EMV Fallback Transaction

This article continues the series dedicated to EMV standard and EMV payment card processing. In it we are going to describe transaction fallback mechanism, its purpose, and types of EMV fallback transactions.

As we know, the general purpose of EMV technology is to increase the level of security and protection of cardholder data during the transaction. That is why it is always preferable to perform transactions when the card is equipped with a chip which is properly functioning. However, in some cases EMV transaction is impossible, in spite of the fact that the EMV chip is available.

For example, the payment terminal does not support chipped cards at all, or the slot, intended for reading of card chips is temporarily out of order.

Sometimes a chip cannot be read because it is damaged and the terminal cannot read the data from this chip.

For situations like these EMV standard provides the concept of EMV fallback transaction. If the data cannot be read from the chip, one can try to swipe the EMV card like an ordinary magnetic stripe card (swiped EMV fallback transaction). If the swipe doesn’t work either, it is possible to input the card number into the terminal manually (manual EMV fallback transaction).

It should be stressed, that EMV transaction fallback is an independent concept, and EMV card swipe cannot be viewed as an ordinary swipe transaction. This approach allows to prevent EMV terminals from being used for unintended purposes. That is, in theory, a fraudster could use a stolen EMV card with the terminal and try to swipe it or input its number manually (instead of scanning the chip, which might lead to detection of the fraudulent activity). However, EMV terminals are programmed in such a way that EMV card swipe cannot be attempted unless and attempt of reading the chip has already been made (although, technically, manual input of card number can still be attempted before the chip). This is implemented using a special service code, present in the track data. When a swipe is performed, the terminal analyzes that service code, it can block the swipe and display the message, requiring to insert the EMV card. If an attempt to insert an EMV chip has been detected, the terminal allows the operator to subsequently perform EMV fallback transaction. In this case, when the transaction is processed, a special flag is raised, indicating that it is a fallback, and that the initial attempt to read the chip was unsuccessful.

Conclusion

When implementing your EMV application, you need to take fallback mechanism into account. Although there are no strict requirements as to the order of fallbacks, it is recommended to develop protection mechanism, preventing the card from being swiped before the chip has been attempted. If the chip cannot be read, it is recommended to perform the swipe, and after that (if the swipe is unsuccessful) – try manual fallback.

If the payment terminal supports both contactless and contact EMV payments, these payment types should be “interchangeable” (if contact transaction is unsuccessful, conactless payment can be attempted and vice versa). If neither contact nor contacless payment comes through, swipe and manual fallback can be attempted.

Handling Interac Payments in Canada

With this article we continue the series of articles related to EMV standard and EMV certifications. The purpose of this particular article is to describe the peculiarities of integrations with Canadian payment service providers.

Any integration with a payment processing partner in Canada requires integration with Interac Association, which is a non-profit inter-bank debit network, connecting multiple financial entities in Canada. In principle, the process of integration with Interac is similar to integrations with other associations, such as Visa and MasterCard (or integrations with debit networks in the US). However, there are certain requirements, which distinguish integrations with Interac from those done with other associations. The difference lies in the supplemental mechanisms imposed by Interac Association members on processing of card-present and card-not-present transactions.

Let us outline these additional requirements.

Processing of card present transactions by Interac Association

When it comes to processing of card-present payments (both EMV and swipe) by Interac merchants, the distinguishing feature is the transaction validation mechanism. This mechanism involves additional data protection level. To provide this protection, an additional block of data is generated during transaction verification. This block is called message authentication code or MAC.

MAC block of data represents an encrypted line of values. These values are: transaction ID, transaction amount, merchant ID, and terminal ID. For encryption of the data block, including these values, a special key is used, called the session key. It should be stressed, that the session key is a separate value, unrelated to card PINs or P2PE keys. The session key is stored in the terminal memory and has to be updated (rotated) after a fixed number of transactions is processed. MAC values cannot be calculated at POS/gateway level, as they depend on particular terminal hardware.

Encrypted MAC block is used as a kind of digital signature/seal, which is used by the payment processor to ensure that the rest of the message arrived unaltered. When the message is received by the processor, it uses MAC block as well as values provided in the message to verify the integrity of the message. The response, generated by the processor and sent to the terminal, also includes an additional encrypted MAC block of data, which has to be decrypted and validated by the terminal. The terminal must send back confirmation of receipt of unaltered response message.

As we see, MAC ensures the control of transaction integrity. We should remind that MAC is a mechanism, specific for Interac, and intended only for protection of debit (both EMV and swiped) card data.

Processing of card-not-present transactions by Interac Association

When it comes to processing of card-not-present transactions, some (but not all) Interac Association members use an additional data protection mechanism, which is, in a way, similar to 3D secure capabilities, used by Visa and MasterCard.

More or less detailed information on how 3D secure works can be found in the respective Paylosophy article. Here we’d like to remind, that 3D secure protection mechanism redirects the cardholder from the shopping cart application to the bank’s web-site, where he is required to input some additional confirmation of his identity (usually, some confirmation code or password).

Some Canadian providers are using a special online service, similar to 3D secure. A cardholder, paying for products or services online with his debit card, is automatically redirected to the web-site of the aforementioned online service, where he is required to input additional information, confirming his identity.

Conclusion

If you are planning your first integration in Canada, it is important to understand, that, even if you have the experience of conducting integrations in the US, in Canada your integrations will be a bit more complicated, due to additional Interac logic. Particularly, this means that an EMV payment application, developed in the US, would still require quite significant adjustments to be able to support Interac in Canada, because Interac, in its turn, requires the special logic, depending on specific terminal hardware. If you are ordering test terminals to do your integrations, make sure, that they are injected not only with a PIN key, but with the MAC key, needed for integration with Interac.

Internet-acquiring and Omni-channel Payment Platforms

If you are an online business looking for a processing center to partner with, this article is for you. In it we will explain the benefits of a payment platform, specializing on internet-acquiring, as a potential partner for online businesses. The purpose of this article is to clarify the main criteria to be used as guidance when selecting a processing partner; it is designed for online businesses in search of a processor, or online businesses trying to get merchant accounts.

Presently, we see more and more omni-channel payment platforms appearing every day. The term “omni-channel” implies that these platforms support almost all types of payments and transactions, present on the market. However, there are many companies, specializing in some particular payment types. For example some companies specialize on processing of card-not-present transactions, while others specialize on card-present ones.

Internet acquiring is a kind of acquiring activity, focused on merchant account issuance to online businesses.

There are many payment processors (processing centers) on the market. Many of them represent omni-channel payment platforms. However, they are not always suitable candidates to partner with for online merchants.

If you are an online merchant in search of a processing center to partner with (or an online business still trying to get a merchant account), why not make your partner search more targeted? You do not necessarily need an omni-channel payment platform (as it may be a costly option, involving many unnecessary functions you will still have to pay for); maybe the most suitable potential partner is the one, specializing in internet-acquiring services.

This processing center should

  • support the necessary merchant category codes (MCC), currencies, payment types;
  • have the tools and functions you need, as well as integrations with shopping carts (or other logins for online systems, facilitating online commerce);
  • charge reasonable commissions for processing of particular types of transactions (both, one-time commissions and subscription-based regular payments);
  • support 3D secure and online anti-fraud tools;
  • have a flexible and effective customer service etc.

Also, collaboration with companies, specializing in internet-acquiring may be beneficial, because it requires lesser skills and, consequently, lesser operations capital, than partnerships with companies, which, beside internet-acquiring, work with payment terminals. These “universal” companies have to deal with respective logistics-related and other issues (also requiring additional efforts and resources) and are less focused.

Conclusion

If you are an online company looking for a merchant account, or an online merchant looking for a processing center, a processing platform, specializing solely on internet-acquiring may be the best option for you in terms of both budget and functionality.