Know your customer: Capturing cardholder data for Value-Added Services

Payment terminals are expensive but necessary assets, so merchants need to be making the most use of them. This product snippet looks at how G8 can be used to capture cardholder data. As well as accepting card payments, terminals can be used to enable other value-added services, such as loyalty acceptance or conducting customer surveys. Thinking about a terminal in its constituent parts–display, keypad, card reader, printer–rather than as a whole can help spark ideas for alternative applications of this prevalent technology.


Identifying the customer

Often a value-added service will require some form of customer identification, which could be sourced from a card the customer carries, which may or not be a payment card. For example, a merchant may want to use a payment card to identify a returning customer in order to apply a discount, attribute loyalty points, or to provide targeted offers or advertising. In the airline industry payment cards can be used as a form of customer identification (FOID) when looking up flight details at a check-in desk, or in order to access ancillary services. In cinema foyers and other venues it is common for a payment card to be used to identify a customer at a self-service kiosk to collect reserved tickets.

Alternatively, captured data could be used for other types of transactions, for example by storing data centrally as cards-on-file for future transacting, performing a card-not-present transaction instead of card-present, or used to perform a transaction through an alternative network to that of the card schemes, such as topping up a pre-paid card over a private network or performing a direct bank transfer (e.g. as is enabled by SEPA).

These use cases all require the ability to capture a customer’s payment card data without actually performing a sale transaction. They also have to be processed securely and prevent sensitive card data getting into the hands of criminals.


Capturing data with G8

Of the different interfaces a terminal offers, the card reader is the most complex to work with. This is due to the low-level exchange of commands and responses (called APDUs) needed in order to interact with a chip. STS’ EMV level 2 kernel, Emvelink, and flexible payment application, G8, have both long since allowed integrators to interact with chip cards at this low level (owing to the inclusion of STS’ Smart Card Framework, SmartNS). Although offering the most flexibility, this method can be onerous and requires a detailed knowledge of EMV and smart cards.

To ease integration, G8 supports a specific transaction type for capturing cardholder data without performing a sale. Rather than starting a GOODS_AND_SERVICES transaction, the integrator starts a DATA_CAPTURE transaction. G8 will prompt for card presentment (tap, insert or swipe), read the card data, and return the data to the integrator. Optionally, G8 will then prompt for card removal (if card inserted) or the terminal display can be customised to allow further interactions and other flows.

Example code to capture redacted PAN and cardholder name:

Tender t = g8.createTender(DATA_CAPTURE);

TenderResult r = t.process();



If a magnetic stripe card is swiped, G8 can expose the data from tracks 1, 2 or 3, as read from the card by the terminal. Furthermore, G8 can be configured to understand specific formats of track data, allowing G8 to extract the different fields, such as the Primary Account Number (PAN), and expose them to the integrator separately.

Data capture transactions can also be used for reading non-payment data from a card, such as the cardholder name, EMV Payment Account Reference, or a loyalty number. For example, some airlines have partnered with credit card providers to include the customer’s Frequent Flyer number in the chip or track data.


Providing services from the Payment Gateway

Some payment gateways (or “processors”) may offer additional services which could be leveraged within a data capture transaction. After capturing the data from the card G8 can send this data online to the payment gateway and then expose any additional data provided by the gateway back to the integrator. For example, if Point-to-point Encryption (P2PE) is in use on the terminal then G8 will not be able to extract the necessary fields from magnetic stripe data. In this case G8 can send the encrypted data to the payment gateway, where it can be decrypted and non-sensitive fields can be extracted and returned to G8. In a similar way the gateway could also:

·         Tokenise the card data

·         Perform an IIN/BIN-range lookup and apply other business logic

·         Look up customer information in a CRM system


PCI compliance

It is important for merchants to maintain compliance with the PCI DSS to minimise the risk of suffering a data breach, fraud or negative customer experience. The PCI DSS is applicable when storing, processing or transmitting cardholder account data, chiefly the PAN, and so may be applicable when performing a data capture transaction.

It might be necessary to bring value-added services into scope of PCI DSS, but not always. In most instances the value-added services will not require full account data, a redacted PAN (which reveals only the first 6 and last 4 digits) may be sufficient. If the full PAN is required then tokenisation is a good alternative option which offers the same level of uniqueness as a PAN.

As mentioned above, if P2PE is in operation then the encrypted account data can be sent upstream to the payment gateway for processing, and G8 and the EPOS application can remain out of scope, receiving only non-sensitive data in response from the gateway.



For most merchants it is imperative to have a payment terminal available at every point of customer interaction in order to quickly accept card transactions and reduce purchase abandonment. These might be countertop units with built-in printers and digital signature pads, or lightweight mobile terminals for sales assistants on the shop floor. However they are deployed, this prevalence presents an opportunity to add additional services within a familiar customer journey, be it to better understand the customer, provide loyalty benefits or to solve a technical difficulty. It can be done with minimal friction and while maintaining PCI DSS compliance.

To find out more about how G8 could enable an enriched customer journey with value-added services please get in contact – we’d love to hear your thoughts.

Wednesday, October 11, 2017