VSDC And Visa PayWave US Acquirer Implementation Guide V2 Smart Debit Credit Pay Wave U.S. V2.0 Apr 2014
User Manual:
Open the PDF directly: View PDF .
Page Count: 141 [warning: Documents this large are best viewed by clicking the View PDF Link!]
- About This Guide
- 1 Overview
- 2 VSDC Transaction Flow
- 2.1 Initiating a Transaction
- 2.2 Application Selection
- 2.3 Initiating Application Processing
- 2.4 Reading the Application Data
- 2.5 Risk Management Checks
- 2.6 Terminal Action Analysis
- 2.7 Card Risk Management
- 2.8 Online Processing
- 2.9 VisaNet Processes Acquirer Authorization Request
- 2.10 Issuer Receives Authorization Request
- 2.11 VisaNet Processes the Issuer Response
- 2.12 Transaction Conclusion
- 2.13 Clearing and Settlement
- 3 Visa payWave Transaction Flow
- 4 Visa’s Chip Terminal and Reader Requirements
- 4.1 Terminal Types
- 4.2 Application Identifiers (AIDs)
- 4.3 Language
- 4.4 VSDC Requirements
- 4.4.1 Contact EMV Application Selection
- 4.4.2 Cardholder Application Selection/Confirmation
- 4.4.3 Contact Application Selection and Routing Options
- 4.4.4 Processing Restrictions
- 4.4.5 Cardholder Verification
- 4.4.6 Cardholder Verification and Selectable Kernels
- 4.4.7 Terminal Risk Management
- 4.4.8 Terminal Action Analysis
- 4.4.9 Implementation Activities
- 4.4.10 Online Processing
- 4.4.11 Completion
- 4.4.12 Implementation Activities
- 4.5 Visa payWave Reader Requirements
- 4.6 Additional Requirements for VCPS 2.1
- 5 Additional Terminal Considerations
- 5.1 Magnetic Stripe Transaction Terminal Requirements
- 5.2 Card Data in Online Messages
- 5.3 Support for up to 19 Digit PANs
- 5.4 Terminal Display Messages
- 5.5 PIN Length and Character Set
- 5.6 Cardholder Receipt Requirements
- 5.7 Transaction Routing
- 5.8 Acquirer Stand-In
- 5.9 Deferred Authorization
- 5.10 Transaction Type Requirements
- 5.11 EMV Transactions in Specific Industries
- 5.12 Purchase with Cash-back
- 5.13 Terminal PIN Requirements
- 5.14 Terminal Types and Configurations
- 5.15 Terminal Requirements for CVM
- 6 Terminal Selection and Approval
- 6.1 Terminal and Reader Selection Criteria
- 6.2 VSDC Terminal Approvals
- 6.3 Considerations for EMV Approval
- 6.4 Contactless Reader Approvals and Renewals
- 6.5 Payment Card Industry Requirements
- 6.6 Acquirer Device Validation Toolkit
- 6.7 Contactless Device Evaluation Toolkit
- 6.8 qVSDC Device Module
- 6.9 Additional Toolkit Requirements
- 6.10 Visa Chip Vendor Enabled Service (CVES)
- 6.11 Acquirer Host Testing
- 6.12 Implementation Activities
- 7 Terminal Testing and Maintenance
- 8 Terminal Management Systems
- 9 Acquirer System Changes
- 10 Acquirer Host Testing
- 11 Acquirer Back-Office Changes
- 12 Merchant Support
- 12.1 Merchant Agreement
- 12.2 Merchant Registration
- 12.3 Technology Innovation Program
- 12.4 Contactless Reader Migration
- 12.5 Merchant Services
- 12.6 Merchant Systems Changes
- 12.7 Contactless Reader Branding and Placement
- 12.8 Merchant Training
- 12.8.1 Merchant Training Plan
- 12.8.2 Cardholder Application Selection
- 12.8.3 Cardholder Verification
- 12.8.4 Fallback Transactions
- 12.8.5 Other Transactions
- 12.8.6 Care of the Terminal
- 12.8.7 International Transactions
- 12.8.8 Terminated Visa payWave Transactions
- Appendix A Planning Checklist
- Appendix B V.I.P. System Message Requirements
- Appendix C Reference Materials
- Appendix D Standard EMV Terminal Logic
- Appendix E Special Terminal Logic
- E.1 Contact Terminal Application Selection/Routing Option Logic
- E.2 Processing
- E.3 Flow Example using Visa US Common Debit AID
- E.4 Flow Example using BIN / IIN Logic
- E.5 Flow Example using Consumer Indication
- E.6 Flow Example for Visa US Common Debit
- E.7 Contactless Reader Application Selection and Routing Option Logic
- E.8 Contact CVM Processing and Selectable Kernels Logic
Visa Smart Debit/Credit and Visa payWave
U.S. Acquirer Implementation Guide
Version 2.0
April 2014
Visa Smart Debit/Credit and Visa payWave
U.S. Acquirer Implementation Guide
Version 2.0
Visa International Operating Regulations Extension
April 2014
April 2014 VISA CONFIDENTIAL ii
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
THIS PAGE INTENTIONALLY LEFT BLANK.
April 2014 VISA CONFIDENTIAL iii
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
Important Note on Confidentiality and Copyright
The Visa Confidential label signifies that the information in this document is confidential and proprietary to
Visa and is intended for use only by Visa Clients subject to the confidentiality restrictions in Visa's
Operating Regulations, non-Client Third Party Processors that have an executed and current Exhibit K on
file with Visa, and terminal vendors and other third parties that have a current license agreement or
nondisclosure agreement (NDA) with Visa that covers the information contained herein.
This document is protected by copyright restricting its use, copying, distribution, and decompilation. No
part of this document may be reproduced in any form by any means without prior written authorization of
Visa.
Visa and other trademarks are trademarks or registered trademarks of Visa.
All other product names mentioned herein are the trademarks of their respective owners.
THIS PUBLICATION COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL
ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN: THESE
CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THE PUBLICATION. VISA MAY MAKE
IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S)
DESCRIBED IN THIS PUBLICATION AT ANY TIME.
If you have technical questions or questions regarding a Visa service or capability, contact your Visa
representative.
April 2014 VISA CONFIDENTIAL iv
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
Table of Contents
About This Guide ...........................................................................9
Out of Scope ........................................................................................ 9
Assumptions ....................................................................................... 10
Audience ............................................................................................ 10
Document Organization ..................................................................... 10
Summary of Changes ........................................................................ 11
1 Overview ................................................................................ 12
1.1 Compliance Documents and Reference Documentation .......... 12
1.2 Terminology .............................................................................. 13
2 VSDC Transaction Flow ......................................................... 16
2.1 Initiating a Transaction .............................................................. 16
2.2 Application Selection ................................................................. 16
2.3 Initiating Application Processing ............................................... 17
2.4 Reading the Application Data ................................................... 17
2.5 Risk Management Checks ........................................................ 17
2.6 Terminal Action Analysis ........................................................... 20
2.7 Card Risk Management ............................................................ 20
2.8 Online Processing ..................................................................... 21
2.9 VisaNet Processes Acquirer Authorization Request ................ 21
2.10 Issuer Receives Authorization Request .................................... 21
2.11 VisaNet Processes the Issuer Response ................................. 22
2.12 Transaction Conclusion ............................................................ 22
2.13 Clearing and Settlement ........................................................... 22
3 Visa payWave Transaction Flow ........................................... 23
3.1 Acquirer Approaches ................................................................ 23
3.2 U.S. Contactless Acceptance Requirements ............................ 23
3.3 Contactless Processing Requirements ..................................... 24
3.4 Initiating a Visa payWave Transaction ...................................... 24
3.5 qVSDC Transactions ................................................................ 25
3.6 MSD Transaction Flow .............................................................. 28
3.7 Visa payWave for Mobile .......................................................... 30
4 Visa’s Chip Terminal and Reader Requirements ................. 31
4.1 Terminal Types ......................................................................... 31
4.2 Application Identifiers (AIDs)..................................................... 32
4.3 Language .................................................................................. 34
April 2014 VISA CONFIDENTIAL v
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
4.4 VSDC Requirements ................................................................. 34
4.5 Visa payWave Reader Requirements ....................................... 44
4.6 Additional Requirements for VCPS 2.1 ..................................... 48
5 Additional Terminal Considerations ..................................... 49
5.1 Magnetic Stripe Transaction Terminal Requirements .............. 49
5.2 Card Data in Online Messages ................................................. 51
5.3 Support for up to 19 Digit PANs ................................................ 52
5.4 Terminal Display Messages ...................................................... 52
5.5 PIN Length and Character Set .................................................. 53
5.6 Cardholder Receipt Requirements ........................................... 53
5.7 Transaction Routing .................................................................. 54
5.8 Acquirer Stand-In ...................................................................... 55
5.9 Deferred Authorization .............................................................. 55
5.10 Transaction Type Requirements ............................................... 55
5.11 EMV Transactions in Specific Industries .................................. 59
5.12 Purchase with Cash-back ......................................................... 60
5.13 Terminal PIN Requirements ..................................................... 60
5.14 Terminal Types and Configurations .......................................... 61
5.15 Terminal Requirements for CVM .............................................. 63
6 Terminal Selection and Approval .......................................... 64
6.1 Terminal and Reader Selection Criteria .................................... 64
6.2 VSDC Terminal Approvals ........................................................ 66
6.3 Considerations for EMV Approval ............................................. 67
6.4 Contactless Reader Approvals and Renewals ......................... 68
6.5 Payment Card Industry Requirements ...................................... 69
6.6 Acquirer Device Validation Toolkit ............................................ 70
6.7 Contactless Device Evaluation Toolkit ...................................... 72
6.8 qVSDC Device Module ............................................................. 73
6.9 Additional Toolkit Requirements ............................................... 73
6.10 Visa Chip Vendor Enabled Service (CVES) ............................. 74
6.11 Acquirer Host Testing ............................................................... 74
6.12 Implementation Activities .......................................................... 74
7 Terminal Testing and Maintenance ....................................... 76
7.1 Terminal Testing Process ......................................................... 76
7.2 Interoperability Problems .......................................................... 78
7.3 Chip Interoperability Compliance Program ............................... 80
8 Terminal Management Systems ............................................ 82
8.1 EMV Functions .......................................................................... 82
8.2 Data Elements .......................................................................... 82
April 2014 VISA CONFIDENTIAL vi
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
8.3 Software Updates ..................................................................... 84
8.4 EMV Functionality Considerations ............................................ 84
9 Acquirer System Changes ..................................................... 86
9.1 U.S. Acquirer Processor Mandate ............................................ 86
9.2 Terminal-to-Acquirer Interface .................................................. 86
9.3 Host System Changes .............................................................. 87
9.4 Implementation Activities .......................................................... 89
10 Acquirer Host Testing ............................................................ 90
10.1 Testing Environment ................................................................. 90
10.2 Testing Process ........................................................................ 91
10.3 End-to-End Testing ................................................................... 94
10.4 Pilot Testing .............................................................................. 94
11 Acquirer Back-Office Changes .............................................. 95
11.1 Dispute Resolution Management .............................................. 95
11.2 EMV Liability Shift ..................................................................... 96
11.3 Chargebacks and Representments .......................................... 96
11.4 Reporting................................................................................... 97
11.5 Visa Reporting .......................................................................... 98
11.6 Internal Staff Training ................................................................ 98
11.7 Implementation Activities .......................................................... 99
12 Merchant Support ................................................................. 100
12.1 Merchant Agreement .............................................................. 100
12.2 Merchant Registration ............................................................. 100
12.3 Technology Innovation Program ............................................. 100
12.4 Contactless Reader Migration ................................................ 102
12.5 Merchant Services .................................................................. 102
12.6 Merchant Systems Changes ................................................... 105
12.7 Contactless Reader Branding and Placement ........................ 105
12.8 Merchant Training ................................................................... 106
Appendix A Planning Checklist ................................................ 112
Appendix B V.I.P. System Message Requirements................. 116
Appendix C Reference Materials .............................................. 119
Appendix D Standard EMV Terminal Logic ............................. 123
Appendix E Special Terminal Logic ......................................... 124
April 2014 VISA CONFIDENTIAL vii
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
List of Tables
Table 1: EMV and VSDC Terminal Types ...................................................... 31
Table 2: Application Identifiers (AIDs) for Visa ISO RID................................. 33
Table 3: Application Identifier (AID) for Visa US Common Debit AID ............ 33
Table 4: Types of Cardholder Verification Methods ....................................... 39
Table 5: Acquirer Host Testing Steps ............................................................. 91
Table 6: Policy Related Tasks ...................................................................... 112
Table 7: Operational Related Tasks ............................................................. 113
Table 8: Technical Related Tasks ................................................................ 114
Table 9: V.I.P. System Field 55 Mandated Data Tags ................................. 116
Table 10: V.I.P. System Chip-related Fields ................................................. 118
Table 11: Reference Materials ...................................................................... 119
List of Figures
Figure 1: Card Requests Terminal and Transaction Data .............................. 26
Figure 2: EMV Terminal Logic ...................................................................... 123
Figure 3: Special Application Selection Using Visa US Common Debit AID 127
Figure 4: Special Application Selection Using BIN / IIN Logic ...................... 128
Figure 5: Special Application Selection Using Consumer Indication ............ 129
Figure 6: US Common Debit Application Acceptance Overview .................. 131
Figure 7: Special Contactless Application "Pre-Selection" ........................... 136
Figure 8: Combined CVM Processing and Selectable Kernel ...................... 139
•
April 2014 VISA CONFIDENTIAL viii
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
About This Guide
This guide is referenced in, and has the same authority as, the Visa International Operating
Regulations. The Visa International Operating Regulations governs in the event of any
inconsistency or contradiction, unless Visa specifically grants a variance.
• This guide is designed to help U.S. acquirers prepare the terminal, host and back-office
infrastructure to support a combined Visa Smart Debit/Credit (VSDC) and Visa
payWave program. Because the U.S. is an always online or ‘zero floor limit’
environment, the cost and complexity of a traditional chip implementation is reduced.
This guide includes:
• Best practices, suggestions, considerations and descriptions of step-by-step activities to
assist with the implementation.
• Information to assist acquirers in supporting their merchants as they migrate to chip.
• A Section on implementation activities to highlight the support required in each section.
• Given the nature of the U.S. payment environment, where all transactions are authorized
online, this guide focuses solely on the implementation requirements relating to online-
only terminals and does not discuss offline processing requirements in detail.
• This guide also outlines requirements for supporting VSDC and Visa payWave using the
qVSDC and MSD paths.
• This guide references a number of other Visa and industry documents that are essential
for implementing a chip program. Refer to Appendix C Reference Materials.
Out of Scope
• This guide is not intended to aid acquirers in making the decision to begin deployment of
chip devices but, provide information on benefits and features of the service or provide
in-depth educational background on chip cards, terminals or systems.
• This guide will not address the capability of other networks to carry full chip data if the
transaction is routed over a non-Visa network.
• It does not address requirements relating to:
• Tasks related to implementing a new card acceptance program.
• Offline Processing: Acquirers considering offline processing support should review the
global VSDC Acquirer Implementation Guide and the Visa payWave Acquirer
Implementation Guide.
• Support for Visa Contactless Payment Specification (VCPS )1.4.2 readers.
April 2014 VISA CONFIDENTIAL 9
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Chip processing at ATMs
Assumptions
• This document assumes that the:
• Acquirer currently accepts Visa cards at its terminals.
• Acquirer currently accepts Visa Interlink cards at its terminals.
• Acquirer is familiar with V.I.P. processing requirements.
• Acquirer is connected to VisaNet.
• Acquirer has an established mechanism for installing and configuring all devices.
Audience
• The Visa Smart Debit/Credit and Visa payWaveU.S. Acquirer Implementation Guide is
intended for acquirers, acquirer processors, and direct connect merchants in the U.S.
responsible for the implementation, testing and activation of a dual-interface acceptance
program combining support for VSDC and Visa payWave.
Document Organization
• Section 1, Overview – This Section provides an overview of chip technology and the
EMV global foundation for chip-based payment services.
• Section 2, VSDC Transaction Flow – This Section describes the VSDC chip
transaction steps at the terminal/card level and the host level.
• Section 3, Visa payWave Transaction Flow – This Section describes the Visa
payWave steps at the terminal/card level and the host level.
• Section 4, Visa's Chip Terminal and Reader Requirements – This Section describes
the requirements for deploying EMV-compliant VSDC terminals and VCPS compliant
contactless readers.
• Section 5, Additional Terminal Considerations – This Section discusses the
additional consideration for the requirements outlined in Section 2.
• Section 6, Terminal Selection and Approval – This Section is intended to assist
acquirers in creating selection criteria for chip terminals and provides background
information on the terminal approval process before deployment in the field.
• Section 7,Terminal Testing and Maintenance – This Section outlines Visa's
recommendations for acquirers to undertake post deployment testing to address and
resolve acceptance and interoperability problems that may be inadvertently introduced
during rollout.
April 2014 VISA CONFIDENTIAL 10
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Section 8, Terminal Management Systems – This Section provides the recommended
functions to be supported by a Terminal Management System (TMS) in a chip
environment.
• Section 9, Acquirer System Changes – This Section outlines acquirer system changes
to support EMV chip.
• Section 10, Acquirer Host Testing – This Section addresses acquirer host testing to
support VSDC and Visa payWave transactions. It assumes the acquirer is already a
VisaNet endpoint.
• Section 11, Acquirer Back-Office Changes – This Section addresses the technical
changes to back-office functions that acquirers will need to support an EMV chip
program.
• Section 12, Merchant Support – This Section reviews the tasks related to supporting
merchants as they make the transition to chip card acceptance. It focuses on the
merchant support needs in areas such as system changes and training.
• Appendix A, Planning Checklist – This appendix is designed to help acquirers plan the
implementation of their chip program and develop a detailed work plan.
• Appendix B, V.I.P. System Message Requirements – This appendix outlines the
mandated tags that must be supported, and the related chip fields.
• Appendix C, Reference Materials – This appendix lists all the key guides referenced
throughout the document.
• Appendix D, Standard EMV Terminal Logic – This appendix provides an overview of
standard EMV terminal logic.
• Appendix E, Special Terminal Logic – This appendix includes the special terminal
logic that is necessary for a merchant to determine the AID to be selected for an eligible
transaction. Also this appendix illustrates the special contact terminal CVM logic that is
necessary for a merchant participating in Visa’s VEPS program or a merchant that
supports cash-back.
Summary of Changes
Since this document was last published in June 2013, Visa has updated and expanded the
appendix that illustrates special terminal logic. Special terminal logic could be necessary when
accepting debit transactions. An appendix was also added to describe Standard EMV
Terminal Logic, providing an overview of standard EMV terminal logic with a specific focus on
the selection process discussed in Section 4 Visa’s Chip Terminal and Reader Requirements.
April 2014 VISA CONFIDENTIAL 11
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
1 Overview
• New technology is presenting Visa with exciting opportunities to provide enhanced
payment services. Chip technology based on EMV can help prevent the compromise of
sensitive cardholder data while providing consumers and merchants with fast and
convenient ways to complete purchases across various form factors including mobile.
• Because EMV provides a global foundation for chip-based payment services, adherence
to its specifications ensures global interoperability and offers enhanced security and
greater functionality to today’s Visa products. Using the EMV foundation layer, Visa has
developed additional specifications, for example, the Visa Integrated Circuit Card
Specification (VIS), the Visa Contactless Payment Specification (VCPS) and payment
service rules and implementation guidelines. Visa Smart Debit/Credit (VSDC) is a
program specifically designed to aid Visa acquirers in migrating magnetic stripe Visa
card programs and acceptance infrastructure to a chip-based payment service.
• Additionally Visa payWave provides a flexible and globally interoperable approach to
contactless transactions. It offers several implementation options – all while ensuring the
Visa payWave cards and other contactless form factors receive the same level of
acceptance whether used at home or abroad.
• To implement acceptance for VSDC and Visa payWave, as part of their migration to
chip, acquirers will need to consider various changes to their existing terminals and host
processing, including:
• New terminal applications and support for selectable EMV kernels
• Compliance with Visa and industry requirements for contact and contactless chip
terminals
• Testing and approval processes for chip terminals
• Changes to terminal and host messaging
• Changes to host systems to process new or additional data
• Back office changes
• Impact to merchants and additional training
NOTE: The term “acquirer,” as used in this Guide, will be defined as the acquirer or acquirer
processor.
1.1 Compliance Documents and Reference Documentation
• To facilitate requirements while ensuring global interoperability, terminals accepting Visa
cards must comply with the following documents:
April 2014 VISA CONFIDENTIAL 12
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Visa International Operating Regulations
• Visa Transaction Acceptance Device Requirements
NOTE: Refer to Appendix C Reference Materials for a more complete list of reference
documents and for information on where to obtain the documents listed in this
Section and throughout the Guide.
• Contact chip terminals must comply with the EMV Integrated Circuit Card Specifications
for Payment Systems, available from the EMVCo website (www.emvco.com) including
any specification updates released by EMVCo.
• Visa payWave readers must comply with the EMV Contactless Specifications, including
Book C-3, and the Visa Contactless Payment Specification (VCPS), Version 2.1
including all published updates.
• Devices accepting personal identification numbers (PINs) must comply with the Payment
Card Industry (PCI) PIN Transaction Security (PTS) Point of Interaction (POI) Modular
Security Requirements available from www.pcisecuritystandards.org and with the Visa
PCI PIN Security Requirements.
• A number of best practice documents are also available to assist acquirers in
determining their terminal requirements:
• Best practices relating to the deployment of acceptance terminals that support magnetic
stripe, contact chip and contactless chip can be found in the Visa Transaction
Acceptance Device Guide (TADG).
• Best practices relating to the Visa Easy Payment Service (VEPS) can be found on
www.visa.com in the Visa Easy Payment Service – Merchant Program Guide.
• Best practices relating to payment acceptance for retail petroleum merchants can be
found in the Visa Payment Acceptance Best Practices for Retail Petroleum Merchants.
• Risk management best practices for prepaid programs that will utilize a self-service kiosk
can be found in the Prepaid Product Risk Management Best Practices.
• In addition to complying or following best practices outlined in the above-mentioned
documents, acquirers can customize their programs beyond these minimum
requirements through adoption of optional functionality and proprietary processing.
Proprietary processing, however, must not interfere with global interoperability.
NOTE: Visa acquirers must download Visa chip documentation from the Visa Chip and Contactless
webpage on Visa Online. Please see Appendix C for information on enrolling and gaining
entitlement. Licensed vendors may download licensed Visa materials from the Visa
Technology Partner site (https://technologypartner.visa.com).
1.2 Terminology
• The following terms are used throughout this guide:
April 2014 VISA CONFIDENTIAL 13
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Acquirer – A Member that signs a Merchant or disburses currency to a Cardholder in a
Cash Disbursement, and directly or indirectly enters the resulting Transaction Receipt
into Interchange. Visa International Operating Regulations ID#: 010410-010410-
0024219.
• AID – A data element that identifies the application in a card or terminal, such as Visa
Debit/Credit or Visa Electron. It is composed of the Registered Application Provider
Identifier (RID) and the Proprietary Application Identifier Extension (PIX).
• Card (Visa Card) – A Magnetic Stripe and/or a Visa contactless card bearing the Visa
Brand Mark, or a non-Card form Contactless Payment device bearing the Visa Brand
Mark, that enables a Visa Cardholder to obtain goods, services, or cash from a Visa
Merchant or an Acquirer. All Visa Cards must bear the Visa Brand Mark.
• Chip Card – A Card embedded with a Chip that communicates information to a
Transaction Acceptance Device (TAD).
• Dual-interface Terminals – A terminal that supports both contact and contactless chip
cards and complies with the EMV Specifications and VCPS. Support for contactless may
be either as a reader separate from the POS device or via a reader integrated into a
POS device.
• EMV® Specifications – EMV Integrated Circuit Card Specifications for Payment
Systems encompassing all 4 books which make the contact chip specifications and the
EMV Contactless Specifications for Payment Systems encompassing 4 books which
make up the contactless specification plus any updates published in specification
bulletins on the EMVCo website.
• Merchant Routing Option – the option provided to U.S. merchants pursuant to the
Dodd-Frank Act and Federal Reserve Board Regulation II to route covered debit
transactions over one of at least two unaffiliated payment networks enabled on a card.
• Reader, Contactless Reader – The merchant device communicating with the card.
• There are two scenarios in which typically a reader is used for a contactless transaction:
• Either as a reader, also called a dongle or Proximity Coupling Device (PCD), separated
from, but communicating with, a POS device.
• Or as a reader integrated into a POS device.
• The word reader in this guide will cover both scenarios unless explicitly stated otherwise.
It is not intended to imply in which physical component (the reader or the POS device) a
specific action is performed.
• Terminal – A transaction acceptance device.
• US Common Debit AID – See Visa US Common Debit Application Identifier.
April 2014 VISA CONFIDENTIAL 14
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• US Covered Visa Debit Card – A Visa US debit card as defined in VIOR for debit and
prepaid products covered by the unaffiliated network requirements of the Dodd-Frank
Act and Federal Reserve Board Regulation II.
• Visa Contactless Payment Specification (VCPS) – The Visa Contactless Payment
Specification, which covers versions 2.1 and all published updates.
• Visa Operating Regulations – The Visa International Operating Regulations including
any U.S. specific operating regulations.
• Visa US Common Debit Application Identifier – An EMV-compliant Application
Identifier licensed for use with Visa’s EMV and VIS-based applications for the purpose of
processing a transaction for debit and prepaid products covered by the unaffiliated
network requirements of the Dodd-Frank Act and Federal Reserve Board Regulation II.
In this document referred to as the Visa US Common Debit AID.
April 2014 VISA CONFIDENTIAL 15
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
2 VSDC Transaction Flow
• To better understand the impact of chip on an acquirer’s systems and processes it is
important to understand the various steps in a VSDC chip transaction. This Section
describes the steps at the terminal/card level and the host level.
• All activities, prior to the transaction going online for issuer approval, are transparent to
the acquirer and occur between the card and the terminal. Some of these functions will
not apply to terminals in the U.S. which operate as online-only terminals, and are so
noted.
• These functions are included in this Section to provide acquirers with an overall
understanding of the processing that may occur in an EMV chip transaction. Their
presence does not indicate the need to support them.
2.1 Initiating a Transaction
• The chip card is inserted into the terminal or swiped through a magnetic stripe reader. If
swiped, the terminal checks the service code in the magnetic stripe. If the first digit of the
service code indicates a chip card, the terminal prompts the sales clerk or cardholder to
insert the card into the terminal.
NOTE: To provide a faster transaction, merchants should be trained to insert the card into the
chip reader when presented with a chip card rather than swiping the magnetic stripe.
2.2 Application Selection
• The terminal determines the applications supported by the card and compares them to
the applications supported by the terminal. Application Selection is mandatory and
follows these rules:
• If the chip card and terminal have no applications in common and no application can be
selected, the device should display a message noting the card type is not supported and
fall back to magnetic stripe processing.
• If the chip card and terminal have one application in common and cardholder
confirmation is not required, that application is used.
• If the chip card and terminal have more than one application in common or if there is
a single application and cardholder confirmation is required, the terminal should display
a list of applications for cardholder selection.
• The cardholder then selects his or her preferred application from the available options
or the application is selected automatically based on the issuer priority list (including
whether or not cardholder confirmation is required) unless the Visa US Common Debit
AID selection logic described later in this document is used.
April 2014 VISA CONFIDENTIAL 16
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
All transactions initiated with a Visa owned Application Identifier (AID – see Section 4.2)
other than the Visa US Common Debit AID must be routed to VisaNet and be processed
according to Visa or Visa Interlink (as applicable) network operating rules and technical
standards. Some products may be personalized with more than one AID, with the other
AID(s) representing products with their own specific network and routing option(s), for
instance the Visa US Common Debit AID. To initiate a transaction using such a preferred
AID, certain terminal logic must be executed as part of the outlined VSDC transaction flow.
This logic is defined in Section 4.4.3.
2.3 Initiating Application Processing
• The terminal signals to the card that the transaction is about to begin. The card response
to the terminal includes data and risk management information for use during the
transaction. Before responding, the card performs the following steps:
1. Restrictions Check (Optional)
The card may determine if the transaction is taking place in an environment that the card
does not allow. When the transaction is not allowed for this application, the card directs
the terminal to a different application or alternatively terminates the transaction.
2. Card sends the Application Interchange Profile (AIP) and Application File Locator (AFL)
to terminal (mandatory).
The card may send a different AIP or AFL depending on the transaction environment.
For example, the card might send a different AIP and AFL for domestic versus
international transactions.
• AIP specifies the application functions that are supported by the application in the
chip card.
• AFL designates which records the terminal should read from the chip card.
2.4 Reading the Application Data
• The terminal uses the AFL to determine the card data it should read to process the
transaction. Once the terminal reads the data, it uses the AIP to determine what
processing is needed for the transaction.
2.5 Risk Management Checks
• Risk management checks are performed (if present on the card and supported by the
terminal) to determine how the transaction should be processed.
• In the U.S. all transactions require online processing, thus the terminal will send the
transaction online.
April 2014 VISA CONFIDENTIAL 17
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
2.5.1 Offline Data Authentication
• Offline Data Authentication allows the terminal to confirm that the card data has not been
tampered with after the card was issued by the issuer and in the case of Dynamic Data
Authentication (DDA) and Combined DDA/Application Cryptogram Generation (CDA),
protects against the re-use of copied chip data in an offline environment. This process is
important for offline capable devices where there may be a possibility of an offline
approved transaction.
• For online-only devices, Offline Data Authentication is superfluous and devices are
therefore not required to support Offline Data Authentication.
NOTE: Since all transactions in the U.S. will be sent online for issuer approval due to a
zero floor limit, support for Offline Data Authentication is not required and not
recommended. Acquirers or merchants that do not obtain an online approval do so
at their own liability.
• Depending on the card capabilities, one of the following Offline Data Authentication
methods may be performed if the terminal supports Offline Data Authentication:
• Static Data Authentication (SDA)
• Dynamic Data Authentication (DDA)
• Combined DDA/Application Cryptogram Generation (CDA) (optionally supported)
• SDA is performed by the terminal using static data read from the card. DDA and CDA
are performed by the card and the terminal using dynamic data from the card and
terminal. Offline capable devices need to support SDA and DDA.
• U.S. acquirers that consider supporting Offline Data Authentication should review the
global VSDC Acquirer Implementation Guide for further details.
2.5.2 Processing Restrictions
• The processing restrictions function is used to determine the degree of compatibility
between the application in the card and the terminal. These checks include determining
whether there are any geographic or transaction-type limitations or whether the
application on the card has expired.
• The terminal performs the following checks using data read from the card:
• Effective/Expiration Date Checking
• Application Usage Control Checking
• Application Version Number Checking
• Further information regarding Processing Restrictions can be found in the EMV
Specifications and in Section 4.
April 2014 VISA CONFIDENTIAL 18
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
2.5.3 Cardholder Verification
• The terminal reads the Cardholder Verification Method (CVM) List on the card to
determine the CVM to use for the transaction. It selects the CVM based on the CVMs
mutually supported (between card and terminal) and the circumstances of the
transaction.
• CVM is used by the terminal and/or the merchant to verify that the cardholder is
legitimate and that the card is not lost or stolen. The following CVM options are available
in EMV:
• Online PIN
• Signature
• Offline Plaintext PIN
• Offline Enciphered PIN
• No CVM required
• More information regarding support by terminals for each of the CVMs can found in
Section 4.4.5 Cardholder Verification, and in the Visa Operating Regulations and the
Transaction Acceptance Device Requirements.
• Terminal request of specific CVMs for specific transaction types may be supported by
selectable kernels as defined in contact EMV (see Section 4.4.6 and 8.4.2).
2.5.4 Terminal Risk Management
• The terminal performs checks based on the acquirer risk control features and the
capabilities of the terminal. For offline capable terminals, some of the checks are
mandatory whereas others are optional and at the discretion of the acquirer. The checks
include:
• Floor limit check
• Random selection
• Transaction velocity checking
• Exception file check (optional)
• Offline transaction limit check (optional)
• The results of these checks are used to determine how the terminal processes the
transaction. For online-only terminals in the U.S., these checks are not required as all
transactions will be sent online. However any acquirer considering use of offline-capable
terminals needs to ensure that terminals support floor limit checks and the floor limits are
set according to the Visa International Operating Regulations.
April 2014 VISA CONFIDENTIAL 19
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
2.6 Terminal Action Analysis
• The results of the previous steps are used in Terminal Action Analysis to determine the
disposition of the transaction. The results of the previous checks are stored in the
Terminal Verification Results (TVR) data element, which is then compared to specific
rules that are set by the issuer (in the card) and Visa (in the terminal).
• Depending on the results, the terminal will request a cryptogram from the card. A
cryptogram is data element dynamically generated by the card using transaction specific
data and a cryptographic key stored in the card. It allows the issuer to confirm data
integrity and that the transaction was undertaken using a valid card. The result of
Terminal Action Analysis determines which of the following cryptogram is generated:
• Transaction Certificate (TC)
• Application Authentication Cryptogram (AAC)
• Authorization Request Cryptogram (ARQC)
• For online-only terminals in the U.S., other than in some exception situations, the
terminals will always request an ARQC and go online.
• The cryptogram is generated by the card and its generation is transparent to the
terminal. Further information regarding the generation of the cryptograms and Terminal
Action Analysis processing, including exceptions, can be found in the EMV
Specifications and the Visa Integrated Circuit Card Specification (VIS).
2.7 Card Risk Management
• Card Risk Management is transparent to the acquirer, merchant and terminal. However
its outcome confirms the disposition of the transaction. It allows the card to perform
velocity checking and other risk management checks on behalf of the issuer to see if it
agrees with the terminal’s decision. The card may perform the following checks:
• New Card check
• Checking results from previous transactions (such as PIN Tries exceeded, Issuer Script
results and result of Offline Data Authentication)
• Offline spending amounts and transaction counts (Velocity) checking
• Once the card has completed the risk management checks, it responds to the terminal’s
request for a cryptogram with one of three cryptograms listed in Section 2.6 Terminal
Action Analysis.
• In the U.S., where the terminal will request to go online, the card will agree and respond
with an ARQC.
April 2014 VISA CONFIDENTIAL 20
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
2.8 Online Processing
• Once the card generates an ARQC for online processing, the terminal captures the
ARQC, the original data elements used by the chip card to generate the ARQC and
information regarding the selected application and the interface used. This information,
together with standard transaction data and the results of the risk management checks
are forwarded online to the acquirer.
• Acquirers format this data into the authorization message and forward the information to
VisaNet. For authorization and full financial messages, acquirers send the chip data in
Field 55 in TLV (Tag-Length-Value) format. It is critical that acquirers do not alter any of
the data received from the card and terminal as these are used by the issuer, or Visa on
its behalf, when authorizing the transaction. Altering data or data quality issues may
have serious consequences that may result in a decline of the transaction by the issuer.
2.9 VisaNet Processes Acquirer Authorization Request
• VisaNet may perform the following functions after it receives the authorization request:
• If the message format of the acquirer is different from the message format of the Full
Data issuer (Field 55 acquirer to third bit map issuer), VisaNet converts the authorization
to the issuer’s message format.
• VisaNet uses the pre-processing chip indicators to help determine whether to route to
the issuer. If the transaction is processed in Stand-In (STIP), these chip transaction
indicators influence the approve/decline decision.
• VisaNet forwards the authorization request to the issuer if it has not been processed in
STIP. If processed in STIP, the transaction proceeds as outlined in Section 2.11 VisaNet
Processes the Issuer Response.
2.10 Issuer Receives Authorization Request
• When the authorization request is received, the issuer or issuer processor will validate
the cryptogram. In certain cases Visa may validate the cryptogram on the issuer’s
behalf.
• The issuer may additionally review the chip data received in the authorization to
determine whether to authorize or decline the transaction.
• The issuer decides whether to approve or decline the transaction and sends the
authorization response to VisaNet to transmit to the acquirer. The response may
optionally include:
• An Authorization Response Cryptogram (ARPC), which is an equivalent to the ARQC
but generated by the issuer, which the card will validate.
• An Issuer Script that is typically used to reset risk parameters on the card.
April 2014 VISA CONFIDENTIAL 21
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
2.11 VisaNet Processes the Issuer Response
• If the issuer is participating in the Visa Chip Authenticate, VisaNet generates the ARPC
on behalf of the issuer and includes it in the authorization response to the acquirer.
Otherwise VisaNet forwards the issuer response to the acquirer.
2.12 Transaction Conclusion
• The acquirer receives the authorization response and sends it to the terminal. The card
and terminal perform final processing to complete the transaction including:
• If an ARPC is returned in the authorization response, the card validates the ARPC
to ensure that the authorization response came from a valid issuer.
• Card authenticates and executes Issuer Script commands, if present.
• The card generates the final cryptogram, a TC for approval or an AAC for decline. Once
the transaction is completed the terminal prompts the cashier or the customer to remove
the card.
2.13 Clearing and Settlement
• For approved transactions, the card generates a TC as the final cryptogram. The
acquirer then submits the approved transaction to VisaNet for clearing and settlement.
• Acquirers send TCR 0 with POS Terminal Capability Code = 5 and POS Entry Mode =
05 or 95.
• Acquirers send TCR1 if cash-back is supported.
• Acquirers send TCR 5 and TCR 7 with new chip data. Acquirers and merchants in the
U.S. deploying online-only terminals or terminals set with a Zero Floor Limit and that
obtain an online authorization for all transactions are not required to support TCR 7 in
the clearing record.
NOTE: TCR 7 is still required if a transaction is offline approved. If you plan to support
offline approved transactions please refer to the global VSDC Acquirer
Implementation Guide.
April 2014 VISA CONFIDENTIAL 22
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
3 Visa payWave Transaction Flow
• To better understand the impact of Visa payWave on an acquirer’s systems and
processes it is important to understand the various steps in a Visa payWave transaction.
This Section describes the steps at the terminal/card level and the host level.
• All activities, prior to the transaction going online for issuer approval, are transparent to
the acquirer and occur between the card, the reader and terminal.
• Section 4 Visa’s Chip Terminal and Reader Requirements provides further detail on
some of the steps outlined in this Section and their implementation impacts. Section 9
Acquirer System Changes provides further information regarding host processing steps.
3.1 Acquirer Approaches
• Acquirers must support Visa payWave qVSDC and MSD transactions (as per Section
3.1.2). To provide support for the long term development of the contactless platform, and
its dependent propositions such as mobile proximity and transit, Visa introduced new
requirements relating to the support of qVSDC and MSD in the U.S.
• The two approaches and Visa’s requirements are outlined in more detail in the following
sections.
3.1.1 Quick Visa Smart Debit/Credit (qVSDC)
• qVSDC transactions follow an expedited EMV-processing model and chip-processing
rules. These transactions can be sent online and validated using one of three dynamic
authentication methods, Cryptogram Version Number 17 (CVN 17), CVN 10, or CVN 18.
• The issuer decides whether to support CVN 17, CVN 10, or CVN 18, which is
personalized on the card and carried during transaction processing. qVSDC is only
suited for acceptance environments with EMV infrastructure including support for chip
data by the acquirer host.
3.1.2 Magnetic Stripe Data (MSD)
• MSD contactless transactions follow magnetic stripe processing rules. MSD transactions
are sent online and validated using CVN 17 (MSD CVN 17) or dynamic Card Verification
Value (dCVV) (MSD Legacy). MSD is best suited for magnetic stripe acceptance
environments.
3.2 U.S. Contactless Acceptance Requirements
• Effective 1 April 2013, all new Visa payWave accepting contactless readers deployed in
the U.S. must actively support both MSD and the qVSDC transaction path of VCPS 2.1
including all published updates. qVSDC may be supported on an online only basis
(i.e.no support for offline authorizations).
April 2014 VISA CONFIDENTIAL 23
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
NOTE: Existing Visa payWave accepting contactless readers that can only support
transactions as specified in VCPS 1.4.2 may remain in market until their natural
retirement.
• New Visa payWave accepting contactless readers deployed between 1 December 2011
and 1 April 2013 must be configured to either:
• Support only transactions as specified in VCPS 1.4.2, or
• Actively support both the MSD and the qVSDC transaction path of VCPS 2.1 including
all published updates and transmit the resulting chip data to VisaNet.
• Effective 1 January 2015, Visa contactless readers connected to acquirer platforms that
are certified for chip data no longer need to support the MSD transaction path.
• Further details can be found in the Visa Business News article dated December 22,
2011 or from a Visa representative.
3.3 Contactless Processing Requirements
• All transactions initiated with a Visa owned Application Identifier (AID – see Section 4.2)
other than the Visa US Common Debit AID must be routed to VisaNet and be processed
according to Visa or Visa Interlink (as applicable) network operating rules and technical
standards. Some products may be personalized with more than one AID, with other
AID(s) representing products with their own specific network and routing option(s). To
initiate a transaction using an AID that is not the highest priority mutually supported AID
(as specified by the card) certain terminal logic must be executed before the outlined
qVSDC transaction flow. This logic is defined in Section 4.5.1.
• Acquirers are responsible for their merchants’ compliance with Visa rules governing Visa
Contactless transactions, including ensuring proper transaction routing.
3.4 Initiating a Visa payWave Transaction
• During a Visa payWave transaction, consumers briefly hold their Visa payWave card
near the reader when prompted, instead of inserting their card in the reader as with
VSDC transactions or swiping the magnetic stripe. The Visa payWave card is embedded
with an antenna and a chip. The chip, through the antenna, communicates with the
merchant’s contactless reader to enable the transaction.
• Acquirers should be aware that Visa payWave transactions may be initiated not only
from a traditional plastic card but also from other form factors and devices such as Near
Field Communication (NFC) enabled mobile devices and key fobs.
April 2014 VISA CONFIDENTIAL 24
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
3.5 qVSDC Transactions
3.5.1 Preliminary Processing
• Before the card and reader begin their interaction, the transaction amount is typically
received by the reader before it performs its preliminary processing. Preliminary
Processing expedites the transaction by allowing the reader to perform several risk
management steps prior to interacting with the card.
• During Preliminary Processing, the reader may use the transaction amount to perform
the following checks:
• Reader Contactless Transaction Limit: Transactions for amounts above this limit are
terminated and may be processed only by using a different interface.
NOTE: Contactless readers are required to either have the reader contactless transaction
limit disabled or set to its maximum amount. This limit is not used in the U.S. region.
• Reader Cardholder Verification Method (CVM) Limit: Transaction amounts above this
limit require cardholder verification for the contactless transaction.
• Reader Contactless Floor Limit: Transactions above this limit require an online
authorization by the card issuer. For the U.S. region this limit is set to zero or is not
supported to ensure all transactions are sent online to be authorized by the issuer.
• The reader sets the results of these checks in the Terminal Transaction Qualifiers (TTQ),
a reader data element. The TTQ provides the card with the reader’s capabilities and
requirements. For U.S. readers the TTQ must reflect online-only transactions with no
contact transaction limits.
3.5.2 Application Selection
• Once the reader has completed Preliminary Processing, the reader signals to the
consumer that the reader is ready for the contactless card. The cardholder briefly waves
or holds the Visa payWave card close to the contactless reader to initiate the
transaction. The reader determines whether it shares a contactless application with the
card by selecting the card’s list of contactless AIDs (called the Proximity Payment
Systems Environment [PPSE]). If there is an AID in common, that AID is automatically
selected; otherwise the reader terminates the transaction and the transaction may
proceed via another interface such as magnetic stripe or contact chip.
• If there are two or more AIDs in common, the AID with the highest priority is
automatically selected as per EMV Contactless standards. For example, a card may
have both credit and debit AIDs, in which case the issuer or consumer will have defined
one of those AIDs as a higher priority than the other.
NOTE: For qVSDC readers supporting a merchant routing option, a pre-select step as defined
in Section 3.3 may be required to identify the AIDs supported on the card/consumer
device and thereby the possible routing options that are available to the merchant.
Section 4.5.1 provides further information on this issue.
April 2014 VISA CONFIDENTIAL 25
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
3.5.3 Dynamic Reader Limits (Optional)
• Once the application has been selected, readers that support Dynamic Reader Limits
(DRL) examine the Application Program Identifier (Program ID) returned by the
application to determine the applicable reader limits for the transaction.
• When the Program ID returned by the card does not match a reader Program ID (or the
card does not return a Program ID), the reader processes the transaction using the
reader limits and results determined during Preliminary Processing.
3.5.4 Card Request Terminal and Transaction Data
• Once the application is selected, the Visa payWave card responds by requesting
information such as the transaction amount, TTQ, and the reader’s currency code for
use during the transaction. The reader responds with the requested information.
• Figure 1 below provides a processing overview of the card requesting terminal and
transaction data.
Figure 1: Card Requests Terminal and Transaction Data
• The TTQ advises the Visa payWave card of the reader’s requirements and capabilities
for processing the specific transaction as follows:
• Whether it supports qVSDC or MSD as well as whether it supports contact VSDC
• Whether it supports Signature, Online PIN, Offline PIN through the Contact Interface,
and/or Consumer Device CVM
NOTE: A Consumer Device CVM is a CVM that is performed on and validated by the
consumer’s payment device, independent of the reader.
• Whether cardholder verification is required for the transaction
• Whether the reader supports Issuer Update Processing
• In qVSDC transactions, the card uses the information provided in the TTQ to make risk
management decisions before responding to the reader.
April 2014 VISA CONFIDENTIAL 26
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
3.5.5 Transaction Terminated
• Rather than decline a transaction needlessly, if a Visa payWave transaction cannot be
completed as a contactless transaction, the contactless transaction is terminated and
may be processed as a physical contact chip or magnetic stripe transaction. If either the
card or the reader decides to terminate the transaction, the transaction is terminated and
the transaction may be completed using another interface (such as contact chip). In
these instances the reader should power down the contactless interface and direct the
cardholder to use the alternate interface.
• Terminated transactions differ from declined transactions because declined transactions
may not be reinitiated. The acquirer’s merchant environment may have specific best
practices or requirements for situations where it is preferred to terminate the transaction
and proceed with a contact interface.
3.5.6 Online Processing
• The reader indicates to the cardholder that the card can be removed from the reader’s
field. The reader uses the information provided by the card and transmits the transaction
to the acquirer.
• The reader sends the data from the transaction including the cryptogram, information
regarding the selected application and the interface used together with standard
transaction data to the acquirer. The acquirer then formats the corresponding VisaNet
authorization message including the relevant data fields. For qVSDC transactions the
following V.I.P. Field values are included:
• Field 22 – POS Entry Mode with a value of 07
• Field 23 – Card sequence number that uniquely identifies the card used to initiate the
transaction
• Field 55 – Including relevant Tags to support the Cryptogram, Form Factor Indicator
(Tag 9F6E) and if present in the card the Customer Exclusive Data (Tag 9F7C)
• Field 60.2 – Terminal Entry Capability with a value of 5 (contact or contact and
contactless chip capable terminal) or 8 (contactless chip capable terminal)
• VisaNet performs processing on the authorization message to determine if the issuer
participates in Visa Chip Authenticate. If not then authorization is sent directly to the
issuer.
• During a qVSDC transaction, the issuer validates the card using CVN 17, CVN 10, or
CVN 18. Based on the results of online card verification, along with other standard risk
management checks (such as ensuring that the card is not expired, and verifying that
the account is in good standing and has available funds), the issuer either approves or
declines the transaction in the authorization response.
April 2014 VISA CONFIDENTIAL 27
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• The authorization response is sent to the acquirer which logs the response and forwards
the response to the merchant terminal.
3.5.7 Transaction Outcome
• The reader conveys the issuer’s authorization response by displaying whether the
transaction is approved or declined. If approved, depending on Visa rules, the
transaction may not require a cardholder signature or a receipt.
3.6 MSD Transaction Flow
• During an MSD transaction, the consumer briefly holds their Visa card near the
contactless reader, instead of swiping or inserting it. The Visa payWave card is
embedded with an antenna and a chip. The chip, via the antenna, communicates with
the merchant’s contactless reader to conduct the transaction. The card and reader
exchange information in less than a half of a second and the transaction is processed
and completed.
• The transaction follows magnetic stripe processing and rules except that it includes
enhanced online card authentication using CVN 17 or dCVV. Depending on
requirements and rules, transactions below a certain defined value may not require
cardholder verification (signature or online PIN) or a receipt. Regional rules and
requirements define the Cardholder Verification Method for particular transactions.
Acquirers should contact their Visa representative for specific information. The following
sections outline the steps involved in a MSD transaction.
3.6.1 Application Selection
• Unlike qVSDC, MSD readers do not support preliminary processing but otherwise
Application Selection is identical to qVSDC transaction processing as defined in Section
3.5.2.
3.6.2 Card Request Terminal and Transaction Data
• Once the contactless application is selected, the Visa payWave card requests
information from the reader to use during the transaction by sending the Processing
Options Data Object List (PDOL) to the reader. The reader responds with the requested
information.
• The information includes the transaction amount, the reader’s capabilities and
requirements in the Terminal Transaction Qualifiers and other transaction data. The card
uses the TTQ to ascertain the capabilities of the reader including whether the reader
supports MSD CVN 17. After reviewing the TTQ, the card completes its part of the MSD
transaction by sending data to the reader such as the Track 2 data and a CVN 17
cryptogram. The reader then indicates to the cardholder that the card can be removed
from the reader’s field.
• Acquirers must support qVSDC and MSD CVN 17 and continue to support dCVV (MSD
Legacy) until 1 January 2015.
April 2014 VISA CONFIDENTIAL 28
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• After the exchange, the reader prompts the cardholder to remove the card from the
reader’s field.
3.6.3 Online Processing
• The reader sends the data from the transaction including the cryptogram to the acquirer.
If the transaction is to be routed to VisaNet the acquirer then formats the corresponding
VisaNet authorization message including the relevant data fields. For MSD transactions
the following V.I.P. Field values are included:
• Field 22 – POS Entry Mode with a value of 91.
• Field 23 – Card sequence number that uniquely identifies the card used to initiate the
transaction (If personalized on the card this field must be present in the authorization
message)
• Field 55 – Including relevant Tags to support the Cryptogram, Form Factor Indicator
(Tag 9F6E) and if present in the card the Customer Exclusive Data (Tag 9F7C)
• Field 60.2 – Terminal Entry Capability with a value of 8 (contactless chip capable
terminal)
NOTE: For MSD transactions where a dCVV (MSD Legacy) card was used, Field 23
and Field 55 will not be sent in the authorization message.
• VisaNet performs processing on the authorization message to determine if the issuer
participates in Visa Chip Authenticate. If not then the authorization request message is
sent directly to the issuer.
• The issuer (or Visa, on the issuer’s behalf) performs enhanced online card
authentication using CVN 17 or validates the dCVV if a legacy card was used. The
authorization response is determined by the cryptogram results along with other
standard risk management checks such as checking the cardholder’s Online PIN, if
applicable, ensuring that the card is not expired, and making sure that the account is in
good standing and has available funds. The issuer sends the authorization response to
the reader.
3.6.4 Transaction Outcome
• The acquirer formats the issuer response and forwards it to the terminal. The terminal or
reader conveys the issuer’s authorization response by displaying whether the
transaction is approved or declined. If approved, depending on Visa rules, the
transaction may not require a cardholder signature or a receipt.
• If the transaction is approved, it is later submitted as part of clearing and settlement.
April 2014 VISA CONFIDENTIAL 29
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
3.7 Visa payWave for Mobile
• Visa payWave for mobile brings the contactless payment experience to the mobile
device through support of the Visa Mobile Contactless Payment Specification (VMCPS).
The Visa payment application developed to VMCPS is called Visa Mobile Payment
Application (VMPA).
• From the acceptance perspective, mobile devices containing a VMPA can be accepted
in any version of contactless readers that are developed to different versions of the Visa
Contactless Payment Specification (VCPS); for instance Version 2.1 including all
published updates and EMV Contactless Kernel 3. Visa payWave transactions that
originate from mobile devices have the same processing requirements as Visa payWave
transactions that originate from cards. There is no difference between a card and a
mobile Visa payWave transaction from the point of view of the transaction processing,
authorization, and settlement data that is passed through V.I.P. and BASE II systems.
•
•
April 2014 VISA CONFIDENTIAL 30
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
4 Visa’s Chip Terminal and Reader Requirements
• This Section describes the requirements for deploying EMV-compliant Visa Smart
Debit/Credit (VSDC) terminals and Visa Contactless Payment Specification (VCPS)-
compliant contactless readers. These are terminals and readers that meet the security,
interoperability and functionality requirements outlined in the EMV Specifications, VCPS
and comply with Visa’s terminal requirements.
• The focus is on requirements for online-only terminals. Some of the functions discussed
in Section 2 and Section 3 relating to VSDC and VCPS processing are not covered in
the following sections as they do not require action by acquirers and should be built into
EMV-compliant terminals. Acquirers considering support for offline processing, for
example, support for offline authorization, should review the global VSDC Acquirer
Implementation Guide.
• An overview of each function requiring action by acquirers is provided in the following
sections. Further details can be found in the EMV Specifications, VCPS and in the Visa
Transaction Acceptance Device Requirements. Acquirers should work with vendors to
outline the support vendors will provide and the activities that should be handled
internally by acquirers.
4.1 Terminal Types
• A number of different terminal types are defined in the EMV Specifications as outlined in
the table below. Depending on the nature of the merchant, its location and profile,
acquirers can determine which type better supports the merchant’s requirements.
Selection of the type is also dependent on the nature of the domestic market.
• The U.S. market is a zero floor-limit market, meaning all transactions need to be
authorized online by the card issuer in order to protect the acquirer from liability.
Therefore, it is expected that most U.S. acquirers and merchants will deploy online-only
terminals and not offline capable terminals.
• Acquirers may deploy terminals that are offline capable but any offline processing is at
the acquirer’s risk and accordingly may increase its liability. Acquirers considering this
option should review the global VSDC Acquirer Implementation Guide requirements for
offline capable terminals.
Table 1: EMV and VSDC Terminal Types
T
YPE
D
ESCRIPTION
Offline/online
terminals Capable of processing both offline and online transaction authorization.
For example, an online capable terminal with a floor limit above zero will
execute both offline and online transactions.
April 2014 VISA CONFIDENTIAL 31
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
T
YPE
D
ESCRIPTION
Online-only
terminals Cannot approve transactions offline. For authorization processing, the
transaction must be sent online to the issuer. These terminals may,
however, decline transactions offline. For example, under EMV, ATMs
are considered online-only terminals.
It is expected that most U.S. acquirers will deploy online-only terminals
since all transactions in the U.S. need to be authorized online.
Online-capable
terminals Includes online-only terminals, as well as offline/online terminals.
•
NOTE: Offline PIN processing is not directly related to online or offline authorization.
For example, offline PIN processing may be performed for online authorized
transactions.
4.2 Application Identifiers (AIDs)
• The terminal must contain the Application Identifiers (AIDs) for all chip payment
applications that it supports. If the terminal cannot match one of its AIDs with an AID
from the card, a chip transaction cannot be completed. The AID consists of two
components:
• Registered Application Provider Identifier (ISO RID) – indicates the payment system.
Visa owned RIDs are:
o The Visa ISO RID is A000000003
o The Visa US Common Debit RID for debit and prepaid products covered by the
unaffiliated network requirements of the Dodd-Frank Act and Federal Reserve
Board Regulation II is A000000098
• Proprietary Application Identifier Extension (PIX) – indicates the application.
o The Visa globally interoperable PIXs are listed in Section 4.2.1
• The AIDs used for Visa globally interoperable cards use the Visa ISO RID and are
outlined in the following:
• Table 2: Application Identifiers (AIDs) for Visa ISO RID by product type.
• The PIX used to define the Visa US Common Debit AID is listed in Table 3: Application
Identifier (AID) for Visa US Common Debit AID.
• The AID used for debit and prepaid products covered by the unaffiliated network
requirements of the Dodd-Frank Act and Federal Reserve Board Regulation II is defined
in Table 3: Application Identifier (AID) for Visa US Common Debit AID.
April 2014 VISA CONFIDENTIAL 32
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
4.2.1 Visa AIDs
• The AIDs used for Visa globally interoperable cards uses the Visa ISO RID and are
outlined below.
Table 2: Application Identifiers (AIDs) for Visa ISO RID
A
PPLICATION
RID
+
PIX
Visa (e.g., Visa Credit or Visa Debit) A000000003 1010
Visa Electron A000000003 2010
Visa Interlink A000000003 3010
PLUS A000000003 8010
•
4.2.2 Visa US Common Debit AID
• The AID used for debit and prepaid products covered by the unaffiliated network
requirements of the Dodd-Frank Act and Federal Reserve Board Regulation II is defined
below.
Table 3: Application Identifier (AID) for Visa US Common Debit AID
APPLICATION RID + PIX
Visa US Common Debit A000000098 0840
•
4.2.3 Rules for Visa AIDs
• An Application Selection Indicator associated with each terminal AID designates whether
the terminal AID must exactly match the card AID or whether the terminal AID may
match only the first portion of the card AID (partial selection). For Visa AIDs, this
indicator must be set to allow partial selection.
• All terminals accepting Visa must support the Visa AID.
• All POS contact chip terminals that contain the Visa AID must also contain the Visa
Electron AID if the merchant accepts Visa Electron magnetic stripe cards.
• All POS terminals accepting Visa Interlink must support the Visa AID, Visa Interlink AID
and the Visa US Common Debit AID.
• Acquirers should take care in using the AIDs listed above. Terminals must not use only
the Visa ISO RID (i.e. without a PIX) with Partial AID Selection for Application Selection
as some cards may contain ISO RID+PIX combinations for domestic applications that
are not valid in other countries.
April 2014 VISA CONFIDENTIAL 33
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Note that in addition to the AIDs beginning with the Visa ISO RID, Visa cards may
contain one or more non-Visa AIDs – some AIDs may represent specific network or
routing options, others may be for non-payment functions or domestic applications from
another country.
• Note that ATMs may have different rules for presence of AIDs.
4.2.4 Implementation Activities
• Acquirers should determine which AIDs to support in their terminals depending on the
card programs accepted.
• If a merchant accepts Visa cards, they must support the Visa AID.
• Online capable terminals must also support the Visa Electron AID.
• If a merchant accepts Visa Interlink cards, they must support the Visa AID, the Visa
Interlink AID, and the Visa US Common Debit AID. Visa Interlink can only be accepted
at terminals capable of processing online transactions with online PIN verification.
4.3 Language
• Acquirers must decide the languages their terminals will offer to customers. EMV-
compliant terminals may display messages in multiple languages. At least one language
must be supported.
4.3.1 Implementation Activities
• Acquirers should ensure that terminals always display messages in English. If customers
in specific locations speak other languages or are frequented by international visitors,
acquirers may want to consider support for additional languages.
4.4 VSDC Requirements
• The following sections outline the requirements relating to acceptance of contact chip
VSDC cards. Requirements relating to acceptance of Visa payWave cards are outlined
in Section 4.5 Visa payWave Reader Requirements.
4.4.1 Contact EMV Application Selection
• When a VSDC card is presented to a terminal, the terminal determines which
applications are supported by both the card and terminal by comparing the Application
Identifiers (AIDs) on the card with the AIDs maintained by the terminal. The terminal
builds a list of the applications jointly supported by the card and terminal using either the
Directory Selection Method or the List of AIDs Method. Support for the Directory
Selection Method is optional for the card and terminal, while the List of AIDs Method is
mandatory.
April 2014 VISA CONFIDENTIAL 34
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• If both the card and terminal support the Directory Selection Method, the terminal reads
a list of the payment applications maintained on the card from the Payment Systems
Environment (PSE) file. The terminal compares the applications listed in the card PSE to
the applications it supports and builds the Candidate List, which is the terminal's internal
list of applications jointly supported by the card and terminal. If the card does not have a
PSE or the terminal does not support the Directory Selection Method, the terminal uses
the List of AIDs Method.
• With the List of AIDs Method, the terminal goes through its list of applications and asks
the card whether it also has the application. Common applications are put on the
Candidate List created by the terminal.
• Further information regarding both methods can be found in the EMV Specifications.
Additional information on application selection when the Visa US Common Debit AID is
present can be found in Section 4.4.3.
4.4.1.1 Implementation Activities
• The List of AIDs Method is mandatory and is supported by all terminals. All contact
EMV-compliant terminals include this functionality.
• Because the Directory Selection Method is optional, acquirers should evaluate its
benefits for the domestic environment. If either or both of the following factors are true,
acquirers may want to support the Directory Selection Method in addition to the List of
AIDs Method:
• If domestic issuers are planning to support the Directory Selection Method on their
cards; it will only be used when both the card and terminal support it. Otherwise, the
List of AIDs Method will apply.
• If the acquirer’s terminal supports many applications, increased efficiency may be
realized when the Directory Selection Method is implemented.
• Terminal vendors will cover development of application selection, so no internal
technical resources are required. If the Directory Selection Method is controlled by a
predefined parameter, acquirers should ensure that the Terminal Management System
accommodates that parameter.
4.4.2 Cardholder Application Selection/Confirmation
• Visa strongly recommends that merchants and acquirers implement cardholder
application selection at acceptance terminals so that cardholders can choose their
desired application for a transaction when their card supports more than one application.
NOTE: If a cardholder selects an AID to be used for the transaction then the transaction must
be processed using the selected AID unless the cardholder confirms that they accept a
different AID to be used. If a Visa AID that begins with the Visa ISO RID as defined in
Section 4.2.1 is selected, the transaction must be routed to VisaNet. An acceptance
terminal may support cardholder application selection by either of the following two
April 2014 VISA CONFIDENTIAL 35
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
methods when the acceptance terminal and the card support more than one
application in common
• The acceptance terminal displays all of the commonly supported applications to the
cardholder at once in the priority sequence specified by the issuer (recommended), or
• The acceptance terminal displays each commonly supported application to the
cardholder, one-by-one in the priority sequence specified by the issuer, and allows the
cardholder to confirm the displayed application or to advance to the next application.
• If more than one AID is mutually supported by the card and the terminal and the AID is
not chosen by the cardholder or the issuer, the terminal must clearly communicate the
selected application label of the AID to the cardholder.
• Further information regarding Application Selection can be found in Section 4.4.3 and
the EMV Specifications and the Visa Transaction Acceptance Device Guide.
4.4.2.1 Implementation Activities
• Visa strongly recommends that cardholder selection be implemented as some issuers
may require cardholder confirmation. If the acceptance terminal does not support this
function, it may not be possible to perform the transaction.
4.4.3 Contact Application Selection and Routing Options
To provide for multiple transaction routing options (as required for debit and prepaid
products covered by the unaffiliated network requirements of the Dodd-Frank Act and
Federal Reserve Board Regulation II), more AIDs may be present on a Visa card. When a
transaction is performed using an AID that begins with the Visa ISO RID as defined in
Section 4.2.1, then the transaction must be routed to Visa. (The application associated with
the Visa ISO RID AID is often simply referred to as the “Visa AID” to distinguish it from the
Visa US Common Debit AID.) Additional routing options may be supported by the presence
of the Visa US Common Debit AID or one or more non-Visa owned AIDs on the card, each
representing a different product with their own routing options.
NOTE: Not all Visa cards will support multiple AIDs, as some products will not support multiple
routing options. The presence of multiple AIDs in itself is not an indication that multiple
routing options are supported by the card, as the non-Visa AIDs could be non-payment
related or may relate to a non-US domestic payment system.
NOTE: Visa cards that support multiple AIDs, of which one supports multiple routing option(s)
for debit and prepaid, may also include a separate AID for a product that is not
covered by the Dodd-Frank Act and Federal Reserve Board Regulation I – for instance
a multi-application card with both credit and debit AIDs.
• As a result, merchants that prefer to determine the network to which a transaction is
routed will need to deploy specific logic in their terminals to ensure that the AID
corresponding to their preferred network is selected (otherwise the cardholder selection
or the hierarchy the issuer has specified on the card will determine the AID and
corresponding routing of the transaction).
April 2014 VISA CONFIDENTIAL 36
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• For terminals supporting Cardholder Application selection (see Section 4.4.2), there is
no need for any special logic as it will be the cardholder choice that defines the routing.
The Cardholder will choose an AID and thereby the possible networks to which the
transaction can be routed via the Application Label displayed during the Cardholder
Application Selection process.
• However for terminals not offering Cardholder Application selection, the terminal will
need to have a defined process to select amongst the AIDs present on the card and
have the result of the selection process be communicated to the cardholder.
• In general for terminals not offering Cardholder Application selection, the Application
Priority Indicator returned by the card for each AID should be used to decide a specific
routing option by selecting the AID having an Application Priority Indicator with the
highest priority.
• If a terminal does not offer Cardholder Selection or does not use the Application Priority
Indicator method, as described in Appendix D Standard EMV Terminal Logic, the
terminal must include specific logic to determine the AID and routing. This logic and the
process for determining the AID is as defined in Appendix E.1 Contact Terminal
Application Selection/Routing Option Logic. For such terminals, it is necessary to
understand whether the card product represented by an AID allows the merchant to
control the transaction routing.
• For terminals connected to acquirer networks, where the acquirer processor decides the
routing option, the terminal may need to transport to the acquirer some indication of the
selected AID (for example the AID itself) to be able to recognize routing limitations as
defined by the selected AID (e.g., for a Visa AID that begins with the Visa ISO RID as
defined in Section 4.2.1).
NOTE: It is important to communicate to the cardholder the Application Label selected,
otherwise the cardholder may wrongly assume what rights and benefits are available
for the transaction. Chargeback rights, rewards and sweepstakes entry are examples
of the rights and benefits cardholders may expect to receive as part of their banking
relationship. These benefits and rewards may differ depending on the selected AID
and routing option. If these rights and benefits are expected by the cardholder but are
not honored by the merchant, consumer dissatisfaction with the payment experience at
that merchant may result.
4.4.3.1 Implementation Activities
• As outlined in Section 4.4.2.1, Visa recommends that acquirers and merchants support
cardholder selection in which case routing options will follow cardholder selection and
eliminate the need for special terminal logic.
April 2014 VISA CONFIDENTIAL 37
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• If the terminal does not offer Cardholder Selection or apply Application Priority Indicator
as described in Appendix D Standard EMV Terminal Logic, the acquirer may need to
request the terminal vendor to support the logic as described in Appendix E.1 Contact
Terminal Application Selection/Routing Option Logic. Also the acquirer needs to ensure
that terminals are equipped to determine whether a specific product allows the merchant
to control the transaction routing. In order to make this determination, the acquirer will
need to receive an indication of which AID was selected at the terminal.
4.4.4 Processing Restrictions
• The terminal performs Processing Restrictions to see whether the transaction should be
allowed. The terminal checks whether the effective date for the card has been reached,
the card has not expired, the application versions of the card and terminal match, and if
any Application Usage Control restrictions are in effect. An issuer may use Application
Usage Controls to restrict a card’s use for domestic or international transactions, as well
as cash, goods and services or cash-back.
• Processing Restrictions is a mandatory feature in EMV and must be performed by all
terminals. Further information about processing restrictions may be found in the EMV
Specifications.
4.4.4.1 Implementation Activities
• Acquirers do not need to undertake any specific activities relating to Processing
Restrictions. They should ensure that their terminal vendor has loaded the correct
Application Version Number in the terminal, which corresponds to the most current
version of VIS.
4.4.5 Cardholder Verification
• Cardholder verification is used to ensure that the cardholder is legitimate and the card
has not been lost or stolen. The terminal uses a CVM List from the card to determine the
type of verification to be performed, for example, signature or online PIN. The CVM List
establishes a priority of CVMs to be used relative to the capabilities of the terminal and
characteristics of the transaction.
• Certain terminal types, as defined by Visa (e.g., ATMs), require an online PIN entry even
when the card’s CVM List does not include it. The table below lists the most common
types of CVMs supported by terminals in the U.S. market. Acquirers may also determine
whether support for other EMV provided CVMs, for example, offline PIN, would be
advantageous.
April 2014 VISA CONFIDENTIAL 38
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
Table 4: Types of Cardholder Verification Methods
CARDHOLDER
VERIFICATION METHOD DESCRIPTION
Signature Normally, operates in the same manner as in the magnetic stripe
environment. The cardholder signs the transaction receipt and
the merchant compares this signature to the signature on the
card. Signature support may be implemented by selecting the
Visa AID (see Appendix D) or via special processing (see
Appendix E)
Online PIN Operates in the same manner as in the magnetic stripe
environment. The cardholder-entered PIN is encrypted by the
terminal and is sent online to the issuer for verification.
No CVM Required Operates in the same manner as in the magnetic stripe
environment where transaction authorization is independent of
cardholder verification. No cardholder verification is currently
allowed for low value transactions in some merchant
environments, such as certain unattended terminals, quick
service restaurants and qualifying VEPS transactions.
Fail CVM Processing This is a catch-all option to ensure CVM processing is deemed to
have failed. EMV requires that this CVM is always supported.
• From a VSDC perspective, it is mandatory that terminals perform Cardholder Verification
by reviewing the card’s CVM List, if present, to determine the verification method for the
transaction.
• The specific CVMs supported by terminals are based on business needs, types of card
programs accepted and Visa mandates. The following general guidelines are provided to
assist acquirers to determine the types of CVMs to support at their POS terminals1.
• Signature must continue to be supported as the default for international Visa and Visa
Electron card transactions, as well as domestic transactions (except for Visa Interlink
and Unattended Cardholder Activated Terminals (UCATs)). Signature support may be
implemented by selecting the Visa AID (see Appendix D) or via special processing (see
(see Appendix E).
• Online PIN for chip transactions is not mandatory for POS, but may be necessary where
the terminal already supports online PIN verification to preserve support of existing
programs.
• Dual-interface terminals that support online PIN for contact chip should also support
online PIN for contactless transactions.
• Card acceptance terminals need to support a minimum level of cardholder verification,
as determined by Visa.
1 Note that for ATMs, there are different guidelines for CVM
April 2014 VISA CONFIDENTIAL 39
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Transactions that qualify under the VEPS program do not require cardholder verification
unless required under Visa rules. Acquirers should refer to the Visa International
Operating Regulations for requirements relating to VEPS including transaction value
limits.
4.4.5.1 CVM List Processing Exceptions
• Terminals need to support a minimum level of cardholder verification, as determined by
Visa or by law, even when the card does not support CVM processing, no CVM List is
present, or the last CVM processed in the CVM List is No CVM Required. If CVM
processing does not result in the required CVM, the terminal may additionally perform
the default CVM designated in the Visa Operating Regulations or in law for the terminal
and transaction type. This may be accomplished through use of selectable kernels or, in
some cases, code outside of the kernel.
• Alternatively, if the terminal determines that CVM Processing has failed (for example,
when the cardholder is unable to enter a PIN and the CVM list only supports PIN entry),
the transaction is sent online and the issuer responds with an approval, Visa
recommends that:
• The terminal prints a signature line on the receipt, and
• The terminal prompts the merchant to request a signature.
• If a specific CVM is required for certain transactions (e.g., cash-back or low value
transactions), the EMV concept of selectable kernels can be used to suppress certain
CVMs for a specific transaction. See Section 4.4.6 for further details.
NOTE: Merchants should carefully consider the impact of using the selectable kernel feature,
which could lead to PIN being the only option offered to a cardholder. Some
cardholders may be unable to enter the PIN at the POS terminal, or unwilling to do so
due to security concerns or certain disabilities. Terminals may therefore need to
support functionality that allows merchants to offer an alternative CVM for such
cardholders in accordance with merchant protection and local, state or federal disability
legislation. This functionality may, in effect, reverse the logic of the selectable kernel
for such situations.
4.4.5.2 Implementation Activities
• Acquirers need to determine the CVMs to implement at the terminal level, based on Visa
applicable requirements. Some other factors acquirers should consider include:
• If an acquirer decides to implement signature and PIN, Visa recommends that the
terminal omit printing of the signature line on those transactions that are PIN-based and
instead print “Verified by PIN” or “PIN verified” in place of the signature line. In addition,
acquirers should educate merchants to expect that the CVM will vary among
transactions and the terminal will prompt some cardholders for a PIN and others for a
signature.
April 2014 VISA CONFIDENTIAL 40
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• PIN Entry Devices (PEDs) or PIN pads must conform to PCI PIN Transaction Security
(PTS) requirements. If the PED has been integrated with the card-reading terminal, the
entire terminal must meet the security requirements. Refer to Section 6.5 Payment Card
Industry Requirements.
4.4.6 Cardholder Verification and Selectable Kernels
• In order to support the use of Cardholder Verification methods that vary based on
transaction characteristics, it is necessary for a terminal supporting cash-back or the
VEPS program to support Selectable Kernel processing (see Section 8.4.2 Configurable
and Selectable Kernels). This process ensures that the appropriate CVM is requested
for the transaction, by invoking a terminal kernel that only supports the CVM appropriate
to the transaction. The principle in using selectable kernels for Cardholder Verification is
outlined in Appendix E Contact CVM Processing and Selectable Kernels Logic.
4.4.6.1 Implementation Activities
• Acquirers supporting cash-back or VEPS need to ensure that their terminals support
selectable kernels and that they can be configured to support the necessary CVM
selection for a specific transaction.
4.4.7 Terminal Risk Management
• Terminal Risk Management consists of a series of checks to protect the acquirer, issuer
and system from potential fraud. The nature of online-only terminals means that all
transactions have to be approved by the issuer and the functions in Terminal Risk
Management are not necessary.
• Acquirers may consider supporting Floor Limit checking although the U.S. is a Zero
Floor Limit market, which results in all transactions going online. If Floor Limits are
supported, to provide maximum flexibility, Visa suggests that acquirers set up devices to
support the following limits, even if the values for magnetic stripe and chip transactions
are currently the same:
• International Floor Limit for magnetic stripe transactions
• International Floor Limit for chip-initiated transactions
• Domestic Floor Limit for magnetic stripe transactions
• Domestic Floor Limit for chip-initiated transactions
4.4.8 Terminal Action Analysis
• Terminal Action Analysis is mandatory and uses the results of Processing Restrictions,
Terminal Risk Management, and Cardholder Verification, as well as rules set in the card
and terminal, to determine whether the transaction should be approved offline, sent
online for authorization, or declined offline.
April 2014 VISA CONFIDENTIAL 41
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• After determining the disposition of the transaction, the terminal requests an Application
Cryptogram from the card, corresponding to the transaction disposition:
• Authorization Request Cryptogram (ARQC) – Online authorization
• Application Authentication Cryptogram (AAC) – Offline decline
• The card rules are set in Issuer Action Codes (IACs) fields, which are read by the
terminal from the card. The Visa rules are stored in the terminal as Terminal Action
Codes (TACs).
• Issuer Action Codes (IACs): Card-based rules the terminal uses during terminal action
analysis. IAC values are defined by the issuer and stored in the card. There are three
types of IACs: IAC – Denial, IAC – Online, and IAC – Default.
• Terminal Action Codes (TACs): Terminal-based rules for Terminal Action Analysis. TAC
values are mandated by Visa and must be supported. There are three types of TACs:
TAC – Denial, TAC – Online, and TAC – Default. The Visa TACs are defined in the Visa
Transaction Acceptance Device Requirements.
• An online-only terminal always attempts to go online with the authorization request,
unless declined offline due to IAC – Denial settings. During IAC – Denial and TAC –
Denial processing, if a Terminal Verification Results (TVR) bit is set and the
corresponding IAC – Denial or TAC – Denial bits are set (or it is set in both), the
terminal declines the transaction. The only relevant TAC setting for a transaction at an
online-only terminal is “Service not allowed.”
• An online-only terminal may perform or omit IAC – Online and TAC – Online processing
and IAC – Default and TAC – Default processing. For IAC – Online and TAC – Online
processing, if performed, the only relevant TVR setting for an online-only terminal is
“Transaction value exceeds the floor limit.”
• Because the floor limit is set to zero, the transaction always goes online and all other
values in TAC – Online or IAC – Online are irrelevant. The IAC – Default and TAC –
Default processing, if performed, will always cause a transaction to be declined if an
online authorization could not be performed.
• Visa recommends that online-only terminals do not perform IAC – Online and TAC –
Online processing, as all transactions are sent online for approval. If the terminal is
unable to go online, the terminal may either:
• Approve the transaction at the acquirer/merchant’s risk and subsequently perform a
deferred authorization.
• Request an AAC to decline the transaction and notify the cardholder that the service
cannot be performed due to a communication failure.
• If the terminal and card determine that the card was to be declined offline, the
transaction is not sent online and the card generates an AAC.
April 2014 VISA CONFIDENTIAL 42
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• For transactions initiated with the Visa US Common Debit AID, the same online only
terminal action analysis principles apply. The terminal may omit TAC/IAC-Online and
TAC/IAC-Default processing, eliminate the associated TAC-Online and TAC-Default
values, and always request to go online with an ARQC. However, if TAC/IAC-Online or
TAC/IAC-Default processing is performed, the TAC-Online and TAC-Default values must
be 0xFFFFFFFFFF.
4.4.9 Implementation Activities
• Acquirers should ensure that terminal vendors have loaded the Visa TACs correctly.
Information regarding the TACs should also be provided to merchant service and
technical areas to ensure they are used when troubleshooting or reviewing terminal
problems.
4.4.10 Online Processing
• The outcome of Terminal Action Analysis (and corresponding Card Action Analysis) will
be for the transaction to be sent online or declined offline. If the transaction is to be sent
online, the card returns a set of data including the Authentication Request Cryptogram
(ARQC) which will be used by the issuer to determine whether the transaction is coming
from a valid card.
4.4.10.1 Implementation Activities
• Acquirers need to determine the requirements for sending transactions online. Further
information regarding the authorization message requirements can found in Section 9:
Acquirer System Changes.
4.4.11 Completion
• The card and terminal perform final processing to complete the transaction.
• When the online authorization is successfully completed, a final Application Cryptogram
is generated by the card. The card uses the transaction disposition, Issuer
Authentication results and issuer-encoded to determine whether to return a TC or an
AAC.
• Although terminals are not required to retain the cryptogram (TC or AAC) for online-
approved transactions at single-message (SMS) or host-capture terminals, the terminal
must request the final cryptogram to allow the chip card to complete Issuer
Authentication to avoid unnecessary online requests during subsequent POS
transactions.
• A reversal must be generated for online approved transactions that are subsequently
declined by the card.
April 2014 VISA CONFIDENTIAL 43
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• For terminal-capture terminals, the terminal transmits the TC and the related cryptogram
data in the clearing message. SMS and host-capture acquirers may transmit the ARQC
and the related cryptogram data in the clearing message, if the authorization code
returned by the issuer is included.
• If during processing the terminal needs to terminate the transaction, the terminal must
display a message to the cardholder and merchant indicating why the transaction cannot
be completed and that the card should be removed.
4.4.12 Implementation Activities
• Acquirers need to determine the requirements for transmitting or storing the final
Application Cryptogram especially if they are considering supporting offline transactions.
• Acquirers should also review changes required to reverse a transaction when the card
declines the transaction after the issuer has approved it.
NOTE: For submitting offline clearing transactions see Section 9.3 Host System Changes.
4.5 Visa payWave Reader Requirements
4.5.1 Application Selection and Routing Options
• To provide for multiple transaction routing options on debit and prepaid products covered
by the unaffiliated network requirements of the Dodd-Frank Act and Federal Reserve
Board Regulation II, more AIDs may be present on a Visa payWave enabled product.
When a transaction is performed using an AID that begins with the Visa ISO RID as
defined in Section 4.2.1, the transaction must be routed through Visa. Additional routing
options may be supported by the presence of the Visa US Common Debit AID or one or
more non-Visa owned AIDs on the consumer device, each representing a different
routing option. Alternatively additional routing options may be supported via use of the
contact chip or physical magnetic stripe of a contactless card.
• Contactless transactions do not support Cardholder Application Selection in the same
way as contact chip transactions due to the minimal interaction between the contactless
reader and the consumer device. Instead the reader will always select the highest
priority AID on the consumer device.
• Merchants that prefer to control the network to which a transaction is routed will need to
deploy specific logic in their readers/terminals to ensure that the AID corresponding to
their preferred network is selected. Since contactless application selection – again due
to the short interaction between reader and card – does not have a special "elimination
process" for AIDs, the special logic needs to take place before the standard contactless
application selection process begins. The special logic necessary to provide merchant
reader control over AID selection does not impact the standard contactless kernel, but
will take place in a separate reader application executed before the normal contactless
transaction flow begins. The logic for such a "pre-select" reader application is as defined
in Appendix E Contactless Reader Application Selection and Routing Option Logic.
April 2014 VISA CONFIDENTIAL 44
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Only readers that are not using the standard application selection process (based on
Application Priority Indicator) need the special logic.
• For such terminals, it is necessary to understand whether the card product represented
by an AID is eligible for merchant controlled routing. If so, this can be achieved by
maintaining a BIN-table/routing table on the terminal or within the merchant system, or
by asking the cardholder for an indication of the chosen product (e.g., via a dedicated
button on the terminal).
• For terminals connected to acquirer networks where the acquirer processor decides the
routing option, the terminal must transport to the acquirer sufficient information for the
acquirer to perform the actual routing (for example the AID used for a qVSDC
transaction).
NOTE: It is important to communicate to the cardholder the Application Label selected,
otherwise the cardholder may wrongly assume what rights and benefits are available for
the transaction. Chargeback rights, rewards and sweepstakes entry are examples of the
rights and benefits cardholders may expect as part of their banking relationship. These
benefits and rewards may differ depending on the selected AID. If these rights and
benefits are expected by the cardholder but are not honored by the merchant, consumer
dissatisfaction with the payment experience at that merchant may result.
4.5.2 Transaction Speed
• Visa payWave transactions are designed to be fast. Interaction between the card and
the reader for both MSD and qVSDC must not exceed 500 milliseconds.
NOTE: The 500-millisecond requirement is for "card-in-field" time, and does not include qVSDC
preliminary processing nor any processing after the reader has indicated that card read
is complete.
4.5.3 Terminal Transaction Qualifiers
• The Terminal Transaction Qualifiers (TTQ) is a data element provided by the terminal to
the card during Preliminary Processing. The card uses this information to understand the
terminal’s capabilities and requirements in deciding how to process the transaction.
• For qVSDC, the TTQ indicates:
• Whether the reader supports qVSDC.
• Whether the reader supports EMV contact chip.
• Whether the reader supports online processing.
• Whether the reader requests online processing.
• The Cardholder Verification Methods supported by the reader. This information can
either be the same for all transactions or be dynamically set on a transaction-by-
transaction basis.
April 2014 VISA CONFIDENTIAL 45
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Whether a CVM is required for the specific transaction.
• Whether the reader supports Issuer Update Processing.
• For the detailed layout of the TTQ, refer to VCPS.
• For MSD, the TTQ should indicate support for MSD and CVN 17 if the acquirer has
migrated and can support CVN 17 data. If the acquirer has not migrated and cannot
support CVN 17 data, this data element should not be set. (CVN 17 support is indicated
by setting the bit associated with “online cryptogram required.”) The TTQ does not
change based on the transaction. No other TTQ settings are required.
• The TTQs are defined by VCPS as a 4 byte field and acquirers need to ensure their
terminals are passing all 4 bytes to ensure issuers are able to process the transaction
correctly. Failure to do this may lead to interoperability problems.
4.5.4 Reader Limits – qVSDC
• The qVSDC reader performs preliminary processing to expedite the transaction. The
reader compares the transaction amount against one or more of the following limits:
• Reader Contactless Floor Limit: for U.S. region this limit is set to zero to ensure all
transactions are authorized by the issuer.
• Reader Cardholder Verification Method (CVM) Limit: transactions for amounts above
this limit require cardholder verification.
4.5.5 Reader Cardholder Verification Method – qVSDC
• The card and terminal work together to determine the cardholder verification requirement
for each transaction. On a qVSDC contactless transaction, the cardholder (or consumer
using a mobile device) is either able to complete the transaction without cardholder
verification or the cardholder provides a signature, enters an online PIN or enter a
passcode on his or her mobile phone.
• Step 1 – The reader determines if cardholder verification is required and provides CVMs
it supports to the card.
• The reader determines whether it requires cardholder verification for the transaction by
checking the transaction amount against the Reader CVM Limit. If the transaction
amount is above this limit, the reader requires cardholder verification; if it is below the
limit, the reader does not require cardholder verification. It also provides the card with
the reader-supported CVMs (signature, online PIN, No CVM) in the TTQ.
NOTE: Support for the Consumer Device CVM by the reader is required for readers supporting
VCPS 2.1 including all published updates.
• The reader has two approaches for providing the Cardholder Verification Methods it
supports to the card in the TTQ:
April 2014 VISA CONFIDENTIAL 46
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• The reader can provide the card with all the Cardholder Verification Methods it supports.
This is the simplest approach.
• The reader can tailor the Cardholder Verification Methods to each transaction. For
example, the device might accept No CVM for transactions below a specific amount
while requiring an Online PIN for specific transaction types (e.g., cash-back).
• Acquirers and merchants should be aware of these approaches when selecting a reader
as this may require additional vendor development.
• Note that signature support may be implemented by selecting the Visa AID see
(Appendix D) or via special processing (see Appendix E).
• Step 2 – Card determines if cardholder verification is required.
• The card reviews the TTQ. If the reader requires cardholder verification, the card cannot
override this. If the device does not require cardholder verification, the card determines
whether to require cardholder verification.
• Step 3 – If CVM is required, the card determines which CVM to use.
• If cardholder verification is required, the card reviews the CVMs supported by the device
and compares these methods to the ones it supports. If there is only one CVM in
common, the card selects that CVM. If there is more than one common CVM, the card
selects the first common CVM based on a predefined hierarchy/priority of contactless
CVMs. The CVM hierarchy is shown in order below:
• Online PIN
• Consumer Device CVM (only for mobile phones)
• Signature
• Step 4 – Card communicates CVM selection to reader.
• If a CVM is required, the card indicates the selected CVM to the reader in the Card
Transaction Qualifiers (CTQ).
4.5.6 Reader Cardholder Verification Method – MSD
• The terminal determines the cardholder verification requirement as per magnetic stripe
processing rules. The cardholder may be validated using one of the following methods:
• No cardholder verification. The cardholder does not have to sign the receipt or provide a
PIN. Some Visa environments allow transactions below a specific amount to take place
without cardholder verification.
• Signature
• Online PIN
April 2014 VISA CONFIDENTIAL 47
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
4.5.7 Expiration Date Check
• During a contactless transaction, the reader checks the expiration date in the Track 2
Equivalent Data to ensure that the contactless application is not expired. If the card is
expired, the reader declines the contactless transaction.
4.5.8 Online Card Verification
• Full-chip data acquirers must support either Cryptogram Version Number 17,
Cryptogram Version Number 10, or Cryptogram Version Number 18 for online card
verification of qVSDC transactions.
• Acquirers must support the data associated with CVN 17 in authorization messages for
online card verification of MSD transactions. Acquirers must also continue to support
dCVV (MSD Legacy) until 1 January 2015.
NOTE: MSD supports CVN 17, which is supported in qVSDC. CVN 10 and CVN 18 do not apply
to MSD.
NOTE: Regardless of the cryptogram type supported all chip data must be sent in Field 55 of
the authorization message.
4.6 Additional Requirements for VCPS 2.1
• In addition to the requirements listed in Section 4.5 Visa payWave Reader
Requirements, VCPS 2.1 introduces additional functionality which acquirers need to
consider. These additional items are listed in the sections below. For further details,
acquirers should refer to VCPS 2.1 including all published updates.
4.6.1 Consumer Device CVM (CDCVM)
• Contactless readers that support VCPS Version 2.1, including all published updates,
must enable support for a Consumer Device CVM. The Consumer Device CVM is a
CVM performed on the consumer's payment device (independent of the reader).
• Reader support for the Consumer Device CVM is mandatory, as is indication of its
support in the Terminal Transaction Qualifiers. In addition to supporting the Consumer
Device CVM, the reader may then support other CVMs such as signature and/or online
PIN.
4.6.2 Support for Pre-Tap
• As part of application processing, if a mobile device with Visa payWave capabilities is
being used, the device may respond to the reader with an error when a CDCVM is
required for the transaction and has not yet been performed. This is referred to as a Pre-
Tap. Once the consumer performs the CDCVM, the mobile device is re-presented to
complete the transaction.
April 2014 VISA CONFIDENTIAL 48
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
5 Additional Terminal Considerations
• In addition to the requirements outlined in Section 2, other considerations may apply to
terminals, along with optional features. This Section discusses these additional
considerations.
• The items in this Section are covered in more detail in the Visa Transaction Acceptance
Device Guide. Additionally, acquirers can discuss the requirements with their Visa
representative.
5.1 Magnetic Stripe Transaction Terminal Requirements
• Existing rules governing magnetic stripe transactions continue to govern transactions
performed at magnetic stripe terminals. These rules also apply to magnetic stripe
transactions performed at chip-reading terminals, including EMV-compliant terminals.
Acquirers should implement fallback policies and procedures at the point of transaction,
as well as support for new chip service code values. These policies and procedures are
only applicable to contact-only or dual-interface cards.
5.1.1 Service Codes
• The migration to chip has introduced new service code values. Visa chip cards must
contain a service code beginning with 2, indicating an international chip card, or 6,
indicating a domestic only usage chip card. Current Visa rules require all terminals to
recognize and act on the service code.
• Acquirers must ensure this new service code value will not cause a rejection at magnetic
stripe-only terminals. This is not a new rule, although it may require magnetic stripe
terminal software changes if terminals are not currently meeting this requirement.
• For further details, acquirers should refer to the Visa Operating Regulations.
5.1.2 Fallback
• Fallback transactions are non-chip transactions performed with chip cards at chip
terminals. EMV-compliant terminals must accept both chip and magnetic stripe cards
and have both a chip and magnetic stripe reader. When a chip card is accepted at these
terminals, the card should be read via the chip reader and not the magnetic stripe
reader.
• There are situations when the chip terminal cannot accept a chip card (for example
when the chip on the card is faulty or damaged or the terminal chip reader is
malfunctioning). When a chip card is accepted via its magnetic stripe, the resulting
transaction is referred to as a fallback transaction. These transactions are deemed less
secure because magnetic stripe acceptance circumvents the control and risk
management protection available with chip acceptance.
April 2014 VISA CONFIDENTIAL 49
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Unattended Cardholder Activated Terminals (UCATs) do not allow fallback beyond
magnetic stripe transactions. In addition, fallback is not permitted for declined
transactions.
• The Visa Operating Regulations state that chip cards must be accepted by the chip
reader unless the chip card or chip-accepting terminal is malfunctioning. In that case, the
transaction can be processed using the magnetic stripe. This rule must be followed for
international transactions and should be followed for domestic transactions.
• The Global Fallback Monitoring Program was introduced to help reduce excessive
international (and domestic) fallback transactions and to establish a global regulatory
framework for these transactions. The intent is to motivate the timely repair or
replacement of faulty equipment, and/or the correction of inaccurately flagged
transactions.
• The program identifies acquirer-country combinations with a ratio of international fallback
to international chip-capable transactions that exceeds the global average international
fallback ratio by one and one half times. Domestic fallback reporting can also use Global
Fallback Monitoring Program thresholds. POS activity is reported separately from ATM
activity. The program also identifies acquirer-country combinations that have fallback
activity nearing program thresholds, which allows acquirers to take proactive measures
to avoid exceeding thresholds.
• Acquirers may incur a fine for each fallback transaction over their allowance. Acquirers
should contact their Visa representative for more information regarding the Global
Fallback Monitoring Program and its application in the U.S. market.
5.1.2.1 Fallback Prevention and Processing
• Acquirers must have software in their terminals to request for the contact chip be used to
prevent fallback transactions. A special chip service code (2xx or 6xx) is encoded on the
magnetic stripe of chip cards. When the magnetic stripe reader reads a chip service
code, the terminal does not process the transaction but displays a message that the card
should be read by the using contact chip. This check helps to ensure that chip cards are
used for chip transactions at chip-reading terminals and minimizes the chance of
inadvertent fallback transactions.
• In a V.I.P. message, Terminal Entry Capability (Field 60.2), Service Code (Field 35 or
45) and POS Entry Mode (Field 22) are used to determine whether it is a fallback
transaction.
• According to the Visa Operating Regulations, after a chip read failure, the terminal must
send the next consecutive magnetic stripe read transaction online to the issuer,
indicating a fallback transaction. The fallback transaction must be identified by
populating the correct authorization message fields. If the transaction is not correctly
identified, the issuer may have recourse via a chargeback. See Section 9.3.1 Host
System Fallback Considerations and Section 11.4.2 Fallback Transactions for more
information about fallback.
April 2014 VISA CONFIDENTIAL 50
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• When online authorization is not available, the merchant may be given the option to
perform voice authorization to complete the transaction. If the magnetic stripe cannot be
read, or if an online authorization is not available, merchants can use existing card
acceptance and transaction processing procedures.
5.1.2.2 Fallback Implementation Activities
• Fallback implementation activities include:
• Follow the Visa Operating Regulations recommendations for fallback transactions.
• The terminal should contain logic between the magnetic stripe reader and chip reader to
invoke fallback if the chip cannot be read.
• Ensure that terminals do not indicate they are chip-capable until the terminal, merchant
and acquirer are fully chip functional and can send all the required chip data. Terminals
that indicate they are chip capable, while continuing to process only magnetic stripe
transactions for chip-capable cards, are a common reason for acquirers to be selected
for fines under the Global Fallback Monitoring Program.
• Monitor transaction activity for fallback. Excessive fallbacks can indicate failure of chip
reading hardware.
• There are also merchant education needs related to fallback. Refer to Section 12.7
Contactless Reader Branding and Placement for further details.
NOTE: A terminal’s capability must take into account both hardware and software, and should
only ever indicate a terminal’s true ability to process a payment transaction. If a terminal
has the hardware to read a chip but not the software to process the payment, it is not
considered chip-enabled because it cannot read and transmit full chip data. Acquirers
that are beginning to deploy hardware for chip terminals should continue to use the TEC
value of “2” until the terminal application is enabled to accept chip technology. Once the
application is enabled, the TEC should be updated to the value of “5.”
5.2 Card Data in Online Messages
5.2.1 Use of Track 2 Equivalent Data
• The terminal must always transmit the full, unmodified contents of the Track 2 Equivalent
Data in the chip to the acquirer including the Issuer Discretionary data. The terminal
should not construct the data in the magnetic stripe field in the online authorization
message based on the individual data elements in the magnetic stripe or chip. The
device should also ensure that if a transaction is processed as magnetic stripe, the track
data used in the transaction is read from the magnetic stripe and correspondingly, if a
transaction is processed as chip, the track data used should be read from the chip.
NOTE: For more information on Track Data, refer to the Visa Contactless Payment
Specification.
April 2014 VISA CONFIDENTIAL 51
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• The Track 2 Equivalent Data in the chip also contains critical information relating to the
card being used, which an issuer may rely upon to authorize a transaction.
• Because the data on the chip may differ from the data on the magnetic stripe, the POS
Entry Mode Code field (V.I.P. Field 22) in the online authorization message that
indicates the source of the track data (magnetic stripe or chip) must be accurate to avoid
unnecessary declines.
NOTE: For either VSDC or qVSDC transactions Track 1 is not supported in the authorization
message.
5.2.2 Form Factor Indicator
• Dual-interface terminals will need to pass the Form Factor Indicator (Tag 9F6E) in V.I.P.
Field 55 for a Visa payWave transaction, if present.
5.2.3 Selected AID
• Terminals that support a merchant controlled option on eligible products will need to
pass information of the selected AID (for instance the AID itself) to the acquirer (or
routing decision maker) in order for the acquirer to determine eligible routing options for
the transaction.
5.3 Support for up to 19 Digit PANs
• Both the Visa Operating Regulations and the EMV Specifications require that all chip
terminals that accept Visa and Visa Electron cards must support variable-length PANs
up to and including 19 digits. The terminal is not required to transmit the 19-digit PAN to
the acquirer and the acquirer is not required to transmit the 19-digit PAN to VisaNet,
unless explicitly mandated, such as for Plus transactions. If the acquirer does not
support 19-digit PANs and a 19-digit PAN is read from the chip, the terminal should
indicate that the card type is not supported and end the transaction.
5.4 Terminal Display Messages
• Terminal messages are displayed to let the merchant or cardholder know the status of a
transaction and what action to take next. To ensure clear and effective transaction
messages, acquirers and terminal vendors should follow a few basic principles,
including:
• The message displayed must clearly instruct the merchant or cardholder on what action
to take.
• Where the message is based on an issuer response, the message should clearly
communicate the meaning of the response.
April 2014 VISA CONFIDENTIAL 52
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• It is recommended that the transaction amount should be displayed to the customer prior
to PIN entry. The cardholder should be prompted to confirm the transaction amount; PIN
entry is an acceptable method of confirmation. If PIN entry is requested before the
transaction amount is known for throughput reasons, an explicit amount confirmation
message should be displayed to the cardholder once the amount is known.
• The message displayed must clearly indicate the status of the transaction. Once the
status of the transaction is determined, the terminal must be able to communicate the
next action. Clear instructions are especially important when an error occurs and the
transaction is terminated. In this case, the transaction message should not indicate a
“decline” but rather that an error has occurred. Error messages for chip transactions
should be closely aligned with messages for magnetic stripe transactions. Messages for
magnetic stripe transactions should be upgraded if they do not already meet these
principles.
• For contactless transactions, the terminal or the reader should have visual and audible
indicators to assist the cardholder. Visual indicators may take the form of LEDs or a
display that allows a graphical representation of indicators.
• For more information and recommendations regarding terminal messages refer to the
Visa Transaction Acceptance Device Guide or alternatively the EMV Contactless
Specifications, Book A, Architecture and General Requirements which is available from
www.emvco.com. This guide includes a list of suggested terminal messages .
5.5 PIN Length and Character Set
• The minimum PIN length is 4 digits. PEDs must be able to accept online PINs of 4, 5,
and 6 digits2,3.
• PEDs may visually indicate that a digit has been entered, such as with an asterisk (*).
This visual indication should occur for each digit entered by the cardholder. For example,
a PED should not display only four asterisks when six digits have been entered.
Similarly, if audible tones are used, the tone should be generated each time that a digit
is entered. The tone must be the same regardless of the digit entered.
• The PIN character set is 0
−
9.
5.6 Cardholder Receipt Requirements
• EMV and Visa require that the terminal should always print the AID and Application
Label (or Application Preferred Name) on the receipt.
• Receipts are optional for transactions up to the VEPS limit. For transactions above this
limit, terminals must generate a receipt.
2 Note that for ATMs, there may be different requirements for PINs.
3 PCI PTS requires support for up to 12-digit PINs.
April 2014 VISA CONFIDENTIAL 53
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Further information regarding receipts can be found in the Visa Transaction Acceptance
Device Guide. Further information regarding VEPS can be found in the Visa Easy
Payment Service – Acquirer Program Guide.
5.7 Transaction Routing
• Final routing decision of a specific transaction is normally determined in the same
manner as it is for magnetic stripe transactions, which is primarily through the use of BIN
tables. However for chip transactions, the choice of routing possibilities at the acquirer
level may be constrained by the AID used for the transaction as decided during
application selection (see Section 4.4.3 or 4.5.1)4.
• For a chip transaction that has been initiated from a Visa AID that begins with the Visa
ISO RID as defined in Section 4.2.1, the transaction must be routed to a Visa processing
network, but the actual Visa processing network utilized for the transaction will be
defined by the acquirer typically via the use of BIN tables.
• This means that a transaction may be initiated from any Visa AID as defined in Section
4.2.1, but the transaction could be routed to a specific Visa affiliated network. Some
examples of this behavior are:
• A transaction initiated using the Visa AID on a Visa/Interlink card can be routed to either
the Visa network or the Visa Interlink network.
• A transaction initiated using the Visa AID on a Visa card can be routed to either the Visa
network or the Visa Interlink network.
• An transaction initiated using the Visa Interlink AID on a Visa Interlink card will be routed
to the Visa Interlink network.
• These examples assume that all other eligibility criteria for the network in question have
been met, such as the selected CVM and BIN routing table.
• It is very important to ensure routing decisions are not negatively affected by chip
processing. Acquirers and terminal vendors must ensure that Visa, Visa Interlink and
Plus routing function normally for chip-initiated transactions. This includes transactions
initiated for chip cards that contain only the Plus AID, for example, non-Visa proprietary
cards that are enrolled to use Plus or transactions initiated for chip cards that contain
only the Visa Interlink AID, for example, non-Visa branded cards, where Visa Interlink is
used as an alternate network.
4 Thus the acquirer must receive information about the selected AID used for a specific transaction.
April 2014 VISA CONFIDENTIAL 54
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
5.8 Acquirer Stand-In
• The rules relating to acquirer stand-in for magnetic stripe continue to be applicable to
chip transactions. Acquirers should refer to the Visa Operating Regulations for further
details or contact a Visa representative.
5.9 Deferred Authorization
• Deferred or delayed authorization occurs when an online authorization is performed after
the card is no longer available. This occurs when the terminal requests an ARQC. The
terminal then informs the card that it cannot go online and requests a TC, obtaining
either a TC or AAC. Later, the terminal uploads a batch of authorization requests that
include the ARQCs for those transactions that received AACs and clearing records for
those transactions that received TCs. The acquirer submits the authorization requests,
some of which are approved online. The acquirer formats and submits a clearing record
for each approved transaction, using the ARQC. A deferred or delayed authorization
may occur when a ferry is out of range of shore, for in-flight sales, or when the device
does not have online capability (for example, unattended kiosks where the transactions
are offloaded nightly to a server and submitted in batches). Merchants performing
deferred or delayed authorizations should complete such authorizations within 24 hours
of the transaction.
5.10 Transaction Type Requirements
• As with magnetic stripe transactions, chip terminals must support a variety of transaction
types. For many of these transactions types, chip transactions should flow similarly to
magnetic stripe transactions. In many cases, the Visa requirements and regulations for
chip transactions are no different from those for magnetic stripe transactions. In some
cases, however, change is unavoidable.
• Transactions where either the card or the terminal has not completed all required
components of EMV processing, including generating an Application Cryptogram, are
not EMV transactions. The same applies for contactless transactions and VCPS
processing. This includes any transaction where data such as a PAN and expiration date
are extracted and used to complete the transaction.
• The following sections highlight some differences in transaction type processing that
acquirers should be aware of and whether there are any differences between contact
and contactless processing.
5.10.1 Pre-Authorizations
• A pre-authorization is when an authorization takes place before the final amount is
determined. It is usually employed for travel and entertainment transactions. Specific
T&E environments have specific Visa rules and best practice regarding how estimated
amounts are determined. Pre-authorizations are subject to Visa rules but normally will be
EMV transactions (for contact chip) or VCPS transactions (for contactless).
April 2014 VISA CONFIDENTIAL 55
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
5.10.2 Incremental Authorizations
• Where the final amount will exceed or is likely to exceed the amount of the pre-
authorization, a further incremental authorization may be obtained. The incremental
authorization will be for the difference between the original pre-authorization and the
actual or estimated final amount. A merchant may process as many incremental
authorizations as are necessary to ensure the authorized amount is equal to or greater
than the final transaction amount. Market practice or Visa rules may allow variances
above the pre-authorized amount to be cleared for specific transaction scenarios.
• Incremental authorizations are usually manual or key entered and are not chip
transactions. The original chip data obtained during pre-authorization should not be
resubmitted during incremental authorizations. No chip data (except the PAN and expiry
date) nor the full Track 2 data should be stored or used for this purpose. Merchants can
store the card’s PAN and expiry date in order to perform incremental authorizations, as
allowed by the Payment Card Industry Data Security Standard (PCI DSS) and Visa
rules.
5.10.3 Sale Completion
• A sale completion is the financial settlement of a previously pre-authorized transaction,
often where the cardholder and card are no longer present. The final transaction amount
may differ from the authorized amount, within a range defined by Visa.
NOTE: Typically used for travel and entertainment where the final amount is not known.
• The POS Entry Mode for a sale completion should be set to “chip read” only if the
original online authorization contains a cryptogram and all of the chip data elements
used to generate the cryptogram.
• Transactions should not be identified as “chip read” unless all mandatory chip functions
are performed, including reading all of the required chip data. Transactions identified as
chip read, but with incomplete chip data, may be declined.
5.10.4 Status Check and Account Number Verification
• A Status Check is an online authorization for a single currency unit. Status Checks are
used as authorizations limited to automated fuel dispensing, implicitly allowing up to a
set amount to be used during completion. Status Checks must be sent online because
the chip does not have any mechanism to recognize the implicit value of this special
transaction.
• Account Number Verification is an online message formatted as an authorization for a
zero amount. It can be used to validate that the card used to pay for services in advance
of delivery or to make a reservation is authentic. However, it is not an authorization and
cannot be used to indicate that a clearing transaction was approved.
• Except where specifically allowed, if an online validation is desired, an Account Number
Verification transaction should be used rather than a Status Check.
April 2014 VISA CONFIDENTIAL 56
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
5.10.5 Refunds
• A refund occurs when the cardholder is credited with the value of returned goods or mis-
performed services. Both full and partial refunds of the original transaction may be
performed. A refund consists only of a clearing message.
NOTE: In some environments, the refund may be sent online. However, it is sent as an advice
to the acquirer and the acquiring host does not forward the message.
• Visa strongly recommends that refunds for contact chip cards be performed by following
the normal EMV transaction flow to obtain the Track 2 Equivalent Data field from the
chip. If this field is not present on the chip, the terminal should obtain the contents of the
PAN and expiration date fields instead. Performing cardholder verifications, as
performed for purchases, will help protect the merchant and acquirer against fraudulent
refunds.
• Once the required data (either Track 2 Equivalent Data or PAN and expiration date) is
obtained, the terminal should then stop the transaction flow. The terminal must not
request a TC and should request an AAC with the Amount Authorized field set to zero.
The terminal completes refund processing normally using the PAN and expiration date.
• For a contactless refund, a similar approach is taken by following a normal VCPS
transaction flow to obtain the Track 2 Equivalent Data. An ARQC should be requested
with the Cryptogram Amount set to the refund amount for a qVSDC transaction and set
to zero for an MSD transaction and in both cases the transaction type set to “20.”
• Once the terminal has read the Track 2 Equivalent Data information from the contactless
chip, the subsequent decision of the contactless chip to approve or decline the
transaction is not relevant. Therefore, merchant systems should be able to process the
refund irrespective of the cryptogram produced by the card (ARQC or AAC). The
decision to approve or decline the refund should be made by the acquirer or merchant in
the same way as for magnetic stripe.
• If an attempted chip refund fails (for example if the chip cannot be read or chip
technology fails during the transaction), the merchant should re-initiate the refund
transaction either by using the magnetic stripe or by using manual key entry.
• Further information regarding processing of refunds can be found in the Visa
Transaction Acceptance Device Guide.
5.10.6 Reversals
• Reversals are a function of the transaction network or of the device application and do
not require interaction with the card for generation of the reversal message itself.
• A reversal should be generated any time an approval is received for an online
authorization request but where the transaction cannot be completed.
April 2014 VISA CONFIDENTIAL 57
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• In certain circumstances, the issuer may have approved the transactions but the card
may override this and decline the transaction. This is primarily due to an Issuer
Authentication failure where the cryptogram sent by the issuer in the response message
failed verification by the card. In this case, the terminal should initiate a reversal.
5.10.7 Referral
• A referral is intended as a fraud control tool for issuers to use when more information is
needed to verify the identity of the cardholder or the validity of the card prior to approving
a transaction. A referral is not a “transaction”; it is an exception process for a purchase.
Referrals are generally not recommended for Visa payWave transactions as they
impede the convenience of a fast transaction which is associated with Visa payWave.
• When a referral authorization response is received from the card issuer, the terminal
should request an AAC from the card. Generation of an AAC completes the EMV
transaction flow so that the referral procedure can take place. The cryptogram produced
by the card should be disregarded by the terminal as any subsequent approval of the
transaction is dependent on the outcome of the referral process.
• Depending on the implementation, the referral process will most likely result in a
completely new transaction taking place generally when the card issuer has removed the
referral block. Alternatively, the chip data can be used to create a clearing record to
which the authorization code from the voice authorization is added. The clearing record
can contain the ARQC and related data. However, because the chip data was not
presented to the issuer at time of authorization, the POS Entry Mode must indicate
manual entry.
5.10.8 Cancellation
• A cancellation occurs when a purchase or sale completion transaction is aborted either
during or after processing. In a dual-message environment cancellation should only
occur before the transaction is “cleared” to the acquirer.
• There are a number of reasons why cancellation may occur, for example, an error in the
amount entered by the merchant which the merchant may seek to correct by pressing a
cancel button on the terminal. Cancellations also occur when a merchant does not
approve the cardholder’s signature.
• In all cases, initiation of a cancellation should result in the cessation of processing and
clearing of any data elements.
• If the transaction has not reached the point where an ARQC has been requested, the
card can simply be powered off. If an ARQC has been requested and the transaction
has been routed online, then cancellation processing should also generate an
authorization reversal. The transaction should be removed from the clearing batch or
marked ‘void’.
• If the terminal has received a TC or AAC from the card, the transaction is completed and
can be cancelled (removed from the batch or marked as void).
April 2014 VISA CONFIDENTIAL 58
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• It is recommended that the terminal produce a receipt for the cardholder showing that
the original transaction has been cancelled.
5.10.9 Cryptogram Generation in Multi-Currency Scenarios
• Certain terminals have dynamic currency conversion capabilities and are able to handle
multiple currencies. It is critical that the currency code used in the generation of the
cryptogram (ARQC or TC) is the same as is included in the authorization and clearing
messages (V.I.P. Field 55 Tag 5F2A) and is not altered by any intermediary networks. A
change in the currency code could lead to the issuer declining the transaction as the
cryptogram validation will fail.
• In most scenarios, the transaction currency, V.I.P. Field 49, should contain the same
value as the chip data related currency in V.I.P. Field 55 Tag 5F02. There may be
instances where these differ. It is critical that the chip related field is not modified from
the transaction currency that was sent from the terminal to the card and was used by the
card to generate the cryptogram.
5.10.10 Implementation Activities
• Acquirers should review the requirements for supporting transaction types in a chip
environment and work with their terminal vendors to ensure terminals support the chip
requirements. Further details are provided in the Visa Transaction Acceptance Device
Guide.
5.11 EMV Transactions in Specific Industries
• Certain industries have specific payment requirements besides the traditional purchase.
For each scenario, the presence of a chip card may or may not have an impact on
existing processing requirements. The following industries are affected by the
introduction of chip:
• Hotels and car rentals
• Petrol/Fuel dispensing
• In-Flight transactions
• Restaurants
• Visa recommends that acquirers review the Visa and EMVCo guidelines regarding each
industry to ensure any impact is addressed. For more information regarding changes for
specific industries, acquirers should refer to the following documents:
• Visa Transaction Acceptance Device Guide
• Visa Payment Acceptance Best Practices for Retail Petroleum Merchants
April 2014 VISA CONFIDENTIAL 59
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Recommendations for EMV Processing for Industry-Specific Transaction Types,
available from www.emvco.com
5.12 Purchase with Cash-back
• Visa allows cash-back with a purchase at the point of service for domestic transactions,
under certain conditions. Cash-back is sometimes referred to as cash-back or cash-out.
Current Visa rules do not allow cash-back to be provided on credit cards or when the
cardholder has selected to use a credit facility. Cash-back is also not recommended for
Visa payWave transactions as they diminish the speed and convenience factors that are
key features of Visa payWave. However issuers may elect to support cash-back with
their Visa payWave cards and terminals should process the transactions according to
cash-back rules.
• Where permitted, a terminal must send the cash-back amount to the card when
requested and then send the following cryptogram data to the acquirer for inclusion in
the online message:
• Cryptogram Amount (V.I.P. Field 55 Tag 9F02) – The total of the purchase amount plus
the cash-back amount
• Cryptogram Cash-back Amount (V.I.P. Field 55 Tag 9F03) – The cash-back amount
• If the transaction involves cash-back, the Cryptogram Cash-back Amount must be
present and included in the ARQC algorithm. If the transaction does not involve cash-
back, the ARQC is calculated with a zero cash-back amount and the field is not present
or is zero-filled.
5.13 Terminal PIN Requirements
• Acquirers must ensure that their terminals are capable of supporting PIN as required by
the Visa Operating Regulations and PCI PIN Transaction Security (PTS) requirements.
The terminal must have either a PIN pad or a port capable of supporting a PIN pad.
• If a PIN pad is present and active, it must comply with Visa’s requirements. If the PIN
pad is inactive or not present, the terminal must have the capability to support the
required software to enable a PIN pad to be connected and to comply with Visa’s
requirements.
• Acquirers should refer to the Visa Operating Regulations or contact their Visa
representative for further information regarding PIN pad requirements.
April 2014 VISA CONFIDENTIAL 60
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
5.14 Terminal Types and Configurations
• Acquirers should consider all the possible terminal configurations and ensure that each
terminal type is reviewed against the possible impact of migrating to chip acceptance. It
is also important for acquirers to review the Visa Operating Regulations and other Visa
documentation and ensure specific terminal type requirements are incorporated into their
selection criteria and requirements.
5.14.1 Shared Display and Separate Display Terminals
• Attended terminals may have a shared display or separate displays for the customer and
the merchant to carry out the transaction. The terminal type used at a merchant is
dependent on the terminal itself and the merchant environment.
• Terminals may have a single display shared by the merchant and the customer during
the transaction process.
• Terminals with a separate display have a dedicated display for the merchant and one for
the customer. These typically comprise a fixed enclosure for the merchant terminal and
a tethered PIN pad with a dedicated display for the customer.
• In general and unless specifically stated, all requirements and best practices apply to
both types of terminals. Support for application selection by cardholders may require
special considerations where there are separate displays.
5.14.2 Unattended Cardholder Activated Terminals
• An Unattended Cardholder Activated Terminal (UCAT) is an acceptance terminal
managed by a merchant that dispenses goods or services without the assistance of an
attendant to complete the transaction. Cardholder verification and authorization of such
transactions occurs electronically, if required. These terminals include automated
dispensing machines and self-service payment terminals in parking garages.
NOTE: The Visa Operating Regulations prohibit Visa card products from being used for scrip
transactions. (Scrip is a two-part paper receipt redeemable for goods, services or cash.)
• UCATs fall into two categories:
• Unattended Authorized – Transactions are authorized and cardholder verification is not
performed.
• Unattended Authorized with PIN – Transactions are authorized and online PIN entry is
performed.
• A UCAT needs to support “No CVM Required” to ensure CVM processing can be
completed. Otherwise UCATs that support chip need to adhere to the general Visa
requirements for chip terminals.
• The following are not considered UCATs and are not required to meet UCAT
requirements:
April 2014 VISA CONFIDENTIAL 61
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• ATMs, which must meet a different set of requirements.
• Attended cardholder activated terminals, for example, self-checkout terminals in
supermarkets, where an attendant is available to help complete transactions.
5.14.3 Dual-Interface Terminal Configurations
• The physical architecture of a terminal that supports both contact and contactless
transactions can be any of the following:
• Fully integrated terminal: All elements included in a single device.
• Intelligent card reader: The reader handles most of the contactless transaction
processing, passing the results for completion by the terminal.
• Combination of terminal and transparent card reader: The reader provides
communication with the card, while kernels and other processes are in the terminal.
• Acquirers need to determine which architecture best suits their needs and those of the
merchants, including whether some of their existing infrastructure can be reused to
support their migration to VSDC and Visa payWave acceptance.
• Further information regarding contactless terminal configurations and requirements can
be found in the EMV Contactless Specification for Payment Systems, Book A.
5.14.4 Automated Fuel Dispensers
• An Automated Fuel Dispenser (AFD) is a self-service terminal or an automated
dispensing machine that dispenses fuel such as gasoline, diesel fuel or propane. AFDs
have some specific processing requirements, the majority of which are not affected by
the support of chip. The Visa Operating Regulations have specific requirements relating
to the amount that an AFD can authorize before fuel is dispensed. These limits vary
between chip and magnetic stripe and acquirers should review the Visa Operating
Regulations for further information.
• AFDs must do one of the following:
• Obtain an authorization for the exact amount of the transaction
• Use the Status Check Procedure
• Process the transaction using Real Time Clearing
• The above-mentioned processing requirements are not affected by support for chip.
However the terminal needs to adhere to the general Visa requirements for chip
terminals.
• Acquirers should also note that the rules relating to AFDs and the liability shift for chip
transactions are different to other device types. Further details are provided in Section
11.2 EMV Liability Shift.
April 2014 VISA CONFIDENTIAL 62
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
5.14.5 Automated Teller Machines
Information regarding ATM requirements is not in scope of this document.
5.15 Terminal Requirements for CVM
• Visa CVM requirements for terminals include:
• An attended POS terminal must support signature (for transactions that require a CVM)
and it may support PIN. A terminal must not prompt international cardholders for PIN
unless required by the chip card.
• A UCAT must support “No CVM Required.”
• VCPS 2.1, including all published updates, readers must enable support for a Consumer
Device CVM. The Consumer Device CVM is a CVM performed on the consumer's
payment device (independent of the reader).
• Requirement:
• If Visa Interlink is supported, online PIN must be supported for both contact chip and
Visa payWave.
• In addition, some cardholders may be unable to enter a PIN at the POS terminal, or
unwilling to do so due to security concerns or certain disabilities. Terminals may need to
support functionality that allow merchants to offer an alternative CVM than PIN for such
cardholders in accordance with merchant protection and state or federal disability
legislation.
April 2014 VISA CONFIDENTIAL 63
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
6 Terminal Selection and Approval
• This Section is intended to assist acquirers in creating selection criteria for chip terminals
and provides background information on the terminal approval process before
deployment in the field. It includes the following topics:
• Terminal and Reader Selection Criteria
• Terminal and Reader Approvals
• Considerations for EMV Approval for Contact And Contactless
• Payment Card Industry Requirements
• Acquirer Testing Toolkits and Host Testing
• Implementation Activities
• The information included in Sections 4 and 5 should be considered when creating the
selection criteria and as part of any requirements documentation provided to terminal
vendors.
6.1 Terminal and Reader Selection Criteria
• Prior to meeting with vendors and reviewing their available products, acquirers should
develop their terminal requirements. Acquirers should begin the process by determining
the minimum required, and recommended terminal requirements as outlined by Visa and
the local environment.
• This Section provides an overview of information acquirers could include in their terminal
selection criteria. This is not meant to be an exhaustive list; it is intended to provide
some guidelines to assist acquirers. Acquirers should:
• Ensure any terminals support and are in compliance with:
− EMV requirements as outlined in the EMV Specifications and specification bulletins.
− PCI requirements relating to PIN security (PCI-PTS) and Application Security (PCI
PA-DSS)
− Visa requirements as defined in the Visa Operating Regulations, Visa Transaction
Acceptance Device Requirements and other Visa documentation.
− Ensure contactless readers comply with Visa’s contactless reader requirements
(refer to Section 3.2 U.S. Contactless Acceptance Requirements)
− The reader has been tested and approved by Visa and is on the approved Visa
Approved Product list.
• Ensure that the EMV-compliant chip-reading terminal:
− Reads a magnetic stripe
April 2014 VISA CONFIDENTIAL 64
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
− Reads the chip, if an EMV-compliant chip is present, and does not allow for
overriding the chip authorization controls by manually prompting the cardholder to
use the magnetic stripe. The magnetic stripe may be read only if the chip is not
EMV/VSDC-compliant or if the chip or chip reader is inoperable (resulting in a
fallback transaction).
− Supports transaction type requirements; for example, pre-authorizations, reversals,
referrals and refunds.
− Supports magnetic stripe terminal requirements, such as fallback processing and
compliance with requirements for reading service codes.
− Supports Application Selection by the cardholder from a list of both domestic and
non-domestic payment applications as mutually supported by the card and terminal.
− Supports cardholder Account Selection.
• Identify terminal types to be supported; for example, stand-alone point-of-transaction
terminals, integrated POS terminals (“ECR”), mobile POS terminals, or UCATs.
• Identify requirements for a terminal-based exception file if any.
• Identify cardholder verification requirements and how they are used for supported
environments (online PIN and signature), including PIN length requirements.
• Ensure terminals are equipped with ports that support peripherals capable of prompting,
and accepting, a PIN based upon the CVM list on the card.
• Evaluate price versus functionality, hardware, and software peripherals, warranty
conditions, and service and support agreements.
• Ensure that: the terminal is approved to EMV Level 1 and Level 2, EMVCo approval
letters are available, the terminal is listed in the EMVCo website as having current
approval and has an adequate approval period remaining.
• Ensure the terminal complies with Payment Card Industry (PCI) requirements and the
terminal is listed in the PCI published list of approved terminals.
• Confirm with the terminal vendor that the terminal was developed in compliance with the
Visa Operating Regulations, including the Transaction Acceptance Device
Requirements.
• Determine merchant requirements for terminal configuration, for example whether to
require a separate chip acceptance terminal or a peripheral PIN pad unit, and that these
terminals meet Visa’s requirements.
• Verify product availability.
• Determine requirements for transaction speed and estimate the transaction volume to be
supported.
April 2014 VISA CONFIDENTIAL 65
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Identify which components of the complete merchant configuration are affected by chip,
and identify:
− Components that can be modified by software changes
− Components that require new hardware
− All of the involved vendors
• Conclude whether existing terminals can be upgraded or new terminals are required.
• Identify any additional technological features required, such as cell phone capability, or
Internet connectivity.
• Determine if the terminal can be supported with the acquirer’s existing Terminal
Management System or if there is an impact to an existing one.
• Determine whether it is necessary for the terminal or reader to
− Have incorporated terminal logic to perform special application selection process to
support merchant routing preferences.
− Be able to transfer the result of special application selection process to the acquirer –
in support of merchant routing preferences.
− Support selectable kernels in support of specific CVM conditions (cash-back and
VEPS).
• Complete ADVT, CDET and for stand-alone reader implementations, qVSDC DM
(Device Module) terminal testing prior to deployment.
6.2 VSDC Terminal Approvals
• Acquirers must select a product that meets all the various requirements related to EMV
and VSDC and has been approved accordingly. At a minimum a terminal must meet
EMV Level 1 and EMV Level 2 requirements and be noted as an approved product by
EMVCo and listed in the EMVCo website. Information regarding the EMVCo approval
process can be obtained from the EMVCo website at www.emvco.com.
• All terminals that accept Visa cards must also comply with the Visa Operating
Regulations. Many requirements specific to acceptance terminals, including for contact
chip, are included in the Terminal Acceptance Device Requirements document, a Visa
Operating Regulations extension document. For additional information on the Visa-
specific terminal requirements and best practices, refer to the Visa Transaction
Acceptance Device Guide.
• Terminals must comply with the PCI Data Security Standards (DSS), and often with the
PCI Payment Application Data Security Standards (PA-DSS) relating to application
security. Terminals accepting PINs must comply with the Payment Card Industry (PCI)
PIN Transaction Security (PTS) Pin Security Requirements ,Point of Interaction (POI)
Modular Security Requirements and the Visa PCI PIN Security Requirements.
April 2014 VISA CONFIDENTIAL 66
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• For more information on PCI PIN PTS testing including the Visa PIN Security
requirements, refer to www.visa.com/pinsecurity and
www.pcisecuritystandards.org/security_standards/ped.
• The following sections provide further details on the various approvals required that
acquirers need to consider as part of their VSDC migration project.
6.3 Considerations for EMV Approval
• To accept Visa chip transactions, terminals must comply with the most current version of
the EMV Specifications and be approved for EMV Level 1 and Level 2 by an EMVCo-
accredited laboratory. Compliance to the latest specification will ensure that the terminal
is able to more easily satisfy the testing requirements to gain approval.
6.3.1 EMV Level 1
• EMV Level 1 approval is given for the interface modules (IFMs) – that is, the chip card
reader – rather than for the terminal on which it is tested. An IFM consists of the
hardware and software that powers the chip card and supports communication between
the terminal and the card up to the transport layer. The three main functional
components are the mechanical, electrical and logical chip card interfaces.
• An approved IFM can be used for any terminal, as long as the IFM is not modified and
can be used with any approved EMV application kernel. It is important to identify the IFM
component separately from the terminal, using a unique identifier.
6.3.2 EMV Level 2
• EMV Level 2 Type Approval tests comply with the debit/credit application requirements
defined in the EMV Specifications. EMV Level 2 approval is not tied to a particular model
of a particular type of hardware platform. The approval letter notes the hardware
configuration to be used for testing. The portion of the application that performs EMV
functions and is tested as part of the Level 2 Type Approval is commonly referred to as
the “kernel.”
• An application kernel is approved to run on any terminal that has an approved IFM and
supports the environment used during testing. If the kernel can be used on a terminal
without recompilation, the kernel retains its EMV approval. EMV Level 2 test cases are
performed only against EMV functions. Acquirer, payment scheme and national
specifications are not part of EMV testing.
• An application provider may simulate any non-EMV functions necessary for the
completion of the test cases, for example, message formats, communications protocols,
terminal prompt sequences, or payment scheme settings. These other functionalities,
however, do not necessarily represent the end product because some level of
customization may be required for each acquirer, country or payment scheme.
• Rigorous testing needs to be performed to ensure that customizations and application
changes have no adverse impact on the EMV kernel and functions.
April 2014 VISA CONFIDENTIAL 67
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• A terminal must have an IFM that has been approved for EMV Level 1 before its EMV
application kernel can be tested for Level 2.
6.3.3 EMVCo Approvals and Renewals
• EMVCo has a renewal policy requiring all IFMs and kernels to be re-tested on a regular
basis.
• An IFM approval is valid for 4 years and an application kernel approval is for 3 years.
This validity period applies to static and configurable kernels.
• At expiration of the approval, EMVCo evaluates whether the product, either the IFM or
the kernel, demonstrates sufficient conformance to the current EMV specification and
may grant an extension. IFMs or kernels that do not pass the evaluation will not be
granted an extension and their approval will be considered expired.
• EMVCo may also revoke an approval of an IFM or kernel if a significant interoperability
problem arises in the field.
• Visa policy relating to terminal approvals requires that ADVT be performed only on
terminals that are EMVCo approved. Acquirers should ensure that any new terminal
installations contain IFMs or kernels that have a current EMVCo approval.
• Further information on the EMVCo renewal policy can be found in the EMVCo website at
www.emvco.com.
6.4 Contactless Reader Approvals and Renewals
• Visa oversees testing of card acceptance devices that support Visa contactless
payments. This process allows Visa to ensure that the devices are developed to Visa
specifications and will support Visa applications.
• Additionally, Visa recognizes the contactless Level 1 (analog and digital) testing offered
by EMVCo for devices. Visa recommends that contactless devices have their
contactless Level 1 tested and approved by EMVCo prior to submitting the device to
Visa for application testing. The approval and renewal process for contactless devices is
similar to that for contact chip as outlined in Section 6.3.3 EMVCo Approvals and
Renewals.
• Further information regarding EMVCo contactless approval can be obtained from the
EMVCo website at www.emvco.com.
• To facilitate the testing of devices, Visa has recognized a number of independent
laboratories to functionally test devices containing Visa payment applications on behalf
of Visa.
• If the device is successfully tested, Visa issues a letter of approval to the device vendor
that submitted the device for testing. The approval applies internationally, unless
restrictions are specified in the letter of approval.
April 2014 VISA CONFIDENTIAL 68
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
NOTE: Approval is not transferable from one vendor’s product to another.
• Upon successful completion of official testing, the card acceptance device will appear on
one of the Approved Acceptance Device Products Lists located at Visa Technology
Partner site (https://technologypartner.visa.com).
• When a device product is approved by Visa, it is assigned a renewal date which is
communicated to the device vendor in the letter of approval and also appears on the
Visa Approved Products List.
NOTE: The renewal date is typically two years after the date of approval unless otherwise
noted.
• As a device approaches its renewal date, Visa reviews the product details to ensure that
it complies with all current Visa policies and includes a payment application(s) that Visa
continues to support. Further information regarding Visas current renewal policies is
available from Visa Technology Partner site (https://technologypartner.visa.com).
6.5 Payment Card Industry Requirements
• The Payment Card Industry (PCI) Security Standards Council (SSC) is an open global
forum, launched in 2006, that is responsible for the development, management,
education and awareness of the PCI Security Standards, including:
• Data Security Standards (PCI DSS)
• Payment Application Data Security Standards (PA-DSS)
• PIN Transaction Security (PTS) requirements
• The Council's five founding global payment brands, (American Express, Discover
Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.), have
agreed to incorporate the PCI DSS technical requirements into their data security
compliance programs.
6.5.1 PIN Entry Devices
• A PIN Entry Device (PED) is any device used by a cardholder to enter a PIN. (It may
also have other functions.) A PED that supports online PIN where the PED and chip
reader are not integrated must contain an Encrypting PIN pad (EPP) used for entering
a cardholder PIN.
• The PED and EPP may be integrated, as in some standalone POS terminals, or the EPP
may be just one component of a PED, as in a UCAT. Further information regarding
requirements for PEDs can be found in the Visa Transaction Acceptance Device Guide.
April 2014 VISA CONFIDENTIAL 69
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
6.5.2 PED Testing Requirements
• Visa requires testing of PEDs against the PCI PIN Transaction Security (PTS)
requirements if they are used in the acceptance of Visa card products with offline PIN or
online PIN verification. PEDs and EPPs must undergo a physical and logical security
evaluation performed at a PCI recognized test laboratory.
• For information on PCI PIN entry device security requirements, see www.visa.com/PIN
and www.pcisecuritystandards.org/security_standards/.
6.5.3 Payment Application Data Security
• Visa has introduced compliance mandates requiring all new merchants to be PCI-DSS
compliant, including using payment application software that uses Payment Application
Data Security Standard (PA-DSS) compliant applications.
• Acquirers must ensure that their merchants and agents use PA-DSS compliant payment
applications. For purposes of the mandates, payment applications apply only to third-
party payment application software that stores, processes or transmits cardholder data
as part of an authorization or settlement of a payment card transaction. POS terminals
are an example of this.
• PA-DSS does not apply to merchant or agent in-house developed applications, stand-
alone hardware terminals or PEDs. Payment application vendors must validate the
conformance of their products to the PA-DSS. Acquirers should insist that their
merchants and agents use compliant applications and upgrade or patch applications to
ensure the storage of sensitive cardholder data meets the Visa mandates.
• More information can be found at www.visa.com and
https://www.pcisecuritystandards.org/security_standards/.
6.6 Acquirer Device Validation Toolkit
• Visa recognizes that acquirers and terminal vendors need a clear and easy way to
validate that their contact chip terminals are configured to meet their domestic and
regional market needs and that international chip cards entering their countries
experience the same level of acceptance.
• To help ensure that terminals acquirers deploy do not contribute to interoperability
problems, Visa has developed the Acquirer Device Validation Toolkit (ADVT), which is a
set of test cards and test scripts that acquirers or vendors can use on terminals that
have already received EMV Level 1 and Level 2 approval and are configured for
deployment (that is, after the country code, floor limits, and other processing parameters
are set up in the terminal).
• Chip acquirers must use the ADVT on each type of contact chip terminal if:
• A new hardware, payment application software or payment-related configuration is
introduced, or
April 2014 VISA CONFIDENTIAL 70
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Significant hardware or software modifications are made to existing terminals, or
• Changes have been made that impact EMV transaction processing.
• The ADVT User Guide provides guidelines with details of the specific conditions that
determine the use of ADVT and is part of the ADVT package.
• As described in the Visa Operating Regulations, an acquirer that fails to utilize the ADVT
on a terminal that causes a chip interoperability issue may be subject to penalties as
defined in the Visa Chip Interoperability Compliance Program. Refer to Section 7.3 Chip
Interoperability Compliance Program, for more information.
• Acquirers shall also use a subset of the test cards in the toolkit or an ADVT simulator to
conduct online transactions with VCMS.
6.6.1 ADVT and EMVCo Approval
• Use of the ADVT does not preclude the requirement that contact chip terminal
components be approved by an EMVCo-accredited laboratory. EMVCo approval is a
prerequisite for a terminal to be validated by acquirers using the ADVT. Use of the ADVT
is intended to ensure basic chip functionality is not compromised during application
integration and that basic Visa requirements are met, as well as to uncover exposures to
some common interoperability issues. Use of the ADVT does not imply or guarantee that
a terminal is fully compliant with EMV specifications or Visa requirements.
6.6.2 Chip Compliance Reporting Tool and ADVT Submission Requirements
• Visa developed the Chip Compliance Reporting Tool (CCRT) as a centralized, server-
based solution for the systematic reporting of ADVT, CDET, and qVSDC DM test results.
The CCRT facilitates a more efficient submission and management process of ADVT
compliance reporting by chip acquirers.
• CCRT provides Visa acquiring clients with an appropriate level of security and
confidentiality in managing their ADVT results, and enable the CCRT service to be
consolidated with other services currently provided. CCRT is available on Visa Online
(Visa’s online solution for providing secure access to Visa content and services for
clients globally).
• It reduces potential errors in manual entry by guiding users to choose from applicable
options and providing mandatory information. A user can re-use existing reports as a
starting point for new reporting, reducing time spent completing the reports.
• Acquirers or their processors are required to use the CCRT to submit their ADVT test
results; it is the only method under which Visa will accept ADVT test results.
• Further information regarding the use of CCRT can be found in the Chip Compliance
Reporting Tool User Guide for Chip Acquirers.
April 2014 VISA CONFIDENTIAL 71
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
6.6.3 ADVT and Expired EMV Approvals
• To encourage the deployment of modern kernels and interface modules (IFMs) that are
less susceptible to interoperability issues, Visa requires that an acquirer must not submit
ADVT testing results to Visa for terminals containing kernels and IFMs that have expired.
• This rule only applies where the results of ADVT testing are to be made available to
Visa. Other uses of ADVT, such as for internal regression testing, are not affected.
• This will not affect deployed terminals or the deployment of terminals already approved
against ADVT. However, it will prevent the deployment of new and updated terminal
configurations that use expired hardware or software.
• More information on the requirements and rules can be found in the ADVT User Guide.
6.6.4 ADVT Ordering Process
• The ADVT test card packs can be obtained from Visa’s third party fulfillment service
(Merrill Corporation). If you prefer to use a test tool, ADVT card profiles are available
from confirmed third-party test tool vendors. For a list of confirmed tool vendors, see
Product Toolkits at https://technologypartner.visa.com.
• Visa may continue to enhance tools and procedures associated with ADVT and will
notify acquirers in advance of such changes. The goal of this strategy is to provide a
more comprehensive end-to-end testing environment and process that enables
acquirers to validate terminal configurations with the ADVT. For example, the use of host
or network simulators for online transaction validation is key to more efficiently and
effectively validating the acquiring process.
6.7 Contactless Device Evaluation Toolkit
• In addition to the use of ADVT, terminals that support Visa payWave must comply with
Visa’s Contactless Device Evaluation Toolkit (CDET). Similar to ADVT, CDET is a set of
test cards and an accompanying user guide that allows acquirers to validate the correct
configuration of their contactless readers. The toolkit is also a self-administered solution.
• Further information can be found in the Visa Contactless Device Evaluation Toolkit User
Guide.
• The CDET test card packs are available from Visa. If you prefer to use a test tool, CDET
card profiles are available from confirmed third-party test tool vendors. For a list of
confirmed tool vendors, see the Visa-Confirmed Third-party Chip Tool Suppliers list
located on Visa’s Chip and Contactless Implementation page at VOL Visa Online (list
can also be found at Visa Technology Partner website
https://technologypartner.visa.com/ under Product Toolkits).
April 2014 VISA CONFIDENTIAL 72
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
6.8 qVSDC Device Module
• Visa has introduced a contactless component to the ADVT, the qVSDC Device Module
(DM). It was developed to address specific product approval self-testing requirements for
Visa payWave acquirers, deploying contactless readers compliant to the Visa
Contactless Payment Specification (VCPS) and supporting quick Visa Smart Debit and
Credit (qVSDC). Prior to activation and deployment of these readers, Visa payWave
acquirers are required to use the qVSDC DM and validate successful results as part of
the overall contactless reader approval process.
• Use of the qVSDC DM is governed by the same rules and policies that exist for the
standard ADVT, i.e. use of this toolkit is mandatory for stand-alone readers prior to
deployment in situations where an acquirer has either modified software on an existing
device or is in the process of installing a new device to support Visa payWave
acceptance. In the specific case of a Visa payWave acquirer deploying a new qVSDC-
supporting stand-alone reader into their existing acceptance environment, use of the
qVSDC DM is required in order to complete the self-testing component of the device
approval process, and is a Visa requirement prior to deployment of such readers.
• For further information regarding the use of ADVT-qVSDC DM acquirers should refer to
the qVSDC Device Module Test Cases document.
• Use of ADVT-qVSDC DM is confined to contactless readers supporting qVSDC. It does
not apply to readers supporting MSD Legacy such as those currently deployed in the
U.S.
6.9 Additional Toolkit Requirements
• Acquirers are required to use the ADVT, CDET and qVSDC DM (conditional) toolkits
prior to initial terminal deployment (including all variations of hardware, software, and
parameter settings) to ensure that the terminal has been set up and configured correctly.
It is expected that acquirers will run every applicable test to gain the full benefit of the
toolkit. When the acquirer’s test results do not match the expected outcome of the test,
the acquirer should work with its terminal vendor (and Visa, if necessary) to correct the
problem. The acquirer will continue to perform the test until the problem is resolved and
the acquirer’s test result matches the expected outcome. An acquirer that fails to use the
ADVT, CDET and qVSDC DM (conditional) toolkits on a device that causes
interoperability issues may be subject to fines as defined in the Visa Chip Interoperability
Compliance Program.
• In addition, it is strongly recommended that acquirers use the toolkits on previously
deployed terminals in order to ascertain if there are potential acceptance problems.
• Use of the ADVT and CDET toolkits is intended to ensure basic EMV contact chip and
contactless functionality is not compromised during application integration and Visa
requirements are met, as well as to uncover exposure to some common interoperability
issues. Use of the toolkits does not imply or guarantee that a terminal is fully compliant
with EMV specifications or Visa requirements.
April 2014 VISA CONFIDENTIAL 73
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• The ADVT and CDET toolkits can be obtained through Visa’s third party fulfillment
service (Merrill Corporation). Substantially similar tools are also available from Visa-
confirmed third party vendors. For a list of Visa-confirmed tool vendors, see Product
Toolkits at https://technologypartner.visa.com/.
• After an acquirer successfully completes the ADVT and CDET Toolkits testing as well as
qVSDC DM testing (if applicable), the test results are provided to Visa by submitting the
results into the Chip Compliance Reporting Tool (CCRT). The submission of the
applicable test results for compliance reporting needs to be completed to ensure chip
and contactless acquirers minimize the risk of interoperability problems.
6.10 Visa Chip Vendor Enabled Service (CVES)
• This service, launched in October 2013, will help streamline the testing and reporting
requirements for the deployment of ATM and point-of-sale chip-acceptance devices in
the U.S. CVES engages third-party chip tool vendors to execute mandatory Acquirer
Device Validation Toolkit and Contactless Device Evaluation Toolkit testing on behalf of
acquirers and processors, analyze the results and submit reports to Visa using the Chip
Compliance Reporting Tool.
• Vendors choosing to participate in CVES must complete a confirmation process by
which the vendors’ eligibility is verified and the ability to effectively deliver the required
services is demonstrated. Approved vendors are included on the Visa-Confirmed Third-
party Chip Tool Suppliers list which can be found on Visa Online and the Visa
Technology Partner website.
6.11 Acquirer Host Testing
• CDET, ADVT, qVSDC DM (if applicable) terminal testing needs to be completed prior to
host testing. An acquirer will use a production ready terminal (EMVCo and Visa
approved) which has completed terminal testing for host testing. An acquirer can also
run the host test cards through a terminal prior to host testing. Further information
regarding host testing can found in Section 10, Acquirer Host Testing.
6.12 Implementation Activities
• Development of an EMV/VSDC-compliant terminal is a lengthy process and must be
considered in the project timelines. To launch a program in the shortest timeframe, Visa
recommends selecting a vendor that is already approved. A list of EMVCo-approved
products and vendors may be found at www.emvco.com.
• Develop terminal requirements using the information in this Section as a guideline as
well as the requirements and considerations outlined in Section 3 and Section 4.
• Review vendor products to determine which vendors meet the requirements. This may
be accomplished through a Request For Proposal (RFP) process.
April 2014 VISA CONFIDENTIAL 74
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
• Ensure that the vendor selected has obtained approval for EMV Level 1 and Level 2 or is
in the approval process and EMV Level 1 contactless approval.
• Ensure that the contactless reader selected has obtained Visa approval and is listed on
the Visa Approved Vendor List.
• Ensure that if PIN is a requirement in the selection criteria that terminal vendors have
received PCI approval and the terminal is listed in the PCI website.
• Once terminals and reader have been selected, it is important to work with any preferred
vendor to ensure they comply with Visa’s requirements as well as any U.S. market
requirements.
• The vendor should also integrate ADVT and CDET testing as part of their delivery
schedule and ensure enough time is allowed to ensure adequate testing.
April 2014 VISA CONFIDENTIAL 75
Notice: This information is proprietary and CONFIDENTIAL to Visa. It is distributed to Visa participants for use
exclusively in managing their Visa programs. It must not be duplicated, published, distributed or disclosed, in whole
or in part, to merchants, cardholders or any other person without prior written permission from Visa. © 2014 Visa.
All Rights Reserved.
Visa Smart Debit/Credit and Visa payWave U.S. Acquirer Implementation Guide
7 Terminal Testing and Maintenance
• This Section outlines Visa’s recommendations for acquirers to undertake post
deployment testing to address and resolve acceptance and interoperability problems that
may be inadvertently introduced during rollout. Visa has developed a number of toolkits
that can assist acquirers.
• The Section includes an approach and guidelines acquirers can follow to minimize the
chance of terminals or contactless readers creating interoperability problems and the
potential impacts, including Visa penalties, if interoperability issues are not addressed as
defined in the Visa Chip Compliance Program.
7.1 Terminal Testing Process
• Maintaining the reliable and efficient operation of acceptance terminals is critical to
ensuring Visa cardholders continue to trust the payment system. The introduction of chip
terminals may lead to unforeseen issues being introduced due to the complexity and
possible lack of experience by acquirers or merchants. Problems could be created due
to a lack of controls and processes around the deployment of production terminals in the
field which could lead to:
• Incorrectly configured terminals or readers
• Deployment of untested or unapproved terminals or readers
• Deployment of outdated terminal