Understanding Verifone Machines

by Dr. No

While shopping for some clothes, I encountered a situation in which a man's credit card was cut up.  The man asked an interesting question - "How does that 'thing' work anyway?" saying it in a sarcastic manner.  I intend to help you understand the basics of this machine called: the Verifone.

The Verifone comes under different names.  This article is from hacking a ZON Jr XL, but I have also seen ones that look very similar under the name TRANZ.  This is the basic layout of the machine, and some information on how it works.

       VeriFone  ZON Jr XL
       (Michigan Bankcard)

 |||||||||||||||||||||||||||||||||||
 |||||||16 CHARACTER DISPLAY||||||||
 |||||||||||||||||||||||||||||||||||

+-sale-+  +credit+   +force+  +-----+
| QZ.  |  | ABC  |   | DEF |  |     |
|  1   |  |  2   |   |  3  |  |CLEAR|
+------+  +------+   +-----+  +-----+

+------+  +check-+   +auth-+  +-----+
| GHI  |  | JKL  |   | MNO |  |BACK-|
|  4   |  |  5   |   |  6  |  |SPACE|
+------+  +------+   +-----+  +-----+
           cash-     balance/
+------+  +-mgmt-+   +settle+ +-----+
| PRS  |  | TUV  |   | WXY  | |     |
|  7   |  |  8   |   |  9   | |ALPHA|
+recall+  +-store+   +----- + +-----+

+------+  +-check+   +auth-+  +-----+
| ,'"  |  | -SP  |   |     |  |FUNC |
|  *   |  |  0   |   |  #  |  |ENTER|
+------+  +------+   +-----+  +-----+

  

Commands

Here is a list of commands the Verifone uses:

CLEAR  - Pressing CLEAR at any time brings the Verifone back to the READY state.

BACKSPACE  - Used to erase previously enterd characters.

ALPHA  - Used to scroll through the letters on each key.  Pressing an 8 will display 8.  Pressing ALPHA will change this first to T, and successive presses will change this to U, then V, then T again.

FUNC/ENTER  - Usually a blue key where all the other keys are gray.  Used to indicate end of input when entering information, or to change the functions of the keys to do alternate things.

(1) SALE  - Pressing SALE means you want to process a sale transaction.  The Verifone will ask for the credit card number.  The unit uses the CC number algorithm to check this number and can display BAD CC NUMBER.  The expiration date may be entered at this time at the end of the CC number, or after pressing ENTER it will ask for the expiration date which is of the form MMYY or MYY.  This information can be entered with the keypad or by sliding the credit card through the CC reader slot.

Then the amount of the transaction is entered (without a decimal point and without rounding the cents) followed by ENTER.

The Verifone calls in to get a 6-digit authorization number.  Usually this is six numbers, but I have seen it composed of two letters followed by 4-digits as well.  It usually begins with AP which indicates approval.  If the transaction in not approved it returns various messages depending on the reason.  This could be DECLINE, meaning there is not enough money left in the account; CALL-HOLD meaning there is enough money but someone has done an AUTHORIZATION (not a SALE) which reserves some of the accounts money and will be released after 7-10 days if not DRAFT is received; or just CALL, which usually means the card is stolen or canceled.

This transaction is stored in the batch, if approved, and the approval number is displayed.

Pressing CLEAR returns the unit to its READY state.

(2) CREDIT  - Pressing CREDIT is used for the processing of a CREDIT (as opposed to SALE) draft.  Information same as above but the Verifone does not call to get any kind of authorization.  After all the information is entered the unit returns to the READY state.

This information is stored in the batch with CI in place of MC, VI, etc. to indicate a credit.

(3) FORCE  - Similar to a SALE except that the unit does not call to get an approval number.  Used when an transaction is DENIED, or erased.  The unit does not call to get an approval number.  The information is stored in the batch.

(4) UNDEFINED  - Could be used for special services, like American Express transactions or Collection Services.

(5) CHECK  Something to do with authorization of checks and check cashing, but I'm unclear about this one.

(6) AUTH  - Like SALE, returns approval or decline code but is not stored in batch.  Places a HOLD on the card for the entered amount for 7-10 days.  A sales draft can be sent in based on this, otherwise the HOLD will be removed.  Used to reserve money on the account or to check to see if the card is good.

(7) UNDEFINED  - Can be used for more special services.

(8) CASH-MGMT  I have no idea.  Write in if you have an idea...

(9) BALANCE & SETTLE FUNCTIONS  - At the end of day or whenever the batch is filled (about 100 transactions) a batch number is obtained.  This is a 9-digit number that is used to reference the batch of transactions when dealing with credit corporations.  First one must BALANCE the batch.  Pressing 9 (to BALANCE) will ask for a password (stored in location 053).  Enter this number and press ENTER.  The Verifone will ask for the number of transactions which is simply a count of the number of transactions followed by ENTER.

If this is correct then it will ask for total amount, which is the total amount of all the transactions (the decimal point is not entered but the cents must not be rounded so that if the total was $174.30 it would be 17430) followed by ENTER.  If either the number of transactions of total amount is incorrect, then the Verifone displays the first entry of the batch which is the last 5-digits of the credit card number followed by credit card type (VI, MC, etc.) followed by the 6-digit authorization number, followed by the amount of the transaction.

By entering digits at this time, followed by ENTER, the amount of the transaction can be changed.  The batch is scrolled forward by pressing ENTER.

When the information is correctly entered, the Verifone displays READY (or whatever is stored in location 030.)  When the 9 is pressed again (to SETTLE) it calls to process the batch.  It transmits its information (if any of the information has been changed, it sends it twice) and receives the 9-digit batch number, which it displays.

(0) AUTO  - An auto-dialer of some sort.  Phone numbers can be stored in memory, and pressing AUTO will dial it for you and tell you to pick up the handset when it is finished.  I'm not sure how to use it.

Memory Functions

To review the Verifone's memory, press: FUNC+7

The screen will display: =

and will wait for you to enter three numbers or press ENTER which will start at 000.  Pressing ENTER will increment the location displayed, ALPHA will decrement.

To change the Verifone's memory, press: FUNC+8

You are asked for a password, but this is not the password stored at location 053 (this password is used for functions like getting batch numbers, clearing the batch, changing the information in the batch, etc.)  On the two machines I have checked this password is 166831, which I obtained to when the local authorization phone number was changed.

Valid memory locations of form ### are: 000-399, 400-412, 500-512, 600-612, 700-712, 800-812, 900-912

Location    Information     Meaning (?)

000         12146808459     Phone number of some computer.
019         JXL0001         Type of machine.
021         2-ART,VIDEO     Type of store.
022-029     [EMPTY]
030         READY           Message displayed when machine is ready.
053         123456          Some functions require password, this is it (?)
056,058     18002221455     More computers.
057,059     18005543363     More computers.
100         9299783         More computers.
108         SALE            Message display when (1) SALE key is pressed.
208         CREDIT          Message display when (2) CREDIT key is pressed.
#08                         Locations 108, 208, 308, etc. are messages displayed when that key is pressed.
                            Not true for 008.  Can be changed to whatever you want.
311-399     [EMPTY]

Many of the other locations contain long strings of characters that are some sort of password/ID/information (up to 40 characters, I think) that the Verifone passes when it calls in.  Others are empty or used to store new information.  Changing these can upset the functionality of the unit.  Local numbers are called first, and if no successful connection, then the 1-800 number is called.

Clearing the Batch

Pressing FUNC+6(?) followed by the password (location 053) followed by ENTER.

The Verifone asks: CLEAR BATCH?

Pressing ENTER clears the BATCH, CLEAR cancels this.  To restore the BATCH, FORCE would be used to restore this information instead of SALE, as SALE would obtain a second transaction and approval number.

Unit Send and Unit Receive

Pressing FUNC+* or FUNC+#(?) does UNIT SEND or UNIT RECEIVE which does some sort of upload/download function.  I'm not sure how this one works.

Useful if important memory locations of the Verifone are changed and upset some of the functions, then the central company can replace the information easily.

Conclusion

hope this helps you gain some knowledge about why your credit card was cut.

This was mainly intended for information.  If you think you know how to hack these machines (for what purpose, you got me), write in and tell us all!

Thanks to Shmooey and Vulture for the help.
Return to $2600 Index