Security Rules and Procedures 31 March 2016 SP


Summary of Changes, 31 March 2016

This manual reflects changes associated with announcements in MasterCard bulletins from 13 March 2015 to 1 March 2016, and additional terminology changes.

The changes to this manual can no longer be located online using the Find box. Use the section numbers given under "Where to Look" (hyperlinked in the online edition) to locate the changes listed below.

Description of Change  Where to Look

Updated definitions of the following terms: Cardholder Verification Method (CVM); Cross-border Transaction; Interregional Transaction; Intracountry Transaction; Intraregional Transaction; MasterCard Account; MasterCard Europe; On-Device Cardholder Verification; Payment Application; Point-of-Sale (POS) Terminal; Transaction. Appendix D (relettered)

Added definitions of the following terms: Account Enablement System; BIN; Consumer Device Cardholder Verification Method, Consumer Device CVM, CDCVM; Inter-European Transaction; Intra-European Transaction; Intra-Non-SEPA Transaction; MasterCard Token Vault; Token Vault; Transaction Management System; Trusted Service Manager. Appendix D (relettered)

Added the Asia/Pacific Region and the Middle East/Africa Region to the scope of requirements for Payment Applications resident on the Chip of a Card. 3.1

Updated reference from MasterCard Europe SPRL to MasterCard Europe SA. 3.1

Added 222100 to 272099 to the BIN range for MasterCard Account PANs. 3.2

Removed the IIN requirements for Maestro Accounts and Cirrus Accounts. 3.3

Updated the ISO BIN assignment requirements for Issuers of Maestro Cards and Cirrus Cards. 3.3

Updated the offline authorization support requirements for Chip Cards. 3.6

Added section 3.9—Consumer Device Cardholder Verification Methods. 3.9

Added section 3.9.1—MasterCard Qualification of Consumer Device CVMs. 3.9.1

Added section 3.9.2—CDCVM Functionality. 3.9.2

Added section 3.9.3—Persistent Authentication. 3.9.3

Added section 3.9.4—Prolonged Authentication. 3.9.4

Added section 3.9.5—Maintaining MasterCard-qualified CVM Status. 3.9.5

Added section 3.9.6—Issuer Responsibilities. 3.9.6

Clarified the parameter limit requirements for prolonged Cardholder authentication. 3.9.6

©1991–2016 MasterCard. Proprietary. All rights reserved. Security Rules and Procedures • 31 March 2016

Added section 3.9.7—Use of a Vendor. 3.9.7

Removed section 3.11—Transaction Information Documents (TIDs). 3.11 (deleted)

Removed section 3.11.1—Formset Contents. 3.11.1 (deleted)

Removed section 3.11.2—POS Terminal Receipt Contents. 3.11.2 (deleted)

Removed section 3.11.3—Primary Account Number Truncation and Expiration Date Omission. 3.11.3 (deleted)

Clarified the performance indicator requirements relating to an Issuer's fraud detection tool. 6.2.1.7

Clarified MATCH compliance requirements for Acquirers. 7.1.2

Updated references from state lottery Merchants/Submerchants/Transactions to government-owned lottery Merchants/Submerchants/Transactions for the types of entities that must comply with the registration and monitoring requirements of the MRP. 7.4, 9.1, 9.3

Added high-risk cyberlocker Merchants and Submerchants to the types of entities that must comply with the registration and monitoring requirements of the MRP. 7.4, 9.1, 9.2.1, 9.3

Removed section 8.1—Presenting Valid Transactions. 8.1 (deleted)

Added section 8.1—Notifying MasterCard. 8.1

Removed section 8.1.1—Notifying MasterCard—Acquirer Responsibilities. 8.1.1 (deleted)

Added section 8.1.1—Acquirer Responsibilities. 8.1.1

Removed section 8.1.2—Notifying MasterCard—Issuer Responsibilities. 8.1.2 (deleted)

Added section 8.1.2—Issuer Responsibilities. 8.1.2

Removed section 8.1.3—MasterCard Audit. 8.1.3 (deleted)

Removed section 8.1.3.1—Initiation of MasterCard Audit. 8.1.3.1 (deleted)

Removed section 8.1.3.2—Information Required by MasterCard. 8.1.3.2 (deleted)

Removed section 8.1.3.3—Notification to Customers of Chargeback Period. 8.1.3.3 (deleted)

Updated cross-reference to the Valid Transactions Rule of the MasterCard Rules manual. 8.2.1

Updated MATCH annual usage fee to USD 5,000. 8.2.6.1, 11.2


Moved the contents of section 8.4.3—MasterCard Notification to Issuers to section 8.4.3.1—Investigations Concerning Cardholder Bust-out Accounts (new). 8.4.3.1

Added new content to section 8.4.3—MasterCard Notification to Issuers. 8.4.3

Added section 8.4.3.2—Investigations Not Concerning Cardholder Bust-out Accounts. 8.4.3.2

Added MCC 9406 to the types of government-owned lottery Merchants required to be registered using the MRP. 9.1

Added section 9.4.6—High-Risk Cyberlocker Merchants. 9.4.6

Moved section 9.4.4—State Lottery Merchants (U.S. Region Only) to section 9.4.4.1. 9.4.4.1

Added section 9.4.4—Government-owned Lottery Merchants. 9.4.4

Added section 9.4.4.2—Government-owned Lottery Merchants (Specific Countries). 9.4.4.2

Clarified the purpose and location of the PCI Security Standards. 10.1

Clarified the scope of the list of Account Data Compromise Event terminology. 10.2

Clarified the ADC Event/Potential ADC Event awareness criteria for Customers and Customers' Agents. 10.2.2.1

Added references of other Agents to applicable references of Merchants. 10.2.2.1, 10.2.4, 10.2.5.3

Clarified the required contents of the final forensic report. 10.2.3

Updated the number of Accounts to 30,000 for Criterion A. 10.2.4

Updated the responsible Customer requirements for Criterion C. 10.2.4

Updated reference from Merchant Acquirer Contact to Account Data Compromise Contact. 10.2.5.2

Updated the Issuer participation criteria for the reimbursement component of the ADC Program. 10.2.5.3

Updated the responsible Customer financial liability requirements relating to an ADC Event. 10.2.5.3

Updated the ADC OR determination process. 10.2.5.4


Updated references from Dual Interface Hybrid POS Terminals to Hybrid POS Terminals. 10.2.5.4, 10.2.5.5, 10.3.4.2

Updated the ADC FR determination process. 10.2.5.5

Updated the SAFE reporting requirements for Issuers regarding Accounts placed at risk from an ADC Event or Potential ADC Event. 10.2.5.5

Added a Chargeback Deduction section header. 10.2.5.5

Added a Chip Liability Shift Impact section. 10.2.5.5

Clarified the ADC fraud recovery eligibility criteria for Accounts disclosed for different ADC Events. 10.2.5.5

Removed section 10.2.5.6—Investigation and Other Costs. 10.2.5.6 (deleted)

Updated the final financial responsibility determination process. 10.2.7

Clarified the description of MATCH reason code 04. Table 11.4

Clarified the SAFE reporting requirements for Issuers. 12.1

Updated the SAFE reporting requirements for Digital Secure Remote Payment Transactions. 12.2.1

Removed Appendix B—Formset Specifications. Appendix B (deleted)

Removed Appendix D—Best Practices Guides. Appendix D (deleted)


Contents

Summary of Changes, 31 March 2016

Chapter 1: Customer Obligations
1.1 Compliance with the Standards
1.2 Conflict with Law
1.3 The Security Contact

Chapter 2: Card Production Standards
2.1 Compliance with Card Production Standards
2.2 Monitoring of Personnel
2.3 Contracting with Card Registration Companies
2.4 Working with Vendors
2.4.1 Order Request Required to Produce Cards
2.4.2 Stockpiling Plastics
2.5 Cards Without Personalization
2.6 Card Count Discrepancies
2.7 Reporting Card Loss or Theft
2.8 Disposition of Unissued Cards and Account Information

Chapter 3: Card and Access Device Design Standards
3.1 Principles of Standardization
3.2 MasterCard Account Number
3.3 Maestro and Cirrus Account Numbers
3.4 Signature Panel
3.5 Magnetic Stripe or MasterCard HoloMag Encoding
3.5.1 Card Validation Code 1 (CVC 1)
3.5.2 Service Code
3.5.3 Cardholder Name
3.5.4 Expiration Date
3.6 Chip Cards
3.6.1 Chip Card Applications
3.6.2 Multiple Application Chip Cards
3.6.3 Use of M/Chip Card Application Specifications
3.7 Contactless Cards and Payment Devices
3.8 Mobile Payment Devices
3.9 Consumer Device Cardholder Verification Methods
3.9.1 MasterCard Qualification of Consumer Device CVMs
3.9.2 CDCVM Functionality


3.9.3 Persistent Authentication
3.9.4 Prolonged Authentication
3.9.5 Maintaining MasterCard-qualified CVM Status
3.9.6 Issuer Responsibilities
3.9.7 Use of a Vendor
3.10 Card Validation Code (CVC)
3.10.1 Issuer Requirements for CVC 1
3.10.2 Issuer Requirements for CVC 2
3.10.3 Issuer Requirements for CVC 3
3.10.4 Acquirer Requirements for CVC 2
3.10.5 CVC Calculation Methods
3.11 Service Codes
3.11.1 Issuer Information
3.11.2 Acquirer Information
3.11.3 Valid Service Codes
3.11.4 Additional Service Code Information

Chapter 4: Terminal and PIN Security Standards
4.1 Personal Identification Numbers (PINs)
4.2 PIN Selection and Usage
4.3 PIN Verification
4.4 PIN Authorization Requests
4.5 PIN Encipherment
4.6 PIN Key Management
4.6.1 PIN Transmission Between Customer Host Systems and the Interchange System
4.6.2 On-behalf Key Management
4.7 PIN at the POI for MasterCard Magnetic Stripe Transactions
4.8 Terminal Security Standards
4.9 Hybrid Terminal Security Standards
4.10 PIN Entry Device Standards
4.11 Wireless POS Terminals and Internet/Stand-alone IP-enabled POS Terminal Security Standards
4.12 POS Terminals Using Electronic Signature Capture Technology (ESCT)
4.13 Component Authentication
4.14 Triple DES Migration Standards

Chapter 5: Card Recovery and Return Standards
5.1 Card Recovery and Return
5.1.1 Card Retention by Merchants
5.1.2 ATM Card Retention
5.1.3 Payment of Rewards


5.1.4 Reporting Fraudulent Use of Cards
5.1.5 Reporting Lost and Stolen Cards
5.2 Criminal and Counterfeit Investigations
5.2.1 Initiating an Investigation
5.2.2 Providing a Progress Report
5.2.3 Requesting an Arrest and Criminal Prosecution
5.2.4 Fees and Reimbursement of Expenses
5.2.5 Investigation of Counterfeits and Major Criminal Cases

Chapter 6: Fraud Loss Control Standards
6.1 Customer Responsibility for Fraud Loss Control
6.2 MasterCard Fraud Loss Control Program Standards
6.2.1 Issuer Fraud Loss Control Programs
6.2.2 Acquirer Fraud Loss Control Programs
6.2.3 Noncompliance with Fraud Loss Control Program Standards
6.3 MasterCard Counterfeit Card Fraud Loss Control Standards
6.3.1 Counterfeit Card Notification
6.3.2 Responsibility for Counterfeit Loss
6.3.3 Acquirer Counterfeit Liability Program
6.4 Maestro Issuer Loss Control Program (LCP)
6.4.1 Group 1 Issuers—Issuers with Dynamic Geo-Controls
6.4.2 Group 2 Issuers—Issuers without Dynamic Geo-Controls
6.4.3 Group 3 Issuers—Issuers Experiencing Fraud in Excess of Established Levels ("High Fraud")
6.4.4 Fraud Detection Tool Implementation
6.4.5 Cardholder Communication Strategy

Chapter 7: Merchant, Submerchant, and ATM Owner Screening and Monitoring Standards
7.1 Screening New Merchants, Submerchants, and ATM Owners
7.1.1 Merchant Screening Procedures
7.1.2 Submerchant Screening Procedures
7.1.3 ATM Owner Screening Procedures
7.1.4 Evidence of Compliance with Screening Procedures
7.1.5 Retention of Investigative Records
7.1.6 Assessments for Noncompliance with Screening Procedures
7.2 Ongoing Monitoring
7.3 Merchant Education
7.4 Additional Requirements for Certain Merchant and Submerchant Categories


Chapter 8: MasterCard Fraud Control Programs
8.1 Notifying MasterCard
8.1.1 Acquirer Responsibilities
8.1.2 Issuer Responsibilities
8.2 Global Merchant Audit Program
8.2.1 Acquirer Responsibilities
8.2.2 Tier 3 Special Merchant Audit
8.2.3 Chargeback Responsibility
8.2.4 Exclusion from the Global Merchant Audit Program
8.2.5 Notification of Merchant Identification
8.2.6 Merchant Online Status Tracking (MOST) System
8.3 Excessive Chargeback Program
8.3.1 ECP Definitions
8.3.2 Reporting Requirements
8.3.3 Assessments
8.3.4 Issuer Reimbursement
8.3.5 Additional Tier 2 ECM Requirements
8.4 Questionable Merchant Audit Program (QMAP)
8.4.1 QMAP Definitions
8.4.2 MasterCard Commencement of an Investigation
8.4.3 MasterCard Notification to Issuers
8.4.4 MasterCard Notification to Acquirers
8.4.5 Merchant Termination
8.4.6 MasterCard Determination
8.4.7 Chargeback Responsibility
8.4.8 Fraud Recovery
8.4.9 QMAP Fees
8.5 Issuer Monitoring Program (IMP)
8.5.1 Identification Criteria
8.5.2 MasterCard Audit and Questionnaire
8.5.3 Subsequent Issuer Identifications in the IMP

Chapter 9: MasterCard Registration Program
9.1 MasterCard Registration Program Overview
9.2 General Registration Requirements
9.2.1 Merchant Registration Fees and Noncompliance Assessments
9.3 General Monitoring Requirements
9.4 Additional Requirements for Specific Merchant Categories
9.4.1 Non-face-to-face Adult Content and Services Merchants
9.4.2 Non-face-to-face Gambling Merchants


9.4.3 Pharmaceutical and Tobacco Product Merchants
9.4.4 Government-owned Lottery Merchants
9.4.5 Skill Games Merchants (U.S. Region Only)
9.4.6 High-Risk Cyberlocker Merchants

Chapter 10: Account Data Protection Standards and Programs
10.1 Account Data Protection Standards
10.2 Account Data Compromise Events
10.2.1 Policy Concerning Account Data Compromise Events and Potential Account Data Compromise Events
10.2.2 Responsibilities in Connection with ADC Events and Potential ADC Events
10.2.3 Forensic Report
10.2.4 Alternative Standards Applicable to Certain Merchants or Other Agents
10.2.5 MasterCard Determination of ADC Event or Potential ADC Event
10.2.6 Assessments and/or Disqualification for Noncompliance
10.2.7 Final Financial Responsibility Determination
10.3 MasterCard Site Data Protection (SDP) Program
10.3.1 Payment Card Industry Data Security Standards
10.3.2 Compliance Validation Tools
10.3.3 Acquirer Compliance Requirements
10.3.4 Implementation Schedule
10.4 Connecting to MasterCard—Physical and Logical Security Requirements
10.4.1 Minimum Security Requirements
10.4.2 Additional Recommended Security Requirements
10.4.3 Ownership of Service Delivery Point Equipment

Chapter 11: MATCH System
11.1 MATCH Overview
11.1.1 System Features
11.1.2 How does MATCH Search when Conducting an Inquiry?
11.2 MATCH Standards
11.2.1 Certification
11.2.2 When to Add a Merchant to MATCH
11.2.3 Inquiring about a Merchant
11.2.4 MATCH Noncompliance Assessments
11.2.5 Exceptions to MATCH Standards
11.2.6 MATCH Record Retention
11.3 Merchants Listed by MasterCard
11.3.1 Questionable Merchants
11.4 Merchant Removal from MATCH
11.5 MATCH Reason Codes


11.5.1 Reason Codes for Merchants Listed by the Acquirer
11.5.2 Reason Codes for Merchants Listed by MasterCard
11.6 Requesting Access to and Using MATCH
11.7 Legal Notice

Chapter 12: System to Avoid Fraud Effectively (SAFE) Reporting Standards
12.1 SAFE Overview
12.2 SAFE Fraud Reporting Standards
12.2.1 Digital Secure Remote Payment Transactions
12.3 SAFE Reason Codes
12.4 Data Accuracy and Integrity
12.5 Timely Reporting of MasterCard and Debit MasterCard Transactions
12.5.1 Tier I Reporting Requirement
12.5.2 Tier II Reporting Requirement
12.5.3 Tier III Reporting Requirement
12.6 Timely Reporting of Maestro Transactions
12.7 Timely Reporting of Cirrus Transactions
12.8 Digital Goods Transactions
12.9 Fraud-related Chargebacks
12.10 High Clearing Transaction Volume
12.11 Transaction Amount
12.12 Resubmitting Rejected Transactions
12.13 Noncompliance Assessments
12.14 Variances

Chapter 13: Global Risk Management Program
13.1 About the Global Risk Management Program
13.1.1 Customer Onboarding Reviews
13.1.2 Third Party Risk Reviews
13.1.3 Customer Risk Reviews
13.1.4 Customer Consultative Reviews
13.2 Global Risk Management Program Review Topics
13.2.1 Issuer Global Risk Management Program Review Topics
13.2.2 Acquirer Global Risk Management Program Review Topics
13.3 Global Risk Management Program Reports
13.4 Customer Risk Review Conditions
13.4.1 Customer Risk Review Issuer Criteria
13.4.2 Customer Risk Review Acquirer Criteria
13.4.3 Basis Points Calculation
13.5 Global Risk Management Program Fees

    Contents

    ©1991–2016 MasterCard. Proprietary. All rights reserved.Security Rules and Procedures • 31 March 2016 11

13.6 Noncompliance with Fraud Loss Control Standards ... 173

Appendix A: Track Data Content and Format ... 174
A.1 Track 1 Data Content and Format ... 175
A.2 Track 2 Data Content and Format ... 177

Appendix B: Contact Information ... 181
B.1 Security and Risk Services ... 182
B.2 Merchant Fraud Control ... 182
B.3 Account Data Compromise Events ... 183
B.4 Card Design Management ... 183
B.5 MasterCard Connect™ Applications ... 184
B.6 Customer Operations Services ... 184
B.7 Questionable Merchant Activity ... 185

Appendix C: Card Production Services ... 187
C.1 Card Production Services ... 188

Appendix D: Definitions ... 190

Notices ... 223


Chapter 1 Customer Obligations

This chapter describes general Customer compliance and Program obligations relating to MasterCard Card issuing and Merchant acquiring Program Activities.

1.1 Compliance with the Standards ... 14
1.2 Conflict with Law ... 14
1.3 The Security Contact ... 14


1.1 Compliance with the Standards

    This manual contains Standards. Each Customer must comply fully with these Standards.

All of the Standards in this manual are assigned to noncompliance category A under the compliance framework set forth in Chapter 2 of the MasterCard Rules manual (“the compliance framework”), unless otherwise specified in the table below. The noncompliance assessment schedule provided in the compliance framework pertains to any Standard in the Security Rules and Procedures manual that does not have an established compliance Program. The Corporation may deviate from the schedule at any time.

Section Number   Section Title                                   Category
1.3              The Security Contact                            C
2.3              Contracting with Card Registration Companies    C
7.1.5            Retention of Investigative Records              C

    1.2 Conflict with Law

A Customer is excused from compliance with a Standard in any country or region of a country only to the extent that compliance would cause the Customer to violate local applicable law or regulation, and further provided that the Customer promptly notifies the Corporation, in writing, of the basis for and nature of an inability to comply. The Corporation has the authority to approve local alternatives to these Standards.

    1.3 The Security Contact

Each Customer must have a Security Contact listed for each of its Member IDs/ICA numbers in the Member Information tool on MasterCard Connect™.


Chapter 2 Card Production Standards

This chapter may be of particular interest to Customers that issue Cards, and includes requirements for personnel responsible for the tasks associated with producing Cards.

2.1 Compliance with Card Production Standards ... 16
2.2 Monitoring of Personnel ... 16
2.3 Contracting with Card Registration Companies ... 17
2.4 Working with Vendors ... 18
2.4.1 Order Request Required to Produce Cards ... 19
2.4.2 Stockpiling Plastics ... 19
2.5 Cards Without Personalization ... 19
2.6 Card Count Discrepancies ... 19
2.7 Reporting Card Loss or Theft ... 19
2.8 Disposition of Unissued Cards and Account Information ... 20


2.1 Compliance with Card Production Standards

As used in this section, and unless otherwise specified, the term “Card production” is applicable with respect to Cards and other types of Access Devices, including Contactless Payment Devices and Mobile Payment Devices.

An Issuer engaged in Card production must comply with all applicable Standards, including but not limited to those set forth in this chapter and in the following documents:

• Card Design Standards
• Card Production Physical Security Requirements
• Card Production Logical Security Requirements
• Security Requirements for Mobile Payment Provisioning

The Card Production Physical Security Requirements and the Card Production Logical Security Requirements documents are available on the Payment Card Industry Security Standards Council (PCI SSC) website under the Card Production tab at www.pcisecuritystandards.org/security_standards/documents.php.

An Issuer that uses a Card production vendor to produce Cards on its behalf must also comply with the Standards set forth in section 2.4 of this manual.

It is recommended that an Issuer that issues and/or personalizes Cards onsite at a bank branch, retail store, or other location outside of a Card production vendor facility refer to the Security Guidelines for Instant Card Issuance and Instant Card Personalization manual for information relating to the secure issuance of Cards and protection of Cardholder data at such locations.

Card production activities subject to compliance with these Standards include, by way of example and not limitation, the treatment and safeguarding of Cards, Card manufacture, printing, embossing, encoding, and mailing, as well as any phase of the production and distribution of Cards or Card account information.

    Refer to Appendix C of this manual for detailed descriptions of Card production activities.

    2.2 Monitoring of Personnel

Where permissible by law, Issuers must conduct credit and criminal record checks for all personnel handling embossed or unembossed Cards, including part-time and temporary personnel.

In addition, where permissible by law, Issuers may not employ such personnel with one or more known criminal convictions, high credit risk backgrounds, or both, in Card storage and processing areas.

Issuers also may not allow such personnel access to account numbers, embossed or unembossed Cards, embossing or encoding equipment, nor may they engage such personnel in security or waste processing work.


2.3 Contracting with Card Registration Companies

A card registration company (“Company”) is any entity that stores Card account numbers and, upon notification by the Cardholder, reports the loss or theft of the Card(s) to the Issuer(s).

Any Issuer having a contractual agreement with a Company pursuant to which the Company registers that Issuer’s Cardholder account numbers must ensure that the contract includes the following obligations on the part of the Company:

• The Company shall maintain any Cardholder information, including, without limitation, names, addresses, phone numbers, and account numbers in strictest confidence and disclose them only to the Issuer. The Company shall keep any media containing this type of information in an area limited to selected personnel having access on a need-to-know basis. Before discarding such media, the Company shall destroy it in a manner that will render the data unreadable.

• The Company shall control and limit access to account numbers stored in a computer environment by establishing procedures that must include, but are not limited to, a password system for computer remote terminal (CRT) access and control over dial-up lines or any other means of access.

• The Company may not use the name of MasterCard in any promotion or advertising, except as provided by a contractual agreement with the Issuer for purposes of soliciting and providing services to the Issuer’s Cardholders. MasterCard reserves the right to approve any such materials.

• The Company must maintain a 24-hours-per-day, seven-days-per-week service to receive Cardholder reports on lost or stolen Cards. The Company shall transmit each report immediately and in any event no later than two hours after receiving the report, by the most expeditious means, for example, phone or fax, to the appropriate Issuer.

At a minimum, the notification must include:

– Account number
– Issuer’s name
– Cardholder’s name, address, and phone number
– Phone number where the Cardholder can be reached
– Whether the Card was lost or stolen
– Time and location of the reported loss or theft

• The Company shall report any loss or theft of Cardholder information, whether due to act or omission, to MasterCard and to the Issuer with which it has a contract within 24 hours of discovery of the loss or theft.

• The Company must convey a Cardholder request for a replacement Card to the Issuer.

• The contract must include an indemnification clause holding MasterCard, its officers, its directors and employees, its Customers, and the Issuer having the contract with the Company not liable for any loss or damage claimed by or on behalf of the Cardholder, Issuer, or other person or entity alleged to be attributable to the Company’s failure to properly provide the services described in the contract or failure to safeguard account information.

• The Company must be covered by liability, fidelity, fire, and theft insurance and must have a disaster recovery plan to ensure continuity of services in the event of natural or other events that disrupt or threaten to disrupt service unless otherwise agreed to in writing by MasterCard. Coverage must be reasonable and adequate in consideration of the nature and volume of work performed, the plant location, physical condition, and security of the plant, and the number and duties of employees.

• The Company must comply with all applicable laws, rules, and regulations, including, without limitation, consumer protection laws, applicable to the services offered and performed by the Company.

    2.4 Working with Vendors

Before employing the services of a vendor to perform any of the Card production services described in Appendix C of this manual, a Customer must ensure that the vendor has been certified by MasterCard under the Global Vendor Certification Program (GVCP).

Prior to certification and annual recertification of a vendor facility under the GVCP, MasterCard conducts an on-site audit of the facility to evaluate its compliance with the applicable physical, logical, and mobile payment provisioning security Standards set forth in the following documents:

• Card Production Physical Security Requirements
• Card Production Logical Security Requirements
• Security Requirements for Mobile Payment Provisioning

The Card Production Physical Security Requirements and the Card Production Logical Security Requirements documents are available on the PCI SSC website under the Card Production tab at www.pcisecuritystandards.org/security_standards/documents.php.

A certified vendor facility is issued a compliance certification, which is subject to annual renewal provided the vendor facility remains in good standing. The “List of Certified Vendors,” as published monthly in the Global Security Bulletin, contains the name of each vendor facility then certified and a description of the specific services that the facility is authorized to perform.

Any agreement between an Issuer and a vendor for Card production services should contain terms stating that the vendor agrees to safeguard and control usage of account data and to comply with all applicable Standards then in effect, including but not limited to those set forth in section 2.4 and in the Card Design Standards manual.

For more information about the GVCP, contact MasterCard by sending an email to [email protected].


2.4.1 Order Request Required to Produce Cards

No vendor may print or manufacture any Card, sample, or facsimile, on plastic or any other material, except in response to a specific order from a Customer or from MasterCard. A Customer may order Cards by using the Card Order Request (Form 488), available in the Library section of MasterCard Connect™, or an equivalent document that provides the same information.

Form 488 (or an equivalent document) must be completed and retained by the vendor and Customer, and must be made available to MasterCard upon request.

MasterCard reserves the right to request, from time to time, Card samples for review, and will communicate any such request via the Submit a Card Design Request (Manufacturer) process on MasterCard Connect™.

    2.4.2 Stockpiling Plastics

An Issuer may not encourage a vendor to stockpile plastics or Cards or use a vendor known to engage in the practice of stockpiling plastics or Cards. Stockpiling is the practice of manufacturing excess plastics or Cards in anticipation of future orders from Customers.

    2.5 Cards Without Personalization

A Customer must not send “unfinished” Cards (as used herein, “unfinished” means a Card that has not yet been personalized with a primary account number [PAN] or expiration date) via the mail. Unfinished Cards must be shipped via secure shipping methods as described in the Card Production Physical Security Requirements. In the rare event that rapid delivery is required and secure shipping methods are infeasible, the Issuer may use an express courier service that provides shipment tracking, recipient authentication, and receipt confirmation for the shipment of no more than 500 unfinished Cards per day.

    2.6 Card Count Discrepancies

Upon receiving a shipment of Cards, the Issuer must verify that the correct Card quantity was delivered and take immediate action to resolve any Card count discrepancy and recover any missing Cards. The Issuer may use the Card count noted on each sealed carton in the Card count verification. Sealed cartons may also be opened at random, audited, and resealed. All open cartons and all sealed cartons with no Card count noted on the carton must have the contents counted.

    2.7 Reporting Card Loss or Theft

Within 24 hours of discovery, a Customer must report to MasterCard the suspected or confirmed loss or theft of any Cards while in transit from a vendor or in the Customer’s possession. The report must be sent via email to [email protected] and contain the following information:

• Issuer name and Member ID/ICA number
• Card type and quantity
• With respect to the loss or theft of Cards while in transit from a vendor:
  – The vendor name
  – The location from which the Cards were shipped
  – The date and method of shipment
  – The address to which the Cards were shipped
• Pertinent details about the loss and the investigation
• Name and phone number of contact for additional information
• Name and phone number of person reporting the loss or theft

    2.8 Disposition of Unissued Cards and Account Information

A Customer that ceases to issue Cards must promptly destroy or otherwise properly dispose of all unissued Cards and all media containing Card Account information.


Chapter 3 Card and Access Device Design Standards

This chapter may be of particular interest to Issuers and vendors certified by MasterCard responsible for the design, creation, and control of Cards. It provides specifications for all MasterCard, Maestro, and Cirrus Card Programs worldwide.

3.1 Principles of Standardization ... 23
3.2 MasterCard Account Number ... 23
3.3 Maestro and Cirrus Account Numbers ... 24
3.4 Signature Panel ... 24
3.5 Magnetic Stripe or MasterCard HoloMag Encoding ... 25
3.5.1 Card Validation Code 1 (CVC 1) ... 25
3.5.2 Service Code ... 25
3.5.3 Cardholder Name ... 25
3.5.4 Expiration Date ... 26
3.6 Chip Cards ... 27
3.6.1 Chip Card Applications ... 28
3.6.1.1 Compliance Assessment and Security Testing ... 29
3.6.1.2 Integrated Circuit Chip Providers ... 29
3.6.2 Multiple Application Chip Cards ... 29
3.6.3 Use of M/Chip Card Application Specifications ... 29
3.7 Contactless Cards and Payment Devices ... 30
3.8 Mobile Payment Devices ... 30
3.9 Consumer Device Cardholder Verification Methods ... 31
3.9.1 MasterCard Qualification of Consumer Device CVMs ... 32
3.9.2 CDCVM Functionality ... 32
3.9.3 Persistent Authentication ... 33
3.9.4 Prolonged Authentication ... 33
3.9.5 Maintaining MasterCard-qualified CVM Status ... 34
3.9.6 Issuer Responsibilities ... 34
3.9.7 Use of a Vendor ... 34
3.10 Card Validation Code (CVC) ... 34
3.10.1 Issuer Requirements for CVC 1 ... 35
3.10.2 Issuer Requirements for CVC 2 ... 36
3.10.3 Issuer Requirements for CVC 3 ... 36
3.10.4 Acquirer Requirements for CVC 2 ... 36
3.10.5 CVC Calculation Methods ... 37
3.11 Service Codes ... 38
3.11.1 Issuer Information ... 39
3.11.2 Acquirer Information ... 39
3.11.3 Valid Service Codes ... 40
3.11.4 Additional Service Code Information ... 41

3.1 Principles of Standardization

All Cards must be usable in all standard magnetic stripe Card-reading devices, and if a chip is present, in all hybrid terminals and devices, so that the electronic interchange of Transaction data is possible.

All embossed Cards must be usable in all standard imprinters—the embossed information must produce a clear imprint and comply with all positioning and type font Standards.

All Cards containing a chip must be EMV-compliant. Such Cards are called Chip Cards. All Chip Cards must have a single primary application defined by MasterCard that resides on the chip and on the magnetic stripe; the Account information appearing on the Card front must be for the primary application resident on the magnetic stripe. No Payment Application resident on the chip of a Card issued in the Asia/Pacific Region, Middle East/Africa Region, or United States Region may have a higher application priority than the Card’s primary application.

All Payment Applications on a Chip Card must have a valid date (if applicable) and expiration date within or the same as the dates present on the Card front. The valid dates appearing on the Card front must be those of the primary application on the Card.

NOTE: A Hybrid Point-of-Sale (POS) Terminal can read both magnetic-stripe and chip Transactions and must be EMV-compliant, as set forth in section 4.8 of this manual.

NOTE: In 1996, Europay (now a wholly owned subsidiary of MasterCard and renamed MasterCard Europe SA), MasterCard, and Visa developed Standards for integrated circuit Cards (ICCs), terminals, and applications. EMVCo, LLC, established in 1999, is the organization that oversees and maintains the EMV specifications.

All Issuers must comply with the Card Design Standards, available on MasterCard Connect™, including but not limited to requirements relating to the following:

• Physical Card materials, dimensions, and measurements for the Card's embossing, magnetic stripe, chip, Marks, and other Card features
• Card design
• Use of Card activation and selective authorization disclosure stickers.

    3.2 MasterCard Account Number

The primary account number (PAN) of a MasterCard Account identifies the Issuer’s bank identification number (BIN), Issuer-assigned portion of the account number, and check digit, as shown in Table 3.1. A MasterCard Account PAN begins with a BIN in the range of 222100 to 272099 or 510000 to 559999. A MasterCard Account must use a MasterCard-assigned BIN.


Table 3.1—MasterCard Account Number Sample Configuration

MasterCard Account number = 5412 75XX XXXX 9999

Configuration is as follows:

5412 75        Issuer BIN assigned by MasterCard
XX XXXX 999    Issuer-assigned portion of the Account number
9              Check digit

The check digit is calculated using the Luhn Formula for Computing Modulus 10 (“Double-Add-Double”) Check Digit.

    3.3 Maestro and Cirrus Account Numbers

The PAN of a Maestro Account or Cirrus Account must be no less than 12 numeric digits and no more than 19 numeric digits in length. The PAN includes the Issuer identification number (IIN, or BIN), the Issuer-assigned portion of the individual Account number, and a check digit calculated using the Luhn Formula for Computing Modulus 10 (“Double-Add-Double”) Check Digit.

A Customer may request MasterCard to assign a BIN for Maestro and Cirrus Cards. MasterCard does not allow a Maestro program to be added to a BIN that was not assigned by MasterCard or that cannot be verified as having been assigned to the Issuer under ISO 7812. In the event of any dispute relating to ISO BIN assignments, it is the Issuer’s responsibility to resolve that conflict with ISO.
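A worked check of the PAN layout in sections 3.2 and 3.3, as an added example (this is not code from the manual): it computes the Luhn modulus 10 check digit the way Table 3.1 describes, verifies an existing PAN, and checks the MasterCard BIN ranges and the 12 to 19 digit Maestro/Cirrus length. The sample PANs are constructed test values, and the 16-digit MasterCard length check follows the sample layout in Table 3.1 rather than a rule the manual states.

```python
"""Luhn (modulus 10, "double-add-double") check digit and the PAN structure
rules of sections 3.2 and 3.3.  Added example; the PANs used below are
constructed test values, not real account numbers."""
from typing import List

# MasterCard Account BIN ranges stated in section 3.2.
MASTERCARD_BIN_RANGES = ((222100, 272099), (510000, 559999))


def luhn_check_digit(body: str) -> str:
    """Return the check digit for `body`, the PAN with its last digit removed.

    Walking the body from the right, every other digit starting with the
    rightmost is doubled, and a doubled value above 9 has 9 subtracted (the
    same as adding its two digits).  The check digit is whatever brings the
    total up to a multiple of 10.
    """
    if not body.isdigit():
        raise ValueError("PAN body must be numeric")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:           # positions 1, 3, 5 ... from the right are doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True if the last digit of `pan` is the Luhn check digit of the rest."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def in_mastercard_bin_range(pan: str) -> bool:
    """True if the leading six digits fall in a MasterCard Account BIN range."""
    if len(pan) < 6 or not pan[:6].isdigit():
        return False
    bin6 = int(pan[:6])
    return any(lo <= bin6 <= hi for lo, hi in MASTERCARD_BIN_RANGES)


def pan_violations(pan: str, product: str) -> List[str]:
    """List the rules `pan` breaks for `product` ("mastercard", "maestro" or
    "cirrus"); an empty list means every check here passed.

    The BIN ranges and the 12 to 19 digit Maestro/Cirrus length come from
    sections 3.2 and 3.3.  The 16-digit MasterCard length follows the sample
    layout in Table 3.1 and is an assumption of this example.
    """
    if not pan.isdigit():
        return ["PAN must contain only digits"]
    problems = []
    if product == "mastercard":
        if len(pan) != 16:
            problems.append(f"length {len(pan)} is not 16")
        if not in_mastercard_bin_range(pan):
            problems.append(f"BIN {pan[:6]} is not in a MasterCard BIN range")
    elif product in ("maestro", "cirrus"):
        if not 12 <= len(pan) <= 19:
            problems.append(f"length {len(pan)} is not between 12 and 19")
    else:
        raise ValueError(f"unknown product {product!r}")
    if not luhn_valid(pan):
        problems.append("last digit is not the Luhn check digit")
    return problems


if __name__ == "__main__":
    # Constructed PAN laid out like Table 3.1: BIN 541275, body 000005999, check digit 9.
    sample = "5412750000059999"
    print(sample, luhn_check_digit(sample[:-1]), pan_violations(sample, "mastercard"))
```

A Luhn failure catches transcription errors, not fraud: anyone who knows a BIN can generate PANs with valid check digits, so this check belongs in input validation and never stands in for authorization or BIN ownership verification.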

    3.4 Signature Panel

Upon issuance or reissuance, an Issuer must include written notice to all Cardholders to sign all Cards immediately when received and before initial use. Only the authorized Cardholder (the person whose name appears on the Card front) may sign the Card back. The name signed by the authorized Cardholder must match the name that appears on the Card front, regardless of the language used by the Cardholder to sign his or her name. The Issuer must state this as a condition of Card use. (The vehicle-assigned MasterCard Corporate Fleet Card is exempt from this requirement.)


3.5 Magnetic Stripe or MasterCard HoloMag Encoding

The specifications for the physical and magnetic characteristics of the magnetic stripe on Cards must comply with ISO 7813 Credit Cards—Magnetic Stripe Encoding for Tracks 1 and 2. Production of Card plastics with low coercivity magnetic tape is prohibited. Alternatively, the Issuer may use MasterCard HoloMag™ in place of the magnetic stripe.

The Issuer of a MasterCard Card must ensure that the encoded magnetic stripe contains Track 1 and Track 2 data, and also includes the information specified in this chapter.

For a Maestro Card or Cirrus Card, only the encoding of Track 2 data is required; the encoding of Track 1 data is optional. If Track 3 is encoded, the encoding must comply with ISO 4909 Bank Cards—Magnetic Stripe Content for Track 3.

An Acquirer must transmit the full unedited magnetic stripe data with each magnetic stripe-based electronically authorized Transaction.

NOTE: The transmission of the entire contents of Track 1 or Track 2 data must be unaltered and unedited, and cannot be truncated.

3.5.1 Card Validation Code 1 (CVC 1)

Track 1 and Track 2 of the magnetic stripe must be encoded with a CVC 1 value. Refer to section 3.10.5 of this manual for Card validation code requirements, calculation methods, and verification data.

3.5.2 Service Code

Track 1 and Track 2 of the magnetic stripe must contain an encoded three-digit service code value. Refer to section 3.11 of this manual for service code usage requirements.

3.5.3 Cardholder Name

NOTE: The Cardholder’s name must be present in the Account Information Area and encoded on the magnetic stripe.

The encoded Cardholder Name field in Track 1 is a variable length, alphanumeric field, with a maximum length of 26 characters within (up to) three subfields. Due to the variable length of the field, the starting position of each remaining field depends on the ending position of the Cardholder name. The Cardholder Name and Content Format table shown in Appendix A defines the specifications for encoding the Cardholder name on the magnetic stripe.

NOTE: Characters “%”, “^”, and “?” cannot be used in the Cardholder Name field, because they are used only for specified encoding purposes.

Use the following specifications to encode the Cardholder name on the magnetic stripe of all Cards:

Card and Access Device Design Standards, 3.5 Magnetic Stripe or MasterCard HoloMag Encoding

©1991–2016 MasterCard. Proprietary. All rights reserved. Security Rules and Procedures • 31 March 2016, page 25

• If the Card is a MasterCard Corporate Card product, the Cardholder name encoded on Track 1 and the name present in the Account Information Area should be the same, although the formats are different.

    For example:

    BROWN/ROBERT S

    • Issuers engaged in the instant issuance and/or instant personalization of Cards under the MasterCard Unembossed or MasterCard Electronic Programs or the issuance of non-personalized prepaid Cards must ensure that when a Program name appears on the Card front in place of the Cardholder name, the same Program name is also encoded in the Cardholder Name field in Track 1.

    • The magnetic stripe may encode a Cardholder’s title, such as Dr., Sir, or Mrs. A separatorperiod (.) must precede the title.

    For example:

    BROWN/ROBERT S.DR

    • If two Cardholder names are present in the Account Information Area on the same Card,encode in any of the following four formats:

    BROWN/ROBERT S or

    BROWN/AGNES T or

    BROWN/ROBERT AGNES or

BROWN/ROBERT S.MR MRS

    • If a Card has a company name present in the Account Information Area, in addition to a Cardholder name, encode the Cardholder name.

    For example:

    Present in the Account Information Area: ROBERT S. BROWN

    ALPHA COMPANY

    Encoded on the magnetic stripe: BROWN/ROBERT S

    NOTE:

    The subfields surname, initials or first name, and title may contain spaces. For example:

    Present in the Account Information Area: RT REV ROBERT J SMITH

    Encoded on the magnetic stripe: SMITH/ROBERT J.RT REV

    3.5.4 Expiration Date

    The following requirements apply for the encoded expiration date:


• The Card-read stripe must include the encoded Account's expiration date. Acceptable expiration date values are the following:

    Year 00–99

    Month 01–12

    • The format for the encoded expiration date is YYMM to comply with ISO specifications.

    • The encoded expiration date on Track 1 must be the same as the expiration date encoded on Track 2 and present in the Account Information Area.

    • Do not encode the start date for dual dating, except as part of the Discretionary Data field on Track 1 and Track 2 of the magnetic stripe.

A Maestro or Cirrus Card must not have a validity period of more than 20 years from the date of issuance; for a non-expiring Maestro or Cirrus Card, the designated default expiration date value of 4912 (December 2049) must be encoded. For a Maestro or Cirrus Card issued in the Europe Region and using the Europay Security Platform (ESP) PIN Verification Value (PVV), the maximum validity period is the current year plus four (effectively a five-year validity period).

    The expiration date of a Chip Card must not exceed the expiration date of any of thecertificates contained within the chip. In the case of a non-expiring Chip Card:

    1. The settings within the chip must force every Transaction online for authorization ordecline the Transaction if online authorization is not possible;

    2. The Chip Card must not contain an offline Card Authentication Method (CAM) certificate;and

    3. The Issuer must utilize full EMV processing.
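The Track 1 and Track 2 layouts behind sections 3.5.3 and 3.5.4, and the rule that an Acquirer forwards track data unedited and untruncated, can be checked mechanically at an Acquirer or Issuer host. The following Go program is an added example written for this page; it is not MasterCard code and is not part of this manual. It parses ISO 7813 format-B Track 1 and Track 2 images, applies the Cardholder Name rules (2 to 26 characters, none of %, ^ or ?, SURNAME/FIRST NAME.TITLE layout), the YYMM expiration rule with month 01 to 12, and cross-checks PAN, expiration date and service code between the two tracks. The function names, the sample track strings and the discretionary-data digits are constructed for the example; the sentinels and separators (%B, ^, ?, ;, =) are the ISO 7813 ones.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample track images (not real card data). On a real Card the
// discretionary data carries the PVV and CVC 1; here it is an arbitrary digit string.
const (
	SampleTrack1 = "%B5555555555554444^BROWN/ROBERT S.DR^25121011234567890?"
	SampleTrack2 = ";5555555555554444=25121011234567890?"
)

// Track holds the fields of a track image; Name is only present on Track 1.
type Track struct {
	PAN, Name, Expiry, ServiceCode, Discretionary string
}

func allDigits(s string) bool {
	for _, r := range s {
		if r < '0' || r > '9' {
			return false
		}
	}
	return s != ""
}

// splitTail splits "<YYMM><service code><discretionary data>" into its parts.
func splitTail(tail string) (expiry, sc, disc string, err error) {
	if len(tail) < 7 {
		return "", "", "", errors.New("expiration date or service code missing")
	}
	return tail[:4], tail[4:7], tail[7:], nil
}

// ParseTrack1 parses an ISO 7813 format-B Track 1 image (max 79 characters):
// %B<PAN>^<Cardholder Name>^<YYMM><service code><discretionary data>?
// A missing end sentinel is how a truncated image shows up, so it is an error.
func ParseTrack1(t string) (Track, error) {
	if len(t) > 79 || !strings.HasPrefix(t, "%B") || !strings.HasSuffix(t, "?") {
		return Track{}, errors.New("track 1: bad length or missing %B / ? sentinels (truncated?)")
	}
	f := strings.Split(t[2:len(t)-1], "^")
	if len(f) != 3 {
		return Track{}, errors.New("track 1: expected exactly two ^ separators")
	}
	exp, sc, disc, err := splitTail(f[2])
	if err != nil {
		return Track{}, fmt.Errorf("track 1: %w", err)
	}
	return Track{PAN: f[0], Name: f[1], Expiry: exp, ServiceCode: sc, Discretionary: disc}, nil
}

// ParseTrack2 parses an ISO 7813 Track 2 image (max 40 characters):
// ;<PAN>=<YYMM><service code><discretionary data>?
func ParseTrack2(t string) (Track, error) {
	if len(t) > 40 || !strings.HasPrefix(t, ";") || !strings.HasSuffix(t, "?") {
		return Track{}, errors.New("track 2: bad length or missing ; / ? sentinels (truncated?)")
	}
	f := strings.Split(t[1:len(t)-1], "=")
	if len(f) != 2 {
		return Track{}, errors.New("track 2: expected exactly one = separator")
	}
	exp, sc, disc, err := splitTail(f[1])
	if err != nil {
		return Track{}, fmt.Errorf("track 2: %w", err)
	}
	return Track{PAN: f[0], Expiry: exp, ServiceCode: sc, Discretionary: disc}, nil
}

// ValidateName applies the section 3.5.3 rules: 2 to 26 characters, none of
// the reserved characters % ^ ?, and a / between surname and first name.
func ValidateName(name string) error {
	if len(name) < 2 || len(name) > 26 {
		return errors.New("name must be 2 to 26 characters")
	}
	if strings.ContainsAny(name, "%^?") {
		return errors.New("name contains a reserved sentinel or separator character")
	}
	if !strings.Contains(name, "/") {
		return errors.New("name lacks the / separator between surname and first name")
	}
	return nil
}

// ValidateExpiry checks the YYMM layout with month 01-12 (4912 is the
// non-expiring default and passes like any other December date).
func ValidateExpiry(e string) error {
	if len(e) != 4 || !allDigits(e) {
		return errors.New("expiration date must be four digits YYMM")
	}
	if m, _ := strconv.Atoi(e[2:]); m < 1 || m > 12 {
		return errors.New("expiration month must be 01-12")
	}
	return nil
}

// CheckTracks returns the rule violations found in a Track 1 / Track 2 pair.
func CheckTracks(t1, t2 Track) []string {
	var findings []string
	if !allDigits(t1.PAN) || len(t1.PAN) > 19 || t1.PAN != t2.PAN {
		findings = append(findings, "PAN missing, non-numeric, too long, or differs between tracks")
	}
	if err := ValidateName(t1.Name); err != nil {
		findings = append(findings, "Track 1 name: "+err.Error())
	}
	for _, e := range []string{t1.Expiry, t2.Expiry} {
		if err := ValidateExpiry(e); err != nil {
			findings = append(findings, err.Error())
		}
	}
	if t1.Expiry != t2.Expiry {
		findings = append(findings, "expiration date differs between Track 1 and Track 2")
	}
	if len(t1.ServiceCode) != 3 || !allDigits(t1.ServiceCode) || t1.ServiceCode != t2.ServiceCode {
		findings = append(findings, "service code missing, non-numeric, or differs between tracks")
	}
	return findings
}

func main() {
	t1, err1 := ParseTrack1(SampleTrack1)
	t2, err2 := ParseTrack2(SampleTrack2)
	if err1 != nil || err2 != nil {
		fmt.Println("parse error:", err1, err2)
		return
	}
	fmt.Printf("PAN %s expiry %s service code %s name %q\n", t1.PAN, t1.Expiry, t1.ServiceCode, t1.Name)
	fmt.Println("findings:", CheckTracks(t1, t2))
}
```

The CVC 1 inside the discretionary data is deliberately not checked here: it is verified by the Issuer under section 3.10.5 with keys an Acquirer does not hold, which is exactly why the Acquirer must forward the discretionary data unaltered rather than "cleaning" it.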

    3.6 Chip Cards

    Chip Cards, also known as integrated circuit or smart Cards, are credit or debit Cardscontaining computer chips with memory and interactive capabilities and can be used toidentify and store additional data about the Cardholder, Cardholder account, or both. ChipCards may have contact functionality or both contact and contactless functionality.

    Issuers of Chip Cards must comply with all applicable Standards, including but not limited tothe Standards set forth in the M/Chip Requirements manual and other M/Chipdocumentation, and with the EMV specifications.

    The Issuer of a Chip Card must implement M/Chip as the EMV payment application on theCard, in accordance with a current M/Chip Card application specification.

    A contact Chip Card may be issued or re-issued under an online-only Card Program (herein,an “online-only contact chip Card”). An online-only contact chip Card is configured to alwaysrequire a POS Terminal to obtain online authorization from the Issuer for a contact chipTransaction.

Effective as of the dates described below, the Issuer of a contact Chip Card must perform an online Card authentication method (online CAM) for each online-authorized contact Chip Transaction by validating the Authorization Request Cryptogram (ARQC) contained in the Authorization Request/0100 or Financial Transaction Request/0200 message and populating DE 55, including an Authorization Response Cryptogram (ARPC), in the Authorization Request Response/0110 or Financial Transaction Request Response/0210 message. Alternatively, if the Issuer's host system does not support ARQC validation, the Issuer must be enrolled in the MasterCard M/Chip Cryptogram Pre-Validation Service.

    • Any Issuer located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, orMiddle East/Africa Region that is not in compliance must establish a compliance action planby 1 January 2015.

    • All Issuers located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, orMiddle East/Africa Region must be in compliance by 17 April 2015.

    • All Issuers located in the United States Region must be in compliance by 1 October 2015.

    The following requirements apply to any Chip Card configured to support offlineauthorization.

For each Region, the first date is the date on or after which issued Chip Cards must support DDA and must not support SDA; the second date is the date on or after which issued Chip Cards must support CDA.

    • Asia/Pacific Region: DDA required and SDA not supported for Chip Cards issued on or after 16 October 2015; CDA required for Chip Cards issued on or after 1 January 2017.

    • Canada Region: DDA required and SDA not supported for Chip Cards issued on or after 16 October 2015; CDA required for Chip Cards issued on or after 1 January 2017.

    • Europe Region: DDA required and SDA not supported for Chip Cards issued on or after 1 January 2011; CDA required for Chip Cards issued on or after 1 January 2016.

    • Latin America and the Caribbean Region: DDA required and SDA not supported for Chip Cards issued on or after 16 October 2015; CDA required for Chip Cards issued on or after 16 October 2015.

    • Middle East/Africa Region: DDA required and SDA not supported for Chip Cards issued on or after 16 October 2015; CDA required for Chip Cards issued on or after 1 January 2017.

    • United States Region: DDA required and SDA not supported for all Chip Cards; CDA required for Chip Cards issued on or after 1 January 2017.

    The following requirements apply in all Regions:

    • Chip Cards supporting SDA as an offline CAM must expire or be replaced as of 1 January2020; and

    • Chip Cards supporting DDA as the only offline CAM must expire or be replaced as of 1January 2022.

    NOTE: Issuers must define their priority of PIN verification methods within the chip. OfflinePIN verification is recommended as the first priority.

    3.6.1 Chip Card Applications

    All Payment Applications must be type-approved by MasterCard, prior to Chip Cardproduction. Furthermore, the composition of the chip, operating system (if present), and theEMV application must have successfully passed a Compliance Assessment and Security Testing(CAST) security evaluation.


Issuers must define within the chip the preferred verification method for Point-of-Interaction (POI) Transactions. A non-Customer that personalizes Payment Applications acts on behalf of the Card Issuer and must conform to MasterCard security Standards.

    Issuers using M/Chip 4 should refer to the M/Chip Personalization Data Specifications andProfiles and the M/Chip 4 Version 1.1 Issuer Guide to Debit and Credit ParameterManagement for more information.

    Issuers using M/Chip Advance should refer to the M/Chip Advance Personalization DataSpecifications and the M/Chip Advance—Issuer Guide for more information.

    3.6.1.1 Compliance Assessment and Security Testing

    MasterCard has established the CAST process to assist its Issuers in promoting the continuousimprovement of security Standards for the implementation of all Chip Cards by MasterCard.Issuers may only issue Chip Cards that have been certified under the CAST process and appearon the CAST Approved Products list (Chip Cards that have undergone a successful evaluationagainst the CAST Security Guidelines using a recognized evaluation laboratory). Cards willtypically remain on the CAST Approved Products list for three years from the evaluation date.

    Prior to Chip Card production, purchase, and distribution, Issuers must confirm with theirvendor(s) that the Chip Card will be on the CAST Approved Products list over the intendedperiod of issuance and adjust their procurement quantities accordingly.

    For information regarding CAST, refer to the Compliance Assessment and Security TestingProgram manual or contact the Chip Help Desk at [email protected].

    3.6.1.2 Integrated Circuit Chip Providers

    An Issuer must obtain all EMV chips for embedding on a Card from an EMV chipmanufacturer that has been approved in advance by MasterCard.

MasterCard publishes a list of approved EMV chip manufacturers periodically in a Global Security Bulletin. For more information, contact the Chip Help Desk at [email protected].

    3.6.2 Multiple Application Chip Cards

    Any Card Program may reside on a chip, and any combination of Card Programs may residetogether on a single Chip Card. All credit, debit, charge, and stored-value applications residingon a single Chip Card must be offered by, and are the responsibility of the Card Issuer.

    Additionally, all other applications stored on a Chip Card by any Issuer, or any other party atan Issuer’s request, must conform to all relevant technical specifications of MasterCard or itsagent.

    3.6.3 Use of M/Chip Card Application Specifications

    Chip Card products that incorporate any implementation of the MasterCard M/Chip Cardapplication specifications may only be used on MasterCard, Maestro, and Cirrus Cards andAccess Devices, unless otherwise agreed in writing by MasterCard.


The M/Chip Card application specifications are available on MasterCard Connect™ in the Chip Information Center.

    3.7 Contactless Cards and Payment Devices

    MasterCard prohibits the encoding of the Cardholder name in the contactless chip of acontactless-enabled Card ("Contactless Card") or Contactless Payment Device that allowssuch information to be transmitted via the radio frequency (RF) contactless interface. Thisrestriction applies to all newly issued and re-issued contactless-enabled Cards and ContactlessPayment Devices.

    Effective as of the dates described below, the Issuer of a Contactless Card or ContactlessPayment Device must perform an online CAM for each online-authorized EMV ModeContactless Transaction by validating the Authorization Request Cryptogram (ARQC)contained in the Authorization Request/0100 or Financial Transaction Request/0200 message.Alternatively, if the Issuer's host system does not support ARQC validation, the Issuer must beenrolled in the MasterCard M/Chip Cryptogram Pre-Validation Service.

    • Any Issuer located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, orMiddle East/Africa Region that is not in compliance must establish a compliance action planby 1 January 2015.

    • All Issuers located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, orMiddle East/Africa Region must be in compliance by 17 April 2015.

    • All Issuers located in the United States Region must be in compliance by 1 October 2015.

    A Contactless Card or Contactless Payment Device with M/Chip functionality that is issued orre-issued in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or MiddleEast/Africa Region:

    • Must support CDA as the offline CAM, unless it supports online-only authorization ofContactless Transactions; and

    • Must not support SDA as the offline CAM.

    A Contactless Card or Contactless Payment Device with M/Chip functionality that is issued orre-issued in the United States Region:

    • Must be configured to support both online and offline authorization of ContactlessTransactions; and

    • Must support CDA as the offline CAM and must not support SDA.

    Refer to the M/Chip Requirements for additional details.
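The online CAM that sections 3.6 and 3.7 require is, at the Issuer host, a MAC verification followed by a MAC-based reply. The following Go program is an added example for this page, not MasterCard, M/Chip or EMVCo code: it derives the card's session key with the EMV Common Session Key method (EMV Book 2, Annex A1.3), recomputes the ARQC as an ISO/IEC 9797-1 algorithm 3 MAC with padding method 2 over the transaction data carried in DE 55 (EMV Book 2, Annex A1.2), compares it in constant time, and builds the ARPC with ARPC Method 1 (EMV Book 2, section 8.2.1) for the 0110/0210 response. The master key, the ATC and the transaction data bytes are constructed, the field layout of the MACed data is assumed, and the function names are hypothetical. Which session key derivation, cryptogram version and ARPC method a given Card uses is fixed by its M/Chip profile (the Cryptogram Version Number in the issuer application data), and in production the master key never leaves the HSM; this is a model of the check, not a drop-in host component.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Constructed test values; not real keys or card data.
const (
	// 16-byte application cryptogram master key of one card. In production it is
	// derived from the issuer master key and the PAN inside the HSM.
	SampleMasterKeyHex = "0123456789ABCDEFFEDCBA9876543210"
	// Data the card MACed: CDOL1 fields followed by AIP, ATC and issuer application
	// data. The exact list depends on the M/Chip profile; this layout is assumed.
	SampleCDOLDataHex = "000000001000" + // amount authorised
		"000000000000" + // amount other
		"0840" + "0000000000" + "0840" + "160315" + "00" + // country, TVR, currency, date, type
		"1A2B3C4D" + "1C00" + "002A" + // unpredictable number, AIP, ATC
		"0110A00003220000" // issuer application data (CVR portion), constructed
)

// tdes2 encrypts one block with two-key triple DES (EDE) under a 16-byte key.
func tdes2(key16, in []byte) []byte {
	k := append(append(append([]byte{}, key16[:8]...), key16[8:]...), key16[:8]...)
	c, err := des.NewTripleDESCipher(k)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out
}

// DeriveSessionKey implements the EMV Common Session Key method (EMV Book 2,
// Annex A1.3): SK = 3DES(MK)[ATC||F0||00..] || 3DES(MK)[ATC||0F||00..].
func DeriveSessionKey(mk, atc []byte) []byte {
	l := []byte{atc[0], atc[1], 0xF0, 0, 0, 0, 0, 0}
	r := []byte{atc[0], atc[1], 0x0F, 0, 0, 0, 0, 0}
	return append(tdes2(mk, l), tdes2(mk, r)...)
}

// retailMAC is ISO/IEC 9797-1 MAC algorithm 3 with padding method 2, the MAC
// EMV uses for application cryptograms (EMV Book 2, Annex A1.2).
func retailMAC(sk, data []byte) []byte {
	padded := append(append([]byte{}, data...), 0x80) // 0x80 is always appended ...
	for len(padded)%8 != 0 {                          // ... then zeros to a block boundary
		padded = append(padded, 0x00)
	}
	k1, _ := des.NewCipher(sk[:8])
	k2, _ := des.NewCipher(sk[8:16])
	h, x := make([]byte, 8), make([]byte, 8)
	for i := 0; i < len(padded); i += 8 { // single-DES CBC chain under K1
		for j := range x {
			x[j] = h[j] ^ padded[i+j]
		}
		k1.Encrypt(h, x)
	}
	k2.Decrypt(x, h) // final transformation: decrypt under K2, re-encrypt under K1
	k1.Encrypt(h, x)
	return h
}

// GenerateARQC is what the card does; the issuer recomputes it to verify.
func GenerateARQC(sk, data []byte) []byte { return retailMAC(sk, data) }

// VerifyARQC is the online CAM check: recompute the cryptogram from the received
// transaction data and compare it in constant time with DE 55 tag 9F26.
func VerifyARQC(sk, data, arqc []byte) bool {
	return len(arqc) == 8 && subtle.ConstantTimeCompare(retailMAC(sk, data), arqc) == 1
}

// GenerateARPC uses ARPC Method 1 (EMV Book 2, 8.2.1): 3DES(SK)[ARQC XOR (ARC||00..)].
// The card verifies it, which is what proves the response came from the issuer.
func GenerateARPC(sk, arqc []byte, arc [2]byte) []byte {
	y := make([]byte, 8)
	copy(y, arqc)
	y[0] ^= arc[0]
	y[1] ^= arc[1]
	return tdes2(sk, y)
}

func main() {
	mk, _ := hex.DecodeString(SampleMasterKeyHex)
	data, _ := hex.DecodeString(SampleCDOLDataHex)
	atc := []byte{0x00, 0x2A}       // DE 55 tag 9F36 from the 0100/0200 message
	sk := DeriveSessionKey(mk, atc) // per-transaction key; the ATC is what stops replay
	arqc := GenerateARQC(sk, data)  // stands in for the ARQC received from the card
	fmt.Println("ARQC valid:", VerifyARQC(sk, data, arqc))
	arpc := GenerateARPC(sk, arqc, [2]byte{0x30, 0x30}) // ARC "00" (approved), returned in DE 55 tag 91
	fmt.Println("ARPC:", hex.EncodeToString(arpc))
}
```

Three negative cases a host must get right: a bit flipped in the amount, the same cryptogram presented again under the next ATC, and a short or absent cryptogram. Each must fail before any ARPC is produced, because an ARPC returned for an unverified ARQC tells the card that the Issuer approved a transaction it never actually authenticated.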

    3.8 Mobile Payment Devices

There is no limitation on the type of account that may co-reside on the same Mobile Payment Device user interface, so long as such accounts are not linked, but rather exist independently and are accessed by a separate and distinct Payment Application hosted on the same or different user interfaces.

    Mobile Payment Devices may support MasterCard contactless payment and/or Digital SecureRemote Payment (DSRP) functionality. If an Issuer chooses to add this functionality to a SecureElement (SE)-based Mobile Payment Device, the application software, personalization data,and all other aspects of the functionality must comply with the requirements set forth in theStandards, including but not limited to the following as may be published by MasterCard fromtime to time:

• Mobile MasterCard PayPass User Interface Application Requirements,

    • M/Chip Mobile Issuer Implementation Guide v1.1,

    • the contactless branding Standards, and

    • any other applicable technical specifications.

    For Mobile Payment Devices supporting MasterCard contactless payment or DSRP functionalitythat do not use an SE, Issuers should refer to the MasterCard Cloud-Based Payment (MCBP)documentation.

    Issuers should also refer to the mobile payment security guidelines set forth in the SecurityGuidelines for Mobile Payment Solutions.

    The SE must be CAST-approved and have received a mobile payment certificate number(MPCN). Issuers may choose a CAST-approved SE (with corresponding MPCN) from the listpublished on MasterCard Connect. The Mobile Payment Device itself does not undergo aCAST approval. Prior to issuance of the SE-based Mobile Payment Device, the PaymentApplication must also pass the functional and security testing program, for which a letter ofapproval will be issued by MasterCard.

    For information regarding CAST, refer to the Compliance Assessment and Security TestingProgram manual. For information regarding a letter of approval, refer to the M/Chip MobileIssuer Implementation Guide v1.1.

    3.9 Consumer Device Cardholder Verification Methods

    Consumer authentication technologies used on consumer devices, such as personalcomputers, tablets, mobile phones, and watches, are designed to verify a person as anauthorized device user based on one or more of the following:

    • “Something I know”—Information selected by and intended to be known only to thatperson, such as a passcode or pattern

    • “Something I am”—A physical feature that can be translated into biometric informationfor the purpose of uniquely identifying a person, such as a face, fingerprint, or heartbeat

    • “Something I have”—Information intended to uniquely identify a particular consumerdevice

    Any such consumer authentication technology must be approved by MasterCard as a“MasterCard-qualified CVM” before it may be used as a Consumer Device CardholderVerification Method (CDCVM) to process a Transaction.


3.9.1 MasterCard Qualification of Consumer Device CVMs

    Before a Customer (such as an Issuer or Wallet Token Requestor) may use, as a CDCVM, aconsumer authentication technology in connection with the payment functionality of aparticular Access Device type (of a specific manufacturer and model), the technology must besubmitted to MasterCard by the Customer for certification and testing.

    Certification and testing of a proposed CDCVM is performed by or on behalf of MasterCard,in accordance with MasterCard requirements and at the expense of the Customer or thirdparty, as applicable. Certification requires both successful security and functional testing.

    Upon the completion of certification and testing, MasterCard, in its discretion, may approve aproposed consumer authentication technology as a “MasterCard-qualified CVM.” Summaryreport information about such certification and testing results and the successful completionof certification testing may be disclosed to Customers by MasterCard or a third party thatconducts certification and testing on MasterCard’s behalf. Any proposed update, change, ormodification of the consumer authentication technology that could impact the functionality orsecurity of the CDCVM must be submitted to MasterCard for certification and testing as anewly proposed consumer authentication technology. MasterCard reserves the right to changethe requirements for a MasterCard-qualified CVM at any time, and to establish new or changecertification and testing requirements.

    3.9.2 CDCVM Functionality

    MasterCard requires testing and certification of each of the following proposed CDCVMfunctionalities prior to use to effect a Transaction:

    1. Shared Authentication Functionality—The method used to verify the credentialsestablished by a person in connection with the use of the Access Device or a Digital Walleton the Access Device also is the method used as the default CDCVM for Transactionsinvolving Accounts accessed by means of the Access Device.

    2. CVM Result Based on Authentication and Explicit Consent—The PaymentApplication on the Access Device analyzes the combined result of authentication andconsent actions and sets the CDCVM results accordingly. Both Cardholder authenticationand explicit Cardholder consent must occur before the Payment Application will completea Transaction, as follows:

    a. Cardholder authentication—The Cardholder may be prompted by the Access Deviceto perform the CDCVM action at the time of the Transaction, or the CDCVM mayconsist of a persistent authentication or prolonged authentication in which theCDCVM action is initiated and may also be completed before the Transaction occurs,as described in sections 3.9.3 and 3.9.4.

    b. Explicit Cardholder consent—The Cardholder takes a specific Issuer-approved actionthat serves to confirm that the Cardholder intends a Transaction to be performed. Thismust consist of an action involving the Access Device that is separate from the act oftapping the Access Device to the Merchant’s POS Terminal; for example, the clicking ofa button.

3. Connected Consumer Devices—If two or more devices in the control of a Cardholder are able to be connected or linked to provide common payment functionality, so that each such device can be an Access Device for the same Account, then Cardholder consent must occur on the Access Device used to effect the Transaction.

    4. Device Integrity—Upon initiation and continuing throughout Cardholder authentication,the use of the CDCVM must depend on strong device integrity checks. Examples includedevice runtime integrity checks, remote device attestation, or a combination of both, andchecks to ensure that prolonged CVM velocity is intact; for example, the device lockfunctionality was not disabled.

    CDCVM functionality requirements apply only to the extent that a CVM is requested by theMerchant or Terminal or required by the Issuer for completion of a Transaction.

    3.9.3 Persistent Authentication

    Persistent authentication means that authentication of a person as a Cardholder occurscontinuously throughout the person’s operation of the Access Device, typically throughcontinual contact or biometric monitoring (for example, the monitoring of a heartbeat).

    MasterCard requires testing and certification of proposed CDCVM functionality for persistentauthentication with respect to the following:

    1. A MasterCard-qualified persistence check mechanism is used to detect a change in theperson using the device;

    2. The device on which authentication is initiated is able to detect without interruption thatthe authenticated person remains in close proximity to such device or to any connecteddevice with which it shares common payment functionality;

    3. The device has the capability to prompt for explicit Cardholder consent (for example, byrequiring the Cardholder to click a button or tap on the device) before a Transaction maybe effected; and

    4. The consumer authentication technology complies with MasterCard Standards.

    3.9.4 Prolonged Authentication

    Prolonged authentication occurs when a Cardholder authentication (for example, the entryand positive verification of a passcode) remains valid for a period of time (the “open period”)and, during that open period, no further authentication is requested or required in order forthe Cardholder to effect a Transaction.

    MasterCard requires testing and certification of proposed CDCVM functionality for prolongedauthentication with respect to the following:

    1. The Digital Wallet or Payment Application residing on the device is able to prompt for anew Cardholder authentication based on defined parameter limits;

    2. The device is able to prompt for an Issuer-approved form of explicit Cardholder consent(for example, by requiring the Cardholder to click a button or tap on the device) before aTransaction may be effected;

    3. The open period of a prolonged Cardholder authentication may be shared by connectedor linked consumer devices that are Access Devices for the same Account, provided theAccess Devices remain in proximity to one another; and

    4. The consumer authentication technology complies with MasterCard Standards.


3.9.5 Maintaining MasterCard-qualified CVM Status

    MasterCard may require additional testing of a MasterCard-qualified CDCVM as a conditionfor the CDCVM to remain a MasterCard-qualified CVM; such requirement may arise, by wayof example and not limitation, in the event of any operational, hardware, software, or othertechnological change that could directly or indirectly impact CDCVM security or otherfunctionality.

    MasterCard reserves the right to withdraw MasterCard-qualified CVM status with respect to aCDCVM at any time should MasterCard have reason to believe that the security of theCDCVM is insufficient. MasterCard will notify Customers should a MasterCard-qualified CVMstatus be withdrawn. Upon publication by MasterCard of such notice, a Customer mustimmediately cease offering or permitting the use of such consumer au