2.7 Processing at the point of service
2.7 Processing at the point of service
Several steps have to be performed at the point of service for the processing of a payment card transaction.
First, an attendant manually captures the financial data
-
If an operator attends the point of service, the operator checks that the card's brand and the type of card product are accepted at the point of service. The operator visually verifies the card authenticity, based on the hologram embedded in the card, and checks the validity of the card with respect to the expiration date.
-
When the point of service is equipped with an electronic terminal, the check digit of the PAN, as well as the check digit of the entire magnetic track that stores the financial data of the card, are
verified .
If these verifications do not pass, the authenticity of the card is not accepted or the integrity of the data stored on the magnetic stripe is not
-
Business environment data elements: This
group includes thename and location of the point of service, the merchant type, the identifier of the merchant, the identifier of his terminal, local time, and date when the transaction is captured. Since the financial data of the card can be read in several ways (embossed data, magnetic stripe, integrated circuit), a data element must state the actual reading method of the financial data at the point of service as well as the possibilities of the terminal to read financial data. This data element is referred to as the point of service data code in the ISO/IEC 8583 standard [17]. -
Transaction data elements: This group includes the amount of the transaction and the currency code in which the amount is
expressed . It also includes the type of transaction performed in case several transaction types are accepted at the point of service. Several examples of transaction types are payment for goods, payment for goods and cash back, and cash advance using a credit card. The transaction type data element is referred to as the processing code [17]. -
Message identification data element: This is a kind of serial number that allows the unique identification of a payment message in the system. This data element is referred to as the system trace audit number (STAN) [17].
The attendant, or terminal, at the point of service decides whether the payment transaction can be concluded off-line at the point of service or if an authorization has to be obtained on-line from the card issuer. The corresponding processing is called point of service risk management. The decision of off-line or on-line completion impacts on the further processing of the payment message by the acquirer, which either submits it to a clearing processing or to an authorization processing, respectively. The point of service risk management procedure takes into account the type of payment card product, the business environment at the point of service, and the amount of the transaction when compared against prearranged floor limits.
When the point of service is equipped with an electronic terminal connected to the acquirer network and the service code data element recorded on the magnetic stripe indicates that on-line authorization by the issuer is mandatory, the payment message is forwarded for authorization to the issuer. In this case the card authenticity is verified by the issuer, which assesses the correctness of the static authenticator recorded on the magnetic stripe. If track 3 is used, a supplementary control can be performed against counterfeiting, considering the synchronization of the card security number stored on the track and the corresponding random number stored in the cardholder accounts database in connection with the card. If the PIN verification method is required by the card product, the cardholder types in the PIN in the secure PIN pad of the terminal. The terminal securely sends the encrypted PIN for verification to the issuer, which computes the PIN image control value. Whatever the result of the authorization, the terminal is informed by the issuer host about the acceptance or the
If the payment card product does not require a mandatory on-line authorization by the issuer, the authorization of the transaction can be performed locally. This is usually the case at attended points of service that are not equipped with electronic terminals, or at points of service equipped with electronic terminals that are not permanently connected on-line to the acquirer's network. The local authorization is
PIN image verification can be locally performed as the cardholder verification method at the point of service when two conditions are fulfilled. First, the PIN image stored value parameter is recorded on the magnetic stripe of the card. Second, the terminal has a secure PIN pad, which was loaded by the interchange
If the card encodes the amount remaining this cycle field on track 3, the risk management at the point of service is improved with a rudimentary card risk management component intended for protecting the issuer against cardholders that overspend. The transaction is authorized off-line if the transaction amount is smaller than both the upper floor limit (acquirer's requirement) and the amount remaining this cycle parameter, which specifies the spending limitation as imposed by the issuer.
The payment messages describing the transactions authorized off-line are gathered in the permanent memory of the terminal at the point of service. Periodically, or when the capacity of the permanent memory is exhausted, the payment messages are compiled in batch files, which are forwarded to the acquirer. Periodically, the acquirer transmits these batch files in the interchange system for clearing.
