PERSONALIZATION DATA SPECIFICATIONS

FOR DEBIT AND CREDIT ON CHIP

© MasterCard International Incorporated August 1998

Notice:

The information contained in this manual is proprietary and confidential to MasterCard International Incorporated and its members. This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard International Incorporated.

Trademarks:

All products, names, and services are trademarks or registered trademarks of their respective companies.

Personalization Data Specification August 1998

© 1998 MasterCard International Incorporated

Table of Contents

ABBREVIATIONS AND NOTATIONS Abbreviations ............................................................................. iv Notations ..................................................................................... v SECTION 1 OBJECTIVE AND SCOPE 1.1 Purpose .............................................................................. 1-1 1.2 Objective and Scope .......................................................... 1-2 SECTION 2 REFERENCES 2.1 Related Information ........................................................... 2-1 SECTION 3 PERSONALIZATION DATA ELEMENTS 3.1 Organization ...................................................................... 3-1 3.2 Conventions ....................................................................... 3-1 3.3 Cardholder and Card Specific Data .................................... 3-3 3.3.1 Application Default Action........................................ 3-3 3.3.2 Application Effective Date ........................................ 3-4 3.3.3 Application Expiration Date ...................................... 3-4 3.3.4 Application Primary Account Number (PAN) ........... 3-5 3.3.5 Application PAN Sequence Number.......................... 3-5 3.3.6 Cardholder Name ...................................................... 3-5 3.3.7 Cardholder Name Extended ....................................... 3-6 3.3.8 Data Authentication Code ......................................... 3-6 3.3.9 Language Preference ................................................. 3-7 3.3.10 Reference PIN ......................................................... 3-7 3.3.11 SDA Tags for Signing ............................................. 3-8 3.3.12 Track 2 Discretionary Data ...................................... 3-8 3.3.13 Track 2 Equivalent Data .......................................... 3-9 3.4 MCPA— Application Data ............................................... 3-10 3.4.1 Application Currency Code ..................................... 3-10 3.4.2 Application Currency Exponent .............................. 3-10 3.4.3 Application File Locator (AFL) ............................... 3-11 3.4.4 Application Identifier (AID) .................................... 3-12 3.4.5 Application Interchange Profile ............................... 3-13 3.4.6 Application Label .................................................... 3-14
Personalization Data Specifications August 1998 i

........................... 3......9...6..................................................6............................. 3................ 3................1 Certification Authority Public Key Index ................................................8.....................1 Cardholder Verification Method (CVM) List...................................9 Application Reference Currency ..............................6...4................4 Issuer Public Key Certificate ...................................5 Issuer Action Code–Online...............6 Issuer Public Key Remainder ....................................... 3................1 Dynamic Data Authentication Data Object List (DDOL) .......... 3............... 3............................ 3.........5 CVM/PIN Data ..................5......................2 Hash Algorithm Indicator .2 PIN Try Limit .............2 Card Risk Management Data Object List 2 (CDOL2) ............. 3.......................................9....3 Issuer Action Code–Default.............. 3.....................................5...................................... 3....3 ICC Dynamic Data Length ... 3..................4...................................2 Derivation Key Index ......... 3.........8... 3......................... 3...................4.........6............ 3. 3..........7 Application Preferred Name ....12 Application Version Number .........1 Card Risk Management Data Object List 1 (CDOL1) .......6......10 Upper Cumulative Domestic Offline Transaction Amount .....14 Processing Options Data Object List (PDOL) .............. 3...............8 DDA-Related Data..............8......... 3............................................................ 3. 3.9.....6........... 3..........6..............4.....6 Card Risk Management Data ....10 Application Reference Currency Exponent .............. 3..............................15 Service Code ........ 3..6..........................................................................9 Additional Cryptographic Data (from Issuer) ...... 3.......11 Application Usage Control ..........................9......................... 3. 3...........4.....................Table of Contents 3.9.4... 3.......6.........7 SDA-Related Data ......................5 Issuer Public Key Exponent.............4..............9.... 3.......13 Issuer Country Code ......7 Lower Cumulative Domestic Offline Transaction Amount ..........9 Upper Consecutive Offline Limit......................6................. 3.........3 Issuer Private Key ..................7........4.............4.... 3........8 Application Priority Indicator ......................... 3..... 3.......4 Issuer Action Code–Denial . 3.....................8 Maximum Domestic Offline Transaction Amount ..... 3...............6 Lower Consecutive Offline Limit .......................................... Personalization Data Specification August 1998 ii 3-15 3-15 3-16 3-16 3-17 3-18 3-18 3-19 3-19 3-20 3-20 3-21 3-22 3-22 3-23 3-25 3-25 3-26 3-26 3-27 3-27 3-28 3-28 3-29 3-29 3-30 3-30 3-30 3-31 3-32 3-32 3-32 3-33 3-33 3-34 3-34 © 1998 MasterCard International Incorporated ...........................1 Cryptogram Version Number ................. 3.......

...........3 ICC Asymmetric Secret Key Data ...10.............................. 3............................................Table of Contents 3............ Glossary-1 Personalization Data Specifications August 1998 iii ........................9...................9...9 Issuer Master Key for ICC PIN DEA Keys .8 PIN DEA Key ....10......................9..................1 Overview ................... 3..................... Glossary-1 Terms ....2 Cryptogram DEA Key .........10.....10... 3..... 3.....................1 Application Transaction Counter (ATC) .......10....................................4 ICC Public Key Certificate ...................10...............7 Issuer Master Key for ICC Cryptogram DEA Keys.......................... 5-1 GLOSSARY Overview .1 Overview ......... 3..........10......6 ICC Public Key Remainder ............................... 3..........................................10 Various Indicators/Counters .................... 3.10...10.............................9 Signed Static Application Data .. 3.......................................................7 Message Authentication Code (MAC) DEA Key ...... SECTION 4 EXAMPLE OF DATA STRUCTURE 3-34 3-35 3-35 3-36 3-36 3-37 3-37 3-38 3-38 3-38 3-39 3-39 3-40 3-40 4...................................................................................... 3.............................................. 4-1 SECTION 5 PRIVATE CLASS TAGS 5......................... 3.........5 ICC Public Key Exponent ........................8 Issuer Master Key for ICC MAC DEA Keys .... 3. 3..... 3...............10....10 Cryptographic/Internal Data ............................

refer to the Glossary at the back of this document. MasterCard. a AAC AAR AC ADF AFL AID AIP an ans ARPC ARQC ATM b cn CAM CAT CDOL CVC CVM CVR DDA DDOL DEA DES EMV ICC IEC ISO LCOL LRC M MAC MCC MCPA™ n NCA Alphabetic character(s) Application Authentication Cryptogram Application Authorization Referral Application Cryptogram Application Definition File Application File Locator Application Identifier Application Interchange Profile Alphanumeric character(s) Alphanumeric and special character(s) Authorization Response Cryptogram Authorization Request Cryptogram Automated Teller Machine Binary character(s) Compressed numeric character(s) Card Authentication Method Cardholder Activated Terminal Card Risk Management Data Object List Card Validation Code Cardholder Verification Method Card Verification Results Dynamic Data Authentication Dynamic Data Authentication Data Object List Data Encryption Algorithm (= DES) Data Encryption Standard (= DEA) Europay. digits Length of the Certification Authority Public Key modulus © 1998 MasterCard International Incorporated Personalization Data Specification August 1998 iv .Abbreviations and Notations ABBREVIATIONS USED IN THIS MANUAL This manual uses the following abbreviations and notations. and Visa Integrated Circuit Card International Electrotechnical Commission International Organization for Standardization Lower Consecutive Offline Limit Longitudinal Redundancy Check Mandatory Message Authentication Code Merchant Category Code MasterCard Chip Payment Application Numeric character(s). For definitions of these terms.

00’ Personalization Data Specifications August 1998 v . For example. a binary field that is one byte in length and has a value of zero would be represented as ‘ . Length of the Issuer Public Key modulus Length of the ICC Public Key modulus Optional Primary Account Number Personal Identification Number Point of Interaction Payment System Environment Recommended Registered Identifier Reserved for Future Use Static Data Authentication Short File Identifier Secure Hash Algorithm-1 Transaction Certificate Tag Length Value Upper Consecutive Offline Limit Variable NOTATIONS Values surrounded by single quotes are hexadecimal values.Abbreviations and Notations NI NIC O PAN PIN POI PSE R RID RFU SDA SFI SHA-1 TC TLV UCOL var.

.

1 PURPOSE This document is intended for issuers implementing the MasterCard Chip Payment Application (MCPA™ ). The purpose of this document is to specify the data elements that need to be input to the first stage of the personalization process— the creation of an Application Load File (ALF). to help guide issuers in their selection. MCPA is based on the Europay. which allows chip-based credit and debit cards issued under any of the three brands to be accepted by the same chip card terminals worldwide. and Visa (EMV) specifications. Some will be used to generate card data. and Maestro® and Cirrus® debit transactions.Objective and Scope 1. The MCPA enables card issuers to support MasterCard credit and debit transactions. The primary audience for this document is: • MasterCard issuers intending to issue MCPA cards. • Developers of MCPA Application Load File (ALF) generation systems. as magnetic-stripe cards are accepted on the same terminals.1 Purpose 1. Personalization Data Specifications August 1998 1-1 . The document addresses generic data requirements which are independent of any particular card supplier or card operating system. • Personalization bureaus intending to provide facilities for MCPA applications. MasterCard recommendations have been made wherever possible. • Owners and developers of card operating systems. + Not all of these data elements will be input to the card. Issuers do not have to follow these recommendations if there are particular overriding reasons for alternatives. MasterCard.

Objective and Scope 1. 30 June 96 1996. However. Issuer Master DEA Keys.2 Objective and Scope 1.2 OBJECTIVE AND SCOPE Issuers use data elements described in this document as input into an MCPA Application Load File (ALF) generation system. This system formats the data and generates the necessary cryptographic keys and other internal data required by a particular card operating system. The output of an ALF generation system is a file of MCPA application load data that can be handed to a personalization bureau to load these applications into a batch of cards. The output ALF file and record formats also will vary according to the requirements of the card operating system. Issuer Private Key. they should all accept the data elements as described in this document. Other data elements are defined in the EMV ’ ICC Specifications for Payment Systems. This document identifies data elements that are proprietary to MasterCard International. and Reference PIN) between the issuer and the bureau must be addressed separately. The security procedures for the transmission of data elements are outside the scope of this document. Further data elements may be required to satisfy the requirements of particular card operating systems. In the latter case the transfer of sensitive data (such as. The specific input record formats required by different ALF generations systems will vary. this document includes a list of data elements which are created by the ALF generation system. The ALF generation system may be located at the issuer or at a (secure) third-party bureau. Personalization Data Specification August 1998 1-2 © 1998 MasterCard International Incorporated . In addition to the data elements that must be supplied by the issuer.

iso.0. The MasterCard Chip Card Help Desk also provides issuers with technical support. EMV96ICC MCIMCR EMV ’ ICC Specifications for Payment Systems.References 2. 24 October 1997— Published by MasterCard International Codes for the representation of names and languages Codes for the representation of names of countries Codes for the representation of currencies and funds Identification cards— Financial transaction cards Identification cards— Integrated circuit(s) cards with contacts— Part 5: Numbering system and registration procedure for application identifiers ISO 639:1988 ISO 3166:1993 ISO 4217:1990 ISO/IEC 7813:1990 ISO/IEC 7816-5:1994 Contact the ISO Web site at www. Version 1.1 RELATED INFORMATION The following documents and resources provide information related to the subjects discussed in this manual. Personalization Data Specifications August 1998 2-1 . Contact the Card Help Desk via e-mail at chip_help@mastercard.ch for more information.1 Related Information 2.com. 31 May 1998 96 Minimum Card Requirements for Debit and Credit on Chip.

.

1 Organization 3. For definition of the format codes see the “Glossary” section at the end of this manual. F’ Personalization Data Specifications August 1998 3-1 . (R) = Recommended. 0’ 9’ A’ F’ Tag: Length: Value: When the length defined for the data object (Length above) is greater than the length of the actual data (Format above). the following rules apply: • A data element in format “n” is right justified and padded with leading hexadecimal zeros. 3.2 CONVENTIONS The following conventions are used: Name: Format: (M) = Mandatory. see the “Abbreviation and Notation” section at the beginning of this manual.Personalization Data Elements 3. • A data element in format “cn” is left justified and padded with trailing ‘ characters.1 ORGANIZATION The data elements are organized into the following functional groups to facilitate understanding and management: • • • • • • • • * Cardholder/Card-specific Data MCPA— Application Data Cardholder Verification Method/Personal Identification Number (CVM/PIN) Data Card Risk Management Data Static Data Authentication (SDA)-related Data DDA-related Data* Cryptographic/internal Data (issuer supplied) Cryptographic/internal Data (created by Application Load File (ALF) system) Not required if issuer chooses to implement Static Data Authentication. Tag from EMV96ICC Expressed in bytes The values of bytes are shown as four-bit nibbles (hexadecimal characters) within the range ‘ –‘ and ‘ –‘ . (O) = Optional For the format codes.

Personalization Data Elements 3. See EMV96ICC. it is right-justified and padded with leading hexadecimal zeros. Personalization Data Specification August 1998 3-2 © 1998 MasterCard International Incorporated . • When a nibble (four bits) is stored in a byte. Annex B for more information.2 Conventions • A data element in format “an” is left-justified and padded with trailing hexadecimal zeros. • A data element in format “ans” is left-justified and padded with trailing hexadecimal zeros.

Personalization Data Elements 3.3. Issuers may decide to make other data elements card-specific: Application Default Action Application Effective Date Application Expiration Date Application PAN Application PAN Sequence Number Cardholder Name Cardholder Name Extended Data Authentication Code Language preference Reference PIN Static Data Authentication (SDA) Tag for Signing Track 2 Discretionary Data Track 2 Equivalent Data 3.3 Cardholder and Card Specific Data 3.) 2 Byte 1: bit 8: bit 7: bit 6: ‘ 1’= If issuer authentication fails. The following personalization data elements are included in section 3.1 Application Default Action (R) Format Tag Length Value b ‘ DF00’(See table in section 5. transmit next transaction online ‘ 1’= If issuer authentication fails. In the personalization process.3. decline transaction (recommended) ‘ 1’= If issuer authentication is mandatory and no Authorization Response Cryptogram (ARPC) received. transmit transaction online ‘ 1’= If new card.3 CARDHOLDER AND CARD SPECIFIC DATA This section contains data elements that are intended to be specific to a particular card. decline transaction (recommended) ‘ 0’= RFU ‘ 0’= RFU ‘ 0’= RFU ‘ 0’= If new card. This is a default list. it may be possible to load these data elements in a final customization stage. decline if unable to transmit transaction online bit 5: bit 4: bit 3: bit 2: bit 1: Personalization Data Specifications August 1998 3-3 .

3.1. 3.3 Application Expiration Date (M) Format Tag Length Value Description n 6 (YYMMDD) ‘ 5F24’ 3 Cardholder data— input by issuer Date after which the card application expires.3 Cardholder and Card Specific Data Byte 2: = Non-Domestic Control Factor (see the ICC Application Specification manual. the date must be the same as the expiration date in other media on the card— embossing and magnetic stripe. This is the power of two by which the LCOL and UCOL are reduced for non-domestic transactions.1).5) and the UCOL would be 5.3.2 Application Effective Date (O) Format Tag Length Value Description n 6 (YYMMDD) ‘ 5F25’ 3 Cardholder data— input by issuer Date from which the card application may be used. If this is the Primary Application. 3. If this is the Primary Application. and the resulting non-domestic LCOL would be 2 (truncated from 2. © 1998 MasterCard International Incorporated Personalization Data Specification August 1998 3-4 . Description Data element indicating action for the card to take for certain exception conditions. the date must be the same as the effective date in other media on the card–embossing and magnetic stripe. paragraph 6.Personalization Data Elements 3. The date also is included in Track 2 Equivalent Data (YYMM). UCOL = 20 and Non Domestic Control = ’ 00000002’ the LCOL and UCOL would be divided by 4 (22) .4. Default value is zero— ‘ 00000000’ . Example: If LCOL = 10.

5 Application PAN Sequence Number (M*) Format Tag Length Value Description n2 ‘ 5F34’ 1 1–9 Identifies and differentiates cards and cardholders that have the same PAN. 3.Personalization Data Elements 3.6 Cardholder Name (M*) Format Tag Length Value ans 2–26 ‘ 5F20’ 2–26 Cardholder data— input by issuer Personalization Data Specifications August 1998 3-5 .— up to 19 ‘ 5A’ var.3.3 Cardholder and Card Specific Data 3.3.3.— up to 10 Cardholder data— input by issuer Valid cardholder account number. * This data element is mandatory when more than one cardholder has the same PAN. Also included in Track 2 Equivalent Data. 3.4 Application Primary Account Number (PAN) (M) Format Tag Length Value Description cn var.

according to ISO 7813 (magnetic stripe— Track 1).3.7 Cardholder Name Extended (O) Format Tag Length Value Description ans 27–45 ‘ 9F0B’ 27–45 Cardholder data— input by issuer Indicates whole cardholder name when greater than 26 characters. 3. * This data element is mandatory when the cardholder name appears on the magnetic stripe Track 1.8 Data Authentication Code (R*) Format Tag Length Value Description b ‘ 9F45’ 2 Issuer assigned value Issuer-assigned value recommended for inclusion in Signed Application Data used to indicate that static offline data authentication was performed.3 Cardholder and Card Specific Data Description Indicates cardholder name according to ISO 7813 (magnetic stripe— Track 1). it is only included with the Public Key Certificate. Must be consistent with the name in other media on the card.Personalization Data Elements 3. Personalization Data Specification August 1998 3-6 © 1998 MasterCard International Incorporated . * The DAC is not put on the card. 3.3. Must be consistent with the name in other media on the card.

3.10 Reference PIN (O/M*) Format Tag Length Value cn 4–12 ‘ DF01’(See table in section 5. encrypted in an 8-byte block + Description PIN stored in the card that is compared with the PIN.3. left-justified. Personalization Data Specifications August 1998 3-7 .3 Cardholder and Card Specific Data 3. The recommended format of the plaintext data block is: Length of PIN (4-12 digits) PIN Data 1 byte (cn) 7 bytes (cn. which uses a secure cryptographic device and secure loading procedures. * This data element is optional for MasterCard (credit) and Cirrus (ATM) cards.3.) 2–6 bytes Cardholder data— input by issuer. entered by the cardholder. ‘ filled) F’ The key used to encrypt the data block is required input to the ALF generation system. but mandatory for Maestro (debit) card.9 Language Preference (M) Format Tag Length Value Description an 2 ‘ 5F2D’ 2–8 Cardholder data— input by issuer One to four languages stored in order of preference. For example. English = “en”. Language codes are specified in ISO 639.Personalization Data Elements 3.

to produce the Signed Static Application Data (see 3. 3.3. The data is signed using the Issuer Private Key. The value of CVC must be 000. section 6). This means that the discretionary data will be different from that on the magnetic stripe.10. Personalization Data Specification August 1998 3-8 © 1998 MasterCard International Incorporated .3 Cardholder and Card Specific Data 3.— up to 17 (recommended) The following are the recommended tags: Application Effective Date Application Expiration Date Application Identifier Application Interchange Profile Application PAN Application PAN Sequence Number Application Usage Control Issuer Action Code-Default Issuer Action Code-Denial Issuer Action Code-Online ‘ 5F25’ ‘ 5F24’ ‘ 4F’ ‘ 82’ ‘ 9F07’ ‘ 5A’ ‘ 5F34’ ‘ 9F0D’ ‘ 9F0E’ ‘ 9F0F’ Description The tags indicate the data to be signed for Static Data Authentication (SDA)— see MCIMCR. table 6-2.11 SDA Tags for Signing (M) Format Tag Length Value b ‘ DF02’(See table in section 5) var.9).3.12 Track 2 Discretionary Data (O) Format Tag Length Value Description cn ‘ 9F20’ var. Cardholder data— input by issuer Discretionary Data from Track 2 of the magnetic stripe according to ISO/IEC 7813.Personalization Data Elements 3. SDA is the EMV offline card authentication method (CAM) using static data— Offline Static CAM (see MCIMCR.

Personalization Data Specifications August 1998 3-9 . This means that the discretionary data will be different from that on the magnetic stripe. end sentinel. a magnetic stripe security feature. and longitudinal redundancy check (LRC). and may actually compromise magnetic stripe security when included in electronic commerce transactions.— up to 37 ‘ 57’ var. 3. Description + CVC. Service Code. it is unlikely that this data element will be necessary. PVV shall be identical to the data encoded on track 2 of the magnetic stripe.3.Personalization Data Elements 3. The value of CVC must be 000. serves little purpose for chip-based transactions.IEC 7813. The PAN. excluding start sentinel.3 Cardholder and Card Specific Data + Format Tag Length Value Since Track 2 Equivalent Data is mandatory and this includes Track 2 Discretionary Data. Expiration Date.13 Track 2 Equivalent Data (M) cn var.— up to 19 Cardholder data— input by issuer Contains the data elements of track 2 of the magnetic stripe according to the ISO.

4. 3.4 MCPA— Application Data 3. according to ISO 4217.2 Application Currency Exponent (M*) Format Tag Length Value Description n1 ‘ 9F44’ 1 = 2 for decimal currencies Indicates the implied position of the decimal point according to ISO 4217. © 1998 MasterCard International Incorporated Personalization Data Specification August 1998 3-10 . * Mandatory if issuer uses the recommended card risk management functions for Maximum Domestic Offline Transaction Amount or Cumulative Amount Check. * Mandatory if issuer uses the card risk management functions for Maximum Domestic Offline Transaction Amount or Cumulative Amount Check.1 Application Currency Code (M*) Format Tag Length Value Description n3 ‘ 9F42’ 2 Cardholder data— input by issuer Indicates the currency in which the account is managed.4 MCPA— APPLICATION DATA This section contains the following personalization data elements: Application Currency Code Application Currency Exponent Application File Locator (AFL) Application Identifier (AID) Application Interchange Profile Application Label Application Preferred Name Application Priority Indicator Application Reference Currency Application Reference Currency Exponent Application Usage Control Application Version Number Issuer Country Code Processing Options Data Object List (PDOL) Service Code 3.4.Personalization Data Elements 3.

this byte value should be ‘ .3 Application File Locator (AFL) (M) Format Tag Length Value b ‘ 94’ 8 Byte 1: Bits 8–4: Bits 3–1: Byte 2: = SFI–Default value = ‘ 00001’ =‘ 000’ First record number to be read for that SFI (never equal to zero) Last record number to be read for that SFI (shall be greater than or equal to value in Byte 2) Number of consecutive records signed in Signed Application Data. and a typical record size. starting with record number in Byte 2.Personalization Data Elements 3. Byte 3: Byte 4: + Based on the recommended SDA tags for Signing (see 3.4 MCPA— Application Data 3. range of records) of the file area(s) related to a given application. or sequences of records within a file. Personalization Data Specifications August 1998 3-11 .3. 01’ Bytes 1–4 may be repeated for other files. Description Indicates the location (SFI.4.11).

4. The following values are currently valid: ‘ A0000000041010’= MasterCard (credit) card ‘ A0000000046000’= Cirrus card ‘ A0000000043060’= Maestro (debit) card.Personalization Data Elements 3. next two bytes (xxxx above) are the MasterCard applications identifier (PIX in ISO terms).4 MCPA— Application Data 3. Personalization Data Specification August 1998 3-12 © 1998 MasterCard International Incorporated . The first five bytes are the MasterCard Registered Identifier (RID) = ‘ A000000004’ The . ‘ A000000004xxxx’ Identifies the application as described in ISO 7816-5. + Value Description Allow for maximum length of 16 bytes.4 Application Identifier (AID) (M) Format Tag Length b ‘ 4F’ 7— in this version of the specification.

Personalization Data Elements 3. Personalization Data Specifications August 1998 3-13 . section 5. The 0’ 1’ recommended value is ‘ — supported.4 MCPA— Application Data 3. 1’ ‘ 0’= RFU ‘ 0’= RFU ‘ 00000000’ RFU — Description Indicates the capabilities of the card to support specific functions in the application.3): Byte 1: bit 8: bit 7: bit 6: bit 5: bit 4: bit 3: bit 2: bit 1: Byte 2: ‘ 0’= Initiate (not supported) ‘ 1’= Application authentication is supported (may be zero for ATM-only cards) ‘ 0’= RFU ‘ 1’= Cardholder verification is supported ‘ 1’= Terminal risk management is to be performed ‘ or ‘ = Issuer authentication is/is not supported.5 Application Interchange Profile (M) Format Tag Length Value b ‘ 82’ 2 The following values are mandatory (see MCIMCR.4.

4. Personalization Data Specification August 1998 3-14 © 1998 MasterCard International Incorporated . and resident in the terminal.Personalization Data Elements 3. The following labels are currently valid: PIX ‘ 1010’ ‘ 6000’ ‘ 3060’ Label* MasterCard Cirrus Debit * The labels can be expressed in upper and lower case letters.6 Application Label (M) Format Tag Length Value Description an ‘ 50’ Up to 16 See table below Description of the application specified by MasterCard.4 MCPA— Application Data 3.

Label* MasterCard Cirrus Debit * The labels can be expressed in upper and lower case letters.Personalization Data Elements 3. 3.7 Application Preferred Name (R) Format Tag Length Value Description ans ‘ 9F12’ Up to 16 See table below Description of the application specified by the issuer and located in the card. Personalization Data Specifications August 1998 3-15 . If present.4. — Description Indicates the priority of a given application or group of applications in a directory. + PIX ‘ 1010’ ‘ 6000’ ‘ 3060’ The issuer should use the same name as the Application Label wherever possible. this is the name to be displayed to the cardholder.4 MCPA— Application Data 3. Recommended value = ‘ 0001’ highest priority.8 Application Priority Indicator (R) Format Tag Length Value b ‘ 87’ 1 bit 8: bits 7–5: bits 4–1: ‘ 1’ = Application shall not be selected without cardholder confirmation (recommended) ‘ 000’ = RFU ‘ 0001’ = Priority of the application.4.

4.Personalization Data Elements 3.4. Personalization Data Specification August 1998 3-16 © 1998 MasterCard International Incorporated . + Reference currencies may not be supported in terminals. up to 4 currencies ‘ 9F3B’ 2–8 Issuer assigns value One to four currencies used between terminal and card when Transaction Currency Code differs from Application Currency Code. MasterCard does not recommend reliance on reference currencies for card decision making. up to 4 currencies ‘ 9F43’ 1–4 Issuer assigns value Indicates position of decimal point for 1–4 Application Reference Currencies (see 3. 3.10 Application Reference Currency Exponent (O*) Format Tag Length Value Description n per currency. * Mandatory if the issuer uses the Application Reference Currency (Tag ‘ 9F3B’ ).9).9 Application Reference Currency (O) Format Tag Length Value Description 3n per currency.4 MCPA— Application Data 3.4.

Personalization Data Specifications August 1998 3-17 .4 MCPA— Application Data 3.11 Application Usage Control (M) Format Tag Length Value Byte 1 Bit 8 7 6 5 4 3 2 1 2 8 7 6 5 4 3 2 1 b ‘ 9F07’ 2 See table below Meaning Domestic cash transaction International cash transaction Domestic goods International goods Domestic services International services ATM’ s Terminals other than ATM’ s Domestic cashback allowed International cashback allowed RFU RFU RFU RFU RFU RFU MasterCard 1 1* 1 1* 1 1* 1 1 0 0 0 0 0 0 0 0 Maestro 0 or 1 1* 0 or 1 1* 0 or 1 1* 0 or 1 1 0 0 0 0 0 0 0 0 Cirrus 0 or 1 1* 0 or 1 0 0 or 1 0 1 0 0 0 0 0 0 0 0 0 * May be 0 for domestic use only cards. Description Indicates issuer-specified restrictions on the geographic usage and services allowed for the card application.Personalization Data Elements 3.4.

The value ‘ 0001’ is valid for 1998.4.12 Application Version Number (M) Format Tag Length Value Description b ‘ 9F08’ 2 ‘ 0001’ Version number assigned by MasterCard for the application. issuers should contact the Chip Card Help Desk. 3. Beginning in 1999.13 Issuer Country Code (M) Format Tag Length Value Description n3 ‘ 5F28’ 2 Issuer assigns value Indicates the country of the issuer.4 MCPA— Application Data 3.Personalization Data Elements 3. represented according to ISO 3166.4. Personalization Data Specification August 1998 3-18 © 1998 MasterCard International Incorporated .

(tag and length) needed by the Integrated Circuit Card (ICC) in processing the GET PROCESSING OPTIONS command.Personalization Data Elements 3.— example below is 14 bytes The following list of values (tags and lengths) are an example (see MCIMCR.4. Personalization Data Specifications August 1998 3-19 . Also included in Track 2 Equivalent Data. 3.15 Service Code (M) Format Tag Length Value Description n3 ‘ 5F30’ 2 Cardholder data— input by issuer Service code as defined on Track 2 of the magnetic stripe according to ISO/IEC 7813.14 Processing Options Data Object List (PDOL) (O) Format Tag Length Value an ‘ 9F38’ var. 1 EMV96ICC uses codes for this value from ISO 8583:1993.4 MCPA— Application Data 3.4. Table 5-1): ‘ 9F3501’ ‘ 9F3303’ ‘ 9F1502’ ‘ 9C01’ ‘ 9F1A02’ Terminal Type Terminal Capabilities Merchant Category Code1 (MCC) Transaction Type Terminal Country Code Description List of terminal resident data objects.

Cardholder Verification Rules for MasterCard® Cards: CVM Offline PIN Signature Online PIN No CVM M/O O M M M Byte 9 ‘ 41’ ‘ 5E’ ‘ 42’ ‘ 1F’ Byte 10 ‘ 03’ ‘ 03’ ‘ 03’ ‘ 03’ Terminal Type ATM.— up to 32 (recommended) Bytes 1–4: Bytes 5–8: Bytes 9–10: =‘ 00000000’ Amount “X” (unsupported) — =‘ 00000000’ Amount “X” (unsupported) — Card Verification Rules (see table below) Byte 9 = CVM Code Byte 10 = CVM Condition Code MasterCard strongly recommends that issuers use the following values.5.5 CVM/PIN DATA This section contains the following personalization data elements: Cardholder Verification Method (CVM) List PIN Try Limit 3. CAT1 CAT2.1 Cardholder Verification Method (CVM) List (M) Format Tag Length Value b ‘ 8E’ var. CAT1 Attended POI ATM. CAT3 Personalization Data Specification August 1998 3-20 © 1998 MasterCard International Incorporated .5 CVM/PIN Data 3.Personalization Data Elements 3. Attended POI.

) 1 ‘ — recommended value by MasterCard.5 CVM/PIN Data Cardholder Verification Rules for Maestro® Cards: CVM Offline PIN* Online PIN Signature M/O M M O Byte 9 ‘ 41’ ‘ 02’ ‘ 30’ Byte 10 ‘ 03’ ‘ 03’ ‘ 03’ Terminal Type ATM.2 PIN Try Limit (M*) Format Tag Length Value Description b ‘ DF03’(See table in section 5. Attended POI. Bank Terminal Description Identifies a prioritized list of cardholder verification methods supported by the card application.Personalization Data Elements 3. Bank Terminal Attended POI * Waiver for terminals in parts of Europe. CAT1. Personalization Data Specifications August 1998 3-21 . The value of the PIN try limit also will be used for the initial setting of the PIN Try Counter field (Tag: ‘ 9517’ ). * Mandatory if the issuer supports offline PIN. 03’ Allowed consecutive wrong PINs.5. Cardholder Verification Rules for Cirrus® Cards: CVM Offline PIN Online PIN M/O O M Byte 9 ‘ 41’ ‘ 02’ Byte 10 ‘ 03’ ‘ 00’ Terminal Type ATM. 3.

Issuer Application Data): Personalization Data Specification August 1998 3-22 © 1998 MasterCard International Incorporated .Personalization Data Elements 3.1 Card Risk Management Data Object List 1 (CDOL1) (M*) Format Tag Length Value an ‘ 8C’ 38 bytes MasterCard recommends the following data elements (tags and lengths). Cryptogram Information Data. minus the data elements output by the GENERATE AC command (Application Cryptogram. ATC.6.6 CARD RISK MANAGEMENT DATA This section contains the following personalization data elements: Card Risk Management Data Object List 1 (CDOL1) Card Risk Management Data Object List 2 (CDOL2) Issuer Action Code–Default Issuer Action Code–Denial Issuer Action Code–Online Lower Conservative Office Limit Lower Cumulative Domestic Offline Transaction Amount** Maximum Domestic Offline Transaction Amount** Upper Consecutive Offline Limit (UCOL) Upper Cumulative Domestic Offline Transaction Amount ** MasterCard Proprietary Data Element 3.6 Card Risk Management Data 3. MasterCard derived this list from the list of ICC data elements which the acquirer must return to the issuer.

2 1 1 1 3 3 + 1: 2: Data element listed as mandatory in both authorization and clearing messages (see MCIMCR. This is an error and an errata has been raised. section 11. The data element will eventually be mandatory.Personalization Data Elements 3.6 Card Risk Management Data Tag/Length ‘ 9F0305’ ‘ 9F0206’ ‘ 8202’ ‘ 9505’ ‘ 9A03’ ‘ 9C01’ ‘ 9F3704’ ‘ 9F1A02’ ‘ 5F2A02’ Description Amount.6. in order to report the results of card authentication. and output from the card in the Issuer Application Data. Data element not listed as mandatory in MCIMCR.2 Card Risk Management Data Object List 2 (CDOL2) (M*) Format Tag Length an ‘ 8D’ 38 bytes Personalization Data Specifications August 1998 3-23 .6). Transaction Application Interchange Profile Terminal Verification Results Transaction Date Transaction Type Unpredictable Number Terminal Country Code Transaction Currency Code Note(s) 1 1 1 1.6. section 11. Other Amount. List of data objects (tag and length) to be passed to the card application with the first GENERATE AC command. 3: Description 3. Terminal Verification Results is mandatory if Card Verification Results (CVR) is implemented. CVR is a MasterCard proprietary data element used in card risk management.

in order to report the results of card authentication. Other Amount. Issuer Application Data): Tag/Length ‘ 8A02’ ‘ 9F0306’ ‘ 9F0206’ ‘ 8202’ ‘ 9505’ ‘ 9A03’ ‘ 9C01’ ‘ 9F3704’ ‘ 9F1A02’ ‘ 5F2A02’ Description Authorization Response Code Amount. Terminal Verification Results is mandatory if Card Verification Results (CVR) is implemented. and output from the card in the Issuer Application Data. This is an error and an errata has been raised. Cryptogram Information Data.2 1 1 1 3 3 + 1: 2: Data element listed as mandatory in both authorization and clearing messages (see MCIMCR. This list is derived from the list of ICC data elements which the acquirer is obliged to return to the issuer.6. Transaction Application Interchange Profile Terminal Verification Results Transaction Date Transaction Type Unpredictable Number Terminal Country Code Transaction Currency Code Note(s) 4 1 1 1 1. ATC.6). and minus the data elements output by the GENERATE AC command (Application Cryptogram. plus the Authorization Response Code. Mandatory List of data elements (tag and length) to be passed to the card application with the second GENERATE AC command. 3: 4: Description Personalization Data Specification August 1998 3-24 © 1998 MasterCard International Incorporated . CVR is a MasterCard proprietary data element used in card risk management. The data element will eventually be mandatory. section 11.Personalization Data Elements 3. Data element not listed as mandatory in MCIMCR. section 11.6 Card Risk Management Data Value MasterCard recommends the following list of data elements (tags and lengths).

4 Issuer Action Code–Denial (M) Format Tag Length Value b ‘ 9F0E’ 5 MasterCard recommends the following values (see MCIMCR.2): Byte 1: Byte 2: Byte 3: Byte 4: Byte 5: ‘ F8’ ‘ 40’ ‘ 64’ ‘ for MasterCard.2): Byte 1: Byte 2: Byte 3: Byte 4: Byte 5: ‘ 00’ ‘ 10’ ‘ 88’ ‘ 00’ ‘ 00’ Description Specifies the issuer’ conditions that cause the transaction to be declined s without attempting to go online.Personalization Data Elements 3. Personalization Data Specifications August 1998 3-25 .6.6 Card Risk Management Data 3. ‘ 20’ A0’ for Maestro ‘ 00’ Description Specifies the issuer’ conditions that cause the transaction to be declined if s it might have been approved online.6.3 Issuer Action Code–Default (M) Format Tag Length Value b ‘ 9F0D’ 5 MasterCard recommends the following values (see MCIMCR. 3. but the terminal is unable to process the transaction online. section 10. section 10.

+ Terminal risk management and. 3.6.6. Personalization Data Specification August 1998 3-26 © 1998 MasterCard International Incorporated . section 10.6 Card Risk Management Data 3.Personalization Data Elements 3.2): Byte 1: Byte 2: Byte 3: Byte 4: Byte 5: ‘ F8’ ‘ E0’ ‘ 64’ ‘ F8’ ‘ 00’ Description Specifies the issuer’ conditions that cause a transaction to be transmitted s online. card risk management will use this data element. possibly.5 Issuer Action Code–Online (M) Format Tag Length Value b ‘ 9F0F’ 5 MasterCard recommends the following values (see MCIMCR.6 Lower Consecutive Offline Limit (R) Format Tag Length Value Description b ‘ 9F14’ 1 Issuer assigns value Issuer-specified data element indicating a preference for maximum number of consecutive offline transactions allowed for the card application before the terminal goes online.

Personalization Data Specifications August 1998 3-27 .7 Lower Cumulative Domestic Offline Transaction Amount (R) (MasterCard Proprietary Data Element) Format Tag Length Value Description b ‘ 9F50’ 6 Issuer assigns value Issuer specified data element indicating a preference for the maximum cumulative offline transaction amount allowed for the card application before the terminal goes online. 3.Personalization Data Elements 3.6.6.8 Maximum Domestic Offline Transaction Amount (R) (MasterCard Proprietary Data Element) Format Tag Length Value Description b ‘ 9F51’ 6 Issuer assigns value Issuer-specified data element indicating maximum offline transaction amount.6 Card Risk Management Data 3.

and may also be used in card risk management.Personalization Data Elements 3.6.6 Card Risk Management Data 3. 3.10 Upper Cumulative Domestic Offline Transaction Amount (R) (MasterCard Proprietary Data Element) Format Tag Length Value Description b ‘ 9F52’ 6 Issuer assigns value Issuer specified data element indicating the required maximum cumulative offline amount allowed for the application before the transaction goes online.6. + This data element will be used in terminal risk management. Personalization Data Specification August 1998 3-28 © 1998 MasterCard International Incorporated .9 Upper Consecutive Offline Limit (UCOL) (R) Format Tag Length Value Description b ‘ 9F23’ 1 Issuer assigns value Issuer specified data element indicating the required maximum number of consecutive offline card transactions for this application allowed before the transaction goes online.

Personalization Data Elements 3.7 SDA-Related Data 3.7.7 SDA-RELATED DATA This section contains information of the Certification Authority Public Key Index data element.1 Certification Authority Public Key Index (M) Format Tag Length Value Description b ‘ 8F’ 1 ‘ 01’ Identifies the certification authority’ public key in conjunction with the s Registered Identifier (RID) for use in static and dynamic data authentication. Personalization Data Specifications August 1998 3-29 . 3.

if DDA supported.Personalization Data Elements 3.8.8 DDA-RELATED DATA This section includes the following personalization data elements: Dynamic Data Authentication Data Object List (DDOL) Hash Algorithm Indicator ICC Dynamic Data Length 3.2 Hash Algorithm Indicator (M*) Format Tag Length Value Description b ‘ DF04’(See table in section 5. * Mandatory. Personalization Data Specification August 1998 3-30 © 1998 MasterCard International Incorporated .) 1 ‘ = SHA-1 algorithm 01’ Algorithm used to compress data prior to signing for dynamic data authentication. 3. * Mandatory if DDA supported.1 Dynamic Data Authentication Data Object List (DDOL) (M*) Format Tag Length Value an ‘ 9F49’ 11 MasterCard recommends the following values: ‘ 950206’ ‘ 9F1C08’ ‘ 9A03’ ‘ 9F3704’ Amount Authorized Terminal Identification Transaction Date Unpredictable Number Description List of data objects (tag and length) used for dynamic data authentication.8.8 DDA-Related Data 3.

8 DDA-Related Data 3.8.3 ICC Dynamic Data Length (M*) Format Tag Length Value Description b ‘ DF05’(See table in section 5. if DDA supported. * Mandatory.Personalization Data Elements 3. Personalization Data Specifications August 1998 3-31 .) 1 ‘ — for version 1 of the MasterCard Debit and Credit Specification 08’ Length of the ICC Dynamic Data generated/stored by the ICC.

1 Cryptogram Version Number (M) Format Tag Length Value Description b ‘ DF06’(See table in section 5.9.) 1 ‘ 01’ Data element indicating the version of the TC/AAC/ARQC algorithm used by the application that is transmitted in the Issuer Application Data.7. Beginning in 1999.9. Personalization Data Specification August 1998 3-32 © 1998 MasterCard International Incorporated .9.Personalization Data Elements 3.9) used to produce the various ICC DEA keys. check with the Chip Card Help Desk. MasterCard assigns this value.9.9 ADDITIONAL CRYPTOGRAPHIC DATA (FROM ISSUER) This section includes the following personalization data elements: Cryptogram Version Number Derivation Key Index Issuer Private Key Issuer Public Key Certificate.8. 01’ Indicates derivation keys (Issuer Master Keys— see 3. Issuer Public Key Exponent Issuer Public Key Remainder Issuer Master Keys: – for ICC Cryptogram DEA Keys – for ICC MAC DEA Keys – for ICC PIN DEA Keys 3. 3. and 3.9.) 1 ‘ in 1998. 3.9 Additional Cryptographic Data (From Issuer) 3.2 Derivation Key Index (M) Format Tag Length Value Description b ‘ DF07’(See table in section 5.

+ The input of the Issuer Private Key requires it be done using a secure cryptographic device and using secure procedures. Personalization Data Specifications August 1998 3-33 .9).10.9.9.4).10.4 Issuer Public Key Certificate (M) Format Tag Length Value Description b ‘ 90’ NCA (= 128 in this version 1 of the MCPA specifications) Issuer assigns value Issuer’ public key certified by a certification authority for use in static or s dynamic data authentication.3 Issuer Private Key (M) Format Tag Length Value Description b NI (= 96 in version 1 of the MCPA specifications) Issuer assigns value Used to produce the Signed Static Application Data (see 3. 3.Personalization Data Elements 3.9 Additional Cryptographic Data (From Issuer) 3. and to sign the ICC Public Key Certificate (see 3.

using the Application PAN and its sequence number as diversification data.NCA + 36 (= 4 in this version of the MasterCard Debit and Credit Specification) Issuer assigns value Remaining digits of the issuer’ Public Key modulus.5 Issuer Public Key Exponent (M) Format Tag Length Value Description b ‘ 9F32’ 1 Issuer assigns value Exponent used to verify signed data.9 Additional Cryptographic Data (From Issuer) 3. The double-length key is required input to the ALF generation system. which uses a secure cryptographic device and secure loading procedures.7 Issuer Master Key for ICC Cryptogram DEA Keys (M) Format Tag Length Value Description b 16 Issuer assigns value A double-length master DEA key used to derive all ICC Cryptogram DEA keys (see 3. 3.9.10.2).6 Issuer Public Key Remainder (M) Format Tag Length b ‘ 92’ NI .9. s Value Description 3.9.Personalization Data Elements 3. © 1998 MasterCard International Incorporated Personalization Data Specification August 1998 3-34 .

using the Application PAN and its sequence number as diversification data. The double-length key is required input to the ALF generation system.9. which uses a secure cryptographic device and secure loading procedures.9 Issuer Master Key for ICC PIN DEA Keys (M) Format Tag Length Value Description b 16 Issuer assigns value A double-length master DEA key used to derive all ICC PIN DEA keys (see 3.8 Issuer Master Key for ICC MAC DEA Keys (M) Format Tag Length Value Description b 16 Issuer assigns value A double-length master DEA key used to derive all ICC MAC DEA keys (see 3. 3.Personalization Data Elements 3. The double-length key is required input to the ALF generation system.9 Additional Cryptographic Data (From Issuer) 3.10.8).9.7).10. using the Application PAN and its sequence number as diversification data. Personalization Data Specifications August 1998 3-35 . which uses a secure cryptographic device and secure loading procedures.

MAC DEA Key.9) are not required. 3. Signed Static Authentication Data. ICC Asymmetric Secret Key Data. 3.9. In this case. many of the fields may be generated prior to input to the ALF system.10 CRYPTOGRAPHIC/INTERNAL DATA Since these data elements can be created by the ALF generation system the issuer does NOT normally need to be input them.10 Cryptographic/Internal Data 3.9.3) and the Issuer Master DEA Keys (see 3. PIN DEA Key).Personalization Data Elements 3.9. Such fields might include the diversified DEA keys (Cryptogram DEA Key. the Issuer Private Key (see 3.9. This KEK is also required input to the ALF generation system. However. and 3. ICC Public Key Certificate/ Exponent/Remainder.10. which uses a secure cryptographic device and secure loading procedures. Personalization Data Specification August 1998 3-36 © 1998 MasterCard International Incorporated .7. depending on the issuer’ system configurations and s security requirements. The ALF system should set this to zero (new card).1 Application Transaction Counter (ATC) (M) Format Tag Length Value Description b ‘ 9F36’ 2 ‘ 0000’ Transaction counter maintained by the application in the card.8. they must be encrypted using a Key Encryption Key (KEK). This section includes the following personalization data elements: Application Transaction Counter (ATC) Cryptogram DEA Key * ICC Asymmetric Secret Key Data ICC Public Key Certificate ICC Public Key Exponent * ICC Public Key Remainder Message Authentication Code (MAC) DEA Key * PIN DEA Key * Signed Static Application Data Various indicators/counters If these data elements are input to the ALF generation system.

Personalization Data Elements
3.10 Cryptographic/Internal Data

3.10.2 Cryptogram DEA Key (M)
Format Tag Length Value Description

b ‘ DF0B’(See table in section 5.) 16 Issuer assigns value A double-length DEA key used for Application Cryptogram generation using the GENERATE AC command to produce ARQC, AAC, AAR and TC cryptograms. The key also is used to verify incoming cryptograms (ARPC), using the EXTERNAL AUTHENTICATE command.

3.10.3 ICC Asymmetric Secret Key Data (M)
Format Tag Length

b ‘ DF0C’(See table in section 5.) = 5NIC/2 (if Chinese Remainder Theorem is used) = 2 NIC (with standard exponentiation). Where NIC is the length of the ICC Public Key modulus. NIC = 768, 896, or 1024 bits (96, 112, or 128 bytes) for 1998. Beginning in 1999, check with the Chip Card Help Desk.

Value Description

Issuer assigns value The data necessary to enable the application to sign critical data for dynamic data authentication in response to an INTERNAL AUTHENTICATE command.

Personalization Data Specifications August 1998 3-37

Personalization Data Elements
3.10 Cryptographic/Internal Data

3.10.4 ICC Public Key Certificate (M)
Format Tag Length Value Description

b ‘ 9F46’ NI Issuer assigns value ICC Public Key certified by the issuer using the Issuer Private Key.

3.10.5 ICC Public Key Exponent (M)
Format Tag Length Value Description

b ‘ 9F47’ 1 Issuer assigns value Exponent used to verify the signed dynamic application data.

3.10.6 ICC Public Key Remainder (M)
Format Tag Length Value Description

b ‘ 9F48’ NIC – NI + 42 Issuer assigns value Remaining digits of the ICC Public key modulus.

Personalization Data Specification August 1998 3-38

© 1998 MasterCard International Incorporated

Personalization Data Elements
3.10 Cryptographic/Internal Data

3.10.7 Message Authentication Code (MAC) DEA Key (R)
Format Tag Length Value Description

b ‘ DF0D’(See table in section 5.) 16 Issuer assigns value A double-length DEA key used to support Secure Messaging for Integrity and Authentication in an Issuer Script message. The key is used to verify the MAC in the script message.

3.10.8 PIN DEA Key (R)
Format Tag Length Value Description

b ‘ DF0E’(See table in section 5.) 16 Issuer assigns value A double-length DEA key used to support the confidentiality requirement in Secure Messaging for Issuer Script processing. The key is used to decipher the enciphered PIN data component in the PIN CHANGE/UNBLOCK command message.

Personalization Data Specifications August 1998 3-39

3.10 Various Indicators/Counters (M) The following data elements need to be created in the ALF generation process.10. The signature is checked in static data authentication. The formats and values of the data elements will depend on the particular card operating system.9 Signed Static Application Data (M) Format Tag Length Value Description b ‘ 93’ 40–128 Bytes (= NI — length of the Issuer Public Key modulus) Issuer assigns value Digital signature on critical application parameters. • Application Status (unblocked/blocked/permanently blocked) • PIN Lock Status • PIN Installation Status • PIN Retry Counter • Personalization Date Personalization Data Specification August 1998 3-40 © 1998 MasterCard International Incorporated .Personalization Data Elements 3.10 Cryptographic/Internal Data 3.10.

MAC DEA Key. either when the application data is configured. The cryptograms are used by the: • application to verify the input data • issuer to verify the transaction data • terminal to authenticate the application Examples: Cryptogram DEA Key. Personalization Data Specifications August 1998 4-1 . The data structure in the chip will depend on the card operating system. ICC Asymmetric Secret Key Data.1 OVERVIEW This section is intended for developers of chip card operating systems. The data in this area does not need to be altered.1 Overview 4. or at any subsequent time. and control vectors pointing to code modules. and card loading systems. Hash Algorithm Indicator. This data includes the command table used to verify the commands. The MCPA application static data is divided into four areas: Area 1: Application Control Data This data consists of data elements that control the MCPA application program. ICC Dynamic Data Length. Area 2: Symmetric/Asymmetric Key Data The MCPA application program uses key-related data to generate cryptograms. This section describes how the data elements output by the ALF system might be configured within the chip.Example of Data Structure 4. Application Load File (ALF) systems. PIN DEA Key. The data elements described in section 3 are input to the card personalization process. The following discussion provides an example of how the data can be structured.

Data required for SDA or DDA. Area 4: Issuer Data The issuer supplies this data. The entry for the PSE must use a separate SFI. The terminal accesses the data issuing GET DATA or GET PROCESSING OPTIONS commands. Record Number. and define the operation of the application. and Application Priority Indicator.. Application Version No. CVM List. The Issuer Data is held in a single file with SFI = 1. Personalization Data Specification August 1998 4-2 © 1998 MasterCard International Incorporated . Examples: Application Status. + Area 3 also includes a Record Table used by the READ RECORD command to access data in Area 4. PIN Installed Status. The initial record must contain the Track 2 Equivalent Data and the Cardholder Name. Application Usage Control. Examples: Application PAN. and Lower/Upper Cumulative Domestic Offline Transaction Amounts. PIN Lock Status. The terminal accesses this data issuing a s READ RECORD command.Example of Data Structure 4. Lower/Upper Consecutive Offline Limits. Application Currency Code. CDOL2. Application Label. Length of Record. AFL. Application Preferred Name. The PSE Directory (DIR) File would include AID. The second record contains the data elements that are used to check the SDA signature. Application Default Action. CDOL1. and Address of Record Start. The variable length data elements are stored in TLV format.1 Overview Area 3: Application Operational Data These data elements indicate the status of the application. The size of each record is variable. The record may contain other data elements. Issuer Country Code etc. Issuer Action Codes. which is required by the application and the terminal. Expiration Date. AIP. The order of subsequent data elements/records is not significant. but is limited by the size of the chip card’ output buffer. Each record in the table includes SFI.

Annex C— Data Objects Personalization Data Specifications August 1998 5-1 . The use of these tags is optional. Reference 3.8.10.1 3. MasterCard included this list of tags to reduce the number of ad hoc and incompatible tag allocations by Issuers and Personalization bureaus. Since many issuers will want to present the data in their personalization input files in TagLength-Value (TLV) format2.3.9.10.2 3.1 OVERVIEW Most of the data elements described in section 3 have tags that have been allocated in EMV96ICC.3.10.3 3.10 3.10. and are used during transactions. These MCPA tags ensure interoperability of MCPA transactions.7 3.2 3.9.1 Overview 5.2 3.3 3. The data elements not used during an EMV transaction do not have MCPA allocated tags.11 3.1 3. the following Private Class tags have been allocated.Private Class Tags 5.8.5.8 Description Application Default Action Reference PIN SDA Tags for Signing PIN Try Limit Hash Algorithm Indicator ICC Dynamic Data Length Cryptogram Version Number Derivation Key Index Cryptogram DEA Key ICC Asymmetric Secret Key Data MAC DEA Key PIN DEA Key Tag ‘ DF00’ ‘ DF01’ ‘ DF02’ ‘ DF03’ ‘ DF04’ ‘ DF05’ ‘ DF06’ ‘ DF07’ ‘ DF0B’ ‘ DF0C’ ‘ DF0D’ ‘ DF0E’ 2 For a description of TLV coding see EMV96ICC.3.2 3.

.

Glossary Overview OVERVIEW This section defines various terms. as definitions for any legal or technical purpose. nor should serve. AFL See application file locator. MasterCard specifically reserves the right to add to. These terms and definitions appear for convenience only and are not intended to serve. and abbreviations that are used throughout the Business Functional Requirements for Debit and Credit on Chip manual. ADF See application definition file. AID See application identifier. delete from. TERMS AAC See application authentication cryptogram. application The protocol between the card and the terminal and its related set of data. Personalization Data Specifications August 1998 Glossary-1 . acquirer A member that maintains the merchant relationship and acquires the data relating to a transaction from the merchant or card acceptor. or otherwise change any term appearing herein and specifically cautions members and agents therefor not to rely upon any term appearing herein for any legal or technical purpose. account number A unique sequence of numbers assigned to a card account that identifies the issuer and type of financial transaction card. AIP See application interchange profile. concepts. AC See application cryptogram. acronyms.

application cryptogram (AC) A cryptogram returned by an IC card to a terminal in response to a GENERATE AC command. decline. application expiration date The date after which. The ADF tree structure: • Enables the attachment of data files to an application. • Ensures the separation between applications. the last day on which the application may be used. which is used in this decision process. not for online authorization. application elementary file (AEF) Set of data units or records that share the same file identifier. An AEF in the range1–10. It cannot be the parent of another file. application currency code Indicates the currency in which the account is managed according to ISO 4217. contains one or more primitive Basic Encoding Rules— Tag Length Value (BER-TLV) data objects grouped into constructed BER-TLV data objects (records).Glossary Terms application authentication cryptogram (AAC) A value computed by the ICC for a declined transaction. • Allows access to the logical structure of an application by ADF selection. Personalization Data Specifications August 1998 Glossary-2 © 1998 MasterCard International Incorporated . the application expires. The ADF identifies an application and contains important data used by the terminal during the application selection process. This command also communicates terminal resident information to the IC card. The GENERATE AC is issued by the terminal to request an IC card decision to either: accept. application definition file (ADF) The ADF provides the entry point to one or more application elementary files (AEFs). application effective date The date from which the application can be used. application file locator (AFL) The Application File Locator contains data associated with the selected application and identifies the files and records to be used for processing a transaction. In other words. or go online.

The terminal attempts to execute only those functions that the IC card supports. if available. The Application Identifier is comprised of two components: the Registered Application Identifier or “RID” and the Proprietary Application Identifier Extension or PIX. ARQC See authorization request cryptogram. application preferred name Preferred mnemonic associated with the AID. overrides the application label. application label Mnemonic associated with the AID according to ISO/IEC 7816-5. ATC See application transaction counter. application reference currency 1-4 currency codes to be used between the terminal and the ICC in cases where the terminal currency code is different from the application currency code. Each code is 3 digits in accordance with ISO 4217. as specified by the issuer. Personalization Data Specifications August 1998 Glossary-3 . This field is up to 16 characters in length. application transaction counter (ATC) Counter maintained by the application in the ICC (incrementing the ATC is managed by the ICC).Glossary Terms application identifier (AID) A numbering system and registration procedure for identifying specific companies and their chip-based products. See Application Preferred Name. if available. This field is up to 16 characters in length. but the application preferred name. as defined by ISO/IEC 7816-5. See Application Label. The application preferred name. overrides the application label. ARPC See authorization response cryptogram. application interchange profile (AIP) Specifies the application functions that are supported by the IC card. The application label allows for global interoperability. application version number Version number assigned by the payment system for the application.

chip or magnetic stripe reading terminal that dispenses cash. A byte is made up of eight bits. and enables a bank customer to order transfers among accounts and make account inquiries. automated teller machine (ATM) An unattended. members can offer value-added services to their cardholders. the byte may express any of 256 characters. charge card. binary character(s) (b) A computer format that uses a series of bits to store numeric values in which all values from hexadecimal ‘ to hexadecimal ‘ are acceptable. A credit card. By incorporating multiple payment options on one card. The merchant receives. accepts deposits and loan payments. CAM See card authentication method. or other character. authorization request cryptogram (ARQC) A value computed by the ICC for online application authentication. Personalization Data Specifications August 1998 Glossary-4 © 1998 MasterCard International Incorporated . this approval to process the transaction. Through arrangement of the bits 0 and 1 values. number. ATM/debit card. via telephone or authorization terminal. bankcard.Glossary Terms ATM See Automated Teller Machine. card A rectangular plastic medium used to carry information relating to its issuer and user. 00’ FF’ byte A single unit of information. authorization Approval of a transaction by or on behalf of an issuer according to defined operations regulations. such as a letter. or the account associated with any such card that is issued by a licensee of the Associations. authorization response cryptogram (ARPC) A value that defines the disposition of a message.

CVC 2 differs from CVC1 and is indent printed into the secure signature panel on the card.e. card risk management data object list 2 (CDOL2) List of data objects (tag and length) to be passed to the ICC in the second generated application cryptogram command. This data can be communicated to the issuer. Self-Service Terminal/Level 2. or In-Flight Commerce Terminal/Level 4 in accordance with MasterCard rules. card risk management data object list 1 (CDOL1) List of data objects (tag and length) to be passed to the ICC in the first generated application cryptogram command. card validation code (CVC) A two-part card security feature. In MasterCard Cash.Glossary Terms card authentication method (CAM) The process to determine if a card is genuine. online authentication occurs when information is exchanged between the processor on the chip card and the issuer's host system. CAT See cardholder activated terminal. Personalization Data Specifications August 1998 Glossary-5 . use of a PIN). CVC 1 is a 3-digit code encoded on track 1 and track 2 in three contiguous positions in the "discretionary data" field of a magnetic stripe on a MasterCard card. Limited Amount Terminal/Level 3. cardholder verification method (CVM) A system and/or technology used to verify the authenticity of the cardholder (i. that dispenses a product or provides a service.. cardholder The authorized user of a card issued by a licensed member. and that is an Automated Dispensing Machine/Level 1. (usually unattended). offline authentication occurs when information is exchanged between the processor on the chip card and the POI terminal to determine card validity. The CVC is intended to inhibit the alteration of card data and enhance the authentication of the card. cardholder activated terminal (CAT) A customer-activated chip or magnetic stripe reading terminal. card verification results (CVR) Proprietary data element used by the card to store the results of card risk management.

The microprocessor chip has an operating memory. closed system A card system. a programming memory. card issuer number. semiconductor material that has been chemically processed to have a specific set of electrical characteristics such as circuits. operates the international ATM sharing association known as the "Cirrus® ATM Network. Cirrus® Cirrus System Incorporated. chip card A plastic card into which one or more integrated circuits are inserted. certification authority Trusted third party that establishes a proof that links a public key and other relevant information to its owner." clearing The process of exchanging financial transaction details between an acquirer and an issuer to facilitate posting of a cardholder's account and reconciliation of a customer's settlement position. certificate A code usually generated via cryptography. terminal identifier. is transmitted from the card to the terminal. making it difficult for counterfeiters or unscrupulous merchants to defraud the system. and/or logic elements. such as the amount. and a data memory that allows internal processing to take place and provides additional storage capacity. The certificate. The chip card conforms to all ISO standards. which represents several pieces of information about a transaction. instead of the simple amount of the transaction. chip A small square of thin. The opposite of an Open System. storage. Personalization Data Specifications August 1998 Glossary-6 © 1998 MasterCard International Incorporated . a wholly owned subsidiary of MasterCard International Incorporated. If fraud is suspected in the system. involving a single card issuer that can be used to access services or purchase products at a single or multiple service providers. the certificate provides the audit trail. etc. CDOL2 See card risk management data object list 2.Glossary Terms CDOL1 See card risk management data object list 1.

CVC See card validation code.Glossary Terms command A message sent by the terminal to the ICC that initiates an action and solicits a response from the ICC. CVV See card verification value. CVM See cardholder verification method. compressed numeric characters (cn) Numeric data that is left justified and padded with trailing ‘ characters. data encryption algorithm (DEA) A cryptographic algorithm adopted by the National Bureau of Standards for data security. Personalization Data Specifications August 1998 Glossary-7 . for which a cardholder is subsequently billed by an issuer for repayment of the credit extended at once or on an installment basis. cryptogram The output from the process of transforming cleartext into ciphertext for security or privacy. and to obtain cash disbursements on credit. data encryption standard (DES) An encryption standard approved for secure messaging and is defined in ISO 8731-1. and ISO/IEC 10116. DDOL See Dynamic Data Authentication Data Object List. credit card A plastic card bearing an account number assigned to a cardholder with a credit limit that can be used to purchase goods and services. FF’ cn See compressed numeric characters. ISO 8372. Encryption scrambles PINs (personal identification numbers) and transaction data for safe transmission.

decline. and the sender against forgery by the recipient. digital signature An asymmetric cryptographic transformation of data that allows the recipient of the data to prove the origin and integrity of the data. DES See data encryption standard. for which the cardholder's asset account is debited by the issuer. DEA See data encryption algorithm. The IC card’ response communicates to the terminal the IC card s decision to either: accept. EMV Europay International S. function A process accomplished by one or more commands and resultant actions that are used to perform all or part of a transaction. and protect the sender and the recipient of the data against forgery by third parties. encryption The technique of modifying a known bit stream on a transmission line so that it appears to be a random sequence of bits to an unauthorized observer. and Visa International Service Association. these transactions are used primarily to purchase goods and services and to obtain cash. It often is done automatically in the terminal or computer before data is transmitted. MasterCard International Incorporated. GENERATE AC.A. Personalization Data Specifications August 1998 Glossary-8 © 1998 MasterCard International Incorporated .Glossary Terms debit card A plastic card used to initiate a debit transaction. Dynamic Data Authentication Data Object List ( DDOL) List of data objects (tag and length) to be passed to the ICC in the internal Authenticate Command. or go online. In general.. This command is issued by the terminal and used when exchanging risk management data between the terminal and the IC card. GENERATE AC (command) The command. stands for “to generate an application cryptogram”. embossing Characters raised in relief from the front surface of a card.

this group works with the International Organization for Standardization (ISO) and covers the field of electrical and electronic engineering. ISO supports specific technical committees and work groups to promulgate and maintain financial services industry standards. Cirrus® ) should have the same characteristics everywhere as perceived by the cardholder. ISO works in conjunction with the Consultive Committee for International Telephone and Telegraph (CCITT) for standards that impact telecommunications. International Organization for Standardization (ISO) An international body that provides standards for financial transactions and telecommunication messages.Glossary Terms hybrid card A card that contains both a magnetic stripe and a microprocessor chip. International Electrotechnical Commission (IEC) Formerly known as the International Electromechanical Commission. ICC See Integrated Circuit Card. electronic products. such as bank identification numbers and merchant category codes. applicable to the two members participating in the transaction as issuer and acquirer. 96 Personalization Data Specifications August 1998 Glossary-9 . MasterCard® credit. Also called a smart card or chip card. IEC See International Electrotechnical Commission integrated circuit card (ICC) An International Organization for Standardization (ISO) standard card with an embedded integrated circuit chip containing memory and optional logic capability. interchange fee A fee applied to an interchange transaction.. and organizations to effectively work together in an open environment. with all other subject areas being attributed to ISO. and services from different vendors. interoperability Within the product range of MasterCard International. manufacturers. The ability of computers. the brand/product (i. compliant with the Joint Integrated Circuit Card and Terminal Specifications For Payment Systems. associations. ISO collaborates closely with the IEC on all matters of electrotechnical standardization. Also. also known as the EMV ‘ Specifications. Maestro® .e. interchange The exchange of transaction data between acquirers and issuers in accordance with MasterCard rules.

The issuer is responsible for: resolving cardholder disputes. language preference One to four languages stored in order of preference. LCOL See lower consecutive offline limit. MAC See message authentication code. reflects transaction and outstanding balance information. longitudinal redundancy check (LRC) A character recorded on a magnetic track and used to check the integrity of data read from the track (defined in ISO 7811 for ISO standard identification cards). each represented by 2 alphabetical characters according to ISO 639. Personalization Data Specifications August 1998 Glossary-10 © 1998 MasterCard International Incorporated . lower consecutive offline limit (LCOL) Issuer-specified preference for the maximum number of consecutive offline transactions for a given ICC application allowed in a terminal with online capability. handling cardholder information requests.Glossary Terms ISO See International Organization for Standardization issuer Cardholder’ bank or non-bank which has issued a credit. receives transaction information from MasterCard International. LRC See longitudinal redundancy check. The entity that issues the card. key A sequence of symbols that controls the operation of a cryptographic transformation. and carries consumer loans in the form of bankcard accounts. and processing cardholder refunds. The issuer selects the card risk management parameters and other cardholder specific data and personalizes this on the chip card. charge. ATM and/or debit card to an s individual or cardholder. as warranted. issuer country code Indicates the country of the issuer according to ISO 3166. controls the allocation of the areas of memory to application providers and provides the cardholder information common to all applications.

offline An operating mode in which terminals or ATMs are not connected to a central computer source. clearing. 7811.Glossary Terms magnetic stripe The magnetically encoded stripe on the bankcard plastic that contains information pertinent to the cardholder account. meaning that current active files are not being viewed during the time the transaction is conducted. and Cirrus transactions. No communications (header. merchant A retailer. Responses are governed by the parameters or guidelines set within the terminal or supporting device as defined by the issuer. MCC See merchant category code. or character code) or security implications are assumed or identified. against forgery by third parties. or any other person. or corporation that (pursuant to a merchant agreement) agrees to accept card products. trailer. protocol. firm. Maestro. The accessibility of information is not in a live environment. Personalization Data Specifications August 1998 Glossary-11 . when properly presented. MCPA™ See MasterCard Chip Payment Application. and 7813. merchant category code (MCC) Four-digit classification codes used in authorization. MasterCard Chip Payment Application (MCPA™ ) The payment application loaded on a chip card operating system that provides the capability to process MasterCard. message A set of data elements used to exchange information between institutions (or their agents). and other transactions or reports to identify the type of merchant. The physical and magnetic characteristics of the magnetic stripe are specified in ISO Standards 7810. message authentication code (MAC) A symmetric cryptographic transformation of data that protects the sender and the recipient of the data.

personal identification number (PIN) A four. The PAN consists of a major industry identifier. private key In public-key cryptography. PIN verification A procedure that enables the issuer to validate the cardholder identity when making a comparison with the PIN and cardholder account number. the card issuer can exercise control over their card. the half of a public-key/private-key pair that is known only to the encoder that resides on the user's system.to 12-character secret alphanumeric code that enables an issuer to positively authenticate the cardholder for the purpose of approving an ATM or terminal transaction occurring at a pointof-interaction device. and file changes. encoded. PAN See primary account number. individual account identifier. issuer identifier. PIN See Personal Identification Number. The POI terminal through a dialogue with the chip automatically executes the issuer specified pre-programmed parameters set forth. and check digit.Glossary Terms online An operating mode in which terminals or ATMs are connected to a central computer system and have access to the database for authorization. primary account number (PAN) The number that is embossed. personalization Personalization is the process whereby the issuer defines parameters that are programmed in the memory within the chip during card production to manage risk and tailor the product on an individual or segmented cardholder basis. POI See point of interaction. Personalization Data Specifications August 1998 Glossary-12 © 1998 MasterCard International Incorporated . Hence. point of interaction (POI) The location at which a transaction occurs. Live files are accessed for each transaction. inquiry. on a MasterCard card that identifies the issuer and the particular cardholder account. or both. Also referred to a point of sale (POS) or point of service.

For MasterCard. SDA See static data authentication. This code identifies the specific company that provides the chip-based product. registered identifier (RID) The first five bytes of the Application Identifier (AID) as assigned according to ISO/IEC 7816-5. secret key A key used with symmetric cryptographic techniques and usable only by a set of specified entities. response A message returned by the ICC to the terminal after the processing of a command message received by the ICC. the half of a public-key/private-key pair that is known to the public and can be used to decrypt messages that were encoded by the corresponding private key. script A command or a string of commands transmitted by the issuer to the terminal for the purpose of being sent serially to the ICC as commands. the code is ‘ A000000004’ . public key certificate The public key information of an entity signed by the Certification Authority and thereby cannot be forged. rules Refers to the “international operating regulations” inclusive of standards set for the brand established by MasterCard International. Personalization Data Specifications August 1998 Glossary-13 .Glossary Terms processor An organization that is connected with MasterCard International Incorporated and provides authorization and/or clearing and settlement services on behalf of a member. public key In public-key cryptography. RID See registered identifier.

The reduced data length relieves computational requirements for data encryption. It is a binary field with the three high order bits set to zero. A message digest is a value generated for a message or document that is unique to that message.. with a very high probability. tracks 1 and 2) and chip of a bankcard which gives instructions to the terminal about the conditions under which the card may be used. service code The service code is a three digit value on the magnetic stripe (i. s tag length value (TLV) Standardized structure defined by ISO to identify and define data within the IC Card where: Tag: Data object identifier Length: Length expressed in bytes Value: Actual data identified by the tag terminal A device that allows a user to send data to. any subsequent change to the original data will.Glossary Terms secure hash algorithm-1 (SHA-1) A one-way cryptographic function which takes a message of less than 264 bits in length and produces a 160-bit message digest. which had security flaws. SFI See short file identifier. and is sometimes referred to as a fingerprint” of that message or data. cause a change in the message digest. SHA-1 See secure hash algorithm-1.e. without online contact to the issuer. receive data from. and the signature will fail to verify. Personalization Data Specifications August 1998 Glossary-14 © 1998 MasterCard International Incorporated . This process is used by MasterCard to compress large data strings to a 20-byte length which is used in a cryptographic process. SHA-1 provides greater security than the original Secure Hash Algorithm (SHA). The card is passive and the terminal is active: the terminal verifies the card’ fixed cryptographic signature. and invoke functions of a remote computer system. short file identifier (SFI) A data object used as an abbreviated file identifier. Service codes are defined by ISO. Once a message digest is computed. static data authentication (SDA) Authentication of an IC card as a result of interaction between a hybrid card acceptance device and a chip card.

upper consecutive offline limit (UCOL) Issuer-specified preference for the maximum number of consecutive offline transactions for a given ICC application allowed in a terminal without online capability.Glossary Terms terminal country code Indicates the country of the terminal. This is an issuer-defined parameter. TLV See tag length value. transaction counter A transaction counter controls the number of transactions that can be processed offline before an online request for authorization is initiated (often referred to as a “1 in N” parameter). represented according to ISO 3166 terminal verification results Status of the different functions as seen from the terminal. Personalization Data Specifications August 1998 Glossary-15 . UCOL See upper consecutive offline limit.

Sign up to vote on this title
UsefulNot useful