Visa Integrated Circuit Card Application Overview
The Visa Integrated Circuit Card (ICC) Application Overview has been updated. Please see Chapter 1, Section 1.6, “Impact Summary,” for information on what has changed from Visa ICC Specification (VIS) version 1.3.2. This document is the final copy of the Visa ICC Specification version 1.4.0. It reflects changes from the copy published on the Visa website in April 2001. These changes are noted in a separate changes list available on the Visa website. It is important that Visa staff, members, and vendors review the changes list. If you have any comments regarding this manual, please contact your regional representative. Your opinion is important to us.

Effective: 31 October 2001

Visa Integrated Circuit Card

Application Overview Version 1.4.0

 Visa International 1998, 1999, 2001
Visa Public

5101-03

1998, 1999, 2001 Visa International Service Association. All rights reserved.

Permission to copy and implement the material contained herein is granted subject to the conditions that (i) any copy or re-publication must bear this legend in full, (ii) any derivative work must bear a notice that it is not the Visa Integrated Circuit Card Specification published by Visa, and (iii) Visa shall have no responsibility or liability whatsoever to any other party arising from the use or publication of the material contained herein.

Visa makes no representation or warranty regarding whether any particular physical implementation of any part of this Specification does or does not violate, infringe, or otherwise use the patents, copyrights, trademarks, trade secrets, know-how, and/or other intellectual property of third parties, and thus any person who implements any part of this Specification should consult an intellectual property attorney before any such implementation. Any party seeking to implement this Specification is solely responsible for determining whether their activities require a license to any technology including, but not limited to, patents on public key encryption technology. Visa International Service Association shall not be liable for any party’s infringement of any intellectual property right.

Draft 12/18/00

Contents

Chapter 1 • About This Specification
1.1 Audience
1.2 VIS Update
1.3 Terminology
  1.3.1 Mandatory/Required/Recommended/Optional
  1.3.2 Card/Integrated Circuit
  1.3.3 Terminated Transactions
1.4 Document Structure
  1.4.1 Volume Overview
  1.4.2 Chapter Overview
  1.4.3 Subheading Overview
1.5 Revisions to This Specification
1.6 Impact Summary
  1.6.1 Terminal
    1.6.1.1 Mandatory
    1.6.1.2 Optional
  1.6.2 Card
    1.6.2.1 Mandatory
    1.6.2.2 Optional
1.7 Reference Materials
  1.7.1 International Organisation for Standardisation (ISO) Documents
  1.7.2 EMV Documents
  1.7.3 Visa Documents

Chapter 2 • Processing Overview
2.1 Functional Overview
  2.1.1 Application Selection (mandatory)
  2.1.2 Initiate Application Processing/Read Application Data (mandatory)
  2.1.3 Offline Data Authentication
  2.1.4 Processing Restrictions (mandatory)
  2.1.5 Cardholder Verification (mandatory)
  2.1.6 Terminal Risk Management (mandatory)
  2.1.7 Terminal Action Analysis (mandatory)
  2.1.8 Card Action Analysis (mandatory)
  2.1.9 Online Processing
  2.1.10 Issuer-to-Card Script Processing
  2.1.11 Completion (mandatory)
2.2 Mandatory and Optional Functionality
  2.2.1 Card Functional Requirements
  2.2.2 Terminal Functional Requirements
  2.2.3 Command Support Requirements
2.3 Visa Low-Value Payment (VLP) Feature
  2.3.1 Overview

Chapter 3 • Application Selection
3.1 Card Data
3.2 Terminal Data
3.3 Commands
3.4 Building the Candidate List
3.5 Identifying and Selecting the Application
  3.5.1 Terminal Makes Application Decision
  3.5.2 Cardholder Makes Account Decision
    3.5.2.1 Terminal Supports Cardholder Confirmation
    3.5.2.2 Terminal Supports Cardholder Selection
3.6 Flow
3.7 Subsequent Related Processing

Chapter 4 • Initiate Application Processing
4.1 Card Data
4.2 Terminal Data
4.3 GET PROCESSING OPTIONS Command
4.4 Terminal Processing
4.5 Card Processing
4.6 Terminal Processing
4.7 Flow
4.8 Prior Related Processing
4.9 Subsequent Related Processing

Chapter 5 • Read Application Data
5.1 Card Data
5.2 Terminal Data
5.3 READ RECORD Command
5.4 Processing
5.5 Flow
5.6 Prior Related Processing
5.7 Subsequent Related Processing

Chapter 6 • Offline Data Authentication
6.1 Keys and Certificates
  6.1.1 Visa Certificate Authority (CA)
  6.1.2 RSA Key Pairs
    6.1.2.1 Visa Public/Private Keys
    6.1.2.2 Issuer Public/Private Keys
    6.1.2.3 ICC Public/Private Keys
  6.1.3 SDA Key, Certificate, and Signature Relationships
  6.1.4 DDA Key, Certificate, and Signature Relationships
6.2 Determining Whether to Perform SDA or DDA
6.3 Static Data Authentication (SDA)
  6.3.1 SDA Processing
6.4 Dynamic Data Authentication (DDA)
  6.4.1 Data Elements for DDA Processing
  6.4.2 Standard DDA Processing
  6.4.3 Combined DDA/AC Generation Processing
6.5 Prior Related Processing
6.6 Subsequent Related Processing

Chapter 7 • Processing Restrictions
7.1 Card Data
7.2 Terminal Data
7.3 Application Version Number
7.4 Application Usage Control
7.5 Application Effective Date
7.6 Application Expiration Date
7.7 Prior Related Processing
7.8 Subsequent Related Processing

Chapter 8 • Cardholder Verification
8.1 Card Data
8.2 Terminal Data
8.3 Commands
8.4 Processing
  8.4.1 CVM List Processing
  8.4.2 CVM Processing
    8.4.2.1 Offline Plaintext PIN
    8.4.2.2 Offline Enciphered PIN
    8.4.2.3 Online PIN
    8.4.2.4 Signature
    8.4.2.5 No CVM Required
    8.4.2.6 Fail CVM
8.5 Prior Related Processing
8.6 Subsequent Related Processing

Chapter 9 • Terminal Risk Management
9.1 Card Data
9.2 Terminal Data
9.3 GET DATA Command
9.4 Terminal Exception File
9.5 Merchant Forced Transaction Online
9.6 Floor Limit Checking
9.7 Random Transaction Selection
9.8 Terminal Velocity Checking
9.9 New Card Checking
9.10 Prior Related Processing
9.11 Subsequent Related Processing

Chapter 10 • Terminal Action Analysis
10.1 Card Data
10.2 Terminal Data
10.3 GENERATE APPLICATION CRYPTOGRAM (AC) Command
10.4 Processing
  10.4.1 Review Offline Processing Results
  10.4.2 Request Application Cryptogram
10.5 Flow
10.6 Prior Related Processing

Chapter 11 • Card Action Analysis
11.1 Card Data
11.2 Terminal Data
11.3 GENERATE APPLICATION CRYPTOGRAM (AC) Command
11.4 Processing
  11.4.1 Card Risk Management
  11.4.2 Card Response Decision
    11.4.2.1 Standard Response to GENERATE AC
    11.4.2.2 Response to GENERATE AC for Combined DDA/AC Generation
  11.4.3 Processing Flow
11.5 Prior Related Processing
11.6 Subsequent Related Processing

Chapter 12 • Online Processing
12.1 Card Data
12.2 Terminal Data
12.3 Online Request and Response Data
12.4 Commands
12.5 Processing
  12.5.1 Online Request
    12.5.1.1 Combined DDA/AC Generation Processing
    12.5.1.2 Standard Online Processing
  12.5.2 Online Response
  12.5.3 Issuer Authentication
  12.5.4 Processing Flow
12.6 Prior Related Processing
12.7 Subsequent Related Processing

Chapter 13 • Completion
13.1 Card Data
13.2 Terminal Data
13.3 GENERATE Application Cryptogram (AC) Command
13.4 Processing
  13.4.1 Terminal Determines Transaction Disposition
    13.4.1.1 Transaction Authorized Offline
    13.4.1.2 Online Authorization Completed Successfully
    13.4.1.3 Online Authorization Unable to Complete
  13.4.2 Card Responds to Final GENERATE AC Command
    13.4.2.1 Online Authorization Completed
    13.4.2.2 Online Authorization Unable to Complete
  13.4.3 Terminal Completes Transaction
13.5 Flow
13.6 Prior Related Processing

Chapter 14 • Issuer-to-Card Script Processing
14.1 Script-Related Keys
  14.1.1 Message Authentication Code Keys
  14.1.2 Data Encipherment Keys
14.2 Card Data
14.3 Terminal Data
14.4 Online Response Data
14.5 Commands
14.6 Processing
  14.6.1 Issuer Scripts
  14.6.2 Command Processing
  14.6.3 Secure Messaging
14.7 Processing Flow
14.8 Prior Related Processing
14.9 Subsequent Related Processing

Appendix A • Acronyms
Glossary
Index

Figures
2–1: Sample Transaction Flow
3–1: Application Selection
4–1: Initiate Application Processing Flow
5–1: Read Application Data Processing Flow
6–1: SDA Key Relationships
6–2: DDA Data—Key Relationships
6–3: Processing Flow for SDA
6–4: Processing Flow for DDA
7–1: Processing Restrictions
8–1: CVM List Processing Flow
8–2: PIN Processing Flow (1 of 2)
8–3: PIN Processing Flow (2 of 2)
9–1: Terminal Risk Management Processing Flow (1 of 2)
9–2: Terminal Risk Management Processing Flow (2 of 2)
10–1: Terminal Action Analysis Flow
11–1: Card Action Analysis
12–1: Online Processing Flow
13–1: Completion
14–1: Issuer-to-Card Script Processing

Tables
2–1: Card Functional Requirements
2–2: Terminal Functional Requirements
2–3: Command Support Requirements
3–1: Application Selection—Card Data
3–2: Application Selection—Terminal Data
4–1: Initiate Application Processing—Card Data
4–2: Initiate Application Processing—Terminal Data
5–1: Read Application Data—Card Data
5–2: Read Application Data—Previously Sent Card Data
6–1: Offline Data Authentication Processing Priority
6–2: Terminal Data Used in SDA
6–3: Card Data Used in SDA
6–4: Terminal Data Used in DDA
6–5: Card Data Used in DDA
6–6: Card Data Used in Combined DDA/AC Generation
7–1: Processing Restrictions—Card Data
7–2: Processing Restrictions—Terminal Data
8–1: CVM List Processing—Card Data
8–2: Offline PIN Processing—Card Data
8–3: Offline Enciphered PIN—Card Data
8–4: CVM Processing—Terminal Data
9–1: Terminal Risk Management—Card Data
9–2: Terminal Risk Management—Terminal Data
10–1: Review Offline Processing Results—Card Data
10–2: Request Cryptogram Processing—Card Data
10–3: Review Offline Processing Results—Terminal Data
10–4: Request Cryptogram Processing—Terminal Data
11–1: Card Action Analysis—Card Data
11–2: Card Response to GENERATE AC Command
12–1: Online Processing—Card Data
12–2: Online Processing Issuer Authentication—Card Data
12–3: Online Processing—Terminal Data
12–4: Online Processing—Online Response Data
13–1: GENERATE AC Response
13–2: Completion—Card Data (Partial List)
13–3: Completion—Terminal Data
13–4: Authorization Response Code for Offline Action Taken
14–1: Issuer-to-Card Script Processing—Card Data
14–2: Issuer-to-Card Script Processing—Terminal Data
14–3: Issuer-to-Card Script Processing—Online Response Data

Chapter 1 • About This Specification

The Visa Integrated Circuit Card Specification (VIS) provides the technical details of chip card and terminal functionality related to Visa Smart Debit and Visa Smart Credit (VSDC) transactions (Visa’s chip-based credit and debit programs). It focuses on the functions performed by the chip card and terminal as well as the interaction between the chip card and terminal at the point of transaction.

The objective of the Visa Integrated Circuit Card Specification is to:
• Communicate the implementation details of Europay, MasterCard, and Visa (EMV) specifications to ease vendor development efforts
• Aid members and vendors in understanding the changes that chip brings to the credit and debit payment services, especially in terms of the processing taking place between the chip card and terminal at the point of transaction
• Provide Visa’s minimum requirements for chip-based credit and debit programs
• Identify options that members and vendors can implement to meet market needs
• Support Visa’s payment service rules and International Operating Regulations for Visa Smart Debit and Visa Smart Credit (VSDC)
• Define Visa’s implementation of optional EMV features

Because VIS is based on EMV, the two specifications should be used together for reference and development purposes. However, VIS builds on the EMV requirements in order to support the Visa payment service rules. To facilitate understanding of the differences between these two specifications, please refer to Chapter 2, Processing Overview.

1.1 Audience
This document is intended for members, vendors, and readers seeking a technical understanding of the functionality of chip cards and terminals supporting Visa Smart Debit and Visa Smart Credit programs.

1.2 VIS Update
This document serves as an update to VIS 1.3.2. The update includes changes reflecting EMV 2000 Integrated Circuit Card Specification for Payment Systems, Version 4.0, enhancements to VSDC functionality, and corrections and clarifications to VIS 1.3.2. An impact summary highlighting the differences between VIS 1.3.2 and the current version, VIS 1.4.0, is provided later in this chapter.

1.3 Terminology
This section provides clarification on several terms used throughout the specification.

1.3.1 Mandatory/Required/Recommended/Optional
Visa’s philosophy is to facilitate market requirements while ensuring global interoperability. To this end, Visa’s minimum requirements reflect the EMV mandatory items in addition to specific requirements outlined in the Visa payment service rules or International Operating Regulations. All other functionality is optional and not required.

Visa’s minimum requirements are designated using the terms “mandatory”, “required”, and “shall.” Recommended functionality is designated in the document using the term “should.” Elective data elements and functions are designated using the terms “optional” or “may.”

Markets can customize their programs beyond the minimum requirements through adoption of the optional functions and through proprietary processing. Proprietary processing, however, must not interfere with global interoperability.

1.3.2 Card/Integrated Circuit
In general, the term “card” is used to describe functions performed by the VSDC application on the card. When it is necessary to distinguish between the chip itself and another card feature such as the magnetic stripe, the term “integrated circuit” may be used.

1.3.3 Terminated Transactions
When the term “terminal terminates transaction” is used, it includes the processing to end the transaction and the display of the message to the cardholder and merchant indicating why the transaction cannot be completed.

1.4 Document Structure
This section provides an overview of the structure of the Visa Integrated Circuit Card Specification. It begins with an overview of the three volumes, is followed by an overview of each chapter, and concludes with the subheading structure of each chapter.

1.4.1 Volume Overview
The document is organized into three volumes.
• Application Volume—This volume provides a technical overview of the processing between the card and terminal. This volume may be used as an overview to understand the processing and sequence of events involved in a VSDC transaction flow.
• Card Volume—This volume specifies the technical details of EMV related to the data and processing performed by the card. It also includes additional Visa specific requirements for card functionality. Vendors involved in the creation of the VSDC card application should focus on this document for their development efforts.
• Terminal Volume—This volume specifies the technical details of EMV related to the data and processing performed by the terminal. It also includes additional Visa specific requirements for terminal functionality. Vendors involved in the creation of the VSDC terminal application should focus on this document for their development efforts.

To provide clarity, requirements from EMV may be restated in the various volumes and, where necessary, information is replicated in the three volumes to provide comprehensive information. Each volume includes a list of acronyms, a glossary, and an index.

1.4.2 Chapter Overview
This guide is organized according to the functions that occur during VSDC transaction flow and is divided into the following sections:

Chapter 1, About This Specification—This chapter provides an overview of the VIS specification, VIS terminology, a summary of revisions for this version of the VIS documents, and a list of reference materials.

Chapter 2, Processing Overview—This chapter provides an overview of each function and highlights whether the function is mandatory or optional.

Chapter 3, Application Selection—This function determines which of the applications, supported by both the card and terminal, will be used to conduct the transaction.

Chapter 4, Initiate Application Processing—During this function, the card receives any terminal data which was requested by the card during Application Selection.

Chapter 5, Read Application Data—During this function, the terminal reads the data records necessary for the transaction from the card.

Chapter 6, Offline Data Authentication—During this function, the terminal authenticates data from the card using RSA public key technology.

Chapter 7, Processing Restrictions—During this function, application version checks, effective and expiration date checks, and other checks are performed by the terminal at the point of transaction.

Chapter 8, Cardholder Verification—During this function, the terminal determines the cardholder verification method (CVM) to be used and performs the selected CVM.

Chapter 9, Terminal Risk Management—During this function, the terminal ensures that higher-value transactions are sent online and that chip read transactions go online periodically. This risk management check protects against threats that might be undetectable in an offline environment.

Chapter 10, Terminal Action Analysis—During this function, the terminal applies rules set by the issuer in the card and by the acquirer in the terminal to the results of offline processing. This analysis determines whether the transaction should be approved offline, declined offline, or sent online for an authorization.

Chapter 11, Card Action Analysis—During this function, velocity checking and other risk management, internal to the card, is performed.

Chapter 12, Online Processing—During this function, the issuer’s host computer reviews and authorizes or rejects transactions using the issuer’s host-based risk parameters.

Chapter 13, Completion—During this function, the card and the terminal conclude transaction processing.

Chapter 14, Issuer-to-Card Script Processing—During this function, the card applies post-issuance changes sent from the issuer.

1.4.3 Subheading Overview
For ease of use, the main chapters are structured in the same manner:
• Card Data—Provides the mandatory and optional data elements required on the card to support the function. Data element tags are listed when multiple tags are associated with a single data element name.
• Terminal Data—Provides the mandatory and optional data elements needed in the terminal to support the function. Data element tags are listed when multiple tags are associated with a single data element name.
• Commands—Provides the requirements for the commands used to support the function.
• Processing—Provides the technical details of the function. If there are several functions within a process, they may be listed separately.
• Prior Related Processing—Outlines prior processing to aid in understanding previous activities related to this function.
• Subsequent Related Processing—Outlines subsequent processing to aid in understanding future activities related to this function.

NOTE: Flowcharts are representative of processing and may not include all steps that may be performed.

1.5 Revisions to This Specification
Revisions to this specification may be required to accommodate future EMV changes, Visa payment service rules, or market needs. The impacts of these changes will be communicated in the VIS changes list or in an update to this document.

1.6 Impact Summary
The following is an outline of changes and additional functionality from both a card and terminal perspective for VIS 1.4.0.

1.6.1 Terminal
This section includes mandatory and optional changes. The testing of terminals to support mandatory changes shall be aligned with the EMV 2000, Version 4.0 (April 2001), migration requirements. Refer to the EMVCo website for information on testing schedules.

1.6.1.1 Mandatory
• If the Directory method of Application Selection fails, the terminal shall switch to the List of AIDs method.
• The terminal shall not allow Partial Selection during Application Selection if the terminal indicators show it is not supported for the AID.
• If the SDA Tag List is one of the data elements read from the card, the terminal shall validate that the only tag it contains is the tag for the AIP.
• During SDA and DDA, the terminal shall save the Data Authentication Code (if present) and ICC Dynamic Number after recovery.
• ATMs supporting Offline PIN shall support CVM List processing.

1.6.1.2 Optional
• Visa Operating Regulations may permit the terminal to eliminate certain common applications from consideration during Application Selection.
• The public key encipherment used in the Offline Enciphered PIN processing may occur either in the PIN pad or in the card reader. Secure transfer of the PIN from the PIN pad to the card reader is required.
• The EMV Combined DDA/Generate AC option is included as a terminal option.
• Terminal support for Visa Low-value Payment feature of VSDC.

1.6.2 Card

This section includes mandatory and optional changes. Changes are backward compatible and cards tested under versions 1.3.1 and 1.3.2 will continue to work in the new devices. Contact the CAA for information on testing schedules.

1.6.2.1 Mandatory

• If a card is personalized with an SDA Tag List, the only tag in the list must be “82”, the tag for the Application Interchange Profile. An SDA tag list that does not comply will result in Offline Data Authentication failure in EMV 4.0 terminals. Prior to adding this requirement to EMV a survey was conducted to determine if the SDA tag list was being utilized. The results indicated that it was not in use and that the requirement could be added to EMV. To ensure interoperability and backward compatibility cards should begin compliance immediately.
• Support of Cardholder Verification must be indicated in the Application Interchange Profile and a CVM List is required.
• Cumulative amounts are no longer incremented for offline declines.
• The Online Authorization Indicator is no longer reset after offline approval.

1.6.2.2 Optional

• The Issuer Public Key length may equal that of the corresponding Visa CA Public Key.
• The ICC Public Key length may equal that of the corresponding Issuer Public Key.
• An Application Default Action bit has been added to allow issuers to decline the transaction and block the application if the PIN Try Limit was exceeded on a previous transaction.
• The EMV optional session key generation method is referenced as a VIS option.
• A new cryptogram generation method, Cryptogram Version 14, is referenced as a VIS option. NOTE: Cryptogram Version 14 is not currently supported in VisaNet systems and Issuers wishing to implement this option must be aware that they will not be eligible for VisaNet Authentication Services.
• The EMV Combined DDA/Generate AC option is included as a VSDC card option.

• The Online Authorization Indicator is optional in the card unless Issuer Authentication or Issuer Script processing is supported.
• A “Cumulative Total Transaction Amount Upper Limit” has been added.
• An Application Default Action bit has been added to allow issuers to send transactions online if issuer script processing failed on a previous transaction.
• The Visa Low-value Payment feature of VSDC has been added.

1.7 Reference Materials

The following documents contain additional information on Visa Smart Debit and Visa Smart Credit. The websites for obtaining these documents or information on obtaining them are listed below. For additional information, contact your Visa member representative.

1.7.1 International Organisation for Standardisation (ISO) Documents

Information on ordering these documents is available on http://www.iso.ch

• ISO 639:1988, Codes for the Representation of Names and Languages.
• ISO 3166:1997, Codes for the Representation of Names of Countries.
• ISO 4217:1995, Codes for the Representation of Currencies and Funds.
• ISO/IEC 7810:1995, Identification Cards—Physical Characteristics.
• ISO/IEC 7811:1995, Identification Cards—Recording Technique.
• ISO/IEC 7812:1994, Identification Cards—Identification of Issuers.
• ISO/IEC 7813:1995, Identification Cards—Financial Transaction Cards.
• ISO/IEC 7816-4:1995, Identification Cards—Integrated Circuit Cards with Contacts—Part 4: Interindustry Commands for Interchange.
• ISO/IEC 7816-5:1994, Identification Cards—Integrated Circuit Cards with Contacts—Part 5: Numbering System and Registration Procedure for Application Identifiers.
• ISO 8583:1987, Bank Card Originated Messages—Interchange Message Specifications—Content for Financial Transactions.
• ISO 8583:1993, Financial Transaction Card Originated Messages—Interchange Message Specifications.
• ISO 8859:1987, Information Processing—8-bit Single-Byte Coded Graphic Character Sets.
• ISO 9564:1991, Banking—Personal Identification Number Management and Security.

1.7.2 EMV Documents

Available on the EMVCo Website: http://www.emvco.com/specifications.cfm

• EMV 2000 Integrated Circuit Card Specification for Payment Systems, Book 1, Application Independent ICC to Terminal Interface Requirements, Version 4.0, December, 2000.
• EMV 2000 Integrated Circuit Card Specification for Payment Systems, Book 2, Security and Key Management, Version 4.0, December, 2000.
• EMV 2000 Integrated Circuit Card Specification for Payment Systems, Book 3, Application Specification, Version 4.0, December, 2000.
• EMV 2000 Integrated Circuit Card Specification for Payment Systems, Book 4, Cardholder, Attendant and Acquirer Interface Requirements, Version 4.0, December, 2000.

1.7.3 Visa Documents

Available on the Visa website: http://wwws2.visa.com/nt/chip/visdownload.html

• Visa Integrated Card Specification (Application Overview, Card Specification, and Terminal Specification) (VIS versions 1.3.2 and 1.4.0)
• VIS Corrections and Updates

Available on the Visa website: http://visa.com/nt/suppliers/vendor

• Chip Card Products: Submission Requirements—Describes Visa International requirements for approval of new and upgraded chip card products.
• Chip Card Products: Testing and Approval Requirements—Describes Visa International requirements for approval of new and upgraded chip card products. It summarizes Visa’s present testing services, policies, and pricing. Visa supports and recognizes approvals by EMVCo, LLC for EMV level 1 (Interface Module) and EMV level 2 (device application). EMVCo is the owner of the EMV Integrated Circuit Card Specifications for Payment Systems. EMVCo specifications, type approval administrative documentation, test requirements and test cases for EMV levels 1 and 2 may be obtained through the EMVCo website www.emvco.com.

• Common Personalization—A guide to a common approach to personalization of all applications. NOTE: This guide is the final authority for non-application specific requirements.
• Common Personalization for Visa Smart Debit and Credit (VSDC)—A guide to personalization of VSDC Applications using the Common Personalization Approach. NOTE: The Visa Smart Debit and Visa Smart Credit Personalization Templates have been added to this document.

Available on Visa InSite Global Products eLibrary: (http://insite/global/Consumer Platform Search/content) or through a regional representative:

• Certificate Authority User’s Guide—Visa Smart Debit and Visa Smart Credit, Visa Cash—Information and procedures related to the Visa Certificate Authority including Visa Certificate Authority Public Keys and Issuer Public Key Certificates.
• Visa Smart Debit and Visa Smart Credit Certification Authority Key Revocation Visa Policies and Procedures—The Visa-specific policies and procedures related to key revocation.
• Visa Smart Debit and Visa Smart Credit Member Implementation Guide for Acquirers—Describes best practices, considerations, suggestions, and step-by-step activities to assist with implementation for VSDC Acquirers.
• Visa Smart Debit and Visa Smart Credit Member Implementation Guide for Issuers—Describes best practices, considerations, suggestions, and step-by-step activities to assist with implementation for VSDC Acquirers.
• Visa Smart Debit and Visa Smart Credit Planning Guide—A reference guide and roadmap for Acquirers and Issuers implementing Visa Smart Debit or Visa Smart Credit programs. It describes the components and decisions necessary for program implementation and focuses on what is new and different about implementing a Visa Smart Debit or Visa Smart Credit program.
• Visa Smart Debit/Visa Smart Credit Service Description—A document focusing on the features and benefits of the service.
• VSDC Service Activation Guide (SAG)—Describes planning considerations, business aspects, technical aspects and other regional tasks associated with completing a member implementation of VSDC.

Available on Visa InSite or through a Visa regional representative: http://insite/ref/docs

• Card Acceptance Device Reference Guide: Requirements and Best Practices Version 5.0—Provides vendors with insight towards designing their card acceptance devices to meet current and future industry and Visa scheme specific requirements and best practices.
• Visa Certification Management Service (VCMS) Testing and Certification Guide-VIP System, Member Version—A guide for the VIP System component of the VisaNet Certification Management System.
• Visa Certification Management Service (VCMS) User’s Manual-BASE II System—A guide for the BASE II System component of the VisaNet Certification Management System.
• VisaNet Card Technology Standards Manual—The standards applied to PINs, PIN-related security, and the management of cryptographic keys as well as the guidelines for encoding account and cardholder data on Track 1 and Track 2 of the magnetic stripe of a Visa card.

Available on Visa InSite or through a Visa regional representative: http://insite/dept/buspubs1/library/vsmart/techlet.pdf

• Visa Smart Debit and Visa Smart Credit System Technical Manual—A document that describes the changes to VisaNet to support VSDC.

Available on Visa InSite or through a Visa regional representative: http://insite/dynaweb/opregs

• Visa International Operating Regulations—Specifies standards all Members must meet to operate and participate in Visa Payment Services (Volumes I-IV).
• Visa Smart Payment Operating Principles Guide—Board-approved payment service principles for Visa Smart Debit and Visa Smart Credit.

Available by request to the VSDC Hotline:

• Visa Smart Debit/Visa Smart Credit Early & Full Data Options for Host Systems—Provides Member center managers with an overview of the Early and Full options for their host systems.

Available through Visa regional representative:

• Visa Smart Debit/Credit Certificate Authority Internal Procedures—Describes guidelines for enrolling the Visa Certificate Authority and is intended for use by Regional staff supporting VSDC.


2 Processing Overview

This chapter provides an overview of a Visa Smart Debit and Visa Smart Credit (VSDC) transaction.

2.1 Functional Overview

The following functions are used in VSDC transaction processing. This is followed by a transaction flow showing the order in which these functions may be performed and the commands sent by the terminal to the card for communications. Charts at the end of the chapter show functional and command support requirements for cards and terminals.

Functions marked as mandatory are performed for all transactions, though some steps within the mandatory functions may be optional. Functions not marked mandatory are optional and are performed based upon parameters in the card or terminal, or both. Regions may have additional restrictions and requirements.

2.1.1 Application Selection (mandatory)

When a VSDC card is presented to a terminal, the terminal determines which applications are supported by both the card and terminal. The terminal displays all mutually supported applications to the cardholder, and the cardholder selects the application to be used for payment. If these applications cannot be displayed, the terminal selects the highest priority application as designated by the issuer during card personalization.
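How the candidate list and the final choice described above fit together, including the Partial Selection restriction from the Impact Summary, as an added example (not code from the Visa specification). The `CardApplication` and `TerminalAid` types, the priority convention (1 = highest, 0 = none assigned, as in EMV) and every AID other than “A0000000031010” are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CardApplication:
    aid: bytes       # AID (ADF name) of an application on the card
    label: str
    priority: int    # assumed EMV convention: 1 = highest ... 15, 0 = none


@dataclass(frozen=True)
class TerminalAid:
    aid: bytes
    partial_selection_supported: bool  # terminal indicator for this AID


def is_mutually_supported(app: CardApplication, entry: TerminalAid) -> bool:
    """Exact AID match, or a prefix match only when the terminal's
    indicator for that AID allows Partial Selection."""
    if app.aid == entry.aid:
        return True
    return entry.partial_selection_supported and app.aid.startswith(entry.aid)


def build_candidate_list(card_apps: List[CardApplication],
                         terminal_aids: List[TerminalAid]) -> List[CardApplication]:
    """Step 1: applications supported by both card and terminal,
    highest priority first (no priority assigned sorts last)."""
    candidates = [app for app in card_apps
                  if any(is_mutually_supported(app, e) for e in terminal_aids)]
    return sorted(candidates, key=lambda a: (a.priority == 0, a.priority))


def select_application(candidates: List[CardApplication],
                       cardholder_choice: Optional[int] = None
                       ) -> Optional[CardApplication]:
    """Step 2: the cardholder picks from the displayed list; when the list
    cannot be displayed (choice is None) the highest priority entry wins."""
    if not candidates:
        return None
    if cardholder_choice is None:
        return candidates[0]
    if not 0 <= cardholder_choice < len(candidates):
        raise ValueError("choice is not an entry of the displayed list")
    return candidates[cardholder_choice]


# AID of the Visa Debit Credit application, as given in Table 3-1.
VISA_AID = bytes.fromhex("A0000000031010")

# Constructed card contents: one exact AID, one extended AID, one unrelated AID.
CARD_APPS = [
    CardApplication(bytes.fromhex("A000000003101002"), "Constructed Debit", 2),
    CardApplication(VISA_AID, "Constructed Credit", 1),
    CardApplication(bytes.fromhex("F0000000010101"), "Constructed Other", 3),
]

if __name__ == "__main__":
    for allowed in (False, True):
        found = build_candidate_list(CARD_APPS, [TerminalAid(VISA_AID, allowed)])
        print("partial selection", allowed, "->", [a.label for a in found])
```

With Partial Selection disallowed the extended AID never reaches the candidate list, so it cannot be offered to the cardholder or chosen by priority.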

2.1.2 Initiate Application Processing/Read Application Data (mandatory)

When a VSDC application is selected, the terminal requests that the card indicate the data and functions supported for that application. The card may indicate different data or different support functions based upon characteristics of the transaction such as domestic or international. The terminal reads the data indicated by the card and uses the supported function list to determine the processing to perform.

2.1.3 Offline Data Authentication

The terminal determines whether it should authenticate the card offline using either offline static or dynamic data authentication based upon the card and terminal support for these methods.

Offline Static Data Authentication (SDA) validates that important application data has not been fraudulently altered since card personalization. The terminal validates static (unchanging) data from the card using the card’s Issuer Public Key, which is stored on the card inside a public key certificate and a digital signature, which contains a hash of important application data encrypted with the Issuer Private Key. A match of the recovered hash with a generated hash of the actual application data proves that the data has not been altered.

Offline Dynamic Data Authentication (DDA), like SDA, validates that the card data has not been fraudulently altered and additionally validates that the card is genuine. DDA has two forms: Standard DDA and Combined DDA/Generate AC. With Standard DDA, the terminal requests that the card generate a cryptogram using dynamic (transaction unique) data from the card and terminal and an ICC Private Key. The terminal decrypts this dynamic signature using the ICC Public Key recovered from card data. A match of the recovered data to the original data verifies that the card is not a counterfeit card created with data skimmed (copied) from a legitimate card. With Combined DDA/AC Generation, the generation of the dynamic signature is combined with the generation of the card’s Application Cryptogram during Card Action Analysis to assure that the Application Cryptogram came from the valid card.

2.1.4 Processing Restrictions (mandatory)

The terminal performs Processing Restrictions to see whether the transaction should be allowed. The terminal checks whether the effective date for the card has been reached, whether the card has expired, whether the application versions of the card and terminal match, and whether any Application Usage Control restrictions are in effect. An issuer may use Application Usage Controls to restrict a card’s use for domestic or international, cash, goods, services, or cashback.

2.1.5 Cardholder Verification (mandatory)

Cardholder verification is used to ensure that the cardholder is legitimate and the card is not lost or stolen. The terminal uses a Card Verification Method (CVM) List from the card to determine the type of verification to be performed. The CVM List establishes a priority of cardholder verification methods, which consider the capabilities of the terminal and characteristics of the transaction to prompt the cardholder for a specific method of cardholder verification. If the CVM is offline PIN, the terminal prompts the cardholder for a PIN and transmits the cardholder-entered PIN to the card, which compares it to a Reference PIN stored secretly in the card. The CVM List may also specify other methods of cardholder verification, such as online PIN, signature, or no cardholder verification required. Under certain conditions, the terminal may use a default CVM as defined by Visa International Operating Regulations.

2.1.6 Terminal Risk Management (mandatory)

Terminal Risk Management checks whether the transaction is over the merchant floor limit, the account number is on an optional terminal exception file, the limit for consecutive offline transactions has been exceeded, the card is a new card, or the merchant has forced the transaction online. Some transactions are randomly selected for online processing.

Terminal Risk Management also includes optional velocity checking by the terminal using data elements from the card. The card data elements used are those defined by Europay, MasterCard, and Visa (EMV) specifications. Terminal velocity checking results are considered during Terminal Action Analysis. Visa recommends support for velocity checking by the card and the data elements used for card velocity checks are defined by Visa. Card velocity checking results are considered during Card Action Analysis.

2.1.7 Terminal Action Analysis (mandatory)

Terminal Action Analysis uses the results of Offline Data Authentication, Processing Restrictions, Terminal Risk Management, and Cardholder Verification and rules set in the card and terminal to determine whether the transaction should be approved offline, sent online for authorization, or declined offline. The card rules are set in fields called Issuer Action Codes (IACs) sent to the terminal by the card and the terminal rules are set in Terminal Action Codes (TACs).

After determining the transaction disposition, the terminal requests an application cryptogram from the card. The type of application cryptogram is based upon the transaction disposition with a Transaction Certificate (TC) for an approval, an Authorization Request Cryptogram (ARQC) for an online request, and an Application Authentication Cryptogram (AAC) for a decline.

2.1.8 Card Action Analysis (mandatory)

Upon receiving the application cryptogram request from the terminal, the card performs Card Action Analysis where Card Risk Management checks may be performed to determine whether to change the transaction disposition set by the terminal. These may include checks for prior incomplete online transactions, failure of Issuer Authentication or offline data authentication failure on a previous transaction, and count or amount velocity checking limits having been reached. The card may convert a terminal request for an offline approval to an online transaction or an offline decline, and the card may convert an online request to an offline decline. The card cannot override a terminal decision to decline a transaction.

After completion of the checks, the card generates the application cryptogram using application data and a secret DES key stored on the card. It returns this cryptogram to the terminal. For offline approved transactions, the TC and the data used to generate it are transmitted in the clearing message for future cardholder disputes or chargeback purposes, or both. The TC may be used as a ‘proof’ of transaction when a cardholder disputes a transaction and to verify that the transaction data has not been changed by the merchant or acquirer. For offline declined transactions, the cryptogram type is an AAC.

2.1.9 Online Processing

If the card and terminal determine that the transaction requires an online authorization, the terminal transmits an online authorization message to the issuer if the terminal has online capability. This message includes the ARQC cryptogram, the data used to generate the ARQC, and indicators showing offline processing results. During online processing, the issuer validates the ARQC to authenticate the card in a process called Online Card Authentication (CAM). The issuer may consider these CAM results and the offline processing results in its authorization decision.

The authorization response message transmitted back to the terminal may include an issuer-generated Authorization Response Cryptogram (ARPC) (generated from the ARQC, the Authorization Response Code, and the card’s secret DES key). The response may also include post-issuance updates to the card called Issuer Scripts.

If the authorization response contains an ARPC and the card supports Issuer Authentication, the card performs Issuer Authentication by validating the ARPC to verify that the response came from the genuine issuer (or its agent). Successful Issuer Authentication may be required for resetting certain security-related parameters in the card. This prevents criminals from circumventing the card’s security features by simulating online processing and fraudulently approving a transaction to reset card counters and indicators. If Issuer Authentication fails, subsequent transactions for the card will be sent online for authorization until Issuer Authentication is successful. The Issuer has the option to set up the card to decline the transaction if Issuer Authentication fails.

2.1.10 Issuer-to-Card Script Processing

If the issuer includes script updates in the authorization response message, the terminal passes the script commands to the card. Prior to applying the updates, the card performs security checking to assure that the script came from the valid issuer and was not altered in transit. Supported script commands allow updating offline processing parameters, blocking and unblocking the application, blocking the card, resetting the Offline PIN Try Counter, and changing the Offline PIN value.

2.1.11 Completion (mandatory)

The card and terminal perform final processing to complete the transaction. An issuer-approved transaction may be converted to a decline based upon Issuer Authentication results and issuer-encoded parameters in the card. The card uses the transaction disposition, Issuer Authentication results, and issuer-encoded rules to determine whether to reset card-based counters and indicators. The card generates a TC for approved transactions and an AAC for declined transactions.

If the terminal transmits a clearing message subsequent to an authorization message, the TC is transmitted in the clearing message. With single message systems or systems involving acquirer host data capture of approved transactions, the terminal must generate a reversal for issuer-approved transactions which are subsequently declined by the card.
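The disposition rules of Sections 2.1.7 and 2.1.8, as an added example (not code from the Visa specification). The 5-byte Terminal Verification Results (TVR) bitmap and the Denial/Online/Default split of the IACs and TACs follow the EMV specifications rather than this overview, and all action code values below are constructed samples.

```python
from enum import IntEnum


class Disposition(IntEnum):
    # Ordered from most to least restrictive outcome.
    DECLINE_OFFLINE = 0
    GO_ONLINE = 1
    APPROVE_OFFLINE = 2


# Cryptogram type that goes with each disposition (Section 2.1.7).
CRYPTOGRAM_TYPE = {
    Disposition.DECLINE_OFFLINE: "AAC",
    Disposition.GO_ONLINE: "ARQC",
    Disposition.APPROVE_OFFLINE: "TC",
}


def _rule_hit(tvr: bytes, iac: bytes, tac: bytes) -> bool:
    """True if any result bit set in the TVR is also set in the issuer's
    or the terminal's action code."""
    if not (len(tvr) == len(iac) == len(tac) == 5):
        raise ValueError("TVR, IAC and TAC must each be 5 bytes")
    return any(t & (i | a) for t, i, a in zip(tvr, iac, tac))


def terminal_action_analysis(tvr, iacs, tacs, online_capable):
    """Terminal's requested disposition from offline results and rules."""
    if _rule_hit(tvr, iacs["denial"], tacs["denial"]):
        return Disposition.DECLINE_OFFLINE
    if online_capable:
        if _rule_hit(tvr, iacs["online"], tacs["online"]):
            return Disposition.GO_ONLINE
        return Disposition.APPROVE_OFFLINE
    # Terminal cannot go online: the Default codes decide.
    if _rule_hit(tvr, iacs["default"], tacs["default"]):
        return Disposition.DECLINE_OFFLINE
    return Disposition.APPROVE_OFFLINE


def card_action_analysis(terminal_request, card_risk_result):
    """The card may only move the disposition toward a more restrictive
    outcome; it can never override a decline or upgrade an online request."""
    return min(terminal_request, card_risk_result)


def first_generate_ac(tvr, iacs, tacs, online_capable, card_risk_result):
    """Cryptogram type the card returns to the first GENERATE AC."""
    requested = terminal_action_analysis(tvr, iacs, tacs, online_capable)
    return CRYPTOGRAM_TYPE[card_action_analysis(requested, card_risk_result)]


# Constructed sample action codes. TVR bits used (EMV layout):
#   byte 1 0x40 = SDA failed             byte 2 0x40 = expired application
#   byte 3 0x80 = cardholder verification was not successful
#   byte 4 0x80 = transaction exceeds floor limit
IACS = {
    "denial": bytes.fromhex("0040000000"),
    "online": bytes.fromhex("4000808000"),
    "default": bytes.fromhex("4000800000"),
}
TACS = {
    "denial": bytes.fromhex("0000000000"),
    "online": bytes.fromhex("0000008000"),
    "default": bytes.fromhex("0000008000"),
}

if __name__ == "__main__":
    over_floor = bytes.fromhex("0000008000")
    print(first_generate_ac(over_floor, IACS, TACS, True,
                            Disposition.APPROVE_OFFLINE))
```

Because `card_action_analysis` takes the minimum of the two views, a terminal decline always stays a decline, which is the property Section 2.1.8 requires.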

Figure 2–1: Sample Transaction Flow

[Flowchart not reproduced. It pairs each terminal process (Application Selection, Initiate Application Processing, Read Application Data, Offline Data Authentication, Processing Restrictions, Cardholder Verification, Terminal Risk Management, Terminal Action Analysis, Online Processing, Issuer Authentication, Completion, Issuer-to-Card Script Processing) with the corresponding card process and the commands exchanged: SELECT, READ RECORD, GET PROCESSING OPTIONS, INTERNAL AUTHENTICATE (1), GET CHALLENGE (2), GET DATA (3), VERIFY (4), GENERATE APPLICATION CRYPTOGRAM, EXTERNAL AUTHENTICATE, and issuer-to-card script commands. The key distinguishes mandatory processes, mandatory processes with optional steps, and optional processes. Notes: 1 - If DDA; 2 - If Offline Enciphered PIN; 3 - Optional for Offline PIN; 4 - If Offline PIN.]

2.2 Mandatory and Optional Functionality

2.2.1 Card Functional Requirements

VSDC cards must support the mandatory functions shown in Table 2–1. Support for conditional functions is required if the associated condition is true. Optional functions may be supported at the issuer’s discretion or may be required by market, regional, or Visa rules.

Table 2–1: Card Functional Requirements (1 of 2)

Function | Card Support
Application Selection | Mandatory
• Directory Method | Optional (EMV)
• Explicit Selection Method | Mandatory (EMV)
Initiate Application Processing | Mandatory (EMV)
Read Application Data | Mandatory (EMV)
Offline Data Authentication | Optional (EMV)
• SDA | Optional (EMV); Conditional—If DDA supported (VIS)
• Standard DDA | Optional (EMV); Conditional—If Combined DDA/AC Generation supported (VIS)
• Combined DDA/AC Generation | Optional (EMV)
Processing Restrictions | Mandatory (EMV)
• Application Version Number | Mandatory (EMV)
• Application Usage Control | Optional (EMV)
• Effective Date Check | Optional (EMV)
• Expiration Date Check | Mandatory (EMV)
Cardholder Verification | Optional (EMV); Required (VIS)
• Individual CVMs | Optional (EMV); Required (VIS)

Table 2–1: Card Functional Requirements (2 of 2)

Function | Card Support
Terminal Risk Management | Optional (EMV); Mandatory (VIS)
• Terminal Exception File | n/a (Card plays no role)
• Merchant Force Online | n/a (Card plays no role)
• Floor Limits | n/a (Card plays no role)
• Transaction Log | n/a (Card plays no role)
• Random Selection | n/a (Card plays no role)
• Velocity Checking | Optional (EMV); Not supported but not precluded (VIS)
• New Card | Optional (VIS)
Terminal Action Analysis | IACs optional (EMV); IACs required (VIS)
Card Action Analysis | Mandatory (EMV)
• Online/offline decision | Mandatory (EMV)
• Offline referrals | Optional (EMV); Not supported (VIS)
• Card Risk Management | Optional (EMV); Mandatory (VIS). Some Card Risk Management steps are optional in VIS (refer to the Visa Integrated Circuit Card Specification, Chapter 11, Card Action Analysis)
• Advice Messages | Optional (EMV)
• Application Cryptogram | Algorithm option provided (EMV); Multiple algorithm options provided (VIS)
Online Processing |
• Online Capability | Mandatory (EMV)
• Issuer Authentication | Optional (EMV)
Completion | Mandatory (EMV)
Issuer-to-Card Script Processing | Optional (EMV)
• Secure Messaging | Some form is mandatory if scripts supported (EMV); Recommended form (VIS)

2.2.2 Terminal Functional Requirements

VSDC terminals are required to support the mandatory functions shown in Table 2–2. Support for conditional functions is required if the associated condition is true. Optional functions may be supported at the merchant or acquirer’s discretion or may be required by market, regional, or Visa operating regulations.

Table 2–2: Terminal Functional Requirements (1 of 2)

Function | Terminal Support
Application Selection | Mandatory
• Directory Method | Optional (EMV)
• Explicit Selection Method | Mandatory (EMV)
• Implicit Selection Method | Not used for financial interchange (EMV)
Initiate Application Processing | Mandatory (EMV)
Read Application Data | Mandatory (EMV)
Offline Data Authentication | Conditional—If offline capable (EMV)
• SDA | Conditional—If offline capable terminal (EMV) or if DDA supported (EMV)
• Standard DDA | Optional (EMV); Conditional—If DDA/AC Generation supported (VIS) (VIS recommends for offline capable terminals)
• Combined DDA/AC Generation | Optional (EMV)
Processing Restrictions | Mandatory (EMV)
• Application Version Number | Mandatory (EMV)
• Application Usage Control | Mandatory (EMV)
• Effective Date Checking | Mandatory (EMV)
• Expiration Date Checking | Mandatory (EMV)
Cardholder Verification | Mandatory (EMV) with Operating Regulation exceptions (VIS)
• No CVM Required | Mandatory (EMV)
• Fail CVM Processing | Mandatory (EMV)
• Other CVMs (Offline PIN, Online PIN, signature, etc.) | Optional (EMV) with Operating Regulation exceptions (VIS)

Table 2–2: Terminal Functional Requirements (2 of 2)

Function | Terminal Support
Terminal Risk Management | Conditional—If merchant controlled terminal (EMV). Some functions do not apply for online-only or offline-only terminals (EMV)
• Terminal Exception File | Optional (EMV)
• Merchant Force Online | Optional (EMV)
• Floor Limits | Mandatory (EMV)
• Transaction Log | Optional (EMV)
• Random Selection | Conditional—If both online & offline capable (EMV)
• Velocity Checking | Conditional—If offline capable
• New Card | Mandatory
Terminal Action Analysis | Mandatory (EMV)
Card Action Analysis | n/a (card function)
Online Processing |
• Online Capability | Optional (EMV and VIS)
• Advice Messages | Optional (EMV and VIS)
• Issuer Authentication | Conditional—If online capable
Completion | Mandatory
Issuer-to-Card Script Processing | Conditional—If online capable
Miscellaneous Functions |
• Cardholder amount validation | Recommended (EMV)
• Voice Referrals | Recommended
• Card initiated referrals | Not supported (VIS)
• Merchant forced acceptance | Optional (EMV)
• Prompt for chip read | Mandatory (EMV)

2.2.3 Command Support Requirements

Card and terminal support for the VSDC commands is shown in Table 2–3.

Table 2–3: Command Support Requirements (1 of 2)

Command | Card Support | Terminal Support
APPLICATION BLOCK | Application blocking capability is optional. If supported, using APPLICATION BLOCK is recommended (VIS) | Pass through from Issuer mandatory (VIS)
APPLICATION UNBLOCK | Application unblocking capability is optional. If supported, using APPLICATION UNBLOCK is recommended (VIS) | Pass through from Issuer mandatory (VIS)
CARD BLOCK | Card blocking capability is recommended. CARD BLOCK command is one method (VIS) | Pass through from Issuer mandatory (VIS)
EXTERNAL AUTHENTICATE | Conditional—If Issuer Authentication supported (EMV) | Conditional—If online-capable (EMV)
GENERATE APPLICATION CRYPTOGRAM (AC) | Mandatory (EMV) | Mandatory (EMV)
GET CHALLENGE | Conditional—If Offline Enciphered PIN supported (EMV) | Conditional—If Offline Enciphered PIN supported (EMV)
GET DATA | Optional (EMV); Mandatory (VIS) | Conditional—If ATM or merchant controlled device (EMV)
GET PROCESSING OPTIONS | Mandatory (EMV) | Mandatory (EMV)
INTERNAL AUTHENTICATE | Conditional—If DDA supported (EMV) | Conditional—If DDA supported (EMV)
PIN CHANGE/UNBLOCK | Unblocking PIN—Conditional if Offline PIN supported. Method used may be PIN CHANGE/UNBLOCK (VIS). PIN Change—Optional, must be in issuer controlled environment (VIS) | Performed at special issuer-controlled devices

Table 2–3: Command Support Requirements (2 of 2)

Command | Card Support | Terminal Support
PUT DATA | Optional (VIS) | Pass through from Issuer mandatory (VIS)
READ RECORD | Mandatory (EMV) | Mandatory (EMV)
SELECT | Mandatory (EMV) | Mandatory (EMV)
UPDATE RECORD | Optional (VIS) | Pass through from Issuer mandatory (VIS)
VERIFY | Conditional—If Offline PIN supported (EMV) | Conditional—If Offline PIN supported (EMV)

2.3 Visa Low-Value Payment (VLP) Feature

The Visa Low-value Payment (VLP) feature of VSDC offers an optional source of pre-authorized spending power that is reserved for rapid processing of offline low-value payments. VLP supports a cumulative amount limit and a per transaction amount limit. The amount of spending power is reset to the spending limit at any online capable VSDC terminal if an online authorization or status check transaction is approved by the issuer and the card. A reset without a financial transaction can also take place at a dedicated online unattended device, which performs an online status check. For details on VLP, refer to Appendix G of the Card Volume and Appendix D of the Terminal Volume of this specification.

2.3.1 Overview

Risk management features may differ from those supported for non-VLP VSDC and are selected by the issuer. Since VLP consists of many low-value transactions, adding these transactions to standard VSDC velocity checking counters could cause VSDC transactions to be processed online more frequently than intended by issuers. Therefore, standard VSDC velocity checking counters are not incremented by VLP transactions.

3 Application Selection

Application Selection is the process of determining which of the applications that are supported by both the card and terminal will be used to conduct the transaction. This process takes place in two steps:
1. The terminal builds a candidate list of mutually supported applications.
2. A single application from this list is identified and selected to process the transaction.

This chapter is organized into the following sections:
3.1 Card Data
3.2 Terminal Data
3.3 Commands
3.4 Building the Candidate List
3.5 Identifying and Selecting the Application
3.6 Flow
3.7 Subsequent Related Processing

3.1 Card Data
The card data elements used in Application Selection are listed and briefly described in Table 3–1. For a detailed description of these elements and their usage, refer to the Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table.

Table 3–1: Application Selection—Card Data

Application Definition File (ADF)
  The ADF is a file, which is the entry point to application elementary files (AEF), which contain data elements for the application. The ADF contains information about the application such as the name of the application, language preferred and the priority of the application relative to other applications on the card.

Application Elementary Files (AEF)
  AEF contains data elements used by the application in processing.

Application Identifier (AID)
  The AID is composed of the Registered Application Provider Identifier (RID) and the Proprietary Application Identifier Extension (PIX). The AID identifying the Visa Debit Credit application is “A0000000031010”.

Directory Definition File (DDF)
  A DDF is a file that designates the structure of files beneath it.

Directory File
  A directory file is a file listing files contained within the directory. The terminal uses a READ RECORD command to access directory files.

File Control Information (FCI)
  The FCI is information from the card about the application that is provided in response to the SELECT command issued by the terminal.

Payment Systems Directory
  The Payment Systems Directory is a directory file containing entries for applications that conform to Europay, MasterCard, and Visa (EMV) specifications.

Payment Systems Environment (PSE)
  The PSE is a DDF named “1PAY.SYS.DDF01”. The directory file designating the structure of the files beneath the PSE is known as the Payment Systems Directory.

Processing Options Data Object List (PDOL)
  The PDOL is a list of tags and lengths for terminal data needed by the card. It is obtained from the card by the terminal using the SELECT command. The terminal provides the data requested in the list to the card in the GET PROCESSING OPTIONS command.

Short File Identifier (SFI)
  The SFI is a pointer to Elementary Files (EF)

3.2 Terminal Data
The terminal data elements used in Application Selection are listed and described in Table 3–2. For a detailed description of these elements and their usage, refer to the Visa Integrated Circuit Card Terminal Specification, Appendix A, Card and Issuer Data Elements Table.

Table 3–2: Application Selection—Terminal Data

Application Identifier (AID)
  The AID is composed of the Registered Application Provider Identifier (RID) and the Proprietary Application Identifier Extension (PIX). The AID identifying the Visa Debit Credit application is “A0000000031010”.

Application Selection Indicator
  Indicates whether the associated AID in the terminal must exactly match the AID in the card including the length of the AID, or only up to the length of the AID in the terminal. There is only one Application Selection Indicator per AID in the terminal and its format is at the discretion of the terminal vendor.

List of supported applications
  The terminal shall maintain a list of application AIDs supported by the terminal.

3.3 Commands

SELECT
The terminal sends the SELECT command to the card to obtain information from the card about an application supported by the card. This information may be issuer preferences as to the priority in which the application is selected, the name of the application, and the language in which information is displayed to the cardholder. The card’s response contains the Processing Options Data Object List (PDOL), if present on the card. The PDOL is used during Initiate Application Processing. In the card response to the SELECT command, response codes are used to indicate processing results.

READ RECORD
The terminal sends the READ RECORD command to the card to read the records in the PSE (if Directory Selection is supported) or other DDFs in the List of AIDs Selection Method. The command includes the Short File Identifier (SFI) of the file to be read and the record number of the record within the file. In response to the READ RECORD command, the card provides the requested record to the terminal.

3.4 Building the Candidate List
There are two approaches used by the terminal to build a list of mutually supported applications.

• Directory Selection Method is optional for cards and terminals, but if supported by the terminal, it is attempted first. In the Directory Selection Method, the terminal reads a file from the card. This file is a list of the applications supported by the card. The terminal includes any applications listed on both the card list and the terminal list on the candidate list. If the Directory Selection Method is attempted and fails, the terminal uses the List of AIDs Method.

• List of AIDs Selection Method is mandatory for cards and terminals. In the List of AIDs Selection Method, the terminal issues a SELECT command for each terminal-supported application in a list contained in the terminal. If the card response indicates that the card also supports the application, the terminal adds the application to the candidate list.

NOTE: Terminals may eliminate applications from the final candidate list under conditions specified in Visa Operating Principles and Regulations.

3.5 Identifying and Selecting the Application
If there are no mutually supported applications, the transaction is terminated. If there is at least one mutually supported application, the processing is as described in the following sections.

3.5.1 Terminal Makes Application Decision
A terminal that does not support cardholder selection or confirmation shall issue a SELECT command to the highest priority application that does not require confirmation. If more than one application has the highest priority, the terminal may issue a SELECT command for either application. If the Directory Selection Method was used to build the list of applications, the card’s response to the SELECT command may indicate that the application is blocked. If this occurs, and there are more available applications on the list of available applications, the terminal should issue a SELECT command for the application with the next highest priority.
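The candidate-list matching of section 3.4 and the terminal-decides path of section 3.5.1, as an added example (not code from the Visa specification). The card directory is modelled as plain records rather than parsed card data, the priority numbering (1 = highest) and every AID other than “A0000000031010” are constructed for illustration, and the status words are the two named in Figure 3–1.

```python
from dataclasses import dataclass

SW_SUCCESS = "9000"   # selection successful (Figure 3-1)
SW_BLOCKED = "6283"   # application blocked (Figure 3-1)


@dataclass(frozen=True)
class CardApp:
    """One application listed by the card (modelled, not parsed from a real card)."""
    aid: str                          # hex string
    priority: int                     # assumption for this example: 1 = highest
    needs_confirmation: bool = False


@dataclass(frozen=True)
class TerminalAid:
    """One entry of the terminal's list of supported applications."""
    aid: str
    exact_match: bool                 # Application Selection Indicator (format is vendor-defined)


def aid_matches(term: TerminalAid, card_aid: str) -> bool:
    """Exact match including length, or match only up to the terminal AID's length."""
    card_aid, wanted = card_aid.upper(), term.aid.upper()
    return card_aid == wanted if term.exact_match else card_aid.startswith(wanted)


def build_candidate_list(card_directory, terminal_aids):
    """Keep the card applications that the terminal also supports."""
    return [app for app in card_directory
            if any(aid_matches(t, app.aid) for t in terminal_aids)]


def terminal_selects(candidates, send_select):
    """Section 3.5.1: no cardholder interaction.

    Tries applications that need no confirmation in priority order. A response
    other than 9000 (for example 6283, blocked) drops that application and the
    next one is tried. Returns (selected AID or None, list of (AID, SW)).
    None means no application is left and the transaction is terminated.
    """
    available = sorted((a for a in candidates if not a.needs_confirmation),
                       key=lambda a: a.priority)   # stable: ties keep order encountered
    trace = []
    for app in available:
        sw = send_select(app.aid)
        trace.append((app.aid, sw))
        if sw == SW_SUCCESS:
            return app.aid, trace
    return None, trace


def make_card(blocked_aids):
    """Simulated card: answers SELECT with 6283 for blocked AIDs, else 9000."""
    def send_select(aid):
        return SW_BLOCKED if aid in blocked_aids else SW_SUCCESS
    return send_select


# Constructed sample data. Only A0000000031010 comes from the page.
CARD_DIRECTORY = [
    CardApp("A0000000031010", priority=2),
    CardApp("A000000003101002", priority=3),
    CardApp("A000000003101003", priority=1, needs_confirmation=True),
    CardApp("F0000000010001", priority=1),          # not supported by the terminal
]

if __name__ == "__main__":
    partial = [TerminalAid("A0000000031010", exact_match=False)]
    candidates = build_candidate_list(CARD_DIRECTORY, partial)
    print([a.aid for a in candidates])
    print(terminal_selects(candidates, make_card({"A0000000031010"})))
```

The priority 1 application is never tried here because it requires confirmation, which this kind of terminal cannot obtain.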

3.5.2 Cardholder Makes Account Decision

3.5.2.1 Terminal Supports Cardholder Confirmation
A terminal that does not support cardholder selection from a list of displayed applications, but supports cardholder confirmation of an application shall first request cardholder confirmation for the highest priority application. If more than one application has the same priority, the terminal may process in the order encountered or choose one of the applications. If the cardholder confirms the choice, the terminal uses the SELECT command to select the application. If the cardholder does not confirm, the terminal offers the next highest priority application until the cardholder confirms or there are no more available applications. If the Directory Selection Method was used to build the list of applications, the card’s response to the SELECT command may indicate that the application is blocked. If this occurs, and there are more available applications on the list, the terminal should remove the rejected application from the list of available applications and request confirmation of the next available application.

3.5.2.2 Terminal Supports Cardholder Selection
A terminal that supports cardholder selection shall present a list of applications in priority order to the cardholder for selection. If more than one application is given the same priority, the terminal may display them to the cardholder in the order encountered or decide the priority. The cardholder selects the application from the list and the terminal uses the SELECT command to select the application. If the cardholder does not select an application, the terminal terminates the transaction. If the Directory Selection Method was used to build the list of applications, the card’s response to the SELECT command may indicate that the application is blocked. If this occurs, and there are more available applications on the list, the terminal should display “Try Again” and display the list of available applications excluding the rejected applications.

3.6 Flow

Figure 3–1: Application Selection
[Flowchart not reproduced. The terminal checks for card applications supported and builds the candidate list; if there are no mutually supported applications, the terminal terminates the transaction. The terminal identifies an application by cardholder selection from a list displayed by priority, by cardholder confirmation of the highest priority application, or by taking the highest priority application not requiring confirmation. The terminal issues the SELECT command with the identified application. The card responds with the FCI for the requested AID and “9000” (selection successful) or “6283” (application blocked) or other SW1SW2. On “9000” the terminal proceeds to Initiate Application Processing; otherwise the terminal removes the application from the list and repeats.]

3.7 Subsequent Related Processing

Initiate Application Processing
The GET PROCESSING OPTIONS command sent to the card by the terminal includes any terminal data elements specified in the PDOL. If supported, the PDOL was included in the SELECT response during Application Selection. If geographic restrictions do not permit the selected application to be initiated, the terminal terminates the transaction and returns to Application Selection for selection of another application.


4 Initiate Application Processing

During Initiate Application Processing, the terminal issues the GET PROCESSING OPTIONS command to the card to signal that transaction processing is beginning. When issuing this command, the terminal supplies the card with any recognized data elements requested by the card in a Processing Options Data Objects List (PDOL). The PDOL is a list of tags and lengths of data elements, optionally provided by the card to the terminal during Application Selection. The card responds to the GET PROCESSING OPTIONS command with the Application File Locator (AFL), a list of files and records that the terminal needs to read from the card. The card also provides the Application Interchange Profile (AIP), a list of functions to be performed in processing the transaction.

This chapter is organized into the following sections:
4.1 Card Data
4.2 Terminal Data
4.3 GET PROCESSING OPTIONS Command
4.4 Terminal Processing
4.5 Card Processing
4.6 Terminal Processing
4.7 Flow
4.8 Prior Related Processing
4.9 Subsequent Related Processing

4.1 Card Data
The card data elements used in Initiate Application Processing are listed and described in Table 4–1. For a detailed description of these elements and their usage, refer to the Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table.

Table 4–1: Initiate Application Processing—Card Data

Application File Locator (AFL)
  Indicates the file location and range of records that contain card data to be read by the terminal for use in transaction processing.

Application Interchange Profile (AIP)
  A list that indicates the capability of the card to support specific functions in the application (Static Data Authentication (SDA), Dynamic Data Authentication (Standard DDA), Cardholder Verification, Issuer Authentication, and Combined DDA/AC Generation).

File Control Information (FCI)
  The FCI is information from the card about the application that is provided in response to the SELECT command issued by the terminal.

Geographic Indicator
  Visa proprietary data element indicating whether a card supports domestic transactions, international transactions or both.

Issuer Country Code
  Visa proprietary data element indicating the issuer’s country code. Used in the Geographic Restrictions check if this check is supported by the card. It may also be used to determine which records from the card should be read by the terminal based on whether a transaction is domestic or international.

Processing Options Data Object List (PDOL)
  The PDOL is an optional list of tags and lengths for terminal data requested by the card. It is part of the FCI obtained from the card by the terminal using the SELECT command. The terminal provides the data requested in the list to the card in the GET PROCESSING OPTIONS command.

4.2 Terminal Data
The terminal data elements used in Initiate Application Processing are listed and described in Table 4–2. For a detailed description of these data elements and their usage, refer to the Visa Integrated Circuit Card Terminal Specification, Appendix A, Card and Issuer Data Elements Table.

Table 4–2: Initiate Application Processing—Terminal Data

Terminal Country Code
  Terminal data indicating the country of the terminal. It is provided to the card in the GET PROCESSING OPTIONS command if requested by the card.

4.3 GET PROCESSING OPTIONS Command
The GET PROCESSING OPTIONS command from the terminal signals the card that transaction processing is beginning. The terminal also uses a list (if present), called the Processing Options Data Objects List or PDOL, which was provided by the card during Application Selection. The terminal includes the data specified in the PDOL in the GET PROCESSING OPTIONS command.

4.4 Terminal Processing
To Initiate Application Processing, the terminal:
1. Extracts the Processing Options Data Objects List (if present) from the File Control Information (FCI) provided by the card in response to the SELECT command.
2. Sends the GET PROCESSING OPTIONS command to the card. Any data elements requested in the PDOL and recognized by the terminal are passed to the card in this command.

4.5 Card Processing
Upon receiving the GET PROCESSING OPTIONS command, the card performs the following actions:
1. Performs Geographic Restrictions Check, if supported. Compares Terminal Country Code (if requested in the PDOL and returned by the terminal) to Issuer Country Code to determine if the transaction is domestic or international, to determine if restrictions apply.
2. Determines the files and records that are to be read (they may differ for domestic/international) and locates or builds the AFL. The terminal may return a different AIP in the response to GET PROCESSING OPTIONS.
3. If Geographic Restrictions are checked and apply, the card responds to the GET PROCESSING OPTIONS command with an error code “Conditions of use not satisfied”.
4. If geographic restrictions are not checked, or are checked and do not apply, the card increments the Application Transaction Counter (ATC) by 1 and responds to the GET PROCESSING OPTIONS command with the AIP and AFL.

4.6 Terminal Processing
The terminal processes the response to the GET PROCESSING OPTIONS command from the card as follows:
1. Receives the card response to the GET PROCESSING OPTIONS command
2. If the card responds with “Conditions of use not satisfied”, the terminal:
   a. Removes the application from the list of available applications
   b. Returns to Application Selection
3. If the card responds with the AFL and the AIP, the terminal:
   a. Proceeds to Read Application Data

4.7 Flow

Figure 4–1: Initiate Application Processing Flow
[Flowchart not reproduced. Terminal: reads the PDOL for terminal data to be provided to the card and issues GET PROCESSING OPTIONS (includes data requested by card in PDOL). Card: if it supports the Geographical Restrictions Check, tests whether Terminal Country Code = Issuer Country Code and whether domestic or international transactions are allowed; it either responds to GET PROCESSING OPTIONS with “Conditions of use not satisfied”, or determines which records and files are to be read by the terminal and returns AFL and AIP. Terminal: on “Conditions of use not satisfied”, eliminates this application from the list of available applications and returns to Application Selection (Chapter 3); on receiving AFL and AIP, proceeds to Read Application Data (Chapter 5).]

4.8 Prior Related Processing

Application Selection
The card supplies the PDOL (if present) to the terminal as part of the FCI provided in response to the SELECT command.

4.9 Subsequent Related Processing

Read Application Data
The AFL provided by the card in response to the GET PROCESSING OPTIONS command is used by the terminal to determine what application data to read from the card and what data is to be used in Offline Data Authentication.

Offline Data Authentication
The AIP provided by the card in response to the GET PROCESSING OPTIONS command is used by the terminal to determine if the card supports Offline Data Authentication.

Cardholder Verification
The AIP provided by the card in response to the GET PROCESSING OPTIONS command is used by the terminal to determine if the card supports Cardholder Verification.

Online Processing
The AIP provided by the card in response to the GET PROCESSING OPTIONS command is used by the terminal to determine if the card supports Issuer Authentication.

5 Read Application Data

During Read Application Data, the terminal reads the card data necessary to process the transaction and determines the data to be authenticated during Static Data Authentication (SDA) or Dynamic Data Authentication (DDA).

This chapter is organized into the following sections:
5.1 Card Data
5.2 Terminal Data
5.3 READ RECORD Command
5.4 Processing
5.5 Flow
5.6 Prior Related Processing
5.7 Subsequent Related Processing

5.1 Card Data
A detailed description of these card data elements and their usage is found in the Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table.

The data element described in Table 5–1 was previously sent from the card to the terminal in the response to GET PROCESSING OPTIONS and is used during Read Application Data.

Table 5–1: Read Application Data—Previously Sent Card Data

Application File Locator (AFL)
  Indicates the file location and range of records containing card data to be read by the terminal for use in transaction processing. Each entry designates the first record and last record numbers to read from the file and which records are to be used for authentication during Offline Data Authentication.

The terminal uses the card data structures described in Table 5–2 during Read Application Data.

Table 5–2: Read Application Data—Card Data

Application Elementary Files (AEF)
  Card data files containing data used for application processing. An AEF consists of a sequence of records that are addressed by record number. The terminal reads these records using the READ RECORD command. The READ RECORD command contains a designation of the SFI and record number to be read, which the terminal obtains from the AFL.

Short File Identifier (SFI)
  The SFI is a number used to uniquely identify application data files. It is listed in the AFL and used by the terminal to identify the files to be read.

5.2 Terminal Data
No terminal data is used in the Read Application Data function.

5.3 READ RECORD Command
The terminal sends the card a READ RECORD command for each record to be read. The command includes a Short File Identifier (SFI) that identifies the file and a record number to identify the record within the file. The card’s response to the READ RECORD command contains the requested record.

5.4 Processing
The terminal uses the Application File Locator (AFL) from the card to determine which records to read from the card. For each AFL entry, the terminal uses the READ RECORD command to request the first record designated to be read. When the requested record is received from the card, the terminal saves the data objects from the record for subsequent processing. If the AFL entry has specified that the record is needed in authentication of static data during Offline Data Authentication, the terminal puts the record data into the static data authentication input list. The terminal continues reading records from the file until it reads the last record designated to be read. The terminal processes subsequent AFL entries in the same manner until all AFL entries have been processed. At this point, the terminal proceeds to Offline Data Authentication.
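The AFL-driven read loop of section 5.4, as an added example (not code from the Visa specification). The byte-level details are not on this page and are taken from the EMV specifications as assumptions: a four-byte AFL entry (SFI in the upper five bits, first record, last record, number of records used for offline data authentication), the READ RECORD APDU 00 B2 with P2 = (SFI << 3) | 4, and the rule that for SFI 1 to 10 the record's tag 70 and length are left out of the authentication input. The AFL, records and simulated card are constructed sample data.

```python
SW_OK = 0x9000


def parse_afl(afl: bytes):
    """Split an AFL into (sfi, first_record, last_record, n_auth_records) entries."""
    if not afl or len(afl) % 4:
        raise ValueError("AFL must be a non-empty multiple of 4 bytes")
    entries = []
    for i in range(0, len(afl), 4):
        b1, first, last, n_auth = afl[i:i + 4]
        sfi = b1 >> 3
        if b1 & 0x07 or not 1 <= sfi <= 30:
            raise ValueError(f"bad SFI byte {b1:02X}")
        if first == 0 or last < first or n_auth > last - first + 1:
            raise ValueError(f"bad record range in entry {i // 4}")
        entries.append((sfi, first, last, n_auth))
    return entries


def read_record_apdu(sfi: int, record: int) -> bytes:
    """READ RECORD: P1 = record number, P2 = SFI in upper 5 bits, '100' in lower 3."""
    return bytes([0x00, 0xB2, record, (sfi << 3) | 0x04, 0x00])


def template_value(record: bytes) -> bytes:
    """Return the value field of a tag 70 record template (short or long form length)."""
    if len(record) < 2 or record[0] != 0x70:
        raise ValueError("record is not a tag 70 template")
    length, offset = record[1], 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(record[2:2 + count], "big")
        offset = 2 + count
    if offset + length > len(record):
        raise ValueError("template length exceeds record")
    return record[offset:offset + length]


def read_application_data(afl: bytes, transmit):
    """Walk every AFL entry; return (records, static data auth input, APDUs sent)."""
    records, sda_input, sent = {}, b"", []
    for sfi, first, last, n_auth in parse_afl(afl):
        for rec in range(first, last + 1):
            apdu = read_record_apdu(sfi, rec)
            sent.append(apdu.hex().upper())
            data, sw = transmit(apdu)
            if sw != SW_OK:
                raise RuntimeError(f"READ RECORD SFI {sfi} rec {rec} failed: {sw:04X}")
            records[(sfi, rec)] = data
            if rec < first + n_auth:        # first n_auth records feed offline authentication
                sda_input += template_value(data) if sfi <= 10 else data
    return records, sda_input, sent


# Constructed sample card contents: (SFI, record number) -> record bytes.
CARD_FILES = {
    (1, 1): bytes.fromhex("70059F0702FF00"),
    (1, 2): bytes.fromhex("70055F28020840"),
    (2, 1): bytes.fromhex("70035F2D00"),
}
# Constructed AFL: SFI 1 records 1-2 (first one authenticated), SFI 2 record 1 (none).
SAMPLE_AFL = bytes.fromhex("0801020110010100")


def simulated_card(apdu: bytes):
    """Answer READ RECORD from CARD_FILES; 6A83 (record not found) otherwise."""
    data = CARD_FILES.get((apdu[3] >> 3, apdu[2]))
    return (data, SW_OK) if data is not None else (b"", 0x6A83)


if __name__ == "__main__":
    recs, sda, apdus = read_application_data(SAMPLE_AFL, simulated_card)
    print(apdus, sda.hex().upper())
```

Rejecting a malformed AFL before any record is read matters because the AFL decides which data ends up covered by Offline Data Authentication.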

5.5 Flow
Figure 5–1 shows how Read Application Data might be performed.

Figure 5–1: Read Application Data Processing Flow
[Flowchart not reproduced. The terminal completes Initiate Application Processing and selects the first entry from the AFL. The terminal requests a record using the READ RECORD command and the card passes the record to the terminal in the READ RECORD response. If the record is to be used for offline data authentication, the terminal concatenates the data into the SDA input list. The terminal repeats until the record read is the last record number in the AFL entry, then selects the next AFL entry while more entries remain. When no AFL entries remain, the terminal proceeds to Offline Data Authentication (see Chapter 6).]

5.6 Prior Related Processing

Initiate Application Processing
The terminal receives the AFL from the card for use in Read Application Data.

5.7 Subsequent Related Processing

Offline Data Authentication
SDA and DDA use the static data authentication list built during Read Application Data to validate the signed static data.

Other Functions
Other functions use the data read during Read Application Data for processing.


6 Offline Data Authentication

Offline Data Authentication is the process by which the terminal authenticates data from the card using RSA public key technology. Offline Data Authentication has two forms:
• Static Data Authentication (SDA)
• Dynamic Data Authentication (DDA)

During SDA processing, the terminal authenticates static (unchanging) data from the card. SDA ensures that issuer-selected card data elements have not been altered since the card was personalized.

During DDA processing, the terminal authenticates the static card data and also authenticates a signature, which the card generates using transaction-unique data. DDA ensures that issuer-selected card data elements have not been altered since the card was personalized. DDA also confirms that the card is genuine and has not been created by copying data from a valid card to a counterfeit card (skimming). DDA can be performed using either Standard DDA or Combined DDA/Application Cryptogram (AC) Generation.

Offline Data Authentication support is optional for cards. Support for SDA is mandatory for all offline capable terminals and support for DDA is recommended for all offline capable terminals.

Offline Data Authentication results are considered in the card and terminal’s decision of whether to approve offline, go online for authorization, or decline offline. Online authorization systems may use the results of Offline Data Authentication in their authorization response decision.

This chapter is organized into the following sections:
6.1 Keys and Certificates
6.2 Determining Whether to Perform SDA or DDA
6.3 Static Data Authentication (SDA)
6.4 Dynamic Data Authentication (DDA)
6.5 Prior Related Processing
6.6 Subsequent Related Processing

6.1 Keys and Certificates
The terminal performs Offline Data Authentication using RSA public key technology to validate digital certificates and signatures from the card. RSA public key technology uses private keys to generate enciphered values (certificates or signatures) of data elements, which are later deciphered (unlocked) for validation and data recovery.

6.1.1 Visa Certificate Authority (CA)
Offline Data Authentication requires a Certificate Authority (CA), which is a highly secure cryptographic facility that signs the issuer’s Public Keys with the Visa CA Private Keys to create an Issuer Public Key (PK) Certificate. Terminals contain the CA’s public keys for every application supported by the terminal. Visa is the CA for Visa Smart Debit and Visa Smart Credit (VSDC) applications.

6.1.2 RSA Key Pairs
6.1.2.1 Visa Public/Private Keys
Visa, as a Certificate Authority (CA), generates up to six RSA public/private key pairs. Visa assigns a unique Public Key Index (PKI) to each key pair. The Visa CA Public Keys and their indexes are loaded into terminals by acquirers. The Visa CA Private Keys are kept secret and used to sign Issuer Public Key Certificates. Terminals supporting SDA, DDA, or Offline Enciphered PIN contain the Visa CA Public Keys with their corresponding Registered Application Identifier (RID) and Certificate Authority Public Key Indexes (PKI) assigned by Visa.

6.1.2.2 Issuer Public/Private Keys
Both SDA and DDA require that the issuer generate an RSA public/private key pair and obtain Issuer Public Key (PK) Certificates from the Visa CA. To do this, the issuer sends its RSA public key to Visa CA, which generates and returns one or more Issuer PK Certificates to the issuer. The Visa CA returns an Issuer PK Certificate for each Visa CA Public Key that is longer than the Issuer Public Key and expires after the expiration date of the Issuer PK Certificate. The Issuer PK Certificate contains the Issuer Public Key enciphered with the Visa Private Key. All cards that support SDA or DDA must contain an Issuer PK Certificate and related data including the index to identify the Visa Public Key the terminal should use to decipher the certificate. The Issuer Private Key is kept in a secure device by the issuer and used to sign cards’ static data (for SDA) and ICC certificates (for DDA) prior to card personalization.

6.1.2.3 ICC Public/Private Keys
DDA requires that the issuer generate a unique public/private key pair for each card. The ICC Private Key is stored in a secure card location. The ICC Public Key is enciphered with the Issuer Private Key to form an ICC Public Key Certificate that is stored on the card. The ICC public/private keys may also be used during Offline Enciphered PIN processing. See Chapter 8, Cardholder Verification, for details.

6.1.3 SDA Key, Certificate, and Signature Relationships
The following SDA key-related data is personalized on the card:
• Certificate Authority Public Key Index (PKI) is used with the RID portion of the AID to identify the Certification Authority Public Key used for offline data authentication.
• The Issuer Public Key Certificate containing the Issuer Public Key signed with the Visa CA Private Key
• The Issuer Public Key Exponent
• The Issuer Public Key Remainder, if required, contains the portion of the Issuer Public Key which does not fit into the Issuer Public Key Certificate
• The Signed Static Application Data (SAD) which is a signature enciphered with the Issuer Private Key and which contains a hash of important card data

The relationship between keys, certificates, and signatures for SDA is shown in Figure 6–1.
Figure 6–1: SDA Key Relationships
[Diagram not reproduced. Initial setup: the Issuer holds the Issuer Private Key (SKI) and Issuer Public Key (PKI); the Certification Authority (Visa) holds the Visa CA Private Key (SKCA) and Visa CA Public Key (PKCA) and produces the Issuer PK Certificate (PKI signed with SKCA); the Acquirer places the Visa CA Public Key (PKCA) in the Terminal. Personalized on each card: the Signed Application Data (signed with SKI) and the Issuer PK Certificate. Transaction: the ICC card application sends READ RECORD responses containing the CA PK Index, the Issuer PK Certificate and the Signed Application Data. The Terminal uses PKCA to recover PKI from the Issuer PK Certificate, then uses PKI to recover the Signed Application Data.]
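The SDA chain of section 6.1.3 and Figure 6–1, as an added example (not code from the Visa specification): the CA signs the Issuer Public Key, the issuer signs a hash of the static card data, and the terminal recovers and checks both using only the CA public key it holds. The block layout is simplified and is not the EMV certificate format; the 6A/BC/BB framing bytes and SHA-1 are borrowed from EMV as assumptions, the RSA keys are toy keys built from known Mersenne primes (insecure by construction), and the RID "A000000003" (first five bytes of the page's AID), index 0x01 and the static data are constructed.

```python
import hashlib

HEADER, TRAILER, PAD = 0x6A, 0xBC, 0xBB   # framing bytes as in EMV; layout is simplified
E = 65537


def toy_key(p: int, q: int) -> dict:
    """RSA key from two known primes. Constructed demo key, trivially breakable."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1)),
            "size": (n.bit_length() + 7) // 8}


def sign(key: dict, recoverable: bytes, external: bytes = b"") -> bytes:
    """Signature with message recovery: `recoverable` travels inside the signature,
    `external` is only covered by the hash."""
    pad = key["size"] - (2 + len(recoverable) + 20 + 1)
    if pad < 0:
        raise ValueError("data does not fit under this key")  # the case a Remainder handles
    digest = hashlib.sha1(recoverable + external).digest()
    block = (bytes([HEADER, len(recoverable)]) + recoverable
             + bytes([PAD]) * pad + digest + bytes([TRAILER]))
    sig = pow(int.from_bytes(block, "big"), key["d"], key["n"])
    return sig.to_bytes(key["size"], "big")


def recover(n: int, e: int, signature: bytes, external: bytes = b""):
    """Apply the public key and check framing, padding and hash. None on any failure."""
    size = (n.bit_length() + 7) // 8
    value = int.from_bytes(signature, "big")
    if len(signature) != size or value >= n:
        return None
    block = pow(value, e, n).to_bytes(size, "big")
    length = block[1]
    if block[0] != HEADER or block[-1] != TRAILER or 2 + length + 21 > size:
        return None
    payload, padding, digest = block[2:2 + length], block[2 + length:-21], block[-21:-1]
    if any(b != PAD for b in padding):
        return None
    if hashlib.sha1(payload + external).digest() != digest:
        return None
    return payload


def verify_sda(card: dict, terminal_ca_keys: dict) -> bool:
    """Terminal side: CA key by (RID, index) -> Issuer Public Key -> signed static data."""
    ca = terminal_ca_keys.get((card["rid"], card["ca_index"]))
    if ca is None:
        return False                      # terminal does not hold this CA key
    exp_bytes = card["issuer_exp"].to_bytes(3, "big")
    issuer_modulus = recover(ca[0], ca[1], card["issuer_cert"], exp_bytes)
    if issuer_modulus is None:
        return False                      # certificate was not produced with the CA key
    issuer_n = int.from_bytes(issuer_modulus, "big")
    return recover(issuer_n, card["issuer_exp"], card["sad"], card["static_data"]) is not None


# Initial setup (constructed). The CA key is longer than the issuer key, as 6.1.2.2 requires.
CA_KEY = toy_key(2**521 - 1, 2**607 - 1)
ISSUER_KEY = toy_key(2**127 - 1, 2**89 - 1)
TERMINAL_CA_KEYS = {("A000000003", 0x01): (CA_KEY["n"], CA_KEY["e"])}

# Personalization (constructed card contents).
STATIC_DATA = b"constructed static card data"
CARD = {
    "rid": "A000000003",
    "ca_index": 0x01,
    "issuer_exp": E,
    "issuer_cert": sign(CA_KEY, ISSUER_KEY["n"].to_bytes(ISSUER_KEY["size"], "big"),
                        external=E.to_bytes(3, "big")),
    "sad": sign(ISSUER_KEY, b"", external=STATIC_DATA),
    "static_data": STATIC_DATA,
}

if __name__ == "__main__":
    print("genuine card:", verify_sda(CARD, TERMINAL_CA_KEYS))
    print("altered data:", verify_sda(dict(CARD, static_data=b"altered"), TERMINAL_CA_KEYS))
```

The check passes for any card carrying an exact copy of this data, which is the skimming case the page says DDA addresses with a per-card key.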

6.1.4 DDA Key, Certificate, and Signature Relationships
The same issuer public/private key pair and Issuer PK Certificate are used for DDA and SDA. For DDA, a unique ICC public/private key pair is required for each card. The ICC Public Key and a hash of static data is signed with the Issuer Private Key to form an ICC Public Key (PK) Certificate, which is personalized on the card. The ICC Private Key is also personalized in a secure card location.

The relationship between the data and the cryptographic keys for DDA is shown in Figure 6–2.

Figure 6–2: DDA Data—Key Relationships
[Diagram not reproduced. Initial setup: the Issuer holds the Issuer Private Key (SKI) and Issuer Public Key (PKI); the Certificate Authority (Visa) holds the Visa CA Private Key (SKCA) and Visa CA Public Key (PKCA) and produces the Issuer PK Certificate (PKI signed with SKCA); the Acquirer places the Visa CA Public Key (PKCA) in the Terminal. Personalized on each card: the ICC Private Key (SKICC), the ICC Public Key (PKICC), the Issuer PK Certificate and the ICC Public Key Certificate (PKICC signed with SKI). Transaction: the card sends READ RECORD responses with the CA PK Index, Issuer PK Certificate, and ICC PK Certificate. The terminal uses PKCA to get PKI from the Issuer PK Certificate, uses PKI to get PKICC from the ICC PK Certificate, and validates the static data hash in the ICC PK Certificate. The terminal sends the INTERNAL AUTHENTICATE* or first GENERATE AC** command; the card calculates the Dynamic Signature using SKICC and returns it in the INTERNAL AUTHENTICATE* or GENERATE AC** response; the terminal validates the Dynamic Signature using PKICC.
* INTERNAL AUTHENTICATE command for Standard DDA
** GENERATE AC command for Combined DDA/AC Generation]

6.2 Determining Whether to Perform SDA or DDA
Only one method of Offline Data Authentication is performed during any transaction with Combined DDA/AC Generation given highest priority, Standard DDA next, and SDA next. Table 6–1 indicates the method of offline data authentication to be performed based on card and terminal support.

Table 6–1: Offline Data Authentication Processing Priority

| Card Application Interchange Profile indicates card support for: | Terminal Supports SDA | Terminal Supports SDA and Standard DDA | Terminal Supports SDA, Standard DDA, and Combined DDA/AC Generation |
|---|---|---|---|
| SDA | SDA | SDA | SDA |
| SDA, Standard DDA | SDA | Standard DDA | Standard DDA |
| SDA, Standard DDA, Combined DDA/AC Generation | SDA | Standard DDA | Combined DDA/AC Generation |

6.3 Static Data Authentication (SDA)
When SDA is performed, the terminal validates important card data described in Table 6–2 and Table 6–3 to assure that this card data has not been altered.

Table 6–2: Terminal Data Used in SDA

| Data Element | Description |
|---|---|
| Certificate Authority (CA) Public Keys | The Payment System public keys stored in the terminal and used to recover the Issuer PK Certificate from the card, which has been signed with the Certificate Authority Private Key. |
| Certificate Authority (CA) Public Key Index (PKI) | Used with the RID to designate which Visa CA Public Key to use for offline data authentication. |
| Registered Application Identifier (RID) | A portion of the Application Identifier that identifies the Payment System. |
| Terminal Verification Results (TVR) | Status of processing functions as seen from the terminal perspective. |

Table 6–3: Card Data Used in SDA

| Data Element | Description |
|---|---|
| Certificate Authority Public Key Index (PKI) | Each Visa Public Key used for offline data authentication in SDA is identified by the Certificate Authority Public Key Index (PKI) in conjunction with the RID portion of the AID. |
| Issuer Public Key Certificate | The Issuer Public Key Certificate contains the Issuer Public Key signed with the Visa CA Private Key. |
| Issuer Public Key Exponent | The exponent used in the RSA algorithm to recover the PK Certificate. |
| Issuer Public Key Remainder | If required, the Issuer Public Key Remainder contains the portion of the Issuer Public Key, which does not fit into the Issuer Public Key Certificate. |
| SDA Failure Indicator | An internal indicator set and saved by the card if SDA fails and the transaction is declined offline. |
| Signed Static Application Data (SAD) | The SAD is a signature enciphered with the Issuer Private Key, which contains a hash of important card data. |

6.3.1 SDA Processing
The card performs no processing during SDA. The following summarizes the processing by the terminal.

1. Retrieval of the Certification Authority Public Key
   The terminal uses the Certification Authority Public Key Index (PKI) and the RID from the card to retrieve the terminal-stored Visa CA Public Key and related information.
2. Retrieval of the Issuer Public Key
   The terminal uses the Visa CA Public Key to recover the Issuer Public Key from the Issuer PK Certificate. The format of the Issuer PK Certificate is validated.
3. Verification of the Signed Static Application Data
   The terminal uses the Issuer Public Key to recover the Signed Static Application Data that contains the hash of card data calculated at personalization. The terminal calculates a hash of the actual data elements. This hash is compared to the hash in the recovered data. If the hashes are not equal, the data may have been altered and SDA has failed.
4. SDA Results
   If all of the steps above are executed successfully, SDA passes. If SDA fails, the terminal sets indicators in the TVR to show SDA results and to use in later processing to determine the disposition of the transaction.

Figure 6–3: Processing Flow for SDA

[Flowchart. Card: the response to READ RECORD contains the Visa CA Public Key Index, Issuer Public Key Certificate, and SAD. Terminal, on the READ RECORD response:
1. Retrieve Visa CA Public Key using RID and Public Key Index
2. Recover Issuer Public Key from Issuer PK Certificate using Visa CA Public Key
3. Use Issuer Public Key to recover a hash of static application data from the SAD
4. Calculate hash from static data used for signing and compare to recovered hash
5. Set SDA failed in the TVR if any of the above steps are not successful]

6.4 Dynamic Data Authentication (DDA)
If offline DDA is to be performed, the terminal validates static data from the card using the Issuer’s Public Key and the Visa CA Public Key in a process similar to SDA. After validating the static data, the terminal requests a dynamic signature from the card. This request uses the INTERNAL AUTHENTICATE command for Standard DDA and the first GENERATE AC command for Combined DDA/AC Generation. The card signs the terminal challenge data and dynamic data from the card with the ICC Private Key to generate a digital signature called the Signed Dynamic Application Data. With Combined DDA/AC Generation, the signed data includes the Application Cryptogram. The card sends this dynamic signature to the terminal. The terminal deciphers the signature from the card using the ICC Public Key, which has been recovered from the ICC PK Certificate. Recovered data is compared to actual data to determine whether DDA passes. Successful DDA means that card data has not been altered and that the card is not counterfeit.

6.4.1 Data Elements for DDA Processing
The terminal uses the SDA terminal data and the additional data for DDA described in Table 6–4.

Table 6–4: Terminal Data Used in DDA

| Data Element | Description |
|---|---|
| Default Dynamic Data Authentication Data Object List (default DDOL) | If the card does not provide a DDOL, the terminal uses a default DDOL containing the tag for the terminal unpredictable number. |
| Unpredictable Number | An unpredictable, transaction-unique number generated by the terminal and sent to the card in the INTERNAL AUTHENTICATE command. |

All of the SDA data except for the Signed Static Application Data is also used for DDA. In addition, the data described in Table 6–5 is used for DDA.

Table 6–5: Card Data Used in DDA

| Data Element | Description |
|---|---|
| DDA Failure Indicator | An internal indicator set and saved by the card if Standard DDA fails and the transaction is declined offline. |
| Dynamic Data Authentication Data Object List (DDOL) | List of tags for terminal data objects to be passed to the card in DDA processing. |
| ICC Private Key | Used by the card to generate a dynamic signature. |
| ICC Public Key Certificate | The ICC Public Key Certificate contains the ICC Public Key signed with the Issuer Private Key. |
| ICC Public Key Exponent | The exponent used in the RSA algorithm to recover the ICC PK Certificate. |
| ICC Public Key Remainder | If required, the ICC Public Key Remainder contains the portion of the ICC Public Key that does not fit into the ICC Public Key Certificate. |

All of the data elements used in Standard DDA data except for the DDOL are also used for Combined DDA/AC Generation. In addition, the data described in Table 6–6 is used.

Table 6–6: Card Data Used in Combined DDA/AC Generation

| Data Element | Description |
|---|---|
| Application Cryptogram | A 3DES cryptogram returned by the card in the GENERATE AC response. With Combined DDA/AC Generation if an ARQC or TC is returned, it is validated as part of the dynamic signature. |
| Cryptogram Information Data | Information on the type of cryptogram provided by the card and validated by terminal in Combined DDA/AC Generation. |
| ICC Dynamic Number | A unique number generated by the card and validated by the terminal as part of the dynamic signature in Combined DDA/AC Generation. |

6.4.2 Standard DDA Processing
This processing is performed by the terminal except for the card generation of the dynamic signature. The following summarizes this processing.

1. Retrieval of the Certification Authority Public Key
   The terminal uses the Certification Authority Public Key Index (PKI) and the RID from the card to retrieve the terminal-stored Visa CA Public Key and related information.
2. Retrieval of the Issuer Public Key
   The terminal uses the Visa CA Public Key to recover the Issuer Public Key from the Issuer PK Certificate. The format of the Issuer PK Certificate is validated. Validation of the Certificate Serial Number, which is listed as optional in Europay, MasterCard, and Visa (EMV) specifications, is not supported in this version of the Visa Integrated Circuit Card Specification.
3. Retrieval of the ICC Public Key
   The terminal uses the Issuer Public Key to decrypt the ICC PK Certificate that contains the ICC Public Key and a hash of static application data. The terminal validates the hash by comparing it to a hash of the actual data. If the hashes are not equal, DDA fails.
4. Dynamic Signature Generation (Standard DDA only)
   The terminal passes the card an INTERNAL AUTHENTICATE command that includes dynamic challenge data. Upon receiving the INTERNAL AUTHENTICATE command, the card generates a dynamic signature by encrypting a hash of the terminal and card dynamic data with the ICC Private Key. The card passes the dynamic signature to the terminal.
5. Dynamic Signature Verification (Standard DDA only)
   The terminal decrypts the dynamic signature using the ICC Public Key, which was recovered from the ICC PK Certificate. If a terminal-generated hash of the actual dynamic data does not match the recovered hash, DDA fails.

6.4.3 Combined DDA/AC Generation Processing
For Combined DDA/AC Generation, the terminal performs Standard DDA Steps 1 through 3. The INTERNAL AUTHENTICATE command is not used. The terminal requests the dynamic cryptogram using the first GENERATE AC command. The requesting and validation of this cryptogram involves the following steps:

1. Dynamic Signature Generation (Combined DDA/AC Generation only)
   If the terminal is requesting an online cryptogram (ARQC) or offline approval cryptogram (TC) during Terminal Action Analysis, the first GENERATE AC command indicates that Combined DDA/AC Generation is to be performed. If the card decides that the Application Cryptogram is a TC or ARQC, the card signs the Application Cryptogram and related data with the ICC Private Key and returns this dynamic signature in the GENERATE AC response.
2. Dynamic Signature Verification (Combined DDA/AC Generation only)
   During Card Action Analysis if the first GENERATE AC response contains a TC or ARQC, the terminal deciphers the dynamic signature using the ICC Public Key recovered in Step 3. If the signature is successfully recovered, processing continues based upon the type of cryptogram received. If the signature recovery fails, the transaction is declined offline.

Figure 6–4: Processing Flow for DDA

[Flowchart with Card and Terminal columns.
1. Terminal: Retrieve Visa CA Public Key using RID and CA Public Key Index
2. Terminal: Recover Issuer Public Key from Issuer PK Certificate using Visa CA Public Key
3. Terminal: Recover hash and ICC Public Key from ICC PK Certificate using Issuer Public Key
4. Terminal: Calculate hash from static data used for signing and compare to recovered hash
Standard DDA only:
5. Terminal: Send INTERNAL AUTHENTICATE and dynamic data to card (INTERNAL AUTHENTICATE command)
6. Card: Calculate dynamic signature using ICC Private Key (INTERNAL AUTHENTICATE response with dynamic signature)
7. Terminal: Validate dynamic signature using ICC Public Key
8. Terminal: Set DDA results in the TVR if DDA fails]
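The SDA steps of 6.3.1 and the Standard DDA steps of 6.4.2, worked through end to end as an added Python example (it is not code from the Visa specification). The toy RSA keys built from Mersenne primes, the 6A/BC frame layout, the 4-byte challenge and card dynamic data, the sample static data and all function names are assumptions of the example.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key below


def make_key(a, b):
    """Toy RSA key from the Mersenne primes 2**a-1 and 2**b-1 (trivially factorable)."""
    p, q = 2**a - 1, 2**b - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def sha1(data):
    return hashlib.sha1(data).digest()


def n_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def sign(body, key):
    """Sign with message recovery over a constructed frame: 6A | length | body | pad | BC."""
    size = (key["n"].bit_length() - 1) // 8
    pad = size - 4 - len(body)
    if pad < 0:
        raise ValueError("body does not fit under this modulus")
    frame = b"\x6a" + len(body).to_bytes(2, "big") + body + b"\xbb" * pad + b"\xbc"
    return pow(int.from_bytes(frame, "big"), key["d"], key["n"])


def recover(signature, n):
    """Apply the public key; return the signed body, or None if the frame is invalid."""
    size = (n.bit_length() - 1) // 8
    if size < 4:
        return None
    value = pow(signature, E, n)
    if value.bit_length() > 8 * size:
        return None
    frame = value.to_bytes(size, "big")
    length = int.from_bytes(frame[1:3], "big")
    if frame[0] != 0x6A or frame[-1] != 0xBC or length > size - 4:
        return None
    return frame[3:3 + length]


def personalize(ca, issuer, icc, static_data):
    """Issuer setup: the records the terminal later reads with READ RECORD."""
    digest = sha1(static_data)
    return {
        "static_data": static_data,
        "issuer_cert": sign(n_bytes(issuer["n"]), ca),         # PKI signed with SKCA
        "sad": sign(digest, issuer),                            # static hash signed with SKI
        "icc_cert": sign(digest + n_bytes(icc["n"]), issuer),   # hash + PKICC signed with SKI
    }


def internal_authenticate(icc, unpredictable_number):
    """Card: sign card dynamic data and a hash binding it to the terminal challenge."""
    dynamic = secrets.token_bytes(4)
    return sign(dynamic + sha1(dynamic + unpredictable_number), icc)


def issuer_modulus(ca_n, records):
    body = recover(records["issuer_cert"], ca_n)
    return int.from_bytes(body, "big") if body else 0


def terminal_sda(ca_n, records):
    """SDA steps 2-3; a False result is what the terminal records as SDA failed in the TVR."""
    recovered = recover(records["sad"], issuer_modulus(ca_n, records))
    return recovered == sha1(records["static_data"])


def terminal_dda(ca_n, records, card):
    """Standard DDA steps 2-5; `card` answers the INTERNAL AUTHENTICATE challenge."""
    body = recover(records["icc_cert"], issuer_modulus(ca_n, records))
    if body is None or len(body) <= 20 or body[:20] != sha1(records["static_data"]):
        return False
    icc_n = int.from_bytes(body[20:], "big")
    challenge = secrets.token_bytes(4)
    signed = recover(card(challenge), icc_n)
    return signed is not None and len(signed) == 24 and signed[4:] == sha1(signed[:4] + challenge)


def demo():
    """Return (SDA result, DDA result) for three constructed cases."""
    ca, issuer, icc = make_key(607, 1279), make_key(89, 521), make_key(107, 127)
    records = personalize(ca, issuer, icc, b"PAN=4000000000000002;EXPIRY=0312")  # constructed
    altered = dict(records, static_data=b"PAN=4000000000000002;EXPIRY=0912")
    other = make_key(127, 521)  # a device holding the records but not the ICC Private Key
    genuine = lambda un: internal_authenticate(icc, un)
    copied = lambda un: internal_authenticate(other, un)
    return {
        "genuine": (terminal_sda(ca["n"], records), terminal_dda(ca["n"], records, genuine)),
        "altered data": (terminal_sda(ca["n"], altered), terminal_dda(ca["n"], altered, genuine)),
        "copied records": (terminal_sda(ca["n"], records), terminal_dda(ca["n"], records, copied)),
    }
```

Calling `demo()` shows the difference the text draws between the two methods: altered static data fails both, while records presented without the ICC Private Key still pass SDA and are caught only by the dynamic signature check.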

6.5 Prior Related Processing

Read Application Data
The terminal reads application data from the card. This data includes the data required for the supported Offline Data Authentication methods. The AFL and the Static Data Authentication Tag List designate the data to be used to validate the static data hash in the Signed Static Application Data during SDA and in the ICC PK Certificate during DDA.

6.6 Subsequent Related Processing

Terminal Action Analysis
The terminal uses the Offline Data Authentication results and card and terminal parameters to determine whether the transaction should be declined offline, sent online for authorization, or approved offline. When Combined DDA/AC Generation is to be performed and the transaction is to be sent online or approved offline, the terminal sets the Combined DDA/AC Generation indicator in the GENERATE AC command.

Card Action Analysis
SDA and Standard DDA
The card sets an indicator in the CVR if SDA failed on a previous transaction and the transaction was declined offline. A similar CVR indicator is set if DDA failed on a previous transaction and the transaction was declined offline. If SDA or DDA failed and the transaction is to be declined offline, the SDA Failure Indicator or DDA Failure Indicator is set.

Combined DDA/AC Generation
If the GENERATE AC command received from the terminal indicates that Combined DDA/AC Generation is to be performed, the card returns ARQC and TC Application Cryptograms in a dynamic signature signed with the ICC Private Key.

Online Processing
Combined DDA/AC Generation
When the returned Application Cryptogram is in a dynamic signature, the terminal deciphers the signature using the ICC Private Key. If the decipherment is successful, the terminal continues processing based upon the Application Cryptogram. If the decipherment fails, the transaction is declined offline.

Completion
After an online authorization, the card may reset the SDA Failure Indicator and DDA Failure Indicator based upon Issuer Authentication options and results. If SDA or DDA failed and the transaction is to be declined offline because an online authorization could not be completed, the SDA Failure Indicator or DDA Failure Indicator is set.

Combined DDA/AC Generation
If Combined DDA/AC Generation failed and the Application Cryptogram returned was an ARQC, a second GENERATE AC command requesting an AAC is sent to the card. If Combined DDA/AC Generation failed and the Application Cryptogram returned was a TC, the transaction is declined offline with no second GENERATE AC requested.


7 Processing Restrictions

The Processing Restrictions function is performed by the terminal using data elements from the terminal and the card. The terminal shall support checks on application versions, effective and expiration dates, and conditions at the point of transaction.

This chapter contains the following sections:
7.1 Card Data
7.2 Terminal Data
7.3 Application Version Number
7.4 Application Usage Control
7.5 Application Effective Date
7.6 Application Expiration Date
7.7 Prior Related Processing
7.8 Subsequent Related Processing

7.1 Card Data
The card data elements used in Processing Restrictions are listed and described in Table 7–1. For a detailed description of these elements and their usage, refer to the Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table.

Table 7–1: Processing Restrictions—Card Data

| Data Element | Description |
|---|---|
| Application Version Number | This data element (tag “9F08”) indicates the version of the application on the card. It is used in application version number checking by the terminal. Cards complying with this specification should use the value of 140. |
| Application Usage Control (AUC) | AUC is an optional data element. This data element indicates any restrictions set forth by the issuer on the geographic usage and services permitted for the card application. It is used in Application Usage Control checking by the terminal. |
| Issuer Country Code | The Issuer Country Code is a Europay, MasterCard, and Visa (EMV) specification data element indicating the country of the card issuance. It is used in Application Usage Control checking by the terminal. |
| Application Effective Date | The Application Effective Date is the date when the application becomes activated for use. |
| Application Expiration Date | The Application Expiration Date is the date after which use of the application is no longer permitted. |

7.2 Terminal Data
The card data elements used in Processing Restrictions are listed and described in Table 7–2. For a detailed description of these elements and their usage, refer to the Visa Integrated Circuit Card Terminal Specification, Appendix A, Card and Issuer Data Elements Table.

Table 7–2: Processing Restrictions—Terminal Data

| Data Element | Description |
|---|---|
| Application Version Number | This data element (terminal tag ‘9F09’) indicates the version of the application in the terminal. Terminals complying with this specification should use the value of 140. |
| Terminal Capabilities | Indicates the capabilities of the terminal in regard to card data input, verification of the cardholder, and security. It is used in Application Usage Control checking by the terminal. |
| Terminal Country Code | This data element indicates the country in which the terminal is located. It is used in Application Usage Control checking by the terminal. |
| Transaction Date | This is the local date (in the terminal) on which the transaction processing is taking place. It is used in application effective and expiration date checks by the terminal. |
| Transaction Type | This data element indicates the type of financial transaction. It is used in Application Usage Control checking by the terminal. |

7.3 Application Version Number
The terminal compares the Application Version Number in the card to the Application Version Number in the terminal to see if they are the same. If they are not the same, the terminal indicates in the Terminal Verification Results (TVR) that the application versions differ.

7.4 Application Usage Control
Application Usage Control checking is a process in which the terminal checks various conditions at the point of transaction to determine if processing should continue. These checks are similar to service code checks performed for magnetic stripe transactions and include checks for restrictions on the following transactions:
- Domestic
  - Cash
  - Goods
  - Services
  - Cashback
- International
  - Cash
  - Goods
  - Services
  - Cashback
- ATM
- Other than ATM

7.5 Application Effective Date
Application Effective Date checking ensures that the application is active by validating that the card’s Application Effective Date, if present, is less than or equal to the terminal’s local Transaction Date. If the effective date is greater than the Transaction Date, the terminal indicates in the TVR that the application is not yet effective. Presence of the Application Effective Date is optional for the card. Application Effective Date checking is mandatory for the terminal if the data element is present in the card.

7.6 Application Expiration Date
Application Expiration Date checking validates that the application has not expired by ensuring that the card’s Application Expiration Date is greater than or equal to the terminal’s local Transaction Date. If the Application Expiration Date is less than the Transaction Date, the terminal indicates in the TVR that the application has expired.

Figure 7–1: Processing Restrictions

[Flowchart with Card and Terminal columns:
1. Application Version Number for card and terminal present? If yes: Application Version Numbers identical? If no, terminal sets the ICC and terminal have different application versions bit to “1” in TVR.
2. Application Usage Control and Issuer Country Code present? If yes: do any restrictions apply? If yes, terminal sets the requested service not allowed for card product bit to “1” in TVR.
3. Application Effective Date < Current Date? If no, terminal sets the application not yet effective bit to “1” in TVR.
4. Application Expiration Date > Current Date? If no, terminal sets the expired application bit to “1” in TVR.
5. Terminal proceeds to cardholder verification.]

7.7 Prior Related Processing

Read Application Data
The terminal uses the READ RECORD command to obtain the Application Version Number and Application Expiration Date from the card. The AUC, Issuer Country Code, and Application Effective Date are also read from the card, if present.

7.8 Subsequent Related Processing

Terminal Action Analysis
During Terminal Action Analysis, the terminal checks the Issuer Action Codes and Terminal Action Codes to see what action should be taken if application versions differ, cards are not yet effective or expired, or the requested service is not allowed for the card product.


8 Cardholder Verification

Cardholder Verification is used to ensure that the cardholder is legitimate and the card is not lost or stolen. In Cardholder Verification, the terminal determines the cardholder verification method (CVM) to be used and performs the selected CVM. CVM processing is designed to support additional CVMs, such as biometric methods, as they are adopted. CVMs supported are:
- Offline Plaintext PIN
- Offline Enciphered PIN
- Online PIN
- Signature

Signature may be combined with the Offline PIN validation methods. With the Offline PIN methods, the validation of the PIN is done within the card.

The terminal uses rules in the card’s CVM List to select the CVM to be used. The selection criteria in the CVM List may include the type of transaction (cash or purchase), the transaction amount, and the capabilities of the terminal. The CVM List also specifies the terminal action if the CVM fails.

The results of CVM processing play a role in later processing. Offline PIN results are included in the online authorization message and should be considered in the issuer’s authorization decision.

This chapter is separated into the following sections:
8.1 Card Data
8.2 Terminal Data
8.3 Commands
8.4 Processing
8.5 Prior Related Processing
8.6 Subsequent Related Processing

8.1 Card Data
The terminal uses the card data described in Table 8–1 and Table 8–2 for CVM List processing. A detailed description of these card data elements and their usage is in the Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table.

Table 8–1: CVM List Processing—Card Data

| Data Element | Description |
|---|---|
| Application Interchange Profile (AIP) | Contains an indicator showing whether the card supports cardholder verification. This indicator must be set to “1”. |
| Cardholder Verification Method (CVM) List | A prioritized list of methods of cardholder verification for the card application. A card may contain multiple CVM Lists for use in different circumstances such as international and domestic transactions. A CVM List contains Amount X, Amount Y, and CVM entries, as described below. |

A CVM List contains the following:
- Amount X—An amount that may be used in CVM usage conditions
- Amount Y—A second amount that may be used in CVM usage conditions
- CVM entries—The CVM List may contain more than one entry, with each entry containing the following subfields:

| Subfield | Description |
|---|---|
| CVM Code | Designates the action to take if the CVM fails. Choices are to process the next CVM entry or to fail CVM processing. |
| CVM Type | The type of CVM to perform, for example, offline PIN. |
| CVM Conditions | Conditions when this CVM entry should be used, for example, if the terminal supports the CVM Type (offline PIN). |

Refer to the Visa Integrated Circuit Card Specification, Chapter 8, Cardholder Verification, for an example showing how issuers might define a CVM List.

Table 8–2: Offline PIN Processing—Card Data

| Data Element | Description |
|---|---|
| Application Default Action (ADA) | A data element used by the card to determine what action, if any, to take if offline PIN tries are exceeded. |
| Card Verification Results (CVR) | Contains indicators, which the card sets for the following conditions: Offline PIN verification performed; Offline PIN verification failed; PIN Try Limit exceeded; Application blocked because PIN Try Limit exceeded. |
| PIN Try Counter | Number of offline PIN tries remaining. The card decrements the PIN Try Counter each time a cardholder-entered offline PIN fails verification. The card resets the PIN Try Counter to the PIN Try Limit when the cardholder-entered PIN matches the Reference PIN stored in the card or when a script command to reset the counter is successfully processed. The terminal may request the PIN Try Counter from the card prior to PIN entry so the terminal may determine whether the PIN tries have already been exceeded and notify the cardholder if only one PIN try remains. |
| PIN Try Limit | Issuer-specified maximum number of consecutive incorrect PIN tries allowed for a single application. |
| Reference PIN | The cardholder PIN, which is stored in a secure location on the card. |

Support for Offline Enciphered PIN requires card-level RSA public/private key data. The issuer may either generate an ICC PIN Encipherment public/private key pair to use solely for PIN encipherment or, if the card supports DDA, use the same ICC public/private key pair used for DDA. The card shall contain the data elements described in Table 8–3 for whichever key pair is used.

Table 8–3: Offline Enciphered PIN—Card Data

| Data Element | Description |
|---|---|
| Certificate Authority Public Key Index (PKI) | With the RID, designates the Visa CA Public Key to use to recover the Issuer PK Certificate. |
| ICC PIN Encipherment or ICC Private Key | Used to decipher the enciphered PIN after it is received at the card. Stored in a secret location on the card. |
| ICC PIN Encipherment or ICC Public Key (PK) Certificate | Contains the card’s public key to be used in PIN encipherment. Encrypted with the Issuer Private Key. |
| ICC PIN Encipherment or ICC Public Key Exponent | Used in the algorithm that deciphers the enciphered PIN. |
| ICC PIN Encipherment or ICC Public Key Remainder | Contains the portion, if necessary, of the public key that does not fit into the public key certificate. |
| Issuer Public Key Data | Used to decipher the ICC PIN Encipherment or ICC PK Certificate. This is the same certificate and other Issuer Public Key data used for DDA and SDA (see Chapter 6, Offline Data Authentication). |
| Registered Application Provider Identifier (RID) | Used by the terminal with the Certificate Authority Public Key Index to identify the Visa CA Public Key to be used to recover the Issuer PK Certificate. |

8.2 Terminal Data
The terminal data described in Table 8–4 is used during CVM processing. A detailed description of these data elements and their usage is in the Visa Integrated Circuit Card Terminal Specification, Appendix A, Card and Issuer Data Elements Table.

Table 8–4: CVM Processing—Terminal Data

| Data Element | Description |
|---|---|
| Enciphered Personal Identification Number (PIN) Data | Transaction PIN enciphered at the PIN pad for online verification or for offline verification. |
| Personal Identification Number (PIN) Pad Secret Key | Secret key used by the PIN pad to encipher the entered offline PIN and by the card reader to decipher the enciphered PIN. This key is required when the PIN pad and card reader are not integrated into a single tamper-evident device. This key is different from the key used for Offline Enciphered PIN. |
| Terminal Capabilities | Indicates the CVMs supported by the terminal. |
| Terminal Verification Results (TVR) | Indicators are set in the TVR for the following conditions: Cardholder verification was not successful; Unrecognized CVM; PIN Try Limit exceeded; PIN entry required and PIN pad not present or not working; PIN entry required, PIN pad present, but PIN was not entered; Online PIN entered. |
| Transaction Personal Identification Number (PIN) | Contains data entered by the cardholder for PIN verification. |
| Visa CA Public Keys | Must be present if the terminal supports Offline Enciphered PIN. |

8.3 Commands
The following commands are used for offline PIN processing:

GET DATA
Used by the terminal to obtain the PIN Try Counter from the card in order to determine whether the PIN Try Limit was exceeded on a previous transaction or is close to being exceeded. The GET DATA command contains the tag of the PIN Try Counter. The GET DATA response contains the PIN Try Counter. If the PIN Try Counter is in a proprietary data file, the card returns an error response to GET DATA and the terminal bypasses the checking of the PIN Try Counter and continues with Offline PIN processing.

GET CHALLENGE
Used by the terminal to obtain an unpredictable number from the card for use in Offline Enciphered PIN. The GET CHALLENGE response contains a card-generated unpredictable number. The card and terminal support the GET CHALLENGE command if they support Offline Enciphered PIN.

VERIFY
Used for Offline Enciphered PIN and Offline Plaintext PIN. The VERIFY command contains the cardholder-entered PIN and initiates the card comparison of this PIN with the Reference PIN stored on the card. The card response indicates one of the following conditions:
- The PINs match
- The PINs do not match and the number of PIN tries remaining is “n”. If “n” is equal to “0”, PIN tries have been exceeded on the current transaction
- The PIN tries were exceeded on a previous transaction

The card and terminal support the VERIFY command if they support Offline PIN processing.

8.4 Processing
Cardholder Verification processing is divided into two parts: the processing of the card’s CVM List and the execution of the CVMs specified in the CVM List.

8.4.1 CVM List Processing
The card has no role in CVM List processing beyond providing the CVM List and other required data to the terminal. The terminal performs the following steps:

1. Determines whether to perform Cardholder Verification—If the card supports Cardholder Verification (as indicated in the AIP) and if the card provided a CVM List during Read Application Data, the terminal continues with Cardholder Verification. If not, the terminal proceeds to Terminal Risk Management. If none is specified, the terminal shall perform the Visa-specified method of cardholder verification for the terminal.
2. Processes the CVM List entries—Starting with the first entry in the CVM List, the terminal performs the following actions:
   a. Checks whether the CVM Condition is satisfied. If the condition is not satisfied, the terminal proceeds to the next CVM List entry.
   b. If the CVM is not recognized or is not supported, the terminal sets Unrecognized CVM to “1” in the TVR. The CVM is considered not successful.
   c. Performs the CVM specified.
   d. If the CVM is successful, the terminal proceeds to Terminal Risk Management.
   e. If the CVM is not successful (for example, Offline PIN verification failure), the terminal proceeds with the action specified in the CVM Code in the CVM entry. If CVM Code is “proceed to next CVM,” the terminal processes the next CVM List entry. If it is “fail CVM,” the terminal sets the Cardholder Verification Not Successful flag to “1” in the TVR and proceeds to Terminal Risk Management.
3. If the terminal reaches the end of the CVM List without a successful CVM, CVM processing fails—The terminal sets the Cardholder Verification Not Successful flag in the TVR to “1” and proceeds to Terminal Risk Management.

[Figure 8–1: CVM List Processing Flow. Flowchart with Card and Terminal columns.]
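The three steps of section 8.4.1, written out as an added Python example (it is not code from Visa or from this document). The CVM List byte layout, the CVM and condition codes, the AIP bit and the TVR bit positions are assumptions taken from EMV Book 3, because this page names them without giving their encoding; `Terminal`, `process_cvm_list` and the sample list are hypothetical names and constructed data.

```python
"""CVM List processing per section 8.4.1 (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Set

# Encodings assumed from EMV Book 3; this page names the flags, not their bits.
AIP_CV_SUPPORTED = 0x10              # AIP byte 1, bit 5
TVR_ICC_DATA_MISSING = (0, 0x20)     # (TVR byte index, mask)
TVR_CV_NOT_SUCCESSFUL = (2, 0x80)
TVR_UNRECOGNISED_CVM = (2, 0x40)
NEXT_ON_FAILURE = 0x40               # CVM Code bit 7: "proceed to next CVM"
CVM_NAMES = {0x00: "fail_cvm", 0x01: "offline_plaintext_pin", 0x02: "online_pin",
             0x04: "offline_enciphered_pin", 0x1E: "signature",
             0x1F: "no_cvm_required"}

# Constructed sample: X = Y = 0, then three 2-byte entries (CVM Code, Condition).
SAMPLE_CVM_LIST = bytes.fromhex("00000000" "00000000" "4403" "4103" "1E03")


@dataclass
class Terminal:
    supported: Set[str]                  # CVM names this terminal can perform
    amount: int                          # Amount, Authorized (minor units)
    perform: Callable[[str], bool]       # runs the CVM, True when it succeeds
    tvr: bytearray = field(default_factory=lambda: bytearray(5))

    def flag(self, bit):
        self.tvr[bit[0]] |= bit[1]


def parse_cvm_list(raw):
    """Split the CVM List into amounts X, Y and (code, condition) pairs."""
    if len(raw) < 10 or (len(raw) - 8) % 2:
        raise ValueError("malformed CVM List")
    x, y = int.from_bytes(raw[:4], "big"), int.from_bytes(raw[4:8], "big")
    return x, y, [(raw[i], raw[i + 1]) for i in range(8, len(raw), 2)]


def condition_satisfied(cond, name, term, x, y):
    """Evaluate a CVM Condition; amounts are assumed to be in the card's currency."""
    checks = {0x00: True, 0x03: name in term.supported,
              0x06: term.amount < x, 0x07: term.amount > x,
              0x08: term.amount < y, 0x09: term.amount > y}
    # Cash, cashback and unknown conditions are treated as not satisfied here.
    return checks.get(cond, False)


def process_cvm_list(aip, cvm_list, term):
    """Return the CVM that succeeded, or None; results are recorded in term.tvr."""
    # Step 1: decide whether Cardholder Verification is performed at all.
    if not aip[0] & AIP_CV_SUPPORTED:
        return None
    if not cvm_list:
        term.flag(TVR_ICC_DATA_MISSING)      # Figure 8-1: chip data missing
        return None
    x, y, rules = parse_cvm_list(cvm_list)
    # Step 2: process the entries in the order the card lists them.
    for code, cond in rules:
        name = CVM_NAMES.get(code & 0x3F)
        if not condition_satisfied(cond, name, term, x, y):         # 2a
            continue
        if name is None or (name != "fail_cvm" and name not in term.supported):
            term.flag(TVR_UNRECOGNISED_CVM)                         # 2b
            ok = False
        elif name == "fail_cvm":
            ok = False
        elif name == "no_cvm_required":
            ok = True
        else:
            ok = term.perform(name)                                 # 2c
        if ok:
            return name                                             # 2d
        if not code & NEXT_ON_FAILURE:                              # 2e: "fail CVM"
            term.flag(TVR_CV_NOT_SUCCESSFUL)
            return None
    # Step 3: end of list reached without a successful CVM.
    term.flag(TVR_CV_NOT_SUCCESSFUL)
    return None
```

In the sample list the PIN entry carries “proceed to next CVM”, so a failed PIN falls through to signature and the Cardholder Verification Not Successful flag stays “0”; with “fail CVM” in that entry the same failure ends verification.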

8.4.2 CVM Processing

8.4.2.1 Offline Plaintext PIN

In Offline PIN processing, the card checks a Transaction PIN entered by the cardholder against a Reference PIN stored in the card. The Offline PIN results are included in the online authorization message, if the transaction is processed online. Unlike Online PIN, the Offline PIN is not included in the online authorization message.

With Offline Plaintext PIN, the terminal may issue a GET DATA command to the card requesting the PIN Try Counter. If the card does not support transmitting the PIN Try Counter, the terminal proceeds to PIN entry. If the PIN Try Counter returned is zero (no more PIN tries left), Offline PIN fails. If the PIN Try Counter returned is one, the terminal displays “Last PIN Try”.

If there are PIN tries remaining, the terminal requests the cardholder to enter a PIN at the PIN pad. If the PIN pad and card reader are not integrated into a single tamper-evident device, the PIN is enciphered with the PIN Pad Secret Key and deciphered by the card reader. The cardholder-entered Transaction PIN is passed in the clear from the card reader to the card using the VERIFY command. The card compares the Transaction PIN to the Reference PIN stored on the card.
- If they match, the card returns an indicator that the Offline PIN has been verified, and cardholder verification is complete.
- If they do not match, the card decrements the PIN Try Counter and returns an indicator of the number of PIN tries remaining.
  – If PIN tries remain, the terminal requests that the cardholder enter the PIN again and repeats the verification process.
  – If no PIN tries remain, Offline PIN processing fails.

8.4.2.2 Offline Enciphered PIN

Offline Enciphered PIN processing works the same as Offline Plaintext PIN processing except that the cardholder-entered Transaction PIN is enciphered at the PIN pad or terminal and remains enciphered until the card receives it. To encipher the PIN, the terminal issues a GET CHALLENGE command to the card. The card returns an unpredictable number, which the terminal uses in an RSA algorithm to encipher the PIN. The enciphered PIN is included in the VERIFY command to the card. The card recovers the plaintext PIN from the enciphered PIN using a secret RSA key stored on the card. Verification of the deciphered PIN is the same as with Offline Plaintext PIN processing.

In support of this process, the issuer may either generate a card-unique ICC PIN Encipherment key pair or may use the same ICC key pair used for DDA.

8.4.2.3 Online PIN

With Online PIN processing, the PIN is enciphered after entry and is included in the online authorization message for verification by the issuer’s online system. Online PIN processing follows current procedures, which are outside the scope of this document.

8.4.2.4 Signature

When signature is the CVM, the terminal prints a receipt with a line for the cardholder to sign.

8.4.2.5 No CVM Required

When the CVM is “No CVM Required”, CVM processing is considered to be successful.

8.4.2.6 Fail CVM

When the CVM is “Fail CVM”, CVM processing is considered to have failed.

The following flow gives an overview of the steps in PIN processing.

[Figure 8–2: PIN Processing Flow (1 of 2). Flowchart with Card and Terminal columns.]

[Figure 8–3: PIN Processing Flow (2 of 2). Flowchart with Card and Terminal columns.]
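The Offline Plaintext PIN exchange of section 8.4.2.1 and the card-side counter handling of Figure 8–3, as an added Python example (not Visa's code). The status words 9000, 63Cx and 6983 are assumptions taken from EMV Book 3, the class and function names are hypothetical, and the card spends a try before comparing and restores the counter only on a match, which is one ordering that yields the outcomes this page describes.

```python
import hmac
from dataclasses import dataclass

# Status words assumed from EMV Book 3; this page describes the outcomes only.
SW_OK = 0x9000
SW_PIN_BLOCKED = 0x6983      # try limit was already exceeded before this VERIFY
SW_WRONG_PIN = 0x63C0        # low nibble carries the tries remaining ("n")


@dataclass
class Card:
    reference_pin: str
    pin_try_limit: int = 3
    pin_try_counter: int = 3
    counter_readable: bool = True      # GET DATA of the counter may be unsupported
    block_app_on_limit: bool = False   # ADA "If PIN Try Limit exceeded, block applic"
    app_blocked: bool = False

    def get_data_pin_try_counter(self):
        """GET DATA: the counter, or None when the card returns an error."""
        return self.pin_try_counter if self.counter_readable else None

    def verify(self, pin):
        """VERIFY: compare the Transaction PIN with the Reference PIN."""
        if self.pin_try_counter == 0:
            return SW_PIN_BLOCKED
        # Spend the try first, so an interrupted command cannot give a free guess.
        self.pin_try_counter -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(pin.encode(), self.reference_pin.encode()):
            self.pin_try_counter = self.pin_try_limit
            return SW_OK
        if self.pin_try_counter == 0 and self.block_app_on_limit:
            self.app_blocked = True
        return SW_WRONG_PIN | self.pin_try_counter


def offline_plaintext_pin(card, entries):
    """Terminal side. entries holds the PINs the cardholder types, in order.

    Returns (verified, prompts shown to the cardholder).
    """
    prompts = []
    remaining = card.get_data_pin_try_counter()   # optional step; None = unsupported
    if remaining == 0:
        return False, prompts                     # no tries left: Offline PIN fails
    for pin in entries:
        if remaining == 1:
            prompts.append("Last PIN Try")
        prompts.append("Enter PIN")
        sw = card.verify(pin)
        if sw == SW_OK:
            return True, prompts
        if sw in (SW_PIN_BLOCKED, SW_WRONG_PIN):  # no tries remain
            return False, prompts
        remaining = sw & 0x0F                     # "n" from the VERIFY response
    return False, prompts                         # cardholder stopped entering PINs
```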

8.5 Prior Related Processing

Initiate Application Processing
The Application Interchange Profile (AIP), which indicates whether the card supports cardholder verification, is retrieved from the card.

Read Application Data
The terminal reads the CVM List and other data used in CVM processing from the card.

8.6 Subsequent Related Processing

Terminal Action Analysis
The terminal uses cardholder verification results and card and terminal parameters called IACs and TACs to determine whether the transaction should be declined offline, sent online, or approved offline.

Card Action Analysis
The card uses cardholder verification results and parameters in Application Default Action to determine whether to decline the transaction or go online for authorization when the PIN Try Limit is exceeded.

Online Processing
CVM results including Offline PIN verification results are included in the authorization request and should be considered in the Issuer’s authorization decision. The Offline PIN is not included in the online authorization message.

Completion
After a failed attempt to go online for an authorization, the card uses cardholder verification results and parameters in Application Default Action to determine whether to decline the transaction.

Issuer-to-Card Script Processing
The PIN CHANGE/UNBLOCK command can be used to reset the PIN Try Counter to equal the PIN Try Limit and to change the Reference PIN. The APPLICATION UNBLOCK command can be used to unblock an application that was blocked during CVM processing.

9 Terminal Risk Management

Terminal Risk Management provides issuer authorization for higher-value transactions and ensures that chip-read transactions go online periodically to protect against threats that might be undetectable in an offline environment.

Although issuers are mandated to set the Terminal Risk Management is to be Performed bit to “1” in the Application Interchange Profile (AIP) to trigger Terminal Risk Management, terminals shall perform Terminal Risk Management regardless of the card settings.

This chapter is organized into the following sections:
9.1 Card Data
9.2 Terminal Data
9.3 GET DATA Command
9.4 Terminal Exception File
9.5 Merchant Forced Transaction Online
9.6 Floor Limit Checking
9.7 Random Transaction Selection
9.8 Terminal Velocity Checking
9.9 New Card Checking
9.10 Prior Related Processing
9.11 Subsequent Related Processing

9.1 Card Data

The card data elements used in Terminal Risk Management are listed and described in Table 9–1. For a detailed description of these elements and their usage, refer to the Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table.

Table 9–1: Terminal Risk Management—Card Data

Data Element: Application Primary Account Number (PAN)
Description: Valid cardholder account number used in terminal exception file checking.

Data Element: Application Transaction Counter (ATC)
Description: A count of the number of transactions processed by the card since personalization. It is used in terminal velocity checking.

Data Element: Last Online ATC Register
Description: The ATC value of the last transaction that went online. If terminal velocity checking or new card checking by the terminal is required by the card, this data element and both of the data elements listed below must be present.

Data Element: Lower Consecutive Offline Limit
Description: This data element (tag “9F14”) is the Issuer-specified preference for the maximum number of consecutive offline transactions allowed before a transaction must be sent online if the terminal is online capable. It is used in terminal velocity checking.

Data Element: Upper Consecutive Offline Limit
Description: This data element (tag “9F23”) is the Issuer-specified preference for the maximum number of consecutive offline transactions allowed before transactions must be declined offline. It is used in terminal velocity checking.

9.2 Terminal Data

The terminal data elements used in Terminal Risk Management are listed and described in Table 9–2. For a detailed description of these elements and their usage, refer to the Visa Integrated Circuit Card Terminal Specification, Appendix A, Card and Issuer Data Elements Table.

Table 9–2: Terminal Risk Management—Terminal Data

Data Element: Amount, Authorized
Description: This numeric data element stores the amount (excluding adjustments) for the current transaction. It is used in floor limit checking.

Data Element: Maximum Target Percentage to be used for Biased Random Selection
Description: Value used for random selection of transactions for online processing.

Data Element: Target Percentage to be used for Random Selection
Description: Value used for random selection of transactions for online processing.

Data Element: Terminal Floor Limit
Description: This data element (tag ‘9F1B’) indicates the floor limit in the terminal associated with the Application Identifier for the application. It is used in floor limit checking and random selection of transactions for online processing.

Data Element: Terminal Verification Results (TVR)
Description: A series of indicators in which the results of offline processing from a terminal perspective are recorded. It is used to record the results of all terminal risk management checks.

Data Element: Threshold Value for Biased Random Selection
Description: Value used for random selection of transactions for online processing.

Data Element: Transaction Log
Description: To prevent split sales, the terminal may have a transaction log of approved transactions. This log minimally contains the Application PAN and transaction amount and optionally contains the Application PAN Sequence Number and Transaction Date. This log, if present, may be used in terminal floor limit checking. The number of transactions to be stored and maintenance of the log is outside the scope of this specification.

Data Element: Transaction Status Information (TSI)
Description: Indicates the functions performed by the terminal. This data element is not provided in the online authorization and clearing messages but is used by the terminal to indicate that terminal risk management was performed.

9.3 GET DATA Command

The GET DATA command is used by the terminal to read the Last Online ATC Register and the Application Transaction Counter (ATC), if not previously read by the terminal, from the card.

9.4 Terminal Exception File

If a terminal exception file is present, the terminal checks whether the Primary Account Number (PAN) on the card is listed on the exception file. If the card is listed on the exception file, the terminal sets the Card Appears on Terminal Exception File bit to “1” in the Terminal Verification Results (TVR).

9.5 Merchant Forced Transaction Online

At online-capable terminals, the merchant may indicate to the terminal that the transaction should be processed online. If the merchant forces the transaction online, the terminal sets the Merchant Forced Transaction Online bit to “1” in the TVR.

9.6 Floor Limit Checking

Floor limit checking is performed so that transactions of amounts above the terminal floor limit are sent online for authorization. The terminal compares the Amount, Authorized to the Terminal Floor Limit. If the transaction amount is greater than or equal to the floor limit, the terminal sets the Transaction Exceeds Floor Limit bit to “1” in the TVR. Even when the floor limit is zero, the terminal performs this check and sets the Transaction Exceeds Floor Limit bit to “1” in the TVR. If the terminal contains a transaction log, the terminal checks whether the amounts from a previous transaction from the same card combined with the current amount put the transaction over the floor limit.

9.7 Random Transaction Selection

Terminals capable of supporting both offline and online transactions shall randomly select transactions for online processing. The terminal indicates in the TVR if a transaction is randomly selected. Examples of this processing are provided in the Visa Integrated Circuit Card Terminal Specification, Chapter 9, Terminal Risk Management.

9.8 Terminal Velocity Checking

Velocity checking permits issuers to request online processing after a prespecified number of consecutive offline transactions. Offline-capable terminals shall support Terminal Velocity Checking. Issuers may elect not to support velocity checking by the terminal.

The terminal shall perform Terminal Velocity Checking if both the Lower Consecutive Offline Limit (tag “9F14”) and Upper Consecutive Offline Limit (tag “9F23”) are provided by the card in Read Application Data processing. If either of these data objects is not present in the card, the terminal shall bypass this processing.

The terminal sends a GET DATA command to the card requesting the Last Online ATC Register and the ATC, if the Upper and Lower Consecutive Offline Limits are present. The card returns these data elements in the command response. The terminal compares the ATC and the Last Online ATC Register:
- If the ATC minus the Last Online ATC Register is greater than the Lower Consecutive Offline Limit, the terminal sets the Lower Consecutive Offline Limit Exceeded bit to “1” in the TVR.
- If the ATC minus the Last Online ATC Register is greater than the Upper Consecutive Offline Limit, the terminal sets the Upper Consecutive Offline Limit Exceeded bit to “1” in the TVR.

NOTE: The card may also perform similar velocity checks during Card Action Analysis. Velocity checking by the card does not result in the setting of the TVR bits.

9.9 New Card Checking

In new card checking by the terminal, the terminal checks the Last Online ATC Register if provided by the card. This register is reset during Completion after an online approval based on Issuer Authentication results and card parameters.

The terminal sends the GET DATA command to the card requesting the Last Online ATC Register (if this data element is not already present in the terminal). The card responds to the GET DATA command with the Last Online ATC Register. The terminal checks the Last Online ATC Register. If the register is zero, the terminal sets the New Card bit to “1” in the TVR.

NOTE: The card may also perform a similar new card check during Card Action Analysis.

[Figure 9–1: Terminal Risk Management Processing Flow (1 of 2). Flowchart with Card and Terminal columns.]

[Figure 9–2: Terminal Risk Management Processing Flow (2 of 2). Flowchart with Card and Terminal columns.]
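The checks of sections 9.4 to 9.9 combined into one pass that fills in the TVR, as an added Python example (not Visa's code). The TVR bit positions and the biased random selection formula are assumptions taken from EMV Books 3 and 4, which this page does not reproduce; the handling of a failed GET DATA follows Figure 9–2 (ICC Data Missing plus both limit bits), and the function names, dictionary keys, PANs and amounts are hypothetical or constructed.

```python
import random

# (TVR byte index, mask); bit positions assumed from EMV Book 3.
ICC_DATA_MISSING = (0, 0x20)
ON_EXCEPTION_FILE = (0, 0x10)
NEW_CARD = (1, 0x08)
EXCEEDS_FLOOR_LIMIT = (3, 0x80)
LOWER_LIMIT_EXCEEDED = (3, 0x40)
UPPER_LIMIT_EXCEEDED = (3, 0x20)
RANDOMLY_SELECTED = (3, 0x10)
MERCHANT_FORCED_ONLINE = (3, 0x08)

# Constructed terminal configuration and transaction log (amounts in minor units).
SAMPLE_TERMINAL = {
    "exception_file": {"4000000000000002"},
    "floor_limit": 5000, "threshold": 1000, "target_pct": 20, "max_target_pct": 60,
    "log": [("4000001234567899", 3500)],          # (Application PAN, amount)
}


def select_randomly(amount, floor, threshold, target_pct, max_pct, draw):
    """Biased random selection (EMV Book 4); draw is an integer from 1 to 99."""
    if amount >= floor:
        return False          # the floor limit check already covers this amount
    if amount < threshold:
        return draw <= target_pct
    # Between threshold and floor the selection chance rises linearly to max_pct.
    factor = (amount - threshold) / (floor - threshold)
    return draw <= (max_pct - target_pct) * factor + target_pct


def terminal_risk_management(pan, amount, card, term, merchant_forced=False, draw=None):
    """Return the 5-byte TVR after the Terminal Risk Management checks."""
    tvr = bytearray(5)

    def flag(bit):
        tvr[bit[0]] |= bit[1]

    if pan in term["exception_file"]:                          # 9.4
        flag(ON_EXCEPTION_FILE)
    if merchant_forced:                                        # 9.5
        flag(MERCHANT_FORCED_ONLINE)
    # 9.6: add the most recent logged amount for this card (split-sale check).
    prior = next((a for p, a in reversed(term["log"]) if p == pan), 0)
    if amount + prior >= term["floor_limit"]:
        flag(EXCEEDS_FLOOR_LIMIT)
    if draw is None:                                           # 9.7
        draw = random.SystemRandom().randint(1, 99)
    if select_randomly(amount, term["floor_limit"], term["threshold"],
                       term["target_pct"], term["max_target_pct"], draw):
        flag(RANDOMLY_SELECTED)
    # 9.8 and 9.9: performed only when the card supplied both limits.
    lower, upper = card.get("lower_limit"), card.get("upper_limit")
    if lower is not None and upper is not None:
        atc, last_online = card.get("atc"), card.get("last_online_atc")
        if atc is None or last_online is None:                 # GET DATA failed
            for bit in (ICC_DATA_MISSING, LOWER_LIMIT_EXCEEDED, UPPER_LIMIT_EXCEEDED):
                flag(bit)
        else:
            if atc - last_online > lower:
                flag(LOWER_LIMIT_EXCEEDED)
            if atc - last_online > upper:
                flag(UPPER_LIMIT_EXCEEDED)
            if last_online == 0:
                flag(NEW_CARD)
    return bytes(tvr)
```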

9.10 Prior Related Processing

Read Application Data
The following data is read from the card:
- Primary Account Number is used in checking the terminal exception file.
- Upper and Lower Consecutive Limits, if present on the card, are used in Terminal Velocity Checking.

9.11 Subsequent Related Processing

Terminal Action Analysis
Based on card and terminal settings, the terminal determines what action to take if:
- The card was on terminal exception file
- The merchant forced the transaction online
- The floor limit is exceeded
- The transaction is randomly selected for online processing
- Velocity checking amounts or counters are exceeded
- New card

10 Terminal Action Analysis

In Terminal Action Analysis, the terminal applies rules set by the issuer in the card and by the acquirer in the terminal to the results of offline processing to determine whether the transaction should be approved offline, declined offline, or sent online for an authorization.

Terminal Action Analysis involves two steps:

1. Review Offline Processing Results—The terminal reviews the results of offline processing, recorded by the terminal in the Terminal Verification Results, to determine whether the transaction should go online, be approved offline, or be declined offline. This process considers issuer-defined criteria from the card called Issuer Action Codes (IACs) and Visa-defined criteria in the terminal called Terminal Action Codes (TACs).

2. Request Cryptogram Processing—The terminal requests a cryptogram from the card.

A decision for an offline approval or request for online processing made during Terminal Action Analysis is not final. As a result of Card Action Analysis (see Chapter 11, Card Action Analysis), the card may override the terminal’s decision. Decisions to decline offline may not be overridden.

This chapter is organized into the following sections:
10.1 Card Data
10.2 Terminal Data
10.3 GENERATE APPLICATION CRYPTOGRAM (AC) Command
10.4 Processing
10.5 Prior Related Processing
10.6 Subsequent Related Processing

10.1 Card Data

The card data elements described in Table 10–1 were previously received from the card and are used during Terminal Action Analysis. The Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table, contains detailed descriptions of these elements and their usage.

Table 10–1: Review Offline Processing Results—Card Data

Data Element: Issuer Action Codes (IACs)
Description: The IACs are three data elements called IAC Denial, IAC Online, and IAC Default. Each IAC consists of a series of bits, which correspond to the bits in the Terminal Verification Results (TVR).
- IAC Denial bits set to “1” reflect the TVR conditions for which the transaction is to be declined offline
- IAC Online bits set to “1” represent online authorization conditions
- IAC Default bits set to “1” are the conditions for an offline decline if online processing is not available
Similar codes called Terminal Action Codes (TACs) are defined in the terminal.

The card data element shown in Table 10–2 is used in cryptogram processing.

Table 10–2: Request Cryptogram Processing—Card Data

Data Element: Card Risk Management Data Object List 1 (CDOL1)
Description: The CDOL1 contains the tags and lengths of the terminal data objects that are needed by the card to generate the first application cryptogram and for other processing.

10.2 Terminal Data

The Visa Integrated Circuit Card Terminal Specification, Appendix A, Card and Issuer Data Elements Table, contains detailed descriptions of these elements and their usage.

The terminal data elements described in Table 10–3 are used to review offline processing results.

Table 10–3: Review Offline Processing Results—Terminal Data

Data Element: Terminal Action Codes (TACs)
Description: The TACs are three data elements called TAC Denial, TAC Online, and TAC Default. Like the IACs, each TAC consists of a series of bits, which correspond to the bits in the Terminal Verification Results (TVR).
- TAC Denial bits set to “1” reflect the TVR conditions for which the transaction is to be declined offline
- TAC Online “1” bits represent online authorization conditions
- TAC Default “1” bits are the conditions for an offline decline if online processing is not available
The required TAC settings are defined by Visa in the Visa Integrated Circuit Card Terminal Specification, Version 1.4.0, Chapter 10.

Data Element: Terminal Verification Results (TVR)
Description: The TVR is a series of bits, which are set during transaction processing to represent offline processing results.

The terminal data elements described in Table 10–4 are used in cryptogram processing.

Table 10–4: Request Cryptogram Processing—Terminal Data

Data Element: Terminal Data Elements
Description: The terminal data elements specified in the CDOL1 from the card are included in the GENERATE APPLICATION CRYPTOGRAM (AC) command.

10.3 GENERATE APPLICATION CRYPTOGRAM (AC) Command

The terminal sends a GENERATE AC command to the card to request an application cryptogram. The command designates one of the following types of application cryptograms:
- Transaction Certificate (TC)—For an approval
- Application Authentication Cryptogram (AAC)—For a decline
- Authorization Request Cryptogram (ARQC)—To go online

The command also includes the terminal data objects requested by the card in the CDOL1. The terminal also indicates in this command if Combined DDA/AC Generation is to be performed. When the card receives the GENERATE AC command, it proceeds to Card Action Analysis. The command response is not returned during Terminal Action Analysis.

10.4 Processing

Terminal Action Analysis processing has two steps:
- The review of offline processing results
- The request for an Application Cryptogram

10.4.1 Review Offline Processing Results

The terminal reviews the results of offline processing to determine whether the transaction should go online, be approved offline, or be declined offline. This process uses issuer-defined criteria from the card called IACs and Visa-defined criteria in the terminal called TACs. The Visa Integrated Circuit Card Terminal Specification, Chapter 10, Terminal Action Analysis, contains an example of how IACs and TACs are used with the Terminal Verification Results (TVR) to determine transaction disposition.

10.4.2 Request Application Cryptogram

The second phase of Terminal Action Analysis involves requesting an Application Cryptogram from the card. The outcome from the Review Offline Processing step determines the type of cryptogram to request:
- Approve offline—TC (Transaction Certificate)
- Go online for authorization—ARQC (Authorization Request Cryptogram)
- Decline offline—AAC (Application Authentication Cryptogram)

The terminal also indicates in this command if Combined DDA/AC Generation is to be performed.

10.4.3 Processing Flow

Figure 10–1 shows how Terminal Action Analysis might be performed.

[Figure 10–1: Terminal Action Analysis Flow. Flowchart with Card and Terminal columns.]
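The review step of section 10.4.1 in the order Figure 10–1 gives (Denial, then Online or Default), together with the terminal-side check that a card reply never upgrades the requested cryptogram, as an added Python example (not Visa's code). The IAC and TAC values in the test data are constructed, not Visa's required settings; the defaults used when the card supplies no IAC are an assumption taken from EMV Book 3, and the function names are hypothetical.

```python
# Ordering used for the override rule: a card may answer with the requested
# cryptogram or a more restrictive one, never a less restrictive one.
RANK = {"AAC": 0, "ARQC": 1, "TC": 2}

# Values applied when the card carries no IAC (assumed from EMV Book 3).
IAC_WHEN_ABSENT = {"denial": bytes(5), "online": b"\xff" * 5, "default": b"\xff" * 5}


def matching_bits(tvr, iac, tac):
    """List (byte, bit) positions, numbered 1..5 and 8..1, where a TVR bit set
    to 1 is also set to 1 in the IAC or in the TAC."""
    hits = []
    for index, (t, i, a) in enumerate(zip(tvr, iac, tac)):
        matched = t & (i | a)
        hits += [(index + 1, b + 1) for b in range(7, -1, -1) if matched & (1 << b)]
    return hits


def terminal_action_analysis(tvr, iacs, tacs, online_capable):
    """Return (cryptogram type to request, TVR bits that caused the decision).

    iacs and tacs map 'denial', 'online' and 'default' to 5-byte values;
    an IAC missing from the card is replaced by its default.
    """
    if len(tvr) != 5:
        raise ValueError("TVR must be 5 bytes")

    def review(kind):
        iac = iacs.get(kind)
        if iac is None:
            iac = IAC_WHEN_ABSENT[kind]
        return matching_bits(tvr, iac, tacs[kind])

    reasons = review("denial")
    if reasons:
        return "AAC", reasons                    # decline offline
    if online_capable:
        reasons = review("online")
        return ("ARQC", reasons) if reasons else ("TC", [])
    reasons = review("default")                  # terminal cannot go online
    return ("AAC", reasons) if reasons else ("TC", [])


def card_response_allowed(requested, returned):
    """True when the card's cryptogram type is a permitted answer to the request:
    the card may override an approval or an online request with something more
    restrictive, while a decline may not be overridden."""
    return RANK[returned] <= RANK[requested]
```

Logging the returned bit positions next to the decision makes it possible to see afterwards which offline result sent a transaction online or declined it.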

10.5 Prior Related Processing

Read Application Data
The terminal reads application data from the card. This data includes the CDOL1 and the IACs.

Offline Data Authentication, Processing Restrictions, Cardholder Verification, and Terminal Risk Management
These offline functions set bits in the TVR based upon the results of processing. These bit settings are used with the IACs and TACs during Terminal Action Analysis to determine transaction disposition.

10.6 Subsequent Related Processing

Card Action Analysis
During Card Action Analysis, the card performs additional risk management to determine whether to override the terminal’s Terminal Action Analysis decision to approve offline or send online.


3 GENERATE APPLICATION CRYPTOGRAM (AC) Command 11.5 Flow 11.6 Prior Related Processing 11.4 Processing 11.2 Terminal Data 11.Card Action Analysis 11 Card Action Analysis allows issuers to perform velocity checking and other risk management that is internal to the card.1 Card Data 11.7 Subsequent Related Processing Draft 12/18/00 31 Oct 2001 Visa Public 11–1 . Visa proprietary card risk management features described in this section include checking: q Activity on previous transactions New card Velocity counters q q This chapter is organized into the following sections: 11.

11.1 Card Data

The card data elements used in Card Action Analysis are listed and described in Table 11–1. For a detailed description of these elements and their usage, refer to the Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table.

Table 11–1: Card Action Analysis—Card Data

Data Element: Application Cryptogram
Description: A cryptogram returned by the card in the response to the GENERATE APPLICATION CRYPTOGRAM (AC) command.
- An Application Authentication Cryptogram returned for declines is known as an AAC
- A Transaction Certificate returned for approvals is known as a TC
- An Authorization Request Cryptogram returned when online processing is requested is known as an ARQC

11.2 Terminal Data

No terminal data is used during Card Action Analysis.

11.3 GENERATE APPLICATION CRYPTOGRAM (AC) Command

The GENERATE APPLICATION CRYPTOGRAM (AC) command is used by the terminal to request that the card provide a cryptogram indicating the card’s authorization response. The terminal also indicates in this command whether Combined DDA/AC Generation is to be performed.

Data Requested in Card Risk Management Data Object List (CDOL1)
The terminal provides the data requested by the card in the CDOL1. Refer to the Visa Integrated Circuit Card Specification, Appendix E, Cryptogram Versions Supported, for a list of data required.

11.4 Processing

At the end of Terminal Action Analysis, the terminal issues the GENERATE AC command to the card to request an application cryptogram and to provide data requested by the card in the CDOL1. This processing is described in Chapter 10, Terminal Action Analysis. The GENERATE AC command, which the card receives from the terminal, contains the Cryptogram Type, which the terminal is requesting. This Cryptogram Type indicates the terminal’s transaction decision (approve offline, decline offline, send online). The GENERATE AC command received from the terminal also indicates if Combined DDA/AC Generation is to be performed.

11.4.1 Card Risk Management

The card performs the following Card Risk Management checks if supported by the card and the required data is available:
- Activity on previous transactions:
  – Online authorization not completed
  – Issuer Authentication failure on last online transaction
  – SDA failure on last transaction
  – DDA failure on last transaction
  – Issuer script processed on last transaction
  – PIN Try Limit exceeded on previous transaction
- New card check
- Velocity checks to see whether offline processing limits have been exceeded for:
  – Total consecutive offline transactions
  – Total consecutive offline international transactions based on currency
  – Total consecutive offline international transactions based on country
  – Total cumulative offline transaction amount in designated currency
  – Total offline transaction amount in the designated currency and a designated secondary currency

11.4.2 Card Response Decision

Based on the results of this card risk management, the card determines a transaction response. The card’s response may override the terminal’s decision indicated by the Cryptogram Type:

• The card may override the terminal’s decision to approve offline by deciding to either send online or decline offline.
• The card may override the terminal’s decision to go online by deciding to decline offline.

These decision rules are shown in Table 11–2.

Table 11–2: Card Response to GENERATE AC Command

| Terminal Requests | Card Responds AAC | Card Responds ARQC | Card Responds TC |
|---|---|---|---|
| AAC | Decline | — | — |
| ARQC | Decline | Go Online | — |
| TC | Decline | Go Online | Approve |

11.4.2.1 Standard Response to GENERATE AC

The card generates a DES-based cryptogram utilizing the data provided by the terminal and data from the card. Data requirements are detailed in the Visa Integrated Circuit Card Specification, Appendix E, Cryptogram Versions Supported. The DES key requirements and the algorithms used in the cryptogram generation process are detailed in the Visa Integrated Circuit Card Specification, Appendix D, Authentication Keys and Algorithms.

The card returns this cryptogram to the terminal in the GENERATE AC response. The Cryptogram Type in this response indicates the card’s decision for transaction disposition (approve offline, decline offline, send online).

11.4.2.2 Response to GENERATE AC for Combined DDA/AC Generation

If the terminal has indicated in the GENERATE AC command that Combined DDA/AC Generation is to be performed and the card is returning a TC or an ARQC in the response to GENERATE AC, the card encrypts the Application Cryptogram, Cryptogram Information Data and other data with the ICC Private Key. The card returns the signed data to the terminal in the response to GENERATE AC.

11.5 Flow

Figure 11–1: Card Action Analysis (flowchart: after the first GENERATE AC command the card checks previous transaction processing, the new card condition and the offline velocity limits, sets indicators, determines its response of AAC, ARQC or TC, and creates a dynamic signature of the ARQC or TC when Combined DDA/AC Generation is requested)

11.6 Prior Related Processing

Read Application Data

The terminal reads the Card Risk Management Data Object List 1 (CDOL1) from the card.

11.7 Subsequent Related Processing

Completion

If online processing was requested, but the terminal was unable to send the transaction online, additional card and terminal processing is performed. The terminal performs additional analysis (similar to Terminal Action Analysis) using the Issuer Action Code (IAC) Denial and Terminal Action Code (TAC) Denial to determine which cryptogram (AAC or TC) to request in the final GENERATE AC command. The card also performs the following card risk management checks to determine final transaction disposition:

• Velocity checking for total consecutive offline transactions (Upper Limit)
• New card
• Offline PIN verification not performed

12 Online Processing

Online Processing allows the issuer’s host computer to review and authorize or decline transactions using the issuer’s host-based risk management parameters. In addition to performing traditional online fraud and credit checks, host authorization systems may perform Online Card Authentication using a card-generated dynamic cryptogram and should consider offline processing results in the authorization decision.

The response from the issuer may include post-issuance updates to the card and an issuer-generated cryptogram, which the card can validate to assure that the response came from the valid issuer. This validation is called Issuer Authentication.

This chapter describes the card and terminal online processing functions, which are new with Visa Smart Debit and Visa Smart Credit (VSDC). Online processing functions, which are also performed with magnetic stripe-read and key-entered transactions, are outside the scope of this document and not described.

This chapter is organized in the following manner:

12.1 Card Data
12.2 Terminal Data
12.3 Online Request and Response Data
12.4 Commands
12.5 Processing
12.6 Prior Related Processing
12.7 Subsequent Related Processing

12.1 Card Data
The terminal uses the card data described in Table 12–1 during Online Processing. The Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table, contains a detailed description of card data elements and their usage.
Table 12–1: Online Processing—Card Data

| Data Element | Description |
|---|---|
| GENERATE APPLICATION CRYPTOGRAM (AC) response data | This response data includes the following: Cryptogram Type (an Authorization Request Cryptogram (ARQC) if transaction is to be authorized online); Application Cryptogram; Application Transaction Counter (ATC); Issuer Application Data |
| Application Interchange Profile (AIP) | The AIP received during Initiate Application Processing contains a bit that indicates whether the card supports Issuer Authentication. |

The card uses the card data described in Table 12–2 during Issuer Authentication.
Table 12–2: Online Processing Issuer Authentication—Card Data

| Data Element | Description |
|---|---|
| Authorization Request Cryptogram (ARQC) | The cryptogram generated by the card earlier in the transaction. The ARQC and the Authorization Response Code are the input to the Authorization Response Cryptogram (ARPC) validation process. |
| Unique DEA Keys (UDK) | The DES keys used for ARPC validation. These are the same keys used to generate the ARQC. |
| Card Verification Results (CVR) | Contains a bit that is set if Issuer Authentication fails. |
| Issuer Authentication Failure Indicator | A bit that is set if Issuer Authentication fails. |


12.2 Terminal Data

The terminal data described in Table 12–3 is updated with the Issuer Authentication status. The Visa Integrated Circuit Card Terminal Specification, Chapter 12, Online Processing, contains a detailed description of these data elements and their usage.

Table 12–3: Online Processing—Terminal Data

| Data Element | Description |
|---|---|
| Terminal Verification Results (TVR) | Contains a bit that is set when Issuer Authentication is unsuccessful. |
| Transaction Status Information (TSI) | Contains a bit that is set when Issuer Authentication is performed. |

12.3 Online Request and Response Data

The online authorization request includes the data required for magnetic stripe transactions as well as additional VSDC data, which is used to validate the Authorization Request Cryptogram (ARQC) generated by the card. The VSDC data elements to be transmitted from the terminal are listed in the Visa Integrated Circuit Card Terminal Specification, Appendix A, Card and Issuer Data Elements Table.

The online response may contain the data described in Table 12–4.

Table 12–4: Online Processing—Online Response Data

| Data Element | Description |
|---|---|
| Issuer Authentication Data | Issuer Authentication Data has two components: the Authorization Response Cryptogram (ARPC), which is an Issuer-generated cryptogram to be validated by the card; and the Authorization Response Code, which is the response value to be used in the validation of the ARPC. |
| Issuer Script | Contains issuer updates to the card. |

12.4 Commands

The following commands are used during Online Processing:

GENERATE APPLICATION CRYPTOGRAM (AC) Command Response

The terminal receives the card’s response to the GENERATE APPLICATION CRYPTOGRAM (AC) command. The GENERATE AC command is sent to the card during Terminal Action Analysis. The card returns the GENERATE AC response at the end of Card Action Analysis. The response is received by the terminal at the beginning of Online Processing. The response includes the first Application Cryptogram and the Cryptogram Type.

The GENERATE AC command may indicate that Combined DDA/AC Generation be performed. If the response is an ARQC or a TC and Combined DDA/AC Generation is performed, the response is a dynamic signature, which contains the Application Cryptogram.

EXTERNAL AUTHENTICATE Command

If Issuer Authentication is to be performed, the terminal issues the EXTERNAL AUTHENTICATE command with the Issuer Authentication Data requesting that the card validate the Authorization Response Cryptogram (ARPC), which is included in the command. The response from the card indicates whether Issuer Authentication passed or failed.

12.5 Processing

Standard Online Processing includes processing the online request, processing the online response, and optionally performing Issuer Authentication. If Combined DDA/AC Generation is to be performed, processing includes validation of the dynamic signature.

12.5.1 Online Request

Online request processing differs depending on whether Combined DDA/AC Generation has been requested.

12.5.1.1 Combined DDA/AC Generation Processing

If Combined DDA/AC Generation is indicated in the GENERATE AC command and the cryptogram returned is an ARQC or a TC, the terminal performs the following processing:

• The terminal deciphers the dynamic cryptogram using the recovered ICC Public Key to recover the Application Cryptogram.
• If the hash matches, standard online processing is performed.
• If the hash does not match, the terminal indicates in the TVR that Combined DDA/AC Generation failed and proceeds to Completion.

12.5.1.2 Standard Online Processing

If the card returns an ARQC to the terminal in the GENERATE AC response and the terminal has the capability to go online, the terminal transmits an online authorization request message. If the card does not respond with an ARQC or the terminal is unable to send the transaction online, the terminal proceeds to the Completion function.

12.5.2 Online Response

After the online request message is successfully transmitted to the issuer, the terminal receives the online response message, which may include an issuer script containing updates to the card parameters or a cryptogram, to be validated using Issuer Authentication to prove that the response came from the valid issuer, or both.

If the online response contains the Issuer Authentication Data and the card supports Issuer Authentication, the terminal performs Issuer Authentication. Otherwise, the terminal proceeds to the Completion function.

12.5.3 Issuer Authentication

The terminal transmits an EXTERNAL AUTHENTICATE command to the card instructing the card to perform Issuer Authentication. The card validates the ARPC using the ARQC generated previously by the card, the Authorization Response Code from the issuer, and the Unique DEA Keys (UDK) stored in a secret location on the card.

Both the card and terminal record Issuer Authentication results:

• The card sets Issuer Authentication results in the Card Verification Results (CVR) and the Issuer Authentication Failure Indicator and returns the results to the terminal in the EXTERNAL AUTHENTICATE response.
• The terminal sets Issuer Authentication results in the Terminal Verification Results (TVR) and the Transaction Status Information (TSI) before proceeding to the Completion function.

12.5.4 Processing Flow

Figure 12–1 shows the interaction between the card, the terminal, and the issuer’s host system for Online Processing.

Figure 12–1: Online Processing Flow (flowchart of the card, terminal and online authorization system steps described in Sections 12.5.1 through 12.5.3)

12.6 Prior Related Processing

Card Action Analysis

The card sets the Cryptogram Type to an ARQC if an online authorization is to be done.

12.7 Subsequent Related Processing

Completion

During Completion, the card uses Issuer Authentication results and card parameters to help determine the disposition of the transaction and whether to reset certain counters and indicators. If an ARQC was requested by the card and Combined DDA/AC Generation was performed and failed, an AAC (decline cryptogram) is requested by the terminal in the final GENERATE AC. If a TC was requested by the card and Combined DDA/AC Generation was performed and failed, the terminal declines the transaction.

Issuer-to-Card Script Processing

If the online response contains an Issuer Script, these post-issuance updates are applied.

13 Completion

The terminal and the card perform Completion to conclude transaction processing. Completion includes the following actions:

• If online processing was requested and the terminal did not support online processing or the online authorization was unable to complete, the terminal and card perform additional analysis to determine whether the transaction should be approved or declined offline.
• An issuer’s online approval may be changed to a decline based upon Issuer Authentication results and card options.
• Indicators and counters are set to reflect what has occurred during transaction processing.
• After an online authorization, indicators and counters may be reset based upon Issuer Authentication results and card options.
• If Combined DDA/AC Generation was performed and failed, the terminal processes as follows:
  – If an ARQC was requested by the card, the terminal requests an AAC (decline cryptogram) in the second GENERATE AC.
  – If a TC was requested by the card and Combined DDA/AC Generation was performed and failed, the terminal declines the transaction with a Z1 Response Code.

The terminal may perform additional functions subsequent to Completion, such as allowing the cardholder signature to be verified, printing a receipt, and capturing data for clearing. The terminal may perform additional Completion functions if they do not interfere with the Completion functions defined in the VIS card and terminal volumes.

This chapter is organized as follows:

13.1 Card Data
13.2 Terminal Data
13.3 GENERATE Application Cryptogram (AC) Command
13.4 Processing
13.5 Flow
13.6 Prior Related Processing

13.1 Card Data

The second GENERATE AC command response, which the card returns to the terminal, includes the card data elements described in Table 13–1. The Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table, contains a detailed description of card data elements and their usage.

Table 13–1: GENERATE AC Response

| Data Element | Description |
|---|---|
| Application Cryptogram (AC) | The cryptogram generated by the card. |
| Application Transaction Counter (ATC) | A count of card transactions. |
| Cryptogram Information Data | Contains indicators for the type of cryptogram (an Application Authentication Cryptogram (AAC) for a decline; a Transaction Certificate (TC) for an approval; an Authorization Request Cryptogram (ARQC) when online processing is requested, first GENERATE AC only) and for other status information including Service Not Allowed. |
| Issuer Application Data | Includes Visa discretionary data and issuer discretionary data for transmission to the Issuer, including the CVR. |
| Card Verification Results (CVR) | A Visa proprietary data element containing indicators, which are set based upon the results of offline processing for current and previous transactions. The CVR is included in the clearing transaction as “proof” of card processing. |

The card uses the internal card data elements described in Table 13–2 during Completion. Other data elements used are listed in the Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table.

Table 13–2: Completion—Card Data (Partial List)

| Data Element | Description |
|---|---|
| Application Default Action (ADA) | A Visa proprietary data element indicating the action a card should take when exception conditions occur. |
| CDOL2 | A list of data objects (tags and lengths) for the terminal to pass to the card with the second GENERATE AC command. |

13.2 Terminal Data

The terminal data elements described in Table 13–3 are used during Completion. The Visa Integrated Circuit Card Terminal Specification, Chapter 12, Completion, contains a detailed description of these data elements and their usage from a terminal perspective.

Table 13–3: Completion—Terminal Data

| Data Element | Description |
|---|---|
| Authorization Response Code | Provided to the card to indicate if the transaction is approved or declined and if the authorization was performed offline or online. |
| Terminal Verification Results (TVR) | Contains indicators that are set to record offline processing results, such as SDA failure or floor limit exceeded. |

13.3 GENERATE Application Cryptogram (AC) Command

The GENERATE APPLICATION CRYPTOGRAM (AC) command is used by the terminal to request a final Application Cryptogram from the card. The GENERATE AC command contains the terminal data elements specified by the card in the CDOL2, which was received by the terminal during Read Application Data. It may indicate that Combined DDA/AC Generation is to be performed.

The GENERATE AC response includes the card transaction counter, the application cryptogram, the cryptogram type indicating the card’s authorization decision, and the CVR indicating processing results. Issuer discretionary data may also be provided.

13.4 Processing

Completion involves three steps:

• The terminal determines the transaction disposition and issues a second GENERATE AC command to the card if an online authorization was completed.
• The card determines the final transaction response and resets card indicators based on card parameters and Issuer Authentication status.
• The terminal completes the transaction.

13.4.1 Terminal Determines Transaction Disposition

The terminal processing during Completion varies based upon what has occurred during previous processing of the transaction:

• At the end of Card Action Analysis, the card may have:
  – Requested an offline approval or decline
  – Requested an online authorization
• During Online Processing, the online authorization request may have:
  – Completed successfully
  – Not completed because the terminal did not support online processing or because an online response was not received.

13.4.1.1 Transaction Authorized Offline

When the card responds to the first GENERATE AC command in Card Action Analysis with a Transaction Certificate (TC) or an Application Authentication Cryptogram (AAC), the terminal completes the transaction offline. The terminal displays a message indicating the action taken: approved, declined, or service not allowed.

If the terminal requested in the GENERATE AC command that Combined DDA/AC Generation be performed and an AAC is returned by the card, the terminal indicates in the TVR that Combined DDA/AC Generation has failed. If a TC was requested by the card and Combined DDA/AC Generation was performed and failed, the terminal declines the transaction.

If Combined DDA/AC Generation was performed and failed, the terminal processes as follows:

• If a TC was returned, the terminal declines with a Z1 response code.
• If an ARQC is returned, the terminal requests an AAC in the second GENERATE AC command.

13.4.1.2 Online Authorization Completed Successfully

If the online authorization was successfully completed, the terminal issues a final GENERATE AC command to the card to request additional card analysis and a final Application Cryptogram. The terminal uses the Authorization Response Code received from the issuer in the online authorization response to determine the type of cryptogram to request from the card:

• If the issuer has approved the transaction, the terminal requests an approval (TC).
• If the issuer has requested a referral, it is recommended that the terminal request a decline (AAC). However, the terminal may request an approval (TC) if the issuer has requested a referral.
• If the Authorization Response Code does not indicate approve or refer, the terminal requests an AAC.

For valid Authorization Response Codes (field 39) for approvals, declines, and referrals, refer to the V.I.P. System Technical Reference Volume 2, Field and Code Descriptions.

13.4.1.3 Online Authorization Unable to Complete

If the card requested online processing and the terminal does not support online processing or the online authorization did not complete, the terminal uses the Issuer Action Code (IAC)—Default and the Terminal Action Code (TAC)—Default to determine the transaction disposition. This IAC and TAC processing is similar to the processing in Terminal Action Analysis described in Chapter 10, Terminal Action Analysis. If any TVR bits and the corresponding bit in the IAC or TAC are both “1”, the terminal requests a decline.

Based on the results of this processing, the terminal issues the final GENERATE AC command to the card. This command also includes an Authorization Response Code, shown in Table 13–4, which indicates that an online authorization was not completed.

Table 13–4: Authorization Response Code for Offline Action Taken

| Terminal Requests | Authorization Response Code | Transaction Disposition |
|---|---|---|
| TC | Y3 | Unable to go online (offline approved) |
| AAC | Z3 | Unable to go online (offline declined) |

13.4.2 Card Responds to Final GENERATE AC Command

The card uses the Authorization Response Code received from the terminal in the final GENERATE AC command to determine whether an online authorization was completed.

• If the Authorization Response Code is one of the offline codes listed in Table 13–4, the online authorization was unable to complete or the terminal did not support online processing.
• If the Authorization Response Code is not one of the offline codes, the online authorization was completed.

The Cryptogram Type requested in the final GENERATE AC command indicates whether the transaction is to be declined (AAC) or approved (TC).

13.4.2.1 Online Authorization Completed

When the online authorization completed, the card uses the final GENERATE AC Cryptogram Type and results from Issuer Authentication to determine the final transaction disposition:

• AAC (Decline) Requested
  If the terminal requests a decline (AAC) in the final GENERATE AC command, the card always returns an AAC in the response. Prior to responding to the terminal with an AAC, the card updates indicators and counters as indicated in the Visa Integrated Circuit Card Specification, Chapter 13, Completion.

• TC (Approval) Requested
  If the terminal requests an approval (TC) in the final GENERATE AC command, the card responds with either an approval or a decline response based on the status of Issuer Authentication processing and card’s Issuer Authentication options.
  The card converts the approval to a decline if either of the following conditions is true:
  – Issuer Authentication failed and the ADA indicates that the transaction should be declined if Issuer Authentication fails
  – Issuer Authentication is mandatory, was not performed, and the ADA indicates that the transaction should be declined if Issuer Authentication is mandatory and not performed
  If neither of the above conditions is true, the card responds with an approval.
  Refer to the Visa Integrated Circuit Card Specification, Chapter 13, Completion, for details on how indicators and counters are set and reset for these conditions.

13.4.2.2 Online Authorization Unable to Complete

When the Authorization Response Code in the final GENERATE AC indicates that online processing was requested but not completed, the card performs additional card risk management steps prior to responding to the terminal. These steps are performed whether the terminal has requested an approval or decline.

• Card Risk Management
  The card performs the following optional card risk management checks if they are supported and the required data elements are present in the card:
  – Velocity Checking for Total Consecutive Transactions (Upper Limit)
    This optional check causes the card to respond with a decline (AAC) if the upper limit for consecutive offline transactions has been exceeded.
  – New Card
    If the card is a new card and the card’s Application Default Action (ADA) indicates that a new card transaction should be declined if it cannot be online authorized, the card responds with a decline (AAC).
  – PIN Try Limit Exceeded on Previous Transaction
    If the PIN Try Counter is zero and the card’s ADA indicates that a transaction should be declined if the PIN Try Limit was exceeded on a previous transaction, the card responds with a decline (AAC).

• Card Response to Terminal
  The card responds to the final GENERATE AC command issued by the terminal as follows:
  – Card Declined Transaction
    If the terminal requested an AAC or the card risk management steps have determined that the card should decline the transaction, the card updates internal counters and indicators according to the Visa Integrated Circuit Card Specification, Chapter 13, Completion, and responds with an AAC.
  – Card Approved Transaction
    If the terminal requested a TC and the results of card risk management indicate that the transaction should be approved, the card updates internal indicators and counters as described in the Visa Integrated Circuit Card Specification, Chapter 13, Completion, and responds with a TC.

13.4.3 Terminal Completes Transaction

Upon receipt of the card’s response to the GENERATE AC command, the terminal processes the Issuer Script, if present (see Chapter 14, Issuer-to-Card Script Processing). Final terminal action is determined by the type of cryptogram the terminal requested and the response from the card in the final GENERATE AC:

• Terminal requested a decline (AAC) in the final GENERATE AC
  The terminal completes the transaction and displays a message indicating that the transaction was declined.
• Terminal requested an approval (TC) in the final GENERATE AC
  – If the card responds with a TC, the terminal completes the transaction and displays a message indicating that the transaction was approved.
  – If the card responds with an AAC, the terminal completes the transaction and displays a message indicating that the transaction was declined.
    ▪ At an ATM, if an online-approved cash disbursement or account transfer transaction is declined by the card because of an Issuer Authentication failure, the ATM shall transmit a reversal. If a balance inquiry transaction is declined for the same reason, the ATM shall not display the balance.
    ▪ At a POS device, if an online-approved purchase transaction is declined by the card because of an Issuer Authentication failure, a reversal is required if the acquirer’s authorization system is single message or host-data-capture.

13.5 Flow

Figure 13–1: Completion (flowchart of the card and terminal steps in Section 13.4: the terminal sets the Authorization Response Code to Y1 (approve) or Z1 (decline) when the first GENERATE AC response is not an ARQC, based on the card response and the results of Combined DDA/AC Generation if performed, or to Y3 (approval) or Z3 (decline) after Terminal Action Analysis with the IAC and TAC Default when the transaction could not be completed online; the card then answers the final GENERATE AC with a TC or an AAC)
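The decision rules of Sections 13.4.1 and 13.4.2 can be traced with a small model. This is an added example, not code from Visa or from the specification: the function names, the `CardState` field names and the `<issuer ARC>` placeholder are assumptions made for illustration, the TVR, IAC and TAC values are constructed integers standing in for the real bitmaps, and the Z1 code returned for an ARQC whose dynamic signature failed is an assumption because the page states only that an AAC is requested.

```python
"""Completion (Chapter 13) decision rules as a study model. Added example."""
from dataclasses import dataclass

TC, AAC, ARQC = "TC", "AAC", "ARQC"
OFFLINE_CODES = {"Y3", "Z3"}      # Table 13-4: unable to go online
ISSUER_ARC = "<issuer ARC>"       # placeholder: field 39 values are not on this page


def terminal_final_request(first_ac, *, cda_failed=False, online_completed=False,
                           issuer_decision="decline", approve_on_referral=False,
                           tvr=0, iac_default=0, tac_default=0):
    """Return (cryptogram requested in the final GENERATE AC, response code).

    The cryptogram is None when the transaction completes offline and no
    second GENERATE AC is issued (13.4.1.1).
    """
    if first_ac == TC:                          # offline approval by the card
        return None, ("Z1" if cda_failed else "Y1")
    if first_ac == AAC:                         # offline decline by the card
        return None, "Z1"
    if cda_failed:                              # ARQC, dynamic signature invalid
        return AAC, "Z1"                        # code is an assumption (see lead-in)
    if online_completed:                        # 13.4.1.2
        approve = issuer_decision == "approve" or (
            issuer_decision == "refer" and approve_on_referral)
        return (TC if approve else AAC), ISSUER_ARC
    # 13.4.1.3: any TVR bit also set in IAC-Default or TAC-Default means decline
    if tvr & (iac_default | tac_default):
        return AAC, "Z3"
    return TC, "Y3"


@dataclass
class CardState:
    """Card-side inputs named on the page; field names are hypothetical."""
    ia_performed: bool = False
    ia_failed: bool = False
    ia_mandatory: bool = False
    ada_decline_if_ia_failed: bool = False
    ada_decline_if_ia_mandatory_not_performed: bool = False
    upper_offline_limit_exceeded: bool = False
    new_card: bool = False
    ada_decline_new_card_if_not_online: bool = False
    pin_try_counter: int = 3
    ada_decline_if_pin_limit_exceeded: bool = False


def card_final_response(requested, arc, card):
    """Card's answer to the final GENERATE AC (13.4.2)."""
    if requested == AAC:                        # a requested decline is never upgraded
        return AAC
    if arc in OFFLINE_CODES:                    # 13.4.2.2: unable to go online
        if card.upper_offline_limit_exceeded:
            return AAC
        if card.new_card and card.ada_decline_new_card_if_not_online:
            return AAC
        if card.pin_try_counter == 0 and card.ada_decline_if_pin_limit_exceeded:
            return AAC
        return TC
    # 13.4.2.1: online authorization completed, Issuer Authentication decides
    if card.ia_failed and card.ada_decline_if_ia_failed:
        return AAC
    if (card.ia_mandatory and not card.ia_performed
            and card.ada_decline_if_ia_mandatory_not_performed):
        return AAC
    return TC


def complete(first_ac, card, **terminal_inputs):
    """Run both sides and report the disposition the terminal displays."""
    requested, arc = terminal_final_request(first_ac, **terminal_inputs)
    if requested is None:
        card_response, approved = first_ac, arc == "Y1"
    else:
        card_response = card_final_response(requested, arc, card)
        approved = card_response == TC
    # 13.4.3: an online approval turned into a decline by an Issuer
    # Authentication failure is the case where ATM and POS reversal rules apply.
    reversal_case = (requested == TC and arc == ISSUER_ARC
                     and card_response == AAC and card.ia_failed)
    return {"requested": requested, "arc": arc, "card_response": card_response,
            "disposition": "approved" if approved else "declined",
            "reversal_case": reversal_case}


if __name__ == "__main__":
    # Constructed scenario: issuer approved online, ARPC validation failed on card.
    card = CardState(ia_performed=True, ia_failed=True, ada_decline_if_ia_failed=True)
    print(complete(ARQC, card, online_completed=True, issuer_decision="approve"))
```

The model makes one property of the flow visible: at every step a party can move a transaction toward decline, but nothing in Completion turns a requested AAC back into an approval.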

13.6 Prior Related Processing

Online Processing

If the card receives an EXTERNAL AUTHENTICATE command from the terminal, the card performs Issuer Authentication processing and sets indicators for Issuer Authentication performed and successful or failed. These indicators are used during Completion by the card in the response decision and in determining which card counters and indicators should be reset.


14 Issuer-to-Card Script Processing

Issuer-to-Card Script Processing permits issuers to change personalized data on cards without card reissuance. With this function, the issuer transmits commands in issuer scripts contained in the authorization response message. The terminal passes these commands to the card where they are executed if security requirements are satisfied.

Commands are supported for:

• Updating card parameters
• Blocking or unblocking the application
• Blocking the card
• Unblocking the PIN Try Counter
• Changing the Offline PIN

Issuer-to-Card Script Processing limits credit and fraud exposure by allowing blocking of overspent and stolen cards. Card parameters can be modified to correspond to changing cardholder circumstances.

This chapter is organized in the following manner:

14.1 Script-Related Keys
14.2 Card Data
14.3 Terminal Data
14.4 Online Response Data
14.5 Commands
14.6 Processing
14.7 Processing Flow
14.8 Prior Related Processing
14.9 Subsequent Related Processing

14.1 Script-Related Keys

The recommended secure messaging methods for Issuer-to-Card Script Processing mentioned in Section 14.6.3 use the following card and issuer-based keys.

14.1.1 Message Authentication Code Keys

The Message Authentication Code (MAC) keys are used in the generation and validation of the script command’s MAC. The MAC is a cryptogram included in script commands that ensures that the command has not been altered (message integrity) and that the command came from the valid issuer (issuer authentication). The MACing process uses three keys:

- Master Message Authentication Code Key (MAC MDK) is an issuer-unique double-length DES key. The MAC MDK is used to generate the card’s Unique Message Authentication Code Key (MAC UDK) and the transaction’s MAC Session Key.
- Unique Message Authentication Code Key (MAC UDK) is a double-length DES key personalized on the card. It is derived from the issuer’s MAC MDK. The MAC UDK is used to generate a MAC Session Key during the transaction.
- The MAC Session Key is a transaction-unique double-length DES key used to generate and validate the script command’s MAC at the time of transaction.

These MAC keys are required if the Visa recommended method of secure messaging is supported.

14.1.2 Data Encipherment Keys

The Data Encipherment Keys are used to encipher confidential issuer script data such as Offline PIN values during the transmission of the script from the issuer host computer to the card. This encipherment process uses three keys:

- Master Data Encipherment DEA Key (ENC MDK) is an issuer-unique double-length DES key. The ENC MDK is used to generate the card’s Unique Data Encipherment DEA Key (ENC UDK) and the transaction’s Data Encipherment Session Key.
- Unique Data Encipherment DEA Key (ENC UDK) is a double-length DES key personalized on the card and used to generate the Data Encipherment Session Key. The ENC UDK is derived from the ENC MDK.
- Data Encipherment Session Key is a transaction-unique double-length DES key derived from the ENC MDK and used by the issuer host computer to encipher confidential data in the issuer script.

These data encipherment keys are required if the Visa recommended method of secure messaging is supported and the issuer script commands may include confidential data such as Offline PIN values.

14.2 Card Data

The indicators and counters in the card described in Table 14–1 are used in processing script commands. The Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table, contains a detailed description of card data elements and their usage.

Table 14–1: Issuer-to-Card Script Processing—Card Data

| Data Element | Description |
| --- | --- |
| Application Transaction Counter (ATC) | The ATC is used in the generation of the Message Authentication Code (MAC) and Data Encipherment session keys. |
| Card Verification Results (CVR) | The CVR contains flags related to script processing, which are updated with the script results. |
| Issuer Script Command Counter | The Issuer Script Command Counter is used to count the Script Update commands received during a transaction. |
| Issuer Script Failure Indicator | The Issuer Script Failure Indicator is set when Issuer Script processing fails and remains set until it is reset after a subsequent online transaction. |

14.3 Terminal Data

The terminal data elements described in Table 14–2 are used during Issuer Script processing. The Visa Integrated Circuit Card Specification, Appendix A, Card and Issuer Data Elements Table, contains a detailed description of terminal data elements and their usage.

Table 14–2: Issuer-to-Card Script Processing—Terminal Data

| Data Element | Description |
| --- | --- |
| Issuer Script Results | The Issuer Script Results contains the results of Issuer Script processing and is sent to the issuer in a clearing message or other online message. |
| Terminal Verification Results (TVR) | The TVR contains indicators that are set if Issuer Script processing fails. |
| Transaction Status Information (TSI) | The TSI contains an indicator that is set if an issuer script is processed. |

14.4 Online Response Data

The data elements described in Table 14–3 are included in the issuer script received in the online response from the issuer.

Table 14–3: Issuer-to-Card Script Processing—Online Response Data

| Data Element | Description |
| --- | --- |
| Issuer Script Command | The Issuer Script command contains the command transmitted from the issuer, which is sent to the card. |
| Issuer Script Identifier | The Issuer Script Identifier is a number used to uniquely identify an issuer script. |
| Issuer Script Template 2 | The Issuer Script Template 2 contains proprietary issuer data for transmission to the card after the final GENERATE AC command. |

14.5 Commands

The following script commands for Issuer Script processing are supported:

APPLICATION BLOCK

This command blocks the use of the selected application. If the application is blocked during the processing of a transaction, the card and terminal continue to process the transaction through Completion. During any subsequent application selection, the card does not allow the blocked application to be available for application selection to perform a financial transaction. The terminal may select an application that was blocked in order to unblock the application. However, if this occurs, the card is required to return an Application Authentication Cryptogram (AAC) in response to a GENERATE APPLICATION CRYPTOGRAM (AC) command.

APPLICATION UNBLOCK

This command reverses the status of an application that is blocked. Unblocking of an application occurs only at a special device designated by the issuer.

CARD BLOCK

The CARD BLOCK command permanently disables all applications on the card.

PIN CHANGE/UNBLOCK

The PIN CHANGE/UNBLOCK command provides the issuer with the capability either to unblock the Reference PIN (reset the PIN Try Counter) or to simultaneously change and unblock the Reference PIN. PIN changes using PIN CHANGE/UNBLOCK or other methods should only be performed within a secure environment controlled by the issuer.

PUT DATA

The PUT DATA command allows specific primitive data objects in the card to be updated. In this version of the Visa Integrated Circuit Card Specification, only the following data elements should be allowed to be updated using Issuer Script processing:

- Lower Consecutive Offline Limit
- Upper Consecutive Offline Limit
- Consecutive Transaction Limit (International)
- Consecutive Transaction Limit (International—Country)
- Cumulative Total Transaction Amount Limit
- Cumulative Total Transaction Amount Upper Limit
- Cumulative Total Transaction Amount Limit (Dual Currency)
- Currency Conversion Factor
- VLP Single Transaction Limit
- VLP Funds Limit

If terminal velocity checking is not supported, all of these card data elements, if present, are stored in proprietary internal files. If terminal velocity checking is supported, the Lower Consecutive Offline Limit and the Upper Consecutive Offline Limit are stored in records and accessible to the terminal using the READ RECORD command.

UPDATE RECORD

The UPDATE RECORD command is used to update a record in a file with the data provided in the command’s data field. The UPDATE RECORD command is required to update the PIN Verification Value (PVV) in the track data on the chip to support a PIN change. It is also required for updates to the Upper and Lower Consecutive Offline Limits if Terminal Velocity Checking is supported by the card. Issuer script commands cannot be used to update the data on the physical magnetic stripe.

14.6 Processing

Issuer-to-Card Script Processing is comprised of issuer scripts, command processing, and secure messaging.

14.6.1 Issuer Scripts

The Issuer Script is transmitted to the acquirer by the issuer in the response message. In this version of the Visa Integrated Circuit Card Specification, at most only one Issuer Script shall be transmitted in the response message. In a subsequent version, multiple Issuer Scripts may be allowed in a response message. Issuer Scripts transmitted in the response message always have tag “72”, indicating that Issuer Script processing is to be performed after the final GENERATE AC command.

The originator of an Issuer Script Command is assumed to be the card issuer. If an entity other than the issuer originates the commands, the same requirements apply.

14.6.2 Command Processing

The recommended Issuer Script commands are used to perform the functions described earlier in this chapter.

Visa requires that some form of issuer authentication be successfully performed prior to processing an Issuer Script Command. This requirement may be satisfied by successfully performing secure messaging for that command since secure messaging is a form of issuer authentication.

The issuer uses secure messaging in Issuer Script processing for each command that instructs the card to modify any information contained in the card. The card performs the requested command to update, reset, change, or alter the data contained on the card only if 1) that command supports secure messaging and 2) secure messaging was performed successfully.

14.6.3 Secure Messaging

The principal objectives of secure messaging are to ensure data confidentiality, message integrity, and issuer authentication. Message integrity and issuer authentication are achieved using a MAC. Data confidentiality is achieved using encipherment of the plaintext command data (if present).

Data confidentiality ensures that secret data remains secret during transmission from the issuer to the card. Message integrity ensures that commands and command data are not altered during transmission. Issuer authentication ensures that the command came from the valid issuer.

Validation of the MAC and decryption of enciphered data requires the use of session keys. These session keys are unique for each transaction and generated as described in Section 14.1, Script-Related Keys, of this chapter.

14.7 Processing Flow

Figure 14–1 illustrates how Issuer-to-Card Script Processing might be performed.

Figure 14–1: Issuer-to-Card Script Processing

[Flowchart with Card and Terminal columns, linked by the Script Command and the Script Command Response. Box labels:]

- Terminal completes Online Processing and Completion
- Issuer Script present in response? (Y/N)
- Terminal parses out Issuer Script command in sequential order
- Terminal sends command to card
- Card processes command including performing secure messaging
- Command processing successful? (Y/N)
- Card sets response code for success
- Card sets response code to show error
- Card returns command response with response code
- Response code shows error? (Y/N)
- Terminal sets Script Processing Failed in TVR bit
- Another command present? (Y/N)
- Another script present? (Y/N)
- Terminal sets Issuer Script Processing Performed in TSI bit
- Terminal completes transaction processing
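The terminal side of Figure 14–1, as an added example that is not code from the Visa specification: it parses one template “72”, forwards each command in issuer order, and sets the TVR and TSI bits. Tags 9F18 and 86, the status-word rule, the bit positions and the Issuer Script Results layout are taken from the EMV specifications rather than this overview; the sample script bytes and the simulated card are constructed.

```python
# Added example: terminal-side handling of one Issuer Script (template tag '72').
# Tags, status-word rule and TVR/TSI bit positions follow EMV; sample bytes are
# constructed and the card is simulated.

TAG_SCRIPT_TEMPLATE_2 = 0x72       # script processed after the final GENERATE AC
TAG_SCRIPT_IDENTIFIER = 0x9F18     # Issuer Script Identifier (4 bytes)
TAG_SCRIPT_COMMAND = 0x86          # Issuer Script Command (one command APDU)
TVR_BYTE5_FAILED_AFTER_FINAL_GAC = 0x10
TSI_BYTE1_SCRIPT_PERFORMED = 0x04


def read_tlv(buf, pos):
    """Decode one BER-TLV object at buf[pos:]; return (tag, value, next_pos)."""
    def take(n):
        nonlocal pos
        if pos + n > len(buf):
            raise ValueError("truncated TLV")
        chunk = buf[pos:pos + n]
        pos += n
        return chunk

    tag = take(1)[0]
    if tag & 0x1F == 0x1F:                       # more tag bytes follow
        while True:
            nxt = take(1)[0]
            tag = (tag << 8) | nxt
            if not nxt & 0x80:
                break
    length = take(1)[0]
    if length & 0x80:                            # long form: 1 or 2 length bytes
        count = length & 0x7F
        if count not in (1, 2):
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(take(count), "big")
    value = take(length)
    return tag, value, pos


def parse_issuer_script(data):
    """Return (script_id, [command APDUs in issuer order]) or raise ValueError."""
    tag, body, end = read_tlv(data, 0)
    if tag != TAG_SCRIPT_TEMPLATE_2 or end != len(data):
        raise ValueError("expected exactly one template '72'")
    script_id, commands, pos = bytes(4), [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == TAG_SCRIPT_IDENTIFIER and len(value) == 4:
            script_id = value
        elif tag == TAG_SCRIPT_COMMAND and len(value) >= 4:   # CLA INS P1 P2
            commands.append(value)
        else:
            raise ValueError("unexpected or malformed object %X" % tag)
    return script_id, commands


def process_issuer_script(data, send_apdu, tvr, tsi):
    """Deliver the commands in order and return the 5-byte Issuer Script Results.

    send_apdu(apdu) -> (sw1, sw2) is the card interface; tvr (5 bytes) and
    tsi (2 bytes) are bytearrays updated in place. A malformed script raises
    ValueError before anything is sent to the card.
    """
    script_id, commands = parse_issuer_script(data)
    if not commands:
        return bytes([0x00]) + script_id         # script not performed
    tsi[0] |= TSI_BYTE1_SCRIPT_PERFORMED
    for seq, apdu in enumerate(commands, start=1):
        sw1, _sw2 = send_apdu(apdu)
        if sw1 not in (0x90, 0x62, 0x63):        # anything but success/warning
            tvr[4] |= TVR_BYTE5_FAILED_AFTER_FINAL_GAC
            # High nibble 1 = failed, low nibble = failing command (capped at F).
            return bytes([0x10 | min(seq, 0x0F)]) + script_id
    return bytes([0x20]) + script_id             # high nibble 2 = successful


def tlv(tag_hex, value):
    """Encode a short (<128 byte) TLV object; used only to build the sample."""
    return bytes.fromhex(tag_hex) + bytes([len(value)]) + value


# Constructed sample: identifier 11223344, then PUT DATA and APPLICATION BLOCK
# headers followed by placeholder data/MAC bytes (not real cryptograms).
SAMPLE_ID = bytes.fromhex("11223344")
SAMPLE_COMMANDS = [bytes.fromhex("04DA9F140905") + b"\xAA" * 8,
                   bytes.fromhex("841E000008") + b"\xBB" * 8]
SAMPLE_SCRIPT = tlv("72", tlv("9F18", SAMPLE_ID)
                    + b"".join(tlv("86", c) for c in SAMPLE_COMMANDS))


def simulated_card(status_words):
    """Return (send_apdu, log): a stand-in card answering with the given SWs."""
    log, replies = [], iter(status_words)

    def send_apdu(apdu):
        log.append(apdu)
        return next(replies)
    return send_apdu, log


if __name__ == "__main__":
    tvr, tsi = bytearray(5), bytearray(2)
    send, log = simulated_card([(0x90, 0x00), (0x69, 0x88)])
    result = process_issuer_script(SAMPLE_SCRIPT, send, tvr, tsi)
    print(result.hex(), tvr.hex(), tsi.hex())
```

The terminal forwards the command bytes without interpreting them; whether a command is honoured is decided by the card's secure messaging check.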

14.8 Prior Related Processing

Online Processing

The online response received from the acquirer may contain an issuer script to be processed during Issuer-to-Card Script Processing.

14.9 Subsequent Related Processing

Card Action Analysis (subsequent transactions)

During Card Action Analysis for the card’s next transactions, the CVR subfields are set to indicate script results from the previous transaction based upon the Issuer Script Failure Indicator and Issuer Script Command Counter stored in the card. The issuer receives this Card Verification Results (CVR) data in the next clearing record and next online authorization.

Completion (subsequent transactions)

The card resets the Issuer Script Failure Indicator and Issuer Script Command Counter to “0” after online transactions if any of the following conditions exist:

- Issuer Authentication was successful
- Issuer Authentication was optional and not performed
- Issuer Authentication was not supported

The Issuer Script Failure Indicator and Issuer Script Command Counter are not reset if an online authorization is not completed or if the card’s Issuer Authentication requirements are not satisfied.
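The card-side rule from Section 14.6.2 and the counter and indicator handling from Sections 14.2 and 14.9, as an added example rather than Visa's implementation. HMAC-SHA-256 stands in for the DES-based session-key derivation and MAC, which this overview does not specify; the class, the function names and the key bytes are assumptions.

```python
# Added example: card-side gate for script updates plus the counter/indicator
# lifecycle. HMAC-SHA-256 is a stand-in for the DES-based session-key derivation
# and MAC; all names and key bytes are constructed for illustration.
import hashlib
import hmac

UPDATABLE_BY_PUT_DATA = {            # subset of the list in Section 14.5
    "Lower Consecutive Offline Limit",
    "Upper Consecutive Offline Limit",
    "VLP Funds Limit",
}
RESET_ALLOWED = {"successful", "optional_not_performed", "not_supported"}


def mac_session_key(mac_udk, atc):
    """Transaction-unique key from the card's MAC UDK and the ATC (stand-in)."""
    return hmac.new(mac_udk, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def script_mac(session_key, command, element, value):
    """8-byte MAC over the whole command, so any altered field changes it."""
    parts = [command.encode(), element.encode(), value]
    message = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(session_key, message, hashlib.sha256).digest()[:8]


class Card:
    def __init__(self, mac_udk):
        self.mac_udk = mac_udk
        self.atc = 0
        self.data = {}
        self.script_command_counter = 0
        self.script_failure_indicator = 0

    def start_transaction(self):
        """Advance the ATC; return the script results the CVR would report."""
        self.atc += 1
        return {"commands": self.script_command_counter,
                "failed": self.script_failure_indicator}

    def put_data(self, element, value, mac):
        """Apply the update only if secure messaging succeeds; fail closed."""
        self.script_command_counter += 1          # counts every command received
        key = mac_session_key(self.mac_udk, self.atc)
        expected = script_mac(key, "PUT DATA", element, value)
        accepted = (mac is not None
                    and element in UPDATABLE_BY_PUT_DATA
                    and hmac.compare_digest(mac, expected))
        if not accepted:
            self.script_failure_indicator = 1     # stays set until a reset
            return False
        self.data[element] = value
        return True

    def complete(self, online, issuer_auth):
        """Reset counter and indicator only under the conditions in 14.9."""
        if online and issuer_auth in RESET_ALLOWED:
            self.script_command_counter = 0
            self.script_failure_indicator = 0


def issuer_put_data(mac_udk, atc, element, value):
    """Issuer host side: build (element, value, mac) for the card's current ATC."""
    key = mac_session_key(mac_udk, atc)
    return element, value, script_mac(key, "PUT DATA", element, value)


def demo():
    udk = bytes(range(16))                        # constructed key bytes
    card = Card(udk)
    card.start_transaction()                      # ATC = 1
    good = issuer_put_data(udk, card.atc, "VLP Funds Limit", b"\x00\x50")
    results = [card.put_data(*good)]                                     # valid
    results.append(card.put_data(good[0], b"\x99\x99", good[2]))         # altered
    results.append(card.put_data("VLP Funds Limit", b"\x00\x50", None))  # no MAC
    card.complete(online=True, issuer_auth="failed")                     # no reset
    reported = card.start_transaction()           # ATC = 2, reports last results
    results.append(card.put_data(*good))          # old command under a new ATC
    card.complete(online=True, issuer_auth="successful")
    return results, reported, card.start_transaction(), card.data


if __name__ == "__main__":
    print(demo())
```

Because the session key depends on the ATC, a command that verified in one transaction fails verification when presented again in a later one.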


A Acronyms

| Acronym | Meaning |
| --- | --- |
| a | alpha |
| AAC | Application Authentication Cryptogram |
| AAR | Application Authentication Referral |
| AC | Application Cryptogram |
| ADA | Application Default Action |
| ADF | Application Definition File |
| AEF | Application Elementary File |
| AFL | Application File Locator |
| AID | Application Identifier |
| AIP | Application Interchange Profile |
| AMD | Application Management Data |
| an | alphanumeric |
| ans | alphanumeric special |

| Acronym | Meaning |
| --- | --- |
| APDU | Application Protocol Data Unit |
| ARPC | Authorization Response Cryptogram |
| ARQC | Authorization Request Cryptogram |
| ATC | Application Transaction Counter |
| ATM | Automated Teller Machine |
| AUC | Application Usage Control |
| Auth. | authentication |
| b | binary |
| BIN | BASE Identification Number |
| C | conditional |
| CA | Certificate Authority |
| CAM | Card Authentication Method |
| CDOL | Card Risk Management Data Object List |
| Cert. | certificate |
| CID | Cryptogram Information Data |
| CLA | Class Byte of the Command Message |
| cn | compressed numeric |
| Cons. | consecutive |
| CPLC | Card Production Life Cycle Data |
| Cum. | cumulative |
| CVM | Cardholder Verification Method |

| Acronym | Meaning |
| --- | --- |
| CVR | Card Verification Results |
| CVV | Card Verification Value |
| DDA | Dynamic Data Authentication |
| DDF | Directory Definition File |
| DDOL | Dynamic Data Authentication Data Object List |
| DEA | Data Encryption Algorithm |
| DES | Data Encryption Standard |
| DF | dedicated file |
| EEPROM | Electronically Erasable Programmable Read-Only Memory |
| EMV | Europay, MasterCard, Visa |
| ENC MDK | Master Data Encipherment DEA Key |
| ENC UDK | Unique Data Encipherment DEA Key |
| FCI | File Control Information |
| FCP | File Control Parameters |
| FMD | File Management Data |
| GPO | GET PROCESSING OPTIONS |
| hex. | hexadecimal |
| HHMMSS | hours, minutes, seconds |
| HSM | host security module |
| IA | Issuer Authentication |
| IAC | Issuer Action Code |

| Acronym | Meaning |
| --- | --- |
| IC | integrated circuit |
| ICC | integrated circuit card |
| IEC | International Electrotechnical Commission |
| IFD | interface device |
| INS | Instruction Byte of the Command Message |
| Int’l | international |
| ISO | International Organization for Standardisation |
| Lc | Length of the Command Data Field |
| Le | Expected Length of the Response Data Field |
| LD | Length of the plaintext data in the Command Data Field |
| LRC | Longitudinal Redundancy Check |
| M | mandatory |
| MAC | Message Authentication Code |
| MAC MDK | Master Message Authentication Code DEA Key |
| MAC UDK | Unique Message Authentication Code DEA Key |
| MCC | Merchant Category Code |
| MDK | Master DEA Key |
| n | numeric |
| N/A | not applicable |
| NCA | Length of the Certification Authority Public Key Modulus |
| NI | Length of the Issuer Public Key Modulus |

| Acronym | Meaning |
| --- | --- |
| NIC | Length of the ICC Public Key Modulus |
| No. | number |
| O | optional |
| P1 | Parameter 1 |
| P2 | Parameter 2 |
| PAN | Primary Account Number |
| PDOL | Processing Options Data Object List |
| PIN | Personal Identification Number |
| PIX | Proprietary Application Identifier Extension |
| PK | public key |
| PKI | Certificate Authority Public Key Index |
| POS | point of service |
| PSE | payment system environment |
| PVV | PIN Verification Value |
| R | required |
| RFU | Reserved for Future Use |
| RID | Registered Application Provider Identifier |
| ROM | Read-Only Memory |
| RSA | Rivest, Shamir, Adleman |
| SAD | Signed Static Application Data |
| SAM | Secure Access Module |

| Acronym | Meaning |
| --- | --- |
| SDA | Static Data Authentication |
| SFI | Short File Identifier |
| SW1, SW2 | Status Words |
| TC | Transaction Certificate |
| TDOL | Transaction Certificate Data Object List |
| TLV | tag-length-value |
| Txn. | transaction |
| TSI | Transaction Status Information |
| TVR | Terminal Verification Results |
| UDK | Unique DEA Key |
| var. | variable |
| V.I.P. | VisaNet Integrated Payment |
| VLP | Visa Low-value Payment |
| YDDD | year, day where Y = right-most digit of the year (0–9) and DDD = Julian day of the year (001–366) |
| YYMM | year, month where YY = year (00–99) and MM = month (01–12) |
| YYMMDD | year, month, day where DD = day (01–31) |

Glossary

This is a glossary of terms used in this specification; it is not intended as a data dictionary. For descriptions of specific card and issuer data elements, refer to Appendix A of the Card and Terminal volumes of this specification.

acquirer

A Visa member that signs a merchant or disburses currency to a cardholder in a cash disbursement, and directly or indirectly enters the resulting transaction into interchange.

ANSI

American National Standards Institute. A U.S. standards accreditation organization.

application

A computer program and associated data that reside on an integrated circuit chip and satisfy a business function. Examples of applications include payment, stored value, and loyalty.

Application Authentication Cryptogram (AAC)

A cryptogram generated by the card for offline and online declined transactions.

application block

Instructions sent to the card by the issuer, to shut down the selected application on a card to prevent further use of that application. This process does not preclude the use of other applications on the card.

ATM

An unattended terminal that has electronic capability, accepts PINs, and disburses currency or checks.


ATM cash disbursement

A cash disbursement obtained at an ATM displaying the Visa, PLUS, or Visa Electron acceptance mark, for which the cardholder’s PIN is accepted.
authentication

A cryptographic process that validates the identity and integrity of data.
authorization

A process where an issuer or a representative of the issuer approves a transaction.
authorization controls

Information in the chip application enabling the card to act on the issuer’s behalf at the point of transaction. The controls help issuers manage their below-floor-limit exposure to fraud and credit losses. Also known as offline authorization controls.
authorization request

A merchant’s or acquirer’s request for an authorization.
Authorization Request Cryptogram (ARQC)

The cryptogram generated by the card for transactions requiring online authorization and sent to the issuer in the authorization request. The issuer validates the ARQC during the Online Card Authentication (CAM) process to ensure that the card is authentic and was not created using skimmed data.
authorization response

The issuer’s reply to an authorization request. Types of authorization responses are:

- approval
- decline
- pickup
- referral

Authorization Response Cryptogram (ARPC)

A cryptogram generated by the issuer and sent to the card in the authorization response. This cryptogram is the result of the Authorization Request Cryptogram (ARQC) and the Issuer’s authorization response encrypted with the Unique Derivation Key (UDK). It is validated by the card during Issuer Authentication to ensure that the response came from a valid issuer.
Bank Identification Number (BIN)

A 6-digit number assigned by Visa and used to identify a member or processor for authorization, clearing, or settlement processing.


BASE I Authorization System

The V.I.P. System component that performs message routing, cardholder and card verification, and related functions such as reporting and file maintenance.
BASE II

The VisaNet system that provides deferred clearing and settlement services to members.
byte

8 bits of data.
card acceptance device

A device capable of reading and/or processing a magnetic stripe or chip on a card for the purpose of performing a service such as obtaining an authorization or processing a payment.
card authentication

A means of validating whether a card used in a transaction is the genuine card issued by the issuer.
Card Authentication Method (CAM)

See Online Card Authentication.
card block

Instructions, sent to the card by the Issuer, which shut down all proprietary and non-proprietary applications that reside on a card to prevent further use of the card.
Card Verification Value (CVV)

A unique check value encoded on a card’s magnetic stripe and chip to validate card information during an online authorization.
cardholder

An individual to whom a card is issued or who is authorized to use that card.
cardholder verification

The process of determining that the presenter of the card is the valid cardholder.
Cardholder Verification Method (CVM)

A method used to confirm the identity of a cardholder.
cash disbursement

Currency, including travelers cheques, paid to a cardholder using a card.


cashback

Cash obtained in conjunction with, and processed as, a purchase transaction.
CCPS

Chip Card Payment Service, the former name for Visa Smart Debit and Visa Smart Credit (VSDC).
Certificate Authority (CA)

A trusted central administration that issues and revokes certificates.
chargeback

A transaction that an issuer returns to an acquirer.
chip

An electronic component designed to perform processing or memory functions.
chip-capable

A card acceptance device that is designed and constructed to facilitate the addition of a chip reader/writer.
chip card

A card embedded with a chip that communicates information to a point-of-transaction terminal.
clearing

The collection and delivery to the issuer of a completed transaction record from an acquirer.
cleartext

See plaintext.
cryptogram

A numeric value that is the result of data elements entered into an algorithm and then encrypted. Commonly used to validate data integrity.
cryptographic key

The numeric value entered into a cryptographic algorithm that allows the algorithm to encrypt or decrypt a message.
cryptography

The art or science of keeping messages secret or secure, or both.


CVM List

An issuer-defined list contained within a chip application establishing the hierarchy of methods for verifying the authenticity of a cardholder.

data authentication

Validation that data stored in the integrated circuit card has not been altered since card issuance. See also Offline Data Authentication.

Data Encryption Algorithm (DEA)

An encipherment operation and an inverse decipherment operation in a cryptographic system.

Data Encryption Standard (DES)

The public domain symmetric key cryptography algorithm of the National Institute for Standards and Technology.

decryption

The process of transforming ciphertext into cleartext.

DES key

A secret parameter of the Data Encryption Standard algorithm, consisting of 56 bits that must be independent and random, and 8 error-detecting bits set to make the parity of each 8-bit byte of the key odd.

digital signature

A cryptogram generated by encrypting a message digest (or hash) with a private key that allows the message content and the sender of the message to be verified.

double-length DES Key

Two secret 64-bit input parameters each of the Data Encryption Standard algorithm.

Dynamic Data Authentication (DDA)

A type of Offline Data Authentication where the card generates a cryptographic value using transaction-specific data elements for validation by the terminal to protect against skimming.

Easy Entry

A replication of the magnetic stripe information on the chip to facilitate payment as part of multi-application programs. Easy Entry is not EMV-compliant and is being phased out.

EMV specifications

Technical specifications developed jointly by Europay International, MasterCard International, and Visa International to create standards and ensure global interoperability for use of chip technology in the payment industry.

encryption

The process of transforming cleartext into ciphertext.

expired card

A card on which the embossed, encoded, or printed expiration date has passed.

floor limit

A currency amount that Visa has established for single transactions at specific types of merchants, above which online authorization is required.

Hardware Security Module (HSM)

A secure module used to store cryptographic keys and perform cryptographic functions.

hash

The result of a non-cryptographic operation, which produces a unique value from a data stream.

host data capture system

An acquirer authorization system that retains authorized transactions for settlement without notification from the terminal that the transaction was completed.

Integrated Circuit Card (ICC)

See chip card.

Integrated Circuit Chip

See chip.

interchange

The exchange of clearing records between members.

International Organisation for Standardisation (ISO)

The specialized international agency that establishes and publishes international technical standards.

interoperability

The ability of all card acceptance devices and terminals to accept and read all chip cards that are properly programmed.

issuer

A Visa member that issues Visa or Electron cards, or proprietary cards bearing the PLUS or Visa Electron Symbol.

Issuer Action Codes (IACs)

Card-based rules which the terminal uses to determine whether a transaction should be declined offline, sent online for an authorization, or declined if online is not available.

Issuer Authentication

Validation of the issuer by the card to ensure the integrity of the authorization response. See Authorization Response Cryptogram (ARPC).

key generation

The creation of a new key for subsequent use.

key management

The handling of cryptographic keys and other related security parameters during the entire life cycle of the keys, including their generation, storage, distribution, entry and use, deletion or destruction, and archiving.

magnetic stripe

The stripe on the back of the card that contains the magnetically coded account information necessary to complete a non-chip electronic transaction.

Magnetic Stripe Image

The minimum chip payment service data replicating information in the magnetic stripe required to process a transaction that is compliant with EMV.

Master Derivation Keys (MDK)

Master DES keys stored in the issuer host system. These keys are used to generate Unique Derivation Keys (UDKs) for personalization, to validate ARQCs, and to generate ARPCs.

merchant category code (MCC)

A code designating the principal trade, profession, or line of business in which a merchant is engaged.

message authentication code (MAC)

A digital code generated using a cryptographic algorithm which establishes that the contents of a message have not been changed and that the message was generated by an authorized entity.

multi-application

The presence of multiple applications on a chip card (for example, payment, loyalty, and identification).

nibble

The four most significant or least significant bits of a byte of data.

offline approval

A transaction that is positively completed at the point of transaction between the card and terminal without an authorization request to the issuer.

offline authorization

A method of processing a transaction without sending the transaction online to the issuer for authorization.

offline-capable

A card acceptance device that is able to perform offline approvals.

Offline Data Authentication

A process whereby the card is validated at the point of transaction using RSA public key technology to protect against counterfeit or skimming. VIS includes two forms: Static Data Authentication (SDA) and Dynamic Data Authentication (DDA).

offline decline

A transaction that is negatively completed at the point of transaction between the card and terminal without an authorization request to the issuer.

offline-only terminal

A card acceptance device that is not capable of sending transactions online for issuer authorization.

offline PIN

A PIN value stored on the card that is validated at the point of transaction between the card and the terminal.

offline PIN verification

The process whereby a cardholder-entered PIN is passed to the card for comparison to a PIN value stored secretly on the card.

online authorization

A method of requesting an authorization through a communications network other than voice to an issuer or issuer representative.

online-capable terminal

A card acceptance device that is able to send transactions online to the issuer for authorization.

Online Card Authentication (CAM)

Validation of the card by the issuer to protect against data manipulation and skimming. See Authorization Request Cryptogram (ARQC).

online PIN

A method of PIN verification where the PIN entered by the cardholder into the terminal PIN pad is DES-encrypted and included in the online authorization request message sent to the issuer.

personalization

The process of populating a card with the application data that makes it ready for use.

plaintext

Data in its original unencrypted form.

point of transaction (POT)

The physical location where a merchant or acquirer (in a face-to-face environment) or an unattended terminal (in an unattended environment) completes a transaction.

point-of-transaction terminal

A device used at the point of transaction that has a corresponding point-of-transaction capability. See also Card Acceptance Device.

post-issuance update

A command sent by the issuer through the terminal via an authorization response to update the electronically stored contents of a chip card.

private key

As part of an asymmetric cryptographic system, the key that is kept secret and known only to the owner.

public key

As part of an asymmetric cryptographic system, the key known to all parties.

public key cryptographic algorithm

A cryptographic algorithm that allows the secure exchange of information, but does not require a shared secret key, through the use of two related keys—a public key which may be distributed in the clear and a private key which is kept secret.

public key pair
The two mathematically related keys, a public key and a private key which, when used with the appropriate public key cryptographic algorithm, can allow the secure exchange of information, without the secure exchange of a secret.

purchase transaction
A retail purchase of goods or services; a point-of-sale transaction.

quasi-cash transaction
A transaction representing a merchant’s sale of items, such as gaming chips or money orders, that are directly convertible to cash.

random selection
An EMV online-capable terminal function that allows for the selection of transactions for online processing. Part of Terminal Risk Management.

receipt
A paper record of a transaction generated for the cardholder at the point of transaction.

referral response
An authorization response where the merchant or acquirer is instructed to contact the issuer for further instructions before completing the transaction.

reversal
A BASE II or online financial transaction used to negate or cancel a transaction that has been sent through interchange.

ROM (Read-Only Memory)
Permanent memory that cannot be changed once it is created. It is used to store chip operating systems and permanent data.

RSA (Rivest, Shamir, Adleman)
A public key cryptosystem developed by Rivest, Shamir, and Adleman, used for data encryption and authentication.

secret key
A key that is used in a symmetric cryptographic algorithm (that is, DES), and cannot be disclosed publicly without compromising the security of the system. This is not the same as the private key in a public/private key pair.

secure messaging
A process that enables messages to be sent from one entity to another, and protects against unauthorized modification or viewing.

session key
A temporary cryptographic key computed in volatile memory and not valid after a session is ended.

settlement
The reporting of settlement amounts owed by one member to another or to Visa, as a result of clearing.

Single Message System
A component of the V.I.P. System that processes Online Financial and Deferred Clearing transactions.

smart card
A commonly used term for a chip card.

Static Data Authentication (SDA)
A type of Offline Data Authentication where the terminal validates a cryptographic value placed on the card during personalization. This validation protects against some types of counterfeit, but does not protect against skimming.

Terminal Action Codes (TACs)
Visa-defined rules in the terminal which the terminal uses to determine whether a transaction should be declined offline, sent online for an authorization, or declined if online is not available.

transaction
An exchange of information between a cardholder and a merchant or an acquirer that results in the completion of a financial transaction.

Triple DES
The data encryption algorithm used with a double-length DES key.

V.I.P. System
VisaNet Integrated Payment System, the online processing component of VisaNet.

Visa Certificate Authority (CA)
A Visa-approved organization certified to issue certificates to participants in a Visa payment service.

Visa Low-value Payment (VLP)
VLP is a feature of VSDC designed to provide an optional source of pre-authorized spending power that is reserved for rapid processing of offline low-value payments.

Visa Smart Debit and Visa Smart Credit (VSDC)
The Visa service offerings for chip-based debit and credit programs. These services, based on EMV and VIS specifications, are supported by VisaNet processing, as well as by Visa rules and regulations.

VisaNet
The systems and services, including the V.I.P. and BASE II systems, through which Visa delivers online financial processing, authorization, clearing, and settlement services to members.

