Monday, October 12, 2009

In-flight Commerce Terminals / Level 4 Requirements

The following requirements apply to In-flight Commerce Terminals / Level 4.
  1. Acquirer / Service Provider requirements and transaction identification specifications:
    • Acquiring banks must ensure timely delivery and installation of the IFC Blocked Gaming File to gaming service providers. IFC Blocked Gaming File access is required before every gaming transaction.
    • The acquiring bank must identify in-flight commerce services or merchandise with the most appropriate merchant category code (MCC) in the authorization message and merchant business code (MCC) in First Presentment / 1240 messages. If an airline also acts as the service provider, the acquiring bank may not use an airline MCC but must assign the proper MCC for each type of IFC transaction. The following list of IFC transaction types must be identified with the designated MCC.

      IFC Transaction Type

      MCC

      Catalog card acceptor

      5964

      Duty-free store

      5309

      Gaming

      7995

      Miscellaneous services

      7299

      Video game

      7994

    • Transactions must be consolidated by MCC, per flight, for each MasterCard cardholder account. "Flight" is defined as one or more segments of a continuous air flight with the same flight number.
    • The acquiring bank must identify the transaction with the most appropriate transaction category code (TCC) in the authorization request message.

      IF the IFC transaction is for…

      THEN the acquirer must use TCC…

      Gaming

      U for Unique Transaction.

      Anything other than gaming

      R for Retail Purchase

    • The Merchant Name / Location (DE 43) must include the service provider's name and flight identification. The flight identification must be a recognizable identification of the airline (not necessarily the airline alphabetic International Air Transport Association [IATA] indicator).
    • The city field description should contain the following:

      For…

      The city field description…

      Mailed purchases and gaming transactions

      Must include the service provider’s customer service telephone number. It is not required to be a toll-free number.

      All IFC transactions other than mailed purchases and gaming

      Optionally may be a customer service telephone number.

    • For all IFC transactions except IFC mailed purchase transactions, the transaction date is defined as the date that the flight departs from the originating city. The transaction date for mailed purchases is defined as the shipment date unless otherwise disclosed to the cardholder.
    • The acquiring bank must ensure that the service provider provides full disclosure to the cardholder via the video monitor screen prior to the initiation of any IFC transactions, as detailed below. The screen must prompt the cardholder to acknowledge these disclosure terms before initiating transaction. The disclosure must include the following:
      • Full identification of the service provider and provision for recourse in terms of cardholder complaints or questions.
      • Notification that transactions will be billed upon the card issuer's approval of the authorization request.
      • For mailed purchases only, any additional shipping or handling charges.
      • Policy on refunds or returns.
      • Provision for a paper receipt.

        • For IFC gaming transactions, service providers must additionally disclose the following:

      • Maximum winnings ($3,500) and maximum losses ($350).
      • Notification that total net transaction amount (whether a net win or loss) will be applied against the cardholder's account
      • Notification that cardholder must be at least 18 years of age to play.
      • Notification that some card issuers may not allow gaming.
    • The acquiring bank must ensure that the service provider is capable of providing an itemized receipt to the cardholder for all IFC transactions and that, at the cardholder's option, the service provider can effect this offer in one of three ways:
      • Printing a receipt at the passenger's seat.
      • Printing a receipt from a centralized printer on the plane.
      • Mailing a receipt to the cardholder.

        • The mailed receipt offer is to be made available via the video monitor and must require the cardholder to input his or her name and address. For IFC gaming transactions the service provider must provide a receipt to the cardholder by one of the first two methods, described above.

        The receipt must contain the following elements:

      • Identification of the passenger's flight, seat number, and date of departure.
      • Itemized transaction detail.
      • Gaming transaction specified as a net win or net loss.
      • The cardholder's account number truncated on the receipt. Acquirers must ensure that transaction receipts provided to cardholders reflect a minimum of four and a maximum of 12 digits of the cardholder account number. The remaining digits are to be truncated, or rendered indeterminable. In all cases, at least four digits must be truncated. It is recommended that the receipt reflect only the last four digits of the primary account number, and that all preceding digits are truncated. It is also recommended that truncated digits are replaced with fill characters such as "X", "*", or "#" and not with blank spaces or numeric characters.
    • For IFC terminals, the assurance and demonstration of security of the transmission of authorization and clearing data between the on-board client server and the acquiring bank and the physical controls over hardware and operating software. Encryption of transmitted data is advised.
  2. Transaction requirements.
    • No maximum transaction amount applies to any IFC transaction, with the exception of IFC gaming transactions.
    • An IFC terminal that also is a hybrid terminal is prohibited from performing fallback procedures from chip to magnetic stripe.
  3. Additional requirements for IFC gaming transactions.
    • Net gaming losses cannot exceed $350 per flight per cardholder account. Net payouts to cardholders for gaming wins cannot exceed $3,500 per flight per cardholder account. This must be monitored throughout the flight by the service provider to ensure compliance.
    • A gaming win transaction will result in posting of net winnings (credit) to the cardholder's account. Under no circumstance may winnings be paid in cash or other form of payment.
    • Before participating in IFC gaming activity, the acquiring bank must take all reasonable and necessary steps to ensure that all IFC gaming activity will be effected in full compliance with all applicable laws and regulations.
  4. Cardholder account number verification - in-flight verification prior to transaction initiation.
    • The acquirer must ensure that the service provider conducts a Mod-10 check digit routine to verify card authenticity.
    • The acquirer must ensure that the service provider confirms that the card account number is a valid one.
    • For IFC gaming transactions, the acquirer must ensure that the cardholder's account number is checked against the IFC Blocked Gaming File. Cardholders whose account numbers are listed on the IFC Blocked Gaming File must be prohibited from initiating any IFC gaming transaction.

Posted by mss at 11:41 AM 0 comments

Thursday, September 10, 2009

Cardholder-Activated Terminal Level Requirements

The following acceptance requirements apply to the specific CAT levels indicated:
  • Automated Dispensing Machines (ADMs) / Level 1.
    1. The Automated Dispensing Machine (ADM) must accept a personal identification number (PIN) as a substitute for signature, and ensure that all requirements are met in accordance with the published specifications.
      • The PIN requirement is contingent upon PIN being adopted as a standard within a country as well as card issuers providing the required PIN. If PIN is not adopted as a standard within a country or supported in accordance with the processing requirements for PIN-based transactions, this level of service is not available.
      • The PIN authorization must be made via a secured transmission, in accordance with the published specifications.
      • ADM terminals must be able to support numeric, alpha, or alphanumeric PINs with a minimum length of four digits and a maximum length of six digits.
    2. The acquiring bank may decline a transaction after four attempts and four consecutive negative responses of "invalid PIN" or "invalid transaction" from the network. Optionally, the acquiring bank may allow more than four consecutive PIN entry attempts that each received a negative response at an ADM.
    3. All transactions regardless of amount must be authorized on a zero floor limit basis with full, unaltered card-read data transmitted. All acquiring banks of ADMs must have received one-time CVC / CVV certification.
    4. Card retention at an ADM is not required, however, if the terminal capability is available, the merchant may do so only at the card issuer's specific direction.
      • The retained card must be logged and secured under appropriate audit controls.
      • The retained card must promptly be rendered useless and then returned to the acquiring bank.
    5. "No Cardholder Authorization" (reason code 4837) chargeback rights for this reason code are not available to card issuers for transactions processed at ADMs where a PIN and full, unaltered card-read data are transmitted because PIN is a valid proxy for the cardholder's signature.
    6. An ADM that is also a hybrid terminal may perform fallback procedures unless it is prohibited by a region. Member banks use fallback procedures when a smart card is present at a hybrid terminal and the merchant processes the transaction by using the magnetic stripe or by manually entering the PAN because the merchant cannot process the transaction using smart card technology.
  • Self-Service Terminal / Level 2.
    1. Self-Service Terminals do not process PIN. They include (but are not limited to) automated fuel dispensers identified with MCC 5542.
    2. All Self-Service Terminal (SST) devices must comply with the following requirements:
      • Zero floor limit for authorization purposes.
      • Acquiring banks must read and transmit full, unaltered card read data.
    3. The Authorization System will send all transactions identified as Self-Service Terminals in the Authorization Request / 0100 message to the card issuer's host, regardless of Limit-1 parameters.
    4. The maximum transaction amount is $100 or its equivalent.
    5. Chargebacks processed for reason code 4837, "No Cardholder Authorization," for Self-Service Terminal transactions will be allowed only if the card issuer certifies that the account number used in the transaction is fraudulent, as documented in a letter written by the cardholder to the card issuer.In addition, the card issuer must block the account number on the issuer's host until card expiration on or before the Central Site processing date of chargeback reason code 4837, "No Cardholder Authorization." The card issuer also must list the cardholder account number on the Visa and MasterCard Account File with a "capture card" response until card expiration. Card issuers in the Europe region (region D) also must list such accounts on the European Stop List (ESL).

      Counterfeit transactions occurring at Self-Service Terminals for which the acquiring bank has transmitted the full magnetic stripe data in the authorization request message and for which an authorization was obtained are ineligible for chargeback reason code 4837, "No Cardholder Authorization."

    6. A U.S. region merchant acquiring automated fuel dispenser transactions at Self-Service Terminals / Level 2 may forward an Authorization Request / 0100 message for $1 if properly identified by MCC 5542 (automated fuel dispenser) and CAT level indicator 2. If authorization is obtained, the acquiring bank is protected from authorization related chargebacks "requested / required authorization not obtained" (reason code 4808), or "exceeds floor limit—not authorized and fraudulent transaction" (reason code 4847) for transactions less than or equal to $75. The acquiring bank protection is limited to $75 for transactions that exceed $75, and issuers may charge back only the difference between the transaction amount and the implied $75 limit.
    7. A Self-Service Terminal that also is a hybrid terminal may perform fallback procedures from chip to magnetic stripe unless it is prohibited by a region.
  • Limited Amount Terminals / Level 3.
    1. A Limited Amount Terminal must check the account number against the Electronic Warning Bulletin file if the terminal has such a capacity.
    2. The maximum transaction amount is $40 or its equivalent.
    3. Chargeback rights for reason code 4837, "No Cardholder Authorization," are not available to issuers for properly identified CAT / Level 3 transactions. Chargeback rights for "requested / required authorization not obtained" (reason code 4808), or "exceeds floor limit - not authorized and fraudulent transaction" (reason code 4847) are available if the maximum transaction amount of $40 or its equivalent has been exceeded.
    4. A Limited Amount Terminal that also is a hybrid terminal is prohibited from performing fallback procedures from chip to magnetic stripe.

Posted by mss at 4:37 PM 0 comments

Wednesday, September 9, 2009

General Acceptance Requirements for Cardholder-Activated Terminal (CAT)

The following general card acceptance requirements apply to cardholder-activated terminals:
  • All card-not-present transactions initiated by the cardholder where the card number is either captured as a result of reading the card electronically or by using an electronic device (such as a transponder, PC, or mobile phone) must include the proper cardholder-activated terminal (CAT) level indicator in both the authorization message and clearing records. Depending on the CAT level indicator, other specific data is required for authorization and clearing.
    • The Authorization Request / 0100 message must include a valid merchant category code, POS country code, POS postal code, and CAT level indicator (Level 1, 2, 3, 4, 6, or 7).
    • Messages used at the CAT must communicate to the cardholder, at a minimum, the following:
      • Invalid transaction.
      • Unable to route.
      • Invalid PIN—re-enter (Level 1 only).
      • Capture card (subject to the terminal's ability to retain cards).
    • The merchant identification number and the CAT level indicator must be present in the First Presentment / 1240, First Chargeback / 1442, Second Presentment / 1240, and Arbitration Chargeback / 1442 messages.
  • The acquiring bank must ensure that the description of goods or services on the CAT TID is clearly recognizable to the cardholder.
  • The acquiring bank is responsible for providing requested transaction information documents.
  • No cardholder-activated terminal may accept a card for the purchase of scrip.
  • Acquiring banks must ensure that transaction receipts provided to cardholders reflect only the last four digits of the primary account number, and that all preceding digits are truncated. The truncated digits must be replaced with fill characters such as "X," "*," or "#" and not with blank spaces or numeric characters.

Posted by mss at 2:57 PM 0 comments

Tuesday, September 8, 2009

Cardholder-Activated Terminal (CAT)

Cardholder-activated terminals (CATs) are typically unattended terminals that accept various payment cards. These terminals are frequently installed at rail ticketing stations, petrol stations, toll roads, parking garages, and other merchant locations. There are four types of cardholder-activated terminals:
  • Automated Dispensing Machines / Level 1.
  • Self-Service Terminals / Level 2.
  • Limited Amount Terminals / Level 3.
  • In-flight Commerce (IFC) Terminals / Level 4.
Cardholder-activated terminal requirements specify the maximum allowed dollar amount of transactions as well as authorization, clearing, chargeback, and addendum record requirements and related transaction liability for each cardholder-activated terminal type.

As CATs are usually unattended, the traditional point-of-sale (POS) acceptance procedures do not apply, such as the merchant's examination of the card to detect irregularities in the logo, hologram, embossed account number, or the security features and the comparison of the cardholder signature to the signature on the sales receipt.

MasterCard identifies eCommerce transactions using a value of CT6 in Terminal Type (PDS 0023) within First Presentment / 1240, Chargeback / 1442, Second Presentment / 1240, and Arbitration Chargeback / 1442 messages. There are currently no registration requirements established for these types of transactions, however, MasterCard requires acquiring banks to identify eCommerce transactions using a value of CT6 in Terminal Type (PDS 0023). Additionally, member banks can use a CAT level indicator 7 (a value of CT7 in Terminal Type [PDS 0023]) to identify transponder transactions. Acquiring banks may optionally provide a value of CT7 in Terminal Type (PDS 0023) in First Presentment / 1240, First Chargeback / 1442, Second Presentment / 1240, and Arbitration Chargeback / 1442 messages.


Posted by mss at 5:16 PM 0 comments

Friday, September 4, 2009

Unique Transaction Requirements

Unique transactions are subject to standards governing retail sales transactions except as otherwise provided here.
  • The floor limit for all unique transactions must be zero.
  • With the exception of truck stop transactions and of card-read transactions where a non-signature CVM is used, if a unique transaction is processed in a card-present environment, the cardholder must present a personal identification of the cardholder identical to that required for a cash disbursement as follows:The identification must be an official government document that has not expired and bears the customer's signature (for example, a passport, identification document, or driver's license).

    Acquiring banks should ensure that their merchants shall, to the extent allowed by applicable law, record on the face of the sales receipt:

    • A description of the identification.
    • Any serial number, expiration date, and jurisdiction of issue.
    • The name of the customer (if not the same as the embossed name).
    • The address of the customer.

    Except for card-read transactions where a non-signature CVM is used, to ensure that the cardholder's signature compares positively, the signature on the card must be compared to both of the following:

    • The cardholder's signature on the identification presented.
    • The cardholder's signature on the merchant receipt.

    If the identification has a photograph of the cardholder, the merchant must check that the person presenting the card appears to be the same person.

  • Authorization requests and clearing messages must identify the transactions as unique.

Posted by mss at 4:46 PM 0 comments
Subscribe to: Posts (Atom)