Validation code definitions
810 - Available limit validation
If the balance or withdrawal limits are insufficient to complete a transaction, the Pismo platform denies the transaction. For insufficient balance, the response code is 51
. For insufficient withdrawal limit, the denial code is 61
.
998 - Card hash not present in the database
There is an encrypted database that associates a hash with a primary account number. If no card is retrieved using the given hash, or if more than one card is retrieved, the transaction is denied.
For a tokenized card, if its status is not active, the transaction is also denied.
ACE - network-transactions-api communication error
This error occurs when there is a communication error or a timeout with the authorization system during the stateful validations. In this case, there could be a problem with the authorization flow.
ACT - A timeout occurred while fetching account
During the transaction flow, the Accounts API is called in order to retrieve account details. If a timeout happens in the Accounts API, the transaction is denied.
AEE - Anti-fraud external generic error
This custom code addresses generic errors (4xx, 5xx) when calling the external anti-fraud system.
AET - Anti-fraud external API timeout
This custom code applies when the external API does not respond in a timely matter.
AFE - Anti-fraud internal generic error
This custom code addresses generic errors (4xx) when calling the internal Anti-fraud API, a Pismo API that handles calls to anti-fraud systems. This exception is also used when the internal Anti-fraud API is down.
AGE - Unexpected error while fetching account
During the transaction flow, the Accounts API is called in order to retrieve account details. If an unexpected error happens while fetching those details in the Accounts API, the transaction is denied.
AIT - Anti-fraud internal API timeout
This custom code applies when the internal Anti-fraud API, a Pismo API that handles calls to anti-fraud systems, does not respond in a timely manner.
ANF - Acceptance not found
Check to see if the first two positions of sub-field Transaction Type from Processing Code (DE3) present at the authorization message body are in internal program parameters. Each Transaction Type domain is an acceptance. If a domain isn’t parameterized, the transaction is denied.
Currently the processing codes 11 - Quasi-Cash Transaction, 39 - Eligibility Inquiry, 40 - Cardholder Account Transfer, 70 - PIN Change, and 72 - PIN Unblock are not mapped.
AUD - Authorization disabled
This denial code is generated when an option is enabled on the network transactions configuration. The option deny_all_authorizations
disables all authorizations where the configuration is set. deny_all_authorizations
can be enabled at the organization, program, or account level. It can also be enabled on a BIN, but must be related to a configuration made on the other levels. This is useful for migration flow scenarios where you want a guarantee that you will process any authorizations before the go-live signal.
BCE - Balance Config generic error
When the authorization gets an error when trying to retrieve information from the Balance Config API, in this case the card network must be notified that we have an internal error and a message will be generated for this authorization.
BCT - Balance Config Timeout
This denial occurs when the Balance config API exceeds the time allowed to respond.
Card status validation
A card's status determines whether the card can be used. For statuses NORMAL
and REISSUED
, all transactions are approved. The CREATED
status is only approved for tokenized transactions from digital wallets. This provides the cardless experience, which enables a customer to use their card before the physical one arrives. For all other statuses, transactions are denied.
The following table shows the card statuses that are associated with denial codes.
Denial Code | Card Status |
---|---|
FRB | CREATED (Note that tokenized transactions from digital wallets are allowed for this status.) |
UBT | BLOCKED (This denial code also happens when the number of password tries are exceeded.) |
BND | CANCELLED or CLIENTORDER |
BNW | WARNING |
BNF | FRAUD |
BNP | LOST |
BNR | ROBBED or THEFT |
VED | DELETED (Applies only for virtual cards) |
BNU | UNRECEIVED |
BNI | INOPERATIVE |
BNB | Any other status |
BNM | DAMAGED |
CPE | PENDING |
CSU | CARD UNKNOWN |
CAV - CAVV 3DS validation result
If CAV was returned in the denial_code
field, it is necessary to call the PCI-Cards team (cards).
For a 3DS transaction, it's necessary to do the CAVV validation with the Hardware Security Module (HSM). This validation is only needed when the 3DS transaction/customer uses the CAVV algorithm.
To ELO, those 3DS-related values are found on BIT-122.
CED - Invalid expiration date provided
If a purchase has a cardholder verification method (CVM), such as CVV, password, or chip, it's necessary to verify it using the HSM. If the provided expiration date is invalid inside the Hardware Security Module (HSM), check to see if the transaction is denied. This is a stateless validation, so a further validation to check the values in the database is made: VNM - Expired card.
CET - Card timeout
When the authorization gets a error (timeout reached) while trying to retrieve the card data, the network will be notified that we have an internal error and in some cases a message will be generated for this authorization.
CGE - Card generic error
When the authorization gets an error (invalid response code) trying to retrieve the card data, the network will be notified that we have an internal error and in some cases a message will be generated for this authorization.
CLF - Credit limit impact not found
When the authorization gets an error while trying to retrieve information from the Credit Limit Impact, the card network is notified that there is an internal error and a message is generated for this authorization.
CMD - Card mode disabled
Scenarios in which the card mode is invalid or not registered (very unlikely). This can happen with combo cards that don't have the DEBIT or CREDIT mode specified or if the card is pure credit and doesn’t have the specified credit mode. The same happens for a pure debit card when it doesn’t have the debit mode specified.
CNC - Account cancelled
Indicates if an account is cancelled, it is not allowed to operate. It’s a domain from Accounts team and we validate in the online authorization time.
CND - Account blocked
The following parameters are checked for a transaction.
AuthorizationStatus
– Indicates if an account is allowed to operate.CreditStatus
– Indicates if an account can receive a credit.DebitStatus
– Indicates if an account can receive a debit.CollectionStatus
– Indicates if an account is in normal or overdue status. If an account is overdue, the account holder cannot do a cash-out (purchase, cash withdrawal, and so on).
CNU - Account status unknown
Indicates if the account status is unknown, then it is not allowed to operate–only NORMAL
account status is valid. It’s a domain from Accounts team and we validate in the online authorization time.
CTE - Transaction counter exceeded
Internationalization in progress
Work to internationalize the Pismo platform is ongoing. Some parameter names, such as
LIMITE TRANSACOES CARTAO TEMPORARIO
, are still in the original Portuguese.
Applies only for virtual cards. These cards have a transaction counter. When the count exceeds the value set in the program parameter LIMITE TRANSACOES CARTAO TEMPORARIO
, the transaction is denied.
CV3 - CVC3 not configured
Purchases with entry mode 91 (910, 911, and 912) that are not made via wallet are denied with code CV3, if there is no CVC3 validation configured.
DCC - DCC transaction not allowed for program
Each program is configured to allow or deny dynamic currency conversion (DCC) transactions. The default is to allow them.
If a program is configured to deny DCC transactions, any transaction that is of type DCC is denied with code DCC.
DCE - distributor-api communication error
This error occurs when there is a communication error between the authorization system and the Parser API, or there is a timeout during the stateless validations. This could indicate a problem with the authorization flow. Note that the Parser API has 5 seconds to complete authorization validation. If validation is not completed in time, a DCE error occurs.
DCM - Original authorization not found at refund
When a refund transaction (MTI 0400 or 0420) is received, the original authorization must be retrieved from the database before proceeding. If the original authorization is not found, the transaction is declined.
DIC - Invalid country for DCC definition
The Pismo platform needs a valid country code to determine if a transaction is a DCC transaction. If there is no valid country code, the platform denies the transaction with code DIC.
DIY - Invalid currency for DCC definition
The Pismo platform needs a valid currency code to determine if a transaction is a DCC transaction. If there is no valid currency code, the platform denies the transaction with code DIY.
ETR - Exceed time to reversal
This denial code is specific for ELO. It means that the reversal advice (mti 0420) came 24 hours or more after the persisted authorization. This behavior is not allowed for ELO in reversal advice cases.
FAT - ATC validation
The chip card application maintains an Application Transaction Counter (ATC) for security. (Since it runs locally on the chip, it qualifies as a fat application.) The ATC is incremented when the physical card is used to make a purchase.
ATC validation is performed to make the platform safe from fraud attempts such as cloned cards. A duplicated ATC or an unusual jump in its value could be a fraud warning sign.
Duplicated ATC
The platform compares a provided ATC value with a list of values from previous authorizations. This list can store around 2000 previous ATC values. If a duplicate is found, the authorization is denied.
ATC minimum offset
The parameter ATC MIN OFFSET
represents the minimum allowed difference between the provided ATC value and the last ATC value. If the provided ATC value minus the last ATC value is less than ATC MIN OFFSET
, the platform treats the event as a replay attack and the authorization is denied.
ATC maximum offset
The parameter ATC MAX OFFSET
represents the maximum allowed difference between the provided ATC value and the last ATC value. If the provided ATC value minus the last ATC value is greater than ATC MAX OFFSET
, this indicates unusual behavior. It's not necessarily a replay attack, but it suggests that the chip data was captured for a future attack.
For information about how to reset an ATC list, refer to Reset card ATC.
FL6 - Card blocked by anti-fraud
When the anti-fraud mechanism flags a transaction as a referral (which is a specific designation of fraud used by some Brazilian clients), the card is blocked and the Pismo platform denies the transaction with this code.
FR1 and FR2 - CVV/CVC validation
If CVV/CVC1 is present in the authorization message body, a validation by the Hardware Security Module (HSM) is necessary using the following data: cryptographic key, primary account number, service code, and expiration date. If an error occurs in this HSM validation, the platform returns denial code FR1. However, if CVV/CVC2 is present, the same thing happens, except that FR2 is returned in case of error.
The CVV/CVC 1 or 2 validation is skipped in the following scenarios:
- Tokenized transactions with a safe authentication flag like MDES or VTS (Apple Pay, Samsung Pay, etc.).
- The emitter allowed no-CVM transactions.
- Recurring billing with 3DS authentication (SLI - 210), like Netflix or Spotify.
- Pre-authorization with 3DS authorization (SLI - 210).
- E-commerce authorizations.
FR3 - IAV - intelligent account validation
FR3 refers to an error message that may be displayed while processing a transaction with a card. The code indicates that the transaction was denied because the previously provided authorization number for the original transaction is invalid or does not match the expected authorization number.
This can occur for a number of reasons, including entering the authorization number incorrectly or attempting to use a previously invalid or expired authorization number.
FR5 - Transaction made with magnetic stripe in a country where it's not allowed to be used
When the currency code is 986 - BRL, and the Track 1 or Track 2 data are present in the authorization message body without the chip data, this message is handled as a magnetic stripe and is denied.
At this point, the expiration date, service code, and CVV/CVC are not validated.
At the EMV POS (Europay, Mastercard, and Visa point-of-sale) entry mode, this denial happens before FRE, which is often used to deal with this specific situation.
FR6 - Password validation
If the password is present, it is validated by the Hardware Security Module (HSM) against the password in the database. If it does not match, the transaction is denied. When the cardholder enters an invalid password, denial code FR6
is returned.
FR7 - Card not present in database
Besides the encrypted database, there is a PCI database with card data. If the card is not present in this database, the transaction is denied.
FRE - Cryptogram data validation
There are two possible scenarios for this denial code:
- Missing cryptogram in EMV chip authorizations
- Cryptogram was sent out of context
The first scenario happens when the POS entry mode is 05 (chip) or 07 (contactless) from a physical card (e.g., not a tokenized transaction) without the cryptogram. It’s possible that FR5 occurs in this case due to a validation conflict.
The second scenario occurs when a cryptogram is retrieved from a message, but the entry mode is neither 05 (chip) nor 07 (contactless).
FRH - POS (point-of-sale) entry mode validation
Denial list for terminal capability validation (POS or input device) and entry mode. This validation checks how the card data was acquired (card machine, online purchase, NFC, etc.) and the entry mode information. For example, in e-commerce, it’s not possible to retrieve the card chip data, so it’s not a valid entry mode and should be denied. For Visa, entry mode is in Field 60. For Mastercard, it's in DE 61.
The following combinations should be denied according to this specification:
Visa
0 - Unknown
91 - Contactless device-read-originated using magnetic stripe data rules
1 - Terminal not used
02 - Magnetic stripe read. CVV checking might not be possible.
03 - Optical code
04 - Reserved for future use
05 - Contact integrated circuit card read using VSDC chip data rules
06 - Reserved for future use
07 - Contactless device-read-originated using qVSDC chip data rules
90 - Magnetic stripe read and exact content of Track 1 or Track 2 included (CVV check possible)
91 - Contactless device-read-originated using magnetic stripe data rules
95 - Integrated circuit card read. CVV or iCVV checking might not be possible.
2 - Magnetic stripe read capability
03 - Optical code
04 - Reserved for future use
05 - Contact integrated circuit card read using VSDC chip data rules
06 - Reserved for future use
07 - Contactless device-read-originated using qVSDC chip data rules
91 - Contactless device-read-originated using magnetic stripe data rules
95 - Integrated circuit card read. CVV or iCVV checking might not be possible.
3 - Barcode read capability
02 - Magnetic stripe read. CVV checking might not be possible.
04 - Reserved for future use
05 - Contact integrated circuit card read using VSDC chip data rules
06 - Reserved for future use
07 - Contactless device-read-originated using qVSDC chip data rules
90 - Magnetic stripe read and exact content of Track 1 or Track 2 included (CVV check possible)
91 - Contactless device-read-originated using magnetic stripe data rules
95 - Integrated circuit card read. CVV or iCVV checking might not be possible.
4 - OCR-read capability
02 - Magnetic stripe read. CVV checking might not be possible.
03 - Optical code
05 - Contact integrated circuit card read using VSDC chip data rules
06 - Reserved for future use
07 - Contactless device-read-originated using qVSDC chip data rules
90 - Magnetic stripe read and exact content of Track 1 or Track 2 included (CVV check possible)
91 - Contactless device-read-originated using magnetic stripe data rules
95 - Integrated circuit card read. CVV or iCVV checking might not be possible.
5 - Chip-readable capability
03 - Optical code
04 - Reserved for future use
91 - Contactless device-read-originated using magnetic stripe data rules
95 - Integrated circuit card read. CVV or iCVV checking might not be possible.
8 - Proximity-read-capable terminal
02 - Magnetic stripe read. CVV checking might not be possible.
03 - Optical code
04 - Reserved for future use
05 - Contact integrated circuit card read using VSDC chip data rules
91 - Contactless device-read-originated using magnetic stripe data rules
95 - Integrated circuit card read. CVV or iCVV checking might not be possible.
9 - Terminal does not have the capability to read cards data
02 - Magnetic stripe read. CVV checking might not be possible.
03 - Optical code
04 - Reserved for future use
05 - Contact integrated circuit card read using VSDC chip data rules
06 - Reserved for future use
07 - Contactless device-read-originated using qVSDC chip data rules
90 - Magnetic stripe read and exact content of Track 1 or Track 2 included (CVV check possible)
91 - Contactless device-read-originated using magnetic stripe data rules
95 - Integrated circuit card read. CVV or iCVV checking might not be possible.
Mastercard
0 - Input capability unknown or unspecified
91 - Contactless magnetic stripe
1 - No terminal used (voice/ARU authorization)
02 - Magnetic stripe - not qualified
03 - Bar code reader
04 - OCR
05 - Chip
07 - Contactless magnetic stripe / chip
09 - PAN entry via eCommerce, including remote chip
79 - Chip --> Manual
80 - Chip --> Magnetic stripe
82 - PAN auto entry via server (issuer, acquirer, or third party)
90 - Magnetic sripe - full data
91 - Contactless magnetic stripe
95 - Visa Only - Chip with unreliable CVV
2 - Supports magnetic stripe input only
03 - Bar code reader
04 - OCR
05 - Chip
07 - Contactless magnetic stripe / chip
09 - PAN entry via eCommerce, including remote chip
82 - PAN auto entry via server (issuer, acquirer, or third party)
91 - Contactless magnetic stripe
95 - Visa only - Chip with unreliable CVV
3 - Supports contactless EMV input
91 - Contactless magnetic stripe
95 - Visa only - Chip with unreliable CVV
4 - Contactless magnetic stripe (proximity chip)
03 - Bar code reader
91 - Contactless magnetic stripe
95 - Visa only - Chip with unreliable CVV
5 - Supports EMV contact chip input and magnetic stripe input
03 - Bar code reader
04 - OCR
91 - Contactless magnetic stripe
95 - Visa only - Chip with unreliable CVV
6 - Supports key entry input only
02 - Magnetic stripe - not qualified
03 - Bar code reader
04 - OCR
05 - Chip
07 - Contactless magnetic stripe / chip
79 - Chip --> Manual
80 - Chip --> Magnetic stripe
90 - Magnetic stripe - full data
91 - Contactless magnetic stripe
95 - Visa only - Chip with unreliable CVV
7 - Supports magnetic stripe input and key entry input
03 - Bar code reader
04 - OCR
05 - Chip
07 - Contactless magnetic stripe / chip
91 - Contactless magnetic stripe
95 - Visa only - Chip with unreliable CVV
8 - Supports EMV contact chip input, magnetic stripe input, and key entry input
03 - Bar code reader
04 - OCR
07 - Contactless magnetic stripe / chip
91 - Contactless magnetic stripe
9 - Supports EMV contact chip input only
02 - Magnetic stripe - not qualified
03 - Bar code reader
04 - OCR
07 - Contactless magnetic stripe / chip
79 - Chip --> Manual
80 - Chip --> Magnetic stripe
90 - Magnetic stripe - full data
91 - Contactless magnetic stripe
95 - Visa Only - Chip with unreliable CVV
FRN - Chip field validation
Validation of the chip cryptogram. When the field DE55
is present in the authorization message body, it’s necessary to recalculate the chip cryptogram from the following tags and chip keys:
Tag | Chip key |
---|---|
5F34 | Application Primary Account Number (PAN) |
9F02 | Amount Authorized |
9F03 | Amount Other |
9F1A | Terminal Country Code |
95 | Terminal Verification Results |
5F2A | Transaction Currency Code |
9A | Transaction Date |
9C | Transaction Type |
9F37 | Unpredictable Number |
82 | Application Interchange Profile |
9F36 | Application Transaction Counter |
9F10 | Issuer Application Data (tag content, key index, and cryptogram version) |
9F33 | Terminal Capability Profile |
The calculated response is compared to tag 9F26 - Application Cryptogram, which contains the cryptogram generated by the card. If the values are identical, you should send back the ARPC - Application Response Cryptogram (tag 91) so it can be verified that the transaction was authorized by a trusted comparison method. However, if the values are different, the transaction is denied. The tags C0 - Secondary PIN Block and 91 - Issuer Authentication Data are not used in this validation.
For Visa transactions, the transaction amount and country code are checked against the values present in the DE55
field (chip data).
FRO - Chip signature validation
Check the cardholder verification type used by POS at byte 1 of tag 9F34. If it is a deprecated value (1F - No CVM required, 1E or 5E - Signature), then the transaction is denied after the first CVM fails.
GCD - GCD Gift card denial
This code is returned when a gift card transaction is denied.
It was necessary to create a new denial code to be used in an ELO response when the transaction kind is a gift card. In this case, the ELO network does not allow this kind of transaction, but this type of block can be done by the client. When GCD appears in the answer, the response code is 57
.
HCE - HSM communication error
This occurs when there’s a communication error between our applications and the Hardware Security Module (HSM).
IAT - Invalid account type
Compares the field Account Type content of the Processing Code (DE3
) sent in the authorization message body with the given card type. If the authorization mode (credit or debit) isn’t allowed for this card, the transaction is denied. For example, a credit card transaction with Account Type 20 (debit) is denied.
IMA - Invalid message authentication code
If the message authentication code received from the network is invalid, the transaction cannot be processed and is denied.
Currently, this validation is only performed for the RuPay network.
IMF - Invalid message format
If the message received from the network has an invalid format, domain, or value, the transaction cannot be processed and is denied with code IMF.
ISE - Insufficient statements
If there are installments and interest to be calculated for the transaction, the Pismo platform has to fetch all the statements related to the installments, so it can use the due dates in its calculations. If the number of statements does not match the number of installments, the transaction is denied with code ISE. For example, if the transaction is for 36 installments, but there are only 30 statements created for the account, the transaction is denied.
LAE - An unexpected error happened while getting the account information
If the authorization system attempts to get a list of the available limits on an account from the Ledger API and a communication error occurs, this can result in an LAE error. For example, if there is a status code 500 - Internal Error
from the API, the Pismo platform sends an LAE error in response.
LCT - Ledger account timeout
During transaction flow, the Ledger API is called to get a list of account limits. If the request times out, the transaction is denied.
LNF - Account not found
If a communication error occurs when authorization tries to get a list of account limits from the Ledger API, this can result in an LNF error. For example, if the authorization system sends an invalid field or value in the request payload, it generates a 400 - Bad Request
error, and the Pismo platform sends an LNF error in response.
LUD - Limit update duplicated ID error
This error occurs when there is a duplicate call. This would change the customer's balance twice for the same purchase, so the transaction is denied.
LUE - Error on update Ledger
Any error that occurs in the Ledger API service that is not a timeout is denied with this code.
LUT - Ledger timeout
If a timeout in the Ledger API service prevents the platform from completing a transaction, the Pismo platform denies the transaction.
MPC - Program config not found
This error occurs if the authorization platform doesn't have a valid program configuration. You need to contact a Pismo representative to fix the configuration.
NCV - Entry mode not allowed with no CVM
By default, the Pismo platform does not allow authorizations without any cardholder validation method (CVM)–CVV, stripe, chip, password–and that is not marked as recurring and secure.
OP1 - Message consistency or generic error
OP1 can appear for generic errors in stateless authorizations, such as when the Hardware Security Module (HSM) is unavailable, unexpected content in messages, invalid fields, or any unforeseen/platform-mapped error.
PAE - Unexpected error while fetching parameters
During the transaction flow, the Programs API is called in order to retrieve parameters details. If an unexpected error happens while fetching those details in the Programs API, the transaction is denied.
PAT - A timeout occurred while fetching parameters
During the transaction flow, the Programs API is called in order to retrieve parameters details. If a timeout happens in Programs API, the transaction is denied.
PIC - Program has invalid currency code
If the program has an invalid currency code, the transaction is denied with code PIC.
PCE - Unexpected error in processing code definition
This could be the result of a timeout in the processing code API.
PCT - A timeout occurred in processing code definition
This occurs when there is a communication error between the authorization flow and the processing code API. This can be a 400 - Bad Request
, a 500 - Internal Error
, or some other error. In the case of a 400 - Bad Request
, the authorization system could be sending an invalid field or value in the request payload. In all other cases, there is a processing error, which could indicate a bug in the flow.
PFT - Denied by anti-fraud
This response indicates that an anti-fraud mechanism denied the transaction. In some cases, such as a referral, a different response might override this one. A referral is a specific designation of fraud used by some Brazilian clients. This kind of response is regarded as more serious than a simple “fraud” response.
PGE - Program Config Generic Error
This occurs when the program configuration cannot be retrieved, either because of a communication failure with the API or an internal error.
PNP - PIN not present
Indicates that an authorization request was sent with no PIN in a card-present transaction. This custom code will not affect the PIN count.
PRE - Unexpected error while fetching program
If an unexpected error occurs while attempting to retrieve the program details, the transaction is denied with code PRE.
PRN - Program not found
If the program associated with a transaction is not found, the transaction is denied with code PRN.
PRT - A timeout occurred while fetching program
If a timeout occurs while attempting to retrieve the program details, the transaction is denied with code PRT.
RAD - Rates API denial
Occurs when a transaction is denied by some logical error in Rates API. This error is the result of a 422 - Unprocessable Entity.
RAE - Error calling API-Rates
This code indicates an error in the communication with the Rates API service during the authorization amount calculation. This error can be a result of a 400 - Bad Request
response, a 500 - Internal Error
response, or an error in the communication between the authorization system and the API-Rates service. In the Bad Request scenario, the authorization system could be sending an invalid field or value in the request payload. In other scenarios, there could be an error in the processing. If it is a single error, a retry might be enough to fix the problem. Multiple errors might indicate a bug in the flow.
RED - Operation not allowed by rules / Rules do not honor / Rules internal error / Operation not permitted - credit voucher
This error occurs when flexible transaction control validation fails. It can be the result of a 400 - Bad Request
, a 500 - Internal Error
, or an error in communication between the authorization system and the API flex controls. However, in this case, the transaction is a credit voucher.
In the case of a 400 - Bad Request
, the authorization system could be sending an invalid field or value in the request payload.
In other cases, there is an error in the processing. If there is a single error, a retry could be enough to fix the problem. If there are multiple errors, there could be a bug in the flow.
The application of API rules can sometimes result in a transaction being denied and an error with code RED being generated.
STD - Denied by second authorizer
This error occurs when the second authorizer denies the transaction.
TSM - Password tries exceeded
Internationalization in progress
Work is ongoing to internationalize parameter names. The guide uses the English phrase “Wrong password attempts” for param
TENTATIVAS SENHA ERRADA
When the password is present in the body of the authorization message and the password attempt counter exceeds the Wrong password attempts
program parameter, the transaction will be denied and the card will be blocked.
The program parameter Wrong password attempts
specifies the maximum number of tries the user is allowed when entering their password. When the password is present in the authorization message body, and the number of tries exceeds the value in Wrong password attempts
, the transaction is denied.
For example, if the program has the Wrong password attempts
parameter set to 3, the Pismo platform will send the label BLOCK_CARD
and the card will have the card status BLOCKED
at the end of this transaction.
This denial code will only be issued when the password is present and correct after reaching the maximum number of attempts or it is a transaction without a password. Otherwise, the authorization will be denied by FR6 after checking the Hardware Security Module (HSM), as the FR6 code takes precedence over TSM.
When the correct password is entered before the limit is exceeded, the counter is reset to 0. However, when the limit is exceeded, the card is blocked.
For further information about the password tries reset endpoint, refer to Get OpenID access token.
UBN - NFC disabled
The purchase is denied with code UBN when it is of the contactless type (entry mode 07) and the function is disabled.
VEV - Expired virtual card
Temporary cards are created with their expiration date set to their creation date plus one day. If a transaction occurs after the expiration date, the transaction is denied. This applies only to the TEMPORARY
card type, which is the only one that has this value set.
VNM - Expired card
For transactions which don’t have verification methods (CVV, password, chip), like recurring billings or purchases with a safe flag, this code indicates that the card is expired, based on the printed date on the card (which also is present in the database). This validation is made in two different scenarios:
- Transactions which have verification methods (CVV, password, chip) – In this case, the validation is made by the Hardware Security Module (HSM).
- CED – Invalid expiration date provided.
Z30 - Token found, but does not match card
The token and card were found but they are not related to each other, in other words the PAN given by network is not related with the token.
ZBA - Zero balance client webhook returns 401 status code, unauthorized.
If the zero balance client webhook returns status code 401 - Unauthorized, the transaction is denied with code ZBA.
ZBE - Zero balance client webhook returns general error
If the zero balance client webhook returns an error status code not covered by one of the other custom codes, the transaction is denied with code ZBE. Example: status code 400, 404, and others.
ZBF - Zero balance client webhook returns 403 status code, forbidden.
If the zero balance client webhook returns status code 403 - Forbidden, the transaction is denied with code ZBF.
ZBP - Partial authorization response invalid in Zero Balance Flow
In zero balance flow, it's possible to authorize transactions partially. A response code of "10" signifies that the transaction has been partially approved and the issuer must return the approved amounts. If these amounts are not returned or the amounts are negative, Pismo issues the custom code ZBP.
ZBT - Zero balance client webhook throws timeout exception.
If the zero balance client webhook exceeds the allowed time (2 seconds), it throws a timeout exception, and the transaction is denied with code ZBT.
ZBU - Unavailable endpoint, zero balance client webhook returns 503 status code.
If the zero balance client webhook returns status code 503 - Service Unavailable
, the transaction is denied with code ZBU.
Updated 14 days ago