In every payment transaction, there’s a critical moment when the terminal must decide:
Can this transaction be approved offline, or should it reach out to the issuing bank for authorization?
This decision lies at the heart of EMV risk management a balance between security, speed, and network efficiency. The process is governed by one of the most vital configuration parameters in an EMV terminal: the Terminal Action Code – Online (TAC–Online).
While TAC–Denial protects against transactions that must never proceed, TAC–Online acts as the decision-maker that determines when to seek validation from the issuer, ensuring that even uncertain transactions are handled intelligently and securely.
Understanding TAC Online: The “Call Home” Rule for EMV Terminals
The TAC–Online defines the set of conditions under which the terminal should send a transaction to the issuer for online authorization.
This happens when the terminal detects certain risk conditions that are not severe enough for outright denial (as defined in TAC–Denial) but still require the issuer’s confirmation to proceed.
In simple terms, TAC–Online is the safety bridge between acceptance and denial. It empowers the terminal to act prudently escalating uncertain cases to the bank’s decision engine instead of taking risks locally.
When such a condition occurs, the terminal sends a transaction request to the issuer host containing the Transaction Verification Results (TVR), Application Cryptogram (ARQC), and related EMV data for validation. The issuer then verifies the cryptographic authenticity and account status before returning an Authorization Response Cryptogram (ARPC) signaling approval or decline.
The Role of TAC–Online in EMV Risk Management
Every EMV transaction goes through several layers of validation: card authentication, terminal risk management, and cardholder verification. These processes generate insights into whether a transaction can be trusted.
TAC–Online comes into play when these checks indicate potential risk that only the issuer can evaluate with full confidence for example, verifying available funds, suspicious merchant category, or unusual spending patterns.
By defining when to go online, TAC–Online ensures that risk decisions are contextual, data-driven, and dynamic rather than static or overly restrictive.
Conditions That Commonly Trigger TAC–Online
Several conditions can activate TAC–Online beheviour during an EMV transaction. These conditions are defined within the TVR bits and mapped against the TAC–Online code bits.
Common triggers include:
- Offline data authentication failed but the terminal still considers the card potentially valid.
- Transaction amount exceeds the terminal’s offline limit, requiring issuer confirmation.
- Velocity checking or floor limit exceeded meaning too many transactions without issuer approval.
- Cardholder verification method failed, such as incorrect PIN or missing signature.
- Card or terminal version mismatch indicating that configuration updates might be needed.
When any of these conditions are true and their corresponding TAC–Online bits are set, the terminal generates an ARQC (Authorization Request Cryptogram) and routes it to the issuer host for authorization.
How TAC–Online Differs from TAC–Denial
At first glance, TAC–Denial and TAC–Online might appear similar both define actions triggered by risk conditions. However, their purposes and impact differ fundamentally:
Aspect | TAC–Denial | TAC–Online |
Purpose | Prevent transactions that must never proceed | Identify cases that need issuer authorization |
Decision Type | Immediate offline decline | Online authorization attempt |
Severity | High – indicates critical failure or fraud risk | Medium – indicates uncertainty or elevated risk |
Network Usage | No network communication | Requires network communication |
Outcome | Transaction rejected | Transaction sent online for issuer’s decision |
Together, these TAC layers form a hierarchical decision model, ensuring that each transaction is processed at the right level of scrutiny.
TAC–Online in Real World Scenarios
To understand the significance of TAC–Online, consider a few practical examples:
- High-Value Retail Purchase
A customer attempts a large purchase exceeding the terminal’s offline limit. Even if the card passes authentication and PIN verification, the amount surpasses the threshold that the acquirer considers safe for offline approval.
→ The terminal compares the “amount exceeds floor limit” bit in the TVR with TAC–Online, recognizes the condition, and sends the transaction for online authorization.
- Borderline Authentication Case
A card passes Dynamic Data Authentication (DDA) but fails in Combined DDA/AC Generation (CDA) due to communication interference.
→ Instead of declining, the terminal invokes TAC–Online, requesting issuer validation. This minimizes false declines while keeping the network secure.
- Cardholder Verification Issues
If the PIN entry fails twice but other parameters are valid, TAC–Online ensures that the transaction is sent to the issuer rather than declined locally — giving the bank the final decision on approval.
In all these cases, TAC–Online serves as the intelligent middle ground — ensuring that potentially valid transactions are not lost while still maintaining strict compliance.
Balancing Risk, Connectivity and Performance
In the early days of EMV, offline approvals were common due to limited connectivity. Today, with always-on networks and cloud-based host systems, online authorization is fast and efficient. However, even now, TAC–Online plays a critical role in balancing performance with risk control.
If every transaction were sent online, network congestion and issuer load would increase unnecessarily. Conversely, if too many transactions were handled offline, fraud risk would rise. TAC–Online helps strike this equilibrium by defining precisely when online authorization should be triggered ensuring optimal efficiency without compromising safety.
This balance is particularly crucial in transit, fuel, and low-latency payment systems, where milliseconds matter and connectivity can fluctuate. Proper TAC–Online configuration ensures consistent user experience across devices, geographies, and network environments.
TAC–Online in Certification and EMV Testing
During EMV Level 2 and Level 3 certification, TAC–Online configuration undergoes rigorous testing to ensure terminals behave predictably under all scenarios.
EazyPay Tech and other EMV solution providers simulate multiple transaction environments including network failures, offline limits, and authentication mismatches to validate that TAC–Online triggers correctly and aligns with issuer expectations.
This testing ensures that when a terminal moves from the lab to the field, it consistently performs as expected, preserving both transaction security and user experience.
Conclusion: The Bridge Between Terminal and Issuer Intelligence
TAC–Online represents the dynamic intelligence layer in EMV transaction processing. It’s not just a rule set but a communication strategy ensuring that only relevant transactions reach the issuer, reducing unnecessary network load, and preserving security integrity.
It demonstrates how EMV systems combine terminal logic with issuer insight to build a seamless and adaptive payment environment one that’s as secure as it is efficient.
In the next and final part of this series, we’ll explore TAC–Default, the fallback mechanism that ensures business continuity even when connectivity is lost or issuer responses are unavailable.
About EazyPay Tech
At EazyPay Tech, we empower payment device manufacturers, POS solution providers, and financial institutions to achieve end-to-end EMV certification and compliance. Our expert team specializes in EMV Kernel Development, Level 2/3 Testing, and Transaction Risk Parameter Optimization, helping partners configure TAC–Online logic precisely to meet global scheme requirements.
