Definition
ISO 8583 is the ISO standard (1987, revised in 1993 and 2003) that defines the format of messages exchanged between card-payment players: the POS terminal, the acquiring PSP, the network switch (Visa, Mastercard, CB) and the issuing bank.
It is the dominant standard for card authorization, acquiring and settlement. It is a binary format built from an MTI (Message Type Indicator, 4 digits: 0100 request, 0110 response…), a bitmap indicating which fields are present, and up to 128 data elements. Designed in 1987, it remains essential: Visa (BASE I/II), Mastercard (MIP/MDS), CB, Amex, JCB and UnionPay all use it, with proprietary variants.
Structure of a message
MTI : 0100 (Authorization Request)
Bitmap : 7234050108E18000... (indicates which fields are present)
DE2 PAN : 4242424242424242
DE3 Proc Code : 000000 (purchase)
DE4 Amount : 000000050000 (50.00 €)
DE7 Trans DT : 0419103045 (April 19, 10:30:45)
DE11 STAN : 123456 (System Trace Audit Number)
DE22 POS Entry : 051 (chip + PIN)
DE32 Acquirer : 12345678 (BIN PSP)
DE41 TID : 00012345 (terminal)
DE42 MID : 123456789012345 (merchant)
DE49 Currency : 978 (EUR)
DE52 PIN Block : ... (encrypted)
DE55 EMV Data : 9F26... (chip data)

A message is roughly 300 to 500 bytes, transmitted in under 200 ms.
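The bitmap described above can be decoded in a few lines, and doing so before logging lets an operator redact the fields that travel in the clear, since ISO 8583 is not encrypted by default. This is an added example, not code from the original page or from any library it names; the function names, the redaction policy and the sample bitmap are assumptions constructed for illustration.

```python
# Added example (not from the original page); function names are hypothetical.
SENSITIVE = {2: "PAN", 52: "PIN block", 55: "EMV data"}  # DEs named in the listing

def decode_bitmap(hex_bitmap):
    """Return the data element numbers flagged in a hex-encoded bitmap."""
    raw = bytes.fromhex(hex_bitmap)
    if len(raw) < 8:
        raise ValueError("primary bitmap must be 8 bytes")
    # Bit 1 (MSB of the first byte) announces a secondary bitmap for DE65-128.
    need = 16 if raw[0] & 0x80 else 8
    if len(raw) < need:
        raise ValueError("secondary bitmap announced but missing")
    return [i * 8 + bit + 1
            for i, byte in enumerate(raw[:need])
            for bit in range(8)
            if byte & (0x80 >> bit) and (i, bit) != (0, 0)]

def mask_pan(pan):
    """Keep the first 6 and last 4 digits (a common truncation rule for logs)."""
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def log_safe(hex_bitmap, fields):
    """Reject a field set that disagrees with the bitmap, then redact for logs."""
    present = decode_bitmap(hex_bitmap)
    if sorted(fields) != present:
        raise ValueError("fields do not match bitmap")
    safe = {}
    for de in present:
        if de == 2:
            safe[de] = mask_pan(fields[de])
        elif de in SENSITIVE:
            safe[de] = "<redacted %s>" % SENSITIVE[de]
        else:
            safe[de] = fields[de]
    return safe

# Constructed sample: bitmap computed for the 12 fields of the listing above.
BITMAP = "7220040100C09200"
SAMPLE = {2: "4242424242424242", 3: "000000", 4: "000000050000",
          7: "0419103045", 11: "123456", 22: "051", 32: "12345678",
          41: "00012345", 42: "123456789012345", 49: "978",
          52: "0" * 16, 55: "9F26"}  # DE52/DE55 values are placeholders

if __name__ == "__main__":
    for de, value in log_safe(BITMAP, SAMPLE).items():
        print("DE%-3d %s" % (de, value))
```

The mismatch check in `log_safe` matters for defenders: a message whose fields disagree with its bitmap is malformed and should be rejected rather than logged or forwarded.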
The lifecycle of a transaction
Three stages: authorization (online in under a second), clearing (a daily batch) and settlement (net settlement between issuer and acquirer via the network, at T+1 or T+2).
Variants by network
Each network adapts ISO 8583 into its own format: Visa (BASE I for auth, BASE II for clearing), Mastercard (MIP + MDS), CB (close to Visa), Amex (proprietary), as well as JCB, Discover and UnionPay. A multi-network acquiring PSP (Stripe, Adyen, Worldline) must therefore handle several dialects.
ISO 8583 vs ISO 20022
| Aspect | ISO 8583 (1987) | ISO 20022 (2004) |
|---|---|---|
| Format | Binary bitmap | XML / JSON |
| Readability | Low | Good |
| Richness | Limited | Very rich |
| Latency | < 200 ms | Heavier (XML parsing) |
| Domain | Cards | Everything (payments, securities, FX) |
| Adoption | Universal (cards) | Universal (SEPA / SWIFT MX) |
ISO 8583 holds on for four reasons: ultra-low latency (authorization in < 200 ms is critical), compactness (~300 bytes vs several KB in XML), 40 years of legacy in core systems, and a migration cost estimated in the billions of dollars. Visa and Mastercard are nonetheless working on a gradual shift (Visa Direct and Mastercard Send are already on ISO 20022), with card clearing in ISO 20022 envisaged after 2030.
Players
- Networks: Visa, Mastercard, Amex, JCB, Discover, UnionPay, CB (FR).
- Switches / processors: Worldline (FR), Nexi (IT), Fiserv, TSYS / Global Payments, FIS.
- Tools: jPOS (the reference open-source Java library), OpenISO8583.Net, iso8583py, and Thales or Utimaco HSMs for cryptograms.
What ISO 8583 is not
- Not a universal payment standard: it is specific to cards; transfers and direct debits fall under ISO 20022.
- Not a transport protocol: it describes the message format, the transport being TCP/IP (or X.25 historically).
- Not required for the new rails: FedNow, TIPS and SCT Inst are on ISO 20022.
- Not encrypted by default: additional layers are needed (TLS, P2PE, HSM).
- Not strictly standardized: each network has its own variant (Visa, Mastercard, CB "flavors").
In the PSD2 / Open Finance ecosystem
ISO 8583 is invisible to PSD2 TPPs (which work with REST/JSON APIs), but ubiquitous on the card side: acquirers (Stripe, Adyen) translate their REST APIs into ISO 8583, BaaS issuers (Treezor, Swan, Solaris) translate incoming ISO 8583 messages into their business APIs, and part of the 3DS challenge flow travels through it. It therefore remains fundamental to understanding card payments, even in the Open Banking era.
Concrete examples
- Stripe: receives a payment request, translates it into ISO 8583 to Visa BASE I, receives the 0110 approval, and confirms to the merchant.
- Treezor: receives an 0100 from the card switch, checks the balance and scoring, and returns an 0110 approve/decline.
- Worldline: operates several FR and EU switches processing more than 50M transactions per day.
- jPOS: an open-source library used by hundreds of processors and issuing fintechs.
- ISO 20022 migration: Visa Direct and Mastercard Send (push payments) have already migrated, but the legacy 0100/0110 will stay on 8583 until after 2030.
- Two worlds: a credit fintech developer sees JSON/REST; an acquiring PSP developer sees 8583 bitmaps in hexadecimal.