Monday, April 12th, 2010

Requirements for Self-Service Terminals

Tags: card acceptance best practices, cardholder-activated terminals, chargebacks, floor limit, self-service terminals, transaction authorization

A self-service terminal is a cardholder-activated terminal (CAT), typically one that both delivers the goods and takes payment for them (for example, an automated terminal at a gas station or train station). The following card acceptance requirements apply to the use of self-service terminals, in addition to the general requirements applicable to all CATs:

  1. Self-service terminals do not process personal identification numbers (PINs). They include, but are not limited to, automated gas station terminals.
  2. All self-service terminals must comply with the following requirements:
    • The floor limit for all transactions at self-service terminals is zero, which means that all transactions must be authorized, regardless of the transaction amount.
    • The merchant’s processing bank must read and transmit full, unaltered card account data.
  3. The authorization system forwards to the card issuer every transaction that the authorization request message identifies as a self-service terminal transaction.
  4. The maximum transaction amount for all transactions at self-service terminals is $100 or its equivalent.
  5. Chargebacks processed because no cardholder authorization was obtained for self-service terminal transactions will be allowed only if the card issuer verifies that the account number used in the transaction is fraudulent, as documented in a letter written by the cardholder to the card issuer. Additionally, the card issuer must block the account number and list it on Visa’s or MasterCard’s file with a “capture card” response until card expiration. Card issuers in the Europe region also must list such accounts on the European Stop List (ESL).
    Counterfeit transactions processed at self-service terminals for which the acquiring bank has transmitted the full magnetic stripe data in the authorization request message and for which an authorization was obtained are ineligible for chargebacks processed because of no cardholder authorization.
  6. A U.S.-based merchant acquiring automated gas station transactions at self-service terminals may forward an authorization request message for $1 if the transaction is properly identified by MCC 5542 (automated fuel dispenser) and cardholder-activated terminal level indicator 2. If an authorization is obtained, the processing bank is protected from the authorization-related chargebacks “requested/required authorization not obtained” and “exceeds floor limit – not authorized and fraudulent transaction” for transactions less than or equal to $75. For transactions that exceed $75, the processing bank’s protection is limited to $75, and card issuers may charge back only the difference between the transaction amount and the implied $75 limit.
  7. A self-service terminal that also is a hybrid terminal may perform fallback procedures from chip to magnetic stripe unless it is prohibited by a region.
Friday, April 2nd, 2010

General Requirements for In-Flight Commerce Terminals

Tags: cardholder-activated terminals, floor limit, in-flight commerce terminals, merchant category code (MCC), Mod 10 algorithm, transaction authorization, transaction category code (TCC), transaction clearing

Transactions such as shopping or gaming that a cardholder initiates during a flight are known as in-flight commerce (IFC). In-flight commerce terminals are cardholder-activated terminals operated on board aircraft. Merchants operating such terminals and their processing banks must comply with the following requirements:

  1. Requirements for processing banks and service providers.
    • Processing banks must ensure delivery and installation of the In-Flight Commerce Blocked Gaming File to gaming service providers, before they can process gaming transactions.
    • Processing banks must identify IFC services or products with the most appropriate merchant category code (MCC) in the authorization message and merchant business code (MCC) in first presentment messages. If an airline also acts as the service provider, the processing bank may not use an airline MCC but must assign the proper MCC for each type of IFC transaction. The following list of IFC transaction types must be identified with the designated MCC:

      IFC Transaction Type      MCC
      Catalog merchant          5964
      Duty-free store           5309
      Gaming                    7995
      Miscellaneous services    7299
      Video game                7994

    • Transactions must be consolidated by MCC, per flight, for each cardholder account.
    • Processing banks must identify the transaction with the most appropriate transaction category code (TCC) in the authorization request message, as shown in the table below.

      If the IFC transaction is for…    The acquirer must use TCC…
      Gaming                            U for Unique Transaction
      Anything other than gaming        R for Retail Purchase

    • The merchant’s name and location must include the service provider’s name and flight identification. The flight identification must be a recognizable identification of the airline.
    • The city field description for mailed purchases and gaming transactions should contain the service provider’s customer service telephone number. For all IFC transactions other than mailed purchases and gaming, the city field description optionally may be a customer service telephone number.
    • For all IFC transactions except IFC mailed purchase transactions, the transaction date is defined as the date that the flight departs from the originating city. The transaction date for mailed purchases is defined as the shipment date unless otherwise disclosed to the cardholder.
    • Processing banks must ensure that the service provider provides full disclosure to the cardholder via the video monitor screen prior to the initiation of any IFC transactions. The screen must prompt the cardholder to acknowledge these disclosure terms before initiating a transaction. Disclosures must include the following:
      • Full identification of the service provider and provision for recourse in terms of cardholder complaints or questions.
      • Notification that transactions will be billed upon the issuer’s approval of the authorization request.
      • For mailed purchases only, any additional shipping or handling charges.
      • Policy on refunds or returns.
      • Provision for a paper receipt.


      For IFC gaming transactions, service providers must additionally disclose the following:

      • Maximum winnings ($3,500) and maximum losses ($350).
      • Notification that total net transaction amount (whether a net win or loss) will be applied against the cardholder’s account.
      • Notification that cardholder must be at least 18 years of age to play.
      • Notification that some card issuers may not allow gaming.
    • Processing banks must ensure that the service provider is capable of providing an itemized receipt to the cardholder for all IFC transactions. The processor must ensure that, at the cardholder’s option, the service provider can effect this offer in one of three ways:
      • Printing a receipt at the passenger’s seat.
      • Printing a receipt from a centralized printer on the plane.
      • Mailing a receipt to the cardholder.


      The mailed receipt offer must be made available via the video monitor and must require the cardholder to input his or her name and address. For IFC gaming transactions the service provider must provide a receipt to the cardholder by one of the first two methods described above. The receipt must contain the following elements:

      • Identification of the passenger’s flight, seat number, and date of departure.
      • Itemized transaction detail.
      • Gaming transaction specified as a net win or net loss.
      • The cardholder’s account number truncated on the receipt. Processors must ensure that transaction receipts provided to cardholders show only the last four digits of the cardholder account number. The remaining digits must be truncated. It is also recommended that truncated digits are replaced with fill characters such as “X”, “*”, or “#” and not with blank spaces or numeric characters.
    • For IFC terminals, the security of data transmission between the on-board client server and the processing bank, and the physical controls over hardware and operating software, must be assured and demonstrated. Encryption of transmitted data is recommended.
  2. Transaction requirements.
    • No maximum transaction amount applies to any IFC transaction, with the exception of IFC gaming transactions.
    • An IFC terminal that also is a hybrid terminal is prohibited from performing fallback procedures from chip to magnetic stripe.
  3. Cardholder account number verification – in-flight verification prior to transaction initiation. Prior to initiating an in-flight card transaction, the account number must be verified. The following procedures should be followed:
    • The service provider must conduct a Mod-10 check digit routine to verify the card’s authenticity.
    • The service provider must confirm that the card account number is a valid one. A valid number for each card brand should begin with:
      • American Express cards – 3.
      • Visa cards – 4.
      • MasterCard cards – 5.
      • Discover cards – 6.
  4. Authorization requirements.
    • The authorization request message must include the cardholder-activated terminal indicator.
    • The processor must read and transmit full, unaltered card-read data. An IFC authorization request may not contain a key-entered account number or expiration date.
    • Transactions are either authorized air-to-ground during the transaction or authorized in a delayed batch. All are authorized on a zero floor limit basis.
    • The processor must convert all “refer to card issuer” and “capture card” messages received from issuers to “declines.”
  5. Clearing requirements.
    • The processor is not permitted to submit declined transactions for clearing.
    • No surcharges or service fees may be assessed on any IFC transaction.
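The account number verification in item 3 (a Mod-10 check digit routine followed by the brand prefix check), as an added example that is not code from the original post: the Luhn routine, the single-digit prefix table taken from the post, and the accepted 13 to 19 digit PAN length (the ISO/IEC 7812 range, which the post does not mention) are this example's assumptions, and the numbers in the demo are commonly published test card numbers, not real accounts.

```python
import re

# Leading digit required for each card brand, as listed in the post's
# verification procedure (item 3). Real BIN tables are far more detailed;
# this single-digit table is the post's rule, not a full brand lookup.
BRAND_PREFIXES = {
    "3": "American Express",
    "4": "Visa",
    "5": "MasterCard",
    "6": "Discover",
}

# Assumed for this example: a PAN is 13 to 19 digits long (ISO/IEC 7812 range).
MIN_PAN_LEN, MAX_PAN_LEN = 13, 19


def luhn_check(pan: str) -> bool:
    """Mod-10 (Luhn) check digit routine over a string of digits.

    Walking from the rightmost digit, every second digit is doubled (and 9 is
    subtracted when the result exceeds 9); the number passes when the sum of
    all resulting digits is a multiple of 10.
    """
    total = 0
    for position, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def verify_account_number(raw: str) -> tuple[bool, str]:
    """Pre-transaction sanity check on a card number before an IFC transaction.

    Returns (True, brand) when the number is well formed, otherwise
    (False, reason). Passing says nothing about whether the account is open
    or the card genuine; the zero-floor-limit authorization in item 4 still
    decides that.
    """
    pan = re.sub(r"[\s-]", "", raw)          # tolerate display grouping
    if not pan.isdigit():
        return False, "account number contains non-digit characters"
    if not MIN_PAN_LEN <= len(pan) <= MAX_PAN_LEN:
        return False, f"length {len(pan)} outside {MIN_PAN_LEN}-{MAX_PAN_LEN}"
    brand = BRAND_PREFIXES.get(pan[0])
    if brand is None:
        return False, f"leading digit {pan[0]} matches no accepted brand"
    if not luhn_check(pan):
        return False, "Mod-10 check digit failed"
    return True, brand


if __name__ == "__main__":
    # Commonly published test card numbers: they pass the check digit but are
    # not real accounts. The last sample has a deliberately altered final digit.
    for sample in ("4111 1111 1111 1111", "378282246310005",
                   "5555555555554444", "6011111111111117",
                   "7111111111111111", "4111111111111112"):
        ok, info = verify_account_number(sample)
        print(f"{sample:<22} {'OK' if ok else 'REJECT'}: {info}")
```

The check digit routine only catches mis-read or mis-keyed numbers; it is a filter that keeps malformed requests off the air-to-ground link, not evidence that the card is genuine, which is why the post still requires every transaction to be authorized. The prefix table reflects the post's 2010 rules; MasterCard later added a 2-series BIN range, so a current deployment needs an updated table.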
Tuesday, March 30th, 2010

General Requirements for Automated Teller Machines (ATMs)

Tags: ATM, cardholder-activated terminals, chargebacks, data security, processing banks

Automated Teller Machines (ATMs) are cardholder-activated terminals that give clients of financial institutions access to their accounts and let them carry out financial transactions without a bank clerk. Customers identify themselves at an ATM by inserting an ATM card into the terminal and entering a preselected personal identification number (PIN). The information is then verified with the card issuer and the cardholder is allowed to proceed with the transaction.


As with all other types of cardholder-activated terminals, ATM requirements specify the maximum dollar amount of transactions allowed, as well as authorization, clearing, chargeback, and transaction liability. The following specific requirements apply:

  1. The ATM must accept a personal identification number (PIN) as a substitute for signature.
    1. If PIN is not adopted as a standard within a country or card issuers have not provided one, this type of service is not available.
    2. The PIN authorization must be made via a secured data transmission.
    3. ATM terminals must be able to support numeric, alpha, or alphanumeric PINs with a minimum length of four digits.
  2. The merchant’s processing bank may decline a transaction after four attempts and four consecutive negative responses of “invalid PIN” or “invalid transaction” from the credit card network. Alternatively, the processing bank may allow more than four consecutive PIN entry attempts at an ATM even when each has received a negative response.
  3. All transactions, regardless of the amount, must be authorized on a zero floor limit basis with full, unaltered card-read data transmitted.
  4. Card retention at an ATM is not required. However, if the terminal has that capability, the merchant may do so only at the card issuer’s specific direction.
    1. The retained card must be logged and secured under applicable audit controls.
    2. The retained card must be cut in half and then returned to the merchant’s processing bank.
  5. For transactions processed at ATMs where a PIN and full, unaltered card data is transmitted, “No Cardholder Authorization” chargeback rights are not available to card issuers because PIN is a valid substitute for the cardholder’s signature.
  6. An ATM that is also a hybrid terminal may perform fallback procedures unless it is specifically prohibited by local regulations. Processing banks use fallback procedures when a smart card is present at a hybrid terminal and the merchant processes the transaction by using the magnetic stripe or by manually entering the account number, because the merchant cannot process the transaction using smart card technology.
Friday, March 26th, 2010

Requirements and Best Practices for Truncating Card Account Numbers

Tags: ATM, best practices, cardholder-activated terminals, credit card receipts, data security, fraud prevention, point of sale (POS)

Industry regulations require merchants and processing banks to truncate, or otherwise make indeterminable, all but the last four digits of a primary account number (PAN) on printed sales receipts generated by point-of-sale (POS) terminals and automated teller machines (ATMs). Truncation is also required for all sales receipts generated at Cardholder-Activated Terminals (CATs), like the ones installed at gas stations or train stations, as well as for receipts generated at all other points of sale.


Since 2005 all transaction receipts generated by newly installed, replaced or relocated POS terminals, whether attended or unattended, have been required to adhere to this policy. While an account number’s last four digits must be shown on a sales receipt, all preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters. Characters that can be used include “X,” “*,” and “#.”


Implementing best practices for truncating card account numbers not only helps merchants fight fraud but also promotes customer confidence in the merchant’s ability to handle personal information securely. The last four digits give the customer enough information to identify the card that he or she used in the transaction.


Truncation of a greater number of digits, when compared to the total number of digits in the PAN, typically increases the effectiveness of your data protection procedures. However, it may also increase the confusion and difficulty that cardholders may have in reconciling their sales receipts to their monthly card statements. That’s why a sales receipt should also include the following information:

  • Your Doing Business As (DBA) merchant name.
  • The transaction date.
  • A description of the products or services sold.
  • The authorization approval code (except on credit receipts).
  • Cardholder identification – only required for unique transactions processed in a card-present environment (with the exception of truck stop transactions and card-read transactions where a non-signature CVM is used). In such transactions merchants must include on the sales receipt a description of the unexpired, official government document provided as identification by the cardholder, including any serial number, expiration date, jurisdiction of issue, customer name (if not the same name as embossed on the card), and customer address.


PAN truncation is an important part of each merchant’s data security policy. While most of the technical work related to the procedure is done by processing banks and POS terminal manufacturers, it is important to understand that merchants bear (or at the very least share) the ultimate responsibility for a data security breach, as many retailers have discovered. Remember that your customer has a relationship with you, not with your processor or suppliers, and will hold you exclusively responsible for any compromise in his or her account information. Even if you are not held legally responsible for a data breach, your customers are likely to vote with their feet and go to a competitor, if they believe you are not doing enough to protect their sensitive account information.

Tuesday, March 16th, 2010

Card Acceptance Requirements at Cardholder-Activated Terminals

Tags: card acceptance best practices, card-present transactions, cardholder-activated terminals, point of sale (POS), processing banks

Cardholder-activated terminals (CATs) are typically unattended terminals that accept bank cards for payment. These terminals are frequently installed at rail ticketing stations, gas stations, toll roads, parking garages, and other merchant locations. There are four types of cardholder-activated terminals:


CAT requirements specify the maximum dollar amount of transactions permitted as well as authorization, clearing and chargeback requirements and related transaction liability for each CAT type.


Because CATs are typically unattended, traditional point-of-sale (POS) card acceptance procedures do not apply, such as verification of the card’s validity by examining its hologram, account number, expiration date and other security features for signs of tampering. For the same reason the merchant is also prevented from verifying the authenticity of the cardholder’s signature.


Merchants operating CATs need to ensure that payment processing procedures at their unattended terminals comply with the following general acceptance requirements:

  1. All non-face-to-face transactions initiated by the cardholder where the card number is either captured as a result of reading the card electronically or by using an electronic device (such as a transponder, PC, or mobile phone) must include the proper cardholder-activated terminal (CAT) level indicator in both the authorization message and clearing records. Depending on the CAT level indicator, other specific data is required for authorization and clearing.
    1. The authorization request message must include a valid merchant category code, point-of-sale (POS) country code, POS postal code, and CAT level indicator (Level 1, 2, 3, 4, 6, or 7).
    2. Messages used at the CAT must communicate to the cardholder, at a minimum, the following information:
      • Invalid transaction.
      • Unable to route.
      • Invalid PIN – re-enter (Level 1 only).
      • Capture card (subject to the terminal’s ability to retain cards).
    3. The merchant identification number and the CAT level indicator must be present in the First Presentment, First Chargeback, Second Presentment, and Arbitration Chargeback messages.
  2. Processing banks must ensure that the description of products or services on the CAT sales receipt is clearly recognizable to the cardholder.
  3. Processing banks are responsible for providing requested transaction information documents.
  4. No CAT may accept a bank card for the purchase of scrip.
  5. Processing banks must ensure that transaction receipts provided to cardholders show only the last four digits of the primary account number, and that all preceding digits are truncated. The truncated digits must be replaced with fill characters such as “X,” “*,” or “#” and not with blank spaces or numeric characters.
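The receipt truncation rule in item 5 above and in the March 26 post on truncating card account numbers, as an added example that is neither post's own code: it masks a PAN with one of the three fill characters the posts name, checks that a printed account number field follows the rule (fill characters rather than blanks or digits, exactly the last four digits visible), and audits constructed receipt lines for an account number printed in full. Restricting fill to exactly those three characters, treating any run of 13 or more digits as a possible untruncated PAN, and the sample receipt lines are this example's assumptions.

```python
import re

# Fill characters the posts name for the truncated digits; blank spaces and
# numeric characters are explicitly disallowed. The posts say "such as", so
# limiting fill to exactly these three is this example's choice.
ALLOWED_FILL = ("X", "*", "#")
VISIBLE_DIGITS = 4

# A printed account number field is compliant when it is one or more allowed
# fill characters followed by exactly four digits.
COMPLIANT_FIELD = re.compile(r"[" + re.escape("".join(ALLOWED_FILL)) + r"]+\d{4}")

# Assumption for the audit: any run of 13 or more digits (a PAN's length
# range) left on a receipt line is a possible untruncated account number.
PAN_RUN = re.compile(r"\d{13,}")


def truncate_pan(pan: str, fill: str = "X") -> str:
    """Return the receipt form of a PAN: every digit but the last four replaced by `fill`."""
    if fill not in ALLOWED_FILL:
        raise ValueError(f"fill character must be one of {ALLOWED_FILL}, got {fill!r}")
    digits = re.sub(r"\D", "", pan)            # drop spaces or dashes used for display
    if len(digits) <= VISIBLE_DIGITS:
        raise ValueError("account number has too few digits to truncate")
    return fill * (len(digits) - VISIBLE_DIGITS) + digits[-VISIBLE_DIGITS:]


def masked_field_is_compliant(field: str) -> bool:
    """True if a printed account number field shows only the last four digits,
    preceded by allowed fill characters (blanks or digits as fill fail)."""
    return COMPLIANT_FIELD.fullmatch(field) is not None


def audit_receipt(lines: list[str]) -> list[int]:
    """Return the 1-based numbers of receipt lines that appear to print a full PAN."""
    leaking = []
    for number, line in enumerate(lines, start=1):
        collapsed = re.sub(r"[ -]", "", line)  # '4111 1111 1111 1111' becomes one run
        if PAN_RUN.search(collapsed):
            leaking.append(number)
    return leaking


# Constructed receipt lines (not real transaction data) used to exercise the audit.
SAMPLE_RECEIPT = [
    "EXAMPLE FUEL STOP (DBA name)",
    "DATE 2010-04-12  AUTH 123456",
    "CARD 4111 1111 1111 1111",                # line 3: full PAN printed
    "CARD " + truncate_pan("4111 1111 1111 1111", "*"),
    "UNLEADED 10.00 GAL  TOTAL $28.90",
]


if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_RECEIPT, start=1):
        print(f"{number}: {line}")
    print("lines leaking a full account number:", audit_receipt(SAMPLE_RECEIPT))
    for field in ("XXXXXXXXXXXX1111", "            1111", "4111111111111111"):
        print(f"{field!r:<22} compliant={masked_field_is_compliant(field)}")
```

The audit is deliberately coarse: it scans printed output for anything PAN-shaped after collapsing display separators, which is what a merchant reviewing receipt samples from a newly installed or relocated terminal wants to catch first. It will flag any 13-digit-or-longer run, so a date printed directly beside an approval code with nothing but spaces between them would be reported and should be checked by hand.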