Fundamentals of EMV

!!Guy Berg !!Senior Managing Consultant !!MasterCard Advisors !!guy_berg@mastercard.com !!914.325.8111

EMV Fundamentals
Transaction Processing Comparison
! Magnetic Stripe vs. EMV Transaction Security Points

EMV Application Fundamentals

"! Risk Management "! On-line authentication "! Off-line authentication "! Cardholder Verification Method "! Offline Authorization

EMV Component Impact View

Card

Card Issuance

EMV System

Terminal

Issuer

Acquirer

Magnetic Stripe Transaction

Track data

Auth Code

Auth Code
Track Data

Payment Brand

Acquirer System
3)! Authorization/Capture message
"!Track data is often in the clear "!The authentication data is static

2) Terminal performs little or no risk assessment 1) Magnetic stripe is easily cloned

Issuer Auth System

4) Authorization/Authentication "!Risk assessment performed at the host "!Host cannot recognized cloned cards

EMV Transaction Framework

Field or DE 55 New EMV data

ARPC

ARPC
Field or DE 55

Payment Brand
(3)Add ! New EMVField authentication EMV 55 data data

Acquirer System
(2) Terminal performs risk assessment
New EMV data

(1) EMV Chip application performs risk assessment

Issuer Auth System

(4) Issuer Authorization Changes "!Dynamic cryptogram validation "!May return an authentication cryptogram "!Post issuance updates

EMV Security Components

Risk Management Decision Criteria
Card Stock Security ! EMV Configuration ! Issuance Security Online Transaction PIN Security Offline Transaction PIN Security

Data Preparation Key Management

EMV Data

EMV Chip Data

EMV Tag
9F 26 9F 42 9F 51 9F 44 9F 52 9F 05 5F 25 5F 24 94 82 50 9F 12 5A 5F 34 87 9F 36 9F 07 9F 08 9F 5D 9F 7F 8C 8D 5F 20 9F 0B

Chip Data
Application Cryptogram Application Currency Code Application Currency Code VIS Application Currency Exponent Application Default Action Application Discretionary Data Application Effective Date Application Expiration Date Application File Locator Application Interchange Profile Application Label Application Preferred Name Application Primary Acct Number Primary Acct Number Seq Number Application Priority Indicator Application Transaction Counter Application Usage Control Application Version Number (ICC) Application offline Spending Amount Card Production Life Cycle History File Identifiers Card Risk Management Data Object List 1 Card Risk Management Data Object List 2 Cardholder Name Cardholder Name Extended

EMV Tag
8E 8F 9F 53 9F 72 9F 54 9F 5C 9F 49 9F 55 9F 2D 9F 2E 9F 2F 9F 46 9F 47 9F 48 9F 0D 9F 0E 9F 0F 9F 10 9F 56 9F 11 5F 28

Chip Data
Cardholder Verification Method List Certification Authority Public Key Index Consecutive Transaction Limit International Consecutive Transaction Limit International Cryptogram Information Data Cumulative Total Transaction Amount Limit Dynamic Data Object List Geographic Indicator ICC PIN Encipherment Public Key Certificate ICC PIN Encipherment Public Key Exponent ICC PIN Encipherment Public Key Remainder ICC Public Key Certificate ICC Public Key Exponent ICC Public Key Remainder Issuer Action Code Default Issuer Action Code Denial Issuer Action Code Online Issuer Application Data Issuer Authentication Indicator Issuer Code Table Index Issuer Country Code

EMV Risk Mgmt Data on the Chip

Issuer Interchange Profile
-! -! -! -! -! -! SDA supported DDA supported CDA supported Cardholder verification supported Perform terminal risk management Issuer authentication required/or not

Application Usage Control Valid for :

-! -! -! -! -! -! -! -! -!
-! -! -!

Domestic cash transactions International cash transactions Domestic goods International goods Domestic services International services ATMs Domestic cashback International cashback
If issuer authentication failure, do not transmit next transaction online If new card, do not decline if unable to go online .

Issuer Action Codes

Cardholder Verification
CVM Options
! No CVM ! Signature ! On-line PIN at ATM ! On-line PIN at POS ! Off-line PIN plain texted ! Off-line PIN enciphered
No CVM Signature Online PIN at ATM

CVM List

Offline PIN at POS

EMV Online Transaction Security

Risk Management Decision Criteria
Card Stock Security ! EMV Configuration ! Issuance Security Online Transaction Security Offline Transaction Security

Data Preparation Key Management

EMV Data

EMV On-line Security

"!On-line EMV Authentication "!On-the-Behalf EMV Authentication

On-line CAM (Card Authentication)

EMV transaction data EMV transaction data
ARQC ARPC

PIN

ARQC ARPC

Payment Brand 3 DES Cryptogram

Acquirer System

Online Request (ARQC) ARPC

Shared Key Issuer Auth System

On-the-be-Half EMV Authentication

EMV Auth data Code converted converted to to Mag. EMVStripe Response
ARQC Auth

EMV transaction data

Auth Code Mag Stripe Transaction

EMV Authentication

Payment Brand

Acquirer System

Online Request (ARQC) Auth

Appears as Mag Stripe Transaction

Issuer Auth System

EMV Offline Transaction Security

Risk Management Decision Criteria
Card Stock Security ! EMV Configuration ! Issuance Security Online Transaction Security Offline Transaction Security

Data Preparation Key Management

EMV Data

EMV Off-line Transaction Security

! Offline CAM (Card Authentication) ! Offline CVM (Cardholder Verification) ! Offline Authorization

SDA/DDA/CDA Card Authentication

Off-line Security Options Off-line Authentication Options

SDA
! Static Data ! Issuer Public Key Certificate

DDA
! Dynamic Data ! Issuer Public Key Certificate ! ICC Public Key Certificate

CDA
! Combined Data ! Issuer Public Key Certificate ! ICC Public Key Certificate ! Application Cryptogram

Issuer Level Certificate

Card Level Certificate

Off-line Transaction Authentication

SDA (Issuer level certificate)
SDA (Static Data Authentication) Certificate Authority
Verifies the user.

PIN

CA Private Key

CA Public Key

Load Public Key to the Terminal

CA Private Key signs ISS Public key

SDA Card Authentication Authenticates the card is legitimate

Issuer PK Certificate

Loaded with Issuer Signed Static Data

Does not verify who is using it!

Offline Cardholder Verification

Off-line Transaction PIN Security

"!SDA Cards #!Clear Text PIN

"!DDA or CDA Cards #!Clear Text PIN #!Encrypted (Enciphered) PIN

Offline Authorization
Offline Risk Data on the Chip
Consecutive Transaction Counter Last Online Application Transaction Counter Lower Consecutive Offline Limit Upper Consecutive Offline Limit Cumulative Total Transaction Amount Cumulative Total Transaction Limit PIN PIN Try Limit PIN Try Counter Certification Authority Public Key Index Signed Static Application Data Signed Dynamic Application Data Static Data Authentication Tag List Issuer Action Codes

Authorization Parameters

EMV Security Components

Risk Management Decision Criteria
Card Stock Security Issuance Security
Data Preparation & Key Mgmt Security

Off-line Transaction Security

On-line
Transaction Security

EMV Chip Personalization

Data Prep System Key Mgmt System

Emboss/ Mag Stripe File

CMS System

Emboss/ Mag Stripe File EMV Data & Keys

EMV Issuance

Card Types
> Contact EMV

> Contactless EMV

> Contactless Mag Stripe Emulation > Contact EMV > Contactless EMV > Contactless Mag Stripe Emulation

EMV Card Basics Chip OS and Applications

Operating System Level "!MULTOS "!Global Platform JavaCard "!Card Vendor 1 Proprietary "!Card Vendor 2 Proprietary "!Card Vendor 3 Proprietary "!Etc....

EMV Application Level

"!MasterCard #!PayPass Contactless EMV #!Mchip Contact EMV "!Visa #!payWave Contactless EMV #!VSDC Contact EMV "!American Express "!Discover

"! Card Vendors have different chip operating systems "! Brands have different chip application implementations "! Brands have different EMV risk configuration options

Data Level
Personalization Data ! Risk management criteria ! Cardholder data ! Security keys and certificates

Acquirers, Merchants and Terminals

Acquirer System

POS Terminal

Terminal Perspective

EMV and AID Based Matching Logic

Each Brand has different terminal certification requirements

Visa EMV terminal processing functions

MC EMV terminal processing functions

AMEX EMV terminal processing functions

Discover EMV terminal processing functions

Others EMV terminal processing functions

EMV Contact Kernel

EMV terminal functions that EMV Co tests against the EMV standards and certifies

Terminal Operating System

Terminal Profile (EMVCo Type Approval)

Unattended Terminal Profile Supports but does not require PIN Unattended Terminal Profile Requires PIN

"!Chip only cards "!Offline plain text PIN "!Offline enciphered PIN "!No CVM "!SDA "!DDA "!CDA "!Issuer authentication supported

"!Chip only cards "!Offline plain text PIN "!Offline enciphered PIN "!SDA "!DDA "!CDA

Acquirers Perspective
Terminal Model 1 Customer 1 Terminal Model 2 Customer 2 Terminal Model 3

Customer 3 Integrated EMV Terminal Petroleum Pay at the Pump Kiosk Terminals

Customer 4

Acquirer System

Customer 5

Customer.

Customer 100

EMV Transaction Flow

Technology Selection Application Selection Processing Options Card Authentication Processing Restrictions Card Holder Verification Terminal Risk Management Terminal Action Analysis Card Action Analysis Go 0n-line or Not Issuer-to-Card Script Processing

EMV Transaction Flow

Application Selection
! What AID?

Card Authentication Method

! SDA, DDA, CDA, No ODA

Cardholder Verification Method

! CVM List Preferences

Offline Authorization Support Y/N Issuer Action Codes

! Exception processing rules

Application Selection
Identify mutually supported AIDs

Priority 1 2 3 A0000xyz

AID A0000000041010

AID A0000000031010 A0000000041010 A0000001523010 A0000000043060 A00000002501 A0000xyz

Config Data

Application Selection Method

Explicit Selection ! Displays the choices to consumer
MasterCard Debit XYZ Debit

Implicit Selection ! Terminal automatically selects the AID

P Selected AID 1 2 AID A0000000041010 A0000xyz

Cardholder Verification
CVM Options
! No CVM ! Signature ! On-line PIN at ATM ! On-line PIN at POS ! Off-line PIN plain texted ! Off-line PIN enciphered
No CVM Signature Online PIN at ATM

CVM List

Offline PIN at POS

EMV Message Data

Field or DE 55

Field or DE 55

Payment Brand

Acquirer System

Issuer Auth System

New EMV authentication Add EMV Field 55 data data

EMV Authorization Message

ISO 8583 Field or DE 55
Application Cryptogram Issuer Application Data Application Interchange Profile Terminal Verification Result Terminal Capabilities Cardholder Verification Method Results (CVM) Cryptogram Information Data Unpredictable Number Application Transaction Counter Amount, Authorized (Numeric) Transaction Currency Code Transaction Date Transaction Type Transaction Currency Code Terminal Country Code

EMV Transaction Framework

Field or DE 55 New EMV data

ARPC

ARPC
Field or DE 55

Payment Brand

Acquirer System
New EMV data

Issuer Auth System

Issuer Authorization Changes "!EMV ARQC dynamic cryptogram validation "! Authentication cryptogram generation "!Post issuance card updates "!Offline PIN Management "!Online PIN management "!Key Management "!Authorization assessment rules

EMV at a Glance

Issuer Auth System

Messaging

! Online CAM and CVM ! Offline CAM and CVM ! Offline Authorization ! Chip Risk Management

Acquirer System

Guy Berg
Mastercard Advisors 914.325.8111 Guy_berg@Mastercard.com

!!Smart Card Alliance

!!191 Clarksville Rd. ! Princeton Junction, NJ 08550 ! (800) 556-6828 !!www.smartcardalliance.org"

"