Application Control Usage

The following sections describe the usage of the Application Control data element.

3.2.2.1 Magstripe Grade Issuer Activated

The M/Chip 4 applications check the Magstripe Grade Issuer Activated bit during the second GENERATE AC when the Issuer Authentication Data is not present.

If the Magstripe Grade Issuer Activated bit set to ‘1’, it allows the card to accept the transaction when the Issuer Authentication Data is not present. The Magstripe Grade Issuer Activated must be set:

• When the chip to magstripe service is used

• When the authorization system does not use cryptography (Magstripe grade issuer mode)

3.2.2.2 Skip CIAC – Default on CAT3

The application checks the Skip CIAC – Default on CAT3 bit in the first

GENERATE AC, when the terminal is a CAT level 3 terminal.

If … Then the M/Chip 4 application….

Skip CIAC – Default on CAT3 bit = ‘1b’

Skips the check on the Card Issuer Action Code – Default in the first GENERATE AC on a CAT level 3 terminal. This allows the M/Chip 4 applications to approve low-value transactions when offline limits are exceeded.

Skip CIAC – Default on CAT3 bit = ‘0b’

Check the Card Issuer Action Code – Default in the first

GENERATE AC on a CAT level 3 terminal. The M/Chip 4

applications treat CAT level 3 terminals in the same way as other offline-only terminals.

Note This only applies to MasterCard credit transactions.

3.2.2.3 Key for Offline Encrypted PIN Verification

The M/Chip Select 4 application checks the Key for Offline Encrypted PIN Verification bit during the VERIFY, when offline encrypted PIN verification is

If … Then the M/Chip 4 Select application….

Key for Offline Encrypted PIN Verification bit = ‘1b’

Uses a dedicated PIN Encryption key for offline encrypted PIN decryption.

Key for Offline Encrypted PIN Verification bit = ‘0b’

Uses the DDA key for offline encrypted PIN decryption. The advantage of using the DDA key for encrypted PIN is that personalization can be simplified and transaction time is shorter.

Note The M/Chip Lite 4 application does not use this bit. In an M/Chip Lite 4 implementation, the Key for Offline Encrypted PIN Verification bit must therefore be set to '0b'.

3.2.2.4 Offline Encrypted PIN Verification

The M/Chip Select 4 application checks the Offline Encrypted PIN Verification bit during the VERIFY, when offline encrypted PIN verification is performed. By selecting to check this bit, you enjoy the advantage of greater protection against attack but also the disadvantage of a longer transaction time.

If … Then the M/Chip 4 Select application….

Offline Encrypted PIN Verification bit = ‘1b’

Supports the offline encrypted PIN. Offline Encrypted PIN

Verification bit = ‘0b’

Does not support the offline encrypted PIN.

Note The M/Chip Lite 4 application does not use this bit. In an M/Chip Lite 4

implementation, the Offline Encrypted PIN Verification bit must therefore be set to '0b'.

3.2.2.5 Offline Plaintext PIN Verification

The M/Chip application checks the Offline Plaintext PIN Verification bit during the VERIFY, when offline plaintext PIN verification is performed.

3.2 Configuring the Application Control Data Element

If … Then the M/Chip 4 application….

Offline Plaintext PIN Verification bit = ‘1b’

Supports offline plaintext PIN. Offline Plaintext PIN

Verification bit = ‘0b’

Does not support offline plaintext PIN.

3.2.2.6 Session Key Derivation

The M/Chip 4 application checks the Session Key Derivation bit whenever a session key is derived. The M/Chip 4 application also checks the Session Key Derivation bit during the first and second GENERATE AC to construct the value of the Cryptogram Version Number in the Issuer Application Data.

If … Then the M/Chip 4 application….

Session Key

Derivation bit = ‘1b’

Uses the session key derivation method as specified in EMV 2000.

Session Key

Derivation bit = ‘0b’

Uses the EPI/MCI session key derivation method. This is the method already used by the M/Chip Select 2 and M/Chip Lite 2.1 applications.

3.2.2.7 Encrypt Offline Counters

The M/Chip 4 application uses the Encrypt Offline Counters bit to decide whether the offline counters are sent in clear or encrypted in the Issuer

Application Data.

By selecting to encrypt the offline counters, you enjoy the advantage of protecting data deemed private. The disadvantage of encryption is that your authorization system has to decrypt the counters before using them. However, your authorization system can perform verification of the ARQC without decrypting the offline counters.

If … Then the M/Chip 4 application….

Encrypt Offline Counters bit = ‘1b’

Sends the offline counters encrypted in the Issuer Application Data.

Encrypt Offline Counters bit = ‘0b’

Sends the offline counters in clear in the Issuer Application Data.

3.2.2.8 Activate Additional Check Table

The M/Chip 4 application checks the Activate Additional Check Table bit during the processing of the first GENERATE AC to control the activation of the optional Card Risk Management check on the Additional Check Table.

If … Then the M/Chip 4 application….

Activate Additional Check Table bit = ‘1b’

Checks the Additional Check Table and performs the additional test as defined.

Activate Additional Check Table bit = ‘0b’

Does not check the Additional Check Table.

3.2.2.9 Allow Balance Retrieval

The M/Chip 4 application checks the Allow Balance Retrieval bit during the

GET DATA processing to control retrieval of the Offline Balance.

If … Then the M/Chip 4 application….

Allow Balance Retrieval bit = ‘1b’

Can access the Offline Balance with the GET DATA command.

Allow Balance Retrieval bit = ‘0b’

Cannot access the Offline Balance with the GET DATA command.

3.2.2.10 Include Counters in AC

The M/Chip 4 application checks the Include Counters in AC bit during the first and second GENERATE AC to construct:

• The input to the AC computation

• The value of the Cryptogram Version Number in the Issuer Application

Data

If … Then the M/Chip 4 application….

Include Counters in AC bit = ‘1b’

Includes the offline counters as part of the input to the AC. Include Counters in AC

bit = ‘0b’

Does not include the offline counters as part of the input to the AC.

If you choose to include the offline counters in the AC computation, the counters cannot be altered.

If you are migrating from M/Chip Select 2 and M/Chip Lite 2.1, MasterCard recommends that you exclude the counters.