Application Transaction Counter (ATC)
The Application Transaction Counter (ATC), is an EMV (Europay, Mastercard and Visa) field defined in the following specification - EMV 4.4 Book 2 - Security and Key Management - as a two-byte counter incremented at the start of a transaction, ranging in value from 0x0000 to 0xFFFF.
The card chip processor checks if a given transaction has an ATC lower than the one currently stored; if so, it may deny the transaction as a cloned card issue or replay attack.
ATC is required
Using an ATC on the Pismo platform is mandatory.
Internally, the Pismo platform stores an ATC as a string containing an array of around 2000 transaction sequence numbers. For example: "[5, 4, 3, 2, 1]". Pismo allocates 10,000 characters for this, so the actual amount of numbers may vary. If, in an incoming transaction, the received ATC value repeats a past sequence number, the transaction is denied.
The rationale to store an ATC as a string containing an array of numbers instead of the latest incoming value is to allow for ATC synchronization in situations such as offline purchases. For example - offline purchases on a cruise ship where a few values can be lost until the card is used again on an online machine. Keeping the list of previous ATC numbers helps the Pismo platform determine whether a given transaction fits such a case.
Combination cards
For Pismo combination cards, an ATC is kept for each program type - debit and credit. So, if you call Reset card ATC for a combination card, the access token needs to be encoded with the ID of the account (credit or debit) whose ATC you want to reset.
Authorization flow
An incoming ATC value, received in a Authorization/Base I ISO8583 message, is compared with the last value stored in Pismo's database. The difference between the values, received and stored, must be within the allowed range that is configured for the card with the ATC MIN OFFSET
and ATC MAX OFFSET
program parameters.
ATC MIN OFFSET
- Number that must be subtracted from the last ATC registered in the database to make up the lower range boundATC MAX OFFSET
- Number that must be added to the last ATC registered in the database to make up the upper range bound
Examples
Database ATC (Pismo): [64, 63, 62, 61, 60]
ATC max offset (Pismo): 15
ATC min offset (Pismo): 5
Current ATC (incoming from the card network): 81 -> Denied (81 > 64 + 15)
Current ATC (incoming from the card network): 58 -> Denied (58 < 64 - 5)
Current ATC (incoming from the card network): 70 -> Approved (64 + 15 > 70 > 64 - 5)
The Pismo platform does not increment the ATC stored on the card chip, the Point of Sale (POS) terminal or ATM does that where the card is used. This information is received from the network and we use the value received to validate it with the previously stored values. In case of success, we store the new ATC received in our database after we receive a message from the authorizer. Otherwise, the transaction is denied with the custom code FAT
. E-commerce transactions do not increment the ATC and this information is not present in the message, so we do not validate or update it in our database.
ATC denial scenarios
For each card swipe at a POS, a new ATC is counted. The ATC can lose synchronization in the situations below, for example, causing a card block and consequently not allowing a transaction.
- If you make purchases with the wrong type (debit type, with credit mode and vice versa), the POS can sometimes deny this and the transaction will not even reach Pismo.
- Installment purchase or withdrawal that is not configured for the program. For example, when it is configured only for cash purchases.
- Repeated retries in the scenarios above
- An invalid ATC may come (same as the last currently stored or older, due to a buyer shipping error or even fraud)
- From the moment you lose the ATC synchronization, the next purchases will also come with the ATC unsynchronized. In this case you need to reset the ATC (below).
Pismo platform ATC parameters and endpoints
The ATC minimum and maximum parameters - ATC MAX OFFSET
and ATC MIN OFFSET
- can be configured as program parameters via the Pismo Control Center program.
You can use the Reset card ATC endpoint to reset the ATC array. In this case, we continue to validate the ATC parameters (min and max) and store further incoming values starting from the next purchase.
Updated 17 days ago