EMV Terminal risk management
Risk-management procedures performed by the terminal are one element of securing payment transactions. They include three mechanisms to combat card fraud:
▪ control of the size of operations performed on the card
▪ random selection of the transaction for online authorization by the Issuer
▪ checking offline card usage activity
As the card authentication procedures are performed, the transaction processing restrictions are checked, cardholder verification is carried out and risk management is performed, the terminal builds a field with a set of attributes that record the results of the checks it performed during transaction processing. This field is called Terminal Verification Results (TVR). After all procedures are completed, the terminal analyzes all the situations recorded in the TVR. The purpose of this analysis is to arrive at the terminal's recommendation on how, from the point of view of the terminal, transaction processing should continue. There are three possible decisions:
▪ the transaction must be approved offline
▪ the transaction must be sent for authorization to the Issuer
▪ the transaction must be rejected offline
When we talk about the decision “from the point of view of the terminal”, we mean that in reality the decision is formed on the basis of rules defined by the servicing Bank (payment system) and the card Issuer. For this purpose the EMV specifications define two sets of data objects, called Issuer Action Codes (IAC) and Terminal Action Codes (TAC). Each of these sets consists of three objects with the suffixes Denial, Online, and Default. Thus, the following six objects are used:
IAC-Denial
IAC-Online
IAC-Default
TAC-Denial
TAC-Online
TAC-Default
Each of these objects has the same format as TVR. IAC and TAC are not mandatory from the perspective of the EMV specifications, but the leading payment systems require their presence on the card and in the terminal. TACs are loaded into the terminal by the servicing Bank (for example, Visa and MasterCard define mandatory TACs for servicing banks); their values depend on the type of terminal and the card product. IACs are defined by the card Issuer and are written to the card during personalization; they express the Issuer's policy for protecting its own operations. The purpose of the objects is explained in the table below (this table uses a synonym for the phrase “servicing Bank” – acquirer).
The terminal forms its decision on how to process the transaction by comparing the bits set in TVR, IAC, and TAC as follows.
- 1. If there are bits set to 1 in TVR whose corresponding bits are also set to 1 in IAC-Denial or TAC-Denial, then the transaction must be rejected without attempting to perform online authorization. In other words, the rejection condition is that the bitwise logical multiplication (AND) of TVR with the bitwise logical addition (OR) of IAC-Denial and TAC-Denial is not equal to 0. Otherwise, the terminal goes to step 2 if it is able to perform the transaction online, or to step 3 if it works offline only.
- 2. If there are bits set to 1 in TVR whose corresponding bits are also set to 1 in IAC-Online or TAC-Online (the same bitwise test as in step 1, applied to the Online objects), the terminal considers that the transaction should be sent to the Issuer for authorization. Otherwise, the terminal offers the card to approve the transaction offline.
- 3. If there are bits set to 1 in TVR whose corresponding bits are also set to 1 in IAC-Default or TAC-Default (the same bitwise test, applied to the Default objects), the terminal considers that the transaction should be rejected. Otherwise, the terminal offers the card to approve the transaction offline.
The terminal informs the card of the chosen processing method in the first GENERATE AC command. In this command the terminal can request the card to generate one of the following cryptograms:
1. An AAC (Application Authentication Cryptogram), if the transaction is to be rejected without attempting to perform online authorization.
2. An ARQC (Authorization Request Cryptogram), when the terminal has decided to send the transaction for authorization to the Issuer.
3. A TC (Transaction Certificate), if the terminal offers the card to approve the transaction in offline mode.
In the GENERATE AC command the card receives from the terminal not only the type of cryptogram requested by the terminal, but also the data the card needs to perform its own risk management procedures. The terminal learns which data the card needs for risk management and cryptogram calculation from the lists of data objects described in the next section.
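The three-step terminal action analysis above, written out as an added Python example (not code from the original text or from any EMV implementation). TVR, IAC-* and TAC-* are modelled as 5-byte fields with the same layout; the few named bit positions follow the standard TVR layout, while the sample IAC/TAC values are constructed for illustration and do not represent any real Issuer or acquirer policy.

```python
"""Terminal action analysis: TVR combined with IAC/TAC decides the cryptogram type."""

FIELD_LEN = 5  # TVR, IAC-Denial/Online/Default and TAC-* share this 5-byte bit layout

# A few positions from the standard TVR layout (0-based byte index, bit 8 = 0x80),
# used only to build readable sample values.
TVR_BITS = {
    "sda_failed":          (0, 0x40),  # byte 1 bit 7: offline static data authentication failed
    "expired_application": (1, 0x40),  # byte 2 bit 7: expired application
    "cvm_not_successful":  (2, 0x80),  # byte 3 bit 8: cardholder verification was not successful
    "exceeds_floor_limit": (3, 0x80),  # byte 4 bit 8: transaction exceeds floor limit
    "selected_randomly":   (3, 0x10),  # byte 4 bit 5: randomly selected for online processing
}


def field_from_flags(*flags):
    """Build a 5-byte TVR-format field with the named bits set."""
    buf = bytearray(FIELD_LEN)
    for flag in flags:
        index, mask = TVR_BITS[flag]
        buf[index] |= mask
    return bytes(buf)


def bits_match(tvr, iac, tac):
    """The EMV test: (TVR AND (IAC OR TAC)) != 0, evaluated byte by byte."""
    return any(t & (i | a) for t, i, a in zip(tvr, iac, tac))


def terminal_action_analysis(tvr, iac, tac, online_capable):
    """Return the cryptogram the terminal requests in the first GENERATE AC."""
    if bits_match(tvr, iac["denial"], tac["denial"]):   # step 1: deny offline
        return "AAC"
    if online_capable:                                   # step 2: online-capable terminal
        return "ARQC" if bits_match(tvr, iac["online"], tac["online"]) else "TC"
    if bits_match(tvr, iac["default"], tac["default"]):  # step 3: offline-only terminal
        return "AAC"
    return "TC"


def sample_action_codes():
    """Constructed IAC/TAC sets: the Issuer denies on SDA failure and wants CVM failures
    online; the acquirer denies expired cards and sends floor-limit/random hits online."""
    iac = {"denial": field_from_flags("sda_failed"),
           "online": field_from_flags("cvm_not_successful"),
           "default": field_from_flags("cvm_not_successful")}
    tac = {"denial": field_from_flags("expired_application"),
           "online": field_from_flags("exceeds_floor_limit", "selected_randomly"),
           "default": field_from_flags("exceeds_floor_limit")}
    return iac, tac
```

Note that the same TVR bit can lead to different outcomes depending on the terminal: a floor-limit hit becomes an ARQC on an online-capable terminal but an offline AAC on an offline-only one, because only the Default objects are consulted there.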