EMV Transaction Flow
Contents
• Introduction to EMV
• Traditional MSR vs EMV Transaction Flow
• Online Data Authentication
• Offline Data Authentication
• EMV Migration
• Security in E-Commerce
Introduction to EMV
• EMV is a technical standard that defines the interaction, at the physical, electrical and data authentication levels, between IC cards and their processing devices for financial transactions.
• EMV stands for Europay, MasterCard and Visa, the three companies that originally created the standard.
• The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China UnionPay and Discover.
• EMV cards are also called IC credit cards or Chip and PIN cards.
• EMV cards were introduced to improve security (fraud reduction) and to give finer control over "offline" credit-card transaction approvals.
• One of the original goals of EMV was to allow multiple applications to be held on one card, for example a credit and debit card application or an e-purse.
MSR vs EMV Transaction Flow
EMV Transaction Flow
Application Selection:
• The EMV chip is loaded with an application version number and the Application Identification Numbers (AIDs) that the issuer supports.
• Based on the AID selected, a particular application in the terminal is selected, and routing to the issuer bank happens through it.
• The PDOL (Processing Data Object List) is provided by the card to the terminal during application selection.
Terminal Action Analysis
• Terminal risk management is done in the terminal to decide whether or not to go online; it checks the transaction amount against an offline ceiling limit.
• For online authorization transactions, CDOL1 (Card Data Object List 1) is a list of tags that the card wants sent to it so that it can decide whether to approve or decline the transaction.
• The terminal sends this data and requests a cryptogram using the GENERATE APPLICATION CRYPTOGRAM command, usually called the first GENERATE AC (1st GEN AC).
• Depending on the terminal's decision (offline, online, decline), the terminal requests one of the following cryptograms from the card:
  • Transaction Certificate (TC): offline approval
  • Authorization Request Cryptogram (ARQC): online authorization
  • Application Authentication Cryptogram (AAC): offline decline
• The issuer responds to an authorization request with a response code (accepting or declining the transaction), an Authorization Response Cryptogram (ARPC) and optionally an issuer script (a string of commands to be sent to the card).
EMV Chip Data
The data present on a chip card; a few of these tags are sent to the issuer for authorization.
Cardholder verification
• Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. EMV supports many cardholder verification methods (CVMs):
  • Signature
  • Offline plaintext PIN
  • Offline enciphered PIN
  • Offline plaintext PIN and signature
  • Offline enciphered PIN and signature
  • Online PIN
  • No CVM required
  • Both PIN and signature
  • Fail CVM processing
• The terminal uses a CVM list read from the card to determine the type of verification to be performed, based on the terminal's capabilities and the type of business involved.
• When a verification succeeds, the results are recorded in the TVR and CVR and the transaction is approved.
• A Cardholder Verification Rule (CVR) consists of 2 bytes: the first indicates the type of CVM to be used, while the second specifies the condition under which this CVM is applied.
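The two-byte rule format above is what a terminal actually walks through when it reads the card's CVM List (tag 8E). The following decoder is an added example, not code from the slide deck: it parses a constructed CVM List value, applies each rule's condition byte, and selects the first method the terminal can perform, honouring the "apply succeeding rule if this one fails" bit in the first byte. The method codes and condition codes are taken from EMV Book 3 as this example's author understands them; the X/Y amounts and the terminal capability sets are constructed.

```python
"""Decode an EMV CVM List (tag 8E) and select the CVM a terminal would perform.

Added example; not from the slide deck. Code tables follow EMV Book 3 (assumed
correct here); the sample CVM List and terminal capabilities are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List

# Low six bits of the first rule byte: which CVM to perform.
CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verification performed by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verification performed by ICC and signature",
    0x04: "Enciphered PIN verification performed by ICC",
    0x05: "Enciphered PIN verification performed by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
CVM_CONTINUE_BIT = 0x40   # bit 7: apply succeeding rule if this CVM fails

# Second rule byte: condition under which the rule applies.
CONDITION_CODES = {
    0x00: "Always", 0x01: "If unattended cash",
    0x02: "If not unattended cash, not manual cash, not purchase with cashback",
    0x03: "If terminal supports the CVM",
    0x06: "If in application currency and under X", 0x07: "If in application currency and over X",
    0x08: "If in application currency and under Y", 0x09: "If in application currency and over Y",
}


@dataclass
class CvmRule:
    cvm_code: int
    apply_next_on_fail: bool
    condition: int

    @property
    def method(self) -> str:
        return CVM_CODES.get(self.cvm_code, f"RFU/proprietary (0x{self.cvm_code:02X})")


@dataclass
class CvmList:
    amount_x: int          # 4 bytes, binary, in minor currency units
    amount_y: int
    rules: List[CvmRule]


def parse_cvm_list(data: bytes) -> CvmList:
    """Tag 8E value layout: X (4 bytes), Y (4 bytes), then one 2-byte rule after another."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    rules = [CvmRule(data[i] & 0x3F, bool(data[i] & CVM_CONTINUE_BIT), data[i + 1])
             for i in range(8, len(data), 2)]
    return CvmList(int.from_bytes(data[0:4], "big"), int.from_bytes(data[4:8], "big"), rules)


def condition_met(rule: CvmRule, amount: int, cl: CvmList, supports: Callable[[int], bool]) -> bool:
    c = rule.condition
    if c == 0x00:
        return True
    if c == 0x03:
        return supports(rule.cvm_code)
    if c in (0x06, 0x07):
        return amount < cl.amount_x if c == 0x06 else amount > cl.amount_x
    if c in (0x08, 0x09):
        return amount < cl.amount_y if c == 0x08 else amount > cl.amount_y
    return False   # cash/cashback conditions depend on terminal type; treated as unmet here (assumption)


def select_cvm(cl: CvmList, amount: int, supports: Callable[[int], bool]) -> str:
    """Walk the rules in order. An unmet condition skips the rule; a met condition whose CVM the
    terminal cannot perform either falls through (continue bit set) or ends CVM processing as failed."""
    for rule in cl.rules:
        if not condition_met(rule, amount, cl, supports):
            continue
        if rule.cvm_code != 0x00 and supports(rule.cvm_code):
            return rule.method
        if not rule.apply_next_on_fail:
            return CVM_CODES[0x00]
    return CVM_CODES[0x00]


# Constructed sample: X = 1000, Y = 0, then five rules:
#   online PIN if supported (continue), offline plaintext PIN if supported (continue),
#   signature if supported (continue), No CVM if under X, otherwise fail.
SAMPLE_CVM_LIST = bytes.fromhex("000003E8" "00000000" "4203" "4103" "5E03" "1F06" "0000")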
Offline Data Processing:
The offline authentication options in EMV are:
Static Data Authentication:
• For SDA, the smart card contains application data that is signed by the private key of the issuer's RSA key pair.
• When a card with an SDA application is inserted into a terminal, the card sends this signed static application data, the CA index, and the issuer certificate to the terminal.
• The terminal verifies the issuer certificate and the digital signature by comparing them with the actual application data present on the card.
• In short, an RSA signature gives the assurance that the data is in fact original and was created by the authorized issuer.
• SDA does not prevent replay attacks, because the same static data is presented in every transaction.
Dynamic Data Authentication:
• In DDA the smart card has its own card-unique RSA key that signs dynamic data.
• This produces unique, unpredictable and transaction-dependent data, which the card sends to the terminal.
• When a card with a DDA application is inserted into a terminal, the card sends the signed dynamic application data, the CA index, the issuer certificate and the card certificate to the terminal.
• The terminal then verifies the issuer certificate, the smart card certificate and the signed dynamic application data.
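The SDA and DDA sections above differ in one property: whether anything the terminal verifies is fresh. The model below is an added example, not code from the slide deck. It uses textbook RSA over two small well-known primes per key (constructed demo keys, far too small for real use), SHA-256 reduced modulo n as the hash, and collapses the certificate chain to "CA signs issuer key, issuer signs card key". The real EMV formats (ISO/IEC 9796-2 recovery signatures, 1024-bit and longer keys, the certificate field layouts) are not modelled. The terminal-side checks show that a recorded SDA answer verifies again in a later transaction, while a recorded DDA answer fails because the terminal's unpredictable number has changed; a modified static data field is still caught by SDA, which is the guarantee SDA does give.

```python
"""SDA versus DDA: which terminal check is fresh. Added example, not from the slides.
Keys are toy RSA (demo primes), hash is SHA-256 mod n; formats are simplified (assumed)."""
import hashlib
import secrets


def keygen(p, q, e=65537):
    """Textbook RSA pair from two primes. Demo only; real keys are generated inside an HSM."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def _digest(n, *parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % n


def sign(priv, *parts: bytes) -> int:
    n, d = priv
    return pow(_digest(n, *parts), d, n)


def verify(pub, sig: int, *parts: bytes) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(n, *parts)


def encode_pub(pub) -> bytes:
    return b"%d:%d" % pub


# Three distinct key pairs (distinct demo primes, so each has its own modulus): CA, issuer, card.
CA_PUB, CA_PRIV = keygen(1_000_000_007, 998_244_353)
ISS_PUB, ISS_PRIV = keygen(1_000_000_009, 999_999_937)
ICC_PUB, ICC_PRIV = keygen(1_000_000_021, 1_000_000_033)

ISSUER_CERT = (ISS_PUB, sign(CA_PRIV, encode_pub(ISS_PUB)))    # CA vouches for the issuer key
ICC_CERT = (ICC_PUB, sign(ISS_PRIV, encode_pub(ICC_PUB)))      # issuer vouches for the card key

STATIC_DATA = b"PAN=4111111111111111;EXPIRY=2712"              # constructed personalization data
SSAD = sign(ISS_PRIV, STATIC_DATA)                             # Signed Static Application Data


def sda_card_response():
    """An SDA card returns exactly the same bytes in every transaction."""
    return STATIC_DATA, SSAD


def dda_card_response(unpredictable_number: bytes):
    """A DDA card signs its own dynamic number together with the terminal's challenge."""
    icc_dynamic_number = secrets.token_bytes(4)
    return icc_dynamic_number, sign(ICC_PRIV, icc_dynamic_number, unpredictable_number)


def terminal_verify_sda(issuer_cert, static_data: bytes, ssad: int, ca_pub=CA_PUB) -> bool:
    """Check the issuer certificate against the CA key, then the static signature against the data read."""
    iss_pub, cert_sig = issuer_cert
    return verify(ca_pub, cert_sig, encode_pub(iss_pub)) and verify(iss_pub, ssad, static_data)


def terminal_verify_dda(issuer_cert, icc_cert, unpredictable_number: bytes, response, ca_pub=CA_PUB) -> bool:
    """Chain CA -> issuer -> card, then the dynamic signature over this transaction's challenge."""
    iss_pub, iss_sig = issuer_cert
    icc_pub, icc_sig = icc_cert
    icc_dynamic_number, sig = response
    return (verify(ca_pub, iss_sig, encode_pub(iss_pub))
            and verify(iss_pub, icc_sig, encode_pub(icc_pub))
            and verify(icc_pub, sig, icc_dynamic_number, unpredictable_number))


def replay_comparison():
    """Record a card's answers in one transaction, then present the same answers in a later one."""
    un_first, un_later = b"\x11\x22\x33\x44", b"\x55\x66\x77\x88"   # terminal challenges (constructed)
    sda_recorded = sda_card_response()
    dda_recorded = dda_card_response(un_first)
    return {
        "sda_first": terminal_verify_sda(ISSUER_CERT, *sda_recorded),
        "sda_replayed": terminal_verify_sda(ISSUER_CERT, *sda_recorded),   # nothing in the check changed
        "dda_first": terminal_verify_dda(ISSUER_CERT, ICC_CERT, un_first, dda_recorded),
        "dda_replayed": terminal_verify_dda(ISSUER_CERT, ICC_CERT, un_later, dda_recorded),  # stale UN
    }
```

The practical reading for a terminal or acquirer configuration is that SDA-only acceptance should be treated as integrity protection of the card data, not as proof that a genuine card is present; freshness comes only from DDA or CDA, where the card must use its private key against a challenge chosen by the terminal.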
Combined Data Authentication:
• The security mechanism in SDA exists to compare what is on the actual card (PAN, expiry date etc.) with signed data generated at the time of personalization.
• DDA is stronger and makes use of a card-resident unique RSA key to dynamically sign unpredictable and transaction-unique data.
• The EMV protocol for transaction approval or denial contains more logical processing, and there is a potential weakness between the step of verifying the card (using SDA or DDA) and the step of approving the actual transaction.
• Additionally, the card makes that decision based on other card parameters such as card-generated cryptograms.
• A scheme has been devised that combines both the card authentication and the transaction approval decision in one step.
• To make it more secure, offline PIN verification is present in chip cards to verify the cardholder.
• In addition, authentication can be done using a PIN to verify that the right person is using the card.
Plaintext PIN verification performed by ICC:
• This is a cost-effective cardholder verification method, which is specific to chip card products.
• The terminal captures the PIN from the user and sends it in clear to the chip card. The chip compares the value received with a witness value stored in its permanent memory.
• The terminal should be offline-PIN capable and tamper resistant.
Enciphered PIN verification performed by ICC
• This is an expensive cardholder verification method, which is applicable to chip card products able to perform RSA operations.
• The terminal captures the PIN from the user and sends it encrypted in an RSA envelope to the chip card.
• The chip decrypts the envelope, retrieves the PIN in clear, and compares the retrieved value with a witness value stored in its permanent memory since the personalization stage.
• EMV also supports a combined cardholder verification method, referred to as enciphered PIN verification performed by ICC and signature (paper).
• The EMV card keeps track of the number of transactions performed offline using the LCOL and UCOL registers.
• The TVR (Terminal Verification Results) and TSI (Transaction Verification Information) are the registers that record the checks the terminal has performed.
• The TVR is a register encoded on 5 bytes. Each byte of the TVR witnesses the results of the processing performed by the terminal during one of the following stages of the EMV debit/credit transaction:
  • Offline data authentication (byte 1)
  • Processing restrictions (byte 2)
  • Cardholder verification (byte 3)
  • Terminal risk management (byte 4)
  • Issuer authentication/issuer script processing (byte 5)
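The Terminal Action Analysis slide (floor limit check, first GENERATE AC, the TC/ARQC/AAC choice, the issuer's response code and ARPC) and the LCOL/UCOL and TVR material just above describe one round trip, which the following simulation puts together. It is an added example, not code from the slide deck. The cryptogram is an HMAC-SHA256 under a key shared by card and issuer, a stand-in for EMV's 3DES MAC over the CDOL1 data under a per-card key (an assumption of the demo); the bit positions used in TVR byte 4 follow EMV Book 3 as this example's author understands them; the floor limit, LCOL/UCOL counters, amounts and the response codes "00"/"05" are illustrative values. `run_transaction`, `terminal_risk_management`, `card_generate_ac`, `issuer_authorize` and `card_verify_arpc` are this example's own names.

```python
"""Terminal risk management -> first GENERATE AC -> issuer ARQC/ARPC exchange.
Added example, not from the slides. MAC is HMAC-SHA256 as a stand-in for EMV's 3DES MAC (assumed)."""
import hashlib
import hmac

TC, ARQC, AAC = "TC", "ARQC", "AAC"

# TVR byte 4 (terminal risk management) bits, per EMV Book 3 (assumed correct here).
TVR4_EXCEEDS_FLOOR_LIMIT = 0x80
TVR4_LCOL_EXCEEDED = 0x40
TVR4_UCOL_EXCEEDED = 0x20
# The five TVR bytes, named as on the slide.
TVR_STAGES = ["offline data authentication", "processing restrictions", "cardholder verification",
              "terminal risk management", "issuer authentication / issuer scripts"]


def terminal_risk_management(amount, floor_limit, offline_count, lcol, ucol, online_capable=True):
    """Fill TVR byte 4 and decide which cryptogram to request from the card."""
    tvr = bytearray(5)
    if amount > floor_limit:
        tvr[3] |= TVR4_EXCEEDS_FLOOR_LIMIT
    if offline_count > lcol:
        tvr[3] |= TVR4_LCOL_EXCEEDED
    if offline_count > ucol:
        tvr[3] |= TVR4_UCOL_EXCEEDED
    if tvr[3] == 0:
        return bytes(tvr), TC            # nothing flagged: approve offline
    if online_capable:
        return bytes(tvr), ARQC          # something flagged: ask the issuer
    # Offline-only terminal (simplified): the upper limit is a hard stop, below it keep approving offline.
    return bytes(tvr), (AAC if tvr[3] & TVR4_UCOL_EXCEEDED else TC)


def flagged_stages(tvr: bytes):
    """Name the transaction stages whose TVR byte has any bit set."""
    return [TVR_STAGES[i] for i, b in enumerate(tvr) if b]


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]


def card_generate_ac(card_key, requested, atc, cdol1_data):
    """GENERATE AC on the card: (cryptogram type, ATC, cryptogram). The card's own TAC/IAC rules,
    which may downgrade a requested TC to ARQC or AAC, are not modelled."""
    return requested, atc, _mac(card_key, requested.encode(), atc.to_bytes(2, "big"), cdol1_data)


def issuer_authorize(card_key, atc, cdol1_data, arqc, approve=True):
    """Recompute the ARQC from the data the terminal forwarded; answer with a code and an ARPC bound to it."""
    expected = _mac(card_key, b"ARQC", atc.to_bytes(2, "big"), cdol1_data)
    if not hmac.compare_digest(expected, arqc):
        return "05", None                 # cryptogram does not verify: decline, no ARPC
    code = "00" if approve else "05"     # illustrative approve / decline response codes
    return code, _mac(card_key, arqc, code.encode())[:4]


def card_verify_arpc(card_key, arqc, code, arpc) -> bool:
    """EXTERNAL AUTHENTICATE: the card confirms the response really came from its issuer."""
    return arpc is not None and hmac.compare_digest(_mac(card_key, arqc, code.encode())[:4], arpc)


def run_transaction(amount, *, card_key=b"demo-card-issuer-key", floor_limit=1000, offline_count=2,
                    lcol=5, ucol=10, online_capable=True, atc=0x0042, tamper=False):
    """One transaction end to end; all parameter defaults are constructed demo values."""
    cdol1_data = amount.to_bytes(6, "big") + b"\x09\x78" + b"\x24\x01\x15"   # amount, currency, date
    tvr, request = terminal_risk_management(amount, floor_limit, offline_count, lcol, ucol, online_capable)
    cdol1_data += tvr                    # the TVR is itself among the CDOL1 data the card MACs
    kind, atc, cryptogram = card_generate_ac(card_key, request, atc, cdol1_data)
    result = {"tvr": tvr, "cryptogram": kind, "stages": flagged_stages(tvr)}
    if kind != ARQC:
        result["outcome"] = "approved offline" if kind == TC else "declined offline"
        return result
    # 'tamper' simulates a cryptogram altered in transit; the issuer must notice and the card must not
    # accept any response that is not bound to the cryptogram it generated.
    sent = (bytes([cryptogram[0] ^ 0xFF]) + cryptogram[1:]) if tamper else cryptogram
    code, arpc = issuer_authorize(card_key, atc, cdol1_data, sent)
    result["response_code"] = code
    result["issuer_authenticated"] = card_verify_arpc(card_key, cryptogram, code, arpc)
    result["outcome"] = "approved online" if code == "00" else "declined online"
    return result
```

Because the TVR travels inside the MAC'd CDOL1 data, the issuer sees the same risk-management flags the terminal acted on, which is what makes the host-side decision auditable against the terminal's.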
EMV Migration
• The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance in order to successfully introduce secure EMV contact and contactless technology in the United States through the liability shift.
• Liability shift means that issuers and merchants using non-EMV-compliant devices that choose to accept transactions made with EMV-compliant cards assume liability for any and all transactions that are found to be fraudulent.
• The deadline for the liability shift in the US, as decided by EMVCo, is October 2015.
• To date, Europe, Canada, Latin America and the Asia/Pacific region are all well on their way with migrating from the legacy magnetic stripe standard to EMV chip card technology.
• Estimated cost calculation for EMV migration in the US.
Liability Table
• This is applicable to the Visa, MasterCard and American Express associations.
EMV Adoption in Various Regions of the World
Security for E-Commerce
• EMV cards were designed when e-commerce was not fully operational.
• Various other methods were introduced to make transactions secure:
  • CVV number
  • Address Verification System (AVS)
  • Dynamic number verification system
• In future, cards will be designed to produce a dynamic number using the chip technology.
TransArmor Tokenization and Encryption Solution
• The data is protected by two layers of security, known as encryption and tokenization.
Benefits of Tokenization
• Reduces the risk of storing Primary Account Numbers (PANs) in the merchant's card data environment (CDE).
• The tokens can then be used to perform customer analytics and understand consumer buying behavior.
• Replacing PAN data with tokens reduces a merchant's PCI compliance burden by taking sensitive data out of their database.
• Used for recurring payments.
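The tokenization benefits listed above (PANs out of the merchant database, the same token usable for analytics and recurring payments) follow from a few design rules on the vault side. The following vault is an added example; it is not the TransArmor product's code or design. Its choices, which are this example's own, are: tokens are random rather than derived from the PAN, they keep the last four digits for receipts, they are deliberately Luhn-invalid so a token can never be mistaken for a card number, and a keyed-hash index lets a repeat PAN map to the same token without the PAN itself being used as a lookup key. The encryption layer the slide pairs with tokenization is assumed to protect the vault's stored PAN column and is not modelled here; `TokenVault`, `luhn_valid` and the sample key are constructed for the demo.

```python
"""Token vault: merchant systems hold tokens, the CDE holds the PANs.
Added example; not the TransArmor product's code. Vault design is this example's own."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check, applied to inputs (reject malformed PANs) and to candidate tokens (reject
    any that would pass as a card number)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Lives inside the CDE. Merchant applications only ever receive what tokenize() returns."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # keyed hash so the PAN is never used as a dict key
        self._token_by_index = {}
        self._pan_by_token = {}          # in production this column is encrypted (slide's first layer)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:  # same PAN -> same token: recurring payments and analytics
            return self._token_by_index[idx]
        width = len(pan) - 4
        while True:
            token = f"{secrets.randbelow(10 ** width):0{width}d}" + pan[-4:]
            # Reject Luhn-valid candidates (could be confused with a real PAN) and duplicates.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment-processing path inside the CDE should be able to call this."""
        return self._pan_by_token[token]

    def holds(self, token: str) -> bool:
        return token in self._pan_by_token
```

The scope reduction the slide describes holds only if `detokenize` is reachable solely from the payment path; any other service that can call it is back inside PCI scope.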
