Sie sind auf Seite 1von 98

Payment Domain-Training Manual



Arvind Rana

Dushyant Prateek

Praveen Yadav

Sanjay Sajwan

Date: 07/18/2011

Software Subsidiary of Consulting Engineers Corp

11480, Sunset Hills Road, Suite 200 E Reston, VA 20190-5208 Phone: 703-481-2100 Fax: 703-481-3200

Chapter - 1 Chapter - 2 Chapter - 3 3.1 3.2 3.3 3.4 3.5 3.6 Introduction and Overview of Payments Technology Solutions ................................ 3 E-Commerce ............................................................................................................... 14 Payments Terminologies with Definition and Meanings .......................................... 25

Acquirers .................................................................................................................................. 25 Independent Sales Organizations.............................................................................................. 26 Point of Sale ............................................................................................................................. 26 Electronic Bill Presentment & Payment...................................................................................... 27 Issuer........................................................................................................................................ 28 EMV.......................................................................................................................................... 28 Electronic Prepaid Instruments ................................................................................. 30

Chapter - 4

4.1 Prepaid Gift Cards .................................................................................................................... 30 4.1.1 Mobile & Virtual gift cards ....................................................................................................... 30 4.1.2 Mobile Payments .................................................................................................................... 31 4.1.3 Premium SMS/USSD based transactional payments .............................................................. 31 4.1.4 Direct Mobile Billing ................................................................................................................ 32 4.1.5 Mobile web payments (WAP) .................................................................................................. 32 4.1.6 Direct operator billing .............................................................................................................. 33 4.1.7 Credit Card ............................................................................................................................. 33 4.1.8 Online Wallets ........................................................................................................................ 33 4.1.9 Contactless Near Field Communication .................................................................................. 34 4.2 Credit and Debit Instruments ..................................................................................................... 34 4.2.1 Credit Card ............................................................................................................................. 34 4.2.2 Debit Card .............................................................................................................................. 38 4.3 Stored-value card...................................................................................................................... 38 4.4 Closed system prepaid cards .................................................................................................... 39 4.5 Semi-closed system prepaid cards ............................................................................................ 39 4.6 Open system prepaid cards....................................................................................................... 39 4.7 Contactless Payment System and Devices................................................................................ 40 4.8 Radio-frequency identification (RFID) ........................................................................................ 40 4.9 Current Use of RFID ................................................................................................................. 41 4.10 Near field communication (NFC) - ............................................................................................. 41 4.11 NFC Current Uses .................................................................................................................... 41 4.12 NFC-enabled handsets ............................................................................................................. 43 Chapter - 5 Chapter - 6 Chapter - 7 Chapter - 8 Chapter - 9 Chapter - 10 Chapter - 11 Payment Gateway and Payment Processor .............................................................. 44 Payment Card Industry Security Standards .............................................................. 56 Card Present and Card Not Present Transactions .................................................... 58 Transaction Flow in Card Processing ....................................................................... 61 Security in the Payments Processing Chain ............................................................. 64 Payment Protocols ..................................................................................................... 77 ISO 8583 ...................................................................................................................... 82

Payment Domain Training Manual 08/02/11

Page ii of 98

Chapter - 1

Introduction and Overview of Payments Technology Solutions

A Short History of Payment Methods

Before the development of items that represented generally accepted units of value, an ad hoc system of exchange was the most common. If one man had a sheep he could live without, he might swap it for a set of tools someone else didnt need. By 3,000BC, the Mesopotamians in Asia (Mesopotamia is Greek for land between the rivers - in this case the Tigris and Euphrates now partly contained by Iraq) had begun to unify payments.

The term shekel became a unit of weight and currency and referred to a specific amount of barley. In this way it has a modern parallel in the Pound Sterling, which was originally a pound - in weight of silver but which became todays basic unit. On the other side of the world, seashells in Polynesia began to be used as cash. They were of no real significance themselves but became cherished for their appearance and therefore coveted. This particularly applied to the cowry shell, the home of a sea snail from which - via Italian - we get the term porcelain. By around 700BC, the Greeks were using metal coins as money and metal of various types was preferred in most places as it was not easily destroyed, was very portable and could be reformed as required. Gold was the first and remains the most valued coin, partly for its rarity. As coins were minted and reminted they often became debased with cheaper, more common metals which archaeologists now use to help date them (aside from any obvious stamps).

Payment Domain-Training Manual Dated 08/02/11

Page 3 of 98

Coins quickly gave rise to markets and towns built on trade, and cities no longer had to be built in the protective shadow of a castle. Craftsmen developed and the guilds were formed to protect their business. Economies grew ever bigger and more complex and methods had to be devised to represent ever greater sums of money. Bills of exchange were created in the great Italian citystates of the Middle Ages, such as Florence, which became the first kinds of credit: payment at a future date was guaranteed by the holder in return for the bill, which could then be used as if it were money itself. The notion of credit was a giant leap for money and sent economies soaring to the heights (and depths) modern countries have experienced in recent years. As business got ever bigger, banks were required as, initially, safehouses but then as the source of loans. They created money extra money for themselves by offering interest on savings and using the funds they held for profitable investment. Banknotes representing a set value which could, in theory, be redeemed at the bank in question - followed suit and many banks continued to print their own money in England until as late as the end of the 17th century. International trade required the setting of exchange rates between currencies among which was the gold standard set by Britain in the 1800s which dictated the precise value in gold of a pound note. Vast values for international banking developed, including the titan a 100million individual note used by the Bank of England for accounting purposes. Banks are now trialling contactless payment in which the electronic chips in a card need only be passed through the magnetic field of a receiver in a shop to pay for a massage or a new pair of shoes. Its a very long way from a string of cowry shells. 1.2

Contemporary Payment Technology Landscape

The once-common question "Cash or credit?" has fallen into disuse, the contemporary "Credit or debit?" stealing the title of most-asked question in checkout lines across the country. Modern technological advances have enabled cashless transactions to grow substantially in a relatively short period of time. Merchants now have fast, uninterrupted connections to global payment networks, allowing them to instantly check to see if Jane Doe can actually afford that pair of shoes or not. For customers, electronic payments allow them to avoid carrying around excess cash, offer protection in the event of loss or theft, and give them access to online retailers. The rise of the Internet has helped spur the proliferation of new payment technologies as well. Using cash or paper checks for online purchases is impractical and slow, leading to increased demand for fast, electronic payment methods. The rise of new payment technologies has spawned the growth of an industry dedicated to processing cashless transactions. There are a large number of electronic payment processors, who serve as intermediaries between customer, merchants, and financial institutions. Additionally, both retailers and banks need special software and equipment to maintain the electronic payment network, giving rise to companies specializing in these products. As cash becomes less and less frequently used, the companies involved in executing electronic transactions could benefit substantially. 1.3 Overview of the Payment System in US

The development of the payment system in the United States has been influenced by many diverse factors. Firstly, there are numerous financial intermediaries that provide payment, clearing and settlement services. Over 20,000 deposit-taking institutions offer some type of payment service. Privately operated payment systems range from the localised interbank associations that clear cheques for their members or operate automated teller machine (ATM) or point of sale (POS) networks to the nationwide credit and debit card networks and a major large-value electronic funds transfer system. In addition, the central bank plays a significant role in the payment system through the provision of a wide range of interbank payment services. Payment Domain-Training Manual Dated 08/02/11 Page 4 of 98

Secondly, the legal framework governing payment activity as well as the regulatory structure for financial institutions that provide payment services in the United States is complex. Financial institutions are chartered at either the state or federal level, and are supervised by one or more agencies at the state or federal level, or both. Thirdly, a variety of payment instruments and settlement mechanisms are available to discharge payment obligations between and among financial institutions and their customers. These payment instruments vary considerably in their characteristics, such as cost, technology, convenience, funds availability and finality, as well as in orientation towards consumer, commercial and interbank transactions. The large-value electronic funds transfer mechanisms are used to discharge the bulk of the dollar value of all payments in the United States. By contrast, the majority, by volume, of all payments in the United States, particularly those involving retail transactions, continues to be settled through the use of paper-based instruments, particularly cash and cheques. The use of electronic payment mechanisms, such as the Automated Clearing House (ACH) and ATM and POS networks, however, have been growing rapidly. In addition, innovation and competition have led to the use of new instruments and systems that rely increasingly on electronic payment mechanisms. The size and complexity of financial markets in the United States have created significant payment and settlement interdependencies involving the banking system, money and capital markets, and associated derivative markets. Market participants and the Federal Reserve have for many years pursued measures to strengthen major US payment mechanisms, to increase processing efficiency, and to reduce payment system risks. 1.4 Payment Instruments

(a) Paper cheques The paper cheque is the most frequently used non-cash payment instrument in the United States. Although the cheque remains the predominant type of non-cash payment instrument, the number of cheque payments and the number of cheque payments as a share of non-cash payments have declined over time (b) ACH credits and debits ACH transactions are a common form of electronic funds transfer used to make both recurring and non-recurring payments.. In an ACH credit transaction, funds flow from the originator to the receiver, and in a debit transaction, funds flow from the receiver to the originator. ACH credit payments include direct deposit of payrolls, government benefit payments and corporate payments to contractors and vendors. Debit payments include mortgage and loan payments, insurance premium payments, consumer bill payments and corporate cash concentration transactions. In addition, businesses and individuals may use the ACH to make payments to, or receive reimbursement from, the federal government related to federal tax obligations. (c) Funds transfers over Fedwire and CHIPS Fedwire and CHIPS are electronic credit transfer systems that are generally considered largevalue payment systems. These systems are used by financial institutions for settling many financial market and a wide range of other types of transactions. With a few exceptions, nondeposit-taking financial institutions, as well as non-financial organisations and individuals, access these systems and originate payments through deposit-taking institutions.

Payment Domain-Training Manual Dated 08/02/11

Page 5 of 98

(d) Card payments 1.5 Credit cards

Credit cards are the most frequently used electronic payment instrument in the United States. These cards combine a payment instrument with a credit arrangement. n. Bank credit cards are generally issued by a bank under a license from a national organisation, such as Visa or MasterCard, and typically involve a revolving credit agreement. There were 9.5 billion bank credit card transactions during 2000. In addition to bank-issued cards, a number of other companies offer credit cards directly to businesses and consumers. These include Discover Card; national travel and entertainment cards, such as American Express; and limited-use proprietary cards, such as those issued by retail stores and oil and telephone companies. 1.6 Debit cards

Debit cards transfer funds from a cardholders transactions account (for instance, a chequing account) at an issuing bank. Cardholders authorise debit card transactions either by entering a personal identification number (PIN) directly into a merchants online terminal or by a written signature. 1.7

US Interbank exchange and settlement circuits

General overview In the United States, interbank payments are processed and settled primarily through the following mechanisms: (1) cheque clearing, (2) ACH, (3) card networks, (4) same-day electronic funds transfer systems (Fedwire and CHIPS) and (5) the Federal Reserves National Settlement Service (NSS). Using these mechanisms, banks exchange and settle payments directly with each other, through private sector clearing houses, through correspondents, or through the Federal Reserve.


Cheque clearing systems

Typically, deposit-taking institutions located in the same geographical area exchange cheques directly or participate in local cheque clearing arrangements. Cheques drawn on deposit-taking institutions located outside the geographical area of the collecting deposit-taking institution are frequently deposited by the collecting institution with correspondent banks or Federal Reserve Banks. Correspondent banks that have established relationships with other correspondent banks present cheques drawn on each other directly. Smaller institutions generally use the cheque collection services offered by correspondent banks or those offered by the Federal Reserve. Cheques cleared by the Federal Reserve Banks and correspondent banks are processed on high-speed equipment that itemises, records and sorts cheques based on information contained in the magnetic ink character recognition (MICR) line printed along the bottom of cheques.

Payment Domain-Training Manual Dated 08/02/11

Page 6 of 98

Cheques are transported between collecting institutions in a variety of ways. Cheques cleared locally are usually transported by ground couriers, while cheques drawn in regions distant from the institution in which the cheque is first deposited are generally delivered via air transportation. The Federal Reserve manages an extensive air transportation network to exchange cheques among its 45 cheque clearing centres and uses local courier networks to present cheques to paying institutions.Correspondent banks settle for the cheques they collect for other institutions through accounts on their books. Paying banks generally settle with correspondent banks using the Federal Reserves Fedwire funds transfer system. Cheque clearing houses generally net payments. Settlement among cheque clearing house participants generally occurs through transactions directly between members, through designated settlement banks, or through NSS. The Federal Reserve settles for the cheques it collects by posting entries to the accounts that deposit- taking institutions maintain with the Federal Reserve. The account of the collecting institution is credited, and the account of the paying institution is debited, for the value of the deposited cheques in accordance with funds availability schedules maintained by the Federal Reserve, which reflect the time normally needed for the Federal Reserve to receive settlement from the institutions on which the cheques are drawn. Collecting institutions usually receive credit on the day of deposit or the next business day.


Automated Clearing House

Automated Clearing House (ACH) is an electronic network for financial transactions in the United States. ACH processes large volumes of credit and debit transactions in batches. ACH credit transfers include direct deposit payroll and vendor payments. ACH direct debit transfers include consumer payments on insurance premiums, mortgage loans, and other kinds of bills. Debit transfers also include new applications such as the Point-of-Purchase (POP) check conversion pilot program sponsored by NACHA-The Electronic Payments Association. Both the government and the commercial sectors use ACH payments. Businesses are also increasingly using ACH to collect from customers online, rather than accepting credit or debit cards. 1.10 Operation of the ACH system The Federal Reserve maintains centralised application software used to process ACH payments submitted to the Federal Reserve Banks. Deposit-taking institutions electronically deliver files to and receive files from the Federal Reserve Banks through a variety of electronic access options. Private sector operators and the Federal Reserve Banks rely on each other for the processing of some ACH transactions in which either the originating depository institution or the receiving depository institution is not their customer. These inter-operator transactions are settled by the Federal Reserve.

ACH transactions processed by the Federal Reserve are settled through deposit-taking institutions accounts held at the Federal Reserve. Since June 2001, settlement for ACH credit transactions processed by the Federal Reserve Banks is final when posted to deposit-taking institutions accounts, which is currently at 8.30 am eastern time (ET) on the settlement date. Credit for Federal Reserve ACH debit transfers is not final at settlement. Credit for debit items is available to the receiving deposit-taking institution at 11 am ET on settlement date, but is not final until the banking day following the settlement date. Federal Reserve ACH services are governed by Operating Circular 4, which incorporates the Operating Rules of the National Automated Clearing House Association. Transactions processed by EPN are settled on a net basis using NSS.

Payment Domain-Training Manual Dated 08/02/11

Page 7 of 98

1.11 Card networks

Credit card, ATM and POS associations provide communications, transaction authorisation and interbank financial settlement for their member financial institutions. Bank card networks are typically owned by a group of financial institutions that provide initial capital and establish uniform operating policies, procedures and controls. Some major networks are owned by non-bank companies. The largest credit card and signature-based debit card networks in the United States are Visa and MasterCard. American Express and Discover Card are also major credit card networks. 1.12 Operation of card networks

Credit card, ATM and POS associations sort and route transaction data from acquiring banks to issuing banks over proprietary networks. The associations generally settle on a net basis with the acquiring and issuing banks daily, although typically with a one- or two-day lag between payment initiation and settlement. Generally, the associations use the acquiring and issuing banks aggregated transaction information to compile each banks net settlement position. Member banks may be required to maintain collateral with the associations settlement banks to manage default risks. Acquiring and issuing banks may settle directly with each other, through regional settlement banks or through the Federal Reserve, or by other net settlement arrangements. The settlement process can vary significantly, depending upon the member involved.

1.13 Federal Reserve National Settlement Service

The Federal Reserve allows participants in private clearing arrangements to settle transactions on a net basis using account balances held at the Federal Reserve. Users of the Federal Reserves National Settlement Service (NSS) include cheque clearing houses, ACH networks and some bank card processors. In 2002, more than 70 local and national private sector clearing and settlement arrangements used NSS to settle a netted value of about USD 15 billion daily. NSS provides operational efficiency and reduces settlement risk to participants by providing for intraday settlement finality within the limitations established in the Federal Reserves Operating Circular 12. NSS offers finality that is similar to that of the Fedwire funds transfer service and provides an automated mechanism for submitting settlement files to the Federal Reserve. It also enables Federal Reserve Banks to manage and limit risk by incorporating risk controls on extensions of daylight credit that are as robust as those used in the Fedwire funds transfer service.

Payment Domain-Training Manual Dated 08/02/11

Page 8 of 98

1.14 Operation of the NSS To use NSS, a settlement agent for a settlement arrangement transmits a settlement file electronically to the Federal Reserve using an electronic connection. The file contains a listing of the participants, the settlers (either the participant itself or the participants correspondent) and the dollar amount of the debit or credit to be posted to the settlers account. If various validity checks are satisfied, the Federal Reserve accepts the file for processing and sends an acknowledgment to the agent. NSS files are accepted for processing and settlement between 8.30 am and 5.30 pm ET. Files submitted earlier than 8.30 am are queued for processing beginning at 8.30 am. Each debit balance on the settlement file is checked against the account balance and intraday credit available to the settlers. In some instances, debit balances may be rejected if a settler does not have a sufficient balance, or sufficient intraday credit, to cover the debit. When all debit entries on the settlement file have been posted, NSS posts the credit balances. All postings are final and irrevocable when functioned. When all credits have been posted, the settlement for that file is complete and an acknowledgment message is sent to the settlement agent. 1.15 Alternate Payment Methods in US Besides the more common methods of payment in the US, several other alternate payment methods are also popular in the US ecommerce landscape. The overall breakdown for payments by type across all ecommerce is summarized in the chart below with information from Javelin Research. The 29% labeled other consists of everything from bank transfers (ACH / ECP), PayPal, mobile SMS billing and additional alternative payment methods such as BillMeLater, google checkout etc

Payment Domain-Training Manual Dated 08/02/11

Page 9 of 98

Paypal PayPal is an e-commerce business allowing payments and money transfers to be

made through the Internet. Online money transfers serve as electronic alternatives to traditional paper methods such as cheques and money orders. A PayPal account can be funded with an electronic debit from a bank account or by a credit card. The recipient of a PayPal transfer can either request a cheque from PayPal, establish their own PayPal deposit account or request a transfer to their bank account. PayPal performs payment processing for online vendors, auction sites, and other commercial users, for which it charges a fee. It may also charge a fee for receiving money, proportional to the amount received. The fees depend on the currency used, the payment option used, the country of the sender, the country of the recipient, the amount sent and the recipient's account type.[2] In addition, eBay purchases made by credit card through PayPal may incur extra fees if the buyer and seller use different currencies.

Google Checkout - Google Checkout is an online payment processing service provided by

Google aimed at simplifying the process of paying for online purchases. Users store their credit or debit card and shipping information in their Google Account, so that they can purchase at participating stores by clicking an on-screen button. Google Checkout provides fraud protection and a unified page for tracking purchases and their status. Google Checkout service became available in the United States on June 28, 2006, and in the UK on April 13, 2007.[1] It was free for merchants until February 1, 2008.[2] From then until May 5, 2009 Google charged US merchants 2.0% plus $0.20 per transaction, and UK merchants 1.4% + 0.20. Google since moved to a tiered cost structure, identical to that of PayPal

To find stores that accept Google Checkout, search Google and look for this shopping cart icon in sponsored links:

No need to sign up ahead of time. Do your shopping, find the items you want to buy, and add them to your cart.

When you're ready to complete your purchase, click the Google Checkout button. Sign up or sign in, review your order, and you're done.

Amazon Payments - Amazon Payments is a way for customers to purchase goods and
services at websites across the internet using the payment methods in their accounts, such as their Visa or MasterCard. (Currently and Amazon Payments will not accept payment methods such as PayPal or Google Checkout.) At participating vendors, Payment Domain-Training Manual Dated 08/02/11 Page 10 of 98

which include Patagonia and Jockey, users can check out using their Amazon account information without needing to re-enter credit card numbers or shipping addresses. Users can also check out with Amazon's 1 Click.

Ebillme eBillme is the secure cash payment option that extends the convenience of online
banking to the merchants checkout, and enables merchants to increase sales while reducing transaction costs. Using eBillme, consumers can shop securely and pay cash using their banks online bill payment service, without having to use credit cards.

How does it work?

Billmelater - After customers open their accounts (including credit check), Bill Me Later asks
customers at every purchase to fill out the last 4 digits of their SSN and their date of birth. The approved customer can then pay the bill by mail (check) or online (via bank account) at The first time customers are emailed a link to register with so that they can check their balances or pay their bill. Customers also get an email whenever they are declined. In cases when they are declined and they don't receive declined email/letter, they can contact Bill Me Later Customer Service to check if it was not a system issue Payment Domain-Training Manual Dated 08/02/11 Page 11 of 98

Mobile Payment Trends in the US Commerce is the next major advancement in mobile
technology. Through the use of NFC or near field communication chips, several companies are about to revolutionize the way we shop, replacing our wallets with smartphones. NFC allows a device, usually a mobile phone, to collect data from another device or NFC tag at close range. In many ways, its like a contactless payment card that is integrated into a phone. In other ways, its similar to Bluetooth, except that instead of programming two devices to work together, they can simply touch to establish a connection

Payment Domain-Training Manual Dated 08/02/11

Page 12 of 98

Mobile Payment transactions total $240 annually but thats just the tip of the iceberg. Juniper research estimates that the market will grow 2x to 3x in the next 5 years By 2013 Sales of NFC enabled phones will exceed $75 billion 1 in 5 cellphones worldwide will use NFC technology By 2014 NFC transactions alone will approach $50 billion Google predicts that 50% of cellphones will use NFC technology By 2015 The value of mobile money transactions is expected to reach $670 billion. Digital goods will make up nearly 40% of the market. Asia, Western Europe and North America will be responsible for 75% of all mobile payment transactions

Payment Domain-Training Manual Dated 08/02/11

Page 13 of 98

Chapter - 2
2.1 Introduction


1. In 1991, the Internet had less than 3 million users around the world and its application to e-commerce was non-existent. By 1999, an estimated 250 million users accessed the Internet and approximately one quarter of them made purchases online from electronic commerce sites, worth approximately $110 billion. Furthermore, it is perceived that the total value of e-commerce transactions around the world reached around $3.8 trillion in 2003, over $9 trillion in 2005, and around 18% of global sales in 2006.If the expansion in e-commerce continues at this rapid pace, as is expected, then in four to five years from now, e-commerce transactions between businesses (B2B) and between businesses and consumers (B2C) will account for about 5 per cent of intercompany transactions and retail sales respectively. Looking forward, the potential for ecommerce transactions to gain a sizeable share of consumer and business purchases appears to be large, although it is difficult to quantify.

2. The prospect that e-commerce transactions may gain a sizeable share of overall commerce is only one dimension of why the Internet is generating such interest. The open structure of the Internet and low cost of using it permit the interconnection of new and existing information and communication technologies, and offers businesses and consumers a new and powerful information system and a new form of communication. This makes it possible for buyers and sellers to come together in more efficient ways and is creating new marketplaces and opportunities for the reorganization of economic processes. It is also changing the way products are customized, distributed and exchanged and how businesses and consumers search and consume products. 3. In the decades to come, exploiting the full potential of these developments could have profound impacts in individual sectors of the economy as well as for macroeconomic performance and economic policies. At the aggregate level, productivity and economic growth could rise, at least for some time, as a result of more efficient management of supply and distribution, lower transaction costs, low barriers to entry and improved access to information. Moreover, even if the impact of e-commerce on GDP is small and uncertain it could enhance welfare because, for example, of saved time, greater convenience and access to a wider selection of goods and services more finely tuned to individual needs. Nonetheless, to fully exploit the opportunities much remains to be done to ameliorate user and consumer trust, improve access to the Internet infrastructure and services, and to create a stable, predictable regulatory 2.2 What is Ecommerce?

Electronic commerce, commonly known as e-commerce or ecommerce, is the online transaction of business, which consisting of buying and selling products or services over electronic systems such as the Internet and other computer networks. The amount of trade conducted electronically has grown extraordinarily since the spread of the Internet. A large percentage of electronic commerce is conducted entirely electronically including the virtual storefronts on web sites with online catalogs, Airline reservations, online book store, online banking including the electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems, and automated data collection systems. Electronic commerce that is conducted between businesses for buying and selling is referred to as business-to-business or B2B. Electronic commerce that is conducted between businesses and consumers is referred to as business-toconsumer or B2C.

Payment Domain-Training Manual Dated 08/02/11

Page 14 of 98

To simply put, what E-Commerce is all about, just think of buying a book, or an airline ticket or an electronic instrument. It is as simple as going online in the internet and buying the goods what you want in the ecommerce way which is very simple and fast.

Pictorial representation of a typical ecommerce transaction

E-Commerce is about setting and doing your business on the Internet by enabling the customers to browse your website, go through your products and services. When the customer chooses to buy some product that he likes, he will add that product to his shopping cart. Once his selection is complete, he will check out by paying the amount with Credit Card, Debit card or any other acceptable payment method. These transactions should be made securely to protect the privacy of the customers. 2.3 Advantages of Ecommerce:

Helps Create New Relationship Opportunities: Expanding or opening an eBusiness can create a world of opportunity and helps to establish new relationships with potential customers, potential business associates and new product manufacturers. Just by being in an easy to find location that is accessible to users all over the world, you will be available for others to find and approach you about new opportunities. Customers who don't know you exist will know about you, product suppliers will request you add their items and other businesses will approach you about partnership opportunities. Many of Payment Domain-Training Manual Dated 08/02/11 Page 15 of 98

these opportunities would not present themselves without an Online presence or site for them to discover you on their own. Open for Business 24x7: An eCommerce site basically gives you the ability to have unlimited store hours, giving your customers 24 hours a day, 7 days a week access to shop and buy items from you. Some merchants choose to limit their hours to 5 days a week, but orders can still be made over the weekend and customers can still make contact 24/7 via email, phone or fax. In addition, the costs associated with having your store open 24/7 are much less than maintaining a physical storefront or phone operator with 247 operation capability. You can literally take orders and let customers shop while you sleep, take vacations or from remote locations.

Increases Brand or Product Awareness: Having an Online business means that you can literally reach out to millions of consumers looking for what you sell anywhere in the world. By reaching out to new markets and displaying your site prominently in front of them, you will be able to help increase your company/domain brand name and also increase awareness about your product line. By giving users 24/7 access in an easy to find location, you will help to create more word of mouth buzz for your eBusiness, in turn helping

Payment Domain-Training Manual Dated 08/02/11

Page 16 of 98

to promote your brand name and products. Users who haven't heard of you will discover you exist and help spread the word about you. Helps Establish Customer Loyalty: An eCommerce storefront will help create an easier means for your customers to purchase the items you sell and offers a unique way to display and describe your products in a informative, visual and interactive way. The customers you have will become more loyal shoppers each time they visit, making eCommerce great for improved customer satisfaction and visitor loyalty. Now that you offer your products for sale Online, consumers will be able to shop from your catalog more easily, get updates on new items or product discounts and can shop or buy anytime they wish. Potential to Increase Overall Business Sales: An eCommerce store that is an extension of a physical storefront is a great way to boost overall business sales and potentially increase company profits across the board. Companies who already do business from a physical location are typically unaware of how much more they could be making if only they were to expand into their Online marketplaces. Selling Online opens up many opportunities for businesses both new and old. It's a great way to increase sales, especially if you already have a physical store. Potential to Increase Company Profits: As mentioned above, opening an Online extension of your store or moving your business solely Online are great ways to boost sales and potentially profits. Remember, just because SALES increase it does not necessarily mean that company PROFITS will increase also. Online businesses do have a greater chance of increasing sales and profits by opening up an eCommerce store to sell the items they offer. Sales and profits are the lifeblood of any company, so it makes sense to increase them where ever possible and whenever possible throughout the existence of your company. More sales, more profits, bigger budgets, etc. Potential to Decrease Some Costs: In addition to potentially increasing sales and profits, eBusiness owners can also typically reduce the costs of running their business by moving it or expanding it into the Online world. eCommerce stores can run with less employees including sales staff, customer service reps, order fulfillment staff and others. EBusinesses also do not need a physical location in order to stay operational, which can reduce costs related to building leases, phone bills, utility costs and other costs associated with running a brick-and-mortar storefront. Expands Geographical or Customer Reach: As mentioned, owning an eCommerce business typically means no limits as to who and where you can sell your products. Some countries outside the United States have additional regulations, licensing requirements or currency differences, but generally you will not be limited on the customers you can reach out to. Physical storefronts are limited to the city in which they are located, Online businesses aren't limited unless you put geographical limits in place. At the very least, you should consider targeting U.S. buyers, but also consider, Canada, UK, Australia and others. Sell to anyone, anywhere, anytime! Allows for Smaller Market or Niche Targeting: Although your customer reach may expand beyond your local area, you may only wish to target smaller consumer markets and buyer niches for your eCommerce products. Owning an Online store gives the merchant much control over who they target and reach out to notify about the items for sale in their store. Currently, you can target women, men, a generation of users, a

Payment Domain-Training Manual Dated 08/02/11

Page 17 of 98

particular race and many more smaller niche markets. This is typically done by placing keywords that those niche markets use on a regular basis when shopping for the items you offer. Allows for Easier Delivery of Information: An Online store and Web brochure are great ways to deliver and display information about your company and the products you sell. With an Online presence your customers will have direct access to product information, company information, specials, promotions, real time data and much more information that they can easily find just by visiting your site day or night. Not only does it benefit your customers, but it's also generally easier for merchants to update their site rather than break down an in store display and put up another for the next event. It saves both your customers and you precious time and can help you to plan more updates or better sales as it will be much easier for you to update and take down

Ecommerce and broader internet applications

G2G eg: Coordination

G2B eg: Information

G2C eg: Information

B2G eg: Procurement B2B eg: Commerce B2C eg: Ecommerce

C2G eg : Tax Compliance C2B eg : Price Comparison C2C eg: Auction markets



Business Applications:

Some common applications related to electronic commerce are the following: Document automation in supply chain and logistics Domestic and international payment systems Enterprise content management Group buying Automated online assistants Instant messaging

Payment Domain-Training Manual Dated 08/02/11

Page 18 of 98

Newsgroups Online shopping and order tracking Online banking Online office suites Shopping cart software Teleconferencing Electronic tickets


Forms of ecommerce:

Contemporary electronic commerce involves everything from ordering "digital" content for immediate online consumption, to ordering conventional goods and services, to "meta" services to facilitate other types of electronic commerce. On the consumer level, electronic commerce is mostly conducted on the World Wide Web. An individual can go online to purchase anything from books or groceries, to expensive items like real estate. Another example would be online banking, i.e. online bill payments, buying stocks, transferring funds from one account to another, and initiating wire payment to another country. All of these activities can be done with a few strokes of the keyboard. On the institutional level, big corporations and financial institutions use the internet to exchange financial data to facilitate domestic and international business. Data integrity and security are very hot and pressing issues for electronic commerce.


Human Skills Required for ecommerce :

It's not just about E-commerce; t's about redefining business models, reinventing business processes, changing corporate cultures, and raising relationships with customers and suppliers to unprecedented levels of intimacy. Internet-enabled Electronic Commerce: Web site development Web Server technologies Security Integration with existing applications and processes Developing Electronic Commerce solutions successfully across the Organization means building reliable, scalable systems for 1) Security, 2) E- commerce payments 3) Supply- chain management 4) Sales force, data warehousing, customer relations 5) Integrating all of this existing back-end operation Payment Domain-Training Manual Dated 08/02/11 Page 19 of 98


Global Trends in E-Retailing and Shopping :

Business models across the world also continue to change drastically with the advent of eCommerce and this change is not just restricted to USA. Other countries are also contributing to the growth of eCommerce. For example, the United Kingdom has the biggest e-commerce market in the world when measured by the amount spent per capita, even higher than the USA. The internet economy in UK is likely to grow by 10% between 2010 to 2015. This has led to changing dynamics for the advertising industry Amongst emerging economies, China's eCommerce presence continues to expand. With 384 million internet users,China's online shopping sales rose to $36.6 billion in 2009 and one of the reasons behind the huge growth has been the improved trust level for shoppers 2.8 Distribution Channels : E-commerce has grown in importance as companies have adopted Pure-Click and Brick and Click channel systems. We can distinguish between pure-click and brick and click channel system adopted by companies. Pure-Click companies are those that have launched a website without any previous existence as a firm. It is imperative that such companies must set up and operate their ecommerce websites very carefully. Customer service is of paramount importance. Brick and Click companies are those existing companies that have added an online site for e-commerce. Initially, Brick and Click companies were skeptical whether or not to add an online e-commerce channel for fear that selling their products might produce channel conflict with their off-line retailers, agents, or their own stores. However, they eventually added internet to their distribution channel portfolio after seeing how much business their online competitors were generating. Forecast for Global Ecommerce Growth :


Although the US and Canada lead the world in ecommerce spending, other countries are increasingly shopping online. By 2014, global ecommerce spending is projected to increase more than 90 percent. A sizable portion of that growth is expected to come from Latin America, where the amount spent online is projected to more than double. If these projections are accurate, annual ecommerce spending, in billions for 2014 will be: North America $202.8 Western Europe $166.5 Asia-Pacific $93.2 Latin America $27.1 Eastern Europe & Russia $27.0 Australia $4.9 Africa & The Middle East $3.0 Snapshot of Global Ecommerce Projection from Euromonitor International

Payment Domain-Training Manual Dated 08/02/11

Page 20 of 98

2.10 Emerging Trends in Global Ecommerce : As social media, app stores and global availability become standard, many companies are looking to enhance the online customer experience. And while retail and other transactions via Internet are customary, more than ever companies are simplifying the ways in which customers interact with their website and ultimately make online purchases. Here are eight trends happening right now in global e-commerce that seek to enhance the user experience 1. Micropayments : Among the most revolutionary changes in the coming monthsnot yearsis the use of micro-payment systems from a variety of financial firms, e.g., Paypal, Visa, WesternUnion, among others, including banks. This trend is facilitated by the W3C working group that approved these protocols and technical standards for the interworking. These systems will change not only how we carry money but how we value money and think about purchases. (Consider how a purchase of $4.99 feels in a mobile app store vs. at Dunkin' Donuts.) Payment systems that make it easier to buy online, coupled with mobile technologies will accelerate the usage of global e-commerce applications. 2. Mobile Technologies : More people access the Internet on their mobile devices than on any other device. We are rapidly approaching the time (if we are not already there) where designs must be created for the mobile Web first, and for the desktop second. Mobile technologies facilitate comparison shopping; with the advent of barcode reader apps and Payment Domain-Training Manual Dated 08/02/11 Page 21 of 98

price-comparison databases, a consumer could snap a bar code in Walmart and quickly reference product reviews and prices on (or compare prices with Walmart competitors). Mobile technologies also facilitate impulse buys especially with the advent of micro-payments tied to the mobile device. Just recently, Starbucks customers can not only place an order with their Smartphone, but also make a purchase. 3. Social Media : As Facebook has become the most visited site on the Web, the role of social media, including Facebook and its local clones such as Twitter, is increasingly important. Social media sites increasingly act as points of entry to e-commerce sites, and vice versa, as e-commerce sites build rating, loyalty and referral systems tied to social media. Group buying (e.g., Groupon) is also gaining mainstream ground, with many "deal of the day" sites competing for an increasingly savvy consumer base, but improvements lie ahead as the social aspects and user experience are refined. 4. Fulfillment Options : Users will want to have multiple fulfillments and return options when interacting with a vendor: ship to address, courier, pick-up in store, return to store, etc. Having many fulfillment options is how customers view their overall customer experience. Some companies have made a business proposition online by being exceptional in service to the online channel (e.g., Zappos). 5. Global Availability : Increasingly, consumers want the availability to buy products from foreign sites and have them delivered locally. Thus, currency and customs will be of growing concern to many online retailers. Along with this, there will be concerns with local privacy laws and restrictions on related data collection and storage 6. Localization: While the trend is to globalize, whats often more important is to localize. Research clearly shows that sites that feel local with proper imagery, language, time/date, weights/measures, currency, etc. resonate far more than sites that seem culturally distant or sterile 7. Customizability : Consumers want control, and want to be able to design the details of the items they purchase 8. Time based Availability : Some of the hottest and most successful sites are those that have a time-critical response component. Sites like Groupon, Gilt and others capitalize on the perception of limited-time availability. Creating a sense of urgency drives traffic and purchase behavior. 2.11 Challenges Facing Global Ecommerce : The issues concerning global ecommerce can be categorized along four major diomensions economic, technological, social and legal. Economic considerations regarding ecommerce include the cost justification of projects, the number of buyers and sellers and their access to the internet, the issues connected with infrastructure upgrade and the question of skill shortage.

Payment Domain-Training Manual Dated 08/02/11

Page 22 of 98

Economic Cost Justification Internet Access Telecom Infrastructure Skill Shortage

Social Privacy/Security Cultural Diversity Trust Absence of touch/feel

Technical Security, reliability and protocols Bandwidth Integration

Legal Intellectual property rights Legal validity of transactions Taxation issues Policing/Regulation

The technical considerations concerning ecommerce are security, reliability, communication protocols, bandwidth availability and integration with existing applications. There are a number of social and cultural issues that need to be addressed when considering global ecommerce. Some of them are concerns with privacy and security on the internet, the challenges of global diversity, the questions raised by user resistance and inadequate trust and the absence of a tactile medium for online sales. Security and privacy issues are major stumbling blocks for the growth of ecommerce as consumers hesitate to disclose confidential information on the internet. The issue of intellectual property rights is a major factor in the development of global ecommerce. One of the most important concerns is the legal validity of electronic transactions, the taxation of electronic transactions and the enforcement of regulations. The open nature of the medium requires the enactment of new laws that will make electronic transactions valid and legally enforceable 2.12 Ecommerce in India: An Overview Indias eCommerce industry is on the growth curve and experiencing a spurt in growth. The Online Travel Industry is very well developed and is booming largely due to the Internet-savvy urban population. The rest of the segments, categorized under online non-travel industry, include e-Tailing (online retail), online classifieds and Digital Downloads (still in a nascent stage). Though eCommerce took a beating in the dotcom bust, it seems set to grow globally. The global revival of eCommerce is having a ripple effect in India too where the B2B (Business to Business), B2C (Business to Consumer), C2C (Consumer to Consumer), G2B (Government to Business) and G2C (Government to Citizens) segments are showing rapidly increasing activity over the past few years. India has its share of success stories in the B2C segment in the form of,,,,,, and etc. These and such other portals are generating a lot of interest and increasing transaction traffic. Smaller businesses have jumped onto the bandwagon by offering products and services online and have successfully carved out niches for themselves. The online community is growing by leaps and bounds as an increasing number of consumers have started transacting online because the initial fears and apprehensions are being laid to rest. Payment Domain-Training Manual Dated 08/02/11 Page 23 of 98

Research studies have indicated several factors responsible for the sudden spurt in growth of eCommerce in India such as: Rapidly increasing Internet user base Technology advancements such as VOIP (Voice-over-IP) have bridged the gap between buyers and sellers online The emergence of blogs as an avenue for information dissemination and two-way communication for online retailers and eCommerce vendors Improved fraud prevention technologies that offer a safe and secure business environment and help prevent credit card frauds, identity thefts and phishing Bigger web presence of SMEs and Corporates because of lower marketing and infrastructure costs. Longer reach Consumers in the Tier II & Tier III cities are fast realizing the potential of the Internet as a transacting medium The young population find online transactions much easier

Net commerce on India has evolved over the past decade in terms of magnitude. Total net commerce market of India is estimated to be INR 19,688 crores in year 2009 and is expected to grow to INR 31,598 crores by year 2010. It has come a long way since 2007 when the market size was just INR 8,146 Crores (Source: IAMAI)

Payment Domain-Training Manual Dated 08/02/11

Page 24 of 98

Chapter - 3

Payments Terminologies with Definition and Meanings


An acquirer (or acquiring bank) is a member of a card association, for example MasterCard and/or Visa, which maintains merchant relationships and receives all bankcard transactions from the merchant. Acquirers charge the merchants fees which include: a monthly rent for the EFTPOS terminal (if it is not owned by the merchant) which is usually equivalent to around 10 to 30 USD monthly, a percentage fee on their transactions (which varies from country to country, for example in Poland it ranges from 1.8% to 2.5%, regardless of whether the card is debit or credit, in USA and many Western Europe countries the fee is often much lower for debit card transactions, than for those with credit cards), and sometimes--especially in the countries where fees for debit card transactions are much lower--an additional fixed fee per transaction, which ranges from 10 to 20 cents). In the USA, Visa/MasterCard acquirers, and therefore merchants, usually pay much less for a transaction in which the magnetic stripe on the reverse of the card has been successfully swiped through the magnetic stripe reader found in a credit card terminal. This is due to the inclusion of the information encoded into the stripe, which includes anti-fraud features. The fees for card transactions that are hand-keyed into the keypad of a card terminal or computer keyboard are higher, since this security information is absent from the transaction data. Debit transaction costs are usually just a flat rate (usually $.60 to $1.10 USD each) when the Personal Identitification Number (PIN) is entered by the cardholder. This type of transaction is referred to as "PIN debit." The merchant's terminal requires a PIN pad for this PIN entry. Often the PIN pad is a separate device connected to the terminal, other times the PIN pad is integrated in the machine. When a debit card is swiped through the magnetic stripe reader of a credit card terminal, but the PIN is not entered, the acquirer usually charges a rate comparable to the swiped credit card rate or less. Since Visa/MC charges acquires less for non-PIN debit cards, many acquirers charge less to the merchant. Typical rates are usually around 1.3% to 1.9% for non-PIN debits (offline Debit rate) and often 1.6% to 1.9% for credit card swipes. This type of debit transactions is referred to as "signature debit." When properly handled by the merchant, these swiped transactions will qualify for the lowest available Interchange program from the card associations. This indicates all of the required criteria have been satisfied by the transaction to "qualify" for that program rate. For this reason, they are often referred to as "Qualified" transactions. "Rewards" cards from the Associations--cards that provide the cardholder some premium for its use, such as air miles--even when swiped, often fall into the more expensive "Mid-Qualified" or even the most expensive "Non-Qualified" category. Handkeyed transactions usually have a much higher rate, often 2.3% to 2.8% for these transactions. Many processors will charge the lower rate on all transactions on their monthly merchant statements, then show the "add on" for the handkeyed and other more costly transactions. Often this 'add on' is 1-1.3%. These transactions are often referred to as MidQualified. The highest rate (Non-Qualified transactions) is for corporate cards, foreign cards, downgraded transactions (when the merchant does not meet all of the requirements), and higher-level Rewards-type cards. This Non-Qual rate is typically at least 3.0%, and sometimes as high as 5.0% In a credit card transaction, the acquirer is the entity that receives an authorization request from its merchant accepting the card as a form of payment and forwards it through various

Payment Domain-Training Manual Dated 08/02/11

Page 25 of 98

"authorization networks" to the Issuing Bank ("Issuer"). The Issuer determines whether to approve or decline the sale, since they are the entity actually extending credit to its cardholder. 3.2

Independent Sales Organizations

The payment card industry defines an Independent sales organization (ISO) as an organization or individual that is not a member of Card Associations like Visa or MasterCard, but that has a bank card relationship with an Association member that involves acquiring or issuing functions such as the ISO soliciting merchant accounts, arranging for terminal purchases or leases, providing customer service, and soliciting cardholders. For good reason, acquiring banks are selective about the businesses to which they provide merchant accounts. Some kinds of businessessuch as online wagering or adult entertainment sites and those that are small, home-based, or not yet establishedare more prone to risk and credit-card fraud than others. For these kinds of businesses, obtaining merchant accounts directly from acquiring banks can be difficult. Independent sales organizations (ISOs) are third-party organizations that partner with acquiring banks to find, open, and manage merchant accounts on behalf of such businesses in exchange for a higher fee, or for a percentage of the merchant's sales. An ISO is sometimes referred to as a Member Service Provider (MSP), although their definitions are not always synonymous. MasterCard refers to its ISOs as MSPs, defining a Member Service Provider as a non-member that is registered by the Corporation [MasterCard] as an MSP to provide Program Services to a member, or any member that is required to register, in the Corporations sole discretion, and has been registered as an MSP to provide Third Party Processor Program Services to another member. The acquirer must register all ISO / MSPs with the applicable Association. It is important to understand that ISOs and MSPs are not banks and the actual handling of the merchants money is done by the processing bank that has contracted with the ISO. Each ISO / MSP must be sponsored by such a processing bank, member of Visa and / or MasterCard, in order to be registered by either Credit Card Association. Typically, processing banks are members of both Associations and the registration process for each Association is done simultaneously. An ISO / MSP can be sponsored by multiple member banks, and as mentioned above processing banks can also perform the job of their ISOs / MSPs, but they rarely do so and prefer to concentrate on issuing credit cards and acquiring payment transactions instead. ISOs / MSPs must display the name of their sponsor bank on their website and marketing materials. Most disclosures are located in the footer of the ISO / MSP website. 3.3

Point of Sale

Point of sale (POS) or checkout is the location where a transaction occurs. A "checkout" refers to a POS terminal or more generally to the hardware and software used for checkouts, the equivalent of an electronic cash register. A POS terminal manages the selling process by a salesperson accessible interface. The same system allows the creation and printing of the receipt. A checkout system generally involves the following components General computer hardware General computer software Checkout hardware Checkout software Miscellaneous store hardware

Payment Domain-Training Manual Dated 08/02/11

Page 26 of 98

Because of the expense involved with a POS system, the eBay guide recommends that if annual revenue exceeds the threshold of $700,000, investment in a POS system will be advantageous. POS systems are manufactured and serviced by such firms as Fujitsu, IBM, MICROS Systems, Panasonic, Radiant Systems, Sharp, Squirrel Systems, and Vectron POS among others. 3.4 Electronic Bill Presentment & Payment Electronic Bill Presentment & Payment (EBPP) is a form of electronic billing in which a company presents or sends its bills and customers pay these electronically over the Internet. The service has applications for many industries, from financial service providers to telecommunications companies and utilities. This method of billing and collecting can take two distinct forms Biller direct and Bank Aggregator. Biller Direct refers to an approach in which consumers make payments directly to one biller that issues bills that they receive at the website of the firm that issued the bill. An example would be of a public utility company offering this payment service to its consumers. On the other hand, the approach under the Bank-aggregator model is to make payment at an aggregator or consolidator site, usually from a consumer's banks website. This model allows the consumer to make payments to multiple billers that are pre-registered to receive payments. The focus is on the many-to-one relationship, with transactions conducted via a website. An excellent example of the consolidated form of EBPP is online bill payment. Many of the larger financial institutions offer online bill payment for their customers. A user can, with several clicks of a mouse and a few keystrokes, pay a large variety of bills, such as the phone bill, the electric bill, the car payment, the rent, the medical bills, and the ISP bill. A good example of the direct form of EBPP is a credit card company's website, which offers online payment for debtors' accounts. A user can log on to the website and schedule a credit card payment via banking information already entered. This is a one-to-one relationship. Many websites that offer online bill payments also offer email reminders of payments. This is the presentment part of EBPP. Such email reminders can also be used for traditional paper payments. Many websites that offer online bill payments also offer information download options, so that users can keep copies of their online transactions on their own PCs. Common download formats Payment Domain-Training Manual Dated 08/02/11 Page 27 of 98

include Quicken, Quickbooks, Excel, and CSV. EBPP is also convenient for financial institutions in that it allows for computerized tracking and assimilation of transaction data at lightning-quick speeds. Electronic bill-keeping can eliminate the need for paper records, which saves a financial institution both time and money. Billers, bankers, aggregators and consolidators implementing EBPP can play various roles in the overall EBPP process. Once roles are defined, it is easier to identify which model is most appropriate for the client's EBPP strategy. Billers may also implement more than one model in order to best serve their clients. Because the industry is continuously changing and redefining, the options and opportunities for EBPP will continue to expand. Biller payment provider (BPP) - An agent of the biller that accepts remittance information on behalf of the Biller. Biller service provider (BSP) - An agent of the biller that provides an EBPP service for the Biller. Consolidator - A biller service provider that consolidates bills from multiple Billers or other bill service providers (BSPs) and delivers them for presentment to the customer service provider (CSP). Customer service provider (CSP) An agent of the customer that provides an interface directly to customers, businesses or others for bill presentment. CSP enrolls customers, enables presentment and provides customer care, among other functions.

3.5 Issuer An issuing bank or Issuer is a bank that offers card association branded payment cards directly to consumers. The issuing bank assumes primary liability for the consumer's capacity to pay off debts they incur with their card. The issuing bank extends a line of credit to the consumer. Liability for non-payment is then shared by the issuing bank and the acquiring bank, according to rules established by the card association brand. 3.6 EMV EMV stands for Europay, MasterCard and VISA, a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions. It is a joint effort between Europay, MasterCard and Visa to ensure security and global interoperability so that Visa and MasterCard cards can continue to be accepted everywhere. Europay International SA was absorbed into MasterCard in 2002. JCB (formerly Japan Credit Bureau) joined the organization in December 2004, and American Express joined in February 2009. IC card systems based on EMV are being phased in across the world, under names such as "IC Credit" and "Chip and PIN". The EMV standards define the interaction at the physical, electrical, data and application levels between IC cards and IC card processing devices for financial transactions. There are standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards. The most widely known chip card implementations of EMV standard are VSDC VISA MChip MasterCard AEIPS - American Express J Smart - JCB

Payment Domain-Training Manual Dated 08/02/11

Page 28 of 98

Visa and MasterCard have also developed standards for using EMV cards in devices to support card-not-present transactions over the telephone and Internet. MasterCard has the Chip Authentication Program (CAP) for secure e-commerce. Its implementation is known as EMV-CAP and supports a number of modes. Visa has the Dynamic Password Authentication (DPA) scheme, which is their implementation of CAP using different default values.

Payment Domain-Training Manual Dated 08/02/11

Page 29 of 98

Chapter - 4

Electronic Prepaid Instruments

Prepaid Gift Cards

A gift card is a restricted monetary equivalent or scrip that is issued by retailers or banks to be used as an alternative to a non-monetary gift. Highly popular, they rank as the second-most given gift by consumers in the United States (2006) and the most-wanted gift by women, and the thirdmost wanted by males. Gift cards have become increasingly popular as they relieve the donor of selecting a specific gift. A gift card may resemble a credit card or display a specific theme on a plastic card the size of a credit card. The card is identified by a specific number or code, not usually with an individual name, and thus could be used by anybody. They are backed by an on-line electronic system for authorization. Some gift cards can be reloaded by payment and can be used thus multiple times. Cards may have a barcode or magnetic strip, which is read by an electronic credit card machine. Many cards have no value until they are sold, at which time the cashier enters the amount which the customer wishes to put on the card. This amount is rarely stored on the card but is instead noted in the store's database, which is crosslinked to the card ID. Gift cards thus are generally not stored-value cards as used in many public transport systems or library photocopiers, where a simplified system (with no network) stores the value only on the card itself. To thwart counterfeiting, the data is encrypted. The magnetic strip is also often placed differently than on credit cards, so they cannot be read or written with standard equipment. Other gift cards may have a set value and need to be activated by calling a specific number. Gift cards can also be custom tailored to meet specific needs. By adding a custom message or name on the front of the card, it can make for an individualized gift or incentive to an employee to show how greatly they are appreciated. Some companies offer custom designs on the cards for businesses wishing to add their logo. Special order cards are available for businesses. Gift cards are divided into "open loop" or "network" cards and "closed loop" cards. The former are issued by banks or credit card companies and can be redeemed by different establishments, the latter by a specific store or restaurant and can be only redeemed by the issuing provider. The latter, however, tend to have lesser problems with card value decay and fees. In either case the giver would buy the gift card (and may have to pay an additional purchase fee), and the recipient of the card would use the value of the card at a later transaction. A third form is the "hybrid closed loop" card where the issuer has bundled a number of closed loop cards; an example is a gift card for a specific mall. Gift cards differ from gift certificates, in that the latter are usually sold as a paper document with an authorized signature by a restaurant, store, or other individual establishment as a voucher for a future service; there is no electronic authorization. A gift certificate may or may not have an expiration date and generally has no administrative fees. Bank-issued gift cards may be used in lieu of checks as a way to disburse rebate funds. Some retailers use the gift card system for refunds in lieu of cash thereby assuring that the customer will spend the funds at their store. A Charity Gift Card allows the gift giver to make a charitable donation, and the gift recipient to choose a charity that will receive the donation.

4.1.1 Mobile & Virtual gift cards

Mobile gift cards are delivered to mobiles phones via SMS messages and phone applications including iPhone applications allowing users to carry only their cell phones. Benefits include tying them to a particular phone number and ease of distribution through email.

Payment Domain-Training Manual Dated 08/02/11

Page 30 of 98

Virtual gift cards are delivered via e-mail to their recipient, the benefits being that they cannot be lost and that the consumer does not have to drive to the bricks and mortar location to purchase a gift card. Target, one of the top sellers of Gift Cards in the US and Starbucks have launched mobile gift cards.

4.1.2 Mobile Payments

Mobile payment or known also as Mobile wallet is an alternative payment method. Instead of paying with cash, cheque or credit cards, a consumer can use a mobile phone to pay for a wide range of services and digital or hard goods such as Music, videos, ringtones, online game subscription or items, wallpapers and other digital goods. Transportation fare (bus, subway or train), parking meters and other services Books, magazines, tickets and other hard goods There are four primary models for mobile payments Premium SMS based transactional payments Direct Mobile Billing Mobile web payments (WAP) Contactless NFC (Near Field Communication) Mobile payment has been well adopted in many parts of Europe and Asia. Combined market for all types of mobile payments is expected to reach more than $600B globally by 2013, which will be the double of the current figure, while mobile payment market for goods and services, excluding contactless NFC transactions and money transfers, is expected to exceed $300B globally by 2013.

4.1.3 Premium SMS/USSD based transactional payments

The consumer sends a payment request via an SMS text message or an USSD to a short code and a premium charge is applied to their phone bill or their online wallet. The merchant involved is informed of the payment success and can then release the paid for goods. Since a trusted delivery address has typically not been given these goods are most frequently digital with the merchant replying using a Multimedia Messaging Service to deliver the purchased music, ringtones, wallpapers etc. A Multimedia Messaging Service can also deliver barcodes which can then be scanned for confirmation of payment by a merchant. This is used as an electronic ticket for access to cinemas and events or to collect hard goods. Transactional payments have been popular in Asia and Europe but are now being overtaken by other mobile payment methods such as mobile web payments (WAP), mobile payment client (Java ME, Android) and Direct Mobile Billing for a number of reasons: Poor reliability - transactional payments can easily fail as messages get lost. Slow speed - sending messages can be slow and it can take hours for a merchant to get receipt of payment. Consumers do not want to be kept waiting more than a few seconds. Security - The SMS/USSD encryption ends in the radio interface, then the message is a plaintext. High cost - There are many high costs associated with this method of payment. The cost of setting up short codes and paying for the delivery of media via a Multimedia

Payment Domain-Training Manual Dated 08/02/11

Page 31 of 98

Messaging Service and the resulting customer support costs to account for the number of messages that get lost or are delayed. Low payout rates - operators also see high costs in running and supporting transactional payments which results in payout rates to the merchant being as low as 30%. Usually around 50% Low follow-on sales - once the payment message has been sent and the goods received there is little else the consumer can do. It is difficult for them to remember where something was purchased or how to buy it again. This also makes it difficult to tell a friend.

Some Mobile Payment services accept Premium SMS payments. Here is the typical end user payment process: 1. User sends SMS with Keyword and unique number to a Premium Short Code. 2. User receive a PIN (User billed via the short code on receipt of the PIN) 3. Finally user enters PIN to get access to content or services.

4.1.4 Direct Mobile Billing

The consumer uses the mobile billing option during checkout at an e-commerce sitesuch as an online gaming siteto make a payment. After two-factor authentication involving a PIN and OneTime-Password, the consumer's mobile account is charged for the purchase. It is a true alternative payment method that does not require the use of credit/debit cards or pre-registration at an online payment solution such as PayPal, thus bypassing banks and credit card companies altogether. This type of mobile payment method, which is extremely prevalent and popular in Asia, provides the following benefits: 1. 2. 3. 4. 5. Security - Two-factor authentication and a risk management engine prevents fraud. Convenience - No pre-registration and no new mobile software is required. Easy - It's just another option during the checkout process. Fast - Most transactions are completed in less than 10 seconds. Proven - 70% of all digital content purchased online in some parts of Asia uses the Direct Mobile Billing method

4.1.5 Mobile web payments (WAP)

The consumer uses web pages displayed or additional applications downloaded and installed on the mobile phone to make a payment. It uses WAP (Wireless Application Protocol) as underlying technology and thus inherits all the advantages and disadvantages of WAP. However, using a familiar web payment model gives a number of proven benefits: 1. Follow-on sales where the mobile web payment can lead back to a store or to other goods the consumer may like. These pages have a URL and can be bookmarked making it easy to re-visit or share with friends. 2. High customer satisfaction from quick and predictable payments 3. Ease of use from a familiar set of online payment pages

Payment Domain-Training Manual Dated 08/02/11

Page 32 of 98

However, unless the mobile account is directly charged through a mobile network operator, the use of a credit/debit card or pre-registration at online payment solution such as PayPal is still required just as in a desktop environment. Mobile web payment methods are now being mandated by a number of mobile network operators. A number of different actual payment mechanisms can be used behind a consistent set of web pages.

4.1.6 Direct operator billing

A direct connection to the operator billing platform requires integration with the operator, but provides a number of benefits: 1. Simplicity - the operators already have a billing relationship with the consumers, the payment will be added to their bill. 2. Instantaneous payments giving the highest customer satisfaction 3. Accurate responses showing success and reasons for failure (no money for example) 4. Security to protect payment details and consumer identity 5. Best conversion rates from a single click-to-buy and no need to enter any further payment details. 6. Reduced customer support costs for merchants since customers will complain to the operator. It has however a drawback, the payout rate will be much lower than with other payment providers. Examples from a popular provider: 92% with Paypal 85 to 86% with Credit Card 45 to 91.7% with Operator billing in the US, UK and different smaller European countries, but usually around 60%

Direct operator billing is also known as Mobile content billing or WAP billing.

4.1.7 Credit Card

A simple mobile web payment system can also include a credit card payment flow allowing a consumer to enter their card details to make purchases. This process is familiar but any entry of details on a mobile phone is known to reduce the success rate (conversion) of payments. In addition, if the payment vendor can automatically and securely identify customers then card details can be recalled for future purchases turning credit card payments into simple single clickto-buy giving higher conversion rates for additional purchases.

4.1.8 Online Wallets

Online companies like PayPal, Amazon Payments and Google Checkout also have mobile options. Here is the process: First Payment o User registers, inputs their phone number, the provider sends them an SMS with a PIN o User enters the received PIN, authenticating the number. Page 33 of 98

Payment Domain-Training Manual Dated 08/02/11

User inputs their credit card info (or another payment method) if necessary. (Not necessary if account already existing) and validates payments

Subsequent payments o The user re enters their PIN to authenticate

Requesting a PIN is known to lower the success rate (conversion) for payments. These systems can be integrated with directly or can be combined with operator and credit card payments through a unified mobile web payment platform.

4.1.9 Contactless Near Field Communication

Near Field Communication (NFC) is used mostly in paying for purchases made in physical stores or transportation services. A consumer using a special mobile phone equipped with a smartcard waves his/her phone near a reader module. Most transactions do not require authentication, but some require authentication using PIN, before transaction is completed. The payment could be deducted from pre-paid account or charged to mobile or bank account directly. Mobile payment method via NFC faces significant challenges for wide and fast adoption, while some phone manufacturers and banks are enthusiastic, due to lack of supporting infrastructure, complex ecosystem of stakeholders, and standards. NFC vendors in Japan are closely related to mass-transit networks, like the Mobile Suica used on the JR East rail network. Osaifu-Keitai system, used for Mobile Suica and many others including Edy and nanaco, has become the de-facto standard method for mobile payments in Japan. Its core technology, Mobile FeliCa IC, is partially owned by Sony, NTT DoCoMo and JR East. Mobile FeliCa utilize Sony's FeliCa technology, which itself is the de-facto standard for contactless smart cards in the country. Other NFC vendors mostly in Europe use contactless payment over mobile phones to pay for onand off-street parking in specially demarcated areas. Parking wardens may enforce the parkings by license plate, transponder tags or barcode stickers. First conceptualized in the 1990s, the technology has seen commercial use in this century in both Scandinavia and Estonia. End users benefit from the convenience of being able to pay for parking from the comfort of their car with their mobile phone, and parking operators are not obliged to invest in either existing or new street-based parking infrastructures. Parking wardens maintain order in these systems by license plate, transponder tags or barcode stickers or they read a digital display with their eyes in the same way as they read a pay and display receipt. Other Technic use synergistic of both NFC and Bar-code on the mobile via Digimo capability for mobile payment giving full caver for both Point Of Sale and the fact that most of the mobile devices in the market does not support NFC yet. 4.2

Credit and Debit Instruments

4.2.1 Credit Card

A credit card is a small plastic card issued to users as a system of payment. It allows its holder to buy goods and services based on the holder's promise to pay for these goods and services. The issuer of the card creates a revolving account and grants a line of credit to the consumer (or the user) from which the user can borrow money for payment to a merchant or as a cash advance to the user. A credit card is different from a charge card: a charge card requires the balance to be paid in full each month. In contrast, credit cards allow the consumers a continuing balance of debt, subject to Payment Domain-Training Manual Dated 08/02/11 Page 34 of 98

interest being charged. A credit card also differs from a cash card, which can be used like currency by the owner of the card. Most credit cards are issued by banks or credit unions, and are the shape and size specified by the ISO/IEC 7810 standard as ID-1. This is defined as 85.60 53.98 mm (3.370 2.125 in) (33/8 21/8 in) in size.

How credit cards work

Credit cards are issued by a credit card issuer, such as a bank or credit union, after an account has been approved by the credit provider, after which cardholders can use it to make purchases at merchants accepting that card. When a purchase is made, the credit card user agrees to pay the card issuer. The cardholder indicates consent to pay by signing a receipt with a record of the card details and indicating the amount to be paid or by entering a personal identification number (PIN). Also, many merchants now accept verbal authorizations via telephone and electronic authorization using the Internet, known as a card not present transaction (CNP). Electronic verification systems allow merchants to verify in a few seconds that the card is valid and the credit card customer has sufficient credit to cover the purchase, allowing the verification to happen at time of purchase. The verification is performed using a credit card payment terminal or point-of-sale (POS) system with a communications link to the merchant's acquiring bank. Data from the card is obtained from a magnetic stripe or chip on the card; the latter system is called Chip and PIN in the United Kingdom and Ireland, and is implemented as an EMV card. For card not present transactions where the card is not shown (e.g., e-commerce, mail order, and telephone sales), merchants additionally verify that the customer is in physical possession of the card and is the authorized user by asking for additional information such as the security code printed on the back of the card, date of expiry, and billing address. Each month, the credit card user is sent a statement indicating the purchases undertaken with the card, any outstanding fees, and the total amount owed. After receiving the statement, the cardholder may dispute any charges that he or she thinks are incorrect. Otherwise, the cardholder must pay a defined minimum proportion of the bill by a due date, or may choose to pay a higher amount up to the entire amount owed. The credit issuer charges interest on the amount owed if the balance is not paid in full (typically at a much higher rate than most other forms of debt). In addition, if the credit card user fails to make at least the minimum payment by the due date, the issuer may impose a "late fee" and/or other penalties on the user. To help mitigate this, some financial institutions can arrange for automatic payments to be deducted from the user's bank accounts, thus avoiding such penalties altogether as long as the cardholder has sufficient funds. Advertising, solicitation, application and approval Credit card advertising regulations include the Schumer box disclosure requirements. A large fraction of junk mail consists of credit card offers created from lists provided by the major credit reporting agencies. In the United States, the three major US credit bureaus (Equifax, TransUnion and Experian) allow consumers to opt out from related credit card solicitation offers via its Opt Out Pre Screen program. Interest charges Credit card issuers usually waive interest charges if the balance is paid in full each month, but typically will charge full interest on the entire outstanding balance from the date of each purchase if the total balance is not paid. For example, if a user had a $1,000 transaction and repaid it in full within this grace period, there would be no interest charged. If, however, even $1.00 of the total amount remained unpaid, interest would be charged on the $1,000 from the date of purchase until the payment is received. The precise manner in which interest is charged is usually detailed in a cardholder agreement Payment Domain-Training Manual Dated 08/02/11 Page 35 of 98

which may be summarized on the back of the monthly statement. The general calculation formula most financial institutions use to determine the amount of interest to be charged is APR/100 x ADB/365 x number of days revolved. Take the annual percentage rate (APR) and divide by 100 then multiply to the amount of the average daily balance (ADB) divided by 365 and then take this total and multiply by the total number of days the amount revolved before payment was made on the account. Financial institutions refer to interest charged back to the original time of the transaction and up to the time a payment was made, if not in full, as RRFC or residual retail finance charge. Thus after an amount has revolved and a payment has been made, the user of the card will still receive interest charges on their statement after paying the next statement in full The credit card may simply serve as a form of revolving credit, or it may become a complicated financial instrument with multiple balance segments each at a different interest rate, possibly with a single umbrella credit limit, or with separate credit limits applicable to the various balance segments. Usually this compartmentalization is the result of special incentive offers from the issuing bank, to encourage balance transfers from cards of other issuers. In the event that several interest rates apply to various balance segments, payment allocation is generally at the discretion of the issuing bank, and payments will therefore usually be allocated towards the lowest rate balances until paid in full before any money is paid towards higher rate balances. Interest rates can vary considerably from card to card, and the interest rate on a particular card may jump dramatically if the card user is late with a payment on that card or any other credit instrument, or even if the issuing bank decides to raise its revenue. Benefits to customers The main benefit to each customer is convenience. Compared to debit cards and cheques, a credit card allows small short-term loans to be quickly made to a customer who need not calculate a balance remaining before every transaction, provided the total charges do not exceed the maximum credit line for the card. Credit cards also provide more fraud protection than debit cards. Many credit cards offer rewards and benefits packages, such as offering enhanced product warranties at no cost, free loss/damage coverage on new purchases, and points which may be redeemed for cash, products, or airline tickets. Benefits to merchants For merchants, a credit card transaction is often more secure than other forms of payment, such as cheques, because the issuing bank commits to pay the merchant the moment the transaction is authorized, regardless of whether the consumer defaults on the credit card payment (except for legitimate disputes, which are discussed below, and can result in charges back to the merchant). In most cases, cards are even more secure than cash, because they discourage theft by the merchant's employees and reduce the amount of cash on the premises. Prior to credit cards, each merchant had to evaluate each customer's credit history before extending credit. That task is now performed by the banks which assume the credit risk. Credit cards can also aid in securing a sale, especially if the customer does not have enough cash on his or her person or checking account. Extra turnover is generated by the fact that the customer can purchase goods and/or services immediately and is less inhibited by the amount of cash in his or her pocket and the immediate state of his or her bank balance. Much of merchants' marketing is based on this immediacy. For each purchase, the bank charges the merchant a commission (discount fee) for this service and there may be a certain delay before the agreed payment is received by the merchant. The commission is often a percentage of the transaction amount, plus a fixed fee (interchange rate). In addition, a merchant may be penalized or have their ability to receive payment using that credit card restricted if there are too many cancellations or reversals of charges as a result of disputes. Some small merchants require credit purchases to have a minimum amount to compensate for the transaction costs.

Payment Domain-Training Manual Dated 08/02/11

Page 36 of 98 Costs to merchants Merchants are charged several fees for the privilege of accepting credit cards. The merchant is usually charged a commission of around 1 to 3 per-cent of the value of each transaction paid for by credit card. The merchant may also pay a variable charge, called an interchange rate, for each transaction. In some instances of very low-value transactions, use of credit cards will significantly reduce the profit margin or cause the merchant to lose money on the transaction. Merchants must accept these transactions as part of their costs to retain the right to accept credit card transactions. Merchants with very low average transaction prices or very high average transaction prices are more averse to accepting credit cards. In some cases merchants may charge users a "credit card supplement", either a fixed amount or a percentage, for payment by credit card. This practice is prohibited by the credit card contracts in the United States, although the contracts allow the merchants to give discounts for cash payment. Parties involved Cardholder: The holder of the card used to make a purchase; the consumer. Card-issuing bank or Issuer: The financial institution or other organization that issued the credit card to the cardholder. This bank bills the consumer for repayment and bears the risk that the card is used fraudulently. American Express and Discover were previously the only card-issuing banks for their respective brands, but as of 2007, this is no longer the case. Cards issued by banks to cardholders in a different country are known as offshore credit cards. Merchant: The individual or business accepting credit card payments for products or services sold to the cardholder. Acquiring bank: The financial institution accepting payment for the products or services on behalf of the merchant. Independent sales organization: Resellers (to merchants) of the services of the acquiring bank. Merchant account: This could refer to the acquiring bank or the independent sales organization, but in general is the organization that the merchant deals with. Credit Card association: An association of card-issuing banks such as Visa, MasterCard, Discover, American Express, etc. that set transaction terms for merchants, card-issuing banks, and acquiring banks. Transaction network: The system that implements the mechanics of the electronic transactions. May be operated by an independent company, and one company may operate multiple networks. Affinity partner: Some institutions lend their names to an issuer to attract customers that have a strong relationship with that institution, and get paid a fee or a percentage of the balance for each card issued using their name. Examples of typical affinity partners are sports teams, universities, charities, professional organizations, and major retailers.

Payment Domain-Training Manual Dated 08/02/11

Page 37 of 98 Transaction steps Authorization: The cardholder pays for the purchase and the merchant submits the transaction to the acquirer (acquiring bank). The acquirer verifies the credit card number, the transaction type and the amount with the issuer (Card-issuing bank) and reserves that amount of the cardholder's credit limit for the merchant. An authorization will generate an approval code, which the merchant stores with the transaction. Batching: Authorized transactions are stored in "batches", which are sent to the acquirer. Batches are typically submitted once per day at the end of the business day. If a transaction is not submitted in the batch, the authorization will stay valid for a period determined by the issuer, after which the held amount will be returned to the cardholder's available credit (see authorization hold). Some transactions may be submitted in the batch without prior authorizations; these are either transactions falling under the merchant's floor limit or ones where the authorization was unsuccessful but the merchant still attempts to force the transaction through. Clearing and Settlement: The acquirer sends the batch transactions through the credit card association, which debits the issuers for payment and credits the acquirer. Essentially, the issuer pays the acquirer for the transaction. Funding: Once the acquirer has been paid, the acquirer pays the merchant. The merchant receives the amount totaling the funds in the batch minus either the "discount rate," "mid-qualified rate", or "non-qualified rate" which are tiers of fees the merchant pays the acquirer for processing the transactions. Chargebacks: A chargeback is an event in which money in a merchant account is held due to a dispute relating to the transaction. Chargebacks are typically initiated by the cardholder. In the event of a chargeback, the issuer returns the transaction to the acquirer for resolution. The acquirer then forwards the chargeback to the merchant, who must either accept the chargeback or contest it.

4.2.2 Debit Card

A debit card is a plastic card that provides the cardholder electronic access to his or her bank account/s at a financial institution. Some cards have a stored value with which a payment is made, while most relay a message to the cardholder's bank to withdraw funds from a designated account in favor of the payee's designated bank account. The card can be used as an alternative payment method to cash when making purchases. In many countries the use of debit cards has become so widespread that their volume of use has overtaken or entirely replaced the check and, in some instances, cash transactions. Like credit cards, debit cards are used widely for telephone and Internet purchases. However, unlike credit cards, the funds paid using a debit card are transferred immediately from the bearer's bank account, instead of having the bearer pay back the money at a later date. Debit cards usually also allow for instant withdrawal of cash, acting as the ATM card for withdrawing cash and as a check guarantee card. Merchants may also offer cashback facilities to customers, where a customer can withdraw cash along with their purchase. 4.3 Stored-value card A stored-value card refers to monetary value on a card not in an externally recorded account and differs from prepaid cards where money is on deposit with the issuer similar to a debit card. One major difference between stored value cards and prepaid debit cards is that prepaid debit cards are usually issued in the name of individual account holders, while stored value cards are usually anonymous. Gift cards are also stored value cards.

Payment Domain-Training Manual Dated 08/02/11

Page 38 of 98

The term stored-value card means the funds and or data are physically stored on the card. With prepaid cards the data is maintained on computers affiliated with the card issuer. The value associated with the card can be accessed using a magnetic stripe embedded in the card, on which the card number is encoded; using radio-frequency identification (RFID); or by entering a code number, printed on the card, into a telephone or other numeric keypad. 4.4 Closed system prepaid cards Closed system prepaid cards have emerged and replaced the traditional gift certificate and are commonly known as merchant gift cards. "Closed system" means the cards are only accepted at a single merchant. Purchasers buy a card for a fixed amount and can only use the card at the merchant that issues the card. Generally, few if any laws govern these types of cards. Card issuers or sellers are not required to obtain a license. Presently, no law exists that requires an issuer to provide refunds for lost or stolen cards. Whether a refund is possible is specified in an issuer's cardholder agreement. In addition, most closed system cards cannot be redeemed for cash. When a cardholder redeems all but an insignificant portion of the card on merchandise, that amount is generally lost and is absorbed by the issuer. 4.5 Semi-closed system prepaid cards Semi-closed system prepaid cards are similar to closed system prepaid cards. However, cardholders are permitted to redeem the cards at multiple merchants within a geographic area. These types of cards are issued by a third party, rather than the retailer who accepts the card. Examples include university cards and mall gift cards. The laws governing these types of cards are unsettled. 4.6 Open system prepaid cards Open System Prepaid Cards or network-branded prepaid cards are not credit cards, although they are sometimes marketed as "prepaid credit cards". No credit is offered by the card issuer and the cardholder spends money which has been prepaid to a card. Therefore, these cards are also marketed as "prepaid debit cards". The value is not physically stored on the card instead, the card number uniquely identifies a record in a central database, where the balance is recorded. These cards are similar to closed system prepaid cards, but are endorsed by a retail electronic payments network such as Visa, Visa Electron, MasterCard, or Maestro and can, unlike gift cards, be used anywhere debit cards with the same logo may be used. They are very similar to a debit card except that they don't require a checking account. These cards are also sometimes referred to as "open loop" cards. These cards have been marketed to consumers with poor credit, who are unable to qualify for the line of credit that backs a mainstream credit card. The fees associated with these cards are often very high. These have been criticized as unjustified, because the issuer is not taking any credit risk An example of open system prepaid cards is the Payroll card. Payroll cards are used by employers to pay employees. The employee is issued a card that permits access to an account established by the employer. At the end of each pay period, the employee's ability to draw money from that account is increased by the amount of his or her wages. The card may be used at an Automated Teller Machine (ATM) to obtain cash, and may be used at a store to pay for purchases. The payroll card is particularly useful for employees who do not have a regular checking or savings account at a financial institution because they can access their wages conveniently. Also, if there is no charge for using an ATM, they avoid fees charged for cashing checks. The advantage to the employer is low cost of paying wages and efficiency.

Payment Domain-Training Manual Dated 08/02/11

Page 39 of 98

4.7 Contactless Payment System and Devices Contactless payment systems (also known as "touch and go" or "wave and pay") are credit cards and debit cards, key fobs, smartcards or other devices which use RFID or NFC technology for making secure payments. The embedded chip and antenna enable consumers to wave their card or fob over a reader at the point of sale. Some suppliers claim that transactions can be almost twice as fast as a conventional cash, credit, or debit card purchase. As with all payment devices, contactless cards have a number of security features. Contactless runs over the same chip and PIN network as normal credit and debit card transactions, there is a payment limit on single transactions and contactless cards can only be used a certain number of times before customers are asked for their PIN. Contactless debit and credit transactions are protected by the same fraud guarantee as standard transactions. 4.8 Radio-frequency identification (RFID) RFID is a technology that uses communication through the use of radio waves to transfer data between a reader and an electronic tag attached to an object for the purpose of identification and tracking. RFID makes it possible to give each product in a grocery store its own unique identifying number, to provide assets, people, work in process, medical devices etc. all with individual unique identifiers - like the license plate on a car but for every item in the world. This is a vast improvement over paper and pencil tracking or bar code tracking that has been used since the 1970s. With bar codes, it is only possible to identify the brand and type of package in a grocery store, for instance. Furthermore, passive RFID tags (those without a battery) can be read if passed within close enough proximity to an RFID reader. It is not necessary to "show" the tag to the reader device, as with a bar code. In other words it does not require line of sight to "see" an RFID tag, the tag can be read inside a case, carton, box or other container, and unlike barcodes RFID tags can be read hundreds at a time. Bar codes can only read one at a time. Some RFID tags can be read from several meters away and beyond the line of sight of the reader. The application of bulk reading enables an almost-parallel reading of tags. Radio-frequency identification involves the hardware known as interrogators (also known as readers), and tags (also known as labels), as well as RFID software or RFID middleware. Most RFID tags contain at least two parts: one is an integrated circuit for storing and processing information, modulating and demodulating a radio-frequency (RF) signal, and other specialized functions; the other is an antenna for receiving and transmitting the signal. RFID can be either passive (using no battery), active (with an on-board battery that always broadcasts or beacons its signal) or battery assisted passive (BAP) which has a small battery on board that is activated when in the presence of an RFID reader. Passive tags in 2011 start at $ .05 each and for special tags meant to be mounted on metal, or withstand gamma sterilization go up to $5. Active tags for tracking containers, medical assets, or monitoring environmental conditions in data centers all start at $50 and can go up over $100 each. BAP tags are in the $3 10 range and also have sensor capability like temperature and humidity.[citation needed] The term RFID refers to the technology. The tags should properly be called "RFID tags" not "RFIDs". Fixed RFID and Mobile RFID: Depending on mobility, RFID readers are classified into two different types: fixed RFID and mobile RFID. If the reader reads tags in a stationary position, it is called fixed RFID. These fixed readers are set up specific interrogation zones and create a "bubble" of RF energy that can be tightly controlled if the physics is well engineered. This allows a very definitive reading area for when tags go in and out of the interrogation zone. On the other

Payment Domain-Training Manual Dated 08/02/11

Page 40 of 98

hand, if the reader is mobile when the reader reads tags, it is called mobile RFID. Mobile readers include hand helds, carts and vehicle mounted RFID readers from manufacturers such as Motorola, Intermec, Impinj, Sirit, etc. There are a variety of groups defining standards and regulating the use of RFID, including the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), ASTM International, the DASH7 Alliance and EPCglobal. (Refer to Regulation and standardization below.)There are also several specific industries that have set guidelines including the Financial Services Technology Consortium (FSTC) has set a standard for tracking IT Assets with RFID, the Computer Technology Industry Association CompTIA has set a standard for certifying RFID engineers and the International Airlines Transport Association IATA set tagging guidelines for luggage in airports. RFID has many applications; for example, it is used in enterprise supply chain management to improve the efficiency of inventory tracking and management. The Healthcare industry has used RFID to create tremendous productivity increases by eliminating "parasitic" roles that don't add value to an organization such as counting, looking for things, or auditing items. 4.9

Current Use of RFID

Electronic Vehicle Registration Payment by mobile phones Transportation payments Car-sharing Season parking tickets Toll roads Public transit (bus, rail, subway) Product tracking Casino chip tracking IT asset tracking Transportation and logistics Animal identification Hospital operating rooms

4.10 Near field communication (NFC) NFC allows for simplified transactions, data exchange, and connections with a touch. Formed in 2004, the Near Field Communication Forum (NFC Forum) promotes sharing, pairing, and transactions between NFC devices and develops and certifies device compliance with NFC standards. A smartphone or tablet with an NFC chip could make a credit card payment or serve as keycard or ID card. NFC devices can read NFC tags on a museum or retail display to get more information or an audio or video presentation. NFC can share a contact, photo, song, application, or video or pair Bluetooth devices. The 140 NFC Forum members include LG, Nokia, Huawei, HTC, Motorola, NEC, RIM, Samsung, Sony Ericsson, Toshiba, AT&T, Sprint, Rogers, SK, Google, Microsoft, PayPal, Visa, Mastercard, American Express, Intel, TI, Qualcomm, and NXP. 4.11 NFC Current Uses Emerging NFC standards allow customers to quickly purchase products and transfer secure information by touching devices. NFC allows companies to reduce staffing, printing, and point of sale costs. Globally, 100 million people use mobile payment outside the U.S., but only 3.5 million use the technology in the U.S. Social networking: Payment Domain-Training Manual Dated 08/02/11 Page 41 of 98

File Sharing: Tap one NFC device to another to instantly share a contact, photo, song, application, video, or website link. Electronic business card: Tap one NFC device to another to instantly share electronic business cards or resumes. Electronic money: To pay a friend, you could tap the devices and enter the amount of the payment. Mobile gaming: Tap one NFC device to another to enter a multiplayer game. Friend-to-friend: You could touch NFC devices together to Facebook friend each other or share a resume or to "check-in" at a location.

o o

Bluetooth and WiFi Connections o Bluetooth: Instant Bluetooth Pairing can save searching, waiting, and entering codes. Touch the NFC devices together for instant pairing. WiFi: Instant WiFi Configuration can configure a device to a WiFi network automatically. Tap an NFC device to an NFC enabled router.

eCommerce o Mobile payment: An NFC device may make a payment like a credit card by touching a payment terminal at checkout or a vending machine when a PIN is entered. PayPal: PayPal may start a commercial NFC service in the second half of 2011. Google Wallet is an Android app that stores virtual versions of your credit cards for use at checkout when a PIN is used. Ticketing: Tap an NFC device to purchase rail, metro, airline, movie, concert, or event tickets. A PIN is required. Boarding pass: A NFC device may act as a boarding pass, reducing check-in delays and staffing requirements. Point of Sale: Tap an SmartPoster tag to see information, listen to an audio clip, watch a video, or see a movie trailer. Coupons: Tapping an NFC tag on a retail display or SmartPoster may give the user a coupon for the product. Tour guide: Tap a passive NFC tag for information or an audio or video presentation at a museum, monument, or retail display. Page 42 of 98

Payment Domain-Training Manual Dated 08/02/11

Identity documents o ID card: An NFC enabled device can also act as an encrypted student, employee, or personal ID card or medical ID card. Keycard: An NFC enabled device may serve as car, house, and office keys. Rental Car and hotel keys: NFC rental car or hotel room keys may allow fast VIP check-in and reduce staffing requirements.

o o

4.12 NFC-enabled handsets Nokia C7-00 Nokia 6216 Classic Nokia 6212 Classic Nokia 6131 NFC Nokia 3220 + NFC Shell Nokia 5140(i) + NFC Shell Samsung S5230 Tocco Lite/Star/Player One/Avila Samsung SGH-X700 NFC Samsung D500E SAGEM my700X Contactless LG 600V contactless Motorola L7 (SLVR) Benq T80 Sagem Cosyphone Google Nexus S Google Nexus S 4G Samsung Galaxy S II Samsung Wave 578 BlackBerry Bold 9900/9930 Nokia N9

Payment Domain-Training Manual Dated 08/02/11

Page 43 of 98

Chapter - 5

Payment Gateway and Payment Processor

What is a Payment Gateway?

A payment gateway is a application that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical point of sale terminal located in most retail outlets. Payment gateways protect credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant and also between merchant and the payment processor.

Payment Domain-Training Manual Dated 08/02/11

Page 44 of 98


How payment gateways work?

A payment gateway facilitates the transfer of information between a payment portal (such as a website, mobile phone or IVR service) and the Front End Processor or acquiring bank. When a customer orders a product from a payment gateway-enabled merchant, the payment gateway performs a variety of tasks to process the transaction: 1. A customer places order on website by pressing the 'Submit Order' or equivalent button, or perhaps enters their card details using an automatic phone answering service. 2. If the order is via a website, the customer's web browser encrypts the information to be sent between the browser and the merchant's webserver. This is done via SSL (Secure Socket Layer) encryption. 3. The merchant then forwards the transaction details to their payment gateway. This is another SSL encrypted connection to the payment server hosted by the payment gateway. 4. The payment gateway forwards the transaction information to the payment processor used by the merchant's acquiring bank. 5. The payment processor forwards the transaction information to the card association (e.g., Visa/MasterCard) 1. If an American Express or Discover Card was used, then the processor acts as the issuing bank and directly provides a response of approved or declined to the payment gateway. 2. Otherwise, the card association routes the transaction to the correct card issuing bank. 6. The credit card issuing bank receives the authorization request and sends a response back to the processor (via the same process as the request for authorization) with a response code. In addition to determining the fate of the payment, (i.e. approved or declined) the response code is used to define the reason why the transaction failed (such as insufficient funds, or bank link not available) 7. The processor forwards the response to the payment gateway. 8. The payment gateway receives the response, and forwards it on to the website (or whatever interface was used to process the payment) where it is interpreted as a relevant response then relayed back to the cardholder and the merchant. 9. The entire process typically takes 23 seconds. 10. The merchant submits all their approved authorizations, in a "batch", to their acquiring bank for settlement via their processor. 11. The acquiring bank deposits the total of the approved funds in to the merchant's nominated account. This could be an account with the acquiring bank if the merchant does their banking with the same bank, or an account with another bank. 12. The entire process from authorization to settlement to funding typically takes 3 days. Many payment gateways also provide tools to automatically screen orders for fraud and calculate tax in real time prior to the authorization request being sent to the processor. Tools to detect fraud

Payment Domain-Training Manual Dated 08/02/11

Page 45 of 98

include geolocation, velocity pattern analysis, delivery address verification, computer finger printing technology, identity morphing detection, and basic AVS checks.


Security Features of a Payment Gateway

Since the customer is usually required to enter personal details, the entire communication of 'Submit Order' page (i.e. customer - payment gateway) is often carried out through HTTPS protocol. To validate the request of the payment page result, signed request is often used - which is the result of the hash function in which the parameters of an application confirmed by a secret word, known only to the merchant and payment gateway. To validate the request of the payment page result, sometimes IP of the requesting server has to be verified. There is a growing support by acquirers, issuers and subsequently by payments gateways for Virtual Payer Authentication (VPA), implemented as 3-D Secure protocol branded as Verified by VISA, MasterCard SecureCode and J/Secure by JCB, which adds additional layer of security for online payments. 3-D Secure promises to alleviate some of the problems facing online merchants, like the inherent distance between the seller and the buyer, and the inability of the first to easily confirm the identity of the second

1) 2) 3) 4) 5) 6) 7) 8) 9) 10) 11) 12) 13) 14) 15) 16) 17) 18)

Some of the Leading Payment Gateways Globally Cybersource First Data RBS WorldPay Paypal Payflow Skipjack Orbital/Paymentech ElysNet (France) EProcessingNetwork eSelectPlus / Moneris (Canada) Evertec MMPay (Latin America) eWAY (Australia, UK, NZ) First Atlantic Commerce EBS (India) ICICI (Payseal) Maybankcard / Maybank2U (Malaysia) St. George / IPN (Australia)


What is a Payment Processor?

A payment processor is a company (often a third party) appointed by a merchant to handle credit card transactions for merchant banks. They are usually broken down into two types: front-end and back-end. Front-end processors have connections to various card associations and supply authorization and settlement services to the merchant banks merchants. Back-end processors accept

Payment Domain-Training Manual Dated 08/02/11

Page 46 of 98

settlements from front-end processors and, via The Federal Reserve Bank, move the money from the issuing bank to the merchant bank. In an operation that will usually take a few seconds, the payment processor will both check the details received by forwarding them to the respective cards bank issuing bank or card association for verification, and also carry out a series of anti-fraud measures against the transaction. Additional parameters, including the cards country of issue and its previous payment history, are also used to gauge the probability of the transaction being approved. Once the payment processor has received confirmation that the credit card details have been verified, the information will be relayed back via the payment gateway to the merchant, who will then complete the payment transaction. If verification is denied by the card association, the payment processor will relay the information to the merchant, who will then decline the transaction.

The customer submits his credit card for payment.

Payment Domain-Training Manual Dated 08/02/11

Page 47 of 98

Authorize.Net manages the complex routing of the data on behalf of the merchant through the following steps/entities

Payment Domain-Training Manual Dated 08/02/11

Page 48 of 98

Authorize.Net passes the secure transaction information via a secure connection to the Processor. The Merchant Bank's Processor submits the transaction to the credit card network (like Visa or MasterCard). The credit card network routes the transaction to the bank that issued the credit card to the customer.

Payment Domain-Training Manual Dated 08/02/11

Page 49 of 98

The issuing bank approves or declines the transaction based on the customer's available funds and passes the transaction results back to the credit card network. The credit card network relays the transaction results to the merchant bank's processor. The processor relays the transaction results to Authorize.Net.

Payment Domain-Training Manual Dated 08/02/11

Page 50 of 98

Authorize.Net stores the transaction results and sends them to the website for the customer and merchant to see.

Payment Domain-Training Manual Dated 08/02/11

Page 51 of 98

The merchant delivers goods or services to the buyer

Payment Domain-Training Manual Dated 08/02/11

Page 52 of 98

The issuing bank sends the appropriate funds for the transaction to the credit card network, which passes the funds to the merchant's bank. The bank then deposits the funds into the merchant's bank account. This is called 'settlement', and typically the transaction funds are deposited into the merchant's primary bank account within two to four business days.

Payment Domain-Training Manual Dated 08/02/11

Page 53 of 98


The Payment Processing Network

Here's a breakout of the participants and elements involved in processing payments: Acquiring Bank: In the online payment processing world, an Acquiring Bank provides Internet Merchant Accounts.A merchant must open an Internet Merchant Account with an Acquiring Bank to enable online credit card authorization and payment processing. Examples of Acquiring Banks include Merchant eSolutions and most major banks. Authorization: The process by which a customer's credit card is verified as active and that they have the credit available to make a transaction. In the online payment processing world, an authorization also verifies that the billing information the customer has provided matches up with the information on record with their credit card company. Credit Card Association: A financial institution that provides credit card services that are branded and distributed by Customer Issuing Banks. Examples include Visa and MasterCard. Customer: The holder of the payment instrument-such as credit card, debit card, or electronic check. Customer Issuing Bank: A financial institution that provides a customer with a credit card or other payment instrument. Examples include Citibank, Suntrust, etc. During a purchase, the Customer Issuing Bank verifies that the payment information submitted to the merchant is valid and that the customer has the funds or credit limit to make the proposed purchase. Internet Merchant Account: A special account with an Acquiring Bank that allows the merchant to accept credit cards over the Internet.The merchant typically pays a processing fee for each transaction processed, also known as the discount rate.A merchant applies for an Internet Merchant Account in a process similar to applying for a commercial loan.The fees charged by the Acquiring Bank will vary. Merchant: Someone who owns a company that sells products or services. Payment Processing Service: A service that provides connectivity among merchants, customers, and financial networks to process authorizations and payments.The service is usually operated by a third-party provider such as VeriSign. Processor: A large data center that processes credit card transactions and settles funds to merchants.The processor is connected to a merchant's site on behalf of an Acquiring Bank via a Payment Processing Service. Settlement: The process by which transactions with authorization codes are sent to the processor for payment to the merchant. Settlement is a sort of electronic bookkeeping procedure that causes all funds from captured transactions to be routed to the merchant's acquiring bank for deposit.


How Payment Processing Works

Payment processing in the online world is similar to payment processing in the offline or "brick and mortar" world, with a few exceptions. In the online world, the store and the transaction are virtual.This means that the card is "not present" at the transaction and that the transaction

Payment Domain-Training Manual Dated 08/02/11

Page 54 of 98

information is submitted and processed via the merchant store network. Because of this, merchants are held liable for fraudulent transactions by the credit card associations. Merchants must take additional steps against online fraud, including verifying that the card information is being submitted by the actual owner of the card and protecting their store and network infrastructure against hacking attempts. Payment processing can be divided into two major phases or steps: authorization and settlement. Authorization verifies that the card is active and that the customer has sufficient credit available to make the transaction. Settlement involves transferring money from the customer's account to the merchant's account. Online payment processing may also allow you to set up automatically recurring billing payments, if your payment processing service provider offers this feature.


Payment Processing-Authorization


1. Customer decides to make a purchase on Merchant's Web site, proceeds to check-out and inputs credit card information. 2.The Merchant's Web site receives customer information and sends transaction information to Payment Processing Service. 3. Payment Processing Service routes information to the Processor. 4. Processor sends information to the Issuing Bank of the Customer's credit card. 5. Issuing Bank sends transaction result (authorization or decline) to the Processor. 6. Processor routes transaction result to the Payment Processing Service. 7. Payment Processing Service passes result information to Merchant. 8. Merchant accepts or rejects transaction and ships goods if necessary. Because this is a "card not present" transaction, the Merchant should take additional precautions to ensure that the card has not been stolen and that the customer is the actual owner of the card

Brick and Mortar

1. Customer selects item(s) to purchase, brings them to cashier, and hands credit card to Merchant. 2. Merchant swipes card and transfers transaction information to a point of sale terminal. 3. Point of sale terminal routes information to the Processor via dial-up connection (for the purposes of the graphic above, the point of sale terminal takes the place of the Payment Processing Service in the offline world). 4. Processor sends information to the Issuing Bank of the Customer's credit card. 5. Issuing Bank sends transaction result (authorization or decline) to the Processor. 6. Processor routes transaction result to the point of sale terminal. 7. Point of sale terminal shows Merchant whether the transaction was approved or declined. 8. Merchant tells the Customer the outcome of the transaction. If approved, Merchant has the Customer sign the credit card receipt and gives the item(s) to the Customer.


Payment Processing-Settlement

The settlement process transfers authorized funds for a transaction from the customer's bank account to the merchant's bank account. The process is basically the same whether the transaction is conducted online or offline.

Payment Domain-Training Manual Dated 08/02/11

Page 55 of 98

Chapter - 6

Payment Card Industry Security Standards

PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. The standards globally govern all merchants and organizations that store, process or transmit this data, and include specific requirements for software developers and manufacturers of applications and devices used in the transaction process. Compliance with the PCI security standards is enforced by the major payment card brands who established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

PCI Standards Include: 6.1 PCI Data Security Standard:

The PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data. It covers technical and operational system components included in or connected to cardholder data. If your business accepts or processes payment cards, it must comply with the PCI DSS. PIN Transaction Security Requirements: The PCI PTS applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions. Payment Application Data Security Standard: The PA-DSS is for software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement. It governs these applications that are sold, distributed or licensed to third parties.

Payment Domain-Training Manual Dated 08/02/11

Page 56 of 98

PCI DSS is a set of 12 requirements designed to secure and protect customer payment data, as most security breaches could be avoided if merchants: Remove sensitive authentication data and limit data retention Protect the perimeter, internal and wireless networks Secure applications Protect through monitoring and access control


12 requirements that meet the standards

PCI DSS features a group of principles and a set of requirements that aim to safeguard sensitive card data across the card payment industry: Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Don't use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy Maintain a policy that addresses information security

Payment Domain-Training Manual Dated 08/02/11

Page 57 of 98

Chapter - 7

Card Present and Card Not Present Transactions

Card present transactions are those in which both the card and card holder are present at the point of sale. The Merchants are required to take all reasonable steps to assure that the card, card holder, and transaction are legitimate. Proper card acceptance begins and ends with sales staff and is critical to customer satisfaction and profitability. On the back of every credit and debit card, is a magnetic stripe. The stripe contains the cardholder name, card account number, and expiration date, as well as special security information designed to help detect counterfeit cards. When the stripe is swiped through the terminal, this information is electronically read and relayed to the card issuer, who then uses it as crucial input for the authorization decision. Merchants are charged different levels of fees by the card transaction proccessors (such as Visa, MasterCard), depending on the level of fraud risk. Card present transactions, because the card is available for inspection, are considered less risky and therefore carry lower fees than online or phone transactions. On the other hand, Card Not Present (CNP) is a credit card purchase made over the telephone or over the Internet where the physical card has not been swiped into a reader. It is a major route for credit card fraud. If a fraudulent transaction is reported, the bank that hosted the merchant account that received the money from the fraudulent transaction must make restitution.

Payment Domain-Training Manual Dated 08/02/11

Page 58 of 98


Credit Card Authorization

Each credit card transaction goes through a three-stage process that begins with the authorization of the payment by the card issuer. Authorized transactions are then processed by the merchant and submitted to the processing bank for clearing and settlement. Authorization is the process of approving or declining by a card issuer of a sales transaction involving one of the banks payment cards. In a face-to-face setting, the authorization occurs immediately after a card is swiped through a point-of-sale (POS) terminal. In a card-not-present setting, the authorization takes place immediately after the credit card information is submitted by the customer online or over the phone. All non-swiped transactions must be authorized before being processed. For swiped transactions, the merchant is only required to receive an authorization approval for amounts that are above the merchants floor limit a dollar figure stated in the processing agreement. So if the floor limit is

Payment Domain-Training Manual Dated 08/02/11

Page 59 of 98

$25, all transactions for up to $24.99 would not need an authorization approval, while these of $25.00 and above would require it. Merchants can request partial authorization approvals for debit or prepaid cards, if the transaction amount exceeds the funds available on the card. If this is the case, the merchant is allowed to split the transaction between the card for which a partial authorization approval was received and another form of payment, which can be another card. This is called a split-tender sale. However, merchants are not allowed to split sales with the goal of avoiding authorization limits. 7.2 Authorization Responses and Actions

Once the transaction information is sent to the card issuer, it is reviewed and a response code is sent back to the processing bank and the merchant. The format of the response may vary, but it communicates the following information: Response Approved Explanation and Recommended Action The transaction is authorized. If the transaction review process raises no suspicions, the payment can be completed.


The transaction is not authorized. Do not complete the transaction. Request that your customer presents an alternative payment form. You are requested to call the issuers authorization center. Follow the operators instructions. If your authorization request is: Approved complete the transaction. Declined request another payment form.

Refer to / call card issuer

Capture card / Pick up No match

You are requested to retain the card, which you should only do by peaceful means. Request another authorization. If you get the same no match response, make a Code 10 call to your authorization enter. This is a response to information inquiries, like balance inquiries, address verification requests and other non-financial types of requests.


A valid response means that the request was processed successfully, i.e. the balance amount was given, the address verification provided, etc.

Payment Domain-Training Manual Dated 08/02/11

Page 60 of 98

Chapter - 8

Transaction Flow in Card Processing

This will identify the various parties involved in transaction processing and explains how they interrelate. When a card is used in a transaction to purchase merchandise or obtain a cash advance, the transaction moves through a process that involves authorisation, clearing and settlement. Each step of the process involves an exchange of transaction data and monies which need to be settled and balanced; ending with the cardholder paying for the merchandise listed on his/her monthly statement. 8.1 Transaction Parties:

In any card transaction there are primarily four entities involved in the process. The acquiring and issuing bank can be the same institution but carry out distinct roles in the transaction process. Card Holder: The cardholder is the person who has been issued with the credit/debit card and has a certain amount of purchasing power. For debit cards it is the amount of money in the cardholders account (plus any overdraft). For credit cards, it is the amount of money that the card issuer is prepared to lend him (the credit limit). Acquiring Bank: The acquiring bank acquirers the debt on behalf of the merchant and guarantees payment to the merchant while it, in return waits for payment from the card issuer. Issuing Bank: The issuing bank issues the card to the cardholder and, in the case of a credit card, allocates the credit limit available. The issuing bank facilitates the clearing of funds movement based on successfully transaction activity. Open and Closed Loop Schemes: There are two types of Scheme that facilitate the processing of card transactions. These are: 1. Open Loop Where the card is not limited for use at one merchant or one particular group of stores. Usually, these cards carry the logo of American Express, Discover, MasterCard, or Visa. 2. Closed Loop These type of cards are only valid at one particular merchant or group of stores and are often prepaid or gift cards associated with the particular merchant. 8.2 Flow Diagram

The diagram below shows the flow between the various parties in a card transaction.

Payment Domain-Training Manual Dated 08/02/11

Page 61 of 98

Authorisation : When a cardholder makes a purchase using a payment card, the merchant must obtain authorisation for the purchase from the bank that issued the card the issuing bank. In the case of a credit card, the Authorisation allows the cardholder to initiate a loan from the issuing bank that will ultimately need to be repaid. For a debit card, the authorisation allows the cardholder to draw down on funds available from the account the card is linked to. The authorisation is an electronic message that is instigated from the merchants POS terminal. The cardholder either keys in a personal Identification Number (PIN) or the card details are captured using the magnetic stripe on the back of the card with the cardholder signing of the purchase. The authorisation message is then sent through the network, ultimately waiting for a response from the issuing bank. Clearing : For authorisations that were successfully approved, the next step is the clearing phase. During this step, the acquiring bank collates all the authorisations that were successfully processed that day and batches them up into a file. The file is then sent to the issuing banks, via the Card Scheme in the case of an open loop system. The issuing banks then use the clearing information to deduct the monies from the cardholders account and to add line entries to their statement. Settlement : So far all that has happened is electronic messages have been passed about authorising purchases and debiting cardholders accounts. The settlement step is where actual funds are transferred between the parties to balance the message flow. The acquiring bank credits the merchants account. The issuing bank debits the cardholders account and sends payment to the acquiring bank to credit it for the funds it has just transferred to the merchant. In the case of a credit card the cardholder settles his/her account when the statement is received. In the case of a debit card the cardholders account is automatically debited. Finally, interchange

Payment Domain-Training Manual Dated 08/02/11

Page 62 of 98

fees & service fees are deducted from the various payments to compensate the various participating parties in facilitating the transaction flow. 8.3 Debit Card Transaction Processing:

Just like credit cards, Debit cards directly access the cardholders bank account to secure and hold the authorization amount against available funds. The difference between the credit and debit networks is in their pricing to merchants. PIN debit works well for merchants with a high average transaction. Also, industries and business that have had a history of high volume of checks are a great candidate for debit service. Personal Identification number or PIN Debit: is one of the fastest growing methods of payment available today. With PIN debit, all a customer has to do is enter his or her Pin, enter the amount of the transaction and hit enter. A receipt is printed out, and that is the end of the story. This transaction can be performed through a credit card terminal or POS Software system with an attached pin pad. The good part about PIN debit is that only a flat fee per transaction is charged, no matter how large the transaction is. No processing percentage is deducted. The only drawback in the case of PIN Debit is that the majority of banks place daily debit limits for their customers. Signature Debit is Offline Debit: A debit card may be used just like a credit card over the internet, as long as they have a Visa or MasterCard logo on them. Their fee structure too is in the same format as that of credit cards. A percentage of the transaction is deducted as fee. However, this fee is lesser in comparison to that charged for a credit card transaction. Both PIN and signature debit have attractive profitability characteristics for issuers. According to a new study conducted by an independent research firm, PIN-based point-of-sale (POS) transactions cost approximately 50 percent less than signature debit transactions. Consumers too prefer to use PIN debit at the point-of-sale and merchants like the added security and guaranteed funds of PIN debit. According to, STAR Consumer Payments Usage Study, Consumers who use both PIN and signature debit make significantly more purchases than those who used one method exclusively

Payment Domain-Training Manual Dated 08/02/11

Page 63 of 98

Chapter - 9

Security in the Payments Processing Chain

With over 20 billion credit card purchase transactions in the US in 2009 and a highly complex system for processing those transactions, its not surprising that credit card information is a key target for thieves. Thieves have become adept at exploiting numerous vulnerabilities in the consumer-merchant- acquirer payment processing chain to gain access to this information. Fortunately, there are cost-effective solutions that are available to help secure sensitive data and reduce compliance costs. Payment security is complex. Many vulnerabilities exist in the payments processing chain, especially in the interactions between consumers, merchants and acquirers. The sheer volume of consumers and merchants provides a large window of opportunity for thieves to capture data that can be fraudulently turned into profit. None of the technologies that exist today solves all the security problems in the payments processing chain. However, a select few technologies focus on solving the biggest problems and greatest vulnerabilities that affect most merchants, and they can do so in a cost-effective manner. Merchants can use these solutions to reduce their overall level of vulnerability. New security methods are now available to secure sensitive cardholder data from compromise as close to the initiation of the transaction as possible. In addition, these technologies can help reduce a merchants PCI compliance burden. End-to-end data encryption protects sensitive data from the point of capture through the handoff to the payment processor. Protecting the data in motion foils many of the high-profile attacks of recent years, and encryption is a proven technology that can be deployed effectively by any size of merchant. Tokenization is a process whereby sensitive data is replaced by a randomly generated string of characters that can be linked back to the original data only by an authorized party. By storing and using tokenized data instead of real cardholder data in back-end applications, merchants remove sensitive data from their environments, thus reducing the risks associated with a data breach as well as the scope of their PCI audits. 9.1 Overview :

The credit card industry has been very successful in its efforts to convince consumers to use credit cards as their primary form of payment. In the United States alone, there are 176.8 million consumers who collectively hold 609.8 million credit cards. The average number of cards per cardholder was 3.5, as of year-end 2008. In 2009, there were 20.2 billion credit card purchase transactions in the United States worth $1.76 trillion.1 In the face of these staggering numbers, its easy to see why thieves are drawn to the credit card industry. Unfortunately, thieves also have been successful at stealing payment data and turning it into profitand our collective loss. In 2008, the Verizon Business RISK Team investigated data breaches in all industries in which 285 million total records were breached. Fully 80 percent of those records comprised payment card information, and a significant number of those records were used fraudulently. What makes this sensitive data vulnerable? Card data for a purchase transaction must flow through a payments processing chain in order to be processed. This processing chain, which includes consumers, merchants, acquirers/processors, card brands and issuing banks, links many technologies including communication lines, databases and sophisticated applications. Payment Domain-Training Manual Dated 08/02/11 Page 64 of 98

Data thieves have become quite sophisticated in their knowledge of how these technologies work, enabling them to exploit points of vulnerability in the payments processing chain. The payment card industry (PCI) is fighting back. One starting point is the PCI Data Security Standard (PCI DSS), which provides guidelines to merchants about how to secure cardholder data. While PCI DSS has helped, it isnt enough; hundreds of millions of data records have still been breached in recent years. Consumers, as well as companies in the processing chain, have a responsibility to reduce the risk of lost, stolen or otherwise exposed sensitive cardholder data. This paper looks at where security fits in the processing chain, especially the most vulnerable points where enhanced security would benefit the entire ecosystem. We discuss several cost-effective technology based solutions that are readily available today to help organizations to secure sensitive data and improve their PCI DSS compliance posture 9.2 Background :

The payments processing chain has many players: consumers, merchants, acquirers, card brands, issuing banks and sometimes other companies in between. As cardholder data flows from one entity to another and is aggregated at various collection points, it may be vulnerable to exposure, loss and theft. There are criminals who target the most vulnerable links in this chain, and so the payments industry is trying to reduce the vulnerabilities at every point. This requires diverse, layered solutions to seal the gaps where thieves are gaining access to sensitive data that they can potentially monetize.


The Flow of a Transaction Through the Payments Processing Chain

Its amazing to think of the complex set of processes that take place when a consumer swipes his credit card and is approved for his purchase in less than a few seconds. The average consumer doesnt think about where his card data (the primary account number or PAN) goes or how many organizations in the processing chain must work with it in order to authorize or decline the credit transaction he wants to make. The chart on the next page provides a simplified view of the process.

Payment Domain-Training Manual Dated 08/02/11

Page 65 of 98

In reality, this process is quite complex and may involve more organizations than those pictured here, but for the purposes of this paper, we can summarize the process in a few basic steps: 1. A consumer wants to buy goods or services and pay for it using his credit card. The cardholder data is entered into the merchants payment system, which could be a point-of-sale (POS) terminal/software or an e-commerce Web site. 2. The card data (PAN) is sent to an acquirer/payment processor, whose job it is to route the data through the interchange system for processing. 3. The acquirer/processor sends the data to the payment brand (e.g., Visa, MasterCard, American Express,etc.), who forwards it to the issuing bank. 4. The issuing bank verifies that the card is legitimate, not reported lost or stolen, and that the account has the appropriate amount of credit/funds available to pay for the transaction. 5. If so, the issuer generates an authorization number and routes this number back to the card brand. The issuing bank agrees to fund the purchase on the consumers behalf. 6. The card brand forwards the authorization code and the PAN back to the acquirer/processor. 7. The acquirer/processor sends the authorization code and either the PAN or a viable substitute number for the PAN (i.e., a token) back to the merchant. 8. The merchant concludes the sale with the customer. 9. The merchant may retain the transaction data long term for the processing of returns, retrieval requests or chargebacks, as well as for business intelligence reasons such as analysis of consumer buying behavior and creation of marketing programs. 9.4 The States of Data and Their Risks Throughout the payments processing chain, sensitive data is at risk when it is in each of its three states: at rest, in transit and in use. A few simple examples illustrate what we mean by these states. At rest Cardholder data is at rest when it is being stored or aggregated in a database or other storage device. For example, a merchant holds onto the PAN until he closes out his batch at the end of the day. Payment Domain-Training Manual Dated 08/02/11 Page 66 of 98

Once the batch is completed, the data is cleared from storage. Another example of at-rest data is when a merchant stores card numbers in a data warehouse for post-sale auxiliary purposes such as returns, chargebacks, customer loyalty programs and other marketing activities. No matter where it resides, any data at an aggregation point is vulnerable to thieves. Whats more, any card data stored anywhere in the organizations network puts that part of the network in scope for a PCI audit, regardless of whether or not the data is encrypted. In transit Cardholder data is in transit when it is moving across any communications channel as it passes from one entity (such as a merchant) to another (such as an acquirer). Examples of common communication channels include a stores local area network; a wireless connection from a POS terminal to a store server; the open Internet; and a private data line. When data is traveling along any of these or other types of communication paths, its possible for thieves to sniff the data and divert a copy of it to an illicit destination.

In use Cardholder data is in use when it is in a clearly readable state, being used by a part of the transaction process. For example, the acquirers computer is reading the card data to determine which card brand to submit it to for processing, or the card brands computer is reading the data to determine which bank issued the card. Thieves have been known to hack into the memory of computers that are actively processing card data in order to steal the clearly readable data. In each of these scenarios, a thief might be able to get information.


Why Security Must Be Improved From Consumer to Merchant to Acquirer

Lets look at the security issues and technology solutions for the part of the processing chain between the consumer and the acquirer. There are several reasons why we chose to focus on these entities. First, this is where the greatest vulnerabilities exist and where the need for better security is most important. There are hundreds of millions of consumers and millions of merchants, and each one represents an opportunity to a thief. By comparison, there are fewer than 10 organizations in the United States that fulfill the role of acquirer/ processor; only a handful of card brands; and a similarly small number of issuers. All of these organizations understand the extreme value and significance of the card data that they process and hold, and so they have built strong security measures to protect it. However, the breach of Heartland Payment Systems shows that even those systems could be vulnerable. Although thieves view the massive amounts of data within these organizations as key targets, they more often take the path of least resistance to get data. This path takes them back to the consumer-to-merchant-to-acquirer/processor segment of the transaction flow.

Payment Domain-Training Manual Dated 08/02/11

Page 67 of 98

Figure 2 The most vulnerable segments of the transaction flow


Many consumers and merchants are vulnerable

Millions of merchants in the United States accept electronic payments either in person, over the phone or over the Web, and more than 175 million Americans collectively use over 600 million credit cards to purchase goods and services. In fact, there were more than 20 billion credit card purchase transactions just in 2009. That volume more than doubles when we add in debit and prepaid cards, whose 2009 U.S. activity totaled 36.2 billion transactions worth $1.63 trillion.3 Thats a lot of financial activity, and it certainly has captured the interest of thieves who covet card data.

The underground business of buying, selling and using stolen card data is largebigger than some national economies. Last year, thefts from stolen credit card and bank accounts had the potential to add up to $8 billion, according to data from Symantec, maker of the Norton antivirus software. However, actual losses were lower because not every breached record results in fraudulent use. The fewer records exposed or stolen in a breach, the more likely those records are to be used for illegitimate purposes. When a thief gets a hundred or thousand cards at a time, it is comparable to a local criminal who steals the cards and then uses them for personal gain. In these cases, the gap between the theft and the use of the stolen card is short. In the more sensational breaches yielding tens of thousands or millions of cards, the crimes are perpetrated by organized and often widespread groups that profit through the resale of the cards on the black market rather than their direct use. Payment Domain-Training Manual Dated 08/02/11 Page 68 of 98

In those cases, selling millions of card numbers in batches of thousands frequently takes so long that the breach is discovered and the compromised cards are deactivated before all of the cards can be used. Its this paradox of scope that make a breach so serious for small merchants; if a thief steals 100 card records from a small business, chances are very high that all 100 cards are likely to be used fraudulently and rather quickly. But discovery of a breach doesnt mean the fraud can be stopped quickly. One hundred thirty million records were stolen in the Heartland breach, which was discovered in January 2009. And although the issuing banks have had more than a year to close the compromised accounts, there are still cards being used in a fraudulent manner today.


A merchants primary job: selling takes precedence over security

PCI DSS provides guidelines to merchants on how to implement security measures to protect sensitive cardholder data. Still, the guidelines are a security baseline representing the minimum, not a comprehensive roadmap, therefore leaving to merchants the complex task of determining exactly what techniques and technologies to deploy to protect their own businesses. This approach results in merchants solving for securing card data in almost as many ways as there are merchants. This comes as little surprise. Data security, after all, is not the primary job for merchants; their job is to sell goods and services. Even the largest merchants in the world are focused on the core business of selling merchandise, so this is where their resources are focused. Accepting electronic payments at checkout is a sales enabler, but payment security is not usually the highest priority or area of expertise for retailers. 9.8 Merchants are under pressure

Until PCI DSS forced their hand, many merchants didnt think much about cardholder data security. However, in recent years they have faced the daunting task of segmenting networks, upgrading POS hardware and software, implementing fraud detection techniques in their online checkout procedures and more. Merchants have to verify, through costly audits and attestations, that theyve installed sufficient controls to meet the requirements of PCI DSS.

Members of the National Retail Federation have collectively spent more than $1 billion so far on PCI compliance as part of their security programs, and they sometimes question the value of this investment.4 Merchants can be PCI compliant and still not have fully secure cardholder data environments. Some of the more noteworthy data breaches have happened to companies that had passed their PCI audits. PCI is not the only pressure point for merchants. Many states have enacted legislation that requires consumer notification of personal data breaches. The costs of notifications, remediation, consumer credit monitoring, legal defense and other aspects of a breach continue to rise. A Ponemon Institute study assessed the cost of a data breach at $204 per compromised customer record in 2009, up from $202 in 2008.5 Even a small breach involving only a few hundred records can be costly, especially for small merchants.


Liability is shifting to consumers and merchants

Payment Domain-Training Manual Dated 08/02/11

Page 69 of 98

More of the liability of a data breach is shifting to consumers and merchants. There is an effort by the card brands to bring new technology to the United States within the next five years. EMV (Europay MasterCard Visa) specification provides technology that helps detect the fraudulent use of electronic payment cards when they are physically presented for use. If an EMV-enabled card is used in a fraudulent transaction, the onus of proof is on the consumer to show that it wasnt him who used the card. This could make consumers rather than banks and card companies liable for fraudulent purchases the consumers didnt make. Merchants, too, could assume more financial responsibility for losses stemming from card fraud. This dollar figure is on top of the cost to implement new POS hardware to support EMV, which can cost up to $500 for each new POS terminal.

Major Vulnerability Points in the Consumer-MerchantAcquirer Part of the Payments Processing Chain

Lets take a look at the most significant points of vulnerability to understand how thieves may capture cardholder data. Then we can begin to apply solutions that eliminate or reduce these vulnerabilities.

9.10 Vulnerabilities of Data in Transit To make its way through the payments processing chain, cardholder data must be sent from one entity to another along some type of communications path. With a little bit of technical savvy, thieves can siphon off the PAN, track data and card expiration date and route a copy to their own storage medium. From consumer to merchant Whether a consumer swipes a card at a POS terminal or enters data in an online shopping form, the risk is that the data in the clear could be intercepted before it reaches the merchants server over an internal network. This is the technique that was used in the TJX Companies breach in which 45.7 million credit and debit card records were compromised. A contributing factor in the breach was outdated and weak wireless security. Thieves were able to intercept the clear text card data as it was transmitted in-store between hand-held price-checking devices, cash registers and the stores computers. Between merchant and acquirer/processor Once the merchant collects a consumers cardholder data, the next step is to send that data to the acquirer for processing. Again, the risk is interception of the data as it travels along a communications network. Across the retail industry, approaches to data transmission vary. Sometimes it is sent in the clear over private lines because its assumed that private lines are secure. Occasionally the data is transmitted in the clear over public linesa risky behavior. Some merchants encrypt the data before transmitting it to the acquirer, but then compromise the process by not properly managing the encryption/decryption keys. Its possible for a thief to steal a merchants symmetric encryption key (i.e., one that also decrypts the data), which effectively unlocks all the encrypted card data, making it completely accessible to the thief. Payment Domain-Training Manual Dated 08/02/11 Page 70 of 98

In the case of the Hannaford Bros. grocery chain data breach, thieves are accused of having installed malware on store servers that allowed payment card data and the cards expiration dates to be intercepted as the data was transmitted from the stores servers to the acquirer for processing. More than 4.2 million credit and debit cards were compromised in this breach. 9.11 Vulnerabilities of Data at Rest

Requirement 3 of the PCI DSS explicitly states that merchants must protect stored cardholder data, yet this continues to be one of the most challenging compliance requirements. One of the top reasons merchants fail PCI auditsand a leading factor in data theftis the failure to adequately protect stored data. VeriSign Global Security Consulting Services, a division of security services vendor VeriSign, has conducted hundreds of PCI assessments in recent years. Seventy-nine percent of the merchant companies assessed by VeriSign were cited for the failure to protect stored dataand thus failed their assessments.6 At a minimum, PCI DSS requires the PAN to be rendered unreadable anywhere it is stored, including portable digital media, backup media and computer logs. Better yet, the PCI Security Standards Council notes: Requirement 3 only applies if cardholder data is stored. Merchants who do not store any cardholder data automatically provide stronger protection by having eliminated a key target for data thieves.

Despite the risks, many merchants see the benefits of storing cardholder data and therefore they do maintain the data for business purposes. The leading reason why they have trouble protecting this sensitive data at rest is that they dont know all the places where the data resides. For starters, it may be on a POS server or store server, at least until the end of day when the transaction batch is closed out. Some merchants hold onto the data longer in case of chargebacks or returns. Large multi-store merchants may use card data in backoffice applications, such as financial analysis, marketing and customer loyalty programs. And once the data is stored, instances of that data may proliferate. For example, employees may take data from a central database to desktop spreadsheets or printed reports in order to perform their jobsjobs that have nothing to do with processing the original transaction.

PCI DSS accounts for this data proliferation by requiring that every place where cardholder data sits at rest be included in the annual PCI audit to validate that it is being secured properly. Collectively, these places are all part of the cardholder data environment (CDE). The broader the scope of the CDE, the more vulnerable the data becomes. Whats more, the scope and the cost of the PCI audit grow with the CDE. Technology Solutions to Address the Areas of Greatest Vulnerability and Greatest Need Some of the current technologies in use by the payments processing chain today can put cardholder data at risk of compromise. For example, theres no question that cardholder data must be transmitted via some sort of communication line from the merchant to the acquirer in order to process the transaction. The merchant chooses his preferred technology for communication, and his level of risk is determined by his choice. A private data line such as a frame relay is certainly more secure than a plain vanilla connection, but typically only large merchants choose private lines. Since cost is a large factor in choosing technology, most smaller merchants choose public lines. Risk is a trade-off for cost. Payment Domain-Training Manual Dated 08/02/11 Page 71 of 98

A logical solution to this dilemma is to use other or additional technology that is effective at keeping the data secure, but at a reasonable cost for all. Leaders in the payments industry are attacking the problem where the most vulnerabilities are and where technology solutions can do the most good for the lowest cost. We are mindful that, while security is a necessary thing, it doesnt significantly add to a merchants ability to sell more goods and services. Without good security, however, a merchants ability to sell can certainly be affected. For instance, 43 percent of consumers who have been victimized by fraud avoid certain merchants where they believe their data could be compromised again. 9.12 End-to-End Encryption Encryption refers to algorithmic schemes that encode plain text such as the PAN into a nonreadable form called ciphertext, thus providing privacy for the encrypted data. One or more keys is required to decrypt the data and return it to its original plain text format. The key, which thieves would not possess, is the trigger mechanism to the algorithm. Perhaps the most important measure that merchants can take to protect cardholder data is to encrypt it at the time when the consumer presents iteither when the card is swiped at a terminal or entered into an e-commerce applicationand allow the data to remain encrypted regardless of the network path until it is received by the acquirer/processor, where it is decrypted and sent to the issuing bank for authorization. This is referred to as end-to-end encryption, or E2EE. Through this process, the transaction data is never transmitted in plain text in the frame relay, dial-up or Internet connection, where it could be intercepted by thieves. If the data is siphoned off by a thief once it is encrypted, it is virtually useless.

However, not all encryption methods are equal. There are several varying types of encryption: - Symmetric encryption uses one key (mathematical algorithm) to both encrypt and decrypt the data. It is similar to a door lock in which the same key is used to lock and unlock the door. Thus, whoever has the key has the power to access the original data. This means that additional security measures have to be built into the business processes to protect the key. For example, in the case of a multi-store merchant, the company might use one key per store. Then if a key is compromised, only one store and not the entire chain is affected. - Asymmetric encryption, also called public key encryption, uses one key to encrypt the data and another completely different key to decrypt it. Theres no worry about securing the public key used to encrypt data, and so it can be freely distributed to all merchant locations because this key cant unlock the data. In the case of payments processing, merchants would have the public key to encrypt cardholder data, and the acquirer would hold the private key to decrypt it. It is this private key that must be secured. 9.13 Where encryption fits in the payments processing chain As described above, end-to-end encryption starts at the moment of cardholder data capture and remains in place until the acquirer has the data. This system reduces the possibility that a thief can obtain usable data if he is sniffing any part of the network that carries sensitive data. If data is not encrypted at the point of capture, it is vulnerable as it is transmitted in plain text to the POS server or the merchants central server. (This is what is believed to have happened in data breaches involving Hannaford Bros., TJX and the Dave & Busters restaurant chain.) In situations where a card is presented in person, encryption can take place within the POS terminal application, at the time or immediately after the magnetic-stripe reader (MSR) obtains the Payment Domain-Training Manual Dated 08/02/11 Page 72 of 98

card data track. While numerous Level 1 merchants have already enabled this capability, most other merchants have not, largely due to the cost of installing a card reader with the encryption capabilities. Encryption can safeguard data in a card-not-present (CNP) scenario as well as when a card is swiped. The data can be encrypted as soon as it is entered into the sales application and prior to being submitted for approval of the transaction. This can be further enhanced by leveraging third-party hosted payment pages, eliminating the need for the CNP merchant to touch the card data at all. To secure data at rest, some merchants choose to encrypt the cardholder data they have in backend databases. Although this data is no longer needed for the original purchase transaction process, it is sometimes used for auxiliary uses such as reporting and data analysis. While encryption certainly helps to protect the data, it does nothing to reduce the scope of the cardholder data environment that must be audited for PCI DSS compliance. Regardless of encryption status, it is still cardholder data and it must be reviewed for compliance with the industry regulation. Thus security is improved but at an increased cost and effort

Figure 3 Where encryption fits in the payments process

1. When the cardholder data (the PAN) is captured at the POS (with a physical swipe or data entry), the data is encrypted. 2. The data is encrypted as it traverses any in-store network. 3. The merchant sends the encrypted PAN to the acquirer/processor. 4. The payment processor decrypts the data and sends it via a secure channel to the appropriate network or association for authorization. When the transaction is authorized for payment, it gets sent back to the payment processor. 5. After authorization, the acquirer/processor returns the encrypted PAN along with the transaction response to the merchant. 6. The merchant may retain the encrypted transaction data long term for the processing of returns, retrieval requests or chargebacks, as well as for business intelligence reasons such as analysis of consumer buying behavior and creation of marketing programs

Payment Domain-Training Manual Dated 08/02/11

Page 73 of 98

9.14 The problems that data encryption solves

Data encryption solutions solve for the problem of live (clear text) data in transmission as it moves upstream to the acquirer by encrypting the data as close to the point of capture as makes sense for a particular merchant. It also can solve for the problem of having clear text cardholder data in electronic storage environments when the data is kept for auxiliary use. These are two of the greatest vulnerabilities for most merchants, and by applying data encryption technology, merchants can reduce their risk of liability stemming from a data breach. If a breach does occur and a thief obtains encrypted data, he cant use it without also obtaining the decrypting key. Endto-end encryption is not currently a requirement in PCI DSS. However, according to George Peabody, principal analyst with the Mercator Advisory Group, end-to-end encryption may well be the end game recommendation of PCI and, if data breaches continue to plague the payments industry and occupy headlines, that recommendation may become a mandate within two years.

9.15 Tokenization

An increasingly popular approach for the protection of sensitive data is the use of a token (or alias) as a substitute for a real credit card number. In the process of tokenization, actual cardholder data is used in a payment transaction and, once the transaction is authorized, this very sensitive data is sent to a centralized and highly secure server called a vault, where it is stored securely. At the same time, a random unique number is generated and returned to the merchants systems for use in place of the cardholder data. The vault manager maintains the reference database that allows the token to be exchanged for the real cardholder data if it is needed again for, say, a chargeback. Meanwhile the token, which cannot be monetized, can be used in various auxiliary business applications as a reliable substitute for the real card data. To anyone or any process that doesnt have authorization to access the vault, the token value is totally meaningless; its just random characters. In the payments processing chain, the acquirer/processor is the most likely entity to manage the vault. Encryption tools and secure key management complement this approach by protecting the original data value within the vault. Tokens can be uniquely tied to a single transaction or uniquely assigned to a single payment card regardless of how often that card is used. Which method is better depends on a merchants needs. If the token is unique to the transaction, then a merchant cannot track when a specific consumer has used the merchants services multiple times. This method hinders back-end use of the data for purposes such as marketing and customer loyalty programs. Small merchants may not have a need for such applications. Larger merchants, on the other hand, would benefit from a token methodology that uses a consistent token value for a single payment card. This approach enables the tracking of a consumer as he shops multiple times with the merchant, at a single store or across many locations. 9.16 Where tokenization fits in the processing chain

Any tokenization solution fits best at the end of the transaction authorization process. Once a transaction is authorized by the issuing bank and an authorization code is sent to the acquirer, there is no need to send the actual PAN back to the merchant. At this point, the acquirer can substitute a token to return with the authorization code. When the merchant receives the tokenized data, he can store it indefinitely and use it in multiple business applications without fear Payment Domain-Training Manual Dated 08/02/11 Page 74 of 98

of compromising sensitive data. This scenario works just as well for CNP transactions as for cardpresent transactions. Because the data that comprises a token is random, the token can have the same 16-character format as a credit card. Therefore, it can be used in back-end databases and business applications without modifying those systems in any way.

1. When the cardholder data (the PAN) is captured at the POS (with a physical swipe or data entry), the data is encrypted. 2. The data is encrypted as it traverses any in-store network. 3. The merchant sends the encrypted PAN to the acquirer/processor. 4. The payment processor decrypts the data and sends it via a secure channel to the appropriate network or association for authorization. When the transaction is authorized for payment, it gets sent back to the payment processor. 5. After authorization, the acquirer/processor returns the encrypted PAN along with the transaction response to the merchant. 6. The merchant may retain the encrypted transaction data long term for the processing of returns, retrieval requests or chargebacks, as well as for business intelligence reasons such as analysis of consumer buying behavior and creation of marketing programs.

9.17 The problems that tokenization solves

Tokenization solves the problem of having live cardholder data in storage or in use in business applications after the transaction approval. This process eliminates the possibility of having real card data stolen at this point because it doesnt even exist here. And unlike encrypted data, the use of tokenized data reduces the scope of PCI audits, again because there is no cardholder data

Payment Domain-Training Manual Dated 08/02/11

Page 75 of 98

that must be secured. Merchants can save significant time and money by reducing the scope of their PCI audits. 9.18 Conclusions Payment security is complex, with risks and vulnerabilities at every point of the processing chain. Unfortunately, there is no single approach to security that can totally prevent or eliminate card data theft and fraud. As criminals become more inventive in their methods of thievery, the risks and vulnerabilities for data increase, and security methods must evolve as well. Everyone in the payment chainconsumers, merchants, gateways, acquirers/processors, card companies and issuing bankshas a responsibility to become educated about the vulnerabilities and to take ownership of the aspects of security within their domain. This responsibility is especially important as each entity also assumes more liability for security breaches. All of these organizations can benefit from a combined approach of endto- end encryption and tokenization technologies that solve for some of the biggest security problems affecting the greatest numbers of consumers and merchants in the most cost-effective and timely manner.

Payment Domain-Training Manual Dated 08/02/11

Page 76 of 98

Chapter - 10 Payment Protocols

SSL: It is the most widely used security protocol on the Net. The SSL protocol combines symmetric encryption systems and asymmetric encryption systems. SET: As a complement SSL Mastercard and Visa developed SEPP (Secure Electronic Payment Protocol) and STT (Secure Transaction Technology) to ensure the economic transactions exclusively using credit cards as payment, although later both entities, with American Express, agreed to join efforts to develop a single protocol for electronic payment cards, called SET. The SET protocol (Secure Electronic Transaction) is a set of rules or safety specifications which are a standard way to perform payment transactions through the Internet. 3D Secure or 3 Domain Secure, has been developed by Visa to verify that the buyer is entitled to use the credit card. It gives to the buyer and to the seller greater certainty in electronic transactions. Its trade name is Verified by Visa. This protocol prevents the fraudulent use of credit cards through the Internet. Its operation is quite simple: 3-D Secure prompts the user for a password that previously have been processed by the issuing bank. If the key is correct and the card Credit is available, the system authorizes the closing of the purchase. 3-D Secure is supported by the SSL protocol to ensure the integrity of the messages exchanged between all those involved in the transaction (Buyer, Seller, the Issuing Bank, Bank of Seller).

The Word Wide Web (WWW) has been a boon for sellers trying to reach a world market as well as buyers trying to buy almost anything from anywhere in the world. But, as the old New Yorker cartoon suggested, no one knows that you're a dog on the Internet. In fact, no one knows who you are at all on the Internet. And that creates problems when making purchases. In the real world, you build relationships with vendors with whom you do business in person. Corporations built bilateral agreements as they carry out business. But on the Internet, both the buyer and seller have a certain anonymity and thus have to prove who they are every time a transaction occurs. There are many protocols that are currently employed to allow money to change hands in cyberspace. Lets evaluate three of the open protocols used for payments on the Web namely, SSL/TLS, SET, and IOTP that are most likely to find future or continued widespread use and implementation. 10.1 SSL and TLS The Secure Sockets Layer (SSL) protocol was designed by Netscape as a method for secure client-server communications over the Internet. Using public key cryptography and certificates, SSL offers a mechanism so that clients and servers can authenticate each other and then engage in secure communication. During an initial handshaking phase, the client and server select a secret key crypto scheme to use and then the client sends the secret key to the server using the server's public key from the server's certificate. From that point on, the information exchanged between the client and server is encrypted. The Transaction Layer Security (tls) Working Group (WG) was formed by the Internet Engineering Task Force (IETF) in 1996 to create an Internet Standard protocol to provide privacy, authentication, and integrity services for applications above the transport layer, primarily using the reliable services of the Transmission Control Protocol (TCP). To avoid reinventing the wheel, the tls WG chose to use existing Internet drafts as the basis for the new protocol and, as a result, the Transaction Layer Security (TLS) protocol, V1.0 is very similar to SSL V3.0. Browsers today routinely support SSL V2.0 and V3.0, and TLS V1.0; from a protocol perspective, TLS V1.0 is equivalent to "SSL v3.1". TLS is published as Request for Comments (RFC) 2246.

Payment Domain-Training Manual Dated 08/02/11

Page 77 of 98

SSL/TLS is an intermediate protocol layer that sits between TCP and a higher-layer application. SSL/TLS can be employed by any application layer protocol running over the Transmission Control Protocol (TCP), including Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, and the e-mail protocols (Simple Mail Transfer Protocol SMTP, Post Office Protocol POP3, and Internet Message Access Protocol IMAP4). Indeed, the most widely known and widely used application of SSL/TLS is for securing HTTP communication, denoted by the https:// in URLs and use of TCP port 443. At its heart, SSL/TLS is not a payment protocol at all. SSL's goal is to provide a secure connection between two parties and its application for electronic commerce is to provide a secure communications channel over which a customer and business can exchange private information. In fact, the processing of payments such as the seller obtaining credit card approval continues to use the same mechanisms that are employed today by businesses, such as the use of a private business-to-bank network or use of card swipe machines at the business. Secure communications in SSL/TLS relies on secret key cryptography (SKC) to ensure privacy and public key cryptography (PKC) for key exchange and authentication. The exact SKC and PKC algorithms, as well as key sizes, are negotiated on a per-session basis between the client and server. In general, the client tells the server what crypto algorithms it can support and lists them in preference order; the server selects the crypto scheme that it supports that is highest on the client's list. The client then creates an SKC session key and sends it to the server. Verification of public keys is performed using X.509 certificates. One of the criticisms and concerns about SSL/TLS is that only the server provides a certificate for authentication prior to securing the communication channel. The buyer is authenticated when the seller checks the buyer's credit card and determines that it is valid, but this takes place after the communication channel is secured. The risk, of course, is that the credit card could be stolen and then used by the thief to make on-line purchases. Use of a client-side certificate would make this much more difficult. As the SSL/TLS protocol handshaking in Figure 1 shows, however, the protocol provides the messages and procedures so that a certificate could be provided by both client and server. This feature is not widely used today largely because the market hasn't demanded it. Recall that prior to the introduction of SSL in the mid-1990s, many people were actually conducting business by sending credit card information in unencrypted e-mails. To require users to obtain certificates for secure transactions would have been a serious impediment to e-commerce due to the relative lack of sophistication of most users and the lack of a user-oriented certificate mechanism. In any case, users today either appear to be willing to accept the risks associated with not having a client certificate in exchange for the convenience, or they are unaware of the risks and have not demanded something different. TLS continues the evolution started by SSL. Market acceptance and user confidence in the protocol is extremely high and its use will clearly continue. It is worth noting that SSL/TLS is sufficiently secure for the vast majority of consumers who use it today to guard everything from credit card transactions and electronic banking to voting their proxy shares and applying to college. Furthermore, we don't hear about attackers stealing users' credit card numbers by grabbing packets off of the Internet and breaking the encryption; the attackers instead break into the server and grab tens of thousands of unencrypted credit card numbers! TLS is also the basis for the Wireless Application Protocol (WAP) Forum's Wireless TLS (WTLS) specification. WTLS is functionally similar to TLS 1.0 and provides authentication, privacy, and data integrity between two applications communicating over a wireless network. WTLS is optimized for the relatively low bandwidth and high latency characteristics of this environment by incorporating such additional features as datagram support, streamlined protocol handshaking, and dynamic key refreshing.

Payment Domain-Training Manual Dated 08/02/11

Page 78 of 98

10.2 SET Despite SSL's popularity, MasterCard, Visa, and several other companies developed the Secure Electronic Transaction (SET) protocol specifically to handle electronic payments. SET version 1.0 was released in May 1997. Message formats, protocol handshaking, and encryption mechanisms are described in three separate books which are available at SETCo. Today, interoperability testing is in full swing-many products, such as Cybercash's popular merchant software, are already SET compliant. Fraud prevention is a primary motivator behind SET. Visa and Mastercard claim that online credit card fraud closely track offline rates, which they estimate to be less than one-tenth of one percent. That would seem to indicate that the current model of using SSL to protect transactions is adequate. However, some recent studies have suggested that merchants are experiencing fraud rates as high as 40% in certain segments of the electronic marketplace-items such as airline tickets, computers, and downloadable software carry the greatest risk. SET has the potential to reduce the chance of fraud by providing rigorous authentication measures in addition to encrypting transactions. The SET approach to cryptography is similar to SSL's, employing a combination of of the DES secret key and RSA public key schemes. A unique facet of SET's RSA implementation is that participants use two public/private key pairs: one for key exchange and another for digital signatures. Digital certificates form the basis of SET security. In addition to merchants possessing server-side certificates, customers are required to obtain certificates so that their identities as legitimate cardholders can be verified. Payment gateways interfacing between the Internet merchant and the traditional payment network are also required to have certificates. One of the biggest differences between SET and SSL is in scope. SET has several components which communicate securely end-to-end across the Internet. Cardholders interact with merchants who process order information and pass payment information to payment gateways. In contrast, SSL is essentially point-to-point between buyer and seller, and makes no explicit provisions for involving financial institutions. SET only appears on the scene at the end of a purchase. All cryptographic schemes add processing delay, so product selections are generally made without encryption to improve performance, while registration, ordering, and other interactions involving personal information take place using another secure protocol such as SSL. After completing the order process, the customer clicks a button on the website's payment page to activate a wallet application. A reference number is generated by the merchant software and sent to the customer software along with a summary of the order. The cardholder selects the appropriate credit card in the digital wallet and clicks on a payment button, invoking SET and beginning the payment process. An exchange of SET messages over the Internet-between the cardholder and the merchant, and between the merchant and the payment gateway-completes the transaction. Connections between the payment gateway and banks use the existing payment network, and are thus are not part of the SET specification. SET provides a high degree of privacy for customers by encrypting payment information so that only the bank can see it. Customer software sends a purchase request to the merchant containing the following (Figure 2): unencrypted order information and a dual signature, intended for the merchant; payment instructions and a dual signature, both encrypted and intended for the payment gateway; and the cardholder's digital certificate to be used by the merchant and the payment gateway for authentication. Lacking the payment gateway's private key, the e-commerce site can only read the order information. The merchant passes payment instructions in an authorization request to the gateway. SET, then, eliminates the merchant as a vulnerability in the credit card chain; because the merchant does not require access to the credit card account information, it is neither processed nor stored it in their databases!

Payment Domain-Training Manual Dated 08/02/11

Page 79 of 98

The order details and the account information are unequivocally associated through a "dual signature" mechanism. The SET client software first combines a hash of the order information with a hash of the payment instructions. The result is then hashed, thus linking the order and payment together such that nobody can deny the bond. This second hash value is signed by encrypting it with the customer's secret key, tying the customer to the purchase. SET is not currently popular in the United States, though examples of SET merchants are legion elsewhere. To see the latest list of e-commerce sites using SET, visit MasterCard's site at or Visa's merchant list at Perception appears to be holding back SET implementation; it is viewed by many as too complex to implement. While not rocket science, the very "end to end" nature of SET, involving many participants who need to be authenticated, does mean it is inherently more complex than SSL. With SSL already prevalent in the United States, there is little incentive to change processes to include a new, more complicated protocol. The greatest weakness is on the consumer side. For SET to be of any real security benefit, end user authentication has to be a part of the transaction. However, requiring the average surfer to obtain a certificate is a dicey proposition, partially proven by the continued use of SSL and serveronly authentication. To promote migration, there are provisions to allow for optional customer certificates in the short-term. Generating certificates involves new user behavior, potentially complicating the customer's shopping experience and thereby discouraging purchases. To promote adoption of SET, the specification allows for optional customer certificates-whether to require them is at the card issuer's discretion. Extensions to SET may aid in its eventual acceptance. They include the ability to transmit personal identification numbers as well as information stored on smart cards, debit cards, and other tokens. Other developments might include moving to more sophisticated encryption methods, such as elliptic curve cryptography, to improve performance while retaining the rigorous security required for online transactions. On June 19th of this year, Visa announced a global e-commerce transaction security initiative, indicating their continued support for SET deployment in their European and Latin American/Caribbean regions, areas with a smaller installed base of products not already SETcompliant. What's instructive is the tacit admission that, in Visa's view, SET appears not to be viable in the United States. This press release certainly was a red flag about the protocol's future; SET may not offer enough incentive for sites and users to adopt new software and user behavior in the United States. However, the inclusion of SET wallet software in popular products such as Microsoft's Internet Explorer supporting SET wallet software could bode well for the technology. Regardless, SET will augment SSL rather than supplant it. Each protocol has its niche and can be used together: SSL as a generic protection scheme and SET as a payment-specific mechanism. 10.3 IOTP Whereas SSL is a secure communications protocol that can be used by a consumer to forward payment information and SET is a protocol specifically designed for credit card transactions, the Internet Open Trading Protocol (IOTP) provides an interoperable framework for consumer-tobusiness Internet-based electronic commerce. As a commerce framework specification, IOTP is designed to replicate the "real" world of transactions where consumers choose their product, choose their vendor, choose their form of payment (in conjunction with their vendor), arrange delivery, and, periodically, even return products. The designers of IOTP intend that this protocol will be the lingua franca of Internet commerce just as EDI has become the standard document language for "real" commerce; any two parties conducting Internet-based e-commerce in a way that conforms to the IOTP specifications will be able to complete their transactions securely.

Payment Domain-Training Manual Dated 08/02/11

Page 80 of 98

Note that it might be more proper to refer to IOTP as a shopping protocol rather than a payment protocol since it attempts to capture the entire online shopping cycle and shopping is more than merely paying for stuff. And just as you might wander through the stores of a new mall in the real world, IOTP is optimized for those cases where the buyer and merchant do not have an a priori relationship. The Selection and Offer step is a particularly good example of mapping e-commerce to realspace. In this step, the user selects amongst payment mechanisms the way they might in a "real" store. I might select a credit card, for example, because of an award that I may get for using the card or perhaps because of a discount offer made by the store. Alternatively, I may use one currency over another for some other perceived benefits. IOTP maintains payment-system independence and can be used to encapsulate and support payment systems such as CyberCoin, e-cash, GeldKarte, MilliCent, Mondex, SET, and others. Note also that IOTP procedures can be employed by the customer for communication with the merchant, payment handler, and shipper which may be one, two, or three different entities. But while IOTP will support the familiar models of business that we have today, it also has to support the new models that only the Internet has made viable. Individual very low-value transactions (e.g., where someone purchases pages of a document rather than an entire book at a rate of fractions of pennies per page) don't even exist in the real world because they use currency that doesn't "exist"! New product delivery models will also appear. Consider today's Internet market where the value of a product might be is irretrievably transferred to the customer upon downloading a file; in this case, an item must be proved delivered before payment is rendered but payment must be forthcoming upon delivery and nonrefundable. Clearly, cryptography is an important part of the security associated with IOTP. Although IOTP does not call out for specific algorithms, it does provide the flexibility that any given transaction may employ symmetric (secret key), asymmetric (public key), or both types of crypto schemes. Furthermore, depending upon transaction type, digital certificates may or may not be employed. Again, the overhead and cost of the security must be balanced with the needs of the buyer and the seller on a per-transaction basis. Use of XML (eXtensible Markup Language) as the data representation language provides flexibility and extensibility, and facilitates the development of a broad range of IOTP-aware applications. IOTP is a relatively new protocol, V1.0 (RFC 2801) being dated in only April of this year. 10.4 SUMMARY E-payment security and privacy are clearly requirements for the burgeoning Internet-based economy. And it is equally clear that SSL/TLS, SET, and IOTP will each have a role to play going forward. There will be no single solution just as in everything else in the security space it is a matter of balancing risk with exposure except in this case it is balancing convenience with threat of credit card theft. While most users will sacrifice some convenience for protection even the authors have been known to have sent credit card information in unencrypted e-mails in 1995, how many continue to do so today? there is a limit. Once users think that they are safe enough, they will not tolerate tools that make their shopping less productive. If e-commerce security mechanisms become too onerous, users will work around the precautions totally obviating any good. Developers of secure protocols, then, have to provide options so that users can find their own balance of security and exposure. IOTP provides an important framework so that current and future payment mechanisms and even purchase-payment models can be supported and coexist. This seamless integration is the most important thing for consumers and sellers, alike. And since this is software, w will always have the same vulnerability that we have always had; namely, the imperfection of software and the fact that implementation flaws will always weaken any scheme regardless of the design

Payment Domain-Training Manual Dated 08/02/11

Page 81 of 98

Chapter - 11
11.1 ISO 8583

ISO 8583

ISO 8583 Financial transaction card originated messages Interchange message specifications is the International Organization for Standardization standard for systems that exchange electronic transactions made by cardholders using payment cards. It has three parts Part 1: Messages, data elements and code values Part 2: Application and registration procedures for Institution Identification Codes (IIC) Part 3: Maintenance procedures for messages, data elements and code values A card-based transaction typically travels from a transaction acquiring device, such as a point-ofsale terminal or an automated teller machine (ATM), through a series of networks, to a card issuing system for authorization against the card holder's account. The transaction data contains information derived from the card (e.g., the account number), the terminal (e.g., the merchant number), the transaction (e.g., the amount), together with other data which may be generated dynamically or added by intervening systems. The card issuing system will either authorize or decline the transaction and generate a response message which must be delivered back to the terminal in a timely manner. ISO 8583 defines a message format and a communication flow so that different systems can exchange these transactions. The vast majority of transactions made at ATMs use ISO 8583 at some point in the communication chain, as do transactions made when a customer uses a card to make a payment in a store. In particular, both the MasterCard and Visa networks base their authorization communications on the ISO 8583 standard, as do many other institutions and networks. ISO 8583 has no routing information, so is sometimes used with a TPDU header. Cardholder-originated transactions include purchase, withdrawal, deposit, refund, reversal, balance inquiry, payments and inter-account transfers. ISO 8583 also defines system-to-system messages for secure key exchanges, reconciliation of totals, and other administrative purposes. Although ISO 8583 defines a common standard, it is not typically used directly by systems or networks. Instead, each network adapts the standard for its own use with custom fields and custom usages.. The placements of fields in different versions of the standard varies; for example, the currency elements of the 1987 and 1993 versions are no longer used in the 2003 version, which holds currency as a sub-element of any financial amount element. As of writing, ISO 8583:2003 has yet to achieve wide acceptance. An ISO 8583 message is made of the following parts: Message type indicator (MTI) One or more bitmaps, indicating which data elements are present Data elements, the fields of the message

Message type indicator This is a 4 digit numeric field which classifies the high level function of the message. A message type indicator includes the ISO 8583 version, the Message Class, the Message Function and the Message Origin, each described briefly in the following sections. The following example (MTI 0110) lists what each digit indicates: 0xxx -> version of ISO 8583 (1987 version) x1xx -> class of the Message (Authorization Message)

Payment Domain-Training Manual Dated 08/02/11

Page 82 of 98

xx1x -> function of the Message (Request Response) xxx0 -> who began the communication (Acquirer)

11.2 ISO 8583 version Position one of the MTI specifies the versions of the ISO 8583 standard which is being used to transmit the message. Position Meaning


ISO 8583-1:1987 version


ISO 8583-2:1993 version


ISO 8583-1:2003 version


Private usage

11.3 Message Class Position two of the MTI specifies the overall purpose of the message Meaning Usage



Authorization Message

Determine if funds are available, get an approval but do not post to account for reconciliation, Dual Message System (DMS), awaits file exchange for posting to account


Financial Message

Determine if funds are available, get an approval and post directly to the account, Single Message System (SMS), no file exchange after this


File Actions Message

Used for hot-card, TMS and other exchanges



Reverses the action of a previous authorization

Payment Domain-Training Manual Dated 08/02/11

Page 83 of 98



Reconciliation Message

Transmits settlement information


Administrative Message

Transmits administrative advice. Often used for failure messages (e.g. message reject or failure to apply)


Fee Collection Message


Network Management Message

Used for secure key exchange, logon, echo test and other network functions


Reserved by ISO

11.4 Message Function Position three of the MTI specifies the message function which defines how the message should flow within the system. Requests are end-to-end messages (e.g., from acquirer to issuer and back with timeouts and automatic reversals in place), while advices are point-to-point messages (e.g., from terminal to acquirer, from acquirer to network, from network to issuer, with transmission guaranteed over each link, but not necessarily immediately). Position Meaning




Request Response




Advice Response



Payment Domain-Training Manual Dated 08/02/11

Page 84 of 98


Response acknowledgment


Negative acknowledgment

11.5 Message Origin Position four of the MTI defines the location of the message source within the payment chain

Positi on





Acquirer Repeat




Issuer Repeat




Other Repeat

11.6 Examples Bearing each of the above four positions in mind, an MTI will completely specify what a message should do, and how it is to be transmitted around the network. Unfortunately, not all ISO 8583 implementations interpret the meaning of an MTI in the same way. However, a few MTIs are relatively standard: MTI Meaning Usage


Authorization request

Request from a point-of-sale terminal for authorization for a cardholder purchase

Payment Domain-Training Manual Dated 08/02/11

Page 85 of 98


Issuer Response

Issuer response to a point-of-sale terminal for authorization for a cardholder purchase


Authorization Advice

When the Point of Sale device breaks down and you have to sign a voucher


Authorisation Advice Repeat

if the advice times out


Issuer Response to Authorization Advice

Confirmation of receipt of authorization advice


Acquirer Financial Request

Request for funds, typically from an ATM or pinned point-of-sale device


Issuer Response to Financial Request

Issuer response to request for funds


Acquirer Financial Advice

e.g. Checkout at a hotel. Used to complete transaction initiated with authorization request


Acquirer Financial Advice repeat

if the advice times out


Issuer Response to Financial Advice

Confirmation of receipt of financial advice


Acquirer Reversal Request

Reverses a transaction


Acquirer Reversal Advice

Advises that a reversal has taken place


Acquirer Reversal Advice Repeat Message

if the reversal times out

Payment Domain-Training Manual Dated 08/02/11

Page 86 of 98


Issuer Reversal Response

Confirmation of receipt of reversal advice


Network Management Request

Echo test, logon, log off etc.


Network Management Response

Echo test, logon, log off etc.


Network Management Advice


11.7 BitMaps Within ISO 8583, a bitmap is a field or subfield within a message which indicates which other data elements or data element subfields may be present elsewhere in a message. A message will contain at least one bitmap, called the Primary Bitmap which indicates which of Data Elements 1 to 64 are present. A secondary bitmap may also be present, generally as data element one and indicates which of data elements 65 to 128 are present. Similarly, a tertiary, or third, bitmap can be used to indicate the presence or absence of fields 129 to 192, although these data elements are rarely used. The bitmap may be transmitted as 8 bytes of binary data, or as 16 hexadecimal characters 0-9, A-F in the ASCII or EBCDIC character sets. A field is present only when the specific bit in the bitmap is true. For example, byte '82x is binary '1000 0010' which means fields 1 and 7 are present in the message and fields 2, 3, 4, 5, 6, and 8 are not present. Bitmap Defines presence of


Fields 2, 7, 12, 28, 32, 39, 41, 42, 50, 53, 62


Fields 2, 3, 4, 7, 11, 12, 14, 22, 24, 26, 32, 35, 37, 41, 42, 47, 49, 53, 62, 64


Fields 1, 64

0000000000000003 (secondary bitmap)

Fields 127, 128

Explanation of Bitmap (8 BYTE Primary Bitmap = 64 Bit) field 4210001102C04804 BYTE1 : 01000010 = 42x (counting from the left, the second and seventh bits are 1,

Payment Domain-Training Manual Dated 08/02/11

Page 87 of 98

indicating that fields 2 and 7 are present) BYTE2 : 00010000 = 10x (field 12 is present) BYTE3 : 00000000 = 00x (no fields present) BYTE4 : 00010001 = 11x (fields 28 and 32 are present) BYTE5 : 00000010 = 02x (field 39 is present) BYTE6 : 11000000 = C0x (fields 41 and 42 are present) BYTE7 : 01001000 = 48x (fields 50 and 53 are present) BYTE8 : 00000100 = 04x (field 62 is present)

0________10________20________30________40________50________60__64 1234567890123456789012345678901234567890123456789012345678901234 n-th bit 0100001000010000000000000001000100000010110000000100100000000100 bit map Fields present in the above variable length message record: 2-7-12-28-32-39-41-42-50-53-62 11.8 Data Elements Data elements are the individual fields carrying the transaction information. There are up to 128 data elements specified in the original ISO 8583:1987 standard, and up to 192 data elements in later releases. The 1993 revision added new definitions, deleted some, while leaving the message format itself unchanged. While each data element has a specified meaning and format, the standard also includes some general purpose data elements and system- or country-specific data elements which vary enormously in use and form from implementation to implementation. Each data element is described in a standard format which defines the permitted content of the field (numeric, binary, etc.) and the field length (variable or fixed), according to the following table: Abbreviation Meaning

Alpha, including blanks

Numeric values only

Special characters only




Alpha & special characters only


Numeric and special characters only

Payment Domain-Training Manual Dated 08/02/11

Page 88 of 98


Alphabetic, numeric and special characters.

Binary data

Tracks 2 and 3 code set as defined in ISO/IEC 7813 and ISO/IEC 4909 respectively

. or .. or ...

variable field length indicator, each . indicating a digit.

x or xx or xxx

fixed length of field or maximum length in the case of variable length fields.

Additionally, each field may be either fixed or variable length. If variable, the length of the field will be preceded by a length indicator. Type Meaning


no field length used

LLVAR or (..xx)

Where LL < 100, means two leading digits LL specify the field length of field VAR


Where LLL < 1000, means three leading digits LLL specify the field length of field VAR

LL and LLL are hex or ASCII. A VAR field can be compressed or ASCII depending of the data element type.

LL can be 1 or 2 bytes. For example, if compressed as one hex byte, '27x means there are 27 VAR bytes to follow. If ASCII, the two bytes '32x, '37x mean there are 27 bytes to follow. 3 digit field length LLL uses 2 bytes with a leading '0' nibble if compressed, or 3 bytes if ASCII. The format of a VAR data element depends on the data element type. If numeric it will be compressed, e.g. 87456 will be represented by 3 hex bytes '087456x. If ASCII then one byte for each digit or character is used, e.g. '38x, '37x, '34x, '35x, '36x.

Payment Domain-Training Manual Dated 08/02/11

Page 89 of 98

11.9 ISO defined Data Elements Data element Type Usage

b 64

Bit map (b 128 if secondary is present and b 192 if tertiary is present)

n ..19

Primary account number (PAN)


Processing code

n 12

Amount, transaction

n 12

Amount, settlement

n 12

Amount, cardholder billing

n 10

Transmission date & time


Amount, cardholder billing fee


Conversion rate, settlement



Conversion rate, cardholder billing



Systems trace audit number



Time, local transaction (hhmmss)



Date, local transaction (MMDD)



Date, expiration



Date, settlement

Payment Domain-Training Manual Dated 08/02/11

Page 90 of 98



Date, conversion



Date, capture



Merchant type



Acquiring institution country code



PAN extended, country code



Forwarding institution. country code



Point of service entry mode



Application PAN number



Function code (ISO 8583:1993)/Network International identifier (NII)



Point of service condition code



Point of service capture code



Authorizing identification response length



Amount, transaction fee



Amount, settlement fee



Amount, transaction processing fee



Amount, settlement processing fee

Payment Domain-Training Manual Dated 08/02/11

Page 91 of 98


n ..11

Acquiring institution identification code


n ..11

Forwarding institution identification code


n ..28

Primary account number, extended


z ..37

Track 2 data


n ...104

Track 3 data


an 12

Retrieval reference number


an 6

Authorization identification response


an 2

Response code


an 3

Service restriction code


ans 16

Card acceptor terminal identification


ans 15

Card acceptor identification code


ans 40

Card acceptor name/location (1-23 address 24-36 city 37-38 state 39-40 country)


an ..25

Additional response data


an ..76

Track 1 data


an ...999

Additional data - ISO


an ...999

Additional data - national

Payment Domain-Training Manual Dated 08/02/11

Page 92 of 98


an ...999

Additional data - private



Currency code, transaction


an 3

Currency code, settlement



Currency code, cardholder billing


b 64

Personal identification number data


n 18

Security related control information


an ...120

Additional amounts


ans ...999

Reserved ISO


ans ...999

Reserved ISO


ans ...999

Reserved national


ans ...999

Reserved national


ans ...999

Reserved for national use


an .7

Advice/reason code (private reserved)


ans ...999

Reserved private

Payment Domain-Training Manual Dated 08/02/11

Page 93 of 98


ans ...999

Reserved private


ans ...999

Reserved private


b 16

Message authentication code (MAC)


b 64

*Bit indicator of tertiary bitmap only*, tertiary bitmap data follows secondary in message stream.



Settlement code



Extended payment code



Receiving institution country code



Settlement institution county code



Network management Information code



Message number


ans ...999

Data record (ISO 8583:1993)/n 4 Message number, last(?)



Date, action


n 10

Credits, number


n 10

Credits, reversal number


n 10

Debits, number

Payment Domain-Training Manual Dated 08/02/11

Page 94 of 98


n 10

Debits, reversal number


n 10

Transfer number


n 10

Transfer, reversal number


n 10

Inquiries number


n 10

Authorizations, number


n 12

Credits, processing fee amount


n 12

Credits, transaction fee amount


n 12

Debits, processing fee amount


n 12

Debits, transaction fee amount


n 15

Credits, amount


n 15

Credits, reversal amount


n 15

Debits, amount


n 15

Debits, reversal amount


n 42

Original data elements


an 1

File update code



File security code



Response indicator

Payment Domain-Training Manual Dated 08/02/11

Page 95 of 98


an 7

Service indicator


an 42

Replacement amounts


an 8

Message security code


n 16

Amount, net settlement


ans 25



n ..11

Settlement institution identification code


n ..11

Receiving institution identification code


ans 17

File name


ans ..28

Account identification 1


ans ..28

Account identification 2


ans ...100

Transaction description


ans ...999

Reserved for ISO use


ans ...999

Reserved for ISO use


ans ...999

Reserved for ISO use



Reserved for ISO use

Payment Domain-Training Manual Dated 08/02/11

Page 96 of 98



ans ...999

Reserved for ISO use


ans ...999

Reserved for ISO use


ans ...999

Reserved for ISO use


ans ...999

Reserved for national use


n ..11

Authorizing agent institution id code


ans ...999

Reserved for national use


ans ...999

Reserved for national use


ans ...999

Reserved for national use


ans ...999

Reserved for national use


ans ...999

Reserved for national use


ans ...999

Reserved for national use


ans ...999

Reserved for private use

Payment Domain-Training Manual Dated 08/02/11

Page 97 of 98


ans ...999

Reserved for private use


ans ...999

Reserved for private use


ans ...999

Reserved for private use


ans ...255

Info text


ans ..50

Network management information


ans .6

Issuer trace id


ans ...999

Reserved for private use


b 16

Message authentication code

Field Definition



Fixed length field of six digits


LVAR numeric field of up to 6 digits in length


LLVAR alphanumeric field of up to 11 characters in length


LLLVAR binary field of up to 999 bytes in length

Payment Domain-Training Manual Dated 08/02/11

Page 98 of 98