Card Risk Management
Presented by David Cole
Chip End-to-End process

[Diagram: the authorisation flow from card and terminal to the Issuer host, showing the steps Offline PIN validation, Cardholder verification method, Terminal risk management, Card risk management, iCVV checking, ATC checking, Online CAM, Online PIN and Script processing]

Chip issuer decisions

Magnetic stripe Issuer decisions
- At the POS: minimal
  - Card provides service code and account information. Terminal processes accordingly
- At Visa
  - Stand In Processing (STIP) decisions plus CVV checking
- At Issuer host
  - Authorisation decisions based on transaction processing (e.g. successful CVV) plus risk processing (e.g. available credit, account status, previous transactional data)

Chip Issuer decisions
- At the POS: substantially more than magnetic stripe
  - Card is interactive and contains card risk parameters
  - Card is able to make decisions at the POS based on the Issuer's choice
- At Visa
  - Additional chip Stand In Processing (STIP) decisions
- At Issuer host
  - New authorisation data available to the Issuer based on chip transaction processing
  - Ability to change the card's chip parameters and status

Chip card risk parameters
- Set at card level as part of personalisation
- Each parameter is set to one of:
  - Decline if triggered (Denial)
  - Go online if triggered (Online)
  - Decline or approve if unable to go online (Default)
- Called Issuer Action Codes (IACs)
- A combination of:
  - Transaction errors (e.g. PIN failed)
  - Domestic and international counters (e.g. offline spend)
  - Traditional triggers (e.g. floor limit exceeded)

Card action analysis
Terminal request to the card: can this transaction proceed?
- Record events so far: have any exceptions been triggered, such as PIN failed or counters exceeded?
- Record the 'position statement' in the Card Verification Results (CVR)
- Apply the actions provided by the Issuer (the Issuer Action Codes, IACs)
- Provide a response to the terminal (Online, Decline, Approve)

[Diagram: Card Action Analysis]
  Counter checks: Domestic LCOL, Int'l LCOL, Domestic currency offline spend, 2nd currency offline spend, PIN exceeded
  Previous transaction checks: Not completed, Issuer script failed, SDA failed, DDA failed, New Card
  Both sets of checks are recorded in the Card Verification Results (CVR) and feed the Decision

Terminal request and the responses the card may give (card risk management sits between the two):

Terminal requests   Card can respond with
Decline             Decline
Online              Decline, Online
Approve             Decline, Online, Approve

Card action analysis: Visa recommended IAC settings per condition (see the Visa Perso Templates)

IAC Denial  = decline offline
IAC Online  = go online
IAC Default = decline offline if unable to go online

Condition                                                       Denial  Online  Default
Offline Data Authentication Not performed                         0       1       1
Offline Static Data Authentication Failure                        0       1       1
Chip Data Missing                                                 0       0       0
Primary Account Number on terminal exception file                 0       1       1
Offline Dynamic Data Authentication Failure                       0       0       0
Combined DDA/AC Generation failure                                0       0       0
Chip and terminal are different versions                          0       0       0
Expired Application                                               0       1       1
Application not active (effective date check)                     0       1       0
Service not allowed for card product                              1       0       0
New Card                                                          0       1       0
Cardholder verification failed                                    0       1       1
CVM not recognized                                                0       0       0
PIN try limit exceeded                                            0       1       1
PIN entry required and PIN pad not working or not present         0       1       0
PIN entry required, PIN pad working but no PIN entered            0       1       1
Online PIN entered                                                0       1       1
Reserved for future use                                           00      00      00
Transaction exceeds floor limit                                   0       1       0
Lower offline limit exceeded                                      0       1       0
Upper offline limit exceeded                                      0       1       1
Transaction selected randomly for online transmission             0       1       0
Merchant forced transaction online                                0       1       1
Issuer Authentication Failed                                      0       0       0
Script processing failed prior to generating final cryptogram     0       0       0
Script processing failed after generating final cryptogram        0       0       0

Card action analysis
- Value of Total Consecutive Offline Spend Limit and what to do if unable to go online
- International offline counters
- Value of Lower Consecutive Offline Limit
- Value of Upper Consecutive Offline Limit
- Value of PIN try limit
- 2nd currency values

The card provides the terminal with one of the following:
- A decline message containing an end-of-transaction certificate for audit purposes, called an AAC (Application Authentication Cryptogram)
- An approval message containing an end-of-transaction certificate for audit purposes, called a TC (Transaction Certificate)
- An online request message containing an online cryptogram that can be validated by the Issuer, called an ARQC (Authorisation ReQuest Cryptogram)

Summary
- Traditionally, terminals execute risk management at the POS
- Now the card has a major impact in the POS decision process
- Cards need to be personalised with Issuer Action Codes (IACs)
- Card decisions should not be made in isolation from the host decisions, as they are linked
- The terminal will request a Decline, Go Online or Approve. The card:
  - Must agree with a decline request
  - Cannot overturn an online request with an approval
  - Can choose the outcome of a transaction if the terminal is happy to approve
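As an added worked example (not from the slides, and not Visa or EMVCo code), the following Python models the card action analysis the deck describes: the card records the triggered conditions as a bit set (the CVR 'position statement'), compares it with the three Issuer Action Codes from the parameter slide, and answers the terminal with an AAC, ARQC or TC following the rules in the summary. It also folds in the counter checks from the card action analysis diagram (new card, PIN tries, lower and upper consecutive offline limits) and the terminal's second request, which applies IAC Default when the terminal could not go online. The condition names and their Denial/Online/Default values are a subset of the table above; the bit layout, the `CardState` counters and the limit values (LCOL 3, UCOL 6, PIN try limit 3) are constructed for illustration and do not match the real TVR/CVR encodings.

```python
# Simplified model of card action analysis as described in the slides:
# conditions recorded during the transaction (the CVR) are compared with the
# Issuer Action Codes (IAC Denial / Online / Default) and combined with the
# terminal's request to give an AAC (decline), ARQC (go online) or TC (approve).
# Added example, not Visa or EMVCo code. Condition names and Denial/Online/
# Default values come from the slide table; bit layout and limits are constructed.
from dataclasses import dataclass

# One bit per condition (constructed layout; real TVR/CVR layouts differ).
CONDITIONS = [
    "Offline Data Authentication Not performed",
    "Offline Static Data Authentication Failure",
    "Service not allowed for card product",
    "New Card",
    "PIN try limit exceeded",
    "Transaction exceeds floor limit",
    "Lower offline limit exceeded",
    "Upper offline limit exceeded",
    "Merchant forced transaction online",
]
BIT = {name: 1 << i for i, name in enumerate(CONDITIONS)}

def mask(*names: str) -> int:
    """Bit mask with the given conditions set."""
    return sum(BIT[n] for n in names)

# Visa recommendations from the slide table: a 1 in the Denial, Online or
# Default column sets that condition's bit in the corresponding IAC.
IAC_DENIAL = mask("Service not allowed for card product")
IAC_ONLINE = mask(*[c for c in CONDITIONS
                    if c != "Service not allowed for card product"])
IAC_DEFAULT = mask(
    "Offline Data Authentication Not performed",
    "Offline Static Data Authentication Failure",
    "PIN try limit exceeded",
    "Upper offline limit exceeded",
    "Merchant forced transaction online",
)

@dataclass
class CardState:
    """Card risk parameters from personalisation plus running counters (constructed values)."""
    lcol: int = 3               # Lower Consecutive Offline Limit
    ucol: int = 6               # Upper Consecutive Offline Limit
    pin_try_limit: int = 3
    consecutive_offline: int = 0
    pin_tries_failed: int = 0
    new_card: bool = True       # cleared once an online authorisation completes

def record_events(card: CardState, terminal_conditions: int) -> int:
    """Build the CVR: exceptions reported by the terminal plus the card's own
    counter checks (New Card, PIN tries, lower/upper offline limits)."""
    cvr = terminal_conditions
    if card.new_card:
        cvr |= BIT["New Card"]
    if card.pin_tries_failed >= card.pin_try_limit:
        cvr |= BIT["PIN try limit exceeded"]
    if card.consecutive_offline >= card.lcol:
        cvr |= BIT["Lower offline limit exceeded"]
    if card.consecutive_offline >= card.ucol:
        cvr |= BIT["Upper offline limit exceeded"]
    return cvr

def first_generate_ac(cvr: int, terminal_request: str) -> str:
    """Card response to the terminal's first request ("AAC", "ARQC" or "TC").
    Summary rules: agree with a decline, never overturn an online request
    with an approval, choose freely when the terminal is happy to approve."""
    if terminal_request == "AAC" or cvr & IAC_DENIAL:
        return "AAC"
    if terminal_request == "ARQC" or cvr & IAC_ONLINE:
        return "ARQC"
    return "TC"

def second_generate_ac(cvr: int, terminal_request: str) -> str:
    """Response when the terminal could not go online: IAC Default decides
    between an offline decline and an offline approval."""
    if terminal_request == "AAC" or cvr & IAC_DEFAULT:
        return "AAC"
    return "TC"

def run_transaction(card: CardState, terminal_conditions: int,
                    terminal_request: str, online_available: bool) -> str:
    """Drive one transaction, update the card's counters and return the
    final cryptogram type handed to the terminal."""
    cvr = record_events(card, terminal_conditions)
    result = first_generate_ac(cvr, terminal_request)
    if result == "ARQC":
        if online_available:
            # The Issuer host saw the transaction: counters reset, card no longer new.
            card.consecutive_offline = 0
            card.new_card = False
            return "ARQC"
        # Terminal could not reach the Issuer and asks for a TC by default.
        result = second_generate_ac(cvr, "TC")
    if result == "TC":
        card.consecutive_offline += 1
    return result
```

Running `run_transaction(CardState(), 0, "TC", True)` returns "ARQC" because the New Card bit is set in IAC Online; the same card with the Issuer unreachable returns "TC", since New Card is 0 in IAC Default, whereas a card that has passed its upper offline limit is declined offline. One caveat on the framing: in the EMV specifications the IAC/TAC comparison against the TVR is carried out by the terminal during terminal action analysis, and the card's own decision uses its CVR and card-side parameters; this model follows the slides in placing the whole decision in the card.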

Let's assume an online request and see what risk tools are available when we go online.

Importance of Issuer Action Codes (IACs)
- The Issuer Action Codes are a list of up to 37 conditions; if any of them occurs, the card decides what it will do:
  - Authorise offline
  - Go online
  - Decline
- An example: is this the first transaction on a new card? If so, go online, and if you can't go online, decline