Welcome to

PIN Management for IC Cards Member Implementation Guide

The PIN Management for IC Cards Member Implementation Guide is now available. The Visa *Confidential* label indicates that the information in this document is intended for use by Visa employees, member banks, and external business partners that have signed a Nondisclosure Agreement (NDA) with Visa. This information is not for public release.

Effective:

27 June 2002

PIN Management for IC Cards

Member Implementation Guide

Version 1.0
Effective: 27 June 2002

Visa International 2002 Visa *Confidential*

40060-01

Contents

Contents
About This Guide ....................................................................... 1
Audience ............................................................................................. 1 Scope .................................................................................................. 1 Document Organisation..................................................................... 2 Related Documents ............................................................................ 3 For More Information ........................................................................ 3

1.

Service Overview ............................................................ 11

1.1 1.2 1.3 1.4 Key Concepts........................................................................ 11 Service Features .................................................................. 12 Service Requirements.......................................................... 17 Enrolment Procedures......................................................... 18

2.

Issuer Implementation .................................................... 21

2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 PIN Management Messages................................................ 21 Offline and Online PINs...................................................... 21 Reversals and Advice of Reversals ..................................... 22 Unsafe PINs ......................................................................... 22 PIN Reissuance .................................................................... 23 Cardholder Notification....................................................... 23 Reporting.............................................................................. 23 Integrated Billing ................................................................ 24 Training................................................................................ 24

3.

Acquirer Implementation ................................................ 31

3.1 3.2 3.3 3.4 3.5 PIN Management Messages................................................ 31 ATM Screens ........................................................................ 31 Reporting.............................................................................. 33 Integrated Billing ................................................................ 33 Training................................................................................ 33

4.

Certification Requirements ............................................ 41

4.1 4.2 Certification Environment .................................................. 41 Certification Process............................................................ 42

A. Message Formats and Flows ......................................... A1

A.1 A.2 BASE I Message Formats ...................................................A2 SMS Message Formats ........................................................A9

27 Jun 2002

Visa *Confidential*

PIN Management for IC Cards Member Implementation Guide 40060-01

A.3 A.4

Updated Field Descriptions ..............................................A16 PIN Management Message Flows ....................................A20

B. Certification Scripts ........................................................ B1

B.1 B.2 BASE I Certification Script.................................................B1 SMS Certification Script .....................................................B3

Glossary ..................................................................................... 1

ii

Visa *Confidential*

27 Jun 2002

Figures

Figures
Figure 1-1: PIN Management Message Flow ............................... 12 Figure A-1: PIN Management Request/Response......................A20 Figure A-2: PIN Management Reversal .....................................A21 Figure A-3: Acquirer Not Participating ......................................A22 Figure A-4: Issuer Not Participating .........................................A23 Figure A-5: Issuer Unavailable ...................................................A24 Figure A-6: Time-Out, Issuer Does Not Respond.......................A25 Figure A-7: Message Undeliverable to Acquirer ........................A26 Figure A-8: PIN Management Reversal Issuer Unavailable...........................................................................A27

27 Jun 2002

Visa *Confidential*

PIN Management for IC Cards Member Implementation Guide 40060-01

ii

Visa *Confidential*

27 Jun 2002

Tables

Tables
Table 1-1: Existing Response Codes ............................................. 16 Table 3-1: Existing Response Codes ............................................. 32 Table A-1: BASE I Request/Response...........................................A2 Table A-2: BASE I Reversal ..........................................................A5 Table A-3: BASE I Advice of Reversal ..........................................A7 Table A-4: SMS Request/Response ...............................................A9 Table A-5: SMS Reversal .............................................................A12 Table A-6: SMS Advice of Reversal.............................................A14 Table B-1: BASE I PIN Management Certification Script..........B2 Table B-2: SMS PIN Management Certification Script ..............B4

27 Jun 2002

Visa *Confidential*

PIN Management for IC Cards Member Implementation Guide 40060-01

ii

Visa *Confidential*

27 Jun 2002

About This Guide Audience

About This Guide

This guide is intended to assist Visa Members with implementing PIN Management for single-application integrated circuit (IC) cards in preparation for the UK rollout of offline PIN verification at the point of sale. The EU Region will offer this service on a market-bymarket basis following the initial UK pilot in 2003.

Audience
This guide is directed to staff responsible for implementing PIN Management for IC cards at their financial institution. It assumes that the reader has a basic knowledge of IC cards, ATM processing and the VisaNet V.I.P. System.

Scope
Changes that issuers and acquirers must make to implement PIN Management for IC Cards are addressed in this guide, including those related to: Sending and receiving PIN Management messages Co-ordinating offline and online PINs Developing customer service procedures for cardholders who have forgotten their PINs Designing new ATM screens to accommodate PIN Change/Unlock and PIN Unlock transactions
NOTE: The term PIN Unlock is used in this guide as EU members have elected to use this term at their ATMs and in cardholder materials. The term PIN Unblock is used for the processing code in PIN Management messages and in VisaNet technical documentation to be consistent with EMV and industry standards.

Implications for ATM vendors and third-party processors are mentioned where applicable; however, changes to their systems are outside the scope of this document.

27 Jun 2002

Visa *Confidential*

PIN Management for IC Cards Member Implementation Guide 40060-01

It is assumed that members have already implemented full data option IC card processing; for example, that issuers can send PostIssuance Script commands and acquirers can receive the script commands and transmit them to the IC card at their ATMs.

Document Organisation
The information in this guide is divided into the following chapters and appendices: Chapter 1, Service OverviewDefines PIN management concepts, describes the processing of both PIN Change/Unlock and PIN Unlock messages, and explains the changes to BASE I and Single Message System (SMS) message formats for PIN management. The enrolment procedure for the service is also covered. Chapter 2, Issuer ImplementationSummarises the systems changes needed to implement the service from an issuers perspective, including handling unsafe PINs and alternate routing. Customer service procedures that need to be developed are identified, such as PIN reissuance. Additionally, reporting and training activities are described. Chapter 3, Acquirer ImplementationProvides information on systems changes needed by the acquirer. Reporting and training activities are also covered. Chapter 4, Certification RequirementsExplains the certification environment, as well as requirements for precertification and certification with VisaNet. Appendix A, Message Formats and FlowsProvides PIN Management message formats for BASE I and the Single Message System, as well as message flows for common processing scenarios. Appendix B, Certification ScriptsContains sample PIN Management certification scripts for BASE I and SMS. A glossary is also included.

Visa *Confidential*

27 Jun 2002

About This Guide Related Documents

Related Documents
The following documents contain technical information related to PIN Management for IC Cards: V.I.P. System BASE I Technical Specifications V.I.P. System BASE I Processing Specifications V.I.P. System SingleConnect SMS ATM Processing Specifications V.I.P. System SMS ATM Technical Specifications V.I.P. System Services

For More Information

Contact your Visa representative.

27 Jun 2002

Visa *Confidential*

PIN Management for IC Cards Member Implementation Guide 40060-01

Visa *Confidential*

27 Jun 2002

Service Overview Key Concepts

1. Service Overview
As payment markets shift to widespread use of integrated circuit (IC) cards with PIN as the primary cardholder verification method, it becomes increasingly important for cardholders to have convenient access to their PINs. This is especially true for credit cardholders who may not know the PIN associated with their card. This service is designed to provide Visa cardholders with the capability to change or unlock their PINs at participating ATMs. This new functionality is expected to facilitate the rollout of PINs at the point of sale by offering an easy and secure means for cardholders to select their own PINs.

1.1

Key Concepts
The following concepts are key to understanding PIN Management for IC Cards. Offline PINA numeric value stored on an IC card used to identify the cardholder when PIN verification takes place offline between the card and terminal. Offline PIN VerificationThe process of verifying a PIN entered into a terminal by the cardholder through interaction between the card and terminal. The PIN entered by the cardholder is compared to a numeric value stored on the card. Online PINA numeric value stored at the Issuers host that is used to identify the cardholder when PIN verification takes place through an online message routed between the acquirer and the issuer. Online PIN VerificationThe process of verifying a PIN entered into a terminal by the cardholder by sending it to the issuer for verification. The PIN entered by the cardholder is compared to a numeric value stored at the issuers host. PIN Change/UnlockA PIN Management message used to change the offline PIN on an IC card. The status of the PIN-try counter is included in the request message, so the issuer may optionally reset the PIN-try counter using the same response message. PIN Management MessageAn online message used to handle PINrelated functions, such as changing or unlocking a PIN.

27 Jun 2002

Visa *Confidential*

11

PIN Management for IC Cards Member Implementation Guide 40060-01

PIN UnlockA PIN Management message used to reset the PIN-try counter on IC cards. When the PIN-try counter reaches its maximum allowable value as set by the issuer, the card may become blocked. This will prevent subsequent transactions. Post-Issuance ScriptA command sent from the card issuer to the card through VisaNet to change a parameter set in the chip on the card. The IC card will verify that it is the genuine issuer that has provided the Post-Issuance Script.

1.2

Service Features
PIN Management for IC Cards is designed for single-application IC cards. Issuers, acquirers and ATM manufacturers must comply with EMV standards for IC card processing. PIN Management messages work in both dual and single-message processing environments and are subject to normal ATM processing edits. PIN blocks are encrypted using the existing acquirer and issuer encryption working keys. Figure 1-1 illustrates the flow of PIN Management messages.

Figure 1-1: PIN Management Message Flow

(1) (6) (2) (5) (3) (4)

ATM

Acquirer

Issuer

PIN Change/Unlock Message Flow

The following list corresponds to the numbered arrows in Figure 1-1 and describes the high-level processing steps for a PIN change. 1. The cardholder inserts their IC card into the ATM, enters the current PIN, and then selects the PIN Change/Unlock function at the ATM, entering the new PIN twice. Both entries of the new PIN must match or the cardholder is requested to re-enter the new PIN. The ATM: ! ! Encrypts both the current and new PINs entered by the cardholder using the acquirers working key Receives the Authorisation Request Cryptogram (ARQC) generated by the card

12

Visa *Confidential*

27 Jun 2002

Service Overview Service Features

Sends the transaction data, including information from the chip, such as the ARQC and the status of the PIN-try counter, to the acquirer

2. The acquirer: ! ! ! Creates a PIN Management request message (0100/0200) with processing code 70 PIN Change/Unblock Includes the ARQC, chip information and other transaction data in the request message Sends the authorisation request message to VisaNet

3. The V.I.P. System decrypts the PIN blocks using the acquirers working key and re-encrypts the PIN blocks using the issuers working key. The V.I.P. System then routes the message to the issuer.
NOTE: The V.I.P. System does not perform CVV or PVV processing or Chip Card Payment Service (CCPS) CAM/CVV processing for PIN Management messages. Only PIN translation is performed.

The issuer must be available as no Stand-In Processing is performed on PIN Management messages. If the issuer is unavailable or times out, a response code of 91 Issuer Unavailable is returned. 4. The issuer receives the PIN Management request message then decrypts and verifies the cardholders current PIN, validates the ARQC and performs other edits as determined by the issuers host system, such as checking the account status. If the PIN change is approved, the issuer prepares a Post-Issuance Script command to change the offline PIN to the new PIN requested by the cardholder. The issuer may optionally create a script command to reset the PIN-try counter if the card has been blocked due to excessive PIN tries as this information is carried in the PIN Management request. The issuer then creates an Authorisation Response Cryptogram (ARPC) and sends a PIN Management response message (0110/0210) containing the script commands to VisaNet. The issuer changes the online PIN stored at its host to reflect the new PIN value. 5. VisaNet routes the response message to the acquirer. 6. The acquirer sends the response message to the ATM. The PostIssuance Script command is applied to the card where the new offline PIN value is stored. The PIN-try counter is reset if the script command to change this card parameter was also sent by the issuer. The cardholder removes the card from the ATM.

27 Jun 2002

Visa *Confidential*

13

PIN Management for IC Cards Member Implementation Guide 40060-01

If the PIN Change/Unlock function is not completed at the ATM for any reason, the ATM generates a reversal message and sends it to the acquirer. The acquirer sends the reversal to VisaNet where it is routed to the issuer. If the issuer is unavailable, VisaNet creates an advice of reversal message for the issuer. The issuer must develop procedures for the action that should be taken upon receipt of a reversal or advice of reversal. See Section 2.3, Reversals and Advice of Reversals, for a discussion of the issues.

PIN Unlock Message Flow

The following list describes the high-level processing steps to unlock a cardholders PIN and corresponds to the numbered arrows in Figure 1-1. 1. The cardholder inserts their IC card into the ATM, enters the current PIN, and then selects the PIN Unlock function at the ATM.
NOTE: Assuming that the cardholder had previously forgotten their PIN, they must have contacted their issuer prior to the transaction to obtain the correct PIN. Issuers must develop procedures to verify the cardholders identity and provide a copy of the correct PIN in advance of this transaction being performed. Refer to Section 3.3, Customer Service Procedures, for more information.

The ATM: ! ! ! Encrypts the PIN entered by the cardholder using the acquirers working key Receives the Authorisation Request Cryptogram (ARQC) generated by the card Sends the transaction data, including information from the chip, such as the ARQC and the status of the PIN-try counter, to the acquirer

2. The acquirer: ! ! ! Creates a PIN Management request message (0100/0200) with processing code 72 PIN Unblock Includes the ARQC, chip information and other transaction data in the request message Sends the authorisation request message to VisaNet

3. The V.I.P. System decrypts the PIN block using the acquirers working key and re-encrypts the PIN block using the issuers working key. The V.I.P. System then routes the request message to the issuer.

14

Visa *Confidential*

27 Jun 2002

Service Overview Service Features

NOTE: The V.I.P. System does not perform CVV or PVV processing or Chip Card Payment Service (CCPS) CAM/CVV processing for PIN Management messages. Only PIN translation is performed.

The issuer must be available as no Stand-In Processing is performed on PIN Management messages. If the issuer is unavailable or times out, a response code of 91 Issuer Unavailable is returned. 4. The issuer receives the PIN Management request message and verifies the cardholders current PIN, validates the ARQC and performs other edits as determined by the issuers host system, such as checking the account status. The issuer prepares a Post-Issuance Script command to reset the PIN-try counter on the card to zero, creates an Authorisation Response Cryptogram (ARPC) and sends a PIN Management response message (0110/0210) to VisaNet. 5. VisaNet routes the response message to the acquirer. 6. The acquirer sends the response message to the ATM. The PostIssuance Script command is applied to the card where the PINtry counter is reset to zero. The cardholder removes the card from the ATM. If the PIN Unlock function is not completed at the ATM for any reason, the ATM generates a reversal message and sends it to the acquirer. The acquirer sends the reversal to VisaNet where it is routed to the issuer. If the issuer is unavailable, VisaNet creates an advice of reversal message for the issuer.

PIN Management Messages

PIN Management for IC Cards uses standard V.I.P. System authorisation message pairs to handle PIN management functions: 0100/0110 messages in BASE I and 0200/0210 messages in SMS. New values have been defined for existing fields. There are also required values for existing fields and fields that must be present in the messages. This information is summarised in the following sections.

New Values in Existing Fields

New processing codes and response codes are used in PIN Management messages. Two new processing codes have been defined for field 3: 700000 PIN Change/Unblock 720000 PIN Unblock

27 Jun 2002

Visa *Confidential*

15

PIN Management for IC Cards Member Implementation Guide 40060-01

Two new response codes have been defined for field 39: P5 Decline of request P6 Unsafe PIN The following BASE I response codes have been added to SMS in support of PIN Management: 58 Transaction not allowed at terminal (Acquirer not participating) 85 No reason to decline a request (Approval of request) Other existing response codes that are valid for this service are shown in Table 1-1. The standard VisaNet response code definition is listed first, and the meaning specific to PIN Management messages follows in parentheses. Other standard response codes used in VisaNet ATM processing may also apply. Any response codes added to ATM processing in the future will automatically apply to PIN Management as well.

Table 1-1: Existing Response Codes

BASE I 12 Invalid transaction 55 Incorrect PIN 57 Transaction not permitted to cardholder (Issuer not participating) 58 Transaction not allowed at terminal (Acquirer not participating) 81 PIN cryptographic error 83 Unable to verify PIN
2 1

SMS 12 Invalid transaction 55 Incorrect PIN 57 Transaction not permitted to cardholder (Issuer not participating)
1

81 Cryptographic error in PIN 86 Cannot verify PIN

2

85 No reason to decline a request (Approval of request) 91 Issuer unavailable or switch inoperative (STIP not applicable or available to this transaction) 96 System malfunction 91 Destination unavailable or time out when no stand-in

96 System malfunction

1 Response code 12 is returned to the acquirer when the chip fields in either F55 or the 3rd bitmap (F152) are dropped from the request message. The PIN Change/Unlock request message is not forwarded to the issuer if either F55 or the 3rd bitmap is not present. 2 When SMS receives response code 83 from BASE I, it converts the 83 to an 86 before forwarding the message to the acquirer.

16

Visa *Confidential*

27 Jun 2002

Service Overview Service Requirements

Required Values in Existing Fields

These values are required for existing fields in PIN Management messages: Field 18, Merchant Type, must be 6011 ATM Field 22, POS Entry Mode, must be 05 or 95 Field 25, POS Condition Code, must be 00 Field 52, must contain the existing PIN Field 55, if used, must contain tag CO with the new PIN
NOTE: The new PIN may alternatively be sent in field 152, Secondary PIN rd Data, the 3 bit map for chip data. Field 55 or 152 must be present if the processing code in field 3.1 is 70.

Field 136, Cryptogram, must be present Field 142, Issuer Script, must be present if the response code from the issuer is 85
NOTE: Multiple script commands may be included in this field, such as one to change the offline PIN and one to reset the PIN-try counter to zero.

Field 143, Issuer Script Results, must be present in the Reversal message Field 147, Cryptogram Amount, must be present

Other Relevant Fields

The information stored in the chip, such as status of the PIN-try counter and cardholder verification method, is captured during terminal processing. The data is transmitted to the issuer in Field 130, Terminal Capability Profile, and Field 131, Terminal Verification Results. See Appendix A, Message Formats and Flows, for additional details.

1.3

Service Requirements
PIN Management for IC Cards requires changes to both issuer and acquirer host systems. Certification with VisaNet for PIN Management messages is required for participating issuers and acquirers. In addition, both issuers and acquirers must have previously certified for the full data option for IC card processing.

27 Jun 2002

Visa *Confidential*

17

PIN Management for IC Cards Member Implementation Guide 40060-01

Refer to Chapter 2, Issuer Implementation, and Chapter 3, Acquirer Implementation for details. Testing and certification requirements are covered in Chapter 4. PIN Management message formats can be found in Appendix A.

1.4

Enrolment Procedures
Please contact your Relationship Manager to enrol in this service.

18

Visa *Confidential*

27 Jun 2002

Issuer Implementation PIN Management Messages

2. Issuer Implementation
This chapter discusses steps that issuers must take to implement PIN Management for IC Cards. Issuer implementation activities include developing the capabilities to: Receive and respond to PIN Management messages Co-ordinate offline and online PINs Detect and decline unsafe PINs Reissue PINs to cardholders prior to performing a PIN Change/Unlock or PIN Unlock at an ATM Notify cardholders of the availability of PIN Management for IC Cards

Additionally, reporting and training activities are described.

2.1

PIN Management Messages

Issuers must update their host systems to be able to receive and respond to PIN Management messages as described in Section 1.1, Service Features, and Appendix A. Certification with VisaNet is required for this service. Refer to Chapter 4 for more information on testing and certification. The V.I.P. System technical documentation also provides information on PIN Management messages and transaction processing.

2.2

Offline and Online PINs

A critical feature of the project to implement PIN Management for IC Cards is the capability to coordinate cardholders offline and online PINs. When an issuer approves a PIN Change/Unlock request message, the online PIN must be changed in the issuers host system to match the new offline PIN. In addition, in the event that Issuer Script in the response message is not applied to the card due to technical difficulties, the issuer must be prepared to back out the new PIN and restore the previous online PIN in their host system upon receipt of a reversal or an advice of reversal.

27 Jun 2002

Visa *Confidential*

21

PIN Management for IC Cards Member Implementation Guide 40060-01

If the online PIN in the issuers host system is not in sync with the offline PIN on the card, the cardholder will experience declined transactions due to incorrect PIN at terminals that use online PIN verification.

2.3

Reversals and Advice of Reversals

If for any reason the PIN Change/Unlock cannot be completed once the issuer has sent an authorisation response approving the transaction, the V.I.P. System generates a reversal or advice of reversal for the issuer. Issuers must develop procedures for the action that should be taken upon receipt of the reversal or advice of reversal, considering the customer service implications of the situation. For example, the issuer may choose to change the online PIN stored at its host back to the PIN as it existed prior to the transaction, reversing the failed PIN change. Alternatively, the decision might be taken not to apply the reversal and proactively contact the cardholder regarding the situation.

2.4

Unsafe PINs
It is the issuers responsibility to detect unsafe PINs that have been selected by cardholders. Examples might include: 1234, 9999, the cardholders first name, etc. Issuers should refer to their internal information security guidelines for the definition of unsafe PINs. Once the definition of an unsafe PIN has been determined, appropriate edits for the new PIN block contained in PIN Management messages should be implemented. Any unsafe PINs selected by cardholders should be declined with a response code of P6 Unsafe PIN. Cardholders will receive an ATM screen stating that their PIN selection has been declined as an unsafe PIN and that they should select another PIN. Cardholder education materials should be developed that explain the issuers guidelines for PIN selection. This information should be provided to cardholders when their PIN is reissued for the purpose of performing a PIN Change/Unlock at an ATM.

22

Visa *Confidential*

27 Jun 2002

Issuer Implementation PIN Reissuance

2.5

PIN Reissuance
Cardholders must know their current PIN in order to change or unblock it at an ATM. Thus, procedures must be developed to reissue PINs to cardholders who have forgotten their PINs. Issuers typically have existing PIN reissuance procedures that can be utilised or modified for this purpose. Issuers should review the current procedure with the following questions in mind: How is the cardholders identity verified? How is the PIN provided to the cardholder? How long does it take for the cardholder to receive the PIN? Does this process effectively meet the customer service requirements for the new PIN Change/Unlock and PIN Unlock functions? What modifications should be made to the existing process to support PIN Management for IC Cards?

2.6

Cardholder Notification
Cardholders should be notified of the availability of the service, along with the procedures they need to follow if they have forgotten their PIN or would like to select a new one. Typical methods include statement inserts and statement messages. Information on the service might also be provided in new account materials sent to cardholders and included in card activation materials. A procedural change that you may want to consider is to mail systemgenerated PINs prior to the IC cards when cards are initially issued. Information on PIN change procedures can be enclosed with the PIN. This gives the cardholder the ability to immediately change their PIN when they receive their card, in the event that they prefer not to use the system-generated PIN.

2.7

Reporting
The two new PIN Management transaction types: PIN Change/Unlock and PIN Unlock, should be added to any internal reporting that displays transaction data and counts of transaction types.

27 Jun 2002

Visa *Confidential*

23

PIN Management for IC Cards Member Implementation Guide 40060-01

You should also add these transactions to transaction history that can be viewed on screen in the card management system by customer service representatives. The new transaction data elements will be available in the Visa Transaction Research Service (VTRS) using Visa Online (VOL).

2.8

Integrated Billing
The new fees associated with PIN Management for IC Cards will appear on your Integrated Billing statement. They include: Issuer Participation fee PIN Change transaction fee PIN Unlock transaction fee

2.9

Training
Customer service, back-office and branch staff should be trained as part of the implementation of PIN Management for IC Cards prior to your live date. The following topics should be considered: Features of the service: PIN Change/Unlock and PIN Unlock High-level description of PIN Management message processing Changes to PIN reissuance procedures, if any New ATM screens, if your organisation is also participating as an acquirer Cardholder notification materials Changes to the card management system Changes to reporting

24

Visa *Confidential*

27 Jun 2002

Acquirer Implementation PIN Management Messages

3. Acquirer Implementation
This chapter describes the PIN Management for IC Cards implementation activities for acquirers. They include: Developing the capability to send PIN Management request messages and process PIN Management response messages Designing new ATM screens for PIN Change/Unlock and PIN Unlock transactions Adding the new transaction types to ATM reporting Training staff

3.1

PIN Management Messages

Acquirers must update their host systems to be able to send PIN Change/Unlock and PIN Unlock messages as described in Section 1.1, Service Features, and Appendix A. You must also be able to process the response messages from issuers. Certification with VisaNet is required for this service. Refer to Chapter 4 for more information on testing and certification. The V.I.P. System technical documentation also provides information on PIN Management messages and transaction processing.

3.2

ATM Screens
ATM screens must be added for the following functions: PIN Change/Unlock
NOTE: The PIN entry screen must capture both the current and new PIN. The new PIN must be entered twice and edited either at the ATM or the acquirers host system to ensure that the same PIN was entered both times. Only one new PIN block is sent to the issuer.

PIN Unlock

27 Jun 2002

Visa *Confidential*

31

PIN Management for IC Cards Member Implementation Guide 40060-01

New response codes, including: ! ! Request declined by issuer (P5) Unsafe PIN selection by the cardholder (P6)

The following BASE I response codes have been added to SMS in support of PIN Management: 58 Transaction not allowed at terminal (Acquirer not participating) 85 No reason to decline a request (Approval of request)

Your ATM screens must also accommodate the existing VisaNet response codes that are used for this service as shown in Table 3-1. The response codes must either be mapped to existing screens with appropriate language or a new screen added. Other standard response codes used in VisaNet ATM processing may also apply. Any response codes added to ATM processing in the future will automatically apply to PIN Management as well.

Table 3-1: Existing Response Codes

BASE I 12 Invalid transaction 55 Incorrect PIN 57 Transaction not permitted to cardholder (Issuer not participating) 58 Transaction not allowed at terminal (Acquirer not participating) 81 PIN cryptographic error 83 Unable to verify PIN
2 1

SMS 12 Invalid transaction 55 Incorrect PIN 57 Transaction not permitted to cardholder (Issuer not participating)
1

81 Cryptographic error in PIN 86 Cannot verify PIN

2

85 No reason to decline a request (Approval of request) 91 Issuer unavailable or switch inoperative (STIP not applicable or available to this transaction) 96 System malfunction 91 Destination unavailable or time out when no stand-in

96 System malfunction

1 Response code 12 is returned to the acquirer when the chip fields in either F55 or the 3rd bitmap (F152) are dropped from the request message. The PIN Change/Unlock request message is not forwarded to the issuer if either F55 or the 3rd bitmap is not present. 2 When SMS receives response code 83 from BASE I, it converts the 83 to an 86 before forwarding the message to the acquirer.

32

Visa *Confidential*

27 Jun 2002

Acquirer Implementation Reporting

3.3

Reporting
The two new PIN Management transaction types, PIN Change/Unlock and PIN Unlock, should be added to ATM reporting that displays transaction data and counts of transaction types. The new transaction data elements will be available in the Visa Transaction Research Service (VTRS) using Visa Online (VOL).

3.4

Integrated Billing
The Acquirer Incentive associated with PIN Management for IC Cards will appear as a credit on your Integrated Billing statement.

3.5

Training
Customer service, back-office and branch staff should be trained as part of the implementation of PIN Management for IC Cards prior to your live date. The following topics should be considered: Features of the service: PIN Change/Unlock and PIN Unlock High-level description of PIN Management message processing New ATM screens Frequently asked questions from customers and non-customers Changes to reports

27 Jun 2002

Visa *Confidential*

33

PIN Management for IC Cards Member Implementation Guide 40060-01

34

Visa *Confidential*

27 Jun 2002

Certification Requirements Certification Environment

4. Certification Requirements
This chapter addresses the PIN Management for IC Cards requirements for certification, including: Certification Environment Pre-Certification V.I.P. Certification

4.1

Certification Environment
Once you have completed internal testing of coding changes to support PIN Management for IC Cards, you will need to begin preparing for certification with VisaNet. The first step in the certification process is to ensure that all of the necessary components are in place. The following components are required for the certification environment: VisaNet Certification Management Service (VCMS) connectivity VisaNet Access Point (VAP) 10.23 or greater VTS2000 release 3.4 or greater or Visa Test System (Sapphire Edition) version 11.0 or greater. PIN Management for IC cards certification scripts Personalised test chip cards

Contact your Visa representative to obtain certification scripts. For more information, refer to the following documents: Visa Certification Management Service (VCMS) Testing and Certification Guide-V.I.P. System VCMS Users Manual-BASE I System VTS2000 Users Guide or the Visa Test System (Sapphire Edition) Users Guide

27 Jun 2002

Visa *Confidential*

41

PIN Management for IC Cards Member Implementation Guide 40060-01

4.2

Certification Process
You must perform a series of transactions, referred to as a test or certification script, to demonstrate your host system is able to send and receive the new data and fields required in the PIN Management messages. Sample test scripts are provided in Appendix B.
NOTE: Your organisation must be certified for Visa ATM Services and the full data option for IC card processing prior to certifying for PIN Management for IC Cards.

Certification information for PIN Management for IC cards is gathered via Visa Online. After your implementation of the service is initiated at Visa, you will receive a set of PIN Management certification questions through Visa Online. The certification questions are answered and returned online. Your Implementation Manager then uses the information to set up the testing and certification process for your organisation at the regional certification lab.

42

Visa *Confidential*

27 Jun 2002

Message Formats and Flows BASE I Message Formats

A. Message Formats and Flows

This appendix contains the BASE I and SMS message formats for PIN Management transactions, including request, response, reversal and advice of reversal messages.
NOTE: Two fields are included in these messages that dont specifically affect PIN Management processing:

Track 2 data Currency Code (Field 49)

These fields remain in use for data consistency with other ATM messages. The message format tables use the following abbreviations to indicate if fields are required: M Mandatory C Conditional O Optional

27 Jun 2002

Visa *Confidential*

A1

PIN Management for IC Cards Member Implementation Guide 40060-01

A.1 BASE I Message Formats

Table A-1 shows the BASE I 0100/0110 message format for the PIN Management request/response message pair.

Table A-1: BASE I Request/Response

Field Number Field Name 0100 0110 Comments

Bitmap, third 2 3 Primary Account Number (PAN) Processing Code

M M M

M M M 700000 PIN Change/Unblock 720000 PIN Unblock

7 11 14 18 19 22 23 25 26 32 33

Transmission Date and Time Systems Trace Audit Number Date, Expiration Merchant Type Acquiring Institution Country Code Point of Service Entry Mode Code Card Sequence Number Point of Service Condition Code Point of Service PIN Capture Code Acquiring Institution ID Code Forwarding Institution ID Code

M M C M M M C M C M C

M M

Must be 6011 M Must be 05 or 95 C M Must be 00

M Required for SMS bridge transactions. It will not be forwarded to the Issuer. Chip data image of Track 2 data M

35 37

Track 2 Data Retrieval Reference Number

C M

A2

Visa *Confidential*

27 Jun 2002

Message Formats and Flows BASE I Message Formats

Field Number

Field Name

0100

0110

Comments

39

Response Code

Values must be: 12 = Invalid transaction 55 = Incorrect PIN 81 = PIN cryptographic error 83 = Unable to verify PIN 85 = Approval of request P5 = Decline of request P6 = Unsafe PIN 57 = Issuer not participating 58 = Acquirer not participating 91 = Issuer unavailable or timed-out Identification of ATM Identification of ATM Name/Location of ATM

41 42 43 44.1 49 52 53

Card Acceptor Terminal ID Card Acceptor ID Code Card Acceptor Name/Location Response Source/Reason Code Currency Code, Transaction PIN Data Security Related Control Info

M M M

M M

M M M M M Existing PIN Information about existing PIN and new requested PIN C Location for new PIN or Field 152, Field 55 or Field 152 must be present if the processing code in Field 3.1 is 70 BER-TLV Tag is CO The field is formatted: COXXFFFFFFFFFFFFFFFF where: CO is the tag, XX is the is the fixed length of the data, FFFFFFFFFFFFFFFF is the encrypted secondary PIN block

55

Field 55 (BER-TLV)

59 60 130 131

National POS Geographic Data Additional POS Information Terminal Capability Profile Terminal Verification Results

C M C C

27 Jun 2002

Visa *Confidential*

A3

PIN Management for IC Cards Member Implementation Guide 40060-01

Field Number

Field Name

0100

0110

Comments

132 133 134 135 136 137 138 139

Unpredictable Number Terminal Serial Number Visa Discretionary Data Issuer Discretionary Data Cryptogram Application Transaction Counter Application Interchange Profile ARPC Response Cryptogram and Code Issuer Script

C C C C C C C C C Must be present

142

Must be present, if response code from issuer is 85

144 145 146 147

Cryptogram Transaction Type Terminal Country Code Terminal Transaction Date Cryptogram Amount

C C C C Must be present; a zero amount is used in generating the ARQC and ARPC

148 149 152

Cryptogram Currency Code Cryptogram Cashback Amount Secondary PIN Data

C C C Field 152 or Field 55 must be present if Field 3.1 is equal to 70

A4

Visa *Confidential*

27 Jun 2002

Message Formats and Flows BASE I Message Formats

The BASE I reversal message format is shown in Table A-2.

Table A-2: BASE I Reversal

Field Number Field Name 0400 0410 Comments

Bitmap, third 2 3 Primary Account Number (PAN) Processing Code

M M M

M M M 700000 PIN Change/Unblock 720000 PIN Unblock

7 11 14 18 19 22 23 25 26 32 33

Transmission Date and Time Systems Trace Audit Number Date, Expiration Merchant Type Acquiring Institution Country Code Point of Service Entry Mode Code Card Sequence Number Point of Service Condition Code Point of Service PIN Capture Code Acquiring Institution ID Code Forwarding Institution ID Code

M M C M M M C M C M C

M M

Must be 6011 M

C M Must be 00

M Required for SMS bridge transactions. It will not be forwarded to the issuer. M M

37 39 41 42 43 44.1 49

Retrieval Reference Number Response Code Card Acceptor Terminal ID Card Acceptor ID Code Card Acceptor Name/Location Additional Response Data Currency Code, Transaction

M M M

M M

M M M

27 Jun 2002

Visa *Confidential*

A5

PIN Management for IC Cards Member Implementation Guide 40060-01

Field Number

Field Name

0400

0410

Comments

55 59 60 90 131

Field 55 (BER-TLV) National Geographic Data Additional POS Information Original Data Elements Terminal Verification Results

C C M M C

C It is present in 0400 if issuer authentication failed If present in original, it is required in 0400 request

133

Terminal Serial Number

134 137 143

Visa Discretionary Data Application Transaction Counter Issuer Script Results

C C C C Must be present for reversal

A6

Visa *Confidential*

27 Jun 2002

Message Formats and Flows BASE I Message Formats

The BASE I advice of reversal message format is shown in Table A-3.

Table A-3: BASE I Advice of Reversal

Field Number Field Name Bitmap, third 2 3 7 11 14 18 19 22 23 25 26 32 33 37 39 41 42 43 44.1 49 55 59 60 Primary Account Number (PAN) Processing Code Transmission Date and Time Systems Trace Audit Number Date, Expiration Merchant Type Acquiring Institution Country Code Point of Service Entry Mode Code Card Sequence Number Point of Service Condition Code Point of Service PIN Capture Code Acquiring Institution ID Code Forwarding Institution ID Code Retrieval Reference Number Response Code Card Acceptor Terminal ID Card Acceptor ID Code Card Acceptor Name/Location Additional Response Data Currency Code, Transaction Field 55 (BER-TLV) National Geographic Data Additional POS Information 0420 M M M M M C M M M C M C M C M M M M M M M C C M

27 Jun 2002

Visa *Confidential*

A7

PIN Management for IC Cards Member Implementation Guide 40060-01

Field Number 90 131 133 134 137 143

Field Name Original Data Elements Terminal Verification Results Terminal Serial Number Visa Discretionary Data Application Transaction Counter Issuer Script Results

0420 M C C C C C

A8

Visa *Confidential*

27 Jun 2002

Message Formats and Flows SMS Message Formats

A.2 SMS Message Formats

Table A-4 shows the SMS 0200/0210 message format for the PIN Management Service request/response message pair.

Table A-4: SMS Request/Response

Field Number Field Name 0200 0210 Comments

Bitmap, Secondary Third Bitmap, 2 3 Primary Account Number (PAN) Processing Code

M M M M

M M M M 700000 PIN Change/Unblock 720000 PIN Unblock

7 11 12 13 14 15 18 19 21 22 23 25 26 32 33

Transmission Date and Time Systems Trace Audit Number Time, Local Transaction Date, Local Transaction Date, Expiration Date, Settlement Merchant Type Acquiring Institution Country Code Forwarding Institution Country Code Point of Service Entry Mode Code Card Sequence Number Point of Service Condition Code Point of Service PIN Capture Code Acquiring Institution ID Code Forwarding Institution ID Code

M M M M O

M M

M M M C M C M C M C M C M M

SMS provided Must be 6011

Must be 05 or 95

Must be 00

Required for SMS bridge transactions. It will not be forwarded to the issuer.

27 Jun 2002

Visa *Confidential*

A9

PIN Management for IC Cards Member Implementation Guide 40060-01

Field Number

Field Name

0200

0210

Comments

35 37 39

Track 2 Data Retrieval Reference Number Response Code

C M M M

Chip data image of Track 2 data

Values must be: 12 = Invalid transaction 55 = Incorrect PIN 81 = PIN cryptographic error 85 = Approval of request 86 = Unable to verify PIN P5 = Decline of request P6 = Unsafe PIN 57 = Issuer not participating 58 = Acquirer not participating 91 = Issuer unavailable or timed-out 96 = System malfunction NOTE: When SMS receives response code 83 from BASE I, it converts the 83 to an 86 before forwarding the message to the acquirer.

41 42 43 49 52 53

Card Acceptor Terminal ID Card Acceptor ID Code Card Acceptor Name/Location Currency Code, Transaction PIN Data Security Related Control Info

M M M C M M

M M

Identification of ATM Identification of ATM Name/Location of ATM

C Existing PIN Information about existing PIN and new requested PIN C Location for new PIN or Field 152, Field 55 or Field 152 must be present if the processing code in Field 3.1 is 70 BER-TLV Tag is CO The field is formatted: COXXFFFFFFFFFFFFFFFF where: CO is the tag, XX is the is the fixed length of the data, FFFFFFFFFFFFFFFF is the encrypted secondary PIN block

55

Field 55 (BER-TLV)

A10

Visa *Confidential*

27 Jun 2002

Message Formats and Flows SMS Message Formats

Field Number

Field Name

0200

0210

Comments

59 60 63.0 63.1 115 130 131 132 133 134 135 136 137 138 139

National POS Geographic Data Additional POS Information Bitmap (Field 63) Network ID Additional Trace Data Terminal Capability Profile Terminal Verification Results Unpredictable Number Terminal Serial Number Visa Discretionary Data Issuer Discretionary Data Cryptogram Application Transaction Counter Application Interchange Profile ARPC Response Cryptogram and Code Issuer Script

C M M M O O O O O O O O O O C O Must be present M M

142

Must be present, if response code from issuer is 85

144 145 146 147

Cryptogram Transaction Type Terminal Country Code Terminal Transaction Date Cryptogram Amount

O O O O Must be present; a zero amount is used in generating the ARQC and ARPC

148 152

Cryptogram Currency Code Secondary PIN Block

O C Field 152 or Field 55 must be present if Field 3.1 is equal to 70

27 Jun 2002

Visa *Confidential*

A11

PIN Management for IC Cards Member Implementation Guide 40060-01

The SMS reversal message format is shown in Table A-5.

Table A-5: SMS Reversal

Field Number Field Name 0420 0430 Comments

Bitmap, Secondary Third Bitmap 2 3 Primary Account Number (PAN) Processing Code

M M M M

M M M M 700000 PIN Change/Unblock 720000 PIN Unblock

7 11 12 13 15 18 19 21 22 23 25 32 33

Transmission Date and Time Systems Trace Audit Number Time, Local Transaction Date, Local Transaction Date, Settlement Merchant Type Acquiring Institution Country Code Forwarding Institution Country Code Point of Service Entry Mode Code Card Sequence Number Point of Service Condition Code Acquiring Institution ID Code Forwarding Institution ID Code

M M M M

M M

M M M C M C M M C C M M Required for SMS bridge transactions. It will not be forwarded to the issuer. M Must be 00 M Must be 6011

37 38 39 41 42

Retrieval Reference Number Authorization ID Response Response Code Card Acceptor Terminal ID Card Acceptor ID Code

M C

M M M M M

A12

Visa *Confidential*

27 Jun 2002

Message Formats and Flows SMS Message Formats

Field Number

Field Name

0420

0430

Comments

43 49 55 59 60 63.0 63.1 63.3 90 115 131

Card Acceptor Name/Location Currency Code, Transaction Field 55 (BER-TLV) National Geographic Data Additional POS Information Bitmap (Field 63) Network ID Message Reason Code Original Data Elements Additional Trace Data Terminal Verification Results

M M C C C M M M M O O It is present in 0420 if issuer authentication failed If present in original, it is required in 0420 request M M M C

133

Terminal Serial Number

134 137 143

Visa Discretionary Data Application Transaction Counter Issuer Script Results

O O M O M Must be present for reversal

27 Jun 2002

Visa *Confidential*

A13

PIN Management for IC Cards Member Implementation Guide 40060-01

The SMS advice of reversal message format is shown in Table A-6.

Table A-6: SMS Advice of Reversal

Field Number Field Name Bitmap, Secondary Third Bitmap 2 3 7 11 12 13 15 18 19 21 22 23 25 32 33 37 38 39 41 42 43 44.1 Primary Account Number (PAN) Processing Code Transmission Date and Time Systems Trace Audit Number Time, Local Transaction Date, Local Transaction Date, Settlement Merchant Type Acquiring Institution Country Code Forwarding Institution Country Code Point of Service Entry Mode Code Card Sequence Number Point of Service Condition Code Acquiring Institution ID Code Forwarding Institution ID Code Retrieval Reference Number Authorisation ID Response Response Code Card Acceptor Terminal ID Card Acceptor ID Code Card Acceptor Name/Location Response Source/Reason Code 0420 M M M M M M M M M M M C M C M M C M C M M M M M M M M M C M M M M 0430 M M M M M M

A14

Visa *Confidential*

27 Jun 2002

Message Formats and Flows SMS Message Formats

Field Number 49 55 59 60 63.0 63.1 63.3 63.4 90 131 133 134 137 143

Field Name Currency Code, Transaction Field 55 (BER-TLV) National Geographic Data Additional POS Information SMS Private Use Fields Network ID Message Reason Code STIP/Switch Reason Code Original Data Elements Terminal Verification Results Terminal Serial Number Visa Discretionary Data Application Transaction Counter Issuer Script Results

0420 M C C C M M M M M O O O O M

0430

M M

O M

27 Jun 2002

Visa *Confidential*

A15

PIN Management for IC Cards Member Implementation Guide 40060-01

A.3 Updated Field Descriptions

These field descriptions have been updated with information related to PIN Management messages. The PIN Management changes apply to both BASE I and SMS.

Field 152 Secondary PIN Block Attributes Description

Fixed length 64 N, bit string; 8 bytes Field 152 contains a new PIN to replace an existing PIN. It is encrypted and formatted as a block of 16 hexadecimal digits. (A new PIN is chosen to replace the current PIN when the cardholder does not remember the current PIN, or the current PIN is compromised or just wants a new PIN.) In an acquirer-initiated request, this field format must conform to the PIN Block Format Code in Field 53 Security Related Control Information. In a request received by the issuer processor, the format conforms to the PIN Block Format of the issuer processor, as previously specified to Visa. This new PIN is never logged, even if it is in an encrypted form.

Usage

Field 152 is required in 0100/0200 requests only when the cardholder chooses to replace their current PIN at an ATM. It must be present when requesting a PIN change. This field is not used in reversal requests or advices, or in any responses. If this field is present, Field 52 Personal Identification Number (PIN) Data and Field 53 Security Related Control Information must also be present. This field should not be used other than for a PIN Management request. STIP and Switch Advices: Field 152 is omitted from advices

Field Edits

Field 152 is required if Field 3.1 is 70 (PIN Change/Unblock). The VICs security module edits field contents during PIN translation. If there is an error (most commonly, an acquirer key problem), the request message is not rejected; instead, the response code in Field 39 of the 0110/0210 response is set to 81.

Reject Reject Codes

The reject codes for Field 152 are: 0489 = Field missing in a PIN Change request 0717 = Field present in a PIN Unblock request

A16

Visa *Confidential*

27 Jun 2002

Message Formats and Flows Updated Field Descriptions

Field 142 Issuer Script Attributes Description

Variable length 1 byte + up to 510 hexadecimal digits, maximum 256 bytes Field 142 is a Visa Smart Debit/Visa Smart Credit (VSDC) field. It is also used in Chip Offline Preauthorized Card (COPAC) transactions. It contains proprietary information that the issuer processor wishes to communicate to the card. It allows dynamic changes to the content of the card without reissuing the card. Field 142 is optional in 0110 responses. It is not present in 0120 advices. Field 142 is required in 0110/0210 responses when the issuer approved a PIN Change/Unblock request.

Usage

Field Edits

If Field 142 is present, the value in the one-byte length value cannot be greater that the 510-hexadecimal-digit maximum. If the Issuer approved a PIN Change/Unblock request, Field 142 must be present in the response message.

Reject Codes

The reject codes for Field 142 are: 0371 = Invalid length 0490 = Field 142 is missing in an approved PIN Change/Unblock response 0717 = Field 142 is present in a declined PIN Change/Unblock response

27 Jun 2002

Visa *Confidential*

A17

PIN Management for IC Cards Member Implementation Guide 40060-01

Field 143 Issuer Script Results Attributes Description

Variable length 1 byte + up to 40 hexadecimal digits, maximum 21 bytes Field 143 is a Visa Smart Debit/Visa Smart Credit (VSDC) field. During online processing, the issuer processor has the option of sending commands to the card in the authorization response. These commands instruct the card to update the card parameters. The card records the success or failure of the updates in the Issuer Script Results field.
Position length 1-8 reserved Byte 1 1-4 script processing 1-8 reserved Byte 2 5-8 script sequence Byte 5 1-8 reserved Byte 3 1-8 reserved Bytes 6-21 1-8 reserved Byte 4

Length Subfield: The number of bytes following the length subfield. Field 143 Subfield Values
Position 1-8 1-4 Description Byte 1-4 Reserved for Visa Reserved for Visa Script Processing n/a Byte 5 0000 = Script not performed 0001 = Script processing failed 0010 = Script processing successful 0000 = Script sequence not specified 0000-1110 = Sequence number of script command 1-14 1110 = Sequence number of script command 15 or above n/a Values

5-8

Script Sequence

Byte 6-21 Reserved for Visa 1-8 Reserved for Visa

Usage Field Edits

If an issuer script result is present, field 143 is used in 0400 request and 0420 advices. If field 143 is present, its length cannot exceed 20 bytes excluding the length byte. If an update failure occurs for a PIN Management message, Field 143 must be present in the 0400/0420 reversal request.

A18

Visa *Confidential*

27 Jun 2002

Message Formats and Flows Updated Field Descriptions

Reject Codes

The reject codes for Field 143 are: 0371 = Invalid length 0491 = Field 143 is missing in a PIN Management reversal request message

27 Jun 2002

Visa *Confidential*

A19

PIN Management for IC Cards Member Implementation Guide 40060-01

A.4 PIN Management Message Flows

This section illustrates the flow of PIN Management messages. The flow shown in Figure A-1 is typical when everything is in proper order. The acquirer and issuer are both participating in the PIN Management service. No processing problems are encountered by the V.I.P. System in this scenario, and the issuer is available. The issuers response includes the Issuers Script (field 142) with commands to update the IC card.

Figure A-1: PIN Management Request/Response

Acquirer PIN Change/Unlock Request

V.I.P. System

Issuer PIN Change/Unlock Request

PIN Change/Unlock Request

Issuers Script Response

Issuers Script Response

Issuers Script Response

A20

Visa *Confidential*

27 Jun 2002

Message Formats and Flows PIN Management Message Flows

A reversal is illustrated in Figure A-2. The acquirer will send a Reversal message only when a script update failure occurs.

Figure A-2: PIN Management Reversal

Acquirer Reversal for script update failure only Reversal for script update failure only

V.I.P. System

Issuer

Reversal for script update failure only

Issuers Reversal Response Issuers Reversal Response

Issuers Reversal Response

27 Jun 2002

Visa *Confidential*

A21

PIN Management for IC Cards Member Implementation Guide 40060-01

If an acquirer is not participating in PIN Management for IC Cards, but is able to send a request, the V.I.P. System will issue a response code 58 as shown in Figure A-3.

Figure A-3: Acquirer Not Participating

Acquirer PIN Change/Unlock Request

V.I.P. System

Issuer

PIN Change/Unlock Request

Response Code 58

Respond with 58 (Transaction not allowed at terminal)

A22

Visa *Confidential*

27 Jun 2002

Message Formats and Flows PIN Management Message Flows

As shown in Figure A-4, when an issuer is not participating in the PIN Management for IC Cards service, the V.I.P. System will issue a response code 57.

Figure A-4: Issuer Not Participating

Acquirer PIN Change/Unlock Request

V.I.P. System

Issuer

PIN Change/Unlock Request

Response Code 57 Respond with 57

27 Jun 2002

Visa *Confidential*

A23

PIN Management for IC Cards Member Implementation Guide 40060-01

If the issuer is unavailable, the V.I.P. System will issue a response code 91 as illustrated in Figure A-5.

Figure A-5: Issuer Unavailable

Acquirer

V.I.P. System

Issuer

PIN Change/Unlock Request Unavailable

PIN Change/Unlock Request

Response Code 91 Respond with 91

A24

Visa *Confidential*

27 Jun 2002

Message Formats and Flows PIN Management Message Flows

The scenario in Figure A-6 illustrates a time-out. The issuer does not respond within the specific time limit. The original request message is timed-out and Visa Stand-In Processing (STIP) processes a response destined to the acquirer. As this is a PIN-based transaction, the V.I.P. System responds with response code 91. When the V.I.P. System receives the late response, the message is returned back to the issuer. This enables the issuer to amend their records, backing out the original request.

Figure A-6: Time-Out, Issuer Does Not Respond

Acquirer PIN Change/Unlock Request

V.I.P. System

Issuer PIN Change/Unlock Request

PIN Change/Unlock Request

Response Code 91 Respond with 91

PIN Change/Unlock Request

Process Late Response

Issuers Script Response

Return Late Response to Issuer to Back-Out the Request

Back Out Request if a Returned Message is Received from VIP

27 Jun 2002

Visa *Confidential*

A25

PIN Management for IC Cards Member Implementation Guide 40060-01

The scenario illustrated in Figure A-7 shows a returned message from the acquirers node (undeliverable). This indicates that the acquirer did not receive the Issuers Script to successfully complete the PIN Change/Unlock request. When VisaNet receives the returned message, the V.I.P. System forwards the returned message to the issuer.

Figure A-7: Message Undeliverable to Acquirer

Acquirer PIN Change/Unlock Request PIN Change/Unlock Request

V.I.P. System

Issuer

PIN Change/Unlock Request

Issuers Script Response Issuers Script Response

Issuers Script Response

Response is undelivered and returned to VIP Returned Message

Process Returned Message and send to Issuer to backout Request

Back out Request if a Returned Message is received from VIP

A26

Visa *Confidential*

27 Jun 2002

Message Formats and Flows PIN Management Message Flows

The scenario in Figure A-8 shows the flow of a Reversal message when the issuer is unavailable. The V.I.P. System generates an Advice message for later retrieval when the issuer is available. The issuer may or may not retrieve their advices instantly. Retrieving advices is typically performed during off-peak hours. Also, some issuers do not retrieve their advices online, but opt to have their advices delivered offline via BASE II TC48s.

Figure A-8: PIN Management Reversal Issuer Unavailable

Acquirer

V.I.P. System

Issuer

Reversal for script update failure only

Reversal for script update failure only

Reversal for script update failure only

VIP creates an Advice to be retrieved by the Issuer

Issuers Advice File

Issuer sends message to VIP to retrieve their Advices

Send Reversal Advice to Issuer

Receive Reversal Advice from VIP

27 Jun 2002

Visa *Confidential*

A27

PIN Management for IC Cards Member Implementation Guide 40060-01

A28

Visa *Confidential*

27 Jun 2002

Certification Scripts BASE I Certification Script

B. Certification Scripts
This appendix contains sample BASE I and SMS test scripts for PIN Management certification. Prior to online testing, you should obtain the most current certification scripts from Visa Online.
NOTE: Draft test scripts are included in this appendix as examples only, so it is critical that you obtain the most current version through Visa Online.

B.1 BASE I Certification Script

Table B-1 describes the sample test cases in the BASE I certification script.

27 Jun 2002

Visa *Confidential*

B1

PIN Management for IC Cards Member Implementation Guide 40060-01

Table B-1: BASE I PIN Management Certification Script

Field Values F3 700000 6011 0510 00 85 F18 F22 F25 F39 Comments

Case Message Type Number Identifier Case Name

0100/0110

Authorisation - PIN Change

PIN request approved. F142 must be present in response. PIN request approved. F142 must be present in response. F143 Issuer script results must be present

2 Reversal Authorisation - PIN Unblock Authorisation - PIN Change Authorisation - PIN Unblock Authorisation - PIN Change Authorisation - PIN Unblock Authorisation - PIN Change Reversal Advice Authorisation - PIN Unblock 720000 700000 700000 6011 6011 6011 720000 6011 0510 0510 0510 0510 720000 6011 0510 720000 6011 0510 00 00 00 00 00 00 91 700000 6011 0510 00 P5 P6 83 81 85 720000 6011 0510 00 85 700000 6011 0510 00

0100/0110

Authorisation - PIN Change

700000

6011

0510

00

85

0400/0410

0100/0110

PIN request approved. F142 must be present in response. PIN request declined Unsafe PIN Unable to verify PIN Cryptographic error PIN request approved. F142 must be present in response. F143 Issuer script results must be present Issuer unavailable or timed out

0100/0110

0100/0110

0100/0110

0100/0110

0100/0110

0420/0430

0100/0110

NOTE:

F55 or F152 will have the new PIN.

B2

Visa *Confidential*

27 Jun 2002

Certification Scripts SMS Certification Script

B.2 SMS Certification Script

Table B-2 provides a sample SMS certification script. SMS test case results should be verified against SMS reports and raw data.

27 Jun 2002

Visa *Confidential*

B3

PIN Management for IC Cards Member Implementation Guide 40060-01

Table B-2: SMS PIN Management Certification Script

Field Values F3 700000 6011 0510 00 85 F18 F22 F25 F39 Comments

Case Message Type Number Identifier Case Name

0200/0210

PIN Change

PIN request approved. F142 must be present in response. PIN request approved. F142 must be present in response. F143 Issuer script results must be present

2 Reversal Pin Unblock PIN Change PIN Unblock PIN Change PIN Unblock PIN Change Reversal Advice PIN Unblock 720000 700000 6011 6011 700000 6011 0510 0510 0510 720000 6011 0510 720000 6011 0510 00 00 00 00 00 91 720000 6011 0510 00 700000 6011 0510 00 P5 P6 83 81 85 720000 6011 0510 00 85 700000 6011 0510 00

0200/0210

PIN Change

700000

6011

0510

00

85

0400/0410

0200/0210

PIN request approved. F142 must be present in response. PIN request declined Unsafe PIN Unable to verify PIN Cryptographic error PIN request approved. F142 must be present in response. F143 Issuer script results must be present Issuer unavailable or timed out

0200/0210

0200/0210

0200/0210

0200/0210

0200/0210

0420/0430

0200/0210

NOTE:

F55 or F152 will have the new PIN.

B4

Visa *Confidential*

27 Jun 2002

Glossary

Glossary
Card Verification Value (CVV)
A unique check value encoded on the magnetic stripe or chip of a card. The Card Verification Value is used to validate the card information during authorisation and detect counterfeit cards. This service is not available to PIN Management for IC Cards.

Europay, MasterCard, Visa (EMV) Specifications

Technical specifications developed by the three payment schemes outlining the interactions between chip cards and terminals to ensure interoperability.

Offline PIN
A numeric value stored on the chip of an IC card used to identify the cardholder when PIN verification takes place offline between the card and terminal.

Offline PIN Verification

The process of verifying a PIN entered into a terminal by the cardholder through interaction between the card and terminal. The PIN entered by the cardholder is compared to a numeric value stored on the chip in the card.

Online PIN
A numeric value stored at the issuers host that is used to identify the cardholder when PIN verification takes place through an online message routed between the acquirer and the issuer.

Online PIN Verification

The process of verifying a PIN entered into a terminal by the cardholder by sending it to the issuer for verification. The PIN entered by the cardholder is compared to a numeric value stored at the issuers host.

27 Jun 2002

Visa *Confidential*

Glossary1

PIN Management for IC Cards Member Implementation Guide 40060-01

PIN Change/Unlock
A PIN Management message used to change the offline PIN on an IC card. Optionally, the issuer may reset the PIN-try counter in the same response message, as the status of the PIN-try counter is included in the request message.

PIN Verification Value (PVV)

The PIN Verification Value is used in the PIN Verification Service offered by Visa to verify PINs on behalf of issuers. This service is not available to PIN Management for IC Cards as only the issuer can approve a PIN Management request.

PIN Management Message

An online message used to handle PIN-related functions, such as changing or unlocking a PIN on an IC card.

PIN Unlock
A PIN Management message used to reset the PIN-try counter on IC cards. When the PIN-try counter reaches its maximum allowable value as set by the issuer, the card application may become blocked. This will prevent subsequent transactions.

Post-Issuance Script
A command sent from the card issuer to the IC card through VisaNet to change a parameter set in the chip on the card. The IC card will verify that it is the genuine issuer that has provided the PostIssuance Script. Also referred to as issuer script.

Glossary2

Visa *Confidential*

27 Jun 2002