22 November 2020
Introduction
In this article, we will consider the limits used nowadays in the processing of transactions using contactless cards (Contactless Limits). We will also give brief recommendations from the Payment systems on how to configure them. Note that those are exactly the limits configured on the POS terminals. We will not consider the card application limits in this article.
Contactless Limits, Visa
Reader Contactless Transaction Limit: maximum allowable limit of a transaction through the contactless interface. Its value is usually zero or maximum (for example, 9999999.99), i.e., it is virtually not in use. If it is in use, and the limit is exceeded, POS will either decline the transaction or suggest using another interface.
Reader CVM Required Limit: maximum allowable limit of a transaction, the exceedance of which will lead to verification of the cardholder (i.e., PIN or Signature will be requested).
Reader Contactless Floor Limit: maximum allowable limit of a transaction, the exceedance of which will lead to the transaction sending to the issuer for authorization.
Nowadays, Visa IPS recommends setting Reader CVM Required Limit value to 3,000 rubles at most for the regions of the Russian Federation. In other words, an acquirer can configure its POS terminals in a way that a transaction using a Visa contactless card to an amount less than 3,000 rubles be carried out according to NoCVM, i.e., the cardholder’s PIN and/or Signature will not be requested. Note that in accordance with the requirements of Visa, a 3,000 rubles transaction is to be carried out after the request of PIN and/or Signature, the verification method supported by both the card and the POS.
Reader Contactless Floor Limit is usually left to the acquirer’s discretion. Normally, it is disabled, and all transactions are sent online to the issuer for authorization.
Visa, optional limits — Dynamic Reader Limit (DRL)
In addition to the above-mentioned limits, the optional specification of Visa enables using of so-called Dynamic Reader Limits (DRL). The logic of this mechanism’s operation is the acquirer’s ability to configure different limits for Visa cards, even if they have the same AID. For example, to set one limit for the Visa cards issued in the Russian Federation and another for the foreign Visa cards, etc.
This can be achieved through the use of the 9F5A card tag — Application Program Identifier (APID) which identifies the card’s regional affiliation, currency code, and some other parameters of the card application. Consequently, when a card sends back a certain APID in the 9F5A tag, the core of the terminal will activate a set of limits configured for that exact APID. Provided, certainly, that the functionality is supported by the terminal and properly configured.
Contactless Limits, Mastercard
Reader Contactless Transaction Limit (No On-device CVM): maximum allowable limit of a transaction, if the verification on the mobile device is not supported.
Reader Contactless Transaction Limit (On-device CVM): maximum allowable limit of a transaction, if the verification on the mobile device is supported.
Basically, the functionality of both those limits is similar to the Reader Contactless Transaction Limit of the Visa IPS. The only difference is that Mastercard offers the ability to configure different limits for contactless cards and mobile devices.
Reader CVM Required Limit: maximum allowable limit of a transaction, the exceedance of which will lead to verification of the cardholder (i.e., PIN or Signature will be requested).
Reader Contactless Floor Limit: maximum allowable limit of a transaction, the exceedance of which will lead to the transaction sending to the issuer for authorization.
One of the key values in the Mastercard specification is Reader CVM Required Limit. It is the thing that activates the CVM Capability mechanism that implies the use of two objects in the core of the terminal:
- CVM Capability — CVM Required: the object that describes CVM methods if the amount of transaction exceeds CVM Required Limit. Usually, NoCVM will be excluded from those methods, and only PIN and/or Signature will become available in this case.
- CVM Capability — No CVM Required: the object that describes CVM methods if the amount of transaction does not exceed CVM Required Limit. In this case, all methods except for NoCVM will be excluded.
Suppose the Reader CVM Required Limit is 1,000 rubles. A 1,500 rubles transaction is being carried out, i.e., the limit is exceeded. POS will request PIN and Signature. Another example: a 500 rubles transaction is being carried out. POS carries out NoCVM verification, i.e., PIN or Signature will not be requested.
Mastercard IPS recommends setting Reader CVM Required Limit value to 5,000 rubles at most for the Russian Federation. In this case, a 5,000 rubles transaction is to be carried out using the NoCVM method (i.e., PIN and/or Signature will not be requested), and in the case of a 5,001 rubles transaction, for example, PIN and/or Signature will be requested.
Reader Contactless Floor Limit is left to the acquirer’s discretion. Usually, its value is zero, which means that the offline processing is disabled.
Contactless Limits, American Express
AMEX Contactless Transaction Limit: maximum allowable limit of a transaction through the contactless interface. Usually, the maximum value (for example, 9999999.99) is set, i.e., it is virtually not in use. If it is in use, and the limit is exceeded, POS will either decline the transaction or suggest using another interface.
AMEX CVM Required Limit: maximum allowable limit of a transaction, the exceedance of which will lead to verification of the cardholder (i.e., PIN or Signature will be requested).
AMEX Contactless Floor Limit: maximum allowable limit of a transaction, the exceedance of which will lead to the transaction sending to the issuer for authorization.
American Express, optional limits — Dynamic Reader Limit (DRL)
AmEx specification provides for the use of «Dynamic Limits». The mechanism is implemented as follows: the card contains the 9F70 tag (AmEx Card Interface and Payment Capabilities), where the limit «profiles» (DRL Sets) consisting of the following three components are personalized: AMEX Contactless Transaction Limit + AMEX Contactless Floor Limit + AMEX CVM Required Limit. Should the core support the AmEx DRL mechanism, and should it be configured for this purpose, the terminal will analyze the above-mentioned tag and make decisions regarding the use of one or another DRL Set.
Contactless Limits, Mir National Payment Card System
CL Transaction Limit (Non CD-CVM): maximum allowable limit of a transaction, if the verification on the mobile device is not supported.
CL Transaction Limit (CD-CVM): maximum allowable limit of a transaction, if the verification on the mobile device is supported.
Terminal No CVM Limit: maximum allowable limit of a transaction, the exceedance of which will lead to verification of the cardholder (i.e., PIN or Signature will be requested).
Terminal Floor Limit: maximum allowable limit of a transaction, the exceedance of which will lead to the transaction sending to the issuer for authorization.
As we can see, the mechanism for Mir cards is, in general, the same as the mechanism for Mastercard IPS. This includes CVM Required and No CVM Required objects.
The National Payment Card System recommends the acquirers set the Terminal No CVM Limit value to 3,000 rubles.
Terminal Floor Limit: at the acquirer’s discretion.
Conclusion
Those are the terminal limits and mechanisms of their operation involving contactless cards. Note that the value of the key No CVM Limit parameter is advisory rather than mandatory, and it is ultimately left to the discretion of the acquirer. This is why nowadays some of them continue to use the «seasoned» value of 1,000 rubles.
