PayPass M/Chip Requirements. 10 April 2014

(1)

PayPass—M/Chip

Requirements

10 April 2014

(2)

Notices

Following are policies pertaining to proprietary rights, trademarks, translations, and details about the availability of additional information online.

Proprietary Rights

The information contained in this document is proprietary and confidential to MasterCard International Incorporated, one or more of its affiliated entities (collectively “MasterCard”), or both.

This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.

Trademarks

Trademark notices and symbols used in this document reflect the registration status of MasterCard trademarks in the United States. Please consult with the Customer Operations Services team or the MasterCard Law Department for the registration status of particular product, program, or service names outside the United States.

All third-party product and service names are trademarks or registered trademarks of their respective owners.

Disclaimer

MasterCard makes no representations or warranties of any kind, express or implied, with respect to the contents of this document. Without limitation, MasterCard specifically disclaims all representations and warranties with respect to this document and any intellectual property rights subsisting therein or any part thereof, including but not limited to any and all implied warranties of title, non-infringement, or suitability for any purpose (whether or not MasterCard has been advised, has reason to know, or is otherwise in fact aware of any information) or achievement of any particular result. Without limitation, MasterCard specifically disclaims all representations and warranties that any practice or implementation of this document will not infringe any third party patents, copyrights, trade secrets or other rights.

Translation

A translation of any MasterCard manual, bulletin, release, or other MasterCard document into a language other than English is intended solely as a convenience to MasterCard customers. MasterCard provides any translated document to its customers “AS IS” and makes no representations or warranties of any kind with respect to the translated document, including, but not limited to, its accuracy or reliability. In no event shall MasterCard be liable for any damages resulting from reliance on any translated document. The English version of any MasterCard document will take precedence over any translated version in any legal proceeding.

Information Available Online

MasterCard provides details about the standards used for this document—including times expressed, language use, and contact information—on the Publications Support page available on MasterCard Connect™. Go to PublicationsSupportfor centralized information.

(3)

Summary of Changes, 10 April 2014

This document reflects changes associated with the 10 April 2014 publication. To locate these changes online, click the hyperlinks in the following table.

Description of Change Where to Look

Removed “Purchase with Cash Back is not supported on Maestro PayPass” Chapter 2, sectionPayPass Transaction Types

Added information that the contactless interface must not be used for transactions identified with specific MCCs

Chapter 2, sectionPayPass Transaction Types

Removed General Requirements, topic “PayPass Enrollment” Chapter 3, Issuer Requirements Removed “Maestro cards must not support Purchase with Cash Back on the

contactless interface.” from the topic “Purchase with Cash Back”

Chapter 3, section Card Requirements

Added information in “Application Selection”:

R ALL Issuers must configure the Kernel Identifier in each directory entry of the PPSE on the card.

Chapter 3, section “Card Requirements”, topic “Application Selection”

Added information in “Personalization Requirements”:

BP ALL Issuers should be aware of the ricks and limitations associated with using proprietary tags in their card personalization.

BP ALL If present in the card personalization, it is recommended that Third Party Data be included in the FCI Issuer Discretionary Data that is returned when the application is selected.

Added “Issuers should be aware that the contents of the Proprietary Data subfield of Third Party Data can be freely read, and therefore should not contain sensitive cardholder information”

BP ALL Issuers should respect relevant local data privacy laws when personalizing the Proprietary Data subfield of Third Party Data on the card.

Chapter 3, section “Card Requirements”, topic Personalization Requirements

Added the following information regarding “PayPass—M/Chip Personalization Requirements”:

If the card application supports the configuration of a maximum transaction amount then this must only be used to influence the decision to authorize the transaction online or offline. A transaction must not be declined based solely on this parameter.

R ALL If a maximum transaction amount in the contactless card configuration is used, it must not lead to transactions being declined offline.

To facilitate ATC monitoring, issuers should able to distinguish card identifiers read from separate cardholder devices, even if they are linked. This can be done by using different PAN values and/or PAN Sequence Numbers. Chapter 3, section “Card Requirements”, topic PayPass—M/Chip Personalization Requirements

(4)

Description of Change Where to Look BP ALL The issuer should not use the same combination of PAN and

PAN Sequence Number on separate cardholder devices, even if linked.

Issuers may choose to use an Application PAN on the contactless interface which is different to the PAN present on the magnetic stripe or that appears on the face of the card.

Added the following information regarding “Card Delivery”:

In order to fully benefit from new payment opportunities that contactless offers, issuers must inform cardholders that contactless functionality is available and provide directions on using it with the card.

R ALL Issuers must alert cardholders that contactless functionality exists when issuing/providing new cards.

Chapter 3, section Card Delivery

Updated DE 22, subfield 1 values in topic “Authorization Messages” Chapter 3, section “Issuer Host Requirements”, topic Authorization Messages Updated the following information regarding “Authorization Decisions”:

Although the information in DE 55 is normally consistent with other fields, there may be some difference for certain data elements. Issuers should not routinely decline transactions when differences occur in the data.

BP ALL If the ARQC is correct, the issuer should not decline a transaction simply because the data in DE 55 is different from the values in the following data elements:

• DE 3–Processing Code • DE 4–Amount, Transaction • DE 13–Date, Local Transaction • DE 43–Card Acceptor, Name/Location • DE 49–Currency Code, Transaction • DE 54–Additional Amounts

Chapter 3, section “Issuer Host Requirements”, topic Authorization Decisions

Added the following information regarding “Authorization Responses:” As a result of contactless-specific risk management the issuer may wish to decline and prompt the cardholder to perform a contact transaction with CVM where possible. In this case the issuer should use an authorization response code 65 exceeds withdrawal count limit.

BP ALL If the issuer declines a contactless transaction on a dual interface card, but wants to offer the cardholder the option to perform a contact transaction, an authorization response code 65 exceeds withdrawal count limit should be used.

Chapter 3, section “Issuer Host Requirements”, topic Authorization Responses

Clarified wording regarding “PayPass—M/Chip Personalization Requirements”

Chapter 3, section Card Requirements

(5)

Added the following information regarding “PayPass Acceptance”:

R ALL A contactless-enabled terminal that supports EMV contact chip transactions must also support EMV mode contactless transactions.

Chapter 4, section “General Requirements”, topic PayPass Acceptance Added the following information regarding terminal approvals and testing:

All existing contactless readers that comply with PayPass—M/Chip version 3.0 or EMVCo Book C-2 must support the Terminal Risk Management Data data object (as defined in Data Requirements) before 1 January 2015.

R ALL Contactless readers that comply with PayPass—M/Chip version 3.0 or EMVCo Book C-2 must support the Terminal Risk Management Data data object by 1 January 2015.

Chapter 4, section “Terminals”, topic Approvals and Testing

Added the following information regarding terminal design and ergonomics: Additional actions must not be required on the terminal in order to enable a contactless transaction. This includes:

• Inserting a card

• Pressing extra buttons on the POS terminal (with respect to contact transactions)

• Entering the amount a second time on the POS terminal

R ALL Additional actions must not be required on the payment terminal in order to activate the contactless reader.

Chapter 4, “Terminals”, topicTerminal Design and Ergonomics

Updated information regarding “Purchase with Cash Back” Chapter 4, section “Terminals”, topic Transaction Types—Purchase with Cash Back

Updated information regarding “Manual Cash Advance” Chapter 4, section “Terminals”, topic Manual Cash Advance

Updated information regarding “Reader Specifications” Chapter 4, section “Terminals”, topic Reader Specifications

Clarified information regarding “Visual Card Checks” Chapter 4, section “Terminals”, topic Visual Card Checks

Updated information regarding the presence of CVM Results (tag ‘9F34’) being mandatory for all authorization messages containing DE 55 that are transmitted from acquirer chip systems certified by MasterCard on or after 13 April 2012

Chapter 4, section

Authorization Requirements

Updated information regarding “POI Currency Conversion” Chapter 4, section Terminals

(6)

Updated information regarding “Terminal Action Codes” Chapter 5, sectionTerminal Action Codes

Updated references:

From: chargeback protection amount

To: CVM limit

(7)

Chapter 1 Using This Manual... 1-i

Purpose... 1-1 Scope ... 1-1 Audience... 1-2 Requirements and Best Practices ... 1-2 Terminology... 1-3 Reference Information ... 1-4 Conventions... 1-5

Chapter 2 PayPass Introduction... 2-i

Introduction ... 2-1 Participation... 2-1

PayPass Operating Modes ... 2-2 PayPass Cards... 2-2 PayPass Transaction Types ... 2-2 PayPass Acceptance... 2-3 PayPass Transaction Flow... 2-4

Other Transaction Environments ... 2-7

Chapter 3 Issuer Requirements... 3-i

Card Requirements ... 3-1 Card Delivery... 3-15 Issuer Host Requirements ... 3-15 Clearing Requirements... 3-19 Chargeback and Exception Processing ... 3-20

Chapter 4 Acquirer Requirements ... 4-i

General Requirements ... 4-1 Terminals ... 4-2 Offline Card Authentication ... 4-13 Cardholder Verification ... 4-14 Terminal Risk Management... 4-17 Terminal Action Codes ... 4-17

(8)

Table of Contents

Authorization Responses... 4-18 Cardholder Receipts... 4-18 Subsequent Contact Transactions... 4-19 Terminated Transactions ... 4-20 Cardholder Activated Terminals... 4-20 Automated Teller Machines ... 4-21 Vending Machines... 4-21 Acquirer Network Requirements... 4-21 Authorization Requirements... 4-23 Clearing Requirements... 4-24 Exception Processing ... 4-25 On-behalf Services... 4-25

Chapter 5 Data Requirements... 5-i

Terminal Action Codes ... 5-1 Payment Scheme Specific Data Objects ... 5-5 Application Capabilities Information ... 5-5 Terminal Risk Management Data ... 5-6 Third Party Data ... 5-8 Track 1 Data ... 5-9 Track 2 Data ... 5-10

Appendix A Abbreviations ... A-i

Abbreviations...A-1

(9)

Chapter 1 Using This Manual

This section provides information on the purpose, overview, and conventions used within this manual as well as other related information.

Purpose... 1-1 Scope ... 1-1 Audience... 1-2 Requirements and Best Practices ... 1-2 Terminology... 1-3 Reference Information ... 1-4 Conventions... 1-5

(10)

Using This Manual

Purpose

Purpose

This document provides the MasterCard requirements and best practices for issuers and acquirers when using contactless chip technology with their MasterCard M/Chip™ products.

It contains the requirements relating to MasterCard®, Debit MasterCard and Maestro® PayPass™ card programs, and the requirements for performing contactless transactions at attended and unattended terminals.

This document does not provide an introduction to PayPass or explanation as to how PayPass works, nor does it duplicate or reproduce existing standards such as EMV or the existing MasterCard requirements for other technologies. The purpose of the manual is to:

• Define the PayPass requirements that MasterCard has established for use with MasterCard brands

• Propose recommendations that constitute best practices for PayPass implementations

• Define when and how the functions must be used as a requirement or should be used as a best practice

Scope

This document does not discuss general brand rules or requirements, except to explain how certain rules are implemented in PayPass.

In general, the brand rules continue to apply to PayPass transactions except when modified for PayPass and as explained in this document. For example, chargeback rights are the same for PayPass except in connection with CVM limits described here. For full details of the rules and requirements for specific card brands, refer to the relevant documentation on MasterCard Connect (see the Reference Information below).

These requirements have been written for PayPass—M/Chip deployments. In that context they also cover PayPass—Mag Stripe functionality. They do not apply to PayPass-Mag Stripe only deployments.

(11)

Audience

The following products, services, or environments are not in the scope of this document because they are already addressed in other dedicated documents: • Card Application Specifications (for example, M/Chip Advance,

PayPass—M/Chip 4)

• Terminal and reader specifications

• EMV contact chip card interface and transactions (for example, M/Chip

Requirements)

• Personalization Data

• Data Storage applications used with PayPass • MasterCard Cash

Audience

This document is intended for use by MasterCard customers and product vendors involved in PayPass implementation projects who already have a general understanding of how the contactless chip product works.

The target audience includes:

• Staff working on PayPass—M/Chip implementation projects

• Operations staff who need to understand the impact of PayPass on their activities

Requirements and Best Practices

Requirements are functional elements which must be implemented as stated in the text to achieve the required level of acceptance for MasterCard or Maestro branded PayPass cards on PayPass-enabled terminals.

Requirements are always expressed using the word must. Requirements are contained in tables and are indicated by a capitalRin the left column.

Best practices are MasterCard recommendations for the best ways to implement different options. If customers choose not to follow them, their PayPass implementation will still work but may not be as effective or efficient as it could be.

Best practices are written using the word should. Best practices are formatted in the same way as requirements but are preceded by the letters BP.

Requirements and best practices include an indication of whether they apply to all products or just to the MasterCard or Maestro brand.

(12)

Terminology

R All Requirement applies to all PayPass cards or terminals.

R MC Requirement applies to MasterCard branded PayPass cards or terminals.

R MS Requirement applies to Maestro branded PayPass cards or terminals.

Terminology

The following terms and their meanings are used throughout this manual.

PayPass Cards and Devices

PayPass devices can be issued in form factors other than that of a traditional

payment card, for example: mobile phones, key fobs, watches. Throughout this document a reference to PayPass cards includes other devices unless specifically excluded.

A dual interface card refers to a chip card that can perform both EMV contact and contactless chip transactions.

A hybrid card refers to a card that has a magnetic stripe and a chip with a contact interface. The chip carries an EMV payment application that supports the same payment product that is encoded on the magnetic stripe.

PayPass Terminals and Readers

Functionality for the acceptance of PayPass cards may be provided by the

PayPass reader or by the accompanying terminal. Throughout this document

a reference to a PayPass terminal includes both the reader and terminal functionality and unless specifically stated does not imply the function should be in a specific part of the terminal system.

A hybrid terminal refers to a payment device that can accept transactions using both contact chip and magnetic stripe technologies.

Magnetic Stripe Grade Issuers

Magnetic stripe grade issuers receive additional information produced during a chip transaction, but do not process it. If the magnetic stripe grade issuer uses the Chip Conversion service, the issuer does not receive the additional information.

On Device Cardholder Verification

Devices such as a mobile phone may allow the cardholder to verify themselves to the device, for example by entering a PIN, either before or during a PayPass transaction. When required, the device confirms to the terminal that cardholder verification has been performed during the transaction processing. This is known as On Device Cardholder Verification but is also referred to as “mPIN”.

(13)

Reference Information

Reference Information

The following references are used in, or are relevant to, this document. The latest version applies unless a publication date is explicitly stated.

• Chargeback Guide

• M/Chip Card Personalization Standard Profiles

• M/Chip Requirements

• MasterCard Contactless ATM Implementation Requirements

• Maestro PayPass Branding Standards

• MasterCard PayPass Branding Standards

• Transaction Processing Rules

• Quick Reference Booklet

• PayPass—Mag Stripe Acquirer Implementation Requirements

• PayPass On-behalf Services Guide

• PayPass Personalization Data Specification

• M/Chip Advance Personalization Data Specifications

• PayPass Vendor Product Approval Process Guide (Cards and Devices)

• PayPass Vendor Product Approval Process Guide (Terminals)

• Mobile PayPass Issuer Implementation Guide

• PayPass—M/Chip Issuer Guide

• PayPass Mag Stripe Issuer Implementation Requirements

(14)

Conventions

Conventions

A generic reference to PayPass includes all applicable products. The terms MasterCard PayPass or Maestro PayPass are used to identify specific product requirements.

A reference to the MasterCard product or MasterCard brand includes MasterCard and Debit MasterCard® unless specifically addressed.

MasterCard brands refers to MasterCard and Maestro products.

Values expressed in hexadecimal form (‘0’ to ‘9’ and ‘A’ to ‘F’) are enclosed in single quotes. For example, a hexadecimal value of ABCD is indicated as ‘ABCD’.

Values expressed in binary form are followed by a lower case b. For example, 1001b.

EMV Card commands are indicated in bold capitals, for example, GENERATE AC.

Specific byte/bit references within a data object are included in square brackets. For example, [1][3] means the third bit of the first byte of the given data object.

(15)

Chapter 2 PayPass Introduction

This section provides information on PayPass participation, transaction types, and transaction flows.

Introduction ... 2-1 Participation... 2-1

PayPass Operating Modes ... 2-2 PayPass Cards... 2-2 PayPass Transaction Types ... 2-2 PayPass Acceptance... 2-3 PayPass Transaction Flow... 2-4

(16)

PayPass Introduction

Introduction

Introduction

PayPass is the proximity payments program from MasterCard Worldwide.

It allows cardholders to make payments without having to hand over, dip or swipe a payment card. To make a payment, the cardholder simply taps their

PayPass card onto a PayPass terminal. The details are read from the card over

a contactless interface using radio frequency communications and a transaction is performed over the existing MasterCard payment networks and infrastructure. Primary characteristics of PayPass transactions are speed and convenience for merchants and cardholders.

PayPass is supported on the MasterCard and Maestro brands. The PayPass

contactless functionality can be used at any merchant location that has PayPass terminals and accepts the underlying payment brand. The merchant segments where PayPass is expected to be most attractive include those environments with high transaction volumes and where fast transaction times are important.

PayPass contactless functionality can also be used at ATMs.

Participation

To issue PayPass cards or acquire PayPass transactions customers must enroll in the PayPass program.

Vendors are required to obtain a license agreement before developing and selling PayPass cards and devices.

All cards, devices and readers used for performing PayPass transactions must have been approved and licensed by MasterCard. Customers must only purchase and deploy cards and terminals from properly licensed vendors. Detailed information about the type approval process can be found in the

PayPass Vendor Product Approval Process Guide (Cards and Devices) and the PayPass Vendor Product Approval Process Guide (Terminals) documents.

Issuers and acquirers must start a project with the relevant MasterCard project team in order to define and complete various certification steps that are required. Unless otherwise stated within the Project Implementation Plan issuers will complete Issuer NIV, CPV and Issuer End-to-end Demonstration and acquirers will complete Acquirer NIV, TIP and Acquirer End-to-end Demonstration. Questions about the PayPass license process should be directed to

(17)

PayPass Operating Modes

PayPass Operating Modes

PayPass supports two modes of operation as detailed below.

• PayPass—Mag Stripe mode

• PayPass—M/Chip mode

PayPass—Mag Stripe transactions are authorized online by the issuer, either in real-time or deferred. PayPass—Mag Stripe is designed for contactless transactions using authorization networks that currently support only magnetic stripe authorization for MasterCard cards.

PayPass—M/Chip transactions use transaction logic similar to EMV contact chip. They may require online authorization but may be approved offline by the card and terminal. The PayPass—M/Chip mode is designed for contactless transactions in markets that have migrated to chip technology for EMV contact transactions.

EMV mode (PayPass—M/Chip) is the preferred transaction mode for contactless MasterCard transactions, however to ensure interoperability all contactless MasterCard cards and terminals support Mag-Stripe mode (PayPass—Magstripe). Maestro contactless cards and terminals are configured to support only

PayPass—M/Chip transactions for the Maestro product.

PayPass Cards

PayPass functionality may be:

• Included in a standard ISO 7816 ID-1 card

• Issued in another form factor, such as a mobile phone or key fob

All PayPass cardholder devices are valid for acceptance at PayPass terminals; not just cards.

PayPass Transaction Types

Different transaction types are available for PayPass.

PayPass issuers and acquirers must support purchase transactions. Refunds

must be supported by issuers for contactless MasterCard transactions. Refunds must be supported by acquirers for contactless MasterCard and Maestro transactions, although they may not be available at every PayPass terminal.

PayPass data should only be used for card present transactions. Electronic

commerce or Mail Order/Telephone Order transactions should not be performed with PayPass data read through the contactless interface.

(18)

PayPass Acceptance

The contactless interface may be used for Purchase with Cash Back transactions based on the existing product rules. Cardholder verification is always required for Purchase with Cash Back transactions.

The contactless interface may be used for payment transactions based on the existing product rules.

The contactless interface must not be used for transactions identified with the following MCCs:

• Gambling Transactions (MCC 7995)

• Gambling-Horse Racing, Drag Racing, Non-Sports Intrastate Internet Gambling (MCC 9754)

• Money Transfer (MCC 4829)

• Quasi Cash-Customer Financial Institution (MCC 6050) • Quasi Cash-Merchant (MCC 6051)

For MCC descriptions, refer to Chapter 3 of the Quick Reference Booklet.

PayPass Acceptance

PayPass cards may be accepted at attended and unattended terminals. PayPass

cards may be used at ATMs. Card Checking

PayPass transactions are carried out by the cardholder; therefore, the card does

not need to be given to the merchant. Since the PayPass card may remain in the hands of the cardholder, the merchant is exempt from the visual inspection requirement to determine if the PayPass card is valid. The card only needs to be given to the merchant after the contactless interaction is complete if signature verification is to be performed.

Transaction Amount

The transaction amount is usually known before the PayPass transaction is initiated to ensure fast processing of PayPass transactions. The amount should be displayed to the cardholder.

If the transaction amount exceeds the maximum amount for PayPass transactions, for the product or terminal, the terminal or merchant should prompt the cardholder to use a different technology to complete the transaction (for example an EMV contact chip transaction). This ensures cardholders are not denied service when they have a valid MasterCard product for the transaction.

(19)

PayPass Transaction Flow

Limits

Appendix C of the Chargeback Guide lists, per market, a limit to be used for contactless transactions. Transactions equal to or less than this limit do not need cardholder verification. In addition, receipts need only be provided on request of the cardholder.

For Maestro PayPass, apart from some markets listed in Appendix C of the

Chargeback Guide, transactions are not allowed above this limit. In that

context, it is referred to as a “ceiling limit”.

In this document the term “CVM limit” is used generically to refer to this limit. A maximum transaction amount, above which contactless transactions are not permitted, may be published separately for MasterCard PayPass in some specific markets.

Floor limits for contactless transactions are for EVM contact chip

(PayPass—M/Chip) or magnetic stripe (PayPass—Mag Stripe) transactions. The floor limit may vary per market.

Fallback

If the contactless technology fails the transaction may be completed by any other technology available. A subsequent transaction is not considered a technical fallback transaction.

PayPass Transaction Flow

Several steps are involved in the PayPass transaction. Technology Selection

The cardholder decides whether to use PayPass or an alternative interface on the card. PayPass technology is used for the transaction when the PayPass card is presented by the cardholder to the PayPass reader.

If the card application selected and the terminal supports PayPass—M/Chip mode, then it is automatically used by the terminal to complete the transaction. Otherwise, PayPass—Mag Stripe mode is used.

Application Selection

If the cardholder has chosen to pay by PayPass, the terminal attempts to find an application via the contactless interface to complete the transaction. When the terminal detects more than one application that it supports on the

PayPass card, the terminal automatically selects the application with the highest

priority set by the issuer. To improve transaction speed, interactive cardholder selection or confirmation is not supported for PayPass.

(20)

If there are no available applications, given any relevant transaction limits, then the PayPass transaction cannot proceed.

For MasterCard products, the same Application Identifiers (AID) are used for PayPass transactions as for EMV contact chip transactions. There are no

PayPass specific AIDs.

Card Authentication

For all PayPass transactions the card being used is authenticated. For

PayPass—M/Chip transactions the card can be authenticated:

• Offline by the terminal OR

• Online by the issuer

All offline approved Maestro PayPass transactions must be authenticated by the terminal using CDA.

All offline MasterCard PayPass—M/Chip transactions must be authenticated by the terminal using either:

• CDA

OR • SDA1

While older cards may support SDA, the only offline card authentication method allowed for new cards is CDA. All PayPass—M/Chip terminals support CDA. PayPass does not support DDA.

For online PayPass—M/Chip transactions the issuer should perform online authentication by verifying the application cryptogram received in the online authorization.

For PayPass—Mag Stripe transactions, transactions are authorized online by the issuer, either in real time or deferred. The PayPass card produces a unique password, referred to as dynamic CVC3, for each transaction. The value is placed by the terminal in issuer defined positions within the existing track data fields. The issuer should perform online authentication by verifying the dynamic CVC3 received in the online authorization.

If PayPass—Mag Stripe profile transactions are not authorized by the issuer, then the acquirer may be liable for any disputed transactions.

1. SDA authenticates the card, but not the transaction data. New PayPass cards cannot be issued supporting SDA. Newly deployed PayPass terminals do not support SDA, and are not configured to support SDA.

(21)

Offline-only terminals may be configured to:

• decline transactions performed with PayPass—Mag Stripe cards.

• allow transactions where an ARQC is provided by the PayPass—M/Chip card.

Cardholder Verification

PayPass purchase transactions for amounts less than or equal to the CVM limit

do not require cardholder verification.

For transaction amounts above the CVM limit, cardholder verification is required or the acquirer may be liable for disputed transactions.

For MasterCard PayPass, acceptable cardholder verification methods are: • Online PIN

• Signature

• On Device Cardholder Verification

For Maestro PayPass, acceptable cardholder verification methods are: • Online PIN

• On Device Cardholder Verification

PayPass does not support offline PIN.

For PayPass—Mag Stripe transactions, the CVM to be used for transactions above the CVM limit is determined by the terminal. This can be done in a similar way to swiped magnetic stripe transactions, based on the methods supported by the terminal and data read from the card. The cardholder device notifies the terminal if On Device Cardholder Verification is supported, in which case this method is used if supported by the terminal and cardholder verification is required.

For PayPass—M/Chip transactions, the CVM is determined by the PayPass reader application in the terminal, based on the CVM List or other information contained in the card. The actual CVM is completed after the interaction with the card is complete, except for On Device Cardholder Verification which is completed before the interaction begins.

Card Risk Management

The card risk management performed is at the discretion of the issuer. Online/Offline Authorization

PayPass—M/Chip transactionsmay be authorized offline by the PayPass card or the card may request online authorization by the issuer.

(22)

Other Transaction Environments

If PayPass—Mag Stripe transactions are not authorized online, then the acquirer may be liable for any disputed transactions.

If online PIN has been identified as the cardholder verification method for the transaction, the PIN is verified as part of the online authorization request. End of Transaction

A PayPass—M/Chip terminal ends the interaction with the card once the response to the first GENERATE AC command is received by the terminal. A PayPass—Mag Stripe terminal ends the interaction with the card once the response to the COMPUTE CRYPTOGRAPHIC CHECKSUM command is received by the terminal. This is not the end of the PayPass transaction. The PayPass terminal completes the transaction based on:

• An offline approval or decline response from the card for PayPass—M/Chip transactions.

OR

• An online authorization response (approve or decline) when requested for

PayPass—M/Chip or PayPass—Mag Stripe transactions

When the printing of a receipt is supported by the point of sale, for PayPass transactions less than or equal to the CVM limit, a receipt must be available if requested by the cardholder. A receipt must be provided for transactions above the CVM limit amount if the terminal is capable of producing a receipt. See

Transaction Processing Rules for exemptions.

Neither Issuer Authentication Data nor issuer scripts are returned to the card during a PayPass—M/Chip transaction.

Other Transaction Environments

There are additional transaction types and environments in which PayPass cards may or may not be used.

Cardholder Activated Terminals

MasterCard defines several types of cardholder activated terminals (CATs).

PayPass may be used at CAT Level 1, 2, 3 and 4 terminals (see the Chargeback Guide for full definitions).

As CAT Level 1 terminals require PIN based cardholder verification, only

PayPass cards that support online PIN or On Device Cardholder Verification

may be used at these terminals. Automated Teller Machines

(23)

Chapter 3 Issuer Requirements

This section includes information on requirements for the issuer.

Card Requirements ... 3-1 Card Delivery... 3-15 Issuer Host Requirements ... 3-15 Clearing Requirements... 3-19 Chargeback and Exception Processing ... 3-20

(24)

Issuer Requirements

Card Requirements

Card Requirements

Various requirements and best practices exist for the PayPass card. Approvals and Testing

All PayPass cards issued are required by MasterCard to have MasterCard vendor product approval. It is the issuer’s responsibility to confirm all products have received this approval. A full PayPass card Letter of Approval is only granted to a card when it has successfully completed all of the following:

• Interface and Application Testing

• Compliance Assessment and Security Testing • Card Quality Management

When ordering cards from a card manufacturer, the issuer must ensure that the card manufacturer has a current PayPass Letter of Approval for the product being purchased. The Letter of Approval is valid for the duration of the time the cards are held in stock prior to being issued.

All PayPass products must have a valid PayPass Letter of Approval at the time the product is issued.

R ALL Issuers must ensure that all PayPass cards are covered by a valid Letter of Approval at the time they are issued.

Branding, Appearance and Physical Requirements

For the brand standards and design elements required for PayPass cards, please refer to the MasterCard PayPass Branding Standards and the Maestro PayPass

Branding Standards. Issuers must obtain approval from MasterCard Card

Design Management for their PayPass card design, even if a similar design has already been approved for use on a non-PayPass card.

R ALL Cards must comply with the PayPass branding requirements.

PayPass Cards

If PayPass—M/Chip is implemented on an ISO 7816 compliant ID-1 plastic card then the card must support an EMV contact chip and optionally a magnetic stripe.

R ALL _{PayPass—M/Chip cards that are of ID-1 format and ISO 7816 compliant}

(25)

A MasterCard PayPass card that supports EMV contact chip transactions on the contact interface normally also supports PayPass—M/Chip.

BP MC An EMV contact chip capable MasterCard branded PayPass card should support PayPass—M/Chip.

Non-card Devices

PayPass functionality can be present in form factors other than traditional

payment cards. Examples of different forms are: • Mobile phones

• Key fobs • Watches

All PayPass non-card devices conduct PayPass transactions in the same way as PayPass cards. They may support special functionality, such as On Device Cardholder Verification.

When PayPass—M/Chip cards use offline risk management features, an interaction with the card is required to manage the offline risk management counters. This cannot be performed in a normal PayPass transaction since response data from the issuer is not returned to the card. This interaction may be achieved:

• By performing a transaction through the EMV contact chip interface of a hybrid card

• By over-the-air messages, for example to a mobile phone

• Through the contactless interface in a special terminal designed for this purpose, if supported by the cardholder device.

PayPass cards which support offline transactions must be able to support

the management of the offline risk management counters. PayPass—M/Chip non-card devices that cannot support the management of the offline risk management counters must be configured as online only.

All PayPass non-card device programs must be approved by MasterCard. The MasterCard PayPass device given to the cardholder can be linked to a MasterCard card account assigned to that same cardholder accessed by a standard MasterCard card. This card does not have to be a PayPass card. The expiration date of the PayPass device must not be later than the card that it is linked to. If the MasterCard card is cancelled, the issuer must simultaneously cancel the companion PayPass device.

It is not necessary for the PayPass device to display an account number. As a result, a non-card form factor that is issued without a companion card may be limited in use. Issuers must highlight this to the account holder at the time of issuance.

(26)

Devices other than mobile phones should accommodate a signature panel where possible. Those devices that cannot accommodate a signature panel should contain a customization area or unique identification number. A minimal space on small form factors is sufficient to provide cardholders with an opportunity to customize the device with their initials or another mark to identify it as belonging to them.

R ALL All PayPass non-card device programs must be approved in advance by MasterCard.

R ALL If linked to a card, the expiration date of the PayPass device must not exceed the expiration date of the card to which it is linked.

R ALL If linked to a card, the PayPass device must be cancelled if the card is cancelled.

BP ALL The PayPass device, other than a mobile phone, should accommodate a signature panel.

R ALL PayPass—M/Chip non-card devices that do not provide a mechanism

to reset offline risk management counters must be configured as online only.

R ALL PayPass—M/Chip non-card devices must be issued with clear

instructions for the account holder regarding the limitations of their use. Card Application

PayPass—M/Chip must be implemented using approved applications. Examples

are:

• M/Chip Advance

• PayPass—M/Chip 4

• Mobile PayPass

• PayPass—M/Chip Flex

R ALL All PayPass—M/Chip cards must use approved applications.

Support of PayPass—M/Chip and PayPass—Mag Stripe A PayPass card using the MasterCard brand:

• Must support PayPass—Mag Stripe transactions (unless for domestic use only)

• May support PayPass—M/Chip transactions

R MC A MasterCard PayPass card that is not exclusively for domestic use must support PayPass—Mag Stripe transactions.

(27)

A PayPass card using the Maestro brand: • Must support PayPass—M/Chip transactions

• Must not support PayPass—Mag Stripe transactions for Maestro

R MS A Maestro PayPass card must support PayPass—M/Chip transactions.

R MS Unless explicitly allowed in the Transaction Processing Rules, a Maestro

PayPass card must not support PayPass—Mag Stripe transactions.

PayPass technology may not currently be used on MasterCard Fleet or MultiCard

products as data positions required by PayPass are already used in the product personalization requirements of these products.

R MC MasterCard Fleet or MultiCard products must not support contactless transactions.

ATM

The CVM used for ATM transactions is online PIN.

Issuers should support ATM transactions on the contactless interface.

Because not all ATMs validate the settings of the card, issuers should be aware that they may receive transactions from ATMs even if:

• support for ATM is not indicated in the Application Usage Control • support for online PIN is not included in the CVM list

BP ALL The Application Usage Control should indicate support for ATM transactions.

Online and Offline Capability

PayPass—Mag Stripe transactions are always authorized online, either in

real-time or deferred. The card has no input into the decision to seek authorization.

In PayPass—M/Chip cards the transaction counters and decision making capability of the chip are used to control risk. To support fast transactions, it is recommended that PayPass—M/Chip cards be configured to support offline transaction approval.

As some terminals operate online only, PayPass—M/Chip cards should be configured to support online transaction approval.

PayPass—M/Chip cards issued in the U.S. region must be configured to support

(28)

To meet special market requirements MasterCard may approve cards that are online only or offline only; however, issuers should be aware that these cards do not work in some terminals.

R ALL PayPass—M/Chip cards issued in the U.S. region must be configured

to support both online and offline transaction approval.

BP ALL PayPass—M/Chip cards should be configured to support offline

transaction approval. They should not be configured to be online only.

BP ALL PayPass—M/Chip cards should be configured to support online

transaction approval. They should not be configured to be offline only. Service Codes

A value for the service code may be found several times on a PayPass—M/Chip card. For example:

• on the magnetic stripe of the card in both Track 1 and Track 2

• Track 1 Data (tag ‘56’) and Track 2 Data (tag ‘9F6B’) accessed via the contactless interface

• Track 2 Equivalent Data (tag ‘57’) accessed via the contactless interface • Track 2 Equivalent Data (tag ‘57’) accessed via the EMV contact chip

interface

It is recommended that cards be personalized to use the service code appropriate for the product. The service code values that are used in the

PayPass application should be consistent in each data object when the service

code appears. Although not recommended, PayPass issuers may choose to use service code values in the PayPass application that differ from those used on the magnetic stripe of the same card.

If the issuer does use a different service code value on the contactless interface, the value may be acted on by some terminals. In particular, terminals that process the service code may reject international cards that have a service code value starting with ‘5’ (National use only).

BP ALL Issuers should use a value of the service code appropriate for the product.

BP ALL Issuers should use the same value of the service code each time the service code is used.

Expiry Dates

The expiry date of the card should be consistent across all technologies supported.

BP ALL The expiry date in the PayPass application should be consistent with the expiry date of the card.

(29)

Purchase with Cash Back

Debit MasterCard cards and Maestro cards may support Purchase with Cash Back on the contactless interface.

Purchase with Cash Back on the contactless interface may only be supported by MasterCard credit cards in European markets.

Purchase with Cash Back transactions always require cardholder verification, regardless of the amount.

R MC MasterCard credit cards issued outside the Europe region must not be configured to support Purchase with Cash Back through the contactless interface.

Application Selection

PayPass terminals normally perform application selection using the PPSE on

the card. All PayPass cards must contain a PPSE.

Issuers must configure the Application Priority Indicator in each directory entry of the FCI of the PPSE to show the preferred sequence of choice of all PayPass applications on the card. Issuers must set a different priority for each directory entry in the FCI of the PPSE. Cardholder confirmation must not be requested. The AID value used for PayPass is the same AID used for the EMV contact chip interface. There are no specific AIDs for PayPass.

Supported AIDs are:

• MasterCard ‘A0000000041010’ • Maestro ‘A0000000043060’

Identification of PayPass cards use the product AID without any extension, as shown above. PIX extensions may be used by issuers and are considered as a successful match by the terminal when partial AID matching is supported. However, it is recommended not to use PIX extensions, as some legacy PayPass terminals do not support partial AID matching.

If the same account is accessed through the contact and contactless interfaces, the AID used on each interface may be different if supported by the card implementation.

The Application Label (tag ‘50’) must be present in a PayPass card. This may appear on any receipts.

A MasterCard card must be configured with an appropriate Application Label such as MasterCard, MASTERCARD, Debit MasterCard, or DEBIT MASTERCARD.

A Maestro card must be configured with an appropriate Application Label such as Maestro or MAESTRO.

(30)

Issuers may personalize the Application Preferred Name (tag ‘9F12’) and Issuer Code Table Index (tag ‘9F11’). The Application Preferred Name may be used on receipts instead of the Application Label if the terminal supports the code table indicated.

R ALL All PayPass cards must contain a PPSE.

R ALL Issuers must set a unique value for the Application Priority Indicator in each directory entry in the FCI of the PPSE.

R ALL Issuers must not set the Cardholder Confirmation bit in the Application Priority Indicator in the FCI of the PPSE.

R ALL Issuers must use the appropriate Application Label.

BP ALL PIX extensions should not be used in the AID for PayPass.

Card Authentication

MasterCard requires the use of dynamic CVC3 by all PayPass—Mag Stripe capable cards. This includes PayPass—M/Chip cards that perform

PayPass—Mag Stripe transactions.

For PayPass—M/Chip online transactions the application cryptogram should be validated to prevent counterfeit fraud.

For MasterCard PayPass—M/Chip:

• New cards issued in the Europe or U.S. regions must support CDA and must not support SDA

• New cards issued outside of the Europe or U.S. regions that do not support CDA must operate as online only. Cards must not support SDA. Cards that do not support CDA may experience interoperability issues and may not work with some merchants such as mass transit agencies.

MasterCard recommends that the issuer support CDA.

Issuers of old cards that support only SDA should note that SDA will not be performed on PayPass readers that comply with EMVCo Book C-2 and therefore all transactions at these readers will require online authorization.

All Maestro PayPass cards must support CDA and must not support SDA for Maestro PayPass—M/Chip.

PayPass does not support DDA.

R MS Maestro PayPass—M/Chip cards must support CDA and must not support SDA.

R MC MasterCard PayPass—M/Chip cards must not support SDA.

R MC MasterCard PayPass—M/Chip cards issued in the Europe or U.S. regions must support CDA.

(31)

R MC MasterCard PayPass—M/Chip cards issued outside of the Europe or U.S. regions that do not support CDA must be configured as online only.

BP MC Issuers outside the Europe and U.S. regions are strongly recommended to use CDA on MasterCard PayPass—M/Chip cards.

R ALL PayPass—M/Chip cards must not support DDA on the PayPass

interface.

R MC MasterCard PayPass—M/Chip cards must use a dynamic CVC3 for

PayPass—Mag Stripe transactions.

BP ALL Issuers are strongly recommended to validate the application cryptogram for online PayPass—M/Chip transactions.

The payment system public keys for PayPass—M/Chip have the same values and expiry dates as those used for MasterCard EMV contact chip transactions. It is recommended to use the same Issuer Key pair for transactions on the contact and contactless interface of a PayPass—M/Chip card; therefore, the same Issuer Public Key certificate may be used.

It is recommended to use the same ICC Key pair for transactions on the contact and contactless interface of a PayPass—M/Chip card. The ICC Public Key Certificate cannot be shared between the contact and contactless interface even if the same keys are used since some of the data elements signed in the certificate are different.

BP ALL Issuers should use the same Issuer and ICC Public Keys across both the contact and contactless interface.

Cardholder Verification

A signature or PIN is not required for a PayPass transaction less than or equal to the CVM limit regardless of the setting of the Service Code for PayPass—Mag Stripe, or CVM List for PayPass—M/Chip.

For transactions greater than the CVM limit, cardholder verification is normally requested. If transactions are completed offline with no cardholder verification above the CVM limit then the acquirer may be liable for disputed transactions. For PayPass—Mag Stripe transactions, the cardholder verification method is determined by the terminal in a similar manner to swiped magnetic stripe transactions. The terminal is not required to refer to the Service Code, which appears in multiple data elements. If the device supports On Device Cardholder Verification, this is communicated to the terminal as part of the transaction. For PayPass—M/Chip transactions, the CVM is determined by the PayPass reader application in the terminal based on the terminal capabilities and CVM List or other data in the cardholder device.

(32)

NOTE

For the remainder of this section a distinction is made between cardholder devices that support On Device Cardholder Verification (mobile phones) and all other cardholder devices (cards).

MasterCard PayPass—M/Chip cards: • Must support Signature

• Must support Online PIN • Must support No CVM

MasterCard PayPass—M/Chip mobile phones: • Must support No CVM

• Must support Signature

• Must support Online PIN or On Device Cardholder Verification, or both. Support for both Online PIN and On Device Cardholder Verification is recommended for MasterCard mobile phones.

The issuer may elect for either Signature or Online PIN to be preferred and personalize the CVM List accordingly. On Device Cardholder Verification is performed above the CVM limit if supported by the mobile phone and the terminal.

If issuers require support for MasterCard PayPass—M/Chip mobile phones at ATMs, then Online PIN must be supported.

Maestro PayPass cards and mobile phones must support No CVM.

If the issuer supports Maestro PayPass transactions above the CVM limit, then: • Maestro PayPass cards must support Online PIN.

• Maestro PayPass mobile phones must support Online PIN or On Device Cardholder Verification or both.

If issuers require support for Maestro PayPass—M/Chip cards or mobile phones at ATMs then Online PIN must be supported.

Support for On Device Cardholder Verification is recommended for all MasterCard and Maestro PayPass mobile phones.

CVM List entries should not make use of the X and Y values to influence the availability of a particular CVM. This means that condition codes: ‘06’, ‘07’, ‘08’ or ‘09’ should not be used.

Offline PIN is not supported for PayPass—M/Chip transactions. Offline PIN may be supported on the same card but only for EMV contact chip transactions. Issuers must not include offline PIN options in the CVM List read through the contactless interface.

(33)

R ALL All PayPass—M/Chip cards and mobile phones must support No CVM in the CVM List read through the contactless interface.

R ALL PayPass—M/Chip cards and mobile phones must not support either

offline plain text PIN or offline enciphered PIN in the CVM List read through the contactless interface.

R MC MasterCard PayPass—M/Chip cards must support Online PIN and Signature in the CVM List read through the contactless interface.

R MC MasterCard PayPass—M/Chip mobile phones must support Signature in the CVM List read through the contactless interface.

R MC MasterCard PayPass—M/Chip mobile phones must support Online PIN, in the CVM List read through the contactless interface, or On Device Cardholder Verification, or both.

R MS If the issuer allows Maestro PayPass transactions above the CVM limit, then cards must support Online PIN in the CVM List read through the contactless interface.

R MS If the issuer allows Maestro PayPass transactions above the CVM limit, then mobile phones must support Online PIN in the CVM List read through the contactless interface, or On Device Cardholder Verification, or both.

BP MS Support for Online PIN is recommended for all Maestro PayPass cards and mobile phones.

BP ALL Support for On Device Cardholder Verification is recommended for all

PayPass—M/Chip mobile phones.

BP ALL CVM List entries should not make use of the X and Y values to influence the availability of a particular CVM.

Magnetic Stripe Based PVV

It may not be possible or easy to change some of the data on a PayPass card. Any existing magnetic stripe processes that rely on rewriting data to the magnetic stripe after the card has been issued need to be evaluated. In particular this may affect magnetic stripe based PVV solutions for online PIN verification if PIN change is supported.

BP ALL Magnetic stripe based PVV methods should not be used for online PIN verification if PIN change is supported.

Managing the Contactless Controls

The issuer should manage the offline counters and parameters for the contactless interface during the authorization response to a contact chip transaction. They cannot be managed during a PayPass transaction as the Issuer Authentication Data from the authorization response is never delivered to the card.

(34)

The PayPass—M/Chip application may trigger an online authorization request at the next contact transaction to enable management of the offline counters. Personalization Requirements

The PayPass personalization requirements are detailed in the PayPass

Personalization Data Specifications and the M/Chip Advance Personalization Data Specifications.

MasterCard requires that the personalization of each card configuration be approved using the CPV service before cards are issued.

R ALL CPV must be successfully completed for all PayPass cards issued.

Proprietary data objects included in the card personalization that are not documented in the MasterCard specifications may require dedicated functionality on the terminal. Issuers should be aware of potential conflicts when using such tags.

BP ALL Issuers should be aware of the risks and limitations associated with using proprietary tags in their card personalization.

MasterCard prohibits encoding the cardholder name in the data read through the contactless interface to prevent unauthorized disclosure. It is recommended to use a space character followed by the surname separator “/” in the Track 1 Data.

R ALL The name of the cardholder must not be readable over the contactless interface.

BP ALL Issuers should use “ /” for the cardholder name in the data read through the contactless interface.

Third Party Data may be used by a terminal for proprietary processing. Issuers that intend to participate in a scheme utilizing this data object must request a Unique Identifier from MasterCard. A sub-field of this data object is also used to carry the Device Type. Refer to Data Requirementsfor more information. If Third Party Data is personalized on the card, it is recommended that it be added to the FCI Issuer Discretionary Data that is returned during application selection.

BP ALL If present in the card personalization, it is recommended that Third Party Data be included in the FCI Issuer Discretionary Data that is returned when the application is selected.

R ALL If the Third Party Data included in the PayPass card is intended to be used to carry proprietary data, then the issuer must contact MasterCard to obtain the Unique Identifier.

(35)

R ALL Non-card form factors must be personalized with the Device Type present in the Third Party Data data object.

R ALL U.S. and Canada region issuers must ensure that each newly issued or reissued PayPass-enabled card, access device, and mobile payment device is personalized with the appropriate Device Type value. Issuers should be aware that the contents of the Proprietary Data subfield of Third Party Data can be freely read and therefore should not contain sensitive cardholder information.

BP ALL Issuers should respect relevant local data privacy laws when personalizing the Proprietary Data subfield of Third Party Data on the card.

Data objects may be personalized in the card organized in the pre-defined file structure detailed in the PayPass Personalization Data Specifications to allow efficient data capture by the PayPass terminal resulting in a faster transaction.

R ALL If data objects are not organized according to the rules specified for the pre-defined file structure, then the pre-defined values for the AFL must not be used.

PayPass—M/Chip Personalization Requirements

Some data elements are unique for the contactless interface and some are shared with the contact interface.

For PayPass the issuer may operate in full chip grade, semi-grade or magnetic stripe grade on the contact profile.

Issuers must use a different value for Chip CVC on the contactless interface to the CVC1 encoded on the magnetic stripe. This prevents compromised PayPass data being used to fraudulently create valid counterfeit magnetic stripe cards.

R ALL Issuers must support a Chip CVC in Track 2 Equivalent Data on the contactless interface that is different to the CVC1 if present.

Maestro cards that do not have a CVC1 encoded on the magnetic stripe do not need to include a Chip CVC.

However to protect against the risk of counterfeiting, it must not be possible to reproduce the Track 2 on the magnetic stripe from the PayPass data in the chip. This means that some aspect of the magnetic stripe data must be unique to the stripe, unpredictable and validated during the authorization.

(36)

R ALL Issuers that have the capability to distinguish between chip-read and magnetic stripe-read transactions must support a Chip CVC in Track 2 Equivalent Data on the contactless interface that is different to the CVC1 if present.

R ALL The genuine CVC1, as found on the physical magnetic stripe, must not appear in any data element that can be read through the contactless interface.

R MS Issuers of Maestro PayPass cards that do not have a Chip CVC in Track 2 Equivalent Data must ensure that the Track 2 data found on the magnetic stripe cannot be reproduced from the PayPass data on the chip. Some aspect of the magnetic stripe data must be unique to the magnetic stripe, unpredictable and validated during the authorization. To facilitate ATC monitoring, issuers should able to distinguish card identifiers read from separate cardholder devices, even if they are linked. This can be done by using different PAN values and/or PAN Sequence Numbers.

BP ALL The issuer should not use the same combination of PAN and PAN Sequence Number on separate cardholder devices, even if linked. Issuers may choose to use an Application PAN on the contactless interface which is different to the PAN present on the magnetic stripe or that appears on the face of the card.

If this option is chosen, the issuer must be aware of the requirements to return the value of the embossed PAN in the response message for PayPass transit transactions.

To protect critical data used in the transaction, if the card supports offline card authentication then the data elements shown in the table below must be stored in records that are signed.

Data Element Tag

Application Currency Code ‘9F42’

Application Expiration Date ‘5F24’

Application Effective Date1 _‘5F25’

Application PAN Sequence Number ‘5F34’ Application Primary Account Number ‘5A’

Application Usage Control ‘9F07’

CDOL1 ‘8C’

CDOL2 ‘8D’

(37)

Data Element Tag

CVM List ‘8E’

Issuer Action Code—Default ‘9F0D’

Issuer Action Code—Denial ‘9F0E’

Issuer Action Code—Online ‘9F0F’

Issuer Country Code ‘5F28‘

SDA Tag List ‘9F4A’

R ALL The data elements shown in the table above, if present, must all be stored in records that are signed.

If the card application supports the configuration of a maximum transaction amount, then it must only be used to influence the decision to authorize the transaction online when possible. A transaction must not be declined based solely on this parameter on online capable terminals.

R ALL If a maximum transaction amount in the contactless card configuration is used, it must not lead to transactions being declined offline on online capable terminals.

PayPass—Mag Stripe Personalization Requirements

The first and only record of the file SFI 1 must include the data objects necessary to perform the PayPass -Mag Stripe transactions.

The last digit of both Track 1 and Track 2 must not be used by the issuer as this is used by the terminal to indicate the number of digits of the unpredictable number (nUN). The length of the unpredictable number must not be fewer than 2 digits.

The positions where the PayPass reader stores the ATC, UN, and CVC3 in the discretionary data in Track 1 Data and Track 2 Data, should be filled with zeroes. This is a requirement if PayPass On Behalf CVC validation services are used. If the issuer intends to make use of MasterCard’s On-behalf Service for dynamic CVC3 verification, then the value of NATCTRACK1 and the value of NATCTRACK2

must be greater than or equal to 3 for the CVC3 Validation in Stand-in Service, or greater than or equal to 2 for the dynamic CVC3 Pre-validation Service or the

PayPass Mapping Service (processing only option). In both cases, a value of at

least 4 for NATCTRACK1and NATCTRACK2 is recommended.

R MC Record 1 of SFI 1 must contain the data to perform a PayPass—Mag Stripe transaction. Record 1 must be the only record included in SFI 1.

R MC The last digit of both Track 1 and Track 2 must not be used by the issuer.

(38)

Issuer Host Requirements

R MC Placeholders for dynamic CVC3 data which is inserted by the terminal in either Track 1 or Track 2 must be zero filled if PayPass-on behalf CVC validation services are used.

R ALL The Unpredictable Number must be at least 2 digits in length.

R ALL Users of on-behalf services must use the appropriate minimum values for NATCTRACK1and NATCTRACK2.

Card Delivery

PayPass data can be read by any reader that can power the contactless chip

and send the correct commands.

In order to fully benefit from new payment opportunities that contactless offers, issuers must inform cardholders that contactless functionality is available and provide directions on using it with the card.

R ALL Issuers must alert cardholders that contactless functionality exists when issuing/providing new cards.

Issuer Host Requirements

Issuer host must meet requirements to accommodate authorization messages and decisions.

Authorization Messages

PayPass issuers must ensure host systems are capable of correctly receiving

and processing authorization messages containing specific values for the data element (DE) 22 (POS Entry Mode) and DE 61 (POS Data) that identify PayPass transactions.

• DE 22 (POS Entry Mode), subfield 1, values of 06, 07 and 08 are used for PayPass—M/Chip transactions. The values of 91 and 92 are used for

PayPass—Mag Stripe transactions even if performed at a PayPass—M/Chip

terminal.

• DE 61 (POS Card Data Terminal Input Capability Indicator), subfield 11, value of 3indicates that the terminal supports PayPass—M/Chip and

PayPass—Mag Stripe transactions. A value of 4 indicates support for

PayPass—Mag Stripe transactions. Note that these values may be used even

in the context of a contact transaction.

R ALL Issuers must support on their network interface and host system