D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale...

40
© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute. D-PAS U.S. Chip Terminal Guide _________ Version 1.1 / May 2017

Transcript of D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale...

Page 1: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

D-PAS U.S. Chip Terminal Guide _________ Version 1.1 / May 2017

Page 2: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

2

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Disclaimer

This D-PAS: U.S. Chip Terminal Guide (this “Guide”) provides guidelines to assist Merchants and Value Added Resellers (VARs), including, but not limited to, Independent Software Vendors (ISVs) and Payment Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to the U.S. market when accepting Discover Network and its partners’ chip card products. This guide is subject to change by Discover® at any time without notice to any party. Neither this Guide nor any other document or communication creates any binding obligations upon Discover or any third party regarding testing services or Discover approval, which obligations will exist, if at all, pursuant to separate written agreements executed by Discover and such third parties. This Guide is provided “AS IS”, “WHERE IS” and “WITH ALL FAULTS”. Neither Discover, nor Diners Club International® (DCI), nor any of their affiliates, subsidiaries, directors, officers or employees (collectively, the “Discover Parties”) assume or accept any liability for any errors or omissions contained in the Guide. The Discover parties specifically disclaim and make no representations or warranties of any kind, express or implied, with respect to this Guide. The Discover parties disclaim all representations and warranties, including the implied warranties of Merchants’ ability and fitness for a particular purpose. The Discover parties further specifically disclaim all representations and warranties with respect to intellectual property subsisting in or relating to the Guide or any part thereof, including but not limited to any and all implied warranties of title, non-infringement or suitability for any purpose (whether or not the Discover parties have been advised, have reason to know or are otherwise in fact aware of any information). The contents of this Guide are proprietary and constitute trade secrets of Discover. This Guide is provided to Participants of the Discover and DCI Networks and their authorized Partners for their exclusive use and shall not be reproduced, published or otherwise disclosed, in whole or in part, to any party outside Discover without the prior written consent of Discover. DFS Services LLC, Discover® means our officers, directors and employees as well as the network, systems and processes, including hardware, software and personnel maintained by us to support card issuance and card acceptance programs operated by Issuers, Merchants and Acquirers for the benefit of Cardholders and Merchants, respectively; or, where used to describe products, enhancements or services, means the consumer-facing brand of Discover.

Page 3: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

3

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

What’s Inside

Chapter 1 Getting to Know D-PAS Page 4

1.1 Introduction Page 4

1.2 Purpose of this Guide Page 4

1.3 Target Audience Page 4

1.4 References Page 4

Chapter 2 Understanding Chip Card Transactions Page 5

2.1 EMV Fraud Liability Shift Page 5

2.2 Chip Card Technology Page 6

2.3 Contactless Technology Page 6

2.4 EMVCo Role in Chip Card Specifications Page 7

2.5 D-Payment Application Specification (D-PAS) Page 8

2.6 Understanding Chip Transactions Page 8

Chapter 3 Implementing D-PAS Page 12

3.1 Important Chip Card Implementation Considerations Page 12

3.2 Pre-Transaction Processing (Contactless) Page 12

3.3 Application Selection Page 12

3.4 Offline Data Authentication (ODA) Page 13

3.5 Cardholder Verification Page 14

3.6 Terminal Risk Management Page 17

3.7 First Terminal Action Analysis Page 18

3.8 Transaction Completion Page 19

3.9 Conclusion of Processing / Chip Card Deactivation and Removal

Page 20

3.10 Technical Fallback Page 21

3.11 Special Considerations for Merchants in the Restaurant / Bar, Lodging, Car Rental and Petro Industries

Page 22

Chapter 4 Point-of-Sale Solution Selection Page 23

4.1 Device Certification Page 23

4.2 End-to-End Certification Requirements Page 24

4.2.1 Discover Quick Chip Page 25

4.3 Production Validation Requirements Page 26

Chapter 5 Production Rollout Page 27

5.1 Production Rollout Check List Page 27

5.2 AID Parameters Page 28

Appendix A DFS CA Test Payment System Public Keys Page 32

1. Key Length 1152 Bits – PKI 91 Test Page 33

2. Key Length 1408 Bits – PKI 92 Test Page 34

3. Key Length 1984 Bits – PKI 93 Test Page 33

Appendix B DPAS Acronyms Page 35

Appendix C DPAS Terminology Page 36

Appendix D DFS IIN / BIN Table Page 39

Page 4: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

4

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 1: Getting to Know D-PAS in the U.S.

1.1 Introduction The Discover® D-Payment Application Specification (D-PAS) is an EMV-compliant smart card payment solution for contact, contactless and mobile payments. Discover supports and conforms to current EMV standards, enabling easy implementation and integration of the D-PAS solution. 1.2 Purpose of this Guide This Guide focuses on the U.S. market. It provides high-level guidance to assist Merchants, VARs and other relevant parties with terminal development to support both contact and contactless chip transactions in accordance with D-PAS solutions at the terminal level. Please consult with your Processor or Discover for detailed policy, technical specifications and operating regulations. 1.3 Target Audience This Guide is primarily intended for Merchants and Value Added Resellers (VARs), including, but not limited to, Independent Software Vendors (ISVs), Payment Gateways VARs and/or other entities responsible for implementing components and services required for accepting contact and contactless chip cards, mobile wallets and contactless devices on Merchant acceptance terminals in the U.S.* * The United States of America, includes fifty States, the District of Columbia and all other U.S. territories, Protectorates, and non-domestic U.S. military bases including American Samoa, Federated States of Micronesia, Guam, Marshall Islands, Northern Mariana Islands, Palau, Puerto Rico and the U.S. Virgin Islands. 1.4 References

Title Source1 Reference

Discover Contact and Contactless D-PAS: Terminal Requirements for U.S. Debit Cards Technical Addendum

1 DFS D-PAS: US DB TA, v 1.0

Terminal Requirements for JCB J/Smart™ Cards Technical Addendum

1 DN CT D-PAS: JCB JS TA, v 1.0

Discover Contact EMV: Terminal Requirements for UnionPay Contact Chip Cards Technical Addendum

1 UnionPay UICS TA v 1.0

Discover Contact D-PAS: Discover Quick Chip Implementation Guide v2.0

DN.com DFS CT D-PAS QC v 2.0 (July 12, 2016)

EMVCo emvco.com U.S. Payments Forum http://www.uspaymentsforum.org/

1 Source: 1 means references can be provided upon request to [email protected].

Page 5: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

5

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 2: Understanding Chip Card Transactions

In most cases, the issuer bears the initial responsibility for fraudulent activity if a lost, stolen or counterfeit card is used at POS.

Liability Issuer

2.1 EMV Fraud Liability Shift In October 2012, Discover® announced the alignment of its EMV fraud liability shift policies for contact chip cards across Discover, Diners Club International® and PULSE®. The Discover Network policy became effective in October 16, 2015 for all point-of-sale (POS) locations and is scheduled to go into effect in October 2020 for all automated fuel dispensers (AFD). PULSE’s liability shift date for ATM transactions on Discover / PULSE EMV contact cards at U.S. terminals will be effective October 1, 2017. After this date, ATM Acquirers will be financially liable for counterfeit card fraud if a contact EMV card is presented at an ATM that is not EMV enabled. To ensure simple and consistent dispute management for PULSE participants, PULSE has chosen ATM liability shift dates for PULSE cards that are consistent with the signature brand on the card. The switch to EMV is vital to prevent payment fraud, and Discover is here to help. Our resources and EMV best practices accelerate EMV certification, maximize Cardholder security and drive Merchant profitability. For more information, visit DiscoverNetwork.com/Chip-Card or contact [email protected].

2 Liability is transferred to the party with the direct relationship with Discover®. As of date of publication of this guide, the EMV Fraud Liability Shift is in effect for contact chip transactions only. 3 The Discover Network policy is scheduled to go into effect in October 2020 for automated fuel dispensers (AFD).

Before October 2015

After October 20153

Counterfeit Fraud Liability Lost or Stolen Fraud Liability

Type of Card Type of Terminal

Chip and PIN Preferring Card

Type of Card Type of Terminal

Chip and PIN Preferring Card Non EMV-

Enabled Terminal Chip and Signature Terminal

Chip and Signature Card Non EMV-

Enabled Terminal

Merchant or Acquirer2

Page 6: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

6

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 2: Understanding Chip Card Transactions

2.2 Chip Card Technology Chip cards, also known as smart cards or integrated circuit cards (ICC), are plastic cards embedded with a computer chip. Chip cards are capable of storing information, completing calculations, making decisions and running applications.

Chip cards still have a magnetic stripe on the back of the card to permit processing transactions at locations without EMV-enabled terminals and fallback processing in the event of a chip failure. 2.3 Contactless Technology Contactless technology is being adopted by Merchants that are looking for a faster, easier and more convenient payment method. The execution of a contactless payment transaction requires a contactless card or payment device and terminal / reader. Each contactless card or payment device and terminal, carry a microchip connected to an antenna that enables the exchange of data via near field communication (NFC). 2.3.1 Contactless Transaction Modes

• Contactless D-PAS EMV mode is an operating mode based on the use of the Contactless D-PAS application to create transaction-specific cryptograms that can be used to authenticate the card and the transaction. Contactless transactions can be processed either online or offline.

• Contactless D-PAS Magnetic Stripe (MS) mode uses functionality of Discover® Zip® v2.0. The Zip application provides cardholder information based on MS data to the terminal/reader. The terminal processes the transaction online and executes the Issuer decision.

Note: Discover Zip is a contactless payment solution deployed in the U.S. (Discover Zip cards and payment devices should be accepted wherever contactless payments are enabled.)

Page 7: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

7

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 2: Understanding Chip Card Transactions

2.3.2 Contactless Logos EMVCo licenses the Contactless Indicator and Contactless Symbol (collectively the “Contactless Marks”) for use in accordance with its reproduction requirements. See the EMVCo website for more details.

• The EMVCo Contactless Indicator, shown below, is used on Contactless Cards and Contactless Payment Devices such as key fobs.

• The EMVCo Contactless Symbol, shown below, is used on contactless terminals and may also be used in marketing materials.

2.4 EMVCo Role in Chip Card Specifications Chip cards and EMV-enabled terminals adhere to standard specifications to ensure interoperability among countries and Payment Networks. EMVCo is the entity that manages and evolves EMV specifications, tests processes and fosters worldwide interoperability of secure payment transactions. The EMV specifications govern chip cards, common payment application (CPA), card personalization and tokenization. EMVCo is co-owned by six member organizations: American Express, Discover®, JCB, MasterCard, UnionPay and Visa. The organization is supported by Issuers, Merchants, Acquirers, Acquirer Processors and other industry stakeholders who participate as EMVCo Associates. For more information about EMVCo and chip card specifications visit www.emvco.com4. 4 Source: EMVCo www.emvco.com

Page 8: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

8

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 2: Understanding Chip Card Transactions

2.5 D-Payment Application Specification (D-PAS) D-PAS is a specification that enables secure transactions among Discover® chip cards, payment devices, terminals and Acquirers. Discover provides a comprehensive program to support markets that are migrating from magnetic stripe cards to chip card transactions, including:

• D-PAS program documents that define the requirements for chip cards and terminals, including: - Discover Contact and Contactless D-PAS: Terminal Requirements for U.S. Debit Cards

Technical Addendum - Terminal Requirements for JCB J/Smart™ Cards Technical Addendum - Discover Contact EMV: Terminal Requirements for UnionPay Contact Chip Cards

Technical Addendum • Test cards • Production validation cards • Network support for chip card transactions • Testing and certification requirements

2.6 Understanding Chip Card Transactions A chip card transaction differs from a traditional magnetic stripe card transaction in how it interacts with a terminal.

• A magnetic stripe card is swiped through the terminal to initiate the transaction. • A contact chip card is inserted into the chip reader and must remain in the terminal for the

duration of the transaction. • A contactless chip card or payment device is tapped to initiate the transaction.

The following table lists the differences between chip card and magnetic stripe card transactions.

Chip Card Transaction Typical Magnetic Stripe Credit Card Transactions

Multiple card authentication methods. Basic level of authentication including Card Verification Value (CVV).

Multiple Cardholder verification methods supported, including use of offline and online Personal Identification Number (PIN).

Visual Cardholder verification (request of ID, check signature panel).

Issuer and Acquirer / Processor establishes and manages risk parameters.

Issuer manages most risk parameters.

Secure offline authorization if supported by the terminal and network, and approved by the card.

Offline authorization possible but risky as the authenticity of the card cannot be confirmed.

Use of dynamic data prevents cloning. Use of static data that can be easily copied. Added level of security of chip cards and chip-enabled terminals prevents counterfeit fraud. Use of PIN reduces fraud from lost and stolen cards.

Magnetic stripe cards and terminals are susceptible to counterfeit fraud.

Page 9: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

9

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 2: Understanding Chip Card Transactions

The diagrams below provide an overview of the D-PAS transaction process for contact and contactless transactions. Note that some steps may occur simultaneously.

Page 10: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

10

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 2: Understanding Chip Card Transactions

2.6.1 How a Contact D-PAS Transaction Works The most common transactions between a contact chip card and a terminal consist of:

• Chip and Personal Identification Number (PIN) with verification either offline or online • Chip and Signature

The following table provides a high-level description of each of these transactions.

Step Contact Chip and PIN Transaction Contact Chip and Signature Transaction

1 The Cardholder inserts the contact chip card into the terminal / reader.

The Cardholder inserts the contact chip card into the terminal / reader.

2 The transaction amount is displayed on the terminal / reader. The cardholder validates the amount The terminal reader prompts the Cardholder to enter PIN.

The transaction amount is displayed on the terminal / reader. The Cardholder validates the amount.

3 The Cardholder enters PIN on the terminal or PIN pad. The PIN is displayed as ********. Note: PIN “Merchants / Acquirers must support up to 8-digit PIN.

The Merchant terminal processes the purchase transaction offline or online, depending on the purchase amount, card and terminal parameters.

4 • If offline PIN, terminal sends PIN to chip card, chip card validates PIN and provides response back to terminal.

• If online PIN, terminal sends encrypted PIN to Issuer. Issuer returns authorization response to terminal.

The Merchant terminal validates the PIN and provides Cardholder with the results of the validation.

The Merchant terminal displays to the Cardholder the results of the validation as either “Approved” or “Declined”.

5 The Merchant terminal processes the purchase transaction offline or online, depending on the purchase amount, and card and terminal parameters.

For an approved transaction, the Merchant terminal prints a transaction receipt or creates a digital version.

6 On successful processing, the Merchant terminal displays “Approved” or “Declined”.

The terminal instructs the Cardholder to remove the chip card.

7 For an approved transaction, the Merchant terminal can print a transaction receipt if requested, or email an electronic copy.

The Cardholder signs the transaction receipt or digital version that can be emailed to cardholder.

8 The terminal instructs the Cardholder to remove the chip card.

Page 11: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

11

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 2: Understanding Chip Card Transactions

2.6.2 How a Contactless D-PAS Transaction Works The steps below provide an example of a typical transaction executed between a NFC-enabled chip and pin card (or device) and a reader connected to a standalone terminal.

Step Contactless D-PAS Transaction

1 The Merchant enters the purchase amount on the terminal. 2 The transaction amount is displayed on the terminal and on the reader. 3 The first LED (if present) begins to flash to indicate that the reader is ready to perform a contactless transaction. 4 The Cardholder presents the card or device close to the landing zone of the terminal / reader. 5 The reader exchanges commands and responses with the card or device to execute the contactless transaction. 6 The result of the exchange between the card or device and the reader, together with EMV transaction data, is sent to

the terminal. 7 When the data capture is completed, all four LED lights on the reader (if present) normally illuminate in green, and

the reader sounds an audible alert. 8 The Cardholder removes the card or device from the landing zone. 9 Depending on the card or device and terminal capabilities, as well as the risk management parameters, the

Cardholder Verification Method (CVM) will be online PIN, signature or no CVM. 10 The terminal completes the transaction online or offline. 11 The transaction result is displayed on the terminal to the Cardholder and the Merchant. It also can be displayed on

the reader. 12 A receipt can be printed, if requested, or an electronic copy can be sent by email.

This description may differ depending on the contactless POS terminal and reader model.

Page 12: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

12

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

3.1 Important Chip Card Implementation Considerations This chapter provides an overview of the chip card transaction steps that impact Merchants and VARs, including the technical requirements and best practices to successfully implement D-PAS. Not every transaction step is referenced in this chapter. For additional information on each transaction flow step, contact [email protected]. 3.2 Pre-Transaction Processing (Mandatory Step for Contactless D-PAS only) To minimize the time that a card must be in the RF field, the terminal / reader performs preliminary risk management checks by comparing the Transaction amount to limits set in the terminal. Note: Terminals that always use a fixed transaction amount (such as vending machines) do not perform risk management checks. If you have any questions contact your Acquirer / Processor. 3.3 Application Selection (Step 1 for Contact and Contactless D-PAS) There are various ways the application selection step is performed. In a typical credit card transaction, the card and the terminal analyze the supported Application Identifiers (AIDs). If multiple applications are supported, the terminal identifies the priority selected by the Issuer and may allow the Cardholder to choose the application to use. The terminal or peripheral selected for chip card implementation must have the intended AIDs loaded for chip transactions to work. For the U.S. Common Debit AID, Merchants and Acquirers may have proprietary software installed on POS devices to manage the selection of the Common AID over the proprietary / global AIDs–the specifics of which are outside the scope of this document.

Page 13: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

13

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

Below is a list of AIDs for the Discover Network and its partners that must be supported in terminals used by Merchants and VARs in the United States:

Specification Name AID Uses Territory

D-PAS A0000001523010 D-PAS Contact and Contactless AID. Discover® Card, Diners® and network-to-network partners (BCcard, DinaCard, elo, Interswitch, etc.)

All

D-PAS A0000001524010 Discover U.S. Common Debit AID* U.S. D-PAS A0000003241010 ZIP AID Magnectic Strip Contactless All

J/Smart A0000000651010 JCB J/Smart Contact AID U.S. UICS A000000333010102 UnionPay Credit Cards AID U.S., Mexico, Bahamas UICS A000000303010103 UnionPay Quasi Credit Cards AID U.S., Mexico, Bahamas UICS A000000333010101 UnionPay Debit Cards AID U.S., Mexico, Bahamas UICS A000000333010108 U.S. UnionPay Common Debit AID U.S.

UICS = UnionPay Integrated Circuit Chip Card Specifications *A common AID allows Merchants and Acquirers to route debit card transactions over multiple unaffiliated networks. The Discover U.S. Common Debit AID is available for Discover/PULSE-issued cards with another card brand as a secondary routing network. Important AID Notes

• The AID must be set to support partial match AID selection for D-PAS and J/Smart (not allowed for UICS).

• The terminal must support the list of AID methods for building the candidate list. • The application version number check requires that the terminal store the D-PAS application

version number of “0001”. • It is recommended that terminals hold one additional application version number slot open for

future use. 3.4 Offline Data Authentication (ODA) (Step 4 for Contact and Contactless D-PAS) In this step, the terminal ensures that:

• The chip card has not been altered since its personalization. • The data on the chip card was created by the authentic Issuer.

ODA must be implemented on all terminals/readers that support offline authorized transactions. For contact D-PAS, depending on the capabilities of the chip card and the terminal, the terminal may perform one of the following Offline Data Authentication (ODA) methods:

• Static Data Authentication (SDA) • Dynamic Data Authentication (DDA) • Combined DDA (CDA)

Note: CDA is the most secure method while SDA is a less secure method that will eventually be phased out.

Page 14: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

14

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

For contactless D-PAS, CDA is the only method that may be performed. Offline data validation of the card is performed using encryption keys. A key is a numeric value that is used as part of a mathematical operation to encrypt or decrypt data. To perform offline data authentication, terminals must be loaded with DFS Certification Authority Public Keys (CA PKs), JCB CA PKs and UnionPay CA PKs. Acquirers and Merchants are responsible for registering, managing and updating keys provided by Discover Network. Please note that both the D-PAS proprietary AID and the Discover® Debit U.S. Common AID use the same DFS CA PKs. See Appendix A for DFS Test Payment System Public Keys. DFS Production Payment System Public Keys and J/Smart and UICS Test and Production Keys can be requested from [email protected]. A Non-Disclosure Agreement (NDA) may be required. Important: Do not code CA PKs expiry dates in the terminal as they are subject to change by EMVCo and DFS.

Chip Card Terminal Requirements for ODA

ODA Requirements Important: All newly deployed offline-capable contact chip terminals are required to support DDA in addition to supporting SDA. Terminals should also support CDA whenever possible. In addition, Merchants and VARs should consider local market requirements and industry practices when deciding which methods to support.

DFS CA PK Requirements

To support ODA, the terminal must be able to store up to six DFS CA PKs and their associated data elements for each payment brand’s Registered Application Provider Identifier (RID) represented in the Terminal.

3.5 Cardholder Verification (Step 6 for Contact D-PAS and Step 5 for Contactless D-PAS) Cardholder Verification determines whether the person presenting the chip card is the legitimate Cardholder by using a CVM that is mutually supported by both the chip card and the terminal. Most terminals have the capability to support all CVMs. However, consult with your Processor to understand their ability to support all CVMs, especially the online PIN method. Cardholder verification is mandatory for contact D-PAS transactions. However, it is conditional for contactless D-PAS. If the Terminal Contactless CVM limit is present and the Transaction amount is greater than the Terminal CVM limit, the Terminal requires CVM to be performed.

Page 15: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

15

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

The following table describes the CVM types that are available to Merchants and Acquirers.

CVM Type Description

Online PIN If “Online PIN” is the selected CVM and is supported by the terminal, the terminal prompts the Cardholder for PIN entry and then enciphers the PIN for inclusion in the authorization message later in the transaction. The remaining processing for the online PIN transaction is conducted in accordance with existing DFS regulations.

Offline PIN (Plaintext and Enciphered)

If “Offline PIN” is the selected CVM for the transaction, the terminal prompts for PIN entry, and the PIN is transmitted from the terminal to the chip card for verification. The PIN can be sent either exactly as it was entered by the Cardholder (plaintext PIN) or encrypted (enciphered PIN). If the chip card cannot successfully verify the PIN, the chip card informs the terminal of the number of PIN try attempts remaining. Enciphering the PIN is strongly recommended. Offline PIN CVM type is not an option for contactless transactions.

Combined Offline PIN and Signature

If “Combined Offline PIN and Signature” is the selected CVM for the transaction, the terminal must complete the processes for both the offline PIN CVM and Signature CVM. This CMV type is not an option for contactless transactions.

Signature If “Signature” is the selected CVM for the transaction, CVM processing is considered complete from a D-PAS perspective. Other processing related to this CVM is executed in accordance with existing DFS regulations (e.g., comparing the Cardholder signature obtained to the signature on the card).

No CVM If “No CVM” is the selected CVM for the transaction, CVM processing is complete from the D-PAS perspective. This CVM must be supported by unattended terminals, please refer to section 3.5.1.1.

Consumer Device CVM (CDCVM)

For contactless payment devices only. Cardholder verification can be completed on the contactless payment device prior to initiating any payment transactions. Verification methods vary by device, such as password and biometrics, among other methods. If CDCVM is used, it must be noted in the Terminal Verification Results (TVRs).

Note: DFS allows no-signature or PIN for card-present sales of $50.00 or less, including applicable taxes, gratuities, surcharges, cash overs and / or Discover Pay with Rewards. 3.5.1 CVM Support Considerations When identifying which CVMs to support in the terminal, first check with your Acquirer and Processor to verify which CVMs they support, and then take the following decision factors into consideration.

Decision Factor Description

Assess Terminal Capabilities

Identify the capabilities of the terminal for supporting each CVM.

Identify the Relative Importance of Gaining Processing Efficiency

A PIN can reduce transaction processing time by eliminating the signature requirement. In addition, an offline PIN can make throughput faster, by eliminating online verification processes and network latencies.

Retain Traditional CVM Processing Capabilities

Merchants and VARs should be aware that magnetic stripe cards will continue to be encountered at the point-of-sale, so traditional processes for swiping the card and signing for the transaction will still need to be supported.

Important: For Acquirers and Merchants to take full advantage of the Fraud Liability Shift for lost or stolen cards, they must support both offline and online PIN authentication for contact chip cards.

Page 16: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

16

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

Discover® requires Acquirers and Merchants to support offline and online PIN at parity with Discover when PIN is being supported for any other Payment Networks. 3.5.1.1 Special Considerations for Unattended Terminals An unattended POS device is a device that delivers goods or services when the Cardholder is present but a Cashier is not. Examples of unattended POS devices are fuel dispensers, parking meters and vending machines. Many unattended POS devices that execute low-value transactions do not have communication capabilities; therefore, it is imperative that “No CVM” is supported as a CVM method. Note: Unattended POS Devices are often online-capable to allow issuer authorization and batch data capture. 3.5.1.2 Special Consideration for Automated Fuel Dispensers (AFD) It is recommended that AFDs support Online PIN, Offline PIN (plaintext and / or enciphered) and No-CVM. Since AFDs are considered self-service terminals or unattended, AFD operators should ensure support of the No-CVM cardholder verification method. 3.5.2 PIN Pad Configuration Merchants and VARs should consider the following PIN pad best practices:

• If the PIN pad is separate from the terminal, the addition of a chip card reader with PIN pad enables Cardholders to keep possession of their card throughout the transaction, thus reducing opportunities for card skimming.

• Cardholders should be able to reach the landing zone on a contactless PIN pad or reader. • The placement of a PIN pad should be accessible to all Cardholders. • PIN pads should be designed and placed in a way that prevents fraudsters from “shoulder surfing”

the PIN.

3.5.3. PIN Bypass The U.S. Market is a “chip and choice” environment, with both signature and PIN preferring Issuers. PIN entry bypass is an optional function supported by EMV that enables a manual override of the PIN CVM process. This option is used when PIN is selected as the preferred CVM, but the Merchant wants to allow a Cardholder to sign instead. An example of PIN bypass is when the Cardholder has forgotten their PIN. If PIN bypass is used, this must be noted in the TVR. Merchants and VARs should check with their Processors before enabling PIN bypass.

Page 17: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

17

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

3.6 Terminal Risk Management (Contact D-PAS Step 7) Chip-enabled terminals complete several checks to confirm that transaction processing is occurring within the risk limits set by the Payment Brand, Acquirer Processor and the Issuer. The following table outlines both mandatory and optional checks to be programmed in the terminal. Note that the Acquirer Processor may have already pre-programmed these parameters in the terminal.

Check Mandatory / Optional

Description

Floor Limits Mandatory Merchants / VARs may use the chip card terminal floor limits associated with each Merchant category or choose a zero floor limit. It is recommended that terminals that are capable of storing multiple floor limits specify separate floor limits for magnetic stripe and chip card transactions. To support a floor limit other than $0 (or local equivalent), the terminal must be able to store a separate floor limit for magnetic stripe and chip card transactions.

Random Transaction Selection

Mandatory Acquirers are advised to work with their Merchants to identify the terminal settings for random transaction selection. It is recommended that terminal parameters are adjusted to ensure that a bias is applied.

Exception File Optional It is recommended that exception file checking is performed at offline-only terminals. Talk to your Acquirer Processor for more details.

Transaction Forced Online

Optional

Merchants can implement a function that allows the Attendant to manually force a transaction online. This function can be employed if the Attendant is suspicious of the Cardholder and wants to ensure that the Issuer authorizes the transaction. If Merchants would like to implement transaction forced online functionality, Merchants and VARs should work with their Acquirer Processor to set guidelines for when this functionality should be used.

Page 18: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

18

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

3.7 First Terminal Action Analysis (Contact D-PAS Step 8 and Contactless D-PAS Step 7) A terminal / reader device performs the first Terminal Action Analysis step using different considerations for contact or contactless D-PAS transactions. 3.7.1 Contact D-PAS The terminal stores the results of the previous steps and analyzes them to make a recommendation to the chip card as to whether it should decline, send online or approve the transaction. Rules governing the levels of acceptable risk for various transaction conditions are set for:

• The terminal by the Payment Brand and the Acquirer via rules called Terminal Action Codes (TACs).

• The chip card by the Issuer via card rules called Issuer Action Codes (IACs).

For the purposes of this Guide, DFS is the Payment Brand responsible for setting the TACs. The applicable D-PAS contact TAC values listed in the following table must be stored in terminals as a prerequisite to the acceptance of chip cards. Terminals must store only the set of TAC values that is relevant to the functionality supported by the terminal. Note that there are no TACs for contactless transactions. Refer to Section 5.2 Discover® EMV Program Matrix for TAC values for Discover Network D-PAS and Discover® Debit U.S. Common AID, JCB J/Smart and UnionPay UICS. 3.7.2 Contactless D-PAS This step is completed with the contactless card or payment device outside of the landing zone and includes card / device application recommendations collected during Step 2 – Initiate Application Processing. As part of this step the following checks are performed by the terminal: card decision, CDA check results, application expiry date check and processing restrictions results.

Page 19: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

19

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

3.8 Transaction Completion (Contact D-PAS Step 13 & Contactless Step 9) 3.8.1 Transaction Completion for Contact D-PAS In Step 10, the terminal sends the transaction online to the Issuer. As a response to the online processing request, the Issuer then returns an Authorization Response, which approves or declines the transaction. The terminal may perform a Second Terminal Action Analysis (Step 11). The contact card may also perform a Second Card Action Analysis (Step 12). Transaction completion (Step 13) occurs when the terminal receives either an approval or decline response to one of its cryptogram requests. The terminal then executes the approval or decline requested by the chip card. At the conclusion of processing, the transaction result is displayed to the Cardholder. The receipt is printed or emailed (and signed if required), and the terminal stores any required transaction data. 3.8.2 Transaction Completion for Contactless D-PAS Please note that for Contactless D-PAS, online processing (Step 8) is conditional. It must be performed only if the final decision taken by the card is to perform an online transaction. Contactless D-PAS Step 9 is the final step of the transaction. This step tells the Cardholder the final decision and processes additional functions depending on the decision taken. The results could be one of the following:

• Offline processing: Approval or decline – Transaction is not sent to the issuer for decisioning. • Online processing: Approval or decline – Transaction is sent to the Issuer for decisioning. • Switch to another interface.

3.8.3 Switch to Another Interface (Contactless D-PAS Only) If the transaction cannot be processed using the contactless interface, and the contactless card or payment device supports another interface, then the terminal will indicate that the cardholder use an alternate interface.

From To Comments

Contactless D-PAS Contact D-PAS The terminal may switch to contact chip interface due to several reasons. The transaction is restarted as a standard Contact D-PAS transaction.

Contactless D-PAS Magnetic Stripe Transaction

If the switch to contact D-PAS is not possible, the transaction must switch to a magnetic stripe transaction. Magnetic stripe transactions have a higher risk than D-PAS; therefore, it must follow specific rules:

• The transaction must go online. • The transaction must be identified with a specific fallback indicator

value. See 3.10 for more details.

Page 20: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

20

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

3.8.4 Receipt Requirements The following table lists the EMV data that may be added to the receipt.

Receipt Data Requirement

AID Mandatory

Approval Code Mandatory: Include either an online approval code or an offline approval code created by the terminal.

Cryptogram Optional

Application Preferred Name or Application Label

Optional

PIN Verification Statement Optional Note: In addition to the EMV receipt requirements listed above, Discover® has additional receipt requirements that are listed in the Operating Regulations. Please consult your Processor for complete receipt requirements. 3.9 Conclusion of Processing / Chip Card Deactivation and Removal 3.9.1 Contact Deactivation and Removal (Contact D-PAS Step 15) The terminal displays the result of the transaction to the Attendant and the Cardholder as follows:

• If the transaction has been declined, the terminal displays an appropriate message and then indicates that the chip card can be removed from the reader.

• If the transaction has been approved, the terminal displays a message indicating that the chip card can be removed from the reader and prints a receipt.

• If a signature was provided, the Attendant compares the signature on the receipt with the signature on the back of the card.

3.9.2 Contactless Transaction Conclusion The transaction result is displayed on the terminal to the Cardholder and the Merchant. It can also be displayed on the reader. A receipt can be printed or e-mailed as required by Merchant or Cardholder.

Page 21: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

21

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

3.10 Technical Fallback Technical fallback may occur when a chip card is used at a chip-enabled terminal, but a technical failure of the card or the terminal prevents the transaction from being processed using the chip’s functionality. With all chip cards, technical fallback must be correctly identified in the authorization message so that the Issuer can make an informed decision whether to approve or decline the technical fallback transaction. All technical fallback transactions must be sent online. 3.10.1 Fallback Scenarios The following table shows common scenarios encountered and whether these transactions should be flagged as fallback or not. Please consult your Processor for specific fallback indicators.

Mode Transaction Needs to be Flagged as Fallback

Comments

Unknown AID or AID Not Found

No If the terminal is not able to recognize any of the applications supported by card, the terminal should allow the transaction to be processed as magnetic stripe.

Chip Card Error Yes A technical error in communication between the card and terminal has prevented a chip transaction taking place. The terminal should prompt the Cardholder to swipe the card.

Blocked Application No The terminal should terminate the transaction and it should not allow the Cardholder to initiate a magnetic stripe transaction.

Blocked Card No The terminal should terminate the transaction and it should not allow the Cardholder to initiate a magnetic stripe transaction.

Switch Interface Request from Contactless D-PAS to MS

Yes If a transaction cannot be completed as contactless D-PAS, and if a switch to contact D-PAS interface is not possible, the transaction must switch to a magnetic stripe.

Page 22: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

22

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

3.11 Special Considerations for Merchants in the Restaurant / Bar, Lodging, Car Rental and Petro Industries 3.11.1 Handling of Pre-Authorizations Restaurants, bars, hotels, card rentals and gas stations should continue to request pre-authorizations as done today for magnetic stripe swiped transactions. Pre-authorizations can be processed by:

1. Inserting or tapping the cardholder chip card or contactless device: In this scenario, the terminal should retain pre-authorization data elements necessary to complete the sale. This includes:

• Chip related data • Account number • Expiration date

Because of PCI requirements, the terminal should extract and retain only the necessary data from the chip.

2. As a card on file: Use existing magnetic stripe processing Important: Gas stations accepting chip cards or contactless devices, should continue to submit a one-dollar pre-authorization at Automated Fuel Dispensers (AFD) and completing an authorization advice message with the actual sale amount within 60 minutes of fuel delivery. 3.11.2 Incremental Authorizations In some instances, the pre-authorization is not sufficient to cover the amount to be charged to the cardholder. In this case an Incremental Authorization(s) may be used. Similar to any pre-authorization incremental authorizations are processed by:

1. Inserting or tapping the cardholder chip card or contactless device: In this scenario, the terminal should retain data elements necessary to complete the sale. This includes:

• Chip related data • Account number • Expiration date

Because of PCI requirements, the terminal should extract and retain only the necessary data from the chip.

2. As a card on file: Use existing magnetic stripe processing 3.11.3 Sale Completion Sale completion occurs when the final transaction amount is known and the merchant is ready to charge the cardholder. If a pre-authorization or incremental authorization was completed with a chip card or contactless device, the clearing message needs to include chip related data and its associated data elements.

Page 23: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

23

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 3: Implementing D-PAS

3.11.4 Terminal Configuration for AFDs Transactions at AFDs must be transmitted online. Terminal parameters should be set in the following ways to ensure transactions are always authorized online: • Configured to act as an online-only, unattended terminal • Utilize a $0 floor limit • Utilize the following Terminal Action Codes (TACs): TAC values for Offline Data Authentication Supported Terminal Action Code – Denial = ‘0010000000’ Terminal Action Code – Online = ‘FCE09CF800’ Terminal Action Code – Default = ‘DC00002000’ TAC values for Offline Data Authentication Not Supported Terminal Action Code – Denial = ‘0010000000’ Terminal Action Code – Online = ‘FFFFFFFFFF’ Terminal Action Code – Default = ‘FFFFFFFFFF’

Page 24: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

24

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 4: Point-of-Sale Solution Selection

Merchants and Issuers should carefully consider the type of point-of-sale (POS) solution that best works for their business model and the needs of their Customers. They also should consider the certification requirements for each option, including device certification and end-to-end certification. The following table outlines solutions available in the market. Please contact your Terminal Manufacturer and Processor for more details and options.

POS Type Description

Stand-Alone Chip-enabled terminal device or peripheral is connected directly to the Acquirer Processor. Updates are managed by the Acquirer. Ideal for small Merchants currently using stand-alone terminals.

Semi-Integrated Chip-enabled terminal device or peripheral is integrated into a new or existing POS software application. The payment device can be connected through a payment gateway or directly to the Acquirer. Terminal updates are managed either by the Payment Gateway or the Acquirer.

Integrated Chip-enabled reader is fully integrated into the POS solution or a stand-alone peripheral. Merchant, Payment Gateway and/or Acquirer / Processor may be responsible for managing terminal updates.

4.1 Device Certification Device certification is completed by the Device Manufacturer or Original Equipment Manufacturer. Below are some common terms used during the device certification process.

• EMV Kernel is a set of functions that provides all the necessary processing logic and data that is required to perform an EMV contact or contactless transaction. The kernel will be called from the terminal's payment application and utilize the Interface Device (IFD) to perform necessary data exchanges with the card4. Note: Contactless EMV requires a kernel for each Payment Network implemented.

• Level 1 Approval (Hardware): Level 1 tests compliance with the electromechanical characteristics (contact) or the analog characteristics (contactless) and logical protocol requirements defined in the EMV Specifications.5

• Level 2 Approval (Software): Level 2 type approval process tests compliance with the application requirements as defined in the EMV Specifications.5 - Please Note: Contactless Level 2 approvals follow the individual Payment Network

requirements. A valid contactless Level 1 Letter of Approval (LoA) is a prerequisite to contactless Level 2 certification.

Discover® Type Approval (for EMV contactless devices only): Verification by Discover that a specified composite Target of Evaluation (TOE) has demonstrated sufficient conformance to the Discover Specifications5 for its stated purpose and Discover specifications are used6. EMVCo does not have a single common contactless specification for terminals as there is for contact terminals. 5 Source: EMVCo www.emvco.com 6 Source: Type Approval Process V2.2

Page 25: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

25

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 4: Point-of-Sale Solution Selection

4.1.1 Device Certification Requirements Device certification should be completed prior to beginning end-to-end (E2E) certification. Because Level 1 and Level 2 approvals do expire, EMVCo and Discover Network require approvals to be renewed at defined intervals to maintain compliance. Please check with your Terminal Provider, Acquirer or Processor for Level 1 and Level 2 expiry dates.

Certification Type What it includes Certification initiator

Contact EMV Contactless EMV

Level 1 Addresses hardware conformance with EMV specifications EMVCo EMVCo

Level 2 Addresses application software conformance EMVCo The certification for Discover Network

is called "Discover Type Approval"

4.2 End-to-End Certification Requirements E2E terminal certification must be completed for each Payment Network supported by the terminal. Each terminal application, combined with any middleware software product, should be certified by each Processor. The purpose of E2E testing is to:

• Demonstrate that the deployed terminals meet the requirements of both the Acquirer and the Discover Network.

• Demonstrate the terminals’ acceptance of D-PAS. • Send authorization requests and receive authorization responses among terminals, Acquirer host

systems and Discover Network. • Demonstrate that terminals can process chip-based functions including PINs, fallback transactions

and CVMs as supported by the terminal. A high-level example of an end-to-end environment is provided in the following figure. For detailed information regarding the system architecture, requirements and configuration refer to the approved Test Tool documentation.

Page 26: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

26

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 4: Point-of-Sale Solution Selection

Initiator Requirements E2E Fulfillment

ISV Terminal Product Already Certified

Acquirer / Processor

Fully-Integrated Solution Contact: EMVCo Level 1 and Level 2 Contactless and Mobile: EMVCo Level 1 and DFS type approval

Gateway Test Plan Supporting Semi-Integrated Solutions

Provided by processor • Contact D-PAS test plan • Contactless D-PAS test Plan

Original Equipment Manufacturer (OEM)

End-to-End Test Tool

EMV-Capable POS Terminal / Peripheral

1. Issuer host simulator 2. Card simulator or test card plastics 3. Test tool

Consult with your Processor before buying any E2E tool. Acquirer / Processor defines use of physical or card simulator.

4.2.1 Discover® Quick Chip The objective of Discover Quick Chip is to offer Merchants increased flexibility in connection with EMV implementation that may help merchants streamline chip card transaction processing on chip-enabled terminals. Please contact [email protected] to obtain a copy of the Discover Contact D-PAS: Discover Quick Chip Implementation Guide, which describes the modified D-PAS deployment procedures that are required to implement Discover Quick Chip.

Discover® D-PAS or Payment Device

Discover-Approved Smart Card Simulator Terminals

Acquirer Host Acquirer Test Tool

Page 27: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

27

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 4: Point-of-Sale Solution Selection

4.3 Production Validation Requirements Production validation is required to verify that D-PAS- and J/Smart-certified terminals, and the associated infrastructure, are performing correctly in the production environment. Production validation must be performed in a live environment as part of an initial pilot or rollout for each unique combination of terminal, application and Processor. Production validation test transactions are executed using live but unfunded D-PAS and J/Smart test cards at deployed terminals or terminals in a live laboratory environment. To request production validation test cards, please contact [email protected]. 4.3.1 Steps to Complete Production Validation: To complete production validation, please follow these steps:

• Process a $1.00 sales amount of higher – Please use all the cars provided for this purpose. • A “Decline” response such as “Restricted Card” is expected. • Responses such as “Application not found” or “Application error” indicated that the terminal is not

enabled to accept Discover Network Chip cards. • Notify Discover® that testing was completed so that we can validate the test transactions. Please

email [email protected].

Page 28: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

28

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 5: Production Rollout

5.1 Production Rollout Check List The following list highlights important steps in ensuring a successful EMV rollout for Merchants and VARs. This not intended to be a compressive list. Please consult with your Processor or Discover Network for more details.

Certification

Check with your terminal provider, acquirer and processor to confirm who is responsible for renewing Level 1 and Level 2 certifications.

Complete E2E certification for each unique terminal application and configuration combination if utilizing a fully-integrated solution.

Confirm that your partner completed E2E certification if utilizing a semi-integrated solution.

Terminal Configuration / Terminal Management

Confirm who is responsible for updating your terminals: adding new AIDs, updating or replacing CA PKs, etc. Verify AIDs have been loaded on the EMV terminals. (See Table 5.2 for details). Ensure production CA PKs were loaded and replaced test CA PKs. Ratify the Application Version Number Check is “0001.” It is recommended that terminals hold one additional

Application Version Number slot open for future use. Confirm the terminal can store up to six CA PKs per card brand. Ensure TACs were properly coded. Support for the minimum chip card-related data elements for authorization and batch data capture.

If supporting Contactless D-PAS

If supporting contact and contactless D-PAS, terminals must not allow both interfaces to be activated simultaneously. If one interface is powered on, the other interface must be switched off.

Support Zip AID to allow for application switch from Contactless D-PAS to magnetic stripe. Set terminal amount limits (if any) based on Merchant decision and direction received from your Processor. Please

note that Discover® does not have any transaction amount limit established for contactless D-PAS transactions. Add decal signage at your POS advertising your merchant accepts contactless payments

Training and Pilot

Train your employees on how to process contact and contactless transactions. Review the resources that Discover has created to assist you with this task www.discovernetwork.com/chip-card/merchants/resource_center.html

Request production validation EMV test cards by contacting [email protected]. Complete production validation test transactions. Validate purchase, refund and cancellations. Confirm receipt is printing EMV-related data. Follow fallback to magnetic stripe processing.

Page 29: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

29

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 5: Production Rollout

Other Important Consideration

Ensure support for all Discover® IIN/BIN ranges. (See Appendix D). Validate acceptance of a variable PAN length of up to 19 bytes. Support for terminal floor limits. Terminals accepting a PIN must comply with the PCI PED security requirements.

5.2 Discover® EMV Program Matrix (V2.0 Published Jan 2017) The following table summarizes AID parameters supported by Discover for the U.S. market.

D-PAS (Proprietary) Discover U.S. Common debit JCB J/Smart

Unionpay integrated circuit cards (UICS)

Discover® Zip® Contactless

Magnetic Strip

Cre

dit

Qua

si C

redi

t

Deb

it

U.S

. C

omm

on A

ID

AID A0000001523010 A0000001524010 A0000000651010 A000000333010102

A000000333010103

A000000333010101

A000000333010108 A0000003241010

Partial Match Allowed and strongly encouraged Not allowed

Allowed and strongly

encouraged

Example of Issuers

Discover Card, Diners® and Net to Net Partners (BC Card, RuPay, elo Interswitch, etc.).

Discover Debit Card, PULSE®

issuers.

JCB branded cards UnionPay branded cards Discover Card

Interfaces Supported Contact EMV & Contactless EMV Contact EMV Contact EMV Contactless

Magnetic Strip

Application Version Number

0001 (Recommend

terminals hold one additional slot open for DFS future use.)

0001 (Recommend terminals hold

one additional slot open for DFS future use.)

0200 (for EMV v4.x compliance) 0120 (for EMV

v3.1.1 compliance)

0020 (For both v3.1.1 & v4.x Compliance)

Fallback to Magnetic Stripe

Supported when chip cannot be read (damaged). Supported when chip cannot be read (damaged).

For AID Not Found

Transaction should be initiated by magnetic strip but should not be coded as fallback.

Transaction should be initiated by magnetic strip but should not be coded as fallback.

For Application Blocked

Not allowed

PIN

PIN Support If PIN is supported for any payment brand, Online PIN and Offline PIN must be supported for Discover Network

PIN Bypass Supported

(Continued on next page.)

Page 30: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

30

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 5: Production Rollout

D-PAS (Proprietary) Discover® U.S. Common debit JCB J/Smart

Unionpay integrated circuit cards (UICS)

Discover® Zip® Contactless

Magnetic Strip

Cre

dit

Qua

si C

redi

t

Deb

it

U.S

. C

omm

on A

ID

Contact EMV

TACs for Contact Interface

ODA Supported

ODA Not Supported

ODA Supported

ODA Not Supported

ODA Supported

ODA Not Supported ODA Supported / ODA

Not Supported

Denial 0010000000 0010000000 0010000000 0010000000 0010000000

0010000000

Online FCE09CF800 30E09CF800 FCE09CF800 FFFFFFFFFF FC60ACF800

D84004F800

Default DC00002000 1000002000 DC00002000 FFFFFFFFFF FC6024A800 or

FC60242800 D84000A800

Offline Transaction Limit

Allowed, please contact processor for details. DFS limit

is $300.00 (with MCC exceptions)

Online Authorization is required for all Transactions originating from Discover U.S. Common

Debit AID

Allowed, please contact processor for details. DFS

limit is $300.00 (with MCC exceptions)

Online Authorization is required for all UP

Transactions.

EMV Fraud Liability Shift

October 2015, all industries except AFD

October 2020, AFD

October 2015, all industries except AFD

October 2020, AFD

As of publication date, JCB has not announced EMV FLS

for the U.S for transactions processed through Discover Network

As of publication date, UnionPay has not

announced EMV FLS for the U.S for transactions

processed through Discover Network

CVM Supported

Online PIN, Offline Enciphered PIN, Offline Plaintext PIN,

Signature, No CVM

Online PIN, No CVM, Signature (via No CVM)

Online PIN, Offline Enciphered PIN, Offline Plain Text PIN, Signature, No CVM

Online PIN,

Offline Plaintext

PIN, Signature, No CVM

Online PIN, No CVM, Offline

Plaintext PIN

Terminal ODA Requirement

All offline-capable contact chip Terminals are required to

support SDA and DDA, it is recommended that they also

support CDA.

ODA support is optional. If support ODA, terminal must

support both SDA and DDA. CDA support is optional. If it is

supported by the terminal, it must be supported using

All offline-capable contact chip Terminals are required to

support SDA and DDA, it is recommended that they also

support CDA.

All offline-capable contact chip Terminals are

required to support SDA and DDA, it is

recommended that they also support CDA.

(Continued on next page

Page 31: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

31

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 5: Production Rollout

D-PAS (Proprietary) Discover® U.S. Common debit JCB J/Smart

Unionpay integrated circuit cards (UICS)

Discover® Zip® Contactless

Magnetic Strip

Cre

dit

Qua

si C

redi

t

Deb

it

U.S

. C

omm

on A

ID

Contactless EMV

TACs for Contactless Interface

Do not apply. Contactless D-PAS do

not require TACs.

Do not apply. Contactless D-PAS do

not require TACs.

Offline Transaction Limit

Allowed, please contact processor for details. DFS limit is

$300.00 (with MCC exceptions)

Online Authorization is required for all Transactions

originating from Discover U.S.

Common Debit AID

Contactless Transaction Limit

No limit No limit

EMV FLS

As of publication of this document,

Contactless transactions do not fall into EMV FLS

As of publication of this document,

Contactless transactions do not fall

into EMV FLS

CVM Supported

Online PIN Signature No CVM

Online PIN No CVM

Signature (via No CVM)

Terminal ODA Requirement

All offline-capable contactless Terminals

are required to support CDA.

ODA support is optional.

If support ODA, terminal must support

CDA.

(Continued on next page.)

Page 32: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

32

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Chapter 5: Production Rollout

D-PAS (Proprietary)

Discover® U.S. Common debit JCB J/Smart

Unionpay integrated circuit cards (UICS)

Discover® Zip® Contactless

Magnetic Strip

Cre

dit

Qua

si C

redi

t

Deb

it

U.S

. C

omm

on A

ID

Others

Default DDOL Must include the Unpredictable Number.

TDOL and Terminal Exception File

D-PAS, J/Smart & UICS does not require default terminal TDOL and terminal exception file

No CVM Policy

Per DFS Operating Regulations, transactions below $50 do not require CVM. Please contact your processor to confirm requirements for No CVM.

Production Validation Required, using unfunded cards

CAPKS

Test Environment

Yes, same for both Discover Proprietary and Debit Common AIDs

J/Smart test CAPK with

length 1408 bits UCIS Test keys

Production Environment

Yes, same for both Discover Proprietary and Debit Common AIDs

J/Smart Production

CAPKs UCIS Production Keys

Test Cards

Test Environment, physical test cards

One pack contains Contact and Contactless D-PAS including Debit, J/Smart & UICS test cards.

Production Environment, unfunded cards

Available upon request. One pack contains Contact D-PAS, J/Smart & UICS test cards.

Page 33: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

33

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Appendix A

DFS CA Test Payment System Public Keys 1. Key Length 1152 Bits – PKI 91 Test

Field Name Length Description Value

RID 5b Identifies the payment system to which the CA PK is associated

A0 00 00 01 52

CA Public Key Index 1b Identifies the CA PK in conjunction with the RID

5B

CA Hash Algorithm Indicator

1b Indicates the hash algorithm used to produce the Hash Result in the digital signature scheme

01

CA Public Key Algorithm Indicator

1b Indicates the algorithm to be used with the CA PK

01

CA Public Key Modulus

144b Value of the modulus part of the CA PK

D3 F4 5D 06 5D 4D 90 0F 68 B2 12 9A FA 38 F5 49 AB 9A E4 61 9E 55 45 81 4E 46 8F 38 20 49 A0 B9 77 66 20 DA 60 D6 25 37 F0 70 5A 2C 92 6D BE AD 4C A7 CB 43 F0 F0 DD 80 95 84 E9 F7 EF BD A3 77 87 47 BC 9E 25 C5 60 65 26 FA B5 E4 91 64 6D 4D D2 82 78 69 1C 25 95 6C 8F ED 5E 45 2F 24 42 E2 5E DC 6B 0C 1A A4 B2 E9 EC 4A D9 B2 5A 1B 83 62 95 B8 23 ED DC 5E B6 E1 E0 A3 F4 1B 28 DB 8C 3B 7E 3E 9B 59 79 CD 7E 07 9E F0 24 09 5A 1D 19 DD

CA Public Key Exponent

1b CA PK Exponent equal to 3 03

CA Public Key Check Sum

20b A check value calculated on the concatenation of all parts of the CA PK (RID, CA Public Key Index, CA Public Key Modulus, CA Public Key Exponent) using SHA-1

4D C5 C6 CA B6 AE 96 97 4D 9D C8 B2 43 5E 21 F5 26 BC 7A 60

Page 34: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

34

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Appendix A

2. Key Length – 1408 Bits – PKI 92 Test

Field Name Length Description Value

RID 5 Identifies the payment system to which the CA PK is associated

A0 00 00 01 52

CA Public Key Index 1 Identifies the CA PK in conjunction with the RID

5C

CA Hash Algorithm Indicator

1 Indicates the hash algorithm used to produce the Hash Result in the digital signature scheme

01

CA Public Key Algorithm Indicator

1 Indicates the algorithm to be used with the CA PK

01

CA Public Key Modulus

176 Value of the modulus part of the CA PK

83 3F 27 5F CF 5C A4 CB 6F 1B F8 80 E5 4D CF EB 72 1A 31 66 92 CA FE B2 8B 69 8C AE CA FA 2B 2D 2A D8 51 7B 1E FB 59 DD EF C3 9F 9C 3B 33 DD EE 40 E7 A6 3C 03 E9 0A 4D D2 61 BC 0F 28 B4 2E A6 E7 A1 F3 07 17 8E 2D 63 FA 16 49 15 5C 3A 5F 92 6B 4C 7D 7C 25 8B CA 98 EF 90 C7 F4 11 7C 20 5E 8E 32 C4 5D 10 E3 D4 94 05 9D 2F 29 33 89 1B 97 9C E4 A8 31 B3 01 B0 55 0C DA E9 B6 70 64 B3 1D 8B 48 1B 85 A5 B0 46 BE 8F FA 7B DB 58 DC 0D 70 32 52 52 97 F2 6F F6 19 AF 7F 15 BC EC 0C 92 BC DC BC 4F B2 07 D1 15 AA 65 CD 04 C1 CF 98 21 91

CA Public Key Exponent

1b CA Public Key Exponent equal to 3

03

CA Public Key Check Sum

20 A check value calculated on the concatenation of all parts of the CA PK (RID, CA Public Key Index, CA Public Key Modulus, CA Public Key Exponent) using SHA-1

60 15 40 98 CB BA 35 0F 5F 48 6C A3 10 83 D1 FC 47 4E 31 F8

Page 35: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

35

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Appendix A

3. Key Length – 1984 Bits – PKI 93 Test

Field Name Length Description Value

RID 5b Identifies the payment system to which the CA PK is associated

A0 00 00 01 52

CA Public Key Index 1b Identifies the CA PK in conjunction with the RID

5D

CA Hash Algorithm Indicator

1b Indicates the hash algorithm used to produce the Hash Result in the digital signature scheme

01

CA Public Key Algorithm Indicator

1b Indicates the algorithm to be used with the CA PK

01

CA Public Key Modulus

248b Value of the modulus part of the CA PK

AD 93 8E A9 88 8E 51 55 F8 CD 27 27 49 17 2B 3A 8C 50 4C 17 46 0E FA 0B ED 7C BC 5F D3 2C 4A 80 FD 81 03 12 28 1B 5A 35 56 28 00 CD C3 25 35 8A 96 39 C5 01 A5 37 B7 AE 43 DF 26 3E 6D 23 2B 81 1A CD B6 DD E9 79 D5 5D 6C 91 11 73 48 39 93 A4 23 A0 A5 B1 E1 A7 02 37 88 5A 24 1B 8E EB B5 57 1E 2D 32 B4 1F 9C C5 51 4D F8 3F 0D 69 27 0E 10 9A F1 42 2F 98 5A 52 CC E0 4F 3D F2 69 B7 95 15 5A 68 AD 2D 6B 66 0D DC D7 59 F0 A5 DA 7B 64 10 4D 22 C2 77 1E CE 7A 5F FD 40 C7 74 E4 413 79 D1 13 2F AF 04 CD F5 5B 95 04 C6 DC E9 F6 17 76 D8 1C 7C 45 F1 9B 9E FB 37 49 AC 7D 48 6A 5A D2 E7 81 FA 9D 08 2F B2 67 76 65 B9 9F A5 F1 55 31 35 A1 FD 2A 2A 9F BF 62 5C A8 4A 7D 73 65 21 43 11 78 F1 31 00 A2 51 6F 9A 43 CE 09 5B 03 2B 88 6C 7A 6A B1 26 E2 03 BE 7

CA Public Key Exponent

1b CA Public Key Exponent equal to 3

03

CA Public Key Check Sum

20b A check value calculated on the concatenation of all parts of the CA PK (RID, CA Public Key Index, CA Public Key Modulus, CA Public Key Exponent) using SHA-1

B5 1E C5 F7 DE 9B B6 D8 BC E8 FB 5F 69 BA 57 A0 42 21 F3 9B

Page 36: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

36

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Appendix B

DPAS Acronyms

Acronym Meaning

AC Application Cryptogram AFD Automated Fuel Dispenser AID Application Identifier CA Certification Authority CAPK Certification Authority Public Key CAPKI Certification Authority Public Key Index CDDA Combined Dynamic Data Authentication and Application Cryptogram Generation CVM Card Verification Method DDA Dynamic Data Authentication DDOL Dynamic Data Authentication Data Object DFS Discover Financial Services D-PAS D-Payment Application Specification E2E End-to-End EMV Europay, MasterCard, Visa ICC Integrated Circuit Cards ISO International Organization for Standardization NFC Near Field Communication ODA Offline Data Authentication OEM Original Equipment Manufacturer PAN Primary Account Number PIN Personal Identification Number POS Point-of-Sale RID Registered Application Provider Identifier RFF Radio Frequency Field SDA Status Data Authentication TAC Terminal Action Code TDOL Transaction Certificate Data Object List TVR Terminal Verification Results UICS UnionPay Integrated Circuit Chip Card Specifications VAR Value-Added Reseller

Page 37: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

37

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Appendix C

DPAS Terminology

Term Definition

AC A cryptogram computed by the chip card application and used by the Issuer to verify that a request came from the card.

Acquirer An entity that processes credit and debit card payments on behalf of a Merchant. Acquirer Processor A third-party entity designated by an Acquirer and approved by DFS for the purpose of

performing certain Acquirer obligations under the Acquirer Agreement and/or the Program Guides, subject to the limitations and requirements set forth in the Acquirer Agreement, the Acquirer Processor Agreement and the Program Guides.

AID An application identifier made up of the Registered Application Provider Identifier (RID) and the Proprietary Identifier Extension (PIX).

Application PAN A valid Cardholder account number. Authorization The process used to determine whether to approve a card sale or cash advance in

response to an authorization request. Authorization Request A request submitted by a Merchant or Acquirer, through DFS or another person acting on

our behalf, to the Issuer for authorization of a card sale or cash advance. CA PK The key of the CA asymmetric key pair that can be made public. Consists of a:

• CA PK Exponent – The value of the exponent part of the CA PK. • CA PK Modulus – The value of the modulus part of the CA PK.

Cardholder A user of a credit, debit or prepaid payment card product. CDA An offline authentication method performed by the terminal to verify a card via a

dynamic signature that is generated offline by the card and a cryptogram. The offline DDA is a dynamic signature. The online Application Cryptogram Authentication is the second signature.

Chip Card A card with an embedded integrated chip that is a contact chip payment device, a contactless chip payment device or a dual interface payment device.

Chip Card Transaction A card transaction that takes place with a chip card at a chip card terminal that complies with relevant operating regulations and technical specifications.

CVM Method used to ensure that the person presenting the card is the person to whom the application in the card was issued.

DDA Offline Dynamic Data Authentication performed by the terminal to verify the dynamic signature generated by the card for the transaction. Note: The generated dynamic signature is different for each transaction.

EMV The global standard for credit and debit payment cards based on chip card technology. EMV is a trademark owned by EMVCo, LLC.

(Continued on next page.)

Page 38: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

38

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Appendix C

EMVCo The corporation that manages, maintains and enhances the EMV ICC specifications for chip-based payment cards and acceptance devices, including POS terminals and ATMs.

Floor Limit An amount designated in a Merchant Agreement as the amount below which the Merchant is not required to obtain an online authorization for a card sale.

ICC A card that has a chip embedded in it. Chip cards and Discover® Contactless D-PAS Cards embed such a chip.

ISO An agency that establishes and publishes international technical standards. Issuer An entity that has signed a DFS Credit Issuer Agreement for the purpose of issuing

DFS payment cards in accordance with the DFS Operating Regulations and other program documents.

JCB A financial services company based in Tokyo, Japan also known as JCB Co., Ltd. that operates as the JCB payment network in Japan and also issues JCB payment partners on its network for acceptance on its network.

Key A binary value that is used as part of an algorithm to encrypt or decrypt data. Landing Zone The landing zone is the strongest RF point close to the reader. It is identified by the EMVCo

contactless symbol. Merchant An entity engaged in commercial operations that comply with the requirements set out in the

Discover Operating Regulations and other program documents. Merchant Agreement A signed, written agreement between an Acquirer and a Merchant that:

• Permits the Merchant to accept cards as payment for goods and services and cash at the Acquirer’s discretion, but not in exchange for cash, cash equivalents or the funding of value used for future purchases (“quasi-cash”) unless specifically approved in the Acquirer Agreement.

• Describes the terms pursuant to which Acquirer shall pay Settlement Amounts to the Merchant for card transactions accepted by the Merchant.

• Provides a sublicense to the Merchant governing the Merchant’s use of the program marks.

• Describes the program services provided by Acquirer to the Merchant to support card acceptance.

ODA The process of validating a contactless EMV card offline at POS via CDA. PAN The unique identifying number that is assigned by the Issuer to the card at the time of

card issuance. Payment Brand An organization that manages a network to facilitate payments between Cardholders and

Merchants. Payment Device Contactless D-PAS products can be issued in many different forms such as key fobs,

stickers or mobile phones. These devices are collectively known as “contactless payment devices.”

PIN The personal identification number or code assigned by an Issuer that may be used by the Cardholder to facilitate a card sale or cash advance on a POS device.

PIX An optional data element assigned by the application provider of up to 11 bytes which is part of the structure of the AID.

(Continued on next page.)

Page 39: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

39

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Appendix C

PKI Identifies a CA PK pair used in CDA. Plaintext Unenciphered information. POS Device An electronic card reader, chip card terminal, cash register or terminal and any necessary

software, located at the physical premises of a Merchant that is capable of electronically capturing data from cards and receiving electronic evidence of authorization responses and which may also be capable of transmitting electronic evidence of sales data.

Reader A device that can communicate with a contactless D-PAS card using the RF interface. Readers may be physically separate from a terminal or integrated inside.

RF Field Radio Frequency Field. Contactless field generated by the Contactless Reader. The Contactless Card must enter the RF field near the Reader landing zone to initiate a Contactless Transaction.

RID Part of an AID that is unique to an application provider and assigned according to ISO / IEC 7816-5.

SDA An authentication performed by the terminal to verify the static signature placed on a card during the card personalization process.

Terminal An electronic device that accepts and processes payment transactions. Terminal Contactless CVM Limit

This data sets the CVM limit for a particular AID based on the amount of the transaction. If the amount of the transactions is greater than or equal to this limit, the terminal will ask the card to perform Cardholder Verification.

Token A surrogate value for a PAN that limits exposure to the PAN. VAR An entity that adds features or services to an existing product, then resells it (usually to end-

users) as an integrated product or complete turnkey solution.

Page 40: D-PAS U.S. Chip Terminal Guide - Discover Global … Gateways, in meeting chip card point-of-sale (POS) terminal requirements that are specific to ... specifications, ...

40

© 2017 DFS Services LLC ½ Confidential & Proprietary. Do Not Copy or Distribute.

Appendix D

Issuer Identification Number (IIN) Ranges that Operate on the Discover network:

Discover® iin (bin) Range Table

Start End Issuing Network Credit / Debit Min Digits Max Digits 30000000 30599999 DCI Credit 16 19 30950000 30959999 DCI Credit 16 19 35280000 35899999a JCB Credit 16 19

36000000 36999999b DCI Credit 14 19 38000000 39999999 DCI Credit 16 19 60110000 60110399 DN Both 16 19 60110400 60110499 PayPal Credit 16 19 60110500 60110999 DN Both 16 19 60112000 60114999 DN Both 16 19 60117400 60117499 DN Both 16 19 60117700 60117999 DN Both 16 19 60118600 60119999 DN Both 16 19 62212600 62292599c UnionPay Both 16 19 62400000 62699999c UnionPay Credit 16 19 62820000 62889999c UnionPay Credit 16 19 64400000 65059999 DN Both 16 19 65060000 65060099 PayPal Credit 16 19 65060100 65060999 DN Both 16 19 65061000 65061099 PayPal Credit 16 19 65061100 65999999 DN Both 16 19

a. This IIN Range (35280000 to 35899999) shall be enabled only by Merchants, Acquirers or their Processors in connection with

Merchant relationships, POS Devices or otherwise, within the 50 States of the United States of America and the District of Columbia, Puerto Rico, the US Virgin Islands, the Northern Mariana Islands, Palau, and Guam, subject to certain exceptions in Acquirer Agreements where applicable.

b. The PAN length for this IIN Range (36000000 to 36999999) is 14 digits. c. The UnionPay IIN Ranges shall be enabled only by Merchants, Acquirers, or their Processors in connection with Merchant

relationships, POS Devices or otherwise, in the United States, Mexico, and the Caribbean* * The United States of America, includes fifty States, the District of Columbia and all other U.S. territories, Protectorates, and non-domestic U.S. military bases including American Samoa, Federated States of Micronesia, Guam, Marshall Islands, Northern Mariana Islands, Palau, Puerto Rico and the U.S. Virgin Islands.