This document provides an overview of EMV transaction flows, including:
1) EMV transactions involve application selection on the chip card to route transactions to the issuer bank, as well as terminal action analysis and cryptogram generation for online or offline authorization.
2) Offline authentication can involve static data authentication, dynamic data authentication, or combined authentication along with PIN verification on the chip card.
3) Security for e-commerce has evolved with techniques like CVV numbers, address verification, and tokenization to protect stored payment data.
EMV is a standard for smart payment cards and terminals. EMV stands for EuroPay, MasterCard and Visa, the three companies that founded the standard. The standard is maintained by EMVCo, a consortium whose members include the payment brands Visa, MasterCard, JCB, American Express, China UnionPay and Discover.
2. Contents
Introduction to EMV
Traditional MSR Vs EMV Transaction flow
Online Data Authentication
Offline Data Authentication
EMV Migration
Security in E-Commerce
3. Introduction to EMV
EMV is a technical standard that defines the interaction, at the physical, electrical, data and application levels, between IC cards and their processing devices for financial transactions.
EMV stands for EuroPay, MasterCard, and Visa, the three companies which originally created the standard.
The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.
EMV cards are also called IC credit cards or chip-and-PIN cards.
EMV cards were introduced to improve security (fraud reduction) and to give finer control over "offline" credit-card transaction approvals.
One of the original goals of EMV was to allow multiple applications to be held on one card: for example a credit and a debit card application, or an e-purse.
6. EMV Transaction Flow
Application Selection:
The EMV chip is loaded with an application version number and the Application Identifiers (AIDs) that the issuer supports.
Based on the AID selected, a matching application in the terminal is chosen, and it is through that application that the transaction is routed to the issuer bank.
The PDOL (Processing Options Data Object List) is provided by the card to the terminal during application selection.
7. Terminal Action Analysis
Terminal risk management is performed in the terminal to decide whether or not to go online; for example, it checks the transaction amount against an offline ceiling limit.
For online authorization the card supplies CDOL1 (Card Risk Management Data Object List 1), a list of tags whose values the card wants sent to it so that it can decide whether to approve or decline the transaction.
The terminal sends this data and requests a cryptogram with the GENERATE APPLICATION CRYPTOGRAM command, usually called the first GENERATE AC.
Depending on the terminal's decision (offline, online, decline), the terminal requests one of the following cryptograms from the card:
Transaction Certificate (TC): offline approval
Authorization Request Cryptogram (ARQC): online authorization
Application Authentication Cryptogram (AAC): offline decline
The issuer responds to an authorization request with a response code (accepting or declining the transaction), an Authorization Response Cryptogram (ARPC) and optionally an issuer script (a string of commands to be sent to the card).
8. EMV Chip Data
The chip holds the data shown on this slide; only a few of these tags are sent to the issuer for authorization.
9. Cardholder Verification
Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. EMV supports many cardholder verification methods (CVMs). They are:
Signature.
Offline plaintext PIN.
Offline enciphered PIN.
Offline plaintext PIN and signature.
Offline enciphered PIN and signature.
Online PIN.
No CVM required.
Both PIN and signature.
Fail CVM processing.
The terminal uses the CVM List read from the card to determine the type of verification to be performed, based on the terminal's capabilities and the conditions of the transaction.
When verification is completed successfully, the results are updated in the TVR and CVR and the transaction is approved.
A Cardholder Verification Rule (CVR) consists of 2 bytes: the first indicates the type of CVM to be used, while the second specifies the condition under which this CVM applies.
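The 2-byte rules described above are what a terminal walks through when it reads the CVM List (tag 8E) from the card. The following is an added example, not code from the slide deck: it parses the list into its two amounts and its rules, evaluates the condition byte for a plain purchase, and picks the first CVM both the card and the terminal accept. The encodings follow EMV Book 3; the CVM List bytes and terminal capability sets are constructed sample data.

```python
"""Parse an EMV CVM List (tag 8E) and pick the CVM the terminal should perform.

Added example, not code from the slide deck. The CVM code and condition
encodings follow EMV Book 3; the CVM List bytes and terminal capability
sets below are constructed sample data.
"""
from dataclasses import dataclass

# Low six bits of the CVM code byte (subset of EMV Book 3 CVM Codes).
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verification performed by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN verification performed by ICC and signature",
    0x04: "Enciphered PIN verification performed by ICC",
    0x05: "Enciphered PIN verification performed by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}


@dataclass(frozen=True)
class CvmRule:
    method: int               # bits 6..1 of the CVM code byte
    apply_next_on_fail: bool  # bit 7: 1 = try the next rule if this one fails
    condition: int            # CVM condition code byte


def parse_cvm_list(data: bytes) -> tuple[int, int, list[CvmRule]]:
    """Split tag 8E into amount X, amount Y and the ordered 2-byte rules."""
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("CVM List is 8 bytes of amounts followed by 2-byte rules")
    x = int.from_bytes(data[0:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = [
        CvmRule(method=data[i] & 0x3F,
                apply_next_on_fail=bool(data[i] & 0x40),
                condition=data[i + 1])
        for i in range(8, len(data), 2)
    ]
    return x, y, rules


def condition_met(rule: CvmRule, amount: int, x: int, y: int,
                  terminal_supports: set[int]) -> bool:
    """Evaluate the condition byte for a plain purchase in the application currency.

    Cash-related conditions (0x01, 0x04, 0x05) never hold for a purchase, and
    unknown condition codes are treated as not met, as the terminal must do.
    """
    c = rule.condition
    if c in (0x00, 0x02):         # always / not cash and not cashback
        return True
    if c == 0x03:                 # only if the terminal supports this CVM
        return rule.method in terminal_supports
    if c == 0x06:
        return amount < x
    if c == 0x07:
        return amount >= x
    if c == 0x08:
        return amount < y
    if c == 0x09:
        return amount >= y
    return False


def select_cvm(cvm_list: bytes, amount: int, terminal_supports: set[int]) -> str:
    """Walk the rules in card order and return the name of the CVM to perform."""
    x, y, rules = parse_cvm_list(cvm_list)
    for rule in rules:
        if not condition_met(rule, amount, x, y, terminal_supports):
            continue                      # condition not met: skip to the next rule
        if rule.method in terminal_supports:
            return CVM_METHODS.get(rule.method, f"Unknown CVM 0x{rule.method:02X}")
        if not rule.apply_next_on_fail:
            break                         # bit 7 clear: fail cardholder verification
    return CVM_METHODS[0x00]


# Constructed CVM List: X = 1000 (minor units), Y = 0, then five rules:
#   1F06 no CVM if under X          4403 enciphered PIN by ICC if supported, else next
#   4103 plaintext PIN by ICC       5E03 signature if supported, else next
#   1F00 no CVM required, always (bit 7 clear: fail if the terminal cannot do it)
SAMPLE_CVM_LIST = bytes.fromhex("000003E8" "00000000" "1F06" "4403" "4103" "5E03" "1F00")

if __name__ == "__main__":
    for amt, caps in [(500, {0x1F, 0x1E}), (1500, {0x1F, 0x1E}), (1500, {0x01}), (1500, set())]:
        print(amt, sorted(caps), "->", select_cvm(SAMPLE_CVM_LIST, amt, caps))
```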
10. Offline Data Processing:
The offline authentication options in EMV are:
Static Data Authentication (SDA):
For SDA, the smart card contains application data that is signed with the private key of the issuer's RSA key pair.
When a card with an SDA application is inserted into a terminal, the card sends this signed static application data, the CA public key index, and the issuer certificate to the terminal.
The terminal verifies the issuer certificate and the digital signature, comparing the signed data with the actual application data present on the card.
In short, the RSA signature gives assurance that the data is original and was created by the authorized issuer.
SDA does not prevent replay attacks, since the same static data is presented in every transaction.
Dynamic Data Authentication (DDA):
In DDA the smart card has its own card-unique RSA key, which it uses to sign dynamic data.
This produces unpredictable, transaction-dependent signed data, which the card sends to the terminal.
When a card with a DDA application is inserted into a terminal, the card sends the signed dynamic application data, the CA public key index, the issuer certificate and the card certificate to the terminal.
The terminal then verifies the issuer certificate, the smart card certificate and the signed dynamic application data.
11. Combined Data Authentication:
• The security mechanism in SDA compares what is on the actual card (PAN, expiry date etc.) with signed data generated at the time of personalization.
• DDA is stronger and makes use of a card-resident unique RSA key to dynamically sign unpredictable, transaction-unique data.
• The EMV protocol for transaction approval or denial contains more logical processing, and there is a potential weakness between the step of verifying the card (using SDA or DDA) and the step of approving the actual transaction.
• Additionally, the card makes that decision based on other card parameters such as card-generated cryptograms.
• A scheme has been devised, Combined Data Authentication (CDA), that combines card authentication and the transaction approval decision in one step.
• To make it more secure, offline PIN verification is present in chip cards to verify the cardholder.
• In addition, authentication can be done using a PIN to verify that the right person is using the card.
12. Plaintext PIN verification performed by ICC:
• This is a cost-effective cardholder verification method, specific to chip card products.
• The terminal captures the PIN from the user and sends it in clear to the chip card. The chip compares the value received with a witness value stored in its permanent memory.
• The terminal should be offline-PIN capable and tamper resistant.
Enciphered PIN verification performed by ICC:
• This is an expensive cardholder verification method, applicable to chip card products able to perform RSA operations.
• The terminal captures the PIN from the user and sends it encrypted in an RSA envelope to the chip card.
• The chip decrypts the envelope, retrieves the PIN in clear, and compares the retrieved value with a witness value stored in its permanent memory since the personalization stage.
• EMV also supports a combined cardholder verification method, referred to as enciphered PIN verification performed by ICC and signature (paper).
• The EMV card keeps track of the number of transactions performed offline using the LCOL (Lower Consecutive Offline Limit) and UCOL (Upper Consecutive Offline Limit) registers.
13. • TVR (Terminal Verification Results) and TSI (Transaction Status Information) are the registers that record the results of the checks the terminal has performed.
• The TVR is a register encoded on 5 bytes. Each byte of the TVR records the results of the processing performed by the terminal during one of the following stages of the EMV debit/credit transaction:
• Offline data authentication (byte 1)
• Processing restrictions (byte 2)
• Cardholder verification (byte 3)
• Terminal risk management (byte 4)
• Issuer authentication/issuer scripts processing (byte 5)
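The five TVR bytes are the input to the terminal action analysis described under slide 7: the terminal matches the TVR against its own Terminal Action Codes (TACs) and the issuer's Issuer Action Codes (IACs) to decide whether to request a TC, ARQC or AAC in the first GENERATE AC. The following is an added example, not code from the slide deck, covering both passages: it decodes a TVR bit by bit and runs that decision. The bit names follow EMV Book 3; the TAC/IAC values and the sample TVRs are constructed, not a real issuer or terminal profile.

```python
"""Decode a 5-byte TVR and run EMV terminal action analysis over it.

Added example, not code from the slide deck. TVR bit names follow EMV
Book 3; SAMPLE_TAC / SAMPLE_IAC and the TVR values are constructed and
do not describe any real card product or terminal.
"""

# (byte index, bit mask) -> meaning. Bit 8 is the most significant bit of
# each byte, as in the EMV specification; only the assigned bits are listed.
TVR_BITS = {
    (0, 0x80): "Offline data authentication was not performed",
    (0, 0x40): "SDA failed",
    (0, 0x20): "ICC data missing",
    (0, 0x10): "Card appears on terminal exception file",
    (0, 0x08): "DDA failed",
    (0, 0x04): "CDA failed",
    (1, 0x80): "ICC and terminal have different application versions",
    (1, 0x40): "Expired application",
    (1, 0x20): "Application not yet effective",
    (1, 0x10): "Requested service not allowed for card product",
    (1, 0x08): "New card",
    (2, 0x80): "Cardholder verification was not successful",
    (2, 0x40): "Unrecognised CVM",
    (2, 0x20): "PIN try limit exceeded",
    (2, 0x10): "PIN entry required and PIN pad not present or not working",
    (2, 0x08): "PIN entry required, PIN pad present, but PIN was not entered",
    (2, 0x04): "Online PIN entered",
    (3, 0x80): "Transaction exceeds floor limit",
    (3, 0x40): "Lower consecutive offline limit exceeded",
    (3, 0x20): "Upper consecutive offline limit exceeded",
    (3, 0x10): "Transaction selected randomly for online processing",
    (3, 0x08): "Merchant forced transaction online",
    (4, 0x80): "Default TDOL used",
    (4, 0x40): "Issuer authentication failed",
    (4, 0x20): "Script processing failed before final GENERATE AC",
    (4, 0x10): "Script processing failed after final GENERATE AC",
}


def decode_tvr(tvr: bytes) -> list[str]:
    """Return the meaning of every bit set in a 5-byte TVR, in byte order."""
    if len(tvr) != 5:
        raise ValueError("TVR must be exactly 5 bytes")
    return [name for (i, mask), name in TVR_BITS.items() if tvr[i] & mask]


def _matches(tvr: bytes, *action_codes: bytes) -> bool:
    """True if any TVR bit is also set in any of the given TAC/IAC values."""
    return any(t & a for code in action_codes for t, a in zip(tvr, code))


def terminal_action_analysis(tvr: bytes, tac: dict, iac: dict,
                             online_capable: bool = True) -> str:
    """Choose the cryptogram to request in the first GENERATE AC.

    tac and iac map "denial", "online" and "default" to 5-byte action codes.
    A bit set in the TVR and in either party's code is enough to trigger the
    corresponding action, so the TAC and IAC are effectively OR-ed together.
    """
    if _matches(tvr, tac["denial"], iac["denial"]):
        return "AAC"          # offline decline
    if online_capable:
        if _matches(tvr, tac["online"], iac["online"]):
            return "ARQC"     # go online for issuer authorization
        return "TC"           # offline approval
    # Terminal cannot go online: the Default codes decide decline vs approve.
    if _matches(tvr, tac["default"], iac["default"]):
        return "AAC"
    return "TC"


# Constructed sample action codes (hypothetical; not a real issuer profile).
SAMPLE_TAC = {
    "denial":  bytes.fromhex("0010000000"),   # decline cards on the exception file
    "online":  bytes.fromhex("DC4004F800"),   # send most risk-management hits online
    "default": bytes.fromhex("DC4000A800"),
}
SAMPLE_IAC = {
    "denial":  bytes.fromhex("0000000000"),
    "online":  bytes.fromhex("F850ACF800"),
    "default": bytes.fromhex("F850ACA000"),
}

if __name__ == "__main__":
    # Constructed TVR: everything clean except "transaction exceeds floor limit".
    tvr = bytes.fromhex("0000008000")
    print(decode_tvr(tvr))
    print(terminal_action_analysis(tvr, SAMPLE_TAC, SAMPLE_IAC))
```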
14. EMV Migration
The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance in order to successfully introduce secure EMV contact and contactless technology in the United States ahead of the liability shift.
Liability shift means that issuers and merchants using non-EMV-compliant devices that choose to accept transactions made with EMV-compliant cards assume liability for any and all transactions that are found to be fraudulent.
The deadline for the liability shift in the US, as decided by EMVCo, is October 2015.
To date, Europe, Canada, Latin America, and the Asia/Pacific region are all well on their way with migrating from the legacy magnetic stripe standard to EMV chip card technology.
Estimated cost calculation for EMV migration in the US.
15. Liability Table
• This is applicable to the Visa, MasterCard and American Express associations.
17. Security for E-Commerce
EMV cards were designed when e-commerce was not yet fully operational.
Various other methods were introduced to make transactions secure:
CVV number
Address Verification System (AVS)
Dynamic number verification system
In future, cards will be designed to produce a dynamic number using the chip technology.
18. TransArmor Tokenization and Encryption Solution
• The data is protected by two layers of security, encryption and tokenization.
19. Benefits of Tokenization
Reduces the risk of storing Primary Account Numbers (PANs) in the merchant's cardholder data environment (CDE).
The tokens can then be used to perform customer analytics and understand consumer buying behaviour.
Replacing PAN data with tokens reduces a merchant's PCI compliance burden by taking sensitive data out of their database.
Used for recurring payments.
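The benefits listed on slides 18 and 19 come from one property: the merchant keeps a surrogate that looks like a card number, while only a vault outside the merchant's systems can map it back to the PAN. The following is an added example, not code from the slide deck, from First Data's TransArmor or from any real token service provider: a minimal vault that issues format-preserving, Luhn-valid tokens keeping the last four digits (so analytics and recurring payments still work) and, going beyond the slides, binds each token to one domain so a token leaked from one channel cannot be redeemed from another. The PAN is the well-known 4111... test number, the domain names are constructed, and a dict stands in for the PCI-scoped vault.

```python
"""In-memory token vault: format-preserving, Luhn-valid tokens bound to a domain.

Added example, not code from the slide deck or from any real token service
provider. The PAN is the well-known 4111... test number, the domains are
constructed, and a dict stands in for the PCI-scoped vault; real tokens would
also carry a dedicated token BIN, which is omitted here.
"""
import secrets


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that does not yet end in one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the whole digit string passes the Luhn check."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Maps token -> (PAN, domain); only the vault can reverse a token."""

    def __init__(self) -> None:
        self._map: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, domain: str) -> str:
        """Issue a fresh token that keeps the PAN's last four digits, passes Luhn
        and may only be redeemed from `domain` (e.g. one merchant's online channel)."""
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        last4 = pan[-4:]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
            # One digit between the random body and the last four is chosen so the
            # whole token passes Luhn; exactly one of the ten candidates does.
            token = next(body + fix + last4 for fix in "0123456789"
                         if luhn_valid(body + fix + last4))
            if token != pan and token not in self._map:
                self._map[token] = (pan, domain)
                return token

    def detokenize(self, token: str, domain: str) -> str:
        """Vault-side lookup at authorization: return the PAN only for the bound domain."""
        if token not in self._map:
            raise KeyError("unknown token")
        pan, bound = self._map[token]
        if bound != domain:
            raise PermissionError(f"token is bound to {bound}, presented from {domain}")
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111", "shop.example")   # constructed test PAN
    print(tok, luhn_valid(tok), vault.detokenize(tok, "shop.example"))
```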