK1 indicates to the PayPass reader the positions in the discretionary data field of the Track 1 Data where the qTRACK1 CVC3TRACK1 digits have to be copied.
Source: Card. Tag: '9F62'. Support: M.

Track 1 Bitmap for UN and ATC (PUNATCTRACK1)
Description: PUNATCTRACK1 indicates to the PayPass reader the positions in the discretionary data field of the Track 1 Data where the nUN UN (Numeric) digits and tTRACK1 ATC digits have to be copied.
Source: Card. Tag: '9F63'. Format: b, 6.

Track 1 Data
Description: Track 1 Data contains the data objects of the track 1 according to [ISO/IEC 7813] Structure B, excluding start sentinel, end sentinel and LRC. It is described as follows:

Sub-field                        Format
Format Code ('42' (B))           1 byte
Identification Number (PAN)      var. up to 19 bytes
Field Separator ('5E' (^))       1 byte
Name (see ISO/IEC 7813)          2 to 26 bytes
Field Separator ('5E' (^))       1 byte
Expiry Date (YYMM)               4 bytes
Service Code                     3 bytes
Discretionary Data               balance of available bytes

The Track 1 Data may be present in the file read using the READ RECORD command during a PayPass Mag Stripe transaction. The PayPass reader copies the required digits of the UN (Numeric), CVC3TRACK1, ATC and nUN into the discretionary data field of the Track 1 Data and stores the modified Track 1 Data in the Data Record to be sent to the terminal.
Source: Card. Tag: '56'. Format: ans, var. up to 76.

Track 1 Discretionary Data
Description: Discretionary part of track 1 according to [ISO/IEC 7813].
Source: Card. Tag: '9F1F'. Format: ans, var. Support: M.
Track 1 Number of ATC Digits (NATCTRACK1)
Description: The value of NATCTRACK1 represents the number of digits of the ATC to be included in the discretionary data field of the Track 1 Data.
Source: Card. Tag: '9F64'. Support: M.

Track 2 Bitmap for CVC3 (PCVC3TRACK2)
Description: PCVC3TRACK2 indicates to the PayPass reader the positions in the discretionary data field of the Track 2 Data where the qTRACK2 CVC3TRACK2 digits have to be copied.
Source: Card. Tag: '9F65'. Format: b, 2.

Track 2 Bitmap for UN and ATC (PUNATCTRACK2)
Description: PUNATCTRACK2 indicates to the PayPass reader the positions in the discretionary data field of the Track 2 Data where the nUN UN (Numeric) digits and tTRACK2 ATC digits have to be copied.
Source: Card. Tag: '9F66'. Format: b, 2.

Track 2 Data
Description: Track 2 Data contains the data objects of the track 2 according to [ISO/IEC 7813], excluding start sentinel, end sentinel and LRC. It is described as follows:

Sub-field                                    Format
Identification Number (PAN)                  n, var. up to 19 digits
Field Separator ('D')                        b
Expiry Date (YYMM)                           n 4
Service Code                                 n 3
Discretionary Data                           n, balance of available digits
Padded with 'F' to ensure whole bytes.

The Track 2 Data is present in the file read using the READ RECORD command during a PayPass Mag Stripe transaction. The PayPass reader copies the required digits of the UN (Numeric), CVC3TRACK2, ATC and nUN into the discretionary data field of the Track 2 Data and stores the modified Track 2 Data in the Data Record to be sent to the terminal.
Source: Card. Tag: '9F6B'. Format: b, var. up to 19.

Track 2 Discretionary Data
Description: Discretionary part of track 2 according to [ISO/IEC 7813].
Source: Card. Tag: '9F20'. Format: cn var., var. Support: M.
Track 2 Equivalent Data
Description: Contains the data objects of the track 2, in accordance with [ISO/IEC 7813], excluding start sentinel, end sentinel, and LRC as follows:

Sub-field                                          Format
Primary Account Number                             n, var. up to 19 digits
Field Separator ('D')                              b
Expiration Date (YYMM)                             n, 4
Service Code                                       n, 3
Discretionary Data                                 n, var.
Padded with 'F' if needed to ensure whole bytes.   b

Source: Card. Tag: '57'. Support: M.
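The sub-field layout shared by Track 2 Data and Track 2 Equivalent Data, as an added example (not part of the specification): a strict nibble-level decoder that rejects anything outside the layout and never echoes the PAN in an error message. `parse_track2_equivalent`, `Track2` and `Track2Error` are hypothetical names, the sample value is constructed around a publicly documented test card number, and the 19-byte ceiling for tag '57' is taken from EMV Book 3 rather than from this page.

```python
from __future__ import annotations
from dataclasses import dataclass


class Track2Error(ValueError):
    """Raised when the value does not match the sub-field layout."""


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary_data: str

    def masked_pan(self) -> str:
        """First 6 and last 4 digits only, for logs and diagnostics."""
        if len(self.pan) <= 10:
            return "*" * len(self.pan)
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2_equivalent(value: bytes) -> Track2:
    """Decode the value field of tag '57' nibble by nibble."""
    if not 0 < len(value) <= 19:       # ceiling from EMV Book 3 (assumption)
        raise Track2Error("unexpected length")
    nibbles = value.hex().upper()
    if nibbles.endswith("F"):          # single pad nibble to reach whole bytes
        nibbles = nibbles[:-1]
    pan, sep, rest = nibbles.partition("D")
    if not sep:
        raise Track2Error("field separator 'D' missing")
    if not (pan.isdigit() and len(pan) <= 19):
        raise Track2Error("PAN must be 1 to 19 decimal digits")
    # Expiry (4) + service code (3) are fixed; discretionary data may be empty.
    if len(rest) < 7 or not rest.isdigit():
        raise Track2Error("non-numeric or short data after the separator")
    expiry, service, dd = rest[:4], rest[4:7], rest[7:]
    if not 1 <= int(expiry[2:]) <= 12:
        raise Track2Error("expiry month out of range")
    return Track2(pan, expiry, service, dd)


# Constructed sample: test PAN, expiry 4912, service code 201,
# nine discretionary digits, one 'F' pad nibble.
SAMPLE_TRACK2 = bytes.fromhex("5555555555554444D4912201000001234F")

if __name__ == "__main__":
    t2 = parse_track2_equivalent(SAMPLE_TRACK2)
    print(t2.masked_pan(), t2.expiry_yymm, t2.service_code, t2.discretionary_data)
```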
Track 2 Number of ATC Digits (NATCTRACK2)
Description: The value of NATCTRACK2 represents the number of digits of the ATC to be included in the discretionary data field of the Track 2 Data.
Source: Card. Tag: '9F67'. Format: b, 1.

Transaction Category Code
Description: This is a data object defined by MasterCard which indicates the type of transaction being performed, and which may be used in Card Risk Management.
Source: Reader. Tag: '9F53'. Format: an, 1.

Transaction Currency Code
Description: Indicates the currency code of the transaction, in accordance with [ISO 4217].
Tag: '5F2A'. Format: n 3, 2. Support: M.

Transaction Currency Exponent
Description: Indicates the implied position of the decimal point from the right of the transaction amount represented, in accordance with [ISO 4217].
Tag: '5F36'. Format: n 1, 1. Support: M.

Transaction CVM
Description: Data object used to indicate to the terminal the outcome of the CVM Selection function. Possible values are:
No CVM
Signature
Online PIN
The coding of the value is implementation specific.
Tag: -. Format: Implementation specific. Support: M.
Transaction Date
Description: Local date that the transaction was authorized.
Tag: '9A'. Support: M.

Transaction Outcome
Description: Data object used to indicate to the terminal the outcome of the transaction processing. Possible values are:
Approved: The PayPass reader is satisfied that the transaction is acceptable with the selected card application and wants the transaction to be offline approved.
Online Request: The PayPass reader has found that the transaction requires an online authorization.
Declined: The PayPass reader has found that the transaction is not acceptable with the selected card application and wants the transaction to be offline declined.
Try Another Interface: The PayPass reader is unable to complete the transaction with the selected card application, but knows that another interface (e.g. contact or magnetic-stripe) may be available.
End Application: The PayPass reader experienced an application error (e.g. missing data)
The coding of the value is implementation specific.
Tag: -. Support: M.

Transaction Time
Description: Local time that the transaction was authorized.
Source: Reader. Tag: '9F21'. Format: n 6 (HHMMSS), 3. Support: M.

Transaction Type
Description: Indicates the type of financial transaction, represented by the first two digits of [ISO 8583:1987] Processing Code.
Source: Reader. Tag: '9C'. Format: n 2, 1. Support: M.

Unpredictable Number
Description: Value to provide variability and uniqueness to the generation of a cryptogram during a PayPass M/Chip transaction.
Source: Reader. Tag: '9F37'. Format: b, 4. Support: M.
Unpredictable Number Data Object List (UDOL)
Description: The UDOL is the DOL that specifies the data objects to be included in the data field of the COMPUTE CRYPTOGRAPHIC CHECKSUM command. The UDOL must at least include the UN (Numeric). The UDOL is not mandatory for the card. There will always be a Default UDOL, including as its only entry the tag and length of the UN (Numeric) (tag '9F6A').
Source: Card. Tag: '9F69'. Support: M.

Unpredictable Number (Numeric)
Description: Unpredictable number generated by the PayPass reader during a PayPass Mag Stripe Transaction. The UN (Numeric) is passed to the card in the data field of the COMPUTE CRYPTOGRAPHIC CHECKSUM command. The (8-nUN) most significant digits must be set to zero.
Source: Reader. Tag: '9F6A'. Format: n, 8.

Legend:
MSDA: This data object is mandatory if the PayPass reader supports SDA.
MCDA: This data object is mandatory if the PayPass reader supports CDA.
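The UDOL and UN (Numeric) entries above, as an added example (not part of the specification): building the COMPUTE CRYPTOGRAPHIC CHECKSUM data field from a card UDOL with fallback to the Default UDOL '9F6A04', with the UN drawn from a CSPRNG and encoded as 8 BCD digits whose (8-nUN) leading digits are zero. All function names are hypothetical, `n_un` is supplied by the caller because its derivation is not given in this section, and the zero-fill of unknown tags follows the EMV Book 3 DOL rules rather than this page.

```python
from __future__ import annotations
import secrets

UN_NUMERIC = 0x9F6A
DEFAULT_UDOL = bytes.fromhex("9F6A04")  # value given in the Default UDOL entry


def parse_dol(dol: bytes) -> list[tuple[int, int]]:
    """Return the (tag, length) pairs of a data object list."""
    out, i = [], 0
    while i < len(dol):
        start, i = i, i + 1
        if (dol[start] & 0x1F) == 0x1F:        # BER-TLV multi-byte tag
            while True:
                if i >= len(dol):
                    raise ValueError("truncated tag")
                i += 1
                if not (dol[i - 1] & 0x80):
                    break
        if i >= len(dol) or dol[i] & 0x80:
            raise ValueError("missing or multi-byte length")
        out.append((int.from_bytes(dol[start:i], "big"), dol[i]))
        i += 1
    return out


def encode_un_numeric(un: int, n_un: int) -> bytes:
    """8 BCD digits in 4 bytes; the (8 - n_un) most significant digits are zero."""
    if not 0 <= n_un <= 8 or not 0 <= un < 10 ** n_un:
        raise ValueError("UN does not fit in n_un digits")
    return bytes.fromhex(f"{un:08d}")


def fresh_un_numeric(n_un: int) -> bytes:
    """Draw the UN from the OS CSPRNG so it cannot be predicted or replayed."""
    return encode_un_numeric(secrets.randbelow(10 ** n_un), n_un)


def build_ccc_data(card_udol: bytes | None, store: dict[int, bytes]) -> bytes:
    """Data field of COMPUTE CRYPTOGRAPHIC CHECKSUM from the UDOL or the default."""
    entries = parse_dol(card_udol if card_udol else DEFAULT_UDOL)
    if UN_NUMERIC not in [tag for tag, _ in entries]:
        raise ValueError("UDOL must at least include the UN (Numeric)")
    if UN_NUMERIC not in store:
        raise ValueError("caller must supply a fresh UN (Numeric)")
    field = b""
    for tag, length in entries:
        # Assumption (EMV Book 3 DOL rule): objects unknown to the reader
        # are sent as zero bytes of the requested length.
        value = store.get(tag, bytes(length))
        if len(value) != length:
            raise ValueError(f"tag {tag:X}: have {len(value)} bytes, DOL asks {length}")
        field += value
    return field


if __name__ == "__main__":
    un = fresh_un_numeric(3)               # n_un = 3 is a constructed value
    print(build_ccc_data(None, {UN_NUMERIC: un}).hex().upper())
```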