Paypass User Guide for TIP Subsets

PayPass User Guide for TIP Subsets
December 2011
Copyright / The information contained in this manual is proprietary and confidential to MasterCard International Incorporated (MasterCard) and its members.
This material may not be duplicated, published, or disclosed, in whole or in part, without the prior written permission of MasterCard.
Media / This document is available in both electronic and printed format.
MasterCard Worldwide - CCoE
Chaussée de Tervuren, 198A
B-1410 Waterloo
Belgium
Fax:+32 2 352 5353
Table of Contents

1Using this Manual

1.1Scope

1.2Audience

1.3Terminology

1.4Language Use

1.5Related Publications

1.6Abbreviations

1.7Notations

1.8History

2Introduction

2.1Terminal Integration Testing Process

2.2Introduction to the TIP Cards

2.3Testing configuration requirements

3Test Cases

3.1Test Case Template Description

3.2Common PayPass M/Chip Test Cases

TC001 - Regression – card does not support any ODA

TC002 - Regression – CDA

TC003 - Regression – different CA key lengths

TC004 - Regression – exponent 2^16+1

TC005 - Regression – Offline-only & ARQC

TC011 - Interoperability – various unexpected data/length

TC012 - Interoperability – CDOL1 includes tags forbidden in DE055

TC021 - Integration/capabilities – OfflinePIN not supported in PayPass

TC022 - Integration/capabilities – No accumulated transaction amount

TC023 - Integration/capabilities – No Velocity Checking

TC024 - Integration/capabilities – cardholder receipt below CVM limit

TC031 - Integration/CVM – only NoCVM below the CVM limit

TC032 - Integration/CVM – only NoCVM below the CVM limit – online transaction

TC041 - Integration/online message – Gratuities / ‘Tips’

TC042 - Integration/online message – Issuer response: successful

TC043 - Integration/online message – Issuer response: unsuccessful

TC045 - Integration/online message – Issuer response contains script

TC046 - Integration/online message – Terminal Country Code not in CDOL1

TC047 - Integration/online message – PAN sequence number from chip

TC048 - Integration/online message – PAN sequence number not returned

TC049 - Integration/online message – Full Grade

TC050 - Integration/online message – New Values in Existing Authorization Fields

TC051 - Integration/online message – Online PIN

TC052 - Integration/online message – Issuer response: wrong online PIN

TC061 - Integration/configuration – Contactless Transaction Limit

TC063 - Integration – Amount known before

TC065 - Integration – PIX extension

TC065b - Integration – PIX extension not supported

TC066 - Integration – service code indicates a chip is present on card

TC067 - Integration – service code indicates OnlinePIN

TC068 - Integration – Following a card decline

TC069 - Integration/capabilities – refund (v2.x)

TC069b - Integration/capabilities – refund (v1.3)

3.3MasterCard PayPass M/Chip Test Cases

TC201 - Regression – SDA

TC221 - Integration/CVM – attended terminal

TC222 - Integration/CVM – CAT1

TC223 - Integration/CVM – CAT2 and CAT3

3.4Maestro PayPass M/Chip Test Cases

TC401 - Integration/capabilities – No PayPass Mag Stripe

TC402 - Integration/capabilities – No SDA

TC410 - Integration/CVM – OnlinePIN above the CVM limit (in Maestro OnlinePIN Market)

TC411 - Integration/CVM – noCVM above the CVM limit (in Maestro OnlinePIN Market)

TC412 - Integration/CVM – Hard limit market

3.5PayPass Mag Stripe Test Cases

TC601 - Interoperability – various unexpected data/length

TC611 - Integration – Service Code checking

TC612 - Integration – ATC in discretionary data

TC613 - Integration – Issuer response: unsuccessful

TC614 - Integration – Traditional Mag Stripe

4Test Scenarios for TIP Subset 8

4.1TIP Subset 8 card details

4.2Using the Test Cards

4.3Test Scenario Template Description

4.4Test Scenarios for MasterCard PayPass M/Chip

4.5Test Scenarios for Maestro PayPass M/Chip

5Test Scenarios for TIP Subset 6

5.1TIP Subset 6 card details

5.2Using the Test Cards

5.3Test Scenario Template Description

5.4Test Scenarios for PayPass Mag Stripe

6Annexes

6.1RSA Keys used

6.2DES Keys used

6.3DES Key Used for PVV and CVC

1Using this Manual

This chapter contains information that helps you understand and use this document.

1.1Scope

This document lists the PayPass Mag Stripe and PayPass M/Chip test casesand test scenarios used for the PayPassTIPor M-TIP.

1.2Audience

This document is intended for use by terminal vendors and Acquirers who want to obtain approval for their PayPass implementation.

1.3Terminology

'Terminal' vs. 'reader'

[PayPass1.3] uses the term “terminal” in order to refer to the device supporting the PayPass application while [PayPass2.x] uses the term “PayPass reader”.

In many cases the PayPass reader is separate from the POS terminal. However, when dealing with (M-)TIP it makes more sense to consider both the separate “reader” and the POS terminal as a single device. Therefore this document will use the term “terminal” or “PayPass terminal” in order to refer to:

the device providing the contactless interface used by the PayPass card and
the device supporting the PayPass application and
the device sending the authorization/clearing messages online.

'Cards'

This document uses the term "card" or "TIP card" but the test tool could also be a card simulator or a probe.

'(M-)TIP'

When a statement applies to both TIP and M-TIP, the term "(M-)TIP" is used. However MasterCard did not define specific PayPassM-TIP subsets or cards so the cards listed in this document are the ones previously defined for the TIP process. Therefore this document will always mention the term "TIP cards", not "(M-)TIP cards".

1.4Language Use

The spelling of English words in this manual follows the convention used for U.S. English as defined in Webster’s New Collegiate Dictionary.MasterCard is incorporated in the United States and publishes in the United States. Therefore, this publication uses U.S. English spelling and grammar rules.

An exception to the above spelling rule concerns the spelling of proper nouns.In this case, we use the local English spelling.

1.5Related Publications

The following publications contain information related to the contents of this manual.

AcqGuide2008 / PPMCAIR V1.0-July 2008 + PayPass M/Chip ApplicationNote17 - Oct 6, 2009
MaestroOnlinePIN / Maestro PayPass Online PIN - Acquirer Implementation Guide v2.0
PayPass2.1 / PayPass– M/Chip Reader Card Application Interface Specification (V2.1) + PayPassM/Chip ApplicationNote#18 (April 12, 2010)
PayPass2.0 / PayPass– M/Chip Reader Card Application Interface Specification (V2.0) + PayPassM/Chip ApplicationNote#15 (April 2, 2009)
PayPass2.x / [PayPass2.1] or [PayPass2.0]
PayPass1.3 / PayPass– M/Chip Technical Specifications (V1.3 - Sept2005) + PayPassM/Chip ApplicationNote#11 (Aug 6, 2008)
MChip2010 / M/Chip Requirements 11 June 2010
CustomerIntfce / Customer Interface Specification – April 2009
TIPguide / Terminal Integration Process Guide - January 2009
MTIPguide / M-TIP Process Guide –14 May 2010
EMV BOOK 1 / ICC Specification for Payment Systems: Application Independent ICC to Terminal Interface Requirements. Version 4.2, June 2008.
EMV BOOK 2 / ICC Specification for Payment Systems: Security & Key Management.Version 4.2, June 2008.
EMV BOOK 3 / ICC Specification for Payment Systems: Application Specification.Version 4.2, June 2008.
EMV BOOK 4 / ICCSpecification for Payment Systems: Cardholder, Attendant and Acquirer Interface Requirements. Version 4.2, June 2008.

1.6Abbreviations

The following abbreviations are used in this manual:

Abbreviation / Description
AAC / Application Authentication Cryptogram
AFL / Application File Locator
AID / Application Identifier
AIP / Application Interchange Profile
an / Alphanumeric
ARQC / Authorization Request Cryptogram
ATC / Application Transaction Counter
b / Binary
CA Public Key / Certification Authority Public Key
CDA / Combined DDA/AC generation
CDOL / Card Risk Management Data Object List
CVM / Cardholder Verification Method
CVR / Cardholder Verification Results
EMV / Europay MasterCard Visa
FCI / File Control Information
hex. / Hexadecimal
IAC / Issuer Action Code
ICC / Integrated Circuit Card
M/Chip / MasterCard Chip
n / Numeric
PAN / Primary Account Number
PDOL / Processing Data Object List
PIN / Personal Identification Number
PPSE / PayPassPayment System Environment
RFU / Reserved for Future Use
RID / Registered Application Provider Identifier
SDA / Static Data Authentication
TAC / Terminal Authentication Code
TC / Transaction Certificate
TRM / Terminal Risk Management
TVR / Terminal Verification Results

1.7Notations

The following notations apply:

Notation / Description
‘0’ to ‘9’ and ‘A’ to ‘F’ / 16 hexadecimal digits.Values expressed in hexadecimal form are enclosed in single quotes (i.e. ‘_’).
1001b / Binary notation.Values expressed in binary form are followed by a lower case ‘b’.
‘abcd’ / an or ans string.
# / Number.
[…] / Optional part.
xx / Any value.

1.8History

The following lists the main changes:

Version / Changes
March 2010 / Original version
July 2010 /

Reviewed the tests to cover the [PayPass1.3] readers
- TestCase TC065b created
- TestCase TC069b created
- TestCase TC211, sub-case 06 created
Better test coverage for the PayPass MasterCard hard limit markets
Other tests were created or updated:
- TC412 was created
- TC613 was updated (Issuer response '51' instead of '05')

August December 2011 /

Added the card version v2.1
Fixed issues with TVR B1b7 instead of B1b3
TC402 (SDA Maestro) does no longer apply for 1.3 because this could be impossible to implement for 1.3 readers. MP72 T04 created accordingly.
Refund: the terminal is not obliged to use the same amount as in the purchase transaction (e.g.: a default zero value could be used instead). Several tests modified accordingly.
Fixed an issue in TC065b and related scenarios: the transaction will not abort after PPSE but after Select AIDs.
Added a pass criteria to ensure ARQC is validated
Fixed minor issues with the CVM 1F03 / 5F03
"(Please provide the receipt)" added in a few tests

2Introduction

This chapter contains an introduction to the TIP and M-TIP testing processes and the TIP cards.

2.1Terminal IntegrationTesting Process

The M-TIP process defined in [MTIPprocess] is applicable for PayPass terminals supporting [PayPass2.x]. In any other case, the TIP process defined in [TIPprocess] applies.

Acquirers must complete the (M-)TIPprocess before deploying and using a terminal in a live environment.

The objective of the(M-)TIP process is to ensure the terminal meets the MasterCard requirements described in [AcqGuide2008].

The current document describes:

the(M-)TIP test cases that are defined to ensure the correct implementation of the MasterCard requirements. Each test case refers to a requirement in [AcqGuide2008]
thetest scenariosthat must be executed in (M-)TIP. The test scenarios refer to one or several test cases. Each test scenario involves a TIP card.

A Test Scenario is a short test procedure permitting to check one or several specification requirements identified in the Test Cases. This is outlined in the figure below:

2.2Introduction to the TIP Cards

About TIP Cards

MasterCard has designed sets of test cards, to allow the acquirer to test that the host and terminal payment applications are compliant with MasterCard requirements. TheTIP cards are grouped into different “subsets” in order to allow targeted testing. For the (M-)TIP process, the following PayPass subsets are used.

For PayPass – M/Chip terminals, the Subset 6 ensures that the PayPass – M/Chip terminals correctly work with PayPass – Mag Stripe cards.
Note that the Subset 6 is also used during Network Interface Validation (NIV) tests of PayPass Mag Stripe terminals. However the current document is (M-)TIP-focused so the Subset 6 will sometimes be referred to as "TIP Subset 6".

The Subset 8 ensures that the PayPass – M/Chip terminals correctly work with PayPass – M/Chip cards.

Number of Cards

The following table summarizes the content of the PayPass TIP Subsets.

Subset / Type / Number of cards
Subset 6 / PayPass Mag Stripe cards / 6
PayPass M/Chip cards / 1
Subset 8 / MasterCard PayPass M/Chip cards / 17
Maestro PayPass M/Chip cards / 17
Total Number of cards / 41

2.3Testing configuration requirements

During the (M-)TIP testing session, the terminal configuration must be as close as possible as it will be in the live environment. In particular, the terminal must be configured as follows.

The list of Application Identifiers (AID) supported by the terminal must be the ones intended for live deployment.
Application Version Number PayPass Mag Stripe: Terminal Application version number shall be set to ‘0001’ for PayPass – Mag Stripe.
Application Version NumberPayPass M/Chip: Terminal Application version number shall be set to ‘0002’ for PayPass – M/Chip.
The Terminal Contactless Transaction Limit, when applicable, shall have the same value as in the field for MasterCard and Maestro applications.
The Terminal Contactless Floor Limit shall have the same value as in the field for MasterCard and Maestro applications
The Terminal CVM Required Limit, when applicable, shall have the same value as in the field for MasterCard and Maestro applications.

However the Certification Authority Public Keys shall be the test keys defined further in this document.

3Test Cases

This chapter lists the high level PayPass M/Chip (M-)TIP Test Cases.

3.1Test Case Template Description

Overview

Below is an example of Test Case. This template is described here after.

TC002 - Regression – CDA
Objective / To ensure that the PayPass terminal performs CDA correctly.
Applicability Conditions / Terminal supports CDA
Reference Documentation / [AcqGuide2008]:Section “2.4.5 Offline Data Authentication Requirements” p2-11
Test Conditions / The transaction amount must be below the Contactless transaction limit.
The AIP byte 1 indicates that CDA is supported.
Data returned by card is such as the transaction can be approved offline*.
Pass Criteria / The terminal shall send request a TC with CDA (‘50’) in the generate AC.
Transaction shall be approved offline.
Note / *: most of the PayPass terminals will bypass the CDA if the transaction is declined or sent online, see the transaction flow in technical specifications.

Test Case name

TC002 - Regression – CDA

The Test Case is as follows: TCxyy - [Test category] - [Test title].

TCxyy uniquely identifies the Test Case. It follows the below rules:

TC0yy: Common PayPass M/Chip Test Cases
TC2yy: MasterCard PayPass M/Chip Test Cases
TC4yy: Maestro PayPass M/Chip Test Cases
TC6yy: PayPass Mag Stripe Test Cases

[Test category] can be the following:

"Regression": major Level2 tests that are re-performed during (M-)TIP to ensure no regression occurs when integrating the product in the live environment.
"Interoperability": these tests are basic tests that are re-performed during (M-)TIP because they often led to interoperability issues.
"Integration": those tests ensure the PayPass terminal complies with the MasterCard requirements defined in [AcqGuide2008].

Objective

Objective / To ensure that the PayPass terminal performs CDA correctly.

This is a short description of the objective of the test.

Applicability Conditions

Applicability Conditions / Terminal supports CDA

This gives the conditions for the test to be applicable.

Reference Documentation

Reference Documentation / [AcqGuide2008]:Section “2.4.5 Offline Data Authentication Requirements” p2-11

This makes a reference to the related requirement in the specifications.

Test Conditions

Test Conditions / The transaction amount must be below the Contactless transaction limit.
The AIP byte 1 indicates that CDA is supported.
Data returned by card is such as the transaction can be approved offline*.

This lists all the conditions required for testing the objective.

Note: the test conditions often assume that the reader supports the "Contactless transaction limit". If not, it is obvious that the related condition shall be disregarded.

Pass Criteria

Pass Criteria / The terminal shall send request a TC with CDA (‘50’) in the generate AC.
Transaction shall be approved offline.

This lists the conditions required in order to pass the test.

Note

Note / *: most of the PayPass terminals will bypass the CDA if the transaction is declined or sent online, see the transaction flow in technical specifications.

Some Test Cases include a note in order to clarify some test details.

3.2Common PayPass M/Chip Test Cases

The test cases described in this section apply to terminals that accept either MasterCard PayPassor Maestro PayPass.

TC001 - Regression – card does not support any ODA
Objective / To ensure the PayPass terminal correctly behaves when the card does not support any offline data authentication method.
Applicability Conditions / Always applicable
Reference Documentation / [AcqGuide2008]:Regression test – no specific reference
Other:[PayPass2.x] section “4.3.6 Offline Data Authentication”
Test Conditions / The transaction amount must be below the Contactless transaction limit.
The AIP byte 1 indicates that SDA, DDA and CDA are NOT supported.
Tests are run for MasterCard and Maestro applications, unless not applicable:
Case 01: amount is below the floor limit (and terminal is online capable)*
Case 02: amount is above the floor limit
Case 03: terminal is offline-only
Pass Criteria / The terminal will set the TVR byte 1 bit 8 (offline data authentication not performed).
Cases 01 & 02: Online capable terminals shall request an ARQC as per TAC settings, even if the amount is below the floor limit.
Case 03: Offline-only terminals will decline the transaction offline as per TAC settings. The terminal must not fallback to a contact or swipe transaction since the PayPass reader requested a card decline (see [AcqGuide2008] sections 2.4.10.3 and 2.6).
Note / *: if the CVM limit is lower than the floor limit and if both the card and the terminal support OnlinePIN, the amount should be below the CVM limit in order to not set the TVR B3b3 (“OnlinePIN entered”).
TC002 - Regression – CDA
Objective / To ensure that the PayPass terminal performs CDA correctly.
Applicability Conditions / Terminal supports CDA
Reference Documentation / [AcqGuide2008]:Section “2.4.5 Offline Data Authentication Requirements” p2-11
Test Conditions / The transaction amount must be below the Contactless transaction limit.
The AIP byte 1 indicates that CDA is supported.
Data returned by card is such as the transaction can be approved offline*.
Tests are run for MasterCard and Maestro applications, unless not applicable.
Pass Criteria / TVR byte 1 bit 8 is not set (offline data authentication was performed).
The terminal shall request a TC with CDA (‘50’) in the generate AC.
Transaction shall be approved offline.
Note / *: most of the PayPass terminals will bypass the CDA if the transaction is declined or sent online, see the transaction flow in technical specifications.
TC003 - Regression – different CA key lengths
Objective / To ensure the PayPass terminal correctly supports different certification authority public key lengths.
Applicability Conditions / Terminal supports SDA or CDA
Reference Documentation / [AcqGuide2008]:Regression test – no specific reference
Other:[PayPass2.x] sections “4.3.13 Retrieve ICC key and Verify SDAD” and “4.3.14 Static Data Authentication”
Test Conditions / The transaction amount must be below the Contactless transaction limit.
The AIP byte 1 indicates that SDA or/and CDA is supported.
Data returned by card is such as the transaction can be approved offline*.