Debit Card Agreement Banking Forms

Document Sample
Debit Card Agreement Banking Forms Powered By Docstoc
					      NATIONAL
DEBIT CARD STANDARDS
          for

CANADIAN CREDIT UNIONS




                Credit Union Central of Canada
                Payments Policy Department
                Phone: 416-232-3428
                Facsimile: 416-232-9196
                E-Mail: grahamp@cucentral.com

                Version: #13.4, 05/04/05
                Effective Date: Immediate
      NATIONAL DEBIT CARD STANDARDS FOR CANADIAN CREDIT UNIONS




                                                       Table of Contents

                                                                                                                                         Page

1.0   INTRODUCTION ............................................................................................................ 1
       1.1 Goals .......................................................................................................................... 1
       1.2 Adoption, management and enforcement .................................................................. 1
       1.3 General Compliance Conditions ................................................................................ 2

2.0   CARD DESIGN AND APPROVAL ................................................................................ 3
      2.1 Design ......................................................................................................................... 3

3.0   CARD MANUFACTURE, PROCESSING ORDERING AND DISTRIBUTION ......... 6
      3.1 Card Manufacturing and Card Processing .................................................................. 6
      3.2 Card Ordering ........................................................................................................... 12
      3.3 Card Distribution ...................................................................................................... 13
      3.4 PINning Cards .......................................................................................................... 14
      3.5 Re-encoding Cards ................................................................................................... 17
      3.6 Track Standards ........................................................................................................ 17

4.0   DEFINITIONS AND QUALIFICATIONS ................................................................... 19

5.0   CARD FACE .................................................................................................................. 26

6.0   CARD BACK ................................................................................................................. 31

      APPENDIX I:
      Track II Pictorial
      National Debit Card Check Digit Calculation

      APPENDIX II:
      Functional Guidelines: 1. Issue - Daily Limits

      APPENDIX III:
      National Standard Debit Card/PIN Agreement
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 1

1.0    INTRODUCTION

1.1    Goals

1.1.1. Through adopting credit union debit card standards (the “Standards”), the goals are:
       - to ensure compliance with national and international technical requirements,
       - to ensure a high degree of reliability, assuring cardholder and merchant satisfaction,
       - to establish common graphic elements to ease identification and promotion,
       - to save time and cost in card design, processing and manufacture,
       - to increase security,
       - to reduce the complexity and cost of card inventory management,
       - to permit effective monitoring of card production, and
       - to support good trade mark management and avoid legal complications.

1.2    Adoption, amendment, management and enforcement

1.2.1 In February, 1991, the National Technology Committee (NTC) and the Service & Product
       Development Committee (SPDC) agreed that there must be national standards governing
       credit union debit cards for use in networks accessed through Credit Union Central of
       Canada (“Canadian Central”).

1.2.2 All credit unions that participate in electronic networks accessed through Canadian
      Central are required to be members of Cooperative EFT Development Association
      (CEDA) and to participate in the Credit Union Network (ie., the AccuLink Network).
      Version #1 of the Standards was adopted by CEDA in September, 1991. Subsequently, in
      meetings of the National Technology Advisory Committee (NTAC), then the Retail
      Services Advisory Committee (RSAC), and the Business Development Advisory
      Committee (BDAC), the Standards have been progressively updated to reflect changes in
      technology, operations, market practices, security requirements, and external standards, as
      recommended by credit unions, Centrals and others. Canadian Central manages and
      enforces the Standards on behalf of CEDA.

1.2.3 Canadian Central drafts proposed changes for review by a select group including auditors,
      risk management advisers, service bureaus and card suppliers. When agreement on
      proposed revisions is reached, the CEDA Board is asked to adopt the amendments. The
      Standards are then binding on all CEDA-member credit unions.

1.2.4 Compliance is maintained through monitoring performance in networks, Network
      Security audits, and investigation of reports of non-compliance. Credit unions in a
      condition of non-compliance are advised, in writing, and must either immediately move to
      correct the non-compliance or seek a temporary Exemption while steps are taken to be in
      compliance. The penalty for refusing to accept conditions of compliance may include
      prohibition of use of an entire card production run, withdrawal of Trade Mark Licences,
      and termination of membership in CEDA. The Exemption Procedure permits a credit
      union to apply to Canadian Central for exemption from a given Standard for reason of
      inability to meet the standard for a specified period of time normally not to exceed one
      year, but renewable on thirty-days notice if compliance is soon forthcoming.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 2

1.3    General Compliance Conditions

1.3.1 These Standards meet International Standards Organization (ISO) Standards 7810, 7811,
      7812, 7813, 13569 (7.14.1-7.14.6) and 9564-1, and CPA Standards 020, 021 and 022; and
      also meet related external guidelines and regulations (e.g.- Canadian Code of Practice for
      Consumer Debit Card Services, and Interac Operating Regulations).

1.3.2 These Standards encompass related card-issuance requirements, such as PIN issuance.
      With regard to a Chip Card version, these Standards cover only general references and
      Design Standards.

1.3.3 The MEMBER CARD debit card may be issued only by a credit union that:
      a) is a member of a Provincial Central that is a member of Canadian Central; and,
      b) participates in the Credit Union Network (i.e., the AccuLink Network), as required by
         Co-operative EFT Development Association (CEDA).
      c) participates in the INTERAC shared cash and point-of-sale (“POS”) service; and,
      d) meets all Interac security standards in any proprietary network operated by the credit
         union in which the MEMBER CARD debit card will be used; and,
      e) subscribes to or operates a 24-hour-a-day, seven-days-a-week, telephone-accessible
         Lost/Stolen Card/PIN service that guarantees the cardholder relief from liability at the
         precise time of notification that a card is lost or stolen or the PIN compromised; e.g.-
         the service offered by CU Electronic Transaction Services (CUETS).

       Item e) is required to assure credit union members that their protection from liability at
       their credit union is at least as good as that afforded by any major bank. It also addresses
       the requirements of the Canadian Code of Practice for Consumer Debit Card Services. It
       is acknowledged that existing services may not be able to guarantee the credit union relief
       from liability at the precise time of cardholder notification and, until such time as the
       Lost/Stolen Card/PIN service can block the card at the credit union banking system, the
       credit union must carry a liability until they are able to respond to a message from the
       Lost/Stolen Card/PIN service.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 3

2.0    CARD DESIGN AND APPROVAL

2.1    Design

2.1.1 Designers of credit union debit cards and card production houses will follow these
      standards precisely. Failure to do so can result in an entire card production run being
      prohibited from use in electronic funds transfer (“EFT”) networks. All original generic
      card designs, original personalizations, initial customized designs, and revised re-runs of
      front and/or back of the MEMBER CARD debit card must be approved by Canadian
      Central prior to production. Preliminary approval can usually be obtained by facsimile
      within 24 hours. Final colour approval will be based on comparison of a high-fidelity
      colour proof (e.g.- Chromalin, Iris or Press Match) with a master colour sample held by
      Canadian Central.

2.1.2 The MEMBER CARD, MEMBRE CARTE (for use in French) trade marks and names
      have been adopted for the authorized national card as well as two official national designs
      for the generic card (one for the standard, magnetic stripe version and one for a chip card
      version). Use of the trade marks is by licence only. Graphic and design standards are
      specifically prescribed in the Graphic Standard Guidelines, which constitute part of the
      Standards and are distributed separately at the time of licensing use of the trade marks, as
      well as held by Canadian Central Trade Mark Representatives in each region.

2.1.3 Generic Card:
      a) Definition: A standard, national card design, with permitted “Personalization” (see
         2.1.4 below), for a credit union debit card that delivers full functionality of any
         network in which it is used, e.g.- Withdrawal, Transfer, Balance Enquiry and Deposit
         services, as may be available in shared cash dispensing networks, or retail point-of-
         sale Payment, in networks in which the issuing credit union is enrolled, whether
         proprietary or otherwise.
      b) Mandatory Elements:
         Card Face:
         - size, position and colour of MEMBER CARD logotype and HANDS & GLOBE
            logo;
         - position, size and length of Lines 1, 2, 3, and 4 (see “Schematic”);
         - position and size of a computer chip and an electronic cash trade mark (if any); and,
         - Background Design in specified colours.
         Card Back:
         - Magnetic Stripe width and position;
         - Signature Stripe width and position;
         - Disclaimer Text position and area;
         - Network Logos , including conditions of position, size and area (Note: Certain of
            these may be positioned on the Card Face, subject to approval); and,
         - Authorization Line position and text, in accordance with network rules:
         i) Cards Bearing the PLUS logo:
             ® Licensed User of the Marks. * VISA Int/Licensed User of the Mark. † Authorized User of the Marks.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 4

              Note: With regard to PLUS branded cards, all logos or logotypes on the Card Face
              or Card Back that are owned by Canadian Central retain the “” legend, all other
              marks have the “” removed and instead have an asterisk (*) to the upper-right of
              the logo or, in the case of the PLUS logo, to the lower-left.
           ii)Cards Bearing the CIRRUS logo:
             Credit Union Authorized User of the Marks.
            Note: With regard to CIRRUS branded cards, all marks on the Card Face or Card
            Back retain the “” legend
       c) Discretionary Elements:
          Card Face:
          - See “Personalization” (2.1.4).
          Card Back:
          - 3 Track Magnetic Stripe (which dictates the width of the stripe);
          - colour of the Magnetic Stripe;
          - width of the Signature Stripe (with 10 mm. width being recommended);
          - customization of the Signature Stripe (e.g. – background printing);
          - the exact wording of the Disclaimer Text (the illustrated wording is recommended);
          - the specific logos to define networks in which the card works; and,
          - the inclusion of the actual credit union name in the Authorization Line.

2.1.4 Personalization (for Personalization Area on the Card Face, see "Schematic"):
      a) Definition: The optional addition of visible information to the generic Card Face to
         more prominently identify the credit union issuing the card and/or a network or
         program within which the card functions (e.g.- the card may also be a HERITAGE
         CLUB membership card), subject to written approval by Canadian Central.
      b) Area: Personalization Area is limited to 505 sq. mm. (10.9% of the Card Face) within
         a 960 sq. mm. Personalization Field above the MEMBER CARD logotype.
         Calculation of the area is based on the amount of coverage of the actual
         Personalization Image, including text, any logos, or other graphic elements.
         (Note: Any network logo, other than a proprietary network logo, is restricted to visual
         parity with any other similar network logo, normally a maximum of 100 sq. mm.)
         (Note: Credit Union identification may optionally be in Line 4 below the MEMBER
         CARD logotype, through embossing or surface printing, and this is not considered
         part of the Personalization Area calculation.)
      c) Conditions: Personalization is in the form of a single line or a double line of type
         across the top of the card (not to exceed the point size of the MEMBER CARD
         logotype) and/or a trade mark or logotype of the credit union, a network or other
         program within which the card functions, and may be in any visually-pleasing, durable
         colours. Typesetting will be in a standard face (e.g.- Helvetica Bold, upper and lower
         case), unless an alternative is specifically approved. Reproduction of personalization
         logos will be from official art, reproduction proof sheets or official digitized images
         only. Canadian Central will not be responsible for the validity of any personalized
         marks, or the consequences of their use.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 5




2.1.5 Customization:
      a) Definition: Customization refers to a major design variance to identify a valid card
         customized to reflect the issuer’s image and branding strategy, or which has
         significant functional variation from the generic card, strictly subject to written
         approval by Canadian Central. The customization area may be the entire Card Face,
         with the exception of Mandatory Elements.
         i) Customization Standard I: To reflect the issuer’s image and branding strategy or to
             signify a different service level than that afforded by the generic card, e.g.- the
             addition of Buyer Protection and Extended Warranty coverage or a significant, but
             approved, limitation in service level, such as U.S. $ service.
             Mandatory Elements (also see 5.1 “Schematic”):
             - MEMBER CARD and the HANDS & GLOBE logos in designated size and
                position;
             - position, size and length of Lines 1, 2, 3, and 4; and,
             - position and size of a computer chip and an electronic cash trade mark (if any).
         ii) Customization Standard II: To signify a credit union debit card issued under the
             identity of another party, but with the account and PIN controlled by the credit
             union (e.g.- an affinity card with a university campus).
             Mandatory Elements:
             - Credit Union name in not less than 6 point type and/or Credit Union or related
                Network logo in not less than 100 sq. mm. on the Card Face or, in the instance of
                an acceptable contract for a sweep account, on the Card Back;
             - position, size and length of Lines 1, 2, 3, and 4 (see 5.1 “Schematic”); and,
             - position and size of a computer chip and the electronic cash trade mark
                (if any).

2.1.6 Credit Union Debit Cards other than the MEMBER CARD debit card: Designers
      and production houses should submit the card designs to Canadian Central for approval if
      the design bears marks owned by, or used under the authority of, Canadian Central, such
      as the HANDS & GLOBE design or CU marks, to ensure these marks are used correctly.

2.1.7 Card Carrier forms and PIN Carrier forms: Such forms are also subject to approval
      by Canadian Central not later than the colour proof stage, if the forms bear marks owned
      by Canadian Central or refer to the MEMBER CARD generic card or Customization
      Standard I or II cards.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 6

3.0    CARD MANUFACTURE, PROCESSING, ORDERING AND DISTRIBUTION

3.1    Card Manufacture and Card Processing

3.1.1 The term “Card Manufacture” includes the manufacture of generic or customized plastic
      cards, and is restricted to card suppliers that meet the production and security standards
      of, and are licenced by, either MasterCard International or VISA International. The term
      “Card Processing” includes card surface printing, embossing, encoding, and preparation
      for distribution, whether carried out in a manufacturing plant or on credit union premises.
      Card control is an increasingly critical area. Without a high degree of security and
      control, as specified in the following standards, fraudulent or counterfeit cards could
      come into use, resulting in losses to credit unions and their members.

3.1.2 Production and Processing Standards are based on ISO/TR 13569:1996; 7.14.1-7.14.6;
      and 9564-1, and current magnetic stripe technology to meet high standard of utility and
      fraud prevention. Use of High Coercivity (“Hi-Co”) magnetic stripe is required. The
      intent of ISO Standards has been faithfully retained in this document. The editing changes
      to the ISO Standards for this document includes: amending structure to conform with the
      format of this document; deleting references not relevant to present credit union practices;
      and not including standards related to PIN transmission, standards governing
      configuration or physical security of PIN pads and other devices, PIN block formats, PIN
      verification, journaling of transactions containing PIN data, encipherment algorithms, or
      standards covered elsewhere in this document:

3.1.3 Physical Security: To protect against the destruction, disclosure, or modification of
      transaction card information while in the processing stages, the facility is located in an
      area regularly patrolled by public law enforcement services, served by fire protection
      services, and protected by an intrusion alarm system with auxiliary power. The
      physically-secured environment is equipped with access controls or other mechanisms
      designed to prevent any penetration which would result in the disclosure of all or part of
      any cryptographic key or PIN stored within the environment, and shall remain such until
      all PINs, cryptographic keys and useful residue from PIN and key have been erased from
      the environment.

3.1.4 Production Security: To prevent fraudulent transactions being made through access to
      card information, all media containing valid account numbers, PIN numbers, limits, and
      account balances shall be stored in an area limited to authorized personnel. The
      production and issuing function for cards shall be kept physically separate from the
      production and issuing function for PINs. Card inventory shall be under dual custody.
      Data loading between host and embossing or imprinting equipment should be automated,
      if possible. A new card or re-newed card issued to a Member should be easily identified
      as different from the card previously issued to the Member, e.g.- with a new version
      number.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 7

3.1.5 Management of PINs:
      a) PIN Management - General: For all PIN management functions, the following
         controls shall be applied so that hardware and software used cannot be fraudulently
         modified or accessed without recording, detection, and/or disabling:
         i)      the hardware and software is correctly performing its designed function and
                 only its designed function;
         ii)     the hardware and software cannot be modified or accessed without detection
                 and/or disabling;
         iii)    information cannot be fraudulently accessed or modified without detection and
                 rejection of the attempt, and;
         iv)     the system shall not be capable of being used or misused to determine a PIN,
                 even by exhaustive trial and error.
         All issuance functions involving personnel (i.e. not applicable to self-selected PIN
         functions) shall be under dual control. The PIN shall never be retrieved and
         deciphered or regenerated to be recorded, processed, displayed, or printed except in a
         secure PIN mailer (or its equivalent). At no point in the delivery process shall the PIN
         appear in plain text where it can be associated with a customer’s account.

       b) PIN Storage: After selection, the PIN, if stored, shall be enciphered. When the PIN
          (assigned or Member-selected) is stored on the card, it shall be enciphered (e.g.- PIN
          offset), and shall never be stored as clear text. Any recording media (e.g.- magnetic
          tape, discs) containing data from which a plain text PIN might be determined shall be
          demagnetized, overwritten or physically destroyed immediately after use. Only if all
          storage areas used in the above process can be specifically identified, demagnetized or
          overwritten may a computer system be used for these procedures. (Also see “c”
          below).

       c) PIN Encipherment: For different accounts, encipherment of the same PIN value
          under a given encipherment key shall not predictably produce the same cipher text.
          One of the approved algorithms specified in ISO 9564-2 shall be used. Different
          encipherment keys shall be used to protect the reference PIN and the transaction PIN.
          PIN encipherment keys shall not be used for any other cryptographic purpose. (Also
          see Annex B of ISO 9564-1 for Key Management Principles.)

       d) Security of Enciphered PIN: Security of an enciphered PIN shall not rely on the
          secrecy of the encipherment design or algorithm but on a secret key, as defined in “c”
          above.

       e) PIN Selection, Issuance, Entry: Only the Member and/or personnel authorized by
          the Issuer shall be involved with PIN selection, PIN issuance, or any PIN entry
          process in which the PIN can be related to account identity information. Such
          personnel shall operate only under strictly enforced procedures, including dual control
          (N.B. – not applicable to self-selected PIN functions). PIN selection may be by one or
          more of: assigned derived PIN; assigned random PIN; Member-selected PIN.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 8

       f) Protection Against PIN Substitution: A stored enciphered PIN shall be protected
          from substitution, as specified in “c)” above. PIN encipherment (reversible or
          irreversible) shall incorporate the account number (or other data) such that the
          verification process would detect substitution of one value for another stored value.
          When the PIN (assigned or Member-selected) is stored on the card, it shall be
          enciphered (e.g.- PIN offset), and shall never be stored as clear text.

       g) PIN Deactivation: Actual or suspected compromise of the PIN shall result in the
          ending of the PIN life cycle. An Issuer shall deactivate a PIN if any of the following
          occurs:
          - the PIN is actually, or suspected to be, compromised;
          - all of the Member’s accounts associated with the PIN are closed;
          - the Member requests deactivation of the PIN;
          - the lifetime of the PIN ends.
          In the case of compromise of the PIN, the Member shall be advised of the action
          taken. The Issuer shall establish appropriate measures to ensure that the deactivated
          PIN cannot subsequently be used with its associated account number (e.g.- erasure of
          the deactivated PIN from the Issuer’s records and/or blocking access to the account).

       h) PIN Verification: Responsibility for PIN verification shall rest with the Issuer,
          although the verification function may be delegated to another institution.

       i) PIN Encipherment Keys: Different encipherment keys shall be used for protection of
          PIN storage and transmission, as defined in “b”.

       j) PIN Protection: The Member shall be advised in writing of the importance of the PIN
          and PIN secrecy, in particular the following:
          The Member:
          i)     should never orally communicate the plain text PIN to any person or device.
          ii)    should never enter a PIN by means of a telephone keypad, unless the keypad is
                 in compliance with the requirements for PIN pads.
          iii)   should be advised, when selecting or changing the PIN, that:
                 - the PIN should not have a value that is readily associated with the Member
                      (e.g. surname, telephone number, birth date);
                  - the selected PIN value should not comprise a sequence of the associated
                      account number, strings of the same number, historically-significant dates,
                      an alpha-based string of less than 6 and not more than 12 characters, or a
                      numeric string of less than 4 and not more than 6 characters (many
                      international systems do not accept more than 6 digits and/or do not
                      support alpha PIN entry);
                  - the selected PIN value should not be used in the clear, e.g.- for use with
                      telephone service as a Personal Access Code (PAC), nor as any part of a
                      PAC, nor should a PAC be the same length as the PIN;
                  - unsolicited information should not be included on or with the returned PIN
                      selection form.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 9

                   -   in instances where the Member has asked for a PIN change from a remote
                       location, (other than through a credit union acting as an agent of the Issuer
                       – see 3.4.3.d) the Member should receive, by mail, notification of the
                       change, in the form of a PIN Mailer, when the PIN change is put into
                       effect, with instruction to contact the Issuer immediately if the change had
                       not been requested by the Member.
                   -   the PIN should be entered in a way that cannot be observed by others.
                   -   although the Issuer supports alpha-numeric PIN selection, it may not be
                       possible to use other than a numeric PIN value on systems other than the
                       Issuer’s.
                   -   the PIN should be memorized and not written on the card.
                   -   the Issuer should be notified if a PIN mailer has been previously opened or
                       not received intact.

3.1.6 PIN Security:
      a) PIN Hardware, Software Security: Hardware and software used in PIN
         management functions shall be implemented in such a way that the following are
         assured:
         i)     The hardware and software is correctly performing its designed function and
                only its designed function.
         ii)    The hardware and software cannot be modified or accessed without detection
                and/or disabling.
         iii)   Information cannot be fraudulently accessed or modified without detection
                and/or rejection of the attempt.
         iv)    The system shall not be capable of being used or misused to determine a PIN
                by exhaustive trial and error.
         Printed or microfilm listings of programs or dumps used in the selection, calculation,
         or encipherment of the PIN shall be controlled during use, delivery, storage, and
         disposal.

       b) PIN Storage Security: Any recording media (e.g.- magnetic tape, discs) containing
          data from which a plain text PIN might be determined shall be demagnetized,
          overwritten or physically destroyed immediately after use. Only if all storage areas
          used in the above process can be specifically identified, demagnetized or overwritten
          may a computer system be used for these procedures.

       c) Oral Communication: No procedure shall require or permit oral communications of
          the plain text PIN, either by telephone or in person. Employees shall never be
          permitted to ask a Member to disclose the PIN or to recommend specific values.

       d) Telephone Keypad: Entry of the plain text PIN through a keypad of a telephone shall
          not be permitted, unless the telephone device is designed and constructed to meet
          specified requirements for PIN pads (ISO 9564-1, 5.4) and transmission (ISO 9564-1,
          8.2).
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 10

       e) Encipherment: For different accounts, encipherment of the same PIN value under a
          given encipherment key shall not predictably produce the same cipher text. One of the
          approved algorithms specified in ISO 9564-2 shall be used. Different encipherment
          keys shall be used to protect the reference PIN and the transaction PIN. PIN
          encipherment keys shall not be used for any other cryptographic purpose. (Also see
          Annex B of ISO 9564-1 for Key Management Principles.)

3.1.7 PIN Delivery Options, Selection Options, Change and Replacement Options:
      a) Delivery of an Assigned PIN (PIN Mailer): A PIN assigned by an Issuer shall be
         conveyed to the Member by means of a PIN Mailer. The PIN Mailer shall be printed
         in such a way that the plain text PIN cannot be observed until the envelope is opened.
         The envelope shall display the minimum data necessary to deliver the PIN Mailer to
         the correct Member. A PIN Mailer shall be constructed such that it is highly likely
         that accidental or fraudulent opening will be obvious to the Member. The Issuer shall
         warn the Member not to use the PIN that is contained in an opened or tampered PIN
         Mailer, and to notify the Issuer of such an event. If the PIN Mailer contains “residue
         of the PIN” (e.g.- carbon paper), the Issuer should warn the Member that, after
         memorizing the PIN, the PIN Mailer should be destroyed or kept in a safe place. If
         multiple cards are issued on the same account, each with a different PIN, the outside
         of the PIN Mailer may have to display details of the Member’s identification to
         facilitate correct delivery. The PIN and debit card shall not be mailed in the same
         mailer nor at the same time.

       b) Delivery of a Member Selected PIN or PIN Change at an Issuer’s Location
          (Attended Terminal): PIN selection or change at an Issuer’s location shall be by
          means of a PIN Pad complying with the requirements for a “physically secure device”
          (ISO 9564-1, 6.3.1) or a “PIN entry device” (ISO 9564-1, 6.3.3). Selection and entry
          of the PIN shall not involve the Member disclosing the PIN to any Issuer’s employee
          or a third party. The following procedures shall apply:
          - An authorized employee of the Issuer (or of an agent of the Issuer) shall obtain
             proper identification of the Member.
          - The system shall require identification of the authorized employee.
          - The PIN selection process shall be enabled by an authorized employee and the
             process terminated by completion of a PIN selection.
          - The authorized employee’s identification, together with the date and time, shall
             become part of the Transaction Record.

       c) PIN Change at an Unattended Terminal: The procedure for PIN change at an
          unattended terminal in the Issuer’s system shall require the current PIN to be entered
          and verified before selection and activation of the replacement Member-selected PIN.
          The new PIN shall be entered twice and both entries should be identical.

       d) PIN Selection and Change by Mail: PIN selection or change by mail shall only be
          accomplished by use of a form containing a control number and space for a selected
          PIN. The control number shall not disclose the Member account number. Any
          cryptographic key used to generate a control number shall not be used for any other
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 11

           purpose and shall be managed in accordance with general principles of key
           management (ISO 9564-1, Annex B). The completed form shall not contain any
           information, which relates the PIN to the Member’s name, address, or account
           number. The following procedures apply:
           - The PIN Mailer to the Member shall contain the PIN selection form and
              instructions.
           - The mailing shall be in accordance with the procedures defined in 3.1.7, a), treating
              the control number as the PIN. (Note that the control number may be the reversibly
              enciphered account number. Some Issuers instruct the Member to enter an
              enciphered PIN on the form.)
           - The Member shall be instructed to write the PIN on the form, not to write any other
              information on the form unless specifically requested, not to enclose any other
              correspondence, and to return the form to the stated address. A special pre-
              addressed envelope should be used.
           - The processing of received PIN selection forms shall only be by authorized
              employees of the Issuer.

       e) Replacement of Forgotten PIN: Replacement of a forgotten PIN shall be performed
          through the Issuer’s system; it shall not be performed in an interchange environment.
          All issuance functions involving personnel shall be under dual control. The PIN shall
          never be retrieved and deciphered or regenerated to be recorded, processed, displayed,
          or printed except in a secure PIN mailer (or its equivalent). At no point in the delivery
          process shall the PIN appear in plain text where it can be associated with a customer’s
          account. Where an assigned PIN has been forgotten and the effect is to generate a PIN
          Mailer communicating the same, or a newly-assigned PIN value, the requirements of
          3.1.7, a) apply.

       f) Replacement of a Compromised PIN: When a PIN is believed to be compromised, it
          shall be deactivated as soon as possible (see 3.1.5, i) and the Member informed of a
          replacement value or given the opportunity to select one. A replacement PIN shall not
          be intentionally the same as the original PIN. When an assigned derived PIN is
          believed to have been exposed, at least one data element used in deriving the PIN shall
          be changed and a new PIN derived or issued. This may require that any corresponding
          debit card be re-issued or re-encoded and that the old debit card be blocked from use.

       g) Disposal of Waste Material: Issuers shall ensure that adequate security measures are
          taken over the internal mailing and disposal of redundant PIN Mailers and any waste
          material associated with the initial printing of PIN Mailers, as well as the destruction
          of redundant plastics and materials used in embossing and surface printing. Disposal
          or destruction of all such materials shall be under dual custody. Consideration should
          be given to different return addresses in case of non-delivery for Card and PIN
          Mailers.

3.1.8 Personnel: To prevent assignment of unsuitable personnel to processing duty, conduct
      credit and criminal record checks for all employees handling cards, including part-time
      and temporary employees, where permissible by law.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 12

3.1.9 Audit: To ensure integrity of control and audit information, require that controls and
      audit logs be maintained for imprinting and/or embossing and encoding equipment and
      processing, as well as for semi-finished and finished cards, any other materials necessary
      for card production, sample cards, cardholder account number information, and waste
      disposal equipment. Ensure that card production, processing and reconciliation duties are
      completely segregated, with close supervision and sign-off for all cards at each stage.
      Ensure that an independent, monthly inventory count is performed;

3.1.10 Enforcement: To ensure continued compliance with security standards and maintenance
       of Audit Control Logs, appoint at least one person to serve as primary security control
       officer responsible for performing security functions.

3.1.11 Other: Attention is also called to ISO 9564-1 Annexes:
       - Annex A (Procedure for approval of an enciphered algorithm),
       - Annex B (General principles of key management),
       - Annex C (PIN verification techniques),
       - Annex D (PIN entry device),
       - Annex E (Example of pseudo-random PIN generation),
       - Annex F (Additional guidelines for PIN pad design),
       - Annex G (Guidance on clearing and destruction procedures for sensitive data),
       - Annex H (Information for customers).

3.2    Card Ordering

3.2.1 Cards may be ordered in the following ways, depending on the Card Distribution method:
      a) Fully-finished cards.
         The banking system consolidates orders and creates an electronic file that is provided
         to a Card Manufacturer on a regular basis. The Card Processor or Card Manufacturer
         produces the cards with the correct configuration of network logos, completes
         encoding and embossing or surface printing, and mounts the cards on an approved
         Card Carrier form.
      b) Generic cards for activation at the credit union.
         Low inventory triggers an order to the card supplier for generic cards, either embossed
         or surface-printed and preferably encoded, bearing the next series of card numbers.

3.2.2 The Credit Union has an option of Embossing or Surface Printing for the Discretionary
      elements of the Card Face. Embossing produces a durable image, permits “Tipping”, and
      will increase life of printing on the card due to raising the contact surface. Tipping adds
      visual excitement, makes the images easier to read than in non-tipped embossed cards,
      and is durable, but does wear off and becomes somewhat unsightly with extensive card
      use. Surface printing is commonly used to add the Account Number and, optionally, the
      Expiry Date, Member’s Name and the Credit Union or a Network Name to the Card Face,
      as well as any discretionary information or images to the Generic Card Back. Surface
      Printing may be used instead of embossing, permitting a cleaner, flat card and greater
      scope in design. It results in a reasonably durable image but is not as durable as
      embossing.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 13

3.3    Card Distribution

3.3.1 It is mandatory that the national standard Card/PIN Agreement (Schedule III) or an
      alternate agreement with the same headings and substantially the same text, as approved
      in writing by Canadian Central, be utilized, and that processing of a card be subject to a
      written request by the member for debit card service, such as signing of the Card/PIN
      Agreement. The cards may be delivered to the member by the following methods:

3.3.2 Delivery of a Fully-finished Card to the Member from the Card Manufacturer or
      Processor:
      a) Delivery to the member’s home.
         It is very important to confirm that the correct name and address of the member are
         used. It is recommended that the card be mounted on an approved Card Carrier,
         permitting cross-reference that the correct card is being sent, and sent by first class
         mail or similar delivery method, to assure delivery to the intended cardholder.
         Delivery shall be made in a non-descript envelope, so as not to attract attention in the
         mailing process. Other precautions may be recommended by postal authorities.
      b) Delivery in bulk to the credit union by courier.
         If it is intended that the card will be sent to the member, it is very important to confirm
         that the correct name and address of the member are used. It is recommended that the
         card be mounted on an approved Card Carrier, permitting cross-reference that the
         correct card is being sent, and sent from the credit union by first class mail or similar
         delivery method, to assure delivery to the intended cardholder. Alternatively, cards
         are available for pick up by the member in-branch (see 3.3.3 b).

3.3.3 In-branch Pick-up: Having the member pick up the card in-branch permits absolute
      verification of the member’s identity. Establish a follow-up procedure to contact the
      member if the card is not picked up within a week. Cards may be delivered in-branch in
      three ways:
      a) Day-one Temporary (or “Starter”) Card.
         A pre-encoded generic card, bearing a pre-determined serial card number, either
         embossed or surface printed, to be issued to a member in-branch upon request, by
         electronically linking such a card number with the member’s account number at the
         banking system. Such cards are issued subsequent to preparation of a “Fully-finished
         Permanent Card” and do not display the Member Name, Account Number or the card
         Expiry Date. The encoded Expiry Date may be as much as ten years, but the card is
         programmed at the banking system, upon issuance, for the card to expire within four
         weeks of when the Fully-finished Permanent Card is ordered.
      b) Fully-finished Permanent Card.
         The fully encoded and embossed or surface printed card, preferably mounted on a
         Card Carrier, may be mailed or handed over to the member in-branch. The advantages
         of this card are that it provides the Member with more information on the Card Face,
         including the Member Name, Account Number, and Expiry Date. This option may be
         preferred by credit unions that can’t manage in-branch processing or don’t want the
         risk of card inventory on credit union premises, and prefer these functions to be
         carried out by a reputable manufacturer or processor. The disadvantages include
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 14

          higher card processing costs and a delay in placing the permanent card in the
          Member’s hands.
       c) Day-one Permanent Card.
          A pre-encoded generic card, bearing a pre-determined serial card number, either
          embossed or surface printed, may be issued to a member in-branch immediately upon
          request, by electronically linking such a card number with the member’s account
          number at the banking system. This is exactly the same description as the Day-one
          Temporary Card (3.3.3.a), including the identified disadvantages. However, issuing
          the card by this method permits the member to have a Permanent Card on the first day
          of application, saves the credit union the cost of production and delivery of a Fully-
          finished Permanent Card, and saves the member the inconvenience of cutting up and
          replacing the Temporary Card.

3.4    PINning Cards

3.4.1. PINning the Card: The member must encode a PIN at the credit union branch, unless the
       credit union has pre-PINned the card and sent the PIN separately to the member. It is
       very important to emphasize to the member in every possible way that the PIN is a
       personal, confidential number for the exclusive use of the member, and to outline the
       potential member liability if their PIN and card are used by others (also see 3.1.5,l).

3.4.2. PINning Equipment: The PINning equipment “scrambles” (encrypts) the PIN input by
       the member to ensure neither the credit union nor the data processing supplier can
       decipher it. A variety of equipment is available, with equipment capable of encoding
       High Coercivity (“HiCo”) Magnetic Stripe (2,700-3,200 oersteds) being required,
       effective October 15, 1999, in order to ensure a high standard of reliability and longer life
       for the card (also see 3.1.6, 3.1.7b,c).

3.4.3. PINning Procedures: (Procedures will vary by type of equipment; routine procedures
       follow:)
       a) Initial or Replacement Card: (Staff assisted - ensure expert staff are always
           available - also see 3.1.6c, 3.1.7b, 3.1.8)
           i)     Check Identification: In the instance of a first-time applicant or a member not
                  known at the branch, obtain at least two pieces of identification bearing a
                  signature, one of which should include photo identification and a birth date.
                  Visually assess the age of the applicant, and check against the birth date.
                  Record the identification on the Agreement or PIN Log. If the member is
                  known at the branch, note this.
           ii)    Review the Terms and Conditions of the Agreement: Ensure that the member
                  has read and understands the Terms and Conditions of the Card/PIN
                  Agreement, particularly their responsibility for card and PIN security, and
                  liability for loss.
           iii)   Obtain Member’s Signature: Regardless of whether or not there is already a
                  signed Card/PIN Agreement on file, obtain the member’s signature on the
                  Agreement, to ensure that the member has the most current form of the
                  Agreement. Verify the signature against the signature on the identification.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 15

           iv)    Provide the Member with a Copy of the Agreement: Advise member to keep
                  the Agreement in a safe place, in case there is need to check rights and
                  obligations in future. Also, provide a copy of the “Canadian Code of Practice
                  for Consumer Debit Card Services” if the member wants to know more.
          v)      Provide the Member with Advice on Card Security: Using the , call the
                  member’s attention to the section on “Protect Your Card” and particularly the
                  guidelines on PIN selection; i.e.- avoid numbers that are easily deciphered
                  (e.g.- sequential numbers such as 1234 or 2468) or which are obviously
                  related to them (e.g.- birth date, social insurance, home address, telephone,
                  licence plate). Advise the member to use a different PIN for each PINned
                  card (to avoid all being used fraudulently should the common PIN be devised)
                  and not to carry the PIN on their person unless in a carefully disguised form,
                  as described in the leaflet (also see 3.1.5. l. iii).
          vi)     Verify the PAN: Ensure the Primary Account Number and sequence numbers
                  embossed or printed on the card correspond to those displayed on the PINning
                  equipment.
          vii)    Encode the PIN on the Card: Following the manufacturer’s procedures and the
                  Encoding Standards that follow, encode the initial (or replacement) PIN.
                  Ensure that the PIN is encoded in Track 2, to ensure it is not exposed in some
                  terminals.
          viii) Record the Card PINned: Record each card PINned in the PIN Log.
          ix)     Demonstrate Use of the Card: If this is a first-time cardholder, demonstrate
                  use of the card in ATM or in-branch service devices (there may be
                  demonstration cards and accounts for this purpose). Provide instructional
                  literature and locations of AccuLink ATMs.
       b) Re-PINning an Existing Card: (Member has forgotten the original PIN, the original
          PIN may be known to others, the original PIN was improperly encoded – also see
          3.1.7b - e).
          i)     Check Identification: In the instance of a first-time applicant or a member not
                 known at the branch, obtain at least two pieces of identification bearing a
                 signature, one of which should include photo identification and a birth date.
                 Visually assess the age of the applicant, and check against the birth date.
                 Record the identification on the Agreement or PIN Log. If the member is
                 known at the branch, note this.
          ii)    Check that the Card has been activated on the system
          iii)   Check that the Card has not been reported as “Hot” (Lost/Stolen)
          iv)    Re-PIN the Card: Assuming the card has been activated and is not reported as
                 hot, re-PIN the card, following the steps in 3.4.3.a) above or 3.4.3.d) below.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 16

           c)  Existing Card - Self-Selected PIN: (Member operated.)
                i)     Instructions: Ensure expert staff are available to coach members in use
                       of the PIN equipment and that clear instructions are provided at the
                       equipment.
                ii)    Maintenance: Scrupulously follow manufacturer’s specifications for
                       cleaning and maintenance of the equipment, with special care and
                       attention to the equipment heads, in order to ensure reliable member
                       service.
           d) PINning Cards for Another Credit Union’s Members:
                i)   Data Processor: All such credit unions must use the same data processor,
                     or must have the agreement of all other credit unions in the region to
                     maintain the same PIN encryption key for PIN issuance regardless of the
                     Banking System of the Issuer, e.g.- through universal use of compatible
                     terminals.
                ii) PIN Service Agreement: The credit union must have a mutual PIN Service
                     Agreement with all other such credit union(s) individually or through a
                     blanket agreement at the common data processor, or through phoning the
                     other such credit union for permission.
                iii) Card Source: All such credit unions must obtain their cards from the same
                     supplier.
                iv) Consistent Standards: All such credit unions must adhere to the debit card
                     standards, encoders must be configured to not look at the INN, and
                     common keys must be utilized.
                v) Procedures: Follow the procedures in 3.4.3.a) or b).
                vi) Card/PIN Agreement Distribution: Forward the top copy of the Card/PIN
                     Agreement to the member’s credit union.
           e) Security of PIN Equipment: (Also see 3.1.3 - 3.1.6, 3.1.9, 3.1.10)
               i)    Key Maintenance: Maintain all unassigned keys and/or program cards for
                     PINning equipment in a dual custody vault.
               ii)   Card/Key Register: Maintain a Register for assigning cards/keys to staff
                     members and ensure that staff members sign the Register to acknowledge
                     receipt.
               iii) Possession of Cards/Keys: Ensure staff maintains possession of their
                     assigned Operator and/or Supervisor Cards/Keys at all times. Cards or
                     Keys must not be left in the branch or be surrendered to another staff
                     member. Regular semi-annual review of PIN process and security shall be
                     part of credit union policy.
               iv) Authorized Access: Ensure PIN equipment is maintained in an area that is
                     not accessible to unauthorized personnel.
              v)     Record Maintenance: Maintain a record (e.g.- PIN Log) of all cards
                     PINned, and balance this record to Applications/PIN Assignment
                     Forms/PIN Equipment records at the end of each business day.
              vi)    Equipment Security: Ensure PIN equipment is powered off and locked in
                     the vault over night.
              vii)   Cards/Keys Security: Maintain Operator and/or Supervisor Keys in the
                     vault over night. Maintenance of these keys shall be under dual custody.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 17

3.5    Re-encoding Cards:

3.5.1 Re-encoding of cards is permitted only if the encoders are configured in a manner to
      enable re-formatting of non-compliant Track II data, e.g.- to enable the entry of PIN
      offset, and involves no manual entry of PAN data by the operator. Manual entry is not
      permitted due to the probability of operator error resulting in the card being non-
      functional, e.g.- due to incorrect encoding, or the PAN being encoded in the wrong track.

3.6    Track Standards

3.6.1 The following information provides Canadian Central, its member Centrals and credit
      unions, and affiliated organizations guidelines and standards for data content on Tracks I,
      II and III. Canadian Central and member organizations are bound by the rules and
      regulations pertaining to the use of these tracks, e.g.- ISO standards, and regulations set
      by networks in which the card is expected to function. Information on these standards can
      be obtained from the Standards Department at Canadian Central.

3.6.2 Track I Format: Use of Track I is optional. Information on data content and positioning
      can be obtained from ISO standards 7811 and 7812. A use of Track I may be for the
      Member Name; however, there have been instances of POS Terminals picking up the
      name and printing it on the Transaction Record (especially when configured with an
      Electronic Cash Register, or “ECR”), causing member distress regarding invasion of
      privacy. The requirements of encoding Track I are at the input level:
          a) exact definition of Member First Name/Last Name, and
          b) limit of 26 characters for Member Name.

3.6.3 Track II Format: Use of Track II is mandatory. All encoded information on Track II
      must conform to ISO 7813.
      a) Discretionary Data Fields: Central members using the Discretionary Data fields, as
         defined by ISO, must adhere to the standards as approved by the Business
         Development Advisory Committee:
         - First 5 digits: PIN Offset. Using any one alpha/numeric digit routinely is not
            acceptable for PIN Offset.
         - Branch Information: Up to 3 additional digits.
         - All remaining fields: Are not in use and zero (0) must be used as filler. Placement
            of any code within these fields must receive the approval of the Business
            Development Advisory Committee. This applies to members using 16 to 19 digit
            PAN lengths (field length and use may vary).
      b) Primary Account Number (PAN): Please refer to the following text, and the
         attached pictorial of the Track II layout and the “National Debit Card Check Digit
         Calculation” reference in Appendix I. The PAN may be 16 to 19 digits long. The
         specific components of the PAN and the order in which they appear are mandatory,
         with the exception of noted options or areas of flexibility regarding length of the field:

                 Institution Identification Number (I.I.N.)      6*      6*     6*    6*
                 Branch Identification                           3*      3*     3*    4*
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 18

                  Account Number                                 6*       7*   8*     8*
                  Check digit                                    1       1      1     1
                  TOTAL Digits                                 16       17    18    19
          * There is some flexibility permitted in the length of I.I.N., the Branch Identification
            and the Account Number. The Account Number may be six to eight positions in any
            sequence, one being a Version Number, if applicable.

       c) Card Expiry: Expiry may be from 1 to 10 years from date of issue, or more if the
          card operates on a system that counts electronic transactions generated by the card
          and automatically triggers re-issuance as the card approaches a usage level where
          failure is likely. Normally, a well-used card will begin to fail in three to five years,
          with cards bearing High Coercivity magnetic stripe expected to last longer. A reason
          for retention of an Expiry Date is that some international networks will reject a card
          not bearing an expiry date due to suspicion of forgery.

3.6.4 Track III Format: Use of Track III is optional. Information on data content and
      positioning can be obtained from the CPA Standard 020, with specific references to ISO
      Standard 4909.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 19

4.0.   DEFINITIONS AND QUALIFICATIONS

4.1.1 Affiliated Credit Unions: Credit Unions that choose to be members of a Central that is a
      member of Canadian Central.

4.1.2 Affinity Card: An officially-approved credit union Debit Card issued under the identity of
      another party, e.g.- a university campus card. Also see “Customization”.

4.1.3 Algorithm: A clearly specified mathematical process for computation.

4.1.4 ATM (also known as “ABM”): Automated Teller Machine (also known as “Automated
      Banking Machine”), an unattended electronic terminal used by cardholders to access
      financial services provided by financial institutions that hold their accounts.

4.1.5 Background Design: A specified design, in specified colour, across the surface of the
      Card Face. There may be more than one approved Background Design to differentiate
      functional differences in use of the MEMBER CARD Debit Card (see “Customization”)

4.1.6 Canadian Credit Unions/Caisses Populaires: As used in these standards, all credit unions
      or caisses populaires that are members of a Central or Caisses Populaires Federation that
      is a member of Credit Union Central of Canada (“Canadian Central”). Credit unions
      which adopt these standards are committed to ensuring plastic debit cards under their
      jurisdiction conform to the Standards (unless under an approved exemption), and to the
      correction of any breach.

4.1.7 Canadian Central: The short-form name for the Credit Union Central of Canada, the
      national trade association and banking intermediary for the Affiliated Credit Unions.
      Canadian Central administers product, operational and graphic standards on behalf of
      Affiliated Credit Unions and, with regard to electronic services, as enforced by CEDA.

4.1.8 Canadian Payments Association: Also known as CPA, this is an organization that
      governs how payments are cleared and settled between financial institutions. Canadian
      Central is a Direct Group Clearer in the CPA on behalf of Affiliated Credit Unions.
      These Standards are intended to be in compliance with CPA rules and standards.

4.1.9 Canadian Code of Practice for Consumer Debit Card Services: A voluntary code
      developed through consultation among representatives of consumer organizations,
      financial institutions, retailers, regulators, and federal and provincial governments. These
      Standards are intended to be fully compliant with this code of practice.

4.1.10 Cardholder: The person to whom a valid card is issued.

4.1.11 Card Carrier: A heavy-weight paper surface designed to carry a mounted, plastic card and
       to carry corroborative text to enable quality-control and assure that the correct card has
       been sent to the designated cardholder. The Card Carrier also affords the opportunity to
       market the card and to refresh the terms and conditions of the Card/PIN Agreement.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 20


4.1.12 Card Issuer: The organization that issues a valid card.

4.1.13 Card Manufacture, Card Manufacturer: The creation of the physical plastic, whether
       generic or customized, by a licensed card manufacturing company (Card Manufacturer).

4.1.14 Card/PIN Agreement: A national standard agreement to be used by all credit unions
       issuing valid debit cards, to be reviewed with, and signed by, the Member to effect a
       binding agreement between the Issuer Credit Union and the Member, and to serve as the
       written request for Debit Card Service required in the “Canadian Code of Practice for
       Consumer Debit Card Services”.

4.1.15 Card Processing, Card Processor: The fulfillment and distribution of card orders,
       including surface printing, embossing, encoding, preparation for mailing or for in-branch
       issuance, whether carried out at a Card Processor, at a Card Manufacturer or at a Credit
       Union. The Card Processor is the organization that processes official, valid credit union
       Debit Cards, such as CUETS and certain Service Bureaus, that facilitate Card Ordering,
       Card Processing and Distribution on behalf of client credit unions.

4.1.16 CEDA: Cooperative EFT Development Association, an organization formed to enable
       individual Affiliated Credit Unions to participate in national and international EFT
       networks, through binding them collectively to comply with network and trade mark
       regulations and standards.

4.1.17 Central: See “Provincial Central or Caisses Populaires Federation”.

4.1.18 Chip Card: Also may be known, in an electronic cash application as a “Stored Value
       Card” and, in a multi-application, as “Smart Card”. A plastic card bearing an embedded
       microcomputer chip, permitting the cardholder to carry discreet, variable, personal data
       related to usage of the card, in the card itself. Initially, it is anticipated that such cards
       will bear a magnetic stripe, require use of a PIN, and be, in essence, a debit card with
       added functionality. These Standards cover only the Design standards for Chip Cards.

4.1.19 Combination Card: A plastic card that not only accesses a credit card account, but also
       accesses positive balances. As with the Payment Card, these cards are denied access to
       the INTERAC Direct Payment network.

4.1.20 Cooperative EFT Development Association: See “CEDA”.

4.1.21 CPA: See “Canadian Payments Association”.

4.1.22 Credit Union Central of Canada: See “Canadian Central”.

4.1.23 CU Electronic Transaction Services (CUETS): An organization owned by the Alberta
       and Saskatchewan Centrals and offering a wide range of credit card, Payment Card, Debit
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 21

       Card and related merchant services, including a fully-functional Lost/Stolen Card/PIN
       Service, and Card Processing services.
4.1.24 CU Marks: A family of trade marks owned by Canadian Central featuring the CU image
       to stand for “Credit Union”, used under licence.

4.1.25 CUETS: See “CU Electronic Transaction Services”.

4.1.26 Customization: Refers to a major design variance to identify a valid card which has
       significant functional variation from the Generic Card, strictly subject to written approval
       by Canadian Central.

4.1.27 Customization Area: The entire Card Face, with the exception of Mandatory Elements.

4.1.28 Debit Card: A card with electronically-readable data that is used, in conjunction with a
       PIN, to confirm the identity of a cardholder and authorize electronic funds transfer
       functions, e.g. - by means of ATM or EFT/POS.

4.1.29 Direct Payment: The name used for the INTERAC EFT/POS Network.

4.1.30 Discretionary Data: Under ISO Standards, certain data fields are “discretionary”. The
       National Debit Card Standards for Canadian Credit Unions prescribes mandatory
       standards for these fields in order to extend national common standards.

4.1.31 EFT/POS: Electronic Funds Transfer at Point Of Sale (or Point Of Service), describing
       the transfer of funds using electronically-transmitted instructions, e.g.- payment for goods
       and services at a Point Of Sale Terminal in a retail store or service outlet; deposits,
       withdrawals and transfers of funds between a cardholder’s accounts at a publicly-
       accessible Point Of Service Terminal (e.g.- an ATM); and/or payments and transfers of
       funds made at a personal Point Of Service Terminal in the home.

4.1.32 Electronic Cash (or “E-Cash”): The generic name for cash value, also known as “Stored
       Value” electronically stored in the microprocessor chip of a Chip Card.

4.1.33 Embossing: Use of a machine to press (“emboss”) letters or numbers above the surface of
       the plastic card. Embossing has been commonly used as the most expedient means of
       adding the Account Number, Expiry Date, Cardholder’s Name and, optionally, the Credit
       Union or a Network Name to the Card Face.

4.1.34 Encoding: The application of electronically-readable data to the Magnetic Stripe.

4.1.35 Expiry Date: The date the card will expire, at the option of the credit union, within a
       period of 1 - 10 years unless card usage monitoring is used, to automatically re-issue the
       card as it approaches wear-out. Some international networks will not accept a card unless
       is has an encoded expiry date.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 22

4.1.36 Encipher, Encipherment: The rendering of text unintelligible by means of an encoding
       mechanism.

4.1.37 Fully-finished Card: A card completely finished by the Card Production House for
       delivery either directly to the Member or to the Credit Union for distribution to the
       Member.

4.1.38 Generic Card: The basic MEMBER CARD Debit Card, with national Standard elements
       and background design, affording the best opportunity for lower cost through greater
       volume production (but permitting Personalization for Credit Union or Network identity,
       and Customization to designate a different service level or significant functional
       variance).

4.1.39 Graphic Standards Guidelines: The graphic standards in these Standards are only those
       that are required for operational purposes, either as dictated by other national or
       international standards or standards the credit union system voluntarily adopts to ensure
       national recognition (e.g. - use of the HANDS & GLOBE trademark). For other card
       design standards, refer to the Graphic Standards Guidelines, distributed separately at the
       time of licensing use the trade marks.

4.1.40 HANDS & GLOBE Logo: The symbol of the international family of credit unions,
       owned by the World Council Of Credit Unions, use of which is licensed in Canada by
       Canadian Central.

4.1.41 Interac Association: An association that develops and operates shared financial service
       network services on behalf of its members. Canadian Central is a Charter Member of the
       association on behalf of Affiliated Credit Unions that process transactions through the
       National Node. These Standards are intended to be fully compliant with Interac By-laws
       and Operating Regulations.

4.1.42 INTERAC: Trade mark of Interac Inc., licensed to Canadian Central for use by Affiliated
       Credit Unions under terms of membership in CEDA.

4.1.43 International Standards Organization: Also known as ISO, an organization dedicated to
       uniform international EFT standards. These Standards include applicable ISO standards.

4.1.44 Initial Card: The first debit card produced for a given member.

4.1.45 ISO: See “International Standards Organization”.

4.1.46 Issuer: An organization that issues a PIN or a Debit Card.

4.1.47 Lost/Stolen Card/PIN Service: As required in these Standards, a 24-hour-a-day, seven-
       days-a-week, telephone accessible service to enable cardholders to cancel their debit card
       and be guaranteed relief from liability at the precise time of notification.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 23

4.1.48 Magnetic Stripe: The encodable stripe on the Card Back intended to carry electronically-
       readable data which, when used with a PIN, confirms the identity of the cardholder and
       facilitates routing of debit card transactions. Use of at least a two-track stripe is required
       and use of a three track stripe is optional. Track I is exclusively designated for
       Cardholder Name. Use of High-Coercivity tape is required.

4.1.49 Mandatory Elements: Design elements that must be evident on the Card Face or Card
       Back, regardless of card type.

4.1.50 MEMBER CARD (or MEMBRE CARTE in French) Debit Card: The mandated debit
       card for use by all Affiliated Credit Unions for EFT services accessed through Canadian
       Central.

4.1.51 National Node: The National Electronic Switch owned and operated by CGI, to switch
       affiliated credit union electronic transactions within the ACCULINK Network and with
       international networks.

4.1.52 NTC, NTAC: The National Technology Committee, later known as the National
       Technology Advisory Committee, and replaced by the Business Development Advisory
       Committee.

4.1.53 PAC (Personal Access Code): The secret code used by a Member in systems that may not
       be protected by encryption, such as telephone access systems.

4.1.54 PAN: Primary Account Number (Line 1 on the Card Face Schematic), which includes the
       Banking Industry Number (BIN) comprising the Institution Identification Number (IIN)
       and the Branch Identification, as well as the personal Account Number of the Member
       and a Check Digit. This number may be 16 to 19 digits long, as determined by the Issuer
       Credit Union.

4.1.55 Payment Card: The generic name adopted by the credit union system to designate a
       MasterCard card that accesses positive balances, either through EFT channels (e.g.- ATM
       or in-branch POS Terminals) or payment for goods or services (initiated in much the
       same manner as a credit card purchase but routed to a positive balance account).
       Although the Payment Card is capable of functioning in EFT/POS, Interac Association
       prohibits use in their EFT/POS network of any card bearing a credit card logo.

4.1.56 Permanent Card: A valid debit card, often replacing a Temporary Card, issued for use by
       the cardholder either until re-issued, expired or terminated.

4.1.57 Personalization: The optional addition of visible information to the generic Card Face to
       more prominently identify the credit union issuing the card and/or a network or program
       within which the card functions (e.g.- the card may also be a HERITAGE CLUB
       membership card), subject to written approval by Canadian Central.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 24

4.1.58 Personalization Area: The Personalization Area is not to exceed 505 sq. mm. within the
       960 sq. mm. Personalization Field above the MEMBER CARD logotype.

4.1.59 Personalization Field: An area of 960 sq. mm., located above the MEMBER CARD
       logotype (see “Schematic”), within which the Personalization Area of 505 sq. mm.
       appears.
4.1.60 Personalization Logos: The logos of the credit union, network or program to be surface
       printed on the Card Face or Card Back, as supplied in Official Art, Reproduction Proof or
       Digitized format by the Issuer Credit Union.

4.1.61 PIN: Personal Identification Number, an alpha-numeric secret code intended for the sole
       use of a cardholder, in conjunction with a debit card to confirm the identity of the
       cardholder and to authorize debit card transactions.

4.1.62 PIN Envelope/Mailer: A printed form, with provision for the confidential printing on the
       interior surfaces of the Member’s PIN, which is distributed to the Member personally in-
       branch or sent to the Member by first class mail or similar distribution method, to ensure
       delivery to the intended cardholder.

4.1.63 Plain Text PIN: PIN data in its original unenciphered form.

4.1.64 Point Of Sale (or Point Of Service) Terminal: An electronic terminal incorporating a card
       reader and a PIN pad (a keyboard), used to make Debit Card transactions.

4.1.65 Provincial Central or Caisses Populaires Federation: The trade association and financial
       intermediary for Affiliated Credit Unions or Caisses Populaires within a province.

4.1.66 Renewal (or Reissue) Card: Designates a card to replace one that is defective or expiring,
       which may have the same PIN as the prior card. (Note that, in the Card Manufacturing
       industry, a card to replace a defective card is often described as a “Replacement Card”).

4.1.67 Replacement Card: Designates a card to replace one that has been cancelled due to being
       lost or stolen, normally requiring a new PIN. (Note that, in the Card Manufacturing
       industry, this term is also often used to describe the card that replaces a defective card.)

4.1.68 RSAC: A committee of Canadian Central replaced by the Business Development
       Advisory Committee, formerly the Service and Product Development Committee
       (“SPDC”).

4.1.69 Serial Card Numbering: The Banking System process of maintaining Card Number
       sequences, by Issuer Credit Union, to permit the credit union to maintain an inventory,
       and periodically re-order a stock of uniquely-numbered cards for in-branch issuance.

4.1.70 Shared Cash Dispensing (SCD): The generic name for the INTERAC shared cash-
       dispensing service.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 25

4.1.71 Smart Card: See “Chip Card”.

4.1.72 SPDC: The Service and Product Development Committee, later known as the Retail
       Services Advisory Committee, which has since been replaced by the Business
       Development Advisory Committee.

4.1.73 Standards: Here refers to the “Debit Card Standards for Canadian Credit Unions”.
4.1.74 Surface Printing: Addition of images by printing them on the surface of the Generic Card
       Face or the Generic Card Back.

4.1.75 Temporary (or “Starter”) Card: A pre-encoded generic card, bearing a pre-determined
       serial card number, either embossed or surface printed, to be issued to a member in-
       branch upon request, by electronically linking such a card number with the member’s
       account number at the banking system. Such cards are issued subsequent to preparation
       of a “Fully-finished Permanent Card” and do not display the Member Name, Account
       Number or the card Expiry Date. The encoded Expiry Date may be as much as ten years,
       but the card is programmed at the banking system, upon issuance, for the card to expire
       within four weeks of when the Fully-finished Permanent Card is ordered.

4.1.76 Tipping: The addition of a coloured foil to the raised (“embossed”) numbers and letters on
       the Card Face.

4.1.77 Valid Card: An officially-authorized credit union Debit Card that meets all Standards.

4.1.78 Version Number: The “Version Number” indicates the number of times a card has been
       issued to an individual Member, and is optional.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 26

5.0.    CARD FACE
5.1.    Schematic (Incorporating mandatory card dimensions)




 Fully Finished
Permanent Card




   Day One
Permanent Card
or Starter Card




 Chip/Portrait
    Card
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 27




5.2.                                                              Embossing:        Typesetting:
Line   Description                               Maximum         ISO1073-1,OCRB Gothic,Bold Condensed

1:     Primary Account Number (Mandatory)   19 digits          Size I                   16pt.
2:     Valid/Expiry Date (MM/YY) (Optional) 27 characters1.2 Size IV                    12pt.
3:     Member Name (Optional)               26 characters1. 3. Size IV                  12pt.
4:     Card Issuer Name (Optional Location) 27 characters1. 4. Size IV                  12pt.

5.3.   Dimensions and Specifications                                               (Millimetres)
A.     Width of card                                                      85,48      ()     ,125
B.     Height of card                                                     53,97      ()       ,05
C.     Thickness of card                                                  00,76      ()       ,08
D.     Radius of corners                                                  03,18
E.     Centreline of Primary Account Number line to bottom of card        21,42      ()         ,12
F.     Centreline of first character position to edge of card             10,18      ()         ,25
G.     Maximum length of Line 1                                           68,00
       Maximum cumulative tolerance between centrelines of
       first and last digits of the Primary Account Number                           ()         ,08

5.3.   Dimensions and Specifications (cont'd)
                                                                                     (Millimetres)

H. Maximum relief height of imprinting surface above card surface              00,46       ()    ,05
I. Centreline of first digit of lines 2, 3, and 4 to left edge of card5.       07,65       ()    ,25
                                                                            5.
   Centreline of first digit of embossed Valid Date to left edge of card       23,00       ()    ,25
   Centreline of first digit of embossed Expiry Date to left edge of card5.    38,00       ()    ,25
                                                          2.
   Centreline of “VALID” word to left edge of card                             28,00       ()    ,25
   Centreline of "TO END OF" phrase to left edge of card                        43,50      ()    ,25
                                                                               5., 6.
   Centreline of “CARD NO.” or “MEMBER NO.” phrase to left edge of card
                                            19 digit format                     61,00      ()    ,25
                                            18 digit format                     58,33      ()    ,25
                                            17 digit format                     55,67      ()    ,25
                                            16 digit format                     53,00      ()    ,25
                                                                         6.
   Centreline of “Account Number Delineator” to left edge of card :
                                            19 digit format                     61,00      ()    ,25
                                            18 digit format                     58,33      ()    ,25
                                            17 digit format                     55,67      ()    ,25
                                            16 digit format                     53,00      ()    ,25
   Width of “Account Number Delineator”6.:
                                            19 digit format                    25,00
                                            18 digit format                    24,50
                                            17 digit format                    23,00
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 28

                                      16 digit format                          21,50
     Baseline of “Account Number Delineator” to bottom of card6.               18,00 (),25

     Baseline of “VALID”2., “TO END OF”, “CARD NO.” /”MEMBER NO.”6. 16,50                  () ,25
           legends to base of card (words are set in 4½ point Helvetica typeface)
     Baseline of “MM” and “YY” Codes to bottom of card5.                          15,00   ()   ,25
                                                            2.
     Centreline of VALID “MM” Code to left edge of card                           24,00   ()   ,25
     Centreline of VALID “YY” Code to left edge of card2.                         31,50   ()   ,25
     Centreline of TO END OF “MM” Code to left edge of card                       40,50   ()   ,25
     Centreline of TO END OF “YY” Code to left edge of card                       47,50   ()   ,25
J.   Preferred maximum length of lines 2 and 3                                    62,00
     Absolute maximum length of lines 2 and 4                                     68,58
     Absolute maximum length of line 3                                            66,00
                                7.
K.   Minimum bottom margin                                                        02,86   ()   ,44
L.   Centreline of line 2 to bottom of card7.                                     12,55   ()   ,44
                                            7.
M.   Centreline of line 3 to bottom of card                                       08,45   ()   ,44
N.   Centreline of line 4 to bottom of card7.                                     04,35   ()   ,44
O.   Height of HANDS & GLOBE trademark8.                                          10,00
P.   Top of HANDS & GLOBE trademark to bottom of card                             15,50   () ,25
Q.   Right hand edge of HANDS & GLOBE trademark to                                05,50   () ,25
          right hand edge of card
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 29

Note 1: Effort should be made to stay within 23 characters, to avoid over-imprinting or over-
        embossing the HANDS & GLOBE trademark, even though 26 characters are permitted
        in Line 3, and 27 characters are permitted in Line 2. These lines may only be used for
        the specified purposes.

Note 2: Printed word “VALID”, related Date Codes “MM” and “YY”, and embossed or
        imprinted date (MM/YY) are optional, but if used, must be in the designated position.
        Printed words "TO END OF", related Date Codes “MM” and “YY”, and embossed or
        imprinted date (MM/YY) are optional, but if used, must be in the designated shown.
        All printed words and Date Codes, including “CARD NO.” or “MEMBER NO.” are
        set in 4.5 point Helvetica typeface. Maximum valid period is 10 years, unless the
        credit union can provide written verification from its transaction processor that there is
        a system in place to monitor use and automatically trigger re-issuance when the card
        nears wear out.

Note 3: MEMBER NAME is mandatory on the Fully-finished Permanent Card, but optional on
        other card types. If MEMBER NAME is used, it is highly desirable to use Given
        Name/Surname format.
        Arguments in favour of showing the MEMBER NAME:
        1. Establishes a more personal feeling of ownership of the card.
        2. Enables the Member to identify their card, even if mixed with others.
        3. Facilitates return of the card, if lost.
        Reasons to issue the card without the MEMBER NAME:
        1. Permits retention of card stock in-branch for issuance to the Member at application.
        2. Provides less information for fraudulent use.
        3. Convenience to Member of issuance in-branch at the time of application.
        4. Member is able to commence use immediately.
        5. Reduces card fraud through eliminating theft in the mail.
        6. Saves effort and cost of two-card issuance (Starter Card followed by Permanent
            Card).
        If a Starter Card is used, the MEMBER NAME and VALID/EXPIRY dates are not
        required, but it must in every other way comply with all other National Debit Card
        Standards, and is intended to expire within four weeks of ordering a permanent card
        which includes the MEMBER NAME and VALID/EXPIRY dates.

Note 4: In Line 4, it is highly desirable that the words "CREDIT UNION" be imprinted or
        embossed at the end of the Credit Union name, but, given only 27 spaces, this is only
        possible when the name of the credit union is within 14 characters. It is mandatory that
        the Credit Union Name appear on the face of the card, either in Line 4 or in the
        Personalization Area. If Personalization is used, Line 4 may be used for another
        message, subject to approval.

Note 5: There is no present intent to use LINE 2 for other than the Valid and Expiry Dates;
        and, possibly, a "MEMBER SINCE" designation. However, the full specifications for
        LINE 2 are shown. Use of a Valid Date and Expiry Date is optional.
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 30

Note 6: Printing of “CARD NO.” or “MEMBER NO.” and the Account Number Delineator are
        optional. Only the 19 digit format is illustrated (see 5.1). The PAN must be imprinted
        or embossed exactly as encoded.

Note 7: I.S.O. Standard 7811:
            Bottom of card to top of LINE 2 - 14.53mm (min.), 17.83mm (max.) (use of area
            above 14.53mm not recommended). Bottom of card to base of LINE 4 - 2.41mm
            (min.), 3.30mm (max.).
        This standard is too flexible for our purposes, so a more precise standard is indicated.

Note 8: HANDS & GLOBE trademark must be reproduced:
         including the “” legend at the lower right corner of the design mark,
         including the words "Credit Union" in the exact position and typestyle as in the
           officially licensed version,
         from the official artwork, reproduction sheets, or official digitized version only (see
           Graphics Standards Guidelines available from Canadian Central).
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 31

6.0.   CARD BACK

6.1.   Schematic (Incorporating mandatory card standards)
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 32

6.2.    Dimensions and Specifications
                                                                                        (Millimetres)

A.     Width of card                                                                 85,48    ()   ,125
B.     Height of card                                                                53,97    ()     ,05
R.     Top of Magnetic Stripe to top edge of card                                    05,54   max
                                                       9.
S.     Depth of Magnetic Stripe:       Track II format                               06,35   min
                                       Track III format9.                            10,28   min
T.     Depth of Signature Stripe:      Track II format10.                            10,00   max
                                                        10.
                                       Track III format                              08,00   max
U.     Base of Signature Stripe to bottom of card10.                                 25,00    ()    ,25
W.     Top of “SIGNATURE” heading to bottom of card                                  23,50    ()    ,25
X.     Vertical area for Disclaimer Text11., including “SIGNATURE” heading. 07,00
       Preferably set in 6 point Helvetica for the heading and 5 point for the text.
       Text illustrated is standard for credit union debit cards, but not mandatory.
Y.     Vertical area for Network Logos12.                                            14,00   min
Z.     Base of Authorization Line to bottom of card13.                               01,50    () ,25
AA.    Margin between ends of Signature Stripe and edge of card                      07,11    () ,25
BB.    Width of Signature Stripe                                                     71,50
CC.    Base of Manufacturer Code Line to top of card                                 03,00    () ,25
DD.    Margin between text in Manufacturer Code Line and
       either edge of the card                                                       04,50    () ,25
National Debit Card Standards
for Canadian Credit Unions
Version #13.4 – Page 33

Note 9:     The vertical distance between the base of the Magnetic Stripe and the top of the
            Signature Stripe is minimum 3mm.

Note 10:    Height of the Signature Stripe is optional, but 10mm is recommended, to better
            accommodate variations in signatures. Use of “SIGNATURE” or “AUTHORIZED
            SIGNATURE” is optional.

Note 11:    Vertical area for the Disclaimer Text is optional, but it is recommended that the full
            7mm be utilized, in order to set text as large as possible. Also note that, if embossing
            is used, this text occurs in the Line 1 embossing area which will interfere with
            readability. Finally, note that recommended text is illustrated, but some variation is
            possible, including substitution of the actual credit union name for “issuing Credit
            Union”.

Note 12:    Vertical area for Network Logos is optional, but the dimension shown is strongly
            recommended, if embossing is used, in that it places the marks in the more lightly
            embossed area for embossed Lines 2, 3, and 4. Only official artwork, reproduction
            sheets, or digitized images will be utilized for Network Logos and all applicable
            graphic standards must be complied with. Each such logo will be separated by a
            minimum of 1.5mm from any other logo, text, or edge of the card. All applicable
            network logos must be illustrated, space permitting.

Note 13:    Text for the Authorization Line is mandatory, but varies, depending on network
            affiliation:

            1.    INTERAC and PLUS networks affiliation (as illustrated in 6.1):

                  ® Licensed User of the Marks. * VISA Int/ Licensed User of the Mark. † Authorized User of the Marks.

                  Marks on the card that are registered and Canadian Central owns, must bear
                  the “ ® ” legend. Marks on the card that are owned by VISA International
                  must bear the “ * ” legend. Marks on the card that are owned by others must
                  not bear the “ ® ” or the “ * ” legend, but must bear a sword symbol (“†”).

            2.    INTERAC and CIRRUS networks affiliation (as illustrated in 6.1):

                   Credit Union Authorized User of the Marks

                  All marks on the card must be registered and must bear the “  “ legend.

            The actual credit union name may be used in the Authorization Line, in place of
            “Credit Union” in Options 1. or 2. above, in the instance of personalized card stock.
                                                                       F:\SHARED\EBK\DEV\STANDARD\/NTJE0122.DOC
                                                                             APPENDIX I
                                                                          TRACK II PICTORIAL
               ISO 7813                                       ISO 7813                                          ISO 7813                                          ISO 7813
            16 DIGIT PAN                                   17 DIGIT PAN                                      18 DIGIT PAN                                      19 DIGIT PAN
1         START SENTINEL         X      1         1      START SENTINEL         X       1           1       START SENTINEL         X      1          1       START SENTINEL       X   1
                                 X      2                                       X       2                                          X      2                                       X   2
                                 X      3                                       X       3                                          X      3                                       X   3
16              PAN              X      4         17            PAN             X       4          18             PAN              X      4          19            PAN            X   4
                                 X      5                                       X       5                                          X      5                                       X   5
                                 X      6                                       X       6                                          X      6                                       X   6
                                 X      7                                       X       7                                          X      7                                       X   7
                                 X      8                                       X       8                                          X      8                                       X   8
                                 X      9                                       X       9                                          X      9                                       X   9
                                 X     10                                       X       10                                         X      10                                      X   10
                                 X     11                                       X       11                                         X      11                                      X   11
                                 X     12                                       X       12                                         X      12                                      X   12
                                 X     13                                       X       13                                         X      13                                      X   13
                                 X     14                                       X       14                                         X      14                                      X   14
                                 X     15                                       X       15                                         X      15                                      X   15
                                 X     16                                       X       16                                         X      16                                      X   16
             CHECK DIGIT         X     17                                       X       17                                         X      17                                      X   17
1         FIELD SEPARATOR        X     18                   CHECK DIGIT         X       18                                         X      18                                      X   18
                                 Y     19         1      FIELD SEPARATOR        X       19                    CHECK DIGIT          X      19                                      X   19
4              EXPIRY            Y     20                                       Y       20          1      FIELD SEPARATOR         X      20                   CHECK DIGIT        X   20
                DATE             M     21         4           EXPIRY            Y       21                                         Y      21         1      FIELD SEPARATOR       X   21
                                 M     22                      DATE             M       22          4            EXPIRY            Y      22                                      Y   22
           INTERCHANGE           1     23                                       M       23                        DATE             M      23         4            EXPIRY          Y   23
3             SERVICE            2     24                 INTERCHANGE           1       24                                         M      24                       DATE           M   24
                CODE             0     25         3          SERVICE            2       25                   INTERCHANGE           1      25                                      M   25
          Discretionary Data     X     26                      CODE             0       26          3           SERVICE            2      26                  INTERCHANGE         1   26
5          Positions 26 - 40     X     27                Discretionary Data     X       27                        CODE             0      27         3           SERVICE          2   27
                                 X     28         5       Positions 27 - 40     X       28                  Discretionary Data     X      28                       CODE           0   28
                 PIN             X     29                                       X       29          5        Positions 28 - 40     X      29                 Discretionary Data   X   29
               OFFSET            X     30                        PIN            X       30                                         X      30         5        Positions 29 - 40   X   30
1            FILLER ***          X     31                     OFFSET            X       31                         PIN             X      31                                      X   31
3             BRANCH             X     32                     BRANCH            X       32                       OFFSET            X      32                        PIN           X   32
           INFORMATION           X     33         3        INFORMATION          X       33                      BRANCH             X      33                      OFFSET          X   33
                  **             X     34                         **            X       34          3        INFORMATION           X      34                     BRANCH           X   24
2              FILLER            X     35         2            FILLER           X       35                          **             X      35         3        INFORMATION         X   35
                                 X     36                                       X       36          1            FILLER            X      36                         **           X   36
2           LANGUAGE             X     37         2        LANGUAGE             X       37          2          LANGUAGE            X      37         2          LANGUAGE          X   37
               CODE              X     38                     CODE              X       38                        CODE             X      38                       CODE           X   38
1          END SENTINEL          X     39         1       END SENTINEL          X       39          1        END SENTINEL          X      39         1        END SENTINEL        X   39
1               LRC              X     40         1            LRC              X       40          1              LRC             X      40         1              LRC           X   40
     :
     [Regarding the use of Discretionary Data Fields, Issuers using these fields must adhere to the standards as approved by the Business Development Advisory
     Committee whereby the first 5 digits of the discretionary data are used for PIN Offset, and up to 3 additional digits are used for branch information. All remaining
     fields are not in use and 0 (zero) must be used as filler. Placement of any code within these filled fields (0) must receive approval of the Business Development
     Advisory Committee.

     **        Note: Name Code and Card Type can be designated as Branch Information

     **        Note: 16 Digit PAN length Branch Information field may be expanded to include position 31 for card type information. Total field length 4 digits. If not in
               use 0 (zero) must be used as a filler.

     F:\SHARED\EBK\DEV\STANDARD\NTJE0122.DOC
               NATIONAL DEBIT CARD CHECK DIGIT CALCULATION
                                                 APPENDIX I
Check Digit
The individual account identification is followed by a check digit character, which is calculated
on all the preceeding digits of the identification number, including the Major Industry Identifier
number (MII). The Check Digit is computed according to the Luhn formula for modulus 10
check-digit.


    Issuer identification number               Individual account identification               Check digit


         MII         Issuer Identifier
                                              Identification Number


         Luhn formula for computing modulus 10 “double-add-double” check-digit
(Figure - Composition of the identification number on identification cards)

The following steps are involved in this calculation:

Step 1:Double the value of alternate digits beginning with the first right-hand digit (low order).

Step 2:Add the individual digits comprising the products obtained in step 1 to each of the
       unaffected digits in the original number.

Step 3:Subtract the total obtained in step 2 from the next higher number ending in 0 this is the
       equivalent of calculating the “tens complement” of the low order digit (unit digit) of the
       total. If the total obtained in step 2 is a number ending in zero (30, 40, etc.), the check
       digit is 0.

Example:

Account number without check-digit 4992 73 9871
                                                                                         Steps
4    9     9     2    7    3    9     8   7     1
    x2          x2        x2         x2        x2                                          1
    18           4         6         16         2

4 + 1 + 8 + 9 + 4 + 7 + 6 + 9 + 1 + 6 + 7 + 2 = 64                                         2

70 - 64 = 6                                                                                3

Account number with check digit 4992 73 9871 6
                                                                            F:\SHARED\EBK\DEV\STANDARD\NTJE0122.DOC
                         NATIONAL DEBIT CARD STANDARDS

                                        APPENDIX II

Functional Guidelines

1.    Issue - Daily Limits:

      Technology permits real time access by the cardholder to the available funds in their
      account. Most financial institutions maintain a daily limit on access to these funds
      through EFT/POS (e.g. - Direct Payment) as a control on Lost/Stolen Card/PIN
      transactions.

      Large volume card users favour having their entire available balance as the limit to permit
       large dollar purchases. Other cardholders worry about overspending, favouring a daily
      limit of about $50, but want to be able to check their balance at any time (e.g. - at the PIN
      pad).

      Merchants favour available balance as the daily limit, since it permits larger dollar value
      transactions, and reduces declines.

      When the network is down between the retailer and the National Node, there may be
      continuing need for Back-Up Vouchers. Also, when the credit union banking system is
      unavailable, there may be continuing need for a “Stand-In Limit”.

      Commentary:

      Considering that the Card/PIN Agreement makes the cardholder primarily responsible for
      card use, there is a strong argument for available balance as the daily limit, along with
      strong cardholder education on good account balance management.

      With regard to the use of Back-Up Vouchers, all participating Interac Members have to
      agree on a Voucher limit. Some financial institutions have a combined limit for ATM and
      POS, while others have separate limits; ranging from $500 to $10,000 in real time, and
      $100 to $5,000 for Back-Up, depending on the evaluation of the cardholder (most have
      $1,000 as the normal daily limit).

      Merchants play a role in setting the limit, as they are usually liable for returned vouchers,
      although some financial institutions provide indemnity. It may be that the Back-Up
      Voucher will be discontinued, now that experience indicates that it is so seldom necessary
      and alternate payment methods are usually available.

      Recommendation:

      Participating credit unions are encouraged to establish a minimum stand-in value of
      $1,000, and the available balance as the maximum real-time limit.
                                                            F:\SHARED\EBK\DEV\STANDARD\National Debit Card Standards – V4
                 NATIONAL DEBIT CARD PIN AGREEMENT

                                 APPENDIX III


   You can obtain a copy of this from Credit Union Central of Canada’s Website

  www.cucentral.com – Login User Name – “CUCCPRIV” Password “CUCCWEB”

or by contacting Peter Graham at (416) 232-3428 or email “grahamp@cucentral.com”

				
DOCUMENT INFO
Description: Debit Card Agreement Banking Forms document sample