
Security Rules and Procedures

30 July 2015

Summary of Changes, 30 July 2015

This manual reflects changes associated with announcements in MasterCard bulletins from 15 September 2014 to 15 July 2015, and additional terminology changes.

To locate the changes listed below online, on the Adobe toolbar, click Find. In the Find box, type >> and then press ENTER. To move to the next change, press ENTER again.

Description of Change | Where to Look
--- | ---
Removed definitions of the following terms: Dual Interface Hybrid POS Terminal. | Appendix F
Updated definitions of the following terms: Interregional Transaction; Intraregional Transaction. | Appendix F
Added definitions of the following terms: Digital Goods; Dual Interface; Identification & Verification (ID&V); Multi-Account Chip Card. | Appendix F
Added access instructions for the Card Production Physical Security Requirements and the Card Production Logical Security Requirements. | 2.4
Clarified the CVC 2 value verification requirements for Issuers. | 3.9.2
Clarified the CVC 2 value provision requirements for Acquirers. | 3.9.4
Added section 6.2.1.4—Product Portfolio Management. | 6.2.1.4
Updated the recommended additional monitoring parameters for Issuers. | 6.2.1.5 (renumbered)
Added section 6.2.1.6—Additional Prepaid Monitoring Requirements. | 6.2.1.6
Added section 6.2.1.7—Fraud Detection Tool Implementation. | 6.2.1.7
Added section 6.2.1.8—Cardholder Communication Strategy. | 6.2.1.8
Clarified the Merchant deposit monitoring parameters for Acquirers. | 6.2.2.2
Moved the 150 percent threshold recommendation for Acquirer fraud loss control monitoring reports from section 6.2.2.2—Acquirer Merchant Deposit Monitoring Requirements to section 6.2.2.3. | 6.2.2.3
Updated the recommended additional monitoring parameters for Acquirers. | 6.2.2.3
Updated references from website monitoring to Merchant monitoring. | 6.2.2.3; 7.2; 13.2.2
Added MATCH compliance requirements for Acquirers. | 7.1.2
Removed MCC 9754 from the types of non-face-to-face gambling Merchants required to be registered using the MRP. | 9.1; 9.4.2
Added MCCs 7801 and 7802 to the types of non-face-to-face gambling Merchants required to be registered using the MRP. | 9.1; 9.4.2
Removed MCC 9399 from the types of state lottery Merchants required to be registered using the MRP. | 9.1; 9.4.4
Added MCC 7800 to the types of state lottery Merchants required to be registered using the MRP. | 9.1; 9.4.4
Added website URL to the information requested for each Merchant, Submerchant, or other entity required to be registered through the MRP system. | 9.2
Updated applicable references from MasterCard POS Transaction to MasterCard Transaction. | Chapter 10
Updated applicable references from Maestro POS Transaction to Maestro Transaction. | Chapter 10
Removed the definition of Point-of-Sale (POS) Transaction from the list of Account Data Compromise Event terminology. | 10.2
Updated the ADC FR determination process. | 10.2.5.5
Added references of fraudulent inter-European Maestro POS Transactions to references of fraudulent intra-European Maestro POS Transactions. | 12.2; 12.6
Added section 12.8—Digital Goods Transactions. | 12.8
Removed section 13.1.1.1—Merchant Risk Review Offering. | 13.1.1.1 (deleted)

NOTE: The changes to Appendix F (Definitions) cannot be located online using the Find box. Please scroll to Appendix F at the end of the manual to locate these changes.

NOTE: The MATCH compliance requirements added to section 7.1.2 were inadvertently omitted from the article, "Revised Standards for the Payment Facilitator and Service Provider Programs," published in Global Security Bulletin No. 10, 15 October 2014.

©1991–2015 MasterCard. Proprietary. All rights reserved.

  • Contents

    Summary of Changes, 30 July 2015....................................................................2

    Chapter 1: Customer Obligations...................................................................... 131.1 Compliance with the Standards..................................................................................141.2 Conflict with Law.......................................................................................................141.3 The Security Contact.................................................................................................. 14

    Chapter 2: Card Production Standards............................................................152.1 Compliance with Card Production Standards..............................................................162.2 Monitoring of Personnel.............................................................................................162.3 Contracting with Card Registration Companies.......................................................... 172.4 Working with Vendors............................................................................................... 18

    2.4.1 Order Request Required to Produce Cards...........................................................192.4.2 Stockpiling Plastics..............................................................................................19

    2.5 Cards Without Personalization................................................................................... 192.6 Card Count Discrepancies.......................................................................................... 192.7 Reporting Card Loss or Theft......................................................................................192.8 Disposition of Unissued Cards and Account Information.............................................20

    Chapter 3: Card and TID Design Standards.................................................. 213.1 Principles of Standardization...................................................................................... 223.2 MasterCard Account Number.....................................................................................223.3 Maestro and Cirrus Account Numbers........................................................................233.4 Signature Panel.......................................................................................................... 243.5 Magnetic Stripe or MasterCard HoloMag Encoding.................................................... 24

    3.5.1 Card Validation Code 1 (CVC 1)......................................................................... 243.5.2 Service Code...................................................................................................... 243.5.3 Cardholder Name............................................................................................... 243.5.4 Expiration Date...................................................................................................26

    3.6 Chip Cards.................................................................................................................263.6.1 Chip Card Applications.......................................................................................283.6.2 Multiple Application Chip Cards......................................................................... 283.6.3 Use of M/Chip Card Application Specifications....................................................29

    3.7 Contactless Cards and Payment Devices..................................................................... 293.8 Mobile Payment Devices.............................................................................................303.9 Card Validation Code (CVC)....................................................................................... 30

    3.9.1 Issuer Requirements for CVC 1........................................................................... 313.9.2 Issuer Requirements for CVC 2........................................................................... 32

    Contents

    ©1991–2015 MasterCard. Proprietary. All rights reserved.Security Rules and Procedures • 30 July 2015 5

  • 3.9.3 Issuer Requirements for CVC 3........................................................................... 323.9.4 Acquirer Requirements for CVC 2....................................................................... 323.9.5 CVC Calculation Methods.................................................................................. 33

    3.10 Service Codes...........................................................................................................343.10.1 Issuer Information.............................................................................................353.10.2 Acquirer Information........................................................................................ 353.10.3 Valid Service Codes...........................................................................................363.10.4 Additional Service Code Information.................................................................37

    3.11 Transaction Information Documents (TIDs)................................................................373.11.1 Formset Contents............................................................................................. 383.11.2 POS Terminal Receipt Contents......................................................................... 383.11.3 Primary Account Number Truncation and Expiration Date Omission.................. 39

    Chapter 4: Terminal and PIN Security Standards....................................... 404.1 Personal Identification Numbers (PINs)........................................................................414.2 PIN Selection and Usage.............................................................................................414.3 PIN Verification...........................................................................................................424.4 PIN Authorization Requests........................................................................................ 424.5 PIN Encipherment.......................................................................................................424.6 PIN Key Management.................................................................................................43

    4.6.1 PIN Transmission Between Customer Host Systems and the InterchangeSystem........................................................................................................................ 434.6.2 On-behalf Key Management...............................................................................44

    4.7 PIN at the POI for MasterCard Magnetic Stripe Transactions....................................... 454.8 Terminal Security Standards........................................................................................454.9 Hybrid Terminal Security Standards.............................................................................464.10 PIN Entry Device Standards.......................................................................................464.11 Wireless POS Terminals and Internet/Stand-alone IP-enabled POS TerminalSecurity Standards............................................................................................................484.12 POS Terminals Using Electronic Signature Capture Technology (ESCT)....................... 484.13 Component Authentication......................................................................................494.14 Triple DES Migration Standards.................................................................................49

    Chapter 5: Card Recovery and Return Standards...................................... 505.1 Card Recovery and Return..........................................................................................51

    5.1.1 Card Retention by Merchants............................................................................. 515.1.2 ATM Card Retention...........................................................................................525.1.3 Payment of Rewards...........................................................................................545.1.4 Reporting Fraudulent Use of Cards..................................................................... 555.1.5 Reporting Lost and Stolen Cards.........................................................................56

    5.2 Criminal and Counterfeit Investigations......................................................................575.2.1 Initiating an Investigation....................................................................................57

    Contents

    ©1991–2015 MasterCard. Proprietary. All rights reserved.Security Rules and Procedures • 30 July 2015 6

  • 5.2.2 Providing a Progress Report................................................................................ 575.2.3 Requesting an Arrest and Criminal Prosecution................................................... 575.2.4 Fees and Reimbursement of Expenses.................................................................575.2.5 Investigation of Counterfeits and Major Criminal Cases...................................... 58

    Chapter 6: Fraud Loss Control Standards...................................................... 596.1 Customer Responsibility for Fraud Loss Control.......................................................... 616.2 MasterCard Fraud Loss Control Program Standards.................................................... 61

    6.2.1 Issuer Fraud Loss Control Programs.....................................................................616.2.2 Acquirer Fraud Loss Control Programs................................................................ 656.2.3 Noncompliance with Fraud Loss Control Program Standards............................... 67

    6.3 MasterCard Counterfeit Card Fraud Loss Control Standards....................................... 676.3.1 Counterfeit Card Notification..............................................................................676.3.2 Responsibility for Counterfeit Loss...................................................................... 686.3.3 Acquirer Counterfeit Liability Program................................................................ 69

    6.4 Maestro Issuer Loss Control Program (LCP)................................................................. 716.4.1 Group 1 Issuers—Issuers with Dynamic Geo-Controls......................................... 716.4.2 Group 2 Issuers—Issuers without Dynamic Geo-Controls.................................... 726.4.3 Group 3 Issuers—Issuers Experiencing Fraud in Excess of Established Levels(“High Fraud”)............................................................................................................ 736.4.4 Fraud Detection Tool Implementation................................................................. 736.4.5 Cardholder Communication Strategy..................................................................74

    Chapter 7: Merchant, Submerchant, and ATM Owner Screeningand Monitoring Standards....................................................................................75

    7.1 Screening New Merchants, Submerchants, and ATM Owners..................................... 767.1.1 Merchant Screening Procedures..........................................................................767.1.2 Submerchant Screening Procedures.................................................................... 777.1.3 ATM Owner Screening Procedures...................................................................... 787.1.4 Evidence of Compliance with Screening Procedures............................................ 787.1.5 Retention of Investigative Records.......................................................................797.1.6 Assessments for Noncompliance with Screening Procedures............................... 80

    7.2 Ongoing Monitoring.................................................................................................. 807.3 Merchant Education...................................................................................................817.4 Additional Requirements for Certain Merchant and Submerchant Categories............. 81

    Chapter 8: MasterCard Fraud Control Programs........................................828.1 Presenting Valid Transactions......................................................................................84

    8.1.1 Notifying MasterCard—Acquirer Responsibilities.................................................848.1.2 Notifying MasterCard—Issuer Responsibilities..................................................... 848.1.3 MasterCard Audit...............................................................................................84

    Contents

    ©1991–2015 MasterCard. Proprietary. All rights reserved.Security Rules and Procedures • 30 July 2015 7

  • 8.2 Global Merchant Audit Program.................................................................................868.2.1 Acquirer Responsibilities..................................................................................... 878.2.2 Tier 3 Special Merchant Audit.............................................................................878.2.3 Chargeback Responsibility.................................................................................. 898.2.4 Exclusion from the Global Merchant Audit Program............................................908.2.5 Notification of Merchant Identification................................................................928.2.6 Merchant Online Status Tracking (MOST) System................................................ 93

    8.3 Excessive Chargeback Program...................................................................................948.3.1 ECP Definitions...................................................................................................948.3.2 Reporting Requirements..................................................................................... 958.3.3 Assessments....................................................................................................... 968.3.4 Issuer Reimbursement.........................................................................................988.3.5 Additional Tier 2 ECM Requirements.................................................................. 98

    8.4 Questionable Merchant Audit Program (QMAP)..........................................................998.4.1 QMAP Definitions...............................................................................................998.4.2 MasterCard Commencement of an Investigation.............................................. 1018.4.3 MasterCard Notification to Issuers.................................................................... 1018.4.4 MasterCard Notification to Acquirers................................................................ 1028.4.5 Merchant Termination.......................................................................................1028.4.6 MasterCard Determination............................................................................... 1028.4.7 Chargeback Responsibility................................................................................ 1038.4.8 Fraud Recovery................................................................................................. 1038.4.9 QMAP Fees.......................................................................................................103

    8.5 Issuer Monitoring Program (IMP).............................................................................. 1048.5.1 Identification Criteria........................................................................................ 1048.5.2 MasterCard Audit and Questionnaire................................................................1048.5.3 Subsequent Issuer Identifications in the IMP......................................................105

    Chapter 9: MasterCard Registration Program........................................... 1069.1 MasterCard Registration Program Overview..............................................................1079.2 General Registration Requirements...........................................................................107

    9.2.1 Merchant Registration Fees and Noncompliance Assessments...........................1089.3 General Monitoring Requirements............................................................................1099.4 Additional Requirements for Specific Merchant Categories....................................... 109

    9.4.1 Non-face-to-face Adult Content and Services Merchants.................................. 1099.4.2 Non–face-to-face Gambling Merchants.............................................................1099.4.3 Pharmaceutical and Tobacco Product Merchants............................................... 1119.4.4 State Lottery Merchants (U.S. Region Only).......................................................1129.4.5 Skill Games Merchants (U.S. Region Only).........................................................113

    Contents

    ©1991–2015 MasterCard. Proprietary. All rights reserved.Security Rules and Procedures • 30 July 2015 8

  • Chapter 10: Account Data Protection Standards and Programs...... 11510.1 Account Data Protection Standards........................................................................ 11610.2 Account Data Compromise Events......................................................................... 116

    10.2.1 Policy Concerning Account Data Compromise Events and Potential AccountData Compromise Events...........................................................................................11710.2.2 Responsibilities in Connection with ADC Events and Potential ADC Events......11810.2.3 Forensic Report...............................................................................................12210.2.4 Alternative Standards Applicable to Certain Merchants...................................12310.2.5 MasterCard Determination of ADC Event or Potential ADC Event................... 12410.2.6 Assessments and/or Disqualification for Noncompliance................................. 13110.2.7 Final Financial Responsibility Determination.................................................... 131

    10.3 MasterCard Site Data Protection (SDP) Program......................................................13210.3.1 Payment Card Industry Data Security Standards.............................................. 13210.3.2 Compliance Validation Tools........................................................................... 13310.3.3 Acquirer Compliance Requirements................................................................ 13310.3.4 Implementation Schedule............................................................................... 135

    10.4 Connecting to MasterCard—Physical and Logical Security Requirements................ 14110.4.1 Minimum Security Requirements.....................................................................14110.4.2 Additional Recommended Security Requirements............................................14210.4.3 Ownership of Service Delivery Point Equipment.............................................. 142

    Chapter 11: MATCH System................................................................................14411.1 MATCH Overview...................................................................................................145

    11.1.1 System Features..............................................................................................14511.1.2 How does MATCH Search when Conducting an Inquiry?................................ 145

    11.2 MATCH Standards..................................................................................................14811.2.1 Certification................................................................................................... 14911.2.2 When to Add a Merchant to MATCH..............................................................14911.2.3 Inquiring about a Merchant............................................................................ 14911.2.4 MATCH Noncompliance Assessments............................................................. 15011.2.5 Exceptions to MATCH Standards.....................................................................15011.2.6 MATCH Record Retention...............................................................................151

    11.3 Merchants Listed by MasterCard............................................................................ 15111.3.1 Questionable Merchants.................................................................................151

    11.4 Merchant Removal from MATCH............................................................................15111.5 MATCH Reason Codes........................................................................................... 152

    11.5.1 Reason Codes for Merchants Listed by the Acquirer........................................15211.5.2 Reason Codes for Merchants Listed by MasterCard.........................................154

    11.6 Requesting Access to and Using MATCH................................................................ 15511.7 Legal Notice........................................................................................................... 156

    Contents

    ©1991–2015 MasterCard. Proprietary. All rights reserved.Security Rules and Procedures • 30 July 2015 9

  • Chapter 12: System to Avoid Fraud Effectively (SAFE) ReportingStandards.....................................................................................................................157

    12.1 SAFE Overview....................................................................................................... 15812.2 SAFE Fraud Reporting Standards............................................................................ 158

    12.2.1 Digital Secure Remote Payment Transactions and Tokenized Account Data......15812.3 SAFE Reason Codes................................................................................................15912.4 Data Accuracy and Integrity................................................................................... 16012.5 Timely Reporting of MasterCard and Debit MasterCard Transactions...................... 160

    12.5.1 Tier I Reporting Requirement.......................................................................... 16112.5.2 Tier II Reporting Requirement ........................................................................ 16112.5.3 Tier III Reporting Requirement.........................................................................161

    12.6 Timely Reporting of Maestro Transactions...............................................................16112.7 Timely Reporting of Cirrus Transactions.................................................................. 16112.8 Digital Goods Transactions..................................................................................... 16112.9 Fraud-related Chargebacks.....................................................................................16212.10 High Clearing Transaction Volume........................................................................16212.11 Transaction Amount.............................................................................................16212.12 Resubmitting Rejected Transactions...................................................................... 16212.13 Noncompliance Assessments................................................................................16312.14 Variances ............................................................................................................ 163

    Chapter 13: Global Risk Management Program....................................... 16413.1 About the Global Risk Management Program.........................................................165

    13.1.1 Customer Onboarding Reviews.......................................................................16513.1.2 Third Party Risk Reviews..................................................................................16613.1.3 Customer Risk Reviews................................................................................... 16613.1.4 Customer Consultative Reviews...................................................................... 166

    13.2 Global Risk Management Program Review Topics................................................... 16713.2.1 Issuer Global Risk Management Program Review Topics.................................. 16713.2.2 Acquirer Global Risk Management Program Review Topics..............................167

    13.3 Global Risk Management Program Reports.............................................................16813.4 Customer Risk Review Conditions.......................................................................... 169

    13.4.1 Customer Risk Review Issuer Criteria ..............................................................16913.4.2 Customer Risk Review Acquirer Criteria.......................................................... 16913.4.3 Basis Points Calculation.................................................................................. 170

    13.5 Global Risk Management Program Fees..................................................................17013.6 Noncompliance with Fraud Loss Control Standards.................................................170

    Appendix A: Track Data Content and Format........................................... 171A.1 Track 1 Data Content and Format............................................................................ 172

    Contents

    ©1991–2015 MasterCard. Proprietary. All rights reserved.Security Rules and Procedures • 30 July 2015 10

  • A.2 Track 2 Data Content and Format............................................................................ 174

    Appendix B: Formset Specifications...............................................................178B.1 MasterCard Formset Specifications...........................................................................179

    B.1.1 Formset Physical Dimensions.............................................................................179B.1.2 Standard Wording............................................................................................ 179B.1.3 Number of Copies and Retention Requirements................................................179B.1.4 Paper Stock Characteristics............................................................................... 180B.1.5 Color of Interchange Copy............................................................................... 180B.1.6 Carbon.............................................................................................................180B.1.7 Registration Mark............................................................................................. 180B.1.8 Formset Numbering..........................................................................................180B.1.9 Information Slip Specifications.......................................................................... 181

B.2 Formset Printing Standards ............................................. 181
B.2.1 Financial Transaction Formsets ....................................... 181
B.2.2 Information Slip Formsets ............................................ 182
B.2.3 Imprinters ........................................................... 183

Appendix C: Contact Information ............................................ 184
C.1 Security and Risk Services ............................................. 185
C.2 Merchant Fraud Control ................................................. 185
C.3 Account Data Compromise Events ......................................... 186
C.4 Card Design Management ................................................. 186
C.5 MasterCard Connect™ Applications ....................................... 187
C.6 Customer Operations Services ........................................... 187
C.7 Questionable Merchant Activity ......................................... 188

Appendix D: Best Practices Guides .......................................... 190
D.1 Acquirers’ Best Practices Guide ........................................ 191
D.2 MasterCard Debit Card and ATM Debit/Credit Card Fraud Guide ............ 191
D.3 Issuers’ Best Practices Guide .......................................... 191
D.4 Prepaid Card Fraud and Risk Management Best Practices Guide ............ 191
D.5 Security Guidelines for Merchants’ Terminals ........................... 192
D.6 How to Access the “Best Practices” Guides .............................. 192

Appendix E: Card Production Services ....................................... 193
E.1 Card Production Services ............................................... 194


Appendix F: Definitions .................................................... 196

Notices .................................................................... 227


Chapter 1 Customer Obligations

This chapter describes general Customer compliance and Program obligations relating to MasterCard Card issuing and Merchant acquiring Program Activities.

1.1 Compliance with the Standards .......................................... 14
1.2 Conflict with Law ...................................................... 14
1.3 The Security Contact ................................................... 14


1.1 Compliance with the Standards

    This manual contains Standards. Each Customer must comply fully with these Standards.

All of the Standards in this manual are assigned to noncompliance category A under the compliance framework set forth in Chapter 2 of the MasterCard Rules manual (“the compliance framework”), unless otherwise specified in the table below. The noncompliance assessment schedule provided in the compliance framework pertains to any Standard in the Security Rules and Procedures manual that does not have an established compliance Program. The Corporation may deviate from the schedule at any time.

Section Number   Section Title                                   Category

1.3              The Security Contact                            C

2.3              Contracting with Card Registration Companies    C

7.1.5            Retention of Investigative Records              C

B.1.2            Standard Wording                                B

    1.2 Conflict with Law

A Customer is excused from compliance with a Standard in any country or region of a country only to the extent that compliance would cause the Customer to violate local applicable law or regulation, and further provided that the Customer promptly notifies the Corporation, in writing, of the basis for and nature of an inability to comply. The Corporation has the authority to approve local alternatives to these Standards.

    1.3 The Security Contact

Each Customer must have a Security Contact listed for each of its Member IDs/ICA numbers in the Member Information tool on MasterCard Connect™.


Chapter 2 Card Production Standards

This chapter may be of particular interest to Customers that issue Cards, and includes requirements for personnel responsible for the tasks associated with producing Cards.

2.1 Compliance with Card Production Standards .............................. 16
2.2 Monitoring of Personnel ................................................ 16
2.3 Contracting with Card Registration Companies ........................... 17
2.4 Working with Vendors ................................................... 18
2.4.1 Order Request Required to Produce Cards .............................. 19
2.4.2 Stockpiling Plastics ................................................. 19
2.5 Cards Without Personalization .......................................... 19
2.6 Card Count Discrepancies ............................................... 19
2.7 Reporting Card Loss or Theft ........................................... 19
2.8 Disposition of Unissued Cards and Account Information .................. 20


2.1 Compliance with Card Production Standards

As used in this section, and unless otherwise specified, the term “Card production” is applicable with respect to Cards and other types of Access Devices, including Contactless Payment Devices and Mobile Payment Devices.

An Issuer engaged in Card production must comply with all applicable Standards, including but not limited to those set forth in this chapter and in the following documents:

• Card Design Standards
• Card Production Physical Security Requirements
• Card Production Logical Security Requirements
• Security Requirements for Mobile Payment Provisioning

The Card Production Physical Security Requirements and the Card Production Logical Security Requirements documents are available on the Payment Card Industry Security Standards Council (PCI SSC) website under the Card Production tab at www.pcisecuritystandards.org/security_standards/documents.php.

An Issuer that uses a Card production vendor to produce Cards on its behalf must also comply with the Standards set forth in section 2.4 of this manual.

It is recommended that an Issuer that issues and/or personalizes Cards onsite at a bank branch, retail store, or other location outside of a Card production vendor facility refer to the Security Guidelines for Instant Card Issuance and Instant Card Personalization manual for information relating to the secure issuance of Cards and protection of Cardholder data at such locations.

Card production activities subject to compliance with these Standards include, by way of example and not limitation, the treatment and safeguarding of Cards, Card manufacture, printing, embossing, encoding, and mailing, as well as any phase of the production and distribution of Cards or Card account information.

    Refer to Appendix E of this manual for detailed descriptions of Card production activities.

    2.2 Monitoring of Personnel

Where permissible by law, Issuers must conduct credit and criminal record checks for all personnel handling embossed or unembossed Cards, including part-time and temporary personnel.

In addition, where permissible by law, Issuers may not employ such personnel with one or more known criminal convictions, high credit risk backgrounds, or both, in Card storage and processing areas.

Issuers also may not allow such personnel access to account numbers, embossed or unembossed Cards, embossing or encoding equipment, nor may they engage such personnel in security or waste processing work.


2.3 Contracting with Card Registration Companies

A card registration company (“Company”) is any entity that stores Card account numbers and, upon notification by the Cardholder, reports the loss or theft of the Card(s) to the Issuer(s).

Any Issuer having a contractual agreement with a Company pursuant to which the Company registers that Issuer’s Cardholder account numbers must ensure that the contract includes the following obligations on the part of the Company:

• The Company shall maintain any Cardholder information, including, without limitation, names, addresses, phone numbers, and account numbers in strictest confidence and disclose them only to the Issuer. The Company shall keep any media containing this type of information in an area limited to selected personnel having access on a need-to-know basis. Before discarding such media, the Company shall destroy it in a manner that will render the data unreadable.

• The Company shall control and limit access to account numbers stored in a computer environment by establishing procedures that must include, but are not limited to, a password system for computer remote terminal (CRT) access and control over dial-up lines or any other means of access.

• The Company may not use the name of MasterCard in any promotion or advertising, except as provided by a contractual agreement with the Issuer for purposes of soliciting and providing services to the Issuer’s Cardholders. MasterCard reserves the right to approve any such materials.

• The Company must maintain a 24-hours-per-day, seven-days-per-week service to receive Cardholder reports on lost or stolen Cards. The Company shall transmit each report immediately and in any event no later than two hours after receiving the report, by the most expeditious means, for example, phone or fax, to the appropriate Issuer.

    At a minimum, the notification must include:

– Account number
– Issuer’s name
– Cardholder’s name, address, and phone number
– Phone number where the Cardholder can be reached
– Whether the Card was lost or stolen
– Time and location of the reported loss or theft

• The Company shall report any loss or theft of Cardholder information, whether due to act or omission, to MasterCard and to the Issuer with which it has a contract within 24 hours of discovery of the loss or theft.

• The Company must convey a Cardholder request for a replacement Card to the Issuer.

• The contract must include an indemnification clause holding MasterCard, its officers, its directors and employees, its Customers, and the Issuer having the contract with the Company not liable for any loss or damage claimed by or on behalf of the Cardholder, Issuer, or other person or entity alleged to be attributable to the Company’s failure to properly provide the services described in the contract or failure to safeguard account information.

• The Company must be covered by liability, fidelity, fire, and theft insurance and must have a disaster recovery plan to ensure continuity of services in the event of natural or other events that disrupt or threaten to disrupt service, unless otherwise agreed to in writing by MasterCard. Coverage must be reasonable and adequate in consideration of the nature and volume of work performed, the plant location, physical condition, and security of the plant, and the number and duties of employees.

• The Company must comply with all applicable laws, rules, and regulations, including, without limitation, consumer protection laws, applicable to the services offered and performed by the Company.

    2.4 Working with Vendors

Before employing the services of a vendor to perform any of the Card production services described in Appendix E of this manual, a Customer must ensure that the vendor has been certified by MasterCard under the Global Vendor Certification Program (GVCP).

Prior to certification and annual recertification of a vendor facility under the GVCP, MasterCard conducts an on-site audit of the facility to evaluate its compliance with the applicable physical, logical, and mobile payment provisioning security Standards set forth in the following documents:

• Card Production Physical Security Requirements
• Card Production Logical Security Requirements
• Security Requirements for Mobile Payment Provisioning

>>>The Card Production Physical Security Requirements and the Card Production Logical Security Requirements documents are available on the PCI SSC website under the Card Production tab at www.pcisecuritystandards.org/security_standards/documents.php.

2.4.1 Order Request Required to Produce Cards

No vendor may print or manufacture any Card, sample, or facsimile, on plastic or any other material, except in response to a specific order from a Customer or from MasterCard. A Customer may order Cards by using the Card Order Request (Form 488), available in the Library section of MasterCard Connect™, or an equivalent document that provides the same information.

Form 488 (or an equivalent document) must be completed and retained by the vendor and Customer, and must be made available to MasterCard upon request.

MasterCard reserves the right to request, from time to time, Card samples for review, and will communicate any such request via the Submit a Card Design Request (Manufacturer) process on MasterCard Connect™.

    2.4.2 Stockpiling Plastics

An Issuer may not encourage a vendor to stockpile plastics or Cards or use a vendor known to engage in the practice of stockpiling plastics or Cards. Stockpiling is the practice of manufacturing excess plastics or Cards in anticipation of future orders from Customers.

    2.5 Cards Without Personalization

A Customer must not send “unfinished” Cards (as used herein, “unfinished” means a Card that has not yet been personalized with a primary account number [PAN] or expiration date) via the mail. Unfinished Cards must be shipped via secure shipping methods as described in the Card Production Physical Security Requirements. In the rare event that rapid delivery is required and secure shipping methods are infeasible, the Issuer may use an express courier service that provides shipment tracking, recipient authentication, and receipt confirmation for the shipment of no more than 500 unfinished Cards per day.

    2.6 Card Count Discrepancies

Upon receiving a shipment of Cards, the Issuer must verify that the correct Card quantity was delivered and take immediate action to resolve any Card count discrepancy and recover any missing Cards. The Issuer may use the Card count noted on each sealed carton in the Card count verification. Sealed cartons may also be opened at random, audited, and resealed. All open cartons and all sealed cartons with no Card count noted on the carton must have the contents counted.

    2.7 Reporting Card Loss or Theft

Within 24 hours of discovery, a Customer must report to MasterCard the suspected or confirmed loss or theft of any Cards while in transit from a vendor or in the Customer’s possession. The report must be sent via email to [email protected] and contain the following information:

• Issuer name and Member ID/ICA number
• Card type and quantity
• With respect to the loss or theft of Cards while in transit from a vendor:
  – The vendor name
  – The location from which the Cards were shipped
  – The date and method of shipment
  – The address to which the Cards were shipped
• Pertinent details about the loss and the investigation
• Name and phone number of contact for additional information
• Name and phone number of person reporting the loss or theft

    2.8 Disposition of Unissued Cards and Account Information

A Customer that ceases to issue Cards must promptly destroy or otherwise properly dispose of all unissued Cards and all media containing Card Account information.


Chapter 3 Card and TID Design Standards

This chapter may be of particular interest to Issuers and vendors certified by MasterCard responsible for the design, creation, and control of Cards. It provides specifications for all MasterCard, Maestro, and Cirrus Card Programs worldwide.

3.1 Principles of Standardization .......................................... 22
3.2 MasterCard Account Number .............................................. 22
3.3 Maestro and Cirrus Account Numbers ..................................... 23
3.4 Signature Panel ........................................................ 24
3.5 Magnetic Stripe or MasterCard HoloMag Encoding ......................... 24
3.5.1 Card Validation Code 1 (CVC 1) ....................................... 24
3.5.2 Service Code ......................................................... 24
3.5.3 Cardholder Name ...................................................... 24
3.5.4 Expiration Date ...................................................... 26
3.6 Chip Cards ............................................................. 26
3.6.1 Chip Card Applications ............................................... 28
3.6.1.1 Compliance Assessment and Security Testing ......................... 28
3.6.1.2 Integrated Circuit Chip Providers .................................. 28
3.6.2 Multiple Application Chip Cards ...................................... 28
3.6.3 Use of M/Chip Card Application Specifications ........................ 29
3.7 Contactless Cards and Payment Devices .................................. 29
3.8 Mobile Payment Devices ................................................. 30
3.9 Card Validation Code (CVC) ............................................. 30
3.9.1 Issuer Requirements for CVC 1 ........................................ 31
3.9.2 Issuer Requirements for CVC 2 ........................................ 32
3.9.3 Issuer Requirements for CVC 3 ........................................ 32
3.9.4 Acquirer Requirements for CVC 2 ...................................... 32
3.9.5 CVC Calculation Methods .............................................. 33
3.10 Service Codes ......................................................... 34
3.10.1 Issuer Information .................................................. 35
3.10.2 Acquirer Information ................................................ 35
3.10.3 Valid Service Codes ................................................. 36
3.10.4 Additional Service Code Information ................................. 37
3.11 Transaction Information Documents (TIDs) .............................. 37
3.11.1 Formset Contents .................................................... 38
3.11.2 POS Terminal Receipt Contents ....................................... 38
3.11.3 Primary Account Number Truncation and Expiration Date Omission ...... 39


3.1 Principles of Standardization

All Cards must be usable in all standard magnetic stripe Card-reading devices, and if a chip is present, in all hybrid terminals and devices, so that the electronic interchange of Transaction data is possible.

All embossed Cards must be usable in all standard imprinters—the embossed information must produce a clear imprint and comply with all positioning and type font Standards.

    All Cards containing a chip must be EMV-compliant. Such Cards are called Chip Cards.

All Chip Cards must have a single primary application defined by MasterCard that resides on the chip and on the magnetic stripe; the Account information appearing on the Card front must be for the primary application resident on the magnetic stripe. No Payment Application resident on the chip of a Card issued in the United States Region may have a higher application priority than the Card’s primary application.

All Payment Applications on a Chip Card must have a valid date (if applicable) and expiration date within or the same as the dates present on the Card front. The valid dates appearing on the Card front must be those of the primary application on the Card.

NOTE: A Hybrid Point-of-Sale (POS) Terminal can read both magnetic-stripe and chip Transactions and must be EMV-compliant, as set forth in section 4.8 of this manual.

NOTE: In 1996, Europay (now a wholly owned subsidiary of MasterCard and renamed MasterCard Europe SPRL), MasterCard, and Visa developed Standards for integrated circuit Cards (ICCs), terminals, and applications. EMVCo, LLC, established in 1999, is the organization that oversees and maintains the EMV specifications.

All Issuers must comply with the Card Design Standards, available on MasterCard Connect™, including but not limited to requirements relating to the following:

• Physical Card materials, dimensions, and measurements for the Card's embossing, magnetic stripe, chip, Marks, and other Card features

• Card design
• Use of Card activation and selective authorization disclosure stickers.

    3.2 MasterCard Account Number

The account number identifies the Issuer’s bank identification number (BIN), the Issuer-assigned portion of the account number, and the check digit, as shown in Table 3.1.


Table 3.1—MasterCard Account Number Sample Configuration

MasterCard Account number = 5412 75XX XXXX 9999

Configuration is as follows:

5412 75        Issuer BIN assigned by MasterCard
XX XXXX 999    Issuer-assigned portion of the Account number
9              Check digit

MasterCard assigns BINs from a block of numbers reserved by the International Organization for Standardization (ISO) for the exclusive use of MasterCard. MasterCard BINs range from 510000–559999.

The check digit is calculated using the Luhn Formula for Computing Modulus 10 (“Double-Add-Double”) Check Digit.

    3.3 Maestro and Cirrus Account Numbers

The primary account number (PAN) of a Maestro Account or Cirrus Account must be no less than 12 numeric digits and no more than 19 numeric digits in length. The PAN includes the Issuer identification number (IIN, or BIN), the Issuer-assigned portion of the individual Account number, and a check digit calculated using the Luhn Formula for Computing Modulus 10 (“Double-Add-Double”) Check Digit.

The IIN typically appears in the first six digits of the PAN, and must be assigned by the ISO Registration Authority, or a delegated authority such as MasterCard. In the event that an Issuer is found to be using an IIN that has been assigned by ISO to another entity, then within three months from the date on which ISO makes its final determination of the proper assignment of the IIN, the Issuer must replace all Cards using such IIN and MasterCard will reassign the IIN to the appropriate entity in its routing tables.

A Customer may request MasterCard to assign an IIN(s) for Maestro and Cirrus Cards. In the Europe Region, MasterCard assigns IINs from the 639000 to 639099 and 670000 to 679999 ranges, with IINs in the ranges 675900 to 675999 and 676770 to 676774 assigned only for Maestro Card issuance in the United Kingdom. These ranges are reserved by ISO for exclusive use by MasterCard. IINs from these ranges are assigned to Customers for the issuance of Cards and may not be used for any other purpose without the prior written agreement of MasterCard. These ranges must not be used to issue cards bearing competing global or regional brands.
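The check-digit and range rules of sections 3.2 and 3.3 in working form: the Luhn Double-Add-Double computation, a check-digit verification, and a classification of the leading six digits against the BIN and IIN ranges stated above. This is added example code, not MasterCard's own; the PANs it uses are constructed for the example (the BIN 541275 from Table 3.1 with a made-up Issuer-assigned portion) and are not real accounts.

```python
"""Luhn ("Double-Add-Double") check digit and BIN/IIN range checks.

Added example; every PAN used here is constructed for illustration.
"""

# Ranges as stated in sections 3.2 and 3.3 of the manual.
MASTERCARD_BIN_RANGE = (510000, 559999)
MAESTRO_CIRRUS_IIN_RANGES = ((639000, 639099), (670000, 679999))
# Sub-ranges assigned only for Maestro Card issuance in the United Kingdom.
UK_MAESTRO_IIN_RANGES = ((675900, 675999), (676770, 676774))


def luhn_check_digit(pan_body: str) -> str:
    """Return the Luhn check digit for pan_body (BIN/IIN plus Issuer-assigned portion).

    Starting with the digit immediately left of the check-digit position and moving
    left, every second digit is doubled and the digits of each doubled value are
    added together (14 -> 1 + 4 = 5, the same as subtracting 9). The check digit is
    the value that brings the running total to a multiple of 10.
    """
    if not pan_body.isdigit():
        raise ValueError("PAN body must consist of decimal digits only")
    total = 0
    for position, ch in enumerate(reversed(pan_body)):
        digit = int(ch)
        if position % 2 == 0:      # rightmost body digit is doubled, then every other one
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the PAN's final digit is the correct Luhn check digit."""
    return len(pan) >= 2 and pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def _in_ranges(value: int, ranges) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


def classify_pan(pan: str) -> str:
    """Apply the check-digit, length and range rules; return a label or 'invalid: ...'.

    The six-digit BIN/IIN is read from the leading digits, as section 3.3 describes.
    """
    if not pan.isdigit():
        return "invalid: PAN must be numeric"
    if not luhn_valid(pan):
        return "invalid: check digit mismatch"
    iin = int(pan[:6])
    if _in_ranges(iin, (MASTERCARD_BIN_RANGE,)):
        return "MasterCard"
    # Maestro and Cirrus PANs are 12 to 19 digits long (section 3.3).
    if not 12 <= len(pan) <= 19:
        return "invalid: Maestro/Cirrus PAN must be 12 to 19 digits"
    if _in_ranges(iin, UK_MAESTRO_IIN_RANGES):
        return "Maestro (United Kingdom issuance only)"
    if _in_ranges(iin, MAESTRO_CIRRUS_IIN_RANGES):
        return "Maestro/Cirrus (Europe Region assignment)"
    return "unknown: IIN not in a range listed in sections 3.2 or 3.3"


if __name__ == "__main__":
    # Constructed sample: BIN 541275 from Table 3.1, Issuer-assigned portion 000005999.
    body = "541275000005999"
    pan = body + luhn_check_digit(body)
    print(pan, classify_pan(pan))                 # 5412750000059999 MasterCard
    print("639000000005", classify_pan("639000000005"))
```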


3.4 Signature Panel

Upon issuance or reissuance, an Issuer must include written notice to all Cardholders to sign all Cards immediately when received and before initial use. Only the authorized Cardholder (the person whose name appears on the Card front) may sign the Card back. The name signed by the authorized Cardholder must match the name that appears on the Card front, regardless of the language used by the Cardholder to sign his or her name. The Issuer must state this as a condition of Card use. (The vehicle-assigned MasterCard Corporate Fleet Card is exempt from this requirement.)

    3.5 Magnetic Stripe or MasterCard HoloMag Encoding

The specifications for the physical and magnetic characteristics of the magnetic stripe on Cards must comply with ISO 7813 Credit Cards—Magnetic Stripe Encoding for Tracks 1 and 2. Production of Card plastics with low coercivity magnetic tape is prohibited. Alternatively, the Issuer may use MasterCard HoloMag™ in place of the magnetic stripe.

The Issuer of a MasterCard Card must ensure that the encoded magnetic stripe contains Track 1 and Track 2 data, and also includes the information specified in this chapter.

For a Maestro Card or Cirrus Card, only the encoding of Track 2 data is required; the encoding of Track 1 data is optional. If Track 3 is encoded, the encoding must comply with ISO 4909 Bank Cards—Magnetic Stripe Content for Track 3.

An Acquirer must transmit the full unedited magnetic stripe data with each magnetic stripe-based electronically authorized Transaction.

NOTE: The transmission of the entire contents of Track 1 or Track 2 data must be unaltered and unedited, and cannot be truncated.

    3.5.1 Card Validation Code 1 (CVC 1)

Track 1 and Track 2 of the magnetic stripe must be encoded with a CVC 1 value. Refer to section 3.9.5 of this manual for Card validation code requirements, calculation methods, and verification data.

    3.5.2 Service Code

Track 1 and Track 2 of the magnetic stripe must contain an encoded three-digit service code value. Refer to section 3.10 of this manual for service code usage requirements.

    3.5.3 Cardholder Name

NOTE: The Cardholder’s name must be present in the Account Information Area and encoded on the magnetic stripe.


The encoded Cardholder Name field in Track 1 is a variable length, alphanumeric field, with a maximum length of 26 characters within (up to) three subfields. Due to the variable length of the field, the starting position of each remaining field depends on the ending position of the Cardholder name. The Cardholder Name and Content Format table shown in Appendix A defines the specifications for encoding the Cardholder name on the magnetic stripe.

NOTE: Characters “%”, “^”, and “?” cannot be used in the Cardholder Name field, because they are used only for specified encoding purposes.

Use the following specifications to encode the Cardholder name on the magnetic stripe of all Cards:

• If the Card is a MasterCard Corporate Card product, the Cardholder name encoded on Track 1 and the name present in the Account Information Area should be the same, although the formats are different.

    For example:

BROWN/ROBERT S

• Issuers engaged in the instant issuance and/or instant personalization of Cards under the MasterCard Unembossed or MasterCard Electronic Programs or the issuance of non-personalized prepaid Cards must ensure that when a Program name appears on the Card front in place of the Cardholder name, the same Program name is also encoded in the Cardholder Name field in Track 1.

• The magnetic stripe may encode a Cardholder’s title, such as Dr., Sir, or Mrs. A separator period (.) must precede the title.

    For example:

    BROWN/ROBERT S.DR

• If two Cardholder names are present in the Account Information Area on the same Card, encode in any of the following four formats:

    BROWN/ROBERT S or

    BROWN/AGNES T or

    BROWN/ROBERT AGNES or

BROWN/ROBERT S.MR MRS

• If a Card has a company name present in the Account Information Area, in addition to a Cardholder name, encode the Cardholder name.

    For example:

    Present in the Account Information Area: ROBERT S. BROWN

    ALPHA COMPANY

    Card and TID Design Standards3.5 Magnetic Stripe or MasterCard HoloMag Encoding

    ©1991–2015 MasterCard. Proprietary. All rights reserved.Security Rules and Procedures • 30 July 2015 25

    Encoded on the magnetic stripe: BROWN/ROBERT S

    NOTE:

    The subfields surname, initials or first name, and title may contain spaces. For example:

    Present in the Account Information Area: RT REV ROBERT J SMITH

    Encoded on the magnetic stripe: SMITH/ROBERT J.RT REV

    3.5.4 Expiration Date

    The following requirements apply for the encoded expiration date:

    • The Card-read stripe must include the encoded Account’s expiration date. Acceptable expiration date values are the following:

    Year 00–99

    Month 01–12

    • The format for the encoded expiration date is YYMM, to comply with ISO specifications.

    • The encoded expiration date on Track 1 must be the same as the expiration date encoded on Track 2 and present in the Account Information Area.

    • Do not encode the start date for dual dating, except as part of the Discretionary Data field on Track 1 and Track 2 of the magnetic stripe.

    A Maestro or Cirrus Card must not use a maximum validity period of more than 20 years from the date of issuance or, for non-expiring Cards, must use the designated default value of 4912 (December 2049). For a Maestro or Cirrus Card issued in the Europe Region and using the Europay Security Platform (ESP) PIN Verification Value (PVV), the maximum validity period is the current year plus four (effectively a five-year validity period).

    The expiration date of a Chip Card must not exceed the expiration date of any of the certificates contained within the chip. In the case of a non-expiring Chip Card:

    1. The settings within the chip must force every Transaction online for authorization, or decline the Transaction if online authorization is not possible;

    2. The Chip Card must not contain an offline Card Authentication Method (CAM) certificate; and

    3. The Issuer must utilize full EMV processing.
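    The Cardholder Name rules of 3.5 and the expiration date rules of 3.5.4, as an added example that is not part of this manual and is not MasterCard code: a Go encoder and parser for the Track 1 Cardholder Name field, a YYMM check, and the Maestro/Cirrus 20-year validity check. Beyond what this chapter states, the code assumes Track 1’s 6-bit character set (bytes 0x20–0x5F, upper case only, as in the examples above), that “/” and “.” cannot appear inside a subfield because they are the subfield separators, that a two-digit year YY means 20YY, and that the 20-year limit is counted in whole months. The full track layout of Appendix A is not reproduced; the two-name formats (“ROBERT AGNES”, “MR MRS”) are simply a Given or Title subfield containing a space.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

const maxNameLen = 26 // Track 1 Cardholder Name limit stated in 3.5

// CardholderName holds the (up to) three subfields SURNAME/GIVEN.TITLE.
// Given and Title may contain spaces ("ROBERT S", "RT REV").
type CardholderName struct {
	Surname, Given, Title string
}

// checkSubfield rejects the reserved characters "%", "^" and "?", the separators
// "/" and "." inside a subfield, and (assumed Track 1 6-bit set) bytes outside 0x20-0x5F.
func checkSubfield(s string) error {
	if strings.ContainsAny(s, "%^?") {
		return fmt.Errorf("%q contains a reserved Track 1 character", s)
	}
	if strings.ContainsAny(s, "/.") {
		return fmt.Errorf("%q contains a subfield separator", s)
	}
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] > 0x5F {
			return fmt.Errorf("%q is not Track 1 encodable", s)
		}
	}
	return nil
}

// Encode builds the field; input is upper-cased, as in the manual's examples.
func (n CardholderName) Encode() (string, error) {
	surname, given, title := strings.ToUpper(n.Surname), strings.ToUpper(n.Given), strings.ToUpper(n.Title)
	if surname == "" {
		return "", errors.New("surname is required")
	}
	for _, sub := range []string{surname, given, title} {
		if err := checkSubfield(sub); err != nil {
			return "", err
		}
	}
	field := surname + "/" + given
	if title != "" {
		field += "." + title // the separator period precedes the title
	}
	if len(field) > maxNameLen {
		return "", fmt.Errorf("name field is %d characters, limit is %d", len(field), maxNameLen)
	}
	return field, nil
}

// Parse splits an encoded field; a Track 1 reader must do this to find where
// the fields after the variable-length name start.
func Parse(field string) (CardholderName, error) {
	surname, rest, found := strings.Cut(field, "/")
	if !found || surname == "" || len(field) > maxNameLen {
		return CardholderName{}, fmt.Errorf("%q is not a valid Cardholder Name field", field)
	}
	given, title, _ := strings.Cut(rest, ".")
	return CardholderName{Surname: surname, Given: given, Title: title}, nil
}

// ValidateExpiryYYMM checks the 3.5.4 format: four digits, year 00-99, month 01-12.
func ValidateExpiryYYMM(exp string) error {
	if len(exp) != 4 || strings.Trim(exp, "0123456789") != "" {
		return errors.New("expiration date must be four digits, YYMM")
	}
	if mm := int(exp[2]-'0')*10 + int(exp[3]-'0'); mm < 1 || mm > 12 {
		return fmt.Errorf("month %02d is out of range", mm)
	}
	return nil
}

// MaestroCirrusExpiryOK applies the 3.5.4 validity rule: the non-expiring default
// 4912, or at most 20 years after issuance. Assumptions: YY is 20YY; whole months.
func MaestroCirrusExpiryOK(exp string, issued time.Time) (bool, error) {
	if err := ValidateExpiryYYMM(exp); err != nil {
		return false, err
	}
	if exp == "4912" {
		return true, nil
	}
	yy := int(exp[0]-'0')*10 + int(exp[1]-'0')
	mm := int(exp[2]-'0')*10 + int(exp[3]-'0')
	months := (2000+yy-issued.Year())*12 + mm - int(issued.Month())
	return months >= 0 && months <= 20*12, nil
}

func main() {
	fmt.Println(CardholderName{"Smith", "Robert J", "Rt Rev"}.Encode())
	fmt.Println(Parse("BROWN/ROBERT S.DR"))
	fmt.Println(MaestroCirrusExpiryOK("3508", time.Date(2015, time.July, 30, 0, 0, 0, 0, time.UTC)))
}
```

    Encode refuses a field longer than 26 characters rather than truncating it, because a truncated name shifts every field that follows it on Track 1; Parse applies the same limit before it splits on the separators.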

    3.6 Chip Cards

    Chip Cards, also known as integrated circuit or smart Cards, are credit or debit Cards containing computer chips with memory and interactive capabilities, and can be used to identify and store additional data about the Cardholder, the Cardholder account, or both. Chip Cards may have contact functionality or both contact and contactless functionality.


    Issuers of Chip Cards must comply with all applicable Standards, including but not limited to the Standards set forth in the M/Chip Requirements manual and other M/Chip documentation, and with the EMV specifications.

    The Issuer of a Chip Card must implement M/Chip as the EMV payment application on the Card, in accordance with a current M/Chip Card application specification.

    A contact Chip Card may be issued or re-issued under an online-only Card Program (herein, an “online-only contact chip Card”). An online-only contact chip Card is configured to always require a POS Terminal to obtain online authorization from the Issuer for a contact chip Transaction.

    Effective as of the dates described below, the Issuer of a contact Chip Card must perform an online Card authentication method (online CAM) for each online-authorized contact Chip Transaction by validating the Authorization Request Cryptogram (ARQC) contained in the Authorization Request/0100 or Financial Transaction Request/0200 message and populating DE 55, including an Authorization Response Cryptogram (ARPC), in the Authorization Request Response/0110 or Financial Transaction Request Response/0210 message. Alternatively, if the Issuer’s host system does not support ARQC validation, the Issuer must be enrolled in the MasterCard M/Chip Cryptogram Pre-Validation Service.

    • Any Issuer located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle East/Africa Region that is not in compliance must establish a compliance action plan by 1 January 2015.

    • All Issuers located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle East/Africa Region must be in compliance by 17 April 2015.

    • All Issuers located in the United States Region must be in compliance by 1 October 2015.

    All Chip Cards, except Cards issued under an online-only Card Program, must support Static Data Authentication (SDA) (unless prohibited within a Region) or Dynamic Data Authentication (DDA) as the offline CAM, to reduce the risk of counterfeit fraud. (Support of both DDA and Combined Data Authentication [CDA] is highly recommended.) Online-only contact chip Cards are not required to support offline CAM for contact chip Transactions.

    Any Chip Card issued or reissued in the Europe Region on or after 1 January 2011, and any Chip Card issued or re-issued in the Asia/Pacific Region, Canada Region, Latin America and the Caribbean Region, or Middle East/Africa Region on or after 16 October 2015:

    • Must, at a minimum, support DDA as the offline CAM for contact chip Transactions, except Cards issued under an online-only Card Program; and

    • Must not support SDA.

    Any Chip Card issued or reissued in the United States Region, if configured to support offline authorization, must support DDA or both DDA and CDA as the offline CAM(s) for contact chip Transactions and must not support SDA.

    NOTE: Issuers must define their priority of PIN verification methods within the chip. Offline PIN verification is recommended as the first priority.

    Support of CDA on Chip Cards is optional.


    3.6.1 Chip Card Applications

    All Payment Applications must be type-approved by MasterCard prior to Chip Card production. Furthermore, the composition of the chip, the operating system (if present), and the EMV application must have successfully passed a Compliance Assessment and Security Testing (CAST) security evaluation.

    Issuers must define within the chip the preferred verification method for Point-of-Interaction (POI) Transactions. A non-Customer that personalizes Payment Applications acts on behalf of the Card Issuer and must conform to MasterCard security Standards.

    Issuers using M/Chip 4 should refer to the M/Chip Personalization Data Specifications and Profiles and the M/Chip 4 Version 1.1 Issuer Guide to Debit and Credit Parameter Management for more information.

    Issuers using M/Chip Advance should refer to the M/Chip Advance Personalization Data Specifications and the M/Chip Advance—Issuer Guide for more information.

    3.6.1.1 Compliance Assessment and Security Testing

    MasterCard has established the CAST process to assist its Issuers in promoting the continuous improvement of security Standards for the implementation of all MasterCard Chip Cards. Issuers may only issue Chip Cards that have been certified under the CAST process and appear on the CAST Approved Products list (Chip Cards that have undergone a successful evaluation against the CAST Security Guidelines using a recognized evaluation laboratory). Cards will typically remain on the CAST Approved Products list for three years from the evaluation date.

    Prior to Chip Card production, purchase, and distribution, Issuers must confirm with their vendor(s) that the Chip Card will be on the CAST Approved Products list over the intended period of issuance and adjust their procurement quantities accordingly.

    For information regarding CAST, refer to the Compliance Assessment and Security Testing Program manual or contact the Chip Help Desk at [email protected].

    3.6.1.2 Integrated Circuit Chip Providers

    An Issuer must obtain all EMV chips for embedding on a Card from an EMV chip manufacturer that has been approved in advance by MasterCard.

    MasterCard periodically publishes a list of approved EMV chip manufacturers in a Global Security Bulletin. For more information, contact the Chip Help Desk at [email protected].

    3.6.2 Multiple Application Chip Cards

    Any Card Program may reside on a chip, and any combination of Card Programs may reside together on a single Chip Card. All credit, debit, charge, and stored-value applications residing on a single Chip Card must be offered by, and are the responsibility of, the Card Issuer.

    Additionally, all other applications stored on a Chip Card by any Issuer, or by any other party at an Issuer’s request, must conform to all relevant technical specifications of MasterCard or its agent.


    3.6.3 Use of M/Chip Card Application Specifications

    Chip Card products that incorporate any implementation of the MasterCard M/Chip Card application specifications may only be used on MasterCard, Maestro, and Cirrus Cards and Access Devices, unless otherwise agreed in writing by MasterCard.

    The M/Chip Card application specifications are available on MasterCard Connect™ in the Chip Information Center.

    3.7 Contactless Cards and Payment Devices

    MasterCard prohibits the encoding of the Cardholder name in the contactless chip of a contactless-enabled Card (“Contactless Card”) or Contactless Payment Device in a way that allows such information to be transmitted via the radio frequency (RF) contactless interface. This restriction applies to all newly issued and re-issued contactless-enabled Cards and Contactless Payment Devices.

    Effective as of the dates described below, the Issuer of a Contactless Card or Contactless Payment Device must perform an online CAM for each online-authorized EMV Mode Contactless Transaction by validating the Authorization Request Cryptogram (ARQC) contained in the Authorization Request/0100 or Financial Transaction Request/0200 message. Alternatively, if the Issuer’s host system does not support ARQC validation, the Issuer must be enrolled in the MasterCard M/Chip Cryptogram Pre-Validation Service.

    • Any Issuer located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle East/Africa Region that is not in compliance must establish a compliance action plan by 1 January 2015.

    • All Issuers located in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle East/Africa Region must be in compliance by 17 April 2015.

    • All Issuers located in the United States Region must be in compliance by 1 October 2015.

    A Contactless Card or Contactless Payment Device with M/Chip functionality that is issued or re-issued in the Asia/Pacific, Canada, Europe, Latin America and the Caribbean, or Middle East/Africa Region:

    • Must support CDA as the offline CAM, unless it supports online-only authorization of Contactless Transactions; and

    • Must not support SDA as the offline CAM.

    A Contactless Card or Contactless Payment Device with M/Chip functionality that is issued or re-issued in the United States Region:

    • Must be configured to support both online and offline authorization of Contactless Transactions; and

    • Must support CDA as the offline CAM and must not support SDA.

    Refer to the M/Chip Requirements for additional details.


    3.8 Mobile Payment Devices

    There is no limitation on the type of account that may co-reside on the same Mobile Payment Device user interface, so long as such accounts are not linked, but rather exist independently and are accessed by a separate and distinct Payment Application hosted on the same or different user interfaces.

    Mobile Payment Devices may support MasterCard contactless payment and/or Digital Secure Remote Payment (DSRP) functionality. If an Issuer chooses to add this functionality to a Secure Element (SE)-based Mobile Payment Device, the application software, personalization data, and all other aspects of the functionality must comply with the requirements set forth in the Standards, including but not limited to the following, as may be published by MasterCard from time to time:

    • Mobile MasterCard PayPass User Interface Application Requirements,

    • M/Chip Mobile Issuer Implementation Guide v1.1,

    • the contactless branding Standards, and

    • any other applicable technical specifications.

    For Mobile Payment Devices supporting MasterCard contactless payment or DSRP functionality that do not use an SE, Issuers should refer to the MasterCard Cloud-Based Payment (MCBP) documentation.

    Issuers should also refer to the mobile payment security guidelines set forth in the Security Guidelines for Mobile Payment Solutions.

    The SE must be CAST-approved and have received a mobile payment certificate number (MPCN). Issuers may choose a CAST-approved SE (with corresponding MPCN) from the list published on MasterCard Connect. The Mobile Payment Device itself does not undergo a CAST approval. Prior to issuance of the SE-based Mobile Payment Device, the Payment Application must also pass the functional and security testing program, for which a letter of approval will be issued by MasterCard.

    For information regarding CAST, refer to the Compliance Assessment and Security Testing Program manual. For information regarding a letter of approval, refer to the M/Chip Mobile Issuer Implementation Guide v1.1.

    3.9 Card Validation Code (CVC)

    The CVC is a security feature with components identified elsewhere in this manual. Use of CVCs makes it more difficult for counterfeiters to alter Cards and reuse them for fraudulent purposes.

    NOTE: CVC 1 and CVC 2 are mandatory security features for all MasterCard Cards.

    CVC 1 must be encoded on Track 1 and Track 2 in three contiguous positions in the Discretionary Data field of the magnetic stripe on all MasterCard Cards.


    Maestro Cards and Cirrus Cards issued or reissued on or after 11 January 2013 and with a PAN of 16 digits or less must support CVC 1 on the magnetic stripe and Chip CVC in the Track 2 Equivalent Data field.

    Chip CVC must be encoded in the Track 2 Equivalent Data field in three contiguous positions within the Discretionary Data field of the chip on all Chip Cards and must be different from the CVC 1 value encoded on the magnetic stripe. Because the two values differ, Track 2 Equivalent Data read from the chip cannot simply be written to a counterfeit magnetic stripe and pass CVC 1 verification.

    All Chip Card Issuers, including those using the Chip-to-Magnetic Stripe Conversion Service, must use different values for CVC 1 and Chip CVC for all new and reissued Cards.

    The following applies to contactless-enabled Cards (“Contactless Cards”) and Contactless Payment Devices:

    • All magnetic stripe profile Contactless Cards and Contactless Payment Devices must generate a dynamic CVC 3.

    • All M/Chip Contactless Cards and Contactless Payment Devices issued before 1 January 2010 that are capable of performing a Magnetic Stripe Mode Contactless Transaction must either be encoded with a static CVC 3 or be able to generate a dynamic CVC 3.

    • All M/Chip Contactless Cards and Contactless Payment Devices issued on or after 1 January 2010 that are capable of performing a Magnetic Stripe Mode Contactless Transaction must generate a dynamic CVC 3.

    Refer to the M/Chip Requirements for additional details.

    Refer to Appendix A for track data layout, format, and content requirements. Refer to section 3.9.5 for CVC calculation methods.

    Refer to the M/Chip Requirements for information about Chip CVC.

    Refer to the M/Chip Processing Services—Service Description manual for information about the Chip-to-Magnetic Stripe Conversion Service.

    3.9.1 Issuer Requirements for CVC 1

    MasterCard Issuers must:

    • Encode the CVC 1 on Tracks 1 and 2

    • Verify the encoded CVC 1 when processing a Card-read authorization request

    The Issuer verifies the CVC 1 value from the Card-read data as transmitted in the authorization request during the online authorization process. The Issuer’s host can perform the verification.

    NOTE: Certification is required for Issuers to validate the CVC 1 value during the authorization process and to signal CVC 1 validation errors. Refer to Chapter 4 of the Authorization Manual for more information.

    When an Issuer is “timed out” or unavailable, the Stand-In Processing Service provides an authorization request response. If an Issuer is signed up for CVC 1 verification, the Stand-In Processing Service performs an additional test to verify that the CVC 1 value is valid.


    MasterCard may mandate participation in CVC 1 verification in the Stand-In Processing Service for an Issuer with both 35 basis points of Transactions authorized by means of Stand-In processing and significant counterfeit activity within a calendar quarter. Refer to Chapter 6 of the Authorization Manual for more information.

    3.9.2 Issuer Requirements for CVC 2

    An Issuer must verify the CVC 2 value when provided by the Merchant and transmitted by the Acquirer in Data Element (DE) 48 (Additional Data—Private Use), subelement 92 (CVC 2) of the Authorization Request/0100 message or Financial Transaction Request/0200 message … or Financial Transaction Request Response/0210 message

    3.9.5 CVC Calculation Methods

    The Issuer may calculate the CVC 1, CVC 2, and Chip CVC by one of two methods:

    • Issuer proprietary calculation—which gives the Issuer the option to derive the CVC algorithmically.

    • Data Encryption Standard (DES) software—where the Issuer can perform the calculation through a DES software application within a host system or through use of a tamper-resistant security module (TRSM).

    Issuers that choose the DES software method must use the DES algorithm procedure to generate the CVC 1, CVC 2, and Chip CVC.

    The DES algorithm procedure is described below and is also published in the following documents:

    • ANSI X3.92-1981 American National Standard, Data Encryption Algorithm

    • ISO/IEC 18033-3:2010, Information technology—Security techniques—Encryption algorithms—Part 3: Block ciphers (see Annex A)

    The DES method algorithm generates the three-digit CVC 1 for the Discretionary Data field of Track 1 and Track 2. The Issuer also uses this method to generate the three-digit CVC 2 and Chip CVC. This algorithm procedure applies only to Issuers that implement the CVC generation process in their host systems.

    MasterCard requires two 64-bit cryptographic DES keys for use in the generation process. An Issuer may use the same two 64-bit DES keys for generating the CVC 1, CVC 2, and Chip CVC (but not the CVC 3), provided that separate service codes are used. The same keys should not be shared among multiple Issuers, such as when Issuers use a common Service Provider for CVC 1, CVC 2, and Chip CVC processing.

    MasterCard strongly discourages Issuers from using a CVC 2 value of “000.”

    The DES algorithm procedure is performed by following the eight steps below:

    1. If the primary account number (PAN) is longer than 16 digits, extract the last 16 digits of the PAN.

    2. Construct a string of bits by concatenating (left to right) the sequence of 4-bit values (or nibbles), each of which is the binary representation of a numeric digit in the CVC Data Elements, in the order indicated in Table 3.2:

    NOTE: The Issuer must perform independent calculations to produce each CVC value.

    Table 3.2—CVC Data Elements

    Output from Step 1 (the last 16 PAN digits)
      For CVC 1: Output from Step 1
      For CVC 2: Output from Step 1
      For Chip CVC: Output from Step 1
      Length (all): 16

    Card expiration date
      For CVC 1: as presented in Track 2 encoding
      For CVC 2: as presented in the Account Information Area of the Card front
      For Chip CVC: as presented in Track 2 Equivalent Data encoding
      Length (all): 4 (see note 1 below)

    Service code
      For CVC 1: value must NOT be “000”
      For CVC 2: value must be “000”
      For Chip CVC: value must be “999”
      Length (all): 3

    Total length: 23 (see note 2 below)

    3. Apply ISO/IEC 9797-1 “MAC Algorithm 3”, “Padding Method 1” to the string created inStep 2, using two independent DES keys, to produce an 8-byte result.

    4. From the result of Step 3, going from left to right, a nibble at a time, extract all nibbles that correspond to numeric digits (0–9); left-justify these digits in a 16-position field.

    5. From the result of Step 3, going from left to right, a nibble at a time, extract all nibbles that correspond to hexadecimal characters (A–F). To compensate for hexadecimal, subtract 10 from each extracted hexadecimal digit.

    6. Concatenate the resulting digits from Step 5 to the right of the digits extracted in Step 4.

    7. Set the CVC to the three left-most digits of the decimal string created in Step 6.

    8. Run the program three times, once for each CVC, using the CVC data elements indicated in Table 3.2.
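    The eight-step DES procedure above, as an added example that is not part of this manual and is not MasterCard’s code: a Go implementation using only the standard library (crypto/des), generalized so that one function produces CVC 1, CVC 2 or Chip CVC and enforces the service code rule of Table 3.2 for each. Step 3 is implemented as ISO/IEC 9797-1 MAC Algorithm 3: a single-DES CBC-MAC under the first key, with the final block decrypted under the second key and re-encrypted under the first; Padding Method 1 means the 92-bit string is right-padded with zero bits to two 8-byte blocks. The keys and PAN in main are constructed test values; in production the keys belong in the TRSM option the manual describes, not in host memory. CVC 3 is out of scope, as the manual says.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// CVCKind selects the service code value Table 3.2 prescribes for each CVC.
type CVCKind int

const (
	CVC1    CVCKind = iota // service code as encoded on the stripe, never "000"
	CVC2                   // fixed service code "000"
	ChipCVC                // fixed service code "999"
)

// cvcInput performs Steps 1 and 2: the last 16 PAN digits, the YYMM expiry and
// the 3-digit service code packed as 23 BCD nibbles (92 bits), then zero-padded
// to two DES blocks (ISO/IEC 9797-1 Padding Method 1).
func cvcInput(pan, expiryYYMM, serviceCode string) ([]byte, error) {
	if len(pan) > 16 {
		pan = pan[len(pan)-16:]
	}
	digits := pan + expiryYYMM + serviceCode
	if len(pan) != 16 || len(expiryYYMM) != 4 || len(serviceCode) != 3 || strings.Trim(digits, "0123456789") != "" {
		return nil, errors.New("need 16 PAN digits, a YYMM expiry and a 3-digit service code, all numeric")
	}
	// Every character is 0-9, so hex-decoding the string is exactly its BCD packing.
	return hex.DecodeString(digits + strings.Repeat("0", 32-len(digits)))
}

// retailMAC is Step 3, ISO/IEC 9797-1 MAC Algorithm 3: a single-DES CBC-MAC under
// k1 over already padded data, with the final block decrypted under k2 and
// re-encrypted under k1.
func retailMAC(k1, k2, data []byte) ([]byte, error) {
	c1, err1 := des.NewCipher(k1)
	c2, err2 := des.NewCipher(k2)
	if err1 != nil || err2 != nil || len(data) == 0 || len(data)%des.BlockSize != 0 {
		return nil, errors.New("keys must be 8 bytes and data a non-empty multiple of 8 bytes")
	}
	h := make([]byte, des.BlockSize) // chaining value, starts at zero
	x := make([]byte, des.BlockSize)
	for i := 0; i < len(data); i += des.BlockSize {
		for j := range x {
			x[j] = data[i+j] ^ h[j]
		}
		c1.Encrypt(h, x)
	}
	c2.Decrypt(x, h)
	c1.Encrypt(h, x)
	return h, nil
}

// decimalize performs Steps 4 to 7: the 0-9 nibbles in order, then the A-F
// nibbles minus 10, and the three left-most digits of the result.
func decimalize(mac []byte) string {
	var dec, fromHex []byte
	for _, c := range []byte(hex.EncodeToString(mac)) { // lower-case hex
		if c <= '9' {
			dec = append(dec, c)
		} else {
			fromHex = append(fromHex, c-'a'+'0')
		}
	}
	return string(append(dec, fromHex...))[:3]
}

// ComputeCVC runs the whole procedure for one CVC type. stripeServiceCode is
// used for CVC 1 only; CVC 2 and Chip CVC use the Table 3.2 constants.
func ComputeCVC(kind CVCKind, k1, k2 []byte, pan, expiryYYMM, stripeServiceCode string) (string, error) {
	sc := map[CVCKind]string{CVC1: stripeServiceCode, CVC2: "000", ChipCVC: "999"}[kind]
	if sc == "" || (kind == CVC1 && sc == "000") {
		return "", errors.New("unknown CVC kind, or CVC 1 with service code 000")
	}
	in, err := cvcInput(pan, expiryYYMM, sc)
	if err != nil {
		return "", err
	}
	mac, err := retailMAC(k1, k2, in)
	if err != nil {
		return "", err
	}
	return decimalize(mac), nil
}

func main() {
	// Constructed test keys and PAN, not issuer values; real CVC keys stay in a TRSM.
	k1, _ := hex.DecodeString("0123456789ABCDEF")
	k2, _ := hex.DecodeString("FEDCBA9876543210")
	for _, kind := range []CVCKind{CVC1, CVC2, ChipCVC} {
		cvc, err := ComputeCVC(kind, k1, k2, "5555555555554444", "4912", "101")
		fmt.Println(kind, cvc, err)
	}
}
```

    The service code is what keeps the three values independent under shared keys: CVC 1 feeds in the stripe’s own code (never 000), CVC 2 always feeds 000 and Chip CVC always feeds 999, so the same PAN and expiry produce three unrelated MACs. The decimalization step is lossy by design; a verifier recomputes the value and compares, it never inverts it.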

    3.10 Service Codes

    The service code, a three-digit number that complies with ISO 7813 (Identification Cards—Financial Transaction Cards), is encoded on Track 1 and Track 2 of the magnetic stripe of a Card and indicates to a magnetic stripe-reading terminal the Transaction acceptance parameters of the Card. Each digit of the service code represents a distinct element of the Issuer’s Transaction acceptance policy. However, not all combinations of valid digits form a valid service code, nor are all service code combinations valid for all Card Programs. Issuers may encode only one service code on Cards, and the same value must be encoded on both Track 1 and Track 2 in their respective, designated positions.

    Service codes provide Issuers with flexibility in defining Card acceptance parameters, and provide Acquirers with the ability to interpret Issuers’ Card acceptance preferences for all POI conditions.

    Service codes apply to magnetic stripe-read Transactions only. In the case of Chip Cards used in Hybrid POS Terminals, the Hybrid POS Terminal uses the data encoded in the chip to complete the Transaction.

    Note 1 (to Table 3.2): For OBKM, the format of the Card expiration date may be presented as either YYMM or MMYY. See On-Behalf Key Management (OBKM) Interface Specifications.

    Note 2 (to Table 3.2): The output from Step 1 is 16 digits long. The resulting string reflects 23 digits (16+4+3) and is 92 bits long.


    NOTE: A value of 2 or 6 in position 1 of the service code indicates that a chip is present on the Card and contains the MasterCard application that is present on the magnetic stripe.

    3.10.1 Issuer Information

    Currently, MasterCard recommends using service code value 101 (international Card, normal authorization, normal Cardholder verification, no restrictions) for most Card applications. For more information, refer to Table 3.3 in this chapter.

    For a Maestro Card, the Issuer must use the following values in the service code:

    • A value of 1 or 2 in position 1;

    • A value of 0 or 2 (recommended) in position 2; and

    • A value of 0, 1, or 6 in position 3. If a value of 1 or 6 is used, the Issuer must accept Transactions that do not contain PIN data.

    For a Cirrus (ATM-only) Card, the Issuer must use the following values in the service code:

    • A value of 1 or 2 in position 1;

    • A value of 0 or 2 in position 2; and

    • A value of 0, 1, or 3 (recommended) in position 3.

    A Debit MasterCard Card Issuer must not encode a value of 5 or 7 in position 3 of the service code.

    A MasterCard Electronic Card Issuer must encode a value of 2 (positive online authorization required) in position 2 of the service code.

    Issuers may use service codes to support the issuance of ICC applications and PIN requirements.

    For purposes