F.

CODE
Issuers & Processors impact with
VISA VBSS 1.0.2

07/06/2024
VISA SPECIFICATIONS

Visa documentation
• Visa Biometric Sensor Specification VBSS 1.0.1
• Biometric sensor-on-card products, Global Issuer Implementation Guide Version 1.0

IAD & IDD Issuer Application Data & Issuer Discretionary Data
• Set of supported formats
→ IAD 0/1/3 with IDD Option ‘B’
→ IAD 2 with IDD Option ‘B’ or ‘7’

Biometric CVMs
• Contact : No CVM used for Biometry
→ Biometry details are in IAD / IDD
• Contactless : CDCVM
→ Biometry details are in CVR / IAD / IDD

2
All Information and Intellectual property rights reserved at ©IDEMIA 2024
VISA DETAILS

On IAD Supported :
• Contact : Biometric results available only in IDD or new CVR bits
• Contactless : legacy CDCVM Successfully performed in CVR B2 / b3

IAD 0/1/3 IDD Option B Offline Biometric

Last Try Template
Offline Biometric
Last Try Result
• New IDD data (Contact & Contactless) ’10’ = Finger ‘00’ = Matching successful
→ Bio Performed / Bio Failed / CDCVM Successfully performed ’01’ = Matching failed
‘FF’ = Unknown Error
→ Offline Biometric Last Try Template Offline Biometric Last Try result
‘FE’ = No ’03’ = No Template Enrolled
→ Bio verification Counter Information ‘07’ = Try limit exceeded
‘08’ = Capture timed out
‘FE’ = Biometry Deactivated ->
IAD 2 Option B or 7 Proprietary
• New bits in CVR and IDD (Contact & Contactless) ‘FF’ = Unknown Error

→ CVR : CDCVM successfully performed , Bio Performed, Bio failed

→ IDD : Offline Biometric Last Try Template Offline Biometric Last Try result, Bio verification Counter

3
All Information and Intellectual property rights reserved at ©IDEMIA 2024
VISA
Is there any implementation not requiring host update for a pilot

Preconditions : IAD 0/1/3 Option B or IAD Option 2 is supported

• Contactless: CDCVM performed CVR B2 / b3 supported
• Contact : No CVM Transaction is authorized when going online

Limitations :
• No view on Biometry counter lock
• No view on Biometry not performed
• No view on Enrolment not performed

6/7/2024
All Information and Intellectual property rights reserved at ©IDEMIA 2024
WHAT SHOULD ISSUER HOST PROCESSOR DO?

Refer to Biometric sensor-on-card products, Global Issuer Implementation Guide Version 1.0
And then
• Option 1: Do Nothing
• Option 2: Read the Biometric Information Data from IAD
• Option 3: Shortcut method to identify BIO verified/unverified

6/7/2024 5
All Information and Intellectual property rights reserved at ©IDEMIA 2024
OPTION 1
Do Nothing

Pros:
• Visa mentions No development required. Only good for providing biometric card experience.
• Rely on :
→ successful Offline Authentication and valid ARQC cryptogram and accept No CVM transaction on contact
→ CDCVM transaction on contactless

Cons:
• There may be host rules that decline the biometric transaction. Need to identify biometric transactions and
relax those rules.
• Difficult for processor to identify biometric transactions from non-biometric transactions
• No information whether biometric try counter is locked

6/7/2024 6
All Information and Intellectual property rights reserved at ©IDEMIA 2024
OPTION 2
Read the Biometric Information Data from IAD

Pros:
• Processor knows exactly biometric
results, history, biometric count
• Can identify biometric cards that are
locked out and needs re-enrollment.

Cons:
• Extensive development effort

Offline Biometric Offline Biometric

Last Try Template Last Try Result
’10’ = Finger ‘00’ = Matching successful
’01’ = Matching failed
‘FF’ = Unknown Error
‘FE’ = No ’03’ = No Template Enrolled
Information ‘07’ = Try limit exceeded
‘08’ = Capture timed out
‘FE’ = Biometry Deactivated ->
Proprietary
‘FF’ = Unknown Error

6/7/2024 7
All Information and Intellectual property rights reserved at ©IDEMIA 2024
OPTION 3
Shortcut method to identify BIO verified/unverified

Check value of Issuer Discretionary Data Option ID in IAD for presence of biometric
sensor
• “0B” or “07” means transaction coming from card with biometric sensor

When IDD indicates biometric sensor is present:

For contact transactions, CVM List Tag 8E will only contain « NO CVM Required. »

For contactless transactions, check CVR value – Byte 2 Bit 3

→ 1 – CDCVM successful (BIO verified)
→ 0 – CDCVM not successful (PIN prompted if transaction above terminal limit, No CVM if transaction below terminal limit

Pros:
• Smaller development effort than Option 2

Cons:
• Information limited to identifying which transactions are biometric or not.

6/7/2024 8
All Information and Intellectual property rights reserved at ©IDEMIA 2024
F.CODE
Issuers & Processors impact with
Mastercard M/Chip Bio 1.2.3

07/06/2024
MASTERCARD BIO SPECIFICATIONS

Mastercard documentation
• Mastercard M/Chip Advance 1.2.3 Bio – Dec 2019
• Mastercard Biometric Card - Issuer Implementation guide 1.1

Biometric CVM
• In Contact : ‘no CVM performed’ ➔ biometric results in CVR
• In Contactless : CDCVM ➔ biometric results in CVR

→ Redefinition of IDD in CVR meaning with : Biometric verification performed & Biometric verification try limit exceeded
→ Redefinition of PIN verification successful to indicate Biometric verification results

→ Backward compatibility is possible ➔ Less or no impact on host but less information are available

All Information and Intellectual property rights reserved at ©IDEMIA 2024

MASTERCARD BIO SPEC DETAILS

Contact transaction
• CVM Results is set to ‘no CVM performed’.
→ CVR bits indicating successful biometric verification for making the authorization response.

Contactless transaction
• “CDCVM supported” bit + CVR new meanings

CVR handling
• Without backward compatibility
→ CVR indicates result of Bio & PIN results
Previous IDD CVR are reused to indicate Biometry verification performed & Biometry verification try limit exceeded
PIN verification Bytes interpretation is changed to indicate Biometry verification results or PIN results
• With backward compatibility
→ When required backward compatibility is supported (CVR interpretation differ)
to MChip 4 V1.1 / MChip4 V1.3.1
to MChip 2 V2.05 or MChip 2 V2.1/2.2

All Information and Intellectual property rights reserved at ©IDEMIA 2024

IMPACTS
What should Issuer Host Processor do?

Refer to Mastercard Biometric Card - Issuer Implementation guide 1.1

Select one of the option below
• Option 1: Use Mastercard Biometric Card Cardholder Authentication Service
• Option 2: After Checks, no additional implementations required
• Option 3: Find out Biometric Verification Status from CVR
• Option 4: Shortcut method to identify BIO verified/unverified

All Information and Intellectual property rights reserved at ©IDEMIA 2024

OPTION 1
Use Mastercard Biometric Card Cardholder Authentication Service

Pros:
• Biometric Card Cardholder Authentication Service can simplify reading biometric status from CVR.
• Similar to Chip On-Behalf Service, the transaction routed through Mastercard service first. Service
interprets CVR bits and a simplified indicator is passed to Issuer’s host to indicate whether Bio was
successful or not.
• Issuer still decides final outcome but will use indicator obtained from Mastercard.

Cons:
• Setup time at Mastercard
• Cost for service

All Information and Intellectual property rights reserved at ©IDEMIA 2024

OPTION 2
After Checks, no additional implementations required

Pros:
• Some Issuers have been lucky to observe no issues with their current host configurations on biometric
transactions. Only good for providing biometric card experience.
• Rely on :
→ successful Offline Authentication and valid ARQC cryptogram and accept No CVM transaction on contact
→ CDCVM transaction on contactless

Cons:
• There may be host rules that decline the biometric transaction. Need to identify biometric transactions and
relax those rules.
• Difficult for processor to identify biometric transactions from non-biometric transactions
• No information whether biometric try counter is locked

All Information and Intellectual property rights reserved at ©IDEMIA 2024

OPTION 3
Find out Biometric Verification Status from CVR
(assumption : no backward compatibility required )

Pros:
• Processor knows exactly biometric results, history, biometric count
• Can identify biometric cards that are locked out and needs re-enrollment.

Cons:
• May require extensive development effort

Scenario CVR B1b1 CVR B1b3 CVR B2b2 CVR B4b5 CVR B4b6 AIP B1b5 AIP B1b2
Offline Offline BSOC Offline PIN Offline PIN Cardholder CDCVM is
PIN PIN Verification Verification Verification verification is supported
Verificatio Verificatio Performed Failed Not supported
n n Performed
Successf Performe
ul d

Contactless: Cardholder doesn’t attempt biometric verification 0 0 0 0 1 1 0

Contactless: Cardholder fails biometric verification 0 0 1 0 1 1 0
Contactless: Cardholder provides biometric verification successfully 1 0 1 0 1 0 1
Contact: Cardholder skips biometric verification altogether and enters 1 1 0 0 0 1 0
PIN
Contact: Cardholder attempts biometric verification, which fails, and 0 1 1 0 0 1 0
then enters PIN
Contact: Cardholder provides biometric verification successfully 1 0 1 0 1 0 0

CVR also indicates when Biometry Try Counter is locked (B2b1)

All Information and Intellectual property rights reserved at ©IDEMIA 2024

OPTION 4
Shortcut method to identify BIO verified/unverified

Issue Biometric Cards with specific BIN or PAN range

• For contact transactions, AIP byte 1 bit 5 would indicate support for Cardholder Verification.
→ If AIP = 2900, Cardholder Verification not Supported and will not be done because Bio verification successful
→ If AIP = 3900, Cardholder Verification is Supported. PIN would be prompted because Bio verification not successful or not performed.

• For contactless transactions, all transactions seen at host have been successfully Bio verified if default profile was chosen. Failed Bio will cause terminal to decline on the spot
and prompt user to insert contact interface. Transaction will not reach host.

Pros:
• Smaller development effort than Option 3

Cons:
• Information limited to identifying which transactions are biometric or not.

All Information and Intellectual property rights reserved at ©IDEMIA 2024

 Join us on

www.Idemia.com

All Information and Intellectual property rights reserved at ©IDEMIA 2024