EMV 201: EMV Chip Profiles and Considerations for Issuers and Merchants Philip Andreae, Oberthur Technologies

EMV 201 EMF June 2016



Page 1: EMV 201 EMF June 2016


Page 2: EMV 201 EMF June 2016

May 2, 2023 2© Oberthur Technologies 2016 - EMV 201 - PEA

Keep It Interactive

Page 3: EMV 201 EMF June 2016


Why EMV?

No Longer Secure, circa 1991: In 1993 Europay, MasterCard and Visa came together to economically solve for counterfeit and lost & stolen fraud.

EMV Restored “The Token”: In 1996 the EMV Specifications were published with the collective agreement that global interoperability is the goal, each at their own pace.

[Diagram: the three pillars with the legacy and EMV mechanisms for each. Authentication (What You Have: a card/phone): infra red ink, hologram, magnetic stripe, cvv1/cvc1. Verification (What You Know: a secret): signature, online PIN, match-in PIN, cvv2/cvc2. Authorization (Are You Able): online, terminal floor limit.]

Page 4: EMV 201 EMF June 2016


In 1998 global deployment began. In 2012 the USA embraced EMV.

An extrapolation taking First Annapolis, EMVCo, AITA and SPA input into consideration. These are not the views of Oberthur.

Page 5: EMV 201 EMF June 2016

EMV EMPLOYS HARDWARE BASED CRYPTOGRAPHY TO SECURE PAYMENTS

Page 6: EMV 201 EMF June 2016


Magnetic Stripe Processing Was Easy For Everyone

[Flowchart: Read track data. If service code = 2xx or 6xx (a chip is present): EMV Start. Otherwise: is the total > terminal floor limit? Yes: the issuer authorizes the transaction. No: check the electronic stop list. Then print receipt, verify signature, and data capture for overnight settlement.]

Page 7: EMV 201 EMF June 2016


EMV Is Not for the Light Hearted

ISO Specifications
• ISO 8583 – Financial transaction card originated messages
• ISO 7816 – Smart Card
  • Part 1: Physical characteristics
  • Part 2: Cards with contacts – Dimensions and location of the contacts
  • Part 3: Cards with contacts – Electrical interface and transmission protocols
  • Part 4: Organization, security and commands for interchange
• ISO 14443 – Contactless
  • Part 1: Physical characteristics
  • Part 2: Radio frequency power and signal interface
  • Part 3: Initialization and anti-collision
  • Part 4: Transmission protocol

EMV Specifications
• EMVCo Version 4.3 – Contact
  • Book 1: Application independent ICC to terminal interface requirements
  • Book 2: Security and key management
  • Book 3: Application specification
  • Book 4: Cardholder, attendant and acquirer interface requirements
• EMVCo Version 2.3 – Contactless
  • Book A: Architecture and general requirements
  • Book B: Entry point specification
  • Books C1-7: Kernel specifications
  • Book D: Communications protocol

Payment System Specifications
AEIPS - D-Pas - MChip - VIS - CPA

Page 8: EMV 201 EMF June 2016



Based On Standards - Built on Evolving Technology

Page 9: EMV 201 EMF June 2016


When Implementing EMV Issuers Think About
• Card design
• Chip selection
• Script processing
• Cardholder verification
• Authentication requirements
• Key management requirements
• Fraud and risk management systems
• PIN management & PIN synchronization
• Cardholder education and marketing messages
• Education: branch, call center & the team on EMV
• Card Risk Management and Transaction Authorization
• What are merchants doing to filter debit application selection
• Credit & debit card processing must perform online authentication
• And ….

Page 10: EMV 201 EMF June 2016


Implementing EMV Requires Your “A” Team

Project phases: Project Initiation, Vendor Selection, Negotiate with Processor, Define Profile, Select Chip, Define Input File, Perform Key Ceremonies, Profile Development, Staff Training, Develop Customer Education, Payment Scheme Certification, End to End Testing, Account Conversion, Issue Chip Cards, Accept First Transaction.

Stakeholders: Card Fulfillment Bureau, Core System Providers, Card Manufacturer, Payment Scheme, EFT Processors, Executive, Marketing, Customer Experience, Product Management, Operations, Compliance, IT & Security, Fraud and Risk, Branch Operations.

Page 11: EMV 201 EMF June 2016


EMV Embedded an Integrated Circuit in the Card

• Hardware: CPU, crypto processor, Flash, E2PROM or ROM, RAM, security & sensors
• BIOS: Basic Input Output System
• Operating System: Native, or Global Platform & Java Card API
• Application: AEIPS, CPA, D-Pas, MChip, VSDC … Domestic
• Data: an ADF holding SFIs, each pointing at one or more EFs (as drawn on the slide)
• Antenna

Page 12: EMV 201 EMF June 2016


The Chip Card is a Secure Element with Data Inside

• Hardware: Antenna, CPU, crypto processor, Flash, E2PROM or ROM, RAM, security & sensors
• BIOS: Basic Input Output System
• Operating System: Native, or Global Platform & Java Card API
• Application: AEIPS, CPA, D-Pas, MChip, VSDC … Domestic
• Data: an ADF holding SFIs, each pointing at one or more EFs (as on the previous slide)

Data elements: ADF(s), AID(s), AIP, ATC, AUC, Cardholder Name, CID, CVM List, Expiry Date, IAC(s), LCOL, PAN, UCOL, Track 2 Equivalent Data…

Page 13: EMV 201 EMF June 2016


Applications and Data are Specified and Structured

Application: The Payment Networks define, license and approve implementations of their specification running in the card and on the terminal
• Visa – VIS
• MasterCard – MChip
• Discover – D-Pas
• Amex – AEIPS
• EMVCo – CPA (OT = WISE)
• J/Smart – JCB

The terminal specification defines how the terminal will operate and use the EMV Tool Kit

The Chip Specification defines what the software in the card must do in response to commands from the Terminal

Tests Plans allow card and terminal vendors to prove their products perform as required

AID – Application Identifier: The AID is the name of the Application Directory File (ADF) in the chip. The terminal and consumer select the AID.

Application                RID + PIX
• Visa (credit or debit)   A0000000031010
  Visa Plus                A0000000038010
  Visa Interlink           A0000000033010
  US Common Debit          A0000000980840
• MasterCard               A0000000041010
  Maestro Int’l            A0000000043060
  Cirrus                   A0000000046000
  US Maestro               A0000000042203
• Amex                     A00000002501XX
• JCB                      A0000000651010
• Oberthur                 A000000077XXXX
• Discover                 A0000001523010
  Discover Common Debit    A0000001524010
• DNA Common Debit         A0000006200620


Page 14: EMV 201 EMF June 2016


Each Account is Stored in an Application Data File

[Diagram: an ADF holding SFIs, each pointing at one or more EFs, as on slide 11.]

Page 15: EMV 201 EMF June 2016

THE PROFILE AND THE TERMINAL CAPABILITIES DEFINE THE BEHAVIOR


Page 16: EMV 201 EMF June 2016


EMV Defines the Terminal to Card Protocol

Authentication: “What you have”
• Offline by terminal: requires an RSA capable chip
• Online on issuer host

Verification: “What you know”
• Signature
• Match PIN in chip: recommended for offline authorization
• Online PIN
• No CVM

Authorization: “You have the funds”
• Online: host authorized
• Offline at merchant: based on issuer defined Card Risk Management parameters; requires offline authentication

Page 17: EMV 201 EMF June 2016


Layering Security is the Right Answer

Offline Data Authentication: the norm in Europe, Canada and Australia
• Merchants and Acquirers: When the network is down or running slow the merchant at least knows the card is authentic. If the terminal floor limit is not zero, knowing the card is authentic the merchant can ask the card to approve.
• Issuers: The card requires a crypto-processor to support DDA or CDA. The issuer must establish an RSA key pair and request an Issuer Public Key certificate from the Payment Network.

Online Data Authentication: the way PIN debit transactions are secured
• Merchants, Acquirers and Networks: Must manage the keys necessary to encrypt the PIN between POS and Payment Network. Must send Field 55 EMV data to the Issuer Host for authentication.
• Issuers: Authenticate the cryptogram to prove the card was or is present at time of purchase
  • ARQC – Application Request Cryptogram
  • ARPC – Application Response Cryptogram
  • TC – Transaction Certificate
  • AAC – Application Authentication Cryptogram

Transit Authorities see offline data authentication as a requirement

Page 18: EMV 201 EMF June 2016


Offline Card Authentication
• Provides merchant authentication
• Requires an RSA capable processor
• Personalize the card with card & issuer public keys & certificates and a unique RSA secret
• Public keys simply need to be loaded and maintained in the terminal
• Terminal authenticates the card

Online Data Authentication
• Provides issuer authentication
• Personalization of the card with a unique set of secret keys
• Card generates a cryptogram (“ARQC” & “TC”) by signing card, terminal and transaction data with the secret key
• Terminal forwards Field 55 (“ICC or EMV data”) including the “ARQC” or “TC” and signed data to the Issuer
• Issuer authenticates card data when authorizing the transaction
• Issuer returns “ARPC” and scripts in Field 55 to the card allowing issuer authentication and parameter updates

EMV Gives The Merchant and Issuer Assurance
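The online round trip described on slides 17 and 18, as an added example that is not code from the deck or from any payment network: the card signs transaction data into an ARQC with a key only it holds, the issuer host re-derives that key from what arrives in Field 55 and checks the cryptogram, then answers with an ARPC the card can verify. HMAC-SHA256 truncated to 8 bytes stands in for the 3DES/AES MAC the network specifications define (an assumption made for portability); the key hierarchy (issuer master key to card unique key to per-ATC session key) is EMV's. Key, PAN and transaction values are constructed.

```python
"""Online data authentication round trip: ARQC from the card, verification and
ARPC from the issuer host.  Added example, not the deck's or any scheme's code.
HMAC-SHA256 truncated to 8 bytes stands in for the 3DES/AES MAC the network
specifications actually define (assumption); the key hierarchy (issuer master
key -> card unique key -> session key per ATC) is the one EMV uses."""
import hashlib
import hmac
import struct

def mac8(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:8]  # 8-byte cryptogram

def card_unique_key(issuer_master_key, pan, psn):
    # Diversified per card from PAN and PAN sequence number at personalization
    return mac8(issuer_master_key, (pan + psn).encode())

def session_key(udk, atc):
    return mac8(udk, struct.pack(">H", atc))  # fresh key per Application Transaction Counter

def cdol1_data(amount, currency, unpredictable_number, tvr, atc, aip):
    """Terminal- and card-supplied data the cryptogram covers (a subset of a typical CDOL1)."""
    return struct.pack(">QHI", amount, currency, unpredictable_number) + tvr + struct.pack(">HH", atc, aip)

def card_generate_arqc(udk, atc, data):
    return mac8(session_key(udk, atc), data)

def issuer_verify_arqc(issuer_master_key, pan, psn, atc, data, arqc):
    """The issuer host stores no per-card keys: it re-derives them and recomputes."""
    udk = card_unique_key(issuer_master_key, pan, psn)
    return hmac.compare_digest(card_generate_arqc(udk, atc, data), arqc)

def issuer_generate_arpc(issuer_master_key, pan, psn, atc, arqc, arc):
    """The ARPC binds the issuer's response code (ARC, e.g. b'00' = approved) to the ARQC."""
    udk = card_unique_key(issuer_master_key, pan, psn)
    return mac8(session_key(udk, atc), arqc + arc)

def card_verify_arpc(udk, atc, arqc, arc, arpc):
    return hmac.compare_digest(mac8(session_key(udk, atc), arqc + arc), arpc)

def run_transaction(issuer_master_key, pan, psn, atc, data, arc=b"00"):
    """Full round trip; returns (issuer accepted the ARQC, card accepted the ARPC)."""
    udk = card_unique_key(issuer_master_key, pan, psn)          # lives only in the chip
    arqc = card_generate_arqc(udk, atc, data)                   # card -> Field 55 -> issuer
    accepted = issuer_verify_arqc(issuer_master_key, pan, psn, atc, data, arqc)
    arpc = issuer_generate_arpc(issuer_master_key, pan, psn, atc, arqc, arc)  # issuer -> card
    return accepted, card_verify_arpc(udk, atc, arqc, arc, arpc)

# Constructed sample values (not real keys or account numbers); amount is the $132.95 of slide 33
IMK = bytes.fromhex("00112233445566778899AABBCCDDEEFF")
PAN, PSN, ATC = "4000000000000002", "00", 42
DATA = cdol1_data(13295, 840, 0x1A2B3C4D, bytes.fromhex("0000008000"), ATC, 0x1800)
```

A tampered amount, a replayed ATC or a wrong issuer master key all make the issuer's recomputed ARQC differ, which is exactly the check that proves the genuine card was present.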

Page 19: EMV 201 EMF June 2016


Authentication Addresses Counterfeit Fraud

• Public Key loaded in Terminal: public keys are distributed to all terminals supporting Offline Data Authentication
• Issuer is a Member: at personalization an RSA key pair and issuer certificates are loaded into the secure element
• Card is Authentic: the card generates a unique certificate; the point of sale authenticates the card

EMV supports 4 card authentication methods:
• Online Data Authentication: the card creates a unique digital signature delivered to the Issuer Host for authentication
• Offline Data Authentication:
  • Static data authentication (SDA): the data verified by the POS is always the same
  • Dynamic data authentication (DDA): the data verified by the POS is dynamic for each transaction
  • Combined DDA and application cryptogram (CDA): merges DDA with the application cryptogram

International schemes require DDA or CDA if offline capable

Authentication

Page 20: EMV 201 EMF June 2016


EMV Offers Combined or Dynamic Data Authentication

[Diagram of the offline authentication key chain as drawn on the slide: the Certificate Authority holds a public/private key pair; its private key RSA-signs the Issuer Public Key to produce the Issuer Public Key certificate, which the terminal verifies with the CA public key (CAPKi). The Issuer holds a public/private key pair (Issuer Keys); its private key RSA-signs the ICC Public Key to produce the ICC Public Key certificate, and RSA-signs the clear text data (e.g. PAN, expiry date) to produce the SDA signature.]

Page 21: EMV 201 EMF June 2016


Each Kernel Has a Set of CVM Capabilities
• Plaintext PIN for ICC verification
• Enciphered PIN for online verification
• Signature (paper)
• Enciphered PIN for offline verification
• No CVM required

Page 22: EMV 201 EMF June 2016


The Card Carries The CVM List

• Signature Preferring: Signature; No CVM
• PIN Preferring: Online PIN; Signature; No CVM
• International Traveler: Online PIN; Offline Enciphered PIN; Offline Clear Text PIN; Signature; No CVM
• Common Debit: Online PIN; No CVM
• Alternate Debit: Online PIN; Offline Enciphered PIN; Offline Clear Text PIN; No CVM
• Address Unattended Terminals: Online PIN; Signature; Offline Enciphered PIN; Offline Clear Text PIN; No CVM

Page 23: EMV 201 EMF June 2016


EMV Cardholder Verification For Every Occasion
• Chip and Signature
• Chip and PIN (lost and stolen fraud)
• Chip and Choice
• Support for PIN selection
• PIN synchronization
• Verified in ICC or online

Selectable Kernel: The terminal selects the EMVCo approved kernel based on amount & tender type. The kernel has a predefined set of Terminal CVM Capabilities. The CVM List presents the terminal with a prioritized list, e.g.:
• Online PIN verification
• PIN verification in ICC
• Signature
• No CVM
The terminal selects the CVM by comparing the CVM List of the selected AID to the kernel’s CVM Capabilities.

Verification
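The comparison just described, as an added example rather than code from the deck: a kernel walks the card's CVM List in priority order and settles on the first rule whose condition holds and whose method it supports, the way EMV Book 3 section 10.5 lays it out. The capability bits are the five on slide 21 (Terminal Capabilities byte 2); the CVM Lists are constructed to match the slide 22 profiles, and amounts are assumed to be in the application currency.

```python
"""Terminal-side CVM selection as a kernel performs it (EMV Book 3, section 10.5).
Added example, not code from the deck: the card's CVM List (tag 8E: amounts X and Y,
then two-byte CV Rules) is walked in priority order and each rule is checked against
the kernel's CVM capabilities (Terminal Capabilities byte 2, EMV Book 4 Annex A2).
Amounts are assumed to be in the application currency, so the X/Y conditions apply."""
import struct

# CVM codes: the low six bits of a CV Rule's first byte
CVM_NAMES = {
    0x00: "Fail CVM",
    0x01: "Plaintext PIN verified by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC + signature",
    0x04: "Enciphered PIN verified by ICC",
    0x05: "Enciphered PIN by ICC + signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}
# Terminal Capabilities byte 2 bits: the five kernel capabilities listed on slide 21
PLAINTEXT_PIN_ICC, ENC_PIN_ONLINE, SIGNATURE, ENC_PIN_ICC, NO_CVM = 0x80, 0x40, 0x20, 0x10, 0x08
NEEDS = {0x01: [PLAINTEXT_PIN_ICC], 0x02: [ENC_PIN_ONLINE], 0x03: [PLAINTEXT_PIN_ICC, SIGNATURE],
         0x04: [ENC_PIN_ICC], 0x05: [ENC_PIN_ICC, SIGNATURE], 0x1E: [SIGNATURE], 0x1F: [NO_CVM]}

def supported(capabilities, method):
    bits = NEEDS.get(method)  # "Fail CVM" and unknown codes are never supported
    return bits is not None and all(capabilities & b for b in bits)

def condition_met(cond, amount, x, y, txn_type, capabilities, method):
    """CVM Condition Codes 0x00-0x09; an unrecognised code makes the rule be skipped."""
    checks = {
        0x00: True,
        0x01: txn_type == "unattended cash",
        0x02: txn_type not in ("unattended cash", "manual cash", "cashback"),
        0x03: supported(capabilities, method),
        0x04: txn_type == "manual cash",
        0x05: txn_type == "cashback",
        0x06: amount < x, 0x07: amount > x, 0x08: amount < y, 0x09: amount > y,
    }
    return checks.get(cond, False)

def select_cvm(cvm_list, capabilities, amount, txn_type="purchase"):
    """Name of the CVM the kernel performs, or 'CVM failed' (the kernel then sets
    the TVR bit 'cardholder verification was not successful')."""
    x, y = struct.unpack(">II", cvm_list[:8])
    rules = cvm_list[8:]
    for i in range(0, len(rules) - 1, 2):
        code, cond = rules[i], rules[i + 1]
        method, apply_next = code & 0x3F, bool(code & 0x40)
        if not condition_met(cond, amount, x, y, txn_type, capabilities, method):
            continue                        # rule does not apply; bit 7 is not consulted
        if supported(capabilities, method):
            return CVM_NAMES[method]
        if not apply_next:                  # unsupported and no fallback permitted
            return "CVM failed"
    return "CVM failed"                     # list exhausted

def build_cvm_list(rules, x=0, y=0):
    """rules: (method, condition, apply_next_if_unsuccessful) tuples -> tag 8E value."""
    body = bytes(b for m, c, nxt in rules for b in ((m | 0x40) if nxt else m, c))
    return struct.pack(">II", x, y) + body

# Constructed CVM Lists matching the slide 22 profiles (condition 0x00 = always)
PIN_PREFERRING = build_cvm_list([(0x02, 0x00, True), (0x1E, 0x00, True), (0x1F, 0x00, False)])
COMMON_DEBIT = build_cvm_list([(0x02, 0x00, True), (0x1F, 0x00, False)])
UNATTENDED = build_cvm_list([(0x1F, 0x06, True), (0x02, 0x00, False)], x=5000)  # no CVM under X
```

Run the same PIN-preferring list against a PIN-pad POS and against a signature-only terminal and the outcome moves from online PIN to signature; run the common debit list against a terminal with neither online PIN nor "No CVM" and verification fails outright, which is the debit-at-unattended-terminal case the deck's "Address Unattended Terminals" profile exists to avoid.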

Page 24: EMV 201 EMF June 2016


POS Must Understand the EMV Transaction Flow

[Flow diagram, in the order EMV Book 3 processes the steps, grouped as the slide names the phases: EMV Start (Answer to Reset, Application Selection, Initiate Application, Read Application Data); EMV Continue (Data Authentication, Processing Restrictions, Cardholder Verification, Terminal Risk Management, Terminal Action Analysis, Card Action Analysis, Online/Offline Decision); EMV Complete (Online: Online Processing, Issuer Authentication, Script Processing, Completion; Offline: Completion).]

Page 25: EMV 201 EMF June 2016


Card Risk Management and Transaction Authorization: Offline Capable, Online Preferring or 100% Online

[Message flow diagram (consumer, merchant, acquiring processor, scheme, issuing processor): if the amount is < floor limit the transaction is approved offline at the merchant. Only Clearing (x240) flows from the acquiring processor via the scheme to the issuing processor (clearing when not in a x200 message), optionally including the TC or AAC.]

Page 26: EMV 201 EMF June 2016


Card Risk Management and Transaction Authorization: Offline Capable, Online Preferring or 100% Online

[Message flow diagram: if the amount is > floor limit but the network is down, the Authorization (x100) or Financial Request (x200) including the ARQC or AAC cannot reach the issuing processor (marked X), so the card decides under its issuer-defined parameters. Clearing (x240) including the TC or AAC flows later from the acquiring processor via the scheme to the issuing processor.]

Page 27: EMV 201 EMF June 2016


Always Online

Card Risk Management and Transaction Authorization: Offline Capable, Online Preferring or 100% Online

[Message flow diagram: Authorization (x100) or Financial Request (x200) including the ARQC or AAC flows from the merchant through the acquiring processor and scheme to the issuing processor. Authorization (x110) or Financial Response (x210) including the ARPC and scripts returns (funds available). Clearing (x240) follows when not already in a x200 message, optionally including the TC or AAC.]

Page 28: EMV 201 EMF June 2016


EMV Ensures Issuer Control of Authorization

The design of EMV assured Issuer control of the authorization for each transaction at the Point of Interaction:
• Terminal Risk Management allows the merchant / acquirer and scheme to set a floor limit under which the terminal will ask the card to approve the transaction
• Card Risk Management employs a dynamic set of parameters, allowing the Issuer to authorize the transaction without the expense of an online authorization request

The purpose: guarantee cardholder satisfaction, manage financial risk and reduce the cost of processing payments for all stakeholders

Card/Issuer Decision is Final (rows: what the terminal requests; columns: what the card returns)

Terminal Requests | TC (Offline)  | ARQC (Online) | AAC (Decline)
TC - Offline      | Card Decides  | Card Decides  | Card Decides
ARQC - Online     | Not Allowed   | Card Decides  | Card Decides
AAC - Decline     | Not Allowed   | Not Allowed   | Card Decides

Authorization

Page 29: EMV 201 EMF June 2016

APPLICATION SELECTION - DESIGNED TO SUPPORT MULTI-ACCOUNT CARDS


Page 30: EMV 201 EMF June 2016


The Debit Conundrum: The Terminal Must Read the Card

[Flow diagram: Insert card; Answer to reset; Develop candidate AID list; Select AID(s), typically associated with a payment brand; Consumer selection.]

Page 31: EMV 201 EMF June 2016


Application Selection Enables Multi Account Cards

[Terminal screen, consumer selection: “$xxx.xx Pay With: 1. Your Bank’s Credit Card, 2. Your Bank’s Debit Card, 3. Your Bank’s T&E Card. 1, 2 or 3?” followed by “Approved. Please Remove Card”.]

Page 32: EMV 201 EMF June 2016


US Debit Is Different

[Terminal screen, consumer selection: US Debit Card, one account: 1. Visa or MasterCard, 2. Pulse, 3. Shazam, 4. Star.] Route and AID are linked in the Payment Network rules.

Page 33: EMV 201 EMF June 2016


Out of the Box EMV: The User Experience Is In Design

[Terminal screen, consumer selection: “$132.95 Pay With? 1. Visa or MasterCard, 2. US Debit. Enter 1 or 2 to select payment method?”]

Page 34: EMV 201 EMF June 2016


As Today: The User Experience Is In Design

[Terminal screen, consumer selection: Credit / Debit buttons.]

Page 35: EMV 201 EMF June 2016


An alternate: The User Experience Is In Design

[Terminal screen, consumer selection: Credit / Debit buttons.]

Page 36: EMV 201 EMF June 2016


PIN Steering: The User Experience Is In Design

[Terminal screen, consumer selection: “$132.95 Pay With? 1. US Debit”.]

PSE – Payment Systems Environment; AID – Application Identifier
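Building the candidate list the debit conundrum slides turn on, as an added example that is not code from the deck: the kernel matches the AIDs it supports against the card's directory (the "List of AIDs" method of EMV Book 1 section 12.3.3, including partial matching and the Application Priority Indicator), then splits the result into the global-brand AID and the US common debit AID from the slide 13 table, which is the choice the "1. Visa or MasterCard / 2. US Debit" screen puts to the consumer. The card contents, priorities and partial-selection flags are constructed sample data.

```python
"""Application selection by the "List of AIDs" method (EMV Book 1, section 12.3.3)
over the AIDs tabled on slide 13, and the brand-vs-US-debit split behind slides 30-36.
Added example, not the deck's code.  Card applications, Application Priority
Indicators and partial-selection flags are constructed; the set of US common debit
AIDs is taken from the slide's table."""
RID_LEN = 5  # AID = RID (5 bytes, registered to the payment network) + PIX

US_COMMON_DEBIT = {"A0000000980840", "A0000001524010", "A0000006200620"}

def split_aid(aid_hex):
    """Return (RID, PIX) as upper-case hex strings."""
    aid = bytes.fromhex(aid_hex)
    return aid[:RID_LEN].hex().upper(), aid[RID_LEN:].hex().upper()

def matches(card_aid, terminal_aid, partial_ok):
    # An exact match always counts; a terminal AID that is only a prefix of the
    # card's AID counts only if the card permits partial selection (its ASI)
    return card_aid == terminal_aid or (partial_ok and card_aid.startswith(terminal_aid))

def build_candidate_list(card_apps, terminal_aids):
    """card_apps: (aid_hex, application_priority_indicator, partial_ok) tuples as the
    kernel learns them from the card's directory; terminal_aids: AIDs the kernel is
    configured to support.  Returns the matching AIDs, highest priority first."""
    candidates = []
    for aid, api, partial_ok in card_apps:
        if any(matches(aid, t, partial_ok) for t in terminal_aids):
            candidates.append((api & 0x0F, aid))  # low nibble = priority order
    # Priority 1 is highest; 0 means "no priority assigned" and sorts last
    candidates.sort(key=lambda c: (c[0] == 0, c[0]))
    return [aid for _, aid in candidates]

def confirmation_required(api):
    """Bit 8 of the priority indicator: cardholder must confirm before the
    application may be selected without asking."""
    return bool(api & 0x80)

def debit_menu(candidates):
    """Split the candidate list the way the slide's menu does: the global-brand
    AID(s) ('1. Visa or MasterCard') versus the US common debit AID(s) ('2. US Debit')."""
    brand = [a for a in candidates if a not in US_COMMON_DEBIT]
    common = [a for a in candidates if a in US_COMMON_DEBIT]
    return brand, common

# Constructed US debit card carrying a global AID and the US common debit AID for one account
US_DEBIT_CARD = [("A0000000031010", 0x01, True), ("A0000000980840", 0x02, True)]
# AIDs a constructed US POS kernel supports (values from the slide 13 table)
POS_AIDS = ["A0000000031010", "A0000000041010", "A0000000980840", "A0000001523010"]
```

With the two-AID card above the candidate list holds both entries, so a terminal configured for "PIN steering" can present only the common debit entry while an out-of-the-box terminal offers both.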

Page 37: EMV 201 EMF June 2016

PUTTING IT ALL TOGETHER


Page 38: EMV 201 EMF June 2016

05/02/2023 © Oberthur Technologies 2016 - IC-Group Seminar 38

Shared Data Enables Distinct Behaviors: PIN, PIN Try Counter and PIN Retry Limit

THE PROFILE DEFINES THE BEHAVIOR: Cardholder Verification, Card Authentication, Card Risk Management, Transaction Authorization

Page 39: EMV 201 EMF June 2016


The Profile Defines The CPU, Applet and Memory


OFFLINE AUTHENTICATION DETERMINES THE CPU

PAYMENT NETWORK SPECIFICATION DEFINES THE APPLET

VALUE ADDED SERVICES WILL REQUIRE ADDITIONAL MEMORY

DEFINE THE EMV PROFILE BEFORE FINALIZING THE CHIP TO BE EMBEDDED

Page 40: EMV 201 EMF June 2016


Key Management Assures the Security EMV Enables


IT DEPENDS
• KMC: to lock and unlock the chips
• CAPKi: to support Offline Data Authentication
• MSK(s): to create and authenticate the cryptograms & …

Page 41: EMV 201 EMF June 2016

Operating System & Applications Each with an LOA

OT’s products are certified, available in multiple memory sizes and support data sharing for US Debit

[Product matrix; the extraction does not preserve which application sits under which operating system. Columns: Contact (SDA), Online Only; Contact RSA (DDA, CDA), Offline Capable; Dual (DDA, CDA), Offline Capable. Operating systems: Cosmo S v5, Chrysalis v3.2, Cosmo RSA v5, Cosmo RSA v5.8, Cosmo Fly v5, Cosmo Fly v5.9, Chrysalis v4.0, Chrysalis Fly v3.4. Applications & versions: MC4 Multi-App, VSDC 2.8.1t, VSDC 2.8.1am2s, MC4 + NMC, VIS 1.5.4, D-PAS v1.1, VSDC 2.8.1f1, AEIPS v4.2, PPMC 1.3.1, VSDC 2.8.1f, D-PAS v1.1 + CL v1.0, MCA 1.1, AEIPS v4.2 & EP 2.0, VSDC 2.8.1G, MCA v1.1, VSDC 2.8.1g, MCA v1.2 Multi-App, MC2 + MC4 + NMC, VIS 1.5.4 + VCPS 2.1.2.]

Page 42: EMV 201 EMF June 2016


The LOA Assures Compliance and Security


• MasterCard: requires an RCCN and an EOL-LOA (Letter of Approval)
• Visa: is shifting to a 12 year End of Use policy, based on the EMVCo ICCN (Integrated Circuit Certificate Number)

Page 43: EMV 201 EMF June 2016


Branch and Bureau Issuance: OT Service Centre

[Flow diagram covering NEW ACCOUNT and LOST AND STOLEN issuance, step numbers as on the slide:
1. Account creation or card renewal
2. Application is transferred to Issuer CMS
3. Account and card request are created
4. Batch or real time card request is sent to CPS
5. Card request blob is generated (branch); EMV file is generated (bureau)
6. EMV blob is retrieved by workstation (branch); cards prepared for production (bureau)
7. APDUs are exchanged with chip]

Page 44: EMV 201 EMF June 2016


Philip Andreae, Vice President, Field Marketing

[email protected] | +1 404 680 9640