Issuer Risk Management Parameters
Issuer Risk Management Parameters are described below.
Issuer Risk Management
- Criteria to consider when deciding on the outcome of a transaction
- Risk Management criteria have an impact on the outcome of the transaction
- The issuer should decide how much of the bank risk management will be done offline and how much online.
- Risk Management criteria on the card
- Issuer Action Codes
- Offline Transaction Limits
Issuer Risk Management-TVR
Terminal Operation Log (TVR)
- Keeps the results of transactions performed on a transaction with an EMV card
- It gives us access to all the details about the EMV transaction
- It is the most important parameter that is controlled while deciding the result of the EMV process.
Terminal Verification Results (TVR)
- The transaction log of the transactions performed by the terminal. It is very effective in the decision of the card and the Issuer bank regarding the transaction.
- Offline Card Verification was not performed
- Offline static card verification failed
- Data elements of the card are missing
- The card is in the terminal’s exception file
- Offline dynamic card verification failed
- Card and terminal have different version numbers
- The app on the card has expired
- The application on the card is not yet available for use.
- The requested service is not an allowed service
- Card is used first
- Cardholder verification failed
- CVM could not be interpreted
- PIN Tries exceeded
- PIN entry required, but PIN Pad missing or not working
- PIN input required, PIN Pad available but no PIN entered
- Online PIN entered
- Transaction amount is above floor limit
- Lower Consecutive Offline Limit exceeded
- Upper Consecutive Offline Limit exceeded
- The transaction was randomly selected to be forwarded online.
- Merchant redirected the transaction online
Risk Management-Issuer Action Codes
1.Issuer Action Codes
- The issuer bank has to determine its decision regarding the transaction for all elements in the terminal log.
- Issuer Action Code – Reject: Conditions set by the issuing bank for the rejection of the transaction
- Issuer Action Code – Online: Conditions set by the issuing bank for the transaction to be directed online
- Issuer Action Code – Default: If the transaction cannot be connected to the online system for any reason after being directed online, the conditions determined by the issuing bank
2.Risk Management-Terminal Action Codes
Terminal Action Codes
- The acquirer bank has to determine the transactional decision for all elements in the terminal log.
- Terminal Action Code – Red: Conditions set by the acquirer bank for the rejection of the transaction
- Terminal Action Code – Online: Conditions determined by the acquirer bank for the transaction to be directed online
- Terminal Action Code – Default: Conditions determined by the acquirer bank in case the transaction cannot be connected to the online system for any reason after the transaction is directed online.
3.Risk Management-Terminal’s Decision
After completing all the controls related to the transaction, the terminal makes one of the following 3 decisions regarding the transaction.
reject transaction
Confirm transaction
Redirect transaction online
The terminal evaluates the action codes of the Issuer and the terminal before making a decision about the transaction.
If it does not find a matching condition as a result of the above checks, it decides to accept the transaction as offline.
Decision Regarding the Transaction | Generated Cryptogram |
Accept | TC |
Red | AAC |
Online | ARQC |
Risk Management-Example
Terminal Log’u (TVR)
- Offline static card verification failed
- The card is in the terminal’s exception file
- The requested service is not an allowed service
- Transaction amount is above floor limit
- PIN Tries exceeded
Issuer Action Code – Red
- The app on the card has expired
- The application on the card is not yet available for use.
Issuer Action Code – Online
- Offline static card verification failed
- Data elements of the card are missing
- Offline dynamic card verification failed
- Card and terminal have different version numbers
- Card is used first
- Cardholder verification failed
- CVM could not be interpreted
Issuer Action Code – Default
- Offline static card verification failed
- Data elements of the card are missing
- Offline dynamic card verification failed
- Card and terminal have different version numbers
- Card is used first
- Cardholder verification failed
- CVM could not be interpreted
4.Risk Management-Offline Transaction Limits
- Limits on the number of consecutive offline transactions that can be made with the EMV Card
- upper limit
- lower limit
- The maximum amount of shopping that can be done in one day with the EMV Card (Offline + Online)
Costs of EMV Migration to Acquirer and Issuer System
Acquirer System-Terminals
- All POS, ATM and CAT terminals must have hardware that can read EMV cards.
- smart card reader
- EMV Level 1 certification
- PIN Pad
- All POS, ATM and CAT terminals must have software features that can interpret EMV cards.
- EMV Level 2 certification
- Processors that will quickly perform cryptographic operations
Acquirer System-Message Structure
- POS, ATM and CAT terminals have to transfer EMV data to the Acquiring system along with other data.
- The Acquiring System should be able to interpret and log the EMV data it receives from the terminal and create the message structure requested by BKM, VISA and MasterCard.
Acquirer System-Certifications
- Acquiring System must successfully complete VISA and MasterCard certifications
- ETEC test suite is used for MasterCard certification
- The sample cards provided by VISA are used for VISA certification.
- These certifications test the Acquiring system for EMV compliance
- Special Acquiring and Issuing System Simulators from MasterCard and VISA are used in certifications.
Issuer System-Card Printing and Personalization System
- Upgrade of existing card printing machines to EMV
- Personalization System (P3): The system where EMV Data and Keys are prepared and card personalization is done securely
- EMV Test Tools: They are used to test EMV cards.
- Quality Control tools: They are used to check the accuracy of the printed EMV cards.
Issuer System-Cards
- Replacing magnetic cards with EMV cards
- Delivery of newly printed cards to the customer
Issuer System-Back Office
- Changing Card and Customer Management Systems
- Changing the end-of-day mechanisms
- Ability of the Authorization System to meet EMV areas
- HSM devices support EMV functions
- Development of the Post-Issuance System
Fallback Transactions
- Fallback Transactions-1
- Transactions made using the magnetic stripe part due to a malfunction in the chip of the EMV card are called “Fallback Transactions”.
- Using the chip always has priority. However, fallback operations are allowed if the chip is unavailable.
- Issuer System should have special authorization criteria for fallback transactions. (For example, the maximum number of consecutive fallback operations)
- Fallback transactions are 0 floor limit transactions. That’s why they always go online.
- There are some fields in the online message format that indicate that the transaction is a fallback transaction.
Fallback Transactions-2
Fallback Transactions-3