Dear Readers,
In the realm of EMV payment processing, understanding the intricate decision-making process that occurs within payment terminals is vital. The terminal’s role in determining whether to proceed with a transaction, seek online authorization, or reject it hinges on deciphering the Transaction Verification Results (TVR), guided by Issuer Action Code (IAC) and Terminal Action Code (TAC) lists. These lists, characterized by specific bit structures, hold the key to various transaction outcomes, making them an essential component of EMV payment security. This article delves into the structure and significance of IAC, TAC, and TVR, shedding light on how these elements shape the EMV payment landscape.
The terminal has to decides either to proceed the transaction offline, to go online or to reject the transaction. The Terminal will send the decision with a Generate AC command to the card.
The decision is based on the Transaction Verification Results. There are several lists called Issuer Action Code (IAC) and Terminal Action Code (TAC) which give a directive to evaluate the TVR.
Structure
IAC, TAC and TVR have the same structure.
Source: EMV Book 3
Byte 1:
b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | Meaning |
1 | x | x | x | x | x | x | x | Offline data authentication was not performed |
x | 1 | x | x | x | x | x | x | SDA failed |
x | x | 1 | x | x | x | x | x | ICC data missing |
x | x | x | 1 | x | x | x | x | Card appears on terminal exception file |
x | x | x | x | 1 | x | x | x | DDA failed |
x | x | x | x | x | 1 | x | x | CDA failed |
x | x | x | x | x | x | 0 | x | RFU |
x | x | x | x | x | x | x | 0 | RFU |
Byte 2:
b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | Meaning |
1 | x | x | x | x | x | x | x | ICC and terminal have different applicatioin versions |
x | 1 | x | x | x | x | x | x | Expired application |
x | x | 1 | x | x | x | x | x | Application not yet effective |
x | x | x | 1 | x | x | x | x | Requested service not allowed for card product |
x | x | x | x | 1 | x | x | x | New Card |
x | x | x | x | x | 0 | x | x | RFU |
x | x | x | x | x | x | 0 | x | RFU |
x | x | x | x | x | x | x | 0 | RFU |
Byte 3:
b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | Meaning |
1 | x | x | x | x | x | x | x | Cardholder verification was not successful |
x | 1 | x | x | x | x | x | x | Unrecognised CVM |
x | x | 1 | x | x | x | x | x | PIN Try Limit exceeded |
x | x | x | 1 | x | x | x | x | PIN entry required and PIN pad not present or not working |
x | x | x | x | 1 | x | x | x | PIN entry required, PIN pad present, but PIN was not entered |
x | x | x | x | x | 1 | x | x | Online PIN entered |
x | x | x | x | x | x | 0 | x | RFU |
x | x | x | x | x | x | x | 0 | RFU |
Byte 4:
b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | Meaning |
1 | x | x | x | x | x | x | x | Transaction exceeds floor limit |
x | 1 | x | x | x | x | x | x | Lower consecutive offline limit exceeded |
x | x | 1 | x | x | x | x | x | Upper consecutive offline limit exceeded |
x | x | x | 1 | x | x | x | x | Transaction selected randomly for online processing |
x | x | x | x | 1 | x | x | x | Merchant forced transaction online |
x | x | x | x | x | 0 | x | x | RFU |
x | x | x | x | x | x | 0 | x | RFU |
x | x | x | x | x | x | x | 0 | RFU |
Byte 5:
b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | Meaning |
1 | x | x | x | x | x | x | x | Default TDOL used |
x | 1 | x | x | x | x | x | x | Issuer authentication failed |
x | x | 1 | x | x | x | x | x | Script processing failed before final GENERATE AC |
x | x | x | 0 | x | x | x | x | RFU |
x | x | x | x | 0 | x | x | x | RFU |
x | x | x | x | x | 0 | x | x | RFU |
x | x | x | x | x | x | 0 | x | RFU |
x | x | x | x | x | x | x | 0 | RFU |
Issuer Action Code – Online, Denial, Default
There are three kinds of every IAC/TAC list: Online, Denial and Default.
IAC – Online
This specifies the issuer’s conditions to approve a transaction online.
Example:
Issuer Action Code - Online: FC68BC9800 Byte 1: Offline data authentication was not performed (b8) SDA failed (b7) ICC data missing (b6) Card appears on terminal exception file (b5) DDA failed (b4) CDA failed (b3) Byte 2: Expired application (b7) Application not yet effective (b6) New card (b4) Byte 3: Cardholder verification was not successful (b8) PIN Try Limit exceeded (b6) PIN entry required and PIN pad not present or not working (b5) PIN entry required, PIN pad present, but PIN was not entered (b4) Online PIN entered (b3) Byte 4: Transaction exceeds floor limit (b8) Transaction selected randomly for online processing (b5) Merchant forced transaction online (b4) Byte 5:
TVR byte two b7 is set to 1 (New Card). This match with byte two b7 from the Issuer Action Code – Online.
As a Result of this the Terminal will decide to proceed the transaction online.
\IAC – Denial
This specifies the issuer’s conditions to reject a transaction.
Example:
Issuer Action Code - Denial: 0010180000 Byte 1: Byte 2: Requested service not allowed for card product (b5) Byte 3: PIN entry required and PIN pad not present or not working (b5) PIN entry required, PIN pad present, but PIN was not entered (b4) Byte 4: Byte 5:
The transaction will be rejected, if byte three b5 is set to 1 in the TVR and IAC.
IAC – Default
If the Terminal has no online ability, the IAC – Default list specifies the issuers’s conditions to reject a transaction.
Example:
Issuer Action Code - Default: FC40AC8000 Byte 1: Offline data authentication was not performed (b8) SDA failed (b7) ICC data missing (b6) Card appears on terminal exception file (b5) DDA failed (b4) CDA failed (b3) Byte 2: Expired application (b7) Byte 3: Cardholder verification was not successful (b8) PIN Try Limit exceeded (b6) PIN entry required, PIN pad present, but PIN was not entered (b4) Online PIN entered (b3) Byte 4: Transaction exceeds floor limit (b8) Byte 5:
If TVR and IAC both have byte four b8 set to 1 the transaction will be rejected.
Terminal Action Code – Online, Denial, Default
The TAC specifies the terminal’s conditions. It is similar to the IAC.
Generate AC
If the terminal made an decision, it will send with a Generate AC command to the card. Depending on the decision, the terminal requires different Application Cryptograms from the card.
Source: EMV Book 3
Type | Abbrevation | Meaning |
---|---|---|
Application Authentication Cryptogram | AAC | Transaction declined |
Application Authorisation Referral | AAR | Referral requested by the card |
Authorisation Request Cryptogram | ARQC | Online authorisation requested |
Transaction Certificate | TC | Transaction approved |
The Command Message has the following structure:
Code | Value |
---|---|
CLA | ’80’ |
INS | ‘AE’ |
P1 | Reference control parameter (see table below) |
P2 | ’00’ |
Lc | Var. |
Data | Transaction-related data |
Le | ’00’ |
Coding of P1:
b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | Meaning |
---|---|---|---|---|---|---|---|---|
0 | 0 | AAC | ||||||
0 | 1 | TC | ||||||
1 | 0 | ARQC | ||||||
1 | 1 | RFU | ||||||
x | RFU | |||||||
0 | CDA signature not requested | |||||||
1 | CDA signature requested | |||||||
x | x | x | x | RFU |
The transaction-related data is depending on a Card Risk Management Data Objetct List 1(CDOL1).
This CDOL is given by the card. It contains the tagname and length of the expected data.
Example
Card Risk Management Data Object List 1 (CDOL1): 9F02069F030695055F2A029A039C019F37049F4C089F4502 // Tag - Length - Meaning 9f02 - 06 - Authorised amount of the transaction (excluding adjustments) 9f03 - 06 - Secondary amount associated with the transaction representing a cashback amount 95 - 05 - Terminal Verification Results 5f2a - 02 - Transaction Currency Code 9a - 03 - Transaction Date 9c - 01 - Transaction Type 9f37 - 04 - Unpredictable Number 9f4c - 08 - ICC Dynamic Number 9f45 - 02 - Data Authentication Code
First we create an ByteString which corresponds to the CDOL1 above.
To obtain the ICC Dynamic Number we send a Get Challenge command to the card. The card will return an 8-byte unpredictable number.
var authorisedAmount = new ByteString("000000000001", HEX); var secondaryAmount = new ByteString("000000000000", HEX); var tvr = new ByteString("0000000000", HEX); var transCurrencyCode = new ByteString("0978", HEX); var transDate = new ByteString("090730", HEX); var transType = new ByteString("21", HEX); var unpredictableNumber = crypto.generateRandom(4); var iccDynamicNumber = card.sendApdu(0x00, 0x84, 0x00, 0x00, 0x00); var DataAuthCode = e.cardDE[0x9F45]; var Data = authorisedAmount.concat(secondaryAmount).concat(tvr) .concat(transCurrencyCode).concat(transDate) .concat(transType).concat(unpredictableNumber) .concat(iccDynamicNumber).concat(DataAuthCode);
Then we set P1 to ’40’, to request an Transaction Certificate (offline transaction) and execute the Generate AC command.
var p1 = 0x40; var generateAC = card.sendApdu(0x80, 0xAE, p1, 0x00, Data, 0x00);
The Generate AC command was succesful if the card returns SW1/SW2=9000.
96 C: 00 84 00 00 - GET CHALLENGE Le=0 R: SW1/SW2=9000 (Normal processing: No error) Lr=8 0000 8D 51 F4 6C 9F 40 5F 71 .Q.l.@_q 96 C: 80 AE 40 00 - UNKNOWN_INS Lc=37 0005 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 ................ 0015 00 09 78 09 07 30 21 2C 76 4F 65 8D 51 F4 6C 9F ..x..0!,vOe.Q.l. 0025 40 5F 71 D1 79 @_q.y Le=0 R: SW1/SW2=9000 (Normal processing: No error) Lr=32 0000 77 1E 9F 27 01 80 9F 36 02 02 13 9F 26 08 2D F3 w..'...6....&.-. 0010 83 3C 61 85 5B EA 9F 10 07 06 84 23 00 31 02 08 .<a.[..... .#.1..
About Ambimat Electronics:
With design experience of close to 4 decades of excellence, world-class talent, and innovative breakthroughs, Ambimat Electronics is a single-stop solution enabler to Leading PSUs, private sector companies, and start-ups to deliver design capabilities and develop manufacturing capabilities in various industries and markets. AmbiIoT design services have helped develop Smartwatches, Smart homes, Medicals, Robotics, Retail, Pubs and brewery, Security.
Ambimat Electronics has come a long way to become one of India’s leading IoT(Internet of things) product designers and manufacturers today. We present below some of our solutions that can be implemented and parameterized according to specific business needs. AmbiPay, AmbiPower, AmbiCon, AmbiSecure, AmbiSense, AmbiAutomation.
To know more about us or what Ambimat does, we invite you to follow us on LinkedIn or visit our website.
References:-
https://www.openscdp.org/scripts/tutorial/emv/Terminal%20Action%20Analysis.html