Thursday, September 10, 2009

Cardholder-Activated Terminal Level Requirements

The following acceptance requirements apply to the specific CAT levels indicated:
  • Automated Dispensing Machines (ADMs) / Level 1.
    1. The Automated Dispensing Machine (ADM) must accept a personal identification number (PIN) as a substitute for signature, and ensure that all requirements are met in accordance with the published specifications.
      • The PIN requirement is contingent upon PIN being adopted as a standard within a country as well as card issuers providing the required PIN. If PIN is not adopted as a standard within a country or supported in accordance with the processing requirements for PIN-based transactions, this level of service is not available.
      • The PIN authorization must be made via a secured transmission, in accordance with the published specifications.
      • ADM terminals must be able to support numeric, alpha, or alphanumeric PINs with a minimum length of four digits and a maximum length of six digits.
    2. The acquiring bank may decline a transaction after four attempts and four consecutive negative responses of "invalid PIN" or "invalid transaction" from the network. Optionally, the acquiring bank may allow more than four consecutive PIN entry attempts that each received a negative response at an ADM.
    3. All transactions regardless of amount must be authorized on a zero floor limit basis with full, unaltered card-read data transmitted. All acquiring banks of ADMs must have received one-time CVC / CVV certification.
    4. Card retention at an ADM is not required; however, if the terminal capability is available, the merchant may retain a card only at the card issuer's specific direction.
      • The retained card must be logged and secured under appropriate audit controls.
      • The retained card must promptly be rendered useless and then returned to the acquiring bank.
    5. Chargeback rights for reason code 4837, "No Cardholder Authorization," are not available to card issuers for transactions processed at ADMs where a PIN and full, unaltered card-read data are transmitted, because PIN is a valid proxy for the cardholder's signature.
    6. An ADM that is also a hybrid terminal may perform fallback procedures unless it is prohibited by a region. Member banks use fallback procedures when a smart card is present at a hybrid terminal and the merchant processes the transaction by using the magnetic stripe or by manually entering the PAN because the merchant cannot process the transaction using smart card technology.
  • Self-Service Terminal / Level 2.
    1. Self-Service Terminals do not process PIN. They include (but are not limited to) automated fuel dispensers identified with MCC 5542.
    2. All Self-Service Terminal (SST) devices must comply with the following requirements:
      • Zero floor limit for authorization purposes.
      • Acquiring banks must read and transmit full, unaltered card-read data.
    3. The Authorization System will send all transactions identified as Self-Service Terminals in the Authorization Request / 0100 message to the card issuer's host, regardless of Limit-1 parameters.
    4. The maximum transaction amount is $100 or its equivalent.
    5. Chargebacks processed for reason code 4837, "No Cardholder Authorization," for Self-Service Terminal transactions will be allowed only if the card issuer certifies that the account number used in the transaction is fraudulent, as documented in a letter written by the cardholder to the card issuer. In addition, the card issuer must block the account number on the issuer's host until card expiration on or before the Central Site processing date of chargeback reason code 4837, "No Cardholder Authorization." The card issuer also must list the cardholder account number on the Visa and MasterCard Account File with a "capture card" response until card expiration. Card issuers in the Europe region (region D) also must list such accounts on the European Stop List (ESL).

      Counterfeit transactions occurring at Self-Service Terminals for which the acquiring bank has transmitted the full magnetic stripe data in the authorization request message and for which an authorization was obtained are ineligible for chargeback reason code 4837, "No Cardholder Authorization."

    6. A U.S. region merchant acquiring automated fuel dispenser transactions at Self-Service Terminals / Level 2 may forward an Authorization Request / 0100 message for $1 if properly identified by MCC 5542 (automated fuel dispenser) and CAT level indicator 2. If authorization is obtained, the acquiring bank is protected from the authorization-related chargebacks "requested / required authorization not obtained" (reason code 4808) and "exceeds floor limit - not authorized and fraudulent transaction" (reason code 4847) for transactions less than or equal to $75. The acquiring bank protection is limited to $75 for transactions that exceed $75, and issuers may charge back only the difference between the transaction amount and the implied $75 limit.
    7. A Self-Service Terminal that also is a hybrid terminal may perform fallback procedures from chip to magnetic stripe unless it is prohibited by a region.
  • Limited Amount Terminals / Level 3.
    1. A Limited Amount Terminal must check the account number against the Electronic Warning Bulletin file if the terminal has such a capacity.
    2. The maximum transaction amount is $40 or its equivalent.
    3. Chargeback rights for reason code 4837, "No Cardholder Authorization," are not available to issuers for properly identified CAT / Level 3 transactions. Chargeback rights for "requested / required authorization not obtained" (reason code 4808), or "exceeds floor limit - not authorized and fraudulent transaction" (reason code 4847) are available if the maximum transaction amount of $40 or its equivalent has been exceeded.
    4. A Limited Amount Terminal that also is a hybrid terminal is prohibited from performing fallback procedures from chip to magnetic stripe.

Wednesday, September 9, 2009

General Acceptance Requirements for Cardholder-Activated Terminal (CAT)

The following general card acceptance requirements apply to cardholder-activated terminals:
  • All card-not-present transactions initiated by the cardholder where the card number is captured either by reading the card electronically or by using an electronic device (such as a transponder, PC, or mobile phone) must include the proper cardholder-activated terminal (CAT) level indicator in both the authorization message and clearing records. Depending on the CAT level indicator, other specific data is required for authorization and clearing.
    • The Authorization Request / 0100 message must include a valid merchant category code, POS country code, POS postal code, and CAT level indicator (Level 1, 2, 3, 4, 6, or 7).
    • Messages used at the CAT must communicate to the cardholder, at a minimum, the following:
      • Invalid transaction.
      • Unable to route.
      • Invalid PIN—re-enter (Level 1 only).
      • Capture card (subject to the terminal's ability to retain cards).
    • The merchant identification number and the CAT level indicator must be present in the First Presentment / 1240, First Chargeback / 1442, Second Presentment / 1240, and Arbitration Chargeback / 1442 messages.
  • The acquiring bank must ensure that the description of goods or services on the CAT TID is clearly recognizable to the cardholder.
  • The acquiring bank is responsible for providing requested transaction information documents.
  • No cardholder-activated terminal may accept a card for the purchase of scrip.
  • Acquiring banks must ensure that transaction receipts provided to cardholders reflect only the last four digits of the primary account number, and that all preceding digits are truncated. The truncated digits must be replaced with fill characters such as "X," "*," or "#" and not with blank spaces or numeric characters.
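
The receipt truncation rule above can be checked mechanically. The following is an added example, not part of the original rules text: it masks a PAN for printing and audits already-printed receipt lines for the failures the rule names (digits left visible, blank or numeric fill). The "CARD: " label, the sample lines, the fill-character set, and the PAN length bounds are assumptions made for the example.

```python
import re

# The rule says fill characters "such as" X, * or #; this set is the
# example's assumption, not an exhaustive list from the rules.
FILL_CHARS = {"X", "*", "#"}

def truncate_pan(pan, fill="X"):
    """Receipt form of a PAN: fill characters followed by the last four digits."""
    digits = re.sub(r"[ -]", "", pan)              # drop grouping separators
    if not re.fullmatch(r"[0-9]{13,19}", digits):  # length bounds are an assumption
        raise ValueError("not a plausible PAN")
    if fill not in FILL_CHARS:
        raise ValueError("fill must be a non-blank, non-numeric character")
    return fill * (len(digits) - 4) + digits[-4:]

def receipt_pan_violations(field):
    """Check a printed PAN field (no grouping separators) against the rule."""
    problems = []
    head, tail = field[:-4], field[-4:]
    if not re.fullmatch(r"[0-9]{4}", tail):
        problems.append("last four digits not shown")
    if re.search(r"[0-9]", head):
        problems.append("digit exposed before the last four")
    if re.search(r"\s", head):
        problems.append("blank used as fill")
    return problems

# Constructed receipt lines; the "CARD: " label is hypothetical.
SAMPLE_RECEIPT = [
    "CARD: XXXXXXXXXXXX1234",         # compliant
    "CARD: 500000XXXXXX1234",         # leading digits left visible
    "CARD: " + " " * 12 + "1234",     # blanks used instead of fill characters
    "TOTAL: 40.00",
]

def audit_receipt(lines, label="CARD: "):
    """Map 1-based line number to violations for each labelled PAN line."""
    findings = {}
    for number, line in enumerate(lines, 1):
        if line.startswith(label):
            problems = receipt_pan_violations(line[len(label):])
            if problems:
                findings[number] = problems
    return findings

if __name__ == "__main__":
    print(truncate_pan("5000 0000 0000 1234"))   # constructed PAN
    print(audit_receipt(SAMPLE_RECEIPT))
```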

Tuesday, September 8, 2009

Cardholder-Activated Terminal (CAT)

Cardholder-activated terminals (CATs) are typically unattended terminals that accept various payment cards. These terminals are frequently installed at rail ticketing stations, petrol stations, toll roads, parking garages, and other merchant locations. There are four types of cardholder-activated terminals:
  • Automated Dispensing Machines / Level 1.
  • Self-Service Terminals / Level 2.
  • Limited Amount Terminals / Level 3.
  • In-flight Commerce (IFC) Terminals / Level 4.
Cardholder-activated terminal requirements specify the maximum allowed dollar amount of transactions as well as authorization, clearing, chargeback, and addendum record requirements and related transaction liability for each cardholder-activated terminal type.

As CATs are usually unattended, the traditional point-of-sale (POS) acceptance procedures do not apply, such as the merchant's examination of the card to detect irregularities in the logo, hologram, embossed account number, or the security features and the comparison of the cardholder signature to the signature on the sales receipt.

MasterCard identifies eCommerce transactions using a value of CT6 in Terminal Type (PDS 0023) within First Presentment / 1240, Chargeback / 1442, Second Presentment / 1240, and Arbitration Chargeback / 1442 messages. There are currently no registration requirements established for these types of transactions; however, MasterCard requires acquiring banks to identify eCommerce transactions using a value of CT6 in Terminal Type (PDS 0023). Additionally, member banks can use a CAT level indicator 7 (a value of CT7 in Terminal Type [PDS 0023]) to identify transponder transactions. Acquiring banks may optionally provide a value of CT7 in Terminal Type (PDS 0023) in First Presentment / 1240, First Chargeback / 1442, Second Presentment / 1240, and Arbitration Chargeback / 1442 messages.

Friday, September 4, 2009

Unique Transaction Requirements

Unique transactions are subject to standards governing retail sales transactions except as otherwise provided here.
  • The floor limit for all unique transactions must be zero.
  • With the exception of truck stop transactions and of card-read transactions where a non-signature CVM is used, if a unique transaction is processed in a card-present environment, the cardholder must present personal identification identical to that required for a cash disbursement, as follows: The identification must be an official government document that has not expired and bears the customer's signature (for example, a passport, identification document, or driver's license).

    Acquiring banks should ensure that their merchants, to the extent allowed by applicable law, record on the face of the sales receipt:

    • A description of the identification.
    • Any serial number, expiration date, and jurisdiction of issue.
    • The name of the customer (if not the same as the embossed name).
    • The address of the customer.

    Except for card-read transactions where a non-signature CVM is used, to ensure that the cardholder's signature compares positively, the signature on the card must be compared to both of the following:

    • The cardholder's signature on the identification presented.
    • The cardholder's signature on the merchant receipt.

    If the identification has a photograph of the cardholder, the merchant must check that the person presenting the card appears to be the same person.

  • Authorization requests and clearing messages must identify the transactions as unique.

Thursday, September 3, 2009

Processing Procedures for Unique Transactions

At merchant locations processing unique transactions via a Point of Sale (POS) terminal, acquiring banks must incorporate the following requirement into merchant agreements with gambling merchants and ensure compliance:

"A merchant must not credit winnings, unspent chips, or other value usable for gambling to a cardholder account."

Acquiring banks must properly identify all unique transactions in all authorization and clearing messages. In addition, acquirers must ensure that electronic commerce transactions are properly identified in the authorization and clearing messages.

Acquiring banks must incorporate the following requirements into all merchant agreements with internet casino merchants:
  • Internet casino merchants must request that cardholders identify the state or foreign country where they are physically located at the time of the transaction. They must record the response and retain it, along with the cardholder's account number, the transaction amount, and the date. Internet casino merchants must retain this information for a minimum of one year from the transaction date and provide it to the acquirer on request.
  • As a condition of having a merchant account, internet casino merchants must post a notice on their websites (in a position such that the notice will be displayed before requesting a card account number, such as a click-through notice) stating that assertions have been made that internet gambling may not be lawful in some jurisdictions, including California, and suggesting that the cardholder check whether internet gambling is lawful under applicable law.
  • Internet casino merchants must not sell chips or other value that can be used, directly or indirectly, to gamble other than at a merchant that sells such chips or other value.
  • Internet casino merchants must not credit winnings or unspent chips or other value usable for gambling to a cardholder account.

Wednesday, September 2, 2009

Advance Resort Deposit

If a hotel, motel, or resort is participating in the Advance Resort Deposit service for all cards, the following procedures will apply:
  1. If a cardholder calls a participating merchant wishing to make an advance deposit with his or her card, the merchant explains the terms of the reservation, cancellation, and refund policy procedure to the cardholder.
  2. The merchant takes the cardholder's account number, card expiration date, name, and address and confirms the room rate and location.
  3. The merchant is required to confirm the status of the card. The authorization procedure is determined by the location (region) of the lodging facility. The applicable procedure follows.
    • If located within the U.S. region, the merchant is required to follow the appropriate authorization procedures to obtain approval for the transaction. If authorization is not obtained, the merchant accepts responsibility for the transaction.
    • For all regions other than the U.S., the merchant is required to check the Warning Notice. (This may be done subsequent to the phone call.) If the account number is listed in the Warning Notice, the merchant should follow the usual procedures provided by the acquiring bank.

    The merchant is required to call for authorization if the amount of the advance deposit exceeds $50. If the result of the authorization call is denial, the merchant must advise the cardholder.

  4. The merchant completes a sales ticket filling in the cardholder's name, card account number, card expiration date, reservation confirmation number, and merchant identification and writes the words "advance deposit" in place of the cardholder's signature. It is recommended that the merchant note on the sales ticket any special terms and conditions regarding its refund policy.
  5. The merchant mails a letter of confirmation, a copy of the sales ticket, including the reservation confirmation number, and information concerning its cancellation and refund policy to the cardholder at the address previously provided.
  6. The merchant deposits the sales ticket for the advance deposit in the usual manner. There are no special deposit requirements imposed on the merchant.
  7. If a cardholder cancels his or her reservation in accordance with the agreed-upon procedures, the merchant is obligated to cancel the reservation and issue a credit to the cardholder.
    • The merchant prepares a credit slip in the usual manner for the amount of the previously submitted advance deposit, writing the words "deposit cancellation" in place of the cardholder's signature on the credit slip.
    • The merchant prepares a notice of cancellation issuing a cancellation number to the cardholder.
    • The merchant mails a copy of the credit slip and notice of cancellation to the cardholder.
    • The merchant records the cancellation number on the slip and deposits the credit slip in the usual manner. There are no special deposit requirements imposed on the merchant.
  8. If the transaction results in a dispute, and if the account number used to make the deposit is unidentifiable as to a specific card issuer or was fictitious, the bearer of the liability will be the acquiring bank. Where the transaction is identifiable to a specific card issuer but is not identifiable to a specific account number within that institution, the bearer of the liability will again be the acquiring bank.