How ISO8583 Works: The Protocol Behind Payments

What Is ISO8583

ISO8583 is an international standard for exchanging messages in electronic financial transactions. When you tap or swipe your card at a POS terminal, the message traveling between the terminal, the acquirer, the card scheme, and the issuing bank follows — almost always — this standard.

Originally developed by the ISO (International Organization for Standardization), the standard defines the structure, format, and meaning of each field in a financial transaction message — yet it is flexible enough for each network (Visa, Mastercard, Elo, national networks) to define its own variations.

Structure of an ISO8583 Message

An ISO8583 message consists of three parts:

[ MTI ] [ Bitmap ] [ Data Elements ]

1. MTI — Message Type Indicator (4-digit BCD or ASCII)

The MTI identifies the protocol version, class, function, and originator of the message.

0200  →  Authorization Request
0210  →  Authorization Response
0400  →  Reversal Request
0800  →  Network Management Request

Breaking down MTI 0200:

0 — ISO8583:1987 version
2 — Financial Transaction (class)
0 — Request (function)
0 — Acquirer (originator)

2. Bitmap (8 or 16 bytes)

The bitmap is a bit map indicating which Data Elements (DEs) are present in the message. Each bit represents one DE:

Primary Bitmap (8 bytes / 64 bits): covers DEs 1 to 64
Secondary Bitmap (8 bytes / 64 bits): covers DEs 65 to 128 — present when bit 1 of the primary bitmap is set

If bit 3 is 1, DE 3 (Processing Code) is present in the message.

Bitmap in hex: F2 30 05 80 20 C0 80 00

In binary:     1111 0010  0011 0000  0000 0101  1000 0000
               DE1–DE8    DE9–DE16   DE17–DE24  DE25–DE32

3. Data Elements (DEs)

These are the transaction fields. Each DE has a number, a type, and a size defined by the standard.

| DE | Name | Type | Size | |----|------|------|------| | 2 | Primary Account Number (PAN) | LLVAR | up to 19 | | 3 | Processing Code | n | 6 | | 4 | Transaction Amount | n | 12 | | 7 | Transmission Date & Time | n | 10 | | 11 | System Trace Audit Number (STAN) | n | 6 | | 22 | POS Entry Mode | n | 3 | | 37 | Retrieval Reference Number (RRN) | an | 12 | | 39 | Response Code | an | 2 | | 41 | Card Acceptor Terminal ID | ans | 8 | | 49 | Currency Code | n | 3 |

Flow of a Debit/Credit Transaction

Customer (card)
    → POS Terminal
        → Acquirer (0200)
            → Card Scheme (Visa/Mastercard/Elo)
                → Issuing Bank
                ← Response (0210) with Response Code
            ← Response forwarded
        ← Authorization or decline
    ← Result on screen

The Response Code (DE 39) is critical:

00 — Approved
05 — Do not honor (generic decline)
51 — Insufficient funds
54 — Expired card
55 — Incorrect PIN
96 — System malfunction

Field Format Types

ISO8583 defines fixed and variable formats:

n — numeric (6 = 6 digits)
an — alphanumeric
ans — alphanumeric + special characters
b — binary
LLVAR — variable length, prefixed with 2 digits indicating the length
LLLVAR — variable length, prefixed with 3 digits

Example: PAN (DE 2) is LLVAR n..19 — the first 2 bytes indicate the PAN length, followed by the numeric PAN of up to 19 digits.

Implementing with jPOS (Java)

jPOS is the reference open-source library for ISO8583 in Java:

ISOMsg msg = new ISOMsg();
msg.setMTI("0200");
msg.set(2,  "4111111111111111");  // PAN
msg.set(3,  "000000");            // Processing Code (debit purchase)
msg.set(4,  "000000001000");      // Amount: $10.00
msg.set(11, "000001");            // STAN
msg.set(22, "051");               // POS Entry Mode: chip + PIN
msg.set(41, "TERM0001");          // Terminal ID
msg.set(49, "986");               // BRL

ISOPackager packager = new ISO87APackager();
byte[] packed = packager.pack(msg);

Practical Challenges

Network variations: The standard is extensible and each network defines its own use of private fields (DE 48, DE 55 for EMV data, etc.). This means that an integration with one acquirer will differ from an integration with another.

Binary fields and cryptography: DE 52 (PIN Block) and DE 55 (ICC Data / EMV) are binary fields that require special handling. The PIN Block in particular requires cryptographic operations using the HSM's session key.

Timeouts and reversals: Every transaction that does not receive a response within the timeout must trigger a reversal message (MTI 0400) to ensure financial consistency — otherwise the customer may be charged without approval.

Conclusion

ISO8583 is a robust and well-established protocol, but with a significant learning curve. The real complexity lies not in the format itself, but in the variations between networks, PIN cryptography, EMV handling, and the fallback and reversal logic required to guarantee financial consistency in production.

If you are building a payment gateway or integrating with an acquiring network, jPOS (Java) is the most solid starting point in the open-source ecosystem.