EMV 201: EMV Chip Profiles and Considerations for Issuers and Merchants
Philip Andreae, Oberthur Technologies
May 2, 2023 © Oberthur Technologies 2016 - EMV 201 - PEA
Keep It Interactive
Why EMV?
No Longer Secure – Circa 1991. In 1993 Europay, MasterCard and Visa came together to economically solve for counterfeit and lost & stolen fraud.
EMV Restored “The Token”. In 1996 the EMV Specifications were published with the collective agreement that global interoperability is the goal; each at their own pace.
Figure: the three layers and the factor behind each – Authentication (“What You Have”: a card/phone – hologram, infra red ink, magnetic stripe, cvv1/cvc1), Verification (“What You Know”: a secret – signature, online PIN, match PIN in chip), Authorization (“Are You Able” – online terminal floor limit & cvv2/cvc2).
In 1998 global deployment began; in 2012 the USA embraced EMV.
An extrapolation taking First Annapolis, EMVCo, AITA and SPA input into consideration. These are not the views of Oberthur.
EMV EMPLOYS HARDWARE BASED CRYPTOGRAPHY TO SECURE PAYMENTS
Magnetic Stripe Processing Was Easy For Everyone
Flow: read track data → if service code = 2xx or 6xx → EMV Start. Otherwise: total > terminal floor limit? Yes → issuer authorizes transaction; No → check electronic stop list. Then verify signature → print receipt → data capture for overnight settlement.
EMV Is Not for the Light Hearted
ISO Specifications
ISO 8583 – Financial transaction card originated messages
ISO 7816 – Smart Card
• Part 1: Physical characteristics
• Part 2: Cards with contacts – Dimensions and location of the contacts
• Part 3: Cards with contacts – Electrical interface and transmission protocols
• Part 4: Organization, security and commands for interchange
ISO 14443 – Contactless
• Part 1: Physical characteristics
• Part 2: Radio frequency power and signal interface
• Part 3: Initialization and anti-collision
• Part 4: Transmission protocol
EMV Specifications
EMVCo Version 4.3 – Contact
• Book 1: Application independent ICC to terminal interface requirements
• Book 2: Security and key management
• Book 3: Application specification
• Book 4: Cardholder, attendant and acquirer interface requirements
EMVCo Version 2.3 – Contactless
• Book A: Architecture and general requirements
• Book B: Entry point specification
• Books C1-7: Kernel specifications
• Book D: Communications protocol
Payment System Specifications
AEIPS - D-Pas - MChip - VIS - CPA
Based On Standards - Built on Evolving Technology
When Implementing EMV Issuers Think About
• Card design
• Chip selection
• Script processing
• Cardholder verification
• Authentication requirements
• Key management requirements
• Fraud and risk management systems
• PIN management & PIN synchronization
• Cardholder education and marketing messages
• Educating the branch, call center & the team on EMV
• Card Risk Management and Transaction Authorization
• What are merchants doing to filter debit application selection
• Credit & debit card processing must perform online authentication
• And …
Implementing EMV Requires Your “A” Team
Project phases: Project Initiation → Vendor Selection → Negotiate with Processor → Define Profile → Select Chip → Define Input File → Perform Key Ceremonies → Profile Development → Staff Training → Develop Customer Education → Payment Scheme Certification → End to End Testing → Account Conversion → Issue Chip Cards → Accept First Transaction
Stakeholders: Card Fulfillment Bureau, Core System Providers, Card Manufacturer, Payment Scheme, EFT Processors, Executive, Marketing, Customer Experience, Product Management, Operations, Compliance, IT & Security, Fraud and Risk, Branch Operations
EMV Embedded an Integrated Circuit in the Card
Hardware: CPU, crypto processor, Flash, E2PROM or ROM, RAM, security & sensors; antenna
BIOS: Basic Input Output System
Operating System: Native or Global Platform & Java Card API
Application: AEIPS, CPA, D-Pas, MChip, VSDC … Domestic
Data: file structure ADF → SFI → EF
The Chip Card is a Secure Element with Data Inside
Hardware: Antenna, CPU, crypto processor, Flash, E2PROM or ROM, RAM, security & sensors
BIOS: Basic Input Output System
Operating System: Native or Global Platform & Java Card API
Application: AEIPS, CPA, D-Pas, MChip, VSDC … Domestic
Data (file structure ADF → SFI → EF): ADF(s), AID(s), AIP, ATC, AUC, Cardholder Name, CID, CVM List, Expiry Date, IAC(s), LCOL, PAN, UCOL, Track 2 Equivalent Data…
Applications and Data are Specified and Structured
Application
The Payment Networks define, license and approve implementations of their specification running in the card and on the terminal:
• Visa – VIS
• MasterCard – MChip
• Discover – D-Pas
• Amex – AEIPS
• JCB – J/Smart
• EMVCo – CPA (OT = WISE)
The terminal specification defines how the terminal will operate and use the EMV Tool Kit.
The chip specification defines what the software in the card must do in response to commands from the terminal.
Test plans allow card and terminal vendors to prove their products perform as required.
AID – Application Identifier
The AID is the name of the Application Directory File (ADF) in the chip. The terminal and consumer select the AID.
Application – AID (RID + PIX)
• Visa (credit or debit) A0000000031010; Visa Plus A0000000038010; Visa Interlink A0000000033010; US Common Debit A0000000980840
• MasterCard A0000000041010; Maestro Int’l A0000000043060; Cirrus A0000000046000; US Maestro A0000000042203
• Amex A00000002501XX
• JCB A0000000651010
• Oberthur A000000077XXXX
• Discover A0000001523010; Discover Common Debit A0000001524010
• DNA Common Debit A0000006200620
Each Account is Stored in an Application Data File
File structure: ADF → SFI → EF (one ADF per account)
THE PROFILE AND THE TERMINAL CAPABILITIES DEFINE THE BEHAVIOR
EMV Defines the Terminal to Card Protocol
Authentication – “What you have”
• Offline by terminal: requires an RSA capable chip
• Online on issuer host
Verification – “What you know”
• Signature
• Match PIN in chip: recommended for offline authorization
• Online PIN
• No CVM
Authorization – “You have the funds”
• Online: host authorized
• Offline at merchant: based on issuer defined Card Risk Management parameters; requires offline authentication
Layering Security is the Right Answer
Offline Data Authentication – the norm in Europe, Canada and Australia
Merchants and Acquirers
• When the network is down or running slow the merchant at least knows the card is authentic
• If the terminal floor limit is not zero, knowing the card is authentic the merchant can ask the card to approve
Issuers
• Card requires a crypto-processor to support DDA or CDA
• Issuer must establish an RSA key pair and request an Issuer Public Key certificate from the Payment Network
Online Data Authentication – the way PIN Debit transactions are secured
Merchants, Acquirers and Networks
• Must manage the keys necessary to encrypt the PIN between POS and Payment Network
• Must send Field 55 EMV data to the Issuer Host for authentication
Issuers
• Authenticate the cryptogram to prove the card was or is present at time of purchase
  • ARQC – Application Request Cryptogram
  • ARPC – Application Response Cryptogram
  • TC – Transaction Certificate
  • AAC – Application Authentication Cryptogram
Transit authorities see offline data authentication as a requirement
EMV Gives The Merchant and Issuer Assurance
Offline Card Authentication – provides merchant authentication
• Requires an RSA capable processor
• Personalize the card with card & issuer public keys & certificates and a unique RSA secret
• Public keys simply need to be loaded and maintained in the terminal
• Terminal authenticates the card
Online Data Authentication – provides issuer authentication
• Personalization of the card with a unique set of secret keys
• Card generates a cryptogram (“ARQC” & “TC”) by signing card, terminal and transaction data with the secret key
• Terminal forwards Field 55 “ICC or EMV data”, including the “ARQC” or “TC” and the signed data, to the Issuer
• Issuer authenticates card data when authorizing the transaction
• Issuer returns “ARPC” and scripts in Field 55 to the card, allowing issuer authentication and parameter updates
Authentication Addresses Counterfeit Fraud
• Public key loaded in terminal: public keys are distributed to all terminals supporting Offline Data Authentication
• Issuer is a member: at personalization an RSA key pair and issuer certificates are loaded into the secure element
• Card is authentic: the card generates a unique certificate; the point of sale authenticates the card
EMV supports 4 card authentication methods:
• Online Data Authentication: the card creates a unique digital signature delivered to the Issuer Host for authentication
• Offline Data Authentication
  • Static data authentication (SDA): the data verified by the POS is always the same
  • Dynamic data authentication (DDA): the data verified by the POS is dynamic for each transaction
  • Combined DDA and application cryptogram (CDA): merges DDA with the application cryptogram
International schemes require DDA or CDA if offline capable
Authentication
EMV Offers Combined or Dynamic Data Authentication
Figure: the offline authentication key chain. The Certificate Authority (public key CAPKi, private key) RSA-signs the Issuer Public Key certificate; the Issuer (public key, private key) RSA-signs the ICC Public Key certificate and, for SDA, the signature over clear text data (e.g. PAN, expiry date).
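The key chain in the figure above and the SDA/DDA/CDA distinction from the previous slide, as an added worked example (not code from the slides or from Oberthur). It uses textbook RSA over small, well-known Mersenne primes and a SHA-256 digest reduced modulo n in place of the EMVCo key sizes, padding and certificate formats; the CA/issuer/ICC key pairs, the static data string and the challenge values are all constructed. It shows the terminal walking the chain CAPK → issuer certificate → ICC certificate, that an SDA signature covers data that never changes, and that a DDA signature bound to the terminal's unpredictable number does not verify against a later challenge.

```python
"""Toy model of the EMV offline data authentication key chain (CA -> issuer -> ICC)
and of why DDA/CDA resists replay where SDA does not.
Added example, not from the slides or Oberthur: textbook RSA over small Mersenne
primes with SHA-256 reduced modulo n stands in for the EMVCo key sizes, padding and
certificate formats, which are not reproduced here."""
import hashlib

E = 65537  # public exponent shared by the three toy key pairs (assumption)

def make_keypair(p, q):
    """Return (n, d) for two distinct primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, pow(E, -1, phi)

def digest(n, data):
    # Hash, then reduce so the value fits the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(n, d, data):
    return pow(digest(n, data), d, n)

def rsa_verify(n, sig, data):
    return pow(sig, E, n) == digest(n, data)

def encode_key(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

# Key chain with the longest modulus at the top (CA >= issuer >= ICC), as in EMV.
CA_N, CA_D = make_keypair(2**127 - 1, 2**107 - 1)   # CAPKi is CA_N; CA_D stays with the CA
ISS_N, ISS_D = make_keypair(2**89 - 1, 2**61 - 1)   # issuer RSA key pair
ICC_N, ICC_D = make_keypair(2**31 - 1, 2**19 - 1)   # card RSA key pair; ICC_D never leaves the chip

# Personalization data placed on the card (constructed sample values).
STATIC_DATA = b"PAN=4111111111111111;EXP=2512"          # not a real account
ISSUER_CERT = rsa_sign(CA_N, CA_D, encode_key(ISS_N))   # CA signs the issuer public key
ICC_CERT = rsa_sign(ISS_N, ISS_D, encode_key(ICC_N))    # issuer signs the ICC public key
SDA_SIGNATURE = rsa_sign(ISS_N, ISS_D, STATIC_DATA)     # issuer signs the static data once

def verify_chain(capk_n, issuer_n, issuer_cert, icc_n, icc_cert):
    """Terminal side: CAPK -> issuer certificate -> ICC certificate."""
    return (rsa_verify(capk_n, issuer_cert, encode_key(issuer_n))
            and rsa_verify(issuer_n, icc_cert, encode_key(icc_n)))

def terminal_sda(capk_n, issuer_n, issuer_cert, static_data, sda_sig):
    """SDA: verify the issuer's signature over data that is the same every transaction."""
    return (rsa_verify(capk_n, issuer_cert, encode_key(issuer_n))
            and rsa_verify(issuer_n, sda_sig, static_data))

def card_dda_sign(icc_n, icc_d, unpredictable_number):
    """Card side: sign the terminal's fresh challenge with the ICC private key."""
    return rsa_sign(icc_n, icc_d, unpredictable_number)

def terminal_dda(capk_n, issuer_n, issuer_cert, icc_n, icc_cert, challenge, dda_sig):
    """DDA: chain check plus a signature that must cover this transaction's challenge."""
    return (verify_chain(capk_n, issuer_n, issuer_cert, icc_n, icc_cert)
            and rsa_verify(icc_n, dda_sig, challenge))

def demo():
    """Return the outcome of each check; challenges are fixed so the run is repeatable."""
    un_first, un_later = b"\x00\x00\x00\x01", b"\x00\x00\x00\x02"
    dda_sig = card_dda_sign(ICC_N, ICC_D, un_first)
    return {
        "sda_verifies": terminal_sda(CA_N, ISS_N, ISSUER_CERT, STATIC_DATA, SDA_SIGNATURE),
        # Altering the signed data (here the expiry) breaks the SDA signature.
        "sda_tampered_verifies": terminal_sda(CA_N, ISS_N, ISSUER_CERT,
                                              STATIC_DATA.replace(b"2512", b"2912"), SDA_SIGNATURE),
        "dda_verifies": terminal_dda(CA_N, ISS_N, ISSUER_CERT, ICC_N, ICC_CERT, un_first, dda_sig),
        # A signature produced for an earlier challenge does not match a fresh one.
        "dda_replay_verifies": terminal_dda(CA_N, ISS_N, ISSUER_CERT, ICC_N, ICC_CERT, un_later, dda_sig),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Every input to the SDA check is public data read from the card, so the check says the issuer signed that data, not that this chip holds the issuer's key; DDA adds a signature that only the chip holding the ICC private key can produce over a value the terminal chose for this transaction, which is why the schemes require DDA or CDA for offline-capable cards.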
Each Kernel Has a Set of CVM Capabilities
• Plaintext PIN for ICC verification
• Enciphered PIN for online verification
• Signature (paper)
• Enciphered PIN for offline verification
• No CVM required
The Card Carries The CVM List
Signature Preferring
• Signature
• No CVM
PIN Preferring
• Online PIN
• Signature
• No CVM
International Traveler
• Online PIN
• Offline Enciphered PIN
• Offline Clear Text PIN
• Signature
• No CVM
Common Debit
• Online PIN
• No CVM
Alternate Debit
• Online PIN
• Offline Enciphered PIN
• Offline Clear Text PIN
• No CVM
Address Unattended Terminals
• Online PIN
• Signature
• Offline Enciphered PIN
• Offline Clear Text PIN
• No CVM
EMV Cardholder Verification For Every Occasion
• Chip and Signature
• Chip and PIN (lost and stolen fraud)
• Chip and Choice
• Support for PIN selection
• PIN synchronization
• Verified in ICC or online
Selectable Kernel
The terminal selects the EMVCo approved kernel based on amount & tender type. The kernel has a predefined set of terminal CVM capabilities. The CVM List presents the terminal with a prioritized list, e.g.
• Online PIN verification
• PIN verification in ICC
• Signature
• No CVM
The terminal selects the CVM by comparing the CVM List of the selected AID to the kernel’s CVM capabilities.
Verification
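The CVM selection described above, as an added example (not code from the slides or from Oberthur): the card's prioritized CVM List is walked top to bottom and the first method that the kernel's CVM capabilities include wins. The CVM names and the card profiles are the ones on the slides; the kernel capability sets and the handling of a terminal that cannot reach the host are constructed assumptions, not EMVCo kernel definitions.

```python
"""Choosing the cardholder verification method: walk the card's prioritized CVM
List and stop at the first method the terminal kernel can perform.
Added example, not from the slides. CVM names and card profiles come from the
slides; the kernel capability sets and the 'online unavailable' rule are
constructed for illustration."""
ONLINE_PIN = "Online PIN"
OFFLINE_ENC_PIN = "Offline Enciphered PIN"
OFFLINE_PLAIN_PIN = "Offline Clear Text PIN"
SIGNATURE = "Signature"
NO_CVM = "No CVM"

# CVM Lists as carried on the card, highest priority first (profiles from the slide)
CARD_CVM_LISTS = {
    "Signature Preferring": [SIGNATURE, NO_CVM],
    "PIN Preferring": [ONLINE_PIN, SIGNATURE, NO_CVM],
    "International Traveler": [ONLINE_PIN, OFFLINE_ENC_PIN, OFFLINE_PLAIN_PIN, SIGNATURE, NO_CVM],
    "Common Debit": [ONLINE_PIN, NO_CVM],
    "Alternate Debit": [ONLINE_PIN, OFFLINE_ENC_PIN, OFFLINE_PLAIN_PIN, NO_CVM],
    "Address Unattended Terminals": [ONLINE_PIN, SIGNATURE, OFFLINE_ENC_PIN, OFFLINE_PLAIN_PIN, NO_CVM],
}

# Terminal kernel CVM capabilities (constructed sample sets, not EMVCo kernel definitions)
KERNEL_CAPABILITIES = {
    "attended, PIN pad": {ONLINE_PIN, OFFLINE_ENC_PIN, OFFLINE_PLAIN_PIN, SIGNATURE, NO_CVM},
    "attended, no PIN pad": {SIGNATURE, NO_CVM},
    "unattended kiosk": {OFFLINE_ENC_PIN, OFFLINE_PLAIN_PIN, NO_CVM},
    "online PIN only": {ONLINE_PIN},
}

def select_cvm(cvm_list, terminal_capabilities, online_available=True):
    """Return the first CVM both sides support, or None when the lists do not intersect.

    Online PIN needs the issuer host, so it is skipped when the terminal cannot go
    online and the next entry in the card's list is tried instead.
    """
    for method in cvm_list:
        if method == ONLINE_PIN and not online_available:
            continue
        if method in terminal_capabilities:
            return method
    return None  # no common method: the terminal records that verification failed

def selection_table(online_available=True):
    """(card profile, kernel) -> chosen CVM, for every combination defined above."""
    return {
        (profile, kernel): select_cvm(cvm_list, caps, online_available)
        for profile, cvm_list in CARD_CVM_LISTS.items()
        for kernel, caps in KERNEL_CAPABILITIES.items()
    }

if __name__ == "__main__":
    for (profile, kernel), cvm in selection_table().items():
        print(f"{profile:30} @ {kernel:22} -> {cvm}")
```

Two profiles show why the order of the list matters: Common Debit at a terminal without a PIN pad drops straight to No CVM because signature is not in the card's list, while Address Unattended Terminals still reaches an offline PIN at a kiosk that has neither a host connection nor a signature capture.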
POS Must Understand the EMV Transaction Flow
EMV Start: Answer to Reset → Application Selection → Initiate Application → Read Application Data
EMV Continue: Data Authentication → Processing Restrictions → Cardholder Verification → Terminal Risk Management → Terminal Action Analysis → Card Action Analysis → Online/Offline Decision
EMV Complete: Online → Online Processing → Issuer Authentication → Script Processing → Completion; Offline → Completion
Card Risk Management and Transaction Authorization – Offline Capable, Online Preferring or 100% Online
Message path: Consumer → Merchant → Acquiring Processor → Scheme → Issuing Processor
Offline capable (amount < floor limit): no online request; Clearing (x240) – clearing when not in a x200 message – optionally includes the TC or AAC
Online preferring, network down (amount > floor limit): Authorization (x100) or Financial Request (x200) includes the ARQC or AAC but cannot reach the issuer (X); Clearing (x240) includes the TC or AAC
Always online: Authorization (x100) or Financial Request (x200) includes the ARQC or AAC; the issuing processor checks funds available; Authorization (x110) or Financial Response (x210) includes the ARPC and scripts; Clearing (x240) – clearing when not in a x200 message – optionally includes the TC or AAC
EMV Ensures Issuer Control of Authorization
The design of EMV assured issuer control of the authorization for each transaction at the Point of Interaction:
• Terminal Risk Management allows the merchant / acquirer and scheme to set a floor limit under which the terminal will ask the card to approve the transaction
• Card Risk Management employs a dynamic set of parameters, allowing the issuer to authorize the transaction without the expense of an online authorization request
The purpose – guarantee cardholder satisfaction, manage financial risk and reduce the cost of processing payments for all stakeholders
Card/Issuer Decision is Final (rows: what the terminal requests; columns: what the card returns)
Terminal requests | TC - Offline | ARQC - Online | AAC - Decline
TC - Offline      | Card Decides | Card Decides  | Card Decides
ARQC - Online     | Not Allowed  | Card Decides  | Card Decides
AAC - Decline     | Not Allowed  | Not Allowed   | Card Decides
Authorization
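The terminal request / card decision / issuer response cycle from the matrix above, together with the cryptogram exchange from the “EMV Gives The Merchant and Issuer Assurance” slide, as one added example (not code from the slides or from Oberthur). The decision matrix is the slide's; the floor-limit rule, the LCOL/UCOL-style offline counters, the response codes and the Field 55 contents are constructed illustrations, and HMAC-SHA256 with a single shared card key stands in for the EMV MAC and its issuer master key / session key derivation.

```python
"""Terminal request -> card decision -> issuer response, with the cryptogram that
lets the issuer check the decision came from the genuine card.
Added example, not from the slides. The decision matrix (the card may only move a
request toward the more restrictive answer, TC -> ARQC -> AAC, never back) is the
slide's; the floor-limit rule, LCOL/UCOL-style offline counters and response codes
are constructed, and HMAC-SHA256 with one shared card key stands in for the EMV MAC
and its issuer master key / session key derivation."""
import hashlib
import hmac
from dataclasses import dataclass

TC, ARQC, AAC = "TC", "ARQC", "AAC"
RESTRICTIVENESS = {TC: 0, ARQC: 1, AAC: 2}

def application_cryptogram(key, ctype, amount, atc, unpredictable_number):
    """MAC over card data (ATC), terminal data (unpredictable number) and the transaction."""
    msg = f"{ctype}|{amount}|{atc}|{unpredictable_number.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def response_cryptogram(key, arqc, response_code):
    """ARPC: the issuer proves to the card that it saw this exact ARQC."""
    return hmac.new(key, arqc + response_code.encode(), hashlib.sha256).digest()[:4]

@dataclass
class Card:
    key: bytes
    lower_offline_limit: int   # LCOL-style: above this offline spend the card asks to go online
    upper_offline_limit: int   # UCOL-style: above this offline spend the card declines offline
    atc: int = 0               # Application Transaction Counter
    offline_spend: int = 0     # accumulated since the last verified online approval

    def generate_ac(self, requested, amount, unpredictable_number):
        """Card risk management: answer the terminal's request, downgrading only."""
        self.atc += 1
        decision = requested
        if requested == TC:
            projected = self.offline_spend + amount
            if projected > self.upper_offline_limit:
                decision = AAC
            elif projected > self.lower_offline_limit:
                decision = ARQC
        assert RESTRICTIVENESS[decision] >= RESTRICTIVENESS[requested]
        if decision == TC:
            self.offline_spend += amount
        return decision, self.atc, application_cryptogram(self.key, decision, amount, self.atc, unpredictable_number)

    def verify_arpc(self, arqc, response_code, arpc):
        """Issuer authentication; a verified online approval resets the offline counter."""
        ok = hmac.compare_digest(response_cryptogram(self.key, arqc, response_code), arpc)
        if ok and response_code == "00":
            self.offline_spend = 0
        return ok

class IssuerHost:
    def __init__(self, card_keys):
        self.card_keys = card_keys  # PAN -> card key (stand-in for deriving it from the MSK)

    def authorize(self, pan, ctype, amount, atc, unpredictable_number, cryptogram, funds_available):
        """Field 55 in: recompute the ARQC; only the genuine card key produces a match."""
        key = self.card_keys[pan]
        expected = application_cryptogram(key, ctype, amount, atc, unpredictable_number)
        if ctype != ARQC or not hmac.compare_digest(expected, cryptogram):
            return None  # card not proven present: no approval and no ARPC
        response_code = "00" if funds_available >= amount else "51"
        return response_code, response_cryptogram(key, cryptogram, response_code)

def run_transaction(card, issuer, pan, amount, floor_limit, funds_available, un=b"\x01\x02\x03\x04"):
    """One purchase; a real terminal draws a fresh unpredictable number (un) each time."""
    requested = TC if amount < floor_limit else ARQC  # terminal risk management
    decision, atc, ac = card.generate_ac(requested, amount, un)
    if decision == TC:
        return "approved offline"
    if decision == AAC:
        return "declined by card"
    response = issuer.authorize(pan, decision, amount, atc, un, ac, funds_available)
    if response is None:
        return "declined: cryptogram invalid"
    response_code, arpc = response
    if not card.verify_arpc(ac, response_code, arpc):
        return "declined: issuer authentication failed"
    return "approved online" if response_code == "00" else "declined online"

def demo():
    """Run a constructed sequence against one card and return the outcomes in order."""
    pan, key = "PAN-sample", b"constructed-card-key"
    issuer = IssuerHost({pan: key})
    card = Card(key=key, lower_offline_limit=50, upper_offline_limit=100)
    outcomes = [
        run_transaction(card, issuer, pan, 20, 30, 1000),  # under floor and LCOL: TC
        run_transaction(card, issuer, pan, 25, 30, 1000),  # offline spend 45: still TC
        run_transaction(card, issuer, pan, 10, 30, 1000),  # 55 > LCOL: card escalates to ARQC
        run_transaction(card, issuer, pan, 80, 30, 1000),  # over floor: terminal asks for ARQC
        run_transaction(card, issuer, pan, 500, 30, 100),  # issuer answers 51: insufficient funds
    ]
    card.offline_spend = 95                                # constructed state just under UCOL
    outcomes.append(run_transaction(card, issuer, pan, 10, 30, 1000))  # 105 > UCOL: AAC
    clone = Card(key=b"wrong-key", lower_offline_limit=50, upper_offline_limit=100)
    outcomes.append(run_transaction(clone, issuer, pan, 80, 30, 1000))  # wrong key: no ARPC
    return outcomes
```

The third transaction is the case the slide's matrix is about: the terminal asked for a TC, the card's own parameters turned it into an ARQC, and the issuer then had the final say. The last one shows what the online leg buys the issuer: a card that cannot produce the right cryptogram gets no approval and no ARPC, whatever the terminal requested.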
APPLICATION SELECTION - DESIGNED TO SUPPORT MULTI-ACCOUNT CARDS
The Debit Conundrum
The Terminal Must Read the Card: insert card → Answer to Reset → select AID(s), typically associated with payment brand → develop candidate AID list → consumer selection
Application Selection Enables Multi Account Cards
Consumer Selection prompt:
$xxx.xx Pay With
1. Your Bank’s Credit Card
2. Your Bank’s Debit Card
3. Your Bank’s T&E Card
1, 2 or 3?
Approved – Please Remove Card
US Debit Is Different
US Debit Card – One Account
Consumer Selection prompt:
1. Visa or MasterCard
2. Pulse
3. Shazam
4. Star
Route and AID are linked in the Payment Network Rules
Out of the Box EMV
Consumer Selection prompt:
$132.95 Pay With?
1. Visa or MasterCard
2. US Debit
Enter 1 or 2 to select payment method
THE USER EXPERIENCE IS IN DESIGN
As Today – Consumer Selection: Credit / Debit
An alternate – Consumer Selection: Credit / Debit
PIN Steering – Consumer Selection prompt:
$132.95 Pay With?
1. US Debit
PSE – Payment Systems Environment; AID – Application Identifier
PUTTING IT ALL TOGETHER
Shared Data Enables Distinct Behaviors
PIN, PIN Try Counter and PIN Retry Limit
THE PROFILE DEFINES THE BEHAVIOR: Cardholder Verification, Card Authentication, Card Risk Management, Transaction Authorization
The Profile Defines The CPU, Applet and Memory
OFFLINE AUTHENTICATION DETERMINES THE CPU
PAYMENT NETWORK SPECIFICATION DEFINES THE APPLET
VALUE ADDED SERVICES WILL REQUIRE ADDITIONAL MEMORY
DEFINE THE EMV PROFILE BEFORE FINALIZING THE CHIP TO BE EMBEDDED
Key Management Assures the Security EMV Enables
IT DEPENDS
KMC – to lock and unlock the chips
CAPKi – to support Offline Data Authentication
MSK(s) – to create and authenticate the cryptograms & …
Operating System & Applications Each with an LOA
OT’s products are certified, available in multiple memory sizes and support data sharing for US Debit
Product matrix – columns: Contact (SDA) – Online Only; Contact RSA (DDA, CDA) – Offline Capable; Dual (DDA, CDA) – Offline Capable. Operating systems: Cosmo S v5, Chrysalis v3.2, Cosmo RSA v5, Cosmo Fly v5, Cosmo RSA v5.8, Cosmo Fly v5.9, Chrysalis v4.0, Chrysalis Fly v3.4. Applications & versions: MC4 Multi-App, VSDC 2.8.1t, VSDC 2.8.1am2s, MC4 + NMC, VIS1.5.4, D-PAS v1.1, VSDC2.8.1f1, AEIPS v4.2, PPMC1.3.1, VSDC2.8.1f, D-PAS v1.1 + CL v1.0, MCA1.1, AEIPS v4.2 & EP2.0, VSDC2.8.1G, MCA v1.1, VSDC2.8.1g, MCA v1.2 Multi-App, MC2 + MC4 + NMC, VIS1.5.4 + VCPS2.1.2
The LOA Assures Compliance and Security
MasterCard requires an RCCN and an EOL-LOA (Letter of Approval)
Visa is shifting to a 12 year End of Use policy based on the EMVCo ICCN (Integrated Circuit Certificate Number)
Branch and Bureau Issuance – OT Service Centre
NEW ACCOUNT / LOST AND STOLEN
1. Account creation or card renewal
2. Application is transferred to Issuer CMS
3. Account and card request are created
4. Batch or real time card request is sent to CPS
5. Card request blob is generated
Branch issuance: 6. EMV blob is retrieved by workstation → 7. APDUs are exchanged with chip
Bureau issuance: EMV file is generated → 6. Cards prepared for production
Philip Andreae, Vice President, Field Marketing
[email protected] +1 404 680 9640