View
2
Download
0
Category
Preview:
Citation preview
Br ian Summerhayes
Managing Director
Barnes Internat ional
© 2014 BARNES INTERNATIONAL LIMITED 1
Personalisation Quality Control of EMV Cards
ICMA EuroForum
Munich, October 2014
Agenda
Payment Application Personalisation Quality Control
Offline Card Personalisation Validation Testing QC
Inline QC + Offline Card Personalisation Validation Testing QC
100% Inline QC with Card Personalisation Testing Validation QC
© 2014 BARNES INTERNATIONAL LIMITED 2
Personalisation Quality Control Testing
© 2014 BARNES INTERNATIONAL LIMITED 3
Personalisation Quality Control – Why?
© 2014 BARNES INTERNATIONAL LIMITED 4
Chip cards have far more complicated coding compared with a simple magnetic stripe
Chip cards have far more information inside them compared with a magnetic stripe
Dual interface cards are also complex to code with shared parameters
• Magnetic Stripe vs Chip Data
• Correct Keys • Validation vs
Payments Scheme
• Issuer/ Card Tag values
Data sent to card during personalisation
© 2014 BARNES INTERNATIONAL LIMITED 5
Data Elements
Magnetic StripeContact Chip DataContactless Chip Data (if DI or CL card)Cryptographic KeysEmbossing on card facePrinting, including CVV on reverse
Card Personalisation
© 2014 BARNES INTERNATIONAL LIMITED 6
Most of the data fields are particular to one type of card template for each issuer, e.g. CVM List
Some of the data fields will be unique to the cardholder e.g. Account Number (PAN) and cardholder name
Some of the data fields should be standard across all products e.g. Issuer Country Code
Potential Personalisation Errors
© 2014 BARNES INTERNATIONAL LIMITED 7
Data errors
Magnetic Stripe encoding errorsCardholder data Transposition errorsCryptographic ErrorsFormatting Errors Incorrect Perso Data, e.g. Country / Currency code missmatch
Specification errors
Personalisation QC
© 2014 BARNES INTERNATIONAL LIMITED 8
Quality Control of the cards in manufacturing and during personalisation is essentialChip cards – many data Tags any one of which could be incorrectly set upChip cards are far more expensive than magnetic stripe and thus are costly
to reissueReputation/customer service impact can result in substantial lost revenue
Offline or Inline Quality Control of the cards during personalisationOfflineSingle Card tests with Batch Testing
InlineEnables 100% testing
PersoMachine Controller
EMV Card Perso with Offline QC
© 2008-2014 BARNES INTERNATIONAL LIMITED 9
PersoData File
Mag-Stripe Encode Emboss Chip Perso
Finished Card
Blank Card
Card Movement Perso Data Flow
CryptoKeys
Chip TAG
ValuesEmboss
DataMag
Stripe Data
Audit Log
Audit Data Flow
Offline CPT
Offline Perso QC Testing Card Personalisation Validation Testing Tool
Validates data to EMV and payment scheme requirements Confirms chip, Mag-stripe and embossing correlation Identifies incorrect data Contact and Contactless chip validation testsMultiple Application data validation -single card insertionMulti-level user interface for Production, QA & Bank personnel with complete analysis
facilities for Experts
Validation – Standard Card Perso Tool (“CPT”)
All the features of a CPT, PLUS: Test Script development Issuer scripts and Cryptography
Host Simulation + HSM interface (e.g. with Thales 8000/9000 and Safenet)
Test Development + Card Validation
10© 2014 BARNES INTERNATIONAL LIMITED
Validation Test Report
1. Summary of Test
2. Individual Fail/ Observations with Explanatory Annotations
3. Refers to Applicable Specification
4. List of all Tags Tested & Result
© 2014 BARNES INTERNATIONAL LIMITED 11
3
4
2
1
Offline QC Testing Architecture
© 2008-2014 BARNES INTERNATIONAL LIMITED 12
CPT GUI
Card Reader Interface
Certification Test Scripts and Scenarios
MC CPV/ Visa GPR etc
QC Test Scripts and Scenarios
Bespoke Scripts & Scenarios
CPT Test Engine
Card Reader(s)Contact/ CL/ DI
PersoMachine Controller
Inline QC Testing – Offline EMV Data Validation
© 2008-2014 BARNES INTERNATIONAL LIMITED 13
PersoData File
Mag-Stripe Read
Mag-Stripe Encode Emboss Chip Perso
Reject Bin
Test StationFinished Card
Blank Card
Card Movement Perso Data Flow
Chip Read Camera Image Gate
CryptoKeys
Chip TAG
ValuesEmboss
DataMag
Stripe Data
Audit Log
QC Data Flow
Offline CPT
Magnetic Stripe QC
© 2014 BARNES INTERNATIONAL LIMITED 14
Magnetic Stripe – standard inline QC
Collected by Magnetic Stripe read headReads all 3 tracksMagnetic stripe data sent to Perso Machine ControllerValidation vs input file
Drawback: System assumes data sent in Perso file was valid
Magnetic Stripe – QC data validated by inline Card Perso Tool
Collected by Magnetic Stripe read headReads all 3 tracksMagnetic stripe data sent via Perso Machine Controller to CPTCorrelation vs ISO data rulesValidation vs input file &/or against Magnetic Stipe equivalent data in ChipValidation of iCVV/ Chip CVC/ iCSC/ Chip CAV
Contact Chip QC
© 2014 BARNES INTERNATIONAL LIMITED 15
Contact Chip Data – standard inline QC
Chip ATR activated and read by Contact couplerATR sent to Perso Machine ControllerConfirms that chip is working
Drawback: Unable to fully validate personalised data
Contact Chip Data – QC data validated by inline Card Perso Tool
ATR activated and APDUs sent to the chip by Contact couplerAPDU responses data sent via Perso Machine Controller to CPTCorrelation vs EMV, Payment Scheme Application rulesValidation of Tag values against test Scenario values (Issuer / card)Chip Data Validation vs Mag Stripe & Contactless ChipValidation that correct Keys were put onto the card
Contactless Chip QC
© 2014 BARNES INTERNATIONAL LIMITED 16
Contactless Chip Data – standard inline QC
Chip ATS activated and read by Contactless couplerATS read and sent to Perso Machine ControllerConfirms that contactless chip is working
Drawback: Unable to fully validate personalised data
Contactless Chip Data – QC data validated by inline Card PersoToolATS activated and APDUs sent to the chip by Contact couplerAPDU responses data sent via to Perso Machine Controller to a CPTCorrelation vs EMV, Payment Scheme Application rulesValidation of Tag values against test Scenario values (Issuer / card)Contactless Chip Data Validation vs Mag Stripe & Contact ChipValidation that correct Keys were put into the contactless chip
Embossing Verification
© 2014 BARNES INTERNATIONAL LIMITED 17
Embossing – standard inline QC
Camera recognition checks character impression on spent topping foil Uses OCR recognition to recreate embossing data Embossing sent to Perso Machine Controller Validation vs input file
Drawback: No validation against Mag Stripe or Chip cardholder data, issue and expiry dates
Embossing – QC data validated by inline Card Perso Tool Camera recognition checks character impression on spent topping foil Uses OCR recognition to recreate embossing data Embossing sent via Perso Machine Controller to CPT Validation vs Data personalised in Magnetic Stripe and Chip
Advantage: This is superior to an offline CPT where operator checks embossing against screen image
Card Stock Verification
© 2014 BARNES INTERNATIONAL LIMITED 18
Card Stock verification – standard inline QC
Vision system captures image of front and back of card including stock reference Images sent to Perso Machine Controller Validation vs images of correct card stock for the card batch
Drawback: Validation separate from the rest of card validation test
Card Stock verification – QC data validated by inline Card PersoTool Vision system captures image of front and back of card including stock reference Images sent via Perso Machine Controller to a Card Perso Tool (CPT) Card stock reference recorded in card validation file
Potential for 100% Data QC
© 2014 BARNES INTERNATIONAL LIMITED 19
Data – read by Mag Reader/ Chip CouplersMagnetic StripeContact Chip DataContactless Chip Data (if DI or CL card)Cryptographic Keys
Data – read by CameraEmbossing on card facePrinting, including card stock ID and CVV on reverse
For 100% QC All Data Elements should be Validated
Inline QC Testing Architecture
© 2008-2014 BARNES INTERNATIONAL LIMITED 20
Offline CPT with GUI
Scenario creationFailure investigation
QC Test Scripts and Scenarios
Bespoke Scripts & Scenarios
CPT Test Engine
Perso Machine Interface Module
Card Perso Machine
Inline QC Testing with Card Personalisation Validation
Machinery Manufacturer QC module(s) to collect dataMagnetic Stripe Contact and Contactless Chip Data Printed/ Embossed Data
Data Collection: Machine Modules
Validates data to EMV and payment scheme requirements Confirms chip, Mag-stripe and embossing correlation (depending on machine modules)
Identifies incorrect data or keys
Contact and Contactless chip validation testsMultiple Application data validation
Validation: CPT Test Engine
Good / Bad card result Bad card reject Test Result recorded – for audit purposes
Test Results can be saved
Reporting: Machine interface + CPT Report
21© 2014 BARNES INTERNATIONAL LIMITED
PersoMachine Controller
Inline Testing – 100% EMV Validation QC
© 2008-2014 BARNES INTERNATIONAL LIMITED 22
PersoData File
Mag-Stripe Read
Mag-Stripe Encode Emboss Chip Perso
Reject Bin
Test Station with inline CPT
moduleFinished Card
Blank Card
Card Movement Perso Data Flow
Chip Read Camera Image Gate
CryptoKeys
Chip TAG
ValuesEmboss
DataMag
Stripe Data
QC Management
Audit LogOffline CPT
Test Scenarios
QC Data Flow
Offline CPT
Inline Testing
© 2008-2014 BARNES INTERNATIONAL LIMITED 23
Data loaded into card using “Store Data” APDUs, data is organised in Data Group Indicators (DGIs)
Differences in techniques and formats depending on the card stock and operating system
Data extracted from card using EMV defined APDUs, data is organised by files and records
All cards must present the same interface to the terminal, regardless of internal organisation
Benefits of 100% Inline QC
100% of Cards Tested in Real Time
Efficient use of Human Resources
Inline QC can work 24/7 and does not get tired or distracted No extra time & no extra QC staff required Faster ROI
No Human Intervention – better Data Security
Full Data Validation
EMV and Payment Scheme rules, TAG Values and Keys
Source: Datacard 24© 2014 BARNES INTERNATIONAL LIMITED
Br ian Summerhayes
bsummerhayes@barnestest .com
www.barnestest .com
b a r n es - inter n at ion a l - l td @ ba r nes_ test
© 2014 BARNES INTERNATIONAL LIMITED 25
100% Personalisation Quality Control
Thank you for your attention – Questions
Recommended