Page 1: EMV chip cards

EMV Transaction Flow

Page 2: EMV chip cards

Contents

Introduction to EMV
Traditional MSR vs EMV transaction flow
Online data authentication
Offline data authentication
EMV migration
Security in e-commerce

Page 3: EMV chip cards

Introduction to EMV

EMV is a technical standard for smart payment cards (IC cards) and for the terminals that process them. Building on ISO/IEC 7816, it defines the interaction at the physical, electrical, data and application levels between the card and the terminal for a financial transaction.

EMV stands for Europay, MasterCard and Visa, the three companies that originally created the standard.

The standard is now managed by EMVCo, a consortium in which control is split equally among Visa, Mastercard, JCB, American Express, China UnionPay and Discover.

EMV cards are also called IC credit cards or chip-and-PIN cards. EMV was introduced to improve security (fraud reduction) and to give the issuer finer control over "offline" credit-card transaction approvals. One of the original goals of EMV was to allow multiple applications to be held on one card, for example a credit application and a debit application, or an e-purse.

Page 4: EMV chip cards

Traditional MSR (magnetic stripe) vs EMV Transaction Flow

Page 5: EMV chip cards

EMV Transaction Flow

Page 6: EMV chip cards

EMV Transaction Flow

Application Selection: the chip is personalised with an application version number and the Application Identifiers (AIDs) of the applications the issuer supports. The terminal builds the list of applications supported by both card and terminal (from the card's Payment System Environment directory, or by issuing SELECT for each AID the terminal knows) and selects one. The AID determines which application the terminal runs and therefore how the transaction is routed to the issuer bank.

In its response to SELECT (the File Control Information) the card may return a PDOL (Processing Options Data Object List): the list of terminal data elements, as tags and lengths without values, that the card wants to receive in the GET PROCESSING OPTIONS command that starts the transaction. The card answers GET PROCESSING OPTIONS with the Application Interchange Profile (AIP), which says which authentication methods it supports, and the Application File Locator (AFL), which tells the terminal which records to read.
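The exchange described above, as an added example that is not part of the original slides: a minimal BER-TLV parser pulls the PDOL (tag 9F38) out of the SELECT response, and the terminal builds the GET PROCESSING OPTIONS command from it. The FCI bytes and the terminal values are constructed for the demo; the DOL padding rules follow EMV Book 3 section 5.4.

```python
"""Added example (not from the original slides): parse the SELECT response (FCI),
pull out the PDOL, and build the GET PROCESSING OPTIONS command from it.
The FCI bytes and terminal values below are constructed for the demo."""

# Tags that EMV Book 3 defines with format "n" (numeric, BCD). Per the DOL rules
# these are left-truncated or padded with leading zeros; everything else is
# right-truncated or padded with trailing zeros.
NUMERIC_TAGS = {"9F02", "9F03", "9F1A", "5F2A", "9A", "9C"}


def _read_tag(data: bytes, i: int):
    """Return (tag_hex, next_index). A tag is 1 byte, or longer if its low 5 bits are all 1."""
    start = i
    if data[i] & 0x1F == 0x1F:
        i += 1
        while data[i] & 0x80:          # further tag bytes keep bit 8 set while more follow
            i += 1
    return data[start:i + 1].hex().upper(), i + 1


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser returning {tag: value}. Constructed tags (bit 6 of the
    first tag byte set, e.g. 6F and A5) are flattened into the same dict."""
    out, i = {}, 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):    # padding allowed between objects
            i += 1
            continue
        tag, i = _read_tag(data, i)
        length = data[i]
        i += 1
        if length & 0x80:              # long form: low bits give the number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if int(tag[:2], 16) & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def parse_dol(dol: bytes) -> list:
    """A DOL (PDOL, CDOL1, DDOL, ...) is a list of tag+length pairs with no values."""
    entries, i = [], 0
    while i < len(dol):
        tag, i = _read_tag(dol, i)
        entries.append((tag, dol[i]))
        i += 1
    return entries


def build_dol_data(entries: list, terminal_data: dict) -> bytes:
    """Concatenate the terminal's values in DOL order. A tag the terminal does not
    have is sent as zeros of the requested length, as EMV Book 3 section 5.4 requires."""
    out = b""
    for tag, length in entries:
        value = terminal_data.get(tag, b"")
        if tag in NUMERIC_TAGS:
            value = value[-length:].rjust(length, b"\x00")
        else:
            value = value[:length].ljust(length, b"\x00")
        out += value
    return out


def gpo_apdu(fci: bytes, terminal_data: dict) -> bytes:
    """GET PROCESSING OPTIONS: CLA 80 INS A8, data = tag 83 wrapping the PDOL values
    (an empty 83 00 if the card returned no PDOL), then Le = 00."""
    pdol_values = build_dol_data(parse_dol(parse_tlv(fci).get("9F38", b"")), terminal_data)
    body = bytes([0x83, len(pdol_values)]) + pdol_values
    return bytes([0x80, 0xA8, 0x00, 0x00, len(body)]) + body + b"\x00"


# Constructed FCI for AID A0000000031010 whose PDOL asks for TTQ, amounts, terminal
# country code, TVR, currency code, date, transaction type and unpredictable number.
SAMPLE_FCI = bytes.fromhex(
    "6F2C8407A0000000031010A5215004564953419F3818"
    "9F66049F02069F03069F1A0295055F2A029A039C019F3704")

# Constructed terminal values. In a real terminal 9F37 must come from a CSPRNG
# (os.urandom); it is fixed here only so the output is reproducible.
SAMPLE_TERMINAL = {
    "9F66": bytes.fromhex("36000000"), "9F02": bytes.fromhex("000000001500"),
    "9F03": bytes.fromhex("000000000000"), "9F1A": bytes.fromhex("0840"),
    "95": bytes(5), "5F2A": bytes.fromhex("0840"), "9A": bytes.fromhex("151001"),
    "9C": b"\x00", "9F37": bytes.fromhex("DEADBEEF"),
}

if __name__ == "__main__":
    print(gpo_apdu(SAMPLE_FCI, SAMPLE_TERMINAL).hex().upper())
```

The point to notice is that the card dictates the layout of the data the terminal sends: a terminal that pads or truncates a field differently from the rules will produce a GPO data block the card cannot parse, and the same DOL logic is reused for CDOL1 at GENERATE AC and for the DDOL at INTERNAL AUTHENTICATE.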

Page 7: EMV chip cards

Terminal Risk Management and Terminal Action Analysis

Terminal risk management is performed by the terminal to decide whether the transaction should go online. It checks the transaction amount against the terminal floor limit (an offline ceiling), may select the transaction randomly for online processing, and performs velocity checking against the card's consecutive-offline limits. Each finding is recorded as a bit in the Terminal Verification Results (TVR).

Terminal action analysis then compares the TVR with the Issuer Action Codes read from the card and the Terminal Action Codes configured in the terminal to decide between offline approval, online authorization and offline decline.

The card's CDOL1 (Card Risk Management Data Object List 1) lists the tags the card wants to receive (for example amount, terminal country code, TVR and unpredictable number) so that it can make its own decision on whether to approve or decline the transaction. The terminal sends this data and requests a cryptogram with the GENERATE APPLICATION CRYPTOGRAM command, usually called the first GENERATE AC.

Depending on the terminal's decision (offline, online, decline), the terminal requests one of the following cryptograms from the card:

• Transaction Certificate (TC): offline approval
• Authorization Request Cryptogram (ARQC): online authorization
• Application Authentication Cryptogram (AAC): offline decline

The card may return the requested type or a more restrictive one (an ARQC or AAC when a TC was requested) based on its own card risk management.

For an online transaction the ARQC is sent to the issuer, which verifies it and responds with an authorization response code (accepting or declining the transaction), an Authorization Response Cryptogram (ARPC) that the card uses to authenticate the issuer, and optionally issuer scripts (commands to be forwarded to the card, for example to unblock the PIN or update limits). The terminal passes the response to the card and issues a second GENERATE AC, in which the card gives its final decision (TC or AAC).
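Terminal risk management and terminal action analysis, as an added example that is not part of the original slides. The decision logic follows EMV Book 3 sections 10.6 and 10.7 (any TVR bit that is also set in IAC-Denial or TAC-Denial gives an AAC, any match with the Online codes gives an ARQC, an offline-only terminal falls back to the Default codes) and ends with the P1 byte of the first GENERATE AC. The IAC and TAC values, floor limit and ATC values are constructed for the demo; on a real terminal the IACs come from the card (tags 9F0D, 9F0E, 9F0F) and the TACs from the acquirer's configuration.

```python
"""Added example (not from the original slides): terminal risk management and
terminal action analysis as described in EMV Book 3 sections 10.6 and 10.7,
ending with the P1 byte of the first GENERATE AC. Action codes and transaction
data are constructed for the demo."""

# Bits of the 5-byte TVR used in this demo, as (byte, bit), both numbered from 1
# as in the specification.
TVR_BITS = {
    "offline_da_not_performed": (1, 8),
    "sda_failed": (1, 7),
    "dda_failed": (1, 4),
    "cvm_not_successful": (3, 8),
    "pin_try_limit_exceeded": (3, 6),
    "exceeds_floor_limit": (4, 8),
    "lcol_exceeded": (4, 7),
    "ucol_exceeded": (4, 6),
    "random_online": (4, 5),
    "merchant_forced_online": (4, 4),
}


def tvr_mask(*names: str) -> bytes:
    """Build a 5-byte TVR / IAC / TAC value with the named bits set."""
    out = bytearray(5)
    for name in names:
        byte, bit = TVR_BITS[name]
        out[byte - 1] |= 1 << (bit - 1)
    return bytes(out)


def terminal_risk_management(amount: int, floor_limit: int, atc: int,
                             last_online_atc: int, lcol: int, ucol: int,
                             random_selected: bool = False) -> bytes:
    """Return the byte-4 findings of terminal risk management as a TVR value.
    amount/floor_limit are minor units; atc and last_online_atc are tags 9F36/9F13;
    lcol/ucol are the card's consecutive offline limits (tags 9F14/9F23)."""
    findings = []
    if amount > floor_limit:
        findings.append("exceeds_floor_limit")
    if random_selected:
        findings.append("random_online")
    offline_count = atc - last_online_atc        # velocity checking
    if offline_count > lcol:
        findings.append("lcol_exceeded")
    if offline_count > ucol:
        findings.append("ucol_exceeded")
    return tvr_mask(*findings)


def _any_match(tvr: bytes, mask_a: bytes, mask_b: bytes) -> bool:
    """True if any bit set in the TVR is also set in either action code."""
    return any(t & (a | b) for t, a, b in zip(tvr, mask_a, mask_b))


def terminal_action_analysis(tvr: bytes, iac: dict, tac: dict,
                             online_capable: bool = True) -> str:
    """Decide the cryptogram type to request: AAC (decline), ARQC (go online) or TC.
    iac and tac map 'denial', 'online' and 'default' to 5-byte masks."""
    if _any_match(tvr, iac["denial"], tac["denial"]):
        return "AAC"
    if online_capable:
        return "ARQC" if _any_match(tvr, iac["online"], tac["online"]) else "TC"
    # Offline-only terminal: the Default codes decide instead of going online.
    return "AAC" if _any_match(tvr, iac["default"], tac["default"]) else "TC"


def generate_ac_p1(cryptogram: str, cda_requested: bool = False) -> int:
    """P1 of GENERATE AC: bits 8-7 select the cryptogram type, bit 5 requests a CDA signature."""
    return {"AAC": 0x00, "TC": 0x40, "ARQC": 0x80}[cryptogram] | (0x10 if cda_requested else 0x00)


# Constructed action codes: decline offline if data authentication failed; go online
# when above the floor limit, randomly selected, CVM failed or the lower offline limit is hit.
SAMPLE_IAC = {
    "denial": tvr_mask("sda_failed", "dda_failed"),
    "online": tvr_mask("exceeds_floor_limit", "lcol_exceeded", "random_online", "cvm_not_successful"),
    "default": tvr_mask("ucol_exceeded", "offline_da_not_performed"),
}
SAMPLE_TAC = {
    "denial": tvr_mask("pin_try_limit_exceeded"),
    "online": tvr_mask("merchant_forced_online"),
    "default": tvr_mask("exceeds_floor_limit"),
}


def decide(amount: int, floor_limit: int = 2500, atc: int = 10, last_online_atc: int = 8,
           lcol: int = 5, ucol: int = 10, prior_tvr: bytes = bytes(5),
           online_capable: bool = True) -> tuple:
    """Run TRM, merge its findings into the TVR built up by the earlier steps, and
    return (cryptogram type, GENERATE AC P1, final TVR)."""
    trm = terminal_risk_management(amount, floor_limit, atc, last_online_atc, lcol, ucol)
    tvr = bytes(p | r for p, r in zip(prior_tvr, trm))
    crypto = terminal_action_analysis(tvr, SAMPLE_IAC, SAMPLE_TAC, online_capable)
    return crypto, generate_ac_p1(crypto), tvr


if __name__ == "__main__":
    for amt in (1200, 9900):
        print(amt, decide(amt))
```

Note that the terminal only asks for a cryptogram type; the card is free to answer the first GENERATE AC with something more restrictive, and the TVR built here is also sent to the card in the CDOL1 data and to the issuer in the authorization request.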

Page 8: EMV chip cards

EMV Chip Data: the data elements present on a chip card. Only a subset of tags (for example PAN, AIP, ATC, TVR, unpredictable number, Issuer Application Data and the cryptogram itself) is sent to the issuer in the online authorization request.

Page 9: EMV chip cards

Cardholder Verification

Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. EMV supports several cardholder verification methods (CVMs):

• Signature
• Offline plaintext PIN (verified by the chip)
• Offline enciphered PIN (verified by the chip)
• Offline plaintext PIN and signature
• Offline enciphered PIN and signature
• Online PIN (verified by the issuer)
• No CVM required
• Fail CVM processing

The terminal reads the CVM List from the card and walks through its rules in order, choosing the first rule whose condition is met and whose method the terminal is capable of performing (a terminal without a PIN pad cannot perform a PIN-based CVM; an unattended terminal may support only No CVM).

The outcome is recorded by the terminal in byte 3 of the TVR and in the CVM Results (tag 9F34); both are sent to the card with the first GENERATE AC, so the card and, for online transactions, the issuer can take the result into account. A successful CVM does not by itself approve the transaction; processing continues with terminal risk management.

Each Cardholder Verification Rule in the CVM List consists of 2 bytes: the first indicates the CVM to be performed (and, in bit 7, whether to continue with the next rule if this one fails), the second specifies the condition under which the rule applies (always, only if the terminal supports the CVM, only below or above an amount threshold, and so on).

Page 10: EMV chip cards

Offline Data Authentication

Offline data authentication lets the terminal check, without contacting the issuer, that the data on the card was put there by the genuine issuer. It relies on an RSA public-key hierarchy: the terminal holds the public keys of the payment scheme's certification authority (CA), the CA signs the issuer's public key, and (for DDA) the issuer signs the card's own public key. The options are:

Static Data Authentication (SDA): the card contains application data (PAN, expiry date and other selected records) that was signed at personalisation with the private key of the issuer's RSA key pair. When a card with an SDA application is inserted into a terminal, it sends this Signed Static Application Data, the CA public key index and the issuer public key certificate to the terminal. The terminal recovers the issuer public key from the certificate using the CA key it holds, then recovers the hash from the signed static data and compares it with a hash it computes over the records actually read from the card. In short, the RSA signature gives the assurance that the data is original and was created by the authorised issuer. SDA does not prevent cloning or replay, because the same static signature is presented in every transaction: whoever has read the card once can copy the signed data onto another chip.

Dynamic Data Authentication (DDA): the card has its own card-unique RSA key pair, certified by the issuer. During the transaction the terminal sends an unpredictable number (INTERNAL AUTHENTICATE, with the data elements listed in the card's DDOL) and the card signs it together with its own dynamic data, producing a signature that is unique to and dependent on this transaction. When a card with a DDA application is inserted into a terminal, the card sends the signed dynamic application data, the CA public key index, the issuer certificate and the ICC certificate to the terminal. The terminal verifies the issuer certificate against the CA key, the ICC certificate against the issuer key, and finally the signed dynamic application data against the ICC key. Because producing the signature requires the card's private key, a copy of the card's readable data is not enough to pass DDA.
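The SDA and DDA signature chains, as an added example that is not code from the original slides. It keeps the shape of the EMV Book 2 signature with message recovery (header 6A, recoverable data, BB padding, SHA-1 hash, trailer BC) but simplifies the field layout inside the recoverable data, and generates toy RSA keys in pure Python (smaller than real scheme keys, and not how production keys are made). The demo shows why SDA is replayable (the signed bytes are identical in every transaction) and why DDA is not (an old signature fails against a fresh unpredictable number); the static records, DAC and ICC dynamic number are constructed.

```python
"""Added example (not from the original slides): the EMV-style RSA signature chain
behind SDA and DDA, reduced to its shape. Field layouts are simplified and the keys
are toy keys generated here for the demo."""
import hashlib
import hmac
import secrets

HEADER, TRAILER, PAD = 0x6A, 0xBC, 0xBB


def _probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin; adequate for a demo key, not for production key generation."""
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_key(bits: int, e: int = 65537) -> dict:
    """Toy RSA key pair. The top two bits of each prime are set so the modulus has
    exactly `bits` bits and its first byte is above the 6A header."""
    half = bits // 2
    while True:
        p = secrets.randbits(half) | (3 << (half - 2)) | 1
        q = secrets.randbits(half) | (3 << (half - 2)) | 1
        if p == q or not (_probable_prime(p) and _probable_prime(q)):
            continue
        phi = (p - 1) * (q - 1)
        if phi % e:                            # e prime, so this means gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi), "len": bits // 8}


def public(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"], "len": key["len"]}


def emv_sign(key: dict, recoverable: bytes, extra: bytes) -> bytes:
    """Signature with message recovery: the hash covers the recoverable data, the
    padding and the 'extra' data that travels alongside but is not recovered."""
    body = recoverable + bytes([PAD]) * (key["len"] - len(recoverable) - 22)
    msg = bytes([HEADER]) + body + hashlib.sha1(body + extra).digest() + bytes([TRAILER])
    return pow(int.from_bytes(msg, "big"), key["d"], key["n"]).to_bytes(key["len"], "big")


def emv_verify(pub: dict, sig: bytes, rec_len: int, extra: bytes):
    """Return the recovered data, or None if header, trailer or hash do not check out."""
    if len(sig) != pub["len"]:
        return None
    msg = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(pub["len"], "big")
    if msg[0] != HEADER or msg[-1] != TRAILER:
        return None
    body, digest = msg[1:-21], msg[-21:-1]
    if not hmac.compare_digest(hashlib.sha1(body + extra).digest(), digest):
        return None
    return body[:rec_len]


def issue_cert(signer: dict, subject_pub: dict) -> bytes:
    """A certificate here is just the subject's modulus signed by the certifier."""
    return emv_sign(signer, subject_pub["n"].to_bytes(subject_pub["len"], "big"), b"")


def verify_cert(signer_pub: dict, cert: bytes, subject_len: int, e: int = 65537):
    modulus = emv_verify(signer_pub, cert, subject_len, b"")
    return None if modulus is None else {"n": int.from_bytes(modulus, "big"), "e": e, "len": subject_len}


def demo() -> dict:
    ca, issuer, icc = gen_key(1024), gen_key(768), gen_key(512)     # scheme CA, issuer, card
    issuer_cert, icc_cert = issue_cert(ca, public(issuer)), issue_cert(issuer, public(icc))
    static_data = bytes.fromhex("5A0841111111111111115F2403151231")  # constructed PAN + expiry records
    dac = bytes.fromhex("1234")                                       # Data Authentication Code

    # SDA: signed once at personalisation; the card presents the same bytes every time.
    ssad = emv_sign(issuer, dac, static_data)
    t_issuer = verify_cert(public(ca), issuer_cert, issuer["len"])   # terminal side: CA key only
    sda_ok = emv_verify(t_issuer, ssad, 2, static_data) == dac
    sda_tampered = emv_verify(t_issuer, ssad, 2, static_data[:-1] + b"\x30") is None
    sda_replayable = emv_sign(issuer, dac, static_data) == ssad

    # DDA: the card signs the terminal's unpredictable number with its own key.
    t_icc = verify_cert(t_issuer, icc_cert, icc["len"])
    icc_dynamic = bytes.fromhex("010012")                             # ICC dynamic number
    un1, un2 = secrets.token_bytes(4), secrets.token_bytes(4)
    sdad1 = emv_sign(icc, icc_dynamic, un1)
    dda_ok = emv_verify(t_icc, sdad1, 3, un1) == icc_dynamic
    dda_replay = emv_verify(t_icc, sdad1, 3, un2) is None            # old signature, new challenge
    dda_unique = emv_sign(icc, icc_dynamic, un2) != sdad1
    return {"sda_ok": sda_ok, "sda_tampered_detected": sda_tampered, "sda_replayable": sda_replayable,
            "dda_ok": dda_ok, "dda_replay_detected": dda_replay, "dda_unique": dda_unique}
```

The terminal never holds anything but the CA public keys; every other key is recovered from a certificate presented by the card, which is why the CA key index the card sends must be checked against the terminal's own key store rather than trusted.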

Page 11: EMV chip cards

Combined Data Authentication (CDA)

• The security mechanism in SDA compares what is on the actual card (PAN, expiry date, etc.) with data signed by the issuer at the time of personalisation.

• DDA is stronger and uses a card-resident, card-unique RSA key to dynamically sign unpredictable, transaction-unique data.

• The EMV protocol for transaction approval or denial contains further processing after data authentication, and there is a potential weakness between the step that verifies the card (SDA or DDA) and the step that approves the actual transaction: the two are not cryptographically bound, so the terminal cannot be sure that the device that passed data authentication is the one that produced the cryptogram.

• The card's own decision is based on other card parameters and is expressed through the card-generated application cryptogram (TC, ARQC or AAC).

• CDA combines card authentication and the transaction approval decision in one step: the card's response to GENERATE AC carries an RSA signature, made with the ICC private key, over the application cryptogram and the transaction data, so the terminal verifies the card and the cryptogram together.

• Offline PIN verification by the chip complements data authentication: data authentication verifies the card, the PIN verifies that the right person is using it.

Page 12: EMV chip cards

Offline PIN Verification

Plaintext PIN verification performed by the ICC:
• A cost-effective cardholder verification method specific to chip card products.
• The terminal captures the PIN from the cardholder and sends it in clear to the chip (VERIFY command). The chip compares the received value with the reference PIN stored in its non-volatile memory at personalisation and decrements its PIN Try Counter on every failed attempt; when the counter reaches zero the PIN is blocked until the issuer resets it with a script.
• The terminal must be offline-PIN capable and tamper-resistant, since the PIN crosses the terminal-to-card interface unprotected.

Enciphered PIN verification performed by the ICC:
• A more expensive method, available only on chip card products able to perform RSA operations.
• The terminal first obtains an unpredictable number from the card (GET CHALLENGE), then encrypts the PIN block together with that number and random padding under the card's public key (the ICC PIN encipherment key or, failing that, the ICC key used for DDA) and sends the RSA envelope to the chip.
• The chip decrypts the envelope with its private key, checks the unpredictable number, retrieves the PIN in clear and compares it with the reference PIN stored since personalisation, again under control of the PIN Try Counter.
• EMV also supports a combined cardholder verification method referred to as enciphered PIN verification performed by ICC and (paper) signature.
• The card also carries a Lower and an Upper Consecutive Offline Limit (LCOL and UCOL). During terminal risk management the terminal compares them with the number of transactions since the card last went online (Application Transaction Counter minus Last Online ATC) and sets TVR bits that push the transaction online once a limit is exceeded.
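The PIN formats and the card-side check, as an added example that is not code from the original slides: the plaintext PIN block carried by VERIFY (EMV Book 3 section 6.5.12), the plaintext of the enciphered-PIN envelope (Book 2 section 7.2) and a card-side VERIFY handler with a PIN Try Counter. The status words are the ISO 7816 / EMV ones (9000, 63Cx, 6983); the RSA encryption of the envelope under the ICC public key is not shown.

```python
"""Added example (not from the original slides): VERIFY PIN block, enciphered-PIN
envelope plaintext and a card-side PIN Try Counter. RSA encryption of the
envelope is out of scope here."""
import hmac
import secrets


def pin_block(pin: str) -> bytes:
    """Control nibble 2, PIN length nibble, 4 to 12 PIN digits, 'F' padding to 8 bytes."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    return bytes.fromhex(f"2{len(pin):X}{pin}".ljust(16, "F"))


def verify_apdu(pin: str) -> bytes:
    """VERIFY with P2 = 80: plaintext PIN, verified by the ICC."""
    block = pin_block(pin)
    return bytes([0x00, 0x20, 0x00, 0x80, len(block)]) + block


def pin_envelope(pin: str, icc_unpredictable_number: bytes, key_len: int) -> bytes:
    """Plaintext of the enciphered-PIN envelope: 7F || PIN block || 8-byte ICC
    unpredictable number from GET CHALLENGE || random padding up to the ICC key
    length. The terminal RSA-encrypts this under the card's PIN encipherment public
    key and sends it with VERIFY P2 = 88."""
    if len(icc_unpredictable_number) != 8:
        raise ValueError("GET CHALLENGE returns 8 bytes")
    head = b"\x7F" + pin_block(pin) + icc_unpredictable_number
    return head + secrets.token_bytes(key_len - len(head))


class IccPinVerifier:
    """Card side: compares the received block with the reference PIN stored at
    personalisation, decrementing the PIN Try Counter (PTC) on each failure."""

    def __init__(self, reference_pin: str, try_limit: int = 3):
        self._ref = pin_block(reference_pin)
        self.try_limit = try_limit
        self.ptc = try_limit

    def verify(self, block: bytes) -> int:
        """Return SW1SW2: 9000 ok, 63Cx wrong PIN with x tries left, 6983 PIN blocked."""
        if self.ptc == 0:
            return 0x6983                    # blocked until an issuer script resets the PTC
        if hmac.compare_digest(block, self._ref):
            self.ptc = self.try_limit        # a correct PIN resets the counter
            return 0x9000
        self.ptc -= 1
        return 0x63C0 | self.ptc

    def issuer_unblock(self) -> None:
        """What a PIN UNBLOCK issuer script does after an online authorisation."""
        self.ptc = self.try_limit


if __name__ == "__main__":
    card = IccPinVerifier("1234")
    for attempt in ("0000", "1234"):
        print(attempt, hex(card.verify(pin_block(attempt))), "tries left:", card.ptc)
```

The counter is the card's only defence against guessing, which is why the terminal reads it with GET DATA (tag 9F17) before prompting, why a card with PTC = 0 returns 6983 without looking at the PIN, and why the comparison is constant-time rather than a plain equality that leaks timing.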

Page 13: EMV chip cards

Witnesses of terminal processing

• The TVR (Terminal Verification Results) and the TSI (Transaction Status Information) are the registers in which the terminal records what it has checked and what it has performed. The TSI records which steps were carried out (offline data authentication, cardholder verification, card risk management, issuer authentication, terminal risk management, script processing); the TVR records their results.

• The TVR is a register encoded on 5 bytes. Each byte witnesses the results of the processing performed by the terminal during one of the following stages of the EMV debit/credit transaction:

• Offline data authentication (byte 1)
• Processing restrictions (byte 2)
• Cardholder verification (byte 3)
• Terminal risk management (byte 4)
• Issuer authentication / issuer script processing (byte 5)

• Both registers are sent to the card in the GENERATE AC data and, for online transactions, the TVR is sent to the issuer, so the card's and the issuer's decisions can take the terminal's findings into account.

Page 14: EMV chip cards

EMV Migration

The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance to support the introduction of secure EMV contact and contactless technology in the United States, driven by the payment brands' liability shift.

Liability shift means that, for a counterfeit-card transaction, liability moves to whichever party has not adopted EMV: a merchant that accepts an EMV-compliant card on a non-EMV-compliant device assumes liability for any transactions that are found to be fraudulent, while an issuer that has not issued chip cards keeps it.

The liability shift date set by the major payment brands for the US was October 2015. Europe, Canada, Latin America and the Asia/Pacific region are all well on their way with migrating from the legacy magnetic stripe standard to EMV chip card technology.

(Slide figure: estimated cost calculation for EMV migration in the US.)

Page 15: EMV chip cards

Liability Table (slide table) • Applicable to the Visa, MasterCard and American Express associations

Page 16: EMV chip cards

EMV Adoption in various regions of the world

Page 17: EMV chip cards

Security for E-Commerce

EMV cards were designed before e-commerce was widespread, and the chip plays no part in a card-not-present transaction. Other methods were introduced to make such transactions more secure:

• Card security code (CVV2 / CVC2): a 3- or 4-digit value printed on the card but not encoded on the magnetic stripe or in the chip, so that stripe or chip data alone is not enough to shop online
• Address Verification System (AVS): the billing address supplied by the customer is compared with the one held by the issuer
• Dynamic code verification: a security code that changes over time instead of a fixed printed value

In future, cards are expected to generate such dynamic codes using the chip technology.

Page 18: EMV chip cards

TransArmor Tokenization and Encryption Solution

• The card data is protected by two layers of security: encryption, which protects the card data while it is in transit, and tokenization, which replaces the PAN with a token for storage and later use.

Page 19: EMV chip cards

Benefits of Tokenization

• Reduces the risk of storing Primary Account Numbers (PANs) in the merchant's cardholder data environment (CDE): a token is useless outside the token provider's system.
• The tokens can still be used to perform customer analytics and understand consumer buying behaviour (which requires the same PAN to always map to the same token).
• Replacing PAN data with tokens reduces a merchant's PCI compliance burden by taking sensitive data out of its databases.
• Tokens can be used for recurring payments: the merchant submits the stored token instead of the PAN for later charges.
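A minimal token vault, as an added example that is not code from the original slides or from the TransArmor product. It shows the split the slides describe: the merchant system keeps only tokens, the PAN-to-token mapping lives in the provider's vault, and the provider swaps the PAN back in when it processes a charge. The token format (last four PAN digits kept, the rest random, and deliberately Luhn-invalid so a token can never pass as a card number) is a design assumption of this demo; the encryption layer over the vault's PAN store is mentioned in a comment but not implemented.

```python
"""Added example (not from the original slides): a minimal token vault and a
merchant system that never stores a PAN. Token format is a demo assumption."""
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check used for PANs."""
    checksum = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Provider side. In production the PAN column would be encrypted under an
    HSM-held key and access logged; the dicts stand in for that store."""

    def __init__(self):
        self._token_by_pan = {}
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:            # same PAN -> same token, so analytics still work
            return self._token_by_pan[pan]
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break                            # never Luhn-valid: cannot be mistaken for a PAN
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider can do this; merchants never call it."""
        return self._pan_by_token[token]

    def process_charge(self, token: str, amount: int) -> str:
        """The merchant submits the token; the provider swaps the PAN back in
        before forwarding to the acquirer. Constructed receipt format."""
        pan = self.detokenize(token)
        return f"charged {amount} to ****{pan[-4:]}"


class MerchantSystem:
    """Merchant side: stores tokens in its customer database, never the PAN."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.customers = {}                      # customer_id -> token

    def first_purchase(self, customer_id: str, pan: str, amount: int) -> str:
        token = self._vault.tokenize(pan)        # PAN handed to the provider once, at capture
        self.customers[customer_id] = token
        return self._vault.process_charge(token, amount)

    def recurring_purchase(self, customer_id: str, amount: int) -> str:
        return self._vault.process_charge(self.customers[customer_id], amount)


if __name__ == "__main__":
    shop = MerchantSystem(TokenVault())
    print(shop.first_purchase("cust-1", "4111111111111111", 1999))   # constructed test PAN
    print(shop.recurring_purchase("cust-1", 1999), shop.customers)
```

What a PCI assessor would check is visible in the classes: nothing on the merchant side can turn a token back into a PAN, and a dump of `MerchantSystem.customers` contains no card numbers, which is what takes those systems out of scope.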