|Copyright 2016, Kona SL Ltd. | All Rights Reserved
Players and Roles for Payment System
• Merchant: offers products and services to the User; signs up with an Acquirer.
• User: buys the Merchant's products and services, using a payment card issued by the Issuer.
• Acquirer: signs up and underwrites the Merchant; transmits the collected transaction data to the Issuer through the network.
• Issuer: issues the payment card; approves or rejects the transaction.
• Payment Network Provider: provides the network between Issuer and Acquirer; offers brand benefit.
Payment eco-system (diagram): User, Merchant, Acquirer and Issuer; POS and ATM, Acquiring System, Issuing System, Host, Payment Cards, Interchange Network, Authorization System, NPSB.
Payment Card Evolution
Embossing
• Verification of card & cardholder: penciling the embossed card
• Data processing: manual
• Validation verification: none
• Note: high risk of data duplication
Magnetic Stripe
• Verification of card & cardholder: imprinted sales slip, transaction slip, and signature verification
• Data processing: electronically processes transaction and settlement data for the first time
• Validation verification: CVC/CVV verification; hologram verification by eye
• Note: increase in risk of data duplication with the popularization of MS card usage and technology
IC Chip Card
• Verification of card & cardholder: transaction slip, PIN, and signature verification
• Data processing: chip with an installed payment application stores and processes data
• Validation verification: offline data authentication through digital signature verification
• Note: strong security provided by a high-grade cryptosystem; inconvenient for simple transactions
RF Card
• Verification of card & cardholder: same principle as IC chip card but streamlined authentication
• Data processing: similar to the IC chip card but with a streamlined transaction flow
• Validation verification: ARQC verification
• Note: compatibility with MS card infrastructure
Mobile Card
• Verification of card & cardholder: same as RF card
• Data processing: complies with the NFC transaction process using an NFC-equipped cellphone
• Validation verification: same as RF card
• Note: OTA post-issuance of card
Magnetic Stripe Cards
• Stores data on the magnetic band, usually located on the back of the card.
• Contains Track 1 and Track 2 data.
• Track 1 data: Card Type, PAN, Cardholder Name, PAN Expiry Date, Service Code.
• Track 2 data: PAN, PAN Expiry Date, Service Code.
• Stored data cannot be changed.
• Read by swiping past a magnetic reading head.
Magnetic Stripe Transaction Flow
Diagram: the magnetic stripe card is swiped in the POS; the same Static Authentication Data is forwarded from the POS to the Acquirer, from the Acquirer to the Payment Network Provider, and from there to the Issuer; the Transaction Response travels back along the same path.
Security Issues for Magnetic Stripe Cards
• Card Cloning
Magnetic stripe data is not encrypted and is very easy to clone.
• Static Data
Static data is written to the magnetic stripe during personalization and is not changed during the card's lifetime. So, once this data is compromised, it can be reused any number of times to perform fraudulent transactions.
• Little Risk Assessment
No risk assessment is performed at the terminal or the card; risk assessment is performed only at the host.
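As an added illustration (not part of the original deck), the following Go program parses the Track 1 and Track 2 layouts listed above as ISO/IEC 7813 defines them and reads the service code, whose first digit tells a terminal whether the card also carries a chip. The sentinel and separator characters come from that standard, while the test PAN and the sample tracks are constructed; the slide itself only lists the field names.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TrackData holds the fields the slide lists for Track 1 and Track 2;
// FormatCode ("Card Type") and Name exist on Track 1 only.
type TrackData struct {
	FormatCode, PAN, Name, Expiry, ServiceCode string
}

// ParseTrack parses ISO/IEC 7813 Track 1 ("%B<PAN>^<NAME>^YYMMSSS...?") or
// Track 2 (";<PAN>=YYMMSSS...?") as a reader returns it. Bytes after the
// three-digit service code are issuer discretionary data and are ignored.
func ParseTrack(raw string) (TrackData, error) {
	var t, zero TrackData
	if len(raw) < 2 || !strings.HasSuffix(raw, "?") {
		return zero, errors.New("missing start or end sentinel")
	}
	body, tail := raw[1:len(raw)-1], ""
	switch raw[0] {
	case '%': // Track 1: format code + PAN, name, expiry + service code
		parts := strings.SplitN(body, "^", 3)
		if len(parts) != 3 || len(parts[0]) < 2 {
			return zero, errors.New("malformed track 1")
		}
		t.FormatCode, t.PAN = parts[0][:1], parts[0][1:]
		t.Name, tail = strings.TrimSpace(parts[1]), parts[2]
	case ';': // Track 2: PAN, expiry + service code
		parts := strings.SplitN(body, "=", 2)
		if len(parts) != 2 {
			return zero, errors.New("malformed track 2")
		}
		t.PAN, tail = parts[0], parts[1]
	default:
		return zero, errors.New("unknown start sentinel")
	}
	if len(tail) < 7 || len(t.PAN) == 0 || len(t.PAN) > 19 {
		return zero, errors.New("bad PAN length or truncated expiry/service code")
	}
	t.Expiry, t.ServiceCode = tail[:4], tail[4:7]
	return t, nil
}

// ChipPresent reports whether the service code's first digit (2 or 6 in
// ISO/IEC 7813) declares an IC chip. A terminal seeing this on a swipe should
// insist on the chip; accepting the swipe is a fallback that deserves scrutiny.
func ChipPresent(serviceCode string) bool {
	return len(serviceCode) == 3 && (serviceCode[0] == '2' || serviceCode[0] == '6')
}

func main() {
	// Constructed sample using the well-known test PAN 4111111111111111.
	t, err := ParseTrack(";4111111111111111=2512201000000000?")
	fmt.Printf("%+v err=%v chip=%v\n", t, err, ChipPresent(t.ServiceCode))
}
```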
EMV
• A standard for smart payment cards and terminals.
• EMV stands for EuroPay, MasterCard and Visa, the three companies that founded the standard.
• The standard is maintained by EMVCo, a consortium whose members include payment brands such as Visa, MasterCard, JCB, American Express, China UnionPay and Discover.
Purpose of EMV Standards
• To prevent card fraud: minimize the risk of card data duplication and counterfeiting, which were easy with MS cards.
• To reduce cost: cut cost by enabling offline transactions.
• Interoperability: set up an interoperable payment infrastructure (chip, card, terminal, and system) by defining the business role of each player in the credit and debit payment system.
EMV Offerings
• Cardholder and card authentication
• Cryptographic processing capability of the smart chip
• Authorization by the issuer according to predefined rules
Diagram: the Authorization Request carries dynamic data from the Acquirer through the Payment Network Provider to the Issuer.
EMV Cryptographic Processing
• EMV chip cards have cryptographic processing capability.
• Cryptographic algorithms such as Triple DES, RSA and SHA are used throughout the various phases of the smart card's lifecycle.
A Look Into Chip Cards
Contact Cards
• 1 square cm contact area with gold-plated contact pads.
• The ISO/IEC 7816 standard defines the communication protocol, physical characteristics of the card, security and commands for interchange, commands for security operations, etc.
Contactless Cards
• The card communicates with the reader through RF induction technology.
• The ISO/IEC 14443 standard defines the communication protocol, radio frequency power, transmission protocol, etc.
Dual Interface Cards
• Both contact and contactless interfaces are supported.
• The ISO/IEC 14443 standard defines the communication protocol, radio frequency power, transmission protocol, etc.
EMV Authentication
Card Authentication
• Online Authentication
• Offline Authentication
SDA – Static Data Authentication
DDA – Dynamic Data Authentication
CDA – Combined Data Authentication
Cardholder Authentication
• Online PIN
• Offline PIN
Authorization by the Issuer
Online Authorization
• A transaction cryptogram is generated and sent to the issuer online.
• The issuer authorizes the transaction online.
Diagram: the Cryptogram Request passes through the Payment Network to the Issuer, and the Authorization Response returns the same way.
Offline Authorization
• Used when terminals do not have online connectivity.
• The card and terminal communicate and decide whether the transaction can be authorized.
Risk Assessment
Terminal Risk Assessment
• The terminal can decide to perform the transaction online or offline.
• For offline transactions, the terminal checks the transaction amount against an offline ceiling limit.
Card Risk Assessment
• The card takes part in the decision to accept or decline a transaction.
• Different types of application cryptograms are generated:
AAC – used for declining a transaction
TC – used for an offline transaction
ARQC – used for an online transaction
Card & Terminal Communication Steps for Transaction
Flowchart of the steps in order: Initiate Application → Read Application Data → Data Authentication → Processing Restrictions → Cardholder Verification → Terminal Risk Management → Terminal Action Analysis → Card Action Analysis → Online/Offline Decision → (Online) Online Processing & Issuer Authentication → Script Processing → Completion, or (Offline) Completion.
Step: Initiate Application – initiation of the transaction.
Card & Terminal Communication Steps for Transaction
Step: Read Application Data – reading card data for the transaction.
Card & Terminal Communication Steps for Transaction
Step: Data Authentication – card authentication by the terminal.
EMV Data Authentication
SDA – Static Data Authentication
• The Payment Brand Certificate is kept at the terminal.
• The Issuer Public Key Certificate is signed by the payment brand and verified with the payment brand certificate.
• The Static Application Data is signed by the issuer and verified with the Issuer Public Key Certificate.
DDA – Dynamic Data Authentication
• The Payment Brand Certificate is kept at the terminal.
• The Issuer Public Key Certificate is signed by the payment brand and verified with the payment brand certificate.
• The ICC Public Key Certificate + Static Application Data are verified with the Issuer Public Key Certificate.
• The Card & Terminal Dynamic Data is verified with the ICC Public Key Certificate.
CDA – Combined Data Authentication
• DDA combined with generation of the Application Cryptogram:
Generate Application Cryptogram → Application Request Cryptogram (ARQC) → Send ARQC to Issuer → Cryptogram Validation at the Issuer → Application Response Cryptogram (ARPC) → Send ARPC to Card.
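Added example, not the deck's or EMVCo's code: a Go sketch of the SDA and DDA certificate chains described above, showing why signed static data can be copied from one card to another while a DDA signature over the terminal's fresh unpredictable number cannot. It assumes PKCS#1 v1.5 over SHA-256 in place of EMV's ISO/IEC 9796-2 signature format, a simplified certificate that signs only the public modulus and exponent, and constructed keys and data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PKCS#1 v1.5 over SHA-256 stands in for EMV's ISO/IEC 9796-2 signature scheme.
func sign(k *rsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func verify(pub *rsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Cert is a public key plus the signature of the next key up the chain over it.
type Cert struct {
	Pub *rsa.PublicKey
	Sig []byte
}

func keyBytes(p *rsa.PublicKey) []byte { return []byte(fmt.Sprintf("%x:%x", p.N, p.E)) }

func issue(signer *rsa.PrivateKey, pub *rsa.PublicKey) Cert {
	return Cert{pub, sign(signer, keyBytes(pub))}
}

// VerifySDA: brand key (held by the terminal) -> issuer certificate -> issuer
// signature over the static application data. That signature is fixed at
// personalisation, so a byte-for-byte copy of the card verifies just as well.
func VerifySDA(brand *rsa.PublicKey, issuer Cert, static, ssad []byte) bool {
	return verify(brand, keyBytes(issuer.Pub), issuer.Sig) && verify(issuer.Pub, static, ssad)
}

// VerifyDDA extends the chain with the ICC certificate and checks the card's
// signature over the terminal's fresh unpredictable number: a clone without
// the ICC private key cannot sign it, and a recorded signature will not match.
func VerifyDDA(brand *rsa.PublicKey, issuer, icc Cert, un, sdad []byte) bool {
	return verify(brand, keyBytes(issuer.Pub), issuer.Sig) &&
		verify(issuer.Pub, keyBytes(icc.Pub), icc.Sig) && verify(icc.Pub, un, sdad)
}

func main() {
	// Constructed key hierarchy brand -> issuer -> ICC, generated on the spot.
	brand, _ := rsa.GenerateKey(rand.Reader, 2048)
	issuerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	iccKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	issuerCert, iccCert := issue(brand, &issuerKey.PublicKey), issue(issuerKey, &iccKey.PublicKey)
	un := []byte{0x12, 0x34, 0x56, 0x78} // constructed terminal unpredictable number
	fmt.Println("DDA:", VerifyDDA(&brand.PublicKey, issuerCert, iccCert, un, sign(iccKey, un)))
}
```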
Card & Terminal Communication Steps for Transaction
Step: Processing Restrictions – confirming compatibility between terminal and card.
Card & Terminal Communication Steps for Transaction
Step: Cardholder Verification – confirming whether the cardholder is valid.
Cardholder Verification Method
Verification Methods
• Online PIN: the PIN is encrypted and verified by the issuer online.
• Offline PIN: a copy of the PIN is stored on the card in encrypted form; during the transaction, the PIN provided by the user is matched against that stored encrypted PIN.
• Signature: the cardholder's signature on the receipt is matched against the signature on the back of the card.
• No verification method: only the card is authenticated; usually applies to small-amount transactions.
Card & Terminal Communication Steps for Transaction
Step: Terminal Risk Management – different steps taken by the terminal to prevent fraud.
Card & Terminal Communication Steps for Transaction
Step: Terminal Action Analysis – primary decision on whether to approve or decline the transaction offline or online.
Card & Terminal Communication Steps for Transaction
Step: Card Action Analysis – final decision on going online or offline for the transaction, made by the card's own risk management based on the terminal action analysis.
Card & Terminal Communication Steps for Transaction
Step: Online Processing & Issuer Authentication – online transaction with an application cryptogram.
EMV Online Transaction Flow
Diagram: the Application Request Cryptogram (ARQC) generated by the card is forwarded from the Acquirer through the Payment Network Provider to the Issuer, which performs Cryptogram Validation; the Application Response Cryptogram (ARPC) returns from the Issuer through the Payment Network Provider and the Acquirer to the card.
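Added example (not code from the deck) of the online authorization exchange in the Authorization by the Issuer and EMV Online Transaction Flow slides, in Go: the card computes the ARQC as a Triple DES MAC over the transaction data, the issuer recomputes it over what it actually received and answers with an ARPC, and the card checks that ARPC as its issuer-authentication step. The 16-byte session key and the transaction data bytes are constructed, ARPC method 1 is assumed, and the derivation of the session key from the card master key and ATC that EMV specifies is left out.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"fmt"
)

// ApplicationCryptogram is ISO/IEC 9797-1 MAC Algorithm 3 (EMV's ARQC/TC/AAC MAC):
// pad 0x80+zeros, single-DES CBC with the left key half, then a final 3DES step.
func ApplicationCryptogram(sk16, data []byte) []byte {
	kl, _ := des.NewCipher(sk16[:8])
	kr, _ := des.NewCipher(sk16[8:])
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%8 != 0 {
		msg = append(msg, 0)
	}
	h := make([]byte, 8)
	for i := 0; i < len(msg); i += 8 {
		for j := range h {
			h[j] ^= msg[i+j]
		}
		kl.Encrypt(h, h)
	}
	kr.Decrypt(h, h)
	kl.Encrypt(h, h)
	return h
}

// arpc is ARPC method 1: 3DES(SK, ARQC XOR (ARC || 00 00 00 00 00 00)).
func arpc(sk16, arqc, arc []byte) []byte {
	tdes, _ := des.NewTripleDESCipher(append(append([]byte{}, sk16...), sk16[:8]...))
	out := append([]byte{}, arqc...)
	out[0], out[1] = out[0]^arc[0], out[1]^arc[1]
	tdes.Encrypt(out, out)
	return out
}

// IssuerAuthorize recomputes the cryptogram over the data as received; a match
// approves (ARC "00") with an ARPC for the card, a mismatch declines (ARC "05").
func IssuerAuthorize(sk16, txData, arqc []byte) (arc, resp []byte) {
	if subtle.ConstantTimeCompare(ApplicationCryptogram(sk16, txData), arqc) != 1 {
		return []byte("05"), nil
	}
	arc = []byte("00")
	return arc, arpc(sk16, arqc, arc)
}

// CardVerifyARPC is the card's issuer-authentication step.
func CardVerifyARPC(sk16, arqc, arc, resp []byte) bool {
	return resp != nil && subtle.ConstantTimeCompare(arpc(sk16, arqc, arc), resp) == 1
}

func main() {
	sk := []byte("0123456789ABCDEF") // constructed; EMV derives it from the card master key and ATC
	tx := []byte{0, 0, 0, 0, 0x12, 0x34, 0x09, 0x78, 0xde, 0xad, 0xbe, 0xef, 0, 0x2a} // constructed
	arqc := ApplicationCryptogram(sk, tx) // card side
	arc, resp := IssuerAuthorize(sk, tx, arqc)
	fmt.Printf("ARQC=%x ARC=%s issuer authenticated=%v\n", arqc, arc, CardVerifyARPC(sk, arqc, arc, resp))
}
```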
Card & Terminal Communication Steps for Transaction
Step: Script Processing – process additional commands from the issuer.
Card & Terminal Communication Steps for Transaction
Step: Completion – complete the transaction process.