Acquirer-Only Processing

Acquirer-only processing is used where the Acquirer is also the Card Issuer. The simplified data flow diagram shows the processing that has security implications. When a message is received from the Terminal by the Host, the Host establishes the validity of the message by verifying the MAC (the process depends on whether or not a PIN is in use for the transaction).

The Acquirer Host checks the cardholder’s account for availability of funds and similar conditions (no HSM involvement). If a PIN is in use (sent encrypted from the Terminal to the Host), the HSM uses one of a standard range of verification algorithms to confirm that the PIN is correct.

The Host produces the MAC for the response message to be sent to the Terminal. This includes the Authorization Parameter (Auth Para) if the response message indicates acceptance of the transaction, and excludes it if the transaction is not accepted (Auth Para is a cryptographically-generated value).

If a cardholder enters an incorrect PIN, the Acquirer returns a "decline" type of response, usually with a request to re-enter the PIN. A re-entry is processed as a new transaction.
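
The request/response leg described above, as an added sketch that is not part of the original page or any vendor's code. HMAC-SHA-256 stands in for the HSM's MAC algorithm, and the key, Auth Para value, message layout and function names are all constructed for illustration. It assumes the Terminal holds the same MAC key and Auth Para, so it can recompute the response MAC.

```python
import hashlib
import hmac

# Constructed demo values; a real Host keeps key material inside the HSM.
MAC_KEY = b"demo-mac-key-not-for-production"
AUTH_PARA = bytes.fromhex("5a11c39e4207d86b")  # stand-in for the generated value


def mac(key: bytes, data: bytes) -> bytes:
    """Stand-in MAC (truncated HMAC-SHA-256), not the scheme's own algorithm."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def host_build_response(request: bytes, request_mac: bytes,
                        pin_ok: bool, funds_ok: bool):
    """Host side: verify the request MAC, decide, then MAC the response.

    pin_ok and funds_ok represent the HSM PIN check and the account check.
    Returns (body, response_mac), or None if the request MAC is invalid.
    """
    if not hmac.compare_digest(mac(MAC_KEY, request), request_mac):
        return None  # message not valid: no further processing
    approved = pin_ok and funds_ok
    body = b"RESP|" + (b"APPROVED" if approved else b"DECLINED")
    # Auth Para enters the MAC calculation only when the transaction is accepted.
    mac_input = body + AUTH_PARA if approved else body
    return body, mac(MAC_KEY, mac_input)


def terminal_check_response(body: bytes, response_mac: bytes) -> str:
    """Terminal side: recompute the MAC the same way and compare."""
    approved = body.endswith(b"APPROVED")
    expected = mac(MAC_KEY, body + AUTH_PARA if approved else body)
    if not hmac.compare_digest(expected, response_mac):
        return "reject"
    return "approved" if approved else "declined"


if __name__ == "__main__":
    req = b"REQ|amount=1000"  # constructed request body
    body, tag = host_build_response(req, mac(MAC_KEY, req), True, True)
    print(body, tag.hex(), terminal_check_response(body, tag))
```
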

The Terminal optionally sends a Completion Confirmation containing a MAC, which the Host checks. The last message, the Completion Response, also contains a MAC, generated by the Host.