This document provides an overview of EMV transaction flows, including: 1) EMV transactions involve application selection on the chip card to route transactions to the issuer bank, as well as terminal action analysis and cryptogram generation for online or offline authorization. 2) Offline authentication can involve static data authentication, dynamic data authentication, or combined authentication along with PIN verification on the chip card. 3) Security for e-commerce has evolved with techniques like CVV numbers, address verification, and tokenization to protect stored payment data.

1. EMV Transaction Flow

2. Contents
 Introduction to EMV
 Traditional MSR Vs EMV Transaction flow
 Online Data Authentication
 Offline Data Authentication
 EMV Migration
 Security in E-Commerce

3. Introduction to EMV
 EMV is a technical standard that defines interaction at the physical and electrical
data authentication levels between IC cards and their processing devices for
financial transactions .
 EMV stands for EuroPay, MasterCard, and Visa, the three companies which originally
created the standard.
 The standard is now managed by EMVCo, a consortium with control split equally
among Visa, Mastercard, JCB, American Express, China Union Pay, and Discover.
 EMV cards are also called as IC credit Chip and PIN Cards.
 EMV cards were introduced to improve security (Fraud Reduction) and for finer
control of "offline" credit-card transaction approvals.
 One of the original goals of EMV was to allow for multiple applications to be held on
a card: for a credit and debit card application or an e-purse.

4. MSR Vs EMV Transaction Flow

5. EMV Transaction Flow

6. EMV Transaction Flow
Application Selection:
 EMV chip is loaded with a application version number and the Application
Identification Numbers(AID’s) that the issuer supports.
 Based on the AID selected a particular Application in the terminal is selected
through which routing to the Issuer bank do happen.
 The PDOL (Processing Data Object Lists) is provided by the card to the terminal
during application selection.

7. Terminal Action Analysis
 Terminal risk management is done in the terminal to decide whether or not to go
online, checks the transaction amount against an offline ceiling limit.
 For online authorization transactions CDOL1 (Card Data object List),a list of tags
that the card wants to be sent to it to make a decision on whether to approve or
decline a transaction.
 Terminal sends this data and requests a cryptogram using the generate application
cryptogram command usually called 1st Gen AC
 Depending on the terminal′s decision (offline, online, decline), the terminal
requests one of the following cryptograms from the card:
 Transaction certificate (TC)—Offline approval
 Authorization Request Cryptogram (ARQC)—Online authorization
 Application Authentication Cryptogram (AAC)—Offline decline.
 The issuer responds to an authorization request with a response code (accepting or
declining the transaction), an authorization response cryptogram (ARPC) and
optionally an issuer script (a string of commands to be sent to the card).

8. EMV Chip Data
The data that is present in a chip card and few tags are sent to the issuer for
authorization

9. Cardholder verification
 Cardholder verification is used to evaluate whether the person presenting the card is the
legitimate cardholder. There are many cardholder verification methods (CVMs)
supported in EMV. They are:
 Signature.
 Offline plaintext PIN.
 Offline enciphered PIN.
 Offline plaintext PIN and signature.
 Offline enciphered PIN and signature.
 Online PIN.
 No CVM required.
 Both PIN and signature.
 Fail CVM processing.
 The terminal uses a CVM list read from the card to determine the type of verification to
be performed based on the terminal capability and business involved in it.
 When a verification is done successfully the results are updated in TVR and CVR and the
transaction is approved
 A Cardholder Verification Rule (CVR) consists of 2 bytes: the first indicates the type of
CVM to be used, while the second specifies in which condition this CVM will be applied.

10. Offline Data Processing:
The offline authentication options in EMV are :-
Static Data Authentication:-
 For SDA, the smart card contains application data which is signed by the private key of
the issuer’s RSA key pair.
 When a card with an SDA application is inserted into a terminal, the card sends this
signed static application data, the CA index, and the issuer certificate to the terminal.
 The terminal verifies the issuer certificate and the digital signature by comparing these to
the actual application data present on the card.
 In short, an RSA signature gives the assurance that the data is in fact original and created
by the authorized issuer.
 SDA does not prevent replay attacks as it is the same static data that is presented in every
transaction.
Dynamic Data Authentication:
 In this the smart card has its own card-unique RSA key that signs dynamic data.
 This produces an unique unpredictable and transaction-dependent data, and sends this
to the terminal.
 When a card with a DDA application is inserted into a terminal, the card sends the signed
dynamic application data, the CA index, the issuer certificate and the card certificate to
the terminal.
 The terminal then verifies the issuer certificate, the smart card certificate and the signed
dynamic application data.

11. Combined Data Authentication:
• The security mechanism in SDA is there to compare what is on the actual card (PAN,
expiry date etc.) with signed data generated at the time of personalization.
• DDA is stronger and makes use of a card resident unique RSA key to dynamically sign
unpredictable and transaction unique data.
• The EMV protocol for transaction approval or denial does contain more logical
processing, and there is a potential weakness between the steps of verifying the
card (using SDA or DDA) and the step comprising of approving the actual
transaction.
• Additionally the card makes that decision based on other card parameters such as
card-generated cryptograms.
• A scheme has been devised that combines both the card authentication and the
transaction approval decision in one step.
• To make it more secure offline PIN verification is present in chip cards to verify the
card holder.
• In addition to this authentication can be done using a PIN to verify that the right
person is using the card

12. Plaintext PIN verification performed by ICC :
• This is a cost effective cardholder verification method, which is specific for chip card products.
• The terminal captures the PIN from the user and sends it in clear to the chip card. The chip
compares the value received with a witness value stored in its permanent memory.
•The terminal should be offline PIN capable and tamper resistant
Enciphered PIN verification performed by ICC
• This is an expensive cardholder verification method, which is applicable for chip card
products able to perform RSA operations.
• The terminal captures the PIN from the user and sends it encrypted in an RSA envelope to the
chip card.
• The chip decrypts the envelope, retrieves the PIN in clear, and compares the retrieved value
with a witness value stored in its permanent memory since the personalization stage.
• EMV also supports a combined cardholder verification method, which is referred to an
enciphered PIN verification performed by ICC and signature (paper) .
• EMV card keeps a track of number of transactions performed offline using LCOL and UCOL
registers.

13. • TVR(Terminal Verification Results) TSI(Transaction Verification Information) are the
registers that store the data the authentication that the terminal has performed.
• The TVR is a register encoded on 5 bytes Each byte of the TVR witnesses the results of the
processing performed by the terminal during one of the following stages of the
EMV debit/credit transaction
• Off-line data authentication (byte 1)
• Processing restrictions (byte 2)
• Cardholder verification (byte 3)
• Terminal risk management (byte 4)
• Issuer authentication/issuer scripts processing (byte 5)

14. EMV Migration
 The EMV Migration Forum is an independent, cross-industry body created by the Smart Card
Alliance in order to successfully introduce secure EMV contact and contactless technology in
the United States by liability shift.
 Liability shift means that those issuers and merchants using non-EMV compliant devices that
choose to accept transactions made with EMV-compliant cards assume liability for any and
all transactions that are found to be fraudulent.
 The deadline for liability shift as decided by EMV Co is October 2015 in US.
 To date, Europe, Canada, Latin America, and the Asia/Pacific region are all well on their way
with migrating from the legacy magnetic stripe standard to EMV chip card technology.
 Estimated cost calculation for EMV migration in US.

15. Liability Table
• This is Applicable to Visa , MasterCard and American Express Associations

16. EMV Adaption at various regions in world

17. Security for E-Commerce
 EMV cards were designed when E commerce was not fully operational.
 Various other methods were introduced to make transaction secure:
 CVV Number
 Address Verification System(AVS)
 Dynamic number Verification System.
 In Future cards will be designed to produce dynamic number using the Chip technology.

18. TransArmor Tokenization and Encryption Solution
• The data is protected by two layers of security, known as encryption and tokenization.

19. Benefits of Tokenization
 Reduces the risk of stored Primary Account Numbers (PANs) in their card data environment
(CDE).
 The tokens can then be used to perform customer analytics and understand consumer
buying behavior.
 Replacing PAN data with tokens reduces a merchant’s burden of PCI compliance by taking
sensitive data out of their databae.
 Used for Recurring Payments.