Card Payments Data Flashcards

1
Q

Level 1

A
  • Consumer transactions

Merchants are only required to transmit the three data elements when accepting these payments:
1. Transaction amount
2. Transaction date
3. Merchant’s name

2
Q

Level 2

A
  • Business to Business (B2B) and Business to Government (B2G)

“Companies might benefit from making more data available when processing card transactions”
- tax information
- additional customer information
- merchant ZIP

  • Commercial, corporate, purchasing and government cards are eligible for Level 2 processing, but not consumer cards (which can only be processed at Level 1)
3
Q

Level 3

A
  • Includes all Level 2 data and items such as invoice information, product information, quantity, unit of measure, postal code, VAT, and freight amount
  • Historically, these transactions could only be accepted virtually (they were beyond the capabilities of traditional hardware POS terminals)
  • Increasingly, modern card payment terminals offer Level 3 capability through touchscreen technology (Smart POS)
4
Q

Summary of the levels:

A

“The higher the level, the more data is processed and transmitted to the issuer as part of the card transaction”

  • Accepting Level 2 and Level 3 cards means that the merchant has to explicitly input more data at the point of interaction (through their PSP)
  • The benefits of utilizing Level 2/3 processing are significant. Businesses can access reduced interchange rates, resulting in potential savings of 0.45% to 1% per transaction
5
Q

Implications for risk

A

“The greater the amount of data that is transmitted to the issuer, the more able they are to make better risk decisions”

6
Q

PAN

A
  • Primary Account Number
  • Follows the ISO 7812 standard

“Essentially, a card using the ISO 7812 standard can be read in a card terminal”

7
Q

First digit of PAN

A

MII - Major Industry Identifier

  • Identifies the industry or type of card

4 for Visa
5 for MC
3 for travel and entertainment cards (Amex & Discover)
7 for Petroleum

8
Q

Digit 1-6 of PAN (since 2022 1-8)

A

BIN - Bank Identification Number (Issuer Identification Number)

  • The BIN enables you to identify a number of elements, including the card scheme, the issuer, the type of card (credit or debit) and the country
9
Q

Digit 7-15 of PAN

A

Cardholder Account Number

  • This identifies the cardholder
  • In the past, you may have come across cards where this number was all zeros: these were anonymous prepaid cards, which have been banned in most geographies according to Anti Money Laundering regulations
10
Q

Last Digit of PAN

A

Check digit, added to validate the authenticity of the credit card number (based on the Luhn algorithm)

11
Q

The BIN enables you to identify a number of elements:

A
  • Card scheme
  • Issuer
  • Type of card (credit, debit, purchasing)
  • Country
12
Q

BIN Sponsorship

A

“A BIN sponsor (a bank) enables other eligible organizations to issue cards by allowing them to use BIN ranges that they control”

  • This gives them quick time to market
  • Many neo banks used BIN sponsors before obtaining a banking license themselves
13
Q

EMV Chip

A

“The chip contains the data required for EMV transactions at the POS”

Standards:

  • ISO 7816 for contact
  • ISO 14443 for contactless

The data on the chip will be read when:

  • the card is inserted into the card terminal (contact transaction)
  • the card is held close to the terminal (contactless transaction)
14
Q

Magnetic Stripe

A
  • Constructed in accordance with ISO 7813

“Card swipe is the term used for a card payment transaction using the magstripe”

➡️ Increasingly, modern cards do not include a magstripe

  • Two magnetic tracks are used for data storage: Track 1 and Track 2
15
Q

Hologram

A
  • Security feature originally designed to prevent fraudsters from cloning cards, as it is difficult to reproduce
  • For Visa it is a dove
16
Q

Signature Panel

A

The cardholder’s signature is used to authenticate the cardholder for face-to-face transactions in chip and signature or non-EMV markets

  • Increasingly on modern cards, the signature panel is not present
17
Q

Card Verification Value (CVV or CVC)

A
  • 3 digits for Visa & MC
  • 4 digits for American Express

“The CVV is used to authenticate remote transactions (e.g. e-commerce or telephone) by verifying that the cardholder has the card in their possession”

  • It is intended for the cardholder’s eyes only and not machine readable

“The technical term, as defined in the standard, is CVV2”

  • Whilst there are other card verification values (CVV1, CVV3) the term ‘CVV’ in day-to-day life refers to the CVV2 because this is what cardholders see
18
Q

Wrapper

A

“The data remains the same regardless of the ‘wrapper’ (smart watch) you put around a card”

19
Q

Service Code

A
  • Is a 3 digit value encoded into the magnetic stripe
  • Used by Issuers to tell merchants how the card can and cannot be used
  • For example, whether the card is for international use or domestic use only, or if a PIN is required for all transactions, or if it’s only to be used at ATMs
  • For instance, the comdirect debit has a service code of 221, which means the transaction has to be authorized online (hence cannot be used at offline terminals)
  • Another example: 520 - Card is domestic only, transaction has to be authorized online and PIN is required
20
Q

CVV1

A

CVV1 is used in card-present transactions to verify if the data is valid and issued by a banking institution. It is provided in the card’s magnetic stripe

  • During a transaction, the CVV1 is sent to the card issuer as part of the authorization request. The issuer checks the CVV1 against the value it has on record for the card
  • It adds a layer of security that makes it more challenging to create a fully functional cloned card without the correct CVV1
21
Q

CVV2

A

CVV2, unlike CVV1, is a code printed on the card. It is used for card-not-present transactions such as mail order/telephone order (MOTO) or internet. It acts as an added security feature for preventing potential fraud

22
Q

iCVV

A
  • The chip does not contain the same card verification value as the magstripe, but an alternative value (iCVV)

“The iCVV is generated by the chip and the card reader for each transaction (it is dynamic) using a different calculation from that used for the CVV1 on the magstripe”

23
Q

Skimmer

A

A device used by fraudsters to read information from the magstripe

  • Found at ATMs and petrol stations and other unattended terminals

“Skimmers are devices overlayed on top of the card terminals, and sometimes combined with small cameras to capture the PIN”

24
Q

Shimmer

A

A shimmer (aka “shim”) is a device used to capture data from the EMV chip

25
Q

Security Benefit of Contactless:

A

The only difference is that the card will not be inserted in the terminal, thereby preventing both skimming and shimming attacks

26
Q

Level 3 Data Acceptance Options

A
  • Historically, these transactions could only be accepted virtually and often integrated with enterprise resource planning platforms such as SAP or Oracle
  • This is because they were beyond the capabilities of traditional hardware POS terminals (as many of the data elements require text input and standard card terminals have basic numeric keypads)
  • Increasingly, modern card payment terminals offer Level 3 capability through touchscreen technology
  • These card terminals are called Smart POS and support standard card payments as well as a range of applications supporting a merchant’s business
  • These modern terminals are usually cloud based and based on open operating systems such as Android
27
Q

Chip and PIN

A

A Personal Identification Number (PIN) – a four-digit code selected and managed by the cardholder – is used to authenticate face-to-face transactions at the physical POS

28
Q

Chip and Signature

A

A signature is used to authenticate face-to-face transactions at the physical POS

29
Q

Five basic elements for the data contained in the card

A
  1. PAN
  2. Name
  3. Expiry Date
  4. Service Code
  5. Discretionary Data

➡️ These elements are contained in the Track 1 and Track 2 of the magstripe as well as in the EMV chip

30
Q

Discretionary Data

A

“Used by issuers as they see fit”

  • Used for security
  • On Tracks 1 and 2, it may include PIN verification elements and a card verification value called the CVV1. The CVV1 is used to authenticate magstripe transactions
31
Q

Summary Verification Value

A

Both CVV1 (magstripe) and CVV2 (printed on card) are static data elements (i.e. they remain valid for the life of the card). The iCVV is dynamic and can’t be used twice

32
Q

Two Standards for EMV Chips

A
  1. Contact
  2. Contactless

“Security measures are the same”
- iCVV will work in the same way (dynamic, generated each time)

“Only difference is that the card will not be inserted in contactless preventing skimming and shimming”

33
Q

Dynamic CVV

A

“This is where the issuer supplies the cardholder with a little device as well as a card. The little device calculates a dCVV each time a remote transaction is initiated by the cardholder, and this is the three-digit number that the cardholder would use on an e-commerce website”

  • This can also be achieved through the card itself, where a small electronic screen is embedded directly into the back of the card to perform the same function
34
Q

Summary: Why iCVV is Better Than CVV1

A

CVV1 is easier to clone because the data does not change.

  • A skimming device can capture all necessary information to create a counterfeit card
  • iCVV is much harder to clone because the data changes with each transaction. Even if data is intercepted, it’s useless without the ability to generate the correct dynamic iCVV for future transactions