1

I am new to EMV and working on a certification of domestic network. Some of the test cards returns AAC while other returns TC when logging 9F27 despite the transaction was approved from host. We suspect that the issue might be root to the tag 91 (Issuer Authentication Data) which is missing in the host response but as we checked the response of those test card where 9F27 returns TC we realized that they also have no tag 91 in it. My question is, is it safe to ignore the card decision and just follow the host response? What could be the other possible reason for such case?

Bitwise DEVS
  • 2,858
  • 4
  • 24
  • 67

2 Answers2

1

No, it is not safe to ignore card decision. It is against the mandates of most payment schemes and common sense. It may mean bearing full responsibility for the transaction in case of fraud and no recourse.

Regarding test cards, are you sure they are not meant to simulate exactly the scenario when you should decline and send reversal to these transactions? Please verify with your processor, why you do not receive Issuer Authentication Data - maybe something is simply misconfigured.

Michal Gluchowski
  • 1,197
  • 8
  • 16
  • Thanks, there are cases where decline is the actual expected result as well as reversal but these cases that I am raising here is suppose to be approved (TC). Anyway is Issuer Authentication Data always necessary for every transaction response? – Bitwise DEVS May 29 '23 at 18:22
1

Never ignore decision of a card. Some additional info you need to understand:

  1. Type of cryptogram is highly depend on Terminal Action Code (source - Terminal) and Issuer Action code (source - Card). This two values xored and the result is used in kernel to choose cryptogram type.
  2. Type of cryptograms:
  • AAC - Daniel transaction cryptogram
  • ARQC - Online transaction cryptogram
  • TC - Offline transaction cryptogram
  1. I assume under certification you mean L3 (M-TIP). If yes - read testcase objectives. Some testcase assume that successful condition to pass testcase is failed transaction.
  2. It is important to check transaction limits as it's values highly depend on kernel and card decisions to approve transaction.
  3. For some transaction type - particularly refund - AAC cryptogram is normal and it's not checked by authorization host.
Arthur
  • 769
  • 7
  • 17
  • We are actually performing local certification for debit. – Bitwise DEVS Jul 19 '23 at 13:08
  • 1
    @BitwiseDEVS AC has nothing with type of card (debit/credit/etc). It's related to issuer rules hardcoded in card. Again, check test objectives and goals - if, according to test objectives, AC result should be AAC - then it's ok, if ARQC - and you get AAC - then you are doing something wrong. Firstly check terminal configuration parameters. They need to meet issuers rules. Contact issuer and ask for terminal configuration that are already used in fields and copy tag values from it. – Arthur Jul 22 '23 at 17:07
  • I see, they do have a terminal configuration. Also the test objective is expecting TC. Anyway is there a community or platform dedicated for EMV and L3 certifications aside from SO? Thanks! – Bitwise DEVS Jul 22 '23 at 20:16
  • 1
    @BitwiseDEVS unfortunately I'm not aware of such community, but you can use emvlab.org for tag description and TLV decoding, emvco.com - for searching of EMV books and scheme portals for searching of specific specifications. As for TC - it means that you need offline cryptogram so you need to check 9F33 tag in your terminal configuration file. Check https://paymentcardtools.com/emv-tag-decoders/termcap for your current 9F33 values. You can also use this portal for decoding other EMV tags, check side menu. – Arthur Jul 24 '23 at 07:45