The algorithm uses the aforementioned data elements to calculate the TruTrace as follows:

TruTrace = {[9F06]#[50]#[last 4 digits 5A]#[5F25]#[5F28]#[5F2D]#[5F34]#[SHA256(S1 + [5F20])]#[SHA256(S1 + [5F24])]}

where:

  • # is used as a data element separator
  • [XX…] denotes a data element or a SHA256 calculation
  • + denotes that the data elements within the brackets ( ) are concatenated before any other operation takes place
  • S1 = {[42]+[last 4 digits 5A]}

A few comments with regards to the algorithm:

  • S1 is used as a ‘salt’ when calculating the SHA256 values
  • S1 is also effectively the masked PAN (i.e. IINnnnnnn5A)
  • The first SHA256 calculation combines S1 with the cardholder name (5F20) - this is called the ‘Name Hash’
  • The second SHA256 calculation combines S1 with the card expiry date (5F24) - this is called the ‘Expiry Hash’
  • Trailing spaces present in the cardholder name are to be removed for the TruTrace algorithm

NOTE: The algorithm requires that all data elements within the brackets are in the order shown.

For those markets that use magnetic stripe or other non-EMV, the ‘Cardholder’ name (equivalent to [5F20]), ‘Expiry’ date (equivalent to [5F24]), Truncated PAN (equivalent to [42] [last 4 digits 5A]), and a few other elements may be available. These values are used as substitutes for their EMV tag equivalents in the algorithm above.
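The calculation above, written out as an added example (not code from the TruTrace implementation). It assumes the tag values arrive as text, are concatenated as UTF-8 strings, that the digest is rendered as lowercase hex, and that the braces and square brackets in the formula are notation rather than literal output; the card values are constructed.

```python
import hashlib

def sha256_hex(text: str) -> str:
    # Assumption: values are text, UTF-8 encoded; digest is lowercase hex.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def trutrace(tags: dict) -> str:
    """Build a TruTrace from EMV tag values keyed by tag (missing tags count as empty)."""
    def get(tag: str) -> str:
        return tags.get(tag) or ""
    last4 = get("5A")[-4:]                 # last 4 digits of the PAN
    s1 = get("42") + last4                 # S1: the salt, i.e. the masked PAN
    name = get("5F20").rstrip(" ")         # trailing spaces are removed
    return "#".join([
        get("9F06"), get("50"), last4, get("5F25"), get("5F28"),
        get("5F2D"), get("5F34"),
        sha256_hex(s1 + name),             # Name Hash
        sha256_hex(s1 + get("5F24")),      # Expiry Hash
    ])

# Constructed sample card, not real card data.
SAMPLE_CARD = {
    "9F06": "A0000000031010", "50": "VISA CREDIT", "5A": "4000001234567899",
    "42": "400000", "5F20": "DOE/JANE          ", "5F24": "251231",
    "5F25": "200101", "5F28": "0826", "5F2D": "en", "5F34": "01",
}

if __name__ == "__main__":
    print(trutrace(SAMPLE_CARD))
```

Because the name is trimmed before hashing, the padded and unpadded forms of the same cardholder name produce the same Name Hash.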

Analysis with TruTrace

Using TruTrace to identify repeat customers anonymously and across merchants is quite straightforward. Assuming TruTrace has been implemented correctly, the following is the preferred approach:

  • Always use the Name Hash as the primary identifier of the same anonymous customer. This is the most unique component in TruTrace

  • Having all the elements separated by # characters may make it tempting to combine all of these into one token for analysis - this must be avoided. Start with the Name Hash and use any additional components you may need for further analysis or insights

  • 9F06 - Application ID (AID) - may be used to differentiate between cards with the same last 4 digits (5A) as well as provide card application and details such as Visa, MasterCard, Credit, Debit etc. Use references such as: https://www.eftlab.co.uk/index.php/site-map/knowledge-base/211-emv-aid-rid-pix for a list of AIDs and their description

  • 50 - Application Label - this is a shorthand description of the AID (see point above), which provides a quick way of determining card scheme and type (e.g. Visa Credit)

  • 5F24 - Application Expiry Date - this is part of the ‘Expiry Hash’. If the Name Hash remains the same across transactions, but there is a change in the Expiry Hash, then this indicates that the card has been renewed. Note that this assumes that the PAN remains unchanged across a renewal which may not be true in many cases

  • 5F25 - Application Effective Date - may be used to determine how long a card has been in circulation as well as estimate when it expires

  • 5F28 - Issuer Country Code - may be used to determine where the card was issued. Note that this tag uses the numeric ISO 3166 standard that can be found here: https://en.wikipedia.org/wiki/ISO_3166-1_numeric

  • 5F2D - Language preference - may be used to gain some additional information about the card user. It follows the ISO 639-1 standard (lower case, two-letter) which may be found here: https://en.wikipedia.org/wiki/List_of_ISO_639-1_codes

  • 5F34 - Application primary account number (PAN) sequence number - may be used to resolve anonymous use across family members (e.g. if the number changes and the Name Hash is the same, then another member of the family is using the card)

Guaranteed Uniqueness and TruTrace

In terms of the Name Hash, if the name is populated, then the resultant hash is for all intents and purposes unique. There are several edge cases we would encounter:

  • People can and do have the same name. If the IIN and last four digits of the PAN are identical, and this is not a family card, then it will not be possible to differentiate these two customers using TruTrace. The odds of this occurring are very small (less than 0.000001 percent)

  • If in the above situation, the card is a family card, then the application primary sequence will be different. This is used to distinguish between the two anonymous transactions

So, the rule of thumb for the above analysis is to always check the application primary sequence number and the last four digits (5A) of TruTrace. If both are the same, then either you have:

  • hit the jackpot and identified someone with the same name and masked PAN; or,
  • the name field is blank.

If the card holder name is not populated, then the only distinguishing factor between cards is the masked PAN (effectively S1). This should in most cases be unique enough to anonymously identify a customer. Note that additional information outside of TruTrace (such as time and location) can be used to also help identify the uniqueness of a customer.

In the edge case where no values are populated, and the Name Hash is calculated, a result of:

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

will be generated.

If you get this value, then you know that all the elements used within the calculation are empty which is clearly not true - in reality, the name may be blank, but the IIN (42) and 5A which constitute the masked PAN, can never be blank. However, there may be certain situations where these values are not available. These include:

  • The payment partner may not have access to these EMV tags outside of the EMV kernel they are using with their payment application (e.g. some implementations of P2PE);

  • These EMV tags may only be available when a card insertion is conducted. Contactless EMV transactions, depending on the implementation of the EMV kernel, may not expose these EMV tags to the payment application. This could result in the same card having a unique TruTrace when used in a non-contactless mode and a non-unique one when contactless is used.

The above two situations and indeed the whole of TruTrace, are discussed with the payment partner by the Solution Architect on implementation. Every effort is made to ensure that in all situations TruTrace is implemented to ensure uniqueness and consistency.
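The analysis rules from the two sections above, applied to pairs of TruTrace values in an added example (not part of the TruTrace product). The field names, the `compare` and `sample_trutrace` helpers and the sample values are constructed for illustration, and the hashing assumes UTF-8 text with lowercase hex output.

```python
import hashlib

# SHA256 of no input: the e3b0c442...b855 value quoted above.
EMPTY_HASH = hashlib.sha256(b"").hexdigest()
FIELDS = ["aid", "label", "last4", "effective", "country", "language",
          "sequence", "name_hash", "expiry_hash"]

def parse(trutrace: str) -> dict:
    parts = trutrace.split("#")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 '#'-separated elements")
    return dict(zip(FIELDS, parts))

def compare(a: str, b: str) -> str:
    """Relate two TruTrace values, starting from the Name Hash."""
    x, y = parse(a), parse(b)
    if EMPTY_HASH in (x["name_hash"], y["name_hash"]):
        return "unusable: hash inputs were not populated"
    if x["name_hash"] != y["name_hash"]:
        return "different customer"
    if x["sequence"] != y["sequence"]:
        return "same card, another family member"
    if x["expiry_hash"] != y["expiry_hash"]:
        return "same customer, card renewed"
    return "same customer"

def sample_trutrace(name: str, expiry: str, seq: str) -> str:
    # Constructed sample: IIN 400000, last four digits 7899.
    s1 = "400000" + "7899"
    def h(value: str) -> str:
        return hashlib.sha256((s1 + value).encode("utf-8")).hexdigest()
    return "#".join(["A0000000031010", "VISA CREDIT", "7899", "200101",
                     "0826", "en", seq, h(name), h(expiry)])

if __name__ == "__main__":
    first = sample_trutrace("DOE/JANE", "251231", "01")
    for other in (sample_trutrace("DOE/JANE", "281231", "01"),
                  sample_trutrace("DOE/JANE", "251231", "02"),
                  sample_trutrace("ROE/RICHARD", "251231", "01")):
        print(compare(first, other))
```

A blank name with a populated masked PAN still yields a usable Name Hash (the hash of S1 alone); only a value equal to `EMPTY_HASH` signals that none of the inputs reached the calculation.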
