Tuesday, June 5, 2012

Cardholder-Activated Terminals

Cardholder-Activated Terminals

Typically, cardholder-activated terminals (CATs) are unattended terminals that accept bankcards, debit, credit, and proprietary cards. These terminals are frequently installed at train and subway ticketing stations, gas stations, toll roads, parking garages, and other merchant locations. The cardholder is typically guided through the sales process by a series of requests posted on the terminal's screen. There are four types of cardholder-activated terminals:
  • Automated Dispensing Machines - Level 1.
  • Self-Service Terminals - Level 2.
  • Limited Amount Terminals - Level 3.
  • In-Flight Commerce (IFC) Terminals - Level 4.
Cardholder-activated terminal requirements specify the maximum dollar amount of transactions permitted as well as authorization, clearing and chargeback requirements and related transaction liability for each cardholder-activated terminal type.

Because cardholder-activated terminals are usually unattended, the traditional point-of-sale (POS) card acceptance procedures do not apply, such as the merchant's verification of the card's authenticity by examining its hologram, embossed account number, or embossed security features for signs of altering. The merchant is also prevented from verifying the authenticity of the cardholder's signature.

Requirements for Cardholder-Activated Terminals

Cardholder-activated terminals must comply with the following six general card acceptance requirements:
  1. All non–face-to-face transactions initiated by the cardholder where the card number is either captured as a result of reading the card electronically or by using an electronic device (such as a transponder, PC, or mobile phone) must include the proper cardholder-activated terminal (CAT) level indicator in both the authorization message and clearing records. Depending on the CAT level indicator, other specific data is required for authorization and clearing.
    • The Authorization Request message must include a valid merchant category code, point-of-sale (POS) country code, POS postal code, and CAT level indicator (Level 1, 2, 3, 4, 6, or 7).
    • Messages used at the CAT must communicate to the cardholder, at a minimum, the following information:
      • Invalid transaction.
      • Unable to route.
      • Invalid PIN—re-enter (Level 1 only).
      • Capture card (subject to the terminal’s ability to retain cards).
    • The merchant identification number and the CAT level indicator must be present in the First Presentment, First Chargeback, Second Presentment, and Arbitration Chargeback messages.
  2. The acquiring bank must ensure that the description of products or services on the CAT sales receipt is clearly recognizable to the cardholder.
  3. Acquiring banks are responsible for providing requested transaction information documents.
  4. No cardholder-activated terminal may accept a payment card for the purchase of scrip.
  5. Acquiring banks must ensure that sales receipts show only the last four digits of the card account number, and that all preceding digits are truncated. The truncated digits must be replaced with fill characters such as "X," "*," or "#" and not with blank spaces or numeric characters.
Requirements for Automated Dispensing Machines

The following card acceptance requirements apply to Automated Dispensing Machines (ADM)/Level 1.
  1. The Automated Dispensing Machine must accept a personal identification number (PIN) as a substitute for signature.
    • If PIN is not adopted as a standard within a country or card issuers have not provided one, this level of service is not available.
    • The PIN authorization must be made via a secured transmission.
    • ADM terminals must be able to support numeric, alpha, or alphanumeric PINs with a minimum length of four digits.
  2. The acquiring bank may decline a transaction after four attempts and four consecutive negative responses of "invalid PIN" or "invalid transaction" from the credit card network. Optionally, the acquiring bank may allow more than four consecutive PIN entry attempts that each received a negative response at an ADM.
  3. All transactions regardless of amount must be authorized on a zero floor limit basis with full, unaltered card read data transmitted.
  4. Card retention at an ADM is not required, however, if the terminal capability is available, the merchant may do so only at the card issuer's specific direction.
    • The retained card must be logged and secured under appropriate audit controls.
    • The retained card must be cut in half and then returned to the acquiring bank.
  5. For transactions processed at ADMs where a PIN and full, unaltered card data is transmitted, "No Cardholder Authorization" chargeback rights are not available to card issuers because PIN is a valid proxy for the cardholder's signature.
  6. An ADM that is also a hybrid terminal may perform fallback procedures unless it is prohibited by a region. Acquiring banks use fallback procedures when a smart card is present at a hybrid terminal and the merchant processes the transaction by using the magnetic stripe or by manually entering the account number because the merchant cannot process the transaction using smart card technology.
Requirements for Self-Service Terminals
The following card acceptance requirements apply to Self-Service Terminals (SST)/Level 2.
  1. Self-Service Terminals do not process PIN. They include (but are not limited to) automated fuel dispensers identified with MCC 5542.
  2. All Self-Service Terminals must comply with the following requirements:
    • The floor limit for authorization purposes is zero.
    • The acquiring bank must read and transmit full, unaltered card account data.
  3. The Authorization System will send all transactions identified as Self-Service Terminals in the Authorization Request message to the card issuer, regardless of Limit 1 parameters.
  4. The maximum transaction amount is $100 or its equivalent.
  5. Chargebacks processed because of no cardholder authorization for Self-Service Terminal transactions will be allowed only if the card issuer verifies that the account number used in the transaction is fraudulent, as documented in a letter written by the cardholder to the card issuer. Additionally, the card issuer must block the account number until card expiration on or before the Central Site processing date of chargebacks processed because of no cardholder authorization. The card issuer also must list the cardholder account number on the respective Credit Card Association's Account File with a "capture card" response until card expiration. Card issuers in the Europe region also must list such accounts on the European Stop List (ESL).Counterfeit transactions occurring at Self-Service Terminals for which the acquiring bank has transmitted the full magnetic stripe data in the authorization request message and for which an authorization was obtained are ineligible for chargebacks processed because of no cardholder authorization.
  6. A U.S.-based merchant acquiring automated fuel dispenser transactions at Self-Service Terminals/Level 2 may forward an Authorization Request message for $1 if properly identified by MCC 5542 (automated fuel dispenser) and CAT level indicator 2. If authorization is obtained, the acquiring bank is protected from authorization related chargebacks "requested/required authorization not obtained", or "exceeds floor limit - not authorized and fraudulent transaction" for transactions less than or equal to $75. The acquiring bank protection is limited to $75 for transactions that exceed $75, and card issuers may charge back only the difference between the transaction amount and the implied $75 limit.
  7. A Self-Service Terminal that also is a hybrid terminal may perform fallback procedures from chip to magnetic stripe unless it is prohibited by a region.
Requirements for Limited-Amount Terminals
The following card acceptance requirements apply to Limited-Amount Terminals/Level 3.
  1. A Limited Amount Terminal must check the account number against the Electronic Warning Bulletin file if the terminal has such a capacity.
  2. The maximum transaction amount is $40 or its equivalent.
  3. Re-presentment rights for chargebacks processed because of no cardholder authorization are not available to card issuers for properly identified Limited-Amount Terminals/Level 3 transactions. Re-presentment rights for chargebacks processed because the requested or required authorization was not obtained or exceeded the applicable floor limit or for not authorized and fraudulent transactions, are available if the maximum transaction amount of $40 or its equivalent has been exceeded.
  4. A Limited-Amount Terminal that also is a hybrid terminal is prohibited from performing fallback procedures from chip to magnetic stripe.
In-Flight Commerce Terminals
  1. Acquiring Bank and Merchant Services Provider Requirements and Transaction Identification
    • Acquiring banks must ensure timely delivery and installation of the In-Flight Commerce (IFC) Blocked Gaming File to gaming service providers. IFC Blocked Gaming File access is required before every gaming transaction.
    • Acquiring banks must identify in-flight commerce services or merchandise with the most appropriate merchant category code (MCC) in the authorization message and merchant business code (MCC) in First Presentment messages. If an airline also acts as the service provider, the acquiring bank may not use an airline MCC but must assign the proper MCC for each type of IFC transaction. The following list of IFC transaction types must be identified with the designated MCC.
      • Catalog merchant - 5964.
      • Duty-free store - 5306.
      • Gaming - 7995.
      • Miscellaneous services - 7299.
      • Video game - 7994.
    • Transactions must be consolidated by MCC, per flight, for each cardholder account.
    • The acquiring bank must identify the transaction with the most appropriate transaction category code (TCC) in the authorization request message. The TCC for gaming transactions should be "U" (unique transaction) and for any other type of transactions - "R" (retail purchase).
    • The merchant name and location must include the service provider's name and flight identification. The flight identification must be a recognizable identification of the airline.
    • The city field description for mailed purchases and gaming transactions should contain the the service provider's customer service telephone number. For all IFC transactions other than mailed purchases and gaming, the city field description optionally may be a customer service telephone number.
    • For all IFC transactions except IFC mailed purchase transactions, the transaction date is defined as the date that the flight departs from the originating city. The transaction date for mailed purchases is defined as the shipment date unless otherwise disclosed to the cardholder.
    • Acquiring banks must ensure that the service provider provides full disclosure to the cardholder via the video monitor screen prior to the initiation of any IFC transactions. The screen must prompt the cardholder to acknowledge these disclosure terms before initiating a transaction. Disclosures must include the following:
      • Full identification of the service provider and provision for recourse in terms of cardholder complaints or questions.
      • Notification that transactions will be billed upon the issuer's approval of the authorization request.
      • For mailed purchases only, any additional shipping or handling charges.
      • Policy on refunds or returns.
      • Provision for a paper receipt.

      For IFC gaming transactions, service providers must additionally disclose the following:

      • Maximum winnings ($3,500) and maximum losses ($350).
      • Notification that total net transaction amount (whether a net win or loss) will be applied against the cardholder's account.
      • Notification that cardholder must be at least 18 years of age to play.
      • Notification that some card issuers may not allow gaming.
    • Acquiring banks must ensure that the service provider is capable of providing an itemized receipt to the cardholder for all IFC transactions. The acquirer must ensure that, at the cardholder's option, the service provider can effect this offer in one of three ways:
      • Printing a receipt at the passenger's seat.
      • Printing a receipt from a centralized printer on the plane.
      • Mailing a receipt to the cardholder.
      The mailed receipt offer must be made available via the video monitor and must require the cardholder to input his or her name and address. For IFC gaming transactions the service provider must provide a receipt to the cardholder by one of the first two methods described above. The receipt must contain the following elements:

      • Identification of the passenger's flight, seat number, and date of departure.
      • Itemized transaction detail.
      • Gaming transaction specified as a net win or net loss.
      • The cardholder's account number truncated on the receipt. Acquiring banks must ensure that transaction receipts provided to cardholders reflect a minimum of four and a maximum of 12 digits of the cardholder account number. The remaining digits must be truncated. It is recommended that the receipt reflect only the last four digits of the primary account number, and that all preceding digits are truncated. It is also recommended that truncated digits are replaced with fill characters such as "X", "*", or "#" and not with blank spaces or numeric characters.
    • For IFC terminals, the assurance and demonstration of security of the transmission of data between the on-board client server and the acquiring bank and the physical controls over hardware and operating software. Encryption of transmitted data is advised.
  2. Transaction Requirements.
    • There are no maximum transaction amount requirements that apply to any IFC transaction, with the exception of IFC gaming transactions.
    • Merchants are not allowed to perform fallback procedures from chip to magnetic stripe on an IFC terminal that also is a hybrid terminal.
  3. Additional Requirements for IFC Gaming Transactions.
    • Net gaming losses cannot exceed $350 per flight per cardholder account. Net payouts to cardholders for gaming wins cannot exceed $3,500 per flight per cardholder account. The service provider must monitor gaming activity throughout the flight by and ensure compliance with this requirement.
    • When a cardholder posts a gaming win, the transaction must result in posting of net winnings (credit) to the cardholder's account. Under no circumstance may winnings be paid in cash or other form of payment.
    • Before participating in IFC gaming activity, the acquiring bank must ensure that such IFC gaming activity will be conducted in full compliance with all applicable laws and regulations.
  4. In-flight Cardholder Account Number Verification Prior to Transaction Initiation.
    • The service provider must conduct a Mod-10 check digit routine to verify card authenticity.
    • The service provider must confirm that the card account number is within a valid BIN range that begins with:
      • American Express - 3.
      • Visa cards - 4.
      • MasterCard cards - 5.
      • Discover cards - 6.
    • For IFC gaming transactions, the acquiring bank must ensure that the cardholder's account number is checked against the IFC Blocked Gaming File. Cardholders whose account numbers are listed on the IFC Blocked Gaming File are prohibited from participating in any IFC gaming transaction.
  5. Authorization Requirements
    • The authorization request message must include the cardholder-activated terminal level 4 indicator.
    • Acquiring banks must read and transmit full, unaltered card account data. An IFC authorization request may not contain a key-entered account number or expiration date.
    • Transactions are either authorized air-to-ground during the transaction or authorized in a delayed batch. All in-flight commerce transactions have a floor limit of zero and must be authorized without exception.
    • Acquiring banks must convert all "refer to card issuer" and "capture card" messages received from issuers to "declines."
  6. Additional Authorization Requirements. All IFC gaming losses authorized post-flight must be submitted for authorization for the net amount. All gaming transactions authorized during the flight will be for the full wager amount ($350 or a lower amount pre-determined by the airline and gaming service provider). No gaming wins will be submitted for authorization.
  7. Clearing Requirements.
    • Acquiring banks are not allowed to submit declined transactions for clearing.
    • No surcharges or service fees may be assessed on any IFC transaction, including IFC gaming transactions.
  8. Additional Clearing Requirements.
    • IFC gaming transactions submitted for clearing must be for the net amount that is won or lost.
    • IFC gaming win transactions will be submitted as a credit transaction. Interchange will be paid to card issuers by acquiring banks on gaming win transactions.
    • Acquiring banks may resubmit a gaming transaction for a different amount within the specified transaction limits if it was previously rejected for exceeding the specified transaction limits which are $3,500 for wins and $350 for losses.

No comments:

Post a Comment