EMV 201: EMV Chip Profiles and
Considerations for Issuers and
Merchants
Philip Andreae, Oberthur Technologies
2 © Oberthur Technologies 2016 - EMV 201 - PEA 23 October 2016
Why EMV?
No Longer Secure
Circa 1991 – In 1993 Europay, MasterCard and Visa came together to economically solve for Counterfeit and Lost & Stolen Fraud
EMV Restored “The Token”
In 1996 the EMV Specifications were published with the collective agreement that global Interoperability is the Goal; each at their own pace
(Figure labels: cardholder verification by Signature, Online PIN, and PIN matched in the chip)
(Figure: the three questions a card payment must answer, and the features that answered them)
Authentication – What You Have: A Card/Phone (Infra Red Ink, Hologram, Magnetic Stripe, cvv1/cvc1)
Verification – What You Know: A Secret
Authorization – Are You Able: Online Terminal, Floor Limit & cvv2/cvc2
In 1998 Global Deployment Began
In 2012 The USA Embraced EMV
An Extrapolation taking First Annapolis, EMVCo, AITA and SPA input into consideration
These are not the views of Oberthur
EMV EMPLOYS HARDWARE BASED CRYPTOGRAPHY TO SECURE PAYMENTS
Magnetic Stripe Processing Was Easy For Everyone
(Flowchart, reconstructed from the slide labels)
Read Track Data
If Service Code = 2xx or 6xx (a chip is present on the card) → EMV Start
Total > Terminal Floor Limit?
  Yes → Issuer Authorizes Transaction
  No → Check Electronic Stop List
Print Receipt
Verify Signature
Data Capture for Overnight Settlement
EMV Is Not for the Light Hearted
ISO Specifications
ISO 8583 – Financial transaction card originated messages
ISO 7816 – Smart Card
• Part 1: Physical characteristics
• Part 2: Cards with contacts – Dimensions and location of the contacts
• Part 3: Cards with contacts – Electrical interface and transmission protocols
• Part 4: Organization, security and commands for interchange
ISO 14443 – Contactless
• Part 1: Physical characteristics
• Part 2: Radio frequency power and signal interface
• Part 3: Initialization and anti-collision
• Part 4: Transmission protocol
EMV Specifications
EMVCo Version 4.3 – Contact
• Book 1: Application independent ICC to terminal interface requirements
• Book 2: Security and key management
• Book 3: Application specification
• Book 4: Cardholder, attendant and acquirer interface requirements
EMVCo Version 2.3 – Contactless
• Book A: Architecture and general requirements
• Book B: Entry point specification
• Books C1-7: Kernel specifications
• Book D: Communications protocol
Payment System Specifications
AEIPS - D-Pas - MChip - VIS - CPA
Based On Standards - Built on Evolving Technology
When Implementing EMV Issuers Think About
• Card design
• Chip selection
• Script processing
• Cardholder verification
• Authentication requirements
• Key management requirements
• Fraud and risk management systems
• PIN management & PIN synchronization
• Cardholder education and marketing messages
• Educating the branch, the call center & the team on EMV
• Card Risk Management and Transaction Authorization
• What merchants are doing to filter debit application selection
• Credit & debit card processing must perform online authentication
• And ….
Implementing EMV Requires Your “A” Team
(Project sequence from the slide)
1. Project Initiation
2. Vendor Selection
3. Negotiate with Processor
4. Define Profile
5. Select Chip
6. Define Input File
7. Perform Key Ceremonies
8. Profile Development
9. Staff Training
10. Develop Customer Education
11. Payment Scheme Certification
12. End to End Testing
13. Account Conversion
14. Issue Chip Cards
15. Accept First Transaction
EMV Embedded an Integrated Circuit in the Card
Hardware – CPU, Crypto processor, Flash, E2PROM or ROM, RAM, Security & Sensors
BIOS – Basic Input Output System
Operating System – Native or Global Platform & Java Card API
Application – AEIPS, CPA, D-Pas, MChip, VSDC … Domestic
Data
Antenna
The Chip Card is a Secure Element with Data Inside
Hardware – Antenna, CPU, Crypto processor, Flash, E2PROM or ROM, RAM, Security & Sensors
BIOS – Basic Input Output System
Operating System – Native or Global Platform & Java Card API
Application – AEIPS, CPA, D-Pas, MChip, VSDC … Domestic
Data – ADF(s), AID(s); AIP, ATC, AUC, Cardholder Name, CID, CVM List, Expiry Date, IAC(s), LCOL, PAN, UCOL, Track 2 Equivalent Data…
Applications and Data are Specified and Structured
Application
The Payment Networks define, license and approve implementations of their specification running in the card and on the terminal
• Visa – VIS
• MasterCard – MChip
• Discover – D-Pas
• Amex – AEIPS
• EMVCo – CPA (OT = WISE)
• JCB – J/Smart
• EMVCo – CPA
The terminal specification defines how the terminal will operate and use the EMV Tool Kit
The Chip Specification defines what the software in the card must do in response to commands from the Terminal
Test Plans allow card and terminal vendors to prove their products perform as required
AID – Application Identifier
The AID is the name of the Application Directory File (ADF) in the chip
The terminal and consumer select the AID
Application                  RID         PIX
• Visa (credit or debit)     A000000003  1010
  Visa Plus                  A000000003  8010
  Visa Interlink             A000000003  3010
  US Common Debit            A000000098  0840
• MasterCard                 A000000004  1010
  Maestro Int’l              A000000004  3060
  Cirrus                     A000000004  6000
  US Maestro                 A000000004  2203
• Amex                       A000000025  01XX
• JCB                        A000000065  1010
• Oberthur                   A000000077  XXXX
• Discover                   A000000152  3010
  Discover Common Debit      A000000152  4010
• DNA Common Debit           A000000620  0620
Each Account is Stored in an Application Data File
(Figure: file structure in the chip)
ADF
  SFI: EF, EF
  SFI: EF
THE PROFILE AND THE TERMINAL CAPABILITIES DEFINE THE BEHAVIOR
EMV Defines the Terminal to Card Protocol
Authentication – “What you have”
• Offline by Terminal – requires an RSA-capable chip
• Online on Issuer Host
Verification – “What you know”
• Signature
• Match PIN in Chip – recommended for Offline Authorization
• Online PIN
• No CVM
Authorization – “You have the funds”
• Online – Host Authorized
• Offline at Merchant – based on Issuer-defined Card Risk Management parameters; requires Offline Authentication
Layering Security is the Right Answer
Offline Data Authentication – the norm in Europe, Canada and Australia
Merchants and Acquirers
• When the network is down or running slow, the merchant at least knows the card is authentic
• If the terminal floor limit is not zero, knowing the card is authentic, the merchant can ask the card to approve
Issuers
• The card requires a crypto-processor to support DDA or CDA
• The Issuer must establish an RSA key pair and request an Issuer Public Key certificate from the Payment Network
Online Data Authentication – the way PIN Debit transactions are secured
Merchants, Acquirers and Networks
• Must manage the keys necessary to encrypt the PIN between the POS and the Payment Network
• Must send Field 55 EMV data to the Issuer Host for authentication
Issuers
• Authenticate the cryptogram to prove the card was or is present at the time of purchase
• ARQC – Authorization Request Cryptogram
• ARPC – Authorization Response Cryptogram
• TC – Transaction Certificate
• AAC – Application Authentication Cryptogram
EMV Gives The Merchant and Issuer Assurance
Transit Authorities see offline data authentication as a requirement
Offline Card Authentication – provides Merchant Authentication
• Requires an RSA-capable processor
• Personalize the card with the Card & Issuer public keys & certificates and a unique RSA secret
• Public keys simply need to be loaded and maintained in the terminal
• The terminal authenticates the card
Online Data Authentication – provides Issuer Authentication
• Personalization of the card with a unique set of secret keys
• The card generates a cryptogram, “ARQC” & “TC”, by signing card, terminal and transaction data with the secret key
• The terminal forwards Field 55 “ICC or EMV data”, including the “ARQC” or “TC” and the signed data, to the Issuer
• The Issuer authenticates the card data when authorizing the transaction
• The Issuer returns an “ARPC” and Scripts in Field 55 to the card, allowing Issuer authentication and parameter updates
Authentication Addresses Counterfeit Fraud
Public Key loaded in Terminal
• Public keys are distributed to all terminals supporting Offline Data Authentication
Issuer is a Member
• At personalization an RSA key pair and issuer certificates are loaded into the secure element
Card is Authentic
• The card generates a unique certificate
• The point of sale authenticates the card
EMV supports four card authentication methods:
• Online Data Authentication: the card creates a unique digital signature delivered to the Issuer Host for authentication
• Offline Data Authentication
  • Static data authentication (SDA): the data verified by the POS is always the same
  • Dynamic data authentication (DDA): the data verified by the POS is dynamic for each transaction
  • Combined DDA and application cryptogram (CDA): merges DDA with the application cryptogram
International schemes require DDA or CDA if offline capable
EMV Offers Combined or Dynamic Data Authentication
(Figure: the EMV public key hierarchy, reconstructed from the slide labels)
Certificate Authority – CAPKi public key (loaded in terminals) and private key
  RSASign → Issuer Public Key certificate
Issuer Keys – Issuer Public Key and private key
  RSASign → ICC Public Key certificate
  RSASign → SDA signature over the card’s clear-text static data
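The hierarchy on this slide, together with the DDA flow on the earlier offline-authentication slides, as an added runnable toy. This is not Oberthur's code and not the byte-exact certificate layout of EMV Book 2: it keeps the EMV ideas (RSA signature with message recovery framed 6A … BC, a modulus "remainder" that is hashed but not recovered, the terminal's unpredictable number bound into the dynamic signature) on demo-sized 512-bit keys generated in pure Python, and all names are the example's own.

```python
"""Toy model of EMV offline data authentication (DDA): an RSA chain CA -> Issuer -> ICC,
ending with the ICC signing data that include the terminal's unpredictable number."""
import hashlib
import random
from math import gcd

RSA_BITS = 512                        # toy size; production CA keys are far larger
_rng = random.SystemRandom()

def _is_probable_prime(n: int, rounds: int = 16) -> bool:   # Miller-Rabin, demo grade
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:                       # top two bits set, so n is exactly RSA_BITS long
        cand = _rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(cand):
            return cand

def gen_keypair(e: int = 65537):
    """Return ((n, e), (n, d)); n >= 2**(RSA_BITS-1), so a 0x6A-headed message is < n."""
    while True:
        p, q = _random_prime(RSA_BITS // 2), _random_prime(RSA_BITS // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

_nlen = lambda n: (n.bit_length() + 7) // 8          # modulus length in bytes

def sign_recoverable(priv, payload: bytes, extra: bytes = b"") -> bytes:
    """Simplified EMV signature with recovery: RSA-sign 6A || payload || SHA-1(payload||extra) || BC.
    'extra' is data the verifier already holds: it is hashed but not recovered."""
    n, d = priv
    assert len(payload) == _nlen(n) - 22, "payload must exactly fill the recoverable part"
    msg = b"\x6a" + payload + hashlib.sha1(payload + extra).digest() + b"\xbc"
    return pow(int.from_bytes(msg, "big"), d, n).to_bytes(_nlen(n), "big")

def recover(pub, sig: bytes, extra: bytes = b""):
    """Return the recovered payload if header, trailer and hash check out, else None."""
    n, e = pub
    if len(sig) != _nlen(n):
        return None
    msg = pow(int.from_bytes(sig, "big"), e, n).to_bytes(_nlen(n), "big")
    payload, digest = msg[1:-21], msg[-21:-1]
    if msg[0] != 0x6A or msg[-1] != 0xBC:
        return None
    return payload if hashlib.sha1(payload + extra).digest() == digest else None

def certify(parent_priv, child_pub) -> dict:
    """Certificate for child_pub: the leading modulus bytes are recovered from the signature;
    the overflow ('remainder') and the exponent travel in clear but are bound by the hash."""
    n_parent, _ = parent_priv
    child_n, child_e = child_pub
    mod = child_n.to_bytes(_nlen(child_n), "big")
    avail = _nlen(n_parent) - 22 - 1              # one byte carries the modulus length
    head, rem = mod[:avail], mod[avail:]
    payload = bytes([len(mod)]) + head.ljust(avail, b"\xbb")   # 'BB' padding as in EMV
    e_bytes = child_e.to_bytes(3, "big")
    return {"sig": sign_recoverable(parent_priv, payload, rem + e_bytes),
            "remainder": rem, "exponent": e_bytes}

def verify_certificate(parent_pub, cert: dict):
    """Validate cert with the parent's public key; return the child public key or None."""
    payload = recover(parent_pub, cert["sig"], cert["remainder"] + cert["exponent"])
    if payload is None:
        return None
    mod = (payload[1:] + cert["remainder"])[:payload[0]]
    return int.from_bytes(mod, "big"), int.from_bytes(cert["exponent"], "big")

def dda_sign(icc_priv, icc_dynamic: bytes, unpredictable: bytes) -> bytes:
    """ICC side of DDA: the terminal's unpredictable number is bound into the hash."""
    return sign_recoverable(icc_priv, icc_dynamic.ljust(_nlen(icc_priv[0]) - 22, b"\xbb"), unpredictable)

def terminal_verify(ca_pub, issuer_cert, icc_cert, dyn_sig, unpredictable: bytes) -> bool:
    """Terminal side: CA key -> issuer key -> ICC key -> dynamic signature."""
    issuer_pub = verify_certificate(ca_pub, issuer_cert)
    icc_pub = verify_certificate(issuer_pub, icc_cert) if issuer_pub else None
    return icc_pub is not None and recover(icc_pub, dyn_sig, unpredictable) is not None

def build_demo():
    """Constructed demo data: one CA, one issuer, one card and one terminal challenge."""
    (ca_pub, ca_priv), (iss_pub, iss_priv), (icc_pub, icc_priv) = (gen_keypair() for _ in range(3))
    certs = certify(ca_priv, iss_pub), certify(iss_priv, icc_pub)
    nonce = bytes.fromhex("1A2B3C4D")             # terminal unpredictable number (constructed)
    return (ca_pub, *certs, dda_sign(icc_priv, bytes.fromhex("0002A1B2"), nonce), nonce)
```

Call build_demo() and pass its result to terminal_verify(): the genuine card verifies, while the same dynamic signature presented against a different unpredictable number, or a certificate whose remainder was altered in transit, is rejected.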
• Plaintext PIN for ICC verification
• Enciphered PIN for online verification
• Signature (paper)
• Enciphered PIN for offline verification
• No CVM required
Each Kernel Has a Set of CVM Capabilities
Signature Preferring
• Signature
• No CVM
PIN Preferring
• Online PIN
• Signature
• No CVM
International Traveler
• Online PIN
• Offline Enciphered PIN
• Offline Clear Text PIN
• Signature
• No CVM
The Card Carries The CVM List
Common Debit
• Online PIN
• No CVM
Alternate Debit
• Online PIN
• Offline Enciphered PIN
• Offline Clear Text PIN
• No CVM
Address Unattended Terminals
• Online PIN
• Signature
• Offline Enciphered PIN
• Offline Clear Text PIN
• No CVM
Chip and Signature – Chip and PIN (lost and stolen fraud) – Chip and Choice
Support for PIN Selection, PIN Synchronization, Verified in ICC or Online
EMV Cardholder Verification For Every Occasion
Selectable Kernel
The terminal selects the EMVCo approved Kernel based on amount & tender type. The Kernel has a predefined set of Terminal CVM Capabilities.
The CVM List presents the terminal with a prioritized list, e.g.
• Online PIN verification
• PIN verification in ICC
• Signature
• No CVM
The terminal selects the CVM by comparing the CVM List of the selected AID to the Kernel’s CVM Capabilities.
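The comparison described above, as an added worked example (not Oberthur's code and not a certified kernel): it parses a card's CVM List (tag 8E) and walks it against the kernel capability sets from the previous slides. It assumes amounts in minor units of the application currency and models only the EMV Book 3 method and condition codes it uses; the sample lists are constructed.

```python
"""Worked model of EMV CVM List (tag 8E) processing against a kernel's CVM capabilities."""

# CVM method codes (low six bits of a rule's first byte)
FAIL, PLAINTEXT_PIN_ICC, ONLINE_PIN, ENCIPHERED_PIN_ICC = 0x00, 0x01, 0x02, 0x04
SIGNATURE, NO_CVM = 0x1E, 0x1F
APPLY_NEXT_IF_FAIL = 0x40            # bit 7 of the first byte: try the next rule if this one fails
NAMES = {PLAINTEXT_PIN_ICC: "Plaintext PIN verified by ICC", ONLINE_PIN: "Online PIN",
         ENCIPHERED_PIN_ICC: "Enciphered PIN verified by ICC",
         SIGNATURE: "Signature", NO_CVM: "No CVM"}

# Constructed sample CVM Lists, as a card would return them in tag 8E.
# Common debit shape: No CVM under X = 2500 (25.00), otherwise Online PIN, otherwise fail.
COMMON_DEBIT = bytes.fromhex("000009C4" "00000000" "1F06" "4200" "0000")
# "International Traveler" shape: each PIN method if supported, then signature, then No CVM.
TRAVELER = bytes.fromhex("00000000" "00000000" "4403" "4103" "4203" "5E03" "1F00")
# Kernel CVM capability sets from the slides.
SIGNATURE_PREFERRING = {SIGNATURE, NO_CVM}
PIN_PREFERRING = {ONLINE_PIN, SIGNATURE, NO_CVM}
UNATTENDED = {NO_CVM}


def parse_cvm_list(data: bytes):
    """Tag 8E value: 4-byte amount X, 4-byte amount Y, then 2-byte rules in priority order."""
    if len(data) < 8 or len(data) % 2:
        raise ValueError("malformed CVM List")
    x, y = int.from_bytes(data[:4], "big"), int.from_bytes(data[4:8], "big")
    rules = [(data[i] & 0x3F, bool(data[i] & APPLY_NEXT_IF_FAIL), data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules


def _condition_met(cond: int, x: int, y: int, amount: int, supported: bool) -> bool:
    """Subset of the EMV Book 3 CVM condition codes."""
    return {0x00: True,                  # always
            0x03: supported,             # if the terminal supports the CVM
            0x06: amount < x,            # if the transaction is under X
            0x07: amount > x,            # if over X
            0x08: amount < y,            # if under Y
            0x09: amount > y,            # if over Y
            }.get(cond, False)           # cash/cashback codes are not modelled: treated as not met


def select_cvm(cvm_list: bytes, terminal_caps: set, amount: int) -> tuple:
    """Walk the prioritized list.  A rule whose condition is not met is skipped; a met rule
    whose method the kernel cannot perform fails verification unless bit 7 says to continue.
    Returns (method code, description)."""
    x, y, rules = parse_cvm_list(cvm_list)
    for method, apply_next, cond in rules:
        supported = method in terminal_caps
        if not _condition_met(cond, x, y, amount, supported):
            continue
        if supported:
            return method, NAMES.get(method, f"method {method:#04x}")
        if not apply_next:
            break
    return FAIL, "Cardholder verification failed"


if __name__ == "__main__":
    for name, caps in (("PIN preferring", PIN_PREFERRING),
                       ("Signature preferring", SIGNATURE_PREFERRING), ("Unattended", UNATTENDED)):
        print(name, "| traveler card:", select_cvm(TRAVELER, caps, 5000)[1],
              "| debit 10.00:", select_cvm(COMMON_DEBIT, caps, 1000)[1],
              "| debit 50.00:", select_cvm(COMMON_DEBIT, caps, 5000)[1])
```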
POS Must Understand the EMV Transaction Flow
(Transaction flow, reconstructed from the slide)
EMV Start: Answer to Reset → Application Selection → Initiate Application → Read Application Data
EMV Continue: Data Authentication → Processing Restrictions → Cardholder Verification → Terminal Risk Management → Terminal Action Analysis → Card Action Analysis (Online/Offline Decision)
EMV Complete: Online → Online Processing → Issuer Authentication → Script Processing → Completion; Offline → Completion
Card Risk Management and Transaction Authorization
Offline Capable, Online Preferring or 100% Online
(Message flows between Consumer, Merchant, Acquiring Processor, Scheme and Issuing Processor, reconstructed from three slides)
Offline: If < Floor Limit, or the Network is Down, the card approves at the merchant; Clearing (x240) – clearing when not in a x200 message – optionally includes the TC or AAC
Online: If > Floor Limit, or Always Online – Authorization (x100) or Financial Request (x200) includes the ARQC or AAC; Clearing (x240) includes the TC or AAC
Issuer response: Authorization (x110) or Financial Response (x210) includes the ARPC and Scripts (“Funds Available” is checked at the Issuing Processor); Clearing (x240) – clearing when not in a x200 message – optionally includes the TC or AAC
EMV Ensures Issuer Control of Authorization
The design of EMV assured Issuer control of the authorization for each transaction at the Point of Interaction
• Terminal Risk Management allows the merchant / acquirer and scheme to set a floor limit under which the terminal will ask the card to approve the transaction
• Card Risk Management employs a dynamic set of parameters, allowing the Issuer to authorize the transaction without the expense of an online authorization request
The purpose - guarantee cardholder satisfaction, manage financial risk and reduce the cost of processing payments for all stakeholders
Card/Issuer Decision is Final (rows: what the terminal requests; columns: what the card returns)
Terminal Requests   TC - Offline    ARQC - Online   AAC - Decline
TC - Offline        Card Decides    Card Decides    Card Decides
ARQC - Online       Not Allowed     Card Decides    Card Decides
AAC - Decline       Not Allowed     Not Allowed     Card Decides
APPLICATION SELECTION - DESIGNED TO SUPPORT MULTI-ACCOUNT CARDS
The Terminal Must Read the Card
(Flow: Insert Card → Answer to Reset → Select AID(s), typically associated with a Payment Brand → Develop Candidate AID List → Consumer Selection)
Application Selection Enables Multi Account Cards
The Debit Conundrum – Consumer Selection screen:
$xxx.xx
Pay With
1. Your Bank’s Credit Card
2. Your Bank’s Debit Card
3. Your Bank’s T&E Card
1, 2 or 3?
Approved
Please Remove Card
US Debit Is Different
US Debit Card – One Account; Route and AID are linked in the Payment Network Rules:
1. Visa or MasterCard
2. Pulse
3. Shazam
4. Star
Out of the Box EMV – Consumer Selection screen:
$132.95
Pay With?
1. Visa or MasterCard
2. US Debit
Enter 1 or 2 to select payment method?
As Today – Consumer Selection: Credit / Debit
An alternate – Consumer Selection: Credit / Debit
PIN Steering – Consumer Selection screen:
$132.95
Pay With?
1. US Debit
PSE – Payment Systems Environment
AID – Application Identifier
PUTTING IT ALL TOGETHER
Shared Data Enables Distinct Behaviors
PIN, PIN Try Counter and PIN Retry Limit
The Profile Defines The CPU, Applet and Memory
Key Management Assures the Security EMV Enables
Operating System & Applications Each with an LOA
OT’s products are certified, available in multiple memory sizes and support data sharing for US Debit
(Product matrix, reconstructed from the slide labels)
Interfaces: Contact (SDA); Contact RSA (DDA, CDA); Dual (DDA, CDA) – Online Only or Offline Capable
Platforms: Cosmo S v5, Cosmo RSA v5, Cosmo RSA v5.8, Cosmo Fly v5, Cosmo Fly v5.9, Chrysalis v3.2, Chrysalis v4.0, Chrysalis Fly v3.4
Applications & Versions: MC4 Multi-App, MC4 + NMC, MC2 + MC4 + NMC, MCA v1.1, MCA v1.2 Multi-App, PPMC1.3.1, VSDC 2.8.1t, VSDC 2.8.1am2s, VSDC 2.8.1f1, VSDC 2.8.1f, VSDC 2.8.1g, VSDC 2.8.1G, VIS1.5.4, VIS1.5.4 + VCPS2.1.2, D-PAS v1.1, D-PAS v1.1 + CL v1.0, AEIPS v4.2, AEIPS v4.2 & EP2.0
The LOA Assures Compliance and Security
Branch and Bureau Issuance
(Issuance flow, reconstructed from the slide)
Account creation or card renewal → Application is transferred to Issuer CMS → Account and card request are created → Batch or Real Time Card request is sent to CPS → Card request blob is generated → EMV blob is retrieved by workstation → APDUs are exchanged with Chip
OT Service Centre: Cards Prepared for production → EMV file is generated
Philip Andreae
Vice President, Field Marketing
p.andreae@oberthur.com
+1 404 680 9640

Analysis of Applicability of ISO 9564 PIN based Authentication to Closed-Loop...Analysis of Applicability of ISO 9564 PIN based Authentication to Closed-Loop...
Analysis of Applicability of ISO 9564 PIN based Authentication to Closed-Loop...
 
NFC Basic Concepts
NFC Basic ConceptsNFC Basic Concepts
NFC Basic Concepts
 
What is A Smart Card
What is A Smart CardWhat is A Smart Card
What is A Smart Card
 
Offensive Payment Security
Offensive Payment SecurityOffensive Payment Security
Offensive Payment Security
 
EMV COMPLIANCE & SECURE EMV CHIP TECHNOLOGY FOR EVERY RETAILER ACROSS CANADA
EMV COMPLIANCE & SECURE EMV CHIP TECHNOLOGY FOR EVERY RETAILER ACROSS CANADAEMV COMPLIANCE & SECURE EMV CHIP TECHNOLOGY FOR EVERY RETAILER ACROSS CANADA
EMV COMPLIANCE & SECURE EMV CHIP TECHNOLOGY FOR EVERY RETAILER ACROSS CANADA
 
Sploitego
SploitegoSploitego
Sploitego
 
7 Ways to Make EMV Easier / Webinar
7 Ways to Make EMV Easier / Webinar7 Ways to Make EMV Easier / Webinar
7 Ways to Make EMV Easier / Webinar
 
Iiw13 identifying with_your_bank
Iiw13 identifying with_your_bankIiw13 identifying with_your_bank
Iiw13 identifying with_your_bank
 
Session 2.4 - Integrated Transport
Session 2.4 - Integrated TransportSession 2.4 - Integrated Transport
Session 2.4 - Integrated Transport
 
Security and Privacy in the current e-mobility charging infrastructure
Security and Privacy in the current e-mobility charging infrastructureSecurity and Privacy in the current e-mobility charging infrastructure
Security and Privacy in the current e-mobility charging infrastructure
 
IRJET- Guarded Remittance System Employing WANET for Catastrophe Region
IRJET-  	  Guarded Remittance System Employing WANET for Catastrophe RegionIRJET-  	  Guarded Remittance System Employing WANET for Catastrophe Region
IRJET- Guarded Remittance System Employing WANET for Catastrophe Region
 
P1Cab Company Schedulinglet Di = # of drivers who start their 8 ho.docx
P1Cab Company Schedulinglet Di = # of drivers who start their 8 ho.docxP1Cab Company Schedulinglet Di = # of drivers who start their 8 ho.docx
P1Cab Company Schedulinglet Di = # of drivers who start their 8 ho.docx
 

EMV 201 EMF June 2016

  • 1. EMV 201: EMV Chip Profiles and Considerations for Issuers and Merchants. Philip Andreae, Oberthur Technologies
  • 2. © Oberthur Technologies 2016 - EMV 201 - PEA, 23 October 2016 (slide footer; the slide itself carries no extractable text)
  • 3. Why EMV?
      • No Longer Secure (circa 1991). In 1993 Europay, MasterCard and Visa came together to economically solve for Counterfeit and Lost & Stolen Fraud.
      • EMV Restored “The Token”. In 1996 the EMV Specifications were published with the collective agreement that global Interoperability is the Goal; each at their own pace.
      • Authentication – What You Have (a Card/Phone): Hologram, Infra Red Ink, Magnetic Stripe, cvv1/cvc1
      • Verification – What You Know (a Secret): Signature, Online PIN, Match-In PIN
      • Authorization – Are You Able: Online, Terminal Floor Limit & cvv2/cvc2
  • 4. In 1998 Global Deployment Began. In 2012 The USA Embraced EMV. An extrapolation taking First Annapolis, EMVCO, AITA and SPA input into consideration; these are not the views of Oberthur.
  • 5. EMV EMPLOYS HARDWARE BASED CRYPTOGRAPHY TO SECURE PAYMENTS
  • 6. Magnetic Stripe Processing Was Easy For Everyone (flowchart)
      • Read Track Data; if Service Code = 2xx or 6xx → EMV Start
      • Total > Terminal Floor Limit? Yes → Issuer Authorizes Transaction; No → Check Electronic Stop List
      • Print Receipt → Verify Signature → Data Capture for Overnight Settlement
  • 7. EMV Is Not for the Light Hearted
      • ISO Specifications
        • ISO 8583 – Financial transaction card originated messages
        • ISO 7816 – Smart Card: Part 1: Physical characteristics; Part 2: Cards with contacts – Dimensions and location of the contacts; Part 3: Cards with contacts – Electrical interface and transmission protocols; Part 4: Organization, security and commands for interchange
        • ISO 14443 – Contactless: Part 1: Physical characteristics; Part 2: Radio frequency power and signal interface; Part 3: Initialization and anti-collision; Part 4: Transmission protocol
      • EMV Specifications
        • EMVCo Version 4.3 – Contact: Book 1: Application independent ICC to terminal interface requirements; Book 2: Security and key management; Book 3: Application specification; Book 4: Cardholder, attendant and acquirer interface requirements
        • EMVCo Version 2.3 – Contactless: Book A: Architecture and general requirements; Book B: Entry point specification; Books C1-7: Kernel specifications; Book D: Communications protocol
      • Payment System Specifications: AEIPS - D-Pas - MChip - VIS - CPA
  • 8. Based On Standards - Built on Evolving Technology (repeats the specification map of slide 7)
  • 9. When Implementing EMV Issuers Think About
      • Card design
      • Chip selection
      • Script processing
      • Cardholder verification
      • Authentication requirements
      • Key management requirements
      • Fraud and risk management systems
      • PIN management & PIN synchronization
      • Cardholder education and marketing messages
      • Educating the branch, call center & the team on EMV
      • Card Risk Management and Transaction Authorization
      • What merchants are doing to filter debit application selection
      • Credit & debit card processing must perform online authentication
      • And ….
  • 10. Implementing EMV Requires Your “A” Team: Project Initiation → Vendor Selection → Negotiate with Processor → Define Profile → Select Chip → Define Input File → Perform Key Ceremonies → Profile Development → Staff Training → Develop Customer Education → Payment Scheme Certification → End to End Testing → Account Conversion → Issue Chip Cards → Accept First Transaction
  • 11. EMV Embedded an Integrated Circuit in the Card
      • Hardware: CPU, Crypto processor, Flash, E2PROM or ROM, RAM, Security & Sensors; Antenna
      • BIOS: Basic Input Output System
      • Operating System: Native or Global Platform & Java Card API
      • Application: AEIPS, CPA, D-Pas, MChip, VSDC …, Domestic
      • Data
  • 12. The Chip Card is a Secure Element with Data Inside
      • Hardware: Antenna, CPU, Crypto processor, Flash, E2PROM or ROM, RAM, Security & Sensors
      • BIOS: Basic Input Output System
      • Operating System: Native or Global Platform & Java Card API
      • Application: AEIPS, CPA, D-Pas, MChip, VSDC …, Domestic
      • Data: ADF(s), AID(s), AIP, ATC, AUC, Cardholder Name, CID, CVM List, Expiry Date, IAC(s), LCOL, PAN, UCOL, Track 2 Equivalent Data…
  • 13. Applications and Data are Specified and Structured
      • Application: the Payment Networks define, license and approve implementations of their specification running in the card and on the terminal
        • Visa – VIS; MasterCard – MChip; Discover – D-Pas; Amex – AEIPS; JCB – J/Smart; EMVCo – CPA (OT = WISE)
        • The terminal specification defines how the terminal will operate and use the EMV Tool Kit
        • The Chip Specification defines what the software in the card must do in response to commands from the Terminal
        • Test Plans allow card and terminal vendors to prove their products perform as required
      • AID – Application Identifier: the AID is the name of the Application Directory File (ADF) in the chip; the terminal and consumer select the AID
        • Application: RID, PIX
        • Visa (credit or debit): A000000003, 1010; Visa Plus: A000000003, 8010; Visa Interlink: A000000003, 3010; US Common Debit: A000000098, 0840
        • MasterCard: A000000004, 1010; Maestro Int’l: A000000004, 3060; Cirrus: A000000004, 6000; US Maestro: A000000004, 2203
        • Amex: A000000025, 01XX
        • JCB: A000000065, 1010
        • Oberthur: A000000077, XXXX
        • Discover: A000000152, 3010; Discover Common Debit: A000000152, 4010
        • DNA Common Debit: A000000620, 0620
  • 14. Each Account is Stored in an Application Data File (diagram: ADF → SFI → EF, EF; SFI → EF)
  • 15. THE PROFILE AND THE TERMINAL CAPABILITIES DEFINE THE BEHAVIOR
  • 16. EMV Defines the Terminal to Card Protocol
      • Authentication – “What you have”: Offline by Terminal (requires RSA capable chip); Online on Issuer Host
      • Verification – “What you know”: Signature; Match PIN in Chip (recommended for Offline Authorization); Online PIN; No CVM
      • Authorization – “You have the funds”: Online, Host Authorized; Offline at Merchant, based on Issuer Defined Card Risk Management Parameters (requires Offline Authentication)
  • 17. Layering Security is the Right Answer
      • Offline Data Authentication – the norm in Europe, Canada and Australia; Transit Authorities see offline data authentication as a requirement
        • Merchants and Acquirers: when the network is down or running slow the merchant at least knows the card is authentic; if the Terminal Floor Limit is not zero, knowing the card is authentic the merchant can ask the card to approve
        • Issuers: the card requires a crypto-processor to support DDA or CDA; the issuer must establish an RSA key pair and request an Issuer Public Key certificate from the Payment Network
      • Online Data Authentication – the way PIN Debit transactions are secured
        • Merchants, Acquirers and Networks: must manage the keys necessary to encrypt the PIN between POS and Payment Network; must send Field 55 EMV data to the Issuer Host for Authentication
        • Issuers: authenticate the Cryptogram to prove the card was or is present at the time of purchase
          • ARQC – Application Request Cryptogram
          • ARPC – Application Response Cryptogram
          • TC – Transaction Certificate
          • AAC – Application Authentication Cryptogram
  • 18. EMV Gives The Merchant and Issuer Assurance
      • Offline Card Authentication provides Merchant Authentication
        • Requires an RSA capable processor
        • Personalize the card with Card & Issuer public keys & certificates and a unique RSA secret
        • Public keys simply need to be loaded and maintained in the terminal
        • The terminal authenticates the card
      • Online Data Authentication provides Issuer Authentication
        • Personalization of the card with a unique set of secret keys
        • The card generates a Cryptogram (“ARQC” or “TC”) by signing card, terminal and transaction data with the secret key
        • The terminal forwards Field 55 (“ICC or EMV data”), including the “ARQC” or “TC” and the signed data, to the Issuer
        • The Issuer authenticates the card data when authorizing the transaction
        • The Issuer returns an “ARPC” and Scripts in Field 55 to the card, allowing Issuer authentication and parameter updates
  • 19. Authentication Addresses Counterfeit Fraud
      • EMV supports four card authentication methods:
        • Online Data Authentication: the card creates a unique digital signature delivered to the Issuer Host for authentication
        • Offline Data Authentication
          • Static data authentication (SDA): the data verified by the POS is always the same
          • Dynamic data authentication (DDA): the data verified by the POS is dynamic for each transaction
          • Combined DDA and application cryptogram (CDA): merges DDA with the application cryptogram
      • International schemes require DDA or CDA if offline capable
      • Public Key loaded in Terminal: public keys are distributed to all terminals supporting Offline Data Authentication
      • Issuer is a Member: at personalization an RSA key pair and issuer certificates are loaded into the secure element
      • Card is Authentic: the card generates a unique certificate; the point of sale authenticates the card
  • 20. EMV Offers Combined or Dynamic Data Authentication (key hierarchy diagram)
      • Certificate Authority: CAPKi Public Key / Private Key; RSASign → Issuer Public Key certificate
      • Issuer Keys: Public Key / Private Key; RSASign → ICC Public Key certificate; RSASign → SDA signature over clear text data
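The certificate chain of slide 20 and the SDA/DDA distinction of slide 19, worked through in code. This is an added example, not Oberthur or EMVCo code: textbook RSA over fixed Mersenne-prime moduli with a truncated SHA-256 digest stands in for the EMV signature scheme (ISO/IEC 9796-2 as profiled in Book 2), the certificate is a simplified dict rather than the Book 2 certificate format, and the keys, BIN, PAN, unpredictable numbers and ATC values are constructed. What it shows is why a terminal holding only the CA public key can trust a card it has never seen, and why a copied card fails DDA even though every byte of static data is genuine.

```python
"""Offline data authentication chain behind slides 19-20 (added example)."""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every key in the demo (assumption)


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    d: int  # private exponent


def make_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA key from two primes; the terminal only ever sees n."""
    return KeyPair(n=p * q, d=pow(E, -1, (p - 1) * (q - 1)))


def digest(data: bytes) -> int:
    # 88-bit truncation keeps the message below the smallest (ICC) modulus used here
    return int.from_bytes(hashlib.sha256(data).digest()[:11], "big")


def rsa_sign(key: KeyPair, data: bytes) -> int:
    return pow(digest(data), key.d, key.n)


def rsa_verify(n: int, data: bytes, sig: int) -> bool:
    return 0 < sig < n and pow(sig, E, n) == digest(data)


def cert_body(subject: str, n: int) -> bytes:
    # what the signer commits to: holder identity plus holder public modulus
    return subject.encode() + b"|" + n.to_bytes((n.bit_length() + 7) // 8, "big")


def issue_cert(signer: KeyPair, subject: str, holder_n: int) -> dict:
    return {"subject": subject, "n": holder_n, "sig": rsa_sign(signer, cert_body(subject, holder_n))}


def verify_cert(signer_n: int, cert: dict) -> bool:
    return rsa_verify(signer_n, cert_body(cert["subject"], cert["n"]), cert["sig"])


def dynamic_data(unpredictable_number: bytes, atc: int) -> bytes:
    # terminal-chosen challenge plus the card's Application Transaction Counter
    return unpredictable_number + atc.to_bytes(2, "big")


def card_sign_dynamic(icc_key: KeyPair, un: bytes, atc: int) -> int:
    """Card side of DDA: answer the terminal's challenge with the ICC private key."""
    return rsa_sign(icc_key, dynamic_data(un, atc))


def terminal_dda(capk_n: int, issuer_cert: dict, icc_cert: dict, un: bytes, atc: int, sig: int) -> bool:
    """Terminal side: CA public key (CAPKi, loaded in the terminal) -> Issuer
    Public Key certificate -> ICC Public Key certificate -> dynamic signature."""
    if not verify_cert(capk_n, issuer_cert):
        return False                              # issuer is not a member of this CA
    if not verify_cert(issuer_cert["n"], icc_cert):
        return False                              # card key was not certified by the issuer
    return rsa_verify(icc_cert["n"], dynamic_data(un, atc), sig)


# Constructed keys: Mersenne primes so the demo needs no prime generator.
CA_KEY = make_keypair(2**127 - 1, 2**521 - 1)       # Certificate Authority (payment network)
ISSUER_KEY = make_keypair(2**89 - 1, 2**107 - 1)    # issuer RSA key pair (slide 17)
ICC_KEY = make_keypair(2**31 - 1, 2**61 - 1)        # per-card key, personalised into the chip
ISSUER_CERT = issue_cert(CA_KEY, "issuer:400000", ISSUER_KEY.n)          # constructed BIN
ICC_CERT = issue_cert(ISSUER_KEY, "pan:4000001234567899", ICC_KEY.n)     # constructed PAN


def run_demo() -> dict:
    un1, un2 = bytes.fromhex("11223344"), bytes.fromhex("55667788")   # constructed challenges
    sig1 = card_sign_dynamic(ICC_KEY, un1, atc=41)
    tampered = dict(ISSUER_CERT, n=ISSUER_CERT["n"] + 2)   # modulus swapped, CA signature kept
    return {
        # genuine card answers a fresh challenge with its private key
        "genuine": terminal_dda(CA_KEY.n, ISSUER_CERT, ICC_CERT, un1, 41, sig1),
        # a copy of all static data plus an old signature fails a new challenge (why DDA beats SDA)
        "replayed_signature": terminal_dda(CA_KEY.n, ISSUER_CERT, ICC_CERT, un2, 42, sig1),
        # a certificate altered after signing breaks the chain at the CA step
        "tampered_issuer_cert": terminal_dda(CA_KEY.n, tampered, ICC_CERT, un1, 41, sig1),
    }


if __name__ == "__main__":
    print(run_demo())
```

The terminal never needs the issuer's or card's public key in advance: both arrive on the card inside certificates, and only the CAPKi modulus has to be distributed to terminals, which is the key-management burden slide 18 refers to.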
  • 21. Each Kernel Has a Set of CVM Capabilities: Plaintext PIN for ICC verification; Enciphered PIN for online verification; Signature (paper); Enciphered PIN for offline verification; No CVM required
  • 22. The Card Carries The CVM List
      • Signature Preferring: Signature; No CVM
      • PIN Preferring: Online PIN; Signature; No CVM
      • International Traveler: Online PIN; Offline Enciphered PIN; Offline Clear Text PIN; Signature; No CVM
      • Common Debit: Online PIN; No CVM
      • Alternate Debit: Online PIN; Offline Enciphered PIN; Offline Clear Text PIN; No CVM
      • Address Unattended Terminals: Online PIN; Signature; Offline Enciphered PIN; Offline Clear Text PIN; No CVM
  • 23. EMV Cardholder Verification For Every Occasion
      • Chip and Signature; Chip and PIN (Lost and Stolen Fraud); Chip and Choice: support for PIN selection, PIN synchronization, verified in ICC or Online
      • Selectable Kernel: the terminal selects the EMVCo approved Kernel based on amount & tender type; the Kernel has a predefined set of Terminal CVM Capabilities
      • The CVM List presents the terminal with a prioritized list, e.g. Online PIN verification; PIN verification in ICC; Signature; No CVM
      • Verification: the terminal selects the CVM by comparing the CVM List of the selected AID to the Kernel’s CVM Capabilities
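The comparison slide 23 describes, the card's CVM List against the kernel's CVM capabilities, run over the profiles of slide 22. This is an added example, not Oberthur or EMVCo code. The CVM List encoding (amount X, amount Y, two-byte CV Rules with the CVM and condition codes) follows EMV Book 3 tag 8E; the kernel capability sets, amounts and the extra "pin_or_nothing" profile are constructed, and a supported method is assumed to succeed when performed, since the PIN itself is verified elsewhere.

```python
"""CVM List processing: how a terminal picks the cardholder verification method (added example)."""
import struct
from dataclasses import dataclass

# CVM codes: low six bits of the first byte of each CV Rule (EMV Book 3)
(FAIL_CVM, PLAIN_PIN_ICC, ENC_PIN_ONLINE, PLAIN_PIN_ICC_SIG,
 ENC_PIN_ICC, ENC_PIN_ICC_SIG, SIGNATURE, NO_CVM) = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x1E, 0x1F
APPLY_NEXT_IF_FAIL = 0x40          # bit 7: card allows falling through to the next rule
NAMES = {FAIL_CVM: "fail", PLAIN_PIN_ICC: "offline_plain_pin", ENC_PIN_ONLINE: "online_pin",
         PLAIN_PIN_ICC_SIG: "offline_plain_pin+signature", ENC_PIN_ICC: "offline_enc_pin",
         ENC_PIN_ICC_SIG: "offline_enc_pin+signature", SIGNATURE: "signature", NO_CVM: "no_cvm"}
# Condition codes: second byte of each CV Rule
(ALWAYS, IF_UNATTENDED_CASH, IF_NOT_CASH, IF_SUPPORTED, IF_MANUAL_CASH,
 IF_CASHBACK, UNDER_X, OVER_X, UNDER_Y, OVER_Y) = range(10)


@dataclass
class Tx:
    amount: int                 # minor units of the transaction currency
    app_currency: bool = True   # transaction currency equals the application currency
    kind: str = "purchase"      # purchase | unattended_cash | manual_cash | cashback


def build_cvm_list(rules, x: int = 0, y: int = 0) -> bytes:
    """Encode tag 8E: amount X, amount Y, then the CV Rules in priority order."""
    return struct.pack(">II", x, y) + b"".join(bytes((code, cond)) for code, cond in rules)


def parse_cvm_list(data: bytes):
    x, y = struct.unpack(">II", data[:8])
    return x, y, [(data[i], data[i + 1]) for i in range(8, len(data), 2)]


def supports(caps: set, method: int) -> bool:
    if method == PLAIN_PIN_ICC_SIG:
        return PLAIN_PIN_ICC in caps and SIGNATURE in caps
    if method == ENC_PIN_ICC_SIG:
        return ENC_PIN_ICC in caps and SIGNATURE in caps
    return method in caps


def condition_met(cond: int, method: int, caps: set, tx: Tx, x: int, y: int) -> bool:
    cash = tx.kind in ("unattended_cash", "manual_cash", "cashback")
    return {
        ALWAYS: True,
        IF_UNATTENDED_CASH: tx.kind == "unattended_cash",
        IF_NOT_CASH: not cash,
        IF_SUPPORTED: supports(caps, method),
        IF_MANUAL_CASH: tx.kind == "manual_cash",
        IF_CASHBACK: tx.kind == "cashback",
        UNDER_X: tx.app_currency and tx.amount < x,
        OVER_X: tx.app_currency and tx.amount > x,
        UNDER_Y: tx.app_currency and tx.amount < y,
        OVER_Y: tx.app_currency and tx.amount > y,
    }.get(cond, False)          # unknown condition codes are treated as not satisfied


def select_cvm(cvm_list: bytes, caps: set, tx: Tx) -> str:
    """Walk the card's CVM List against the kernel's capabilities (Book 3, 10.5).
    Returns the method performed, or "fail" when no rule succeeds."""
    x, y, rules = parse_cvm_list(cvm_list)
    for byte1, cond in rules:
        method = byte1 & 0x3F
        if not condition_met(cond, method, caps, tx, x, y):
            continue                       # condition not satisfied: try the next rule
        if method != FAIL_CVM and supports(caps, method):
            return NAMES[method]           # demo assumes a supported CVM succeeds
        if byte1 & APPLY_NEXT_IF_FAIL:
            continue                       # unsupported or failed, but the card allows fallback
        return "fail"                      # card says stop here
    return "fail"                          # list exhausted: cardholder verification failed


def _chain(*methods):
    # every rule but the last is "if terminal supports, else fall through"
    return [(m | APPLY_NEXT_IF_FAIL, IF_SUPPORTED) for m in methods]


# Card CVM Lists from the profiles on slide 22 (constructed encodings)
PROFILES = {
    "signature_preferring": build_cvm_list(_chain(SIGNATURE) + [(NO_CVM, ALWAYS)]),
    "pin_preferring": build_cvm_list(_chain(ENC_PIN_ONLINE, SIGNATURE) + [(NO_CVM, ALWAYS)]),
    "international_traveler": build_cvm_list(
        _chain(ENC_PIN_ONLINE, ENC_PIN_ICC, PLAIN_PIN_ICC, SIGNATURE) + [(NO_CVM, ALWAYS)]),
    "common_debit": build_cvm_list(_chain(ENC_PIN_ONLINE) + [(NO_CVM, ALWAYS)]),
    # constructed issuer choice: No CVM only under X ($25.00), otherwise fail rather than fall back
    "pin_or_nothing": build_cvm_list(
        _chain(ENC_PIN_ONLINE) + [(NO_CVM | APPLY_NEXT_IF_FAIL, UNDER_X), (FAIL_CVM, ALWAYS)], x=2500),
}
KERNELS = {  # terminal CVM capability sets (constructed)
    "signature_pos": {SIGNATURE, NO_CVM},
    "pin_pad_pos": {ENC_PIN_ONLINE, ENC_PIN_ICC, PLAIN_PIN_ICC, SIGNATURE, NO_CVM},
    "unattended_kiosk": {NO_CVM},
}


def run_matrix(tx: Tx) -> dict:
    """Every profile against every kernel for one transaction."""
    return {(p, k): select_cvm(PROFILES[p], KERNELS[k], tx) for p in PROFILES for k in KERNELS}


if __name__ == "__main__":
    for (profile, kernel), result in run_matrix(Tx(4599)).items():
        print(f"{profile:24s} {kernel:18s} -> {result}")
```

The matrix makes the profile trade-offs visible: a PIN Preferring card silently becomes a signature card on a signature-only POS, and a Common Debit card with Online PIN and No CVM ends in No CVM there, which is what "Chip and Choice" and the issuer's choice of fallback rules are about.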
  • 24. POS Must Understand the EMV Transaction Flow
      • EMV Start: Answer to Reset → Application Selection → Initiate Application → Read Application Data
      • EMV Continue: Data Authentication → Processing Restrictions → Cardholder Verification → Terminal Risk Management → Terminal Action Analysis → Card Action Analysis → Online/Offline Decision
      • EMV Complete: Online Processing → Issuer Authentication → Script Processing → Completion (Online); or Completion (Offline)
  • 25. Card Risk Management and Transaction Authorization: Offline Capable, Online Preferring or 100% Online – If < Floor Limit
      • Consumer → Merchant → Acquiring Processor → Scheme → Issuing Processor
      • Clearing (x240) – clearing when not in a x200 message; optionally includes the TC or AAC
  • 26. Card Risk Management and Transaction Authorization: Offline Capable, Online Preferring or 100% Online – If > Floor Limit, Network Down
      • Authorization (x100) or Financial Request (x200), including the ARQC or AAC, does not reach the Issuing Processor (X)
      • Clearing (x240) includes the TC or AAC
  • 27. Card Risk Management and Transaction Authorization: Offline Capable, Online Preferring or 100% Online – Always Online
      • Authorization (x100) or Financial Request (x200) includes the ARQC or AAC
      • Authorization (x110) or Financial Response (x210) includes the ARPC and Scripts (Funds Available)
      • Clearing (x240) – clearing when not in a x200 message; optionally includes the TC or AAC
  • 28. EMV Ensures Issuer Control of Authorization
      • The design of EMV assured Issuer control of the authorization for each transaction at the Point of Interaction
        • Terminal Risk Management allows the merchant / acquirer and scheme to set a floor limit under which the terminal will ask the card to approve the transaction
        • Card Risk Management employs a dynamic set of parameters, allowing the Issuer to authorize the transaction without the expense of an online authorization request
      • The purpose: guarantee cardholder satisfaction, manage financial risk and reduce the cost of processing payments for all stakeholders
      • Terminal Requests vs. Card/Issuer Decision (the Card/Issuer Decision is Final):
        • Terminal requests TC (Offline): TC – Card Decides; ARQC – Card Decides; AAC – Card Decides
        • Terminal requests ARQC (Online): TC – Not Allowed; ARQC – Card Decides; AAC – Card Decides
        • Terminal requests AAC (Decline): TC – Not Allowed; ARQC – Not Allowed; AAC – Card Decides
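The online leg of slides 17-18 and 27 together with the decision matrix of slide 28, as an added example that is not Oberthur or EMVCo code. HMAC-SHA256 stands in for the 3DES/AES session-key MAC that EMV uses for the ARQC and ARPC (Book 2); the key derivation, the CDOL data layout and the dictionary standing in for Field 55 are simplified, and the issuer master key, PAN, amounts and unpredictable number are constructed. The point is what the issuer learns from Field 55: that a card holding the card-unique key signed exactly this amount for exactly this transaction counter, and nothing else.

```python
"""Online data authentication and the GENERATE AC decision (added example)."""
import hashlib
import hmac

TC, ARQC, AAC = "TC", "ARQC", "AAC"     # approve offline, go online, decline
CONSERVATIVE_ORDER = [TC, ARQC, AAC]    # slide 28: the card may only move rightwards


def derive_card_key(issuer_master_key: bytes, pan: str, pan_seq: str) -> bytes:
    # card-unique key diversified from the issuer master key (stand-in derivation)
    return hmac.new(issuer_master_key, (pan + pan_seq).encode(), hashlib.sha256).digest()


def session_key(card_key: bytes, atc: int) -> bytes:
    # per-transaction key bound to the Application Transaction Counter
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cdol_data(amount: int, currency: str, un: bytes, atc: int) -> bytes:
    # subset of CDOL1 data the card signs: amount, currency, unpredictable number, ATC
    return amount.to_bytes(6, "big") + currency.encode() + un + atc.to_bytes(2, "big")


def application_cryptogram(card_key: bytes, ac_type: str, data: bytes, atc: int) -> bytes:
    # 8-byte MAC over the cryptogram type and the transaction data
    return hmac.new(session_key(card_key, atc), ac_type.encode() + data, hashlib.sha256).digest()[:8]


def generate_ac(card_key: bytes, terminal_request: str, card_decision: str,
                amount: int, currency: str, un: bytes, atc: int) -> dict:
    """Card Action Analysis (slide 28): the card never upgrades the terminal's
    request (an ARQC request cannot become a TC), then MACs the data. The
    returned dict plays the role of the Field 55 ICC data the terminal forwards."""
    final = max(terminal_request, card_decision, key=CONSERVATIVE_ORDER.index)
    data = cdol_data(amount, currency, un, atc)
    return {"type": final, "amount": amount, "currency": currency, "un": un, "atc": atc,
            "ac": application_cryptogram(card_key, final, data, atc)}


class IssuerHost:
    """Issuer authorization host: recomputes the ARQC from its own copy of the
    key and answers with an ARPC in the x110 / x210 response (slide 27)."""

    def __init__(self, issuer_master_key: bytes):
        self.imk = issuer_master_key
        self.last_atc = {}   # highest ATC seen per PAN: a simple replay check

    def authorize(self, pan: str, pan_seq: str, field55: dict):
        card_key = derive_card_key(self.imk, pan, pan_seq)
        atc = field55["atc"]
        data = cdol_data(field55["amount"], field55["currency"], field55["un"], atc)
        expected = application_cryptogram(card_key, field55["type"], data, atc)
        if not hmac.compare_digest(expected, field55["ac"]):
            return False, None, "cryptogram invalid"      # data altered, or no card-unique key
        if atc <= self.last_atc.get(pan, -1):
            return False, None, "replayed ATC"
        self.last_atc[pan] = atc
        if field55["type"] != ARQC:
            return False, None, "no authorization requested"
        arc = b"00"                                        # authorisation response code: approved
        arpc = hmac.new(session_key(card_key, atc), field55["ac"] + arc, hashlib.sha256).digest()[:8]
        return True, arpc, "approved"


def card_verify_arpc(card_key: bytes, field55: dict, arpc: bytes) -> bool:
    """Issuer Authentication on the card: the response came from a host holding the key."""
    expected = hmac.new(session_key(card_key, field55["atc"]), field55["ac"] + b"00",
                        hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, arpc)


def run_demo() -> dict:
    imk = b"constructed-issuer-master-key-0001"
    pan, seq = "4000001234567899", "01"                  # constructed sample PAN
    card_key = derive_card_key(imk, pan, seq)
    host = IssuerHost(imk)
    un = bytes.fromhex("1a2b3c4d")                       # constructed unpredictable number

    f55 = generate_ac(card_key, ARQC, TC, 13295, "840", un, atc=17)   # the $132.95 of slide 33
    ok, arpc, reason = host.authorize(pan, seq, f55)
    altered = dict(f55, amount=1295)                     # amount changed after the card signed it
    replayed = dict(f55)                                 # the same Field 55 presented a second time
    return {
        "card_final_type": f55["type"],                  # ARQC: card wanted TC, terminal asked online
        "first_auth": (ok, reason),
        "arpc_accepted_by_card": card_verify_arpc(card_key, f55, arpc),
        "altered_amount": host.authorize(pan, seq, altered)[2],
        "replayed": host.authorize(pan, seq, replayed)[2],
        "terminal_tc_card_aac": generate_ac(card_key, TC, AAC, 500, "840", un, 18)["type"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Two of the slide 28 cells are exercised: the terminal asks for ARQC and the card's TC becomes an ARQC, and the terminal asks for TC while the card declines, so an AAC results. The ATC check is what turns "the cryptogram is valid" into "this cryptogram has not been seen before".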
  • 29. APPLICATION SELECTION - DESIGNED TO SUPPORT MULTI-ACCOUNT CARDS
  • 30. The Terminal Must Read the Card: Insert Card → Answer to Reset → Select AID(s), typically associated with a Payment Brand → Develop Candidate AID List → Consumer Selection. The Debit Conundrum.
  • 31. Application Selection Enables Multi Account Cards – Consumer Selection: “$xxx.xx Pay With 1. Your Bank’s Credit Card 2. Your Bank’s Debit Card 3. Your Bank’s T&E Card – 1, 2 or 3?” … “Approved. Please Remove Card”
  • 32. US Debit Is Different – Consumer Selection: US Debit Card, One Account: 1. Visa or MasterCard 2. Pulse 3. Shazam 4. Star. Route and AID are linked in the Payment Network Rules.
  • 33. Out of the Box EMV – Consumer Selection: “$132.95 Pay With? 1. Visa or MasterCard 2. US Debit – Enter 1 or 2 to select payment method”
  • 34. As Today – Consumer Selection: Credit / Debit
  • 35. An Alternate – Consumer Selection: Credit / Debit
  • 36. PIN Steering – Consumer Selection: “$132.95 Pay With? 1. US Debit”. PSE – Payment Systems Environment; AID – Application Identifier
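The candidate-list step of slide 30 and the three ways it is resolved on slides 31-36 (priority, cardholder menu, merchant preference for the US common debit AID), as an added example that is not EMVCo or payment network code. The AIDs are those listed on slide 13; the card contents, terminal AID table, priorities, labels and the chooser callback are constructed, and partial matching follows the EMV Book 1 Application Selection Indicator (ASI) rule.

```python
"""Application selection: candidate list, priority, consumer choice, US debit routing (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# US common debit AIDs from slide 13 (RID + PIX, hex)
COMMON_DEBIT_AIDS = ("A0000000980840", "A0000001524010", "A0000006200620")


@dataclass(frozen=True)
class CardApp:
    adf_name: str          # DF name returned by the card: the AID, possibly extended
    label: str             # Application Label shown on the consumer selection menu
    priority: int = 0      # Application Priority Indicator: 1 = highest, 0 = none


@dataclass(frozen=True)
class TerminalAID:
    aid: str
    partial_ok: bool       # ASI: accept ADF names that extend this AID


def matches(t: TerminalAID, app: CardApp) -> bool:
    if app.adf_name == t.aid:
        return True
    return t.partial_ok and app.adf_name.startswith(t.aid)


def candidate_list(card_apps: List[CardApp], terminal_aids: List[TerminalAID]) -> List[CardApp]:
    """Applications both card and terminal support, highest priority first;
    applications with no priority indicator sort last (card order otherwise)."""
    cands = [a for a in card_apps if any(matches(t, a) for t in terminal_aids)]
    return sorted(cands, key=lambda a: (a.priority == 0, a.priority))


def select_application(card_apps: List[CardApp], terminal_aids: List[TerminalAID],
                       prefer_common_debit: bool = False,
                       choose: Optional[Callable[[List[CardApp]], int]] = None) -> Optional[CardApp]:
    cands = candidate_list(card_apps, terminal_aids)
    if not cands:
        return None                                  # no mutually supported AID
    if prefer_common_debit:                          # slide 36: merchant routes to US debit
        common = [a for a in cands if a.adf_name.startswith(COMMON_DEBIT_AIDS)]
        if common:
            return common[0]
    if choose is not None and len(cands) > 1:        # slide 31: cardholder picks from the menu
        return cands[choose(cands)]
    return cands[0]                                  # single candidate or highest priority


def menu(cands: List[CardApp]) -> str:
    """Render the slide 31 style prompt for the cardholder."""
    lines = [f"{i + 1}. {a.label}" for i, a in enumerate(cands)]
    return "Pay With\n" + "\n".join(lines) + f"\n1-{len(cands)}?"


# Constructed cards and terminal AID table (AIDs from slide 13)
MULTI_ACCOUNT_CARD = [CardApp("A0000000031010", "Your Bank's Credit Card", 1),
                      CardApp("A0000000033010", "Your Bank's Debit Card", 2)]   # Visa + Interlink
US_DEBIT_CARD = [CardApp("A0000000031010", "Visa Debit", 1),
                 CardApp("A0000000980840", "US Debit", 2)]                      # slide 32: one account, two AIDs
TERMINAL = [TerminalAID("A0000000031010", True), TerminalAID("A0000000033010", True),
            TerminalAID("A0000000980840", True)]


if __name__ == "__main__":
    print(menu(candidate_list(MULTI_ACCOUNT_CARD, TERMINAL)))
    print("out of the box:", select_application(US_DEBIT_CARD, TERMINAL).label)
    print("PIN steering:  ", select_application(US_DEBIT_CARD, TERMINAL, prefer_common_debit=True).label)
```

The same US debit card yields "Visa Debit" out of the box (slide 33/34) and "US Debit" when the merchant expresses the routing preference (slide 36); nothing on the card changes, only the terminal's resolution of the candidate list.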
  • 37. PUTTING IT ALL TOGETHER
  • 38. Shared Data Enables Distinct Behaviors: PIN, PIN Try Counter and PIN Retry Limit. © Oberthur Technologies 2016 - IC-Group Seminar, 10/23/2016
  • 39. The Profile Defines The CPU, Applet and Memory
  • 40. Key Management Assures the Security EMV Enables
  • 41. Operating System & Applications, Each with an LOA
      • OT’s products are certified, available in multiple memory sizes and support data sharing for US Debit
      • Chip categories: Contact (SDA) – Online Only; Contact RSA (DDA, CDA) – Offline Capable; Dual (DDA, CDA) – Offline Capable
      • Operating systems: Cosmo S v5; Cosmo RSA v5; Cosmo RSA v5.8; Cosmo Fly v5; Cosmo Fly v5.9; Chrysalis v3.2; Chrysalis v4.0; Chrysalis Fly v3.4
      • Applications & versions: MC4 Multi-App; MC4 + NMC; MC2 + MC4 + NMC; MCA v1.1; MCA v1.2 Multi-App; PPMC 1.3.1; VSDC 2.8.1t; VSDC 2.8.1am2s; VSDC 2.8.1f; VSDC 2.8.1f1; VSDC 2.8.1g; VSDC 2.8.1G; VIS 1.5.4; VIS 1.5.4 + VCPS 2.1.2; D-PAS v1.1; D-PAS v1.1 + CL v1.0; AEIPS v4.2; AEIPS v4.2 & EP 2.0
  • 42. The LOA Assures Compliance and Security
  • 43. Branch and Bureau Issuance
      • Account creation or card renewal → Application is transferred to Issuer CMS → Account and card request are created (Batch or Real Time) → Card request is sent to CPS
      • Branch: Card request blob is generated → EMV blob is retrieved by workstation → APDUs are exchanged with the Chip
      • Bureau: EMV file is generated → OT Service Centre → Cards prepared for production
  • 44. Philip Andreae, Vice President, Field Marketing, p.andreae@oberthur.com, +1 404 680 9640. © Oberthur Technologies 2016 - EMV 201 - PEA, 23 October 2016