This is part two in a planned six-part series about the credit card in- dustry. It would be best if you read part one before reading this part. Enjoy. DEFINITIONS ----------- Some more new terms that are used in this posting. ABA - American Bankers Association ACH - Automated Clearing House - an organization that mechanically and electronically processes checks. ANSI - American National Standards Institute Embossing - creating raised letters and numbers on the face of the card. Encoding - recording data on the magnetic stripe on the back of the card. Imprinting - using the embossed information to make an impression on a charge slip. Interchange - sending authorization requests from one host (the acquirer) to another (the issuer) for approval. ISO - International Standards Organization NACHA - National Automated Clearing House Association PAN - Personal Account Number. The account number associated with a credit, debit or charge card. This is usually the same as the number on the card. PIN - Personal Identification Number. A number associated with the card, that is supposedly know only to the cardholder and the card issuer. This number is used for verification of cardholder identity. THE ORGANIZATIONS --- ------------- ISO sets standards for plastic cards and for data interchange, among other things. ISO standards generally allow for national expansion. Typically, a national standards organization, like ANSI, will take an ISO standard and develop a national standard from it. National stan- dards are generally subsets of the ISO standard, with extensions as al- lowed in the original ISO standard. Many credit card standards originated in the United States, and were generalized and adopted by ISO later. The ANSI committees that deal with credit card standards are sponsored by the ABA. Most members of these committees work for banks and other financial institutions, or for vendors who supply banks and financial institutions. Working committees report to governing committees. All standards go through a formal comment and review procedure before they are officially adopted. PHYSICAL STANDARDS -------- --------- ANSI X4.13, "American National Standard for Financial Services - Financial Transaction Cards" defines the size, shape, and other physical characteristics of credit cards. Most of it is of interest only to mechanical engineers. It defines the location and size of the magnetic stripe, signature panel, and embossing area. This standard also includes the Luhn formula used to generate the check digit for the PAN, and gives the first cut at identifying card type from the account number. (This part was expanded later in other standards.) Also, this standard identifies the character sets that can be used for embossing a card. Three character sets are allowed - OCR-A as defined in ANSI X3.17, OCR-B as defined in ANSI X3.49, and Farrington 7B, which is defined in the appendix of ANSI X4.13 itself. Almost all the cards I have use Farrington 7B, but Sears uses OCR-A. (Sears also uses the optional, smaller card size as, allowed in the standard.) These character sets are intended to be used with optical character readers (hence the OCR), and large issuers have some pretty impressive equipment to read those slips. ENCODING STANDARDS -------- --------- ANSI X4.16, "American National Standard for Financial Services - Finan- cial Transaction Cards - Magnetic Stripe Encoding" defines the physical, chemical, and magnetic characteristics of the magnetic stripe on the card. The standard defines a minimum and maximum size for the stripe, and the location of the three defined encoding tracks. (Some cards have a fourth, proprietary track.) Track 1 is encoded at 210 bits per inch, and uses a 6-bit coding of a 64-element character set of numerics, alphabet (one case only), and some special characters. Track 1 can hold up to 79 characters, six of which are reserved control characters. Included in these six charac- ters is a Longitudinal Redundancy Check (LRC) character, so that a card reader can detect most read failures. Data encoded on track 1 include PAN, country code, full name, expiration date, and "discretionary data". Discretionary data is anything the issuer wants it to be. Track 1 was originally intended for use by airlines, but many Automatic Teller Machines (ATMs) are now using it to personalize prompts with your name and your language of choice. Some credit authorization ap- plications are starting to use track 1 as well. Track 2 is encoded at 75 bits per inch, and uses a 4-bit coding of the ten digits. Three of the remaining characters are reserved as delimiters, two are reserved for device control, and one is left unde- fined. In practice, the device control characters are never used, ei- ther. Track 2 can hold up to 40 characters, including an LRC. Data encoded on track 2 include PAN, country code (optional), expiration date, and discretionary data. In practice, the country code is hardly ever used by United States issuers. Later revisions of this standard added a qualification code that defines the type of the card (debit, credit, etc.) and limitations on its use. AMEX includes an issue date in the discretionary data. Track 2 was originally intended for credit authorization applications. Nowadays, most ATMs use track 2 as well. Thus, many ATM cards have a "PIN offset" encoded in the discretionary data. The PIN offset is usually derived by running the PIN through an encryption algorithm (maybe DES, maybe proprietary) with a secret key. This allows ATMs to verify your PIN when the host is offline, generally allowing restricted account access. Track 3 uses the same density and coding scheme as track 1. The con- tents of track 3 are defined in ANSI X9.1, "American National Standard - Magnetic Stripe Data Content for Track 3". There is a slight contra- diction in this standard, in that it allows up to 107 characters to be encoded on track 3, while X4.16 only gives enough physical room for 105 characters. Actually, there is over a quarter of an inch on each end of the card unused, so there really is room for the data. In practice, nobody ever uses that many characters, anyway. The original intent was for track 3 to be a read/write track (tracks 1 and 2 are intended to be read-only) for use by ATMs. It contains information needed to maintain account balances on the card itself. As far as I know, nobody is actu- ally using track 3 for this purpose anymore, because it is very easy to defraud. COMMUNICATION STANDARDS ------------- --------- Formats for interchange of messages between hosts (acquirer to issuer) is defined by ANSI X9.2, which I helped define. Financial message au- thentication is described by ANSI X9.9. PIN management and security is described by ANSI X9.8. There is a committee working on formats of messages from accepter to acquirer. ISO has re-convened the interna- tional committee on host message interchange (TC68/SC5/WG1), and ANSI may need to re-convene the X9.2 committee after the ISO committee fin- ishes. These standards are still evolving, and are less specific than the older standards mentioned above. This makes them somewhat less useful, but is a natural result of the dramatic progress in the indus- try. ISO maintains a registry of card numbers and the issuers to which they are assigned. Given a card that follows standards (Not all of them do.) and the register, you can tell who issued the card based on the first six digits (in most cases). This identifies not just VISA, MasterCard, etc., but also which member bank actually issued the card. DE FACTO INDUSTRY STANDARDS -- ----- -------- --------- Most ATMs use IBM synchronous protocols, and many networks are migrat- ing toward SNA. There are exceptions, of course. Message formats used for ATMs vary with the manufacturer, but a message set originally de- fined by Diebold is fairly widely accepted. Many large department stores and supermarkets (those that take cards) run their credit authorization through their cash register controllers, which communicate using synchronous IBM protocols. Standalone Point-of-Sale (POS) devices, such as you would find at most smaller stores (i.e. not at department stores), restaurants and hotels use a dial-up asynchronous protocol devised by VISA. There are two generations of this protocol, with the second generation just beginning to get widespread acceptance. Many petroleum applications use multipoint private lines and a polled asynchronous protocol known as TINET. This protocol was developed by Texas Instruments for a terminal of the same name, the Texas Instru- ments Network E(something) Terminal. The private lines reduce response time, but cost a lot more money than dial-up. NACHA establishes standards for message interchange between ACHs, and between ACHs and banks, for clearing checks. This is important to this discussion due to the emergence of third-party debit cards, as dis- cussed in part 1 of this series. The issuers of third-party debit cards are connecting to ACHs, using the standard messages, and clearing POS purchases as though they were checks. This puts the third parties at an advantage over the banks, because they can achieve the same re- sults as a bank debit card without the federal and state legal restric- tions imposed on banks. In the next installment, I'll describe how an authorization happens, as well as how the settlement process gets the bill to you and your money to the merchant. After that I'll describe various methods of fraud, and how issuers, acquirers, and accepters protect themselves. Stay tuned. Joe Ziegler att!lznv!ziegler