EMV is a standard for smart payment cards and terminals. EMV stands for Europay, MasterCard and Visa, the three companies that founded the standard. The standard is maintained by EMVCo, a consortium whose members are the payment brands Visa, MasterCard, JCB, American Express, China UnionPay and Discover.
3. |Copyright 2016, Kona SL Ltd. | All Rights Reserved
Players and Roles for Payment System
User: buys the Merchant's products and services, paying with a card issued by the Issuer.
Merchant: offers products and services to the User; signs up with an Acquirer.
Acquirer: signs up and underwrites the Merchant; transmits the collected transaction data to the Issuer over the payment network.
Issuer: issues the payment card; approves or rejects each transaction.
Payment Network Provider: provides the network between Issuer and Acquirer; offers brand benefits.
[Figure: payment ecosystem. Payment cards and User; Merchant POS/ATM; Acquiring System and host; Interchange Network (NPSB); Issuing System and Authorization System.]
4. Payment Card Evolution
Embossing
• Verification of card and cardholder: penciling the embossed card
• Data processing: manual
• Validation / verification: none
• Note: high risk of data duplication
Magnetic Stripe
• Verification of card and cardholder: imprinted sales slip, transaction slip and signature verification
• Data processing: transaction and settlement data processed electronically for the first time
• Validation / verification: CVC/CVV verification; hologram checked by eye
• Note: the risk of data duplication grows as MS card usage and technology spread
IC Chip Card
• Verification of card and cardholder: transaction slip, PIN and signature verification
• Data processing: a chip carrying a payment application stores and processes the data
• Validation / verification: offline data authentication through digital signature verification
• Note: strong security from a high-grade cryptosystem; less convenient for simple transactions
RF Card
• Verification of card and cardholder: same principle as the IC chip card, with streamlined authentication
• Data processing: similar to the IC chip card, with a streamlined transaction flow
• Validation / verification: ARQC verification
• Note: compatible with the MS card infrastructure
Mobile Card
• Verification of card and cardholder: same as the RF card
• Data processing: follows the NFC transaction process using an NFC-equipped mobile phone
• Validation / verification: same as the RF card
• Note: over-the-air (OTA) post-issuance of the card
9. Magnetic Stripe Cards
• Stores data on the magnetic band, usually located on the back of the card.
• Contains Track 1 and Track 2 data.
• Track 1 data: format code (e.g. "B" for financial cards), PAN, cardholder name, PAN expiry date, service code, discretionary data.
• Track 2 data: PAN, PAN expiry date, service code, discretionary data.
• The stored data is static: it is written at personalization and is the same on every swipe for the life of the card.
• Read by swiping the card past a magnetic read head.
10. Magnetic Stripe Transaction Flow
Magnetic stripe card swiped in POS -> Acquirer -> Payment Network Provider -> Issuer: the same static authentication data is forwarded unchanged at every hop.
Issuer -> Payment Network Provider -> Acquirer -> POS: transaction response.
11. Security Issues for Magnetic Stripe Cards
• Card Cloning
Magnetic stripe data is stored in the clear and is trivially copied onto a blank card with a reader/writer.
• Static Data
The data is written to the stripe during personalization and never changes over the card's lifetime, so once it is compromised it can be replayed any number of times to perform fraudulent transactions.
• Little Risk Assessment
No risk assessment is performed at the terminal or on the card; the only risk assessment happens at the issuer host.
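The Track 2 layout and the service code are the concrete form of the "static data" problem above. The following Python is an added example, not material from the Kona SL deck: it parses a constructed Track 2 image, checks the PAN with Luhn, decodes the ISO/IEC 7813 service code, and flags the one thing an issuer host can still notice on a swipe, a chip-capable card being used through its stripe (technical fallback). The sample track, the dictionary names and the `fallback_flags` helper are this example's own.

```python
import re

# Constructed sample Track 2 image, as a POS reads it between the ';' start
# sentinel and the '?' end sentinel. The PAN is the well-known Visa test
# number; expiry, service code and discretionary data are invented.
SAMPLE_TRACK2 = ";4111111111111111=2612201123456789?"

# Service code digit meanings (ISO/IEC 7813). Digit 1 tells the terminal
# whether a chip is present, digit 2 how to authorize, digit 3 what is allowed.
SERVICE_DIGIT1 = {
    "1": "international interchange, magnetic stripe only",
    "2": "international interchange, use IC (chip) where feasible",
    "5": "national interchange only, magnetic stripe only",
    "6": "national interchange only, use IC (chip) where feasible",
    "7": "private, no interchange",
}
SERVICE_DIGIT2 = {
    "0": "normal authorization",
    "2": "contact issuer via online means",
    "4": "contact issuer via online means except under bilateral agreement",
}
SERVICE_DIGIT3 = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, use PIN where feasible",
    "7": "goods and services only, use PIN where feasible",
}

def luhn_ok(pan):
    """Luhn check digit test on a PAN string (catches typos, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(track):
    """Split a Track 2 image into its fields; raises ValueError if malformed."""
    m = re.fullmatch(r";?(\d{12,19})=(\d{4})(\d{3})(\d*)\??", track)
    if not m:
        raise ValueError("not a Track 2 image")
    pan, yymm, svc, disc = m.groups()
    return {
        "pan": pan,
        "expiry_yymm": yymm,                # YYMM as stored on the stripe
        "service_code": svc,
        "discretionary": disc,              # issuer data, e.g. PVV and CVV1/CVC1
        "luhn_ok": luhn_ok(pan),
        "chip_capable": svc[0] in ("2", "6"),
    }

def describe_service_code(svc):
    return (SERVICE_DIGIT1.get(svc[0], "unknown"),
            SERVICE_DIGIT2.get(svc[1], "unknown"),
            SERVICE_DIGIT3.get(svc[2], "unknown"))

def fallback_flags(track):
    """What an issuer host can notice when this stripe is used at a POS.

    The same string is replayed on every swipe, so the host cannot tell a
    cloned stripe from the original; all it can check is whether the card
    was supposed to be used as a chip card at all.
    """
    fields = parse_track2(track)
    flags = []
    if not fields["luhn_ok"]:
        flags.append("PAN fails Luhn")
    if fields["chip_capable"]:
        flags.append("chip-capable card used via magnetic stripe (fallback)")
    return flags
```

A swipe of a service code 2xx/6xx card is exactly the case the later EMV slides address: the issuer should treat it as fallback and apply its own rules (decline, or approve with the liability consequences) rather than as a normal stripe transaction.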
13. EMV
• A standard for smart payment cards and terminals.
• EMV stands for Europay, MasterCard and Visa, the three companies that founded the standard.
• The standard is maintained by EMVCo, a consortium whose members are the payment brands Visa, MasterCard, JCB, American Express, China UnionPay and Discover.
14. Purpose of EMV Standards
• To prevent card fraud
Minimize the risk of card data duplication and counterfeiting, which were easy with MS cards.
• To reduce cost
Cut cost by enabling offline transactions.
• Interoperability
Set up an interoperable payment infrastructure (chip, card, terminal and system) by defining the business role of each player in the credit and debit payment system.
15. EMV Offerings
• Cardholder and card authentication
• Cryptographic processing capability of the smart chip
• Authorization by the issuer under predefined rules
Authorization request with dynamic data: Acquirer -> Payment Network Provider -> Issuer. Each request carries data the card computed for that transaction only.
16. EMV Cryptographic Processing
• EMV chip cards have cryptographic processing capability.
• Cryptographic algorithms such as Triple DES, RSA and SHA are used throughout the phases of the smart card's lifecycle: Triple DES for application cryptograms and secure messaging, RSA for offline data authentication and offline PIN encipherment, and SHA-1 as the hash inside those signatures.
17. A Look Into Chip Cards
Contact Cards
• About 1 square cm contact area with gold-plated contact pads.
• ISO/IEC 7816 defines the physical characteristics of the card, the communication protocol, and the commands for interchange and for security operations.
Contactless Cards
• The card communicates with the reader through RF induction.
• ISO/IEC 14443 defines the radio frequency power, the communication protocol and the transmission protocol.
Dual Interface Cards
• Both the contact and the contactless interface are supported by one chip.
• ISO/IEC 7816 applies to the contact interface and ISO/IEC 14443 to the contactless interface.
18. EMV Authentication
Card Authentication
• Online authentication (the issuer verifies the card's cryptogram)
• Offline authentication (the terminal verifies the card's RSA signatures)
SDA – Static Data Authentication
DDA – Dynamic Data Authentication
CDA – Combined DDA / Application Cryptogram Generation
Cardholder Authentication
• Online PIN
• Offline PIN
19. Authorization by the Issuer
Online Authorization
• The card generates a transaction cryptogram (ARQC), which is sent to the issuer online.
• The issuer verifies the cryptogram and authorizes the transaction online.
Cryptogram request: POS -> Acquirer -> Payment Network -> Issuer. Authorization response: Issuer -> Payment Network -> Acquirer -> POS.
Offline Authorization
• Used when the terminal has no online connectivity, or when the transaction is within the offline limits.
• Card and terminal communicate and decide between themselves whether the transaction can be authorized.
20. Risk Assessment
Terminal Risk Assessment
• The terminal can decide to process the transaction online or offline.
• For offline transactions, the terminal checks the transaction amount against an offline ceiling (floor) limit.
Card Risk Assessment
• The card takes part in the decision to accept or decline a transaction.
• The card expresses its decision by the type of application cryptogram it generates:
AAC – Application Authentication Cryptogram, used to decline the transaction
TC – Transaction Certificate, used to approve the transaction offline
ARQC – Authorization Request Cryptogram, used to request online authorization from the issuer
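To make the terminal side of this concrete (this slide, and the Terminal Risk Management and Terminal Action Analysis steps of the transaction flow later in the deck), the following Python is an added example, not code from the deck: it builds the 5-byte Terminal Verification Results (TVR) from named flags, performs the floor-limit and random-selection checks of terminal risk management, and runs terminal action analysis against Terminal Action Codes and Issuer Action Codes to decide whether to ask the card for a TC, an ARQC or an AAC. The TAC/IAC values, the flag names and the `run_terminal` helper are constructed for the example; the TVR bit positions follow EMV Book 3.

```python
# Terminal Verification Results bit map, EMV Book 3 Annex C: (byte, bit),
# bytes numbered from 1, bit 8 = most significant. Only a subset is listed.
TVR_BITS = {
    "offline_data_auth_not_performed": (1, 8),
    "sda_failed": (1, 7),
    "icc_data_missing": (1, 6),
    "card_on_exception_file": (1, 5),
    "dda_failed": (1, 4),
    "cda_failed": (1, 3),
    "expired_application": (2, 7),
    "application_not_yet_effective": (2, 6),
    "service_not_allowed": (2, 5),
    "new_card": (2, 4),
    "cardholder_verification_failed": (3, 8),
    "pin_try_limit_exceeded": (3, 6),
    "exceeds_floor_limit": (4, 8),
    "lower_offline_limit_exceeded": (4, 7),
    "upper_offline_limit_exceeded": (4, 6),
    "randomly_selected_online": (4, 5),
    "merchant_forced_online": (4, 4),
}

def build_tvr(flags):
    tvr = bytearray(5)
    for name in flags:
        byte, bit = TVR_BITS[name]
        tvr[byte - 1] |= 1 << (bit - 1)
    return bytes(tvr)

# Constructed Terminal Action Codes (set by the acquirer) and Issuer Action
# Codes (read from the card). Each is a 5-byte mask over the TVR.
TAC = {"denial": bytes.fromhex("0010000000"),
       "online": bytes.fromhex("DC4004F800"),
       "default": bytes.fromhex("DC4000A800")}
IAC = {"denial": bytes.fromhex("0000000000"),
       "online": bytes.fromhex("F478FCF800"),
       "default": bytes.fromhex("F470FCA800")}

def terminal_risk_management(amount, floor_limit, flags, random_online=False):
    """Adds the TRM outcomes to the flags the earlier steps produced."""
    flags = set(flags)
    if amount > floor_limit:
        flags.add("exceeds_floor_limit")
    if random_online:                          # random selection for online processing
        flags.add("randomly_selected_online")
    return flags

def terminal_action_analysis(tvr, tac, iac, online_capable=True):
    """Returns the cryptogram type the terminal asks the card for."""
    def hits(mask):
        return any(t & m for t, m in zip(tvr, mask))
    if hits(tac["denial"]) or hits(iac["denial"]):
        return "AAC"
    if hits(tac["online"]) or hits(iac["online"]):
        if online_capable:
            return "ARQC"
        # offline-only terminal: the default codes decide approve vs decline
        return "AAC" if hits(tac["default"]) or hits(iac["default"]) else "TC"
    return "TC"

def run_terminal(amount, floor_limit, flags=(), online_capable=True, random_online=False):
    flags = terminal_risk_management(amount, floor_limit, flags, random_online)
    tvr = build_tvr(flags)
    return {"tvr": tvr.hex().upper(),
            "request": terminal_action_analysis(tvr, TAC, IAC, online_capable)}
```

The same TVR yields different requests depending on the terminal: a 75.00 purchase over a 50.00 floor limit becomes an ARQC on an online-capable terminal but, with these default codes, an outright AAC on an offline-only one. The card's own action analysis (next slides) may still downgrade a TC request to an ARQC or an AAC, never upgrade it.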
22. Card & Terminal Communication Steps for Transaction
Initiate Application -> Read Application Data -> Data Authentication -> Processing Restrictions -> Cardholder Verification -> Terminal Risk Management -> Terminal Action Analysis -> Card Action Analysis -> online/offline decision
Online path: Online Processing & Issuer Authentication -> Script Processing -> Completion
Offline path: Completion
This slide: Initiate Application, initiation of the transaction.
23. Card & Terminal Communication Steps: Read Application Data, reading the card data for the transaction.
24. Card & Terminal Communication Steps: Data Authentication, card authentication by the terminal.
25. EMV Data Authentication: SDA (Static Data Authentication)
• The Payment Brand (certificate authority) public key is kept at the terminal.
• The Issuer Public Key Certificate, signed by the payment brand, is verified at the terminal with the payment brand key.
• The Static Application Data, signed by the issuer at personalization, is verified with the issuer public key recovered from that certificate.
26. EMV Data Authentication: DDA (Dynamic Data Authentication)
• As in SDA, the payment brand key at the terminal verifies the Issuer Public Key Certificate.
• The issuer public key verifies the ICC Public Key Certificate, which covers the ICC public key together with the static application data.
• The ICC public key verifies a signature that the card computes over card and terminal dynamic data (including the terminal's unpredictable number) with the private key held on the chip.
27. EMV Data Authentication: CDA (Combined DDA / Application Cryptogram Generation)
• DDA is combined with the Generate Application Cryptogram step: the card's dynamic signature covers the application cryptogram itself, so the terminal verifies that the cryptogram came from the authenticated chip.
• Generate Application Cryptogram -> Authorization Request Cryptogram (ARQC) -> send ARQC to the issuer -> cryptogram validation at the issuer -> Authorization Response Cryptogram (ARPC) -> send ARPC to the card.
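The ARQC/ARPC exchange of slide 19 and of this slide, written out with both sides, as an added example that is not code from the deck. EMV computes these cryptograms with a Triple DES retail MAC over the CDOL data, using a session key derived from a card master key and the Application Transaction Counter; to stay dependency-free this example swaps in a truncated HMAC-SHA256 for the MAC and for key derivation, keeping the message structure: the card MACs the transaction data, the issuer re-derives the same key, verifies, checks the ATC against the last one seen, and answers with an ARPC over the ARQC and the response code, which the card checks in EXTERNAL AUTHENTICATE. The keys, the PAN, `SAMPLE_TX` and the class names are constructed.

```python
import hashlib
import hmac
import struct

def mac8(key, data):
    """8-byte MAC. EMV uses a Triple DES retail MAC (ISO/IEC 9797-1 alg. 3);
    HMAC-SHA256 truncated to 8 bytes stands in for it in this example."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def derive_card_key(issuer_master_key, pan):
    """Card master key diversified from the issuer master key by PAN (stand-in)."""
    return mac8(issuer_master_key, b"CMK-L" + pan) + mac8(issuer_master_key, b"CMK-R" + pan)

def derive_session_key(card_key, atc):
    """Session key bound to the Application Transaction Counter (stand-in)."""
    return hmac.new(card_key, b"SK" + struct.pack(">H", atc), hashlib.sha256).digest()

def cdol_bytes(tx, atc):
    """Transaction data concatenated in the order the card's CDOL1 lists it."""
    return (struct.pack(">Q", tx["amount"]) + struct.pack(">Q", tx["amount_other"])
            + struct.pack(">H", tx["country"]) + bytes.fromhex(tx["tvr"])
            + struct.pack(">H", tx["currency"]) + bytes.fromhex(tx["date_yymmdd"])
            + bytes([tx["type"]]) + bytes.fromhex(tx["unpredictable_number"])
            + bytes.fromhex(tx["aip"]) + struct.pack(">H", atc))

def _arpc_input(arqc, arc):
    return bytes(a ^ b for a, b in zip(arqc, arc.ljust(8, b"\0")))   # ARQC XOR (ARC || 00..)

class Card:
    def __init__(self, pan, card_key):
        self.pan, self.card_key, self.atc, self.last_arqc = pan, card_key, 0, b""

    def generate_ac(self, tx):
        """First GENERATE AC with ARQC requested: new ATC, new session key."""
        self.atc += 1
        sk = derive_session_key(self.card_key, self.atc)
        self.last_arqc = mac8(sk, cdol_bytes(tx, self.atc))
        return self.atc, self.last_arqc

    def external_authenticate(self, arc, arpc):
        """Issuer authentication: is the ARPC a MAC over our ARQC and this ARC?"""
        sk = derive_session_key(self.card_key, self.atc)
        return hmac.compare_digest(mac8(sk, _arpc_input(self.last_arqc, arc)), arpc)

class Issuer:
    def __init__(self, issuer_master_key):
        self.imk, self.last_atc = issuer_master_key, {}

    def authorize(self, pan, atc, arqc, tx):
        sk = derive_session_key(derive_card_key(self.imk, pan), atc)
        if not hmac.compare_digest(mac8(sk, cdol_bytes(tx, atc)), arqc):
            return {"arc": b"05", "reason": "ARQC invalid: wrong key or altered data"}
        if atc <= self.last_atc.get(pan, 0):
            return {"arc": b"05", "reason": "ATC not increasing: replay"}
        self.last_atc[pan] = atc
        arc = b"00"                                         # approved
        return {"arc": arc, "arpc": mac8(sk, _arpc_input(arqc, arc)), "reason": "approved"}

# Constructed transaction data: amounts in minor units, codes as the terminal sends them.
SAMPLE_TX = {"amount": 7500, "amount_other": 0, "country": 0x0050, "currency": 0x0050,
             "tvr": "0000008000", "date_yymmdd": "250301", "type": 0x00,
             "unpredictable_number": "1A2B3C4D", "aip": "5C00"}
IMK = b"\x01" * 32                     # constructed issuer master key
PAN = b"4111111111111111"

def demo():
    issuer, card = Issuer(IMK), Card(PAN, derive_card_key(IMK, PAN))
    atc, arqc = card.generate_ac(SAMPLE_TX)
    resp = issuer.authorize(PAN, atc, arqc, SAMPLE_TX)
    out = {"genuine": (resp["arc"], card.external_authenticate(resp["arc"], resp["arpc"]))}
    # amount lowered in transit after the card computed the cryptogram
    out["tampered"] = issuer.authorize(PAN, atc, arqc, dict(SAMPLE_TX, amount=75))["reason"]
    # the same ARQC submitted a second time
    out["replay"] = issuer.authorize(PAN, atc, arqc, SAMPLE_TX)["reason"]
    # a clone holding the readable card data but not the card key
    clone = Card(PAN, b"\x00" * 16)
    out["clone"] = issuer.authorize(PAN, *clone.generate_ac(SAMPLE_TX), SAMPLE_TX)["reason"]
    # an ARPC issued for a different response code is rejected by the card
    out["wrong_arc"] = card.external_authenticate(b"05", resp["arpc"])
    return out
```

Contrast this with the magnetic stripe flow on slide 10: there, the issuer receives the same bytes on every transaction and has nothing to verify. Here the ARQC binds the amount, the unpredictable number and the ATC, so the issuer catches altered amounts, replays and key-less clones, and the ARPC lets the card confirm that the approval really came from its issuer before it generates the final TC.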
28. Card & Terminal Communication Steps: Processing Restrictions, confirming compatibility between terminal and card.
29. Card & Terminal Communication Steps: Cardholder Verification, confirming whether the cardholder is valid.
30. Cardholder Verification Method
Verification Methods
• Online PIN
The PIN is encrypted at the PIN pad and verified by the issuer online.
• Offline PIN
The reference PIN is held inside the chip's protected storage. During the transaction the terminal sends the entered PIN to the card, in the clear or enciphered with the card's PIN encipherment public key, and the card compares it, decrementing its PIN try counter on each failure.
• Signature
The cardholder's signature on the receipt is matched against the signature on the back of the card.
• No verification method
• Only the card is authenticated.
• Usually used for small-amount transactions.
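How a terminal picks one of these methods is governed by the card's CVM List. The Python below is an added example, not code from the deck: it parses a constructed CVM List (amounts X and Y followed by two-byte CV Rules), evaluates each rule's condition against the transaction and the terminal's capabilities, and honours the "apply succeeding rule" bit, returning the CVM to perform or None when cardholder verification fails. CVM and condition codes follow EMV Book 3 Annex C3; the list contents, the `PURCHASE` dictionary and the function names are this example's own.

```python
# CVM codes (EMV Book 3, Annex C3). Bit 7 (0x40) of the code byte means
# "apply succeeding CV Rule if this one is unsuccessful".
CVM_NAMES = {
    0x00: "Fail CVM processing",
    0x01: "Plaintext PIN verification performed by ICC",
    0x02: "Enciphered PIN verified online",
    0x03: "Plaintext PIN by ICC and signature",
    0x04: "Enciphered PIN verification performed by ICC",
    0x05: "Enciphered PIN by ICC and signature",
    0x1E: "Signature (paper)",
    0x1F: "No CVM required",
}

# Constructed CVM List as read from the card's records:
#   X = 0, Y = 5000 (minor units of the application currency), then
#   CV Rules as (code, condition) byte pairs.
SAMPLE_CVM_LIST = bytes.fromhex(
    "00000000" "00001388"   # X, Y
    "5F08"                  # no CVM required if under Y, else try next
    "4203"                  # online enciphered PIN if terminal supports it, else next
    "4103"                  # plaintext PIN by ICC if terminal supports it, else next
    "5E03"                  # signature if terminal supports it, else next
    "0000")                 # fail CVM, always

PURCHASE = {"unattended_cash": False, "manual_cash": False,
            "cashback": False, "in_app_currency": True}

def parse_cvm_list(data):
    if len(data) < 8 or (len(data) - 8) % 2:
        raise ValueError("malformed CVM List")
    x = int.from_bytes(data[:4], "big")
    y = int.from_bytes(data[4:8], "big")
    rules = [(data[i] & 0x3F, bool(data[i] & 0x40), data[i + 1])
             for i in range(8, len(data), 2)]
    return x, y, rules

def condition_met(cond, x, y, amount, tx, supported, code):
    if cond == 0x00: return True
    if cond == 0x01: return tx["unattended_cash"]
    if cond == 0x02: return not (tx["unattended_cash"] or tx["manual_cash"] or tx["cashback"])
    if cond == 0x03: return code in supported
    if cond == 0x04: return tx["manual_cash"]
    if cond == 0x05: return tx["cashback"]
    if cond == 0x06: return tx["in_app_currency"] and amount < x
    if cond == 0x07: return tx["in_app_currency"] and amount > x
    if cond == 0x08: return tx["in_app_currency"] and amount < y
    if cond == 0x09: return tx["in_app_currency"] and amount > y
    return False                # RFU condition: treat as not met and move on

def select_cvm(cvm_list, amount, tx, supported):
    """Returns the CVM code the terminal will perform, or None when cardholder
    verification fails (TVR 'cardholder verification was not successful')."""
    x, y, rules = parse_cvm_list(cvm_list)
    for code, try_next, cond in rules:
        if not condition_met(cond, x, y, amount, tx, supported, code):
            continue
        if code != 0x00 and code in supported:
            return code
        if not try_next:        # unsupported method, or "fail" rule, with fall-through clear
            return None
    return None                 # list exhausted without a usable rule
```

Two details worth noticing: an amount exactly equal to Y matches neither "under Y" nor "over Y", so the terminal falls through to the next rule; and a terminal with no PIN pad silently ends up at signature, which is the configuration the issuer's action codes (not the CVM List) must catch if it is not acceptable.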
31. Card & Terminal Communication Steps: Terminal Risk Management, the checks the terminal performs to prevent fraud.
32. Card & Terminal Communication Steps: Terminal Action Analysis, the terminal's primary decision whether to approve or decline offline, or to go online.
33. Card & Terminal Communication Steps: Card Action Analysis, the final decision on going online or offline, made by the card's own risk management based on the terminal action analysis.
34. Card & Terminal Communication Steps: Online Processing & Issuer Authentication, the online transaction with the application cryptogram.