Payment Card Transaction Authorization & Verification

Prime Factors' Bank Card Security System (BCSS) plays an important role in the verification and authorization process for magnetic stripe and EMV payment card transactions.  BCSS meets standards for security code verification and authorization established by the network brands including use of a hardware security module (HSM).  It also decrypts PIN blocks and supports a variety of PIN functions such as PIN translation, PIN selection, PIN bridging and PIN verification.

For developers, BCSS reduces the programming necessary to facilitate the use of a Thales HSM in the authorization processes.  There is no need to learn a proprietary machine level language to deploy HSM capabilities.  BCSS addresses the Thales HSM through higher level function calls to provide comprehensive key management.

BCSS verifies any security code you need including CVV, CVV2, CAVV, CVC, CVC2, CVC3, CSC, PVV and PINs, and performs dynamic CVV/CVC3 verification for contactless cards.  BCSS also verifies ARQCs and generates ARPCs for authorization of an EMV transaction.

The verification process for magnetic stripe payment card transactions begins when a point-of-sale device, or ATM, encrypts the cardholder PIN block, and through the aquiring bank and processor, sends it to the card issuer for authentication.  BCSS receives the encrypted PIN block, secret keys and security information and decrypts it inside the HSM so that the PIN and keys are never in the clear.  The expected security code is compared to the one in the transaction.  If the codes match, the transaction is authorized.

In an EMV transaction environment, the card initiates a transaction authorization request called an application request cryptogram (ARQC) at the POS terminal.  It is a cryptographic algorithm that incorporates specific transactions and unique card key data.  It is sent by the terminal through the acquirer network to the issuer for verification and transaction authorization.  At the issuer host system, the ARQC is verified and an authorization response cryptogram for that specific transaction, called ARPC, is sent back to the card and POS terminal.