Appendix A: Message Authentication Code (MAC) Generation and Validation

Field 64 (MAC) is derived by creating a composite (a simple linear concatenation) of the following fields:

  1. Field 2 (PAN)
  2. Field 3 (Processing Code)
  3. Field 4 (Transaction Amount)
  4. Field 11 (System Trace Audit Number (STAN))
  5. Field 14 (Expiry Date)
  6. Field 25 (Reason Code)
  7. Field 32 (Acquirer Institution ID Code)
  8. Field 38 (Approval Code)
  9. Field 39 (Response Code)

The resulting value is then encrypted with a MAC key. If a field is not present in a particular message, it is omitted from the composite.

The encryption method used is a single DES calculation. Using a Thales/Racal HSM, the encryption/MAC generation is performed within the Elavon host system using HSM command "M6" and the decryption/MAC validation is performed using the HSM command "M8".
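The composite and MAC steps above, as an added Go example; it is not Elavon's code and does not reproduce the HSM "M6"/"M8" commands. Assumptions, since this appendix does not state them: fields are concatenated in ASCII, "single DES calculation" is taken as a DES CBC-MAC with a zero IV and zero padding, and the full 8-byte result is used. The function names, key and message values are constructed for illustration.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/subtle"
	"fmt"
	"strings"
)

// macFields is the field order of the composite listed in this appendix.
var macFields = []int{2, 3, 4, 11, 14, 25, 32, 38, 39}

// Composite concatenates the MAC fields of msg in order.
func Composite(msg map[int]string) string {
	var b strings.Builder
	for _, f := range macFields {
		b.WriteString(msg[f]) // an absent field yields "", so it is omitted
	}
	return b.String()
}

// MAC computes a single-DES CBC-MAC over the composite.
// Assumed, not stated on the page: ASCII bytes, zero IV, zero padding, 8-byte output.
func MAC(key []byte, msg map[int]string) ([]byte, error) {
	block, err := des.NewCipher(key) // rejects keys that are not 8 bytes
	if err != nil {
		return nil, err
	}
	data := []byte(Composite(msg))
	if pad := len(data) % des.BlockSize; pad != 0 || len(data) == 0 {
		data = append(data, make([]byte, des.BlockSize-pad)...)
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:], nil // last cipher block is the MAC
}

// Verify recomputes the MAC and compares it to Field 64 in constant time.
func Verify(key []byte, msg map[int]string, field64 []byte) bool {
	want, err := MAC(key, msg)
	return err == nil && subtle.ConstantTimeCompare(want, field64) == 1
}

func main() {
	key := []byte("\x01\x23\x45\x67\x89\xab\xcd\xef") // constructed sample key
	msg := map[int]string{2: "4000000000000002", 3: "000000", 4: "000000001000", 11: "000123", 39: "00"}
	mac, _ := MAC(key, msg)
	fmt.Printf("composite=%s mac=%X valid=%v\n", Composite(msg), mac, Verify(key, msg, mac))
}
```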

Key management will be performed manually. A three-part transport key will be created by Elavon and then sent in the clear (but in an appropriately secure manner) to the third party integrator. Elavon will then send a MAC key (encrypted under the transport key) to the third party integrator.