EMV Implementation Guide

Transcription

1 Publication date: Version 2.4

2 Legal Notice Legal Notice 2017 by B2 Payment Solutions Inc. developed for Chase Paymentech Inc. All rights reserved. All information contained herein is confidential and propriety to B2 Payment Solutions Inc. and/or Chase Paymentech Inc. It shall not be disclosed, duplicated or used in part or in whole, for any purpose without prior written consent from Chase Paymentech Inc. All trademarks, registered trademarks, product names and logos identified or mentioned herein are the property of Paymentech, LLC, Chase Paymentech Solutions, LLC, Chase Paymentech Europe Limited, or their respective owners. This edition of the EMV Implementation Guide contains information available at the time of publication and supersedes, in its entirety, all previously published documents by Chase Paymentech. ALL INFORMATION IS PROVIDED BY Paymentech, LLC, CHASE PAYMENTECH SOLUTIONS, LLC, Chase Paymentech Europe Limited, and their respective affiliates (collectively Chase Paymentech ) ON AN "AS IS" AND AS AVAILABLE BASIS ONLY and without condition, endorsement, guarantee, representation, or warranty of any kind by Chase Paymentech. This document and all information contained herein are proprietary to Chase Paymentech. Recipient agrees to treat it as such, whether or not any or all parts are protected by patent, trade secret, or copyright. Recipient shall not, under any circumstances disclose this document or the system described to any third party without prior written consent of a duly authorized representative of Chase Paymentech. To satisfy this proprietary obligation, recipient agrees to take appropriate action with its employees or other persons permitted access to this information. This document may contain references to third party sources of information, hardware, software, products or services ( Third Party Content ). Chase Paymentech does not control and is not responsible for any Third Party Content. This document is intended to support technical requirements for processing transactions only. It is not intended to be a guarantee that merchants will qualify for the best interchange rates from the payment brands or that merchant s transactions are in compliance with applicable Payment Brand Rules. Disclaimer Chase Paymentech does not guarantee or assume responsibility for any typographical, technical or other inaccuracies, errors or omissions in this document. Recipient s use of this document is at the recipient s own risk. Chase Paymentech reserves the right to periodically change information contained in this document, however, Chase Paymentech is under no obligation to provide notice of any such changes, revisions, updates, enhancements, or other additions to this document to recipient in a timely manner or at all. CHASE PAYMENTECH PROVIDES NO REPRESENTATIONS AND WARRANTIES, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING WITHOUT LIMITATION ANY WARRANTY OR CONDITION REGARDING QUALITY, SUITABILITY, MERCHANTABILITY, FITNESS FOR USE OR FITNESS FOR A PARTICULAR PURPOSE, NON- INFRINGEMENT OR OTHERWISE (REGARDLESS OF ANY COURSE OF DEALING, CUSTOM OR USAGE OF TRADE). IN NO EVENT WILL CHASE PAYMENTECH BE LIABLE TO ANY PARTY FOR ANY TYPES OF DAMAGES RELATED TO THIS DOCUMENT OR ITS USE, OR PERFORMANCE OR NON-PERFORMANCE OF ANY SOFTWARE, HARDWARE, SERVICE OR ANY THIRD PARTY PRODUCTS AND SERVICES REFERENCED HEREIN INCLUDING WITHOUT LIMITATION ANY DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL, EXEMPLARY, PUNITIVE OR AGGRAVATED DAMAGES FOR ANY USE OF THIS DOCUMENT OR THE INFORMATION CONTAINED HEREIN, INCLUDING, WITHOUT LIMITATION, ANY LOST PROFITS, LOSS OF BUSINESS OPPORTUNITY, BUSINESS INTERRUPTION, CORRUPTION OR LOSS OF DATA OR PROGRAMS, FAILURE TO TRANSMIT OR RECEIVE DATA OR DOWNTIME COSTS, WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN, AND EVEN IF CHASE PAYMENTECH HAS BEEN EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Paymentech, LLC. All rights reserved Page 2 of 279

3 EMVCo LLC EMVCo LLC EMVCo LLC is the regulator agency, originally formed by Europay International, MasterCard International and Visa International, to manage, maintain and enhance the EMV Integrated Circuit Card specification for Payment Systems. EMVCo is responsible for the EMV type approval process and compliance testing. It is imperative that developers are familiar with the EMVCo requirements when developing their EMV POS Solution. Current active EMVCo members are Amex, Discover, JCB, MasterCard, China UnionPay and Visa. This Chase Paymentech EMV Implementation Guide provides insight into EMVCo requirements and outlines the expected EMV transaction flow. However, because EMV rules differ for each card brand and include rules specific to the PIN Pad and related EMV chip interaction, it is not possible to provide all EMVCo and certification requirements; nor is it possible to ensure this document always reflects the most current EMVCo requirements. For the most current EMV information and to keep up to date with all EMV regulatory updates, please refer to the EMVCo web site at Within this document all EMV and contactless configurations are generically referred to as an EMV POS Solution. Intended Audience This document is intended for Software Developers, Gateway Providers, Merchants, 3 rd Party Developers and Project Managers. It is intended to provide a basic understanding of how Chase Paymentech handles EMV chip card processing and how best to integrate their products to the Chase Paymentech host. Paymentech, LLC. All rights reserved Page 3 of 279

4 Supporting Documentation Supporting Documentation This document is not intended to cover all details required to board and implement EMV processing, but is meant to supplement information found in the following existing documents and other specifications available on the Chase Paymentech Developer Center. Chase Paymentech Processing and Interchange Guidelines Universal Terminal Formats for Host Capture System Universal Terminal Formats for Terminal Capture System Universal Terminal Formats Token Reference Guide PNS ISO Formats for Host and Terminal Capture System Stratus Online Processing Specification 120-Byte Batch Processing Specification This guide is intended to provide the minimum requirements to process chip transactions. Developers should also consult the most recent version other EMV documents that provide additional information required for EMV implementation. These documents can be obtained directly from the PIN Pad vendor, EMVCo and the specific card brands (i.e. Visa, MasterCard, etc.). Other EMV Integrated Circuit Card Specification for Payment Systems Visa International Integrated Circuit Card Specification Visa Transaction Acceptance Device Guide Visa Smart Debit/Credit Acquirer Device Validation Toolkit User Guide MasterCard International M/Chip Functional Architecture for Debit and Credit MasterCard U.S. Market Terminal Requirements Interac Association IDP Terminal Specifications Interac Direct Payment (IDP) POS Terminal Specifications Bulletin #1 Interac Terminal Application Certification Guide for U.S. Implementation AEIPS Terminal Specification Implementing American Express EMV Acceptance on a Terminal Discover D-PAS Acquirer Implementation Guide UnionPay Integrated Circuit Card Specifcation set (available from China UnionPay website) It is the developer s responsibility to review the above referenced materials as this supplement is an addition to the standards that are required for EMV compliance. It is recommended that developers review the reference materials before referring to this guide. Paymentech, LLC. All rights reserved Page 4 of 279

5 Table of Contents Table of Contents EMV Implementation Guide... 1 Legal Notice... 2 Disclaimer... 2 EMVCo LLC... 3 Intended Audience... 3 Supporting Documentation... 4 Table of Contents... 5 Requirements Best Practices Tables Change Log Introduction Implementation Guide Overview EMV Terminal Configurations Fully Integrated ECR Solution Partially Integrated ECR Solution Semi-Integrated ECR Solution Standalone POS Solution (Internal PINPad) Standalone POS Solution (External PINPad) Safetech Encryption Safetech Tokenization EMV and Contactless Solution Components Chase Paymentech Supported Configurations U.S. Debit Development Process Development and Certification Technical Profile Questionnaire (TPQ) Training Technical Support Development Host Connection Information Certification Process Card Brand Certification Pilot Post Rollout Re-Certification EMV Contact and Contactless Test Tools Paymentech, LLC. All rights reserved Page 5 of 279

6 Table of Contents Collis Merchant Test Suite ICC Solutions Test Suite Bundles for Certification (ICC TS) Integrated Solution Validation EMV Overview EMV Benefits Online vs. Offline EMV Transactions EMV Transaction Steps EMV Credit Transaction Set EMV Debit Transaction Set Transaction Processing Sale Transactions Authorization / Pre-Authorization Transactions Incremental Authorization Completions Return Balance Inquiry Transactions Quick Service Transactions (QSR, QPS, FPS) Contactless Overview Contactless Benefits MSD vs EMV Grade Contactless Card Schemes EMV Contactless Transaction Sets EMV Transaction Flow Full EMV Transaction Flow Full EMV Transaction Flowchart Partial EMV Transaction Flow Partial EMV Transaction Flowchart Contactless Transaction Flow Contactless Transaction Flowchart Chip Processing Guidelines Tender Processing Cashback Transaction Flow Tip Transaction Flow Faster EMV (Quick Chip / M/Chip Fast) Transaction Flow EMV Transaction Initiation Service Code Processing Chip Read Flow Chip Read Flowchart Fallback Processing Paymentech, LLC. All rights reserved Page 6 of 279

7 Table of Contents Fallback Acceptance Fallback Not Allowed Scenarios Fallback Prompting Fallback Timeline Exception to Fallback Application Selection Application Selection Methods Credit / Debit Selection and U.S. Debit Processing Final Selection Cardholder Application Confirmation Read Data Records Cardholder Language Selection Cardholder Prompting Card Entry Prompting PIN Prompting Amount Confirmation Prompting Processing Restrictions Processing Restrictions Steps Offline Card Authentication Offline Card Authentication Methods Cardholder Verification Chase Merchant Services (Paymentech) EMV Processing Guidelines Update Supported Cardholder Verification Methods (CVM) PIN Prompting CVM Results Validation (Tag 9F34) Terminal Risk Management EMV Floor Limit EMV Random Selection Data Object Lists Dynamic Data Object List (DDOL) Transaction Certificate Data Object List (TDOL) Processing Data Object List (PDOL) Terminal Action Analysis Issuer Action Codes (IACs) Terminal Action Codes (TACs) st Generate Application Cryptogram Terminal Action Analysis Card Action Analysis EMV Offline Approvals Paymentech, LLC. All rights reserved Page 7 of 279

8 Table of Contents Offline Transaction Upload Online Response Processing Partial Authorizations Referrals External Authenticate nd Generate Application Cryptogram Issuer Script Processing Transaction Completion Processing Reversal Processing Card Removal Prompting Transaction Storage Chase EMV Parameter Download Chase EMV Download Parameters Certificate of Authority Public Keys (CAPK) Fallback Indicator EMV Offline Floor Limit Threshold for Biased Random Selection PNS ISO Parameter Download Processing PNS ISO Download Notification PNS ISO Parameter Download UTF Parameter Download Processing UTF EMV Download Notification UTF EMV Parameter Download Stratus EMV Parameter Download Processing EMV Contact and Contactless Parameters Contact EMV Parameters Contactless EMV Parameters Chase Host Message Processing Host Transaction Sets Credit Transaction Set Debit Transaction Set Host Message EMV Fields Cardholder Data Chip Card Data EMV/Contactless PAN Sequence Number Host Message EMV Tags Authorization Request EMV Tags Authorization Response EMV Tags Reversal EMV Tags Paymentech, LLC. All rights reserved Page 8 of 279

9 Table of Contents Settlement EMV Tags Host Message Examples PNS ISO Host Message Examples UTF Host Message Examples Stratus Host Message Examples EMV Receipt Guidelines EMV Receipt Data Receipt Samples Credit Card (Online Approved Signature) Credit Card (Online Approved PIN) Credit Card (Online Approved Fallback) Credit Card (Offline Declined) EMV Report Guidelines EMV Transaction Report EMV Statistics Report Technical Fallback Reports EMV Clerk Technical Fallback Report PINPad Technical Fallback Report POS Entry Mode Report EMV Configuration Report EMV Public Key Load Report EMV Contact and Contactless Data Elements EMV Contact & Contactless Data Elements Definitions Reference Materials Answer to Reset EMV Reference Tables Application Interchange Profile (Tag 82) Application Priority Indicator (Tag 87) Application Usage Control (Tag 9F07) Cardholder Verification Rule (part of CVM List) Cardholder Verification Method Results (Tag 9F34) Card Verification Results (included in Tag 9F10) Cryptogram Information Data (Tag 9F27) Terminal Capabilities (Tag 9F33) Additional Terminal Capabilities (Tag 9F40) Terminal Verification Results (Tag 95) Transaction Status Indicator (Tag 9B) EMV Chip Commands Application Block Paymentech, LLC. All rights reserved Page 9 of 279

10 Table of Contents Application Unblock Card Block External Authenticate Generate AC Get Challenge Get Data Get Processing Options Internal Authenticate PIN Change/Unblock Read Record Select Verify EMV Response Codes (SW1 SW2) BCD to ASCII Conversion ASCII Chart EMV Testing and Certification Parameters Amex Certification Parameters Debit Network Alliance Certification Parameters Discover Certification Parameters Interac Certification Parameters JCB Certification Parameters MasterCard Certification Parameters Visa Certification Parameters China UnionPay Certification Parameters Glossary of Terms & Acronyms Appendix A - Canadian Processing Interac Account Selection Prompting Canadian Language Requirements specific to Interac Sample Approved Receipt - French Sample Declined Receipt - French Interac Application Selection Application Selection Flag Canadian Flag (Tag DF62) Processing Canadian Debit Transaction Set Interac Cashback Processing Paymentech, LLC. All rights reserved Page 10 of 279

11 Table of Contents Requirements All EMV POS Solutions must support MSR transactions Debit on chip enabled EMV POS Solutions must support EMV and MSR debit Notify Chase of all PIN Pad kernel configurations being used Provide PIN Pad Certification Letters of Approval (LOA) EMV certification letters must be current EMV Test Tool is required for Card Brand Certification qvsdc certification is required for contactless-only Visa EMV POS Solutions Multiple certifications required if multiple kernel configurations supported Keep track of the EMV POS Solution certification status Chase Paymentech must be notified of changes to EMV functionality Transactions must go online for issuer authorization Sale transactions must be Full EMV transactions Auth and Pre-Auth transactions must be processed as Full EMV transactions Incremental Authorizations must be sent as keyed transactions Completions without cardholder present require Pre-Authorization chip data Credit Returns must be Partial EMV transactions Debit Returns must be Full EMV transactions CVM processing must be performed for QSR transactions MasterCard requires issuer decision be used for 2nd Generate AC chip error Total transaction amount must be known before the card is presented Transaction Amount (Tag 9F02) must be set to total transaction amount Cardholder amount confirmation is optional Transaction Amount (Tag 9F02) must include the cashback amount Other Amount (Tag 9F03) must contain the cashback amount Cashback is only allowed for online debit and Discover AIDs Transaction Type must be set to 09 for MasterCard debit cashback transactions Service Code 2xx and 6xx must force a chip usage Cancel transaction if card accepted but removed before host authorization Reverse and cancel if host approves but card removed before 2nd Gen AC Decline transaction if host declines and card removed before 2nd Gen AC Only one card interface may be active once a read has begun Service Code 2xx and 6xx must be accepted for fallback card swipes Fallback must be cancelled when a card is inserted at fallback card entry Fallback must be cancelled if a non-emv card is swiped during fallback Fallback transactions must be identified in the host message Fallback must be cancelled when card is inserted during fallback card entry Service Code 2xx and 6xx must be accepted for fallback card swipes Paymentech, LLC. All rights reserved Page 11 of 279

12 Table of Contents Fallback Flag must be downloaded from the Chase host and used Fallback is not allowed if not supported by card scheme Transactions sent as swiped because EMV was not enabled must not be sent as Fallback Partial Selection must be supported Accept valid AIDs only AID list must be loaded into the kernel at kernel initialization Final Selection application names must be displayed to cardholder Transaction must be cancelled if Cardholder Application Confirmation fails Application Expiration Date must match Track 2 Equivalent Data Expiry Date Service Code must not be validated against Track 2 Equivalent Data Merchant prompts and receipts must be in default merchant language Cardholder prompts and receipts should be in selected cardholder language If Language Preference Indictor is not present use merchant language AID list must be supported with associated Application Version Numbers All Offline CAM failures must be sent for online authorization If offline CAM is not performed transaction must go online All Offline Card Authentication Methods must be supported If PIN CVM is supported then both Online and Offline PIN must be supported Signature CVM must be supported for attended solutions NO CVM must be supported for unattended solutions with no PIN Pad Maximum number of PIN tries must not exceed PIN Try Counter (Tag 9F17) Cardholder must be notified of last offline PIN attempt Cardholder must be notified when maximum Offline PIN tries is exceeded Floor Limit must be set to zero Non-zero EMV Floor Limits must be supported Random Selection parameters must ensure transaction is attempted A Default DDOL is required for EMV POS Solutions that support DDA The Visa Default TDOL (if used) must include Transaction Amount only The MasterCard Default TDOL (if used) must include multiple tags Do not set kernel to force transactions online Authorization Response Code must be set based on host Response Code Issuer Scripts must be supported in host responses Reversal must be sent if cardholder declines partial authorization Transaction Amount (Tag 9F02) must reflect the partially authorized amount Partially authorized amount must be sent in the settlement message Referral transactions must be declined Issuer Scripts must be executed for approved and declined transactions Must support Issuer Scripts up to 128 bytes in length Handling Issuer Script errors Paymentech, LLC. All rights reserved Page 12 of 279

13 Table of Contents EMV transaction reversals must include EMV tags Last EMV transaction data must be available even if transaction is declined Chase EMV Parameters must be downloaded whenever new version is available Download EMV parameters within nine Settlement periods of notification Must be capable of storing six CA Public Keys per card brand Application Name or Label must be printed on the receipt Transaction amount must be printed on the receipt AID must be printed on the receipt EMV Configuration Report is mandatory EMV Public Key Load Report is mandatory Canadian EMV POS Solutions must support French cardholder prompting Canadian EMV POS Solutions must support French receipt printing Paymentech, LLC. All rights reserved Page 13 of 279

14 Table of Contents This page intentionally blank Paymentech, LLC. All rights reserved Page 14 of 279

15 Table of Contents Best Practices BP Contactless should be supported BP U.S. Debit selection method should be configurable BP Select U.S. Common Debit AIDs when present on card BP Allow Cardholder to select AID when more than one funding source BP Obtain EMV Training before beginning an EMV project BP Budget adequate time for certification BP Be ready before attempting Card Brand Certification BP Production validation prior to rollout is strongly encouraged BP Respond quickly when notified of re-certification requirements BP The Collis MTS or ICC Solutions TS are recommended BP Prior/Forced Sale transactions should be Partial EMV transactions BP If PIN CVM is supported use Table Pay for restaurant tipping BP Fallback Prompting should only be allowed for a limited time BP When prompting use No PIN / PIN rather than Credit / Debit BP PIN Preferring and Credit / Debit selection methods should be supported BP A default application name should be assigned for all AIDs BP If multiple languages supported, cardholder should be prompted to select BP Prompt cardholder to Leave Card Inserted BP PIN CVM is not required BP Allow opportunity for customers who don t know their PIN to continue with the transaction BP Terminal Risk Management features should be supported BP Generated Offline approval codes should be in the format E BP Do not print receipt until the card has been removed BP Sound audible beep while waiting for card to be removed BP EMV Tags should be sent in order BP Authorization request messages must include all authorization EMV tags BP Reversal messages should include all reversal EMV tags BP Settlement messages should include all settlement EMV tags BP EMV Transaction Report should be available for last transaction BP EMV Transaction Report includes data element name and tag number BP EMV Transaction Report information should be stored in journal BP EMV Statistics report is recommended BP EMV Technical Fallback reports are recommended BP POS Entry Mode Report is recommended Paymentech, LLC. All rights reserved Page 15 of 279

16 Table of Contents This page intentionally blank Paymentech, LLC. All rights reserved Page 16 of 279

17 Table of Contents Tables. EMV Configuration Modes EMV Configuration Modes By Terminal Type U.S. Common Debit AIDs U.S. Common Debit Scenarios Development and Certification Components PIN Pad Certification Letters Certification Process Card Brand Certification Test Suites Chase Paymentech Approved EMV Test Tools Full EMV vs. Partial EMV Transaction Steps EMV Credit Transaction Set EMV Debit Transaction Set Contactless Card Schemes EMV Contactless Transaction Set Full EMV Transaction Flow Partial EMV Transaction Flow Chip Service Codes Processing Chip Reader Actions Magstripe Reader Actions Application Identifiers (AID) Cardholder Approval Indicator (Tag 87 bit-8) Recommended Card Entry Prompting Recommended PIN Entry Prompting Recommended Cardholder Amount Confirmation Card Brand Application Version Numbers Credit and Debit Transaction Options for Each Supported AIDs Chase Merchant Services Transaction Type Mapping to Hosts Cardholder Verification Methods (CVM) Cardholder Verification Method Results (Tag 9F34) Byte (CVM) Cardholder Verification Method Results (Tag 9F34) Byte (CVM) Cardholder Verification Method Results (Tag 9F34) Byte Risk Management Requirements Random Selection Values Authorization Response Code Values EMV Reversal Types Transaction Batch EMV Tag Information Required PNS ISO EMV Parameter Fields Paymentech, LLC. All rights reserved Page 17 of 279

18 Table of Contents EMV Parameter Download Required Indicator UTF EMV Parameter Fields Contact EMV Parameters Contactless EMV Parameters Credit Transaction Set Debit Transaction Set Chip Card Data Field Format Authorization Request Message EMV Tags Sensitive Data Tags Authorization Response Message EMV Tags Reversal Message EMV Tags Settlement Message EMV Tags ISO Visa Sale Request Message Raw Data ISO Visa Sale Request Message Formatted ISO Visa Sale Response Message Raw Data ISO Visa Sale Response Message Formatted ISO MasterCard Authorization Request Message Formatted ISO MasterCard Authorization Response Message Formatted ISO MasterCard Reversal Advice Message Formatted ISO MasterCard Authorization Reversal Message Formatted UTF MasterCard Retail Sale Request Message Raw Data UTF MasterCard Retail Sale Request Message Formatted UTF MasterCard Retail Sale Response Message Raw Data UTF MasterCard Retail Sale Response Message Formatted UTF Visa Retail Sale Request Message Raw Data UTF Visa Retail Sale Request Message Formatted UTF Visa Retail Sale Response Message Raw Data UTF Visa Retail Sale Response Message Formatted UTF Visa Reversal Advice Message Raw Data UTF Visa Reversal Advice Message Formatted Stratus Online 7.4 MasterCard Authorization Message Raw Data Stratus Online 7.4 MasterCard Authorization Message Formatted EMV Receipt Information Merchant and Cardholder Receipt Requirements EMV Contact & Contactless Data Elements Sorted by Element Name Basic ATR for T=0 Cards Only Basic ATR for T=1 Cards Only Application Interchange Profile (Tag 82) Byte Application Interchange Profile (Tag 82) Byte Paymentech, LLC. All rights reserved Page 18 of 279

19 Table of Contents Application Priority Indicator (Tag 87) Byte Application Usage Control (Tag 9F07) Byte Application Usage Control (Tag 9F07) Byte Cardholder Verification Rule Byte Cardholder Verification Rule Byte Cardholder Verification Method Results (Tag 9F34) Byte Cardholder Verification Method Results (Tag 9F34) Byte Cardholder Verification Method Results (Tag 9F34) Byte Card Verification Results Byte Card Verification Results Byte Card Verification Results Byte Card Verification Results Byte Card Verification Results Byte Cryptogram Information Data (Tag 9F27) Terminal Capabilities (Tag 9F33) Byte Terminal Capabilities (Tag 9F33) Byte Terminal Capabilities (Tag 9F33) Byte Additional Terminal Capabilities (Tag 9F40) Byte Additional Terminal Capabilities (Tag 9F40) Byte Additional Terminal Capabilities (Tag 9F40) Byte Additional Terminal Capabilities (Tag 9F40) Byte Additional Terminal Capabilities (Tag 9F40) Byte Terminal Verification Results (Tag 95) Byte 1 (Offline Data Authentication) Terminal Verification Results (Tag 95) Byte 2 (Processing Restrictions) Terminal Verification Results (Tag 95) Byte 3 (Cardholder Verification) Terminal Verification Results (Tag 95) Byte 4 (Terminal Risk Management) Terminal Verification Results (Tag 95) Byte 5 (Transaction Completion) Transaction Status Indicator (Tag 9B) Byte Transaction Status Indicator (Tag 9B) Byte APPLICATION BLOCK Command Values APPLICATION UNBLOCK Command Values CARD BLOCK Command Values EXTERNAL AUTHENTICATE Command Values EXTERNAL AUTHENTICATE Response Codes GENERATE AC Command Values GENERATE AC Reference Control Parameter Coding of Cryptogram Information Data GET CHALLENGE Command Values GET DATA Command Values Paymentech, LLC. All rights reserved Page 19 of 279

20 Table of Contents GET PROCESSING OPTIONS Command Values INTERNAL AUTHENTICATE Command Values PIN CHANGE/UNBLOCK Command Values READ RECORD Command Values READ RECORD Reference Control Parameter SELECT Command Values SELECT Reference Control Parameter (P1) SELECT Command Options Parameter (P2) SELECT Response Message Data Field (FCI) of the PSE SELECT Response Message Data Field (FCI) of the DDF SELECT Response Message Data Field (FCI) of the ADF VERIFY Command Values VERIFY Reference Data (P2) EMV Response Codes (SW1 SW2) Certification Parameters Amex Credit Certification Parameters Debit Network Alliance Debit Certification Parameters Discover Certification Parameters Interac Debit Certification Parameters JCB Credit Certification Parameters MasterCard Credit Certification Parameters MasterCard Debit Certification Parameters Visa Credit Certification Parameters China UnionPay Certification Parameters China UnionPay (cont) Glossary of Terms & Acronyms Interac Account Selection Prompting Canadian Application Selection Flag (Tag DF62) Application Selection Flag (Tag DF62) Byte 2 Interpretation Application Selection Scenarios Canadian Debit Transaction Set Paymentech, LLC. All rights reserved Page 20 of 279

21 Change Log Change Log The change control table includes the following columns: Revision Version number for this release of the specification. Date Date this Revision was released for integration. By Whom The author(s) of the edits for this Revision. Description A description of the edits made in this Revision. ID Chase Paymentech issue ID used for internal tracking purposes. Version Date Description Author 1.0 July October 2015 Initial guide development and publication Along with content clarification and formatting changes, the following significant changes have been made: PIN CVM is not mandatory PIN Bypass is strongly recommended Offline authorizations are not supported Fallback processing has been clarified Tip handling has been clarified to include tip adjustments Receipt requirements have been updated Report requirements have been updated B2 Chase Paymentech /4/16 Section 6.4 Fallback Processing complete re-write. Chase Paymentech Paymentech, LLC. All rights reserved Page 21 of 279

22 Change Log Version Date Description Author 2.2 1/19/17 Quick Hits Release Quick Chip section added (6.1.3) Amount confirm screen clarification Removal of Stand-In Processing section (formerly 6.16) Corrected AAC decline in Contactless Transaction Flowchart (5.3.1) Updated and clarified various Cashback content and requirements (6.1.1) Added debit on EMV POS must be EMV debit requirement Updates regarding floor limits in the parameter download file Amount Other update in Canadian Processing Added ICC Solutions Test Suite Bundle in certification tools section AID tables updated Changed references from BIN to IIN Discover contactless values added (section 14) Removed all references to Chase Paymentech Test Module (CPTM) Misc. formatting, style and reference errors corrected o o o o o Replaced old org and role references with new/current Technical Implementation org and roles Corrected list numbering errors Corrected page jump hyperlink errors Replaced B2 style Change Log with new CTI standard format Corrected spelling and grammatical errors 2.3 3/23/17 Added new section to help clarify EMV CVM processing requirements and expectations. Deleted RQ00306 Completion POS Entry Mode must match Pre-Authorization. It was an incorrect Chase Paymentech specific requirement. Also, it is a redundant requirement that is correctly defined in the DES Supplemental Guide. (Spec Inquiry #61) /17/17 Updated to include China UnionPay (CUP) as a new Method of Payment (MOP) throughout document. Chase Paymentech Chase Merchant Services Chase Merchant Services Paymentech, LLC. All rights reserved Page 22 of 279

23 Change Log This page intentionally blank Paymentech, LLC. All rights reserved Page 23 of 279

24 Introduction 1. Introduction 1.1 Implementation Guide Overview This document is the Chase Paymentech EMV Implementation Guide specific to Point of Sale environments. The information that follows encompasses the Chase Paymentech ISO, UTF and Stratus host environments, which will generically be referred to as the Chase host or Chase Paymentech host throughout the document. This document provides guidelines for developing a Chase Paymentech EMV POS Solution: Terminal Configurations Chase Paymentech Development Process and Certification Process EMV Transaction Flow Chase Paymentech EMV Best Practices Chase Paymentech EMV Requirements Host Message EMV Considerations Receipt and Report Guidelines This document also includes EMV reference material that could be useful during the development and certification process: EMV Tag Descriptions EMV AID Lists EMV Parameter Configuration Certificate of Authority Public Key (CAPK) File Format 1.2 EMV Terminal Configurations There are several possible EMV configurations which can be split into two categories; Integrated and Standalone. Integrated solutions generally have an Electronic Cash Register (ECR) directly connected to an external PIN Pad which provides the EMV and contactless functionality. The smartcard reader, PIN entry capability and EMV kernel all reside within the external PIN Pad. There are three supported integrated configurations each of which are detailed in following sections. Standalone solutions consist of a POS terminal that utilizes a PIN Pad to provide the EMV and contactless functionality. The smartcard reader, PIN entry capability and EMV kernel all reside within the PIN Pad. All standalone solutions must adhere to PCI requirements and require a full EMV certification. There are two supported standalone solutions described later in this section. Within this document all EMV and contactless configurations are generically referred to as an EMV POS Solution. Paymentech, LLC. All rights reserved Page 24 of 279

25 Introduction Fully Integrated ECR Solution In Fully Integrated mode the ECR application controls the transaction, provides the Chase Paymentech host interface and stores the authorization data. The ECR interfaces with an external PIN Pad for card entry (swipe / tap / insert) and EMV kernel functionality. The ECR builds the Chase Paymentech host authorization message and parses the Chase Paymentech response message. This solution provides the most control over the transaction process. PCI is in scope for the ECR as the ECR handles the card track data (PCI scope may be reduced or eliminated if P2PE and tokenization are implemented also see Safetech Encryption page 31) An EMV certification is required for the complete solution Paymentech, LLC. All rights reserved Page 25 of 279

26 Introduction For Fully Integrated implementations the ECR is within PCI scope (if not using Safetech Encryption and Safetech Tokenization) as the ECR can see non-encrypted card data. An EMV certification of the complete solution is required Partially Integrated ECR Solution In Partially Integrated mode the ECR application controls the transaction, communicates with the host and stores the authorization data. The ECR interfaces with an external PIN Pad for card entry (swipe / insert / tap) and EMV kernel functionality. The PIN Pad also builds the Chase Paymentech host authorization message and parses the Chase Paymentech response message. However, the ECR provides the actual host connectivity and is responsible for transmitting and receiving host messages and storing the authorization data. This solution reduces the amount of development required on the ECR as it does not build the host messages. PCI is in scope for the ECR as the ECR handles the card track data (PCI scope may be reduced or eliminated if P2PE and tokenization are implemented also see Safetech Encryption page 31) An EMV certification is required for the complete system Partially Integrated mode is generally used when the ECR wants to control the host interface and see card data without having to implement the host request and response message logic. This implementation is ideal for companies with ECR applications that connect to multiple Chase Paymentech hosts as the ECR application can remain consistent and only the PIN Pad logic would need to differ. Paymentech, LLC. All rights reserved Page 26 of 279

27 Introduction For Partially Integrated implementations the ECR is within PCI scope (if not using Safetech Encryption and Safetech Tokenization) as the ECR can see non-encrypted card data. An EMV certification of the complete solution is required Semi-Integrated ECR Solution In Semi-Integrated mode the ECR interfaces with a PIN Pad (or terminal) for EMV functionality. The PIN Pad also provides the Chase Paymentech host interface and stores the authorization data. This solution eliminates much of the ECR development as the ECR does not build the host authorization message. The ECR initiates the transaction and utilizes the external PIN Pad to provide the Chase Paymentech host interface, to store the authorization data, for card entry (swipe / insert / tap) and to provide EMV kernel functionality. PCI is not in scope for the ECR as the ECR does not see the card data An EMV certification of the complete solution is not required as the PIN Pad contains the full Paymentech, LLC. All rights reserved Page 27 of 279

28 Introduction payment application In Semi-Integrated mode the PIN Pad interface generally consists of high level commands that are simple to implement on an ECR. This is ideal for companies with multiple ECR vendors (or types) as most of the host and EMV functionality is contained within the PIN Pad, meaning that host and EMV development would not need to be replicated on each type of ECR supported. Chase Paymentech Host Semi-Integrated ECR External PINPad Host Host Communication Store Auth Data Magstripe Magnetic Stripe Reader ECR Application EMV POS Application POS Transaction ECR Interface EMV Kernel PIN Entry Device ICC Reader Amex ExpressPay Contactless Kernel Discover D-PAS MasterCard PayPass Visa paywave For Semi-Integrated implementations the ECR is not within PCI scope as the transaction is controlled by the external PIN Pad and the ECR does not see cardholder data. An EMV certification of the complete solution is not required as the PIN Pad contains the complete payment application. The PIN Pad requires a full EMV certification. Paymentech, LLC. All rights reserved Page 28 of 279

29 Introduction Standalone POS Solution (Internal PINPad) In this mode a single standalone POS terminal is used that includes an internal PIN Pad. The POS terminal contains the POS application and utilizes the EMV kernel residing in the internal PIN Pad to provide EMV functionality. This is often the simplest and most cost effective EMV POS Solution. Standalone internal PIN Pad implementations are within PCI scope (if not using Safetech Encryption and Safetech Tokenization). An EMV certification of the complete solution is required. Paymentech, LLC. All rights reserved Page 29 of 279

30 Introduction Standalone POS Solution (External PINPad) In this mode a standalone POS terminal controls the transaction, provides the Chase Paymentech host interface and stores the authorization batch data. The POS terminal interfaces with an external PIN Pad for card entry (swipe / insert / tap) and EMV kernel functionality. This is a cost effective EMV POS Solution for environments where the merchant and customer cannot easily share the same device, or if you have an existing terminal base that is not EMV compliant and you wish to add EMV functionality by simply adding an EMV certified PIN Pad. Standalone external PIN Pad implementations are within PCI scope and an EMV certification of the complete solution is required. Paymentech, LLC. All rights reserved Page 30 of 279

31 Introduction 1.3 Safetech Encryption Safetech Encryption is a point-to-point encryption (P2PE) technology that protects the primary account number (PAN) on a payment card from the moment of capture at the point of sale (POS) until it reaches the Chase Paymentech host, without requiring the customer to process, transmit or store unprotected card account data. Using Safetech Encryption may reduce or eliminate PCI requirements as your EMV POS Solution does not see unencrypted card data. Please contact your Account Representative for more information. 1.4 Safetech Tokenization Safetech Tokenization provides cardholder data security by returning a token in the transaction response message. By returning tokens to merchants, no cardholder data needs to be passed in subsequent transactions as the token serves as a proxy for the original account number. Merchants can also use tokens in lieu of clear card numbers in their internal systems as well. Using Safetech Tokenization may reduce or eliminate PCI requirements as your EMV POS Solution does not see unencrypted card data. Please contact your Account Representative for more information. 1.5 EMV and Contactless Solution Components All EMV POS Solutions must have the following components: An EMV capable PIN Pad that is: EMV Level 1 and Level 2 type approved PCI PTS approved MasterCard TQM (Terminal Quality Management) labeled Chase Paymentech approved (i.e. can be injected by Chase Paymentech or an authorized provider, and the PIN Pad application has been approved for use by Chase Paymentech) A receipt printer (if an attended device) The ability to download EMV parameters. The methods used to manage and download EMV parameters are the responsibility of the developer. For a list of required EMV parameters, see page 239 The ability to download Certificate of Authority (CA) Public Key (CAPK) information. The CA Public Key file cannot be hardcoded as it will change. For more information on downloading CAPK information, see page Chase Paymentech Supported Configurations The U.S. payment industry is migrating to EMV. Chase Paymentech, along with industry payment partners are committed to this migration. All existing non-emv applications, at some point, should be upgraded to support EMV. The migration to EMV is expected to take a considerable amount of time. Cards with a magnetic stripe will continue to be issued and used for the foreseeable future. Therefore, all EMV POS Solutions must continue to support magstripe transactions. Paymentech, LLC. All rights reserved Page 31 of 279

32 Introduction BP Contactless should be supported Chase Paymentech recommends that all EMV POS Solutions support contactless transactions All EMV POS Solutions must support MSR transactions Chase Paymentech requires that the EMV POS Solution includes support for magstripe only cards and fallback magstripe transactions Debit on chip enabled EMV POS Solutions must support EMV and MSR debit It is optional for clients/merchants to accept debit. Chase Paymentech requires that if debit will be accepted on chip enabled EMV POS Solutions, those devices must be capable of supporting EMV PIN debit and magstripe PIN debit. The EMV architecture supports several configuration modes for EMV POS Solutions. Currently, Chase Paymentech is an Online-Only acquirer which means that all transactions must go online for authorization. The following table defines the EMV configuration modes and for each mode identifies whether it is supported by the Chase Paymentech host. Mode EMV Configuration Modes Usage Chase Host Online Only Transactions are always sent to the host for authorization. Floor Limit processing is not used. Yes Online with Offline Capabilities Transactions can be locally authorized, based on Risk Management processing or sent to the Host for authorization. The EMV Floor Limit must be set to zero; therefore, the EMV POS Solution will behave like an Online-Only solution. Yes Offline Only Transactions are always locally approved. Used for attended and unattended, cardholder activated devices. No Paymentech, LLC. All rights reserved Page 32 of 279

33 Introduction Chase Paymentech is an Online-Only acquirer. However, during certification EMV POS Solutions may be required to perform and pass non-zero EMV Floor Limit (Offline) certification test cases. This is to ensure the EMV POS Solution is capable of supporting a non-zero EMV floor limit in the future. The following table shows the EMV Terminal Types and identifies whether they are supported by the Chase Paymentech host. EMV Configuration Modes By Terminal Type Environment Operation Modes Terminal Type Chase Host Online Only 11 Yes Financial Institutions Offline with Online Capabilities 12 Yes Attended Offline Only 13 No Online Only 21 Yes Merchant Offline with Online Capabilities 22 Yes Offline Only 23 No 1 Online Only 14 Yes Financial Institutions Offline with Online Capabilities 15 Yes Unattended Offline Only 16 No Online Only 24 Yes Merchant Offline with Online Capabilities 25 Yes Offline Only 26 No 1 1 Speak to your Implementation Manager if Offline-Only processing is required. The EMV Terminal Type (Tag 9F35), Terminal Capabilities (Tag 9F33) and Additional Terminal Capabilities (Tag 9F40) tags are used to set and identify the current EMV kernel configuration. 1.7 U.S. Debit To meet the requirements of the Durbin amendment to the Dodd Frank Wall Street Reform and Consumer Protection Act ( Durbin regulations ), which enables merchants and acquirers to choose to route transactions from debit and prepaid card programs via unaffiliated networks, Visa and MasterCard have introduced the following AIDs (commonly referred to as the U.S. Common Debit AIDs ). U.S. Common Debit AIDs Brand Scheme Common Debit AID MasterCard US Maestro A Visa Visa Common Debit A Discover Debit A DNA DNA Shared A Paymentech, LLC. All rights reserved Page 33 of 279

34 Introduction China UnionPay Debit A In addition to MasterCard and Visa, the Debit Network Alliance (DNA) and other individual debit networks will offer their own U.S. Debit AIDs that will only reside on non-visa and non-mastercard branded cards. Visa, MasterCard, and Discover branded chip cards issued in the U.S. under debit and prepaid card programs, will support both a U.S. Common Debit AID and a Global AID (either the standard Visa AID, the standard Discover AID, the standard MasterCard AID or the Maestro AID). If a Global AID (Visa, MasterCard, Global Maestro, or Discover) is used to initiate the chip transaction, the transaction will be routed via the appropriate Visa, MasterCard, or Discover credit network. The network used is based on the card IIN. If a U.S. Common Debit AID is used to initiate a chip transaction, the resulting transaction may also be routed via unaffiliated networks that have executed the necessary access agreement with Visa, MasterCard, or Discover. For both contact and contactless transactions, EMV POS Solutions should use the standard Application Selection process described for EMV transactions. The merchant may filter the resulting Candidate List to remove multiple AIDs which access the same underlying funding account. EMV POS Solutions must not assume that if a U.S. Common Debit AID is present, that this AID can be automatically selected to the exclusion of all other AIDs on the card, as those AIDs may relate to alternative products which the cardholder may wish to use (such as a credit product which is issued together with a debit product). All AIDs which relate to debit or prepaid programs will be identified in the data read during Application Selection. The presence of the following two data elements identifies the AID as relating to a U.S. Debit or prepaid program: Issuer Country Code (Tag 5F55) Two alpha digits with a value of 0x5553 ( US ) Issuer Identification Number (Tag 42) Contains the Bank Identification Number (BIN) There are four possible situations that must be handled: 1. The card has two or more AIDs where these data elements are present and the values of the Issuer Identification Number (IIN) are the same (Scenario One, Table 4 below): a. The EMV POS Solution may assume that the AIDs with the same IIN access the same underlying funding account and can eliminate all but one of those AIDs from the Candidate List. b. When these are the only AIDs present in the card, the EMV POS Solution may automatically select the remaining AID in the Candidate List. 2. The card has two or more AIDs where these data elements are present and the values of the Issuer Identification Number (IIN) are the same. There are also one or more other AID(s) present on the card that have a different IIN or the IIN is not present (Scenario Two, Table 4 below): a. The EMV POS Solution may assume that the AIDs with the same IIN access the same underlying funding account and can eliminate all but one of those AIDs from the Candidate List. b. For contact transactions the EMV POS Solution should present the remaining Candidate Paymentech, LLC. All rights reserved Page 34 of 279

35 Introduction List choices to the cardholder in accordance with Final Selection processing. c. For contactless transactions, the EMV POS Solution should automatically select the AID in the Candidate List with the highest Application Priority Indicator (Tag 87). 3. When a card has two or more groups of AIDs where these data elements are present and each group has two or more AIDs with the same IIN (Scenario Three, Table 4 below): a. For each group of AIDs with the same IIN, the EMV POS Solution may assume the AIDs access the same underlying funding account and can eliminate all but one of those AIDs from the Candidate List - leaving only one AID for each IIN. b. For contact transactions, the EMV POS Solution should present the remaining Candidate List choices to the cardholder in accordance with Final Selection processing. c. For contactless transactions, the EMV POS Solution should automatically select the AID in the Candidate List with the highest Application Priority Indicator (Tag 87). 4. When a card has multiple AIDs where these data elements are present and all AIDs have the same IIN, and there are multiple U.S. Common Debit AIDs present (Scenario Four, Table 4 below): a. The EMV POS Solution should assume that each U.S. Common AID relates to a different underlying funding account. b. The EMV POS Solution should eliminate either of the following from the Candidate List: i. All of the U.S. Common Debit AIDs ii. All of the Global Debit AIDs c. For contact transactions, the EMV POS Solution should present the remaining Candidate List choices to the cardholder in accordance with Final Selection processing. d. For contactless transactions, the EMV POS Solution should automatically select the AID in the Candidate List with the highest Application Priority Indicator (Tag 87). Scenario One Global Debit AID U.S. Common Debit AID Two U.S. Common Debit Scenarios AID Country Code Tag 5F55 IIN Tag 42 Card accesses single debit funding account A X1010 US XX0000 A XXXXX US XX0000 Candidate List Choice for the Merchant Merchant may decide which AID to select based on their preferred routing choice: Global AID may only be routed to the associated card brand s credit network (any supported CVM may be used) U.S. Common Debit AID may be routed to any of the supported debit networks (any supported CVM may be used) Combo card accessing a credit account and a single funding debit account Global Credit AID A X1010AA01 N/A N/A Global Credit AID will remain in the Candidate List for cardholder selection as described in EMV. Paymentech, LLC. All rights reserved Page 35 of 279

36 Introduction Scenario U.S. Common Debit Scenarios AID Country Code Tag 5F55 IIN Tag 42 Candidate List Choice for the Merchant Global Debit AID U.S. Common Debit AID A X1010AA02 US XX0000 A XXXXX US XX0000 Merchant should decide on either the Global AID or the U.S. Common Debit AID based on their preferred routing choice: Global AID may only be routed to the associated card brand s credit network (any supported CVM may be used) U.S. Common Debit AID may be routed to any of the supported debit networks (any supported CVM may be used) Three Card accesses two debit funding accounts Accounts have different IINs Global Debit AID 1 U.S. Common Debit AID 1 A X1010AA01 US XX0000 A XXXXXAA01 US XX0000 Merchant should choose either the Global AID 1 or the U.S. Common Debit AID 1 based on their preferred routing choice: Global AID 1 may only be routed to the associated card brand s credit network (any supported CVM may be used) U.S. Common Debit AID 1 may be routed to any of the supported debit networks (any supported CVM may be used) Global Debit AID 2 U.S. Common Debit AID 2 A X1010AA02 US XY9999 A XXXXXAA02 US XY9999 Merchant should choose either the Global AID 2 or the U.S. Common Debit AID 2 based on their preferred routing choice: Global AID 2 may only be routed to the associated card brand s credit network (any supported CVM may be used) U.S. Common Debit AID 2 may be routed to any of the supported debit networks (any supported CVM may be used) Four Card accesses two debit funding accounts Accounts have same IINs Global Debit AID 1 U.S. Common Debit AID 1 Global Debit AID 2 A X1010AA01 US XX0000 A XXXXXAA01 US XX0000 A X1010AA02 US XX0000 Merchant should choose either Global AID 1 and Global AID 2 or U.S. Common Debit AID 1 and U.S. Common Debit AID 2 based on their preferred routing choice: Global AID 1 and 2 may only be routed to the associated card brand s credit network (any supported CVM may be used) U.S. Common Debit AID 1 and 2 may be routed to any of the supported debit networks (any Paymentech, LLC. All rights reserved Page 36 of 279

37 Introduction Scenario U.S. Common Debit AID 2 U.S. Common Debit Scenarios AID Country Code Tag 5F55 IIN Tag 42 A XXXXXAA02 US XX0000 Candidate List Choice for the Merchant supported CVM may be used) For each of the scenarios described above, the method used by the EMV POS Solution to identify the AID(s) to eliminate from the Candidate List is described in more detail in the Credit / Debit section and U.S. Debit Processing section (see page 89). BP U.S. Debit selection method should be configurable Chase Paymentech recommends that the U.S. Debit identification method be configurable to support changes in merchant and acquirer preferences. Both methods will be tested during certification. BP Select U.S. Common Debit AIDs when present on card Chase Paymentech recommends that when both U.S. Common Debit and Global AIDs are present for the same funding account, that the Global AIDs be removed from the Candidate List. Using the U.S. Common Debit AID provides the maximum flexibility in debit routing options. BP Allow Cardholder to select AID when more than one funding source If more than one funding source is present, the cardholder must be able to choose which account to pay from. Paymentech, LLC. All rights reserved Page 37 of 279

38 Development Process 2. Development Process 2.1 Development and Certification Please be aware that implementing an EMV POS Solution is a much more difficult and time consuming process than implementing a traditional magstripe solution. EMV solutions are more complex and are subject to an extended and more rigorous certification process which, in addition to the standard Chase Paymentech certification, includes certification by the card brands and possibly a pilot. IT IS IMPORTANT THAT YOUR DEVELOPMENT TIMELINES REFLECT THE DEVELOPMENT COMPLEXITY AND THE ADDITIONAL TIME REQUIRED TO COMPLETE THE CERTIFICATION PROCESS. The table below outlines the development and certification components that will be used when developing an EMV POS Solution with Chase Paymentech. The information that follows encompasses the Sales, Account Executive and Relationship Management team, which will be generically referred to as the Account Representative and the Technical Implementation team which will be generically referred to as the Implementation Manager. Development and Certification Components 1. Client Consulting Discovery Chase will perform a Discovery process to define and understand the client s project business requirements. The team will interface with the client management and business decision makers to determine: Project timing High level project requirements Connectivity requirements Security implementations Funding windows In some cases this step may involve more technical discussions on some issues. 2. Contract The Account Representative will initiate the client setup process: Review contracts (new and existing) o A contract will be put into place for the client development project. o If the client already has a Chase contract, it may be modified or amended to include the new development. Engage Risk and Credit Add products and features Assign a Case Number (this number must be referenced on all correspondence). 3. Client Setup The Account Representative will engage the boarding team to configure the client s business parameters: Merchant information Products and services Methods of Payment (MOPs) EMV Parameters Paymentech, LLC. All rights reserved Page 38 of 279

39 Development Process 4. Implementation Managers The Implementation Manager works with the client to finalize: Connectivity requirements Products and Services Payment processing options: o EMV field guidance o Technical Specifications o Special processing requirements 5. Technical Profile Questionnaire The Technical Profile Questionnaire (TPQ) is completed by the client, with the assistance of their Implementation Manager. The TPQ is used to ensure that the client is implementing a valid, supportable EMV configuration that meets Chase Paymentech requirements. The TPQ defines EMV information related to the: Terminal Type Terminal Capabilities Additional Terminal Capabilities PIN Pad Certification Letters For more information on the Technical Profile Questionnaire see page Technical Implementations The Technical Implementations team will: Provide detailed test scripts Configure host connectivity Configure test credentials Generate Proof of Readiness (POR) test cases and them to the client 7. EMV Training EMV projects are considerably more complex than traditional magstripe applications. For this reason, Chase Paymentech highly recommends that first time EMV developers receive EMV training before beginning an EMV development project. For more information on EMV training, see page EMV Certification Test Tools The Collis Merchant Test Suite (MTS) contains all required card brand certification test cases, as well as a number of Chase Paymentech specific EMV test cases that must be completed during EMV certification. For more information about the Collis Merchant Test Suite, see page 49. Chase Paymentech has also partnered with ICC Solutions to offer the ICC Test Suite Bundles for Certification tools as an option to the Collis MTS for thorough and complete EMV testing and certification. For more information about ICC Solutions Test Suite Bundles for Certification, see page 53. Paymentech, LLC. All rights reserved Page 39 of 279

40 Development Process 9. Development and Testing The client develops their EMV POS Solution based on the project information provided to Chase Paymentech and performs standalone testing. During this process the client can submit their questions into the support box. If during development the project goes dormant and Chase has no communication with the client, the project may be closed. If that occurs, the project will have to be reopened by the client when ready to proceed. After 2 weeks with no client communication, the Chase Implementation Manager will send an warning that the project may be closed After 4 weeks with no client communication, the project will be closed until the client is ready to resume If the project is closed, the client will need to contact their Account Representative to have the project reopened 10. Proof of Readiness (POR) Testing Proof of Readiness (POR) testing must be performed by the client and reviewed by Chase Paymentech before any formal certification can begin. The purpose of POR testing is to ensure that the client has host connectivity and is ready to begin self-testing and certification. POR testing is a simple process that involves running a few magstripe transactions, one EMV transaction for each card brand supported and a single contactless transaction. At the completion of POR testing Chase Paymentech will review the results. If there are any issues, they will have to be corrected by the client and POR testing will have to be redone. For more information on POR testing see page Certification Test Case Document Chase will create a test case document that must be completed by the client to Class B certify the EMV POS Solution. This document will include: Class B magstripe certification test cases Chase specific EMV test cases 12. Class B Certification The client will execute the magstripe and EMV test cases defined in the Certification Test Case document: Magstripe test cases When all test cases have been completed, Chase Paymentech will review the test case results and create an issues document. If there are any issues, the errors will have to be corrected and the failed test cases must be rerun. Note: This process generally requires multiple passes over a 2-3 month period. 13. Class B Certification Letter Once all Class B magstripe and EMV test cases have been passed, Chase Paymentech will issue a Class B Certification letter. At this point, the client may begin to deploy the solution as a magstripe solution only. The deployed solution may include End-to-End Encryption and Tokenization. Note: The deployed solution cannot include any EMV functionality. Paymentech, LLC. All rights reserved Page 40 of 279

41 Development Process 14. EMV Card Brand Certification EMV Card Brand Certification must be performed once for each combination card brand / kernel configuration supported. During EMV Card Brand Certification: The client is responsible for running the card brand EMV test cases Chase Paymentech is responsible for supplying the test case requirements (e.g. M-TIP) and submitting the test case results for card brand approval To reduce the time required to complete this process, Chase staggers the start of each EMV Card Brand Certification and provides parallel processing of all brand certifications. While the client is running the next certification test cases, Chase Paymentech will be submitting previously completed card brand test case results for card brand approval. If any test cases fail, your Implementation Manager will determine, based on the type and complexity of the error, whether only the current brand test cases must be rerun or if all test cases for all card brands must be rerun. Note: The time required to complete EMV Card Brand Certification varies depending on the number of card brands supported and the complexity of the EMV POS Solution. It is a lengthy process, so be sure the EMV POS Solution is ready before beginning this process. Failed certifications will greatly increase the time required to complete. 15. EMV Certification Letter Once all EMV card brands have been certified, EMV Card Brand Certification is complete and Chase Paymentech will issue an EMV certification letter. The EMV POS Solution may now be deployed as an EMV capable solution. 16. Pilot Chase Paymentech does not require a pilot before beginning a rollout of an EMV POS Solution; however: Chase Paymentech does recommend that the rollout begin slowly with a few test locations so results can be analyzed by the client before beginning a full rollout In some cases MasterCard will require that an End-To-End-Demonstration (ETED) be performed at a pilot location before a full rollout may begin For more information on pilot and ETED requirements see page Rollout A full rollout of the EMV POS Solution may begin. Note: EMV certifications are not permanent. For information on an EMV POS Solution recertification requirements, see page Technical Profile Questionnaire (TPQ) To ensure that the client is implementing a valid, supportable EMV configuration that meets Chase Paymentech requirements, the client in conjunction with their Implementation Manager, will complete a Technical Profile Questionnaire (TPQ). The information on this form is obtained from the device and PIN Pad information provided by the client. The TPQ allows Chase Paymentech an opportunity to review the proposed implementation, validate that the configuration is currently supported and document the configuration, including all associated certification documents, for future reference. To complete the TPQ, the client must supply information relating to the PIN Pad and PIN Pad kernel being implemented. This includes but is not limited to: PIN Pad Terminal Brand/Model Paymentech, LLC. All rights reserved Page 41 of 279

42 Development Process PIN Pad Software API (Example VeriFone XPI 5.32) EMV Co Level I and II Approvals TQM Label or Action Plan PCI PED Approval Kernel Terminal Capabilities Kernel Additional Terminal Capabilities Notify Chase of all PIN Pad kernel configurations being used Chase Paymentech requires the client to notify their Account Representative of all PIN Pad kernel configurations being used by the EMV POS Solution as all kernel configurations must be documented in the TPQ. The client will be required to provide the following PIN Pad certification letters for the PIN Pad model and kernel configuration being used. These letters can generally be obtained from the PIN Pad vendor. PIN Pad and PIN Pad kernel certifications do expire. It is the developer s responsibility to ensure that the PIN Pad and PIN Pad kernel are current and that none of the certification letters have expired. The following table identifies the required PIN Pad certification letters and their duration. Letters PIN Pad Certification Letters Expires After EMVCo EMV Level 1 Letter of Approval EMVCo EMV Level 2 Letter of Approval EMVCo Contactless Level 1 Letter of Approval Brand Contactless Level 2 Letters of Approval (one per supported brand) MasterCard TQM Letter or TQM Label PCI PTS Certification Letter 4 Years 3 Years 4 Years Typically 2 years after date of approval N/A PCI PTS certification expiry is dependent on the PTS version the device was certified under. Note: PTS 1.0 devices are no longer supported Provide PIN Pad Certification Letters of Approval (LOA) Chase Paymentech requires the client to provide all certification Letters of Approval (LOA) for the EMV PIN Pad being implemented. Failure to do this will cause the project to be delayed until the required certification letters have been provided. Paymentech, LLC. All rights reserved Page 42 of 279

43 Development Process EMV certification letters must be current Chase Paymentech requires that all EMV certification letters be current and not about to expire. An EMV POS Solution will not be certified if any of the certification letters is scheduled to expire within 90 days of the date of certification. 2.3 Training It is important that everyone involved in the development and testing of an EMV project receive EMV training before beginning. Although this is not considered mandatory by Chase Paymentech, it is highly recommended as EMV and contactless solutions are considerably more complex than traditional magstripe solutions. Beginning EMV projects without proper training will lead to extended project timelines and certification issues that could require extensive time and redevelopment to resolve. Chase Paymentech cannot provide low level EMV, contactless or PIN Pad kernel integration support. It is the developer s responsibility to obtain this information from other third party sources. There are several external sources where EMV training may be obtained: Please check with your Implementation Manager for other possible EMV and contactless training options. BP Obtain EMV Training before beginning an EMV project Chase Paymentech highly recommends that everyone involved in EMV development and testing receive EMV training prior to beginning an EMV project. 2.4 Technical Support The intent of this document is to provide developers who are familiar with EMV, the necessary information to be self-supporting while developing their EMV POS Solution. Your Implementation Manager can provide some additional EMV implementation information and recommendations. However, Chase Paymentech cannot provide low level EMV, contactless or PIN Pad kernel integration support. It is the developer s responsibility to obtain this information from other sources: EMV requirements and guidelines can be obtained from the EMVCo website Paymentech, LLC. All rights reserved Page 43 of 279

44 Development Process For PIN Pad kernel technical support, refer to the PIN Pad vendor s documentation or contact the PIN Pad vendor to inquire about the availability of PIN Pad integration training and support Chase Paymentech does not recommend or endorse any specific external support service. 2.5 Development Host Connection Information During development and testing it will be necessary to send online EMV transactions to the Chase Paymentech host (or host simulator). Your Implementation Manager will provide the required development configuration information (Terminal IDs, Merchant IDs, IP address (URL), port, etc.). 2.6 Certification Process Chase Paymentech requires a full certification of all EMV, contactless and traditional magstripe transactions before an EMV POS Solution will be certified for rollout as an EMV solution. The certification duration is dependent on the complexity of the EMV POS Solution and the quality of the implementation. It is important to note that if the EMV POS Solution fails certification at any point, the entire certification process may have to be repeated. EMV certification is an extensive multi-step process which involves completing Chase Paymentech Class B certification, which includes both magstripe and EMV testing, and then completing EMV card brand certification for each card brand and kernel configuration supported. Class B certification validates message format adherence to the Chase Paymentech host. EMV card brand certification validates EMV functionality adherence to the card brands. EMV certification is extremely rigorous and far more time consuming than a traditional magstripe certification. This additional complexity should be accounted for in your project implementation timelines. The certification process cannot begin until development and self-testing has been completed. The certification process is performed as per the steps outlined below. All steps must be completed before certification is considered complete. Chase Paymentech does not charge for certifications. However, any certification fee dictated by the card brands will be passed directly on to the client. Paymentech, LLC. All rights reserved Page 44 of 279

45 Development Process Certification Process 1. Proof of Readiness Testing Before formal certification can begin, Proof of Readiness (POR) testing must be performed by the client and reviewed by Chase Paymentech, to ensure the EMV POS Solution is ready for certification. POR testing requires the client to perform: Several magstripe transactions for specific dollar amounts One EMV contact transaction for each of the card brands supported (e.g. Visa, MasterCard, Amex, etc.) A single contactless transaction (if supported) At the completion of POR testing Chase Paymentech will review the results. If there are any issues, the issues will have to be corrected and POR testing must be rerun. Note: All POR transactions should be approved by the Chase host. 2. Class B Magstripe Certification The client will execute the Class B magstripe test cases as defined in the Chase Test Case document. Tests are run using the Certify platform If assistance is required your Implementation Manager Test results should be populated into the test case document When testing is complete, Chase Paymentech will review the certification results and create an issues document. If there are any issues, the errors will need to be corrected and the failed test cases must be rerun. Note: This process generally requires multiple passes over a 2-3 month period. Paymentech, LLC. All rights reserved Page 45 of 279

46 Development Process Certification Process 3. Card Brand Certification Card Brand Certification must be performed once for each card brand / kernel configuration combination supported. Once pre-certification has been successfully completed, final card brand certification can be run while connected to the Chase host and the card brand simulators. The card brand certification process is performed as follows: 1. Chase Paymentech will provide test case documents (e.g. M-TIP) identifying the test cases that must be performed for a specific card brand The client will execute the required test cases for the specific card brand and submit the results to Chase Paymentech including: o card logs o completed questionnaires o receipts Chase Paymentech will review the results to ensure they are complete and submit them to the appropriate card brand for approval To decrease the time required to complete this process, the EMV Card Brand Certification steps will be performed one card brand at a time with the client and Chase Paymentech working in parallel. The client submits card brand results immediately after completion of each card brand, before beginning testing of the next card brand While the client tests the next card brand, Chase Paymentech will review and submit the completed card brand test case results for card brand approval If any test cases fail, Chase Paymentech will determine, based on the type and complexity of the error, whether only the current brand test cases must be rerun or if all test cases for all card brands must be rerun. For more information on Card Brand Certification see page 47. If you require additional information, contact your Implementation Manager. BP Budget adequate time for certification EMV POS Solutions require considerably more time to certify than traditional magstripe solutions. Please ensure that you budget at least 6-8 weeks to complete Pre-Certification and 3-5 weeks to complete Final (Card Brand) Certification. This time period will vary based on the complexity of the implementation and the number of card brands and kernel configurations being certified EMV Test Tool is required for Card Brand Certification Chase Paymentech requires that an approved EMV Test Tool be used to perform Card Brand Certification. For information about the recommended EMV Test Tools, see page 49. Paymentech, LLC. All rights reserved Page 46 of 279

47 Development Process 2.7 Card Brand Certification Card Brand Certification is the final step in the EMV certification process and is performed while connected to EMV Card Brand Simulators. A separate Card Brand Certification must be performed for every card brand and PIN Pad kernel combination being used by the EMV POS Solution. The following Card Brand Certification Test Suites must be used when performing card brand certification. Card Brand Certification Test Suites Card Brand EMV Test Suite Contactless Test Suite Amex / JCB* (*JCB processes via American Express in AEIPS ExpressPay Canada.) Debit Network Alliance Contact your Certification Analyst n/a Discover/Diners/JCB* (*JCB processes via D-PAS E2E D-PAS Contactless E2E Discover in the US.) China UnionPay D-PAS E2E D-PAS Contactless E2E Interac Terminal Certification Reader Terminal Interoperability and Confidence Test MasterCard M-TIP M-TIP Visa ADVT CDET qvsdc (only required for contactless-only implementations) Per the Visa Inc. U.S. EMV Chip Terminal Testing Requirements, qvsdc DM test results are no longer required in Visa CCRT when a dual-interface integrated terminal is selected. The qvsdc DM testing is still required for a standalone contactless-only device qvsdc certification is required for contactless-only Visa EMV POS Solutions Visa requires that a qvsdc certification be completed when implementing a Visa contactlessonly EMV POS Solution. This is in addition to the Visa CDET certification that must be completed for all contactless implementations. As each Card Brand Certification is completed, the results, including all card logs and receipts must be forwarded to Chase Paymentech. Chase Paymentech will review the results and forward them to the card brands for formal analysis and approval. If multiple PIN Pad kernel configurations are being certified, the certification timeframe will increase accordingly. If any EMV Card Brand Certification test case fails, EMV Card Brand Certification must be redone for the failing card brand. Depending on the severity and type of failure, it is possible that another entire EMV Card Brand Certification will be required for all card brands supported. Chase Paymentech will Paymentech, LLC. All rights reserved Page 47 of 279

48 Development Process determine what must be done based on the severity of the failure and the complexity of the changes required to correct. BP Be ready before attempting Card Brand Certification Card Brand Certification is a time consuming and costly process. If your EMV POS Solution fails Card Brand Certification, it will have to be redone which means additional time and cost. So do not perform Card Brand Certification until you are confident that your EMV POS Solution will pass all test cases Multiple certifications required if multiple kernel configurations supported The card brands require that a card brand certification be performed for every kernel configuration supported. Therefore, multiple certifications may be required for each card brand. One for each kernel configuration supported. 2.8 Pilot Chase Paymentech does not require a pilot before beginning a full rollout of an EMV POS Solution. However, due to the complexity of EMV applications it is recommended that a short pilot be run at a few locations before beginning a rollout. This will help ensure that the EMV POS Solution is properly configured for production and that EMV transactions are being processed and settled properly. In some situations MasterCard will require that the EMV POS Solution undergo End-to-End Demonstration (ETED) testing. When required: ETED testing is performed by a MasterCard representative at a pilot site MasterCard will perform a few live online transactions while connected to the production Chase Paymentech host MasterCard will analyze the messages and transaction results When ETED testing is required, it must be completed to MasterCard s satisfaction before a full rollout may begin. BP Production validation prior to rollout is strongly encouraged Although not required Chase Paymentech recommends that a single device or store be tested in production before a rollout, or even a pilot, begins. 2.9 Post Rollout Re-Certification EMV certifications are not permanent. There are a number of reasons that a deployed EMV POS Solution may need to be updated and re-certified after it has been rolled out: 1. Changes to an EMV parameter other than a parameter that is downloaded from the Chase Paymentech host 2. Expiring certifications (PIN Pad hardware or kernel) check with your Account Paymentech, LLC. All rights reserved Page 48 of 279

49 Development Process Representative to determine if re-certification is required 3. Inter-operability issues 4. Payment application changes When a situation occurs that affects your EMV POS Solution, it will be necessary to make the required changes and to re-certify your solution. How quickly this must be completed depends on the reason recertification is required: A date may be set by which time the EMV POS Solution must be re-certified using updated EMVCo and/or card brand approved hardware or software It may be possible to continue using the EMV POS Solution as is, until the next scheduled client modifications are made and a re-certification is required It is the client s responsibility to know when EMV certifications are expiring (see page 42). BP Respond quickly when notified of re-certification requirements Chase Paymentech recommends that the client act quickly when an EMV POS Solution must be re-certified to meet new regulatory requirements. When regulatory changes are mandated, many deployed solutions will require re-certification and the certification queue will fill quickly Keep track of the EMV POS Solution certification status Chase Paymentech requires the client to ensure that their deployed EMV POS Solutions are using supported EMVCo and/or card brand certified hardware and software. The EMV Migration Forum has relevant information that can assist in this effort Chase Paymentech must be notified of changes to EMV functionality Chase Paymentech requires the client to notify their Account Representative before a change is made to a deployed EMV POS Solution that will alter the EMV payment functionality EMV Contact and Contactless Test Tools Chase Paymentech mandates that an EMV Test Tool be used to perform EMV Card Brand Certification. These tools simplify the certification process and provide all reports and card logs required by the card brands when submitting certification test case results. To complete Chase Paymentech certification the EMV Test Tool used must support: The EMV Card Brand Certification test cases for all card brands supported by the EMV POS Solution Chase Paymentech currently supports the following EMV test tools for EMV and contactless certification. Paymentech, LLC. All rights reserved Page 49 of 279

50 Development Process Chase Paymentech Approved EMV Test Tools Company Test Tool Description UL (Underwriters Laboratories) (formerly known as Collis) Collis Merchant Test Suite (MTS) For details see Collis Merchant Test Suite below. ICC Solutions Test Suite Bundles for Certification (TS) For details see ICC Solutions Test Suite Bundles for Certification (ICC TS) below. BP The Collis MTS or ICC Solutions TS are recommended Chase Paymentech recommends that the Collis Merchant Test Suite (MTS) or the ICC Solutions Test Suite Bundles for Certification (TS) be purchased for use during card brand certification and when executing the Chase Paymentech EMV test cases. By using the Collis MTS or ICC TS, a client can reduce their overall certification timeframe based on the enhanced validation provided. Paymentech, LLC. All rights reserved Page 50 of 279

51 Development Process Collis Merchant Test Suite The Collis Merchant Test Suite (MTS) is a fully-equipped hardware and software suite that provides merchants, acquirers, processors and acceptance device vendors with the tools necessary to validate their EMV configurations, and to run all of the major card brand certification test suites. The Collis MTS supports both Point of Sale (POS) terminals and Automated Teller Machines (ATM) and includes detailed scripts that guide the user through the testing process, eliminating much of the complexity and confusion associated with EMV and contactless brand certifications. The Collis MTS includes all the hardware and software required for contact and contactless EMV certifications and comes in a robust carrying case so the complete MTS kit can be easily taken to wherever you need it. The Collis MTS includes two unique boxes (SmartLink and SmartWave ) to emulate both contact and contactless cards. The MTS software provides true card simulation by emulating all the functions of actual EMV and contactless cards. Collis MTS Software: Collis Brand Test Tool (BTT) Supports all major U.S. card brand contact and contactless certification test scripts, and it not only guides you through the certification process, it also tells you if each test case passed or failed. Once certification testing is complete, the BTT allows you to extract all information and reports required for card brand submission. Collis Card Simulator Simulates physical contact and contactless EMV cards allowing developers to perform ad hoc testing. Developers and testers can also alter existing simulated card profiles or create their own test specific EMV conditions. Collis Card Spy Inspects, measures performance and reports on the flow of data between the EMV chip (contact and contactless interfaces) and acceptance devices such as terminals and PIN Pads. All of the Collis MTS software applications provide a comprehensive interface that displays and interprets all of the commands being passed between an EMV capable device and the EMV chip card. This information is invaluable to developers and testers when debugging EMV applications. Collis MTS Hardware: SmartLink Box Physical box and probe used for contact EMV testing SmartWave Box Physical box and contactless probe used for contactless EMV testing Magstripe Test Cards Physical cards used to perform Fallback card testing License Dongle Secures access to the software and allows the Collis MTS to be run on any PC All required accessories such as cables, probes, power supplies etc. are included. The real key to the Collis MTS is the Collis Brand Test Tool (BTT) software. Using the Collis BTT Paymentech, LLC. All rights reserved Page 51 of 279

52 Development Process software you can test EMV devices within the environment in which they will be operated, and test them using the actual brand settings that will be used for development, certification and production. The Collis BTT software produces reports that can be used for local examination and documentation of the test cases. The reports can also be easily saved and exchanged with other parties involved in the certification process. Using the Collis BTT software results in a more robust, repeatable and well-documented development environment which leads to a contact and contactless-compliant, brand-certified payment device that can perform trouble-free EMV transactions within the payment infrastructure. The BTT is constantly being improved and upgraded to keep up with the latest brand certification requirements. It currently supports the following certification suites: Visa ADVT, qvsdc, CDET, paywave MasterCard M-TIP, PayPass Amex AEIPS Discover D-PAS E2E Diners E2E JCB TCI UnionPay UCA Interac Flash Collis is constantly updating their products to add functionality, improve usability and to keep pace with ever changing card brand certification requirements. The Collis product roadmap can be found at More information about the Collis MTS can be found at or sales@b2ps.com. Paymentech, LLC. All rights reserved Page 52 of 279

53 Development Process ICC Solutions Test Suite Bundles for Certification (ICC TS) ICC Solutions Ltd is a global leader in the provision of EMV test tools and services offering the complete set of qualified test suites for card brand accreditation of contact and contactless EMV terminals, (American Express, Discover, Interac, JCB, MasterCard, Visa), in addition to EMVCo type approval. ICC TS standalone contact and contactless certification device test tools are used worldwide by Payment Networks, Terminal and Card Vendors, Test Laboratories, Acquirer / Processors and Merchants / Retailers enabling development, quality, assurance and regression testing in addition to formal merchant certifications. The ICC Solutions contact and contactless test suite bundles are qualified by all payment brands to perform EMV Chip Terminal level 3 brand accreditation tests for certification with Chase Paymentech. What s included in the Test Suite Bundle? Test Software for ALL Brands USB Key for activation Dual Interface Card Reader Paymentech, LLC. All rights reserved Page 53 of 279

54 Development Process ICCSimTMat uses standard EMV chip card form factor ICCSim cards onto which each individual test case is downloaded via the ICCSim card reader prior to running the test. The ICCSim card is also used to capture the transaction log without any need for complex box of electronics, restrictive card paddle, expensive spy hardware or huge deck of cards and is also suitable for creating your own test cards. Operation of ICCSimTMat to perform EMV chip terminal accreditation testing is very straightforward and can be performed by a non EMV expert. Operational assistance is also included in the purchase price which is provided remotely by phone or which includes product training conducted over the internet using WebEx available upon request. A user guide with clear step by step instructions is available after installation. The Test Suite Bundle comprises a single software licence featuring full set of the latest test cases for each ICCSimTMat test suite, 1x Dual I/F ICCSim Card Reader / Writer, full set of ICCSim Cards for each ICCSimTMat test suite plus USB Licence key enabling access to the test suites. Support & Maintenance (S&M) is included in the purchase price for 12 months which entitles you to receive ICCSimTMat test tool upgrades and test script release updates free of charge for each test suite purchased as well as access to technical support. The Test Suite Bundle software can be installed on multiple computers, however it is only the one having the USB licence key connected at any point in time that is able to perform / run the tests. It is possible to run different test suites in parallel by purchasing additional USB licence keys priced along with additional ICCSim readers. Additional ICCSim cards are available suitable for creating your own test card packs for regression / QA testing or training / confidence testing etc. ICC Solutions Ltd provides powerful, efficient and simple solutions through automated Testing Tools for ease of use for the client. Further information about ICC Solutions products and services can be found at: or info@iccsolutions.com Paymentech, LLC. All rights reserved Page 54 of 279