Technical - Specifications-PayPass - PDS v1.9 (June 2014)

PayPass Personalization
Data Specifications
Version 1.9 – June 2014
Notices
Following are policies pertaining to proprietary rights, trademarks, translations, and
details about the availability of additional information online.
Proprietary Rights
The information contained in this document is proprietary and confidential to
MasterCard International Incorporated, one or more of its affiliated entities
(collectively “MasterCard”), or both.
This material may not be duplicated, published, or disclosed, in whole or in part,
without the prior written permission of MasterCard.
Trademarks
Trademark notices and symbols used in this document reflect the registration status
of MasterCard trademarks in the United States. Please consult with the Customer
Operations Services team or the MasterCard Law Department for the registration
status of particular product, program, or service names outside the United States.
All third-party product and service names are trademarks or registered trademarks of
their respective owners.
Disclaimer
MasterCard makes no representations or warranties of any kind, express or implied,
with respect to the contents of this document. Without limitation, MasterCard
specifically disclaims all representations and warranties with respect to this
document and any intellectual property rights subsisting therein or any part thereof,
including but not limited to any and all implied warranties of title, non-infringement,
or suitability for any purpose (whether or not MasterCard has been advised, has
reason to know, or is otherwise in fact aware of any information). Without
limitation, MasterCard specifically disclaims all representations and warranties that
any practice or implementation of the document will not infringe any third party
patents, copyrights, trade secrets or other rights. Without limitation, MasterCard
specifically disclaims all representations and warranties in relation to the document,
including but not limited to any and all implied warranties of suitability for any
purpose (whether or not MasterCard has been advised, has reason to know, or is
otherwise in fact aware of any information) or achievement of any particular result.
Address
MasterCard Worldwide
Chaussée de Tervuren, 198A
B-1410 Waterloo
Belgium
E-mail: contactless@mastercard.com
Version 1.9 – June 2014 © 2014 MasterCard

ii PayPass Personalization Data Specifications
Table of Contents
Table of Contents
Table of Contents ...........................................................................................iii
Using this Manual ..........................................................................................vii
Scope ........................................................................................................................... vii
Audience ..................................................................................................................... vii
Related Publications................................................................................................... viii
Notational Conventions ............................................................................................. viii
Abbreviations ............................................................................................................... ix
Document Overview .................................................................................................... xi
Revision History ......................................................................................................... xii
1 Proximity Payment System Environment (PPSE) ..............................1

2 MasterCard PayPass – Mag Stripe Personalization Data ..................3
2.1 Data Objects for Application Selection ................................................................3
2.2 Data Objects Referenced in the AFL (DGI '0101') ..............................................4
2.3 Data Objects for CVC3 Generation (DGI 'A001') ...............................................6
2.4 Secret Key (DGI 'A002') ......................................................................................6
3 MasterCard PayPass – M/Chip Flex Personalization Data ................7

3.1 Contact Data .........................................................................................................7
3.2 Generic Contactless Data .....................................................................................7
3.2.1 Data Objects for Application Selection .............................................................. 7
3.2.2 Transaction Processing ....................................................................................... 8
3.2.3 Offline CAM .................................................................................................... 12
3.2.4 Application Interchange Profile ....................................................................... 13
3.2.5 Application File Locator................................................................................... 13
3.2.6 Mag Stripe Mode .............................................................................................. 15
3.2.7 Card Risk Management .................................................................................... 17
3.2.8 Secret Keys ....................................................................................................... 19
3.2.9 Miscellaneous ................................................................................................... 20
3.2.10 Counter Limits and Previous Transaction ........................................................ 21
3.2.11 Data Objects with a Fixed Initial Value ........................................................... 21
3.3 Profile Dependent Contactless Data ...................................................................22
3.3.1 Offline Profile................................................................................................... 22
3.3.2 Standard Profile ................................................................................................ 23
3.3.3 Online-Only Profile .......................................................................................... 24
© 2014 MasterCard Version 1.9 – June 2014

PayPass Personalization Data Specifications iii
Table of Contents
4 Maestro PayPass – M/Chip Flex Personalization Data ................... 25

4.1 Contact Data .......................................................................................................25
4.2 Generic Contactless Data ...................................................................................25
4.2.1 Data Objects for Application Selection ............................................................ 25
4.2.2 Transaction Processing ..................................................................................... 26
4.2.3 Offline CAM .................................................................................................... 30
4.2.4 Application Interchange Profile ....................................................................... 31
4.2.5 Application File Locator................................................................................... 31
4.2.6 Mag Stripe Mode .............................................................................................. 33
4.2.8 Secret Keys ....................................................................................................... 34
4.2.9 Miscellaneous ................................................................................................... 35
4.3.1 Offline Profile................................................................................................... 37
4.3.3 Online Preferring .............................................................................................. 39
5 MasterCard PayPass – M/Chip 4 Personalization Data .................. 41

5.1 Contact Data .......................................................................................................41
5.1.1 Data Objects Referenced in the AFL (Contact)................................................ 41
5.2.3 Offline CAM .................................................................................................... 47
5.2.4 Application Interchange Profile (PayPass) ....................................................... 49
5.2.5 Application File Locator (PayPass) .................................................................. 49
5.2.6 Mag Stripe Mode .............................................................................................. 51
5.2.8 Secret Keys ....................................................................................................... 54
5.2.9 Miscellaneous ................................................................................................... 55
5.3.1 Offline Profile................................................................................................... 59
6 Maestro PayPass – M/Chip 4 Personalization Data ........................ 63

6.1 Contact Data .......................................................................................................63
6.1.1 Data Objects Referenced in the AFL (Contact)................................................ 63
6.1.2 Card Risk Management (Contact) .................................................................... 64

iv PayPass Personalization Data Specifications
Table of Contents

6.2.3 Offline CAM .................................................................................................... 70
6.2.4 Application Interchange Profile (PayPass) ....................................................... 71
6.2.5 Application File Locator (PayPass) .................................................................. 72
6.2.6 Mag Stripe Mode .............................................................................................. 74
6.2.8 Secret Keys ....................................................................................................... 75
6.2.9 Miscellaneous ................................................................................................... 76
6.3.1 Offline Profile................................................................................................... 80
6.3.3 Online Preferring Profile .................................................................................. 82
7 MasterCard PayPass – M/Chip 4 Mag Stripe Only Personalization

Data ...................................................................................................... 85
7.1 Data Objects for Application Selection ..............................................................85
7.2 Data Objects Referenced in the AFL .................................................................86
7.3 Get Processing Options ......................................................................................88
7.4 Card Risk Management ......................................................................................88
7.5 Data Objects for CVC3 Generation ...................................................................88
7.6 Secret Key ..........................................................................................................89
7.7 Miscellaneous .....................................................................................................89

PayPass Personalization Data Specifications v
Using this Manual
Scope
Using this Manual

This chapter contains information that helps you understand and use this document.
Scope
This document defines a set of personalization profiles supporting the MasterCard and
Maestro products for the following contactless card applications:
 PayPass – Mag Stripe
 PayPass – M/Chip 4
 PayPass – Flex
The personalization data given for the PayPass – M/Chip 4 application covers the different
available application versions (v1.0, v1.1a, v1.1b). However, it covers only the contactless
interface. The personalization data given for the PayPass – M/Chip Flex application does
not include data for the co-application on the card.
For information on the personalization data for the contact interface, refer to the M/Chip
Personalization Data Specifications and Profiles, as indicated in each chapter.
The personalization of mobile applications and M/Chip Advance applications is out of
scope.
The personalization of non-card form factors, such as stickers, key fobs, etc. must follow
these requirements, normally using an online-only profile.
A card compliant with the values in this document will be accepted by the Chip
Personalization Validation process. If a card is not compliant, MasterCard will evaluate the
adherence to brand rules and the impact on interoperability and if there is a potential risk,
the card may be rejected.
Audience
This document is intended for:
 Issuers intending to issue contactless enabled cards or devices
 Personalization bureaus intending to provide facilities for contactless applications
 Developers of Application Load File generation systems
It is assumed that the audience already has an understanding of contactless chip card
technology.

PayPass Personalization Data Specifications vii
Using this Manual
Related Publications
Related Publications
The following publications contain information directly related to this document or are
referenced by it.
Reference Document
[PPMAG] PayPass – Mag Stripe Technical Specifications, Version 3.3 – December 2007
[PPMCFLEX] PayPass – M/Chip Flex Technical Specifications, Version 1.1 – October 2006
[PPMCHIP4] PayPass – M/Chip 4 Technical Specifications, Version 1.3.1 – September 2008
[MCHIP410] M/Chip 4 Card Application Specifications for Debit and Credit – October
2002
[MCHIP411] M/Chip 4 Version 1.1 Card Application Specifications for Debit and Credit –
October 2006
[MCHIPPDS] M/Chip Personalization Data Specifications and Profiles – December 2011
Notational Conventions
The following conventions are used throughout the document.
Notation Description
'0' to '9' and 'A' to 'F' Hexadecimal notation. Values expressed in hexadecimal form are
enclosed in single quotes (i.e. '_').
"abcd" an or ans string
[…] Optional part
xx Undefined value
Application Control[2][4] For multi-byte data objects, a byte index and a bit index are used
under brackets. This example references the fourth bit of the second
byte of the Application Control data object.

viii PayPass Personalization Data Specifications
Using this Manual
Abbreviations
Abbreviations
Abbreviation Meaning
AC Application Cryptogram
AFL Application File Locator
AID Application Identifier
AIP Application Interchange Profile
ARQC Authorization Request Cryptogram
ASCII American Standard Code for Information Interchange
ATC Application Transaction Counter
ATM Automated Teller Machine
C Conditional
CAM Card Authentication Method
CAT3 Cardholder Activated Terminal Level 3
CCD Common Core Definition
CDA Combined DDA/AC Generation
CDOL Card Risk Management Data Object List
CFDC Consecutive Failed Derivation Counter
CIAC Card Issuer Action Code
CRM Card Risk Management
CVC Card Validation Code
CVM Cardholder Verification Method
DDA Dynamic Data Authentication
DES Data Encryption Standard
DGI Data Group Identifier
EMV Europay, MasterCard, VISA
EMV CSK EMV Common Session Key derivation
FCI File Control Information
HVT High Value Transactions (above CVM limit)
ICC Integrated Circuit Card
IEC International Electrotechnical Commission
ISO International Standards Organisation
IVCVC3 Initialization Vector for CVC3
KDCVC3 Key Derivation for CVC3
LVT Low Value Transactions (below CVM limit)

PayPass Personalization Data Specifications ix
Using this Manual
Abbreviations
Abbreviation Meaning
M Mandatory
MAC Message Authentication Code
MKAC Master Key for Application Cryptogram Generation
MKIDN Master Key for ICC Dynamic Number Generation
NATCTRACK1 Track 1 Number of ATC Digits
NATCTRACK2 Track 2 Number of ATC Digits

NCA Length of the Certification Authority Public Key Modulus
NI Length of the Issuer Public Key Modulus
NIC Length of the ICC Public Key Modulus
nUN Number of positions in the discretionary data of Track 1 Data and Track 2
Data for transporting UN
O Optional
OBS On-behalf Services
PAN Primary Account Number
PCVC3TRACK1 Track 1 Bit Map for CVC3
PCVC3TRACK2 Track 2 Bit Map for CVC3

PDOL Processing Options Data Object List
PICC Proximity Integrated Circuit Card
PIN Personal Identification Number
PIX Proprietary Application Identifier Extension
PPSE Proximity Payment System Environment
PUNATCTRACK1 Track 1 Bit Map for UN and ATC
PUNATCTRACK2 Track 2 Bit Map for UN and ATC

PVV PIN Verification Value
RFU Reserved for Future Use
SDA Static Data Authentication
SFI Short File Identifier
TC Transaction Certificate
TVR Terminal Verification Results
UKIS UK ICC Specification
UN Unpredictable Number

x PayPass Personalization Data Specifications
Using this Manual
Document Overview
Document Overview
This document is organized in five chapters. Each section provides the complete set of
personalization data to configure the indicated application according to either MasterCard or
Maestro product rules.
Chapter
1 Proximity Payment System Environment (PPSE)
2 MasterCard PayPass – Mag Stripe Personalization Data
3 MasterCard PayPass – M/Chip Flex Personalization Data
4 Maestro PayPass – M/Chip Flex Personalization Data
5 MasterCard PayPass – M/Chip 4 Personalization Data
6 Maestro PayPass – M/Chip 4 Personalization Data
7 MasterCard PayPass – M/Chip 4 Mag-stripe Only Personalization Data

PayPass Personalization Data Specifications xi
Using this Manual
Revision History
Revision History
Version Description
V1.5  Various editorial corrections made.
 Document restructured to present contactless data as generic or profile-
dependent.
 Profile options (offline, standard, online) added to each chapter as appropriate.
 Updated CIAC and selected IAC bit settings to be profile dependent.
 In PayPass – M/Chip 4 offline profiles, different CRM settings for Maestro and
MasterCard to reflect issuer choices regarding use of shared limits.
 Contact profiles aligned with new contact PDS.
 Security counter limits adjusted.
 Added recommendation to use CDA in MasterCard contactless profiles.
 MasterCard profiles modified to include Debit MasterCard.
 Added recommendation regarding use of PIX extensions.
 Modified "PTL Exceeded" bit in CIACs and IACs.
V1.6  Various editorial corrections made
 Updated contact profiles that may be used. No longer restriction on full grade
only for Maestro
 Added warning to avoid signing too much extra data if alternative file structure
is used
 Updated recommendation to “fail CVM processing” in CVM List if signature is
attempted and unsuccessful (in line with M/Chip Requirements).
 Emphasized that cash back is optional for Debit MasterCard on the contactless
interface
 Added note about sharing and/or padding of Additional Check Table
 Added Application Control options and recommended values.
 Discontinuation of support for SDA on MasterCard
 New online-only profile for MasterCard (no CAM)
 New CIAC options (PTL Exceeded, Go online) in Offline Profile
 New CIAC options (PTL Exceeded, Go online) in Standard Profile
 Table 5.18 and Table 6.17 – added note that ICC PIN Encipherment keys not
used by contactless interface.
 Added option to issue M/Chip 4 cards with PTH set to '08'
V1.7  Various editorial corrections made
 New section added for M/Chip 4, mag-stripe mode only
 Structure of each chapter amended as "predefined file structure" no longer
recommended
 SDA removed as option
 Note added regarding allocation of Unique Identifier & Device Type (Third
Party Data)
 Soft limit Maestro CVM options included
 CVC1 on magstripe must not be repeated in CVC3 placeholders in Track 1
Data, Track 2 Data
 IAC values for Maestro contactless in soft limit market must decline transaction

xii PayPass Personalization Data Specifications
Using this Manual
Revision History
Version Description
if PIN not entered correctly
 Added recommendation regarding CRM on CAT3 devices for online-only
MasterCard profiles
 Notes added regarding use of PVV in online PIN change, and personalization of
track data
 Modified statements regarding use of pre-defined AFL, for both MasterCard
and Maestro chapters
 Added option in CVM List entry: if Online PIN fails then option to apply next
or fail CVM processing
 Added recommendation regarding values of NATCTRACK1 and NATCTRACK2 in
mag-stripe data
V1.8  Clarification of document scope (re mobile and other non-card form factors)
 Various editorial changes
 Addition of new chapter describing PPSE (and re-numbering of subsequent
chapters)
 Several modifications & clarifications to requirements regarding CVC3
dynamic data & configuration
 Re-ordering of table notes throughout the document
 Removed the notion of "recommended" values from table headings. All data
object values listed are expected to be found during CPV
 Application Capabilities Information added (with associated note) to FCI
(BF0C) template in all chapters
 US-specific requirements concerning Third Party Data added
 Removed profile-specific settings for IAC in all chapters (concerning CDA
failure) and added a note regarding offline-oriented behavior
 Add a note regarding requirements for offline CAM and online capability of the
card (with extra qualification for US region)
 Added Track 2 Equivalent Data to the proposed pre-defined file structure
 Chip CVC must always be different from the CVC in the magnetic strip – the
exception regarding OBS is removed
 Clarified options available in the setting of Previous Transaction History
 Application Currency Code made mandatory throughout
 For Maestro profiles, requirement on IAC[3][4-5] changed to recommendation
 Added note regarding alternative AFL to cope with faulty reader
implementations
 Clarified the options available for CIAC[2][4] for PayPass – M/Chip 4 profiles
 Added requirement regarding Issuer Code Table Index in FCI Template
V1.9  Various editorial corrections
 Updated legal notices at beginning of document
 Removed unnecessary references to "PayPass" where possible
 Removed references to "hard limit" and "soft limit" markets for Maestro;
replaced "ceiling limit" with "CVM limit
 Corrected references to Application Version Number ('9F6C')
 Aligned references to "mag-stripe mode" and "EMV mode" with EMV
documentation

PayPass Personalization Data Specifications xiii
Using this Manual
Revision History
Version Description
 Added Canada to Device Type requirement (previously only US Region)
 Ch 2 App Selection; removed PDOL from list of possible data objects in FCI
 Maestro profiles: support for Purchase with Cash Back is allowed
 PayPass-M/Chip 4 chapters, App Selection: modified text to allow for separate
instances of AID for each interface
 Chapter 7, App Selection: corrected the references to notes c & d
 Added clarification of what a "dummy" record is where appropriate.
 Maestro chapters: added statement about absence of mag-stripe data ('9F6B')
 Kernel Identifier made optional in PPSE entry
 Support for cash withdrawals at ATM becomes mandatory in Central & Eastern
Europe

xiv PayPass Personalization Data Specifications
Proximity Payment System Environment (PPSE)
Data Objects for Application Selection
1 Proximity Payment System

Environment (PPSE)
This chapter describes the persistent data objects which will be read during application
selection, regardless of the product or application supported.
Table 1.1 defines the File Control Information Template for the PPSE in the Card. It
contains, within the File Control Information Issuer Discretionary Data, the list of
applications supported by the Card for the contactless interface.
The file name of the PPSE is defined as '2PAY.SYS.DDF01'. The presence of the PPSE is
mandatory if the card supports applications on the contactless interface.
Table 1.1—Content of File Control Information Template in PPSE
Tag Data Element Name Presence

'6F' File Control Information Template M
'84' DF Name M
'A5' File Control Information Proprietary Template M
'BF0C' File Control Information Issuer Discretionary Data M
The File Control Information Issuer Discretionary Data is a constructed data object of
which the value field is comprised of one or more Application Templates (tag '61') as
described in Table 1.2.
Table 1.2—Format of FCI Issuer Discretionary Data
'BF0C' Length '61' Length of Directory … '61' Length of Directory

directory entry 1 directory entry n
entry 1 entry n
Each directory entry is the value field of an Application Template and contains the
information described in Table 1.3. The same data may appear in the FCI specific to the
selected ADF. The same value should be used in each occurrence for a given application.
Table 1.3—Directory Entry Format

Tag Data Element Name Presence
'4F' ADF Name (See notes a and b) M
'50' Application Label (See note c) O
'87' Application Priority Indicator (See Table 1.4) M
'9F2A' Kernel Identifier (see note d) O

PayPass Personalization Data Specifications 1
Proximity Payment System Environment (PPSE)
 Note a See individual chapters for full details of AID values.
 Note b Some legacy contactless readers do not support partial AID matching so
applications that are personalized in the PPSE are recommended not to have PIX
extensions.
 Note c See individual chapters for full details of Application Label values.
 Note d The Kernel Identifier must have the value '02'.
Table 1.4 describes the structure of the Application Priority Indicator. Issuers must set a
unique value for the Application Priority Indicator in each contactless application on the
card. The cardholder confirmation bit must not be set for contactless applications.
Table 1.4— Application Priority Indicator

b8 b7-b5 b4-b1 Definition
1 Application cannot be selected without confirmation by the
cardholder
0 Application may be selected without confirmation by the
cardholder
xxx RFU
xxxx Order in which the application is to be listed or selected,
ranging from 1–15, with 1 being highest priority

2 PayPass Personalization Data Specifications
MasterCard PayPass – Mag Stripe Personalization Data
2 MasterCard PayPass – Mag Stripe

Personalization Data
This chapter includes the personalization values for a contactless mag-stripe card or device
supporting the MasterCard brand.
2.1 Data Objects for Application Selection

Table 2.1—Application Selection
Data Object Name Tag Value

AID '4F' 'A0000000041010'
DF Name '84' 'A0000000041010'
(Must match value of AID)
Application Label '50' "MasterCard" or "MASTERCARD" or
"Debit MasterCard" or
"DEBIT MASTERCARD"
 Note a Dependent on the implementation, data objects for application selection may
already be personalized during pre-personalization. In this case, the AID and
Application Label must be specified when ordering the contactless card or
device.
 Note b Other optional data objects that may be present in the FCI (Application Priority
Indicator, Language Preference, Issuer Code Table Index, Application Preferred
Name and FCI Issuer Discretionary Data) are not used by the contactless mag-
stripe card or device.

Data Objects Referenced in the AFL (DGI '0101')
2.2 Data Objects Referenced in the AFL (DGI '0101')

Table 2.2—Persistent Data Objects in Record 1, SFI 1
Data Object Name Tag Value Presence

Application Version Number '9F6C' '0001' M
PCVC3TRACK1 '9F62' Determined by issuer M
(See notes a and b below)
PUNATCTRACK1 '9F63' Determined by issuer M
(See notes a and c below)
Track 1 Data '56' Determined by issuer M
(See notes d, e, f and h
below)
NATCTRACK1 '9F64' Determined by issuer M
(See notes c and g below)
Track 2 Data '9F6B' Determined by issuer M
(See note e, f and h below)
Third Party Data '9F6E' Determined by issuer O
(See note i below)
 Note a The PCVC3 and PUNATC bit maps must only have non-zero bits that refer to
available positions in the discretionary data field of the corresponding Track
Data.
The least significant bit of the bit maps must be set to zero.
 Note b The number of non-zero bits in the PCVC bit maps must be greater than or equal
to 3.
 Note c The number of non-zero bits in PUNATCTRACK1 minus the value of NATCTRACK1 :
 must be greater than or equal to 2
 should be greater than or equal to 3, and
 must be less than or equal to 5.
It must be equal to the number of non-zero bits in PUNATCTRACK2 minus the
value of NATCTRACK2.
 Note d The storage of the cardholder name in the Track 1 Data read via the contactless
interface is prohibited by MasterCard. It is therefore recommended to use a
space character followed by the surname separator (i.e. " /").

Data Objects Referenced in the AFL (DGI '0101')
 Note e The placeholders for the dynamic data in the discretionary data (i.e. at the
positions where the contactless reader stores the ATC, UN, CVC3 and nUN)
should be filled with zeroes (hexadecimal zeroes ('0') for Track 2 Data and ASCII
zeroes ('30') for Track 1 Data).
The least significant position of the discretionary data is used by the reader to
store nUN.
 Note f If a PVV is encoded in the discretionary part of track 1 and track 2 on the
magnetic stripe and used for Online PIN verification, then this must also be
encoded in the Track 1 Data (tag '56') and Track 2 Data (tag '9F6B') read through
the contactless interface.
 Note g If the issuer intends to make use of the on-behalf service for Dynamic CVC3
Validation, then the value of NATCTRACK1 and the value of NATCTRACK2 must be
 greater than or equal to 3 for the CVC3 Validation in Stand-in Service, or
 greater than or equal to 2 for the Dynamic CVC3 Pre-validation Service or the
Mapping Service (processing only option).
In both cases, a value of at least 4 for NATCTRACK1 and NATCTRACK2 is
recommended if sufficient space is available.
If the PAN Sequence Number is present in the discretionary data and if the PAN
Sequence Number is used for the derivation of KDCVC3, then the length of the
PAN Sequence Number must be maximum 1 significant digit.
 Note h The values of Track 1 Data (tag '56') and Track 2 Data (tag '9F6B') read through
the contactless interface must not be identical to the corresponding value on
the magnetic stripe in order to prevent a counterfeit magnetic stripe being
created from data read from the contactless interface. The CVC1 found on the
magnetic stripe must not be repeated in Track 1 Data or Track 2 Data.
 Note i Optional data object containing the Device Type and proprietary non-payment
information (e.g. loyalty information). If proprietary non-payment information is
included, then the value of the Unique Identifier sub-field that is part of the Third
Party Data must be allocated by MasterCard. It is recommended to always
include Third Party Data with the relevant Device Type, even when there is no
proprietary information. In the latter case the Unique Identifier can be set to all
zeroes.
In US and Canada regions inclusion of the Third Party Data, with Device Type, is
mandatory.

Data Objects for CVC3 Generation (DGI 'A001')
2.3 Data Objects for CVC3 Generation (DGI 'A001')

Table 2.3—Persistent Data Objects for CVC3 Generation
Data Object Tag Value

IVCVC3TRACK1 'DC' Determined by issuer
IVCVC3TRACK2 'DD' Determined by issuer
 Note a It is strongly recommended to use for IVCVC3TRACK1 the two least significant
bytes of the result of a MAC over the Track 1 Data as stored in Record 1, SFI 1.
In the same way IVCVC3TRACK2 should be the two least significant bytes of the
result of a MAC calculated over the Track 2 Data as stored in Record 1, SFI 1.
If the issuer intends to make use of the on-behalf service for Dynamic CVC3
Validation, then for IVCVC3 generation the method recommended above must
be used, and the placeholders for the dynamic data in the discretionary data of
Track 1 Data and Track 2 Data (i.e. at the positions where the reader stores the
ATC, UN, CVC3 and nUN) must be filled with zeroes (hexadecimal zeroes ('0') for
Track 2 Data and ASCII zeroes ('30') for Track 1 Data).
 Note b It is strongly recommended to use for IVCVC3 generation the ISO/IEC 9797-1
MAC algorithm 3 with DES block cipher and an initial vector of zero (8 bytes).
Validation, then this algorithm must be used.
2.4 Secret Key (DGI 'A002')

Table 2.4—KDCVC3
KDCVC3 – Determined by issuer

MasterCard PayPass – M/Chip Flex Personalization Data
Contact Data
3 MasterCard PayPass – M/Chip Flex

3.1 Contact Data

For information on personalization data specific to the contact interface, refer to
[MCHIPPDS]. Any of the MasterCard contact profiles listed may be used together with the
contactless data listed in this chapter.
3.2 Generic Contactless Data
3.2.1 Data Objects for Application Selection

AID '4F' 'A0000000041010' M
(See note a below)
DF Name '84' 'A0000000041010' M
Application Label '50' "MasterCard", or M
"MASTERCARD" or
"DEBIT MASTERCARD"
Application Priority Indicator '87' Determined by issuer O
Language Preference '5F2D' Determined by issuer O
Issuer Code Table Index '9F11' Determined by issuer C
(See note b below)
Application Preferred Name '9F12' Determined by issuer O
FCI Issuer Discretionary Data 'BF0C' Determined by issuer O
(See note c below)
Application Capabilities Information '9F5D' Determined by issuer O
(See note d below)
 Note a It is recommended not to use PIX extensions, as some legacy contactless

readers do not support partial AID matching.

Generic Contactless Data
 Note b Issuer Code Table Index is mandatory if Application Preferred Name is present.
 Note c Optional data object containing the Device Type and proprietary non-payment
zeroes.
In US and Canada regions, inclusion of the Third Party Data, with Device Type,
is mandatory.
 Note d Contains information to alert the terminal to functionality available on the card.
3.2.2 Transaction Processing
Table 3.2—Data Objects used in Transaction Processing
Data Object Tag Value Presence

Application Currency Code '9F42' Determined by issuer M
Application Primary Account Number '5A' Determined by issuer M
(See note a below)
Application PAN Sequence Number '5F34' Determined by issuer M
Application Effective Date '5F25' Determined by issuer O
Application Expiration Date '5F24' Determined by issuer M
(See note a below)
Application Usage Control '9F07' See Table 3.4 M
Application Version Number '9F08' '0002' M
CDOL1 '8C' '9F02069F03069F1A029505 M
5F2A029A039C019F37049F
35019F4502'
CDOL2 (See note b below) '8D' '9F3704' M
CVM List '8E' See Section 3.2.2.3 M
Issuer Action Code – Default '9F0D' See Table 3.5 M
Issuer Action Code – Denial '9F0E' See Table 3.5 M
Issuer Action Code – Online '9F0F' See Table 3.5 M
Issuer Country Code '5F28' Determined by issuer M
SDA Tag List '9F4A' '82' (See note c below) M
Track 2 Equivalent Data '57' Determined by issuer M
(See notes a, d and e below)
 Note a The contents of the Track 2 Equivalent Data (Tag '57') must be consistent with
the PAN (Tag '5A') and Expiration Date (Tag '5F24') data objects.

 Note b Although CDOL2 is not used during contactless transactions, CDOL2 must be
present because some legacy contactless readers check the presence of
CDOL2.
 Note c The SDA Tag List data object is mandatory even if offline CAM is not supported
because some legacy contactless readers check the presence of SDA Tag List
even if offline data authentication is not performed.
 Note d The Chip CVC in the Track 2 Equivalent Data must differ from the CVC1 in the
track 2 data on the magnetic stripe.
 Note e If a PVV is encoded in the discretionary part of track 1 and track 2 on the
encoded in the Track 2 Equivalent Data (tag '57') read through the contactless
interface.
Table 3.3 lists the data objects that must not be included in the records referenced in the
AFL.
Table 3.3—Data Objects that Must Not Be Included

Data Object Name Tag
Cardholder Name '5F20'
3.2.2.1 Application Usage Control
Table 3.4—Application Usage Control
Byte Bit Meaning Value

1 8 Valid for domestic cash transactions 0/1 (See note a below)
7 Valid for international cash transactions 0/1 (See note a below)
6 Valid for domestic goods 0/1
5 Valid for international goods 1
4 Valid for domestic services 0/1
3 Valid for international services 1
2 Valid at ATMs 0/1 (See note a below)
1 Valid at terminals other than ATMs 1
2 8 Domestic cashback allowed 0/1 (See note b below)
7 International cashback allowed 0/1 (See note b below)
6-1 RFU 000000
 Note a Support for cash withdrawals at ATMs is mandatory for cards issued in Albania,
Austria, Bosnia, Bulgaria, Croatia, Czech Republic, Hungary, Israel, Macedonia,
Montenegro, Poland, Romania, Serbia, Slovakia, and Slovenia.

 Note b Cash back is optional for Debit MasterCard applications on the contactless
interface. Cash back is optional for MasterCard credit applications issued in
Europe region.
 Note c Cards that are part of a prepaid program may, with prior approval, restrict card
acceptance to certain environments or merchants. For such programs, the
Application Usage Control may be varied to restrict acceptance as appropriate.
3.2.2.2 Issuer Action Codes
Table 3.5—Issuer Action Codes
Byte Bit Meaning Denial Online Default

1 8 Data authentication was not performed 0/1 1 1
7 Offline static data authentication failed 0 0 0
6 ICC data missing 0/1 1 1
5 Card appears on terminal exception file 0/1 1 1
4 Offline dynamic data authentication failed 0 0 0
3 Combined DDA/AC Generation failed 0/1 1 1
2-1 RFU 00 00 00
2 8 Chip card and terminal have different application 0 0 0
versions
7 Expired application 0/1 1 1
6 Application not yet effective 0 0/1 0
5 Requested service not allowed for card product 0/1 1 1
4 New card 0 0 0
3-1 RFU 000 000 000
3 8 Cardholder verification was not successful 0/1 1 1
7 Unrecognized CVM 0 0 0
6 PIN Try Limit Exceeded 0 0 0
(See note b below)
5 PIN entry required but PIN pad not 0 0 0
present/working
4 PIN entry required, PIN pad present but PIN not 0 0 0
entered
3 Online PIN entered 0 1 1
2-1 RFU 00 00 00
4 8 Transaction exceeds floor limit 0 1 0
7 Lower Consecutive Offline Limit exceeded 0 0 0
6 Upper Consecutive Offline Limit exceeded 0 0 0


5 Transaction selected randomly for online 0 0 0
processing
4 Merchant forced transaction online 0 0 0
3-1 RFU 000 000 000
5 8 Default TDOL used 0 0 0
7 Issuer Authentication was unsuccessful 0 0 0
6 Script processing failed before final GENERATE 0 0 0
AC
5 Script processing failed after final GENERATE AC 0 0 0
4-1 RFU 0000 0000 0000
 Note a If a bit in the Issuer Action Code – Denial is set to 1, then the corresponding bits
in the Issuer Action Code – Online and Issuer Action Code – Default may be set
to 0.
 Note b The corresponding bit is never set in the TVR in the contactless reader,
therefore the setting of this bit has no impact on the transaction.
 Note c If offline-oriented behavior is required, then, where the option is given, the
'denial' bits should be set. The 'online' bit should not be set.
 Note d If CDA is not supported, a setting of 0, 0, 0 may be used in Byte 1, bit 3.
3.2.2.3 CVM List
Table 3.6—CVM List MasterCard Contactless (Option 1)
CVM Bit 7 of byte 1 if CVM not Byte 1 Byte 2 Meaning of Byte 2

successful setting setting
Signature Fail '1E' '03' If supported
Online PIN Fail or Apply next '02' or '42' '03' If supported
No CVM Fail '1F' '03' If supported


3.2.3 Offline CAM

Neither SDA nor DDA may be used on the contactless interface. Cards must either:
 Support CDA, or
 Support no offline CAM
Cards that do not support offline CAM must be configured to be online only. Cards in
Europe or US Regions must support CDA.
Table 3.8—Data Objects used if Contactless Interface Supports CDA

Certification Authority Public Key Index '8F' Determined by issuer C
ICC Public Key Certificate '9F46' Determined by issuer C
ICC Public Key Exponent '9F47' Determined by issuer C
ICC Public Key Remainder '9F48' Determined by issuer C
(See note b below)
Issuer Public Key Certificate '90' Determined by issuer C
Issuer Public Key Exponent '9F32' Determined by issuer C
Issuer Public Key Remainder '92' Determined by issuer C
(See note c below)
 Note a Support for CDA is mandated for MasterCard contactless cards unless
configured as online only.
 Note b The ICC Public Key Remainder is present if NIC > (NI – 42).
 Note c The Issuer Public Key Remainder is present if N I > (NCA – 36).
Table 3.9—Data Objects That Must be Authenticated

Data Object Tag
Application Currency Code '9F42'
Application Effective Date (see note) '5F25'
Application Expiration Date '5F24'
Application Primary Account Number '5A'
Application PAN Sequence Number '5F34'
Application Usage Control '9F07'
CDOL1 '8C'
CDOL2 '8D'

Data Object Tag

CVM List '8E'
Issuer Action Code – Default '9F0D'
Issuer Action Code – Denial '9F0E'
Issuer Action Code – Online '9F0F'
Issuer Country Code '5F28'
SDA Tag List '9F4A'
 Note If present.
3.2.4 Application Interchange Profile
Table 3.10—Application Interchange Profile

1 8 RFU 0
7 Offline static data authentication is supported 0
6 Offline dynamic data authentication is supported 0
5 Cardholder verification supported 1
4 Terminal risk management to be performed 1
3 Issuer authentication data supported 0
2 RFU 0
1 Combined DDA/AC Generation supported (See note below) 0/1
0: CDA not supported
1: CDA supported
2 8 M/Chip profile is supported 1
7-1 RFU 0000000
 Note Cards issued in Europe must support CDA. Cards issued outside Europe are
recommended to support CDA, but may be configured as exclusively online and
support no offline CAM.
3.2.5 Application File Locator

Some legacy contactless readers make use of a predefined file structure. If the AFL read
from the card has a specific value, the reader assumes the file structure and knows where to
find specific data objects.
If the AFL has the value '08010100100101011801020020010200' then the data objects
must be included in the specified records shown in Table 3.11.

If the AFL has the value '080101001001010118010200' then the data objects must be
included in the specified records shown in Table 3.11 (excluding SFI 4). Such a card
would not support CDA so must be configured as online only. Suitable dummy records
must be included in Record 1, SFI 3 and Record 2, SFI 3 in line with the predefined AFL
value. A dummy record should contain:
 at least one valid tag
 data object of non-zero length
 optionally, padding characters
If the data objects are not organized as shown in Table 3.11, then the above values must not
be used. However
 the first four bytes must always be equal to '08010100' (see section 3.2.6).
 it is recommended not to sign the last record referenced by the AFL, as some reader
implementations cannot process this correctly.

Table 3.11—Predefined File Structure

Record 1, SFI 1 Mag-stripe mode data See section 3.2.6
Record 1, SFI 2 Application Primary Account Number '5A'
Application Effective Date '5F25'
CDOL1 '8C'
CDOL2 '8D'
CVM List '8E'
Application Version Number '9F08'
SDA Tag List '9F4A'
Track 2 Equivalent Data '57'
Record 1, SFI 3 Certification Authority Public Key Index '8F'
Issuer Public Key Exponent '9F32'
Issuer Public Key Remainder '92'
Issuer Public Key Certificate '90'
Record 2, SFI 3 Signed Static Application Data '93'
(See note a below)
Record 1, SFI 4 ICC Public Key Exponent '9F47'
ICC Public Key Remainder '9F48'
Record 2, SFI 4 ICC Public Key Certificate '9F46'
 Note a As SDA is not supported a suitable dummy record must be included in Record
2, SFI 3.
 Note b SFI 4 is only present when CDA is supported (AIP (PayPass)[1][7]=1).
3.2.6 Mag-stripe Mode

A MasterCard contactless card that is not exclusively for domestic use must support mag-
stripe mode transactions. The data objects to support mag-stripe mode (see Table 3.12)

must always be included in Record 1 of SFI 1. No other records that are read through the
contactless interface may be included in SFI 1. The first four bytes of the AFL must always
be equal to '08010100'.
Table 3.12—Data Objects in SFI 1, Record 1 for Mag-stripe Mode

(See notes d, e, f and h below)
Data.
The least significant bit of the bit map must be set to zero.
 Note b The number of non-zero bits in the PCVC3 bit maps must be greater than or
equal to 3.

store nUN.
 Note f If the issuer intends to make use of the on-behalf service for Dynamic CVC3
recommended.
Sequence Number is used for the derivation of KDCVC3, then the length of the
 Note g If a PVV is encoded in the discretionary part of track 1 and track 2 on the
3.2.7 Card Risk Management
Table 3.13—Persistent Data Objects for Card Risk Management

Lower Consecutive Offline Limit '9F14' Determined by issuer (See note a below)
Upper Consecutive Offline Limit '9F23' Determined by issuer
Lower Cumulative Offline Transaction 'CA' Determined by issuer (See note a below)
Amount
Upper Cumulative Offline Transaction 'CB' Determined by issuer
Amount
Card Issuer Action Code – Decline 'C3' Profile dependent. See Section 3.3.
Card Issuer Action Code – Default 'C4' Profile dependent. See Section 3.3.
Card Issuer Action Code – Online 'C5' Profile dependent. See Section 3.3.
CDOL1 Related Data Length 'C7' '20'


CRM Country Code 'C8' Same value as Issuer Country Code
CRM Currency Code 'C9' Same value as Application Currency Code
Currency Conversion Table 'D1' Determined by issuer (See note b below)
Additional Check Table 'D3' Determined by issuer. Should be padded
‘000000FFFFFFFFFFFFFFFFFFFFFFFFFFF
FFF’ if present but not used.
Application Control 'D5' See Table 3.14
 Note a When the Cumulative Offline Transaction Amount exceeds the Lower
Cumulative Offline Transaction Amount or the Consecutive Offline Transactions
Number exceeds the Lower Consecutive Offline Limit, the PayPass – M/Chip
Flex application will modify bit 2 of the PayPass Options Indicator of
[PPMCFLEX] in order to force the co-application to go online at the next
transaction.
The issuer should therefore pay special attention to the values of these limits at
personalization.
 Note b If currency conversion is not used, it is recommended that the currency code in
each entry in the Currency Conversion Table be set to the same value as the
CRM Currency Code.
Table 3.14—Application Control

1 8 Magstripe grade issuer (Not used) 0
7 Skip CIAC – Default on CAT3 0/1
0: Do not skip CIAC – Default
1: Skip CIAC – Default
6 Offline only 0
5 Key for offline encrypted PIN 0
4 Offline encrypted PIN verification 0
3 Offline plaintext PIN verification 0
2 Session key derivation (Not used) 0
1 Encrypt offline counters (Not used) 0
2 8-5 RFU 0000
4 Always add to Consecutive Transactions Number 0/1
3 Activate Additional Check Table 0/1
2 Retrieval of balance 0/1
1 Include counters in AC (Not used) 0
3 8 Static CVC3 (Not used) 0


7 Include ATC in CVC3 generation 1
6-1 RFU 000000
 Note The recommended value for the Application Control is '000040'.
3.2.8 Secret Keys

The Triple DES keys listed in Table 3.15 are derived from their corresponding issuer
master keys using a unique identifier from the card such as the PAN, and so are often
referred to as diversified keys.
Table 3.15—Triple DES Keys

ICC Dynamic Number Master Key (MKIDN) – Determined by issuer (see note below)
ICC Derived Key for CVC3 Generation – Determined by issuer
(KDCVC3)
AC Master Key (MKAC) – Determined by issuer
Table 3.16—RSA Keys

Length of ICC Public Key Modulus – Determined by issuer (see note below)
ICC Private Key – Determined by issuer (see note below)
 Note Only required if the card supports CDA (AIP [1][1]=1).

3.2.9 Miscellaneous
Table 3.17—Miscellaneous Persistent Data Objects

Key Derivation Index – Determined by issuer
Application Life Cycle Data '9F7E' Depending on the possible separation
between the loading of the application code
and the personalization data on the
hardware, only part of the Application Life
Cycle Data may be personalized.
Co-application Indicator 'DE' '00': M/Chip Lite 2.1
'01': M/Chip Select 2.05
'02': UKIS-compliant application
'03': CCD-compliant application
Static CVC3TRACK1 'DA' '0000'
Static CVC3TRACK2 'DB' '0000'
 Note a It is strongly recommended to use for IVCVC3 TRACK1 the two least significant
Validation, then for IVCVC3 generation the placeholders for the dynamic data in
the discretionary data of Track 1 Data and Track 2 Data (i.e. at the positions
where the contactless reader stores the ATC, UN, CVC3 and nUN) must be filled
with zeroes (hexadecimal zeroes for Track 2 Data and ASCII zeroes ('30') for
Track 1 Data).

3.2.10 Counter Limits and Previous Transaction
Table 3.18—Counter Limits and Previous Transaction

Application Transaction Counter Limit – '4E20'
Previous Transaction History – '00'
AC Session Key Counter Limit – '4E20'
3.2.11 Data Objects with a Fixed Initial Value
Table 3.19—Data Objects with a Fixed Initial Value

Cumulative Offline Transaction Amount – '000000000000'
Consecutive Offline Transactions Number – '00'
Application Transaction Counter '9F36' '0000'
AC Session Key Counter – '0000'

Profile Dependent Contactless Data
3.3 Profile Dependent Contactless Data
3.3.1 Offline Profile

Table 3.20 shows the Card Issuer Action Codes for offline-oriented behavior. With these
settings the PayPass – M/Chip Flex application will never return an ARQC in response to a
GENERATE AC command requesting a TC. Once the relevant upper limit (Upper
Consecutive Offline Limit or Upper Cumulative Offline Limit) is exceeded all transactions
are declined offline.
Table 3.20—Card Issuer Action Codes (Offline)
Byte Bit Meaning Decline Online Default

1 8 RFU 0 0 0
7 Unable To Go Online Indicated 0 0 0
6 Offline PIN Verification Not Performed 0 0 0
5 Offline PIN Verification Failed 0 0 0
3 International Transaction 0 0 0
2 Domestic Transaction 0 0 0
1 Terminal Erroneously Considers Offline PIN OK 0 0 0
2 8 Lower Consecutive Offline Limit Exceeded 0 0 0
7 Upper Consecutive Offline Limit Exceeded 1 0 0/1
(See note)
6 Lower Cumulative Offline Limit Exceeded 0 0 0
5 Upper Cumulative Offline Limit Exceeded 1 0 0/1
(See note)
4 Go Online On Next Transaction Was Set 0 0 0
3 Issuer Authentication Failed 0 0 0
2 Script Received 0 0 0
1 Script Failed 0 0 0
3 8-3 RFU 000000 000000 000000
2 Match Found In Additional Check Table 0 0 0
1 No Match Found In Additional Check Table 0 0 0
 Note The transaction that causes one of the upper limits (Upper Cumulative Offline
Limit or Upper Consecutive Offline Limit) to be exceeded is not declined.

3.3.2 Standard Profile

Table 3.21 shows the Card Issuer Action Codes for standard card behavior. When the
upper limit is exceeded, transactions are sent online on online-capable terminals and
declined offline on offline-only terminals.
Table 3.21—Card Issuer Action Codes (Standard)

1 8 RFU 0 0 0
3 International Transaction 0 0/1 0
2 Domestic Transaction 0 0/1 0
7 Upper Consecutive Offline Limit Exceeded 0 1 1
5 Upper Cumulative Offline Limit Exceeded 0 1 1
3 8-3 RFU 000000 000000 000000

3.3.3 Online-Only Profile

Table 3.22 shows the Card Issuer Action Codes for online-only card behavior. All
transactions are sent online on online-capable terminals and declined offline on offline-only
terminals.
Online-Only cards may either support CDA or be issued with no offline CAM support.
PayPass – M/Chip cards issued in the U.S. region may not be configured as online-only.
Table 3.22—Card Issuer Action Codes (Online-Only)

1 8 RFU 0 0 0
3 8-3 RFU 000000 000000 000000
Issuers of the online-only profile that do not support CDA are recommended not to use the
predefined file structure as neither SFI 3 nor SFI 4 are required.
Issuers of the online-only profile should not set Application Control [1][7] "Skip CIAC-
default on CAT 3" in order to prevent offline transactions being approved by the card.

Maestro PayPass – M/Chip Flex Personalization Data
Contact Data
4 Maestro PayPass – M/Chip Flex

4.1 Contact Data

[MCHIPPDS]. Any of the contact profiles listed may be used together with the contactless
data listed in this chapter.
Issuers using a magnetic stripe grade card profile for the contact interface should
understand the potential risk if the card supports offline transactions.

AID '4F' 'A0000000043060' M
(See note a below)
DF Name '84' 'A0000000043060' M
Application Label '50' "Maestro" or "MAESTRO" M
(See note b below)
(See note c below)
(See note d below)


zeroes.
is mandatory.

Application Expiration Date '5F24' Determined by issuer (See M
note a below)
Application Primary Account Number '5A' Determined by issuer (See M
note a below)
CDOL1 '8C' '9F02069F03069F1A029505 M
5F2A029A039C019F37049F
35019F4502'
CDOL2 (See note b below) '8D' '9F3704' M
CVM List '8E' See Table 4.6 M

CDOL2.
 Note d If present, the Chip CVC in the Track 2 Equivalent Data must differ from the
CVC1 in the track 2 data on the magnetic stripe.
interface.
AFL.
Table 4.3—Data Objects that Must Not be Included


2 8 Domestic cashback allowed 0/1
7 International cashback allowed 0/1
6-1 RFU 000000

 Note b Cards that are part of a prepaid program may, with prior approval, restrict card
Table 4.5 describes the personalization values for the Issuer Action Codes.

2-1 RFU 00 00 00
versions
7 Expired Application 0/1 1 1
4 New card 0 0 0
3-1 RFU 000 000 000
6 PIN Try Limit exceeded 0 0 0
(See note b below)
5 PIN entry required but PIN pad not 0/1 0 0
present/working (See note c below)
4 PIN entry required, PIN pad present but PIN not 0/1 0 0
entered (See note c below)
3 Online PIN entered 0 0/1 0/1
(See note d below)
2-1 RFU 0 0 0


processing
3-1 RFU 000 000 000
6 Script processing failed before final Generate AC 0 0 0
5 Script processing failed after final Generate AC 0 0 0
4-1 RFU 0000 0000 0000
to 0.
 Note c A value of 1,0,0 is recommended if online PIN is supported.
 Note d A value of 0,1,1 must be used if online PIN is supported.
 Note e If offline-oriented behavior is required, then, where the option is given, the
 Note f If CDA is not supported, a setting of 0, 0, 0 may be used in Byte 1, bit 3.
4.2.2.3 CVM List
This section describes the personalization value of the CVM List.

In markets where transactions are not permitted above the CVM limit, the CVM List must
be as shown in Table 4.6.
Cards issued in these markets but that are likely to be used in markets where transactions
are permitted above the CVM limit may use the CVM List in Table 4.7.
Table 4.6—CVM List Maestro Contactless - LVT only

In markets where transactions are permitted above the CVM limit, the CVM List must be as
shown in Table 4.6.

Table 4.7—CVM List Maestro Contactless - HVT support

4.2.3 Offline CAM

Neither SDA nor DDA may be used on the contactless interface. All Maestro cards must
support CDA.
Table 4.8—Data Objects used to support CDA

Certification Authority Public Key Index '8F' Determined by issuer M
ICC Public Key Certificate '9F46' Determined by issuer M
ICC Public Key Exponent '9F47' Determined by issuer M
(See note a below)
Issuer Public Key Certificate '90' Determined by issuer M
Issuer Public Key Exponent '9F32' Determined by issuer M
(See note b below)
 Note a The ICC Public Key Remainder is present if NIC > (NI – 42).
 Note b The Issuer Public Key Remainder is present if N I > (NCA – 36).

Data Object Tag
CDOL1 '8C'
CDOL2 '8D'
CVM List '8E'

Data Object Tag

SDA Tag List '9F4A'
4.2.4 Application Interchange Profile
Table 4.10—Application Interchange Profile

1 8 RFU 0
2 RFU 0
1 Combined DDA/AC Generation supported 1
7-1 RFU 0000000
4.2.5 Application File Locator

Some legacy contactless readers make use of a predefined file structure. If the AFL read
from the card has a specific value, the reader assumes the file structure and knows where to
find specific data objects.
If the AFL has the value '08010100100101011801020020010200' then the data objects
must be included in the specified records shown in Table 4.11.
If the data objects are not organized as shown in Table 4.11, then
 the data objects must be organised such that the first four bytes of the AFL are different
from '08010100'.

If dummy records are included in order to respect the predefined AFL value, then the
dummy records should contain:

CDOL1 '8C'
CDOL2 '8D'
CVM List '8E'
SDA Tag List '9F4A'
(See note below)
 Note As SDA is not supported a suitable dummy record must be included in Record
2, SFI 3.


Mag-stripe mode transactions are not supported for Maestro contactless. A value of 'FFFF'
for the Application Version Number must be included in Record 1 of SFI 1 if the
predefined file structure is used. The Track 2 Data (tag ('9F6B') must not be included.
Table 4.12—Data Objects for Card Risk Management

Lower Consecutive Offline Limit '9F14' Determined by issuer
(See note a below)
Lower Cumulative Offline Transaction 'CA' Determined by issuer
Amount (See note a below)
Amount
Card Issuer Action Code – Decline 'C3' Profile dependent. See Section 4.3
Card Issuer Action Code – Default 'C4' Profile dependent. See Section 4.3
Card Issuer Action Code – Online 'C5' Profile dependent. See Section 4.3
CDOL1 Related Data Length 'C7' '20'
Currency Conversion Table 'D1' Determined by issuer (See note b below)
Additional Check Data 'D3' Determined by issuer. Should be padded
‘000000FFFFFFFFFFFFFFFFFFFFFFFFFF
FFFF’ if present but not used.
Application Control 'D5' See Table 4.13
 Note a When the Cumulative Offline Transaction Amount exceeds the Lower
Cumulative Offline Transaction Amount or the Consecutive Offline Transactions
Number exceeds the Lower Consecutive Offline Limit, the PayPass – M/Chip
Flex application will modify bit 2 of the PayPass Options Indicator of
[PPMCFLEX] in order to force the co-application to go online at the next
transaction.
The issuer should therefore pay special attention to the values of these limits at
personalization.
 Note b If currency conversion is not used, it is recommended that the currency code in
CRM Currency Code.

Table 4.13—Application Control

7 Skip CIAC – Default on CAT3 0
6 Offline only 0
2 Session key derivation (Not used) 0
1 Encrypt offline counters (Not used) 0
2 8-5 RFU 0000
4 Always add to Consecutive Transactions Number 0/1
2 Allow retrieval of balance 0/1
1 Include counters in AC (Not used) 0
3 8 Static CVC3 (See note a below) 1
6-1 RFU 000000
 Note a For security reasons, it is recommended to set bit 8 of byte 3 to 1.
 Note b The recommended value for the Application Control is '000080'.
4.2.8 Secret Keys


ICC Dynamic Number Master Key (MK IDN) – Determined by issuer
ICC Derived Key for CVC3 Generation – Not used. Random non-zero value
(KDCVC3) recommended.


Length of ICC Public Key Modulus) – Determined by issuer
ICC Private Key – Determined by issuer
4.2.9 Miscellaneous

Application Life Cycle Data '9F7E' Depending on the possible separation
between the loading of the application code
and the personalization data on the
hardware, only part of the Application Life
Cycle Data may be personalized.
Co-application Indicator 'DE' '00': M/Chip Lite 2.1
'01': M/Chip Select 2.05
'02': UKIS-compliant application
'03': CCD-compliant application
IVCVC3TRACK1 'DC' '0000'
IVCVC3TRACK2 'DD' '0000'
Table 4.17—Counter Limits and Previous Transaction
Data Object Name Tag Tag

Previous Transaction History – '00'
AC Session Key Counter Limit – '4E20'
Table 4.18—Data Objects with a Fixed Initial Value
Data Object Name Tag Recommended Value


Data Object Name Tag Recommended Value



Table 4.14 shows the Card Issuer Action Codes for offline-oriented behavior. With these
settings the PayPass – M/Chip Flex application will never return an ARQC in response to a
GENERATE AC command requesting a TC. Once the relevant upper limit (Upper
Consecutive Offline Limit or Upper Cumulative Offline Limit) is exceeded all transactions
are declined offline.
Table 4.19—Card Issuer Action Codes (Offline)

1 8 RFU 0 0 0
(See note)
(See note)
3 8-3 RFU 000000 000000 000000


Table 4.20 shows the Card Issuer Action Codes for standard card behavior. When the
upper limit is exceeded, all transactions are sent online on online-capable terminals and
declined offline on offline-only terminals.
Table 4.20—Card Issuer Action Codes (Standard)

1 8 RFU 0 0 0
3 8-3 RFU 000000 000000 000000

4.3.3 Online Preferring

Table 4.21 describes the personalization values for the Card Issuer Action Codes for online-
oriented behavior. They are used when the issuer chooses to send all contactless
transactions online on online-capable terminals.
Table 4.21—Card Issuer Action Codes (Online)

1 8 RFU 0 0 0
(See note below)
(See note below)
3 8-3 RFU 000000 000000 000000
 Note The setting of the 'International Transaction' and 'Domestic Transaction' bits to
(0,1,0) results in online contactless transactions on online-capable terminals.
With this setting, the PayPass – M/Chip Flex application will always generate an
ARQC on an online-capable terminal in response to a GENERATE AC command
requesting either a TC or an ARQC.


terminals.

1 8 RFU 0 0 0
3 8-3 RFU 000000 000000 000000

MasterCard PayPass – M/Chip 4 Personalization Data
Contact Data
5 MasterCard PayPass – M/Chip 4

PayPass – M/Chip 4 is a dual-interface application. Unless otherwise stated, this chapter
gives only the personalization data for the contactless interface. Where possible, data
objects listed may be shared between the contact and contactless interfaces.
The contactless personalization data given in this chapter is listed according to whether the
data is generic or profile specific.
5.1 Contact Data

[MCHIPPDS]. Any of the MasterCard contact profiles listed may be used together with the
contactless data listed in this chapter.
5.1.1 Data Objects Referenced in the AFL (Contact)

There are no recommended values for the AFL (Contact). The organization of the data
objects included in the files referenced in the AFL (Contact) are organized as determined
by the issuer.
Some records may be shared between the contact and contactless interfaces, regardless of
the file organization indicated by the AFL (PayPass). This section addresses data objects
referenced in the AFL (Contact) that do not have the same value for both interfaces (and
thus must not be shared).
 Note This section does not contain a complete list of all data objects referenced in
the AFL (Contact).
Table 5.1 lists the data objects that do not have the same value for both interfaces. These
data objects cannot be included in records shared by both interfaces.
Table 5.1—Data Objects that Do Not Have the Same Value

Application Usage Control (See note below) '9F07'
CVM List '8E'
Signed Static Application Data '93'


ICC Public Key Certificate '9F46'
 Note The values on the contact and contactless interfaces may be the same or may
be different.

Table 5.2 lists the persistent data objects for application selection. All data objects listed
that are shared between the contactless and contact interface need to be personalized only
once with a value common for both interfaces. Some implementations may allow data
objects such as the AID to be personalized with separate values for each interface. In that
case the value listed here is for the contactless interface.
Table 5.2—Persistent Data Objects for Application Selection

AID '4F' 'A0000000041010' M
(See note below)
DF Name '84' 'A0000000041010' M
Application Label '50' "MasterCard" or M
"MASTERCARD" or
"DEBIT MASTERCARD"
(See note b below)
Log Entry '9F4D' Byte 1: Lower bits contain O
the SFI of the transaction
log file (11)
Byte 2: Maximum number
of records in the transaction
log file
(See note c below)


(See note d below)

zeroes.
is mandatory.

note a below)
note a below)
CDOL1 '8C' PayPass – M/Chip Select 4: M
'9F02069F03069F1A029505
5F2A029A039C019F37049F
35019F45029F4C089F3403'
PayPass – M/Chip Lite 4:
'9F02069F03069F1A029505
5F2A029A039C019F37049F
35019F45029F3403'


CDOL2 '8D' PayPass – M/Chip Select 4: M
(See note b below) '910A8A0295059F37049F4
C08'
PayPass – M/Chip Lite 4:
'910A8A029505'
CVM List '8E' See Section 5.2.2.3 M
Track-2 Equivalent Data '57' Determined by issuer M
CDOL2.
 Note d The Chip CVC in the Track 2 Equivalent Data must differ from the CVC1 in the
track 2 data on the magnetic stripe.
interface.

Cardholder Name '5'5F20'

Table 5.5 describes the personalization values of the Application Usage Control for the
contactless interface.

2 8 Domestic cashback allowed 0/1 (See note b below)
7 International cashback allowed 0/1 (See note b below)
6-1 RFU 000000
 Note b Cashback is optional for Debit MasterCard applications on the contactless

interface. Cash back is optional for MasterCard credit applications issued in
Europe region.
 Note c Cards that are part of a prepaid program may, with prior approval, restrict card
Table 5.6 describes the personalization values of the Issuer Action Codes for the contactless
interface.



2-1 RFU 00 00 00
2 8 Chip card and terminal have different 0 0 0
application versions
7 Expired application 0/1 1 1
4 New card 0 0 0
3-1 RFU 000 000 000
(See note b below)
5 PIN entry required but PIN pad not 0 0 0
present/working
4 PIN entry required, PIN pad present but PIN not 0 0 0
entered
3 Online PIN entered 0 1 1
2-1 RFU 00 00 00
processing
3-1 RFU 000 000 000
6 Script processing failed before final Generate 0 0 0
AC
4-1 RFU 0000 0000 0000
to 0.

 Note c If offline-oriented behavior is required, then, where the option is given, the
 Note d If CDA is not supported, a setting of 0, 0, 0 may be used in Byte 1, bit 3.
5.2.2.3 CVM List
This section describes the personalization values of the CVM List for the contactless
interface.

Table 5.8—CVM List for MasterCard Contactless (Option 2)

5.2.3 Offline CAM

Neither SDA nor DDA may be used on the contactless interface. Cards must either:
 Support CDA, or
 Support no offline CAM
Cards that do not support offline CAM must be configured to be online only. Cards in
Europe or US Regions must support CDA.

Table 5.9—Data Objects used if contactless interface supports CDA

Certification Authority Public Key Index '8F' ‘04’, ‘05’ or ‘06’ C
ICC Public Key Exponent '9F47' Determined by issuer C
(See note b below)
ICC Public Key Certificate '9F46' Determined by issuer C
Issuer Public Key Exponent '9F32' Determined by issuer C
(See note c below)
Issuer Public Key Certificate '90' Determined by issuer C
 Note a Support for CDA is mandated for MasterCard contactless cards unless
configured as online only.
 Note b The ICC Public Key Remainder is present if NIC > (NI – 42).
 Note c The Issuer Public Key Remainder is present if N I > (NCA – 36).

Data Object Tag
CDOL1 '8C'
CDOL2 '8D'
CVM List '8E'
SDA Tag List '9F4A'

5.2.4 Application Interchange Profile (PayPass)
Table 5.11—AIP (PayPass)

1 8 RFU 0
2 RFU 0
1 Combined DDA/AC Generation supported (See note below) 0/1
0: CDA not supported
1: CDA supported
7-1 RFU 0
 Note Cards issued in Europe must support CDA. Cards issued outside Europe are
recommended to support CDA, but may be configured as exclusively online and
support no offline CAM.
5.2.5 Application File Locator (PayPass)

Some legacy contactless readers make use of a predefined file structure. If the AFL
(PayPass) read from the card has a specific value, the reader assumes the file structure and
knows where to find specific data objects.
If the AFL (PayPass) has the value '08010100100101011801020020010200' then the data
objects must be included in the specified records shown in Table 5.12.
If the AFL (PayPass) has the value '080101001001010118010200' then the data objects
must be included in the specified records shown in Table 5.12. (excluding SFI 4). Such a
card would not support CDA so must be configured as online only. Suitable dummy
records must be included in Record 1, SFI 3 and Record 2, SFI 3 in line with the predefined
AFL value. A dummy record should contain:
If the data objects are not organized as shown in Table 5.12, then the above values must not
be used. However
 the first four bytes must always be equal to '08010100' (see section 5.2.6).


CDOL1 '8C'
CDOL2 '8D'
CVM List '8E'
SDA Tag List '9F4A'
(See note a below)
 Note a As SDA is not supported a suitable dummy record must be included in Record
2, SFI 3.
 Note b SFI 4 is only present when CDA is supported (AIP (PayPass)[1][7]=1).


A MasterCard contactless card that is not exclusively for domestic use must support mag-
stripe mode transactions. The data objects to support mag-stripe mode (see Table 5.13)
must always be included in Record 1 of SFI 1. No other records that are read through the
contactless interface may be included in SFI 1. The first four bytes of the AFL (PayPass)
must always be equal to '08010100'.
Table 5.13—Data Objects in SFI 1, Record 1 for Mag-stripe Mode

(See notes d, e, f and h below)
Data.
equal to 3.

store nUN.
 Note g If the issuer intends to make use of on-behalf service for Dynamic CVC3
recommended.
Sequence Number is used for the derivation of KD CVC3, then the length of the

Unless otherwise indicated, card risk management data objects are shared between the
contact and contactless interface and must be configured in the same way as for the
M/Chip 4 application.
Table 5.14—Persistent Data Objects for Card Risk Management

Lower Consecutive Offline Limit '9F14' Determined by issuer
Lower Cumulative Offline Transaction 'CA' Determined by issuer
Amount


Amount
Application Control (PayPass) 'D7' See Table 5.15
Card Issuer Action Code (PayPass) – 'CF' Profile dependent. See Section 5.3.
Decline
Card Issuer Action Code (PayPass) – 'CD' Profile dependent. See Section 5.3.
Default
Card Issuer Action Code (PayPass) – 'CE' Profile dependent. See Section 5.3.
Online
CDOL1 Related Data Length 'C7' PayPass – M/Chip Lite 4: '23'
PayPass – M/Chip Select 4: '2B'
Currency Conversion Table 'D1' Determined by issuer (See note a below)
Additional Check Table 'D3' Determined by issuer (See note b below)
 Note a If currency conversion is not used, it is recommended that the currency code in
CRM Currency Code.
 Note b The Additional Check Table is shared with the contact interface.
Table 5.15—Application Control (PayPass)

7 Skip CIAC – Default on CAT3 0/1
0: Do not skip CIAC (PayPass) – Default
1: Skip CIAC (PayPass) – Default
6 RFU 0
2 Session key derivation (See note a below) 0/1
1 Encrypt offline counters 0/1
2 8-4 RFU 00000
1 Include counters in AC 0/1


3 8 Static CVC3 (Not used) 0
6-1 RFU 000000
 Note a The definition of bit 2 of byte 1 of Application Control (PayPass) depends on the
version of the PayPass – M/Chip 4 application (v1.0, v1.1a, or v1.1b). Refer to
Table 5.16 for more information.
 Note b The recommended value for the Application Control (PayPass) is '000040'.
Table 5.16—Session Key Derivation Algorithm

Version Application Control[1][2] = 0 Application Control[1][2] = 1
v1.0 MasterCard Proprietary EMV2000
v1.1a MasterCard Proprietary Value not allowed
v1.1b MasterCard Proprietary EMV CSK
5.2.8 Secret Keys


ICC Dynamic Number Master Key – Determined by issuer (see note below)
(MKIDN)
SM for Integrity Master Key (MKSMI) – Determined by issuer
SM for Confidentiality Master Key – Determined by issuer
(MKSMC)
(KDCVC3)

Length of ICC Public Key Modulus – Determined by issuer (see note below)
ICC Private Key – Determined by issuer (see note below)

 Note Only required if the card supports CDA.
5.2.9 Miscellaneous

Application Life Cycle Data '9F7E' Depending on the possible separation between
the loading of the application code and the
personalization data on the hardware, only part
of the Application Life Cycle Data may be
personalized.
Log Format '9F4F' The content of records in the Log of
Transactions
If the issuer intends to make use of on-behalf service for Dynamic CVC3
Validation, then for IVCVC3 generation the placeholders for the dynamic data in
the discretionary data of Track 1 Data and Track 2 Data (i.e. at the positions
where the contactless reader stores the ATC, UN, CVC3 and nUN) must be filled
with zeroes (hexadecimal zeroes for Track 2 Data and ASCII zeroes ('30') for
Track 1 Data).
If the issuer intends to make use of on-behalf service for Dynamic CVC3

Table 5.20—Counter Limits and Previous Transaction (M/Chip 4 Version 1.0)

Previous Transaction History – '00' or ‘08’ (See note below)
Bad Cryptogram Counter Limit – '0400'
MAC in Script Counter Limit – '0F'
Global MAC in Script Counter Limit – '004E20'
CFDC_Limit for Integrity Session Key – 3
CFDC_Limit for Confidentiality Session – 3
Key
CFDC_Limit for AC Session Key – 3
 Note The personalization of the Previous Transaction History value to '08' is used to
manage new card behavior. Contactless transactions may be forced online or
declined (pending the completion of a contact transaction). The appropriate
value for CIAC 'Go Online On Next Transaction Was Set' (Byte 2, bit 4) must be
set.
Table 5.21—Counters and Previous Transaction (M/Chip 4 Version 1.1.a)

set.
Table 5.22—Counters and Previous Transaction (M/Chip 4 Version 1.1.b)

Previous Transaction History – '00' or ‘08’ (See note a below)
AC Session Key Counter Limit – '0400' (See note b below)


SMI Session Key Counter Limit – '0400'
 Note a The personalization of the Previous Transaction History value to '08' is used to
set.
 Note b If a magnetic stripe grade profile is used for the contact interface, then the AC
Session Key Counter Limit must be set to the same value as the Application
Transaction Counter Limit ('4E20').
Table 5.23—Data Objects with a Fixed Initial Value (M/Chip 4 Version 1.0)
Consecutive Offline Transactions – '00'
Number
Script Counter '9F5F' '00'
Log of The Current Transaction x – '00…00'
(x=1...10 or more)
Global MAC in Script Counter – '000000'
Bad Cryptogram Counter – '0000'
CFDC for Integrity Session Key – 0
CFDC for Confidentiality – 0
Session Key
CFDC for AC Session Key – 0
Table 5.24—Data Objects with a Fixed Initial Value (M/Chip 4 Version 1.1.a)
(x=1...10 or more)


Table 5.25—Data Objects with a Fixed Initial Value (M/Chip 4 Version 1.1b)
(x=1...10 or more)
SMI Session Key Counter – '0000'
Security Limits Status 'DF02" '00'


Table 5.26 shows the Card Issuer Action Codes (PayPass) for offline-oriented behavior.
With this profile, the PayPass – M/Chip 4 application will never return an ARQC in
response to a GENERATE AC command requesting a TC over the contactless interface.
Once the relevant lower limit (Lower Consecutive Offline Limit or Lower Cumulative
Offline Limit) is exceeded all contactless transactions are declined offline.
Table 5.26—Card Issuer Action Codes (PayPass) (Offline Profile)

1 8 RFU 0 0 0
4 PIN Try Limit Exceeded 0/1 0/1 0/1
1 Terminal Erroneously Considers Offline 0 0 0
PIN OK
2 8 Lower Consecutive Offline Limit Exceeded 1 0 0/1
(See note)
6 Lower Cumulative Offline Limit Exceeded 1 0 0/1
(See note)
3 8-3 RFU 000000 000000 000000
 Note The transaction that causes one of the lower limits (Lower Cumulative Offline
Limit or Lower Consecutive Offline Limit) to be exceeded is not declined.


Table 5.27 shows the Card Issuer Action Codes (PayPass) for standard card behavior. With
this profile, a contactless transaction that causes one of the upper limits (Upper Cumulative
Offline Limit Exceeded or Upper Consecutive Offline Limit Exceeded) to be exceeded is
sent online on online-capable terminals, and declined offline on offline-only terminals.
Table 5.27—Card Issuer Action Codes (PayPass) (Standard Profile)

1 8 RFU 0 0 0
2 8 Lower Consecutive Offline Limit Exceeded 0 0/1 0
6 Lower Cumulative Offline Limit Exceeded 0 0/1 0
4 Go Online On Next Transaction Was Set 0/1 1 1
3 8-3 RFU 000000 000000 000000

terminals.
Online-Only cards may either support CDA or be issued with no offline CAM support.



1 8 RFU 0 0 0
4 PIN Try Limit Exceeded 0/1 0 0
3 8-3 RFU 000000 000000 000000
Issuers of the online-only profile that do not use CDA are recommended not to use the
predefined file structure as neither SFI 3 nor SFI 4 are required.

Maestro PayPass – M/Chip 4 Personalization Data
Contact Data
6 Maestro PayPass – M/Chip 4

PayPass – M/Chip 4 is a dual-interface application. Where possible, data objects listed
may be shared between the contact and contactless interfaces. The personalization profile
given in this section is only applicable for the PayPass – M/Chip Select 4 platform.
The contactless personalization data given in this chapter is listed according to whether the
data is generic or profile specific.
6.1 Contact Data

[MCHIPPDS]. Any of the contact profiles listed may be used together with the contactless
data listed in this chapter.
Issuers using a magnetic stripe grade card profile for the contact interface should
understand the potential risk if the card supports offline transactions.
6.1.1 Data Objects Referenced in the AFL (Contact)

There are no recommended values for the AFL (Contact). The organization of the data
objects included in the files referenced in the AFL (Contact) are organized as determined
by the issuer.
Some records may be shared between the contact and contactless interfaces, regardless of
the file organization indicated by the AFL (PayPass). This section addresses data objects
referenced in the AFL (Contact) that do not have the same value for both interfaces (and
thus must not be shared).
 Note This section does not contain a complete list of all data objects referenced in
the AFL (Contact).
Table 6.1 lists the data objects that do not have the same value for both interfaces. These
data objects cannot be included in records shared by both interfaces.

Contact Data
Table 6.1—Data Objects that Do Not Have the Same Value

CVM List '8E'
Signed Static Application Data '93'
ICC Public Key Certificate '9F46'
6.1.2 Card Risk Management (Contact)

Table 6.2 lists the values of the Card Issuer Action Codes for the contact interface when the
issuer wants to force every contact transaction online. This allows the use of the offline
counters to be restricted for contactless transactions only.
Otherwise, the Card Issuer Action Codes for the contact interface should be configured as
described in [MCHIPPDS].
Table 6.2—Card Issuer Action Codes (Contact) (Online-only)

1 8 RFU 0 0 0
(See note below)
(See note below)


3 8-3 RFU 000000 000000 000000
(0,1,1) results in online contact transactions. With this setting, the PayPass –
M/Chip 4 application will always generate an ARQC during a contact transaction
on an online-capable terminal, and will decline every contact transaction on an
offline-only terminal or when the terminal is unable to go online.

that are shared between the contactless and contact interface need to be personalized only
once with a value common for both interfaces. Some implementations may allow data
objects such as the AID to be personalized with separate values for each interface. In that
case the value listed here is for the contactless interface.

AID '4F' 'A0000000043060' M
(See note a below)
DF Name '84' 'A0000000043060' M
Application Label '50' "Maestro" or "MAESTRO" M
(See note b below)


the SFI of the transaction log
file (11)
Byte 2: Maximum number of
records in the transaction log
file
(See note c below)
(See note d below)

zeroes.
is mandatory.

note a below)
note a below)


CDOL1 '8C' '9F02069F03069F1A0295055 M
F2A029A039C019F37049F3
5019F45029F4C089F3403'
CDOL2 '8D' '910A8A0295059F37049F4C M
(See note b below) 08'
CVM List '8E' See Table 6.8 M
CDOL2.
 Note d If present, the Chip CVC in the Track 2 Equivalent Data must differ from the
CVC1 in the track 2 data on the magnetic stripe.
interface.
AFL (PayPass).


Table 6.6 describes the personalization values of the Application Usage Control.

2 8 Domestic cashback allowed 0/1
7 International cashback allowed 0/1
6-1 RFU 000000
 Note b Cards that are part of a prepaid program may, with prior approval, restrict card
Table 6.7 describes the personalization values of the Issuer Action Codes.

2-1 RFU 00 00 00


versions
7 Expired Application 0/1 1 1
4 New card 0 0 0
3-1 RFU 000 000 000
(See note b below)
5 PIN entry required but PIN pad not 0/1 0 0
present/working (See note c below)
4 PIN entry required, PIN pad present but PIN not 0/1 0 0
entered (See note c below)
3 Online PIN entered 0 0/1 0/1
(See note d below)
2-1 RFU 0 0 0
processing
3-1 RFU 000 000 000
6 Script processing failed before final Generate AC 0 0 0
4-1 RFU 0000 0000 0000
to 0.
 Note c A value of 1,0,0 is recommended if online PIN is supported.

 Note d A value of 0,1,1 must be used if online PIN is supported.
 Note e If offline-oriented behavior is required, then, where the option is given, the
 Note f If CDA is not supported, a setting of 0, 0, 0 may be used in Byte 1, bit 3.
6.2.2.3 CVM List
In markets where transactions are not permitted above the CVM limit, the CVM List must
be as shown in Table 6.8.
Cards issued in these markets but that are likely to be used in markets where transactions
are permitted above the CVM limit may use the CVM List in Table 6.9.
Table 6.8—CVM List Maestro Contactless - LVT only

In markets where transactions are permitted above the CVM limit, the CVM List must be as
shown in Table 6.9.
Table 6.9—CVM List Maestro Contactless - HVT support

6.2.3 Offline CAM

Neither SDA nor DDA may be used on the contactless interface. All Maestro cards must
support CDA.
Table 6.10—Data Objects used to support CDA

Certification Authority Public Key Index '8F' Determined by issuer M
ICC Public Key Certificate '9F46' Determined by issuer M
ICC Public Key Exponent '9F47' Determined by issuer M
(See note a below)


Issuer Public Key Certificate '90' Determined by issuer M
Issuer Public Key Exponent '9F32' Determined by issuer M
(See note b below)
 Note a The ICC Public Key Remainder is present if NIC > (NI – 42).
 Note b The Issuer Public Key Remainder is present if N I > (NCA – 36).
Data Object Tag

CDOL1 '8C'
CDOL2 '8D'
CVM List '8E'
SDA Tag List '9F4A'
6.2.4 Application Interchange Profile (PayPass)
Table 6.12—AIP (PayPass)

1 8 RFU 0


2 RFU 0
1 Combined DDA/AC Generation supported 1
7-1 RFU 0000000
6.2.5 Application File Locator (PayPass)

Some legacy contactless readers make use of a predefined file structure. If the AFL
(PayPass) read from the card has a specific value, the reader assumes the file structure and
knows where to find specific data objects.
If the AFL (PayPass) has the value '08010100100101011801020020010200' then the data
objects must be included in the specified records shown in Table 6.13.
If the data objects are not organized as shown in Table 6.13, then
 the data objects must be organized such that the first four bytes of the AFL (PayPass)
are different from '08010100'.
 it is recommended not to sign the last record referenced by the AFL (PayPass), as some
reader implementations cannot process this correctly.
If dummy records are included in order to respect the predefined AFL value, then the
dummy records should contain:


CDOL1 '8C'
CDOL2 '8D'
CVM List '8E'
SDA Tag List '9F4A'
(See note below)
 Note As SDA is not supported a suitable dummy record must be included in

Record 2, SFI 3.


Mag-stripe mode transactions are not supported for Maestro contactless. A value of 'FFFF'
for the Application Version Number must be included in Record 1 of SFI 1 if the
predefined file structure is used. The Track 2 Data (tag ('9F6B') must not be included.
Table 6.14— Persistent Data Objects for Card Risk Management

Lower Consecutive Offline Limit '9F14' Determined by issuer.
Lower Cumulative Offline Transaction 'CA' Determined by issuer.
Amount
Amount
Application Control (PayPass) 'D7' See Table 6.15
Card Issuer Action Code (PayPass) – 'CF' Profile dependent. See Section 6.3.
Decline
Card Issuer Action Code (PayPass) – 'CD' Profile dependent. See Section 6.3.
Default
Card Issuer Action Code (PayPass) – 'CE' Profile dependent. See Section 6.3.
Online
CDOL1 Related Data Length 'C7' '2B'
CRM Country Code 'C8' Same value as Issuer Country Code.
CRM Currency Code 'C9' Same value as Application Currency Code.
Currency Conversion Table 'D1' Determined by issuer (See note a below)
Additional Check Table 'D3' Determined by issuer (See note b below)
 Note a If currency conversion is not used, it is recommended that the currency code in
CRM Currency Code.
 Note b The Additional Check Table is shared with the contact interface.
Table 6.15—Application Control (PayPass)

7 Skip CIAC – Default on CAT3 0


6 RFU 0
2 Session key derivation 0/1 (See note a below)
1 Encrypt offline counters 0/1
2 8-4 RFU 00000
1 Include counters in AC 0/1
3 8 Static CVC3 1 (See note b below)
6-1 RFU 000000
 Note a The definition of bit 2 of byte 1 depends on the version of the PayPass –
M/Chip 4 application (v1.0, v1.1a, or v1.1b). Refer to Table 6.16 for more
information.
 Note b For security reasons, it is recommended to set bit 8 of byte 3 to 1.
 Note c The recommended value for the Application Control (PayPass) is '000080'.
Table 6.16—Session Key Derivation Algorithm

Version Application Control(PayPass)[1][2] = 0 Application Control(PayPass)[1][2] = 1
v1.0 MasterCard Proprietary EMV2000
v1.1a MasterCard Proprietary Value not allowed
v1.1b MasterCard Proprietary EMV CSK
6.2.8 Secret Keys

Table 6.17—Triple DES keys

ICC Dynamic Number Master Key – Determined by issuer
(MKIDN)


SM for Integrity Master Key (MKSMI) – Determined by issuer
SM for Confidentiality Master Key – Determined by issuer
(MKSMC)
ICC Derived Key for CVC3 Generation – Not used. Random non-zero value
(KDCVC3) recommended.
Table 6.18—RSA keys

Length of ICC Public Key Modulus – Determined by issuer
ICC Private Key – Determined by issuer
Length of ICC PIN Encipherment Public – Determined by issuer (see note below)
Key Modulus
ICC PIN Encipherment Private Key – Determined by issuer (see note below)
 Note Not used by contactless interface.
6.2.9 Miscellaneous

Application Life Cycle Data '9F7E' Depending on the possible separation of the
loading of the application code and the
personalization data, only part of the
Application Life Cycle Data may be
personalized.
Log Format '9F4F' Content of records in Log of Transactions.
IVCVC3TRACK1 'DC' '0000'
IVCVC3TRACK2 'DD' '0000'


CFDC_Limit for Integrity Session Key – 3
CFDC_Limit for Confidentiality Session – 3
Key
CFDC_Limit for AC Session Key – 3
set.
Table 6.21—Counters and Previous Transaction (M/Chip 4 Version 1.1.a)

set.
Table 6.22—Counters and Previous Transaction (M/Chip 4 Version 1.1.b)

AC Session Key Counter Limit – '0400'


SMI Session Key Counter Limit – '0400'
manage new card behavior. Transactions may be forced online or declined
(pending the completion of a contact transaction). The appropriate value for
CIAC 'Go Online On Next Transaction Was Set' (Byte 2, bit 4) must be set.
(x=1...10 or more)
CFDC for Confidentiality Session Key – 0
(x=1...10 or more)


(x=1...10 or more)


Table 6.26 shows the Card Issuer Action Codes (PayPass) for the offline-oriented card
behavior. With this profile, the PayPass – M/Chip 4 application will never return an
ARQC in response to a GENERATE AC command requesting a TC over the contactless
interface.
Once the relevant upper limit (Upper Consecutive Offline Limit or Upper Cumulative
Offline Limit) is exceeded all contactless transactions are declined offline.
Table 6.26—Card Issuer Action Codes (PayPass) (Offline Profile)

1 8 RFU 0 0 0
(See note )
(See note)
3 8-3 RFU 000000 000000 000000


Table 6.27 shows the Card Issuer Action Codes (PayPass) for standard card behavior.
When an upper limit is exceeded, contactless transactions are sent online on online-capable
terminals and declined offline on offline-only terminals.
Table 6.27—Card Issuer Action Codes (PayPass) (Standard Profile)

1 8 RFU 0 0 0
2 8 Lower Consecutive Offline Limit Exceeded 0 0/1 0
6 Lower Cumulative Offline Limit Exceeded 0 0/1 0
3 8-3 RFU 000000 000000 000000

6.3.3 Online Preferring Profile

Table 6.28 lists the values of the Card Issuer Action Codes (PayPass) for online-oriented
behavior. They are used when the issuer chooses to send all contactless transactions online
on online-capable terminals. On offline-only terminals, transactions will be accepted until
an upper limit is exceeded.
Table 6.28—Card Issuer Action Codes (PayPass) (Online Profile)

1 8 RFU 0 0 0
(See note below)
(See note below)
3 8-3 RFU 000000 000000 000000
(0,1,0) results in online contactless transactions on online-capable terminals.
With this setting, the PayPass – M/Chip 4 application will always generate an
ARQC during a contactless transaction on an online-capable terminal.


terminals.

1 8 RFU 0 0 0
3 8-3 RFU 000000 000000 000000

MasterCard PayPass – M/Chip 4 Mag-stripe Only Personalization Data
7 MasterCard PayPass – M/Chip 4 Mag-

stripe Only Personalization Data
This chapter includes the personalization values for an M/Chip 4 card personalized to
support only mag-stripe mode transactions for the MasterCard brand. EMV mode is not
supported.
7.1 Data Objects for Application Selection

are shared between the contactless and contact interface and need to be personalized only
once with a value common for both interfaces.
Table 7.1—Persistent Data Objects for Application Selection

AID '4F' 'A0000000041010' M
(See note a below)
DF Name '84' 'A0000000041010' M
Application Label '50' "MasterCard" or M
"MASTERCARD" or
"DEBIT MASTERCARD"
(See note b below)
the SFI of the transaction
log file (11)
Byte 2: Maximum number
of records in the transaction
log file
(See note c below)
(See note d below)

Data Objects Referenced in the AFL

zeroes.
In US and Canada rRegions, inclusion of the Third Party Data, with Device Type,
is mandatory.
7.2 Data Objects Referenced in the AFL

The mag-stripe mode data objects must always be included in Record 1 of SFI 1. No other
records that are read through the contactless interface may be included in SFI 1. The AFL
(PayPass) must always be equal to '08010100'.
Table 7.2—Persistent Data Objects in Record 1, SFI 1

(See notes d, e, f and h
below)

Data Objects Referenced in the AFL
Data.
equal to 3.
store nUN.
 Note g If the issuer intends to make use of the on-behalf service for Dynamic CVC3
recommended.
Sequence Number is used for the derivation of KD CVC3, then the length of the

Get Processing Options
7.3 Get Processing Options

Table 7.3—Get Processing Option Response

AFL (PayPass) 'D9' '08010100'
AIP (PayPass) 'D8' '0000'
7.4 Card Risk Management

Card risk management data objects are mostly shared between the contact and contactless
interface. The data objects listed below have specific values for the contactless interface.
Table 7.4—Card Risk Management

Application Control (PayPass) 'D7' '000040'
Card Issuer Action Code (PayPass) – 'CF' Not required in mag-stripe mode.
Decline Set to 'FFFFFF' if implementation requires
to be personalized.
Card Issuer Action Code (PayPass) – 'CD' Not required in mag-stripe mode.
Default Set to '000000' if implementation requires
to be personalized.
Card Issuer Action Code (PayPass) – Online 'CE' Not required in mag-stripe mode.
Set to '000000' if implementation requires
to be personalized.
7.5 Data Objects for CVC3 Generation

Table 7.5—Persistent Data Objects for CVC3 Generation

Secret Key
Validation, then for IVCVC3 generation the method recommended above must
be used, and the placeholders for the dynamic data in the discretionary data of
Track 1 Data and Track 2 Data (i.e. at the positions where the reader stores the
ATC, UN, CVC3 and nUN) must be filled with zeroes (hexadecimal zeroes ('0') for
Track 2 Data and ASCII zeroes ('30') for Track 1 Data).
7.6 Secret Key

Table 7.6—KDCVC3
(KDCVC3)
7.7 Miscellaneous
Application Life Cycle Data '9F7E' Depending on the possible separation between
the loading of the application code and the
personalization data on the hardware, only part
of the Application Life Cycle Data may be
personalized.
Log Format '9F4F' The content of records in the Log of
Transactions

Miscellaneous

Previous Transaction History – Set as appropriate for contact interface
Bad Cryptogram Counter Limit – Set as appropriate for contact interface
MAC in Script Counter Limit – Set as appropriate for contact interface
Global MAC in Script Counter Limit – Set as appropriate for contact interface
CFDC_Limit for Integrity Session Key – Set as appropriate for contact interface
CFDC_Limit for Confidentiality Session – Set as appropriate for contact interface
Key
CFDC_Limit for AC Session Key – Set as appropriate for contact interface
Table 7.9—Counter Limits and Previous Transaction (M/Chip 4 Version 1.1.a)

MAC in Script Counter Limit – Set as appropriate for contact interface
Global MAC in Script Counter Limit – Set as appropriate for contact interface
Table 7.10—Counter Limits and Previous Transaction (M/Chip 4 Version

1.1.b)
AC Session Key Counter Limit – Set as appropriate for contact interface
SMI Session Key Counter Limit – Set as appropriate for contact interface


Miscellaneous

Consecutive Offline Transactions – '00'
Number
(x=1...10 or more)
CFDC for Confidentiality – 0
Session Key
(x=1...10 or more)
(x=1...10 or more)

Miscellaneous

End of Document


Technical - Specifications-PayPass - PDS v1.9 (June 2014)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Technical - Specifications-PayPass - PDS v1.9 (June 2014)

Uploaded by

Copyright:

Available Formats

PayPass Personalization

Version 1.9 – June 2014 © 2014 MasterCard

1 Proximity Payment System Environment (PPSE) ..............................1

3 MasterCard PayPass – M/Chip Flex Personalization Data ................7

© 2014 MasterCard Version 1.9 – June 2014

4 Maestro PayPass – M/Chip Flex Personalization Data ................... 25

5 MasterCard PayPass – M/Chip 4 Personalization Data .................. 41

6 Maestro PayPass – M/Chip 4 Personalization Data ........................ 63

Version 1.9 – June 2014 © 2014 MasterCard

6.2 Generic Contactless Data ...................................................................................65

7 MasterCard PayPass – M/Chip 4 Mag Stripe Only Personalization

© 2014 MasterCard Version 1.9 – June 2014

Using this Manual

© 2014 MasterCard Version 1.9 – June 2014

Version 1.9 – June 2014 © 2014 MasterCard

© 2014 MasterCard Version 1.9 – June 2014

NATCTRACK2 Track 2 Number of ATC Digits

PCVC3TRACK2 Track 2 Bit Map for CVC3

PUNATCTRACK2 Track 2 Bit Map for UN and ATC

Version 1.9 – June 2014 © 2014 MasterCard

© 2014 MasterCard Version 1.9 – June 2014

Version 1.9 – June 2014 © 2014 MasterCard

© 2014 MasterCard Version 1.9 – June 2014

Version 1.9 – June 2014 © 2014 MasterCard

1 Proximity Payment System

Table 1.1—Content of File Control Information Template in PPSE

Tag Data Element Name Presence

Table 1.2—Format of FCI Issuer Discretionary Data

'BF0C' Length '61' Length of Directory … '61' Length of Directory

Table 1.3—Directory Entry Format

© 2014 MasterCard Version 1.9 – June 2014

 Note a See individual chapters for full details of AID values.

 Note d The Kernel Identifier must have the value '02'.

Table 1.4— Application Priority Indicator

Version 1.9 – June 2014 © 2014 MasterCard

2 MasterCard PayPass – Mag Stripe

2.1 Data Objects for Application Selection

Data Object Name Tag Value

© 2014 MasterCard Version 1.9 – June 2014

2.2 Data Objects Referenced in the AFL (DGI '0101')

Data Object Name Tag Value Presence

Version 1.9 – June 2014 © 2014 MasterCard

© 2014 MasterCard Version 1.9 – June 2014

2.3 Data Objects for CVC3 Generation (DGI 'A001')

Data Object Tag Value

2.4 Secret Key (DGI 'A002')

Version 1.9 – June 2014 © 2014 MasterCard

3 MasterCard PayPass – M/Chip Flex

3.1 Contact Data

3.2 Generic Contactless Data

3.2.1 Data Objects for Application Selection

Table 3.1—Application Selection

Data Object Name Tag Value Presence

 Note a It is recommended not to use PIX extensions, as some legacy contactless

© 2014 MasterCard Version 1.9 – June 2014

3.2.2 Transaction Processing

Table 3.2—Data Objects used in Transaction Processing

Data Object Tag Value Presence

Version 1.9 – June 2014 © 2014 MasterCard

Table 3.3—Data Objects that Must Not Be Included

3.2.2.1 Application Usage Control

Table 3.4—Application Usage Control

Byte Bit Meaning Value