© 2016 DFS Services LLC | Confidential and Proprietary
D-PAS U.S. Chip Terminal Guide
Version 1.0 / January 2016
Disclaimer
This D-PAS: U.S. Chip Contact Terminal Guide (this “Guide”) provides guidelines to assist Merchants and Value Added Resellers (VARs), including, but not limited to, Independent Software Vendors (ISVs) and Payment Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to the U.S. market when accepting Discover Network and its partners’ chip card products. This guide is subject to change by Discover at any time without notice to any party. Neither this Guide nor any other document or communication creates any binding obligations upon Discover or any third party regarding testing services or Discover approval, which obligations will exist, if at all, pursuant to separate written agreements executed by Discover and such third parties. This Guide is provided “AS IS”, “WHERE IS” and “WITH ALL FAULTS”. Neither Discover, nor Diners Club International (DCI), nor any of their affiliates, subsidiaries, directors, officers or employees (collectively, the “Discover Parties”) assume or accept any liability for any errors or omissions contained in the Guide. The Discover parties specifically disclaim and make no representations or warranties of any kind, express or implied, with respect to this Guide. The Discover parties disclaim all representations and warranties, including the implied warranties of Merchants’ ability and fitness for a particular purpose. The Discover parties further specifically disclaim all representations and warranties with respect to intellectual property subsisting in or relating to the Guide or any part thereof, including but not limited to any and all implied warranties of title, non-infringement or suitability for any purpose (whether or not the Discover parties have been advised, have reason to know or are otherwise in fact aware of any information). The contents of this Guide are proprietary and constitute trade secrets of Discover.
This Guide is provided to Participants of the Discover and DCI Networks and their authorized Partners for their exclusive use and shall not be reproduced, published or otherwise disclosed, in whole or in part, to any party outside Discover without the prior written consent of Discover.
DFS Services LLC, Discover® means our officers, directors and employees as well as the network, systems and processes, including hardware, software and personnel maintained by us to support card issuance and card acceptance programs operated by Issuers, Merchants and Acquirers for the benefit of Cardholders and Merchants, respectively; or, where used to describe products, enhancements or services, means the consumer-facing brand of Discover.
What’s Inside
Chapter 1 Getting to Know D-PAS
1.1 Introduction
1.2 Purpose of this Guide
1.3 Target Audience
1.4 References
Chapter 2 Understanding Chip Card Transactions
2.1 EMV Fraud Liability Shift
2.2 Chip Card Technology
2.3 Contactless Technology
2.4 EMVCo Role in Chip Card Specifications
2.5 D-Payment Application Specification (D-PAS)
2.6 Understanding Chip Transactions
Chapter 3 Implementing D-PAS
3.1 Important Chip Card Implementation Considerations
3.2 Pre-Transaction Processing (Contactless)
3.3 Application Selection
3.4 Offline Data Authentication (ODA)
3.5 Cardholder Verification
3.6 Terminal Risk Management
3.7 First Terminal Action Analysis
3.8 Transaction Completion
3.9 Conclusion of Processing/Chip Card Deactivation and Removal
3.10 Technical Fallback
Chapter 4 Point-of-Sale Solution Selection
4.1 Device Certification
4.2 End-to-End Certification Requirements
4.3 Production Validation Requirements
Chapter 5 Production Rollout
5.1 Production Rollout Check List
5.2 AID Parameters
Appendix A DFS CA Test Payment System Public Keys
1. Key Length 1152 Bits – PKI 91 Test
2. Key Length 1408 Bits – PKI 92 Test
3. Key Length 1984 Bits – PKI 93 Test
Appendix B DPAS Acronyms
Appendix C DPAS Terminology
Appendix D DFS IIN/BIN Table
CHAPTER 1: Getting to Know D-PAS
1.1 Introduction
The Discover® D-Payment Application Specification (D-PAS) is an EMV-compliant smart card payment solution for contact, contactless and mobile payments. Discover supports and conforms to current EMV standards, enabling easy implementation and integration of the D-PAS solution.
1.2 Purpose of this Guide
This Guide focuses on the U.S. market. It provides high-level guidance to assist Merchants, VARs and other relevant parties with terminal development to support both contact and contactless chip transactions in accordance with D-PAS solutions at the terminal level. Please consult with your Processor or Discover for detailed policy, technical specifications and operating regulations.
1.3 Target Audience
This Guide is primarily intended for Merchants and Value Added Resellers (VARs), including, but not limited to, Independent Software Vendors (ISVs), Payment Gateways and/or other entities responsible for implementing components and services required for accepting contact chip cards on Merchant acceptance terminals.
1.4 References
TITLE | SOURCE¹ | REFERENCE
Terminal Requirements for U.S. Debit Cards Technical Addendum | 1 | DFS D-PAS: US DB TA, v 1.0
Terminal Requirements for JCB J/Smart™ Cards Technical Addendum | 1 | DN CT D-PAS: JCB JS TA, v 1.0
EMVCo | emvco.com |
EMV Migration Forum | emv-connection.com |
¹ Source: 1 means references can be provided upon request to [email protected].
CHAPTER 2: Understanding Chip Card Transactions
2.1 EMV Fraud Liability Shift
In October 2012, Discover announced the alignment of its EMV fraud liability shift policies for contact chip cards across Discover, Diners Club International and PULSE. The Discover Network policy became effective on October 16, 2015 for all point-of-sale (POS) locations and will go into effect in October 2017 for all automated fuel dispensers (AFD).
PULSE will introduce a liability shift for ATM transactions on Discover/PULSE EMV contact cards at U.S. terminals effective October 1, 2017. After this date, ATM Acquirers will be financially liable for counterfeit card fraud if a contact EMV card is presented at an ATM that is not EMV-enabled. To ensure simple and consistent dispute management for PULSE participants, PULSE has chosen ATM liability shift dates for PULSE cards that are consistent with the signature brand on the card.
The switch to EMV is vital to prevent payment fraud, and Discover is here to help. Our resources and EMV best practices accelerate EMV certification, maximize Cardholder security and drive Merchant profitability. For more information, visit DiscoverNetwork.com/Chip-Card or contact VARConnection.com.
2 Liability is transferred to the party with the direct relationship with Discover®. The EMV Fraud Liability Shift is in effect for contact chip transactions only.
2.2 Chip Card Technology
Chip cards, also known as smart cards or integrated circuit cards (ICC), are plastic cards embedded with a computer chip. Chip cards are capable of storing information, completing calculations, making decisions and running applications.
Chip cards still have a magnetic stripe on the back of the card to permit processing transactions at locations without EMV-enabled terminals and fallback processing in the event of a chip failure.
2.3 Contactless Technology
Contactless technology is being adopted by Merchants that are looking for a faster, easier and more convenient payment method. The execution of a contactless payment transaction requires a contactless card or payment device and a terminal/reader. Each contactless card or payment device, and each terminal, carries a microchip connected to an antenna that enables the exchange of data via near field communication (NFC).
2.3.1 Contactless Transaction Modes
• Contactless D-PAS EMV mode is an operating mode based on the use of the Contactless D-PAS application to create transaction-specific cryptograms that can be used to authenticate the card and the transaction. Contactless transactions can be processed either online or offline.
• Contactless D-PAS Magnetic Stripe (MS) mode uses functionality of Discover® Zip® v2.0. The Zip application provides cardholder information based on MS data to the terminal/reader. The terminal processes the transaction online and executes the Issuer decision.
Note: Discover Zip is a contactless payment solution deployed in the U.S. (Discover Zip cards and payment devices should be accepted wherever contactless payments are enabled.)
2.3.2 Contactless Logos
EMVCo licenses the Contactless Indicator and Contactless Symbol (collectively the “Contactless Marks”) for use in accordance with its reproduction requirements. See the EMVCo website for more details.
• The EMVCo Contactless Indicator, shown below, is used on Contactless Cards and Contactless Payment Devices such as key fobs.
• The EMVCo Contactless Symbol, shown below, is used on contactless terminals and may also be used in marketing materials.
2.4 EMVCo Role in Chip Card Specifications
Chip cards and EMV-enabled terminals adhere to standard specifications to ensure interoperability among countries and Payment Networks. EMVCo is the entity that manages and evolves EMV specifications, tests processes and fosters worldwide interoperability of secure payment transactions. The EMV specifications govern chip cards, common payment application (CPA), card personalization and tokenization. EMVCo is co-owned by six member organizations: American Express, Discover, JCB, MasterCard, UnionPay and Visa. The organization is supported by Issuers, Merchants, Acquirers, Acquirer Processors and other industry stakeholders who participate as EMVCo Associates. For more information about EMVCo and chip card specifications, visit www.emvco.com.³
³ Source: EMVCo www.emvco.com
2.5 D-Payment Application Specification (D-PAS)
D-PAS is a specification that enables secure transactions among Discover chip cards, payment devices, terminals and Acquirers. Discover provides a comprehensive program to support markets that are migrating from magnetic stripe cards to chip card transactions, including:
• D-PAS program documents that define the requirements for chip cards and terminals, including:
− Terminal Requirements for U.S. Debit Cards Technical Addendum
− Terminal Requirements for JCB J/Smart™ Cards Technical Addendum
• Test cards
• Production validation cards
• Network support for chip card transactions
• Testing and certification requirements
2.6 Understanding Chip Card Transactions
A chip card transaction differs from a traditional magnetic stripe card transaction in how it interacts with a terminal.
• A magnetic stripe card is swiped through the terminal to initiate the transaction.
• A contact chip card is inserted into the chip reader and must remain in the terminal for the duration of the transaction.
• A contactless chip card or payment device is tapped to initiate the transaction.
The following table lists the differences between chip card and magnetic stripe card transactions.
CHIP CARD TRANSACTION | TYPICAL MAGNETIC STRIPE CREDIT CARD TRANSACTIONS
Multiple card authentication methods. | Basic level of authentication including Card Verification Value (CVV).
Multiple Cardholder verification methods supported, including use of offline and online Personal Identification Number (PIN). | Visual Cardholder verification (request of ID, check signature panel).
Issuer and Acquirer/Processor establishes and manages risk parameters. | Issuer manages most risk parameters.
Secure offline authorization if supported by the terminal and network, and approved by the card. | Offline authorization possible but risky as the authenticity of the card cannot be confirmed.
Use of dynamic data prevents cloning. | Use of static data that can be easily copied.
Added level of security of chip cards and chip-enabled terminals prevents counterfeit fraud. Use of PIN reduces fraud from lost and stolen cards. | Magnetic stripe cards and terminals are susceptible to counterfeit fraud.
The diagrams below provide an overview of the D-PAS transaction process for contact and contactless transactions. Note that some steps may occur simultaneously.
2.6.1 How a Contact D-PAS Transaction Works
The most common transactions between a contact chip card and a terminal consist of:
• Chip and Personal Identification Number (PIN) with verification either offline or online
• Chip and Signature
The following table provides a high-level description of each of these transactions.
STEP | CONTACT CHIP AND PIN TRANSACTION | CONTACT CHIP AND SIGNATURE TRANSACTION
1 | The Cardholder inserts the contact chip card into the terminal/reader. | The Cardholder inserts the contact chip card into the terminal/reader.
2 | The transaction amount is displayed on the terminal/reader. The Cardholder validates the amount. The terminal/reader prompts the Cardholder to enter PIN. | The transaction amount is displayed on the terminal/reader. The Cardholder validates the amount.
3 | The Cardholder enters PIN on the terminal or PIN pad. The PIN is displayed as ****. | The Merchant terminal processes the purchase transaction offline or online, depending on the purchase amount, card and terminal parameters.
4 | If offline PIN, terminal sends PIN to chip card, chip card validates PIN and provides response back to terminal. If online PIN, terminal sends encrypted PIN to Issuer. Issuer returns authorization response to terminal. The Merchant terminal validates the PIN and provides Cardholder with the results of the validation. | The Merchant terminal displays to the Cardholder the results of the validation as either “Approved” or “Declined”.
5 | The Merchant terminal processes the purchase transaction offline or online, depending on the purchase amount, and card and terminal parameters. | For an approved transaction, the Merchant terminal prints a transaction receipt or creates a digital version.
6 | On successful processing, the Merchant terminal displays “Approved” or “Declined”. | The terminal instructs the Cardholder to remove the chip card.
7 | For an approved transaction, the Merchant terminal can print a transaction receipt if requested, or email an electronic copy. | The Cardholder signs the transaction receipt or digital version that can be emailed to the Cardholder.
8 | The terminal instructs the Cardholder to remove the chip card. |
2.6.2 How a Contactless D-PAS Transaction Works
The steps below provide an example of a typical transaction executed between an NFC-enabled chip-and-PIN card and a reader connected to a standalone terminal.
STEP CONTACTLESS D-PAS TRANSACTION
1 The Merchant enters the purchase amount on the terminal.
2 The transaction amount is displayed on the terminal and on the reader.
3 The first LED (if present) begins to flash to indicate that the reader is ready to perform a contactless transaction.
4 The Cardholder presents the card close to the landing zone of the terminal/reader.
5 The reader exchanges commands and responses with the card to execute the contactless transaction.
6 The result of the exchange between the card and the reader, together with EMV transaction data, is sent to the terminal.
7 When the data capture is completed, all four LED lights on the reader (if present) normally illuminate in green, and the reader sounds an audible alert.
8 The Cardholder removes the card from the landing zone.
9 Depending on the card and terminal capabilities, as well as the risk management parameters, the Cardholder Verification Method (CVM) will be online PIN, signature or no CVM.
10 The terminal completes the transaction online or offline.
11 The transaction result is displayed on the terminal to the Cardholder and the Merchant. It also can be displayed on the reader.
12 A receipt can be printed, if requested, or an electronic copy can be sent by email.
This description may differ depending on the contactless POS terminal and reader model.
CHAPTER 3: Implementing D-PAS
3.1 Important Chip Card Implementation Considerations
This chapter provides an overview of the chip card transaction steps that impact Merchants and VARs, including the technical requirements and best practices to successfully implement D-PAS. Not every transaction step is referenced in this chapter. For additional information on each transaction flow step, contact [email protected].
3.2 Pre-Transaction Processing (Mandatory Step for Contactless D-PAS only)
To minimize the time that a card must be in the RF field, the terminal/reader performs preliminary risk management checks by comparing the Transaction amount to limits set in the terminal.
Note: Terminals that always use a fixed transaction amount (such as vending machines) do not perform risk management checks. If you have any questions contact your Acquirer/Processor.
3.3 Application Selection (Step 1 for Contact and Contactless D-PAS)
There are various ways the application selection step is performed. In a typical credit card transaction, the card and the terminal analyze the supported Application Identifiers (AIDs). If multiple applications are supported, the terminal identifies the priority selected by the Issuer and may allow the Cardholder to choose the application to use. The terminal or peripheral selected for chip card implementation must have the intended AIDs loaded for chip transactions to work. For the U.S. Common Debit AID, Merchants and Acquirers may have proprietary software installed on POS devices to manage the selection of the Common AID over the proprietary/global AIDs–the specifics of which are outside the scope of this document.
Below is a list of AIDs for the Discover Network and its partners that must be supported in terminals used by Merchants and VARs in the United States:
• Contact and Contactless D-PAS (Discover proprietary) AID: A0000001523010
• Discover® Debit U.S. Common AID: A0000001524010
• JCB J/Smart Contact AID: A0000000651010
• Discover Zip AID: A0000003241010
Important AID Notes
• The AID must be set to support partial match AID selection.
• The terminal must support the list of AID methods for building the candidate list.
• The application version number check requires that the terminal store the D-PAS application version number of “0001”.
• It is recommended that terminals hold one additional application version number slot open for future use.
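How partial-match AID selection builds the candidate list, as an added Python example (not taken from this Guide or from any Discover code). The terminal AIDs are the four listed above; the card DF names, labels and priority bytes are constructed sample data, and the function and field names are hypothetical.

```python
# Added illustration: building the candidate list with partial AID matching.
from dataclasses import dataclass

# Terminal-side AID list, taken from the list above.
TERMINAL_AIDS = {
    "A0000001523010": "D-PAS (Discover proprietary)",
    "A0000001524010": "Discover Debit U.S. Common",
    "A0000000651010": "JCB J/Smart Contact",
    "A0000003241010": "Discover Zip",
}


@dataclass
class CardApp:
    df_name: str       # AID / DF name returned by the card (hex)
    label: str         # application label shown to the Cardholder
    priority: int = 0  # Application Priority Indicator byte, 0 = none assigned


def aid_matches(terminal_aid, df_name, partial=True):
    """Partial match: the card's DF name only has to begin with the terminal AID."""
    t, c = terminal_aid.upper(), df_name.upper()
    return c.startswith(t) if partial else c == t


def build_candidate_list(card_apps, partial=True):
    """Return the mutually supported applications, highest priority first."""
    candidates = []
    for app in card_apps:
        for aid, brand in TERMINAL_AIDS.items():
            if aid_matches(aid, app.df_name, partial):
                candidates.append({
                    "df_name": app.df_name.upper(),
                    "brand": brand,
                    "label": app.label,
                    # Low nibble: priority 1 (highest) to 15, 0 = not assigned.
                    "rank": app.priority & 0x0F,
                    # Bit 8: the Cardholder must confirm before selection.
                    "needs_confirmation": bool(app.priority & 0x80),
                })
                break
    # Applications without a priority (rank 0) sort after those that have one.
    return sorted(candidates, key=lambda c: (c["rank"] == 0, c["rank"]))


# Constructed sample card: both Discover AIDs with a one-byte suffix appended
# by the Issuer, plus one application the terminal does not hold an AID for.
SAMPLE_CARD = [
    CardApp("A000000152401001", "US DEBIT", priority=0x02),
    CardApp("A000000152301001", "DISCOVER DEBIT", priority=0x81),
    CardApp("A0000009990101", "UNKNOWN APP", priority=0x03),
]

if __name__ == "__main__":
    for entry in build_candidate_list(SAMPLE_CARD):
        print(entry)
    # With exact matching the suffixed DF names no longer match any AID.
    print("exact match only:", build_candidate_list(SAMPLE_CARD, partial=False))
```

With exact matching the sample card yields an empty candidate list, which is the failure a terminal shows when partial match is not enabled for an AID.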
3.4 Offline Data Authentication (ODA) (Step 4 for Contact and Contactless D-PAS)
In this step, the terminal ensures that:
• The chip card has not been altered since its personalization.
• The data on the chip card was created by the authentic Issuer.
ODA must be implemented on all terminals/readers that support offline authorized transactions. For contact D-PAS, depending on the capabilities of the chip card and the terminal, the terminal may perform one of the following Offline Data Authentication (ODA) methods:
• Static Data Authentication (SDA)
• Dynamic Data Authentication (DDA)
• Combined DDA (CDA)
Note: CDA is the most secure method while SDA is a less secure method that will eventually be phased out.
For contactless D-PAS, CDA is the only method that may be performed.
Offline data validation of the card is performed using encryption keys. A key is a numeric value that is used as part of a mathematical operation to encrypt or decrypt data. To perform offline data authentication, terminals must be loaded with DFS Certification Authority Public Keys (CA PKs) and JCB CA PKs. Acquirers and Merchants are responsible for registering, managing and updating keys provided by Discover Network. Please note that both the D-PAS proprietary AID and the Discover® Debit U.S. Common AID use the same DFS CA PKs.
See Appendix A for DFS Test Payment System Public Keys. DFS Production Payment System Public Keys and J/Smart Test and Production Keys can be requested from [email protected]. A Non-Disclosure Agreement (NDA) may be required.
Important: Do not code CA PKs expiry dates in the terminal as they are subject to change by EMVCo and DFS.
CHIP CARD TERMINAL REQUIREMENTS FOR ODA
ODA Requirements | Important: All newly deployed offline-capable contact chip terminals are required to support DDA in addition to supporting SDA. Terminals should also support CDA whenever possible. In addition, Merchants and VARs should consider local market requirements and industry practices when deciding which methods to support.
DFS CA PK Requirements | To support ODA, the terminal must be able to store up to six DFS CA PKs and their associated data elements for each payment brand’s Registered Application Provider Identifier (RID) represented in the Terminal.
3.5 Cardholder Verification (Step 6 for Contact D-PAS and Step 5 for Contactless D-PAS)
Cardholder Verification determines whether the person presenting the chip card is the legitimate Cardholder by using a CVM that is mutually supported by both the chip card and the terminal. Most terminals have the capability to support all CVMs. However, consult with your Processor to understand their ability to support all CVMs, especially the online PIN method. Cardholder verification is mandatory for contact D-PAS transactions. However, it is conditional for contactless D-PAS. If the Terminal Contactless CVM limit is present and the Transaction amount is greater than the Terminal CVM limit, the Terminal requires CVM to be performed.
The following table describes the CVM types that are available to Merchants and Acquirers.
CVM TYPE | DESCRIPTION
Online PIN | If “Online PIN” is the selected CVM and is supported by the terminal, the terminal prompts the Cardholder for PIN entry and then enciphers the PIN for inclusion in the authorization message later in the transaction. The remaining processing for the online PIN transaction is conducted in accordance with existing DFS regulations.
Offline PIN (Plaintext and Enciphered) | If “Offline PIN” is the selected CVM for the transaction, the terminal prompts for PIN entry, and the PIN is transmitted from the terminal to the chip card for verification. The PIN can be sent either exactly as it was entered by the Cardholder (plaintext PIN) or encrypted (enciphered PIN). If the chip card cannot successfully verify the PIN, the chip card informs the terminal of the number of PIN try attempts remaining. Enciphering the PIN is strongly recommended. Offline PIN CVM type is not an option for contactless transactions.
Combined Offline PIN and Signature | If “Combined Offline PIN and Signature” is the selected CVM for the transaction, the terminal must complete the processes for both the offline PIN CVM and Signature CVM. This CVM type is not an option for contactless transactions.
Signature | If “Signature” is the selected CVM for the transaction, CVM processing is considered complete from a D-PAS perspective. Other processing related to this CVM is executed in accordance with existing DFS regulations (e.g., comparing the Cardholder signature obtained to the signature on the card).
No CVM | If “No CVM” is the selected CVM for the transaction, CVM processing is complete from the D-PAS perspective. This CVM must be supported by unattended terminals; please refer to section 3.5.1.1.
Consumer Device CVM (CDCVM) | For contactless payment devices only. Cardholder verification can be completed on the contactless payment device prior to initiating any payment transactions. Verification methods vary by device, such as password and biometrics, among other methods. If CDCVM is used, it must be noted in the Terminal Verification Results (TVRs).
Note: DFS allows no-signature or PIN for card-present sales of $50.00 or less, including applicable taxes, gratuities, surcharges, cash overs and/or Discover Pay with Rewards.
3.5.1 CVM Support Considerations
When identifying which CVMs to support in the terminal, first check with your Acquirer and Processor to verify which CVMs they support, and then take the following decision factors into consideration.
DECISION FACTOR | DESCRIPTION
Assess Terminal Capabilities | Identify the capabilities of the terminal for supporting each CVM.
Identify the Relative Importance of Gaining Processing Efficiency | A PIN can reduce transaction processing time by eliminating the signature requirement. In addition, an offline PIN can make throughput faster, by eliminating online verification processes and network latencies.
Retain Traditional CVM Processing Capabilities | Merchants and VARs should be aware that magnetic stripe cards will continue to be encountered at the point-of-sale, so traditional processes for swiping the card and signing for the transaction will still need to be supported.
Important: For Acquirers and Merchants to take full advantage of the Fraud Liability Shift for lost or stolen cards, they must support both offline and online PIN authentication for contact chip cards. Discover requires Acquirers and Merchants to support offline and online PIN at parity with Discover when the functionality is being supported for any other Payment Networks.
3.5.1.1 Special Considerations for Unattended Terminals
An unattended POS device is a device that delivers goods or services when the Cardholder is present but a Cashier is not. Examples of unattended POS devices are fuel dispensers, parking meters and vending machines. Many unattended POS devices that execute low-value transactions do not have communication capabilities; therefore, it is imperative that “No CVM” is supported as a CVM method.
Note: Unattended POS Devices are often online-capable to allow issuer authorization and batch data capture.
3.5.2 PIN Pad Configuration
Merchants and VARs should consider the following PIN pad best practices:
• If the PIN pad is separate from the terminal, the addition of a chip card reader with PIN pad enables Cardholders to keep possession of their card throughout the transaction, thus reducing opportunities for card skimming.
• Cardholders should be able to reach the landing zone on a contactless PIN pad or reader.
• The placement of a PIN pad should be accessible to all Cardholders.
• PIN pads should be designed and placed in a way that prevents fraudsters from “shoulder surfing” the PIN.
3.5.3 PIN Bypass
The U.S. Market is a “chip and choice” environment, with both signature-preferring and PIN-preferring Issuers. PIN entry bypass is an optional function supported by EMV that enables a manual override of the PIN CVM process. This option is used when PIN is selected as the preferred CVM, but the Merchant wants to allow a Cardholder to sign instead. An example of PIN bypass is when the Cardholder has forgotten their PIN. If PIN bypass is used, this must be noted in the TVR. Merchants and VARs should check with their Processors before enabling PIN bypass.
3.6 Terminal Risk Management (Contact D-PAS Step 7)
Chip-enabled terminals complete several checks to confirm that transaction processing is occurring within the risk limits set by the Payment Brand, Acquirer Processor and the Issuer. The following table outlines both mandatory and optional checks to be programmed in the terminal. Note that the Acquirer Processor may have already pre-programmed these parameters in the terminal.
CHECK | MANDATORY / OPTIONAL | DESCRIPTION
Floor Limits | Mandatory | Merchants/VARs may use the chip card terminal floor limits associated with each Merchant category or choose a zero floor limit. It is recommended that terminals that are capable of storing multiple floor limits specify separate floor limits for magnetic stripe and chip card transactions. To support a floor limit other than $0 (or local equivalent), the terminal must be able to store a separate floor limit for magnetic stripe and chip card transactions.
Random Transaction Selection | Mandatory | Acquirers are advised to work with their Merchants to identify the terminal settings for random transaction selection. It is recommended that terminal parameters are adjusted to ensure that a bias is applied.
Exception File | Optional | It is recommended that exception file checking is performed at offline-only terminals. Talk to your Acquirer Processor for more details.
Transaction Forced Online | Optional | Merchants can implement a function that allows the Attendant to manually force a transaction online. This function can be employed if the Attendant is suspicious of the Cardholder and wants to ensure that the Issuer authorizes the transaction. If Merchants would like to implement transaction forced online functionality, Merchants and VARs should work with their Acquirer Processor to set guidelines for when this functionality should be used.
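The four checks in the table above, as an added Python example of how a terminal can record them as Terminal Verification Results (TVR) bits, using the biased random selection defined in the EMV specifications (this is not code from the Guide). All limits, percentages and the exception-file entry are constructed sample parameters, and the names are hypothetical; real values come from your Acquirer Processor.

```python
# Added illustration: Terminal Risk Management checks recorded in the TVR.
import random
from dataclasses import dataclass, field

# TVR bits (EMV Book 3) as (0-based byte index, bit mask).
EXCEPTION_FILE = (0, 0x10)   # Card appears on terminal exception file
FLOOR_EXCEEDED = (3, 0x80)   # Transaction exceeds floor limit
RANDOM_SELECTED = (3, 0x10)  # Transaction selected randomly for online processing
FORCED_ONLINE = (3, 0x08)    # Merchant forced transaction online


@dataclass
class RiskParams:
    """Constructed sample parameters; amounts are in cents."""
    floor_limit: int = 5000
    threshold: int = 2000     # threshold value for biased random selection
    target_pct: int = 10      # selection rate below the threshold
    max_target_pct: int = 60  # selection rate just under the floor limit
    exception_file: set = field(default_factory=lambda: {"6011000000000004"})


def selection_percent(amount, p):
    """Chance (in percent) that a below-floor transaction is sent online."""
    if amount < p.threshold or p.floor_limit <= p.threshold:
        return float(p.target_pct)
    # Bias: interpolate linearly from target_pct at the threshold up to
    # max_target_pct at the floor limit, so larger amounts go online more often.
    factor = (amount - p.threshold) / (p.floor_limit - p.threshold)
    return (p.max_target_pct - p.target_pct) * factor + p.target_pct


def terminal_risk_management(amount, pan, p, forced_online=False, rng=random):
    """Return the 5-byte TVR with the risk-management bits set."""
    tvr = bytearray(5)

    def set_bit(bit):
        tvr[bit[0]] |= bit[1]

    if pan in p.exception_file:
        set_bit(EXCEPTION_FILE)
    if amount >= p.floor_limit:
        set_bit(FLOOR_EXCEEDED)
    elif rng.randint(1, 99) <= selection_percent(amount, p):
        # Random selection only applies to transactions below the floor limit.
        set_bit(RANDOM_SELECTED)
    if forced_online:
        set_bit(FORCED_ONLINE)
    return bytes(tvr)


if __name__ == "__main__":
    params = RiskParams()
    for cents in (1000, 3500, 4900, 6000):
        print(cents, f"{selection_percent(cents, params):.1f}%",
              terminal_risk_management(cents, "6011000000000012", params).hex())
```

Every bit set here is also set in the TAC-Online value FCE09CF800 listed in section 3.7.1, so each of these conditions asks for the transaction to be sent online.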
3.7 First Terminal Action Analysis (Contact D-PAS Step 8 and Contactless D-PAS Step 7)
A terminal/reader device performs the first Terminal Action Analysis step using different considerations for contact or contactless D-PAS transactions.
3.7.1 Contact D-PAS
The terminal stores the results of the previous steps and analyzes them to make a recommendation to the chip card as to whether it should decline, send online or approve the transaction. Rules governing the levels of acceptable risk for various transaction conditions are set for:
• The terminal by the Payment Brand and the Acquirer via rules called Terminal Action Codes (TACs).
• The chip card by the Issuer via card rules called Issuer Action Codes (IACs).
For the purposes of this Guide, DFS is the Payment Brand responsible for setting the TACs. The applicable D-PAS contact TAC values listed in the following table must be stored in terminals as a prerequisite to the acceptance of chip cards. Terminals must store only the set of TAC values that is relevant to the functionality supported by the terminal. Note that there are no TACs for contactless transactions. For JCB-specific J/Smart TAC values review the document Discover Contact EMV: Terminal Requirements for JCB J/Smart Cards – Technical Addendum. For Discover Debit U.S. Common AID TAC values consult the document Discover Contact D-PAS: Terminal Requirements for U.S. Debit and Prepaid Cards – Technical Addendum.
DISCOVER TERMINAL ACTION CODES FOR CONTACT TRANSACTIONS ONLY

| DESCRIPTION | VALUE: ODA SUPPORTED | VALUE: ODA NOT SUPPORTED |
|---|---|---|
| Denial/Decline: Specifies the conditions that cause the denial of a transaction without attempt to go online. | 0010000000 | 0010000000 |
| Online: Specifies the conditions that cause a transaction to be transmitted online. | FCE09CF800 | 30E09CF800 |
| Default: Specifies the conditions that cause a transaction to be rejected if a terminal cannot go online. | DC00002000 | 1000002000 |
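The analysis described in 3.7.1, applied to the contact TAC values listed above, as an added example that is not part of the Guide: it decodes each TAC into the Terminal Verification Results (TVR) conditions it covers and applies the Denial, Online and Default checks in order. The TVR bit names follow EMV Book 3, the all-zero Issuer Action Codes are constructed stand-ins, and the ODA Not Supported Online TAC is written as 30E09CF800, as in the section 5.2 matrix.

```python
# Added example (not from the Guide): first Terminal Action Analysis for contact D-PAS.
# TVR bit meanings per EMV Book 3, listed b8 (0x80) down to b1 (0x01) for bytes 1-5.
RFU = "RFU"
TVR_NAMES = [
    ["ODA not performed", "SDA failed", "ICC data missing",
     "Card on terminal exception file", "DDA failed", "CDA failed",
     "SDA selected", RFU],
    ["Different application versions", "Expired application",
     "Application not yet effective", "Requested service not allowed",
     "New card", RFU, RFU, RFU],
    ["Cardholder verification not successful", "Unrecognised CVM",
     "PIN try limit exceeded", "PIN pad not present or not working",
     "PIN required but not entered", "Online PIN entered", RFU, RFU],
    ["Transaction exceeds floor limit",
     "Lower consecutive offline limit exceeded",
     "Upper consecutive offline limit exceeded",
     "Randomly selected for online processing",
     "Merchant forced transaction online", RFU, RFU, RFU],
    ["Default TDOL used", "Issuer authentication failed",
     "Script failed before final GENERATE AC",
     "Script failed after final GENERATE AC", RFU, RFU, RFU, RFU],
]

# Contact TACs from the Guide's table; the ODA Not Supported Online value is
# written with all 10 hex digits, as in the section 5.2 matrix.
TACS = {
    "oda": {"denial": "0010000000", "online": "FCE09CF800", "default": "DC00002000"},
    "no_oda": {"denial": "0010000000", "online": "30E09CF800", "default": "1000002000"},
}

# Constructed stand-in for the card's Issuer Action Codes: all zero, so the
# outcome reflects the terminal-side rules only. Real IACs are read from the card.
ZERO_IACS = {"denial": "0000000000", "online": "0000000000", "default": "0000000000"}


def parse_code(hex_str):
    """Parse a 5-byte action code; reject truncated or malformed values."""
    raw = bytes.fromhex(hex_str)  # raises ValueError on odd length or non-hex input
    if len(raw) != 5:
        raise ValueError(f"action code must be 5 bytes, got {len(raw)}")
    return raw


def decode(hex_str):
    """List the TVR conditions that an action code reacts to."""
    raw = parse_code(hex_str)
    return [TVR_NAMES[i][bit] for i in range(5) for bit in range(8)
            if raw[i] & (0x80 >> bit)]


def make_tvr(*conditions):
    """Build a 5-byte TVR with the named conditions set."""
    tvr = bytearray(5)
    for name in conditions:
        hits = [(i, row.index(name)) for i, row in enumerate(TVR_NAMES)
                if name != RFU and name in row]
        if not hits:
            raise KeyError(f"unknown TVR condition: {name}")
        byte_index, bit = hits[0]
        tvr[byte_index] |= 0x80 >> bit
    return bytes(tvr)


def hit(tvr, tac_hex, iac_hex):
    """True if any bit set in the TVR is also set in the TAC or the IAC."""
    tac, iac = parse_code(tac_hex), parse_code(iac_hex)
    return any(t & (a | i) for t, a, i in zip(tvr, tac, iac))


def first_taa(tvr, tacs, iacs, online_capable=True):
    """Return the terminal's recommendation: 'decline', 'online' or 'approve'."""
    if hit(tvr, tacs["denial"], iacs["denial"]):
        return "decline"
    if online_capable:
        return "online" if hit(tvr, tacs["online"], iacs["online"]) else "approve"
    # The terminal cannot go online, so the Default codes decide.
    return "decline" if hit(tvr, tacs["default"], iacs["default"]) else "approve"


if __name__ == "__main__":
    for kind, codes in TACS.items():
        for action, value in codes.items():
            print(kind, action, value, decode(value))
    forced = make_tvr("Merchant forced transaction online")
    print(first_taa(forced, TACS["oda"], ZERO_IACS))
```

With the Online TAC values above, the "Merchant forced transaction online" bit set by the Attendant function always produces an online request, whether or not the terminal supports ODA.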
3.7.2 Contactless D-PAS
This step is completed with the contactless card or payment device outside of the landing zone and includes card/device application recommendations collected during Step 2 – Initiate Application Processing. As part of this step the following checks are performed by the terminal: card decision, CDA check results, application expiry date check and processing restrictions results.
3.8 Transaction Completion (Contact D-PAS Step 13 & Contactless Step 9)
3.8.1 Transaction Completion for Contact D-PAS
In Step 10, the terminal sends the transaction online to the Issuer. As a response to the online processing request, the Issuer then returns an Authorization Response, which approves or declines the transaction. The terminal may perform a Second Terminal Action Analysis (Step 11). The contact card may also perform a Second Card Action Analysis (Step 12). Transaction completion (Step 13) occurs when the terminal receives either an approval or decline response to one of its cryptogram requests. The terminal then executes the approval or decline requested by the chip card. At the conclusion of processing, the transaction result is displayed to the Cardholder. The receipt is printed or emailed (and signed if required), and the terminal stores any required transaction data.
3.8.2 Transaction Completion for Contactless D-PAS
Please note that for Contactless D-PAS, online processing (Step 8) is conditional. It must be performed only if the final decision taken by the card is to perform an online transaction. Contactless D-PAS Step 9 is the final step of the transaction. This step tells the Cardholder the final decision and processes additional functions depending on the decision taken. The results could be one of the following:
• Offline processing: Approval or decline – Transaction is not sent to the issuer for decisioning.
• Online processing: Approval or decline – Transaction is sent to the Issuer for decisioning.
• Switch to another interface.
3.8.3 Switch to Another Interface (Contactless D-PAS Only)
If the transaction cannot be processed using the contactless interface, and the contactless card or payment device supports another interface, then the terminal will indicate that the cardholder use an alternate interface.
| FROM | TO | COMMENTS |
|---|---|---|
| Contactless D-PAS | Contact D-PAS | The terminal may switch to contact chip interface due to several reasons. The transaction is restarted as a standard Contact D-PAS transaction. |
| Contactless D-PAS | Magnetic Stripe Transaction | If the switch to contact D-PAS is not possible, the transaction must switch to a magnetic stripe transaction. Magnetic stripe transactions have a higher risk than D-PAS; therefore, they must follow specific rules: the transaction must go online, and the transaction must be identified with a specific fallback indicator value. See 3.10 for more details. |
3.8.4 Receipt Requirements
The following table lists the EMV data that may be added to the receipt.
| RECEIPT DATA | REQUIREMENT |
|---|---|
| AID | Mandatory |
| Approval Code | Mandatory: Include either an online approval code or an offline approval code created by the terminal. |
| Cryptogram | Optional |
| Application Preferred Name or Application Label | Optional |
| PIN Verification Statement | Optional |
Note: In addition to the EMV receipt requirements listed above, Discover has additional receipt requirements that are listed in the Operating Regulations. Please consult your Processor for complete receipt requirements.
3.9 Conclusion of Processing/Chip Card Deactivation and Removal
3.9.1 Contact Deactivation and Removal (Contact D-PAS Step 15)
The terminal displays the result of the transaction to the Attendant and the Cardholder as follows:
• If the transaction has been declined, the terminal displays an appropriate message and then indicates that the chip card can be removed from the reader.
• If the transaction has been approved, the terminal displays a message indicating that the chip card can be removed from the reader and prints a receipt.
• If a signature was provided, the Attendant compares the signature on the receipt with the signature on the back of the card.
3.9.2 Contactless Transaction Conclusion
The transaction result is displayed on the terminal to the Cardholder and the Merchant. It can also be displayed on the reader. A receipt can be printed or e-mailed as required by Merchant or Cardholder.
3.10 Technical Fallback
Technical fallback may occur when a chip card is used at a chip-enabled terminal, but a technical failure of the card or the terminal prevents the transaction from being processed using the chip’s functionality. With all chip cards, technical fallback must be correctly identified in the authorization message so that the Issuer can make an informed decision whether to approve or decline the technical fallback transaction. All technical fallback transactions must be sent online.
3.10.1 Fallback Scenarios
The following table shows common scenarios encountered and whether these transactions should be flagged as fallback or not. Please consult your Processor for specific fallback indicators.
| MODE | TRANSACTION NEEDS TO BE FLAGGED AS FALLBACK | COMMENTS |
|---|---|---|
| Unknown AID or AID Not Found | No | If the terminal is not able to recognize any of the applications supported by card, the terminal should allow the transaction to be processed as magnetic stripe. |
| Chip Card Error | Yes | A technical error in communication between the card and terminal has prevented a chip transaction taking place. The terminal should prompt the Cardholder to swipe the card. |
| Blocked Application | No | The terminal should terminate the transaction and it should not allow the Cardholder to initiate a magnetic stripe transaction. |
| Blocked Card | No | The terminal should terminate the transaction and it should not allow the Cardholder to initiate a magnetic stripe transaction. |
| Switch Interface Request from Contactless D-PAS to MS | Yes | If a transaction cannot be completed as contactless D-PAS, and if a switch to contact D-PAS interface is not possible, the transaction must switch to a magnetic stripe. |
CHAPTER 4: Point-of-Sale Solution Selection
Merchants and Issuers should carefully consider the type of point-of-sale (POS) solution that best works for their business model and the needs of their Customers. They also should consider the certification requirements for each option, including device certification and end-to-end certification. The following table outlines solutions available in the market. Please contact your Terminal Manufacturer and Processor for more details and options.

| POS TYPE | DESCRIPTION |
|---|---|
| Stand-Alone | Chip-enabled terminal device or peripheral is connected directly to the Acquirer Processor. Updates are managed by the Acquirer. Ideal for small Merchants currently using stand-alone terminals. |
| Semi-Integrated | Chip-enabled terminal device or peripheral is integrated into a new or existing POS software application. The payment device can be connected through a payment gateway or directly to the Acquirer. Terminal updates are managed either by the Payment Gateway or the Acquirer. |
| Integrated | Chip-enabled reader is fully integrated into the POS solution or a stand-alone peripheral. Merchant, Payment Gateway and/or Acquirer/Processor may be responsible for managing terminal updates. |
4.1 Device Certification
Device certification is completed by the Device Manufacturer or Original Equipment Manufacturer. Below are some common terms used during the device certification process.
• EMV Kernel is a set of functions that provides all the necessary processing logic and data that is required to perform an EMV contact or contactless transaction. The kernel will be called from the terminal's payment application and utilize the Interface Device (IFD) to perform necessary data exchanges with the card [4]. Note: Contactless EMV requires a kernel for each Payment Network implemented.
• Level 1 Approval (Hardware): Level 1 tests compliance with the electromechanical characteristics (contact) or the analog characteristics (contactless) and logical protocol requirements defined in the EMV Specifications. [4]
• Level 2 Approval (Software): Level 2 type approval process tests compliance with the application requirements as defined in the EMV Specifications. [4]
− Please Note: Contactless Level 2 approvals follow the individual Payment Network requirements. A valid contactless Level 1 Letter of Approval (LoA) is a prerequisite to contactless Level 2 certification.
• Discover Type Approval (for EMV contactless devices only): Verification by Discover that a specified composite Target of Evaluation (TOE) has demonstrated sufficient conformance to the Discover Specifications [5] for its stated purpose and Discover specifications are used [5]. EMVCo does not have a single common contactless specification for terminals as there is for contact terminals.
[4] Source: EMVCo www.emvco.com
[5] Source: Type Approval Process V2.2
4.1.1 Device Certification Requirements
Device certification should be completed prior to beginning end-to-end (E2E) certification. Because Level 1 and Level 2 approvals do expire, EMVCo and Discover Network require approvals to be renewed at defined intervals to maintain compliance. Please check with your Terminal Provider, Acquirer or Processor for Level 1 and Level 2 expiry dates.
| CERTIFICATION TYPE | WHAT IT INCLUDES | CERTIFICATION INITIATOR: CONTACT EMV | CERTIFICATION INITIATOR: CONTACTLESS EMV |
|---|---|---|---|
| Level 1 | Addresses hardware conformance with EMV specifications | EMVCo | EMVCo |
| Level 2 | Addresses application software conformance | EMVCo | The certification for Discover Network is called "Discover Type Approval" |
4.2 End-to-End Certification Requirements
E2E terminal certification must be completed for each Payment Network supported by the terminal. Each terminal application, combined with any middleware software product, should be certified by each Processor. The purpose of E2E testing is to:
• Demonstrate that the deployed terminals meet the requirements of both the Acquirer and the Discover Network.
• Demonstrate the terminals’ acceptance of D-PAS.
• Send authorization requests and receive authorization responses among terminals, Acquirer host systems and Discover Network.
• Demonstrate that terminals can process chip-based functions including PINs, fallback transactions and CVMs as supported by the terminal.
A high-level example of an end-to-end environment is provided in the following figure. For detailed information regarding the system architecture, requirements and configuration refer to the approved Test Tool documentation.
4.3 Production Validation Requirements
Production validation is required to verify that D-PAS- and J/Smart-certified terminals, and the associated infrastructure, are performing correctly in the production environment. Production validation must be performed in a live environment as part of an initial pilot or rollout for each unique combination of terminal, application and Processor. Production validation test transactions are executed using live D-PAS and J/Smart test cards at deployed terminals or terminals in a live laboratory environment. To request production validation test cards, please contact [email protected].
CHAPTER 5: Production Rollout
5.1 Production Rollout Check List
The following list highlights important steps in ensuring a successful EMV rollout for Merchants and VARs. This is not intended to be a comprehensive list. Please consult with your Processor or Discover Network for more details.
CERTIFICATION
• Check with your terminal provider, acquirer and processor to confirm who is responsible for renewing Level 1 and Level 2 certifications.
• Complete E2E certification for each unique terminal application and configuration combination if utilizing a fully-integrated solution.
• Confirm that your partner completed E2E certification if utilizing a semi-integrated solution.

TERMINAL CONFIGURATION / TERMINAL MANAGEMENT
• Confirm who is responsible for updating your terminals: adding new AIDs, updating or replacing CA PKs, etc.
• Verify AIDs have been loaded on the EMV terminals. (See Table 5.2 for details).
• Ensure production CA PKs were loaded and replaced test CA PKs.
• Ratify the Application Version Number Check is “0001.” It is recommended that terminals hold one additional Application Version Number slot open for future use.
• Confirm the terminal can store up to six CA PKs per card brand.
• Ensure TACs were properly coded.
• Support for the minimum chip card-related data elements for authorization and batch data capture.

IF SUPPORTING CONTACTLESS D-PAS
• If supporting contact and contactless D-PAS, terminals must not allow both interfaces to be activated simultaneously. If one interface is powered on, the other interface must be switched off.
• Support Zip AID to allow for application switch from Contactless D-PAS to magnetic stripe.
• Set terminal amount limits (if any) based on Merchant decision and direction received from your Processor. Please note that Discover does not have any transaction amount limit established for contactless D-PAS transactions.
• Add decal signage at your POS advertising your merchant accepts contactless payments.

TRAINING AND PILOT
• Train your employees on how to process contact and contactless transactions. Review the resources that Discover has created to assist you with this task: www.discovernetwork.com/chip-card/merchants/resource_center.html
• Request production validation EMV test cards by contacting [email protected].
• Complete production validation test transactions.
• Validate purchase, refund and cancellations.
• Confirm receipt is printing EMV-related data.
• Follow fallback to magnetic stripe processing.
OTHER IMPORTANT CONSIDERATIONS
• Ensure support for all Discover IIN/BIN ranges. (See Appendix D).
• Validate acceptance of a variable PAN length of up to 19 bytes.
• Support for terminal floor limits.
• Terminals accepting a PIN must comply with the PCI PED security requirements.
5.2 Discover EMV Program Matrix (V1.2 Published Nov 2015)
The following table summarizes AID parameters supported by Discover for the US market.
| | D-PAS (PROPRIETARY CONTACT AND CONTACTLESS) | U.S. DISCOVER DEBIT COMMON AID | JCB J/SMART | ZIP CONTACTLESS MAGNETIC STRIPE |
|---|---|---|---|---|
| AID | A0000001523010 | A0000001524010 | A0000000651010 | A0000003241010 |
| Partial Match | Allowed and strongly encouraged | Allowed and strongly encouraged | Allowed and strongly encouraged | Allowed and strongly encouraged |
| Example of Issuers | Discover Card, Diners Club International and Net to Net Partners (BC Card, RuPay). | Discover Debit Card, PULSE Issuers. | JCB-branded cards | Discover Card |
| Interfaces Supported | Contact EMV and Contactless EMV | Contact EMV and Contactless EMV. (Needs details to support Contactless are under development) | Contact EMV | Contactless Magnetic stripe |
| Application Version Number | 0001 (Recommend terminals hold one additional slot open for DFS future use.) | 0001 (Recommend terminals hold one additional slot open for DFS future use.) | 0200 (for EMV v4.x compliance); 0120 (for EMV v3.1.1 compliance) | |
| Fallback to Magnetic Stripe | Supported when chip cannot be read (damaged). | Supported when chip cannot be read (damaged). | Supported when chip cannot be read (damaged). | |
| Fallback to Magnetic Stripe: For AID Not Found | Transaction should be initiated by magnetic stripe but should not be coded as fallback. | Transaction should be initiated by magnetic stripe but should not be coded as fallback. | Transaction should be initiated by magnetic stripe but should not be coded as fallback. | |
| Fallback to Magnetic Stripe: For Application Blocked | Not allowed | Not allowed | Not allowed | |
| PIN: PIN Support | If PIN is supported for any payment brand, Online PIN and Offline PIN must be supported for Discover Network | If PIN is supported for any payment brand, Online PIN and Offline PIN must be supported for Discover Network | N/A | |
| PIN: PIN Bypass | Supported | Supported | N/A | |
D-PAS (PROPRIETARY) U.S. DISCOVER DEBIT COMMON AID
JCB J/SMART ZIP. CONTACTLESS MAGNETIC STRIPE
Contact EMV
TACs for Contact Interface
ODA Supported
ODA Not Supported
ODA Supported
ODA Not Supported
ODA Supported
ODA Not Supported
Denial 0010000000 0010000000 0010000000 0010000000 0010000000
Online FCE09CF800 30E09CF800 FCE09CF800 FFFFFFFFFF FC60ACF800
Default DC00002000 1000002000 DC00002000 FFFFFFFFFF FC6024A800 or FC60242800
| CONTACT EMV (CONTINUED) | D-PAS (PROPRIETARY) | U.S. DISCOVER DEBIT COMMON AID | JCB J/SMART | ZIP CONTACTLESS MAGNETIC STRIPE |
|---|---|---|---|---|
| Offline Transaction Limit | Allowed, please contact Processor for details. DFS limit is $300.00 (with MCC exceptions). | Online Authorization is required for all transactions originating from Discover U.S. Common Debit AID. | Allowed, please contact processor for details. DFS limit is $300.00 (with MCC exceptions). | |
| EMV Fraud Liability Shift | October 2015, all industries except AFD; October 2017, AFD | October 2015, all industries except AFD; October 2017, AFD | As of publication date, JCB has not announced EMV Fraud Liability Shift for the U.S. | |
| CVM Supported | Online PIN; Offline Enciphered PIN; Offline Plaintext PIN; Signature; No CVM | Online PIN; Signature (via No CVM); No CVM | Online PIN; Offline Enciphered PIN; Offline Plaintext PIN; Signature; No CVM | |
Terminal ODA Requirement
All offline-capable contactless terminals are required to support CDA.
ATMs should not be configured to support ODA.
ODA support is optional.
If ODA is supported, the terminal must support both SDA and DDA.
CDA support is optional. If it is supported by the terminal, it must be supported using EMV Mode 1.
ATMs should not be configured to support ODA.
All offline-capable contact terminals are required to support SDA and DDA.
| CONTACTLESS EMV | D-PAS (PROPRIETARY) | U.S. DISCOVER DEBIT COMMON AID | JCB J/SMART | ZIP CONTACTLESS MAGNETIC STRIPE |
|---|---|---|---|---|
| TACs for Contactless Interface | Do not apply. Contactless D-PAS does not require TACs. | Do not apply. Contactless D-PAS does not require TACs. | N/A | |
| Offline Transaction Limit | Allowed, please contact Processor for details. DFS limit is $300.00 (with MCC exceptions). | Online Authorization is required for all transactions originating from Discover U.S. Common Debit AID. | N/A | |
| Contactless Transaction Limit | No limit | No limit | N/A | |
| EMV Fraud Liability Shift | As of publication of this document, contactless transactions do not fall into EMV Fraud Liability Shift. | As of publication of this document, contactless transactions do not fall into EMV Fraud Liability Shift. | N/A | |
| CVM Supported | Online PIN; Signature; No CVM | Online PIN; Signature; No CVM (via No CVM) | N/A | |
| Terminal ODA Requirement | All offline-capable contactless terminals are required to support CDA. ATMs should not be configured to support ODA. | ODA support is optional. If ODA is supported, the terminal must support CDA. ATMs should not be configured to support ODA. | N/A | |
OTHERS

Default DDOL: Must include the Unpredictable Number.
TDOL and Terminal Exception File: D-PAS does not require default terminal TDOL and terminal exception file.

| | D-PAS (PROPRIETARY) | U.S. DISCOVER DEBIT COMMON AID | JCB J/SMART | ZIP CONTACTLESS MAGNETIC STRIPE |
|---|---|---|---|---|
| No CVM Policy | Per DFS Operating Regulations, transactions below $50 do not require CVM. Please contact your Processor to confirm requirements for No CVM. | Per DFS Operating Regulations, transactions below $50 do not require CVM. Please contact your Processor to confirm requirements for No CVM. | Per DFS Operating Regulations, transactions below $50 do not require CVM. Please contact your Processor to confirm requirements for No CVM. | Per DFS Operating Regulations, transactions below $50 do not require CVM. Please contact your Processor to confirm requirements for No CVM. |
| Production Validation | Required, using unfunded cards | Required, using unfunded cards | Required, using unfunded cards | |
| CAPKs: Test Environment | Yes, same for both Discover Proprietary and Debit Common AIDs | Yes, same for both Discover Proprietary and Debit Common AIDs | J/Smart Test CAPK with length 1408 bits | |
| CAPKs: Production Environment | Yes, same for both Discover Proprietary and Debit Common AIDs | Yes, same for both Discover Proprietary and Debit Common AIDs | J/Smart Production CAPKs | |

Test Cards
Test Environment, Physical Test Cards: One pack contains Contact and Contactless D-PAS, Debit and JCB test cards. Test cards can be purchased from a qualified vendor. JCB contact cards are available upon request to [email protected]
Production Environment, Unfunded Cards: Available upon request. One pack contains Contact and Contactless D-PAS, Debit and JCB test cards, plus JCB Contact test cards
Appendix A
DFS CA Test Payment System Public Keys
1. Key Length 1152 Bits – PKI 91 Test
| FIELD NAME | LENGTH | DESCRIPTION | VALUE |
|---|---|---|---|
| RID | 5b | Identifies the payment system to which the CA PK is associated | A0 00 00 01 52 |
| CA Public Key Index | 1b | Identifies the CA PK in conjunction with the RID | 5B |
| CA Hash Algorithm Indicator | 1b | Indicates the hash algorithm used to produce the Hash Result in the digital signature scheme | 01 |
| CA Public Key Algorithm Indicator | 1b | Indicates the algorithm to be used with the CA PK | 01 |
| CA Public Key Modulus | 144b | Value of the modulus part of the CA PK | |
| CA Public Key Exponent | 1b | CA PK Exponent equal to 3 | 03 |
| CA Public Key Check Sum | 20b | A check value calculated on the concatenation of all parts of the CA PK (RID, CA Public Key Index, CA Public Key Modulus, CA Public Key Exponent) using SHA-1 | 4D C5 C6 CA B6 AE 96 97 4D 9D C8 B2 43 5E 21 F5 26 BC 7A 60 |
2. Key Length – 1408 Bits – PKI 92 Test
| FIELD NAME | LENGTH | DESCRIPTION | VALUE |
|---|---|---|---|
| RID | 5 | Identifies the payment system to which the CA PK is associated | A0 00 00 01 52 |
| CA Public Key Index | 1 | Identifies the CA PK in conjunction with the RID | 5C |
| CA Hash Algorithm Indicator | 1 | Indicates the hash algorithm used to produce the Hash Result in the digital signature scheme | 01 |
| CA Public Key Algorithm Indicator | 1 | Indicates the algorithm to be used with the CA PK | 01 |
| CA Public Key Modulus | 176 | Value of the modulus part of the CA PK | |
| CA Public Key Exponent | 1b | CA Public Key Exponent equal to 3 | 03 |
| CA Public Key Check Sum | 20 | A check value calculated on the concatenation of all parts of the CA PK (RID, CA Public Key Index, CA Public Key Modulus, CA Public Key Exponent) using SHA-1 | 60 15 40 98 CB BA 35 0F 5F 48 6C A3 10 83 D1 FC 47 4E 31 F8 |
3. Key Length – 1984 Bits – PKI 93 Test
| FIELD NAME | LENGTH | DESCRIPTION | VALUE |
|---|---|---|---|
| RID | 5b | Identifies the payment system to which the CA PK is associated | A0 00 00 01 52 |
| CA Public Key Index | 1b | Identifies the CA PK in conjunction with the RID | 5D |
| CA Hash Algorithm Indicator | 1b | Indicates the hash algorithm used to produce the Hash Result in the digital signature scheme | 01 |
| CA Public Key Algorithm Indicator | 1b | Indicates the algorithm to be used with the CA PK | 01 |
| CA Public Key Modulus | 248b | Value of the modulus part of the CA PK | |
| CA Public Key Exponent | 1b | CA Public Key Exponent equal to 3 | 03 |
| CA Public Key Check Sum | 20b | A check value calculated on the concatenation of all parts of the CA PK (RID, CA Public Key Index, CA Public Key Modulus, CA Public Key Exponent) using SHA-1 | B5 1E C5 F7 DE 9B B6 D8 BC E8 FB 5F 69 BA 57 A0 42 21 F3 9B |
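One way a terminal management tool could apply the Check Sum field described in the three key tables above before storing a key, and refuse the Appendix A test indexes on a production terminal. This is an added example, not code from the Guide; the record layout, the function names, the filler modulus and the production index 0x01 used in testing are assumptions constructed for the demonstration.

```python
import hashlib

DISCOVER_RID = bytes.fromhex("A000000152")
# CA Public Key Indexes of the three test keys listed in Appendix A.
TEST_INDEXES = {0x5B, 0x5C, 0x5D}


class CapkError(ValueError):
    """Raised when a CA PK record must not be loaded."""


def capk_checksum(rid, index, modulus, exponent):
    """SHA-1 over RID || index || modulus || exponent, as Appendix A describes."""
    return hashlib.sha1(rid + bytes([index]) + modulus + exponent).digest()


def load_capk(store, record, production):
    """Validate one CA PK record and add it to `store`, keyed by (RID, index)."""
    rid, index = record["rid"], record["index"]
    modulus, exponent = record["modulus"], record["exponent"]
    if len(rid) != 5 or not 0 <= index <= 0xFF:
        raise CapkError("malformed RID or index")
    # Appendix A lists indicator value 01 for both algorithm fields.
    if record["hash_alg"] != 0x01 or record["pk_alg"] != 0x01:
        raise CapkError("unexpected algorithm indicator")
    # Appendix A keys use exponent 3; EMV also permits 2^16 + 1.
    if not modulus or exponent not in (b"\x03", b"\x01\x00\x01"):
        raise CapkError("unexpected modulus or exponent")
    expected = capk_checksum(rid, index, modulus, exponent)
    if len(record["checksum"]) != 20 or record["checksum"] != expected:
        raise CapkError("check sum mismatch: record corrupted or altered")
    if production and rid == DISCOVER_RID and index in TEST_INDEXES:
        raise CapkError("test CA PK offered to a production terminal")
    store[(rid, index)] = record


def leftover_test_keys(store):
    """Indexes of Appendix A test keys still present in a terminal's key store."""
    return sorted(i for (rid, i) in store
                  if rid == DISCOVER_RID and i in TEST_INDEXES)


def sample_record(index, bits=1152):
    """Constructed record for the demo: the modulus is filler bytes, not a real key."""
    modulus = bytes((7 * i + 1) % 256 for i in range(bits // 8))
    exponent = b"\x03"
    return {
        "rid": DISCOVER_RID, "index": index, "hash_alg": 0x01, "pk_alg": 0x01,
        "modulus": modulus, "exponent": exponent,
        "checksum": capk_checksum(DISCOVER_RID, index, modulus, exponent),
    }


if __name__ == "__main__":
    store = {}
    load_capk(store, sample_record(0x5B), production=False)
    print("test keys present:", [hex(i) for i in leftover_test_keys(store)])
```

Running `leftover_test_keys` against each terminal's key store is a direct check for the rollout item "Ensure production CA PKs were loaded and replaced test CA PKs."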
Appendix B
DPAS Acronyms
ACRONYM MEANING
AC Application Cryptogram
AFD Automated Fuel Dispenser
AID Application Identifier
CA Certification Authority
CA PK Certification Authority Public Key
CA PKI Certification Authority Public Key Index
CDA Combined Dynamic Data Authentication and Application Cryptogram Generation
CVM Card Verification Method
DDA Dynamic Data Authentication
DFS Discover Financial Services
D-PAS D-Payment Application Specification
E2E End-to-End
EMV Europay, MasterCard, Visa
ICC Integrated Circuit Cards
ISO International Organization for Standardization
NFC Near Field Communication
ODA Offline Data Authentication
OEM Original Equipment Manufacturer
PAN Primary Account Number
PIN Personal Identification Number
POS Point-of-Sale
RID Registered Application Provider Identifier
RFF Radio Frequency Field
SDA Static Data Authentication
TAC Terminal Action Code
TVR Terminal Verification Results
VAR Value-Added Reseller
Appendix C
DPAS Terminology
TERM: DEFINITION
AC: A cryptogram computed by the chip card application and used by the Issuer to verify that a request came from the card.
Acquirer: An entity that processes credit and debit card payments on behalf of a Merchant.
Acquirer Processor: A third-party entity designated by an Acquirer and approved by DFS for the purpose of performing certain Acquirer obligations under the Acquirer Agreement and/or the Program Guides, subject to the limitations and requirements set forth in the Acquirer Agreement, the Acquirer Processor Agreement and the Program Guides.
AID: An application identifier made up of the Registered Application Provider Identifier (RID) and the Proprietary Identifier Extension (PIX).
Application PAN: A valid Cardholder account number.
Authorization: The process used to determine whether to approve a card sale or cash advance in response to an authorization request.
Authorization Request: A request submitted by a Merchant or Acquirer, through DFS or another person acting on our behalf, to the Issuer for authorization of a card sale or cash advance.
CA PK: The key of the CA asymmetric key pair that can be made public. Consists of a:
• CA PK Exponent – The value of the exponent part of the CA PK.
• CA PK Modulus – The value of the modulus part of the CA PK.
Cardholder: A user of a credit, debit or prepaid payment card product.
CDA: An offline authentication method performed by the terminal to verify a card via a dynamic signature that is generated offline by the card and a cryptogram. The offline DDA is a dynamic signature. The online Application Cryptogram Authentication is the second signature.
Chip Card: A card with an embedded integrated chip that is a contact chip payment device, a contactless chip payment device or a dual interface payment device.
Chip Card Transaction: A card transaction that takes place with a chip card at a chip card terminal that complies with relevant operating regulations and technical specifications.
CVM: Method used to ensure that the person presenting the card is the person to whom the application in the card was issued.
DDA: Offline Dynamic Data Authentication performed by the terminal to verify the dynamic signature generated by the card for the transaction. Note: The generated dynamic signature is different for each transaction.
EMV: The global standard for credit and debit payment cards based on chip card technology. EMV is a trademark owned by EMVCo, LLC.
EMVCo: The corporation that manages, maintains and enhances the EMV ICC specifications for chip-based payment cards and acceptance devices, including POS terminals and ATMs.
Floor Limit: An amount designated in a Merchant Agreement as the amount below which the Merchant is not required to obtain an online authorization for a card sale.
ICC: A card that has a chip embedded in it. Chip cards and Discover Contactless D-PAS Cards embed such a chip.
ISO: An agency that establishes and publishes international technical standards.
Issuer: An entity that has signed a DFS Credit Issuer Agreement for the purpose of issuing DFS payment cards in accordance with the DFS Operating Regulations and other program documents.
JCB: A financial services company based in Tokyo, Japan also known as JCB Co., Ltd. that operates as the JCB payment network in Japan and also issues JCB payment partners on its network for acceptance on its network.
Key: A binary value that is used as part of an algorithm to encrypt or decrypt data.
Landing Zone: The landing zone is the strongest RF point close to the reader. It is identified by the EMVCo contactless symbol.
Merchant: An entity engaged in commercial operations that comply with the requirements set out in the Discover Operating Regulations and other program documents.
Merchant Agreement: A signed, written agreement between an Acquirer and a Merchant that:
• Permits the Merchant to accept cards as payment for goods and services and cash at the Acquirer’s discretion, but not in exchange for cash, cash equivalents or the funding of value used for future purchases (“quasi-cash”) unless specifically approved in the Acquirer Agreement.
• Describes the terms pursuant to which Acquirer shall pay Settlement Amounts to the Merchant for card transactions accepted by the Merchant.
• Provides a sublicense to the Merchant governing the Merchant’s use of the program marks.
• Describes the program services provided by Acquirer to the Merchant to support card acceptance.
ODA: The process of validating a contactless EMV card offline at POS via CDA.
PAN: The unique identifying number that is assigned by the Issuer to the card at the time of card issuance.
Payment Brand: An organization that manages a network to facilitate payments between Cardholders and Merchants.
Payment Device: Contactless D-PAS products can be issued in many different forms such as key fobs, stickers or mobile phones. These devices are collectively known as “contactless payment devices.”
PIN: The personal identification number or code assigned by an Issuer that may be used by the Cardholder to facilitate a card sale or cash advance on a POS device.
PIX: An optional data element assigned by the application provider of up to 11 bytes which is part of the structure of the AID.
PKI Identifies a CA PK pair used in CDA.
Plaintext Unenciphered information.
POS Device An electronic card reader, chip card terminal, cash register or terminal and any necessary software, located at the physical premises of a Merchant that is capable of electronically capturing data from cards and receiving electronic evidence of authorization responses and which may also be capable of transmitting electronic evidence of sales data.
Reader A device that can communicate with a contactless D-PAS card using the RF interface. Readers may be physically separate from a terminal or integrated inside.
RF Field Radio Frequency Field. Contactless field generated by the Contactless Reader. The Contactless Card must enter the RF field near the Reader landing zone to initiate a Contactless Transaction.
RID Part of an AID that is unique to an application provider and assigned according to ISO/IEC 7816-5.
SDA An authentication performed by the terminal to verify the static signature placed on a card during the card personalization process.
Terminal An electronic device that accepts and processes payment transactions.
Terminal Contactless CVM Limit This data sets the CVM limit for a particular AID based on the amount of the transaction. If the amount of the transaction is greater than or equal to this limit, the terminal will ask the card to perform Cardholder Verification.
Token A surrogate value for a PAN that limits exposure to the PAN.
VAR An entity that adds features or services to an existing product, then resells it (usually to end-users) as an integrated product or complete turnkey solution.
APPENDIX D
Issuer Identification Number (IIN) Ranges that Operate on the Discover network:
DISCOVER IIN (BIN) RANGE TABLE
Start     End           Issuing Network  Credit / Debit  Min Digits  Max Digits
30000000  30599999      DCI              Credit          16          19
30950000  30959999      DCI              Credit          16          19
35280000  35899999 (a)  JCB              Credit          16          19
36000000  36999999 (b)  DCI              Credit          14          19
38000000  39999999      DCI              Credit          16          19
60110000  60110399      DN               Both            16          19
60110400  60110499      PayPal           Credit          16          19
60110500  60110999      DN               Both            16          19
60112000  60114999      DN               Both            16          19
60117400  60117499      DN               Both            16          19
60117700  60117999      DN               Both            16          19
60118600  60119999      DN               Both            16          19
62212600  62292599 (c)  UnionPay         Both            16          19
62400000  62699999 (c)  UnionPay         Credit          16          19
62820000  62889999 (c)  UnionPay         Credit          16          19
64400000  65059999      DN               Both            16          19
65060000  65060099      PayPal           Credit          16          19
65060100  65060999      DN               Both            16          19
65061000  65061099      PayPal           Credit          16          19
65061100  65999999      DN               Both            16          19
a. This IIN Range (35280000 to 35899999) shall be enabled only by Merchants, Acquirers or their Processors in connection with Merchant relationships, POS Devices or otherwise, within the 50 States of the United States of America and the District of Columbia, Puerto Rico, the US Virgin Islands, the Northern Mariana Islands, Palau, and Guam, subject to certain exceptions in Acquirer Agreements where applicable.
b. The PAN length for this IIN Range (36000000 to 36999999) is 14 digits.
c. The UnionPay IIN Ranges shall be enabled only by Merchants, Acquirers, or their Processors in connection with Merchant relationships, POS Devices or otherwise, in the United States, Mexico, and the Caribbean.