Merchant Testing and Training Pack

Size: px

Start display at page:

Download "Merchant Testing and Training Pack"

Eric Cross
5 years ago
Views:

1 Merchant Testing and Training Pack Product description and user s guide 2017 MERCHANT TESTCARDS ALL RIGHTS RESERVED No Content may be copied, distributed, published or used in any way, in whole or in part, without prior written agreement from Merchant Testcards

2 Table of contents I. High-level description... 3 II. Intended purpose... 3 III. Intended audience... 4 IV. Detailed pack content VISA CREDIT card MASTERCARD CREDIT card DINERS CLUB card VISA ELECTRON card MAESTRO DEBIT card Expired card Card with a blocked application Card with a blocked offline PIN V. Ordering the pack VI. Terminal test configuration Terminal public keys Transaction authorization Loading the Test configuration on a terminal VII. Using the cards Card input Cardholder verification method Resetting the cards VIII. Disclaimer IX. Information for acquirers and terminal providers Authorization information Terminal public keys MERCHANT TESTCARDS ALL RIGHTS RESERVED 2

I. High-level description The Merchant Testing and Training Pack is a set of eight

They are production-grade cards, the very same cards that are used by banks and

ensure that they support certain brands or certain features.

those are prerequisites for terminals to be in service and need very specific and

In terms of terminal behaviour, these cards are more intended to ensure that the

3 I. High-level description The Merchant Testing and Training Pack is a set of eight EMV test cards that can be used with payment terminals and with ATMs. They are production-grade cards, the very same cards that are used by banks and issuers all around the world, encoded with test profiles, that allow testing for positive and negative behaviour. II. Intended purpose The cards are intended to be used for payment terminal testing, to ensure that they support certain brands or certain features. They are not intended for certification or full-blown test and validation, because those are prerequisites for terminals to be in service and need very specific and specialised equipment. In terms of terminal behaviour, these cards are more intended to ensure that the terminal has been set up correctly and is not damaged. The cards can also be used to test the terminal's connection with the acquirer or the service provider, and that the transactions go to the right payment processor MERCHANT TESTCARDS ALL RIGHTS RESERVED 3

Another important aspect is staff training.

supporting your terminals, but also for your customer-facing staff

in the payment space: It can be used by small merchants, who have

test the connectivity and train themselves on the device.

terminal estate and management system, and need to ensure that

that their staff know how to operate the terminals.

4 Another important aspect is staff training. This could be for your technical staff developing, testing or supporting your terminals, but also for your customer-facing staff who have to operate terminals to process transactions and need to be ready for every situation. III. Intended audience This set of cards is intended for a large audience in the payment space: It can be used by small merchants, who have been provided with a terminal by a payment processor, and want to test the connectivity and train themselves on the device. It can be used by medium to large merchants, who operate their own terminal estate and management system, and need to ensure that rollouts are successful, that connectivity is fully functional, and that their staff know how to operate the terminals. It can be used by terminal providers to test configurations before sending them out. It can also be used by payment service providers and value-added resellers for all the purposes stated previously. And it can be used by acquirers for all that, plus testing routing on their switch MERCHANT TESTCARDS ALL RIGHTS RESERVED 4

5 IV. Detailed pack content The pack contains 5 fully functional cards, which can be used to test and train for positive behaviour, as well as 3 cards with common problems that most stores should expect to see usually more than once a week. The cards can be used as magstripe, simply by swiping them, but they are really intended to be used for Chip & PIN transactions or for contactless transactions. The profiles loaded on the cards are globally interoperable, which is the real purpose of EMV. The cards come with a country of issuance and a currency, which can be customized upon request on most cards, but those are mostly transparent pieces of information for a payment terminal because terminals are programmed, tested and certified for global acceptance Those cards should be a good representation of the types of cards that a store normally sees on a weekly basis. 1. VISA CREDIT card The pack contains a VISA credit card, which is both contact and contactless. It is a very common type of card, denominated in US dollar and issued in the USA. Both currency and country can be customized to your domestic environment upon request. This card should be accepted on any terminal or ATM that supports VISA. When used on the contact interface, the card supports the following cardholder verification methods: Online PIN (for ATM) Enciphered offline PIN Plaintext offline PIN Online PIN Signature No CVM 2017 MERCHANT TESTCARDS ALL RIGHTS RESERVED 5

6 Others features for the contact interface include: Support for SDA and DDA Valid for domestic and international cashback Card is not set with any offline limit Features for the contactless interface include: Support for MSD (contactless magstripe) and contactless EMV Support for No CVM Support for offline (with fdda) and online EMV transactions Contactless offline limit set to $30.00 per transaction for USD terminals (unlimited for terminals in other currencies) 2. MASTERCARD CREDIT card The pack contains a MasterCard credit card, which is both contact and contactless. It is a very common type of card, denominated in Euro and issued in Belgium. Both currency and country can be customized to your domestic environment upon request. This card should be accepted on any terminal or ATM that supports MasterCard. When used on the contact interface, the card supports the following cardholder verification methods: Online PIN (for ATM) Plaintext offline PIN Signature No CVM Others features for the contact interface include: Language preference: English, French, Spanish, German Support for SDA and CDA Valid for domestic and international cashback Card is not set with any offline limit 2017 MERCHANT TESTCARDS ALL RIGHTS RESERVED 6

7 Features for the contactless interface include: Support for PayPass Magstripe and PayPass EMV (No CVM) Support for offline and online EMV transactions Support for SDA and CDA Valid for domestic and international cashback Card is not set with any contactless offline limit 3. DINERS CLUB card The pack contains a Diners Club card, which is both contact and contactless, denominated in US dollar and issued in the USA. This card should be accepted on any terminal or ATM that supports Diners Club or Discover. Please note that, because Diners Club and Discover are actually the same brand and share the same technology, they are interchangeable in terms of testing When used on the contact interface, the card supports the following cardholder verification methods: Online PIN (for ATM) Online PIN Signature No CVM Others features for the contact interface include: Support for DDA only Not valid for cashback Card is not set with any offline limit Features for the contactless interface include: Support for magstripe and EMV contactless Support for offline and online EMV transactions Support for CDA Support for Signature, Online PIN verification and No CVM Valid for domestic and international cashback Contactless limit set to $ per transaction for USD terminals (unlimited for terminals in other currencies) 2017 MERCHANT TESTCARDS ALL RIGHTS RESERVED 7

8 4. VISA ELECTRON card The pack contains a VISA Electron card, which is contactonly, denominated in US dollar and issued in the USA. Both currency and country can be customized to your domestic environment upon request. This card should be accepted on any terminal or ATM that supports Electron. The card supports the following cardholder verification methods: Online PIN (for ATM) Plaintext offline PIN Signature Online PIN No CVM Others features include: Support for SDA only Not valid for cashback Card is not set with any offline limit 2017 MERCHANT TESTCARDS ALL RIGHTS RESERVED 8

9 5. MAESTRO DEBIT card The pack contains a Maestro Debit card, which is both contact and contactless, denominated in Euro and issued in Belgium. Both currency and country can be customized to your domestic environment upon request. This card should be accepted on any terminal or ATM that supports Maestro. When used on the contact interface, the card supports the following cardholder verification methods: Online PIN (for ATM) Online PIN (for cash advance) Plaintext offline PIN Online PIN Signature Others features for the contact interface include: Support for SDA and CDA Not valid for cashback Card is not set with any offline limit Features for the contactless interface include: Support for PayPass Magstripe and PayPass EMV Support for offline and online EMV transactions Support for SDA and CDA Support for Online PIN verification and No CVM Not valid for cashback Card is not set with any contactless offline limit 2017 MERCHANT TESTCARDS ALL RIGHTS RESERVED 9

10 6. Expired card The pack contains an expired VISA card, which is contact only, denominated in US dollar and issued in the USA. Both currency and country can be customized to your domestic environment upon request. This card can be used on any terminal or ATM that supports VISA, but transactions are expected to fail. Expired cards are very common in the real world, and this one allows to test the behaviour of the terminal when such a card is inserted, and to train staff on how to react when this happens. 7. Card with a blocked application The pack contains a MasterCard card, which is contact only, denominated in Euro and issued in Belgium, and which payment application has been blocked. Both currency and country can be customized to your domestic environment upon request. This card can be used on any terminal or ATM that supports MasterCard, but transactions are expected to fail. A blocked application typically happens when the card was expired but the cardholder tried to use it anyway, or when a card has been reported stolen, or for any number of reasons why a bank would want that the card not be used any more. When inserted into a terminal, because the MasterCard application that was loaded on that card has been blocked, the terminal doesn't have any payment application to run a transaction on and will inform the cardholder of that fact. This card can be used to see what message the terminal actually displays in this situation, and to train staff to react accordingly MERCHANT TESTCARDS ALL RIGHTS RESERVED 10

11 8. Card with a blocked offline PIN The pack contains a MasterCard card, which is contact only, denominated in Euro and issued in Belgium, and which offline PIN has been blocked. Both currency and country can be customized to your domestic environment upon request. This card can be used on any terminal that supports MasterCard, but transactions are expected to fail. A blocked offline PIN typically happens when too many wrong PINs have been presented. When presented at a terminal, the terminal will realise that it should prompt for PIN presentation, but that the PIN tries have been exceeded in a previous transaction, which will cause the transaction to fail. This card can be used to see what message the terminal actually displays in this situation, and to train staff to react accordingly. Obviously, if the terminal does not support PIN input, or does not support offline PIN presentation, then the behaviour will be entirely different. This is especially true if you present this card at an ATM, where the PIN is always verified online by the issuer and the PIN on the card is just being ignored MERCHANT TESTCARDS ALL RIGHTS RESERVED 11

V. Ordering the pack You can purchase the Merchant Testing and Training Pack directly from our website:

com/products/emv-cards-for-merchant-testing-and-training, where you will be able to indicate if you want to customize the

You can also e-mail us at team@merchant-testcards.com to receive a quotation.

12 V. Ordering the pack You can purchase the Merchant Testing and Training Pack directly from our website: where you will be able to indicate if you want to customize the country and currency of the cards that can be localized. There is no minimum order quantity. You can also us at to receive a quotation. The Merchant Testing and Training Pack comes by default with our logo and design, which you can see on the previous pages. For a small additional fee, the Merchant Testing and Training Pack can be created with your logo instead of ours, in greyscale or colour MERCHANT TESTCARDS ALL RIGHTS RESERVED 12

Test mode usually includes a change of terminal public keys and of transaction authorization routing. 1.

13 VI. Terminal test configuration Test cards are not intended to be used on a Live terminal. Only Live cards should be used on a Live terminal or ATM. In order to use those cards, the terminal needs to be put in Test mode, which is a very common thing to do. Test mode usually includes a change of terminal public keys and of transaction authorization routing. 1. Terminal public keys There are differences between Live and Test in terms of terminal public keys. Live cards are protected with Live keys issued by the card brands, like Visa or MasterCard, and therefore Live terminals are loaded with Live keys, so that Live cards can be accepted. Test cards, on the other hand, are protected with Test keys, also issued by the card brands, and that have been created for the purpose of testing. Therefore, terminals in Test mode are loaded with Test keys, so that Test cards can be accepted. This difference between Live and Test does not impact the terminal behaviour in any other way. This document describes the Test keys that should be loaded on Test terminals in section Terminal public keys on page MERCHANT TESTCARDS ALL RIGHTS RESERVED 13

2. Transaction authorization The second difference is in terms of who authorizes transactions.

So, for instance, if you use a VISA card, the acquirer sends the transaction to VISA, and then VISA would find your bank and

This means that your bank can approve the transaction that was created with your card, and this approval makes its way all the

In Test mode, because the test cards do not have an issuing bank, the acquirer uses a simulator in place of the payment network

14 2. Transaction authorization The second difference is in terms of who authorizes transactions. A Live transaction typically goes to an acquirer, whose job it is to forward it to the payment network that the card belongs to. So, for instance, if you use a VISA card, the acquirer sends the transaction to VISA, and then VISA would find your bank and forward the transaction to them. This means that your bank can approve the transaction that was created with your card, and this approval makes its way all the way back to the terminal and to your card. In Test mode, because the test cards do not have an issuing bank, the acquirer uses a simulator in place of the payment network and the issuing bank. This is a very standard practice. What this means is that, for the cards to work, they simply need to be loaded on the simulator. Section Authorization information on page 20 of this document contains the card information that you should give to your acquirer or terminal provider MERCHANT TESTCARDS ALL RIGHTS RESERVED 14

15 3. Loading the Test configuration on a terminal Loading the Test configuration is typically a simple procedure, but it is a proprietary operation, which means that there is no unique way of doing it. For some terminals, it is simply the press of a button on the acquirer or payment processor's management system, which generates a download onto the device and it's ready to test. On some devices you need to plug a USB key that contains the configuration, and on other devices, it's a simple menu entry. You should contact your terminal provider if you do not know how to load a Test configuration MERCHANT TESTCARDS ALL RIGHTS RESERVED 15

inserting them or by tapping them (for cards that show the

This depends on the card input capability of the payment terminal

The test cards can be inserted into terminals and ATMs that support

16 VII. Using the cards 1. Card input The cards can be used with a magstripe swipe, by inserting them or by tapping them (for cards that show the contactless logo only). This depends on the card input capability of the payment terminal being tested. The test cards can be inserted into terminals and ATMs that support EMV contact transactions: The test cards can be tapped on terminals and ATMs that support EMV contactless transactions (usually identified by a contactless logo on the device): 2017 MERCHANT TESTCARDS ALL RIGHTS RESERVED 16

Those lists are provided for each card in the Detailed pack content section.

17 2. Cardholder verification method The identity of the cardholders can be verified with a PIN code, with a signature or it can be not verified. The method that a terminal ends up using depends on what it can support, and also on a prioritized list that the card provides to the terminal. Those lists are provided for each card in the Detailed pack content section. For example, if signature verification is higher in the card s priority list than PIN verification, and if the terminal supports both, then the terminal will ask the cardholder for a signature. Please beware that the PIN code can be verified in three different ways: online, offline in the clear, and offline enciphered. Online verification is when the terminal sends the PIN to the issuer for verification (always for ATMs), whereas offline verification is when the terminal presents the PIN directly to the card, and the card validates the PIN value. Clear and enciphered methods depend on the card s cryptographic capabilities, with the second method being more secure. The pack contains enough variety to allow testing all methods MERCHANT TESTCARDS ALL RIGHTS RESERVED 17

This can become an issue in a test environment if the host simulator is not able to provide a full-chip response to transaction authorizations (i.e. with the correct cryptographic elements), in which case cards consider all transactions to be effectively approved offline, and start declining after a while.

18 3. Resetting the cards The cards have been created with no offline limits, which means that their behaviour should not change over time. Offline limits, on Live cards, typically stop the card from approving transactions that are not authorized by the card issuer. This can become an issue in a test environment if the host simulator is not able to provide a full-chip response to transaction authorizations (i.e. with the correct cryptographic elements), in which case cards consider all transactions to be effectively approved offline, and start declining after a while. This is a big issue for contactless transactions. This behaviour should not happen with those cards, but in the unlikely event that it does, a card reset application is provided free of charge on our website. The application essentially simulates a full online transaction which resets those counters. The application also resets the PIN try counter. If you enter a wrong PIN on a card more than three times, the card s offline PIN will become blocked. The application allows to unblock the offline PIN, so that it can be presented again. You can read more on this on our website MERCHANT TESTCARDS ALL RIGHTS RESERVED 18

19 VIII. Disclaimer The cards provided by Merchant Testcards are meant to be used on payment terminals and ATMs in Test mode only. Merchant Testcards cannot be held responsible for the consequences of using the cards on a Live terminal, including damages that could be caused. Payment terminals and ATMs should be set back to a Live configuration before Live transactions are meant to be processed on them. Merchant Testcards cannot be held responsible for the consequences of users forgetting to set a terminal back to its Live configuration. Merchant Testcards wish to remind users that credit/debit card fraud is a serious crime in every country, and that the use of Merchant Testcards s for fraudulent activities is forbidden and exposes the user to the full extent of the law in the territory where they are used MERCHANT TESTCARDS ALL RIGHTS RESERVED 19

20 IX. Information for acquirers and terminal providers 1. Authorization information The following information should be added to host simulator for transaction authorization: Card name Card number (PAN) Contact Contactless VISA CREDIT card CVN10 CVN10 MASTERCARD CREDIT card M/Chip 4 M/Chip 4 DINERS CLUB card CVN05 CVN15 VISA ELECTRON card CVN10 - MAESTRO DEBIT card M/Chip 4 M/Chip 4 Expired card CVN10 - Card with a blocked application M/Chip 4 - Card with a blocked offline PIN M/Chip 4 - The cards use the following 3-DES keys, which are all standard keys provided by the card brands for testing purposes: Card brand Key type Key value KCV VISA IMK AC C9110AD C9110AD40 F7D5A0 IMK MAC/SMI C9110AD C9110AD40 F7D5A0 IMK ENC/SMC C9110AD C9110AD40 F7D5A0 MASTERCARD/MAESTRO IMK AC 9E F7318A CB79B90BD986AD IMK MAC/SMI FE615FB02 E5D57F292AA2B3B IMK ENC/SMC CE293B8CC12A EF256D DF8 DINERS CLUB IMK AC D2B91C IMK MAC/SMI E18DE2 IMK ENC/SMC DDB MERCHANT TESTCARDS ALL RIGHTS RESERVED 20

21 2. Terminal public keys The following keys should be loaded on the payment terminal as part of its Test configuration. PKI: 92 RID: A Exponent: 03 Public key: 99 6A F5 6F D C E D8 EE B 18 A2 45 8E FA A9 2D A3 B6 DF EC F D4 3B E9 B8 F0 CC 66 9E 3F CB DD F8 BD A1 91 BB B C8 DC 9A 73 0D B8 F6 B4 ED E FF D9 B8 C C2 3A 36 BA 0B 8A F EB 57 EA 5D 89 E7 D1 4E 9C 7B 6B F DA 16 AC 92 3F 15 AF F0 F0 3E BD 3C 5C 2C 94 9C BA 30 6D B4 4E 6A 2C 07 6C 5F 67 E2 81 D7 EF D C4 D E4 91 F A 9E 2D C6 6F CE 0D AF 8D 17 EA D4 6A D8 E3 0A 24 7C 9F PKI: F3 RID: A Exponent: 03 Public key: 98 F0 C7 70 F C2 E7 66 DF 02 D1 E8 33 DF F4 FF E9 2D 69 6E F0 A8 8C C6 47 9D 16 DB BF E2 9E 4F DC 6E 6E 8A FD 1B 0E B7 EA C BF 19 E9 3F B 2F 77 6E 82 9E 87 DA ED A9 C9 4A 8B A 35 0C C9 7A FF 08 FD A C9 50 A7 2C 3C A5 00 2E F5 13 FC CC 28 6E 64 6E 3C D B3 B3 26 E1 23 4F 9C B4 8C 36 DD D4 4B 41 6D A6 6F 40 3B A5 11 C5 EF A MERCHANT TESTCARDS ALL RIGHTS RESERVED 21

22 PKI: FA RID: A Exponent: 03 Public key: A9 0F CD 55 AA 2D 5D E3 5E D0 F F 49 C6 BA B1 5C DA E5 79 4B E9 3F 93 4D D5 D E4 8C 38 BA 83 D8 44 5D EA A A3 01 A1 02 B2 F1 14 EA DA 0D 18 0E E5 E7 A5 C7 3E 0C 4E 11 F6 7A 43 DD AB 5D B CC F4 4B 8D A4 92 FF AA DA D4 F D0 E C3 C4 9A D3 D0 FA E B0 F6 B1 B A3 D6 D F B D EC 40 FA AE CD 74 0C 00 E2 B7 A8 85 2D PKI: 5C RID: A Exponent: 03 Public key: 83 3F 27 5F CF 5C A4 CB 6F 1B F8 80 E5 4D CF EB 72 1A CA FE B2 8B 69 8C AE CA FA 2B 2D 2A D8 51 7B 1E FB 59 DD EF C3 9F 9C 3B 33 DD EE 40 E7 A6 3C 03 E9 0A 4D D2 61 BC 0F 28 B4 2E A6 E7 A1 F E 2D 63 FA C 3A 5F 92 6B 4C 7D 7C 25 8B CA 98 EF 90 C7 F4 11 7C 20 5E 8E 32 C4 5D 10 E3 D D 2F B 97 9C E4 A8 31 B3 01 B0 55 0C DA E9 B B3 1D 8B 48 1B 85 A5 B0 46 BE 8F FA 7B DB 58 DC 0D F2 6F F6 19 AF 7F 15 BC EC 0C 92 BC DC BC 4F B2 07 D1 15 AA 65 CD 04 C1 CF MERCHANT TESTCARDS ALL RIGHTS RESERVED 22