
PayPass MChip Requirements 2013 PDF

Uploaded by

rodonet

PayPass—M/Chip

Requirements
3 July 2013
Notices
Following are policies pertaining to proprietary rights, trademarks, translations, and details about
the availability of additional information online.

Proprietary Rights

The information contained in this document is proprietary and confidential to MasterCard International
Incorporated, one or more of its affiliated entities (collectively “MasterCard”), or both.
This material may not be duplicated, published, or disclosed, in whole or in part, without the prior
written permission of MasterCard.
Trademarks

Trademark notices and symbols used in this document reflect the registration status of MasterCard
trademarks in the United States. Please consult with the Customer Operations Services team or the
MasterCard Law Department for the registration status of particular product, program, or service names
outside the United States.
All third-party product and service names are trademarks or registered trademarks of their respective
owners.
Disclaimer

MasterCard makes no representations or warranties of any kind, express or implied, with respect to
the contents of this document. Without limitation, MasterCard specifically disclaims all representations
and warranties with respect to this document and any intellectual property rights subsisting therein or
any part thereof, including but not limited to any and all implied warranties of title, non-infringement,
or suitability for any purpose (whether or not MasterCard has been advised, has reason to know, or is
otherwise in fact aware of any information) or achievement of any particular result. Without limitation,
MasterCard specifically disclaims all representations and warranties that any practice or implementation of
this document will not infringe any third party patents, copyrights, trade secrets or other rights.
Translation

A translation of any MasterCard manual, bulletin, release, or other MasterCard document into a language
other than English is intended solely as a convenience to MasterCard customers. MasterCard provides any
translated document to its customers “AS IS” and makes no representations or warranties of any kind
with respect to the translated document, including, but not limited to, its accuracy or reliability. In no
event shall MasterCard be liable for any damages resulting from reliance on any translated document.
The English version of any MasterCard document will take precedence over any translated version in
any legal proceeding.
Information Available Online

MasterCard provides details about the standards used for this document—including times expressed,
language use, and contact information—on the Publications Support page available on MasterCard
Connect™. Go to Publications Support for centralized information.

©2013 MasterCard. Proprietary. All rights reserved.

3 July 2013 • PayPass—M/Chip Requirements


Table of Contents

Chapter 1 Using This Manual
    Purpose
    Scope
    Audience
    Overview
    Language Use
    Requirements and Best Practices
    Terminology
    Reference Information
    Conventions

Chapter 2 PayPass Introduction
    Introduction
    Participation
    PayPass Operating Modes
    PayPass Cards
    PayPass Transaction Types
    PayPass Acceptance
    PayPass Transaction Flow
    Other Transaction Environments

Chapter 3 Issuer Requirements
    General Requirements
    Card Requirements
        Card Delivery
    Issuer Host Requirements
    Clearing Requirements
    Chargeback and Exception Processing

Chapter 4 Acquirer Requirements
    General Requirements
    Terminals
    Offline Card Authentication
    Cardholder Verification
    Terminal Risk Management
    Terminal Action Codes
    Authorization Responses
    Cardholder Receipts
    Subsequent Contact Transactions
    Terminated Transactions
    Cardholder Activated Terminals
    Automated Teller Machines
    Vending Machines
    Acquirer Network Requirements
    Authorization Requirements
    Clearing Requirements
    Exception Processing
    On-behalf Services

Chapter 5 Data Requirements
    Terminal Action Codes
    Payment Scheme Specific Data Objects
        Third Party Data
        Application Capabilities Information

Chapter 6 Abbreviations
    Abbreviations

Chapter 1 Using This Manual
This section provides information on the purpose, overview, reference information, and
conventions used.


Purpose
This document provides the MasterCard requirements and best practices
for issuers and acquirers when using contactless chip technology with their
MasterCard M/Chip™ products.

It contains the requirements relating to MasterCard®, Debit MasterCard and
Maestro® PayPass™ card programs, and the requirements for performing
contactless payment transactions at attended Point of Sale (POS) terminals,
ATMs and Cardholder Activated Terminals (CAT).

This document does not provide an introduction to PayPass or explanation as
to how PayPass works, nor does it duplicate or reproduce existing standards
such as EMV or the existing MasterCard requirements for other technologies.

The purpose of the manual is to:

• Define the PayPass requirements that MasterCard has established for use
with MasterCard brands
• Propose recommendations that constitute best practices for PayPass
implementations
• Define when and how the functions must be used as a requirement or
should be used as a best practice

Scope
This document does not discuss general brand rules or requirements, except to
explain how certain rules are implemented in PayPass.

In general, the brand rules continue to apply to PayPass transactions except
when modified for PayPass and as explained in this document. For example,
chargeback rights are the same for PayPass except in connection with the
chargeback protection limits described here. For full details of the rules and
requirements for specific card brands, refer to the relevant brand-specific
documentation on MasterCard OnLine (see the Reference Information below).

These requirements have been written for PayPass—M/Chip so also cover the
PayPass—Mag Stripe requirements.

This document does not introduce new technical requirements that are not
already included in the existing card and reader specifications. The following
products, services, or environments are not in the scope of this document
because they are already addressed in other dedicated documents:

• Card Application Specifications (for example, M/Chip Advance,
PayPass—M/Chip 4)
• Terminal and reader specifications
• EMV contact chip card interface and transactions (for example, M/Chip
Requirements)
• Personalization Data
• Data Storage applications used with PayPass
• MasterCard Cash

Audience
This document is intended for use by MasterCard customers and product
vendors involved in PayPass implementation projects who already have a
general understanding of how the contactless chip product works.

The target audience includes:

• Staff working on PayPass—M/Chip implementation projects
• Operations staff who need to understand the impact of PayPass on their
activities

Overview
This document supports issuers and acquirers implementing PayPass—M/Chip.
It details the requirements and best practices for effective deployment of
PayPass solutions.

The following table provides an overview of the chapters in this manual:

Chapter                          Description

Chapter 1: Using this Manual     This chapter contains information that helps you understand
                                 and use this document.
Chapter 2: Introduction          This chapter introduces the basic principles of PayPass.
Chapter 3: Issuer Requirements   This chapter details the requirements from an issuer
                                 perspective including requirements for configuring cards
                                 and devices.
Chapter 4: Acquirer Requirements This chapter details the requirements from an acquirer
                                 perspective including requirements for terminals and
                                 networks.
Chapter 5: Data Requirements     This chapter lists values of certain data elements that are
                                 not defined in other documents (for example, the PayPass
                                 Personalization Data Specifications).

Language Use
The spelling of English words in this manual follows the convention used for
U.S. English as defined in Webster’s New Collegiate Dictionary.

An exception to the above concerns the spelling of proper nouns. In this case,
we use the local English spelling.

Requirements are documented using the following definitions:

• Must—indicates a mandatory requirement
• Should—indicates a recommendation or best practice
• May—defines a product or system capability that is optional or a statement
that is informative only

Requirements and Best Practices


Requirements, as identified in this document, are functional elements
which must be implemented as stated in the text to achieve the required
level of acceptance for MasterCard or Maestro branded PayPass cards on
PayPass-enabled terminals.

Requirements are always expressed using the word must. Requirements are
contained in tables and are indicated by a capital R in the left column.

Best practices are MasterCard recommendations for the best ways to implement
different options. If customers choose not to follow them, their PayPass
implementation will still work but may not be as effective or efficient as it
could be.

Best practices are written using the word should. Best practices are formatted
in the same way as requirements but are preceded by the letters BP.

Requirements and best practices include an indication of whether they apply to
all products or just to the MasterCard or Maestro brand.

R    All    Requirement applies to all PayPass cards or terminals.
R    MC     Requirement applies to MasterCard branded PayPass cards or terminals.
R    MS     Requirement applies to Maestro branded PayPass cards or terminals.

Terminology
PayPass Cards and Devices

PayPass devices can be issued in form factors other than that of a traditional
payment card, for example: mobile phones, key fobs, watches. Throughout
this document a reference to PayPass cards includes other devices unless
specifically excluded.

A dual interface card refers to a chip card that can perform both EMV contact
and contactless chip transactions.

A hybrid card refers to a card that has a magnetic stripe and a chip with a
contact interface. The chip carries an EMV payment application that supports
the same payment product that is encoded on the magnetic stripe.

PayPass Terminals and Readers

Functionality for the acceptance of PayPass cards may be provided by the
PayPass reader or by the accompanying POS terminal. Throughout this
document a reference to a PayPass terminal includes both the reader and
terminal functionality and unless specifically stated does not imply the function
should be in a specific part of the terminal system.

A hybrid terminal refers to a payment device that can accept transactions using
both contact chip and magnetic stripe technologies.

Magnetic Stripe Grade Issuers

Magnetic stripe grade issuers receive additional information produced during
a chip transaction, but do not process it. If the magnetic stripe grade issuer
uses the Chip Conversion service, the issuer does not receive the additional
information.

On Device Cardholder Verification

Devices such as a mobile phone may allow the cardholder to verify themselves
to the device, for example by entering a PIN, either before or during a PayPass
transaction. When required, the device confirms to the terminal that cardholder
verification has been performed during the transaction processing. This is
known as On Device Cardholder Verification but is also referred to as "mobile
PIN" or "mPIN".

Reference Information
The following references are used in, or are relevant to, this document. The
latest version applies unless a publication date is explicitly stated.

• Chargeback Guide
• M/Chip Card Personalization Standard Profiles (Including PayPass)
• M/Chip Requirements
• MasterCard Contactless ATM Implementation Requirements
• Maestro Global Rules
• Maestro PayPass Branding Standards
• MasterCard PayPass Branding Standards
• MasterCard Rules
• PayPass—Mag Stripe Acquirer Implementation Requirements
• PayPass On-behalf Services Guide
• PayPass Personalization Data Specification
• M/Chip Advance Personalization Data Specifications
• PayPass Vendor Product Approval Process Guide (Cards and Devices)
• PayPass Vendor Product Approval Process Guide (Terminals)
• Mobile PayPass Issuer Implementation Guide
• PayPass—M/Chip Issuer Guide
• PayPass Mag Stripe Issuer Implementation Requirements
• Security Rules and Procedures

Conventions
A generic reference to PayPass includes all applicable products. The term
MasterCard PayPass or Maestro PayPass is used to identify specific product
requirements.

A reference to the MasterCard product or MasterCard brand includes MasterCard
and Debit MasterCard® unless specifically addressed.

MasterCard brands refers to MasterCard and Maestro products.

Values expressed in hexadecimal form ('0' to '9' and 'A' to 'F') are enclosed
in single quotes. For example, a hexadecimal value of ABCD is indicated as
'ABCD'.

Values expressed in binary form are followed by a lower case b. For example,
1001b.

EMV Card commands are indicated in bold capitals, for example, GENERATE AC.

Specific byte/bit references within a data object are included in square brackets.
For example, [1][3] means the third bit of the first byte of the given data object.

©2013 MasterCard. Proprietary. All rights reserved.


1-6 3 July 2013 • PayPass—M/Chip Requirements
Chapter 2 PayPass Introduction
This section provides information on PayPass participation, transaction types, and
transaction flows.

Introduction
PayPass is the proximity payments program from MasterCard Worldwide.

It allows cardholders to make payments without having to hand over, dip or
swipe a payment card. To make a payment, the cardholder simply taps their
PayPass card onto a PayPass terminal. The details are read from the card over
a contactless interface using radio frequency communications and a payment
transaction is performed over the existing MasterCard payment networks and
infrastructure.

Primary characteristics of PayPass transactions are speed and convenience for
merchants and cardholders.

PayPass is supported on the MasterCard and Maestro brands. The PayPass
contactless functionality can be used at any merchant location that has PayPass
terminals and accepts the underlying payment brand. The merchant segments
where PayPass is expected to be most attractive include those environments
with high transaction volumes and where fast transaction times are important.
PayPass contactless functionality can also be used at ATMs.

Participation
To issue PayPass cards or acquire PayPass transactions customers must enroll
in the PayPass program.

Vendors are required to obtain a license agreement before developing and
selling PayPass cards and devices.

All cards, devices and readers used for performing PayPass transactions must
have been approved and licensed by MasterCard. Customers must only
purchase and deploy cards and terminals from properly licensed vendors.
Detailed information about the type approval process can be found in the
PayPass Vendor Product Approval Process Guide (Cards and Devices) and the
PayPass Vendor Product Approval Process Guide (Terminals) documents.

Issuers and acquirers must start a project with the relevant MasterCard project
team in order to define and complete various certification steps that are required.
Unless otherwise stated within the Project Implementation Plan issuers will
complete Issuer NIV, CPV and Issuer End-to-end Demonstration and acquirers
will complete Acquirer NIV, TIP and Acquirer End-to-end Demonstration.

Questions about the enrollment or license process should be directed to
[email protected].

PayPass Operating Modes


PayPass supports two modes of operation:

• PayPass—Mag Stripe mode
• PayPass—M/Chip mode

PayPass—Mag Stripe transactions are authorized online by the issuer, either
in real-time or deferred. PayPass—Mag Stripe is designed for contactless
payments using authorization networks that currently support only magnetic
stripe authorization for MasterCard cards.

PayPass—M/Chip transactions use transaction logic similar to EMV contact
chip. They may require online authorization but may be approved offline by
the card and terminal. The PayPass—M/Chip mode is designed for contactless
payments in markets that have migrated to chip technology for EMV contact
payments.

All MasterCard PayPass cards and terminals support PayPass—Mag Stripe
mode. Cards and terminals may also support PayPass—M/Chip mode.

Maestro PayPass cards and terminals are configured to support
PayPass—M/Chip mode for the Maestro product.

PayPass Cards
PayPass functionality may be:

• Included in a standard ISO 7816 ID-1 card
• Issued in another form factor, such as a mobile phone or key fob

All PayPass cardholder devices, not just cards, are valid for acceptance at
PayPass terminals.

PayPass Transaction Types


Different transaction types are available for PayPass.

PayPass issuers and acquirers must support purchase transactions. Refunds
must be supported by issuers and acquirers for PayPass although they may not
be available at every PayPass terminal.

PayPass data should only be used for card present transactions. Electronic
commerce or Mail Order/Telephone Order transactions should not be
performed with PayPass data read through the contactless interface.

Purchase with Cash Back is not supported on Maestro PayPass.

The contactless interface may be used for MasterCard Purchase with Cash Back
transactions based on the existing product rules. Cardholder verification is
always required for Purchase with Cash Back transactions.

MasterCard PayPass must not be used for Unique Transactions, as defined in
the MasterCard Rules.

Maestro PayPass must not be used for POS Unique Transactions, as defined
in the Maestro Global Rules.

PayPass Acceptance
PayPass cards may be accepted at attended and unattended POS terminals.
PayPass cards may be used at ATMs.

Card Checking

PayPass transactions are carried out by the cardholder; therefore, the card does
not need to be given to the merchant. Since the PayPass card may remain in
the hands of the cardholder, the merchant is exempt from the visual inspection
requirement to determine if the PayPass card is valid. The card only needs
to be given to the merchant after the contactless interaction is complete if
signature verification is to be performed.

Transaction Amount

The transaction amount is usually known before the PayPass transaction is
initiated to ensure fast processing of PayPass transactions. The amount should
be displayed to the cardholder.

If the transaction amount exceeds the maximum amount for PayPass
transactions, for the product or terminal, the terminal or merchant should
prompt the cardholder to use a different technology to complete the transaction
(for example an EMV contact chip transaction). This ensures cardholders are not
denied service when they have a valid MasterCard product for the transaction.

Limits

For MasterCard PayPass, a Chargeback Protection Amount is published in the
Chargeback Guide. Transactions equal to or less than this limit do not need
cardholder verification. A receipt does not need to be routinely issued for
these transactions.

In some specific markets, a maximum transaction amount may be published for
MasterCard PayPass.

For Maestro PayPass, a Ceiling Limit is published in the Maestro Global
Rules. Transactions are not allowed above this limit, except in certain markets
specified by MasterCard where transactions are permitted with Online PIN or
On Device Cardholder Verification. In these situations, the published ceiling
limit effectively becomes the chargeback protection amount.

The term chargeback protection amount is used generically in later sections to
refer to both the MasterCard chargeback protection amount and the Maestro
limit above which cardholder verification is required.

Floor limits for PayPass are as for EMV contact chip (for PayPass—M/Chip) or
magnetic stripe (for PayPass—Mag Stripe) transactions. The floor limit may
vary per market.

Fallback

If the contactless technology fails, the transaction may be completed by any
other technology available. A subsequent transaction is not considered a
technical fallback transaction.

PayPass Transaction Flow


Several steps are involved in the PayPass transaction.

Technology Selection

The cardholder decides whether to use PayPass or an alternative interface on
the card. PayPass technology is used for the transaction when the PayPass card
is presented by the cardholder to the PayPass reader.

If the selected card application and the terminal both support PayPass—M/Chip
mode, then it is automatically used by the terminal to complete the transaction.
Otherwise, PayPass—Mag Stripe mode is used.

Application Selection

If the cardholder has chosen to pay by PayPass, the terminal attempts to find
an application via the contactless interface to complete the transaction.

When the terminal detects more than one application that it supports on the
PayPass card, the terminal automatically selects the application with the highest
priority set by the issuer. Interactive cardholder selection or confirmation is not
supported for PayPass to improve the transaction speed.

If there are no available applications, given any relevant transaction limits, then
the PayPass transaction cannot proceed.

For MasterCard products, the same Application Identifiers (AID) are used
for PayPass transactions as for EMV contact chip transactions. There are no
PayPass specific AIDs.
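
The selection rule described above, shown as an added example that is not part of the MasterCard document: a terminal parses the card's directory of applications, keeps the ones it supports, and picks the entry with the highest issuer-assigned priority. The tag numbers, the PPSE layout, the two AID values and the tie-break rule are assumptions taken from public EMV material; the function names are hypothetical and the sample card data is constructed.

```python
# Added example: contactless application selection by issuer-assigned priority.
# Assumption: tag numbers and PPSE layout are taken from the public EMV
# specifications, not from this document. All sample data is constructed.
FCI_PATH = (0x6F, 0xA5, 0xBF0C)  # FCI template > proprietary template > issuer data
TAG_ENTRY, TAG_AID, TAG_LABEL, TAG_PRIORITY = 0x61, 0x4F, 0x50, 0x87
MASTERCARD_AID = bytes.fromhex("A0000000041010")
MAESTRO_AID = bytes.fromhex("A0000000043060")


def parse_tlv(data):
    """Parse BER-TLV bytes into a list of (tag, value); raise ValueError if malformed."""
    items, i = [], 0
    while i < len(data):
        if data[i] == 0x00:                  # padding between objects
            i += 1
            continue
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:               # tag number continues in following bytes
            while True:
                if i >= len(data):
                    raise ValueError("truncated tag")
                tag = (tag << 8) | data[i]
                i += 1
                if not tag & 0x80:           # last tag byte has bit 8 clear
                    break
        if i >= len(data):
            raise ValueError("missing length")
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: low 7 bits count the length bytes
            n = length & 0x7F
            if n == 0 or n > 2 or i + n > len(data):
                raise ValueError("unsupported or truncated length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("value runs past end of buffer")
        items.append((tag, data[i:i + length]))
        i += length
    return items


def select_application(ppse_fci, terminal_aids):
    """Return the supported directory entry with the highest priority, or None."""
    node = ppse_fci
    for tag in FCI_PATH:                     # descend to the directory entries
        children = dict(parse_tlv(node))
        if tag not in children:
            raise ValueError("tag %X missing from PPSE response" % tag)
        node = children[tag]
    candidates = []
    for order, (tag, value) in enumerate(parse_tlv(node)):
        if tag != TAG_ENTRY:
            continue
        fields = dict(parse_tlv(value))
        aid = fields.get(TAG_AID, b"")
        if not 5 <= len(aid) <= 16:
            continue                         # malformed entry: ignore rather than abort
        if not any(aid.startswith(t) for t in terminal_aids):
            continue                         # terminal does not support this application
        prio = (fields.get(TAG_PRIORITY) or b"\x00")[0] & 0x0F
        label = fields.get(TAG_LABEL, b"").decode("ascii", "replace")
        # Priority 1 is highest; 0 or absent sorts last. Ties keep card order
        # (assumption based on EMV entry point behaviour, not on this document).
        candidates.append((prio or 16, order, aid, label))
    if not candidates:
        return None                          # no available application: cannot proceed
    prio, _, aid, label = min(candidates)
    return {"aid": aid.hex().upper(), "label": label, "priority": prio % 16}


def tlv(tag, value):
    """Encode one TLV object (short-form length only; enough for the sample)."""
    if len(value) > 0x7F:
        raise ValueError("sample encoder handles short lengths only")
    return tag.to_bytes((tag.bit_length() + 7) // 8, "big") + bytes([len(value)]) + value


def sample_ppse_fci():
    """Constructed PPSE response: unknown AID (priority 1), Maestro (2), MasterCard (1)."""
    unknown = bytes.fromhex("F0010203040506")   # constructed, unregistered AID
    entries = (
        tlv(TAG_ENTRY, tlv(TAG_AID, unknown) + tlv(TAG_PRIORITY, b"\x01"))
        + tlv(TAG_ENTRY, tlv(TAG_AID, MAESTRO_AID) + tlv(TAG_LABEL, b"Maestro")
              + tlv(TAG_PRIORITY, b"\x02"))
        + tlv(TAG_ENTRY, tlv(TAG_AID, MASTERCARD_AID) + tlv(TAG_LABEL, b"MasterCard")
              + tlv(TAG_PRIORITY, b"\x01"))
    )
    return tlv(0x6F, tlv(0x84, b"2PAY.SYS.DDF01") + tlv(0xA5, tlv(0xBF0C, entries)))


if __name__ == "__main__":
    print(select_application(sample_ppse_fci(), [MASTERCARD_AID, MAESTRO_AID]))
```

The unsupported entry is ignored even though it claims priority 1, and a truncated response raises an error instead of yielding a partial candidate list.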

Card Authentication

For all PayPass transactions the card being used is authenticated. For
PayPass—M/Chip transactions the card can be authenticated:

• Offline by the terminal

OR

• Online by the issuer

All offline approved Maestro PayPass transactions must be authenticated by
the terminal using CDA.

All offline MasterCard PayPass—M/Chip transactions must be authenticated
by the terminal using either:

• CDA

OR

• SDA (see footnote 1)

While older cards may support SDA, the only offline card authentication
method allowed for new cards is CDA. All PayPass—M/Chip terminals support
CDA. PayPass does not support DDA.

For online PayPass—M/Chip transactions the issuer should perform online
authentication by verifying the application cryptogram received in the online
authorization.

PayPass—Mag Stripe transactions are authorized online by the issuer, either
in real time or deferred. The PayPass card produces a unique
password, referred to as dynamic CVC3, for each transaction. The value is
placed by the terminal in issuer defined positions within the existing track
data fields; therefore, no extra data needs to be transmitted. The issuer should
perform online authentication by verifying the dynamic CVC3 received in the
online authorization.

If PayPass—Mag Stripe profile transactions are not authorized by the issuer,
then the merchant may be liable for any disputed transactions.

Offline-only terminals may be configured to:

• decline transactions performed with PayPass—Mag Stripe cards.
• allow transactions where an ARQC is provided by the PayPass—M/Chip
card.

1. SDA authenticates the card, but not the transaction data. New PayPass cards cannot be issued supporting
SDA. Newly deployed PayPass terminals do not support SDA, and are not configured to support SDA.


Cardholder Verification

PayPass transactions for amounts less than or equal to the chargeback
protection amount do not require cardholder verification.

For transaction amounts above the chargeback protection amount, cardholder
verification is required or the acquirer may be liable for disputed transactions.

For MasterCard PayPass, acceptable cardholder verification methods are:

• Online PIN
• Signature
• On Device Cardholder Verification

For Maestro PayPass, acceptable cardholder verification methods are:

• Online PIN
• On Device Cardholder Verification

PayPass does not support offline PIN.

For PayPass—Mag Stripe transactions, the CVM is determined by the terminal.
This can be done in a similar way to swiped magnetic stripe transactions,
based on the methods supported by the terminal. The terminal is not required
to follow issuer instructions contained in the Service Code encoded in the
magnetic stripe data. The device notifies the terminal if On Device Cardholder
Verification is supported, in which case this method is used if supported by the
terminal and cardholder verification is required.

For PayPass—M/Chip transactions, the CVM is determined by the PayPass
reader application in the terminal, based on the CVM List or other information
contained in the card. The actual CVM is completed after the interaction with
the card is complete, except for On Device Cardholder Verification which is
completed before the interaction begins.

Card Risk Management

The card risk management performed is at the discretion of the issuer.

Online/Offline Authorization

PayPass—M/Chip transactions may be authorized offline by the PayPass card
or the card may request online authorization by the issuer.

PayPass—Mag Stripe transactions are usually authorized online by the issuer.
If PayPass—Mag Stripe transactions are not authorized online, then the acquirer
may be liable for any disputed transactions.

If online PIN has been identified as the cardholder verification method for the
transaction, the PIN is verified as part of the online authorization request.


End of Transaction

A PayPass—M/Chip terminal ends the interaction with the card once the
response to the first GENERATE AC command is received by the terminal. A
PayPass—Mag Stripe terminal ends the interaction with the card once the
response to the COMPUTE CRYPTOGRAPHIC CHECKSUM command is received
by the terminal. This is not the end of the PayPass transaction.

The PayPass terminal completes the transaction based on:

• An offline approval or decline response from the card for PayPass—M/Chip
transactions.

OR

• An online authorization response (approve or decline) when requested for
PayPass—M/Chip or PayPass—Mag Stripe transactions

When the printing of a receipt is supported by the point of sale, for PayPass
transactions less than or equal to the chargeback protection amount, a receipt
must be available if requested by the cardholder. A receipt must be provided
for transactions above the chargeback protection amount if the terminal is
capable of producing a receipt. See MasterCard Rules and Maestro Global
Rules for exemptions.

Neither Issuer Authentication Data nor issuer scripts are returned to the card
during a PayPass—M/Chip transaction.

Other Transaction Environments


There are additional transaction types and environments in which PayPass
cards may or may not be used.

Cardholder Activated Terminals

MasterCard defines several types of cardholder activated terminals (CATs).
PayPass may be used at CAT Level 1, 2, 3 and 4 terminals (see the Chargeback
Guide for full definitions).

As CAT Level 1 terminals require PIN based cardholder verification, only
PayPass cards that support online PIN or On Device Cardholder Verification
may be used at these terminals.

Automated Teller Machines

PayPass contactless functionality can also be used at ATMs.

Chapter 3 Issuer Requirements
This section includes information on requirements for the issuer.

General Requirements
Card Requirements
Card Delivery
Issuer Host Requirements
Clearing Requirements
Chargeback and Exception Processing


General Requirements
PayPass Enrollment

For issuers wishing to participate in the PayPass program, completion of the
PayPass Program Enrollment Form is mandatory. Once enrolled, issuers receive
access to the relevant technical documents.

R ALL All customers who wish to issue PayPass must enroll in the PayPass
program.

Card Requirements
Various requirements and best practices exist for the PayPass card.

Approvals and Testing

All PayPass cards issued are required by MasterCard to have MasterCard vendor
product approval. It is the issuer's responsibility to confirm all products have
received this approval. A full PayPass card Letter of Approval is only granted to
a card when it has successfully completed all of the following:

• Interface and Application Testing
• Compliance Assessment and Security Testing
• Card Quality Management

When ordering cards from a card manufacturer, the issuer must ensure that the
card manufacturer has a current PayPass Letter of Approval for the product
being purchased. The Letter of Approval is valid for the duration of the time
the cards are held in stock prior to being issued.

All PayPass products must have a valid PayPass Letter of Approval at the time
the product is issued.

R ALL Issuers must ensure that all PayPass cards are covered by a valid Letter
of Approval at the time they are issued.

Branding, Appearance and Physical Requirements

For the brand standards and design elements required for PayPass cards, please
refer to the MasterCard PayPass Branding Standards and the Maestro PayPass
Branding Standards. Issuers must obtain approval from MasterCard Card
Design Management for their PayPass card design, even if a similar design has
already been approved for use on a non-PayPass card.

R ALL Cards must comply with the PayPass branding requirements.


PayPass Cards

If PayPass—M/Chip is implemented on an ISO 7816 compliant ID-1 plastic card
then the card must support both magnetic stripe and an EMV contact chip.

R ALL PayPass—M/Chip cards that are ISO 7816 compliant must be hybrid
cards supporting both magnetic stripe and EMV contact chip.

A MasterCard PayPass card that supports EMV contact chip transactions on the
contact interface normally also supports PayPass—M/Chip.

BP MC An EMV contact chip capable MasterCard branded PayPass card should
support PayPass—M/Chip.

Non-card Devices

PayPass functionality can be present in form factors other than traditional
payment cards. Examples of different forms are:

• Mobile phones
• Key fobs
• Watches

All PayPass non-card devices conduct PayPass transactions in the same way
as PayPass cards. They may support special functionality, such as On Device
Cardholder Verification.

When PayPass—M/Chip cards use offline risk management features, an
interaction with the card is required to manage the offline risk management
counters. This cannot be performed in a normal PayPass payment transaction
since response data from the issuer is not returned to the card. This interaction
may be achieved:

• By performing a transaction through the EMV contact chip interface of a
hybrid card
• By over-the-air messages, for example to a mobile phone
• Through the contactless interface in a special terminal designed for this
purpose, if supported by the cardholder device.

PayPass cards which support offline transactions must be able to support
the management of the offline risk management counters. PayPass—M/Chip
non-card devices that cannot support the management of the offline risk
management counters must be configured as online only.

All PayPass non-card device programs must be approved by MasterCard.


The MasterCard PayPass device given to the cardholder can be linked to a
MasterCard card account assigned to that same cardholder accessed by a
standard MasterCard card. This card does not have to be a PayPass card. The
expiration date of the PayPass device must not be later than the card that it is
linked to. If the MasterCard card is cancelled, the issuer must simultaneously
cancel the companion PayPass device.

It is not necessary for the PayPass device to display an account number. As
a result, a non-card form factor that is issued without a companion card may
be limited in use. Issuers must highlight this to the account holder at the time
of issuance.

Devices other than mobile phones should accommodate a signature panel
where possible. Those devices that cannot accommodate a signature panel
should contain a customization area or unique identification number. A
minimal space on small form factors is sufficient to provide cardholders with
an opportunity to customize the device with their initials or another mark to
identify it as belonging to them.

R ALL All PayPass non-card device programs must be approved in advance
by MasterCard.
R ALL If linked to a card, the expiration date of the PayPass device must not
exceed the expiration date of the card to which it is linked.
R ALL If linked to a card, the PayPass device must be cancelled if the card
is cancelled.
BP ALL The PayPass device, other than a mobile phone, should accommodate
a signature panel.
R ALL PayPass—M/Chip non-card devices that do not provide a mechanism
to reset offline risk management counters must be configured as online
only.
R ALL PayPass—M/Chip non-card devices must be issued with clear
instructions for the account holder regarding the limitations of their use.

Card Application

PayPass—M/Chip must be implemented using approved applications. Examples
are:

• M/Chip Advance
• PayPass—M/Chip 4
• Mobile PayPass
• PayPass—M/Chip Flex

R ALL All PayPass—M/Chip cards must use approved applications.


Support of PayPass—M/Chip and PayPass—Mag Stripe

A PayPass card using the MasterCard brand:

• Must support PayPass—Mag Stripe transactions (unless for domestic use
only)
• May support PayPass—M/Chip transactions

R MC A MasterCard PayPass card that is not exclusively for domestic use
must support PayPass—Mag Stripe transactions.

A PayPass card using the Maestro brand:

• Must support PayPass—M/Chip transactions
• Must not support PayPass—Mag Stripe transactions for Maestro

R MS A Maestro PayPass card must support PayPass—M/Chip transactions.
R MS Unless explicitly allowed in the Maestro Global Rules, a Maestro
PayPass card must not support PayPass—Mag Stripe transactions.

PayPass technology may not currently be used on MasterCard Fleet or MultiCard
products as data positions required by PayPass are already used in the product
personalization requirements of these products.

R MC MasterCard Fleet or MultiCard products must not support contactless
transactions.

ATM

The CVM used for ATM transactions is online PIN.

Issuers should support ATM transactions on the contactless interface.

Because not all ATMs validate the settings of the card, issuers should be aware
that they may receive transactions from ATMs even if:

• support for ATM is not indicated in the Application Usage Control
• support for online PIN is not included in the CVM list

BP ALL The Application Usage Control should indicate support for ATM
transactions.

Online and Offline Capability

PayPass—Mag Stripe transactions are always authorized online, either in
real-time or deferred. The card has no input into the decision to seek
authorization.


In PayPass—M/Chip cards the transaction counters and decision making
capability of the chip are used to control risk. To support fast transactions, it is
recommended that PayPass—M/Chip cards be configured to support offline
transaction approval.

As some terminals operate exclusively online, PayPass—M/Chip cards should
be configured to support online transaction approval.

PayPass—M/Chip cards issued in the U.S. region must be configured to support
both online and offline transaction approval.

To meet special market requirements MasterCard may approve cards that are
exclusively online or exclusively offline; however, issuers should be aware that
these cards do not work in some terminals.

R ALL PayPass—M/Chip cards issued in the U.S. region must be configured
to support both online and offline transaction approval.
BP ALL PayPass—M/Chip cards should be configured to support offline
transaction approval. They should not be configured to be exclusively
online.
BP ALL PayPass—M/Chip cards should be configured to support online
transaction approval. They should not be configured to be exclusively
offline.

Service Codes

A value for the service code may be found several times on a PayPass—M/Chip
card. For example:

• on the magnetic stripe of the card in both Track 1 and Track 2
• Track 1 Data (tag '56') and Track 2 Data (tag '9F6B') accessed via the
contactless interface
• Track 2 Equivalent Data (tag '57') accessed via the contactless interface
• Track 2 Equivalent Data (tag '57') accessed via the EMV contact chip
interface

It is recommended that cards be personalized to use the service code
appropriate for the product. The service code values used in the PayPass
application should be consistent in each data object where the service code
appears. Although not recommended, PayPass issuers may choose to use
service code values in the PayPass application that differ from those used on
the magnetic stripe of the same card.

If the issuer does use a different service code value on the contactless interface,
the value may be acted on by some terminals. In particular, terminals that
process the service code may reject international cards that have a service code
value starting with '5' (National use only).


BP ALL Issuers should use a value of the service code appropriate for the
product.
BP ALL Issuers should use the same value of the service code each time the
service code is used.

Expiry Dates

The expiry date of the card should be consistent across all technologies
supported.

BP ALL The expiry date in the PayPass application should be consistent with
the expiry date of the card.

Purchase with Cash Back

Maestro cards must not support Purchase with Cash Back on the contactless
interface.

Debit MasterCard cards may support Purchase with Cash Back on the
contactless interface.

Purchase with Cash Back on the contactless interface may only be supported
by MasterCard credit cards in European markets.

Purchase with Cash Back transactions always require cardholder verification,
regardless of the amount.

R MS Maestro cards must not be configured to support Purchase with Cash
Back through the contactless interface.
R MC MasterCard credit cards issued outside the Europe region must not be
configured to support Purchase with Cash Back through the contactless
interface.


Application Selection

PayPass terminals normally perform application selection using the PPSE on
the card. All PayPass cards must contain a PPSE.

Issuers must use the Application Priority Indicator in the PPSE to show the
preferred sequence of choice of all PayPass applications on the card. Issuers
must set a different priority for each application. Cardholder confirmation must
not be requested.

The AID value used for PayPass is the same AID used for the EMV contact chip
interface. There are no specific AIDs for PayPass.

Supported AIDs are:

• MasterCard ‘A0000000041010’
• Maestro ‘A0000000043060’

Identification of PayPass cards uses the product AID without any extension, as
shown above. PIX extensions may be used by issuers and are considered as
a successful match by the terminal when partial AID matching is supported.
However, it is recommended not to use PIX extensions, as some legacy PayPass
terminals do not support partial AID matching.

If the same account is accessed through the contact and contactless interfaces,
the AID used on each interface might be different; the contact AID may contain
a PIX extension, but the contactless AID excludes this PIX extension.

The Application Label (tag '50') must be present in a PayPass card. This may
appear on any receipts.

A MasterCard card must be configured with an appropriate Application Label
such as MasterCard, MASTERCARD, Debit MasterCard or DEBIT MASTERCARD.

A Maestro card must be configured with an appropriate Application Label such
as Maestro or MAESTRO.

Issuers may personalize the Application Preferred Name (tag '9F12') and Issuer
Code Table Index (tag '9F11'). The Application Preferred Name may be used
on receipts instead of the Application Label if the terminal supports the code
table indicated.

R ALL All PayPass cards must contain a PPSE.
R ALL Issuers must set a unique value for the Application Priority Indicator in
the FCI of the PPSE for each contactless application on the card.
R ALL Issuers must not set the Cardholder Confirmation bit in the Application
Priority Indicator in the FCI of the PPSE.
R ALL Issuers must use the appropriate Application Label.
BP ALL PIX extensions should not be used in the AID for PayPass.
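
The selection rules in this section, as an added example (not MasterCard's or any terminal vendor's code): a terminal-side selection over PPSE directory entries with and without partial AID matching, plus an issuer-side check of the Application Priority Indicator requirements. The `DirectoryEntry` layout, the function names, the PIX extension `01` and the sample profiles are assumptions constructed for illustration; the bit layout of the Application Priority Indicator follows the EMV definition.

```python
from dataclasses import dataclass

# Product AIDs as listed on this page.
MASTERCARD_AID = "A0000000041010"
MAESTRO_AID = "A0000000043060"
PRODUCT_AIDS = (MASTERCARD_AID, MAESTRO_AID)


@dataclass(frozen=True)
class DirectoryEntry:
    """One application listed in the PPSE FCI (hypothetical in-memory form)."""
    aid: str    # ADF Name (tag '4F') as upper-case hex
    label: str  # Application Label (tag '50')
    api: int    # Application Priority Indicator (tag '87'), one byte

    @property
    def priority(self) -> int:
        # EMV: bits 4-1 hold the priority; 1 is highest, 0 means none assigned.
        return self.api & 0x0F

    @property
    def confirmation_required(self) -> bool:
        # EMV: bit 8 set means the application needs cardholder confirmation.
        return bool(self.api & 0x80)


def lint_ppse(entries):
    """Check a PPSE against the R/BP rows of this section; returns findings."""
    findings, seen = [], {}
    for e in entries:
        if e.confirmation_required:
            findings.append(f"R: {e.aid}: Cardholder Confirmation bit is set")
        if e.priority == 0:
            findings.append(f"R: {e.aid}: no priority assigned")
        elif e.priority in seen:
            findings.append(
                f"R: {e.aid}: priority {e.priority} also used by {seen[e.priority]}")
        else:
            seen[e.priority] = e.aid
        if not e.label:
            findings.append(f"R: {e.aid}: Application Label missing")
        for base in PRODUCT_AIDS:
            if e.aid.startswith(base) and e.aid != base:
                findings.append(f"BP: {e.aid}: PIX extension after {base}")
    return findings


def select_application(entries, terminal_aids, partial_matching=True):
    """Return the mutually supported entry with the highest priority, or None.

    No cardholder interaction takes place: the choice is automatic.
    """
    def supported(entry):
        return any(
            entry.aid == t or (partial_matching and entry.aid.startswith(t))
            for t in terminal_aids)

    candidates = [e for e in entries if supported(e)]
    if not candidates:
        return None  # the contactless transaction cannot proceed
    # Priority 1 wins; entries without a priority (0) sort last.
    return min(candidates, key=lambda e: (e.priority == 0, e.priority))


# Constructed sample profiles (not real card data).
DUAL_BRAND = [
    DirectoryEntry(MASTERCARD_AID, "MASTERCARD", 0x02),
    DirectoryEntry(MAESTRO_AID, "MAESTRO", 0x01),
]
EXTENDED_AID = [DirectoryEntry(MASTERCARD_AID + "01", "MASTERCARD", 0x01)]
MISCONFIGURED = [
    DirectoryEntry(MASTERCARD_AID, "MASTERCARD", 0x81),  # confirmation bit set
    DirectoryEntry(MAESTRO_AID, "MAESTRO", 0x01),        # duplicate priority 1
]

if __name__ == "__main__":
    both = [MASTERCARD_AID, MAESTRO_AID]
    print(select_application(DUAL_BRAND, both).label)
    print(select_application(EXTENDED_AID, both, partial_matching=False))
    for finding in lint_ppse(MISCONFIGURED) + lint_ppse(EXTENDED_AID):
        print(finding)
```

The `EXTENDED_AID` profile shows why the page discourages PIX extensions: a terminal that only matches AIDs exactly finds no application on that card.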


Card Authentication

MasterCard requires the use of dynamic CVC3 by all PayPass—Mag Stripe
cards. This includes PayPass—M/Chip cards that perform PayPass—Mag Stripe
transactions.

For PayPass—M/Chip online transactions the application cryptogram should be
validated to prevent counterfeit fraud.

For MasterCard PayPass—M/Chip:

• New cards issued in the Europe or U.S. regions must support CDA and
must not support SDA
• New cards issued outside of the Europe or U.S. regions that do not support
CDA must operate as online only. Cards must not support SDA. Cards that
do not support CDA may experience interoperability issues and may not
work with some merchants such as mass transit agencies.

MasterCard recommends that the issuer support CDA.

Issuers of old cards that support SDA should note that SDA will not be
performed on PayPass readers that comply with EMVCo Book C-2 and therefore
all transactions at these readers will require online authorization.

All Maestro PayPass cards must support CDA and must not support SDA for
Maestro PayPass—M/Chip.

PayPass does not support DDA.

R MS Maestro PayPass—M/Chip cards must support CDA and must not
support SDA.
R MC MasterCard PayPass—M/Chip cards must not support SDA.
R MC MasterCard PayPass—M/Chip cards issued in the Europe or US regions
must support CDA.
R MC MasterCard PayPass—M/Chip cards issued outside of the Europe or
US regions must support CDA or be configured as online only and not
support any offline CAM.
BP MC Issuers outside the Europe and US regions are strongly recommended
to use CDA on MasterCard PayPass—M/Chip cards.
R ALL PayPass—M/Chip cards must not support DDA on the PayPass
interface.
R MC MasterCard PayPass—M/Chip cards must use a dynamic CVC3 for
PayPass—Mag Stripe transactions.
BP ALL Issuers are strongly recommended to validate the application
cryptogram for online PayPass—M/Chip transactions.


The payment system public keys for PayPass—M/Chip have the same values
and expiry dates as those used for MasterCard EMV contact chip transactions. It
is recommended to use the same Issuer Key pair for transactions on the contact
and contactless interface of a PayPass—M/Chip card; therefore, the same Issuer
Public Key certificate may be used.

It is recommended to use the same ICC Key pair for transactions on the contact
and contactless interface of a PayPass—M/Chip card. The ICC Public Key
Certificate cannot be shared between the contact and contactless interface
even if the same keys are used since some of the data elements signed in the
certificate are different.

BP ALL Issuers should use the same Issuer and ICC Public Keys across both
the contact and contactless interface.

Cardholder Verification

A signature or PIN is not required for a PayPass transaction less than or equal
to the chargeback protection amount. In this situation, no setting of the Service
Code for PayPass—Mag Stripe, or CVM List for PayPass—M/Chip, requires the
acquirer to obtain cardholder verification.

For transactions greater than the chargeback protection amount, cardholder
verification is normally requested. If transactions are completed offline with
no cardholder verification above the chargeback protection amount then the
acquirer may be liable for disputed transactions.

For PayPass—Mag Stripe transactions, the cardholder verification method
is determined by the terminal in a similar manner to swiped magnetic stripe
transactions. The terminal is not required to refer to the Service Code, which
appears in multiple data elements. If the device supports On Device Cardholder
Verification, this is communicated to the terminal as part of the transaction.

For PayPass—M/Chip transactions, the CVM is determined by the PayPass
reader application in the terminal based on the terminal capabilities and CVM
List or other data in the cardholder device.
NOTE
For the remainder of this section a distinction is made between cardholder
devices that support On Device Cardholder Verification (mobile phones) and
all other cardholder devices (cards).

MasterCard PayPass—M/Chip cards:

• Must support Signature
• Must support Online PIN
• Must support No CVM

MasterCard PayPass—M/Chip mobile phones:


• Must support No CVM
• Must support Signature
• Must support Online PIN or On Device Cardholder Verification, or both.

Support for both Online PIN and On Device Cardholder Verification is
recommended for MasterCard mobile phones.

The issuer may elect for either Signature or Online PIN to be preferred and
personalize the CVM List accordingly. On Device Cardholder Verification is
performed above the chargeback protection amount if supported by the mobile
phone and the terminal.

If issuers require support for MasterCard PayPass—M/Chip mobile phones at
ATMs, then Online PIN must be supported.

Maestro PayPass cards and mobile phones must support No CVM.

If the issuer supports Maestro PayPass transactions above the ceiling limit, then:

• Maestro PayPass cards must support Online PIN.
• Maestro PayPass mobile phones must support Online PIN or On Device
Cardholder Verification or both.

If issuers require support for Maestro PayPass—M/Chip cards or mobile phones
at ATMs then Online PIN must be supported.

Support for On Device Cardholder Verification is recommended for all
MasterCard and Maestro PayPass mobile phones.

CVM List entries should not make use of the X and Y values to influence the
availability of a particular CVM. This means that condition codes: '06', '07', '08'
or '09' should not be used.

Offline PIN is not supported for PayPass—M/Chip transactions. Offline PIN
may be supported on the same card but only for EMV contact chip transactions.
Issuers must not include offline PIN options in the CVM List read through the
contactless interface.

R ALL All PayPass—M/Chip cards and mobile phones must support No CVM
in the CVM List read through the contactless interface.
R ALL PayPass—M/Chip cards and mobile phones must not support either
offline plain text PIN or offline enciphered PIN in the CVM List read
through the contactless interface.
R MC MasterCard PayPass—M/Chip cards must support Online PIN and
Signature in the CVM List read through the contactless interface.
R MC MasterCard PayPass—M/Chip mobile phones must support Signature
in the CVM List read through the contactless interface.


R MC MasterCard PayPass—M/Chip mobile phones must support Online PIN,
in the CVM List read through the contactless interface, or On Device
Cardholder Verification, or both.
R MS If the issuer allows Maestro PayPass transactions above the ceiling
limit, then cards must support Online PIN in the CVM List read through
the contactless interface.
R MS If the issuer allows Maestro PayPass transactions above the ceiling
limit, then mobile phones must support Online PIN in the CVM List
read through the contactless interface, or On Device Cardholder
Verification, or both.
BP MS Support for Online PIN is recommended for all Maestro PayPass cards
and mobile phones.
BP ALL Support for On Device Cardholder Verification is recommended for all
PayPass—M/Chip mobile phones.
BP ALL CVM List entries should not make use of the X and Y values to
influence the availability of a particular CVM.
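
The CVM List rows above can be checked mechanically before a profile goes to validation. The following is an added example, not part of the MasterCard specification: it parses a CVM List value (EMV tag '8E') and reports which of this section's R and BP rows it breaks. The function names, the `brand`/`device` labels and the sample lists are assumptions constructed for illustration; method and condition codes follow the EMV CVM List encoding.

```python
from typing import NamedTuple

# EMV CVM codes (low six bits of the first byte of each CV rule).
OFFLINE_PIN = {
    0x01: "plaintext PIN verified by ICC",
    0x03: "plaintext PIN verified by ICC and signature",
    0x04: "enciphered PIN verified by ICC",
    0x05: "enciphered PIN verified by ICC and signature",
}
ONLINE_PIN, SIGNATURE, NO_CVM = 0x02, 0x1E, 0x1F
# Condition codes that depend on amounts X and Y ('06' to '09' on this page).
XY_CONDITIONS = {0x06, 0x07, 0x08, 0x09}


class CvRule(NamedTuple):
    method: int          # CVM code without the continuation bit
    next_on_fail: bool   # bit 7: apply the succeeding rule if unsuccessful
    condition: int       # CVM condition code


def parse_cvm_list(value: bytes):
    """Split a CVM List into amount X, amount Y and its two-byte CV rules."""
    if len(value) < 10 or (len(value) - 8) % 2:
        raise ValueError("CVM List must be 8 bytes of amounts plus 2-byte rules")
    x = int.from_bytes(value[0:4], "big")
    y = int.from_bytes(value[4:8], "big")
    rules = [CvRule(value[i] & 0x3F, bool(value[i] & 0x40), value[i + 1])
             for i in range(8, len(value), 2)]
    return x, y, rules


def check_contactless_cvm_list(value, brand, device, odcv=False,
                               above_ceiling=False):
    """Return findings for the CVM List read through the contactless interface.

    brand: "MC" or "MS"; device: "card" or "phone" (labels assumed here).
    odcv: the phone supports On Device Cardholder Verification.
    above_ceiling: a Maestro issuer allows transactions above the ceiling limit.
    """
    if brand not in ("MC", "MS") or device not in ("card", "phone"):
        raise ValueError("unknown brand or device")
    _, _, rules = parse_cvm_list(value)
    methods = {r.method for r in rules}
    findings = []

    if NO_CVM not in methods:
        findings.append("R: No CVM must be supported")
    for m in sorted(methods & set(OFFLINE_PIN)):
        findings.append(f"R: offline PIN must not be listed ({OFFLINE_PIN[m]})")

    pin_or_odcv = ONLINE_PIN in methods or (device == "phone" and odcv)
    pin_text = ("Online PIN must be supported" if device == "card" else
                "Online PIN or On Device Cardholder Verification must be supported")
    if brand == "MC":
        if SIGNATURE not in methods:
            findings.append("R: Signature must be supported")
        if not pin_or_odcv:
            findings.append("R: " + pin_text)
    elif above_ceiling and not pin_or_odcv:
        findings.append("R: " + pin_text + " above the ceiling limit")

    if any(r.condition in XY_CONDITIONS for r in rules):
        findings.append("BP: condition codes '06' to '09' (X and Y) should not be used")
    return findings


# Constructed sample values (not taken from any real card).
GOOD_MC_CARD = bytes.fromhex("0000000000000000" "4203" "5E03" "1F03")
BAD_MC_CARD = bytes.fromhex("00000000000003E8" "4403" "1E06")
NO_CVM_ONLY = bytes.fromhex("0000000000000000" "1F00")
PHONE_SIG_ONLY = bytes.fromhex("0000000000000000" "5E03" "1F03")

if __name__ == "__main__":
    for finding in check_contactless_cvm_list(BAD_MC_CARD, "MC", "card"):
        print(finding)
```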

Magnetic Stripe Based PVV

It may not be possible or easy to change some of the data on a PayPass
card. Any existing magnetic stripe processes that rely on rewriting data to
the magnetic stripe after the card has been issued need to be evaluated. In
particular this may affect magnetic stripe based PVV solutions for online PIN
verification if PIN change is supported.

BP ALL Magnetic stripe based PVV methods should not be used for online PIN
verification if PIN change is supported.

Managing the Contactless Controls

The issuer should manage the offline counters and parameters for the contactless
interface during the authorization response to a contact chip transaction. They
cannot be managed during a PayPass transaction as the Issuer Authentication
Data from the authorization response is never delivered to the card.

The PayPass—M/Chip application may trigger an online authorization request
at the next contact transaction to enable management of the offline counters.

Personalization Requirements

The PayPass personalization requirements are detailed in the PayPass
Personalization Data Specifications and the M/Chip Advance Personalization
Data Specifications.

MasterCard requires that the personalization of each card configuration be
approved using the CPV service before cards are issued.


MasterCard prohibits encoding the cardholder name in the data read through the
contactless interface to prevent unauthorized disclosure. It is recommended to
use a space character followed by the surname separator “/” in the Track 1 Data.

Third Party Data may be used by a terminal for proprietary processing. Issuers
that intend to participate in a scheme utilizing this data object must request a
Unique Identifier from MasterCard. A sub-field of this data object is also used to
carry the Device Type. Refer to Data Requirements for more information.

R ALL CPV must be successfully completed for all PayPass cards issued.
R ALL The name of the cardholder must not be readable over the contactless
interface.
R ALL If the Third Party Data included in the PayPass card is intended to be
used to carry proprietary data, then the issuer must contact MasterCard
at [email protected] to obtain the Unique Identifier.
BP ALL Issuers should use “ /” for the cardholder name in the data read
through the contactless interface.
R ALL Non-card form factors must be personalized with the Device Type
present in the Third Party Data object.
R ALL Effective 18 October 2013, U.S. region issuers must ensure that each
newly issued or reissued PayPass-enabled card, access device, and
mobile payment device is personalized with the appropriate Device
Type value.
R ALL Effective 18 October 2014, Canada region issuers must ensure that
each newly issued or reissued PayPass-enabled card, access device,
and mobile payment device is personalized with the appropriate
Device Type value.

Data objects may be personalized in the card organized in the pre-defined file
structure detailed in the PayPass Personalization Data Specifications to allow
efficient data capture by the PayPass terminal resulting in a faster transaction.

R ALL If data objects are not organized according to the rules specified for
the pre-defined file structure, then the pre-defined values for the AFL
must not be used.

PayPass—M/Chip Personalization Requirements

Some data elements are unique for the contactless interface and some are
shared with the contact interface.

For PayPass the issuer may operate in full chip grade, semi-grade or magnetic
stripe grade on the contact profile.


Issuers that have the capability to distinguish between chip-read and magnetic
stripe-read transactions must use a different value for Chip CVC on the
contactless interface to the CVC1 encoded on the magnetic stripe. This prevents
compromised PayPass data being used to fraudulently create valid counterfeit
magnetic stripe cards.

Maestro cards that do not have a CVC1 encoded on the magnetic stripe do not
need to include a Chip CVC.

However, to protect against the risk of counterfeiting, it must not be possible to
reproduce the Track 2 on the magnetic stripe from the PayPass data in the chip.
This means that some aspect of the magnetic stripe data must be unique to the
stripe, unpredictable and validated during the authorization.

R ALL Issuers that have the capability to distinguish between chip-read and
magnetic stripe-read transactions must support a Chip CVC in Track
2 Equivalent Data on the contactless interface that is different to the
CVC1 if present.
R ALL The genuine CVC1, as found on the physical magnetic stripe, must not
appear in any data element that can be read through the contactless
interface.
R MS Issuers of Maestro PayPass cards that do not have a Chip CVC in Track
2 Equivalent Data must ensure that the Track 2 data found on the
magnetic stripe cannot be reproduced from the PayPass data on the
chip. Some aspect of the magnetic stripe data must be unique to the
magnetic stripe, unpredictable and validated during the authorization.

Issuers may choose to use an Application PAN on the contactless interface
which is different to the PAN present on the magnetic stripe or that appears
on the face of the card.

If this option is chosen, the issuer must be aware of the requirements to return
the value of the embossed PAN in the response message for PayPass transit
transactions.

To protect critical data used in the transaction, if the card supports offline card
authentication then the data elements shown in the table below must be stored
in records that are signed.

Data Element                          Tag

Application Currency Code             '9F42'
Application Expiration Date           '5F24'
Application Effective Date [1]        '5F25'
Application PAN Sequence Number       '5F34'
Application Primary Account Number    '5A'
Application Usage Control             '9F07'
CDOL1                                 '8C'
CDOL2                                 '8D'
CVM List                              '8E'
Issuer Action Code—Default            '9F0D'
Issuer Action Code—Denial             '9F0E'
Issuer Action Code—Online             '9F0F'
Issuer Country Code                   '5F28'
SDA Tag List                          '9F4A'

[1] If present

R ALL The data elements shown in the table above, if present, must all be
stored in records that are signed.
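
The following is an added example, not MasterCard code: a pre-issuance audit that checks three of the card requirements above against the data a contactless reader would see (no readable cardholder name, Track 2 Equivalent Data not identical to the stripe, and the listed tags only in signed records). It assumes the standard EMV layouts, which this page does not spell out: records wrapped in template '70', Track 1 Data in tag '56', Track 2 Equivalent Data in tag '57', Cardholder Name in tag '5F20', and a 4-byte AFL entry whose last byte counts the signed records. All card data is constructed.

```python
"""Audit contactless personalization data against three card requirements."""

# Tags from the table above; each must sit in a signed record if present.
MUST_BE_SIGNED = {"9F42", "5F24", "5F25", "5F34", "5A", "9F07", "8C", "8D",
                  "8E", "9F0D", "9F0E", "9F0F", "5F28", "9F4A"}


def parse_tlv(data: bytes) -> dict:
    """Parse one level of BER-TLV into {tag hex: value bytes}."""
    out, i = {}, 0
    try:
        while i < len(data):
            start = i
            if data[i] & 0x1F == 0x1F:            # multi-byte tag
                i += 1
                while data[i] & 0x80:
                    i += 1
            i += 1
            tag = data[start:i].hex().upper()
            length = data[i]
            i += 1
            if length & 0x80:                     # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            if i + length > len(data):
                raise IndexError
            out[tag] = data[i:i + length]
            i += length
    except IndexError:
        raise ValueError("truncated TLV data") from None
    return out


def signed_records(afl: bytes) -> set:
    """Return {(sfi, record)} covered by offline data authentication."""
    if len(afl) % 4:
        raise ValueError("AFL length must be a multiple of 4")
    signed = set()
    for off in range(0, len(afl), 4):
        sfi, first, n_signed = afl[off] >> 3, afl[off + 1], afl[off + 3]
        signed.update((sfi, rec) for rec in range(first, first + n_signed))
    return signed


def audit(afl: bytes, records: dict, stripe_track2: str) -> list:
    """records maps (sfi, record number) -> raw record bytes; returns findings."""
    signed, findings = signed_records(afl), []
    for (sfi, rec), raw in sorted(records.items()):
        fields = parse_tlv(parse_tlv(raw).get("70", b""))
        where = f"SFI {sfi} record {rec}"
        if (sfi, rec) not in signed:
            for tag in sorted(MUST_BE_SIGNED & fields.keys()):
                findings.append(f"{where}: tag {tag} is in an unsigned record")
        names = []
        if "5F20" in fields:
            names.append(fields["5F20"].decode("ascii", "replace"))
        if "56" in fields:                        # B<PAN>^<name>^<rest>
            names += fields["56"].decode("ascii", "replace").split("^")[1:2]
        if any(name.rstrip() != " /" for name in names):
            findings.append(f"{where}: cardholder name field is not ' /'")
        t2 = fields.get("57")
        # Only the identical-copy case is caught here; whether the stripe CVC1
        # appears elsewhere depends on the issuer's discretionary data layout.
        if t2 and t2.hex().upper().rstrip("F").replace("D", "=") == stripe_track2:
            findings.append(f"{where}: Track 2 Equivalent Data equals stripe Track 2")
    return findings


# --- constructed sample data below (hypothetical helpers, not a real card) ---
def tlv(tag: str, value: bytes) -> bytes:
    return bytes.fromhex(tag) + bytes([len(value)]) + value   # short form only


def record(*fields: bytes) -> bytes:
    return tlv("70", b"".join(fields))


def bcd(track2: str) -> bytes:
    digits = track2.replace("=", "D")
    return bytes.fromhex(digits + "F" * (len(digits) % 2))


STRIPE_T2 = "5413330000000019=25122010123456789"
AFL = bytes.fromhex("08010100" "10010101")   # SFI 1 rec 1 unsigned, SFI 2 rec 1 signed
PAN = tlv("5A", bytes.fromhex("5413330000000019"))
AUC = tlv("9F07", bytes.fromhex("FF00"))
GOOD = {
    (1, 1): record(tlv("56", b"B5413330000000019^ /^2512201000000000000")),
    (2, 1): record(tlv("57", bcd("5413330000000019=25122010987000000")), PAN, AUC),
}
BAD = {
    (1, 1): record(tlv("56", b"B5413330000000019^DOE/JANE^2512201000000000000"), AUC),
    (2, 1): record(tlv("57", bcd(STRIPE_T2)), PAN),
}

if __name__ == "__main__":
    for label, image in (("good", GOOD), ("bad", BAD)):
        print(label, audit(AFL, image, STRIPE_T2))
```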

PayPass—Mag Stripe Personalization Requirements

The first and only record of the file SFI 1 must include the data objects
necessary to perform the PayPass—Mag Stripe transactions.

The last digit of both Track 1 and Track 2 must not be used by the issuer as this
is used by the terminal to indicate the number of digits of the unpredictable
number (nUN). The length of the unpredictable number must not be fewer
than 2 digits.

The positions where the PayPass reader stores the ATC, UN, and CVC3 in the
discretionary data in Track 1 Data and Track 2 Data, should be filled with zeroes.
This is a requirement if PayPass On Behalf CVC validation services are used.

If the issuer intends to make use of MasterCard's On-behalf Service for dynamic
CVC3 verification, then the value of NATCTRACK1 and the value of NATCTRACK2
must be greater than or equal to 3 for the CVC3 Validation in Stand-in Service,
or greater than or equal to 2 for the dynamic CVC3 Pre-validation Service or the
PayPass Mapping Service (processing only option). In both cases, a value of at
least 4 for NATCTRACK1 and NATCTRACK2 is recommended.

R MC Record 1 of SFI 1 must contain the data to perform a PayPass—Mag
Stripe transaction. Record 1 must be the only record included in SFI 1.
R MC The last digit of both Track 1 and Track 2 must not be used by the
issuer.
R MC Placeholders for dynamic CVC3 data which is inserted by the terminal
in either Track 1 or Track 2 must be zero filled if PayPass On Behalf
CVC validation services are used.
R ALL The Unpredictable Number must be at least 2 digits in length.
R ALL Users of on-behalf services must use the appropriate minimum values
for NATCTRACK1 and NATCTRACK2.

Card Delivery
PayPass data can be read by any reader that can power the contactless chip
and send the correct commands.

Therefore, it is feasible that card data could be captured while the card is in
transit to the cardholder. Issuers should consider appropriate control methods
to reduce the risks and impact of card or data interception. This might be by
using a special envelope to shield card reading or by disabling the contactless
interface until the card has been activated by the cardholder.

BP ALL Issuers should ensure that contactless transactions are not possible
until the card has been activated by the cardholder.

Issuer Host Requirements


Issuer host must meet requirements to accommodate authorization messages
and decisions.

Authorization Messages

PayPass issuers must ensure host systems are capable of correctly receiving
and processing authorization messages containing specific values for the data
element (DE) 22 (POS Entry Mode) and DE 61 (POS Data) that identify PayPass
transactions.

• DE 22 (POS Entry Mode), subfield 1, value 07 is used for a PayPass—M/Chip
transaction. A value of 91 is used for a PayPass—Mag Stripe transaction
even if performed at a PayPass—M/Chip terminal.
• DE 61 (POS Card Data Terminal Input Capability Indicator), subfield 11,
value of 3 indicates that the terminal supports PayPass—M/Chip and
PayPass—Mag Stripe transactions. A value of 4 indicates support for
PayPass—Mag Stripe transactions. Note that these values may be used even
in the context of a contact transaction.

R ALL Issuers must support on their network interface and host system
PayPass transactions as described above.


Authorization Decisions

Authorization requests are approved against the account balance or open to
buy position in the usual way. In addition, issuers should check the authenticity
of the PayPass card by validating the dynamic CVC3 or application cryptogram
received.

The issuer should take into account that bits that are not set in the TVR included
in the authorization request of a PayPass—M/Chip transaction may not always
reflect the final outcome of the terminal tests performed. An example of this is
when card authentication may have been completed after the GENERATE AC
command was issued to the card or after the TVR was signed.

As part of the authorization decision process, issuers should also consider the
number of transactions done without cardholder verification that have been
done consecutively.

Issuers should also consider the presence of transit indicators in DE 48
(Additional Data), subelement 64 (Transit Program) of the authorization message
during the decision process.

BP ALL Issuers should always perform online CAM by checking that the ARQC
contained in a PayPass—M/Chip online authorization request is correct.
R ALL An authorization or clearing request may legitimately contain a TC in
DE 55 (Integrated Circuit Card [ICC] System-Related Data). Issuers must
not routinely decline transactions in this situation.
R ALL The transaction amount and the transaction date may be different in
DE 55 when compared with other fields in the authorization message.
The issuer must not routinely decline transactions in this situation.
R MC Issuers must always perform online CAM by checking that the CVC3
contained in a PayPass—Mag Stripe online authorization request is
correct.
R MC Issuers must be able to process PayPass—Mag Stripe transactions if
either Track 1 Data or Track 2 Data is present in the authorization
message.
BP ALL Issuers should manage the risk of PayPass transactions done without a
CVM that are approved consecutively.
BP ALL Issuers should adopt the authorization decision process when
appropriate for transit-based transactions.

Application Transaction Counter Monitoring

The role of the ATC is to ensure that every cryptogram produced by a genuine
card is unique.

The ATC is incremented by the card during each transaction. However,
although ATC values are generated sequentially, they may not be presented
to the issuer in this way. Transactions may sometimes be completed offline,
completed with deferred authorization, or not completed at all. In these
situations ATCs could be missing in the sequence received by the issuer, or they
could be received out of sequence.

For approved transactions where the application cryptogram or dynamic CVC3
has been successfully validated, issuers should keep a record of the most recent
ATC received (the “last seen ATC”). Issuers should set a feasible range, outside
of which the receipt of an ATC value is considered suspicious. This may
indicate fraud, or that a cardholder is having problems using their card. For
these transactions issuers should raise a post-event alert and conduct further
investigation, but should not decline the transaction for this reason only. A
suitable value for this range will depend on the market environment where the
card is used. For example, if offline transactions are frequently performed for
tollways or transit, then a wider range will be required. The range might not be
the same above as below the last seen ATC.

Issuers should not routinely decline transactions where the ATC is out of the
range that they have set or if the ATCs arrive out of sequence.

To detect duplicate ATCs, issuers may also consider keeping a record of
previous ATCs received where the application cryptogram or dynamic CVC3
has been successfully validated (limited to a practical window size) or all ATCs
missing from the sequence up to the last seen ATC. If the same ATC is received
twice with valid, but different application cryptogram or dynamic CVC3 values
then this indicates that the secret keys of the card have been compromised. If
the same ATC is received twice with valid, but identical application cryptogram
or dynamic CVC3 values then this may indicate attempted replay fraud. In both
cases the issuer should decline the transaction and investigate further.

The issuer may wish to accept and process advice messages (0120) in order to
maintain up to date ATC values as part of ATC management.

BP ALL For approved transactions where the application cryptogram has
been successfully validated, issuers should keep a record of the “last
seen ATC” and set a feasible range. Subsequent transactions received
which contain an ATC outside of this range should be treated as
suspicious, but should not be routinely declined.
BP ALL Issuers should put in place a mechanism to detect duplicate ATCs and
decline and investigate further when duplicates are detected.
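
The ATC monitoring described above, as an added example that is not MasterCard code: a per-card monitor that raises a post-event alert for an out-of-range ATC without declining, and declines a duplicate ATC while distinguishing the replay case from the key-compromise case. The range and window sizes, the choice of the highest validated ATC as the "last seen ATC", and the sample cryptogram strings are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AtcMonitor:
    """ATC state for one card. Range and window sizes are illustrative only."""
    below: int = 10      # tolerated distance below the last seen ATC
    above: int = 50      # tolerated distance above it (wider for offline use)
    window: int = 64     # number of validated ATCs remembered for duplicates
    last_seen: Optional[int] = None
    seen: Dict[int, str] = field(default_factory=dict)   # ATC -> cryptogram/CVC3

    def check(self, atc: int, cryptogram: str) -> Tuple[str, str]:
        """Classify a transaction whose cryptogram or CVC3 has already validated."""
        if atc in self.seen:
            if self.seen[atc] == cryptogram:
                return "decline", "duplicate ATC, identical value: possible replay"
            return "decline", "duplicate ATC, different valid value: possible key compromise"
        if self.last_seen is not None and not (
                self.last_seen - self.below <= atc <= self.last_seen + self.above):
            # Suspicious, but not a reason to decline on its own.
            return "alert", "ATC outside feasible range: raise post-event alert"
        return "ok", "ATC within feasible range"

    def record_approved(self, atc: int, cryptogram: str) -> None:
        """Remember an approved, validated transaction."""
        self.seen[atc] = cryptogram
        if self.last_seen is None or atc > self.last_seen:
            self.last_seen = atc                  # assumption: high-water mark
        while len(self.seen) > self.window:       # keep a practical window size
            del self.seen[min(self.seen)]


def run(events: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Feed (ATC, cryptogram) pairs through one monitor, in arrival order."""
    monitor, results = AtcMonitor(), []
    for atc, cryptogram in events:
        verdict, _reason = monitor.check(atc, cryptogram)
        if verdict != "decline":
            # Simplification: every transaction not declined here is treated
            # as approved by the rest of the authorization decision.
            monitor.record_approved(atc, cryptogram)
        results.append((atc, verdict))
    return results


# Constructed arrival sequence: a gap, an out-of-sequence ATC, two duplicates,
# then a large jump and the first normal ATC after it.
SAMPLE = [
    (10, "A1B2"), (11, "C3D4"), (14, "E5F6"),   # 12 and 13 completed offline
    (12, "0718"),                                # arrives late, still in range
    (11, "C3D4"),                                # same ATC, same cryptogram
    (11, "9999"),                                # same ATC, different cryptogram
    (500, "ABCD"),                               # far above the last seen ATC
    (15, "1234"),                                # now far below the new last seen ATC
]

if __name__ == "__main__":
    for atc, verdict in run(SAMPLE):
        print(atc, verdict)
```

Recording ATC 500 moves the last seen ATC, so the genuine ATC 15 that follows also raises an alert; this is one reason the text asks for investigation rather than a decline for out-of-range values.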

Authorization Responses

A referral response must not be given to a PayPass authorization request.

Since the consumer remains in control of the PayPass card throughout the
transaction, the opportunity for merchants to pick up these cards is limited.
Issuers should not use a capture card authorization response to PayPass
transactions.

For PayPass—M/Chip authorization responses, the issuer should not generate
Issuer Authentication Data, because the PayPass terminal is not able to pass
it to the PayPass card.

For PayPass—M/Chip authorization responses, the issuer should not include
issuer scripts because the PayPass terminal is not able to pass them to the
PayPass card.

R ALL Issuers must not use a referral 01 authorization response code.
BP ALL Issuers should not use a capture card 04 authorization response code.
BP ALL PayPass—M/Chip issuers should not generate Issuer Authentication
Data for authorization responses.
BP ALL PayPass—M/Chip issuers should not send scripts with authorization
responses.
R ALL Issuers that use a PAN mapping service must return the genuine PAN
in the authorization response message, even if an alternative PAN was
used in the authorization request.

Refunds

MasterCard PayPass issuers must be able to support the processing of a refund
transaction initiated via the contactless interface.

R MC Issuers must be able to process refunds initiated via the contactless
interface.

Clearing Requirements
PayPass transactions are identified in clearing messages.

Clearing Messages

PayPass issuers must ensure host systems are capable of correctly receiving and
processing existing subfields within the clearing message containing specific
values of the data input capability and the data input profile, DE 22 (POS
Entry Code).

DE 22, subfield 1 identifies the terminal capabilities and must contain:

• the value of M for a transaction at a PayPass—M/Chip terminal.
• the value of A for a transaction at a PayPass—Mag Stripe terminal.

DE 22, subfield 7 identifies the card data input profile for this transaction and
must contain:

• the value M for a PayPass—M/Chip transaction.
• the value A for a PayPass—Mag Stripe transaction.

R ALL Issuers must support PayPass transactions as described above on their
clearing interface and host system.

As there is only one GENERATE AC command in a PayPass transaction, the
cryptogram and related data included in the clearing message will always relate
to the first GENERATE AC. The cryptogram may be a TC or an ARQC.

Chargeback and Exception Processing


Issuers may not make a retrieval request for a transaction identified as a PayPass
transaction that is less than the chargeback protection amount, except in certain
transit situations as defined in the Chargeback Guide.

No new chargeback reason codes have been introduced to support PayPass.
Updates to the existing reason codes are documented in the Chargeback Guide
or in the Maestro Global Rules.

Chapter 4 Acquirer Requirements
This section includes information on requirements for the acquirer.

General Requirements
Terminals
Offline Card Authentication
Cardholder Verification
Terminal Risk Management
Terminal Action Codes
Authorization Responses
Cardholder Receipts
Subsequent Contact Transactions
Terminated Transactions
Cardholder Activated Terminals
Automated Teller Machines
Vending Machines
Acquirer Network Requirements
Authorization Requirements
Clearing Requirements
Exception Processing
On-behalf Services


General Requirements
Overall general requirements for acquirers and merchants include PayPass
enrollment and acceptance.

PayPass Enrollment

Acquirers implementing PayPass acceptance must enroll in the MasterCard
PayPass program. Acquirers must be enrolled and receive approval from
MasterCard to acquire PayPass transactions.

Program enrollment allows acquirers access to all required specifications and to
receive MasterCard related services and products.

R ALL Members that want to acquire PayPass transactions must enroll in the
PayPass program.

PayPass Acceptance

PayPass acceptance means that all cardholder devices are valid for acceptance
at terminals, not just PayPass cards.

A PayPass terminal that accepts MasterCard:

• Must accept PayPass—Mag Stripe transactions
• May accept PayPass—M/Chip transactions

A PayPass terminal that accepts Maestro:

• Must not accept Maestro in PayPass—Mag Stripe mode. The terminal may
support PayPass—Mag Stripe for MasterCard.
• Must support PayPass—M/Chip transactions

PayPass—M/Chip must be used if supported by the card and terminal.
Attempted PayPass—M/Chip transactions must not fall back to PayPass—Mag
Stripe. Terminals cannot change processing mode during a transaction once
it is determined.

R MC A MasterCard PayPass terminal must support PayPass—Mag Stripe.
R MS A Maestro PayPass terminal must support PayPass—M/Chip.
R MS A Maestro PayPass terminal must not support PayPass—Mag Stripe
mode transactions for Maestro PayPass.

PayPass—Mag Stripe merchant locations normally also support magnetic stripe
contact acceptance.

PayPass—M/Chip enabled merchant locations normally also support EMV
contact chip and magnetic stripe acceptance. If the terminal supports EMV
contact chip technology, then products supported for PayPass must also be
supported for EMV contact chip transactions.

A terminal that supports magnetic stripe and EMV chip contact transactions
(hybrid terminal) that also supports PayPass should support PayPass—M/Chip.

BP ALL A hybrid terminal that also supports PayPass should support
PayPass—M/Chip.
BP ALL A PayPass terminal should also support contact transactions.
R ALL A hybrid terminal must support on the EMV contact chip interface
every product supported on the contactless interface.

Locations that only accept contactless transactions are permitted in agreement
with MasterCard and are permitted for specific merchant category codes on
an individual country basis.

An updated list of countries and merchant categories that are allowed to accept
PayPass only is maintained in the MasterCard Rules and Maestro Global Rules.

Terminals
Acquirers and merchants must only use approved PayPass terminals.

Approvals and Testing

All PayPass products need to obtain approval before deployment. Subsequent
changes to terminal software could affect compliance with PayPass Terminal
Vendor testing and must be discussed and reviewed with MasterCard.

R ALL Acquirers must only deploy terminals that have successfully completed
the MasterCard PayPass vendor product approval process. Approvals
are only given to properly licensed vendors.

Reader Specifications

R ALL All PayPass readers must successfully complete M-TIP testing.
R ALL All PayPass readers submitted for M-TIP testing must have a valid
Terminal Quality Management (TQM) Label.
R ALL Effective 1 July 2013, submissions for M-TIP testing for new PayPass
deployments in the Europe region must use PayPass readers that
comply with PayPass—M/Chip version 3.0 or EMVCo Book C-2.
R ALL Effective 1 January 2014, PayPass readers deployed at new merchants
in the Europe region must comply with PayPass—M/Chip version 3.0
or EMVCo Book C-2.

R ALL All new deployments of PayPass readers in merchant locations in
the U.S. region must comply with PayPass—M/Chip version 3.0 or
EMVCo Book C-2.
R ALL Effective 18 October 2014, all new deployments of PayPass readers
in merchant locations in the Canada region must comply with
PayPass—M/Chip version 3.0 or EMVCo Book C-2.

Terminal Branding

PayPass terminals must meet the MasterCard branding requirements. PayPass
terminals use common interfaces to provide a consistent consumer and
merchant experience.

In order to give the cardholder clear information as to where to tap the PayPass
device on the PayPass terminal, acquirers must use the PayPass landing zone.
The landing zone must indicate with the contactless identifier where the
cardholder has to tap or hold the MasterCard PayPass card.

If space permits, MasterCard PayPass and other scheme branding may also be
placed on the landing zone as long as branding rules are maintained and the
contactless symbol is not obscured in any way. If space on the landing zone
does not allow room for scheme branding, then it should be placed elsewhere
at the point of interaction. It should not distract the customer from identifying
the contactless symbol and the landing zone.

R ALL PayPass terminals must meet the MasterCard PayPass branding
standards.

Terminal Design and Ergonomics

Merchants should consider that the placement of the PayPass reader is
particularly important to the cardholder using the reader. The PayPass reader
contains the antenna and needs to be conveniently placed and visible. PayPass
readers may be integrated within a payment terminal or be stand-alone devices.

MasterCard recommends that where appropriate, the PayPass reader is included
in a PIN Entry/contact card acceptance device keeping the terminal footprint
on the merchant site to a minimum.

If a merchant uses a separate Electronic Cash Register (ECR) and PayPass
POS terminal, the payment amount generated by the ECR should be made
automatically available to the PayPass terminal when a cardholder chooses to
pay with PayPass. This integration eliminates the need for dual-amount entry
by the clerk which is a key time-saver and also reduces the risk of error.

When the interaction with the card is successfully completed, the reader
provides a visible and audible indication of a successful PayPass interaction to
the cardholder. The visible and audible cues confirm the card can be removed,
but not that the transaction is approved or completed.


BP ALL The PayPass reader should be included in the PIN Entry Device to
minimize the terminal footprint.
BP ALL The payment amount should be made automatically available to the
PayPass terminal by the electronic cash register. The amount should
not have to be entered manually.
R ALL The terminal must use visible and audible cues to the cardholder that
the PayPass interaction has been successful and is complete.

PayPass acceptance devices must be designed to avoid accidental capture of
MasterCard PayPass payment account information when a consumer intends to
transact using the card's magnetic stripe or EMV contact chip, where present.

PayPass readers must be designed to prevent the introduction of foreign objects
which may degrade unit performance or be used to capture PayPass payment
application data from a PayPass card or device.

Consideration should be given that in some retail environments:

• The terminal may be subjected to physical abuse by consumers. It is
recommended that it be constructed from durable materials and have the
facility to be securely attached to a counter or mounting location.
• The terminal may be located in a position where liquid spillage may occur.
It is recommended for such environments that the terminal be sealed to
prevent liquids from causing damage to the internal components.

R ALL PayPass acceptance devices must be designed to avoid accidental
capture of contactless payment account information when a consumer
intends to transact using an interface other than the contactless
interface.
R ALL PayPass acceptance devices must be designed to be tamper resistant.
BP ALL PayPass acceptance devices should be designed to be robust and
appropriate for use in their intended environment.


Visual Card Checks

There is no need to complete visual card checks for PayPass transactions.
Therefore, the merchant does not have to:

• Check any visual security features, such as the presence of a MasterCard
hologram
• Visually check the valid date and the expiration date on the face of the card
• Manually check Warning Bulletins
• Compare the four-digit truncated account number imprinted in the signature
panel with the last four digits of the embossed account number on the
face of the card
• Compare the embossed account number on the face of the card with the
number displayed or printed from the POS terminal
• Compare any photograph on the card with the person presenting the card
• Check that the card is signed (This does not necessarily mean that a
signature is not required to complete the transaction)

Any automation of the above visual checks by the POS system, such as Swipe
and Verify checks, must be capable of being overridden or disabled for the
acceptance of PayPass transactions.

Transaction Types

Payment

PayPass acquirers must support payment transactions.

R ALL PayPass acquirers must support payment transactions.

Purchase with Cash Back

Terminals may support cash back for MasterCard PayPass, according to the
product rules. Cardholder verification and online authorization are always
required for Purchase with Cash Back transactions.

Terminals must not support cash back for Maestro PayPass transactions.

R MS Purchase with Cash Back transactions must not be completed with
Maestro PayPass.
R MC Cardholder verification and online authorization must always be
performed for Purchase with Cash Back transactions.

Refunds

Acquirers must be able to process refund transactions initiated via the contactless
interface. A refund must be to the same account as the original transaction.

Cardholder verification is not required for refunds. Authorization is not required
for refunds.

If card refunds are supported by a merchant that has deployed at least one
contactless terminal, then refunds initiated through the contactless interface
must be supported. Merchant support for PayPass refunds is recommended at a
minimum of one PayPass enabled terminal in a merchant location.

For PayPass—M/Chip transactions, refunds initiated through the contactless
interface must be performed by reading the Track 2 details and then requesting
an AAC. The refund is then cleared in the normal way. This prevents card risk
management counters from being adversely impacted.

For PayPass—Mag Stripe transactions, refunds initiated over the contactless
interface must be performed by reading track details via the contactless interface
and clearing the refund transaction in the normal way.

R ALL Acquirers must be able to support refunds initiated through the
contactless interface.
R ALL If PayPass—M/Chip refunds initiated through the contactless interface
are supported by the merchant, the transaction must be terminated by
requesting an AAC from the card if supported by the PayPass reader
application.
R ALL If PayPass—Mag Stripe refunds initiated through the contactless
interface are supported by a merchant, the transaction must be
performed by reading track details from the card and processing in
the normal way.
R ALL If refunds initiated using the contact interface are supported at a POS,
then the merchant must also allow refunds for PayPass transactions
through the contactless interface.

POI Currency Conversion

POI Currency Conversion is not supported for PayPass transactions.

Manual Cash Advance

Cardholder verification is always required for manual cash advance.

R ALL Cardholder verification must always be performed for manual cash
advance transactions.

Gratuities

If gratuities are to be included in the PayPass transaction then the cardholder
should be offered the opportunity to add the gratuity amount before the
PayPass transaction commences.

BP ALL If supported, the possibility to add a gratuity should be offered before
the PayPass transaction commences.

Online and Offline Capability

The terminal is normally online capable unless it is a CAT Level 3 terminal
that is offline only. Other exceptions may be allowed by MasterCard such as
Maestro acceptance on a bus.

Since some PayPass—M/Chip cards may be configured to work as offline only,
MasterCard recommends that terminals not be online only.

BP ALL PayPass terminals should be online capable unless CAT Level 3
terminals or other exceptions approved by MasterCard.
BP ALL PayPass terminals should not be online only for PayPass—M/Chip.

PayPass Limits

In the technical specifications, three limits are used by terminals in processing
PayPass transactions. The same limit may have different values for different
products. The limits are configurable for each AID accepted at the terminal.

The Terminal Contactless Transaction Limit is a maximum transaction amount
above which a contactless transaction must not be performed.

Transactions less than or equal to the Terminal CVM Required Limit do not
require cardholder verification and, unless specifically requested by the
cardholder, do not require a printed receipt. For PayPass transactions above
the Terminal CVM Required Limit, normal cardholder verification and receipt
printing procedures apply.

The Terminal Contactless Floor Limit is a transaction amount above which
online issuer authorization is required.¹

1. Acquirers should be aware that the transaction limits discussed here are managed and supported
differently in the different versions of the PayPass—M/Chip reader.


Terminal Contactless Transaction Limit

When more than one PayPass application is identified on a card, an application
for which the Terminal Contactless Transaction Limit is exceeded must not be
used to complete a transaction. The transaction may be performed if other
PayPass applications are identified that permit the transaction amount.
Otherwise, the terminal should prompt for a contact transaction to be performed
where higher value contact transactions are supported.

There is no maximum transaction amount for MasterCard PayPass set in the
MasterCard Rules. The maximum transaction amount for Maestro PayPass is
market specific as defined in the Maestro Global Rules. A terminal should be
able to perform PayPass transactions up to the same value as other technologies.

BP ALL Terminals should prompt cardholders and/or merchants to use an
alternative technology to perform the transaction if the Terminal
Contactless Transaction Limit is exceeded for all PayPass applications
on the card.
BP ALL A terminal should be able to perform PayPass transactions up to the
same value as other technologies.

Terminal CVM Required Limit

Transactions less than or equal to the Terminal CVM Required Limit do not
require cardholder verification.

Transactions greater than the Terminal CVM Required Limit require cardholder
verification.

For MasterCard PayPass, the Chargeback Guide lists the chargeback protection
amounts to be used in each market. The relevant value should be used to
configure the Terminal CVM Required Limit.

For Maestro PayPass, the Maestro Global Rules lists the ceiling limits to be used
in each market. The relevant value should be used to configure the Terminal
CVM Required Limit.

For PayPass—M/Chip, only No CVM must be supported in the Terminal
Capabilities for transactions less than or equal to the Terminal CVM Required
Limit.

Terminals that allow transactions above the Terminal CVM Required Limit must
not support No CVM above this limit.


R ALL PayPass—M/Chip terminals that allow transactions above the Terminal
CVM Required Limit must not support No CVM above this limit.
BP ALL The ceiling limit or chargeback protection amount relevant to the
market should be used to set the Terminal CVM Required Limit.
R ALL PayPass—M/Chip terminals must support only No CVM in the Terminal
Capabilities for transactions less than or equal to the Terminal CVM
Required Limit.

Terminal Contactless Floor Limit

PayPass—M/Chip transactions less than or equal to the Terminal Contactless
Floor Limit may be authorized offline. Transactions greater than this limit
should be authorized online by the issuer to provide the acquirer protection
against authorization related chargebacks. Online issuer authorization may be
required for transactions less than or equal to this limit, if this is the outcome of
the terminal and card risk management.

For PayPass—Mag Stripe transactions, online issuer authorization is always
obtained either in real time or deferred.

Generally, there are no special floor limits applicable to PayPass transactions.
The same limits apply for contact transactions. In certain markets, PayPass
specific floor limits have been defined; refer to the Quick Reference Booklet to
view details of all current floor limits. However, terminal implementations
should be able to maintain and use this limit independently for each interface.

BP ALL Transactions greater than the Terminal Contactless Floor Limit should
be authorized online by the issuer.
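
The three limits applied to one amount across the PayPass applications identified on a card, as an added Python example that is not part of the MasterCard document. The class and function names, the amounts in minor currency units and the optional cumulative check against the last logged amount are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class AidLimits:
    """Contactless limits configured for one AID, in minor currency units."""
    aid: str
    transaction_limit: Optional[int]  # None: no contactless maximum configured
    cvm_required_limit: int
    floor_limit: int


@dataclass(frozen=True)
class LimitOutcome:
    aid: Optional[str]              # application to use; None if none permits the amount
    prompt_other_technology: bool   # ask for a contact transaction instead
    cvm_required: bool
    online_required_by_limit: bool  # risk management may still send it online


def apply_limits(amount: int, apps: Sequence[AidLimits],
                 last_logged_same_card: int = 0) -> LimitOutcome:
    """Apply the three terminal limits to the applications found on a card.

    apps is ordered by the terminal's selection preference. An application
    whose Terminal Contactless Transaction Limit is exceeded is skipped, so a
    second application on the same card can still carry the transaction.
    """
    for limits in apps:
        if limits.transaction_limit is not None and amount > limits.transaction_limit:
            continue  # this application must not be used for this amount
        return LimitOutcome(
            aid=limits.aid,
            prompt_other_technology=False,
            # At or below the CVM Required Limit no cardholder verification is needed.
            cvm_required=amount > limits.cvm_required_limit,
            # Optional cumulative check: add the last logged amount for the same card.
            online_required_by_limit=(amount + last_logged_same_card) > limits.floor_limit,
        )
    # Limit exceeded for every PayPass application: prompt for another technology.
    return LimitOutcome(None, True, False, False)
```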

Maestro PayPass Limits

For Maestro PayPass, in a given market, one of the following scenarios will
apply:

• The Terminal Contactless Transaction Limit and Terminal CVM Required
Limit have the same value. Collectively they are referred to as the ceiling
limit and their value is defined in the Maestro Global Rules. All Maestro
PayPass transactions are completed with no cardholder verification.
• There is no maximum transaction amount. Transactions may be completed
above the Terminal CVM Required Limit. A merchant must ensure that
Online PIN or On-Device Cardholder Verification is performed to protect
against chargebacks.

Details of the markets where transactions above the ceiling limit are allowed
are shown in the Maestro Global Rules.


PayPass Mode Selection

The cardholder decides whether to use PayPass or an alternative interface on
the card. The terminal does not drive this decision.

If the cardholder chooses to use PayPass, and both the card and terminal
support PayPass—M/Chip, then this mode must be used to complete the
transaction.

R ALL For PayPass transactions, the PayPass—M/Chip transaction mode must
be used if both the card and terminal support it.

Data Usage

PayPass acquirers must only use data read from the contactless interface for
PayPass transactions. Data obtained from the contactless interface must not be
used for another payment transaction type.

R ALL Data read from the contactless interface must not be used for payment
transactions other than PayPass. This restriction does not include
refunds and transit debt recovery.

Acquirers must take care to manage cardholder data retrieved during a
transaction in a secure manner. This means respecting industry practices such
as PCI DSS and any applicable local privacy laws.

Acquirers should also be aware that any merchant data written to a card during
a transaction may be retrieved later by a third party. The data stored must
therefore respect local privacy laws.

R ALL Acquirers must handle cardholder data in a secure manner. This
includes compliance with PCI DSS and local privacy laws.
R ALL Acquirers must respect local privacy laws when storing data on the
card.

Track Data Consistency

For PayPass—Mag Stripe transactions, some POS systems collect Track 1 data,
truncate it, and process it as Track 2. PayPass Track 1 and Track 2 data may be
different. For this reason, merchants and acquirers must make sure that Track 1
data is processed as Track 1 and Track 2 data is processed as Track 2. If data
from one track is presented as the other, this may cause the transaction to be
rejected by the card issuer as the dynamic CVC3 cannot be verified correctly.

Track 2 Equivalent Data is mandatory for PayPass—M/Chip transactions. It
must be transmitted to the issuer in every authorization message.


R ALL Merchants and acquirers must make sure that Track 1 Data is processed
as Track 1 and Track 2 Data is processed as Track 2.
R ALL Track 2 Equivalent Data must be used in the authorization request
for PayPass—M/Chip transactions.

Service Codes

MasterCard PayPass issuers may choose to use service code values in the
PayPass data different from those typically used for magnetic stripe cards.

A service code read during the PayPass transaction that indicates the presence
of a chip card does not mean that the terminal must prompt for an EMV contact
chip transaction.

A service code read during the PayPass transaction indicating that PIN is
required does not mean that PIN is required for a PayPass transaction below
the chargeback protection amount.

A service code read during the PayPass transaction indicating that the
transaction must be processed online does not mean that the terminal must
seek online authorization for transactions below the appropriate floor limit.

R ALL Terminals must not prompt for an EMV contact chip transaction just
because the service code read during the PayPass transaction indicates
a chip is present on the card.
R ALL Terminals must not prompt for PIN for transactions less than or equal
to the chargeback protection amount just because the service code
read during the PayPass transaction indicates that a PIN is required.
R ALL Terminals must not seek online authorization just because the service
code read during the PayPass transaction indicates that the card is
online only.

Cardholder Name

PayPass cards must not include the cardholder name in the data read through
the contactless interface. POS systems that normally obtain and make use of the
cardholder name from Track 1 data obtained from a magnetic stripe read must
be able to accommodate this difference.

R ALL Terminals that process Track 1 data must be able to handle the data
without a fully populated cardholder name.

Application Selection

Terminals must maintain an independent list of AIDs accepted by the terminal
for PayPass.


The highest priority available payment application is selected automatically by
the PayPass terminal. PayPass terminals must support application selection
without cardholder assistance. If priorities have not been set in the card, then
the application selected will be determined by the terminal.

Cardholder confirmation must not be supported by the terminal for PayPass
transactions.

R ALL Terminals must maintain an independent list of all AIDs supported
through the contactless interface.
R ALL Terminals must support application selection without cardholder
assistance.
R ALL Terminals must not support cardholder confirmation.

The AID value used for PayPass is the same AID used for the contact interface.
There are no specific AIDs for PayPass.

Supported AIDs are:

• MasterCard ‘A0000000041010’
• Maestro ‘A0000000043060’

An application on the card can be selected by the terminal if the ADF is
identical to, or begins with, an AID supported by the terminal. PIX extensions
may be used by issuers but identification of PayPass cards uses the product AID
irrespective of any extension. Terminals must support partial name matching
for application selection.

R ALL Terminals must support partial name matching during application
selection.
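
Partial name matching and automatic selection by priority, as an added Python example that is not part of the MasterCard document. It assumes the usual EMV convention that priority 1 is highest and 0 means no priority, uses the terminal's own AID order when the card sets no priority, and the PIX extensions in the usage are constructed.

```python
import re

# AIDs accepted over the contactless interface, in the terminal's own order of
# preference (values from the list above; the ordering is an assumption).
CONTACTLESS_AIDS = ("A0000000041010", "A0000000043060")
NO_PRIORITY = 16  # sorts after every real priority value 1..15


def normalise_aid(value):
    """Upper-case hex without spaces; AIDs and ADF names are 5 to 16 bytes."""
    text = value.replace(" ", "").upper()
    if not re.fullmatch(r"(?:[0-9A-F]{2}){5,16}", text):
        raise ValueError(f"not a valid AID or ADF name: {value!r}")
    return text


def select_application(card_apps, terminal_aids=CONTACTLESS_AIDS):
    """Pick one application without cardholder assistance or confirmation.

    card_apps: (ADF name in hex, priority) pairs as read from the card, where
    priority is 1 (highest) to 15, or 0/None when the card sets none.
    Returns (ADF name, matched terminal AID), or None if nothing matches.
    """
    accepted = [normalise_aid(aid) for aid in terminal_aids]
    candidates = []
    for position, (adf_name, priority) in enumerate(card_apps):
        adf = normalise_aid(adf_name)
        for rank, aid in enumerate(accepted):
            # Partial name matching: the ADF name is identical to the AID or
            # begins with it (an issuer PIX extension may follow).
            if adf.startswith(aid):
                candidates.append((priority or NO_PRIORITY, rank, position, adf, aid))
                break
    if not candidates:
        return None
    # Lowest priority number wins; ties and unset priorities fall back to the
    # terminal's AID order, then to the order in which the card listed them.
    _, _, _, adf, aid = min(candidates)
    return adf, aid
```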

Offline Card Authentication


For PayPass—M/Chip:

• PayPass—M/Chip terminals that support On Device Cardholder Verification
must support offline CAM.
• Online only PayPass terminals that do not support On Device Cardholder
Verification do not need to support offline CAM.
• Offline capable PayPass—M/Chip terminals must support offline CAM.
• The only valid offline CAM method for newly deployed PayPass—M/Chip
terminals is CDA.


R ALL PayPass—M/Chip terminals that support On Device Cardholder
Verification must support CDA.
R ALL All offline capable PayPass—M/Chip terminals must support CDA.
R ALL Newly deployed PayPass—M/Chip terminals must not support SDA.

PayPass does not support DDA.

The payment system public keys for PayPass—M/Chip are the same values and
may be shared with those used for MasterCard EMV contact chip transactions.
Terminals must contain all current keys and must be able to store up to six CA
Public Keys per RID.

The terminal must associate each key with the following key-related information
that is used with the key.

• Certification Authority Public Key Check Sum (if required)
• Certification Authority Public Key Exponent
• Certification Authority Public Key Index
• Certification Authority Public Key Modulus

MasterCard test public keys must not be held in operational terminals.

R ALL All offline capable PayPass—M/Chip terminals must hold all the active
and current MasterCard public keys.
R ALL Terminals must only accept keys that the terminal can authenticate as
originating from the genuine acquirer.
R ALL Acquirers must be able to verify that all the appropriate keys are loaded
into all terminals that generate transactions which they acquire.
R ALL Terminals must not hold test public keys that might be used for live
transactions.

This table shows the Payment System Public Keys that are currently in use.

Key Index    Key Length    Expiry Date
04           1152 bits     31 December 2017
05           1408 bits     31 December 2021
06           1984 bits     31 December 2021

Key lengths and expiration dates are reviewed annually. MasterCard notifies
members of any changes in the Global Security Bulletin.


There is no requirement to store the expiry date of keys in the terminal. Expired
keys must be removed from terminals within six months. Where keys are held
in the terminals with an expiry date, it is imperative that keys remain valid until
the published expiry date, as amended from time to time.
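
An acquirer-side audit of the keys reported by one terminal against the table and rules above, as an added Python example that is not part of the MasterCard document. The inventory format and finding names are assumptions, the key material is constructed filler rather than real CA keys, and the check sum follows the EMV convention of SHA-1 over RID, index, modulus and exponent, which this page does not spell out.

```python
import calendar
import hashlib
from datetime import date

MASTERCARD_RID = "A000000004"  # first five bytes of the AIDs listed on this page
# Key index -> (modulus length in bits, expiry date), copied from the table above.
CURRENT_KEYS = {
    "04": (1152, date(2017, 12, 31)),
    "05": (1408, date(2021, 12, 31)),
    "06": (1984, date(2021, 12, 31)),
}
MAX_KEYS_PER_RID = 6


def key_checksum(rid, index, modulus, exponent):
    """SHA-1 over RID || index || modulus || exponent (EMV convention, assumed)."""
    data = bytes.fromhex(rid + index) + modulus + exponent
    return hashlib.sha1(data).hexdigest().upper()


def removal_deadline(expiry):
    """Last day an expired key may stay loaded: six calendar months after expiry."""
    months = expiry.month + 6
    year = expiry.year + (months - 1) // 12
    month = (months - 1) % 12 + 1
    day = min(expiry.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def sample_key(index, bits):
    """Constructed placeholder key material of the right size; not a real CA key."""
    modulus, exponent = bytes([0xC1]) * (bits // 8), b"\x03"
    return {"rid": MASTERCARD_RID, "index": index, "modulus": modulus,
            "exponent": exponent,
            "checksum": key_checksum(MASTERCARD_RID, index, modulus, exponent)}


def audit_key_store(keys, today):
    """Return sorted (key index, finding) pairs for one terminal's MasterCard keys."""
    findings = set()
    loaded = [k for k in keys if k["rid"] == MASTERCARD_RID]
    if len(loaded) > MAX_KEYS_PER_RID:
        findings.add(("*", "too_many_keys"))
    for key in loaded:
        index = key["index"]
        if index not in CURRENT_KEYS:
            # Not in the published table: a test key or a withdrawn key.
            findings.add((index, "unlisted_index"))
            continue
        bits, expiry = CURRENT_KEYS[index]
        if len(key["modulus"]) * 8 != bits:
            findings.add((index, "length_mismatch"))
        if not key["exponent"]:
            findings.add((index, "missing_exponent"))
        expected = key_checksum(key["rid"], index, key["modulus"], key["exponent"])
        if key.get("checksum") and key["checksum"].upper() != expected:
            findings.add((index, "checksum_mismatch"))
        if today > removal_deadline(expiry):
            findings.add((index, "expired_not_removed"))
    held = {k["index"] for k in loaded}
    for index, (_, expiry) in CURRENT_KEYS.items():
        if today <= expiry and index not in held:
            findings.add((index, "missing_current_key"))
    return sorted(findings)
```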

Cardholder Verification
Cardholder verification is not required for a PayPass transaction less than or
equal to the chargeback protection amount.

To benefit from chargeback protection, the PayPass transaction must be
properly identified in authorization and clearing records.

For transactions greater than the chargeback protection amount, a CVM is
required. If transactions are completed without cardholder verification and
are above the chargeback protection amount, then the acquirer may be liable
for disputed transactions. Merchants should request cardholder verification
above this value.

Maestro terminals that accept contactless transactions above the ceiling limit
with cardholder verification must not accept transactions above the ceiling
limit with no cardholder verification.
NOTE
There are some MCCs where no CVM has been part of the product proposition
above the chargeback protection amount up to a specific transaction limit:
tollways, parking, etc.

For MasterCard PayPass, if an attended terminal supports transactions greater
than the chargeback protection amount, then the terminal:

• Must support signature
• Should support Online PIN
• Should support On Device Cardholder Verification

For Maestro PayPass, attended terminals that support transactions above the
ceiling limit:

• Must support Online PIN
• Should support On Device Cardholder Verification

Attended terminals in the Europe region that are capable of accepting
contactless chip transactions above the chargeback protection amount must
support one or both of the following PIN verification methods.

• Online PIN
• On Device Cardholder Verification


Acquirers and merchants that currently support Online PIN should also support
On Device Cardholder Verification.

For PayPass—M/Chip transactions, the reader must complete CVM Processing
for all transaction amounts, both above and below the Terminal CVM Required
Limit. The CVM is determined by the CVM List or other data supplied by the
card and the CVM capabilities indicated by the PayPass reader application of
the terminal. The CVM capabilities may be different above and below the
Terminal CVM Required Limit.

The use of No CVM must be positively identified by the EMV process. It does
not mean skip CVM processing.

PayPass terminals must not permit PIN Entry Bypass.

PayPass terminals must not support offline PIN on the contactless interface.
Offline PIN may be supported at the same terminal but only for EMV contact
chip transactions. Terminals must ensure that offline PIN is never selected as
the CVM for a PayPass transaction.

BP ALL PayPass—M/Chip terminals, except CAT Level 1 terminals, should not
request cardholder verification for transactions less than or equal to
the chargeback protection amount.
R MC MasterCard PayPass—M/Chip terminals must not support No CVM for
transactions greater than the chargeback protection amount.
R MC Attended MasterCard PayPass terminals must support Signature for
transactions greater than the chargeback protection amount.
BP MC MasterCard PayPass terminals that support transactions greater than the
chargeback protection amount should support Online PIN.
BP MC MasterCard PayPass terminals should support On Device Cardholder
Verification for transactions greater than the chargeback protection
amount.
R MS Maestro PayPass terminals must support No CVM for transactions less
than or equal to the ceiling limit.
R MS Maestro PayPass terminals must not support No CVM for transactions
greater than the ceiling limit.
R MS Maestro PayPass terminals in markets that support transactions greater
than the ceiling limit must support online PIN.
BP MS Maestro PayPass terminals in markets that support transactions greater
than the ceiling limit should support On Device Cardholder Verification.
R ALL PayPass terminals must not perform PIN Entry Bypass.


R MC Attended terminals in the Europe region that are capable of accepting
contactless chip transactions above the chargeback protection amount
must support either Online PIN or On Device Cardholder Verification,
or both.
R ALL Terminals must not request offline PIN for PayPass transactions.

For PayPass—Mag Stripe transactions, the CVM is determined by the terminal.

Purchase with Cash Back transactions must be completed with cardholder
verification, regardless of the amount. ATM transactions must be verified by
online PIN.

R MC MasterCard PayPass Purchase with Cash Back transactions require
cardholder verification, regardless of the amount.
R ALL ATM transactions must be verified by online PIN.

CAT Level 1 terminals must support online PIN for all PayPass transactions, and
may also support On Device Cardholder Verification.

CAT Level 2 and CAT Level 3 terminals must use No CVM for all PayPass
transactions.

Dual capability devices may be deployed (see section on Cardholder Activated
Terminals).

R ALL CAT Level 1 terminals must support online PIN and may also support
On Device Cardholder Verification.
R ALL CAT Level 2 and CAT Level 3 terminals must support only No CVM
for PayPass transactions.

When online PIN is used to verify the cardholder, if the authorization is declined
by the issuer because the PIN is incorrect, the transaction should be restarted
and the cardholder prompted to re-enter their PIN.

BP ALL If an online authorization is declined by the issuer because of an
incorrect PIN, then a new PayPass transaction should be started.

When online PIN is the chosen cardholder verification method for the
transaction, the PIN must be entered or the transaction will be terminated.
Termination occurs when PIN entry is canceled or the terminal times out.

R ALL While waiting for PIN entry, if PIN entry is canceled by the cardholder
or merchant or if the terminal times out, then the transaction must
be terminated.


If a signature is required for cardholder verification, this may be captured on a
receipt or electronically. When the PayPass cardholder device does not carry
the customer signature and signature verification is required, the signature
must be verified against either the companion card or some form of formal
identification. Formal identification must include a specimen signature and
be confirmed as belonging to the same cardholder. If this is not available,
the PayPass transaction must be cancelled or completed with no cardholder
verification at the acquirer's risk.

R MC If Signature is the chosen CVM for the transaction, but there is no
signature panel on the cardholder device, the merchant must check the
signature provided against some form of formal identification.
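
The cardholder verification requirements of this section written as a configuration check that reports each breach with the document's own R or BP grade, shown on a weak configuration and its corrected form in the usage. This is an added Python example, not part of the MasterCard document; the `CvmConfig` fields and finding names are assumptions, and it covers attended terminals only.

```python
from dataclasses import dataclass

NO_CVM, SIGNATURE, ONLINE_PIN = "NO_CVM", "SIGNATURE", "ONLINE_PIN"
ON_DEVICE, OFFLINE_PIN = "ON_DEVICE_CV", "OFFLINE_PIN"


@dataclass(frozen=True)
class CvmConfig:
    """Contactless CVM capabilities of one attended terminal (hypothetical model)."""
    product: str               # "MC" (MasterCard PayPass) or "MS" (Maestro PayPass)
    europe: bool               # deployed in the Europe region
    allows_above_limit: bool   # accepts amounts above the Terminal CVM Required Limit
    below: frozenset           # CVMs offered at or below the limit
    above: frozenset           # CVMs offered above the limit
    pin_entry_bypass: bool = False


def lint_cvm_config(cfg):
    """Return sorted (grade, finding) pairs; an empty list means no breach found."""
    found = set()
    # Offline PIN must never be selectable on the contactless interface.
    if OFFLINE_PIN in cfg.below | cfg.above:
        found.add(("R", "offline_pin_on_contactless"))
    if cfg.pin_entry_bypass:
        found.add(("R", "pin_entry_bypass"))
    # At or below the limit only No CVM may be indicated.
    if cfg.below != frozenset({NO_CVM}):
        found.add(("R", "below_limit_not_no_cvm_only"))
    if cfg.allows_above_limit:
        if NO_CVM in cfg.above:
            found.add(("R", "no_cvm_above_limit"))
        if ON_DEVICE not in cfg.above:
            found.add(("BP", "on_device_cv_missing"))
        if cfg.product == "MC":
            if SIGNATURE not in cfg.above:
                found.add(("R", "mc_signature_missing"))
            if ONLINE_PIN not in cfg.above:
                found.add(("BP", "mc_online_pin_missing"))
            if cfg.europe and not {ONLINE_PIN, ON_DEVICE} & cfg.above:
                found.add(("R", "europe_pin_method_missing"))
        elif cfg.product == "MS" and ONLINE_PIN not in cfg.above:
            found.add(("R", "ms_online_pin_missing"))
    return sorted(found)


# Constructed configurations: a weak one and its corrected form.
WEAK = CvmConfig("MC", True, True, frozenset({NO_CVM}),
                 frozenset({NO_CVM, SIGNATURE, OFFLINE_PIN}), pin_entry_bypass=True)
CORRECTED = CvmConfig("MC", True, True, frozenset({NO_CVM}),
                      frozenset({SIGNATURE, ONLINE_PIN, ON_DEVICE}))
```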

Terminal Risk Management


Exception File Checking by the terminal is optional for PayPass transactions. It
may be done after the communication with the card is finished.

The current terminal application version number for PayPass—M/Chip is '0002'.

PayPass terminals may perform a cumulative floor limit check by adding the
last transaction in the terminal log file, if present and if performed by the
same card, to the current transaction amount and comparing the total with
the Terminal Contactless Floor Limit.

Neither Velocity Checking by the terminal nor Random Transaction Selection is
performed for PayPass transactions.

R ALL The terminal application version number for PayPass—M/Chip must
be set to '0002'.

Terminal Action Codes


The Terminal Action Codes (TACs) indicate the acquirer’s conditions that
determine if the PayPass transaction will be declined or sent online.

The mandatory TACs used for PayPass purchase transactions are provided
in Data Requirements.

If the terminal supports EMV contact chip transactions, the terminal must
maintain the PayPass TACs independently.

R ALL The terminal must maintain TACs for use in PayPass transactions
independent of other interfaces.


Authorization Responses
If a response to an authorization is not received, transactions are approved
at the acquirer's risk.

For PayPass—M/Chip there is no second terminal or card risk management
possible, as there is for EMV contact chip transactions.

Referrals or Call Me issuer responses are not required to be supported by
acquirers for PayPass. Referral responses may be declined by the acquirer
or merchant.

Retaining the card at an attended terminal is optional as it may be impractical
for an attendant to retain a card that is not initially handed over to the merchant
during payment.

Cardholder Receipts
For transactions less than or equal to the Terminal CVM Required Limit, a
PayPass merchant, card acceptor, must make a receipt available if requested by
the cardholder. This means the facility to produce receipts must be available
unless some special circumstances apply. Refer to MasterCard Rules and
Maestro Global Rules for exemptions.

Receipts may be offered at the end of a transaction, rather than the cardholder
or merchant needing to confirm if they would like a receipt before continuing.

Above the Terminal CVM Required Limit, a receipt must always be provided if
the terminal has that capability.

Any receipt should specifically identify PayPass transactions. The input method
should be shown as Contactless, CONTACTLESS, or RF for PayPass transactions.

R ALL A cardholder receipt must be available for transactions less than the
chargeback protection amount on cardholder request if the terminal
supports receipt printing.
R ALL A cardholder receipt must be provided for transactions above the
chargeback protection amount if the terminal supports receipt printing.
BP ALL Terminals should not routinely produce receipts for transactions less
than the chargeback protection amount.
BP ALL Cardholder receipts should identify contactless transactions by
indicating 'Contactless', 'CONTACTLESS' or 'RF'.


Subsequent Contact Transactions


If a PayPass—M/Chip transaction is processed to completion and results in a
decline, then, if supported by both card and terminal, the PayPass terminal
must prompt for a contact transaction to be performed. The decision to decline
the transaction may be taken by the card, terminal or issuer. It is not to be
assumed that the transaction will be declined when the same card is used in
a contact transaction.

The new transaction may be attempted using a different card read method
supported by both the card and the terminal in the order of preference of:

• EMV contact chip
• Magnetic stripe (swipe)

These transactions are authorized according to the current payment product
rules for the technology. There are no changes to network messages to identify
these transactions as having previously been attempted using the contactless
interface. There are no PayPass technical fallback transactions.

R ALL If a contact interface is available, PayPass terminals must prompt for
a contact transaction when a PayPass transaction is declined by the
card, terminal, or issuer.

Terminated Transactions
A terminal may allow a merchant to cancel a transaction:

• For a PayPass—M/Chip transaction, before the GENERATE AC command
is issued

OR

• Before the terminal has requested an online authorization

The terminal should monitor the number of aborted transactions. If the
frequency is high it is likely that a fraudster is trying to get a specific value of
the Unpredictable Number. The terminal should take appropriate measures to
reduce the risks of an attack, such as introducing wait times after three aborted
transactions.

BP ALL The terminal should take appropriate measures to reduce the risks of
an attack using aborted transactions.
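
One way to implement the wait times described above, as an added Python example rather than anything specified by MasterCard. The 60-second window, the doubling delay and its 30-second cap are assumptions; only the threshold of three aborted transactions comes from the text.

```python
from collections import deque


class AbortMonitor:
    """Tracks aborted contactless transactions and imposes a growing wait.

    Timestamps are passed in as seconds (for example from time.monotonic())
    so the logic can be exercised without a real clock.
    """

    def __init__(self, threshold=3, window_s=60.0, base_wait_s=2.0, max_wait_s=30.0):
        self.threshold = threshold      # aborts tolerated before waits begin
        self.window_s = window_s        # how long an abort stays counted
        self.base_wait_s = base_wait_s  # wait imposed at the threshold
        self.max_wait_s = max_wait_s    # cap so the terminal stays usable
        self.aborts = deque()

    def prune(self, now):
        """Forget aborts that have aged out of the monitoring window."""
        while self.aborts and now - self.aborts[0] > self.window_s:
            self.aborts.popleft()

    def wait_for_count(self, count):
        """Wait in seconds for a given number of recent aborts."""
        if count < self.threshold:
            return 0.0
        return min(self.max_wait_s, self.base_wait_s * 2 ** (count - self.threshold))

    def record_abort(self, now):
        """Register an aborted transaction; returns the wait now in force."""
        self.prune(now)
        self.aborts.append(now)
        return self.wait_for_count(len(self.aborts))

    def wait_remaining(self, now):
        """Seconds the terminal must still wait before starting a transaction."""
        self.prune(now)
        if not self.aborts:
            return 0.0
        wait = self.wait_for_count(len(self.aborts))
        return max(0.0, self.aborts[-1] + wait - now)

    def suspicious(self, now):
        """True while the abort frequency is high enough to report upstream."""
        self.prune(now)
        return len(self.aborts) >= self.threshold
```

Completed transactions deliberately do not reset the counter, so interleaving one successful payment does not clear the wait.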

Cardholder Activated Terminals


For MasterCard PayPass transactions at Cardholder Activated Terminals:


• For CAT Level 1 terminals, the CVM is either Online PIN or On Device
Cardholder Verification as offline PIN is not supported for PayPass and
signature is not possible at an unattended terminal
• For CAT Level 2, Level 3, and Level 4 terminals, it is recommended that the
Terminal CVM Required Limit and Terminal Contactless Transaction Limit
be set to the maximum allowed transaction value appropriate for these
devices, and where indicated in the Chargeback Guide

BP ALL On unattended terminals that do not require cardholder verification, the
Terminal CVM Required Limit and the Terminal Contactless Transaction
Limit should be set to the maximum allowed transaction value.

Unattended terminals may operate at different levels according to the value of
the transaction. For example, it is possible to operate as a CAT Level 2 terminal
allowing transactions without cardholder verification up to the chargeback
protection amount, and to operate as a CAT Level 1 terminal requiring Online
PIN above the chargeback protection amount. This is achieved by setting the
Terminal CVM Required Limit to the chargeback protection amount. These
terminals are known as dual capability devices.

BP MC Dual capability devices should be deployed rather than CAT Level 1
terminals enabling low value PayPass transactions to be completed
with no cardholder verification.

Automated Teller Machines


PayPass terminals may be deployed to provide contactless interface functionality
for ATMs.

Requirements and recommendations regarding the deployment of contactless
functionality on ATMs are discussed in MasterCard Contactless ATM
Implementation Requirements.

Vending Machines
PayPass-only payment acceptance is permitted on vending machines identified
with Merchant Category Code 5499.

Such vending machines can operate with one of two possible purchasing
processes:

• "select first", where the goods or service to be purchased are selected
before payment is made
• "credit first", where the payment is made before selecting the goods or
service


Acquirers should note that only PayPass readers installed on vending machines
using a “select first” ordering and payment process will be capable of supporting
both online and offline authorization of contactless transactions. Such readers
may also behave as offline only or online only.

PayPass readers installed on "credit first" vending machines cannot authorize
contactless transactions offline and consequently must always request online
authorization.

R ALL PayPass-enabled vending machines that operate as "credit first" must
always request online authorization.
R ALL Offline capable PayPass-enabled vending machines must operate as
"select first".

Acquirer Network Requirements


Acquirers and merchants must support changes to transaction messages,
intervening systems and networks indicating that a PayPass transaction has
occurred.

Data Elements

Acquirer databases must also identify the terminal as being PayPass capable.
This impacts DE 61 and DE 22 in authorization messages and DE 22 in clearing
messages. Other data elements contain the same data values as for existing
transactions.

PayPass transactions from PayPass—M/Chip terminals are either:

• PayPass—M/Chip transactions with the same data elements as current chip
transactions

OR

• PayPass—Mag Stripe transactions with the same data elements as current
magnetic stripe transactions

PayPass transactions from PayPass—Mag Stripe terminals are always
PayPass—Mag Stripe transactions with the same data elements as current
magnetic stripe transactions.

Acquirers who deploy PayPass—M/Chip terminals must be Full Grade
acquirers. Partial Grade acquirers must migrate to Full Grade chip acquiring
and carry all of the minimum data set required. Full Grade acquirers provide
DE 55 in the authorization request messages.

For PayPass—M/Chip transactions, it is not required to deliver issuer
authorization response chip data, including Issuer Scripts, to the terminal in the
authorization response. If the data is returned to the terminal then the terminal
does not process the data. The terminal is not required to retain the data.


Authorization Performance

The benefits of MasterCard PayPass are maximized when used with high-speed
authorization lines.

Authorization Responses

Referrals are not required to be supported by acquirers for PayPass transactions.
Any referral response received may be treated as a decline.

Service Codes

MasterCard PayPass issuers may choose to use service code values in the
PayPass application different from those typically used for magnetic stripe
cards. For this reason acquirers need to ensure that all processing systems
support all service codes.

BP ALL Acquirers should ensure that processing systems support all service
codes that could be used in PayPass transactions.

Authorization Requirements
Specific values in existing subfields within the authorization message specify
the terminal capability, DE 61, and the profile of operation, DE 22.

Authorization Messages

PayPass transactions require new values in these data elements in authorization
messages:

• DE 22, subelement 1: a value of 07 is used for a contactless M/Chip
transaction and a value of 91 is used for a contactless magnetic stripe
transaction, even if performed at a PayPass—M/Chip terminal.
• DE 61, subelement 11: a value of 3 is used for any transaction at a contactless
M/Chip terminal (the terminal may also be contactless magnetic stripe
capable), and a value of 4 is used for any transaction at a contactless
magnetic stripe terminal.

Terminals and other parts of the acquirer system must be able to determine
when transaction data has been obtained using the contactless interface in
order to properly process and identify the transaction to the issuer.

Acquirers should capture the Device Type indicator where present on a PayPass
device and send this to the issuer in DE 48 (Additional Data), subelement 23
(Payment Initiation Channel). The Device Type indicator may be included in
the Third Party Data.

Acquirers must support full-grade EMV for all PayPass—M/Chip
implementations. Partial grade acquiring is not permitted. For PayPass—M/Chip
transactions, DE 55 is mandatory in authorization messages.


Requirements for acquirer generated reversals for online authorizations are
for current processing.

R ALL Acquirers must process on their network interface and host system
PayPass transactions as described above.
R ALL Acquirers must be full grade.
BP ALL Acquirers should include the Device Type indicator, where present, in
the authorization message.
R ALL If the Device Type is retrieved in a PayPass transaction, U.S. region
acquirers must transmit it in DE 48 of authorization messages.
R ALL Effective 18 October 2014, if the Device Type is retrieved in a PayPass
transaction, Canada region acquirers must transmit it in DE 48 of
authorization messages.

Clearing Requirements
Clearing Messages

Specific values in existing subfields within the clearing message specify the
data input capability and the data input profile, DE 22. PayPass transactions
require new values in these subfields.

DE 22, subfield 1 identifies the terminal capabilities and must contain:

• the value of M for a transaction at a PayPass—M/Chip terminal (the terminal
may also be PayPass—Mag Stripe capable)
• the value of A for a transaction at a PayPass—Mag Stripe terminal

DE 22, subfield 7 identifies the card data input profile for this transaction and
must contain:

• the value of M for a PayPass—M/Chip transaction
• the value of A for a PayPass—Mag Stripe transaction

For PayPass—M/Chip transactions, DE 55 is mandatory in clearing.
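The identification rules above for authorization and clearing messages can be checked mechanically on an acquirer host. The Python sketch below is an added example, not part of the MasterCard document: the dictionary keys and function names are assumptions standing in for already-parsed message fields, and the cross-checks between terminal capability and card data input are inferences from the values listed above.

```python
# Added example. The dict keys are assumed names for already-parsed fields;
# the code values are the ones listed in this section.
AUTH_ENTRY = {"07": "mchip", "91": "magstripe"}     # DE 22, subelement 1
AUTH_TERMINAL = {"3": "mchip", "4": "magstripe"}    # DE 61, subelement 11
CLEARING = {"M": "mchip", "A": "magstripe"}         # DE 22, subfields 1 and 7


def _check(stage, entry, terminal, has_de55):
    """entry = how the card data was read, terminal = terminal capability."""
    if entry is None or terminal is None:
        return [f"{stage}: not identified as a PayPass transaction"]
    findings = []
    if entry == "mchip" and terminal == "magstripe":
        findings.append(f"{stage}: M/Chip transaction at a Mag Stripe terminal")
    if entry == "mchip" and not has_de55:
        findings.append(f"{stage}: DE 55 missing for an M/Chip transaction")
    return findings


def check_authorization(msg):
    return _check("authorization", AUTH_ENTRY.get(msg.get("de22_se1")),
                  AUTH_TERMINAL.get(msg.get("de61_se11")), bool(msg.get("de55")))


def check_clearing(msg):
    return _check("clearing", CLEARING.get(msg.get("de22_sf7")),
                  CLEARING.get(msg.get("de22_sf1")), bool(msg.get("de55")))


def check_pair(auth, clearing):
    """Also require both messages to describe the same card data input."""
    findings = check_authorization(auth) + check_clearing(clearing)
    if AUTH_ENTRY.get(auth.get("de22_se1")) != CLEARING.get(clearing.get("de22_sf7")):
        findings.append("authorization and clearing disagree on card data input")
    return findings


# Constructed sample messages (the DE 55 content is a placeholder, not chip data).
AUTH_OK = {"de22_se1": "07", "de61_se11": "3", "de55": "<chip data>"}
AUTH_BAD = {"de22_se1": "07", "de61_se11": "4"}
AUTH_MAG = {"de22_se1": "91", "de61_se11": "3"}     # mag stripe mode, M/Chip terminal
CLR_OK = {"de22_sf1": "M", "de22_sf7": "M", "de55": "<chip data>"}
CLR_MAG = {"de22_sf1": "M", "de22_sf7": "A"}

if __name__ == "__main__":
    for name, result in [("AUTH_OK", check_authorization(AUTH_OK)),
                         ("AUTH_BAD", check_authorization(AUTH_BAD)),
                         ("pair", check_pair(AUTH_OK, CLR_MAG))]:
        print(name, result or "consistent")
```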

No aggregation or truncation of PayPass transactions is permitted, except in
certain transit situations, as documented in the MasterCard Rules and Maestro
Global Rules.

R ALL Acquirers must process on their clearing interface and host system
PayPass transactions as described above.
BP ALL If the Device Type is retrieved from the card during a transaction,
acquirers should include it in private data subelement (PDS) 0198 of
the First Presentment/1240 message.


R ALL If the Device Type is retrieved in a PayPass transaction, U.S. region
acquirers must transmit it in private data subelement (PDS) 0198
(Device Type Indicator) of First Presentment/1240 messages.
R ALL Effective 18 October 2014, if the Device Type is retrieved in a
PayPass transaction, Canada region acquirers must transmit it in
private data subelement (PDS) 0198 (Device Type Indicator) of First
Presentment/1240 messages.

Exception Processing
Acquirers do not need to fulfill a retrieval request for a transaction identified as
a PayPass transaction that is equal to or less than the chargeback protection
amount, except in certain transit situations.

No new chargeback reason codes have been introduced to support PayPass.
Updates to the existing reason codes are documented in the Chargeback Guide
or in the Maestro Global Rules.

A properly identified PayPass transaction that is less than or equal to the
applicable chargeback protection amount is protected against chargebacks
using the following message reason codes.

Message Reason Code  Description

4801                 Requested Transaction Data Not Received
4802                 Requested/Required Information Illegible or Missing
4837                 No Cardholder Authorization

For message reason code 4837 - No Cardholder Authorization the transaction
must be properly authorized, offline by a chip or online by the issuer, for
protection against chargeback.

On-behalf Services
MasterCard offers the PayPass Mapping Service—an optional service that helps
issuers process different PayPass account numbers by translating them into
primary account numbers that can be processed with minimal impact.

R ALL Acquirer host systems must be able to process PayPass transactions
that make use of the MasterCard PayPass Mapping Service. Refer to
the PayPass On-behalf Services Guide for more information.

Chapter 5 Data Requirements
This section defines data requirements for PayPass.

Terminal Action Codes
Payment Scheme Specific Data Objects
    Third Party Data
    Application Capabilities Information


Terminal Action Codes


Chip terminals must use the TAC settings defined in this document for PayPass
transactions.

As PayPass terminals never perform the 2nd GENERATE AC command, the
IAC—Default and TAC—Default are never applicable at online capable terminals.
For PayPass transactions, if an online authorization is incomplete, then the
transaction is declined.

The IAC—Default and TAC—Default are used at offline only terminals.

Required and recommended values of IACs are provided in the PayPass
Personalization Data Specification manual.

MasterCard and Maestro PayPass Terminal Action Codes for Online Capable Terminals

Byte/Bit     Meaning                                               Denial  Online  Default

Byte 1  8    Offline Data Authentication was not performed         0       1       1
        7    Offline SDA failed                                    0       1       1
        6    ICC data missing                                      0       1       1
        5    ICC on Hot Card File                                  0       1       1
        4    Offline DDA failed                                    0       1       1
        3    Combined DDA/AC Generation failed                     0       1       1
        2–1  RFU                                                   0       0       0
Byte 2  8    ICC & Terminal have different App Version Numbers     0       0       0
        7    Expired application                                   0       1       1
        6    Application not yet effective                         0       0       0
        5    Service not allowed for card product                  0       1       1
        4    New Card                                              0       0       0
        3–1  RFU                                                   0       0       0
Byte 3  8    Cardholder verification failed (see exception below)  0       1       1
        7    Unrecognized CVM                                      0       0       0
        6    PIN try limit exceeded                                0       0       0
        5    PIN req but PIN pad not present/not working           0       1       1
        4    PIN req, PIN pad present but PIN not entered          0       1       1
        3    Online PIN entered                                    0       1       1
        2–1  RFU                                                   0       0       0
Byte 4  8    Transaction exceeds floor limit                       0       1       1
        7    LCOL exceeded                                         0       0       0
        6    UCOL exceeded                                         0       0       0
        5    Randomly selected for online processing               0       0       0
        4    Merchant forced transaction online                    0       1       1
        3–1  RFU                                                   0       0       0
Byte 5  8    Default TDOL used                                     0       0       0
        7    Issuer Authentication Unsuccessful                    0       0       0
        6    Script failed before final cryptogram                 0       0       0
        5    Script failed after final cryptogram                  0       0       0
        4–1  RFU                                                   0       0       0

• Terminal Action Code—Denial: ‘0000000000’
• Terminal Action Code—Online: ‘FC509C8800’
• Terminal Action Code—Default: ‘FC509C8800’

For MasterCard PayPass and Maestro PayPass on online capable terminals
that do not support online PIN verification, the settings in the following table
must be used.

Byte/Bit     Meaning                                               Denial  Online  Default

Byte 3  6    PIN try limit exceeded                                0       0       0
Byte 3  5    PIN req but PIN pad not present/not working           0       0       0
Byte 3  4    PIN req, PIN pad present but PIN not entered          0       0       0
Byte 3  3    Online PIN entered                                    0       0       0

• Terminal Action Code—Denial: ‘0000000000’
• Terminal Action Code—Online: ‘FC50808800’
• Terminal Action Code—Default: ‘FC50808800’


For Maestro PayPass in markets that support Online PIN for transactions greater
than the ceiling limit, the following settings must be used:

Byte/Bit     Meaning                                               Denial  Online  Default

Byte 3  8    Cardholder verification failed                        1       0       0

• Terminal Action Code—Denial: ‘0000800000’
• Terminal Action Code—Online: ‘FC501C8800’
• Terminal Action Code—Default: ‘FC501C8800’

MasterCard and Maestro PayPass Terminal Action Codes for Offline Only Terminals

Byte/Bit     Meaning                                               Denial  Online  Default

Byte 1  8    Offline Data Authentication was not performed         1       0       0
        7    Offline SDA failed                                    1       0       0
        6    ICC data missing                                      1       0       0
        5    ICC on Hot Card File                                  1       0       0
        4    Offline DDA failed                                    1       0       0
        3    Combined DDA/AC Generation failed                     1       0       0
        2–1  RFU                                                   0       0       0
Byte 2  8    ICC & Terminal have different App Version Nos         0       0       0
        7    Expired application                                   1       0       0
        6    Application not yet effective                         0       0       0
        5    Service not allowed for card product                  1       0       0
        4    New Card                                              0       0       0
        3–1  RFU                                                   0       0       0
Byte 3  8    Cardholder verification failed                        1       0       0
        7    Unrecognized CVM                                      0       0       0
        6    PIN try limit exceeded                                0       0       0
        5    PIN req but PIN pad not present/not working           0       0       0
        4    PIN req, PIN pad present but PIN not entered          0       0       0
        3    Online PIN entered                                    0       0       0
        2–1  RFU                                                   0       0       0
Byte 4  8    Transaction exceeds floor limit                       1       0       0
        7    LCOL exceeded                                         0       0       0
        6    UCOL exceeded                                         0       0       0
        5    Randomly selected for online processing               0       0       0
        4    Merchant forced transaction online                    0       0       0
        3–1  RFU                                                   0       0       0
Byte 5  8    Default TDOL used                                     0       0       0
        7    Issuer Authentication Unsuccessful                    0       0       0
        6    Script failed before final cryptogram                 0       0       0
        5    Script failed after final cryptogram                  0       0       0
        4–1  RFU                                                   0       0       0

• Terminal Action Code—Denial: ‘FC50808000’
• Terminal Action Code—Online: ‘0000000000’
• Terminal Action Code—Default: ‘0000000000’
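How the TAC hex strings relate to the bit tables, and what each profile makes the terminal request for a given TVR, shown as an added Python example that is not part of the MasterCard document. The profile labels, shortened bit names and function names are assumptions; the decision order is generic EMV terminal action analysis with the card's IACs left out.

```python
# Added example. TVR bit names follow the tables above; the decision order is
# standard EMV terminal action analysis reduced to the TAC contribution (a real
# kernel also ORs in the card's IACs, which this page does not list).
TVR_NAMES = [  # per byte, from bit 8 downward; remaining low bits are RFU
    ["ODA not performed", "SDA failed", "ICC data missing",
     "ICC on Hot Card File", "DDA failed", "CDA failed"],
    ["Different App Version Numbers", "Expired application",
     "Application not yet effective", "Service not allowed", "New Card"],
    ["Cardholder verification failed", "Unrecognized CVM",
     "PIN try limit exceeded", "PIN pad not present/not working",
     "PIN not entered", "Online PIN entered"],
    ["Transaction exceeds floor limit", "LCOL exceeded", "UCOL exceeded",
     "Randomly selected for online", "Merchant forced online"],
    ["Default TDOL used", "Issuer Authentication Unsuccessful",
     "Script failed before final cryptogram",
     "Script failed after final cryptogram"],
]
PROFILES = {  # assumed label: (Denial, Online, Default) as given on this page
    "online_capable": ("0000000000", "FC509C8800", "FC509C8800"),
    "no_online_pin": ("0000000000", "FC50808800", "FC50808800"),
    "maestro_online_pin": ("0000800000", "FC501C8800", "FC501C8800"),
    "offline_only": ("FC50808000", "0000000000", "0000000000"),
}


def decode(hex5):
    """Name every bit set in a 5-byte TAC or TVR given as hex."""
    raw = bytes.fromhex(hex5)
    if len(raw) != 5:
        raise ValueError("TAC/TVR must be exactly 5 bytes")
    out = []
    for i, byte in enumerate(raw):
        for pos in range(8):                      # pos 0 is bit 8 (MSB)
            if byte & (0x80 >> pos):
                name = TVR_NAMES[i][pos] if pos < len(TVR_NAMES[i]) else "RFU"
                out.append(f"byte {i + 1} bit {8 - pos}: {name}")
    return out


def terminal_action(tvr_hex, profile):
    """What the terminal asks the card for; the card may still downgrade it."""
    denial, online, default = (int(t, 16) for t in PROFILES[profile])
    tvr = int.from_bytes(bytes.fromhex(tvr_hex), "big")
    if tvr & denial:
        return "decline"
    if profile == "offline_only":                 # Default applies only here
        return "decline" if tvr & default else "approve_offline"
    return "go_online" if tvr & online else "approve_offline"


if __name__ == "__main__":
    print(decode("FC509C8800"))
    print(terminal_action("0000008000", "online_capable"))
```

Running `decode` over a terminal's configured TAC values and comparing the result with the tables is a quick way to spot a mis-keyed byte during terminal configuration review.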

Payment Scheme Specific Data Objects


This section lists MasterCard defined data objects used between the card and
the terminal for PayPass transactions.

All length indications are given in bytes. Data object formats are binary (b)
or alphanumeric (an).

Third Party Data

Tag           '9F6E'
Length        5–32
Format        b
Descriptions  The Third Party Data contains proprietary information from a third
              party and is coded as shown below. If present in the PayPass card, the
              Third Party Data is returned in the File Control Information Template.
              The Device Type subfield is present when the most significant bit of
              byte 1 of the Unique Identifier is set to 0b. In this case, the maximum
              length of the Proprietary Data field is 26 bytes.
              Third Party Data may be used to communicate the Device Type to the
              terminal, even when there is no Proprietary Data being used. In this
              case a static, default value of '0000' for the Unique Identifier is used.

Third Party Data Format

Data Field         Length       Format  Value

Country Code       2            n3      Country Code according to [ISO 3166-1]
Unique Identifier  2            b       Value assigned by MasterCard, or '0000' if no
                                        Proprietary Data included.
Device Type        0 or 2       an      See table below
Proprietary Data   1–26 or 28   b       Determined by issuer/third party; default value
                                        of '00' if field not used.

Device Type

Device Types are assigned as follows:

Device                                                          Value

Card                                                            00 (NB ASCII value coded as '3030')
Mobile Network Operator (MNO) or controlled removable secure    01
  element (SIM or UICC) personalized for use with a Mobile
  Phone or a Smartphone (1)
Key Fob                                                         02
Watch                                                           03
Mobile Tag                                                      04
Wristband                                                       05
Mobile Phone Case or Sleeve                                     06
Mobile Phone or Smartphone with a permanent secure element      07
  controlled by the MNO, for example CDMA
Removable secure element not controlled by the MNO, for         08
  example SD Card personalized for use with a Mobile Phone or
  Smartphone (1)
Mobile Phone or Smartphone with a permanent secure element      09
  not controlled by the MNO
MNO controlled removable secure element (SIM or UICC)           10
  personalized for use with a tablet or eBook
Tablet or eBook with a permanent secure element controlled      11
  by the MNO
Removable permanent element not controlled by the MNO, for      12
  example SD Card personalized for use with a tablet or eBook
Tablet or eBook with a permanent secure element not             13
  controlled by the MNO
Reserved for future use                                         14–99

(1) As removable secure elements (SE) may be moved from a mobile phone to a tablet or eBook by the
consumer, this value represents the initial intended use of this SE.
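A parser for the Third Party Data value laid out in the tables above, shown as an added Python example that is not part of the MasterCard document. The function name, dictionary keys and shortened device labels are assumptions, the sample values are constructed, and the n3 Country Code is read as BCD digits padded with a leading zero.

```python
# Added example: parser for the value of Third Party Data (tag '9F6E') following
# the layout above. Function name, dict keys and short labels are assumptions.
DEVICE_TYPES = {
    "00": "Card", "01": "Removable SE, MNO controlled (phone)", "02": "Key Fob",
    "03": "Watch", "04": "Mobile Tag", "05": "Wristband",
    "06": "Mobile Phone Case or Sleeve", "07": "Phone, permanent SE, MNO",
    "08": "Removable SE, not MNO (phone)", "09": "Phone, permanent SE, not MNO",
    "10": "Removable SE, MNO controlled (tablet)", "11": "Tablet, permanent SE, MNO",
    "12": "Removable element, not MNO (tablet)", "13": "Tablet, permanent SE, not MNO",
}


def parse_third_party_data(value: bytes) -> dict:
    if not 5 <= len(value) <= 32:
        raise ValueError("Third Party Data must be 5-32 bytes")
    country = value[0:2].hex()                    # n3: BCD digits, left-padded with 0
    if not (country.isdigit() and country[0] == "0"):
        raise ValueError("Country Code is not a 3-digit numeric value")
    unique_id, rest = value[2:4], value[4:]
    device_type = None
    if not unique_id[0] & 0x80:                   # MSB of byte 1 is 0: Device Type present
        if len(rest) < 3:                         # 2 bytes Device Type + at least 1 byte
            raise ValueError("Device Type announced but value is too short")
        device_type, rest = rest[:2].decode("ascii"), rest[2:]
        if not device_type.isdigit():
            raise ValueError("Device Type is not two ASCII digits")
    # The 5-32 byte bound already caps Proprietary Data at 26 (or 28) bytes.
    return {
        "country_code": country[1:],
        "unique_identifier": unique_id.hex().upper(),
        "device_type": device_type,
        "device": None if device_type is None
        else DEVICE_TYPES.get(device_type, "Reserved for future use"),
        "proprietary_data": rest.hex().upper(),
    }


# Constructed values, not taken from a real card.
KEY_FOB = bytes.fromhex("0840" "0000" "3032" "00")   # Device Type only, defaults elsewhere
NO_TYPE = bytes.fromhex("0056" "8001" "A1B2C3")      # Unique Identifier MSB set

if __name__ == "__main__":
    print(parse_third_party_data(KEY_FOB))
    print(parse_third_party_data(NO_TYPE))
```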

Application Capabilities Information

Tag '9F5D'
Length 3
Format b
Descriptions The Application Capabilities Information is an optional data
object included in the File Control Information Template of the
PayPass Card. It lists a number of card features beyond regular
payment and is coded as defined below.


Byte    Bit    Description

Byte 1  b8-5   Version number
               0000: VERSION 0
               Other values: RFU
        b4-1   Data Storage Version Number
               0000: DATA STORAGE NOT SUPPORTED
               0001: VERSION 1
               0010: VERSION 2
               Other values: RFU
Byte 2  b8-4   RFU
        b3     Support for field off detection
        b2     Support for balance reading
        b1     CDA Indicator
               0: CDA SUPPORTED AS IN EMV
               1: CDA SUPPORTED OVER TC, ARQC AND AAC
Byte 3  b8-1   SDS Scheme Indicator
               00000000: Undefined SDS configuration
               00000001: All 10 tags 32 bytes
               00000010: All 10 tags 48 bytes
               00000011: All 10 tags 64 bytes
               00000100: All 10 tags 96 bytes
               00000101: All 10 tags 128 bytes
               00000110: All 10 tags 160 bytes
               00000111: All 10 tags 192 bytes
               00001000: All SDS tags 32 bytes except '9F78' which is 64 bytes
               Other values: RFU

Chapter 6 Abbreviations
This section provides a listing of abbreviations used throughout the manual.


Abbreviations

Abbreviation Description

AAC Application Authentication Cryptogram
ADF Application Definition File
AFL Application File Locator
AID Application Identifier
ARQC Authorization Request Cryptogram
ATC Application Transaction Counter
ATM Automated Teller Machine
CA Certification Authority
CAM Card Authentication Method
CAT Cardholder Activated Terminal
CDA Combined DDA/AC Generation
CDOL Card Risk Management Data Object List
CPV Card Personalization Validation
CVC Card Verification Code
CVC1 Card Verification Code (used for magnetic stripe transactions)
CVC3 Card Verification Code (used for PayPass)
CVM Cardholder Verification Method
DDA Dynamic Data Authentication
DE Data Element
EMV Europay MasterCard Visa
FCI File Control Information
IAC Issuer Action Code
ICC Integrated Circuit Card
ISO International Organization for Standardization
nUN Number of digits of the Unpredictable Number
PIN Personal Identification Number
PIX Proprietary Application Identifier
POS Point of Sale


PPSE Proximity Payment System Environment
PVV PIN Verification Value
RFU Reserved for Future Use
RID Registered Application Provider Identifier
SDA Static Data Authentication
SDS Standalone Data Storage
SFI Short File Identifier
TAC Terminal Action Codes
TC Transaction Cryptogram
TVR Terminal Verification Results
UN Unpredictable Number
