Now that Visa has made it mandatory for all U.S. processors to support chip-based transactions by April 1, 2013, we will need to start familiarizing ourselves with the new technology. In this post I will review the requirement for all EMV-accepting devices to support terminal risk management. Each point-of-sale (POS) device should be able to determine whether terminal risk management must be performed prior to sending an authorization decision to the card.
The two mandatory risk management checks for POS terminals are floor limit and random transaction selection.
Floor limit is the transaction amount above which an authorization needs to be requested. Processors determine the floor limit for each of their merchants using Visa and MasterCard regulations, based on the country and merchant type.
Countries can implement different floor limits for chip and magnetic stripe transactions, so POS devices should be capable of supporting both. Alternatively, terminals can have an effective zero floor limit for mag-stripe transactions by forcing all of them online and use a floor limit for chip transactions.
Floor limits for mag-stripe transactions are not applicable for fallback transactions (where the mag-stripe is only used if the chip cannot be read), which all have a zero floor limit. If a mag-stripe fallback transaction cannot be processed online, a paper voucher or key entry processing is allowed with voice authorization. If a fallback transaction cannot be authorized, it must be terminated.
Random Transaction Selection
EMV terminals must support random transaction selection for online processing, which helps protect against counterfeit cards designed to operate exclusively offline. The POS device needs to be programmed to randomly select below-floor-limit transactions for online processing. The values are determined on a per-country basis and designed to achieve two goals:
- Preventing criminals from predicting a POS terminal’s online behavior and exploiting the floor limit.
- Providing adequate opportunities for transactions to be approved offline, depending on the issuer’s card controls.
There are two types of random selection:
- Random selection. Here a certain percentage of below-floor-limit transactions is sent online.
- Biased random selection. In this case a formula is used to determine whether a transaction goes online, with the probability increasing as the transaction amount approaches the floor limit.
Random transaction selection is based on three factors:
- Target percentage for random selection. This percentage (which can be anywhere between 0 and 99) designates the approximate ratio of transactions below the threshold value that the POS terminal sends online for authorization. It also designates the minimum percentage of above-threshold transactions to be sent online. A value of zero turns off the random transaction selection.
- Threshold value for biased random selection. Below this value (which can be anywhere between 0 and the floor limit amount), transactions are subject to random selection and above it — to biased random selection. If the threshold is zero, all transactions will be evaluated by biased random selection. If it is set at the floor limit, random selection is used.
- Maximum target for biased random selection. This value (anywhere between 0 and 99) is used to increase the ratio of selected transactions as the transaction amount approaches the floor limit. The higher the maximum target amount, the more likely that the transaction will go online.
The POS terminal risk management rules, together with the card rules, are used to determine whether a given transaction should be approved offline, sent online for authorization, or declined offline. You will need to work with your processor and equipment vendor to ensure that your device is properly set up.
Image credit: Eftposmart.co.nz.