ISO 8583

ISO 8583 is an international standard for ''financial transaction card originated'' interchange messaging. It is the International Organization for Standardization standard for systems that exchange electronic transactions initiated by cardholders using payment cards.

ISO 8583 defines a message format and a communication flow so that different systems can exchange these transaction requests and responses. The vast majority of transactions made when a customer uses a card to make a payment in a store ( EFTPOS) use ISO 8583 at some point in the communication chain, as do transactions made at ATMs. In particular, the Mastercard, Visa and Verve networks base their authorization communications on the ISO 8583 standard, as do many other institutions and networks.

Although ISO 8583 defines a common standard, it is not typically used directly by systems or networks. It defines many standard fields (data elements) which remain the same in all systems or networks, and leaves a few additional fields for passing network-specific details. These fields are used by each network to adapt the standard for its own use with custom fields and custom usages.

Introduction

The ISO 8583 specification has three parts:

* Part 1: Messages, data elements, and code values
* Part 2: Application and registration procedures for Institution Identification Codes (IIC)
* Part 3: Maintenance procedures for the aforementioned messages, data elements and code values

Message format

A card-based transaction typically travels from a transaction-acquiring device, such as a point-of-sale terminal (POS) or an automated teller machine (ATM), through a series of networks, to a card issuing system for authorization against the card holder's account. The transaction data contains information derived from the card (e.g., the card number or card holder details), the terminal (e.g., the terminal number, the merchant number), the transaction (e.g., the amount), together with other data which may be generated dynamically or added by intervening systems. Based on this information, the card issuing system will either authorize or decline the transaction and generate a response message which must be delivered back to the terminal within a predefined time period.

An ISO 8583 message is made of the following parts:
* Message type indicator (MTI)
* One or more bitmaps, indicating which data elements are present. It consists of primary bitmap and secondary bitmap. The first bit of the primary bitmap indicates whether the secondary bitmap is present or not.
* Data elements, the actual information fields of the message

The placements of fields in different versions of the standard varies; for example, the currency elements of the 1987 and 1993 versions of the standard are no longer used in the 2003 version, which holds currency as a sub-element of any financial amount element. As of June 2017, however ISO 8583:2003 has yet to achieve wide acceptance. ISO 8583 messaging has no routing information, so is sometimes used with a TPDU header.

Cardholder-originated transactions include purchase, withdrawal, deposit, refund, reversal, balance inquiry, payments and inter-account transfers. ISO 8583 also defines system-to-system messages for secure key exchanges, reconciliation of totals, and other administrative purposes.

Message type indicator (MTI)

The message type indicator is a four-digit numeric field which indicates the overall function of the message. A message type indicator includes the ISO 8583 version, the Message Class, the Message Function and the Message Origin, as described below.

ISO 8583 version

The first digit of the MTI indicates the ISO 8583 version in which the message is encoded.

Message class

Position two of the MTI specifies the overall purpose of the message.

Message function

Position three of the MTI specifies the messages function which defines how the message should flow within the system. Requests are end-to-end messages (e.g., from acquirer to issuer and back with time-outs and automatic reversals in place), while advices are point-to-point messages (e.g., from terminal to acquirer, from acquirer to network, from network to issuer, with transmission guaranteed over each link, but not necessarily immediately).

Message origin

Position four of the MTI defines the location of the message source within the payment chain.

Examples

Given an MTI value of , the following example lists what each position indicates:
* → version of ISO 8583 ( = 1987 version)
* → class of the message ( = authorization message)
* → function of the message ( = response)
* → who began the communication ( = acquirer)

Therefore, MTI is an authorization response message where actual transaction was originated by the acquirer.

Bearing each of the above four positions in mind, an MTI will completely specify what a message should do, and how it is to be transmitted around the network. Unfortunately, not all ISO 8583 implementations interpret the meaning of an MTI in the same way. However, a few MTIs are relatively standard:

Bitmaps

In ISO 8583, a bitmap is a field or subfield within a message, which indicates whether other data elements or data element subfields are present elsewhere in the message.

A field is considered to be present only when the corresponding bit in the bitmap is set. For example, a hex with value (decimal 130) is binary , which means fields and are present in the message and fields 2, 3, 4, 5, 6 and 8 are not.

The bitmap may be represented as 8 bytes of binary data or as 16 hexadecimal characters (0–9, A–F) in the ASCII or EBCDIC character sets.
A message will contain at least one bitmap, called the ''primary bitmap'', which indicates data elements 1 to 64 are present. The presence of an optional secondary bitmap is also indicated by the first bit in the primary bitmap. If present, the secondary bitmap indicates whether data elements 65 to 128 are present. Similarly, a tertiary bitmap can be used to indicate the presence of fields 129 to 192, although these data elements are rarely used.

Examples

Given a bitmap value of ,

: = (counting from the left, the second ,third and fourth bits are 1, indicating that fields 2 , 3 and 4 are present)
: = (the first bit corresponds to field 9, so the fourth bit here indicates field 12 is present)
: = (no fields present)
: = (fields 28 and 32 are present)
: = (field 39 is present)
: = (fields 41 and 42 are present)
: = (fields 50 and 53 are present)
: = (field 62 is present)

Therefore, the given bitmap defines the following fields present in the message:

2, 3, 4, 12, 28, 32, 39, 41, 42, 50, 53, 62

Data elements

Data elements are the individual fields carrying the transaction information. There are up to 128 data elements specified in the original ISO 8583:1987 standard, and up to 192 data elements in later releases. The 1993 revision added new definitions, deleted some, while leaving the message format itself unchanged.

While each data element has a specified meaning and format, the standard also includes some general purpose data elements and system- or country-specific data elements which vary enormously in use and form from implementation to implementation.

Each data element is described in a standard format which defines the permitted content of the field (numeric, binary, etc.) and the field length (variable or fixed), according to the following table:

Additionally, each field may be either fixed or variable length. If variable, the length of the field will be preceded by a length indicator.

Examples

ISO-defined data elements (ver 1987)

Processing code

The following is a table specifying the message type and processing code for each transaction type.

Response code

=Ver 1987

=
The following table shows response codes and their meanings for ISO 8583-1987, later versions uses 3 and 4 digit response codes.

= Ver 1993

=

Point of service entry modes (Field 22)

The point of service (POS) mode field state what conditions the card has been read under, which type of authentication has been made, and depending on the version of the specification, what the capabilities of the terminal are.

= Ver 2003

=
For the 2003 specification the POS code consists of 16 binary characters split into four parts:
# Card reading method used
# Cardholder verification method used
# POS environment
# Security characteristics

= Ver 1993

=
For the 1993 version it is a 12-character field consisting of 5 parts:

# The terminal input capabilities (1st to 3rd character)
#* Card Data Input Capability
#* Cardholder Authentication Capability
#* Card capture capability
# The operating environment (4th to 6th character)
#* Operating Environment / Terminal placement
#* Cardholder Present indicator
#*Card Present indicator
# Authentication and verification done (7th to 9th character)
#*Card Data Input Method
#*Cardholder Verification Method
#*Cardholder Authentication Entity
# The terminal's output capabilities (10th and 11th character)
#*Card data output capability - can the terminal write to the magnetic stripe, or to the chip
#*Terminal output capability - can the terminal display or print something to the cardholder.
# PIN capture capability (12th character) indicates if the terminal can capture a pin code, and if so, the maximum length it can capture.

= Ver 1987

=
The point of service entry mode value consists of two parts:

# PAN entry mode, the first two digits
# PIN entry capability, the third digit

The following table shows PAN entry modes and their meanings.

The following table shows PIN entry capabilities and their meanings.

See also

* AS 2805
* Magnetic stripe card
* NCR Corporation
* Itautec
* Diebold
* ISO 20022

References

{{ISO standards

#08583
Payment interchange standards
Online payments