Mobile NFC at Point of Sale Flow
In the mobile NFC at point of sale (POS) flow, a Payment Token is stored within an NFC-enabled mobile device or, alternatively, in a remote server and delivered just-in-time to the device.
Token Provisioning can be accomplished by the Token Requestor interfacing with the Token Service Provider.
When a transaction is initiated, the mobile device and/or remote server will generate a contactless transaction including the Payment Token, Token Expiry Date, Token Cryptogram, and other chip data elements, and pass the transaction to the Merchant's point of sale terminal (electronic POS terminal) via the NFC interface.
The following steps explain the mobile NFC POS flow of the standard Payment Token data fields in the authorisation message when the mobile device is used at an NFC-enabled point of sale terminal.
1. The mobile device will interact with the NFC terminal through the payment application and pass the following key Payment Token data elements to the Merchant terminal:
- Payment Token will be passed in the existing PAN field.
- Token Expiry Date will be passed in the PAN Expiry Date field.
- Token Cryptogram will be generated based on the Token data elements and will be passed in the Chip Cryptogram field. (The cryptogram may be a full chip cryptogram, or an abbreviated Track 2 equivalent cryptogram.)
- Token Requestor ID will be passed as an optional field.
- All other contactless data elements will be created and passed following the contactless data standards.
NOTE that the Token Cryptogram generated from the mobile device along with POS Entry Mode will serve as the Domain Restriction Control fields that will be used by the Token Service Provider to validate the integrity of the transaction using that Payment Token.
2. The Merchant terminal will pass the contactless authorisation request to the Acquirer, carrying all of the standard Payment Token data fields and contactless data elements; POS Entry Mode will be set to indicate a contactless transaction.
3. The Acquirer will perform routine processing checks and pass the Token data fields and the contactless data to the Payment Network.
4. The Payment Network will interface with the Token Service Provider to:
- Retrieve the PAN.
- Verify the state of the Payment Token to PAN mapping in the Token Vault for the active Payment Token, and other controls that may be defined for that Payment Token.
- Validate the Token Cryptogram and validate the Token Domain Restriction Controls for that Payment Token (alternatively the Card Issuer may validate the cryptogram if it has the necessary keys).
- Retrieve the Token Requestor ID if it was not provided in the authorisation message.
5. The Payment Network will send the authorisation request to the Card Issuer, with the following changes to the authorisation request message:
- Replace Payment Token with PAN.
- Replace Token Expiry Date with PAN Expiry Date.
- Add an indicator that conveys to the Card Issuer that an on-behalf-of validation has been completed by the Token Service Provider of that Payment Token.
- The following Payment Token-related fields are passed to the Card Issuer in the authorisation request:
  - Payment Token
  - Token Expiry Date (Optional)
  - Token Assurance Data (Optional)
  - Token Assurance Level
  - Token Requestor ID
  - POS Entry Mode Code
6. The Card Issuer completes the account-level validation and the authorisation check, and sends the PAN back in the authorisation response to the Payment Network.
7. The Payment Network (possibly in communication with the Token Service Provider) may generate a response cryptogram and will replace the PAN with the Payment Token based on the mapping, and will pass the following required fields to the Acquirer as part of the authorisation response, in addition to other standard data elements:
- Payment Token
- Token Assurance Level
- Last 4 digits of PAN
- PAN Product ID (Optional)
8. The Acquirer will pass the authorisation response to the Merchant.
9. The consumer will be notified of the success or failure of the transaction.
NOTE that this mobile NFC POS flow accommodates use of a Payment Token loaded into
a contact and/or contactless chip at time of issuance.
Such a Payment Token would be different from the PAN embossed/printed on the Card and encoded on the magnetic stripe.
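
The field substitutions in steps 4, 5 and 7 can be sketched as follows. This is an added example, not code from the specification or from any payment network. The dictionary keys, the `txn_nonce` field, the "contactless" entry-mode label and all sample values are constructed, and HMAC-SHA256 stands in for the real chip cryptogram algorithm.

```python
import hashlib
import hmac

# Constructed sample vault entry: made-up token, PAN, key and Token Requestor ID.
VAULT = {
    "4900000000000001": {
        "pan": "4111111111111111", "pan_expiry": "2812", "state": "ACTIVE",
        "requestor_id": "40010030273", "assurance_level": "05",
        "allowed_entry_modes": {"contactless"},
        "key": b"constructed-per-token-key",
    }
}

def token_cryptogram(key, token, expiry, txn_nonce):
    """Stand-in cryptogram: HMAC-SHA256 over token data (not the EMV algorithm)."""
    msg = "|".join((token, expiry, txn_nonce)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def detokenise_request(req):
    """Steps 4 and 5: validate the token, then build the issuer-bound request."""
    entry = VAULT.get(req["pan_field"])
    if entry is None or entry["state"] != "ACTIVE":
        raise ValueError("token not active in vault")
    # Domain Restriction Controls: POS Entry Mode plus Token Cryptogram.
    if req["pos_entry_mode"] not in entry["allowed_entry_modes"]:
        raise ValueError("POS entry mode not permitted for this token")
    expected = token_cryptogram(entry["key"], req["pan_field"],
                                req["pan_expiry_field"], req["txn_nonce"])
    if not hmac.compare_digest(expected, req["chip_cryptogram"]):
        raise ValueError("token cryptogram invalid")
    return {
        "pan_field": entry["pan"], "pan_expiry_field": entry["pan_expiry"],
        "payment_token": req["pan_field"], "token_expiry": req["pan_expiry_field"],
        "token_assurance_level": entry["assurance_level"],
        # Retrieved from the vault when the terminal did not send it.
        "token_requestor_id": req.get("token_requestor_id") or entry["requestor_id"],
        "pos_entry_mode": req["pos_entry_mode"], "obo_validation_done": True,
    }

def retokenise_response(issuer_resp, token):
    """Step 7: swap the PAN back for the Payment Token before the Acquirer sees it."""
    entry = VAULT[token]
    if issuer_resp["pan_field"] != entry["pan"]:
        raise ValueError("response PAN does not match token mapping")
    return {"pan_field": token, "payment_token": token,
            "token_assurance_level": entry["assurance_level"],
            "pan_last4": entry["pan"][-4:],
            "response_code": issuer_resp["response_code"]}
```

Because the entry mode and cryptogram are checked before the mapping is used, a token captured at the terminal fails validation when replayed with a different POS Entry Mode or altered token data.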