Card Payments Data Flashcards
Level 1
- Consumer transactions
Merchants are only required to transmit the three data elements when accepting these payments:
1. Transaction amount
2. Transacton date
3. Merchant’s name
Level 2
- Business to Business (B2B) and Business to Government (B2G)
“Companies might benefit from making more data available when processing card transactions”
- tax information
- additional customer information
- merchant ZIP
- Commercial, corporate, purchasing and government cards are eligible for Level 2 processing, but not consumer cards (which can only be processed at level 1)
Level 3
- Includes all Level 2 data and items such as invoice information, product information, quantity, unit of measure, postal code, VAT, and freight amount
- Historically, these transactions could only be accepted virtually (they were beyond the capabilities of traditional hardware POS terminals)
- Increasingly, modern card payment terminals offer Level 3 capability through touchscreen technology (Smart POS)
Summary of the levels:
“The higher the level, the more data is processed and transmitted to the issuer as part of the card transaction”
- Accepting Level 2 and Level 3 cards means that the merchant has to explicitly input more data at the point of interaction (through their PSP)
- The benefits of utilizing level 2/3 processing are significant. Businesses can access reduced interchange rates, resulting in potential savings of 0.45% to 1% per transaction
Implications for risk
“The greater the amount of data that is transmitted to the issuer, the more able they are to make better risk decisions”
PAN
- Primary Account Number
- Follows the ISO 7812 standard
“Essentially, a card using the ISO 7812 standard can be read in a card terminal”
First digit of PAN
MII - Major Industry Identifier
- Identifies the industry or type of card
4 for Visa
5 for MC
3 for travel and entertainment cards (Amex & Discover)
7 for Petroleum
Digit 1-6 of PAN (since 2022 1-8)
BIN - Bank Identification Number (Issuer Identification Number)
- The BIN enables you to identify a number of elements, including the card scheme, the issuer, they type of card (credit or debit) and the country
Digit 7-15 of PAN
Cardholder Account Number
- This identifies the cardholder
- In the past, you may have come across card where this number was all zeros: These were anonymous prepaid cards, which have been banned in most geographies according to Anti Money Laundering regulations
Last Digit of PAN
Check-digit and is added to validate the authenticity of the credit card number (based on the Luhn algorithm)
The BIN enables you to identify a number of elements:
- Card scheme
- Issuer
- Type of card (credit, debit, purchasing)
- Country
BIN Sponsorship
“A BIN sponsor (a bank) enables other eligible organizations to issue cards by allowing them to use BIN ranges that they control”
- This gives them quick time to market
- Many neo banks used BIN sponsors before obtaining a banking license themselves
EMV Chip
“The chip contains the data required for EMV transactions at the POS”
Standards:
- ISO 7816 for contact
- ISO 14443 for contactless
The data on the chip will be read when:
- the card is inserted into the card terminal (contact transaction)
- The card is held close to the terminal (contactless transaction)
Magnetic Stripe
- Constructed in accordance with ISO 7813
“Card swipe is the term used for a card payment transaction using the magstripe”
➡️Increasingly, modern cards do not include a magstripe
- Two magnetic tracks are used for data storage: Track 1 and Track 2
Hologram
- Security feature originally designed to prevent fraudsters from cloning cards, as it is difficult to reproduce
- For visa it is a dove
Signature Panel
The cardholder’s signature is used to authenticate the cardholder for face- to-face transactions in chip and signature or non-EMV markets
- Increasingly on modern cards, the signature panel is not present
Card Verification Value (CVV or CVC)
- 3 digits for Visa & MC
- 4 digits for American Express
“The CVV is used to authenticate remote transactions (e.g. e-commerce or telephone) by verifying that the card- holder has the card in their possession”
- It is intended for the cardholder’s eyes only and not machine readable
“The technical term, as defined in the standard, is CVV2”
- Whilst there are other card verification values (CVV1, CVV3) the term ‘CVV’ in day-to-day life refers to the CVV2 because this is what cardholders see
Wrapper
“The data remains the same regardless of the ‘wrapper’ (smart watch) you put around a card”
Service Code
- Is a 3 digit value encoded into the magnetic stripe
- Used by Issuers to tell merchants how the card can and cannot be used
- For example, whether the card is for international use or domestic use only, or if a PIN is required for all transactions, or if it’s only to be used at ATMs
- For instance, the comdirect debit has a service code of 221and means the transaction has to be authorized online (hence cannot be used at offline terminals)
- Another example: 520 - Card is domestic only, transaction has to be authorized online and PIN is required
CVV1
CVV1 is used in card-present transactions to verify if the data is valid and issued by a banking institution. It is provided in the card’s magnetic stripe
- During a transaction, the CVV1 is sent to the card issuer as part of the authorization request. The issuer checks the CVV1 against the value it has on record for the card
- It adds a layer of security that makes it more challenging to create a fully functional cloned card without the correct CVV1
CVV2
CVV2, unlike CVV1, is a code printed on the card. It is used in the case of a card, not present transactions such as mail order/ telephone order (MOTO) or internet. It acts as an added security feature for preventing potential frauds
iCVV
- The chip does not contain the same card verification value as the magstripe, but an alternative value (iCVV)
“The iCVV is generated by the chip and the card reader for each transaction (it is dynamic) using a different calculation from that used for the CVV1 on the magstripe”
Skimmer
A device used by fraudsters to read information from the magstripe
- Found at ATMs and petrol stations and other unattended terminals
“Skimmers are devices overlayed on top of the card terminals, and sometimes combined with small cameras to capture the PIN”
Shimmer
A shimmer (aka “shim”) is a device used to capture data from the EMV chip