Security Rules and Procedures 5 February 2015


  • Notices

    Proprietary Rights

    The information contained in this document is proprietary and confidential to MasterCard International Incorporated, one or more of its affiliated entities (collectively “MasterCard”), or both.

    This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.

    Trademarks

    Trademark notices and symbols used in this document reflect the registration status of MasterCard trademarks in the United States. Please consult with the Customer Operations Services team or the MasterCard Law Department for the registration status of particular product, program, or service names outside the United States.

    All third-party product and service names are trademarks or registered trademarks of their respective owners.

    Disclaimer

    MasterCard makes no representations or warranties of any kind, express or implied, with respect to the contents of this document. Without limitation, MasterCard specifically disclaims all representations and warranties with respect to this document and any intellectual property rights subsisting therein or any part thereof, including but not limited to any and all implied warranties of title, non-infringement, or suitability for any purpose (whether or not MasterCard has been advised, has reason to know, or is otherwise in fact aware of any information) or achievement of any particular result. Without limitation, MasterCard specifically disclaims all representations and warranties that any practice or implementation of this document will not infringe any third party patents, copyrights, trade secrets or other rights.

    Translation

    A translation of any MasterCard manual, bulletin, release, or other MasterCard document into a language other than English is intended solely as a convenience to MasterCard customers. MasterCard provides any translated document to its customers “AS IS” and makes no representations or warranties of any kind with respect to the translated document, including, but not limited to, its accuracy or reliability. In no event shall MasterCard be liable for any damages resulting from reliance on any translated document. The English version of any MasterCard document will take precedence over any translated version in any legal proceeding.

    Information Available Online

    MasterCard provides details about the standards used for this document—including times expressed, language use, and contact information—on the Publications Support page available on MasterCard Connect™. Go to Publications Support for centralized information.

    Notices

    ©1991–2015 MasterCard. Proprietary. All rights reserved. Security Rules and Procedures • 5 February 2015

  • Summary of Changes

    This manual reflects changes associated with announcements in MasterCard bulletins from 1 August 2014 to 15 January 2015, and additional terminology changes.

    To locate the changes listed below online, on the Adobe toolbar, click Find. In the Find box, type >>> and then press ENTER. To move to the next change, press ENTER again.

    Description of Change / Where to Look

    Updated references from South Asia/Middle East/Africa Region to Middle East/Africa Region throughout this manual.
        Where to look: Entire manual

    Updated references from Member Alert to Control High-risk (Merchants) (MATCH™) to MasterCard Alert to Control High-risk (Merchants) (MATCH™) throughout this manual.
        Where to look: Entire manual

    Updated references from magnetic stripe profile Contactless Chip Transaction to Magnetic Stripe Mode Contactless Transaction throughout this manual.
        Where to look: Entire manual

    Updated applicable references from MasterCard Transaction to MasterCard POS Transaction throughout this manual.
        Where to look: Entire manual

    Updated applicable references from Maestro Transaction to Maestro POS Transaction throughout this manual.
        Where to look: Entire manual

    Updated references from Contactless Chip Transaction to Contactless Transaction throughout this manual.
        Where to look: Entire manual

    Removed definitions of the following terms: Hybrid ATM Terminal; Hybrid MPOS Terminal; Hybrid PIN-based In-Branch Terminal; Maestro Transaction; MasterCard Transaction; Settlement; Settlement Date.
        Where to look: Definitions

    Updated definitions of the following terms: Activity(ies); Automated Teller Machine (ATM); Contactless Payment Device; Contactless Transaction; Cross-border Transaction; Customer; EMV Mode Contactless Transaction; Hybrid Terminal; Interchange System; Interregional Transaction; Intracountry Transaction; Intraregional Transaction; Maestro Access Device; Magnetic Stripe Mode Contactless Transaction; Participation; Payment Application; Payment Facilitator; PIN-based In-Branch Terminal; Point-of-Sale (POS) Terminal; Program; Standards; Terminal; Transaction.
        Where to look: Definitions

    Added definitions of the following terms: Acceptance Mark; Account PAN; Account PAN Range; Area of Use; ATM Access Fee; Brand Fee; Brand Mark; Cardholder Communication; Cardholder Verification Method (CVM); Chip-only MPOS Terminal; Cirrus Acceptance Mark; Cirrus Brand Mark; Cirrus Word Mark; Competing ATM Network; Competing EFT POS Network; Competing International ATM Network; Competing North American ATM Network; Control, Controlled; Credentials Management System; Customer Report; Device Binding; Digital Activity(ies); Digital Activity Agreement; Digital Activity Customer; Digital Activity Service Provider (DASP); Digital Wallet; Digitization, Digitize; Electronic Money; Electronic Money Institution; Electronic Money Issuer; Gateway Customer; Gateway Processing; Gateway Transaction; Host Card Emulation (HCE); Licensee; Maestro Acceptance Mark; Maestro Brand Mark; Maestro Word Mark; MasterCard Acceptance Mark; MasterCard Brand Mark; MasterCard Cloud-Based Payments; MasterCard Digital Enablement Service; MasterCard Token; MasterCard Token Account Range; MasterCard Word Mark; Merchandise Transaction; On-Device Cardholder Verification; Ownership, Owned; Processed Transaction; Remote Transaction; Settlement Obligation; Shared Deposit Transaction; Solicitation, Solicit; Special Issuer Program; Sub-licensee; Submerchant Agreement; Token; Tokenization, Tokenize; Token Requestor; Wallet Provider; Wallet Token Requestor; Word Mark.
        Where to look: Definitions

        NOTE The changes to the Definitions chapter cannot be located online using the Find box. Please scroll to the Definitions chapter at the end of the manual to locate these changes.

    Added compliance requirements for Issuers of contact Chip Cards.
        Where to look: 3.6

    Updated the manual references for Issuers using M/Chip 4 or M/Chip Advance.
        Where to look: 3.6.1

    Added compliance requirements for Issuers of Contactless Cards or Contactless Payment Devices.
        Where to look: 3.7

    Updated references from PayPass M/Chip Requirements to M/Chip Requirements.
        Where to look: 3.7, 3.9

    Updated the requirements for Mobile Payment Devices.
        Where to look: 3.8

    Updated the service code requirements for Debit MasterCard Issuers.
        Where to look: 3.10.1

    Clarified the recommendations for setting the authorization parameters for Issuers.
        Where to look: 3.10.1

    Updated references from POI Terminal to Terminal.
        Where to look: 3.10.2, 4.7, 4.8, 6.3.2.2, 8.2.3

    Updated references from Hybrid POI Terminal to Hybrid Terminal.
        Where to look: 3.10.2, 4.9

    Updated the definitions of the service code values.
        Where to look: Table 3.3

    Removed the note regarding support of Purchase of Goods and Services with Cash Back Transactions for Debit MasterCard cards.
        Where to look: 3.10.3

    Removed the space requirement for the sales clerk’s or teller’s initials or department number on the retail sale, credit, or cash disbursement formset.
        Where to look: 3.11.1

    Removed the space requirement for the Merchant’s signature on credit slips or receipts.
        Where to look: 3.11.1, 3.11.2

    Updated the POS Terminal receipt content requirements.
        Where to look: 3.11.2

    Updated references from MasterCard Worldwide Network to MasterCard Network.
        Where to look: 4.3, Table 4.1, 10.4, 10.4.1

    Clarified the PIN authorization request message label.
        Where to look: 4.4

    Added fraud loss control requirements for Digital Activity Customers.
        Where to look: 6.1

    Updated references from Fraud Management Program (FMP) to Global Risk Management Program.
        Where to look: 6.1, 6.2.3, 6.3.3, 6.3.3.1, 6.4.3, Chapter 13

    Updated references from FMP Level 3 Customer review to Customer Risk Review.
        Where to look: 6.3.3.1, 8.3.5, 8.5.3, Chapter 13

    Updated references from Customer Security and Risk Services to Customer Fraud Management.
        Where to look: 6.4.1, 6.4.3

    Removed section 7.1.1—Screening Procedures.
        Where to look: 7.1.1 (deleted)

    Added section 7.1.1—Merchant Screening Procedures.
        Where to look: 7.1.1

    Added section 7.1.2—Submerchant Screening Procedures.
        Where to look: 7.1.2

    Added section 7.1.3—ATM Owner Screening Procedures.
        Where to look: 7.1.3

    Clarified the Merchant and Submerchant monitoring requirements for Acquirers.
        Where to look: 7.2

    Removed telecom Merchants and Submerchants from the types of entities that must comply with the registration and monitoring requirements of the MRP.
        Where to look: 7.3, 9.1, 9.2.1, 9.3, 9.4.1 (deleted)

    Removed MCC 7273 from the types of non-face-to-face adult content and services Merchants required to be registered using the MRP.
        Where to look: 9.1, 9.4.1 (renumbered)

    Removed the quarterly submission of monthly Transaction data for Merchants registered via the MRP from the monitoring requirements for Acquirers.
        Where to look: 9.3

    Added the definitions of Digital Activity Customer, Point-of-Sale (POS) Transaction, and Wallet Token Requestor to the list of Account Data Compromise Event terminology.
        Where to look: 10.2

    Clarified the PCI levels of Merchants.
        Where to look: 10.2.4

    Added Digital Activity Customers to the types of entities that must comply with the Payment Card Industry Data Security Standard.
        Where to look: 10.3.1

    Removed Warning regarding MATCH information.
        Where to look: 11.1

    Updated MATCH fraud detection features and risk assessment options.
        Where to look: 11.1.1

    Added the following MATCH fields: Doing Business As (DBA) Name; Alternate Phone Number (Merchant); Merchant URL Website Address; Alternate Phone Number (PO).
        Where to look: Table 11.1

    Updated the MATCH field names.
        Where to look: Table 11.1, Table 11.2

    Added a note regarding the population of the Merchant URL Website Address field in MATCH.
        Where to look: 11.1.2.2

    Updated the descriptions of MATCH reason codes 01, 02, 04, and 14.
        Where to look: Table 11.4

    Removed MATCH reason code 06 (Violation of Merchant Agreement).
        Where to look: 11.5.1, Table 11.5 (deleted)

    Removed section 11.6—MATCH System Disclaimer.
        Where to look: 11.6 (deleted)

    Added section 11.7—Legal Notice.
        Where to look: 11.7

    Added section 12.2.1—Digital Secure Remote Payment Transactions and Tokenized Account Data.
        Where to look: 12.2.1

    Updated references from FMP Level 1 review to Customer Onboarding Review.
        Where to look: Chapter 13

    Updated references from FMP Level 2 Non-Customer review to Third Party Risk Review.
        Where to look: Chapter 13

    Updated references from FMP Level 4 Customer Consultative review to Customer Consultative Review.
        Where to look: Chapter 13

    Moved section 3.11.3—Standard Wording to section B.1.2.
        Where to look: B.1.2

  • Contents

    Summary of Changes ..... 3

    Chapter 1: Customer Obligations ..... 15
        1.1 Compliance with the Standards ..... 16
        1.2 Conflict with Law ..... 16
        1.3 The Security Contact ..... 16

    Chapter 2: Card Production Standards ..... 17
        2.1 Compliance with Card Production Standards ..... 18
        2.2 Monitoring of Personnel ..... 18
        2.3 Contracting with Card Registration Companies ..... 19
        2.4 Working with Vendors ..... 20
            2.4.1 Order Request Required to Produce Cards ..... 20
            2.4.2 Stockpiling Plastics ..... 21
        2.5 Cards Without Personalization ..... 21
        2.6 Card Count Discrepancies ..... 21
        2.7 Reporting Card Loss or Theft ..... 21
        2.8 Disposition of Unissued Cards and Account Information ..... 22

    Chapter 3: Card and TID Design Standards ..... 23
        3.1 Principles of Standardization ..... 24
        3.2 MasterCard Account Number ..... 24
        3.3 Maestro and Cirrus Account Numbers ..... 25
        3.4 Signature Panel ..... 26
        3.5 Magnetic Stripe or MasterCard HoloMag Encoding ..... 26
            3.5.1 Card Validation Code 1 (CVC 1) ..... 26
            3.5.2 Service Code ..... 26
            3.5.3 Cardholder Name ..... 27
            3.5.4 Expiration Date ..... 28
        3.6 Chip Cards ..... 29
            3.6.1 Chip Card Applications ..... 30
            3.6.2 Multiple Application Chip Cards ..... 31
            3.6.3 Use of M/Chip Card Application Specifications ..... 31
        3.7 Contactless Cards and Payment Devices ..... 31
        3.8 Mobile Payment Devices ..... 32
        3.9 Card Validation Code (CVC) ..... 33
            3.9.1 Issuer Requirements for CVC 1 ..... 34
            3.9.2 Issuer Requirements for CVC 2 ..... 34

            3.9.3 Issuer Requirements for CVC 3 ..... 35
            3.9.4 Acquirer Requirements for CVC 2 ..... 35
            3.9.5 CVC Calculation Methods ..... 35
        3.10 Service Codes ..... 37
            3.10.1 Issuer Information ..... 37
            3.10.2 Acquirer Information ..... 38
            3.10.3 Valid Service Codes ..... 38
            3.10.4 Additional Service Code Information ..... 39
        3.11 Transaction Information Documents (TIDs) ..... 40
            3.11.1 Formset Contents ..... 40
            3.11.2 POS Terminal Receipt Contents ..... 41
            3.11.3 Primary Account Number Truncation and Expiration Date Omission ..... 42

    Chapter 4: Terminal and PIN Security Standards ..... 43
        4.1 Personal Identification Numbers (PINs) ..... 44
        4.2 PIN Selection and Usage ..... 44
        4.3 PIN Verification ..... 45
        4.4 PIN Authorization Requests ..... 45
        4.5 PIN Encipherment ..... 45
        4.6 PIN Key Management ..... 46
            4.6.1 PIN Transmission Between Customer Host Systems and the Interchange System ..... 46
            4.6.2 On-behalf Key Management ..... 47
        4.7 PIN at the POI for MasterCard Magnetic Stripe Transactions ..... 48
        4.8 Terminal Security Standards ..... 48
        4.9 Hybrid Terminal Security Standards ..... 49
        4.10 PIN Entry Device Standards ..... 49
        4.11 Wireless POS Terminals and Internet/Stand-alone IP-enabled POS Terminal Security Standards ..... 51
        4.12 POS Terminals Using Electronic Signature Capture Technology (ESCT) ..... 51
        4.13 Component Authentication ..... 52
        4.14 Triple DES Migration Standards ..... 52

    Chapter 5: Card Recovery and Return Standards ..... 53
        5.1 Card Recovery and Return ..... 54
            5.1.1 Card Retention by Merchants ..... 54
            5.1.2 ATM Card Retention ..... 55
            5.1.3 Payment of Rewards ..... 57
            5.1.4 Reporting Fraudulent Use of Cards ..... 58
            5.1.5 Reporting Lost and Stolen Cards ..... 59
        5.2 Criminal and Counterfeit Investigations ..... 60
            5.2.1 Initiating an Investigation ..... 60

            5.2.2 Providing a Progress Report ..... 60
            5.2.3 Requesting an Arrest and Criminal Prosecution ..... 61
            5.2.4 Fees and Reimbursement of Expenses ..... 61
            5.2.5 Investigation of Counterfeits and Major Criminal Cases ..... 61

    Chapter 6: Fraud Loss Control Standards ..... 62
        6.1 Customer Responsibility for Fraud Loss Control ..... 64
        6.2 MasterCard Fraud Loss Control Program Standards ..... 64
            6.2.1 Issuer Fraud Loss Control Programs ..... 64
            6.2.2 Acquirer Fraud Loss Control Programs ..... 66
            6.2.3 Noncompliance with Fraud Loss Control Program Standards ..... 67
        6.3 MasterCard Counterfeit Card Fraud Loss Control Standards ..... 68
            6.3.1 Counterfeit Card Notification ..... 68
            6.3.2 Responsibility for Counterfeit Loss ..... 68
            6.3.3 Acquirer Counterfeit Liability Program ..... 69
        6.4 Maestro Issuer Loss Control Program (LCP) ..... 71
            6.4.1 Group 1 Issuers—Issuers with Dynamic Geo-Controls ..... 72
            6.4.2 Group 2 Issuers—Issuers without Dynamic Geo-Controls ..... 72
            6.4.3 Group 3 Issuers—Issuers Experiencing Fraud in Excess of Established Levels (“High Fraud”) ..... 73
            6.4.4 Fraud Detection Tool Implementation ..... 74
            6.4.5 Cardholder Communication Strategy ..... 74

    Chapter 7: Merchant, Submerchant, and ATM Owner Screening and Monitoring Standards ..... 75
        7.1 Screening New Merchants, Submerchants, and ATM Owners ..... 76
            7.1.1 Merchant Screening Procedures ..... 76
            7.1.2 Submerchant Screening Procedures ..... 77
            7.1.3 ATM Owner Screening Procedures ..... 78
            7.1.4 Evidence of Compliance with Screening Procedures ..... 78
            7.1.5 Retention of Investigative Records ..... 79
            7.1.6 Assessments for Noncompliance with Screening Procedures ..... 80
        7.2 Ongoing Monitoring ..... 80
        7.3 Merchant Education ..... 81
        7.4 Additional Requirements for Certain Merchant and Submerchant Categories ..... 81

    Chapter 8: MasterCard Fraud Control Programs ..... 82
        8.1 Presenting Valid Transactions ..... 84
            8.1.1 Notifying MasterCard—Acquirer Responsibilities ..... 84
            8.1.2 Notifying MasterCard—Issuer Responsibilities ..... 84
            8.1.3 MasterCard Audit ..... 84

        8.2 Global Merchant Audit Program ..... 86
            8.2.1 Acquirer Responsibilities ..... 87
            8.2.2 Tier 3 Special Merchant Audit ..... 87
            8.2.3 Chargeback Responsibility ..... 89
            8.2.4 Exclusion from the Global Merchant Audit Program ..... 90
            8.2.5 Notification of Merchant Identification ..... 92
            8.2.6 Merchant Online Status Tracking (MOST) System ..... 93
        8.3 Excessive Chargeback Program ..... 94
            8.3.1 ECP Definitions ..... 94
            8.3.2 Reporting Requirements ..... 95
            8.3.3 Assessments ..... 96
            8.3.4 Issuer Reimbursement ..... 98
            8.3.5 Additional Tier 2 ECM Requirements ..... 98
        8.4 Questionable Merchant Audit Program (QMAP) ..... 99
            8.4.1 QMAP Definitions ..... 99
            8.4.2 MasterCard Commencement of an Investigation ..... 101
            8.4.3 MasterCard Notification to Issuers ..... 101
            8.4.4 MasterCard Notification to Acquirers ..... 102
            8.4.5 Merchant Termination ..... 102
            8.4.6 MasterCard Determination ..... 102
            8.4.7 Chargeback Responsibility ..... 103
            8.4.8 Fraud Recovery ..... 103
            8.4.9 QMAP Fees ..... 104
        8.5 Issuer Monitoring Program (IMP) ..... 104
            8.5.1 Identification Criteria ..... 104
            8.5.2 MasterCard Audit and Questionnaire ..... 104
            8.5.3 Subsequent Issuer Identifications in the IMP ..... 105

    Chapter 9: MasterCard Registration Program ..... 106
        9.1 MasterCard Registration Program Overview ..... 107
        9.2 General Registration Requirements ..... 107
            9.2.1 Merchant Registration Fees and Noncompliance Assessments ..... 108
        9.3 General Monitoring Requirements ..... 109
        9.4 Additional Requirements for Specific Merchant Categories ..... 109
            9.4.1 Non-face-to-face Adult Content and Services Merchants ..... 109
            9.4.2 Non-face-to-face Gambling Merchants ..... 109
            9.4.3 Pharmaceutical and Tobacco Product Merchants ..... 111
            9.4.4 State Lottery Merchants (U.S. Region Only) ..... 112
            9.4.5 Skill Games Merchants (U.S. Region Only) ..... 113

    Chapter 10: Account Data Protection Standards and Programs ... 115
    10.1 Account Data Protection Standards ... 116
    10.2 Account Data Compromise Events ... 116
    10.2.1 Policy Concerning Account Data Compromise Events and Potential Account Data Compromise Events ... 117
    10.2.2 Responsibilities in Connection with ADC Events and Potential ADC Events ... 118
    10.2.3 Forensic Report ... 122
    10.2.4 Alternative Standards Applicable to Certain Merchants ... 123
    10.2.5 MasterCard Determination of ADC Event or Potential ADC Event ... 124
    10.2.6 Assessments and/or Disqualification for Noncompliance ... 130
    10.2.7 Final Financial Responsibility Determination ... 130
    10.3 MasterCard Site Data Protection (SDP) Program ... 131
    10.3.1 Payment Card Industry Data Security Standards ... 131
    10.3.2 Compliance Validation Tools ... 132
    10.3.3 Acquirer Compliance Requirements ... 132
    10.3.4 Implementation Schedule ... 133
    10.4 Connecting to MasterCard—Physical and Logical Security Requirements ... 140
    10.4.1 Minimum Security Requirements ... 140
    10.4.2 Additional Recommended Security Requirements ... 141
    10.4.3 Ownership of Service Delivery Point Equipment ... 141

    Chapter 11: MATCH System ... 142
    11.1 MATCH Overview ... 143
    11.1.1 System Features ... 143
    11.1.2 How does MATCH Search when Conducting an Inquiry? ... 144
    11.2 MATCH Standards ... 147
    11.2.1 Certification ... 147
    11.2.2 When to Add a Merchant to MATCH ... 148
    11.2.3 Inquiring about a Merchant ... 148
    11.2.4 MATCH Noncompliance Assessments ... 148
    11.2.5 Exceptions to MATCH Standards ... 149
    11.2.6 MATCH Record Retention ... 149
    11.3 Merchants Listed by MasterCard ... 149
    11.3.1 Questionable Merchants ... 150
    11.4 Merchant Removal from MATCH ... 150
    11.5 MATCH Reason Codes ... 151
    11.5.1 Reason Codes for Merchants Listed by the Acquirer ... 151
    11.5.2 Reason Codes for Merchants Listed by MasterCard ... 153
    11.6 Requesting Access to and Using MATCH ... 154
    11.7 Legal Notice ... 155

    Contents

    ©1991–2015 MasterCard. Proprietary. All rights reserved. Security Rules and Procedures • 5 February 2015 12

    Chapter 12: System to Avoid Fraud Effectively (SAFE) Reporting Standards ... 156
    12.1 SAFE Overview ... 157
    12.2 SAFE Fraud Reporting Standards ... 157
    12.2.1 Digital Secure Remote Payment Transactions and Tokenized Account Data ... 157
    12.3 SAFE Reason Codes ... 158
    12.4 Data Accuracy and Integrity ... 159
    12.5 Timely Reporting of MasterCard and Debit MasterCard Transactions ... 159
    12.5.1 Tier I Reporting Requirement ... 160
    12.5.2 Tier II Reporting Requirement ... 160
    12.5.3 Tier III Reporting Requirement ... 160
    12.6 Timely Reporting of Maestro Transactions ... 160
    12.7 Timely Reporting of Cirrus Transactions ... 160
    12.8 Fraud-related Chargebacks ... 161
    12.9 High Clearing Transaction Volume ... 161
    12.10 Transaction Amount ... 161
    12.11 Resubmitting Rejected Transactions ... 161
    12.12 Noncompliance Assessments ... 162
    12.13 Variances ... 162

    Chapter 13: Global Risk Management Program ... 163
    13.1 About the Global Risk Management Program ... 164
    13.1.1 Customer Onboarding Reviews ... 164
    13.1.2 Third Party Risk Reviews ... 165
    13.1.3 Customer Risk Reviews ... 165
    13.1.4 Customer Consultative Reviews ... 166
    13.2 Global Risk Management Program Review Topics ... 166
    13.2.1 Issuer Global Risk Management Program Review Topics ... 166
    13.2.2 Acquirer Global Risk Management Program Review Topics ... 167
    13.3 Global Risk Management Program Reports ... 168
    13.4 Customer Risk Review Conditions ... 168
    13.4.1 Customer Risk Review Issuer Criteria ... 168
    13.4.2 Customer Risk Review Acquirer Criteria ... 168
    13.4.3 Basis Points Calculation ... 169
    13.5 Global Risk Management Program Fees ... 169
    13.6 Noncompliance with Fraud Loss Control Standards ... 169

    Appendix A: Track Data Content and Format ... 171
    A.1 Track 1 Data Content and Format ... 172
    A.2 Track 2 Data Content and Format ... 175


    Appendix B: Formset Specifications ... 179
    B.1 MasterCard Formset Specifications ... 180
    B.1.1 Formset Physical Dimensions ... 180
    B.1.2 Standard Wording ... 180
    B.1.3 Number of Copies and Retention Requirements ... 180
    B.1.4 Paper Stock Characteristics ... 181
    B.1.5 Color of Interchange Copy ... 181
    B.1.6 Carbon ... 181
    B.1.7 Registration Mark ... 181
    B.1.8 Formset Numbering ... 181
    B.1.9 Information Slip Specifications ... 182
    B.2 Formset Printing Standards ... 182
    B.2.1 Financial Transaction Formsets ... 182
    B.2.2 Information Slip Formsets ... 183
    B.2.3 Imprinters ... 184

    Appendix C: Contact Information ... 185
    C.1 Security and Risk Services ... 186
    C.2 Merchant Fraud Control ... 186
    C.3 Account Data Compromise Events ... 187
    C.4 Card Design Management ... 187
    C.5 MasterCard Connect™ Applications ... 188
    C.6 Customer Operations Services ... 188
    C.7 Questionable Merchant Activity ... 189

    Appendix D: Best Practices Guides ... 191
    D.1 Acquirers’ Best Practices Guide ... 192
    D.2 MasterCard Debit Card and ATM Debit/Credit Card Fraud Guide ... 192
    D.3 Issuers’ Best Practices Guide ... 192
    D.4 Prepaid Card Fraud and Risk Management Best Practices Guide ... 192
    D.5 Security Guidelines for Merchants’ Terminals ... 193
    D.6 How to Access the “Best Practices” Guides ... 193

    Appendix E: Card Production Services ... 194
    E.1 Card Production Services ... 195

    Definitions ... 197


    Chapter 1 Customer Obligations

    This chapter describes general Customer compliance and Program obligations relating to MasterCard Card issuing and Merchant acquiring Program Activities.

    1.1 Compliance with the Standards ... 16
    1.2 Conflict with Law ... 16
    1.3 The Security Contact ... 16


    1.1 Compliance with the Standards

    This manual contains Standards. Each Customer must comply fully with these Standards.

    All of the Standards in this manual are assigned to noncompliance category A under the compliance framework set forth in Chapter 2 of the MasterCard Rules manual (“the compliance framework”), unless otherwise specified in the table below. The noncompliance assessment schedule provided in the compliance framework pertains to any Standard in the Security Rules and Procedures manual that does not have an established compliance Program. The Corporation may deviate from the schedule at any time.

    Section Number   Section Title                                   Category
    1.3              The Security Contact                            C
    2.3              Contracting with Card Registration Companies    C
    7.1.5            Retention of Investigative Records              C
    B.1.2            Standard Wording                                B

    1.2 Conflict with Law

    A Customer is excused from compliance with a Standard in any country or region of a country only to the extent that compliance would cause the Customer to violate local applicable law or regulation, and further provided that the Customer promptly notifies the Corporation, in writing, of the basis for and nature of an inability to comply. The Corporation has the authority to approve local alternatives to these Standards.

    1.3 The Security Contact

    Each Customer must have a Security Contact listed for each of its Member IDs/ICA numbers in the Member Information tool on MasterCard Connect™.


    Chapter 2 Card Production Standards

    This chapter may be of particular interest to Customers that issue Cards, and includes requirements for personnel responsible for the tasks associated with producing Cards.

    2.1 Compliance with Card Production Standards ... 18
    2.2 Monitoring of Personnel ... 18
    2.3 Contracting with Card Registration Companies ... 19
    2.4 Working with Vendors ... 20
    2.4.1 Order Request Required to Produce Cards ... 20
    2.4.2 Stockpiling Plastics ... 21
    2.5 Cards Without Personalization ... 21
    2.6 Card Count Discrepancies ... 21
    2.7 Reporting Card Loss or Theft ... 21
    2.8 Disposition of Unissued Cards and Account Information ... 22


    2.1 Compliance with Card Production Standards

    As used in this section, and unless otherwise specified, the term “Card production” is applicable with respect to Cards and other types of Access Devices, including Contactless Payment Devices and Mobile Payment Devices.

    An Issuer engaged in Card production must comply with all applicable Standards, including but not limited to those set forth in this chapter and in the following documents:

    • Card Design Standards

    • Card Production Physical Security Requirements

    • Card Production Logical Security Requirements

    • Security Requirements for Mobile Payment Provisioning

    The Card Production Physical Security Requirements and the Card Production Logical Security Requirements documents are available on the Payment Card Industry Security Standards Council (PCI SSC) website under the Card Production tab at www.pcisecuritystandards.org/security_standards/documents.php.

    An Issuer that uses a Card production vendor to produce Cards on its behalf must also comply with the Standards set forth in section 2.4 of this manual.

    It is recommended that an Issuer that issues and/or personalizes Cards onsite at a bank branch, retail store, or other location outside of a Card production vendor facility refer to the Security Guidelines for Instant Card Issuance and Instant Card Personalization manual for information relating to the secure issuance of Cards and protection of Cardholder data at such locations.

    Card production activities subject to compliance with these Standards include, by way of example and not limitation, the treatment and safeguarding of Cards, Card manufacture, printing, embossing, encoding, and mailing, as well as any phase of the production and distribution of Cards or Card account information.

    Refer to Appendix E of this manual for detailed descriptions of Card production activities.

    2.2 Monitoring of Personnel

    Where permissible by law, Issuers must conduct credit and criminal record checks for all personnel handling embossed or unembossed Cards, including part-time and temporary personnel.

    In addition, where permissible by law, Issuers may not employ such personnel with one or more known criminal convictions, high credit risk backgrounds, or both, in Card storage and processing areas.

    Issuers also may not allow such personnel access to account numbers, embossed or unembossed Cards, embossing or encoding equipment, nor may they engage such personnel in security or waste processing work.


    2.3 Contracting with Card Registration Companies

    A card registration company (“Company”) is any entity that stores Card account numbers and, upon notification by the Cardholder, reports the loss or theft of the Card(s) to the Issuer(s).

    Any Issuer having a contractual agreement with a Company pursuant to which the Company registers that Issuer’s Cardholder account numbers must ensure that the contract includes the following obligations on the part of the Company:

    • The Company shall maintain any Cardholder information, including, without limitation, names, addresses, phone numbers, and account numbers in strictest confidence and disclose them only to the Issuer. The Company shall keep any media containing this type of information in an area limited to selected personnel having access on a need-to-know basis. Before discarding such media, the Company shall destroy it in a manner that will render the data unreadable.

    • The Company shall control and limit access to account numbers stored in a computer environment by establishing procedures that must include, but are not limited to, a password system for computer remote terminal (CRT) access and control over dial-up lines or any other means of access.

    • The Company may not use the name of MasterCard in any promotion or advertising, except as provided by a contractual agreement with the Issuer for purposes of soliciting and providing services to the Issuer’s Cardholders. MasterCard reserves the right to approve any such materials.

    • The Company must maintain a 24-hours-per-day, seven-days-per-week service to receive Cardholder reports on lost or stolen Cards. The Company shall transmit each report immediately and in any event no later than two hours after receiving the report, by the most expeditious means, for example, phone or fax, to the appropriate Issuer.

    At a minimum, the notification must include:

    – Account number
    – Issuer’s name
    – Cardholder’s name, address, and phone number
    – Phone number where the Cardholder can be reached
    – Whether the Card was lost or stolen
    – Time and location of the reported loss or theft

    • The Company shall report any loss or theft of Cardholder information whether due to act or omission, to MasterCard and to the Issuer with which it has a contract within 24 hours of discovery of the loss or theft.

    • The Company must convey a Cardholder request for a replacement Card to the Issuer.

    • The contract must include an indemnification clause holding MasterCard, its officers, its directors and employees, its Customers, and the Issuer having the contract with the Company not liable for any loss or damage claimed by or on behalf of the Cardholder, Issuer, or other person or entity alleged to be attributable to the Company’s failure to properly provide the services described in the contract or failure to safeguard account information.

    • The Company must be covered by liability, fidelity, fire, and theft insurance and must have a disaster recovery plan to ensure continuity of services in the event of natural or other events that disrupt or threaten to disrupt service unless otherwise agreed to in writing by MasterCard. Coverage must be reasonable and adequate in consideration of the nature and volume of work performed, the plant location, physical condition, and security of the plant, and the number and duties of employees.

    • The Company must comply with all applicable laws, rules, and regulations, including, without limitation, consumer protection laws, applicable to the services offered and performed by the Company.

    2.4 Working with Vendors

    Before employing the services of a vendor to perform any of the Card production services described in Appendix E of this manual, a Customer must ensure that the vendor has been certified by MasterCard under the Global Vendor Certification Program (GVCP).

    Prior to certification and annual recertification of a vendor facility under the GVCP, MasterCard conducts an on-site audit of the facility to evaluate its compliance with the applicable physical, logical, and mobile payment provisioning security Standards set forth in the following documents:

    • Card Production Physical Security Requirements

    • Card Production Logical Security Requirements

    • Security Requirements for Mobile Payment Provisioning

    A certified vendor facility is issued a compliance certification, which is subject to annual renewal provided the vendor facility remains in good standing. The “List of Certified Vendors,” as published monthly in the Global Security Bulletin, contains the name of each vendor facility then certified and a description of the specific services that the facility is authorized to perform.

    Any agreement between an Issuer and a vendor for Card production service(s) should contain terms stating that the vendor agrees to safeguard and control usage of account data and to comply with all applicable Standards then in effect, including but not limited to those set forth in this section 2.4 and in the Card Design Standards manual.

    For more information about the GVCP, please contact MasterCard by sending an e-mail to [email protected].

    2.4.1 Order Request Required to Produce Cards

    No vendor may print or manufacture any Card, sample, or facsimile, on plastic or any other material, except in response to a specific order from a Customer or from MasterCard. A Customer may order Cards by using the Card Order Request (Form 488), available in the Library section of MasterCard Connect™, or an equivalent document that provides the same information.


    Form 488 (or an equivalent document) must be completed and retained by the vendor and Customer, and must be made available to MasterCard upon request.

    MasterCard reserves the right to request, from time to time, Card samples for review, and will communicate any such request via the Submit a Card Design Request (Manufacturer) process on MasterCard Connect.

    2.4.2 Stockpiling Plastics

    An Issuer may not encourage a vendor to stockpile plastics or Cards or use a vendor known to engage in the practice of stockpiling plastics or Cards. Stockpiling is the practice of manufacturing excess plastics or Cards in anticipation of future orders from Customers.

    2.5 Cards Without Personalization

    A Customer must not send “unfinished” Cards (as used herein, “unfinished” means a Card that has not yet been personalized with a primary account number [PAN] or expiration date) via the mail. Unfinished Cards must be shipped via secure shipping methods as described in the Card Production Physical Security Requirements. In the rare event that rapid delivery is required and secure shipping methods are infeasible, the Issuer may use an express courier service that provides shipment tracking, recipient authentication, and receipt confirmation for the shipment of no more than 500 unfinished Cards per day.

    2.6 Card Count Discrepancies

    Upon receiving a shipment of Cards, the Issuer must verify that the correct Card quantity was delivered and take immediate action to resolve any Card count discrepancy and recover any missing Cards. The Issuer may use the Card count noted on each sealed carton in the Card count verification. Sealed cartons may also be opened at random, audited, and resealed. All open cartons and all sealed cartons with no Card count noted on the carton must have the contents counted.

    2.7 Reporting Card Loss or Theft

    Within 24 hours of discovery, a Customer must report to MasterCard the suspected or confirmed loss or theft of any Cards while in transit from a vendor or in the Customer’s possession. The report must be sent via e-mail to [email protected] and contain the following information:

    • Issuer name and Member ID/ICA number

    • Card type and quantity

    • With respect to the loss or theft of Cards while in transit from a vendor:

    – The vendor name
    – The location from which the Cards were shipped
    – The date and method of shipment
    – The address to which the Cards were shipped

    • Pertinent details about the loss and the investigation

    • Name and phone number of contact for additional information

    • Name and phone number of person reporting the loss or theft

    2.8 Disposition of Unissued Cards and Account Information

    A Customer that ceases to issue Cards must promptly destroy or otherwise properly dispose of all unissued Cards and all media containing Card Account information.


    Chapter 3 Card and TID Design Standards

    This chapter may be of particular interest to Issuers and vendors certified by MasterCard responsible for the design, creation, and control of Cards. It provides specifications for all MasterCard, Maestro, and Cirrus Card Programs worldwide.

    3.1 Principles of Standardization ... 24
    3.2 MasterCard Account Number ... 24
    3.3 Maestro and Cirrus Account Numbers ... 25
    3.4 Signature Panel ... 26
    3.5 Magnetic Stripe or MasterCard HoloMag Encoding ... 26
    3.5.1 Card Validation Code 1 (CVC 1) ... 26
    3.5.2 Service Code ... 26
    3.5.3 Cardholder Name ... 27
    3.5.4 Expiration Date ... 28
    3.6 Chip Cards ... 29
    3.6.1 Chip Card Applications ... 30
    3.6.1.1 Compliance Assessment and Security Testing ... 30
    3.6.1.2 Integrated Circuit Chip Providers ... 31
    3.6.2 Multiple Application Chip Cards ... 31
    3.6.3 Use of M/Chip Card Application Specifications ... 31
    3.7 Contactless Cards and Payment Devices ... 31
    3.8 Mobile Payment Devices ... 32
    3.9 Card Validation Code (CVC) ... 33
    3.9.1 Issuer Requirements for CVC 1 ... 34
    3.9.2 Issuer Requirements for CVC 2 ... 34
    3.9.3 Issuer Requirements for CVC 3 ... 35
    3.9.4 Acquirer Requirements for CVC 2 ... 35
    3.9.5 CVC Calculation Methods ... 35
    3.10 Service Codes ... 37
    3.10.1 Issuer Information ... 37
    3.10.2 Acquirer Information ... 38
    3.10.3 Valid Service Codes ... 38
    3.10.4 Additional Service Code Information ... 39
    3.11 Transaction Information Documents (TIDs) ... 40
    3.11.1 Formset Contents ... 40
    3.11.2 POS Terminal Receipt Contents ... 41
    3.11.3 Primary Account Number Truncation and Expiration Date Omission ... 42


    3.1 Principles of Standardization

    All Cards must be usable in all standard magnetic stripe Card-reading devices, and if a chip is present, in all hybrid terminals and devices, so that the electronic interchange of Transaction data is possible.

    All embossed Cards must be usable in all standard imprinters—the embossed information must produce a clear imprint and comply with all positioning and type font Standards.

    All Cards containing a chip must be EMV-compliant. Such Cards are called Chip Cards.

    All Chip Cards must have a single primary application defined by MasterCard that resides on the chip and on the magnetic stripe; the Account information appearing on the Card front must be for the primary application resident on the magnetic stripe. No Payment Application resident on the chip of a Card issued in the United States Region may have a higher application priority than the Card’s primary application.

    All Payment Applications on a Chip Card must have a valid date (if applicable) and expiration date within or the same as the dates present on the Card front. The valid dates appearing on the Card front must be those of the primary application on the Card.

    NOTE

    A Hybrid Point-of-Sale (POS) Terminal can read both magnetic-stripe and chip Transactions and must be EMV-compliant, as set forth in section 4.8 of this manual.

    NOTE

    In 1996, Europay (now a wholly owned subsidiary of MasterCard and renamed MasterCard Europe SPRL), MasterCard, and Visa developed Standards for integrated circuit Cards (ICCs), terminals, and applications. EMVCo, LLC, established in 1999, is the organization that oversees and maintains the EMV specifications.

    All Issuers must comply with the Card Design Standards, available on MasterCard Connect™, including but not limited to requirements relating to:

    • Physical Card materials, dimensions, and measurements for the Card's embossing, magnetic stripe, chip, Marks, and other Card features;

    • Card design; and

    • Use of Card activation and selective authorization disclosure stickers.

    3.2 MasterCard Account Number

    The account number identifies the Issuer’s bank identification number (BIN), Issuer-assigned portion of the account number, and check digit, as shown in Table 3.1.


    Table 3.1—MasterCard Account Number Sample Configuration

    MasterCard Account number = 5412 75XX XXXX 9999

    Configuration is as follows:

    5412 75        Issuer BIN assigned by MasterCard
    XX XXXX 999    Issuer-assigned portion of the Account number
    9              Check digit

    MasterCard assigns BINs from a block of numbers reserved by the International Organization for Standardization (ISO) for the exclusive use of MasterCard. MasterCard BINs range from 510000–559999.

    The check digit is calculated using the Luhn Formula for Computing Modulus 10 (“Double-Add-Double”) Check Digit.

    3.3 Maestro and Cirrus Account Numbers

    The primary account number (PAN) of a Maestro Account or Cirrus Account must be no less than 12 numeric digits and no more than 19 numeric digits in length. The PAN includes the Issuer identification number (IIN, or BIN), the Issuer-assigned portion of the individual Account number, and a check digit calculated using the Luhn Formula for Computing Modulus 10 (“Double-Add-Double”) Check Digit.

    The IIN typically appears in the first six digits of the PAN, and must be assigned by the ISO Registration Authority, or a delegated authority such as MasterCard. In the event that an Issuer is found to be using an IIN that has been assigned by ISO to another entity, then within three months from the date on which ISO makes its final determination of the proper assignment of the IIN, the Issuer must replace all Cards using such IIN and MasterCard will reassign the IIN to the appropriate entity in its routing tables.

    A Customer may request MasterCard to assign an IIN(s) for Maestro and Cirrus Cards. In the Europe Region, MasterCard assigns IINs from the 639000 to 639099 and 670000 to 679999 ranges, with IINs in the ranges 675900 to 675999 and 676770 to 676774 assigned only for Maestro Card issuance in the United Kingdom. These ranges are reserved by ISO for exclusive use by MasterCard. IINs from these ranges are assigned to Customers for the issuance of Cards and may not be used for any other purpose without the prior written agreement of MasterCard. These ranges must not be used to issue cards bearing competing global or regional brands.
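    The account number rules of sections 3.2 and 3.3 carried into working code, as an added example (written for this edit, not MasterCard's own code): the Modulus 10 (“Double-Add-Double”) check digit is computed and verified, a MasterCard PAN is checked against the 510000–559999 BIN range, a Maestro or Cirrus PAN against the 12 to 19 digit length, and a six-digit IIN is classified against the Europe Region ranges quoted above. The 16-digit length for MasterCard Cards is an assumption taken from the Table 3.1 sample, and the account numbers used in main are constructed test values; the function names are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// digitsOnly removes the spaces of the printed "5412 75XX XXXX 9999" layout.
func digitsOnly(pan string) string { return strings.ReplaceAll(pan, " ", "") }

func allDigits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// LuhnCheckDigit computes the Modulus 10 ("Double-Add-Double") check digit
// for body, the account number without its final digit. Working from the
// right, every other digit is doubled (the one next to the check digit
// first); a doubled value above 9 has 9 subtracted before it is summed.
func LuhnCheckDigit(body string) (byte, error) {
	if !allDigits(body) {
		return 0, fmt.Errorf("account number body %q is not all digits", body)
	}
	sum := 0
	double := true
	for i := len(body) - 1; i >= 0; i-- {
		d := int(body[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return byte('0' + (10-sum%10)%10), nil
}

// LuhnValid reports whether the last digit of pan is the correct check digit.
func LuhnValid(pan string) bool {
	p := digitsOnly(pan)
	if len(p) < 2 {
		return false
	}
	cd, err := LuhnCheckDigit(p[:len(p)-1])
	return err == nil && cd == p[len(p)-1]
}

// ValidateMasterCardPAN applies section 3.2: the 16-digit layout of Table 3.1
// (assumed from the sample), a BIN within 510000–559999, and a valid check digit.
func ValidateMasterCardPAN(pan string) error {
	p := digitsOnly(pan)
	if len(p) != 16 || !allDigits(p) {
		return fmt.Errorf("expected 16 digits, got %q", p)
	}
	// Equal-length digit strings compare numerically as strings.
	if bin := p[:6]; bin < "510000" || bin > "559999" {
		return fmt.Errorf("BIN %s outside the MasterCard range 510000–559999", bin)
	}
	if !LuhnValid(p) {
		return fmt.Errorf("check digit of %s is wrong", p)
	}
	return nil
}

// ValidateMaestroCirrusPAN applies section 3.3: 12 to 19 digits and a valid
// check digit. IIN assignment is checked separately by EuropeIINClass.
func ValidateMaestroCirrusPAN(pan string) error {
	p := digitsOnly(pan)
	if len(p) < 12 || len(p) > 19 || !allDigits(p) {
		return fmt.Errorf("PAN %q must be 12–19 digits", p)
	}
	if !LuhnValid(p) {
		return fmt.Errorf("check digit of %s is wrong", p)
	}
	return nil
}

// EuropeIINClass classifies a six-digit IIN against the Europe Region ranges
// of section 3.3: "uk-maestro" for 675900–675999 and 676770–676774 (United
// Kingdom Maestro issuance only), "europe" for the rest of 639000–639099 and
// 670000–679999, and "" for anything else.
func EuropeIINClass(iin string) string {
	if len(iin) != 6 || !allDigits(iin) {
		return ""
	}
	in := func(lo, hi string) bool { return iin >= lo && iin <= hi }
	switch {
	case in("675900", "675999"), in("676770", "676774"):
		return "uk-maestro"
	case in("639000", "639099"), in("670000", "679999"):
		return "europe"
	}
	return ""
}

func main() {
	// Constructed test numbers; the last one has a correct check digit but a non-MasterCard BIN.
	for _, pan := range []string{"5555 5555 5555 4444", "5555 5555 5555 4443", "4111 1111 1111 1111"} {
		fmt.Printf("%s: %v\n", pan, ValidateMasterCardPAN(pan))
	}
	fmt.Println("675950 ->", EuropeIINClass("675950"))
}
```

    The BIN comparison works on strings only because both operands are exactly six digits; a host that stores BINs as integers should compare them as integers.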


  • 3.4 Signature Panel

    Upon issuance or re-issuance, an Issuer must include written notice to all Cardholders to sign all Cards immediately when received and before initial use. Only the authorized Cardholder (the person whose name appears on the Card front) may sign the Card back. The name signed by the authorized Cardholder must match the name that appears on the Card front, regardless of the language used by the Cardholder to sign his or her name. The Issuer must state this as a condition of Card use. (The vehicle-assigned MasterCard Corporate Fleet Card is exempt from this requirement.)

    3.5 Magnetic Stripe or MasterCard HoloMag Encoding

    The specifications for the physical and magnetic characteristics of the magnetic stripe on Cards must comply with ISO 7813 Credit Cards—Magnetic Stripe Encoding for Tracks 1 and 2. Production of Card plastics with low coercivity magnetic tape is prohibited. Alternatively, the Issuer may use MasterCard HoloMag™ in place of the magnetic stripe.

    The Issuer of a MasterCard Card must ensure that the encoded magnetic stripe contains Track 1 and Track 2 data, and also includes the information specified in this chapter.

    For a Maestro Card or Cirrus Card, only the encoding of Track 2 data is required; the encoding of Track 1 data is optional. If Track 3 is encoded, the encoding must comply with ISO 4909 Bank Cards—Magnetic Stripe Content for Track 3.

    An Acquirer must transmit the full unedited magnetic stripe data with each magnetic stripe-based electronically authorized Transaction.

    NOTE

    The transmission of the entire contents of Track 1 or Track 2 data must be unaltered and unedited, and cannot be truncated.

    3.5.1 Card Validation Code 1 (CVC 1)

    Track 1 and Track 2 of the magnetic stripe must be encoded with a CVC 1 value. Refer to section 3.9.5 of this manual for Card validation code requirements, calculation methods, and verification data.

    3.5.2 Service Code

    Track 1 and Track 2 of the magnetic stripe must contain an encoded three-digit service code value. Refer to section 3.10 of this manual for service code usage requirements.


  • 3.5.3 Cardholder Name

    NOTE

    The Cardholder’s name must be present in the Account Information Area and encoded on the magnetic stripe.

    The encoded Cardholder Name field in Track 1 is a variable length, alphanumeric field, with a maximum length of 26 characters within (up to) three subfields. Due to the variable length of the field, the starting position of each remaining field depends on the ending position of the Cardholder name. The Cardholder Name and Content Format table shown in Appendix A defines the specifications for encoding the Cardholder name on the magnetic stripe.

    NOTE

    Characters “%”, “^”, and “?” cannot be used in the Cardholder Name field, because they are used only for specified encoding purposes.

    Use the following specifications to encode the Cardholder name on the magnetic stripe of all Cards:

    • If the Card is a MasterCard Corporate Card product, the Cardholder name encoded on Track 1 and the name present in the Account Information Area should be the same, although the formats are different.

    For example:

    BROWN/ROBERT S

    • Issuers engaged in the instant issuance and/or instant personalization of Cards under the MasterCard Unembossed or MasterCard Electronic Programs or the issuance of non-personalized prepaid Cards must ensure that when a Program name appears on the Card front in place of the Cardholder name, the same Program name is also encoded in the Cardholder Name field in Track 1.

    • The magnetic stripe may encode a Cardholder’s title, such as Dr., Sir, or Mrs. A separator period (.) must precede the title.

    For example:

    BROWN/ROBERT S.DR

    • If two Cardholder names are present in the Account Information Area on the same Card, encode in any of the following four formats:

    BROWN/ROBERT S or

    BROWN/AGNES T or

    BROWN/ROBERT AGNES or

    BROWN/ROBERT S.MR MRS

    • If a Card has a company name present in the Account Information Area, in addition to a Cardholder name, encode the Cardholder name.


  • For example:

    Present in the Account Information Area: ROBERT S. BROWN

    ALPHA COMPANY

    Encoded on the magnetic stripe: BROWN/ROBERT S

    NOTE

    The subfields surname, initials or first name, and title may contain spaces. For example:

    Present in the Account Information Area: RT REV ROBERT J SMITH

    Encoded on the magnetic stripe: SMITH/ROBERT J.RT REV

    3.5.4 Expiration Date

    The following guidelines apply for the encoded expiration date:

    • The Card-read stripe must include the encoded Account’s expiration date. Acceptable expiration date values are:

    Year 00–99

    Month 01–12

    • The format for the encoded expiration date is YYMM to comply with ISO specifications.

    • The encoded expiration date on Track 1 must be the same as the expiration date encoded on Track 2 and present in the Account Information Area.

    • Do not encode the start date for dual dating, except as part of the Discretionary Data field on Track 1 and Track 2 of the magnetic stripe.

    A Maestro or Cirrus Card must not use a maximum validity period of more than 20 years from the date of issuance or, for non-expiring Cards, the designated default value of 4912 (December 2049) must be used. For a Maestro or Cirrus Card issued in the Europe Region and using the Europay Security Platform (ESP) PIN Verification Value (PVV), the maximum validity period is the current year plus four (effectively a five-year validity period).

    The expiration date of a Chip Card must not exceed the expiration date of any of the certificates contained within the chip. In the case of a non-expiring Chip Card:

    1. The settings within the chip must force every Transaction online for authorization or decline the Transaction if online authorization is not possible;

    2. The Chip Card must not contain an offline Card Authentication Method (CAM) certificate; and

    3. The Issuer must utilize full EMV processing.
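    The Cardholder Name rules of section 3.5.3 and the expiration date rules of section 3.5.4 applied to Track 1 and Track 2 data, as an added example (written for this edit; not MasterCard's code): the name field is limited to 26 characters, rejected if it contains “%”, “^” or “?”, and split into the surname, first name or initials, and title subfields (spaces allowed in each); the expiration date must be YYMM with a month of 01–12; and the Track 1 date must equal the Track 2 date. The track layout (“%B”, “^”, “?” sentinels on Track 1 and “;”, “=”, “?” on Track 2) is assumed from ISO 7813, which the manual references but does not reproduce, and the two sample tracks are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample tracks (not taken from the manual), laid out as assumed
// from ISO 7813: Track 1 "%B<PAN>^<NAME>^<YYMM><service code><discretionary>?"
// and Track 2 ";<PAN>=<YYMM><service code><discretionary>?".
const (
	SampleTrack1 = "%B5412750000009994^BROWN/ROBERT S.DR^25122010000000000000?"
	SampleTrack2 = ";5412750000009994=251220100000000000?"
)

// Name holds the Track 1 Cardholder Name subfields of section 3.5.3.
type Name struct{ Surname, Given, Title string }

// Track holds the fields read from either track; Name is filled for Track 1 only.
type Track struct {
	PAN, Expiry, ServiceCode, Discretionary string
	Name                                    Name
}

func allDigits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// ParseName applies section 3.5.3: at most 26 characters, none of "%", "^"
// or "?", SURNAME/GIVEN with an optional ".TITLE"; every subfield may
// contain spaces ("SMITH/ROBERT J.RT REV").
func ParseName(field string) (Name, error) {
	if field == "" || len(field) > 26 {
		return Name{}, fmt.Errorf("cardholder name length %d outside 1-26", len(field))
	}
	if strings.ContainsAny(field, "%^?") {
		return Name{}, errors.New(`cardholder name contains a reserved character ("%", "^" or "?")`)
	}
	surname, rest, ok := strings.Cut(field, "/")
	if !ok || surname == "" {
		return Name{}, errors.New("cardholder name lacks the SURNAME/ separator")
	}
	given, title, _ := strings.Cut(rest, ".")
	return Name{Surname: surname, Given: given, Title: title}, nil
}

// parseTail reads the YYMM expiration date (section 3.5.4: year 00-99,
// month 01-12), the three-digit service code and the discretionary data.
func parseTail(tail string) (expiry, sc, disc string, err error) {
	if len(tail) < 7 || !allDigits(tail[:7]) {
		return "", "", "", fmt.Errorf("expected YYMM and service code digits, got %q", tail)
	}
	if mm := tail[2:4]; mm < "01" || mm > "12" {
		return "", "", "", fmt.Errorf("expiration month %s outside 01-12", mm)
	}
	return tail[:4], tail[4:7], tail[7:], nil
}

func ParseTrack1(t string) (Track, error) {
	if !strings.HasPrefix(t, "%B") || !strings.HasSuffix(t, "?") {
		return Track{}, errors.New("track 1 must start with %B and end with ?")
	}
	parts := strings.Split(t[2:len(t)-1], "^")
	if len(parts) != 3 || !allDigits(parts[0]) {
		return Track{}, errors.New("track 1 needs PAN^NAME^data with a numeric PAN")
	}
	name, err := ParseName(parts[1])
	if err != nil {
		return Track{}, err
	}
	exp, sc, disc, err := parseTail(parts[2])
	return Track{PAN: parts[0], Expiry: exp, ServiceCode: sc, Discretionary: disc, Name: name}, err
}

func ParseTrack2(t string) (Track, error) {
	if !strings.HasPrefix(t, ";") || !strings.HasSuffix(t, "?") {
		return Track{}, errors.New("track 2 must start with ; and end with ?")
	}
	pan, tail, ok := strings.Cut(t[1:len(t)-1], "=")
	if !ok || !allDigits(pan) {
		return Track{}, errors.New("track 2 needs PAN=data with a numeric PAN")
	}
	exp, sc, disc, err := parseTail(tail)
	return Track{PAN: pan, Expiry: exp, ServiceCode: sc, Discretionary: disc}, err
}

// CrossCheck enforces that both tracks carry the same PAN and, per section
// 3.5.4, the same expiration date.
func CrossCheck(t1, t2 Track) error {
	if t1.PAN != t2.PAN {
		return errors.New("PAN differs between Track 1 and Track 2")
	}
	if t1.Expiry != t2.Expiry {
		return fmt.Errorf("expiration date %s on Track 1 but %s on Track 2", t1.Expiry, t2.Expiry)
	}
	return nil
}

func main() {
	t1, _ := ParseTrack1(SampleTrack1)
	t2, _ := ParseTrack2(SampleTrack2)
	fmt.Printf("%+v\n%+v\ncross-check: %v\n", t1, t2, CrossCheck(t1, t2))
}
```

    The parser deliberately keeps the discretionary data opaque: the CVC 1 that section 3.5.1 places there is verified by the Issuer host, not by whoever reads the stripe.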


  • 3.6 Chip Cards

    Chip Cards, also known as integrated circuit or smart Cards, are credit or debit Cards containing computer chips with memory and interactive capabilities and can be used to identify and store additional data about the Cardholder, Cardholder account, or both. Chip Cards may have contact functionality or both contact and contactless functionality.

    Issuers of Chip Cards must comply with all applicable Standards, including but not limited to the Standards set forth in the M/Chip Requirements manual and other M/Chip documentation, and with the EMV specifications.

    The Issuer of a Chip Card must implement M/Chip as the EMV payment application on the Card, in accordance with a current M/Chip Card application specification.

    A contact Chip Card may be issued or re-issued under an online-only Card Program (herein, an “online-only contact chip Card”). An online-only contact chip Card is configured to always require a POS Terminal to obtain online authorization from the Issuer for a contact chip Transaction.

    Effective as of the dates described below, the Issuer of a contact Chip Card must perform an online Card authentication method (online CAM) for each online-authorized contact Chip Transaction by validating the Authorization Request Cryptogram (ARQC) contained in the Authorization Request/0100 or Financial Transaction Request/0200 message and populating DE 55, including an Authorization Response Cryptogram (ARPC), in the Authorization Request Response/0110 or Financial Transaction Request Response/0210 message. Alternatively, if the Issuer’s host system does not support ARQC validation, the Issuer must be enrolled in the MasterCard M/Chip Cryptogram Pre-Validation Service.

    • Any Issuer located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle East/Africa Region that is not in compliance must establish a compliance action plan by 1 January 2015.

    • All Issuers located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle East/Africa Region must be in compliance by 17 April 2015.

    • All Issuers located in the United States Region must be in compliance by 1 October 2015.

    • Must, at a minimum, support DDA as the offline CAM for contact chip Transactions, except Cards issued under an online-only Card Program; and

    • Must not support SDA.

    Any Chip Card issued or re-issued in the United States Region, if configured to support offline authorization, must support DDA or both DDA and CDA as the offline CAM(s) for contact chip Transactions and must not support SDA.

    NOTE

    Issuers must define their priority of PIN verification methods within the chip. Offline PIN verification is recommended as the first priority.

    Support of CDA on Chip Cards is optional.

    3.6.1 Chip Card Applications

    All Payment Applications must be type-approved by MasterCard, prior to Chip Card production. Furthermore, the composition of the chip, operating system (if present), and the EMV application must have successfully passed a Compliance Assessment and Security Testing (CAST) security evaluation.

    Issuers must define within the chip the preferred verification method for Point-of-Interaction (POI) Transactions. A non-Customer that personalizes Payment Applications acts on behalf of the Card Issuer and must conform to MasterCard security Standards.

    Issuers using M/Chip 4 should refer to the M/Chip Personalization Data Specifications and Profiles and the M/Chip 4 Version 1.1 Issuer Guide to Debit and Credit Parameter Management for more information.

    Issuers using M/Chip Advance should refer to the M/Chip Advance Personalization Data Specifications and the M/Chip Advance—Issuer Guide for more information.

  • 3.6.1.2 Integrated Circuit Chip Providers

    An Issuer must obtain all EMV chips for embedding on a Card from an EMV chip manufacturer that has been approved in advance by MasterCard.

    MasterCard publishes a list of approved EMV chip manufacturers periodically in a Global Security Bulletin. Or for more information, contact the Chip Help Desk at [email protected].

    3.6.2 Multiple Application Chip Cards

    Any Card Program may reside on a chip, and any combination of Card Programs may reside together on a single Chip Card. All credit, debit, charge, and stored-value applications residing on a single Chip Card must be offered by, and are the responsibility of, the Card Issuer.

    Additionally, all other applications stored on a Chip Card by any Issuer, or any other party at an Issuer’s request, must conform to all relevant technical specifications of MasterCard or its agent.

    3.6.3 Use of M/Chip Card Application Specifications

    Chip Card products that incorporate any implementation of the MasterCard M/Chip Card application specifications may only be used on MasterCard, Maestro, and Cirrus Cards and Access Devices, unless otherwise agreed in writing by MasterCard.

    The M/Chip Card application specifications are available on MasterCard Connect in the Chip Information Center.

    3.7 Contactless Cards and Payment Devices

    MasterCard prohibits the encoding of the Cardholder name in the contactless chip of a contactless-enabled Card ("Contactless Card") or Contactless Payment Device that allows such information to be transmitted via the radio frequency (RF) contactless interface. This restriction applies to all newly issued and re-issued contactless-enabled Cards and Contactless Payment Devices.

    Effective as of the dates described below, the Issuer of a Contactless Card or Contactless Payment Device must perform an online CAM for each online-authorized EMV Mode Contactless Transaction by validating the Authorization Request Cryptogram (ARQC) contained in the Authorization Request/0100 or Financial Transaction Request/0200 message. Alternatively, if the Issuer's host system does not support ARQC validation, the Issuer must be enrolled in the MasterCard M/Chip Cryptogram Pre-Validation Service.

    • Any Issuer located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle East/Africa Region that is not in compliance must establish a compliance action plan by 1 January 2015.

    • All Issuers located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle East/Africa Region must be in compliance by 17 April 2015.


    • All Issuers located in the United States Region must be in compliance by 1 October 2015.

    Refer to the M/Chip Requirements for additional details.

    or different and/or Digital Secure Remote Payment (DSRP) Secure Element (SE)-based Mobile MasterCard PayPass User Interface Application Requirements, M/Chip Mobile Issuer Implementation Guide v1.1,

    For Mobile Payment Devices supporting MasterCard contactless payment or DSRP functionality that do not use an SE, Issuers should refer to the MasterCard Cloud-Based Payment (MCBP) documentation.

    CAST approval. Prior to issuance of the SE-based M/Chip Mobile Issuer Implementation Guide v1.1 M/Chip Requirements

  • Refer to the M/Chip Processing Services—Service Description manual for information about the Chip-to-Magnetic Stripe Conversion Service.

    3.9.1 Issuer Requirements for CVC 1

    MasterCard Issuers must:

    • Encode the CVC 1 on Tracks 1 and 2

    • Verify the encoded CVC 1 when processing a Card-read authorization request

    The Issuer verifies the CVC 1 value from the Card-read data as transmitted in the authorization request during the online authorization process. The Issuer’s host can perform the verification.

    NOTE

    Certification is required for Issuers to validate the CVC 1 value during the authorization process and to signal CVC 1 validation errors. Refer to Chapter 4 of the Authorization Manual for more information.

    When an Issuer is “timed out” or unavailable, the Stand-In Processing Service provides an authorization request response. If an Issuer is signed up for CVC 1 verification, the Stand-In Processing Service performs an additional test to verify that the CVC 1 value is valid.

    MasterCard may mandate participation in the CVC 1 verification in the Stand-In Processing Service for an Issuer with both 35 basis points of Transactions authorized by means of Stand-In processing and significant counterfeit activity within a calendar quarter. Refer to Chapter 6 of the Authorization Manual for more information.

    3.9.2 Issuer Requirements for CVC 2

    An Issuer must verify the CVC 2 value when provided by the Merchant and transmitted by the Acquirer in Data Element (DE) 48 (Additional Data—Private Use), subelement 92 (CVC 2) of the Authorization Request/0100 message. Issuers must verify the CVC 2 value by providing a valid CVC 2 response code of M (valid CVC 2 [match]), N (invalid CVC 2 [non-match]), or P (CVC 2 not processed—Issuer temporarily unavailable) in DE 48, subelement 87 (Card Validation Code Result) of the Authorization Request Response/0110 message.

    For Intracountry Maestro POS Transactions occurring within the U.K., Ireland, and France only, the following applies:

    • If an Issuer receives CVC 2 data in an authorization request and it is invalid (for example, DE 48, subelement 92 [CVC 2] is not blank and the data does not match the data held in the Issuer's records), the authorization request must be declined.

    • If an authorization request with invalid CVC 2 data is approved, the Issuer cannot use a fraud-related message reason code to charge back the Transaction.
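    The Issuer-side CVC 2 decision of section 3.9.2, as an added example (constructed for this edit; not MasterCard's or any Issuer's code): the value received in DE 48, subelement 92 is compared with the Issuer's record, the result is reported in DE 48, subelement 87 as M, N or P, and an invalid CVC 2 on an Intracountry Maestro POS Transaction in the U.K., Ireland or France is declined. The message is modelled as a Go struct whose field names for the subelements, the country codes, the stand-in card file and the DeclineOnMismatch policy switch are all the example's own assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// AuthRequest carries the parts of an Authorization Request/0100 message this
// example needs. DE48SE92 is DE 48 subelement 92 (CVC 2) as transmitted by
// the Acquirer; "" means the Merchant provided no CVC 2.
type AuthRequest struct {
	PAN          string
	DE48SE92     string
	Product      string // "Maestro" or "MasterCard"
	Intracountry bool   // POS Transaction with Issuer and Merchant in the same country
	Country      string // that country as ISO 3166-1 alpha-2 ("GB", "IE", "FR", ...)
}

// AuthResponse holds DE 48 subelement 87 (Card Validation Code Result) for
// the Authorization Request Response/0110 message and the decision that the
// CVC 2 check alone contributes to the authorization.
type AuthResponse struct {
	DE48SE87 string // "M" match, "N" non-match, "P" not processed, "" not applicable
	Decline  bool
	Note     string
}

// IssuerHost is a stand-in for the Issuer's host system (constructed for this
// example). CVC2ByPAN models the card file, Available whether CVC 2
// verification is currently possible, and DeclineOnMismatch the Issuer's own
// policy where the manual does not make a decline mandatory.
type IssuerHost struct {
	CVC2ByPAN         map[string]string
	Available         bool
	DeclineOnMismatch bool
}

// mandatoryDecline lists where an invalid CVC 2 on an Intracountry Maestro
// POS Transaction must be declined (section 3.9.2: U.K., Ireland, France).
var mandatoryDecline = map[string]bool{"GB": true, "IE": true, "FR": true}

// VerifyCVC2 produces the subelement 87 result and the CVC 2 decision; all
// other authorization checks are out of scope for this example.
func (h IssuerHost) VerifyCVC2(req AuthRequest) AuthResponse {
	if req.DE48SE92 == "" {
		return AuthResponse{Note: "no CVC 2 in DE 48 SE 92; nothing to verify"}
	}
	if !h.Available {
		return AuthResponse{DE48SE87: "P", Note: "CVC 2 not processed, Issuer temporarily unavailable"}
	}
	onRecord, known := h.CVC2ByPAN[req.PAN]
	// Constant-time comparison so that response timing does not reveal how
	// many leading digits of a guessed value were right.
	if known && subtle.ConstantTimeCompare([]byte(onRecord), []byte(req.DE48SE92)) == 1 {
		return AuthResponse{DE48SE87: "M", Note: "CVC 2 match"}
	}
	if req.Product == "Maestro" && req.Intracountry && mandatoryDecline[req.Country] {
		return AuthResponse{DE48SE87: "N", Decline: true,
			Note: fmt.Sprintf("invalid CVC 2 on Intracountry Maestro POS Transaction in %s: decline is mandatory", req.Country)}
	}
	return AuthResponse{DE48SE87: "N", Decline: h.DeclineOnMismatch, Note: "CVC 2 non-match; Issuer policy decides"}
}

func main() {
	host := IssuerHost{CVC2ByPAN: map[string]string{"5555555555554444": "123"}, Available: true}
	fmt.Printf("%+v\n", host.VerifyCVC2(AuthRequest{PAN: "5555555555554444", DE48SE92: "123"}))
	fmt.Printf("%+v\n", host.VerifyCVC2(AuthRequest{PAN: "5555555555554444", DE48SE92: "999",
		Product: "Maestro", Intracountry: true, Country: "GB"}))
}
```

    A real host would not keep CVC 2 values in a lookup table but recompute them under the Issuer's keys (section 3.9.5); the map stands in for that so the decision logic can run offline.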


  • 3.9.3 Issuer Requirements for CVC 3

    An Issuer must enable a dynamic CVC 3 on the contactless chip for all magnetic stripe profile Contactless Transactions performed by magnetic stripe profile Contactless Chip Cards and Contactless Payment Devices.

    All new contactless-enabled Chip Cards and Contactless Payment Devices issued on or after 1 January 2010 that are capable of performing magnetic stripe profile Contactless Transactions must generate a dynamic CVC 3.

    An Issuer must verify the CVC 3 value and provide the result in the response when processing the authorization received from a Contactless Transaction.

    3.9.4 Acquirer Requirements for CVC 2

    When the Merchant provides the indent-printed CVC 2 value, the Acquirer must include the CVC 2 value in DE 48, subelement 92 of the Authorization Request/0100 message. The Acquirer is also responsible for ensuring that the Merchant receives the CVC 2 response code provided by the Issuer in DE 48, subelement 87 of the Authorization Request Response/0110 message.

    All non-face-to-face gambling Transactions conducted with a MasterCard Card must include the CVC 2 value in DE 48, subelement 92 of the Authorization Request/0100 message.

    3.9.5 CVC Calculation Methods

    The Issuer may calculate the CVC 1, CVC 2, and Chip CVC by one of two methods:

    • Issuer proprietary calculation—which gives the Issuer the option to derive the CVC algorithmically.

    • Data Encryption Standard (DES) software—where the Issuer can perform the calculation through a DES software application within a host system or through use of a tamper-resistant security module (TRSM).

    Issuers that choose the DES software method must use the DES algorithm procedure to generate the CVC 1, CVC 2, and Chip CVC.

    The DES algorithm procedure is described below and is also published in the following documents:

    • ANSI X3.92-1981 American National Standard, Data Encryption Algorithm

    • ISO/IEC 18033-3:2010, Information technology—Security techniques—Encryption algorithms—Part 3: Block ciphers (see Annex A)

    The DES method algorithm generates the three-digit CVC 1 for the Discretionary Data field of Track 1 and Track 2. The Issuer also uses this method to develop the three-digit CVC 2 and Chip CVC. This algorithm procedure applies only to Issuers that implement the CVC generation process in their host systems.

    MasterCard requires two 64-bit cryptographic DES keys for use in the generation process. An Issuer may use the same two 64-bit DES keys for generating the CVC 1, CVC 2, and Chip CVC (but not the CVC 3) provided that separate service codes are used. The same keys should not be shared among multiple Issuers, such as when Issuers use a common Service Provider for CVC 1, CVC 2, and Chip CVC processing.

    MasterCard strongly discourages Issuers from using a CVC 2 value of “000”.

    The DES algorithm procedure is performed by following the 8 steps below:

    1. If the primary account number (PAN) is longer than 16 digits, extract the last 16 digits of the PAN.

    2. Construct a string of bits by concatenating (left to right) the sequence of 4-bit values (or nibbles), each of which is the binary representation of a numeric digit in the CVC Data Elements, in the order indicated in Table 3.2:

    NOTE

    The Issuer must perform independent calculations to produce each CVC value.

    Table 3.2—CVC Data Elements

    Data element 1 (Length 16), the same for CVC 1, CVC 2, and Chip CVC:
    Output from Step 1

    Data element 2 (Length 4), Card expiration date:
    For CVC 1: as presented in Track 2 encoding
    For CVC 2: as presented in the Account Information Area of the Card front
    For Chip CVC: as presented in Track 2 Equivalent Data encoding

    Data element 3, Service code:
    For CVC 1: Service code value must NOT be “000”
    For CVC 2: Servi
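    Steps 1 and 2 of the DES procedure carried into Go, as an added example (written for this edit; not MasterCard's code): the last 16 digits of the PAN, the YYMM expiration date and the three-digit service code are concatenated as 4-bit nibbles, and a CVC is generated under Key A and Key B and verified in constant time. The manual's steps 3 to 8 and the rest of Table 3.2 are cut off in this copy, so everything after step 2 here (zero-padding to 128 bits, encrypting the first block under Key A, XOR with the second block, encrypt under Key A, decrypt under Key B, encrypt under Key A, then taking decimal digits before hex digits A–F minus 10) follows the widely published two-key DES CVC construction and is an assumption about those steps. The service code value to use for CVC 2 and Chip CVC comes from the truncated part of Table 3.2 and is therefore left as a parameter; the keys, PAN and dates in main are constructed.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CVCKeys are the two 64-bit DES keys (Key A and Key B) the text requires.
// In production they stay inside a TRSM; the values in main are constructed.
type CVCKeys struct{ A, B []byte }

func allDigits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// CVCInputBlock performs steps 1 and 2 of the text: keep the last 16 digits
// of the PAN, then concatenate PAN, expiration date (YYMM) and three-digit
// service code as 4-bit nibbles (Table 3.2). The 23 nibbles are padded with
// zero nibbles to 128 bits, an assumption about the steps after step 2.
func CVCInputBlock(pan, yymm, serviceCode string) ([]byte, error) {
	if len(pan) > 16 {
		pan = pan[len(pan)-16:]
	}
	if len(pan) != 16 || len(yymm) != 4 || len(serviceCode) != 3 {
		return nil, errors.New("need a PAN of at least 16 digits, a YYMM date and a 3-digit service code")
	}
	digits := pan + yymm + serviceCode
	if !allDigits(digits) {
		return nil, fmt.Errorf("non-numeric data in %q", digits)
	}
	return hex.DecodeString(digits + strings.Repeat("0", 32-len(digits)))
}

// decimalize is the digit-extraction step of the published construction
// (assumed, not quoted from the manual): take the decimal digits of the
// 64-bit result from left to right, then the hex digits a-f as 0-5, and
// keep the first three.
func decimalize(block []byte) string {
	var dec, letters []byte
	for _, c := range []byte(hex.EncodeToString(block)) {
		if c <= '9' {
			dec = append(dec, c)
		} else {
			letters = append(letters, c-'a'+'0')
		}
	}
	return string(append(dec, letters...)[:3])
}

// ComputeCVC runs the two-key DES procedure: encrypt the first 64-bit block
// under Key A, XOR the result with the second block, then encrypt under
// Key A, decrypt under Key B and encrypt under Key A before decimalizing.
func ComputeCVC(k CVCKeys, pan, yymm, serviceCode string) (string, error) {
	in, err := CVCInputBlock(pan, yymm, serviceCode)
	if err != nil {
		return "", err
	}
	ca, errA := des.NewCipher(k.A)
	cb, errB := des.NewCipher(k.B)
	if errA != nil || errB != nil {
		return "", errors.New("Key A and Key B must each be 8 bytes")
	}
	var r1, r2, out [8]byte
	ca.Encrypt(r1[:], in[:8])
	for i := range r2 {
		r2[i] = r1[i] ^ in[8+i]
	}
	ca.Encrypt(out[:], r2[:])
	cb.Decrypt(r2[:], out[:])
	ca.Encrypt(out[:], r2[:])
	return decimalize(out[:]), nil
}

// ComputeCVC1 adds the Table 3.2 rule for CVC 1: the service code encoded on
// the stripe is used and must not be "000".
func ComputeCVC1(k CVCKeys, pan, yymm, serviceCode string) (string, error) {
	if serviceCode == "000" {
		return "", errors.New(`CVC 1 service code must not be "000"`)
	}
	return ComputeCVC(k, pan, yymm, serviceCode)
}

// VerifyCVC recomputes the value and compares in constant time, as an Issuer
// host does for the CVC 1 carried in a Card-read authorization request.
func VerifyCVC(k CVCKeys, pan, yymm, serviceCode, presented string) bool {
	want, err := ComputeCVC(k, pan, yymm, serviceCode)
	return err == nil && subtle.ConstantTimeCompare([]byte(want), []byte(presented)) == 1
}

func main() {
	// Constructed demonstration keys; the text forbids sharing real keys across Issuers.
	k := CVCKeys{A: []byte("\x01\x23\x45\x67\x89\xab\xcd\xef"), B: []byte("\xfe\xdc\xba\x98\x76\x54\x32\x10")}
	cvc, err := ComputeCVC1(k, "5412750000009994", "2512", "201")
	fmt.Println("CVC 1:", cvc, err, "verifies:", VerifyCVC(k, "5412750000009994", "2512", "201", cvc))
}
```

    Because the value is only three digits, the verification result carries little information on its own; the Stand-In and Issuer-host checks described in section 3.9.1 rely on the keys never leaving the TRSM rather than on the CVC being hard to guess.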