Application Cryptogram - Offline Decline
In some cases, a transaction may be denied on the first Generate
Application Cryptogram (GENAC) command, but a Transaction
Request message is still sent to the host. This can occur if the
terminal denies the transaction after terminal action analysis
requests an Application Authentication Cryptogram (AAC), or if
the card denies the transaction after returning an AAC to the first
GENAC.
In these circumstances, the chip transaction completes offline but
the NDC environment means the terminal may pass the information
to the host and wait for it to instruct the terminal how to complete
the transaction.
For example, the required information could include screens to
display, next state number, any journal data, and so on. The
terminal does not have sufficient local information to complete this
transaction.
By going online, the terminal is simply requesting the host to
complete the NDC transaction; the transaction is already complete
according to the ICC.
The NDC host should recognise this request, and in these specific
cases should not involve the card’s issuer, but deal with the request
itself and simply close down the transaction.
The host can identify these scenarios by checking the Cryptogram
Information Data object sent by the terminal, which for an offline
decline is set to "00", that is, AAC.
Additionally, if the ‘service not allowed’ bit is set in the Cryptogram
Information Data object, the same host behaviour is expected. CAM
data is not expected in the Transaction Reply.
In these scenarios, the relevant “CAM Flags” (byte 1 bit 5) will be set
to 0x1 to enable the host to identify the scenario.
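The host-side check described above, as an added example that is not part of the original document or of any NCR code. The bit layout of the Cryptogram Information Data byte is taken from EMV Book 3 (tag 9F27); the function names and the "normal_processing" label are hypothetical, and the CAM Flags check is left out because its encoding is not given here.

```python
import string

# Added example: decode the one-byte CID and decide how the host handles it.
CRYPTOGRAM_TYPES = {0b00: "AAC", 0b01: "TC", 0b10: "ARQC", 0b11: "RFU"}
REASON_CODES = {
    0b000: "no information given",
    0b001: "service not allowed",
    0b010: "PIN try limit exceeded",
    0b011: "issuer authentication failed",
}


def decode_cid(cid_hex):
    """Decode a CID given as two hex characters, e.g. "00"."""
    if len(cid_hex) != 2 or any(c not in string.hexdigits for c in cid_hex):
        raise ValueError("CID must be one byte written as two hex characters")
    cid = int(cid_hex, 16)
    return {
        "type": CRYPTOGRAM_TYPES[cid >> 6],              # bits 8-7
        "advice_required": bool(cid & 0x08),             # bit 4
        "reason": REASON_CODES.get(cid & 0x07, "RFU"),   # bits 3-1
    }


def host_action(cid_hex):
    """Return "close_locally" for the cases the text lists, else "normal_processing"."""
    info = decode_cid(cid_hex)
    # An AAC means the chip transaction already completed offline as a decline;
    # 'service not allowed' gets the same host behaviour according to the text.
    if info["type"] == "AAC" or info["reason"] == "service not allowed":
        return "close_locally"
    return "normal_processing"


if __name__ == "__main__":
    for sample in ("00", "09", "80", "81"):  # constructed CID values
        print(sample, decode_cid(sample), host_action(sample))
```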
Offline Behaviour 1
It is possible to configure the terminal to decline these transactions
without sending a message to the host, using parameters in the
transaction request state or the Windows registry.
If the offline decline next state number (table entry 2 of the 2nd
extension to the transaction request state) is non‐zero, the terminal
will proceed to the offline decline next state number.
If the offline decline next state number (table entry 2 of the 2nd
extension to the transaction request state) is zero or the extension
state is not configured, the terminal will check the registry key
"HKEY_LOCAL_MACHINE\NCR\APTRA\EMV Exits\Decline".
This key may contain the offline decline next state number to which
the terminal will proceed.
The registry key will be interpreted as follows:
● If there is a string value of length three which matches the
current transaction request state number, and the data is also
of length three, the terminal will use the data in this value as
the state number.
● If no value which matches the transaction request state is
under this key, then the terminal will look for a string value
"default", and if its data is length three it will be used for the
next state number. Otherwise all relevant ICC data will be
sent to the host.
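The lookup order above, modelled as an added example that is not part of the original document or of any NCR code. The registry is a constructed snapshot of the Decline key as a dict of value name to string data, the function names are hypothetical, and falling through to "default" when a matching value has data of the wrong length is an assumption, since the text leaves that case open.

```python
# Added example: where does the terminal go after an offline decline?
SEND_TO_HOST = None  # no local next state: all relevant ICC data goes to the host


def resolve_offline_decline(state_number, table_entry, registry):
    """Return (next_state, source) in the precedence order the text gives."""
    # 1. Table entry 2 of the 2nd extension state, when configured and non-zero.
    #    None models "extension state is not configured".
    if table_entry and set(table_entry) != {"0"}:
        return table_entry, "extension state"
    # Registry value names are case-insensitive on Windows.
    values = {name.lower(): data for name, data in registry.items()}
    # 2. Value named after the current transaction request state number,
    # 3. then the value named "default".
    candidates = []
    if len(state_number) == 3:
        candidates.append(state_number.lower())
    candidates.append("default")
    for name in candidates:
        data = values.get(name)
        # Assumption: data that is not three characters is treated as absent.
        if isinstance(data, str) and len(data) == 3:
            return data, "registry value " + name
    # 4. Nothing usable locally.
    return SEND_TO_HOST, "host"


def audit_decline_key(registry):
    """List entries the lookup would silently ignore, for configuration review."""
    findings = []
    for name, data in sorted(registry.items()):
        if name.lower() != "default" and len(name) != 3:
            findings.append((name, "name is not a three-character state number"))
        elif not isinstance(data, str) or len(data) != 3:
            findings.append((name, "data is not a three-character string"))
    return findings


# Constructed sample snapshot of the Decline key.
SAMPLE_KEY = {"015": "230", "042": "23", "default": "199", "7": "300"}

if __name__ == "__main__":
    print(resolve_offline_decline("015", "000", SAMPLE_KEY))
    print(resolve_offline_decline("042", None, SAMPLE_KEY))
    print(audit_decline_key(SAMPLE_KEY))
```

An entry flagged by the audit never takes effect, so a transaction that was meant to be declined locally ends up on "default" or at the host instead.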