1. No category

D-PAS US Chip Terminal Guide

D-PAS U.S. Chip
Terminal Guide
Version 1.0 / January 2016
© 2016 DFS Services LLC | Confidential and Proprietary
Disclaimer
This D-PAS: U.S. Chip Contact Terminal Guide (this “Guide”) provides guidelines to assist Merchants and Value Added
Resellers (VARs), including, but not limited to, Independent Software Vendors (ISVs) and Payment Gateways, in
meeting chip card point-of-sale (POS) terminal requirements that are specific to the U.S. market when accepting
Discover Network and its partners’ chip card products. This guide is subject to change by Discover at any time without
notice to any party. Neither this Guide nor any other document or communication creates any binding obligations upon
Discover or any third party regarding testing services or Discover approval, which obligations will exist, if at all, pursuant
to separate written agreements executed by Discover and such third parties.
This Guide is provided “AS IS”, “WHERE IS” and “WITH ALL FAULTS”. Neither Discover, nor Diners Club International
(DCI), nor any of their affiliates, subsidiaries, directors, officers or employees (collectively, the “Discover Parties”)
assume or accept any liability for any errors or omissions contained in the Guide.
The Discover parties specifically disclaim and make no representations or warranties of any kind, express or implied,
with respect to this Guide. The Discover parties disclaim all representations and warranties, including the implied
warranties of Merchants’ ability and fitness for a particular purpose. The Discover parties further specifically disclaim all
representations and warranties with respect to intellectual property subsisting in or relating to the Guide or any part
thereof, including but not limited to any and all implied warranties of title, non-infringement or suitability for any purpose
(whether or not the Discover parties have been advised, have reason to know or are otherwise in fact aware of any
information).
The contents of this Guide are proprietary and constitute trade secrets of Discover. This Guide is provided to
Participants of the Discover and DCI Networks and their authorized Partners for their exclusive use and shall not be
reproduced, published or otherwise disclosed, in whole or in part, to any party outside Discover without the prior written
consent of Discover.
®
DFS Services LLC, Discover means our officers, directors and employees as well as the network, systems and
processes, including hardware, software and personnel maintained by us to support card issuance and card acceptance
programs operated by Issuers, Merchants and Acquirers for the benefit of Cardholders and Merchants, respectively; or,
where used to describe products, enhancements or services, means the consumer-facing brand of Discover.
2
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
What’s Inside
Chapter 1
Chapter 2
Chapter 3
Chapter 4
3
Getting to Know D-PAS
Page 5
1.1 Introduction
Page 5
1.2 Purpose of this Guide
Page 5
1.3 Target Audience
Page 5
1.4 References
Page 5
Understanding Chip Card Transactions
Page 6
2.1 EMV Fraud Liability Shift
Page 6
2.2 Chip Card Technology
Page 7
2.3 Contactless Technology
Page 7
2.4 EMVCo Role in Chip Card Specifications
Page 8
2.5 D-Payment Application Specification (D-PAS)
Page 9
2.6 Understanding Chip Transactions
Page 9
Implementing D-PAS
Page 13
3.1 Important Chip Card Implementation Considerations
Page 13
3.2 Pre-Transaction Processing (Contactless)
Page 13
3.3 Application Selection
Page 13
3.4 Offline Data Authentication (ODA)
Page 14
3.5 Cardholder Verification
Page 15
3.6 Terminal Risk Management
Page 18
3.7 First Terminal Action Analysis
Page 19
3.8 Transaction Completion
Page 20
3.9 Conclusion of Processing/Chip Card Deactivation and
Removal
Page 21
3.10 Technical Fallback
Page 22
Point-of-Sale Solution Selection
Page 23
4.1 Device Certification
Page 23
4.2 End-to-End Certification Requirements
Page 24
4.3 Production Validation Requirements
Page 25
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
Chapter 5
Production Rollout
Page 26
5.1 Production Rollout Check List
Page 26
5.2 AID Parameters
Page 27
DFS CA Test Payment System Public Keys
Page 31
1. Key Length 1152 Bits – PKI 91 Test
Page 31
2. Key Length 1408 Bits – PKI 92 Test
Page 32
3. Key Length 1984 Bits – PKI 93 Test
Page 33
Appendix B
DPAS Acronyms
Page 34
Appendix C
DPAS Terminology
Page 35
Appendix D
DFS IIN/BIN Table
Page 38
Appendix A
4
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 1: Get to Know D-PAS
CHAPTER 1: Getting to Know D-PAS
1.1 Introduction
®
The Discover D-Payment Application Specification (D-PAS) is an EMV-compliant smart card payment solution for contact,
contactless and mobile payments. Discover supports and conforms to current EMV standards, enabling easy
implementation and integration of the D-PAS solution.
1.2 Purpose of this Guide
This Guide focuses on the U.S. market. It provides high-level guidance to assist Merchants, VARs and other relevant
parties with terminal development to support both contact and contactless chip transactions in accordance with D-PAS
solutions at the terminal level. Please consult with your Processor or Discover for detailed policy, technical specifications
and operating regulations.
1.3 Target Audience
This Guide is primarily intended for Merchants and Value Added Resellers (VARs), including, but not limited to,
Independent Software Vendors (ISVs), Payment Gateways VARs and/or other entities responsible for implementing
components and services required for accepting contact chip cards on Merchant acceptance terminals.
1.4 References
TITLE
SOURCE1
REFERENCE
Terminal Requirements for U.S. Debit Cards Technical Addendum
1
DFS D-PAS: US DB TA, v 1.0
Terminal Requirements for JCB J/Smart™ Cards Technical
Addendum
1
DN CT D-PAS: JCB JS TA, v 1.0
EMVCo
emvco.com
EMV Migration Forum
emv-connection.com
1
5
Source: 1 means references can be provided upon request to [email protected].
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 2: Understanding Chip Card Transactions
CHAPTER 2: Understanding Chip Card Transactions
2.1 EMV Fraud Liability Shift
In October 2012, Discover announced the alignment of its EMV fraud liability shift policies for contact chip cards across
Discover, Diners Club International and PULSE. The Discover Network policy became effective in October 16, 2015 for all
point-of-sale (POS) locations and will go into effect in October 2017 for all automated fuel dispensers (AFD).
PULSE will introduce a liability shift for ATM transactions on Discover/PULSE EMV contact cards at U.S. terminals
effective October 1, 2017. After this date, ATM Acquirers will be financially liable for counterfeit card fraud if a contact
EMV card is presented at an ATM that is not EMV-enabled. To ensure simple and consistent dispute management for
PULSE participants, PULSE has chosen ATM liability shift dates for PULSE cards that are consistent with the signature
brand on the card.
The switch to EMV is vital to prevent payment fraud, and Discover is here to help. Our resources and EMV best practices
accelerate EMV certification, maximize Cardholder security and drive Merchant profitability. For more information, visit
DiscoverNetwork.com/Chip-Card or contact VARConnection.com.
2
6
Liability is transferred to the party with the direct relationship with Discover®. The EMV Fraud Liability Shift is in effect
for contact chip transactions only.
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 2: Understanding Chip Card Transactions
2.2 Chip Card Technology
Chip cards, also known as smart cards or integrated circuit cards (ICC), are plastic cards embedded with a computer chip.
Chip cards are capable of storing information, completing calculations, making decisions and running applications.
Chip cards still have a magnetic stripe on the back of the card to permit processing transactions at locations without EMVenabled terminals and fallback processing in the event of a chip failure.
2.3 Contactless Technology
Contactless technology is being adopted by Merchants that are looking for a faster, easier and more convenient payment
method. The execution of a contactless payment transaction requires a contactless card or payment device and
terminal/reader. Each contactless card or payment device and terminal, carry a microchip connected to an antenna that
enables the exchange of data via near field communication (NFC).
2.3.1 Contactless Transaction Modes
• Contactless D-PAS EMV mode is an operating mode based on the use of the Contactless D-PAS application to
create transaction-specific cryptograms that can be used to authenticate the card and the transaction. Contactless
transactions can be processed either online or offline.
®
®
• Contactless D-PAS Magnetic Stripe (MS) mode uses functionality of Discover Zip v2.0. The Zip application
provides cardholder information based on MS data to the terminal/reader. The terminal processes the transaction
online and executes the Issuer decision.
Note: Discover Zip is a contactless payment solution deployed in the U.S. (Discover Zip cards and payment devices
should be accepted wherever contactless payments are enabled.)
7
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 2: Understanding Chip Card Transactions
2.3.2 Contactless Logos
EMVCo licenses the Contactless Indicator and Contactless Symbol (collectively the “Contactless Marks”) for use in
accordance with its reproduction requirements. See the EMVCo website for more details.
• The EMVCo Contactless Indicator, shown below, is used on Contactless Cards and Contactless Payment Devices
such as key fobs.
• The EMVCo Contactless Symbol, shown below, is used on contactless terminals and may also be used in
marketing materials.
2.4 EMVCo Role in Chip Card Specifications
Chip cards and EMV-enabled terminals adhere to standard specifications to ensure interoperability among countries and
Payment Networks. EMVCo is the entity that manages and evolves EMV specifications, tests processes and fosters
worldwide interoperability of secure payment transactions. The EMV specifications govern chip cards, common payment
application (CPA), card personalization and tokenization.
EMVCo is co-owned by six member organizations: American Express, Discover, JCB, MasterCard, UnionPay and Visa.
The organization is supported by Issuers, Merchants, Acquirers, Acquirer Processors and other industry stakeholders who
3
participate as EMVCo Associates. For more information about EMVCo and chip card specifications visit www.emvco.com .
3
8
Source: EMVCo www.emvco.com
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 2: Understanding Chip Card Transactions
2.5 D-Payment Application Specification (D-PAS)
D-PAS is a specification that enables secure transactions among Discover chip cards, payment devices, terminals and
Acquirers. Discover provides a comprehensive program to support markets that are migrating from magnetic stripe cards
to chip card transactions, including:
• D-PAS program documents that define the requirements for chip cards and terminals, including:
− Terminal Requirements for U.S. Debit Cards Technical Addendum
− Terminal Requirements for JCB J/Smart™ Cards Technical Addendum
• Test cards
• Production validation cards
• Network support for chip card transactions
• Testing and certification requirements
2.6 Understanding Chip Card Transactions
A chip card transaction differs from a traditional magnetic stripe card transaction in how it interacts with a terminal.
•
•
•
A magnetic stripe card is swiped through the terminal to initiate the transaction.
A contact chip card is inserted into the chip reader and must remain in the terminal for the duration of the
transaction.
A contactless chip card or payment device is tapped to initiate the transaction.
The following table lists the differences between chip card and magnetic stripe card transactions.
9
CHIP CARD TRANSACTION
TYPICAL MAGNETIC STRIPE CREDIT CARD TRANSACTIONS
Multiple card authentication methods.
Basic level of authentication including Card Verification
Value (CVV).
Multiple Cardholder verification methods supported,
including use of offline and online Personal Identification
Number (PIN).
Visual Cardholder verification (request of ID, check
signature panel).
Issuer and Acquirer/Processor establishes and manages risk
parameters.
Issuer manages most risk parameters.
Secure offline authorization if supported by the terminal and
network, and approved by the card.
Offline authorization possible but risky as the authenticity of
the card cannot be confirmed.
Use of dynamic data prevents cloning.
Use of static data that can be easily copied.
Added level of security of chip cards and chip-enabled
terminals prevents counterfeit fraud. Use of PIN reduces
fraud from lost and stolen cards.
Magnetic stripe cards and terminals are susceptible to
counterfeit fraud.
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 2: Understanding Chip Card Transactions
The diagrams below provide an overview of the D-PAS transaction process for contact and contactless transactions.
Note that some steps may occur simultaneously.
10
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 2: Understanding Chip Card Transactions
2.6.1 How a Contact D-PAS Transaction Works
The most common transactions between a contact chip card and a terminal consist of:
• Chip and Personal Identification Number (PIN) with verification either offline or online
• Chip and Signature
The following table provides a high-level description of each of these transactions.
11
STEP
CONTACT CHIP AND PIN TRANSACTION
CONTACT CHIP AND SIGNATURE TRANSACTION
1
The Cardholder inserts the contact chip card into the
terminal/reader.
The Cardholder inserts the contact chip card into the
terminal/reader.
2
The transaction amount is displayed on the
terminal/reader.
The cardholder validates the amount
The terminal reader prompts the Cardholder to
enter PIN.
The transaction amount is displayed on the
terminal/reader.
The Cardholder validates the amount.
3
The Cardholder enters PIN on the terminal or PIN pad.
The PIN is displayed as ****.
The Merchant terminal processes the purchase
transaction offline or online, depending on the purchase
amount, card and terminal parameters.
4
• If offline PIN, terminal sends PIN to chip card,
chip card validates PIN and provides response back
to terminal.
• If online PIN, terminal sends encrypted PIN to Issuer.
Issuer returns authorization response to terminal.
The Merchant terminal validates the PIN and provides
Cardholder with the results of the validation.
The Merchant terminal displays to the Cardholder the
results of the validation as either “Approved” or
“Declined”
5
The Merchant terminal processes the purchase
transaction offline or online, depending on the purchase
amount, and card and terminal parameters.
For an approved transaction, the Merchant terminal
prints a transaction receipt or creates a digital version.
6
On successful processing, the Merchant terminal
displays “Approved” or “Declined”.
The terminal instructs the Cardholder to remove the
chip card.
7
For an approved transaction, the Merchant terminal can
print a transaction receipt if requested, or email an
electronic copy.
The Cardholder signs the transaction receipt or digital
version that can be emailed to cardholder.
8
The terminal instructs the Cardholder to remove the
chip card.
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 2: Understanding Chip Card Transactions
2.6.2 How a Contactless D-PAS Transaction Works
The steps below provide an example of a typical transaction executed between a NFC-enabled chip and pin card and a
reader connected to a standalone terminal.
STEP
CONTACTLESS D-PAS TRANSACTION
1
The Merchant enters the purchase amount on the terminal.
2
The transaction amount is displayed on the terminal and on the reader.
3
The first LED (if present) begins to flash to indicate that the reader is ready to perform a contactless transaction.
4
The Cardholder presents the card close to the landing zone of the terminal/reader.
5
The reader exchanges commands and responses with the card to execute the contactless transaction.
6
The result of the exchange between the card and the reader, together with EMV transaction data, is sent to the
terminal.
7
When the data capture is completed, all four LED lights on the reader (if present) normally illuminate in green, and
the reader sounds an audible alert.
8
The Cardholder removes the card from the landing zone.
9
Depending on the card and terminal capabilities, as well as the risk management parameters, the Cardholder
Verification Method (CVM) will be online PIN, signature or no CVM.
10
The terminal completes the transaction online or offline
11
The transaction result is displayed on the terminal to the Cardholder and the Merchant. It also can be displayed on
the reader.
12
A receipt can be printed, if requested, or an electronic copy can be sent by email
This description may differ depending on the contactless POS terminal and reader model.
12
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
CHAPTER 3: Implementing D-PAS
3.1 Important Chip Card Implementation Considerations
This chapter provides an overview of the chip card transaction steps that impact Merchants and VARs, including the
technical requirements and best practices to successfully implement D-PAS. Not every transaction step is referenced in
this chapter. For additional information on each transaction flow step, contact [email protected].
3.2 Pre-Transaction Processing (Mandatory Step for Contactless D-PAS only)
To minimize the time that a card must be in the RF field, the terminal/reader performs preliminary risk management
checks by comparing the Transaction amount to limits set in the terminal.
Note: Terminals that always use a fixed transaction amount (such as vending machines) do not perform risk management
checks. If you have any questions contact your Acquirer/Processor.
3.3 Application Selection (Step 1 for Contact and Contactless D-PAS)
There are various ways the application selection step is performed. In a typical credit card transaction, the card and the
terminal analyze the supported Application Identifiers (AIDs). If multiple applications are supported, the terminal identifies
the priority selected by the Issuer and may allow the Cardholder to choose the application to use. The terminal or
peripheral selected for chip card implementation must have the intended AIDs loaded for chip transactions to work.
For the U.S. Common Debit AID, Merchants and Acquirers may have proprietary software installed on POS devices to
manage the selection of the Common AID over the proprietary/global AIDs–the specifics of which are outside the scope of
this document.
13
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
Below is a list of AIDs for the Discover Network and its partners that must be supported in terminals used by Merchants
and VARs in the United States:
• Contact and Contactless D-PAS (Discover proprietary) AID: A0000001523010
®
• Discover Debit U.S. Common AID: A0000001524010
• JCB J/Smart Contact AID: A0000000651010
• Discover Zip AID: A0000003241010
Important AID Notes
• The AID must be set to support partial match AID selection.
• The terminal must support the list of AID methods for building the candidate list.
• The application version number check requires that the terminal store the D-PAS application version number
of “0001”.
• It is recommended that terminals hold one additional application version number slot open for future use.
3.4 Offline Data Authentication (ODA) (Step 4 for Contact and Contactless D-PAS)
In this step, the terminal ensures that:
• The chip card has not been altered since its personalization.
• The data on the chip card was created by the authentic Issuer.
ODA must be implemented on all terminals/readers that support offline authorized transactions.
For contact D-PAS, depending on the capabilities of the chip card and the terminal, the terminal may perform one of the
following Offline Data Authentication (ODA) methods:
• Static Data Authentication (SDA)
• Dynamic Data Authentication (DDA)
• Combined DDA (CDA)
Note: CDA is the most secure method while SDA is a less secure method that will eventually be phased out.
For contactless D-PAS, CDA is the only method that may be performed.
Offline data validation of the card is performed using encryption keys. A key is a numeric value that is used as part of a
mathematical operation to encrypt or decrypt data. To perform offline data authentication, terminals must be loaded with
DFS Certification Authority Public Keys (CA PKs) and JCB CA PKs. Acquirers and Merchants are responsible for
registering, managing and updating keys provided by Discover Network.
®
Please note that both the D-PAS proprietary AID and the Discover Debit U.S. Common AID use the same DFS CA PKs.
See Appendix A for DFS Test Payment System Public Keys. DFS Production Payment System Public Keys and J/Smart
Test and Production Keys can be requested from [email protected]. A Non-Disclosure Agreement (NDA)
may be required.
14
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
Important: Do not code CA PKs expiry dates in the terminal as they are subject to change by EMVCo and DFS.
CHIP CARD TERMINAL REQUIREMENTS FOR ODA
ODA Requirements
Important: All newly deployed offline-capable contact chip terminals are required to support DDA in
addition to supporting SDA. Terminals should also support CDA whenever possible. In addition,
Merchants and VARs should consider local market requirements and industry practices when deciding
which methods to support.
DFS CA PK
Requirements
To support ODA, the terminal must be able to store up to six DFS CA PKs and their associated data
elements for each payment brand’s Registered Application Provider Identifier (RID) represented in the
Terminal.
3.5 Cardholder Verification (Step 6 for Contact D-PAS and Step 5 for Contactless D-PAS)
Cardholder Verification determines whether the person presenting the chip card is the legitimate Cardholder by using a
CVM that is mutually supported by both the chip card and the terminal. Most terminals have the capability to support all
CVMs. However, consult with your Processor to understand their ability to support all CVMs, especially the online
PIN method.
Cardholder verification is mandatory for contact D-PAS transactions. However, it is conditional for contactless D-PAS.
If the Terminal Contactless CVM limit is present and the Transaction amount is greater than the Terminal CVM limit, the
Terminal requires CVM to be performed.
15
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
The following table describes the CVM types that are available to Merchants and Acquirers.
CVM TYPE
DESCRIPTION
Online PIN
If “Online PIN” is the selected CVM and is supported by the terminal, the terminal prompts the
Cardholder for PIN entry and then enciphers the PIN for inclusion in the authorization message later in
the transaction. The remaining processing for the online PIN transaction is conducted in accordance
with existing DFS regulations.
Offline PIN
(Plaintext and
Enciphered)
If “Offline PIN” is the selected CVM for the transaction, the terminal prompts for PIN entry, and the PIN
is transmitted from the terminal to the chip card for verification. The PIN can be sent either exactly as it
was entered by the Cardholder (plaintext PIN) or encrypted (enciphered PIN). If the chip card cannot
successfully verify the PIN, the chip card informs the terminal of the number of PIN try attempts
remaining. Enciphering the PIN is strongly recommended. Offline PIN CVM type is not an option for
contactless transactions.
Combined Offline
PIN and Signature
If “Combined Offline PIN and Signature” is the selected CVM for the transaction, the terminal must
complete the processes for both the offline PIN CVM and Signature CVM. This CMV type is not an
option for contactless transactions.
Signature
If “Signature” is the selected CVM for the transaction, CVM processing is considered complete from a
D-PAS perspective. Other processing related to this CVM is executed in accordance with existing DFS
regulations (e.g., comparing the Cardholder signature obtained to the signature on the card).
No CVM
If “No CVM” is the selected CVM for the transaction, CVM processing is complete from the D-PAS
perspective. This CVM must be supported by unattended terminals, please refer to section 3.5.1.1.
Consumer Device
CVM (CDCVM)
For contactless payment devices only. Cardholder verification can be completed on the contactless
payment device prior to initiating any payment transactions. Verification methods vary by device, such
as password and biometrics, among other methods. If CDCVM is used, it must be noted in the
Terminal Verification Results (TVRs).
Note: DFS allows no-signature or PIN for card-present sales of $50.00 or less, including applicable taxes, gratuities,
surcharges, cash overs and/or Discover Pay with Rewards.
16
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
3.5.1 CVM Support Considerations
When identifying which CVMs to support in the terminal, first check with your Acquirer and Processor to verify which
CVMs they support, and then take the following decision factors into consideration.
DECISION FACTOR
DESCRIPTION
Assess Terminal
Capabilities
Identify the capabilities of the terminal for supporting each CVM.
Identify the Relative
Importance of Gaining
Processing Efficiency
A PIN can reduce transaction processing time by eliminating the signature requirement.
In addition, an offline PIN can make throughput faster, by eliminating online verification processes
and network latencies.
Retain Traditional CVM
Processing
Capabilities
Merchants and VARs should be aware that magnetic stripe cards will continue to be encountered
at the point-of-sale, so traditional processes for swiping the card and signing for the transaction
will still need to be supported.
Important: For Acquirers and Merchants to take full advantage of the Fraud Liability Shift for lost or stolen cards, they
must support both offline and online PIN authentication for contact chip cards. Discover requires Acquirers and Merchants
to support offline and online PIN at parity with Discover when the functionality is being supported for any other Payment
Networks.
3.5.1.1 Special Considerations for Unattended Terminals
An unattended POS device is a device that delivers goods or services when the Cardholder is present but a Cashier is not.
Examples of unattended POS devices are fuel dispensers, parking meters and vending machines. Many unattended POS
devices that execute low-value transactions do not have communication capabilities; therefore, it is imperative that
“No CVM” is supported as a CVM method.
Note: Unattended POS Devices are often online-capable to allow issuer authorization and batch data capture.
3.5.2 PIN Pad Configuration
Merchants and VARs should consider the following PIN pad best practices:
• If the PIN pad is separate from the terminal, the addition of a chip card reader with PIN pad enables Cardholders to
keep possession of their card throughout the transaction, thus reducing opportunities for card skimming.
• Cardholders should be able to reach the landing zone on a contactless PIN pad or reader.
• The placement of a PIN pad should be accessible to all Cardholders.
• PIN pads should be designed and placed in a way that prevents fraudsters from “shoulder surfing” the PIN.
3.5.3. PIN Bypass
The U.S. Market is a “chip and choice” environment, with both signature and PIN preferring Issuers. PIN entry bypass is
an optional function supported by EMV that enables a manual override of the PIN CVM process. This option is used when
PIN is selected as the preferred CVM, but the Merchant wants to allow a Cardholder to sign instead. An example of PIN
bypass is when the Cardholder has forgotten their PIN. If PIN bypass is used, this must be noted in the TVR. Merchants
and VARs should check with their Processors before enabling PIN bypass.
17
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
3.6 Terminal Risk Management (Contact D-PAS Step 7)
Chip-enabled terminals complete several checks to confirm that transaction processing is occurring within the risk limits
set by the Payment Brand, Acquirer Processor and the Issuer. The following table outlines both mandatory and optional
checks to be programmed in the terminal. Note that the Acquirer Processor may have already pre-programmed these
parameters in the terminal.
18
CHECK
MANDATORY /
OPTIONAL
DESCRIPTION
Floor Limits
Mandatory
Merchants/VARs may use the chip card terminal floor limits associated with
each Merchant category or choose a zero floor limit.
It is recommended that terminals that are capable of storing multiple floor
limits specify separate floor limits for magnetic stripe and chip card
transactions. To support a floor limit other than $0 (or local equivalent), the
terminal must be able to store a separate floor limit for magnetic stripe and
chip card transactions.
Random Transaction
Selection
Mandatory
Acquirers are advised to work with their Merchants to identify the terminal
settings for random transaction selection.
It is recommended that terminal parameters are adjusted to ensure that a
bias is applied.
Exception File
Optional
It is recommended that exception file checking is performed at offline-only
terminals. Talk to your Acquirer Processor for more details.
Transaction Forced
Online
Optional
Merchants can implement a function that allows the Attendant to manually
force a transaction online. This function can be employed if the Attendant is
suspicious of the Cardholder and wants to ensure that the Issuer authorizes
the transaction. If Merchants would like to implement transaction forced
online functionality, Merchants and VARs should work with their Acquirer
Processor to set guidelines for when this functionality should
be used.
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
3.7 First Terminal Action Analysis (Contact D-PAS Step 8 and Contactless D-PAS Step 7)
A terminal/reader device performs the first Terminal Action Analysis step using different considerations for contact or
contactless D-PAS transactions.
3.7.1 Contact D-PAS
The terminal stores the results of the previous steps and analyzes them to make a recommendation to the chip card as to
whether it should decline, send online or approve the transaction.
Rules governing the levels of acceptable risk for various transaction conditions are set for:
• The terminal by the Payment Brand and the Acquirer via rules called Terminal Action Codes (TACs).
• The chip card by the Issuer via card rules called Issuer Action Codes (IACs).
For the purposes of this Guide, DFS is the Payment Brand responsible for setting the TACs. The applicable D-PAS
contact TAC values listed in the following table must be stored in terminals as a prerequisite to the acceptance of chip
cards. Terminals must store only the set of TAC values that is relevant to the functionality supported by the terminal.
Note that there are no TACs for contactless transactions.
For JCB-specific J/Smart TAC values review the document Discover Contact EMV: Terminal Requirements for JCB
J/Smart Cards – Technical Addendum.
For Discover Debit U.S. Common AID TAC values consult the document Discover Contact D-PAS: Terminal
Requirements for U.S. Debit and Prepaid Cards – Technical Addendum.
DISCOVER
TERMINAL ACTION
CODES FOR
CONTACT
TRANSACTIONS
ONLY
VALUE
DESCRIPTION
ODA SUPPORTED
ODA NOT SUPPORTED
Denial /Decline
Specifies the conditions that cause the denial of
a transaction without attempt to go online.
0010000000
0010000000
Online
Specifies the conditions that cause a
transaction to be transmitted online.
FCE09CF800
30E09CF80
Default
Specifies the conditions that cause a
transaction to be rejected if a terminal cannot
go online.
DC00002000
1000002000
3.7.2 Contactless D-PAS
This step is completed with the contactless card or payment device outside of the landing zone and includes card/device
application recommendations collected during Step 2 – Initiate Application Processing. As part of this step the following
checks are performed by the terminal: card decision, CDA check results, application expiry date check and processing
restrictions results.
19
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
3.8 Transaction Completion (Contact D-PAS Step 13 & Contactless Step 9)
3.8.1 Transaction Completion for Contact D-PAS
In Step 10, the terminal sends the transaction online to the Issuer. As a response to the online processing request, the
Issuer then returns an Authorization Response, which approves or declines the transaction. The terminal may perform a
Second Terminal Action Analysis (Step 11). The contact card may also perform a Second Card Action Analysis (Step 12).
Transaction completion (Step 13) occurs when the terminal receives either an approval or decline response to one of its
cryptogram requests. The terminal then executes the approval or decline requested by the chip card. At the conclusion of
processing, the transaction result is displayed to the Cardholder. The receipt is printed or emailed (and signed if required),
and the terminal stores any required transaction data.
3.8.2 Transaction Completion for Contactless D-PAS
Please note that for Contactless D-PAS, online processing (Step 8) is conditional. It must be performed only if the final
decision taken by the card is to perform an online transaction.
Contactless D-PAS Step 9 is the final step of the transaction. This step tells the Cardholder the final decision and
processes additional functions depending on the decision taken. The results could be one of the following:
• Offline processing: Approval or decline – Transaction is not sent to the issuer for decisioning.
• Online processing: Approval or decline – Transaction is sent to the Issuer for decisioning.
• Switch to another interface.
3.8.3 Switch to Another Interface (Contactless D-PAS Only)
If the transaction cannot be processed using the contactless interface, and the contactless card or payment device
supports another interface, then the terminal will indicate that the cardholder use an alternate interface.
20
FROM
TO
COMMENTS
Contactless D-PAS
Contact D-PAS
The terminal may switch to contact chip interface due to several reasons.
The transaction is restarted as a standard Contact D-PAS transaction.
Contactless D-PAS
Magnetic Stripe
Transaction
If the switch to contact D-PAS is not possible, the transaction must switch to
a magnetic stripe transaction. Magnetic stripe transactions have a higher risk
than D-PAS; therefore, it must follow specific rules:
• The transaction must go online.
• The transaction must be identified with a specific fallback indicator value.
See 3.10 for more details.
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
3.8.4 Receipt Requirements
The following table lists the EMV data that may be added to the receipt.
RECEIPT DATA
REQUIREMENT
AID
Mandatory
Approval Code
Mandatory: Include either an online approval code or an offline approval code created
by the terminal.
Cryptogram
Optional
Application Preferred Name or
Application Label
Optional
PIN Verification Statement
Optional
Note: In addition to the EMV receipt requirements listed above, Discover has additional receipt requirements that are
listed in the Operating Regulations. Please consult your Processor for complete receipt requirements.
3.9 Conclusion of Processing/Chip Card Deactivation and Removal
3.9.1 Contact Deactivation and Removal (Contact D-PAS Step 15)
The terminal displays the result of the transaction to the Attendant and the Cardholder as follows:
• If the transaction has been declined, the terminal displays an appropriate message and then indicates that the
chip card can be removed from the reader.
• If the transaction has been approved, the terminal displays a message indicating that the chip card can be
removed from the reader and prints a receipt.
• If a signature was provided, the Attendant compares the signature on the receipt with the signature on the back of
the card.
3.9.2 Contactless Transaction Conclusion
The transaction result is displayed on the terminal to the Cardholder and the Merchant. It can also be displayed on the
reader. A receipt can be printed or e-mailed as required by Merchant or Cardholder.
21
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 3: Implementing D-PAS
3.10 Technical Fallback
Technical fallback may occur when a chip card is used at a chip-enabled terminal, but a technical failure of the card or the
terminal prevents the transaction from being processed using the chip’s functionality. With all chip cards, technical fallback
must be correctly identified in the authorization message so that the Issuer can make an informed decision whether to
approve or decline the technical fallback transaction. All technical fallback transactions must be sent online.
3.10.1 Fallback Scenarios
The following table shows common scenarios encountered and whether these transactions should be flagged as fallback
or not. Please consult your Processor for specific fallback indicators.
22
MODE
TRANSACTION
NEEDS TO BE
FLAGGED AS
FALLBACK
COMMENTS
Unknown AID or AID
Not Found
No
If the terminal is not able to recognize any of the applications supported
by card, the terminal should allow the transaction to be processed as
magnetic stripe.
Chip Card Error
Yes
A technical error in communication between the card and terminal has
prevented a chip transaction taking place. The terminal should prompt the
Cardholder to swipe the card.
Blocked Application
No
The terminal should terminate the transaction and it should not allow the
Cardholder to initiate a magnetic stripe transaction.
Blocked Card
No
The terminal should terminate the transaction and it should not allow the
Cardholder to initiate a magnetic stripe transaction.
Switch Interface
Request from
Contactless D-PAS
to MS
Yes
If a transaction cannot be completed as contactless D-PAS, and if a switch
to contact D-PAS interface is not possible, the transaction must switch to a
magnetic stripe.
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 4: Point-of-Sale Solution Selection
CHAPTER 4: Point-of-Sale Solution Selection
Merchants and Issuers should carefully consider the type of point-of-sale (POS) solution that best works for their business
model and the needs of their Customers. They also should consider the certification requirements for each option,
including device certification and end-to-end certification. The following table outlines solutions available in the market.
Please contact your Terminal Manufacturer and Processor for more details and options.
POS TYPE
DESCRIPTION
Stand-Alone
Chip-enabled terminal device or peripheral is connected directly to the Acquirer Processor.
Updates are managed by the Acquirer. Ideal for small Merchants currently using stand-alone
terminals.
Semi-Integrated
Chip-enabled terminal device or peripheral is integrated into a new or existing POS software
application. The payment device can be connected through a payment gateway or directly to the
Acquirer. Terminal updates are managed either by the Payment Gateway or the Acquirer.
Integrated
Chip-enabled reader is fully integrated into the POS solution or a stand-alone peripheral.
Merchant, Payment Gateway and/or Acquirer/Processor may be responsible for managing
terminal updates.
4.1 Device Certification
Device certification is completed by the Device Manufacturer or Original Equipment Manufacturer. Below are some
common terms used during the device certification process.
• EMV Kernel is a set of functions that provides all the necessary processing logic and data that is required to
perform an EMV contact or contactless transaction. The kernel will be called from the terminal's payment application
4
and utilize the Interface Device (IFD) to perform necessary data exchanges with the card . Note: Contactless EMV
requires a kernel for each Payment Network implemented.
• Level 1 Approval (Hardware): Level 1 tests compliance with the electromechanical characteristics (contact) or the
4
analog characteristics (contactless) and logical protocol requirements defined in the EMV Specifications.
• Level 2 Approval (Software): Level 2 type approval process tests compliance with the application requirements
4
as defined in the EMV Specifications.
− Please Note: Contactless Level 2 approvals follow the individual Payment Network requirements. A valid
contactless Level 1 Letter of Approval (LoA) is a prerequisite to contactless Level 2 certification.
• Discover Type Approval (for EMV contactless devices only): Verification by Discover that a specified composite
5
Target of Evaluation (TOE) has demonstrated sufficient conformance to the Discover Specifications for its stated
5
purpose and Discover specifications are used . EMVCo does not have a single common contactless specification
for terminals as there is for contact terminals.
4
5
Source: EMVCo www.emvco.com
Source: Type Approval Process V2.2
23
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 4: Point-of-Sale Solution Selection
4.1.1 Device Certification Requirements
Device certification should be completed prior to beginning end-to-end (E2E) certification. Because Level 1 and Level 2
approvals do expire, EMVCo and Discover Network require approvals to be renewed at defined intervals to maintain
compliance. Please check with your Terminal Provider, Acquirer or Processor for Level 1 and Level 2 expiry dates.
CERTIFICATION INITIATOR
CERTIFICATION TYPE
WHAT IT INCLUDES
CONTACT EMV
CONTACTLESS EMV
Level 1
Addresses hardware conformance
with EMV specifications
EMVCo
EMVCo
Level 2
Addresses application software
conformance
EMVCo
The certification for Discover Network
is called "Discover Type Approval"
4.2 End-to-End Certification Requirements
E2E terminal certification must be completed for each Payment Network supported by the terminal. Each terminal
application, combined with any middleware software product, should be certified by each Processor.
The purpose of E2E testing is to:
• Demonstrate that the deployed terminals meet the requirements of both the Acquirer and the Discover Network.
• Demonstrate the terminals’ acceptance of D-PAS.
• Send authorization requests and receive authorization responses among terminals, Acquirer host systems and
Discover Network.
• Demonstrate that terminals can process chip-based functions including PINs, fallback transactions and CVMs as
supported by the terminal.
A high-level example of an end-to-end environment is provided in the following figure. For detailed information regarding
the system architecture, requirements and configuration refer to the approved Test Tool documentation.
24
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 4: Point-of-Sale Solution Selection
4.3 Production Validation Requirements
Production validation is required to verify that D-PAS- and J/Smart-certified terminals, and the associated infrastructure,
are performing correctly in the production environment. Production validation must be performed in a live environment as
part of an initial pilot or rollout for each unique combination of terminal, application and Processor.
Production validation test transactions are executed using live D-PAS and J/Smart test cards at deployed terminals or
terminals in a live laboratory environment. To request production validation test cards, please contact
[email protected].
25
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 5: Production Rollout
CHAPTER 5: Production Rollout
5.1 Production Rollout Check List
The following list highlights important steps in ensuring a successful EMV rollout for Merchants and VARs. This not
intended to be a compressive list. Please consult with your Processor or Discover Network for more details.
CERTIFICATION
Check with your terminal provider, acquirer and processor to confirm who is responsible for renewing Level 1 and
Level 2 certifications.
Complete E2E certification for each unique terminal application and configuration combination if utilizing a fullyintegrated solution.
Confirm that your partner completed E2E certification if utilizing a semi-integrated solution.
TERMINAL CONFIGURATION / TERMINAL MANAGEMENT
Confirm who is responsible for updating your terminals: adding new AIDs, updating or replacing CA PKs, etc.
Verify AIDs have been loaded on the EMV terminals. (See Table 5.2 for details).
Ensure production CA PKs were loaded and replaced test CA PKs.
Ratify the Application Version Number Check is “0001.” It is recommended that terminals hold one additional
Application Version Number slot open for future use.
Confirm the terminal can store up to six CA PKs per card brand.
Ensure TACs were properly coded.
Support for the minimum chip card-related data elements for authorization and batch data capture.
IF SUPPORTING CONTACTLESS D-PAS
If supporting contact and contactless D-PAS, terminals must not allow both interfaces to be activated
simultaneously. If one interface is powered on, the other interface must be switched off.
Support Zip AID to allow for application switch from Contactless D-PAS to magnetic stripe.
Set terminal amount limits (if any) based on Merchant decision and direction received from your Processor. Please
note that Discover does not have any transaction amount limit established for contactless D-PAS transactions.
Add decal signage at your POS advertising your merchant accepts contactless payments
TRAINING AND PILOT
Train your employees on how to process contact and contactless transactions. Review the resources that Discover
has created to assist you with this task www.discovernetwork.com/chip-card/merchants/resource_center.html
Request production validation EMV test cards by contacting [email protected].
Complete production validation test transactions.
Validate purchase, refund and cancellations.
Confirm receipt is printing EMV-related data.
Follow fallback to magnetic stripe processing.
26
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 5: Production Rollout
OTHER IMPORTANT CONSIDERATION
Ensure support for all Discover IIN/BIN ranges. (See Appendix D).
Validate acceptance of a variable PAN length of up to 19 bytes.
Support for terminal floor limits.
Terminals accepting a PIN must comply with the PCI PED security requirements.
5.2 Discover EMV Program Matrix (V1.2 Published Nov 2015)
The following table summarizes AID parameters supported by Discover for the US market.
D-PAS (PROPRIETARY
CONTACT AND
CONTACTLESS)
U.S. DISCOVER DEBIT
COMMON AID
JCB J/SMART
ZIP.
CONTACTLESS
MAGNETIC STRIPE
AID
A0000001523010
A0000001524010
A0000000651010
A0000003241010
Partial Match
Allowed and strongly
encouraged
Allowed and strongly
encouraged
Allowed and strongly
encouraged
Allowed and strongly
encouraged
Example of
Issuers
Discover Card, Diners Club
interaction and Net to Net
Partners (BC Card, RuPay).
Discover Debit Card, PULSE
Issuers.
JCB-branded cards
Discover Card
Interfaces
Supported
Contact EMV and Contactless
EMV
Contact EMV and Contactless
EMV. (Needs details to
support Contactless are
under development)
Contact EMV
Contactless
Magnetic stripe
Application
Version Number
0001
(Recommend terminals hold
one additional slot open for
DFS future use.)
0001
(Recommend terminals hold
one additional slot open for
DFS future use.)
0200 (for EMV v4.x
compliance)
0120 (for EMV v3.1.1
compliance)
Fallback to
Magnetic Stripe
Supported when chip cannot
be read (damaged).
Supported when chip cannot
be read (damaged).
Supported when chip cannot
be read (damaged).
For AID Not
Found
Transaction should be
initiated by magnetic stripe
but should not be coded as
fallback.
Transaction should be
initiated by magnetic stripe
but should not be coded as
fallback.
Transaction should be
initiated by magnetic stripe
but should not be coded as
fallback.
For Application
Blocked
Not allowed
Not allowed
Not allowed
PIN Support
If PIN is supported for any
payment brand, Online PIN
and Offline PIN must be
supported for Discover
Network
If PIN is supported for any
payment brand, Online PIN
and Offline PIN must be
supported for Discover
Network
N/A
PIN Bypass
Supported
Supported
N/A
PIN
(Continued on next page.)
27
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
CHAPTER 5: Production Rollout
D-PAS (PROPRIETARY)
U.S. DISCOVER DEBIT
COMMON AID
JCB J/SMART
ZIP.
CONTACTLESS
MAGNETIC
STRIPE
TACs for
Contact
Interface
ODA
Supported
ODA Not
Supported
ODA
Supported
ODA Not
Supported
ODA
Supported
Denial
0010000000
0010000000
0010000000
0010000000
0010000000
Online
FCE09CF800
30E09CF800
FCE09CF800
FFFFFFFFFF
FC60ACF800
Default
DC00002000
1000002000
DC00002000
FFFFFFFFFF
FC6024A800 or FC60242800
Offline
Transaction
Limit
Allowed, please contact
Processor for details.
DFS limit is $300.00
(with MCC exceptions).
Online Authorization is
required for all transactions
originating from Discover U.S.
Common Debit AID.
Allowed, please contact
processor for details.
DFS limit is $300.00
(with MCC exceptions).
EMV Fraud
Liability Shift
October 2015, all industries
except AFD
October 2017, AFD
October 2015, all industries
except AFD
October 2017, AFD
As of publication date,
JCB has not announced
EMV Fraud Liability Shift
for the U.S.
CVM Supported
Online PIN
Offline Enciphered PIN
Offline Plaintext PIN
Signature
No CVM
Online PIN
Signature (via No CVM)
No CVM
Online PIN
Offline Enciphered PIN
Offline Plaintext PIN
Signature
No CVM
Terminal ODA
Requirement
All offline-capable contactless
terminals are required to
support CDA.
ATMs should not be
configured to support ODA.
ODA support is optional.
If support ODA, terminal must
support both SDA and DDA.
CDA support is optional. If it is
supported by the terminal, it
must be supported using EMV
Mode 1.
ATMs should not be
configured to support ODA.
All offline-capable contact
terminals are required to
support SDA and DDA.
Contact EMV
(Continued on next page.)
28
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
ODA Not
Supported
CHAPTER 5: Production Rollout
D-PAS (PROPRIETARY)
U.S. DISCOVER DEBIT
COMMON AID
JCB J/SMART
TACs for
Contactless
Interface
Do not apply.
Contactless D-PAS does not
require TACs.
Do not apply.
Contactless D-PAS do not
require TACs.
N/A
Offline
Transaction
Limit
Allowed, please contact
Processor for details.
DFS limit is $300.00
(with MCC exceptions).
Online Authorization is
required for all transactions
originating from Discover U.S.
Common Debit AID.
N/A
Contactless
Transaction
Limit
No limit
No limit
N/A
EMV Fraud
Liability Shift
As of publication of this
document, contactless
transactions do not fall into
EMV Fraud Liability Shift.
As of publication of this
document, contactless
transactions do not fall into
EMV Fraud Liability Shift.
N/A
CVM Supported
Online PIN
Signature
No CVM
Online PIN
Signature
No CVM (via No CVM)
N/A
Terminal ODA
Requirement
All offline-capable contactless
terminals are required to
support CDA.
ATMs should not be
configured to support ODA.
ODA support is optional.
If support ODA, terminal must
support CDA.
ATMs should not be
configured to support ODA.
N/A
Contactless
EMV
(Continued on next page.)
29
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
ZIP.
CONTACTLESS
MAGNETIC
STRIPE
CHAPTER 5: Production Rollout
D-PAS (PROPRIETARY)
U.S. DISCOVER DEBIT
COMMON AID
JCB J/SMART
ZIP.
CONTACTLESS
MAGNETIC
STRIPE
Others
Default DDOL
Must include the Unpredictable Number.
TDOL and
Terminal
Exception File
D-PAS does not require default terminal TDOL and terminal exception file.
No CVM Policy
Per DFS Operating
Regulations, transactions
below $50 do not
require CVM.
Production
Validation
Please contact your
Processor to confirm
requirements for No CVM.
Per DFS Operating
Regulations, transactions
below $50 do not
require CVM.
Please contact your Processor
to confirm requirements for
No CVM.
Per DFS Operating
Regulations, transactions
below $50 do not
require CVM.
Please contact your
Processor to confirm
requirements for No CVM.
Required, using
unfunded cards
Required, using
unfunded cards
Required, using
unfunded cards
Per DFS Operating
Regulations,
transactions below
$50 do not
require CVM.
Please contact your
Processor to confirm
requirements for
No CVM.
CAPKs
Test Environment
Yes, same for both Discover Proprietary and
Debit Common AIDs
J/Smart Test CAPK with
length 1408 bits
Production
Environment
Yes, same for both Discover Proprietary and
Debit Common AIDs
J/Smart Production CAPKs
Test Cards
30
Test
Environment,
Physical Test
Cards
One pack contains Contact and Contactless D-PAS, Debit and JCB test cards. Test cards can be purchased from a
qualified vendor. JCB contact cards are available upon request to [email protected]
Production
Environment,
Unfunded Cards
Available upon request. One pack contains Contact and Contactless D-PAS, Debit and JCB test cards, plus JCB Contact
test cards
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
APPENDIX A
Appendix A
DFS CA Test Payment System Public Keys
1. Key Length 1152 Bits – PKI 91 Test
31
FIELD NAME
LENGTH
DESCRIPTION
VALUE
RID
5b
Identifies the payment system
to which the CA PK is
associated
A0 00 00 01 52
CA Public Key Index
1b
Identifies the CA PK in
conjunction with the RID
5B
CA Hash Algorithm
Indicator
1b
Indicates the hash algorithm
used to produce the Hash
Result in the digital signature
scheme
01
CA Public Key
Algorithm Indicator
1b
Indicates the algorithm to be
used with the CA PK
01
CA Public Key
Modulus
144b
Value of the modulus part of the
CA PK
D3 F4 5D 06 5D 4D 90 0F 68 B2 12 9A FA 38 F5 49
AB 9A E4 61 9E 55 45 81 4E 46
8F 38 20 49 A0 B9 77 66 20 DA 60 D6 25
37 F0 70 5A 2C 92 6D BE AD 4C A7 CB 43 F0 F0
DD 80 95 84 E9 F7 EF BD A3 77 87 47 BC 9E 25 C5
60 65 26 FA B5 E4 91 64
6D 4D D2 82 78 69 1C 25 95 6C 8F ED 5E 45 2F 24
42 E2 5E DC 6B 0C 1A A4 B2 E9 EC 4A D9 B2 5A
1B 83 62 95 B8 23 ED DC 5E B6
E1 E0 A3 F4 1B 28 DB 8C 3B 7E 3E 9B 59 79 CD 7E
07 9E F0 24 09 5A 1D 19 DD
CA Public Key
Exponent
1b
CA PK Exponent equal to 3
03
CA Public Key
Check Sum
20b
A check value calculated on the
concatenation of all parts of the
CA PK (RID, CA Public Key
Index, CA Public Key Modulus,
CA Public Key Exponent) using
SHA-1
4D C5 C6 CA B6 AE 96 97 4D 9D C8 B2 43 5E 21
F5 26 BC 7A 60
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
APPENDIX A
2. Key Length – 1408 Bits – PKI 92 Test
32
FIELD NAME
LENGTH
DESCRIPTION
VALUE
RID
5
Identifies the payment system
to which the CA PK is
associated
A0 00 00 01 52
CA Public Key Index
1
Identifies the CA PK in
conjunction with the RID
5C
CA Hash Algorithm
Indicator
1
Indicates the hash algorithm
used to produce the Hash
Result in the digital signature
scheme
01
CA Public Key
Algorithm Indicator
1
Indicates the algorithm to be
used with the CA PK
01
CA Public Key
Modulus
176
Value of the modulus part of
the CA PK
83 3F 27 5F CF 5C A4 CB 6F 1B F8 80 E5 4D CF EB
72 1A 31 66 92 CA FE B2 8B 69 8C AE CA FA 2B
2D 2A D8 51 7B 1E FB 59 DD EF C3 9F 9C 3B 33
DD EE 40 E7 A6 3C 03 E9 0A 4D D2 61 BC 0F 28
B4 2E A6 E7 A1 F3 07 17 8E 2D 63 FA 16 49 15 5C
3A 5F 92 6B 4C 7D 7C 25 8B CA 98 EF 90 C7 F4 11
7C 20 5E 8E 32 C4 5D 10 E3 D4 94 05 9D 2F 29 33
89 1B 97 9C E4 A8 31 B3 01 B0 55 0C DA E9 B6 70
64 B3 1D 8B 48 1B 85 A5 B0 46 BE 8F FA 7B DB 58
DC 0D 70 32 52 52 97 F2 6F F6 19 AF 7F 15 BC EC
0C 92 BC DC BC 4F B2 07 D1 15 AA 65 CD 04 C1
CF 98 21 91
CA Public Key
Exponent
1b
CA Public Key Exponent
equal to 3
03
CA Public Key Check
Sum
20
A check value calculated on
the concatenation of all parts
of the CA PK (RID, CA Public
Key Index, CA Public Key
Modulus, CA Public Key
Exponent) using SHA-1
60 15 40 98 CB BA 35 0F 5F 48 6C A3 10 83 D1 FC
47 4E 31 F8
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
APPENDIX A
3. Key Length – 1984 Bits – PKI 93 Test
33
FIELD NAME
LENGTH
DESCRIPTION
VALUE
RID
5b
Identifies the payment
system to which the CA PK
is associated
A0 00 00 01 52
CA Public Key Index
1b
Identifies the CA PK in
conjunction with the RID
5D
CA Hash Algorithm
Indicator
1b
Indicates the hash
algorithm used to produce
the Hash Result in the
digital signature scheme
01
CA Public Key
Algorithm Indicator
1b
Indicates the algorithm to
be used with the CA PK
01
CA Public Key
Modulus
248b
Value of the modulus part
of the CA PK
AD 93 8E A9 88 8E 51 55 F8 CD 27 27 49 17 2B 3A 8C
50 4C 17 46 0E FA 0B ED 7C BC 5F D3 2C 4A 80 FD
81 03 12 28 1B 5A 35 56 28 00 CD C3 25 35 8A 96 39
C5 01 A5 37 B7 AE 43 DF 26 3E 6D 23 2B 81 1A CD
B6 DD E9 79 D5 5D 6C 91 11 73 48 39 93 A4 23 A0 A5
B1 E1 A7 02 37 88 5A 24 1B 8E EB B5 57 1E 2D 32 B4
1F 9C C5 51 4D F8 3F 0D 69 27 0E 10 9A F1 42 2F 98
5A 52 CC E0 4F 3D F2 69 B7 95 15 5A 68 AD 2D 6B 66
0D DC D7 59 F0 A5 DA 7B 64 10 4D 22 C2 77 1E CE
7A 5F FD 40 C7 74 E4 413 79 D1 13 2F AF 04 CD F5
5B 95 04 C6 DC E9 F6 17 76 D8 1C 7C 45 F1 9B 9E
FB 37 49 AC 7D 48 6A 5A D2 E7 81 FA 9D 08 2F B2 67
76 65 B9 9F A5 F1 55 31 35 A1 FD 2A 2A 9F BF 62 5C
A8 4A 7D 73 65 21 43 11 78 F1 31 00 A2 51 6F 9A 43
CE 09 5B 03 2B 88 6C 7A 6A B1 26 E2 03 BE 7
CA Public Key
Exponent
1b
CA Public Key Exponent
equal to 3
03
CA Public Key
Check Sum
20b
A check value calculated on
the concatenation of all
parts of the CA PK (RID,
CA Public Key Index, CA
Public Key Modulus, CA
Public Key Exponent)
using SHA-1
B5 1E C5 F7 DE 9B B6 D8 BC E8 FB 5F 69 BA 57 A0
42 21 F3 9B
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
APPENDIX B
Appendix B
DPAS Acronyms
34
ACRONYM
MEANING
AC
Application Cryptogram
AFD
Automated Fuel Dispenser
AID
Application Identifier
CA
Certification Authority
CA PK
Certification Authority Public Key
CA PKI
Certification Authority Public Key Index
CDDA
Combined Dynamic Data Authentication and Application Cryptogram Generation
CVM
Card Verification Method
DDA
Dynamic Data Authentication
DFS
Discover Financial Services
D-PAS
D-Payment Application Specification
E2E
End-to-End
EMV
Europay, MasterCard, Visa
ICC
Integrated Circuit Cards
ISO
International Organization for Standardization
NFC
Near Field Communication
ODA
Offline Data Authentication
OEM
Original Equipment Manufacturer
PAN
Primary Account Number
PIN
Personal Identification Number
POS
Point-of-Sale
RID
Registered Application Provider Identifier
RFF
Radio Frequency Field
SDA
Status Data Authentication
TAC
Terminal Action Code
TVR
Terminal Verification Results
VAR
Value-Added Reseller
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
APPENDIX D
Appendix C
DPAS Terminology
TERM
DEFINITION
AC
A cryptogram computed by the chip card application and used by the Issuer to verify that a
request came from the card.
Acquirer
An entity that processes credit and debit card payments on behalf of a Merchant.
Acquirer Processor
A third-party entity designated by an Acquirer and approved by DFS for the purpose of
performing certain Acquirer obligations under the Acquirer Agreement and/or the Program
Guides, subject to the limitations and requirements set forth in the Acquirer Agreement, the
Acquirer Processor Agreement and the Program Guides.
AID
An application identifier made up of the Registered Application Provider Identifier (RID) and
the Proprietary Identifier Extension (PIX).
Application PAN
A valid Cardholder account number.
Authorization
The process used to determine whether to approve a card sale or cash advance in
response to an authorization request.
Authorization Request
A request submitted by a Merchant or Acquirer, through DFS or another person acting on
our behalf, to the Issuer for authorization of a card sale or cash advance.
CA PK
The key of the CA asymmetric key pair that can be made public. Consists of a:
• CA PK Exponent – The value of the exponent part of the CA PK.
• CA PK Modulus – The value of the modulus part of the CA PK.
Cardholder
A user of a credit, debit or prepaid payment card product.
CDA
An offline authentication method performed by the terminal to verify a card via a
dynamic signature that is generated offline by the card and a cryptogram. The offline
DDA is a dynamic signature. The online Application Cryptogram Authentication is the
second signature.
Chip Card
A card with an embedded integrated chip that is a contact chip payment device, a
contactless chip payment device or a dual interface payment device.
Chip Card Transaction
A card transaction that takes place with a chip card at a chip card terminal that complies
with relevant operating regulations and technical specifications.
CVM
Method used to ensure that the person presenting the card is the person to whom the
application in the card was issued.
DDA
Offline Dynamic Data Authentication performed by the terminal to verify the dynamic
signature generated by the card for the transaction.
Note: The generated dynamic signature is different for each transaction.
EMV
The global standard for credit and debit payment cards based on chip card technology.
EMV is a trademark owned by EMVCo, LLC.
(Continued on next page.)
APPENDIX C
EMVCo
The corporation that manages, maintains and enhances the EMV ICC specifications
for chip-based payment cards and acceptance devices, including POS terminals and
ATMs.
Floor Limit
An amount designated in a Merchant Agreement as the amount below which the Merchant
is not required to obtain an online authorization for a card sale.
ICC
A card that has a chip embedded in it. Chip cards and Discover Contactless D-PAS Cards
embed such a chip.
ISO
An agency that establishes and publishes international technical standards.
Issuer
An entity that has signed a DFS Credit Issuer Agreement for the purpose of issuing DFS
payment cards in accordance with the DFS Operating Regulations and other program
documents.
JCB
A financial services company based in Tokyo, Japan also known as JCB Co., Ltd. that
operates as the JCB payment network in Japan and also issues JCB payment partners on
its network for acceptance on its network.
Key
A binary value that is used as part of an algorithm to encrypt or decrypt data.
The landing zone is the strongest RF point close to the reader. It is identified by the EMVCo
contactless symbol.
An entity engaged in commercial operations that comply with the requirements set out in the
Discover Operating Regulations and other program documents.
Landing Zone
Merchant
Merchant Agreement
A signed, written agreement between an Acquirer and a Merchant that:
• Permits the Merchant to accept cards as payment for goods and services and cash at
the Acquirer’s discretion, but not in exchange for cash, cash equivalents or the funding
of value used for future purchases (“quasi-cash”) unless specifically approved in the
Acquirer Agreement.
• Describes the terms pursuant to which Acquirer shall pay Settlement Amounts to the
Merchant for card transactions accepted by the Merchant.
• Provides a sublicense to the Merchant governing the Merchant’s use of the program
marks.
• Describes the program services provided by Acquirer to the Merchant to support card
acceptance.
ODA
The process of validating a contactless EMV card offline at POS via CDA.
PAN
The unique identifying number that is assigned by the Issuer to the card at the time of card
issuance.
Payment Brand
An organization that manages a network to facilitate payments between Cardholders and
Merchants.
Payment Device
Contactless D-PAS products can be issued in many different forms such as key fobs,
stickers or mobile phones. These devices are collectively known as “contactless payment
devices.”
PIN
The personal identification number or code assigned by an Issuer that may be used by the
Cardholder to facilitate a card sale or cash advance on a POS device.
PIX
An optional data element assigned by the application provider of up to 11 bytes which is
part of the structure of the AID.
(Continued on next page.)
36
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
APPENDIX C
37
PKI
Identifies a CA PK pair used in CDA.
Plaintext
Unenciphered information.
POS Device
An electronic card reader, chip card terminal, cash register or terminal and any necessary
software, located at the physical premises of a Merchant that is capable of electronically
capturing data from cards and receiving electronic evidence of authorization responses and
which may also be capable of transmitting electronic evidence of sales data.
Reader
A device that can communicate with a contactless D-PAS card using the RF interface.
Readers may be physically separate from a terminal or integrated inside.
RF Field
Radio Frequency Field. Contactless field generated by the Contactless Reader. The
Contactless Card must enter the RF field near the Reader landing zone to initiate a
Contactless Transaction.
RID
Part of an AID that is unique to an application provider and assigned according to
ISO/IEC 7816-5.
SDA
An authentication performed by the terminal to verify the static signature placed on a card
during the card personalization process.
Terminal
An electronic device that accepts and processes payment transactions.
Terminal Contactless CVM
Limit
This data sets the CVM limit for a particular AID based on the amount of the transaction. If
the amount of the transactions is greater than or equal to this limit, the terminal will ask the
card to perform Cardholder Verification.
Token
A surrogate value for a PAN that limits exposure to the PAN.
VAR
An entity that adds features or services to an existing product, then resells it (usually to endusers) as an integrated product or complete turnkey solution.
D-PAS U.S. Chip Terminal Guide
© 2016 DFS Services LLC | Confidential and Proprietary
APPENDIX D
Appendix D
Issuer Identification Number (IIN) Ranges that Operate on the Discover network:
DISCOVER IIN (BIN) RANGE TABLE
Start
a.
b.
c.
End
Issuing Network
Credit / Debit
Min Digits
Max Digits
30000000
30599999
DCI
Credit
16
19
30950000
30959999
DCI
Credit
16
19
35280000
35899999a
JCB
Credit
16
19
36000000
36999999b
DCI
Credit
14
19
38000000
39999999
DCI
Credit
16
19
60110000
60110399
DN
Both
16
19
60110400
60110499
PayPal
Credit
16
19
60110500
60110999
DN
Both
16
19
60112000
60114999
DN
Both
16
19
60117400
60117499
DN
Both
16
19
60117700
60117999
DN
Both
16
19
60118600
60119999
DN
Both
16
19
62212600
62292599c
UnionPay
Both
16
19
62400000
62699999c
UnionPay
Credit
16
19
62820000
62889999c
UnionPay
Credit
16
19
64400000
65059999
DN
Both
16
19
65060000
65060099
PayPal
Credit
16
19
65060100
65060999
DN
Both
16
19
65061000
65061099
PayPal
Credit
16
19
65061100
65999999
DN
Both
16
19
This IIN Range (35280000 to 35899999) shall be enabled only by Merchants, Acquirers or their Processors in connection with Merchant
relationships, POS Devices or otherwise, within the 50 States of the United States of America and the District of Columbia, Puerto Rico, the
US Virgin Islands, the Northern Mariana Islands, Palau, and Guam, subject to certain exceptions in Acquirer Agreements where applicable.
The PAN length for this IIN Range (36000000 to 36999999) is 14 digits.
The UnionPay IIN Ranges shall be enabled only by Merchants, Acquirers, or their Processors in connection with Merchant relationships,
POS Devices or otherwise, in the United States, Mexico, and the Caribbean.

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz