Security Rules and Procedures 28 February 2017 SP


Summary of Changes, 28 February 2017

This manual reflects changes associated with announcements in Mastercard bulletins from 1 August 2016 to 1 February 2017, and additional terminology changes.

    Please click the hyperlinked section numbers to locate the changes listed below.

Description of Change | Where to Look

Added definitions of the following terms: Global Collection Only (GCO) Data Collection Program; Payment Account Reference (PAR). | Definitions

Clarified the requirements for a PAN of a Mastercard Account. | 3.2

Clarified the description of the Issuer-assigned portion of a Maestro Account PAN or Cirrus Account PAN. | 3.3

Added cross-references to the International Electrotechnical Commission (IEC) to applicable cross-references to the International Organization for Standardization (ISO). | 3.3, 3.5, 3.5.4, 3.11, 4.2, 4.10

Added titles to ISO/IEC Standard cross-references. | 3.3, 3.10.5, 4.2, 4.10, 6.3.3.3

Clarified the signature panel requirements for a Card. | 3.4

Updated titles of ISO/IEC Standard cross-references. | 3.5

Clarified the definition of a magnetic stripe-read counterfeit Transaction to align with the definitions of a key-entered counterfeit Transaction and an imprinted counterfeit Transaction. | 6.3.2.2

Added tobacco product Merchants that conduct non-face-to-face Transactions of any electronic nicotine delivery system to the types of non-face-to-face tobacco product Merchants required to be registered using the MRP. | 9.4.3

Added Poland to the countries under MCC 9406 in which government-owned lottery Merchants must be registered using the MRP. | 9.4.4, 9.4.4.2


©1991–2017 Mastercard. Proprietary. All rights reserved. Security Rules and Procedures • 28 February 2017

Contents

Summary of Changes, 28 February 2017 ... 2

Chapter 1: Customer Obligations ... 11
  1.1 Compliance with the Standards ... 12
  1.2 Conflict with Law ... 12
  1.3 The Security Contact ... 12

Chapter 2: Card Production Standards ... 13
  2.1 Compliance with Card Production Standards ... 14
  2.2 Monitoring of Personnel ... 14
  2.3 Contracting with Card Registration Companies ... 15
  2.4 Working with Vendors ... 16
    2.4.1 Order Request Required to Produce Cards ... 17
    2.4.2 Stockpiling Plastics ... 17
  2.5 Cards Without Personalization ... 17
  2.6 Card Count Discrepancies ... 17
  2.7 Reporting Card Loss or Theft ... 17
  2.8 Disposition of Unissued Cards and Account Information ... 18

Chapter 3: Card and Access Device Design Standards ... 19
  3.1 Principles of Standardization ... 21
  3.2 Mastercard Account Number ... 21
  3.3 Maestro and Cirrus Account Numbers ... 22
  3.4 Signature Panel ... 22
  3.5 Magnetic Stripe or Mastercard HoloMag Encoding ... 22
    3.5.1 Card Validation Code 1 (CVC 1) ... 23
    3.5.2 Service Code ... 23
    3.5.3 Cardholder Name ... 23
    3.5.4 Expiration Date ... 24
  3.6 Chip Cards ... 25
    3.6.1 Chip Card Applications ... 26
      3.6.1.1 Compliance Assessment and Security Testing ... 26
      3.6.1.2 Integrated Circuit Chip Providers ... 27
    3.6.2 Multiple Application Chip Cards ... 27
    3.6.3 Use of M/Chip Card Application Specifications ... 27
  3.7 Contactless Cards and Payment Devices ... 27
  3.8 Mobile Payment Devices ... 28
  3.9 Consumer Device Cardholder Verification Methods ... 29

    3.9.1 Mastercard Qualification of Consumer Device CVMs ... 29
    3.9.2 CDCVM Functionality ... 30
    3.9.3 Persistent Authentication ... 30
    3.9.4 Prolonged Authentication ... 31
    3.9.5 Maintaining Mastercard-qualified CVM Status ... 31
    3.9.6 Issuer Responsibilities ... 31
    3.9.7 Use of a Vendor ... 32
  3.10 Card Validation Code (CVC) ... 32
    3.10.1 Issuer Requirements for CVC 1 ... 33
    3.10.2 Issuer Requirements for CVC 2 ... 33
    3.10.3 Issuer Requirements for CVC 3 ... 34
    3.10.4 Acquirer Requirements for CVC 2 ... 34
    3.10.5 CVC Calculation Methods ... 34
  3.11 Service Codes ... 36
    3.11.1 Issuer Information ... 36
    3.11.2 Acquirer Information ... 37
    3.11.3 Valid Service Codes ... 37
    3.11.4 Additional Service Code Information ... 38

Chapter 4: Terminal and PIN Security Standards ... 40
  4.1 Personal Identification Numbers (PINs) ... 41
  4.2 PIN Selection and Usage ... 41
  4.3 PIN Verification ... 42
  4.4 PIN Authorization Requests ... 42
  4.5 PIN Encipherment ... 42
  4.6 PIN Key Management ... 43
    4.6.1 PIN Transmission Between Customer Host Systems and the Interchange System ... 43
    4.6.2 On-behalf Key Management ... 44
  4.7 PIN at the Point of Interaction (POI) for Mastercard Magnetic Stripe Transactions ... 45
  4.8 Terminal Security Standards ... 45
  4.9 Hybrid Terminal Security Standards ... 46
  4.10 PIN Entry Device Standards ... 46
  4.11 Wireless POS Terminals and Internet/Stand-alone Internet Protocol (IP)-enabled POS Terminal Security Standards ... 48
  4.12 POS Terminals Using Electronic Signature Capture Technology (ESCT) ... 48
  4.13 Component Authentication ... 49
  4.14 Triple DES Migration Standards ... 49

Chapter 5: Card Recovery and Return Standards ... 50
  5.1 Card Recovery and Return ... 51
    5.1.1 Card Retention by Merchants ... 51

      5.1.1.1 Returning Recovered Cards ... 51
      5.1.1.2 Returning Counterfeit Cards ... 51
      5.1.1.3 Liability for Loss, Costs, and Damages ... 52
    5.1.2 ATM Card Retention ... 52
      5.1.2.1 Handling ATM-Retained Cards ... 53
      5.1.2.2 Returning ATM-Retained Cards to Cardholders ... 53
      5.1.2.3 Fees for ATM Card Retention and Return ... 53
    5.1.3 Payment of Rewards ... 54
      5.1.3.1 Reward Payment Standards ... 54
      5.1.3.2 Reward Amounts ... 54
      5.1.3.3 Reimbursement of Rewards ... 55
      5.1.3.4 Reward Payment Chargebacks ... 55
    5.1.4 Reporting Fraudulent Use of Cards ... 55
    5.1.5 Reporting Lost and Stolen Cards ... 56
      5.1.5.1 Mastercard Receiving Reports ... 56
  5.2 Criminal and Counterfeit Investigations ... 57
    5.2.1 Initiating an Investigation ... 57
    5.2.2 Providing a Progress Report ... 57
    5.2.3 Requesting an Arrest and Criminal Prosecution ... 57
    5.2.4 Fees and Reimbursement of Expenses ... 57
    5.2.5 Investigation of Counterfeits and Major Criminal Cases ... 58

Chapter 6: Fraud Loss Control Standards ... 59
  6.1 Customer Responsibility for Fraud Loss Control ... 61
  6.2 Mastercard Fraud Loss Control Program Standards ... 61
    6.2.1 Issuer Fraud Loss Control Programs ... 61
      6.2.1.1 Issuer Authorization Requirements ... 61
      6.2.1.2 Issuer Fraud Monitoring Requirements ... 62
      6.2.1.3 Issuer Network Monitoring Requirements ... 62
      6.2.1.4 Product Portfolio Management ... 62
      6.2.1.5 Recommended Additional Issuer Monitoring ... 63
      6.2.1.6 Additional Prepaid Monitoring Requirements ... 63
      6.2.1.7 Fraud Detection Tool Implementation ... 64
      6.2.1.8 Cardholder Communication Strategy ... 64
    6.2.2 Acquirer Fraud Loss Control Programs ... 64
      6.2.2.1 Acquirer Authorization Monitoring Requirements ... 65
      6.2.2.2 Acquirer Merchant Deposit Monitoring Requirements ... 65
      6.2.2.3 Recommended Additional Acquirer Monitoring ... 66
    6.2.3 Noncompliance with Fraud Loss Control Program Standards ... 66
  6.3 Mastercard Counterfeit Card Fraud Loss Control Standards ... 66
    6.3.1 Counterfeit Card Notification ... 67
      6.3.1.1 Notification by Issuer ... 67

      6.3.1.2 Notification by Acquirer ... 67
      6.3.1.3 Failure to Give Notice ... 67
    6.3.2 Responsibility for Counterfeit Loss ... 67
      6.3.2.1 Loss from Internal Fraud ... 67
      6.3.2.2 Transactions Arising from Identified Counterfeit Cards ... 67
      6.3.2.3 Transactions Arising from Unidentified Counterfeit Cards ... 68
      6.3.2.4 Loss or Theft of Unfinished Cards ... 68
    6.3.3 Acquirer Counterfeit Liability Program ... 68
      6.3.3.1 Acquirer Counterfeit Liability ... 69
      6.3.3.2 Acquirer Liability Period ... 69
      6.3.3.3 Relief from Liability ... 69
      6.3.3.4 Application for Relief ... 70
  6.4 Maestro Issuer Loss Control Program (LCP) ... 70
    6.4.1 Group 1 Issuers—Issuers with Dynamic Geo-Controls ... 70
    6.4.2 Group 2 Issuers—Issuers without Dynamic Geo-Controls ... 71
      6.4.2.1 Authorization Controls ... 71
    6.4.3 Group 3 Issuers—Issuers Experiencing Fraud in Excess of Established Levels (“High Fraud”) ... 72
    6.4.4 Fraud Detection Tool Implementation ... 73
    6.4.5 Cardholder Communication Strategy ... 73

Chapter 7: Merchant, Submerchant, and ATM Owner Screening and Monitoring Standards ... 74
  7.1 Screening New Merchants, Submerchants, and ATM Owners ... 75
    7.1.1 Merchant Screening Procedures ... 75
    7.1.2 Submerchant Screening Procedures ... 76
    7.1.3 ATM Owner Screening Procedures ... 77
    7.1.4 Evidence of Compliance with Screening Procedures ... 77
    7.1.5 Retention of Investigative Records ... 78
    7.1.6 Assessments for Noncompliance with Screening Procedures ... 78
  7.2 Ongoing Monitoring ... 79
  7.3 Merchant Education ... 79
  7.4 Additional Requirements for Certain Merchant and Submerchant Categories ... 80

Chapter 8: Mastercard Fraud Control Programs ... 81
  8.1 Notifying Mastercard ... 83
    8.1.1 Acquirer Responsibilities ... 83
    8.1.2 Issuer Responsibilities ... 83
  8.2 Global Merchant Audit Program ... 83
    8.2.1 Acquirer Responsibilities ... 84
    8.2.2 Tier 3 Special Merchant Audit ... 84

    8.2.3 Chargeback Responsibility ... 86
    8.2.4 Exclusion from the Global Merchant Audit Program ... 87
      8.2.4.1 Systematic Exclusions ... 88
      8.2.4.2 Exclusion After GMAP Identification ... 88
    8.2.5 Notification of Merchant Identification ... 89
      8.2.5.1 Distribution of Reports ... 89
    8.2.6 Merchant Online Status Tracking (MOST) System ... 90
      8.2.6.1 MOST Mandate ... 90
      8.2.6.2 MOST Registration ... 90
  8.3 Excessive Chargeback Program ... 91
    8.3.1 ECP Definitions ... 91
    8.3.2 Reporting Requirements ... 92
      8.3.2.1 Chargeback-Monitored Merchant Reporting Requirements ... 92
      8.3.2.2 Excessive Chargeback Merchant Reporting Requirements ... 92
    8.3.3 Assessments ... 93
      8.3.3.1 ECP Assessment Calculation ... 94
    8.3.4 Issuer Reimbursement ... 95
    8.3.5 Additional Tier 2 ECM Requirements ... 95
  8.4 Questionable Merchant Audit Program (QMAP) ... 96
    8.4.1 QMAP Definitions ... 96
    8.4.2 Mastercard Commencement of an Investigation ... 98
    8.4.3 Mastercard Notification to Issuers ... 98
      8.4.3.1 Investigations Concerning Cardholder Bust-out Accounts ... 98
      8.4.3.2 Investigations Not Concerning Cardholder Bust-out Accounts ... 99
    8.4.4 Mastercard Notification to Acquirers ... 99
    8.4.5 Merchant Termination ... 99
    8.4.6 Mastercard Determination ... 99
    8.4.7 Chargeback Responsibility ... 100
    8.4.8 Fraud Recovery ... 100
    8.4.9 QMAP Fees ... 101
  8.5 Issuer Monitoring Program (IMP) ... 101
    8.5.1 Identification Criteria ... 101
    8.5.2 Mastercard Audit and Questionnaire ... 102
    8.5.3 Subsequent Issuer Identifications in the IMP ... 102

Chapter 9: Mastercard Registration Program ... 103
  9.1 Mastercard Registration Program Overview ... 104
  9.2 General Registration Requirements ... 104
    9.2.1 Merchant Registration Fees and Noncompliance Assessments ... 105
  9.3 General Monitoring Requirements ... 106
  9.4 Additional Requirements for Specific Merchant Categories ... 106
    9.4.1 Non-face-to-face Adult Content and Services Merchants ... 106

    9.4.2 Non-face-to-face Gambling Merchants ... 107
    9.4.3 Pharmaceutical and Tobacco Product Merchants ... 108
    9.4.4 Government-owned Lottery Merchants ... 109
      9.4.4.1 Government-owned Lottery Merchants (U.S. Region Only) ... 109
      9.4.4.2 Government-owned Lottery Merchants (Specific Countries) ... 110
    9.4.5 Skill Games Merchants (U.S. Region Only) ... 110
    9.4.6 High-Risk Cyberlocker Merchants ... 112

Chapter 10: Account Data Protection Standards and Programs ... 114
  10.1 Account Data Protection Standards ... 115
  10.2 Account Data Compromise Events ... 115
    10.2.1 Policy Concerning Account Data Compromise Events and Potential Account Data Compromise Events ... 116
    10.2.2 Responsibilities in Connection with ADC Events and Potential ADC Events ... 117
      10.2.2.1 Time-Specific Procedures for ADC Events and Potential ADC Events ... 118
      10.2.2.2 Ongoing Procedures for ADC Events and Potential ADC Events ... 120
    10.2.3 Forensic Report ... 121
    10.2.4 Alternative Standards Applicable to Certain Merchants or Other Agents ... 122
    10.2.5 Mastercard Determination of ADC Event or Potential ADC Event ... 124
      10.2.5.1 Assessments for PCI Violations in Connection with ADC Events ... 124
      10.2.5.2 Potential Reduction of Financial Responsibility ... 124
      10.2.5.3 ADC Operational Reimbursement and ADC Fraud Recovery—Mastercard Only ... 125
      10.2.5.4 Determination of Operational Reimbursement (OR) ... 128
      10.2.5.5 Determination of Fraud Recovery (FR) ... 129
    10.2.6 Assessments and/or Disqualification for Noncompliance ... 132
    10.2.7 Final Financial Responsibility Determination ... 132
  10.3 Mastercard Site Data Protection (SDP) Program ... 133
    10.3.1 Payment Card Industry Data Security Standards ... 134
    10.3.2 Compliance Validation Tools ... 134
    10.3.3 Acquirer Compliance Requirements ... 135
    10.3.4 Implementation Schedule ... 136
      10.3.4.1 Mastercard PCI DSS Risk-based Approach ... 140
      10.3.4.2 Mastercard PCI DSS Compliance Validation Exemption Program ... 141
      10.3.4.3 Mandatory Compliance Requirements for Compromised Entities ... 142
  10.4 Connecting to Mastercard—Physical and Logical Security Requirements ... 142
    10.4.1 Minimum Security Requirements ... 143
    10.4.2 Additional Recommended Security Requirements ... 144
    10.4.3 Ownership of Service Delivery Point Equipment ... 144

Chapter 11: MATCH System ... 145
  11.1 MATCH Overview ... 146

    11.1.1 System Features ... 146
    11.1.2 How does MATCH Search when Conducting an Inquiry? ... 147
      11.1.2.1 Retroactive Possible Matches ... 147
      11.1.2.2 Exact Possible Matches ... 147
      11.1.2.3 Phonetic Possible Matches ... 149
  11.2 MATCH Standards ... 149
    11.2.1 Certification ... 150
    11.2.2 When to Add a Merchant to MATCH ... 150
    11.2.3 Inquiring about a Merchant ... 150
    11.2.4 MATCH Noncompliance Assessments ... 151
    11.2.5 Exceptions to MATCH Standards ... 151
    11.2.6 MATCH Record Retention ... 152
  11.3 Merchants Listed by Mastercard ... 152
    11.3.1 Questionable Merchants ... 152
  11.4 Merchant Removal from MATCH ... 152
  11.5 MATCH Reason Codes ... 153
    11.5.1 Reason Codes for Merchants Listed by the Acquirer ... 153
    11.5.2 Reason Codes for Merchants Listed by Mastercard ... 155
  11.6 Requesting Access to and Using MATCH ... 156
  11.7 Legal Notice ... 157

Chapter 12: System to Avoid Fraud Effectively (SAFE) Reporting Standards ... 158
  12.1 SAFE Overview ... 159
  12.2 SAFE Fraud Reporting Standards ... 159
    12.2.1 Digital Secure Remote Payment Transactions ... 160
  12.3 SAFE Reason Codes ... 160
  12.4 Data Accuracy and Integrity ... 162
  12.5 Timely Reporting of Mastercard and Debit Mastercard Transactions ... 162
    12.5.1 Tier I Reporting Requirement ... 162
    12.5.2 Tier II Reporting Requirement ... 163
    12.5.3 Tier III Reporting Requirement ... 163
  12.6 Timely Reporting of Maestro Transactions ... 163
  12.7 Timely Reporting of Cirrus Transactions ... 163
  12.8 Digital Goods Transactions ... 163
  12.9 Fraud-related Chargebacks ... 163
  12.10 High Clearing Transaction Volume ... 164
  12.11 Transaction Amount ... 164
  12.12 Resubmitting Rejected Transactions ... 164
  12.13 Noncompliance Assessments ... 164
  12.14 Variances ... 165

Chapter 13: Global Risk Management Program ..... 166
13.1 About the Global Risk Management Program ..... 167
13.1.1 Customer Onboarding Reviews ..... 167
13.1.2 Service Provider Risk Management Program ..... 168
13.1.3 Customer Risk Reviews ..... 169
13.1.3.1 Merchant Risk Review Requirement ..... 169
13.1.4 Customer Consultative Reviews ..... 169
13.2 Global Risk Management Program Review Topics ..... 170
13.3 Global Risk Management Program Reports ..... 171
13.4 Customer Risk Review Conditions ..... 171
13.4.1 Customer Risk Review Issuer Criteria ..... 171
13.4.2 Customer Risk Review Acquirer Criteria ..... 171
13.4.3 Basis Points Calculation ..... 172
13.5 Global Risk Management Program Fees ..... 172
13.6 Noncompliance with Fraud Loss Control Standards ..... 172

Appendix A: Track Data Content and Format ..... 174
A.1 Track 1 Data Content and Format ..... 175
A.2 Track 2 Data Content and Format ..... 177

Appendix B: Contact Information ..... 181
B.1 Franchise Integrity ..... 182
B.2 Customer Performance Integrity ..... 182
B.3 Account Data Compromise Events ..... 183
B.4 Card Design Management ..... 183
B.5 Mastercard Connect™ Applications ..... 184
B.6 Global Customer Service ..... 184
B.7 Questionable Merchant Activity ..... 185

Appendix C: Card Production Services ..... 187
C.1 Card Production Services ..... 188

Appendix D: Definitions ..... 190

Notices ..... 223


Chapter 1 Customer Obligations

This chapter describes general Customer compliance and Program obligations relating to Mastercard Card issuing and Merchant acquiring Program Activities.

1.1 Compliance with the Standards ..... 12
1.2 Conflict with Law ..... 12
1.3 The Security Contact ..... 12


1.1 Compliance with the Standards

    This manual contains Standards. Each Customer must comply fully with these Standards.

All of the Standards in this manual are assigned to noncompliance category A under the compliance framework set forth in Chapter 2 of the Mastercard Rules manual (“the compliance framework”), unless otherwise specified in the table below. The noncompliance assessment schedule provided in the compliance framework pertains to any Standard in the Security Rules and Procedures manual that does not have an established compliance Program. The Corporation may deviate from the schedule at any time.

Section Number   Section Title                                   Category
1.3              The Security Contact                            C
2.3              Contracting with Card Registration Companies    C
7.1.5            Retention of Investigative Records              C

    1.2 Conflict with Law

A Customer is excused from compliance with a Standard in any country or region of a country only to the extent that compliance would cause the Customer to violate local applicable law or regulation, and further provided that the Customer promptly notifies the Corporation, in writing, of the basis for and nature of an inability to comply. The Corporation has the authority to approve local alternatives to these Standards.

    1.3 The Security Contact

Each Customer must have a Security Contact listed for each of its Member IDs/ICA numbers in the Member Information tool on Mastercard Connect™.


Chapter 2 Card Production Standards

This chapter may be of particular interest to Customers that issue Cards, and includes requirements for personnel responsible for the tasks associated with producing Cards.

2.1 Compliance with Card Production Standards ..... 14
2.2 Monitoring of Personnel ..... 14
2.3 Contracting with Card Registration Companies ..... 15
2.4 Working with Vendors ..... 16
2.4.1 Order Request Required to Produce Cards ..... 17
2.4.2 Stockpiling Plastics ..... 17
2.5 Cards Without Personalization ..... 17
2.6 Card Count Discrepancies ..... 17
2.7 Reporting Card Loss or Theft ..... 17
2.8 Disposition of Unissued Cards and Account Information ..... 18


2.1 Compliance with Card Production Standards

As used in this section, and unless otherwise specified, the term “Card production” is applicable with respect to Cards and other types of Access Devices, including Contactless Payment Devices and Mobile Payment Devices.

An Issuer engaged in Card production must comply with all applicable Standards, including but not limited to those set forth in this chapter and in the following documents:

• Card Design Standards
• Card Production Physical Security Requirements
• Card Production Logical Security Requirements
• Security Requirements for Mobile Payment Provisioning

The Card Production Physical Security Requirements and the Card Production Logical Security Requirements documents are available on the Payment Card Industry Security Standards Council (PCI SSC) website under the Card Production tab at www.pcisecuritystandards.org/security_standards/documents.php.

An Issuer that uses a Card production vendor to produce Cards on its behalf must also comply with the Standards set forth in section 2.4 of this manual.

It is recommended that an Issuer that issues and/or personalizes Cards onsite at a bank branch, retail store, or other location outside of a Card production vendor facility refer to the Security Guidelines for Instant Card Issuance and Instant Card Personalization manual for information relating to the secure issuance of Cards and protection of Cardholder data at such locations.

Card production activities subject to compliance with these Standards include, by way of example and not limitation, the treatment and safeguarding of Cards, Card manufacture, printing, embossing, encoding, and mailing, as well as any phase of the production and distribution of Cards or Card account information.

    Refer to Appendix C of this manual for detailed descriptions of Card production activities.

    2.2 Monitoring of Personnel

Where permissible by law, Issuers must conduct credit and criminal record checks for all personnel handling embossed or unembossed Cards, including part-time and temporary personnel.

In addition, where permissible by law, Issuers may not employ such personnel with one or more known criminal convictions, high credit risk backgrounds, or both, in Card storage and processing areas.

Issuers also may not allow such personnel access to account numbers, embossed or unembossed Cards, or embossing or encoding equipment, nor may they engage such personnel in security or waste processing work.


2.3 Contracting with Card Registration Companies

A card registration company (“Company”) is any entity that stores Card account numbers and, upon notification by the Cardholder, reports the loss or theft of the Card(s) to the Issuer(s).

Any Issuer having a contractual agreement with a Company pursuant to which the Company registers that Issuer’s Cardholder account numbers must ensure that the contract includes the following obligations on the part of the Company:

• The Company shall maintain any Cardholder information, including, without limitation, names, addresses, phone numbers, and account numbers in strictest confidence and disclose them only to the Issuer. The Company shall keep any media containing this type of information in an area limited to selected personnel having access on a need-to-know basis. Before discarding such media, the Company shall destroy it in a manner that will render the data unreadable.

• The Company shall control and limit access to account numbers stored in a computer environment by establishing procedures that must include, but are not limited to, a password system for computer remote terminal (CRT) access and control over dial-up lines or any other means of access.

• The Company may not use the name of Mastercard in any promotion or advertising, except as provided by a contractual agreement with the Issuer for purposes of soliciting and providing services to the Issuer’s Cardholders. Mastercard reserves the right to approve any such materials.

• The Company must maintain a 24-hours-per-day, seven-days-per-week service to receive Cardholder reports on lost or stolen Cards. The Company shall transmit each report immediately and in any event no later than two hours after receiving the report, by the most expeditious means, for example, phone or fax, to the appropriate Issuer.

At a minimum, the notification must include:

– Account number
– Issuer’s name
– Cardholder’s name, address, and phone number
– Phone number where the Cardholder can be reached
– Whether the Card was lost or stolen
– Time and location of the reported loss or theft

• The Company shall report any loss or theft of Cardholder information, whether due to act or omission, to Mastercard and to the Issuer with which it has a contract within 24 hours of discovery of the loss or theft.

• The Company must convey a Cardholder request for a replacement Card to the Issuer.

• The contract must include an indemnification clause holding Mastercard, its officers, its directors and employees, its Customers, and the Issuer having the contract with the Company not liable for any loss or damage claimed by or on behalf of the Cardholder, Issuer, or other person or entity alleged to be attributable to the Company’s failure to properly provide the services described in the contract or failure to safeguard account information.

• The Company must be covered by liability, fidelity, fire, and theft insurance and must have a disaster recovery plan to ensure continuity of services in the event of natural or other events that disrupt or threaten to disrupt service unless otherwise agreed to in writing by Mastercard. Coverage must be reasonable and adequate in consideration of the nature and volume of work performed, the plant location, physical condition, and security of the plant, and the number and duties of employees.

• The Company must comply with all applicable laws, rules, and regulations, including, without limitation, consumer protection laws, applicable to the services offered and performed by the Company.

    2.4 Working with Vendors

Before employing the services of a vendor to perform any of the Card production services described in Appendix C of this manual, a Customer must ensure that the vendor has been certified by Mastercard under the Global Vendor Certification Program (GVCP).

Prior to certification and annual recertification of a vendor facility under the GVCP, Mastercard conducts an on-site audit of the facility to evaluate its compliance with the applicable physical, logical, and mobile payment provisioning security Standards set forth in the following documents:

• Card Production Physical Security Requirements
• Card Production Logical Security Requirements
• Security Requirements for Mobile Payment Provisioning

The Card Production Physical Security Requirements and the Card Production Logical Security Requirements documents are available on the PCI SSC website under the Card Production tab at www.pcisecuritystandards.org/security_standards/documents.php.

A certified vendor facility is issued a compliance certification, which is subject to annual renewal provided the vendor facility remains in good standing. The “List of Certified Vendors,” as published monthly in the Global Security Bulletin, contains the name of each vendor facility then certified and a description of the specific services that the facility is authorized to perform.

Any agreement between an Issuer and a vendor for Card production services should contain terms stating that the vendor agrees to safeguard and control usage of account data and to comply with all applicable Standards then in effect, including but not limited to those set forth in section 2.4 and in the Card Design Standards manual.

    For more information about the GVCP, contact Mastercard by sending an email to [email protected].


2.4.1 Order Request Required to Produce Cards

No vendor may print or manufacture any Card, sample, or facsimile, on plastic or any other material, except in response to a specific order from a Customer or from Mastercard. A Customer may order Cards by using the Card Order Request (Form 488), available in the Library section of Mastercard Connect™, or an equivalent document that provides the same information.

Form 488 (or an equivalent document) must be completed and retained by the vendor and Customer, and must be made available to Mastercard upon request.

Mastercard reserves the right to request, from time to time, Card samples for review, and will communicate any such request via the Submit a Card Design Request (Manufacturer) process on Mastercard Connect™.

    2.4.2 Stockpiling Plastics

An Issuer may not encourage a vendor to stockpile plastics or Cards or use a vendor known to engage in the practice of stockpiling plastics or Cards. Stockpiling is the practice of manufacturing excess plastics or Cards in anticipation of future orders from Customers.

    2.5 Cards Without Personalization

A Customer must not send “unfinished” Cards (as used herein, “unfinished” means a Card that has not yet been personalized with a primary account number [PAN] or expiration date) via the mail. Unfinished Cards must be shipped via secure shipping methods as described in the Card Production Physical Security Requirements. In the rare event that rapid delivery is required and secure shipping methods are infeasible, the Issuer may use an express courier service that provides shipment tracking, recipient authentication, and receipt confirmation for the shipment of no more than 500 unfinished Cards per day.

    2.6 Card Count Discrepancies

Upon receiving a shipment of Cards, the Issuer must verify that the correct Card quantity was delivered and take immediate action to resolve any Card count discrepancy and recover any missing Cards. The Issuer may use the Card count noted on each sealed carton in the Card count verification. Sealed cartons may also be opened at random, audited, and resealed. All open cartons and all sealed cartons with no Card count noted on the carton must have the contents counted.

    2.7 Reporting Card Loss or Theft

Within 24 hours of discovery, a Customer must report to Mastercard the suspected or confirmed loss or theft of any Cards while in transit from a vendor or in the Customer’s possession. The report must be sent via email to [email protected] and contain the following information:

• Issuer name and Member ID/ICA number
• Card type and quantity
• With respect to the loss or theft of Cards while in transit from a vendor:
  – The vendor name
  – The location from which the Cards were shipped
  – The date and method of shipment
  – The address to which the Cards were shipped
• Pertinent details about the loss and the investigation
• Name and phone number of contact for additional information
• Name and phone number of person reporting the loss or theft

    2.8 Disposition of Unissued Cards and Account Information

A Customer that ceases to issue Cards must promptly destroy or otherwise properly dispose of all unissued Cards and all media containing Card Account information.


Chapter 3 Card and Access Device Design Standards

This chapter may be of particular interest to Issuers and vendors certified by Mastercard responsible for the design, creation, and control of Cards. It provides specifications for all Mastercard, Maestro, and Cirrus Card Programs worldwide.

3.1 Principles of Standardization ..... 21
3.2 Mastercard Account Number ..... 21
3.3 Maestro and Cirrus Account Numbers ..... 22
3.4 Signature Panel ..... 22
3.5 Magnetic Stripe or Mastercard HoloMag Encoding ..... 22
3.5.1 Card Validation Code 1 (CVC 1) ..... 23
3.5.2 Service Code ..... 23
3.5.3 Cardholder Name ..... 23
3.5.4 Expiration Date ..... 24
3.6 Chip Cards ..... 25
3.6.1 Chip Card Applications ..... 26
3.6.1.1 Compliance Assessment and Security Testing ..... 26
3.6.1.2 Integrated Circuit Chip Providers ..... 27
3.6.2 Multiple Application Chip Cards ..... 27
3.6.3 Use of M/Chip Card Application Specifications ..... 27
3.7 Contactless Cards and Payment Devices ..... 27
3.8 Mobile Payment Devices ..... 28
3.9 Consumer Device Cardholder Verification Methods ..... 29
3.9.1 Mastercard Qualification of Consumer Device CVMs ..... 29
3.9.2 CDCVM Functionality ..... 30
3.9.3 Persistent Authentication ..... 30
3.9.4 Prolonged Authentication ..... 31
3.9.5 Maintaining Mastercard-qualified CVM Status ..... 31
3.9.6 Issuer Responsibilities ..... 31
3.9.7 Use of a Vendor ..... 32
3.10 Card Validation Code (CVC) ..... 32
3.10.1 Issuer Requirements for CVC 1 ..... 33
3.10.2 Issuer Requirements for CVC 2 ..... 33
3.10.3 Issuer Requirements for CVC 3 ..... 34
3.10.4 Acquirer Requirements for CVC 2 ..... 34
3.10.5 CVC Calculation Methods ..... 34
3.11 Service Codes ..... 36

3.11.1 Issuer Information ..... 36
3.11.2 Acquirer Information ..... 37
3.11.3 Valid Service Codes ..... 37
3.11.4 Additional Service Code Information ..... 38

3.1 Principles of Standardization

All Cards must be usable in all standard magnetic stripe Card-reading devices, and if a chip is present, in all hybrid terminals and devices, so that the electronic interchange of Transaction data is possible.

All embossed Cards must be usable in all standard imprinters—the embossed information must produce a clear imprint and comply with all positioning and type font Standards.

All Cards containing a chip must be EMV-compliant. Such Cards are called Chip Cards. All Chip Cards must have a single primary application defined by Mastercard that resides on the chip and on the magnetic stripe; the Account information appearing on the Card front must be for the primary application resident on the magnetic stripe. No Payment Application resident on the chip of a Card issued in the Asia/Pacific Region, Middle East/Africa Region, or United States Region may have a higher application priority than the Card’s primary application.

All Payment Applications on a Chip Card must have a valid date (if applicable) and expiration date within or the same as the dates present on the Card front. The valid dates appearing on the Card front must be those of the primary application on the Card.

NOTE: A Hybrid Point-of-Sale (POS) Terminal can read both magnetic-stripe and chip Transactions and must be EMV-compliant, as set forth in section 4.8 of this manual.

NOTE: In 1996, Europay (now a wholly owned subsidiary of Mastercard and renamed Mastercard Europe SA), Mastercard, and Visa developed Standards for integrated circuit Cards (ICCs), terminals, and applications. EMVCo, LLC, established in 1999, is the organization that oversees and maintains the EMV specifications.

All Issuers must comply with the Card Design Standards, available on Mastercard Connect™, including but not limited to requirements relating to the following:

• Physical Card materials, dimensions, and measurements for the Card's embossing, magnetic stripe, chip, Marks, and other Card features
• Card design
• Use of Card activation and selective authorization disclosure stickers.

    3.2 Mastercard Account Number

The primary account number (PAN) of a Mastercard Account must be 16 digits in length. The PAN includes the Issuer’s bank identification number (BIN), the Issuer-assigned portion of the Account number, and a check digit calculated using the Luhn Formula for Computing Modulus 10 (“Double-Add-Double”) Check Digit. A Mastercard Account PAN begins with a BIN in the range of 222100 to 272099 or 510000 to 559999. A Mastercard Account must use a Mastercard-assigned BIN.


3.3 Maestro and Cirrus Account Numbers

The PAN of a Maestro Account or Cirrus Account must be no less than 12 numeric digits and no more than 19 numeric digits in length. The PAN includes the Issuer identification number (IIN, or BIN), the Issuer-assigned portion of the Account number, and a check digit calculated using the Luhn Formula for Computing Modulus 10 (“Double-Add-Double”) Check Digit.

A Customer may request Mastercard to assign a BIN for Maestro and Cirrus Cards. Mastercard does not allow a Maestro program to be added to a BIN which is not assigned by Mastercard or verified as having been assigned to the Issuer under International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 7812 (Identification cards—Identification of issuers). In the event of any dispute relating to ISO/IEC BIN assignments, it is the Issuer’s responsibility to resolve that conflict with the ISO.
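The following Python is added here as a worked example of sections 3.2 and 3.3; it is not code from the manual or from Mastercard. It computes and verifies the Luhn (“double-add-double”) check digit, flags a Mastercard PAN whose length is not 16 or whose six-digit BIN falls outside 222100 to 272099 and 510000 to 559999, and for a Maestro or Cirrus PAN checks only the 12 to 19 digit length and the check digit, because the manual requires a Mastercard-assigned BIN but gives no numeric range to test against. The function names are the example's own and every PAN used is a constructed test value, not a real account.

```python
# Added example (not from the Mastercard manual): Luhn "double-add-double"
# check digit plus the PAN length and BIN-range rules of sections 3.2 and 3.3.
# All PANs used below are constructed test values, not real accounts.

MASTERCARD_BIN_RANGES = ((222100, 272099), (510000, 559999))   # section 3.2


def luhn_check_digit(partial: str) -> str:
    """Check digit for a numeric string that does not yet carry one.

    Walking from the right, double every other digit starting with the
    rightmost (it will sit next to the check digit), subtract 9 from any
    product above 9, sum everything, and choose the digit that makes the
    total a multiple of 10.
    """
    if not partial.isdigit():
        raise ValueError("PAN must be numeric")
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the rest."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == pan[-1]


def bin_in_mastercard_range(pan: str) -> bool:
    """True when the leading six digits fall in a Mastercard BIN range."""
    bin6 = int(pan[:6])
    return any(lo <= bin6 <= hi for lo, hi in MASTERCARD_BIN_RANGES)


def check_mastercard_pan(pan: str) -> list:
    """Rule violations for a Mastercard Account PAN (empty list means it passes)."""
    if not pan.isdigit():
        return ["PAN must be numeric"]
    problems = []
    if len(pan) != 16:
        problems.append(f"length {len(pan)}, must be 16")
    if len(pan) < 6 or not bin_in_mastercard_range(pan):
        problems.append(f"BIN {pan[:6]} outside 222100-272099 and 510000-559999")
    if not luhn_valid(pan):
        problems.append("Luhn check digit mismatch")
    return problems


def check_maestro_cirrus_pan(pan: str) -> list:
    """Rule violations for a Maestro or Cirrus PAN: 12-19 digits, Luhn-valid.

    Section 3.3 requires a Mastercard-assigned BIN but states no numeric
    range, so no BIN check is attempted here (assumption of this example).
    """
    if not pan.isdigit():
        return ["PAN must be numeric"]
    problems = []
    if not 12 <= len(pan) <= 19:
        problems.append(f"length {len(pan)}, must be 12-19")
    if not luhn_valid(pan):
        problems.append("Luhn check digit mismatch")
    return problems


if __name__ == "__main__":
    for pan in ("5555555555554444", "2221000000000009", "4111111111111111",
                "5555555555554443", "675900000000"):
        print(pan, check_mastercard_pan(pan), check_maestro_cirrus_pan(pan))
```

A BIN-range miss means the PAN is not a Mastercard Account and is a routing question; a Luhn failure is almost always a keying or transmission error. Neither is evidence of fraud, and neither replaces CVC or chip cryptogram verification, which the later sections of this chapter cover.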

    3.4 Signature Panel

Upon issuance or reissuance, an Issuer must include written notice to all Cardholders to sign all Cards immediately when received and before initial use. Only the authorized Cardholder (the person whose name appears on the Card) may sign the signature panel on the Card back. The name signed by the authorized Cardholder must match the name that appears on the Card, regardless of the language used by the Cardholder to sign his or her name. The Issuer must state this as a condition of Card use. (The vehicle-assigned Mastercard Corporate Fleet Card is exempt from this requirement.)

    3.5 Magnetic Stripe or Mastercard HoloMag Encoding

The specifications for the physical and magnetic characteristics of the magnetic stripe on Cards must comply with ISO/IEC 7813 (Information technology—Identification cards—Financial transaction cards). Production of Card plastics with low coercivity magnetic tape is prohibited. Alternatively, the Issuer may use Mastercard HoloMag™ in place of the magnetic stripe.

The Issuer of a Mastercard Card must ensure that the encoded magnetic stripe contains Track 1 and Track 2 data, and also includes the information specified in this chapter.

For a Maestro Card or Cirrus Card, only the encoding of Track 2 data is required; the encoding of Track 1 data is optional. If Track 3 is encoded, the encoding must comply with ISO/IEC 4909 (Identification cards—Financial transaction cards—Magnetic stripe data content for Track 3).

An Acquirer must transmit the full unedited magnetic stripe data with each magnetic stripe-based electronically authorized Transaction.

NOTE: The transmission of the entire contents of Track 1 or Track 2 data must be unaltered and unedited, and cannot be truncated.

    Card and Access Device Design Standards: 3.3 Maestro and Cirrus Account Numbers

    ©1991–2017 Mastercard. Proprietary. All rights reserved. Security Rules and Procedures • 28 February 2017 • 22

    3.5.1 Card Validation Code 1 (CVC 1)

    Track 1 and Track 2 of the magnetic stripe must be encoded with a CVC 1 value. Refer to section 3.10.5 of this manual for Card validation code requirements, calculation methods, and verification data.

    3.5.2 Service Code

    Track 1 and Track 2 of the magnetic stripe must contain an encoded three-digit service code value. Refer to section 3.11 of this manual for service code usage requirements.

    3.5.3 Cardholder Name

    NOTE: The Cardholder’s name must be present in the Account Information Area and encoded on the magnetic stripe.

    The encoded Cardholder Name field in Track 1 is a variable length, alphanumeric field, with a maximum length of 26 characters within (up to) three subfields. Due to the variable length of the field, the starting position of each remaining field depends on the ending position of the Cardholder name. The Cardholder Name and Content Format table shown in Appendix A defines the specifications for encoding the Cardholder name on the magnetic stripe.

    NOTE: Characters “%”, “^”, and “?” cannot be used in the Cardholder Name field, because they are used only for specified encoding purposes.

    Use the following specifications to encode the Cardholder name on the magnetic stripe of all Cards:

    • If the Card is a Mastercard Corporate Card product, the Cardholder name encoded on Track 1 and the name present in the Account Information Area should be the same, although the formats are different.

    For example:

    BROWN/ROBERT S

    • Issuers engaged in the instant issuance and/or instant personalization of Cards under the Mastercard Unembossed or Mastercard Electronic Programs or the issuance of non-personalized prepaid Cards must ensure that when a Program name appears on the Card front in place of the Cardholder name, the same Program name is also encoded in the Cardholder Name field in Track 1.

    • The magnetic stripe may encode a Cardholder’s title, such as Dr., Sir, or Mrs. A separator period (.) must precede the title.

    For example:

    BROWN/ROBERT S.DR

    • If two Cardholder names are present in the Account Information Area on the same Card, encode in any of the following four formats:

    BROWN/ROBERT S or


    BROWN/AGNES T or

    BROWN/ROBERT AGNES or

    BROWN/ROBERT S.MR MRS

    • If a Card has a company name present in the Account Information Area, in addition to a Cardholder name, encode the Cardholder name.

    For example:

    Present in the Account Information Area: ROBERT S. BROWN

    ALPHA COMPANY

    Encoded on the magnetic stripe: BROWN/ROBERT S

    NOTE: The subfields surname, initials or first name, and title may contain spaces. For example:

    Present in the Account Information Area: RT REV ROBERT J SMITH

    Encoded on the magnetic stripe: SMITH/ROBERT J.RT REV
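    The name-field rules above (the surname, given-name and title subfields, the 26-character limit, the reserved characters, and the way a longer name shifts the start of every later field) as an added Python example. This is not code from the manual or from Mastercard; the layout it assumes (surname, then "/", then given names or initials, then "." and the title) is taken from the section's own examples, and the sample Track 1 string is constructed with an all-zero PAN.

```python
"""Cardholder Name field helpers for Track 1 (section 3.5.3).

Added example, not the manual's or Mastercard's code. Layout assumed from the
section's examples: SURNAME/GIVEN.TITLE. The PAN in the sample track is zeros.
"""

MAX_NAME_LEN = 26          # maximum length of the Cardholder Name field
RESERVED = set("%^?")      # Track 1 start sentinel, field separator, end sentinel


def build_name_field(surname, given="", title=""):
    """Assemble SURNAME/GIVEN.TITLE, raising ValueError on a section 3.5.3 violation."""
    if not surname:
        raise ValueError("surname is required")
    for part in (surname, given, title):
        bad = RESERVED & set(part)
        if bad:
            raise ValueError(f"reserved character(s) {''.join(sorted(bad))!r} in name")
    field = surname
    if given or title:
        field += "/" + given          # "/" separates surname from given names or initials
    if title:
        field += "." + title          # a separator period must precede the title
    if len(field) > MAX_NAME_LEN:
        raise ValueError(f"field is {len(field)} characters; maximum is {MAX_NAME_LEN}")
    return field


def parse_name_field(field):
    """Split an encoded field into (surname, given, title); subfields may contain spaces."""
    surname, _, rest = field.partition("/")
    given, _, title = rest.partition(".")
    return surname, given, title


def locate_name_field(track1):
    """Return (name, expiry_yymm) from a format-B Track 1 string.

    The name is the second "^"-delimited field, so the start of the expiration date
    (first four characters of the third field) moves with the length of the name.
    """
    if not (track1.startswith("%B") and track1.endswith("?")):
        raise ValueError("not a format-B Track 1 string")
    parts = track1[2:-1].split("^")
    if len(parts) != 3:
        raise ValueError("Track 1 must contain exactly two '^' separators")
    _pan, name, trailer = parts
    return name, trailer[:4]


# Constructed sample track: all-zero PAN, name from the manual's example, expiry 4912.
SAMPLE_TRACK1 = "%B0000000000000000^BROWN/ROBERT S.DR^49121010000000000000?"

if __name__ == "__main__":
    print(build_name_field("SMITH", "ROBERT J", "RT REV"))   # SMITH/ROBERT J.RT REV
    print(locate_name_field(SAMPLE_TRACK1))                  # ('BROWN/ROBERT S.DR', '4912')
```

    Rejecting the three reserved characters before personalization matters because a "^" or "?" inside the name would be read by a terminal as the end of the name or of the track, shifting or truncating the expiration date and service code that follow it.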

    3.5.4 Expiration Date

    The following requirements apply for the encoded expiration date:

    • The Card-read stripe must include the encoded Account’s expiration date. Acceptable expiration date values are the following:

      Year 00–99
      Month 01–12

    • The format for the encoded expiration date is YYMM to comply with ISO/IEC specifications.

    • The encoded expiration date on Track 1 must be the same as the expiration date encoded on Track 2 and present in the Account Information Area.

    • Do not encode the start date for dual dating, except as part of the Discretionary Data field on Track 1 and Track 2 of the magnetic stripe.

    A Maestro or Cirrus Card must not use a maximum validity period of more than 20 years from the date of issuance or, for non-expiring Cards, the designated default value of 4912 (December 2049) must be used. For a Maestro or Cirrus Card issued in the Europe Region and using the Europay Security Platform (ESP) PIN Verification Value (PVV), the maximum validity period is the current year plus four (effectively a five-year validity period).

    The expiration date of a Chip Card must not exceed the expiration date of any of the certificates contained within the chip. In the case of a non-expiring Chip Card:


    1. The settings within the chip must force every Transaction online for authorization or decline the Transaction if online authorization is not possible;

    2. The Chip Card must not contain an offline Card Authentication Method (CAM) certificate; and

    3. The Issuer must utilize full EMV processing.
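    The expiration-date rules of this section (YYMM format with year 00–99 and month 01–12, agreement between Track 1, Track 2 and the Account Information Area, the 20-year Maestro/Cirrus limit with the 4912 default for non-expiring Cards, the Europe Region ESP PVV limit, and the rule that a Chip Card must not outlive its certificates) as an added Python example. It is not code from the manual or from Mastercard. Assumptions: a two-digit year YY is read as 20YY, "current year" in the ESP PVV rule is taken to be the year of issuance, and the issuing month counts as month zero of the validity period.

```python
"""Encoded expiration date checks from section 3.5.4.

Added example, not the manual's or Mastercard's code. Assumptions: YY maps to
20YY; "current year" for the Europe Region ESP PVV rule is the year of issuance;
the issuing month is month zero of the validity period.
"""

NON_EXPIRING_DEFAULT = "4912"     # December 2049, the designated default value
MAX_VALIDITY_MONTHS = 20 * 12     # Maestro/Cirrus: no more than 20 years from issuance
ESP_PVV_EXTRA_YEARS = 4           # Europe Region ESP PVV: current year plus four


def parse_yymm(yymm):
    """Return (year, month) for a YYMM value, raising ValueError for bad values."""
    if len(yymm) != 4 or not yymm.isdigit():
        raise ValueError(f"expiration date {yymm!r} is not four digits")
    year, month = 2000 + int(yymm[:2]), int(yymm[2:])   # assumption: 20YY
    if not 1 <= month <= 12:
        raise ValueError(f"month {yymm[2:]} is outside 01-12")
    return year, month


def _month_index(year, month):
    """Months since year 0, so that date differences are simple subtractions."""
    return year * 12 + (month - 1)


def check_maestro_expiry(yymm, issue_year, issue_month, europe_esp_pvv=False):
    """Return a list of rule violations (empty when compliant) for a Maestro or Cirrus Card."""
    year, month = parse_yymm(yymm)
    violations = []
    if yymm != NON_EXPIRING_DEFAULT:
        validity = _month_index(year, month) - _month_index(issue_year, issue_month)
        if validity > MAX_VALIDITY_MONTHS:
            violations.append("validity period exceeds 20 years from the date of issuance")
    if europe_esp_pvv and year > issue_year + ESP_PVV_EXTRA_YEARS:
        violations.append("ESP PVV Card expires after the current year plus four")
    return violations


def tracks_consistent(track1_yymm, track2_yymm, account_information_area_yymm):
    """Track 1, Track 2 and the Account Information Area must carry the same date."""
    return track1_yymm == track2_yymm == account_information_area_yymm


def chip_expiry_ok(card_yymm, certificate_yymms):
    """A Chip Card must not expire later than any certificate held on the chip."""
    card = _month_index(*parse_yymm(card_yymm))
    return all(card <= _month_index(*parse_yymm(c)) for c in certificate_yymms)


if __name__ == "__main__":
    print(check_maestro_expiry("3703", 2017, 2))      # one violation: exceeds 20 years
    print(check_maestro_expiry("4912", 2017, 2))      # [] (non-expiring default)
```

    The checks return reasons rather than a bare boolean so that a personalization pipeline can log which rule a batch failed; the date arithmetic works in whole months because YYMM carries no day.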

    3.6 Chip Cards

    Chip Cards, also known as integrated circuit or smart Cards, are credit or debit Cards containing computer chips with memory and interactive capabilities and can be used to identify and store additional data about the Cardholder, Cardholder account, or both. Chip Cards may have contact functionality or both contact and contactless functionality.

    Issuers of Chip Cards must comply with all applicable Standards, including but not limited to the Standards set forth in the M/Chip Requirements manual and other M/Chip documentation, and with the EMV specifications.

    The Issuer of a Chip Card must implement M/Chip as the EMV payment application on the Card, in accordance with a current M/Chip Card application specification.

    A contact Chip Card may be issued or re-issued under an online-only Card Program (herein, an “online-only contact chip Card”). An online-only contact chip Card is configured to always require a POS Terminal to obtain online authorization from the Issuer for a contact chip Transaction.

    The Issuer of a contact Chip Card must perform an online Card authentication method (online CAM) for each online-authorized contact Chip Transaction by validating the Authorization Request Cryptogram (ARQC) contained in the Authorization Request/0100 or Financial Transaction Request/0200 message and populating DE 55, including an Authorization Response Cryptogram (ARPC), in the Authorization Request Response/0110 or Financial Transaction Request Response/0210 message. Alternatively, if the Issuer’s host system does not support ARQC validation, the Issuer must be enrolled in the Mastercard M/Chip Cryptogram Pre-Validation Service.

    The following requirements apply to any Chip Card configured to support offline authorization.

    Column (1): Support of Dynamic Data Authentication (DDA) is required and Static Data Authentication (SDA) must not be supported for Chip Cards issued on or after…
    Column (2): Support of Combined Data Authentication (CDA) is required for Chip Cards issued on or after…

    In this region…                            (1)                         (2)
    Asia/Pacific Region                        16 October 2015             1 January 2017
    Canada Region                              16 October 2015             1 January 2017
    Europe Region                              1 January 2011              1 January 2016
    Latin America and the Caribbean Region     16 October 2015             16 October 2015
    Middle East/Africa Region                  16 October 2015             1 January 2017
    United States Region                       Applies to all Chip Cards   1 January 2017

    The following requirements apply in all Regions:

    • Chip Cards supporting SDA as an offline CAM must expire or be replaced as of 1 January 2020; and

    • Chip Cards supporting DDA as the only offline CAM must expire or be replaced as of 1 January 2022.

    NOTE: Issuers must define their priority of PIN verification methods within the chip. Offline PIN verification is recommended as the first priority.

    3.6.1 Chip Card Applications

    All Payment Applications must be type-approved by Mastercard, prior to Chip Card production. Furthermore, the composition of the chip, operating system (if present), and the EMV application must have successfully passed a Compliance Assessment and Security Testing (CAST) security evaluation.

    Issuers must define within the chip the preferred verification method for Point-of-Interaction (POI) Transactions. A non-Customer that personalizes Payment Applications acts on behalf of the Card Issuer and must conform to Mastercard security Standards.

    Issuers using M/Chip 4 should refer to the M/Chip Personalization Data Specifications and Profiles and the M/Chip 4 Version 1.1 Issuer Guide to Debit and Credit Parameter Management for more information.

    Issuers using M/Chip Advance should refer to the M/Chip Advance Personalization Data Specifications and the M/Chip Advance—Issuer Guide for more information.

    3.6.1.1 Compliance Assessment and Security Testing

    Mastercard has established the CAST process to assist its Issuers in promoting the continuous improvement of security Standards for the implementation of all Chip Cards by Mastercard. Issuers may only issue Chip Cards that have been certified under the CAST process and appear on the CAST Approved Products list (Chip Cards that have undergone a successful evaluation against the CAST Security Guidelines using a recognized evaluation laboratory). Cards will typically remain on the CAST Approved Products list for three years from the evaluation date.

    Prior to Chip Card production, purchase, and distribution, Issuers must confirm with their vendor(s) that the Chip Card will be on the CAST Approved Products list over the intended period of issuance and adjust their procurement quantities accordingly.

    For information regarding CAST, refer to the Compliance Assessment and Security Testing Program manual or contact the Chip Help Desk at [email protected].

    3.6.1.2 Integrated Circuit Chip Providers

    An Issuer must obtain all EMV chips for embedding on a Card from an EMV chip manufacturer that has been approved in advance by Mastercard.

    Mastercard publishes a list of approved EMV chip manufacturers periodically in a Global Security Bulletin. For more information, contact the Chip Help Desk at [email protected].

    3.6.2 Multiple Application Chip Cards

    Any Card Program may reside on a chip, and any combination of Card Programs may reside together on a single Chip Card. All credit, debit, charge, and stored-value applications residing on a single Chip Card must be offered by, and are the responsibility of, the Card Issuer.

    Additionally, all other applications stored on a Chip Card by any Issuer, or any other party at an Issuer’s request, must conform to all relevant technical specifications of Mastercard or its agent.

    3.6.3 Use of M/Chip Card Application Specifications

    Chip Card products that incorporate any implementation of the Mastercard M/Chip Card application specifications may only be used on Mastercard, Maestro, and Cirrus Cards and Access Devices, unless otherwise agreed in writing by Mastercard.

    The M/Chip Card application specifications are available on Mastercard Connect™ in the Chip Information Center.

    3.7 Contactless Cards and Payment Devices

    Cardholder Name

    Mastercard prohibits the encoding of the Cardholder name in the contactless chip of a contactless-enabled Card ("Contactless Card") or Contactless Payment Device that allows such information to be transmitted via the radio frequency (RF) contactless interface. This restriction applies to all newly issued and re-issued contactless-enabled Cards and Contactless Payment Devices.


    Online CAM

    The Issuer of a Contactless Card or Contactless Payment Device must perform an online CAM for each online-authorized EMV Mode Contactless Transaction by validating the Authorization Request Cryptogram (ARQC) contained in the Authorization Request/0100 or Financial Transaction Request/0200 message. Alternatively, if the Issuer's host system does not support ARQC validation, the Issuer must be enrolled in the Mastercard M/Chip Cryptogram Pre-Validation Service.
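    The online CAM exchange required here and in section 3.6 for contact Chip Cards (the chip computes an ARQC over the Transaction data, the Issuer host recomputes and validates it, and the host answers with an ARPC bound to its response code) as an added Python example showing both sides. This is not code from the manual or from Mastercard. Real EMV cryptograms are ISO 9797-1 MACs under 3DES or AES session keys derived from the card's master key; this model substitutes a truncated HMAC-SHA256 so it runs with the standard library, the per-card key is constructed, and the field list MACed over is a simplification of the EMV minimum data set.

```python
"""Issuer-side online CAM exchange (sections 3.6 and 3.7), modelled end to end.

Added example, not the manual's or Mastercard's code. EMV uses ISO 9797-1 MACs
under 3DES/AES session keys; HMAC-SHA256 truncated to 8 bytes stands in here.
"""
import hashlib
import hmac

CARD_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed; shared by chip and host
CRYPTOGRAM_LEN = 8                                              # ARQC/ARPC length in bytes


def cryptogram_input(amount_minor, currency_code, atc, unpredictable_number, tvr_hex):
    """Serialize the Transaction fields both sides MAC over, in a fixed order.

    The ATC (the card's transaction counter) and the terminal's unpredictable number
    make each ARQC unique, so a cryptogram captured once does not validate for a
    later Transaction.
    """
    return (amount_minor.to_bytes(6, "big")
            + currency_code.to_bytes(2, "big")
            + atc.to_bytes(2, "big")
            + unpredictable_number.to_bytes(4, "big")
            + bytes.fromhex(tvr_hex))


def card_generate_arqc(key, fields):
    """Chip side: the ARQC carried in DE 55 of the Authorization Request/0100."""
    return hmac.new(key, cryptogram_input(*fields), hashlib.sha256).digest()[:CRYPTOGRAM_LEN]


def issuer_validate_arqc(key, fields, arqc):
    """Issuer host: recompute the ARQC from the request data; compare in constant time."""
    return hmac.compare_digest(card_generate_arqc(key, fields), arqc)


def issuer_generate_arpc(key, arqc, arc):
    """Issuer host: the ARPC binds the response code (ARC) to the ARQC it answers."""
    return hmac.new(key, arqc + arc.encode("ascii"), hashlib.sha256).digest()[:CRYPTOGRAM_LEN]


def issuer_authorize(key, fields, arqc):
    """Return (ARC, ARPC) for DE 55 of the Authorization Request Response/0110.

    ARC "00" approves; "05" declines when the cryptogram does not validate.
    """
    arc = "00" if issuer_validate_arqc(key, fields, arqc) else "05"
    return arc, issuer_generate_arpc(key, arqc, arc)


def card_verify_arpc(key, arqc, arc, arpc):
    """Chip side: confirm the response came from the Issuer and the ARC was not altered."""
    return hmac.compare_digest(issuer_generate_arpc(key, arqc, arc), arpc)


if __name__ == "__main__":
    # Constructed Transaction: EUR 10.00, ATC 42, a terminal unpredictable number, TVR clear.
    fields = (1000, 978, 42, 0x1A2B3C4D, "0000000000")
    arqc = card_generate_arqc(CARD_KEY, fields)
    arc, arpc = issuer_authorize(CARD_KEY, fields, arqc)
    print(arc, card_verify_arpc(CARD_KEY, arqc, arc, arpc))   # 00 True
```

    The point the model makes is the one the rule protects: an Issuer that does not validate the ARQC (and is not enrolled in the Pre-Validation Service) has no cryptographic evidence that the chip was present, and an ARPC tied to the ARC lets the chip detect a response whose approval code was changed in transit.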

    Offline CAM

    A Contactless Card or Contactless Payment Device with M/Chip functionality must not support SDA as the offline CAM, and must support CDA as the offline CAM, as follows:

    • Asia/Pacific, Canada, Latin America and the Caribbean, and Middle East/Africa Regions—CDA must be supported unless the Card or Access Device is configured for online-only authorization of Contactless Transactions. Effective 1 October 2017, CDA must be supported for all newly issued and reissued Cards and Access Devices.

    • Europe Region—CDA must be supported for all Cards and Access Devices.

    • United States Region—CDA and both online and offline authorization must be supported for all Cards and Access Devices.

    Refer to the M/Chip Requirements for additional details.

    3.8 Mobile Payment Devices

    There is no limitation on the type of account that may co-reside on the same Mobile Payment Device user interface, so long as such accounts are not linked, but rather exist independently and are accessed by a separate and distinct Payment Application hosted on the same or different user interfaces.

    Mobile Payment Devices may support Mastercard contactless payment and/or Digital Secure Remote Payment (DSRP) functionality. If an Issuer chooses to add this functionality to a Secure Element (SE)-based Mobile Payment Device, the application software, personalization data, and all other aspects of the functionality must comply with the requirements set forth in the Standards, including but not limited to the following as may be published by Mastercard from time to time:

    • Mobile Mastercard PayPass User Interface Application Requirements,
    • M/Chip Mobile Issuer Implementation Guide v1.1,
    • the contactless branding Standards, and
    • any other applicable technical specifications.

    For Mobile Payment Devices supporting Mastercard contactless payment or DSRP functionality that do not use an SE, Issuers should refer to the Mastercard Cloud-Based Payment (MCBP) documentation.

    Issuers should also refer to the mobile payment security guidelines set forth in the Security Guidelines for Mobile Payment Solutions.


    The SE must be CAST-approved and have received a mobile payment certificate number (MPCN). Issuers may choose a CAST-approved SE (with corresponding MPCN) from the list published on Mastercard Connect. The Mobile Payment Device itself does not undergo a CAST approval. Prior to issuance of the SE-based Mobile Payment Device, the Payment Application must also pass the functional and security testing program, for which a letter of approval will be issued by Mastercard.

    For information regarding CAST, refer to the Compliance Assessment and Security Testing Program manual. For information regarding a letter of approval, refer to the M/Chip Mobile Issuer Implementation Guide v1.1.

    3.9 Consumer Device Cardholder Verification Methods

    Consumer authentication technologies used on consumer devices, such as personal computers, tablets, mobile phones, and watches, are designed to verify a person as an authorized device user based on one or more of the following:

    • “Something I know”—Information selected by and intended to be known only to that person, such as a passcode or pattern

    • “Something I am”—A physical feature that can be translated into biometric information for the purpose of uniquely identifying a person, such as a face, fingerprint, or heartbeat

    • “Something I have”—Information intended to uniquely identify a particular consumer device

    Any such consumer authentication technology must be approved by Mastercard as a “Mastercard-qualified CVM” before it may be used as a Consumer Device Cardholder Verification Method (CDCVM) to process a Transaction.

    3.9.1 Mastercard Qualification of Consumer Device CVMs

    Before a Customer (such as an Issuer or Wallet Token Requestor) may use, as a CDCVM, a consumer authentication technology in connection with the payment functionality of a particular Access Device type (of a specific manufacturer and model), the technology must be submitted to Mastercard by the Customer for certification and testing.

    Certification and testing of a proposed CDCVM is performed by or on behalf of Mastercard, in accordance with Mastercard requirements and at the expense of the Customer or third party, as applicable. Certification requires both successful security and functional testing.

    Upon the completion of certification and testing, Mastercard, in its discretion, may approve a proposed consumer authentication technology as a “Mastercard-qualified CVM.” Summary report information about such certification and testing results and the successful completion of certification testing may be disclosed to Customers by Mastercard or a third party that conducts certification and testing on Mastercard’s behalf. Any proposed update, change, or modification of the consumer authentication technology that could impact the functionality or security of the CDCVM must be submitted to Mastercard for certification and testing as a newly proposed consumer authentication technology. Mastercard reserves the right to change the requirements for a Mastercard-qualified CVM at any time, and to establish new or change certification and testing requirements.

    3.9.2 CDCVM Functionality

    Mastercard requires testing and certification of each of the following proposed CDCVM functionalities prior to use to effect a Transaction:

    1. Shared Authentication Functionality—The method used to verify the credentials established by a person in connection with the use of the Access Device or a Digital Wallet on the Access Device also is the method used as the default CDCVM for Transactions involving Accounts accessed by means of the Access Device.

    2. CVM Result Based on Authentication and Explicit Consent—The Payment Application on the Access Device analyzes the combined result of authentication and consent actions and sets the CDCVM results accordingly. Both Cardholder authentication and explicit Cardholder consent must occur before the Payment Application will complete a Transaction, as follows:

    a. Cardholder authentication—The Cardholder may be prompted by the Access Device to perform the CDCVM action at the time of the Transaction, or the CDCVM may consist of a persistent authentication or prolonged authentication in which the CDCVM action is initiated and may also be completed before the Transaction occurs, as described in sections 3.9.3 and 3.9.4.

    b. Explicit Cardholder consent—The Cardholder takes a specific Issuer-approved action that serves to confirm that the Cardholder intends a Transaction to be performed. This must consist of an action involving the Access Device that is separate from the act of tapping the Access Device to the Merchant’s POS Terminal; for example, the clicking of a button.

    3. Connected Consumer Devices—If two or more devices in the control of a Cardholder are able to be connected or linked to provide common payment functionality, so that each such device can be an Access Device for the same Account, then Cardholder consent must occur on the Access Device used to effect the Transaction.

    4. Device Integrity—Upon initiation and continuing throughout Cardholder authentication, the use of the CDCVM must depend on strong device integrity checks. Examples include device runtime integrity checks, remote device attestation, or a combination of both, and checks to ensure that prolonged CVM velocity is intact; for example, the device lock functionality was not disabled.

    CDCVM functionality requirements apply only to the extent that a CVM is requested by the Merchant or Terminal or required by the Issuer for completion of a Transaction.

    3.9.3 Persistent Authentication

    Persistent authentication means that authentication of a person as a Cardholder occurs continuously throughout the person’s operation of the Access Device, typically through continual contact or biometric monitoring (for example, the monitoring of a heartbeat).

    Mastercard requires testing and certification of proposed CDCVM functionality for persistent authentication with respect to the following:

    1. A Mastercard-qualified persistence check mechanism is used to detect a change in the person using the device;

    2. The device on which authentication is initiated is able to detect without interruption that the authenticated person remains in close proximity to such device or to any connected device with which it shares common payment functionality;

    3. The device has the capability to prompt for explicit Cardholder consent (for example, by requiring the Cardholder to click a button or tap on the device) before a Transaction may be effected; and

    4. The consumer authentication technology complies with Mastercard Standards.

    3.9.4 Prolonged Authentication

    Prolonged authentication occurs when a Cardholder authentication (for example, the entry and positive verification of a passcode) remains valid for a period of time (the “open period”) and, during that open period, no further authentication is requested or required in order for the Cardholder to effect a Transaction.

    Mastercard requires testing and certification of proposed CDCVM functionality for prolonged authentication with respect to the following:

    1. The Digital Wallet or Payment Application residing on the device is able to prompt for a new Cardholder authentication based on defined parameter limits;

    2. The device is able to prompt for an Issuer-approved form of explicit Cardholder consent (for example, by requiring the Cardholder to click a button or tap on the device) before a Transaction may be effected;

    3. The open period of a prolonged Cardholder authentication may be shared by connected or linked consumer devices that are Access Devices for the same Account, provided the Access Devices remain in proximity to one another; and

    4. The consumer authentication technology complies with Mastercard Standards.
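    The CDCVM decision described in section 3.9.2 (authentication and explicit consent combined into one CVM result, consent separate from the POS tap and given on the transacting device, device integrity checks gating the whole thing) together with the open-period rule of section 3.9.4, as an added Python example. It is not code from the manual or from Mastercard; the field names, the consent action labels, the result codes and the numeric open period are assumptions chosen for illustration.

```python
"""CDCVM decision model for sections 3.9.2 and 3.9.4.

Added example, not the manual's or Mastercard's code. Field names, consent
action labels, result codes and the open period are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceState:
    runtime_integrity_ok: bool      # device runtime integrity check passed
    remote_attestation_ok: bool     # remote device attestation passed
    device_lock_enabled: bool       # prolonged-CVM velocity intact: lock not disabled
    last_auth_time: Optional[int]   # seconds at which the Cardholder last authenticated
    open_period_seconds: int        # how long a prolonged authentication stays valid


@dataclass
class Consent:
    action: str     # e.g. "button_click"; "tap" is the POS Terminal tap itself
    device: str     # Access Device on which the consent action occurred


def device_integrity_ok(state):
    """Section 3.9.2 item 4: strong integrity checks gate any use of the CDCVM."""
    return (state.runtime_integrity_ok
            and state.remote_attestation_ok
            and state.device_lock_enabled)


def authentication_valid(state, now):
    """Section 3.9.4: a prolonged authentication counts only inside its open period."""
    if state.last_auth_time is None:
        return False
    return 0 <= now - state.last_auth_time <= state.open_period_seconds


def cdcvm_result(state, now, consent, transacting_device):
    """Combine integrity, authentication and consent into one CVM result.

    Returns "CDCVM_VERIFIED" or a reason code the Payment Application can act on
    (prompt for authentication again, ask for consent, or refuse the Transaction).
    """
    if not device_integrity_ok(state):
        return "FAIL_DEVICE_INTEGRITY"
    if not authentication_valid(state, now):
        return "REAUTHENTICATE"                    # 3.9.4 item 1: prompt for new authentication
    if consent is None or consent.action == "tap":
        return "FAIL_NO_EXPLICIT_CONSENT"          # 3.9.2 item 2b: the tap alone is not consent
    if consent.device != transacting_device:
        return "FAIL_CONSENT_ON_OTHER_DEVICE"      # 3.9.2 item 3: consent on the transacting device
    return "CDCVM_VERIFIED"


if __name__ == "__main__":
    state = DeviceState(True, True, True, last_auth_time=1000, open_period_seconds=300)
    print(cdcvm_result(state, 1100, Consent("button_click", "watch"), "watch"))   # CDCVM_VERIFIED
    print(cdcvm_result(state, 1400, Consent("button_click", "watch"), "watch"))   # REAUTHENTICATE
```

    Integrity is evaluated first on purpose: a passcode entered on a device whose lock has been disabled or whose attestation failed tells the Issuer nothing about who is holding it, so the model refuses before it even looks at the open period or the consent action.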

    3.9.5 Maintaining Mastercard-qualified CVM Status

    Mastercard may require additional testing of a Mastercard-qualified CDCVM as a condition for the CDCVM to remain a Mastercard-qualified CVM; such requirement may arise, by way of example and not limitation, in the event of any operational, hardware, software, or other technological change that could directly or indirectly impact CDCVM security or other functionality.

    Mastercard reserves the right to withdraw Mastercard-qualified CVM status with respect to a CDCVM at any time should Mastercard have reason to believe that the security of the CDCVM is insufficient. Mastercard will notify Customers should a Mastercard-qualified CVM status be withdrawn. Upon publication by Mastercard of such notice, a Customer must immediately cease offering or permitting the use of such consumer authentication technology as a CVM.

    3.9.6 Issuer Responsibilities

    Prior to permitting a Cardholder to access an Account by means of an Access Device that uses a CDCVM for Transactions, an Issuer must:
