Application Transaction Counter (ATC)
The Application Transaction Counter (ATC) is an EMV (Europay, Mastercard and Visa) field defined in EMV 4.4 Book 2 - Security and Key Management. It is a two-byte counter incremented at the start of a transaction, ranging in value from 0x0000 to 0xFFFF.
The card chip processor checks if a given transaction has an ATC lower than the one currently stored; if so, it may be discarded as a cloned card issue or replay attack.
ATC is required
Using an ATC on the Pismo platform is mandatory.
Internally, the Pismo platform stores an ATC as a string containing an array of around 2000 transaction sequence numbers. For example: "[5, 4, 3, 2, 1]". Pismo allocates 10,000 characters for this, so the actual amount of numbers may vary. If, in an incoming transaction, the received ATC value repeats a past sequence number, the transaction is denied.
The rationale for storing an ATC as a string containing an array of numbers, instead of only the latest incoming value, is to allow for ATC synchronization in situations such as offline purchases. For example, with offline purchases on a cruise ship, a few values can be lost until the card is used again on an online machine. Keeping the list of previous ATC numbers helps the Pismo platform determine whether a given transaction fits such a case.
Combination cards
For Pismo combination cards, an ATC is kept for each program type - debit and credit. So, if you call Reset card ATC for a combination card, the access token needs to be encoded with the ID of the account (credit or debit) whose ATC you want to reset.
Authorization flow
An incoming ATC value, received in an Authorization/Base I ISO8583 message, is compared with the last value stored in Pismo's database. The difference between the received and stored values must be within the allowed range that is configured for the card with the ATC MIN OFFSET and ATC MAX OFFSET program parameters.
- ATC MIN OFFSET - Number that must be subtracted from the last ATC registered in the database to make up the lower range bound
- ATC MAX OFFSET - Number that must be added to the last ATC registered in the database to make up the upper range bound
Examples
Database ATC (Pismo): [64, 63, 62, 61, 60]
ATC max offset (Pismo): 15
ATC min offset (Pismo): 5
Current ATC (incoming from the card network): 81 -> Denied (81 > 64 + 15)
Current ATC (incoming from the card network): 58 -> Denied (58 < 64 - 5)
Current ATC (incoming from the card network): 70 -> Approved (64 + 15 > 70 > 64 - 5)
The Pismo platform does not increment the ATC stored on the card chip; the POS/ATM where the card is used does that. The value is received from the network and we validate it against the previously registered values. In case of success, we register the new ATC received in our database after we receive a message from the authorizer - either api-networktransactions or payments-api in the case of the on-us flow. Otherwise, the transaction is denied with the custom code FAT. E-commerce transactions do not increment the ATC and this information is not present in the message, so we do not validate or update it in our database.
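The window and repeat checks described above can be sketched as follows. This is an added example, not Pismo's code: the function names, the reason strings, treating the first list element as the last registered value, and treating both bounds as inclusive are assumptions.

```python
import json

MAX_CHARS = 10_000  # storage budget the page gives for the serialized list


def check_atc(stored, incoming, min_offset, max_offset):
    """Return (approved, reason) for an incoming ATC against the stored history."""
    if not 0x0000 <= incoming <= 0xFFFF:   # the ATC is a two-byte counter
        return False, "outside two-byte range"
    history = json.loads(stored)           # stored form, e.g. "[64, 63, 62, 61, 60]"
    if not history:
        raise ValueError("empty history (post-reset state) is not modelled here")
    last = history[0]                      # assumption: newest value comes first
    if incoming in history:                # repeats a past sequence number
        return False, "repeat"
    if incoming > last + max_offset:
        return False, "above window"
    if incoming < last - min_offset:
        return False, "below window"
    return True, "ok"                      # assumption: both bounds are inclusive


def register_atc(stored, incoming):
    """Prepend an approved ATC and drop the oldest values past the size budget."""
    history = [incoming] + json.loads(stored)
    while len(json.dumps(history)) > MAX_CHARS:
        history.pop()                      # oldest value sits at the end
    return json.dumps(history)


if __name__ == "__main__":
    db = "[64, 63, 62, 61, 60]"            # values from the page's example
    for atc in (81, 58, 70, 62, 59):       # 62 and 59 are constructed extra cases
        print(atc, check_atc(db, atc, min_offset=5, max_offset=15))
    print(register_atc(db, 70))
```

The two constructed cases show why the history is kept: 62 falls inside the window but was already seen, so it is denied, while 59 is lower than the last value yet unseen and inside the window, which is the late offline purchase case.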
ATC denial scenarios
For each card swipe at a POS, a new ATC is counted. The ATC can lose synchronization in situations such as those below, causing a card block and consequently not allowing a transaction.
- If you make purchases with the wrong type (debit type, with credit mode and vice versa), the POS can sometimes deny this and the transaction will not even reach Pismo.
- Installment purchase or withdrawal that is not configured for the program. For example, when it is configured only for cash purchases.
- Repeated retries in the scenarios above
- An invalid ATC may come (same as the last currently stored or older, due to a buyer shipping error or even fraud)
- From the moment you lose the ATC synchronization, the next purchases will also come with the ATC unsynchronized. In this case you need to reset the ATC (below).
Pismo platform ATC parameters and endpoints
The ATC minimum and maximum parameters - ATC MAX OFFSET and ATC MIN OFFSET - can be configured as program parameters via the Pismo Control Center program.
You can use the Reset card ATC endpoint to reset the ATC array. In this case, we continue to validate the ATC parameters (min and max) and store further incoming values starting from the next purchase.