Payment Technology — ISO 8583 & ISO 20022

ISO 8583

ISO 8583 — Financial Transaction Message Standard

ISO 8583 defines the structure for electronic financial transaction messages — the language spoken between terminals, acquirers, switches, and issuers. Mastery of this standard is essential for certification, interoperability, and production debugging.

Message Structure: MTI, Bitmap & Data Elements

Every ISO 8583 message has three structural components:

Message Type Indicator (MTI) — a 4-digit code encoding version, message class, message function, and transaction originator. MTI 0100 means: version 0 (ISO 8583:1987), financial message class (0xxx), request function (xx0x), acquirer originator (xxx0).
Primary Bitmap — 8 bytes (64 bits) where each bit indicates whether the corresponding Data Element (DE01–DE64) is present in the message. Bit 1 of the primary bitmap, when set, signals the presence of a Secondary Bitmap (DE65–DE128), extending the message to 128 potential fields.
Data Elements (DEs) — variable-length or fixed-length fields carrying the transaction data. Each DE has a defined format (n = numeric, a = alpha, an = alphanumeric, b = binary, z = track 2) and maximum length.

Bitmap Interpretation

To read a primary bitmap, convert each hex byte to 8 binary bits and map bit positions to DE numbers. A bit value of 1 means the field is present; 0 means absent.

Primary Bitmap (hex):  F2 3C 40 81 28 E0 92 00

Byte 1: F2 = 1111 0010  → DE01 DE02 DE03 DE04 _ _ DE07 _
Byte 2: 3C = 0011 1100  → _ _ DE11 DE12 DE13 DE14 _ _
Byte 3: 40 = 0100 0000  → _ DE19 _ _ _ _ _ _
Byte 4: 81 = 1000 0001  → DE25 _ _ _ _ _ _ DE32
Byte 5: 28 = 0010 1000  → _ _ DE38 _ DE41 _ _ _
Byte 6: E0 = 1110 0000  → DE42 DE43 DE44 _ _ _ _ _
Byte 7: 92 = 1001 0010  → DE49 _ _ _ DE53 _ _ _  (bit 1 = secondary bitmap present? No: DE65 not set in byte 1 bit 1 = 1 — yes, secondary present if DE01=1)
Byte 8: 00 = 0000 0000  → no fields DE57–DE64

Note: DE01 = 1 (F2 bit 1 = 1) → Secondary Bitmap present in this message.
Fields present: DE02, DE03, DE04, DE07, DE11, DE12, DE13, DE14,
                DE19, DE25, DE32, DE38, DE41, DE42, DE43, DE44, DE49, DE53

Key Data Elements Reference

DE	Name	Format	Max Len	Notes
DE02	Primary Account Number (PAN)	n, LLVAR	19	Never logged in full in production systems; truncate or mask
DE03	Processing Code	n	6	First 2 digits = transaction type (00=purchase, 01=cash withdrawal, 20=credit)
DE04	Amount, Transaction	n	12	In minor currency units (cents); right-justified, zero-padded
DE07	Transmission Date & Time	n	10	MMDDhhmmss format in UTC; used for duplicate detection
DE11	Systems Trace Audit Number (STAN)	n	6	Unique per originator terminal per day; loops 000001–999999
DE12	Local Transaction Time	n	6	hhmmss in terminal local time
DE13	Local Transaction Date	n	4	MMDD in terminal local time
DE14	Expiration Date	n	4	YYMM format
DE22	POS Entry Mode	n	3	First 2 digits = entry mode (01=manual, 05=chip, 07=contactless); digit 3 = PIN capability
DE35	Track 2 Data	z, LLVAR	37	PAN=separator=expiry=service code=discretionary data; never stored post-auth
DE37	Retrieval Reference Number (RRN)	an	12	Acquirer-assigned; echoed in response; key for chargeback matching
DE38	Authorisation Identification Response	an	6	Auth code from issuer; present only in approved responses
DE39	Response Code	an	2	00=approved, 05=do not honour, 51=insufficient funds, 54=expired card, 55=incorrect PIN
DE41	Card Acceptor Terminal ID (TID)	ans	8	Identifies the terminal; used in dispute resolution and MCC assignment
DE42	Card Acceptor Identification Code (MID)	ans	15	Merchant ID assigned by acquirer; links to merchant master record
DE49	Currency Code, Transaction	n	3	ISO 4217 numeric code (840=USD, 978=EUR, 784=AED, 356=INR)

Message Type Pairs

ISO 8583 uses request/response pairs and advice/acknowledgement pairs. Understanding the pairing logic is critical for timeout handling and duplicate detection:

Request MTI	Response MTI	Function	Notes
0100	0110	Authorisation Request / Response	Auth-only; no funds movement until capture
0120	0130	Authorisation Advice / Acknowledgement	Issuer offline approval; acquirer notifies issuer
0200	0210	Financial Transaction Request / Response	Auth + capture in single message; ATM cash withdrawal
0400	0410	Reversal Request / Response	Initiated by acquirer to cancel previously approved txn
0420	0430	Reversal Advice / Acknowledgement	Offline reversal — issuer was unavailable at reversal time
0800	0810	Network Management Request / Response	Sign-on (DE70=001), sign-off (DE70=002), echo test (DE70=301)

Sample 0100 Message — Hex Dump Interpretation

The following illustrates how to read a raw 0100 authorisation request off the wire. Field boundaries are computed by reading the bitmap and applying each DE’s length rules:

Raw hex (simplified example — TPDU omitted):

  30 31 30 30                        ← MTI: "0100" (ASCII-encoded)
  72 34 04 C0 28 80 10 00            ← Primary Bitmap
  10 4761739001010119                ← DE02: LLVAR n19 — PAN (len=10 encoded as "10", PAN follows)
  00 00 00                           ← DE03: Processing Code "000000" (purchase, from/to unspecified)
  00 00 00 01 00 00                  ← DE04: Amount "000000010000" = 100.00 in minor units
  04 02 11 49 30                     ← DE07: Transmission DateTime "0402114930" = Apr 02 11:49:30 UTC
  00 04 37                           ← DE11: STAN "000437"
  11 49 30                           ← DE12: Local Time "114930"
  04 02                              ← DE13: Local Date "0402"
  27 01                              ← DE22: POS Entry Mode "270" — 07=contactless, 0=unverified PIN
  31 36 35 34 30 30 30 30 30 30 30 31← DE41: TID "16540000001" (8 bytes, space-padded)
  31 32 33 34 35 36 37 38 39 41 42 43← DE42: MID "123456789ABC" (15 bytes, space-padded)
  08 40                              ← DE49: Currency Code "840" (USD)

Field breakdown:
  ├── MTI       : 0100   (Auth Request, Acquirer-originated)
  ├── DE02 (PAN): 4761739001010119  [masked in logs as 476173******0119]
  ├── DE03      : 000000  (Purchase transaction)
  ├── DE04      : 000000010000  (USD 100.00)
  ├── DE07      : 0402114930  (Apr 02, 11:49:30 UTC)
  ├── DE11      : 000437  (STAN for retry/duplicate matching)
  ├── DE12      : 114930  (local time)
  ├── DE13      : 0402   (local date)
  ├── DE22      : 270    (contactless NFC entry, unverified PIN capability)
  ├── DE41      : 16540000001  (Terminal ID)
  ├── DE42      : 123456789ABC  (Merchant ID)
  └── DE49      : 840   (USD)

Network Management — Sign-On & Sign-Off

Before a terminal or host can process transactions, it must establish a session with the switch using 0800 Network Management messages:

Sign-On (0800 / DE70=001) — terminal sends an 0800 with DE70 set to 001. The switch validates the terminal ID and PIN key exchange (where applicable), then responds with an 0810 and DE39=00 to confirm the session is active.
Sign-Off (0800 / DE70=002) — terminal sends an 0800 with DE70=002 at end of business or before a restart. The switch closes the session.
Echo Test (0800 / DE70=301) — used for keep-alive / link health monitoring. The switch echoes DE70 back in the 0810 response; a response of DE39=00 confirms the communications path is active.

Network Interface Identifier (NII) in the TPDU header identifies the switch endpoint. Correct NII configuration is required for multi-switch environments (e.g. domestic switch and Visa/Mastercard international switch on the same host).

ISO 20022

ISO 20022 — Next-Generation Payment Messaging

ISO 20022 is the global standard for financial messaging, replacing legacy SWIFT MT formats and underpinning SEPA, UK Faster Payments, SWIFT gpi/CBPR+, and central bank RTGS systems worldwide.

Message Families

ISO 20022 messages are grouped by business domain and prefixed with a four-letter code:

pain

Payment Initiation

pain.001 — Customer Credit Transfer Initiation (corporate to bank)
pain.002 — Payment Status Report (bank to corporate, ACK/reject)
pain.007 — Payment Reversal

pacs

Payment Clearing & Settlement

pacs.008 — FI-to-FI Customer Credit Transfer (interbank)
pacs.002 — FI-to-FI Payment Status Report
pacs.004 — Payment Return
pacs.009 — Financial Institution Credit Transfer (cover payment)

camt

Account Management

camt.052 — Bank-to-Customer Account Report (intraday)
camt.053 — Bank-to-Customer Statement (end-of-day)
camt.054 — Bank-to-Customer Debit/Credit Notification
camt.056 — FI-to-FI Payment Cancellation Request

Credit Transfer Flow: pain.001 → pacs.008 → pacs.002

The standard credit transfer lifecycle for a corporate payment across two financial institutions:

01

pain.001 — Customer Credit Transfer Initiation
Corporate ERP sends a pain.001 to its bank (Debtor Agent). Contains CdtTrfTxInf with debtor IBAN, creditor IBAN/BIC, amount, currency, remittance information, and payment purpose code. May contain multiple transactions in a single file (batch payment).

02

pain.002 — Payment Status Report (ACK)
Debtor Agent returns a pain.002 acknowledging receipt. Status code ACCP (Accepted Customer Profile) or ACSC (Accepted Settlement Completed). Rejection at this stage typically carries reason code AC01 (incorrect account number) or AGNT (incorrect agent in chain).

03

pacs.008 — FI-to-FI Customer Credit Transfer
Debtor Agent sends a pacs.008 to the Creditor Agent via the clearing mechanism (SWIFT, SEPA CSM, domestic RTGS). Carries the original end-to-end ID, UETR (Unique End-to-end Transaction Reference — a UUID4), and the full remittance data. The UETR enables SWIFT gpi tracking across correspondent chains.

04

pacs.002 — Payment Status Report (Interbank)
Creditor Agent sends a pacs.002 back to the Debtor Agent confirming settlement (ACSC) or rejection. Rejection reason codes at interbank level include RR04 (regulatory reason — AML/sanctions hold) and MS03 (not specified — catch-all for unclassified rejects).

CBPR+ — SWIFT MT to MX Migration

Cross-Border Payments and Reporting Plus (CBPR+) is SWIFT’s mandatory migration from legacy MT messages (MT103, MT202, MT199) to ISO 20022 MX messages (pacs.008, pacs.009, camt.056). Key points:

Coexistence period — during the transition, SWIFT’s translator service wraps legacy MT content inside an MX envelope using the SWIFTSrcBrdgng / OriginalMessageReference construct. MX-native banks receive a pacs.008 with the legacy MT103 embedded as an UndrlygCstmrCdtTrf supplementary data block.
Truncation risk — MT103 field 70 (remittance) is 4 × 35 characters (140 chars); ISO 20022 RmtInf/Ustrd supports 140 characters per unstructured line. Rich structured remittance (RmtInf/Strd with CdtrRefInf) may be truncated during MT translation — a major reconciliation risk.
LEI requirements — CBPR+ mandates Legal Entity Identifier (LEI) in Dbtr/Id/OrgId/LEI for corporate originators above certain thresholds, enforced from November 2025.

pain.002 / pacs.002 Status Reason Codes

Code	Name	Description	Typical Initiator
`AC01`	IncorrectAccountNumber	Account number format invalid or IBAN check digit fails	Debtor Agent or CSM validation
`AC04`	ClosedAccountNumber	Creditor account has been closed	Creditor Agent
`AGNT`	AgentInChainInvalid	Intermediary or creditor agent BIC is invalid or unreachable	Debtor Agent / CSM
`AM04`	InsufficientFunds	Insufficient funds in debtor account	Debtor Agent
`RR04`	RegulatoryReason	Regulatory / compliance hold — AML screening or sanctions match	Any agent in chain
`MS03`	NotSpecifiedReasonAgentGenerated	Unclassified reject — agent unable or unwilling to specify reason	Any agent
`CUST`	RequestedByCustomer	Payment cancelled at customer request (via camt.056)	Debtor Agent

Testing

Simulator Log Analysis

Reading Visa VTC and Mastercard MIP simulator output is a core skill during scheme certification. Knowing exactly what each log line tells you — and what a mismatch or error code means — dramatically shortens the debug cycle.

Reading Visa VTC Simulator Output

The Visa Test Center (VTC) simulator logs each test case transaction with a structured output. Key fields to examine:

MTI mismatch — if the simulator expected a 0200 but received a 0100, the acquirer’s host is classifying the transaction type incorrectly. Check DE03 (Processing Code) interpretation — ATM cash withdrawal should be 0200, not 0100.
DE39 Response Code anomalies — unexpected response codes (e.g. 05 Do Not Honour for what should be an approval) indicate the acquirer host is declining simulator test cards. Verify the test BIN ranges are configured in the host’s routing table and approval overrides.
MAC errors — Message Authentication Code validation failures in the VTC output indicate a key management problem. Check that the session keys are correctly derived from the master key, that the MAC algorithm (DES, 3DES, or AES) matches the scheme specification, and that the MAC data field boundaries are correctly implemented.
DE55 (ICC Data) content errors — Visa VTC validates EMV tag content within DE55. Common failures: missing mandatory tags (9F26 Application Cryptogram, 9F36 ATC, 84 DF Name), incorrect tag order (tags must be BER-TLV compliant but scheme rules impose additional ordering requirements), or cryptogram type mismatch (TC sent when ARQC expected).

Reading Mastercard MIP Simulator Output

The Mastercard Interface Processor (MIP) simulator provides detailed field-level validation output for each test case:

Field presence errors — MIP flags missing mandatory fields (e.g. DE61 absent on a contactless transaction). Cross-reference the MIP test case specification table for the exact required/optional/prohibited field set per transaction type and entry mode.
DE22 POS Entry Mode errors — contactless transactions must carry POS entry mode 07x. If the terminal sends 05x (chip contact) for a tap transaction, MIP will fail the test case with an entry mode mismatch. Similarly, fallback to magnetic stripe from EMV must set the correct fallback indicator in DE22 digit 3.
Reversal handling — MIP verifies that timeout reversals (0400) are sent correctly when a response is not received within the configured timeout window. Missing reversals, or reversals with incorrect DE90 (Original Data Elements) content, are common certification failures.
DE48 additional data errors — Mastercard uses DE48 sub-fields extensively. Incorrect sub-field delimiters, missing sub-element tags (e.g. SE61 for wallet data), or incorrect sub-element lengths are flagged as DE48 format errors in MIP output.

Pro tip: Always cross-reference the simulator output error code against the scheme’s Interface Specification (IS) document and the test case expected result. Simulators often provide a short error description but the IS contains the precise field-level rule being validated — essential for root cause analysis.

Frequently Asked Questions

A Hardware Security Module (HSM) is mandatory whenever a payment system generates, stores, or uses cryptographic keys for cardholder data protection or transaction authentication. PCI DSS Requirement 3 mandates HSM-based key management for any organisation that stores, processes, or transmits PAN data. Specifically, HSMs are required for: PIN block encryption and decryption in ATM and POS PIN flows (PCI PIN standard); EMV ARQC/ARPC generation and verification (the Application Master Key must reside in an HSM); card personalisation key management; and 3DES or AES MAC generation for host-to-host message authentication. Common HSMs in payment deployments include Thales payShield 9000/10K, Utimaco CryptoServer, and nCipher. HSMs must be certified to FIPS 140-2 Level 3 or PCI HSM standards as mandated by your scheme agreements.

ISO 8583 was designed for authorisation speed with minimal structured data — many fields are free-text or coded values with limited semantic meaning. ISO 20022 introduces structured XML/JSON schemas with named fields and codified value sets, enabling machines to reliably parse remittance information, ultimate debtor/creditor identities, purpose codes, and regulatory reporting fields without string matching. For AML screening, ISO 20022 pacs.008 provides structured creditor and debtor names, addresses, LEIs, and account identifiers that can be screened against sanctions lists with higher accuracy and fewer false positives than free-text DE parsing. For fraud, the Transaction Category Purpose Code (TCPC) and End-to-End Identification enable cross-institution transaction linkage that supports network analysis fraud detection.

Both Visa (BASE I) and Mastercard (BANKNET/DE) use ISO 8583 as their base specification but have diverged significantly in field usage, DE definitions, and bitmap extensions. Key differences include: DE 48 (Additional Data — Private Use) has entirely different sub-field structures between the two schemes; DE 60, 62, and 63 are used for different scheme-specific purposes; the EMV DE 55 content is broadly the same (BER-TLV) but the handling of discretionary data and issuer script results differs. Acquirers processing both schemes must implement a translation layer or use a scheme-agnostic gateway that normalises these fields. For MTIP and ADVT certification, test cases explicitly validate scheme-specific DE 48 population — errors in DE 48 sub-field encoding are among the most frequent defect categories in Visa and Mastercard certification submissions.

Payment Messaging Standards: ISO 8583 & ISO 20022

ISO 8583 — Financial Transaction Message Standard

Message Structure: MTI, Bitmap & Data Elements

Bitmap Interpretation

Key Data Elements Reference

Message Type Pairs

Sample 0100 Message — Hex Dump Interpretation

Network Management — Sign-On & Sign-Off

ISO 20022 — Next-Generation Payment Messaging

Message Families

Payment Initiation

Payment Clearing & Settlement

Account Management

Credit Transfer Flow: pain.001 → pacs.008 → pacs.002

CBPR+ — SWIFT MT to MX Migration

pain.002 / pacs.002 Status Reason Codes

Simulator Log Analysis

Reading Visa VTC Simulator Output

Reading Mastercard MIP Simulator Output

Frequently Asked Questions

Need ISO 8583 or ISO 20022 expertise?