The document discusses EMV transaction processing and security. It compares magnetic stripe transactions to EMV transactions, noting that EMV uses dynamic cryptograms and risk assessment performed on the chip. It then outlines the key components of EMV including the application, data, and risk management features stored on the chip. Finally, it describes the security methods used in online and offline EMV transactions, such as cryptograms, terminal risk assessment, and issuer authentication.


Fundamentals of EMV

Guy Berg
Senior Managing Consultant
MasterCard Advisors
[email protected]
914.325.8111
EMV Fundamentals

Transaction Processing Comparison
- Magnetic Stripe vs. EMV Transaction Security Points

EMV Application Fundamentals
- Risk Management
- On-line authentication
- Off-line authentication
- Cardholder Verification Method
- Offline Authorization
EMV Component Impact View

(diagram: EMV at the centre, surrounded by the components it affects: Card, Card Issuance System, Terminal, Issuer, Acquirer)
Magnetic Stripe Transaction

(diagram: track data flows from the card through the terminal and acquirer to the payment brand system and the issuer auth system; the auth code returns along the same path)

1) Magnetic stripe is easily cloned
2) Terminal performs little or no risk assessment
3) Authorization/Capture message
   - Track data is often in the clear
   - The authentication data is static
4) Authorization/Authentication at the issuer auth system
   - Risk assessment performed at the host
   - Host cannot recognize cloned cards
EMV Transaction Framework

(diagram: the new EMV data travels in Field/DE 55 from the terminal through the acquirer and payment brand system to the issuer auth system, which returns the ARPC)

(1) EMV chip application performs risk assessment
(2) Terminal performs risk assessment
(3) New EMV authentication data added in Field 55
(4) Issuer authorization changes
   - Dynamic cryptogram validation
   - May return an authentication cryptogram
   - Post issuance updates
EMV Security Components

(diagram: layers of Card Stock Security, Issuance Security, Data Preparation and Key Management Security, and EMV Data feed the Risk Management Decision Criteria / EMV Configuration, which govern Online Transaction Security and Offline Transaction Security)
EMV Chip Data

Tag    Chip Data
9F 26  Application Cryptogram
9F 42  Application Currency Code
9F 51  Application Currency Code VIS
9F 44  Application Currency Exponent
9F 52  Application Default Action
9F 05  Application Discretionary Data
5F 25  Application Effective Date
5F 24  Application Expiration Date
94     Application File Locator
82     Application Interchange Profile
50     Application Label
9F 12  Application Preferred Name
5A     Application Primary Acct Number
5F 34  Primary Acct Number Seq Number
87     Application Priority Indicator
9F 36  Application Transaction Counter
9F 07  Application Usage Control
9F 08  Application Version Number (ICC)
9F 5D  Application Offline Spending Amount
9F 7F  Card Production Life Cycle History File Identifiers
8C     Card Risk Management Data Object List 1
8D     Card Risk Management Data Object List 2
5F 20  Cardholder Name
9F 0B  Cardholder Name Extended
8E     Cardholder Verification Method List
8F     Certification Authority Public Key Index
9F 53  Consecutive Transaction Limit International
9F 72  Consecutive Transaction Limit International
9F 54  Cryptogram Information Data
9F 5C  Cumulative Total Transaction Amount Limit
9F 49  Dynamic Data Object List
9F 55  Geographic Indicator
9F 2D  ICC PIN Encipherment Public Key Certificate
9F 2E  ICC PIN Encipherment Public Key Exponent
9F 2F  ICC PIN Encipherment Public Key Remainder
9F 46  ICC Public Key Certificate
9F 47  ICC Public Key Exponent
9F 48  ICC Public Key Remainder
9F 0D  Issuer Action Code – Default
9F 0E  Issuer Action Code – Denial
9F 0F  Issuer Action Code – Online
9F 10  Issuer Application Data
9F 56  Issuer Authentication Indicator
9F 11  Issuer Code Table Index
5F 28  Issuer Country Code
EMV Risk Mgmt Data on the Chip

Issuer Interchange Profile
- SDA supported
- DDA supported
- CDA supported
- Cardholder verification supported
- Perform terminal risk management
- Issuer authentication required or not

Application Usage Control (valid for):
- Domestic cash transactions
- International cash transactions
- Domestic goods
- International goods
- Domestic services
- International services
- ATMs
- Domestic cashback
- International cashback

Issuer Action Codes
- If issuer authentication failure, do not transmit next transaction online
- If new card, do not decline if unable to go online
- …….
Cardholder Verification

CVM Options
- No CVM
- Signature
- On-line PIN at ATM
- On-line PIN at POS
- Off-line PIN plain text
- Off-line PIN enciphered

CVM List (example, in priority order)
1. Online PIN at ATM
2. Offline PIN at POS
3. Signature
4. No CVM
EMV Online Transaction Security

(EMV Security Components diagram repeated, with Online Transaction Security highlighted)
EMV On-line Security
- On-line EMV Authentication
- On-the-Behalf EMV Authentication
On-line CAM (Card Authentication)

(diagram: the card generates an ARQC over the EMV transaction data; the terminal sends the online request with the ARQC and PIN data through the acquirer and payment brand system to the issuer auth system, which validates the ARQC with the 3DES key shared with the card and returns an ARPC cryptogram to the card)
On-the-Behalf EMV Authentication

(diagram: the online request with the ARQC reaches the payment brand system, which performs the EMV authentication on the issuer's behalf and converts the EMV data to a mag stripe transaction; the issuer auth system sees what appears as a mag stripe transaction and returns an auth code, which is converted back to EMV response data for the terminal)
EMV Offline Transaction Security

(EMV Security Components diagram repeated, with Offline Transaction Security highlighted)
EMV Off-line Transaction Security
- Offline CAM (Card Authentication): SDA/DDA/CDA
- Offline CVM (Cardholder Verification)
- Offline Authorization

Off-line Security Options

Off-line Authentication Options

SDA (Static Data)
- Issuer Public Key Certificate
- Issuer level certificate

DDA (Dynamic Data)
- Issuer Public Key Certificate
- ICC Public Key Certificate
- Card level certificate

CDA (Combined Data)
- Issuer Public Key Certificate
- ICC Public Key Certificate
- Application Cryptogram
- Card level certificate
Off-line Transaction Authentication: SDA (Issuer level certificate)

(diagram: the Certification Authority holds a CA private key and a CA public key; the CA public key is loaded to the terminal; the CA private key signs the issuer public key, producing the issuer PK certificate that is loaded on the card together with the issuer-signed static data)

SDA (Static Data Authentication): card authentication. Authenticates that the card is legitimate. Does not verify who is using it!
PIN: verifies the user.
Offline Cardholder Verification (off-line transaction PIN security)
- SDA cards: clear text PIN
- DDA or CDA cards: clear text PIN, or encrypted (enciphered) PIN
Offline Authorization

Offline Risk Data on the Chip

Authorization parameters
- Consecutive Transaction Counter
- Last Online Application Transaction Counter
- Lower Consecutive Offline Limit
- Upper Consecutive Offline Limit
- Cumulative Total Transaction Amount
- Cumulative Total Transaction Limit

PIN
- PIN Try Limit
- PIN Try Counter

- Certification Authority Public Key Index
- Signed Static Application Data
- Signed Dynamic Application Data
- Static Data Authentication Tag List
- Issuer Action Codes
EMV Security Components

(diagram repeated: Card Stock Security, Issuance Security, Data Preparation and Key Mgmt Security, Risk Management Decision Criteria, Off-line Transaction Security, On-line Transaction Security)
EMV Chip Personalization

(diagram: the CMS produces the Emboss/Mag Stripe File; the Data Prep System and Key Mgmt System supply the EMV Data and Keys; together they feed EMV issuance)

Card Types
> Contact EMV
> Contactless EMV
> Contactless Mag Stripe Emulation
EMV Card Basics: Chip OS and Applications

Operating System Level
- MULTOS
- Global Platform Jav
aCard
- Card Vendor 1 Proprietary
- Card Vendor 2 Proprietary
- Card Vendor 3 Proprietary
- Etc....

EMV Application Level
- MasterCard: PayPass Contactless EMV, Mchip Contact EMV
- Visa: payWave Contactless EMV, VSDC Contact EMV
- American Express
- Discover

Data Level (Personalization Data)
- Risk management criteria
- Cardholder data
- Security keys and certificates

- Card vendors have different chip operating systems
- Brands have different chip application implementations
- Brands have different EMV risk configuration options
Acquirers, Merchants and Terminals

(diagram: Acquirer System connected to the POS Terminal)

Terminal Perspective: EMV and AID Based Matching Logic

Each brand has different terminal certification requirements:
- Visa EMV terminal processing functions
- MC EMV terminal processing functions
- AMEX EMV terminal processing functions
- Discover EMV terminal processing functions
- Others

EMV Contact Kernel: the EMV terminal functions that EMVCo tests against the EMV standards and certifies

Terminal Operating System

Terminal Profile (EMVCo Type Approval)

Unattended Terminal Profile, supports but does not require PIN:
- Chip only cards
- Offline plain text PIN
- Offline enciphered PIN
- No CVM
- SDA
- DDA
- CDA
- Issuer authentication supported

Unattended Terminal Profile, requires PIN:
- Chip only cards
- Offline plain text PIN
- Offline enciphered PIN
- SDA
- DDA
- CDA
Acquirers’ Perspective

(diagram: one acquirer supporting Customer 1 through Customer 100, each with different equipment: Terminal Model 1, Terminal Model 2, Terminal Model 3, an Integrated EMV Terminal, a Petroleum Pay at the Pump System, Kiosk Terminals, ...)
EMV Transaction Flow

Technology Selection
Application Selection
Processing Options
Card Authentication
Processing Restrictions
Card Holder Verification
Terminal Risk Management
Terminal Action Analysis
Card Action Analysis
Go On-line or Not
Issuer-to-Card Script Processing

EMV Transaction Flow

Application Selection
- What AID?

Card Authentication Method
- SDA, DDA, CDA, No ODA

Cardholder Verification Method
- CVM List Preferences

Offline Authorization Support: Y/N

Issuer Action Codes
- Exception processing rules
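Terminal velocity checking over the offline risk data listed earlier (ATC, Last Online ATC, lower/upper consecutive offline limits) followed by terminal action analysis against the Issuer Action Codes, as an added Go example that is not code from the deck or from any terminal vendor. The type and function names and the IAC values are constructed; the IACs encode the slide's rule that a new card is not declined when the terminal cannot go online, and TVR bit positions follow EMV Book 3.

```go
package main

type CardRisk struct {
	ATC           uint16 // 9F36 Application Transaction Counter
	LastOnlineATC uint16 // 9F13 Last Online ATC Register
	LCOL, UCOL    uint8  // 9F14 / 9F23 Lower / Upper Consecutive Offline Limit
}

// VelocityCheck returns the TVR bits set by EMV terminal velocity checking: the number
// of offline transactions since the last online one is compared against LCOL and UCOL.
func VelocityCheck(c CardRisk) (tvr [5]byte) {
	if c.LastOnlineATC == 0 {
		tvr[1] |= 0x08 // TVR byte 2 bit 4: new card (never been online)
	}
	offline := int(c.ATC) - int(c.LastOnlineATC)
	if offline > int(c.LCOL) || offline <= 0 { // ATC not advanced: set both limit bits
		tvr[3] |= 0x40 // TVR byte 4 bit 7: lower consecutive offline limit exceeded
	}
	if offline > int(c.UCOL) || offline <= 0 {
		tvr[3] |= 0x20 // TVR byte 4 bit 6: upper consecutive offline limit exceeded
	}
	return
}

// Constructed Issuer Action Codes (in practice OR-ed with the acquirer's Terminal Action Codes).
var (
	iacDenial  = [5]byte{}                    // nothing is declined offline outright
	iacOnline  = [5]byte{0, 0x08, 0, 0x60, 0} // new card or either offline limit exceeded: go online
	iacDefault = [5]byte{0, 0, 0, 0x20, 0}    // unable to go online: decline only above the upper limit
)

// TerminalActionAnalysis applies the action codes to the TVR: a Denial hit gives AAC, an
// Online hit gives ARQC, and if the terminal cannot go online the Default codes decide.
func TerminalActionAnalysis(tvr, denial, online, deflt [5]byte, canGoOnline bool) string {
	hit := func(m [5]byte) bool {
		for i := range tvr {
			if tvr[i]&m[i] != 0 {
				return true
			}
		}
		return false
	}
	if hit(denial) || !canGoOnline && hit(online) && hit(deflt) {
		return "AAC" // decline offline
	}
	if hit(online) && canGoOnline {
		return "ARQC" // request online authorization
	}
	return "TC" // approve offline
}
```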
Application Selection

Identify mutually supported AIDs

Card AIDs (by priority)     Terminal AID Config Data
1  A0000000041010           A0000000031010
2  A0000xyz                 A0000000041010
3  A0000001523010           A0000000043060
                            A00000002501
                            A0000xyz

Application Selection Method

Explicit Selection
- Displays the choices to the consumer: MasterCard Debit, XYZ Debit

Implicit Selection
- Terminal automatically selects the AID

Selected AIDs
P  AID
1  A0000000041010
2  A0000xyz
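The AID matching and priority ordering on the two slides above, as an added Go example that is not code from the deck or from any payment brand or terminal vendor. The CardApp/TermAID types and function names are constructed; the demo lists are taken from the slide's values, with "A0000xyz" kept as the slide's placeholder AID, and the PartialOK flag adds EMV partial name selection, which the slide does not show.

```go
package main

import (
	"sort"
	"strings"
)

// CardApp is one entry in the card's application directory: AID plus Application Priority Indicator (tag 87; 1 = highest).
type CardApp struct {
	AID      string
	Priority int
}

// TermAID is one AID in the terminal configuration; PartialOK lets it match any card AID it is a prefix of.
type TermAID struct {
	AID       string
	PartialOK bool
}

// Candidates builds the candidate list: card applications the terminal also
// supports, ordered by the card's priority indicator (the terminal's own list
// order does not matter).
func Candidates(card []CardApp, term []TermAID) []CardApp {
	var out []CardApp
	for _, c := range card {
		for _, t := range term {
			a, b := strings.ToUpper(c.AID), strings.ToUpper(t.AID)
			if a == b || t.PartialOK && strings.HasPrefix(a, b) {
				out = append(out, c)
				break
			}
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Priority < out[j].Priority })
	return out
}

// ImplicitSelect is the terminal choosing without prompting the cardholder: the highest-priority
// candidate, or ok=false when nothing is mutually supported (explicit selection would show the list).
func ImplicitSelect(card []CardApp, term []TermAID) (aid string, ok bool) {
	if c := Candidates(card, term); len(c) > 0 {
		return c[0].AID, true
	}
	return "", false
}

// Constructed from the slide: the card's three prioritised AIDs and the terminal's five configured AIDs ("A0000xyz" is the slide's placeholder).
var demoCard = []CardApp{{"A0000000041010", 1}, {"A0000xyz", 2}, {"A0000001523010", 3}}
var demoTerm = []TermAID{{"A0000000031010", false}, {"A0000000041010", false},
	{"A0000000043060", false}, {"A00000002501", false}, {"A0000xyz", false}}
```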
Cardholder Verification

(CVM Options and CVM List slide repeated; see the Cardholder Verification slide above)
EMV Message Data

(diagram: the new EMV authentication data is added in Field/DE 55 of the authorization message and carried through the acquirer and payment brand system to the issuer auth system)
EMV Authorization Message: ISO 8583 Field or DE 55
- Application Cryptogram
- Issuer Application Data
- Application Interchange Profile
- Terminal Verification Result
- Terminal Capabilities
- Cardholder Verification Method Results (CVM)
- Cryptogram Information Data
- Unpredictable Number
- Application Transaction Counter
- Amount, Authorized (Numeric)
- Transaction Currency Code
- Transaction Date
- Transaction Type
- Terminal Country Code
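The DE 55 elements above are carried as BER-TLV; this added Go example (not code from the deck or from any issuer or acquirer system) parses that encoding and decodes the Cryptogram Information Data to tell an ARQC from a TC or AAC. The function names and the sample DE 55 string are constructed; tag numbers follow EMV Book 3 Annex A, which assigns 9F27 to Cryptogram Information Data.

```go
package main

import (
	"encoding/hex"
	"fmt"
)

// ParseTLV decodes flat BER-TLV (the DE 55 encoding) into tag(hex) -> value. Multi-byte
// tags and long-form lengths (81 nn / 82 nn nn) are handled; malformed input is rejected.
func ParseTLV(b []byte) (map[string][]byte, error) {
	out := map[string][]byte{}
	for i := 0; i < len(b); {
		s := i
		if i++; b[s]&0x1F == 0x1F { // multi-byte tag: more bytes while bit 8 is set
			for i < len(b) && b[i]&0x80 != 0 {
				i++
			}
			i++
		}
		if i >= len(b) {
			return nil, fmt.Errorf("truncated tag at offset %d", s)
		}
		tag, n := fmt.Sprintf("%X", b[s:i]), int(b[i])
		if i++; n&0x80 != 0 { // long form: low 7 bits = number of length bytes
			k := n & 0x7F
			if k == 0 || k > 2 || i+k > len(b) {
				return nil, fmt.Errorf("tag %s: bad length encoding", tag)
			}
			for n = 0; k > 0; k-- {
				n, i = n<<8|int(b[i]), i+1
			}
		}
		if i+n > len(b) {
			return nil, fmt.Errorf("tag %s: value truncated", tag)
		}
		out[tag], i = b[i:i+n], i+n
	}
	return out, nil
}

// CryptogramType decodes CID (9F27) bits 8-7: 00 AAC (decline), 01 TC (approve offline), 10 ARQC (go online).
func CryptogramType(cid byte) string { return []string{"AAC", "TC", "ARQC", "RFU"}[cid>>6] }

// Constructed sample DE 55 (not a real transaction): AC, CID 80 (ARQC), ATC 0012, AIP, amount, currency, date, type.
const sampleDE55 = "9F26080123456789ABCDEF9F2701809F3602001282025800" + "9F02060000000100005F2A0208409A032403159C0100"

func main() {
	b, _ := hex.DecodeString(sampleDE55)
	fmt.Println(ParseTLV(b))
}
```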
EMV Transaction Framework

(diagram repeated: new EMV data in Field/DE 55 from the terminal through the acquirer and payment brand system to the issuer auth system, which returns the ARPC)

Issuer Authorization Changes
- EMV ARQC dynamic cryptogram validation
- Authentication cryptogram generation
- Post issuance card updates
- Offline PIN management
- Online PIN management
- Key management
- Authorization assessment rules
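The On-line CAM exchange shown earlier and the first two issuer changes listed above (ARQC validation, authentication cryptogram generation), as an added Go example that is not code from the deck or from any issuer system. It assumes the per-transaction session key is already shared between card and issuer host (real cards derive it from a card master key and the ATC, and brands define their own cryptogram versions), uses the ISO 9797-1 Algorithm 3 retail MAC for the ARQC and EMV ARPC method 1 for the response; the function names, keys and data are constructed.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
)

// xor returns a XOR b for two 8-byte blocks.
func xor(a, b []byte) []byte {
	out := make([]byte, 8)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// tdes encrypts one block under a 16-byte double-length 3DES key (K1||K2||K1).
func tdes(key16, blk []byte) []byte {
	c, _ := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	out := make([]byte, 8)
	c.Encrypt(out, blk)
	return out
}

// GenerateARQC is the card side: ISO 9797-1 Algorithm 3 retail MAC (single-DES CBC under
// K1, final decrypt-K2/encrypt-K1) over the CDOL1 data, keyed with the shared session key.
func GenerateARQC(sk, cdol []byte) []byte {
	msg := append(append([]byte{}, cdol...), 0x80) // ISO 9797-1 padding method 2
	msg = append(msg, make([]byte, (8-len(msg)%8)%8)...)
	k1, _ := des.NewCipher(sk[:8])
	k2, _ := des.NewCipher(sk[8:])
	h := make([]byte, 8) // CBC chaining value starts at the zero IV
	for i := 0; i < len(msg); i += 8 {
		k1.Encrypt(h, xor(h, msg[i:i+8]))
	}
	k2.Decrypt(h, h)
	k1.Encrypt(h, h)
	return h
}

// IssuerValidate is the host side: recompute the ARQC from the DE 55 data, compare in
// constant time, and on success return the ARPC (method 1: 3DES of ARQC XOR ARC||00..).
func IssuerValidate(sk, cdol, arqc []byte, arc string) (arpc []byte, ok bool) {
	if subtle.ConstantTimeCompare(GenerateARQC(sk, cdol), arqc) != 1 {
		return nil, false // wrong key, altered data or a cloned/static card: decline
	}
	pad := make([]byte, 8) // 2-byte authorization response code ("00" = approved), zero padded
	copy(pad, arc)
	return tdes(sk, xor(arqc, pad)), true
}
```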
EMV at a Glance

(diagram: Issuer Auth System and Acquirer System exchanging messaging)

Messaging
- Online CAM and CVM
- Offline CAM and CVM
- Offline Authorization
- Chip Risk Management
Guy Berg
Mastercard Advisors
914.325.8111
[email protected]

Smart Card Alliance
191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828
www.smartcardalliance.org