Fundamentals of EMV. Guy Berg Senior Managing Consultant MasterCard Advisors

Transcription

1 Fundamentals of EMV Guy Berg Senior Managing Consultant MasterCard Advisors

2 EMV Fundamentals Transaction Processing Comparison Magnetic Stripe vs. EMV Transaction Security Points EMV Application Fundamentals Risk Management On-line authentication Off-line authentication Cardholder Verification Method Offline Authorization

3 EMV Component Impact View Card Card Issuance EMV Terminal Issuer Acquirer

4 Magnetic Stripe Transaction Track data Auth Code Track Data Auth Code Payment Brand Acquirer 3) Authorization/Capture message Track data is often in the clear The authentication data is static 2) Terminal performs little or no risk assessment 1) Magnetic stripe is easily cloned Issuer Auth 4) Authorization/Authentication Risk assessment performed at the host Host cannot recognized cloned cards

5 EMV Transaction Framework Field or DE 55 ARPC New EMV data Field or DE 55 ARPC Payment Brand Acquirer (3) Add New EMV EMV Field authentication 55 data data (2) Terminal performs risk assessment New EMV data (1) EMV Chip application performs risk assessment Issuer Auth (4) Issuer Authorization Changes Dynamic cryptogram validation May return an authentication cryptogram Post issuance updates

6 EMV Security Components Risk Management Decision Criteria Card Stock Security EMV Configuration Issuance Security Online Transaction PIN Security Offline Transaction PIN Security Data Preparation Key Management EMV Data

7 EMV Chip Data EMV Tag Chip Data EMV Tag Chip Data 9F 26 9F 42 9F 51 9F 44 9F 52 9F 05 5F 25 5F F 12 5A 5F F 36 9F 07 9F 08 9F 5D 9F 7F 8C 8D 5F 20 9F 0B Application Cryptogram Application Currency Code Application Currency Code VIS Application Currency Exponent Application Default Action Application Discretionary Data Application Effective Date Application Expiration Date Application File Locator Application Interchange Profile Application Label Application Preferred Name Application Primary Acct Number Primary Acct Number Seq Number Application Priority Indicator Application Transaction Counter Application Usage Control Application Version Number (ICC) Application offline Spending Amount Card Production Life Cycle History File Identifiers Card Risk Management Data Object List 1 Card Risk Management Data Object List 2 Cardholder Name Cardholder Name Extended 8E 8F 9F 53 9F 72 9F 54 9F 5C 9F 49 9F 55 9F 2D 9F 2E 9F 2F 9F 46 9F 47 9F 48 9F 0D 9F 0E 9F 0F 9F 10 9F 56 9F 11 5F 28 Cardholder Verification Method List Certification Authority Public Key Index Consecutive Transaction Limit International Consecutive Transaction Limit International Cryptogram Information Data Cumulative Total Transaction Amount Limit Dynamic Data Object List Geographic Indicator ICC PIN Encipherment Public Key Certificate ICC PIN Encipherment Public Key Exponent ICC PIN Encipherment Public Key Remainder ICC Public Key Certificate ICC Public Key Exponent ICC Public Key Remainder Issuer Action Code Default Issuer Action Code Denial Issuer Action Code Online Issuer Application Data Issuer Authentication Indicator Issuer Code Table Index Issuer Country Code

8 EMV Risk Mgmt Data on the Chip Issuer Interchange Profile - SDA supported - DDA supported - CDA supported - Cardholder verification supported - Perform terminal risk management - Issuer authentication required/or not Application Usage Control Valid for : - Domestic cash transactions - International cash transactions - Domestic goods - International goods - Domestic services - International services - ATMs - Domestic cashback - International cashback Issuer Action Codes - If issuer authentication failure, do not transmit next transaction online - If new card, do not decline if unable to go online -.

9 Cardholder Verification CVM Options CVM List No CVM Signature Online PIN at ATM On-line PIN at ATM On-line PIN at POS Offline PIN at POS Off-line PIN plain texted Signature Off-line PIN enciphered No CVM

10 EMV Online Transaction Security Risk Management Decision Criteria Card Stock Security EMV Configuration Issuance Security Online Transaction Security Offline Transaction Security Data Preparation Key Management EMV Data

11 EMV On-line Security On-line EMV Authentication On-the-Behalf EMV Authentication

12 On-line CAM (Card Authentication) EMV transaction data ARQC EMV transaction data PIN ARPC ARQC ARPC Payment Brand 3 DES Cryptogram Acquirer ARPC Online Request (ARQC) Shared Key Issuer Auth

13 On-the-be-Half EMV Authentication EMV Auth data Code converted to to Mag. EMV Stripe Response Auth ARQC EMV transaction data Mag Stripe Transaction Auth Code EMV Authentication Payment Brand Acquirer Online Request (ARQC) Auth Appears as Mag Stripe Transaction Issuer Auth

14 EMV Offline Transaction Security Risk Management Decision Criteria Card Stock Security EMV Configuration Issuance Security Online Transaction Security Offline Transaction Security Data Preparation Key Management EMV Data

15 EMV Off-line Transaction Security Offline CAM (Card Authentication) Offline CVM (Cardholder Verification) Offline Authorization SDA/DDA/CDA Card Authentication

16 Off-line Security Options Off-line Authentication Options SDA Static Data Issuer Public Key Certificate DDA Dynamic Data Issuer Public Key Certificate ICC Public Key Certificate CDA Combined Data Issuer Public Key Certificate ICC Public Key Certificate Application Cryptogram Issuer Level Certificate Card Level Certificate

17 Off-line Transaction Authentication SDA (Issuer level certificate) SDA (Static Data Authentication) Certificate Authority Verifies the user. PIN CA Private Key CA Public Key Load Public Key to the Terminal CA Private Key signs ISS Public key SDA Card Authentication Issuer PK Certificate Loaded with Issuer Signed Static Data Authenticates the card is legitimate Does not verify who is using it!

18 Offline Cardholder Verification Off-line Transaction PIN Security SDA Cards Clear Text PIN DDA or CDA Cards Clear Text PIN Encrypted (Enciphered) PIN

19 Offline Authorization Offline Risk Data on the Chip Consecutive Transaction Counter Last Online Application Transaction Counter Lower Consecutive Offline Limit Upper Consecutive Offline Limit Cumulative Total Transaction Amount Cumulative Total Transaction Limit Authorization Parameters PIN PIN Try Limit PIN Try Counter Certification Authority Public Key Index Signed Static Application Data Signed Dynamic Application Data Static Data Authentication Tag List Issuer Action Codes

20 EMV Security Components Risk Management Decision Criteria Card Stock Security Issuance Security Data Preparation & Key Mgmt Security Off-line Transaction Security On-line Transaction Security

21 EMV Chip Personalization Data Prep Key Mgmt Emboss/ Mag Stripe File CMS Emboss/ Mag Stripe File EMV Issuance EMV Data & Keys

22 Card Types > Contact EMV > Contactless EMV > Contactless Mag Stripe Emulation > Contact EMV > Contactless EMV > Contactless Mag Stripe Emulation

23 EMV Card Basics Chip OS and Applications Operating Level MULTOS Global Platform JavaCard Card Vendor 1 Proprietary Card Vendor 2 Proprietary Card Vendor 3 Proprietary Etc... Card Vendors have different chip operating systems Brands have different chip application implementations Brands have different EMV risk configuration options EMV Application Level MasterCard PayPass Contactless EMV Mchip Contact EMV Visa paywave Contactless EMV VSDC Contact EMV American Express Discover Data Level Personalization Data Risk management criteria Cardholder data Security keys and certificates

24 Acquirers, Merchants and Terminals Acquirer POS Terminal

25 Terminal Perspective EMV and AID Based Matching Logic Each Brand has different terminal certification requirements Visa EMV terminal processing functions MC EMV terminal processing functions AMEX EMV terminal processing functions Discover EMV terminal processing functions Others EMV terminal processing functions EMV Contact Kernel EMV terminal functions that EMV Co tests against the EMV standards and certifies Terminal Operating

26 Terminal Profile (EMVCo Type Approval) Unattended Terminal Profile Supports but does not require PIN Chip only cards Offline plain text PIN Offline enciphered PIN No CVM SDA DDA CDA Issuer authentication supported Unattended Terminal Profile Requires PIN Chip only cards Offline plain text PIN Offline enciphered PIN SDA DDA CDA

27 Acquirers Perspective Customer 1 Terminal Model 1 Terminal Model 2 Customer 2 Terminal Model 3 Customer 3 Customer 4 Integrated EMV Terminal Acquirer Customer 5 Customer. Petroleum Pay at the Pump Kiosk Terminals Customer 100

28 EMV Transaction Flow Technology Selection Application Selection Processing Options Card Authentication Processing Restrictions Card Holder Verification Terminal Risk Management Terminal Action Analysis Card Action Analysis Go 0n-line or Not Issuer-to-Card Script Processing

29 EMV Transaction Flow Application Selection What AID? Card Authentication Method SDA, DDA, CDA, No ODA Cardholder Verification Method CVM List Preferences Offline Authorization Support Y/N Issuer Action Codes Exception processing rules

30 Application Selection Identify mutually supported AIDs Priority AID 1 A A0000xyz 3 AID A A A A A A0000xyz Config Data

31 Application Selection Method Explicit Selection Displays the choices to consumer MasterCard Debit XYZ Debit Implicit Selection Terminal automatically selects the AID Selected AID P AID 1 A A0000xyz

32 Cardholder Verification CVM Options CVM List No CVM Signature Online PIN at ATM On-line PIN at ATM On-line PIN at POS Offline PIN at POS Off-line PIN plain texted Signature Off-line PIN enciphered No CVM

33 EMV Message Data Field or DE 55 Field or DE 55 Payment Brand Acquirer Issuer Auth Add EMV Field 55 data New EMV authentication data

34 EMV Authorization Message ISO 8583 Field or DE 55 Application Cryptogram Issuer Application Data Application Interchange Profile Terminal Verification Result Terminal Capabilities Cardholder Verification Method Results (CVM) Cryptogram Information Data Unpredictable Number Application Transaction Counter Amount, Authorized (Numeric) Transaction Currency Code Transaction Date Transaction Type Transaction Currency Code Terminal Country Code

35 EMV Transaction Framework Field or DE 55 ARPC New EMV data Field or DE 55 ARPC Payment Brand Acquirer Issuer Auth Issuer Authorization Changes EMV ARQC dynamic cryptogram validation Authentication cryptogram generation Post issuance card updates Offline PIN Management Online PIN management Key Management Authorization assessment rules New EMV data

36 EMV at a Glance Issuer Auth Messaging Online CAM and CVM Offline CAM and CVM Offline Authorization Chip Risk Management Acquirer

37 Guy Berg Mastercard Advisors Smart Card Alliance 191 Clarksville Rd. Princeton Junction, NJ (800)