MasterCard® PayPass
Around the World
From the desk of the Global PayPass Product Manager
3Q2008

<- back to main

MasterCard® PayPass™ On-Behalf-Of Services Help Issuers Take Advantage of Advanced Security Features

Dynamic CVC3 Validation and Alternate PayPass Account Number Processing Made Easy

All the speed and convenience in the world would be of little interest to MasterCard® PayPass™ cardholders without the robust features that make contactless payments secure. Two formidable security components—the mandated validation of dynamic CVC3, and the recommended use of an alternate PayPass account number (PPAN) on the PayPass chip rather than the primary account number (PAN)—help keep fraudsters at bay. PayPass On-Behalf-Of Services can help issuers quickly implement these important features.

PayPass On-Behalf-Of Services were put in place to help issuers with the processing of PayPass transactions,” says David Liscia, business leader, Advanced Payments, MasterCard Worldwide. “MasterCard recognizes that building the dynamic CVC3 validation and the alternate PPAN processing capabilities in-house can have an impact on an issuer’s systems and budget. The PayPass On-Behalf-Of Services enable issuers to reap the benefits of our advanced security features with a lot less work and expense—and to offer more-compelling options for accountholders without many of the implementation headaches.”

Going Dynamic

Two MasterCard CVC3 validation services allow issuers to take advantage of the robust risk-management benefits of CVC3 validation for PayPass without having to implement validation functionality in their host systems.

The Dynamic CVC3 Pre-validation Service supports dynamic CVC3 validation for all of a participating issuer’s PayPass transactions, which are routed to MasterCard for processing. (Use of dynamic CVC3 is currently mandated for all MasterCard PayPass magstripe transactions conducted by PayPass magstripe cards and devices, and effective January 1, 2010, MasterCard will require the use of dynamic CVC3 for all new M/Chip™ PayPass cards and devices that conduct MasterCard PayPass magstripe profile transactions in non-EMV environments.) The CVC3 Validation in Stand-In Service supports dynamic CVC3 and also static CVC3 for legacy PayPass cards or devices. Both services use the participating issuer’s own risk parameters and CVC3 keys, which are managed to industry-leading standards by the MasterCard Key Management Center.

“The Dynamic CVC3 Pre-validation Service reduces time to market, implementation costs, and the number of changes to legacy systems for PayPass magstripe issuers,” says Liscia, “while the CVC3 Validation in Stand-In Service adds CVC3 validation and its security benefits to the existing list of tests performed in stand-in when a PayPass transaction cannot reach an issuer host.”

PayPass Mapping Service

The issuance of an alternate PPAN—either on a card’s PayPass chip or on a separate PayPass device—provides an effective safeguard against fraudulent noncontactless transactions.

“If a fraudster were able in some way to retrieve a cardholder’s PayPass account information, then he or she could try to use that information, for example, to purchase something over the telephone,” says Liscia.

“However, if the stolen account number is a PPAN, then any attempt to use that account number outside of a PayPass context will be instantly recognized in the approval process and would signal a likely fraudulent transaction,” he says. “The request for authorization would be declined.”

The alternate PPAN scheme requires that an issuer be able, first, to recognize two account numbers for a single customer, and second, to apply a different set of acceptance rules to each.

“Not all issuers can currently do this,” says Liscia. “The PayPass Mapping Service helps issuers deploy the alternate PPAN structure while reducing the time and cost for development and implementation.”

To use the service, the issuer assigns a PAN and an associated PPAN to each cardholder, securely provides a list of these numbers to MasterCard, and shares its dynamic CVC3 keys with MasterCard as well. Authorization requests for a participating issuer’s PayPass transactions are routed to MasterCard for processing, and MasterCard

  • Confirms the transaction was originated at a PayPass terminal
  • Validates the CVC3

“Then, MasterCard replaces the PPAN with the cardholder PAN in the authorization message before forwarding it to the issuer,” says Liscia.

Because the PayPass Mapping Service can help with the tracking of the dynamic CVC3 Application Transaction Counter (ATC) for multiple PayPass devices issued against one cardholder account, some issuers have found it a useful tool when trialing new devices. “For instance, the service can help issuers authorize transactions that originate from a cardholder PayPass card and from its companion PayPass device without having to worry about how the ATC will be tracked for each PayPass chip,” says Liscia.

For More Information

To learn more about the PayPass On-Behalf-Of Services and their availability, please refer to the PayPass On-Behalf Services Guide, which can be obtained via MasterCard Online Member Publications under the authorization section. You may also contact David Liscia at paypass_obo_services@mastercard.com or your MasterCard relationship manager.