Decoding ATM transaction messages for EMV monitoring and analytics

So you’ve just converted all your ATMs (or at least the ones that make the most sense) to support EMV chip capability. Good timing, given Mastercard’s looming October 21st fraud liability shift deadline for ATM acquirers. But although you may have reached an “all ATM terminals go” nirvana, you are not out of the chargeback zone – yet.

Over the next few months you’re going to want to keep a keen eye out for:

  1. An increase in fraudulent transaction attempts on ATMs that are not yet EMV capable, or using cards that are not yet EMV capable
  2. Device or card problems that are causing transactions that should be processed as EMV transactions to fall back to magstripe instead

INETCO has been working with a number of our customers to tackle these issues directly. We are helping them create a set of real-time transaction alerts and fraud visualization dashboards that will make it easier to dispute ATM Chip Liability Shift (CLS) chargebacks, understand the precise details of how transactions are being processed, and resolve a range of questions related to EMV chip migration, including:

  • Which of your remaining ATMs should be prioritized and migrated to EMV next?
  • Until your ATMs are chip-enabled, what potential fraud or usage patterns should you be on the lookout for?
  • How can you quickly know if the card transaction was an EMV chip transaction, or an EMV fallback to magstripe?
  • If it was a magstripe transaction, was the ATM terminal EMV capable?
  • If it was a magstripe transaction, was the card used EMV capable?

We thought we would share a condensed version of our answers below…

Question #1:  Which of your remaining ATMs should be prioritized, and migrated to EMV next? 

Answer:  Although this is a pretty simple question to answer, a good one-stop visual definitely helps. We suggest that you take into account a number of data points, such as transaction volumes, terminal profitability, customer density, competitive information, and where ATM fraud at the physical point has been attempted in the past:

atm-placement-dashboard

Question #2:  Until your ATMs are chip-enabled, what potential fraud or usage patterns should you be on the lookout for?

Answer:  Regardless of where you are at with your EMV migration, it is important to be on constant lookout for high velocity scenarios. This means setting up real-time alerts that notify you to anomalies such as:

  • Excessive repeat transaction activity over a set period of time – either on ATMs you own, or ATMs you do not own
  • A high number of card swipes over a set period of time – either one card used at one device with high velocity, or multiple cards at a common ATM
  • Either low value- or abnormally large value- transactions occurring
insight-dashboard
See larger version of dashboard by clicking on image

details-dashboard-1Question #3: How can you quickly know if the card transaction was an EMV chip transaction, or an EMV fallback to magstripe?

Answer:  Real-time transaction alerts can be set up to notify you when a single EMV fallback occurs, or when there are consecutive magstripe transactions at an ATM. By delving into decoded transaction message fields, you can identify what type of transaction it is, and if these transactions have originated from a specific card type.

The example alert below was set up to send out a “Warning” notification in the event that a magstripe transaction occurs at any of the terminals within an EMV-enabled ATM fleet. The first digit of the service code (2xx or 6xx) indicates the card is chip capable.  In this case, the service code starts with two, meaning the card is EMV capable.

Question #4:  If it was a magstripe transaction, was the ATM terminal EMV chip capable?

Answer: It’s important to know whether your ATM’s are reading EMV chips for ALL transactions. By correlating both the ISO 8583 protocol variants and the NDC+ protocols, you start getting a full, end-to-end transaction picture that can help you isolate the root cause of issues. For example, the transaction fields within the various ISO dialects indicate whether your ATM terminal is a magstripe or EMV chip enabled terminal. The authorization data contained within the transaction would also confirm things such as Improper Terminal Capability/Entry Condition (TEC), or a fallback error due to the terminal.

details-dashboardQuestion #5:  If it was a magstripe transaction, was the card used EMV capable?

Answer: Decoded transaction messages can also be used to determine whether a card is EMV capable. For instance, we can tell if, during the PIN verify sequence, the chip is not used. When a card is EMV capable, the fields (Field ID) will also indicate smart card data.

We realize that every ATM acquirer is at a different state in their EMV migration process, and what you care to analyze will be unique to your environment.If you are interested in learning more about decoding transaction messages, or would like to share your thoughts on EMV analytics and real-time transaction monitoring, we would love to hear from you.

You can also register for the “5 Awesome Ways to Improve Customer Engagement” webinar happening Tuesday, October 18th at 11:00am EDT.