Source: d3nrwezfchbhhm.cloudfront.net/media/scap13_preconference/02.pdf
Date posted: 13-Mar-2018

Fundamentals of EMV
Guy Berg, Senior Managing Consultant, MasterCard Advisors
[email protected] · 914.325.8111

EMV Fundamentals (agenda)

• Transaction Processing Comparison – Magnetic Stripe vs. EMV Transaction Security Points
• EMV Application Fundamentals
  - Risk Management
  - On-line authentication
  - Off-line authentication
  - Cardholder Verification Method
  - Offline Authorization
• EMV Component Impact View

[Diagram: EMV component impact view – Card, Terminal, Acquirer, Issuer, Card Issuance System]

Magnetic Stripe Transaction

[Diagram: Terminal → Acquirer System → Payment Brand → Issuer Auth System; track data flows to the issuer and an auth code returns along the same path]

1) Magnetic stripe is easily cloned
2) Terminal performs little or no risk assessment
3) Authorization/Capture message
   - Track data is often in the clear
   - The authentication data is static
4) Authorization/Authentication
   - Risk assessment performed at the host
   - Host cannot recognize cloned cards

EMV Transaction Framework

[Diagram: Terminal → Acquirer System → Payment Brand → Issuer Auth System; new EMV data travels in Field/DE 55 and the ARPC returns to the card]

(1) EMV chip application performs risk assessment
(2) Terminal performs risk assessment
(3) Add EMV Field 55 data – new EMV authentication data
(4) Issuer Authorization Changes
   - Dynamic cryptogram validation
   - May return an authentication cryptogram
   - Post issuance updates

EMV Security Components

• Card Stock Security
  - EMV Configuration
  - Issuance Security
• EMV Data
  - Risk Management Decision Criteria
  - Data Preparation / Key Management
• Online Transaction Security (PIN)
• Offline Transaction Security (PIN)
• EMV Chip Data

EMV Chip Data (EMV tags)

Tag     Chip data element
9F 26   Application Cryptogram
9F 42   Application Currency Code
9F 51   Application Currency Code (VIS)
9F 44   Application Currency Exponent
9F 52   Application Default Action
9F 05   Application Discretionary Data
5F 25   Application Effective Date
5F 24   Application Expiration Date
94      Application File Locator
82      Application Interchange Profile
50      Application Label
9F 12   Application Preferred Name
5A      Application Primary Acct Number
5F 34   Primary Acct Number Seq Number
87      Application Priority Indicator
9F 36   Application Transaction Counter
9F 07   Application Usage Control
9F 08   Application Version Number (ICC)
9F 5D   Application Offline Spending Amount
9F 7F   Card Production Life Cycle History File Identifiers
8C      Card Risk Management Data Object List 1
8D      Card Risk Management Data Object List 2
5F 20   Cardholder Name
9F 0B   Cardholder Name Extended
8E      Cardholder Verification Method List
8F      Certification Authority Public Key Index
9F 53   Consecutive Transaction Limit International
9F 72   Consecutive Transaction Limit International
9F 54   Cryptogram Information Data
9F 5C   Cumulative Total Transaction Amount Limit
9F 49   Dynamic Data Object List
9F 55   Geographic Indicator
9F 2D   ICC PIN Encipherment Public Key Certificate
9F 2E   ICC PIN Encipherment Public Key Exponent
9F 2F   ICC PIN Encipherment Public Key Remainder
9F 46   ICC Public Key Certificate
9F 47   ICC Public Key Exponent
9F 48   ICC Public Key Remainder
9F 0D   Issuer Action Code – Default
9F 0E   Issuer Action Code – Denial
9F 0F   Issuer Action Code – Online
9F 10   Issuer Application Data
9F 56   Issuer Authentication Indicator
9F 11   Issuer Code Table Index
5F 28   Issuer Country Code

EMV Risk Mgmt Data on the Chip

Issuer Action Codes
  - If issuer authentication failure, do not transmit next transaction online
  - If new card, do not decline if unable to go online
  - ...

Issuer Interchange Profile
  - SDA supported
  - DDA supported
  - CDA supported
  - Cardholder verification supported
  - Perform terminal risk management
  - Issuer authentication required / not required

Application Usage Control – valid for:
  - Domestic cash transactions
  - International cash transactions
  - Domestic goods
  - International goods
  - Domestic services
  - International services
  - ATMs
  - Domestic cashback
  - International cashback

Cardholder Verification

CVM List – CVM options:
• No CVM
• Signature
• On-line PIN at ATM
• On-line PIN at POS
• Off-line PIN, plain text
• Off-line PIN, enciphered

[Diagram: example CVM List in preference order – Online PIN at ATM, Offline PIN at POS, Signature, No CVM]
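The CVM List on the card is a binary structure (tag 8E: two 4-byte amounts X and Y, then two-byte rules), and the terminal walks it in the preference order shown above, taking the first rule whose condition holds and whose method the terminal supports. The following is an added example, not code from the slides or from any EMV kernel: it parses a constructed CVM List whose rules follow the slide's order (online PIN for unattended cash, offline PIN, signature, no CVM, with a low-value "no CVM under Y" rule in front) and shows which CVM different terminal profiles end up performing. The terminal capability sets and transaction attributes are constructed inputs.

```python
# Added example (not part of the slides): parsing an EMV CVM List (tag 8E) and
# walking it the way a terminal does during Cardholder Verification.
# The CVM List bytes and terminal capability sets below are constructed.
import struct
from dataclasses import dataclass

# CVM codes (low six bits of rule byte 1) and condition codes (rule byte 2)
CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verification performed by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verification performed by ICC",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
CVM_CONDITIONS = {
    0x00: "Always",
    0x01: "If unattended cash",
    0x02: "If not unattended cash and not manual cash and not purchase with cashback",
    0x03: "If terminal supports the CVM",
    0x04: "If manual cash",
    0x05: "If purchase with cashback",
    0x06: "If transaction is in the application currency and is under X value",
    0x07: "If transaction is in the application currency and is over X value",
    0x08: "If transaction is in the application currency and is under Y value",
    0x09: "If transaction is in the application currency and is over Y value",
}

@dataclass(frozen=True)
class CvmRule:
    code: int               # CVM code, bits 6-1 of byte 1
    continue_on_fail: bool  # bit 7 of byte 1: apply the next rule if this CVM fails
    condition: int          # condition code, byte 2

@dataclass(frozen=True)
class CvmList:
    amount_x: int   # first 4 bytes, binary, application-currency minor units
    amount_y: int   # next 4 bytes
    rules: tuple

def parse_cvm_list(data: bytes) -> CvmList:
    """Decode tag 8E: 4-byte X, 4-byte Y, then a sequence of two-byte CVM rules."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    x, y = struct.unpack(">II", data[:8])
    rules = tuple(
        CvmRule(code=data[i] & 0x3F, continue_on_fail=bool(data[i] & 0x40), condition=data[i + 1])
        for i in range(8, len(data), 2)
    )
    return CvmList(x, y, rules)

def condition_met(rule, cvm_list, supported, *, amount, app_currency,
                  unattended_cash=False, manual_cash=False, cashback=False):
    """Evaluate the rule's condition code against the transaction context."""
    c = rule.condition
    if c == 0x00:
        return True
    if c == 0x01:
        return unattended_cash
    if c == 0x02:
        return not (unattended_cash or manual_cash or cashback)
    if c == 0x03:
        return rule.code in supported
    if c == 0x04:
        return manual_cash
    if c == 0x05:
        return cashback
    if c in (0x06, 0x07, 0x08, 0x09):
        limit = cvm_list.amount_x if c in (0x06, 0x07) else cvm_list.amount_y
        return app_currency and (amount < limit if c in (0x06, 0x08) else amount > limit)
    return False  # unknown condition: the rule is skipped

def select_cvm(cvm_list, supported, **tx):
    """Return the CVM code the terminal would perform, or 0x00 if verification fails."""
    for rule in cvm_list.rules:
        if not condition_met(rule, cvm_list, supported, **tx):
            continue  # condition not satisfied: try the next rule
        if rule.code in CVM_CODES and rule.code != 0x00 and rule.code in supported:
            return rule.code  # recognised and supported: this CVM is performed
        if rule.continue_on_fail:
            continue  # unsupported (or 'fail CVM'), but the rule allows moving on
        return 0x00  # CVM processing fails here
    return 0x00  # list exhausted without a successful CVM

# Constructed CVM List: X = 0, Y = 25.00; rules: no CVM under Y, online PIN if unattended
# cash, plaintext offline PIN if supported, signature if supported (continue on fail),
# no CVM for ordinary purchases.
SAMPLE_CVM_LIST = bytes.fromhex("00000000" "000009C4" "1F08" "4201" "4103" "5E03" "1F02")
```

A POS terminal that supports offline PIN performs plaintext PIN for an amount over Y, an ATM (unattended cash) gets online PIN, a terminal without a PIN pad falls through to signature, and a terminal supporting none of the listed methods ends with CVM failure, which the terminal records in the TVR rather than silently approving.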

EMV Online Transaction Security

EMV On-line Security

• On-line EMV Authentication
• On-the-Behalf EMV Authentication

On-line CAM (Card Authentication)

[Diagram: the online request (ARQC) and EMV transaction data go from the terminal through the Acquirer System and Payment Brand to the Issuer Auth System; the issuer returns the ARPC along the same path. ARQC and ARPC are 3DES cryptograms under a key shared by card and issuer; online PIN]

On-the-Behalf EMV Authentication

[Diagram: the online request (ARQC) and EMV transaction data go from the terminal to the Acquirer System; the Payment Brand performs the EMV authentication and forwards the authorization to the Issuer Auth System, where it appears as a mag stripe transaction; the issuer's auth code returns through the brand]
• EMV data converted to mag stripe
• Auth code converted to EMV response


EMV Off-line Transaction Security

SDA/DDA/CDA Card Authentication

• Offline CAM (Card Authentication)
• Offline CVM (Cardholder Verification)
• Offline Authorization

Off-line Security Options – Off-line Authentication Options

SDA – Static Data; Issuer Public Key Certificate (issuer level certificate)
DDA – Dynamic Data; Issuer Public Key Certificate; ICC Public Key Certificate (card level certificate)
CDA – Combined Data; Issuer Public Key Certificate; ICC Public Key Certificate; Application Cryptogram

Off-line Transaction Authentication – SDA (issuer level certificate)

SDA Card Authentication

[Diagram: the Certification Authority's private key signs the issuer public key, producing the Issuer PK Certificate; the CA public key is loaded to the terminal; the card is loaded with issuer-signed static data]

SDA (Static Data Authentication) authenticates that the card is legitimate.
It does not verify who is using it! The PIN verifies the user.

Offline Cardholder Verification – Off-line Transaction Security PIN

• SDA cards: clear text PIN
• DDA or CDA cards: clear text PIN, or encrypted (enciphered) PIN

Offline Authorization – Offline Risk Data on the Chip

Authorization parameters:
• Consecutive Transaction Counter
• Last Online Application Transaction Counter
• Lower Consecutive Offline Limit
• Upper Consecutive Offline Limit
• Cumulative Total Transaction Amount
• Cumulative Total Transaction Limit

PIN:
• PIN Try Limit
• PIN Try Counter

Authentication data and action codes:
• Certification Authority Public Key Index
• Signed Static Application Data
• Signed Dynamic Application Data
• Static Data Authentication Tag List
• Issuer Action Codes

EMV Security Components – Issuance Security

• Card Stock Security
• On-line Transaction Security
• Off-line Transaction Security
• Issuance Security
• Data Preparation & Key Mgmt Security
• Risk Management Decision Criteria
• EMV Data & Keys

EMV Issuance

[Diagram: the CMS System produces the Emboss/Mag Stripe File; the Key Mgmt System and Data Prep System feed EMV Chip Personalization]

Personalization targets:
> Contact EMV
> Contactless EMV
> Contactless Mag Stripe Emulation

Card Types

Operating System Level
• MULTOS
• Global Platform JavaCard
• Card Vendor 1 Proprietary
• Card Vendor 2 Proprietary
• Card Vendor 3 Proprietary
• Etc.

EMV Card Basics – EMV Application Level
• MasterCard: PayPass Contactless EMV, M/Chip Contact EMV
• Visa: payWave Contactless EMV, VSDC Contact EMV
• American Express
• Discover

Data Level – Personalization Data
• Risk management criteria
• Cardholder data
• Security keys and certificates

Chip OS and Applications
• Card vendors have different chip operating systems
• Brands have different chip application implementations
• Brands have different EMV risk configuration options

Acquirers, Merchants and Terminals

Terminal Perspective – EMV and AID Based Matching Logic

[Diagram: Acquirer System – POS Terminal]

Terminal Operating System
• EMV Contact Kernel: the EMV terminal functions that EMVCo tests against the EMV standards and certifies
• Visa EMV terminal processing functions
• MC EMV terminal processing functions
• AMEX EMV terminal processing functions
• Discover EMV terminal processing functions
• Other brands' EMV terminal processing functions
Each brand has different terminal certification requirements.

Terminal Profile (EMVCo Type Approval)

Unattended Terminal Profile – supports but does not require PIN:
• Chip only cards
• Offline plain text PIN
• Offline enciphered PIN
• No CVM
• SDA
• DDA
• CDA
• Issuer authentication supported

Unattended Terminal Profile – requires PIN:
• Chip only cards
• Offline plain text PIN
• Offline enciphered PIN
• SDA
• DDA
• CDA

Acquirers' Perspective

[Diagram: one Acquirer System serving Customer 1 (Terminal Model 1, Terminal Model 2), Customer 2 (Terminal Model 3), Customer 3, Customer 4 (Integrated EMV Terminal), Customer 5 (Petroleum Pay at the Pump), Customer ... (Kiosk Terminals), through Customer 100]

EMV Transaction Flow

1) Technology Selection
2) Application Selection
3) Card Authentication
4) Processing Restrictions
5) Processing Options
6) Cardholder Verification
7) Terminal Risk Management
8) Terminal Action Analysis
9) Card Action Analysis
10) Go On-line or Not
11) Issuer-to-Card Script Processing

EMV Transaction Flow – key decisions

• Application Selection – What AID?
• Card Authentication Method – SDA, DDA, CDA, No ODA
• Cardholder Verification Method – CVM List preferences
• Offline Authorization Support – Y/N
• Issuer Action Codes – exception processing rules
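Terminal Risk Management (step 7 above) turns the offline risk data on the chip (the Lower/Upper Consecutive Offline Limits and Last Online ATC listed under Offline Authorization) into bits in the Terminal Verification Results, and Terminal Action Analysis (step 8) matches those bits against the Issuer Action Codes (Denial, Online, Default) and the acquirer's Terminal Action Codes to decide between approving offline (TC), going online (ARQC) or declining (AAC). The block below is an added example, not code from the slides or from any kernel: it implements both steps for a constructed floor limit, counters and action codes, and its issuer Default code encodes the slide's rule "if new card, do not decline if unable to go online".

```python
# Added example (not from the slides): terminal risk management setting TVR bits,
# then terminal action analysis matching the TVR against Issuer Action Codes (IAC)
# and Terminal Action Codes (TAC). Limits, counters and action codes are constructed;
# the bit positions are the EMV TVR bit assignments.

# TVR bit masks used here as (byte index, mask); bit 8 of a byte is 0x80
NEW_CARD            = (1, 0x08)  # byte 2: 'New card'
CVM_NOT_SUCCESSFUL  = (2, 0x80)  # byte 3: 'Cardholder verification was not successful'
EXCEEDS_FLOOR_LIMIT = (3, 0x80)  # byte 4: 'Transaction exceeds floor limit'
LCOL_EXCEEDED       = (3, 0x40)  # byte 4: 'Lower consecutive offline limit exceeded'
UCOL_EXCEEDED       = (3, 0x20)  # byte 4: 'Upper consecutive offline limit exceeded'

def set_bit(tvr, bit):
    idx, mask = bit
    tvr[idx] |= mask

def terminal_risk_management(amount, floor_limit, atc, last_online_atc, lcol, ucol, tvr=None):
    """Floor-limit and velocity checks; returns the 5-byte TVR as a list of ints."""
    tvr = list(tvr) if tvr is not None else [0, 0, 0, 0, 0]
    if amount >= floor_limit:
        set_bit(tvr, EXCEEDS_FLOOR_LIMIT)
    # Velocity checking needs both limits and the Last Online ATC register from the card
    if None not in (lcol, ucol, last_online_atc):
        if atc <= last_online_atc:
            # Counter anomaly: treated as both limits exceeded (forces online or decline)
            set_bit(tvr, LCOL_EXCEEDED)
            set_bit(tvr, UCOL_EXCEEDED)
        else:
            offline_count = atc - last_online_atc
            if offline_count > lcol:
                set_bit(tvr, LCOL_EXCEEDED)
            if offline_count > ucol:
                set_bit(tvr, UCOL_EXCEEDED)
        if last_online_atc == 0:
            set_bit(tvr, NEW_CARD)  # card has never been online
    return tvr

def _matches(tvr, mask_a, mask_b):
    """True if any TVR bit is set in either action-code mask."""
    return any(t & (a | b) for t, a, b in zip(tvr, mask_a, mask_b))

def terminal_action_analysis(tvr, iac, tac, online_capable=True, online_failed=False):
    """Decide the cryptogram to request: 'AAC' (decline), 'ARQC' (go online) or 'TC'
    (approve offline). iac/tac are dicts with 'denial', 'online' and 'default' masks."""
    if online_failed:
        # Second GENERATE AC after a failed online attempt: only the Default codes apply
        return "AAC" if _matches(tvr, iac["default"], tac["default"]) else "TC"
    if _matches(tvr, iac["denial"], tac["denial"]):
        return "AAC"
    if online_capable:
        return "ARQC" if _matches(tvr, iac["online"], tac["online"]) else "TC"
    return "AAC" if _matches(tvr, iac["default"], tac["default"]) else "TC"

# Constructed issuer and terminal action codes (no brand's real profile). The issuer's
# Default code leaves 'New card' clear: a new card that cannot go online is not declined.
IAC = {
    "denial":  [0x00, 0x10, 0x00, 0x00, 0x00],  # decline: service not allowed for card product
    "online":  [0x00, 0x08, 0x00, 0x00, 0x00],  # go online: new card
    "default": [0x00, 0x00, 0x00, 0x60, 0x00],  # decline offline: either velocity limit exceeded
}
TAC = {
    "denial":  [0x00, 0x00, 0x80, 0x00, 0x00],  # decline: CVM not successful
    "online":  [0xFC, 0x00, 0x00, 0xF0, 0x00],  # go online: ODA problems or any risk trigger
    "default": [0x00, 0x00, 0x00, 0x00, 0x00],
}
FLOOR_LIMIT = 5000  # constructed, in minor currency units
```

Two details worth noticing: a decline code is checked before the online code, so a TVR that hits both results in an AAC without any network round trip, and the anomaly branch (ATC not greater than the Last Online ATC) is what an offline-only terminal needs to refuse a card whose counters do not advance.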

Application Selection

Card (priority-ordered AIDs):      Terminal AID config data:
  Priority 1: A0000000041010       A0000000031010
  Priority 2: A0000xyz             A0000000041010
  Priority 3: ...                  A0000001523010
                                   A0000000043060
                                   A00000002501
                                   A0000xyz

Identify mutually supported AIDs.

Application Selection Method
• Explicit Selection – displays the choices to the consumer (e.g. "MasterCard Debit" / "XYZ Debit")
• Implicit Selection – terminal automatically selects the AID

Candidate list: P1 A0000000041010, P2 A0000xyz → Selected AID
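The matching step above is mechanical enough to show as code. The block below is an added example, not code from the slides or from any terminal vendor: it builds the candidate list from a constructed card holding the slide's two applications (plus a hypothetical third one the terminal does not know), orders it by the card's Application Priority Indicator, and applies both selection methods. The terminal table uses the AIDs on the slide, keeping the slide's "A0000xyz" placeholder verbatim, and the partial-matching flags are constructed.

```python
# Added example (not from the slides): building the candidate list and selecting an
# application by AID, as the terminal does during Application Selection.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CardApp:
    aid: str       # AID (RID + PIX), hex, as personalised on the card
    label: str     # Application Label (tag 50), shown to the cardholder
    priority: int  # Application Priority Indicator (tag 87); 1 = highest

# Terminal AID table: AID -> whether partial (prefix) matching is allowed for it.
# AIDs are the slide's; the flags are constructed.
TERMINAL_AIDS = {
    "A0000000031010": True,
    "A0000000041010": True,
    "A0000001523010": True,
    "A0000000043060": True,
    "A00000002501": True,
    "A0000xyz": False,  # slide placeholder kept verbatim
}

# Constructed card: the slide's two applications plus one the terminal does not know.
CARD_APPS = (
    CardApp("A0000000041010", "MasterCard Debit", 1),
    CardApp("A0000xyz", "XYZ Debit", 2),
    CardApp("A0000000000001", "Constructed Loyalty App", 3),  # hypothetical AID
)

def candidate_list(card_apps, terminal_aids):
    """Mutually supported applications, ordered by the card's priority indicator.
    A terminal AID flagged for partial matching matches any longer card AID it prefixes."""
    matches = []
    for app in card_apps:
        for t_aid, partial in terminal_aids.items():
            if app.aid == t_aid or (partial and app.aid.startswith(t_aid)):
                matches.append(app)
                break
    return sorted(matches, key=lambda a: a.priority)

def select_application(card_apps, terminal_aids, cardholder_choice: Optional[str] = None):
    """Implicit selection takes the highest-priority candidate; explicit selection
    honours the label the cardholder picked, provided it is in the candidate list."""
    candidates = candidate_list(card_apps, terminal_aids)
    if not candidates:
        return None  # nothing mutually supported: terminal falls back or declines
    if cardholder_choice is None:
        return candidates[0]
    for app in candidates:
        if app.label == cardholder_choice:
            return app
    return None  # the choice was not a valid candidate, so nothing is selected

def candidate_labels(card_apps=CARD_APPS, terminal_aids=TERMINAL_AIDS):
    """Labels the terminal would display for explicit selection."""
    return [a.label for a in candidate_list(card_apps, terminal_aids)]
```

The terminal only ever offers labels from the candidate list, so a cardholder (or a modified card) cannot steer selection to an application the terminal was not configured for.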

Cardholder Verification – CVM List (see the CVM options listed under EMV Security Components above)

EMV Message Data

[Diagram: Terminal → Acquirer System → Payment Brand → Issuer Auth System; EMV data carried in Field/DE 55]
Add EMV Field 55 data – new EMV authentication data

EMV Authorization Message – ISO 8583 Field or DE 55 contents
• Application Cryptogram
• Issuer Application Data
• Application Interchange Profile
• Terminal Verification Result
• Terminal Capabilities
• Cardholder Verification Method Results (CVM)
• Cryptogram Information Data
• Unpredictable Number
• Application Transaction Counter
• Amount, Authorized (Numeric)
• Transaction Currency Code
• Transaction Date
• Transaction Type
• Terminal Country Code
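Field/DE 55 carries these elements as BER-TLV, so the first thing an issuer host (or an on-behalf authenticator) does is parse the TLV stream and check that the cryptogram-related tags are present before it validates the ARQC. The block below is an added example, not code from the slides or from any issuer system: a small BER-TLV parser (multi-byte tags, long-form lengths, constructed templates) applied to a constructed DE 55 payload carrying the elements listed above, with a summary of the fields an issuer examines first. The tag numbers are the standard EMV tags for those elements; all values are made up.

```python
# Added example (not from the slides): decoding the BER-TLV data in ISO 8583
# Field/DE 55 and pulling out the fields the issuer checks first.
# The DE 55 payload below is constructed; tag numbers are the standard EMV tags.

# Tag -> name, for the elements the slide lists in DE 55
DE55_TAGS = {
    "9F26": "Application Cryptogram",
    "9F10": "Issuer Application Data",
    "82":   "Application Interchange Profile",
    "95":   "Terminal Verification Results",
    "9F33": "Terminal Capabilities",
    "9F34": "CVM Results",
    "9F27": "Cryptogram Information Data",
    "9F37": "Unpredictable Number",
    "9F36": "Application Transaction Counter",
    "9F02": "Amount, Authorised (Numeric)",
    "5F2A": "Transaction Currency Code",
    "9A":   "Transaction Date",
    "9C":   "Transaction Type",
    "9F1A": "Terminal Country Code",
}

def parse_tlv(data: bytes):
    """Parse BER-TLV into a list of (tag_hex, value, children); children is a nested
    list for constructed tags (bit 6 of the first tag byte set), otherwise None."""
    out, i, n = [], 0, len(data)
    while i < n:
        if data[i] in (0x00, 0xFF):  # padding between TLVs is permitted
            i += 1
            continue
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:  # multi-byte tag: more bytes follow while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            num = length & 0x7F
            length = int.from_bytes(data[i:i + num], "big")
            i += num
        if i + length > n:
            raise ValueError(f"tag {tag}: length {length} runs past the end of data")
        value = data[i:i + length]
        i += length
        children = parse_tlv(value) if first & 0x20 else None
        out.append((tag, value, children))
    return out

def flatten(tlvs):
    """Flat tag -> value dict; constructed templates contribute their leaf tags."""
    flat = {}
    for tag, value, children in tlvs:
        if children is None:
            flat[tag] = value
        else:
            flat.update(flatten(children))
    return flat

def summarise_de55(de55_hex: str) -> dict:
    """Decode the fields an issuer host inspects before cryptogram verification."""
    f = flatten(parse_tlv(bytes.fromhex(de55_hex)))
    for tag in ("9F26", "9F27", "9F36", "95", "9F02"):
        if tag not in f:
            raise ValueError(f"DE 55 is missing mandatory tag {tag} ({DE55_TAGS[tag]})")
    cid = f["9F27"][0]
    tvr = f["95"]
    return {
        "cryptogram": f["9F26"].hex().upper(),
        "cryptogram_type": {0: "AAC", 1: "TC", 2: "ARQC"}.get(cid >> 6, "RFU"),  # CID bits 8-7
        "atc": int.from_bytes(f["9F36"], "big"),
        "amount": int(f["9F02"].hex()),                     # numeric BCD -> minor units
        "currency": f["5F2A"].hex()[1:] if "5F2A" in f else None,
        "tvr": tvr.hex().upper(),
        "floor_limit_exceeded": bool(tvr[3] & 0x80),        # TVR byte 4 bit 8
        "unknown_tags": sorted(t for t in f if t not in DE55_TAGS),
    }

# Constructed DE 55 payload (hex), in the order the slide lists the elements
SAMPLE_DE55 = (
    "9F26080102030405060708"   # Application Cryptogram (8 bytes, made up)
    "9F100706010A03A00000"     # Issuer Application Data (made up)
    "82023900"                 # AIP
    "95050000008000"           # TVR: 'transaction exceeds floor limit' set
    "9F3303E0F8C8"             # Terminal Capabilities
    "9F3403410302"             # CVM Results: plaintext PIN by ICC, successful
    "9F270180"                 # CID: ARQC requested
    "9F3704DEADBEEF"           # Unpredictable Number
    "9F36020015"               # ATC = 21
    "9F0206000000012000"       # Amount = 120.00
    "5F2A020840"               # Transaction Currency Code 840
    "9A03130913"               # Transaction Date (YYMMDD, made up)
    "9C0100"                   # Transaction Type: purchase
    "9F1A020840"               # Terminal Country Code
)
```

The length check against the end of the buffer is the important defensive detail: DE 55 arrives from the acquirer network, and a length byte that overruns the field should be rejected rather than read past.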

EMV Transaction Framework – Issuer Authorization Changes

[Diagram: Terminal → Acquirer System → Payment Brand → Issuer Auth System; new EMV data in Field/DE 55, ARPC returned]

• EMV ARQC dynamic cryptogram validation
• Authentication cryptogram generation
• Post issuance card updates
• Offline PIN management
• Online PIN management
• Key management
• Authorization assessment rules

EMV at a Glance

[Diagram: Acquirer System – messaging – Issuer Auth System]

– Online CAM and CVM
– Offline CAM and CVM
– Offline Authorization
– Chip Risk Management

Smart Card Alliance · 191 Clarksville Rd. · Princeton Junction, NJ 08550 · (800) 556-6828 · www.smartcardalliance.org

Guy Berg, MasterCard Advisors · 914.325.8111 · [email protected]

