EMV Tag 91 Issuer Authentication Data - How to Determine Format of Tag in Response

jabreu picture jabreu · Mar 7, 2018 · Viewed 8.9k times · Source

If present, EMV Tag 91 Issuer Authentication Data can have several different formats when returned in a transaction response. From my (limited) understanding, this may be determined by the card brand.

For example

  • MasterCard Tag 91 includes Card Status Update as part of Tag 91 data
  • Visa Tag 91 includes the Authorization Response Code as the last two bytes of Tag 91 data.

I need to solve a problem where Tag 8A Authorization Response Data is not returned as part of the EMV tag data in the case of a non approval response. The payment platform has advised to take the last 2 bytes of tag 91 and assign it to tag 8A, but tag 91 does not always contain the Authorization Response Code Value and Tag 8A is not always returned in some cases or brands.

I'd like to implement a more robust fix where we validate the format of tag 91 instead of just saying If Visa... do this... If Discover.... do that.

Any suggestions on how tag 91 is structured such as a reference to EMV Book documentation would be greatly appreciated.

Thank you,

Answer

iso8583.info support picture iso8583.info support · Mar 7, 2018

I investigated this problem in past and here are the results.

In case tag 0x8A is unknown it can be taken from tag 0x91, but only for some Card Brands/profiles.

In general, if the length of 0x91 is 10 bytes (20 hex chars), the tag value can split to:

  • 8 bytes ARPC;
  • 2 bytes Authorization Response Code (ARC, i.e. tag 0x8A) or Card Status Update (CSU) or ARPC Response Code;

The tag 0x8A presented inside tag 0x91 in next card profiles:

  • Amex (ref. AEIPS, "Issuer Authentication");
  • JCB (ref. JCB ICC Specification, "EXTERNAL AUTHENTICATE Command");
  • MasterCard (only for M/Chip Lite v2.1);
  • Visa (ref. VIS, "Online Request and Response Data");
  • UnionPay (ref. UICC, "Online processing");

IT IS NOT a case to extract 0x8A value from tag 0x91 for next card profiles:

  • Diners/Discover (ref. D-PAS, "ISSUER AUTHENTICATION"), inside tag 0x91 placed Card Status Update (CSU);
  • MasterCard (ref. M/Chip version <> 2.1), tag 0x91 with different length or inside tag 0x91 placed ARPC Response Code. It is not ARC;
  • CCD-complaint EMV cards (ref. EMV), used different length and format of tag 0x91;

Extraction of tag 0x8A value from tag 0x91 may work only as temporary solution. You may see not all card profiles allow it. In fact it needs to be returned in clear form Acquirer in the reply message.

Good luck.