Sie sind auf Seite 1von 36

Europay, MasterCard & Visa - EMV Frequently Asked Questions

2012

INGENICO EMV FAQs Documented by Eddie Chu

Page 1

Table of Contents
1.
1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19

GENERAL ................................................................................................................. 6
What is EMV? ....................................................................................................................................................6 What are the key issues that acquirers or merchants need to take into account when migrating to EMV? 6 What is the difference between a smart card and a chip card? ......................................................................6 What is ICC?.......................................................................................................................................................6 What does an EMV card look like? ...................................................................................................................7 Why is EMV called Chip and PIN? .....................................................................................................................7 What does CVM mean? ....................................................................................................................................7 Can I read and dump all the data from a chip card? ........................................................................................7 What is an AID? .................................................................................................................................................8 What is the difference between a terminal and a reader?..............................................................................8 What is a smart reader?....................................................................................................................................8 How to Learn EMV? ..........................................................................................................................................9 What do I need to know about EMV as a Project Manager?...........................................................................9 What do I need to know about EMV as an application developer? ................................................................9 What do I need to know about EMV as a QA analyst? ....................................................................................9 What do I need to know about EMV as a Technical Support Engineer? ....................................................... 10 What is a PCD? ................................................................................................................................................ 10 What is a PICC?................................................................................................................................................ 10 Where can I get a copy of the EMV Specifications? ....................................................................................... 10

2.
2.1 2.2 2.3

INGENICO PRODUCTS AND SUPPORT ....................................................................... 11


What can Ingenico offer as a terminal vendor? ............................................................................................. 11 Can you provide more details regarding EMV Solutions for standalone terminal applications in INGENICO? ...................................................................................................................................................... 11 Can you provide more details regarding EMV Solutions for integrated environment in INGENICO? .......... 11

INGENICO EMV FAQs

Page 2

2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14

What is in scope of Ingenico's support during project development? .......................................................... 12 What is out of scope of Ingenico's support during project development? ................................................... 12 What is Easy Path to EMV? ............................................................................................................................. 12 What is Add-on CLESS and Easy Path to CLESS? ............................................................................................. 13 What is VEGA?................................................................................................................................................. 14 Can Ingenico customer simply plug in an Ingenico device and expect chip payment transactions to work immediately? .................................................................................................................................................. 16 What is required in payment systems in order to support chip payments using either Easy Path to EMV/CLESS or VEGA? ..................................................................................................................................... 16 What is an EP Editor? ...................................................................................................................................... 16 What is an EMV Data Viewer? ........................................................................................................................ 17 Does Ingenico device support Canadian Application Selection Flag (ASF) process? .................................... 18 Does Ingenico device support Domestic Visa Debit Opt-Out? ...................................................................... 18

3.
3.1 3.2 3.3 3.4 3.5 3.6 3.7

CERTIFICATIONS AND KERNEL CONFIGURATIONS ..................................................... 19


What kinds of certification are required for implementing contact EMV? ................................................... 19 What kinds of certification are required for implementing contactless payments? .................................... 19 What is a certified or approved terminal configuration? .............................................................................. 20 What does Ingenico configuration 27WW mean? ......................................................................................... 20 What is a major or minor EMV terminal configuration item? ....................................................................... 21 A customer asked me if our device is certified for terminal capabilities E0 B8 C8. What does it mean? ... 22 What is IRWIN? ............................................................................................................................................... 22

4.
4.1 4.2 4.3 4.4 4.5

EMV APPLICATION DESIGN ..................................................................................... 23


What is required in an EMV application? ....................................................................................................... 23 What are the basic topics for an application FRS regarding EMV transaction processing? ......................... 23 Can you provide a list of EMV related terminal parameters required? ........................................................ 23 Does my application need to support Canadian Application Selection Flag Processing? ............................ 24 Does my application need to support Domestic Visa Debit Opt-Out? .......................................................... 24

INGENICO EMV FAQs

Page 3

4.6 4.7 4.8 4.9

What does choice of technology mean? ........................................................................................................ 24 What is fallback to MSR? ................................................................................................................................ 25 What does non-EMV transaction using EMV functionality mean? ............................................................ 25 Under which situation(s), is a host approval required to be reversed? ........................................................ 25

5.
5.1 5.2 5.3 5.4 5.5 5.6

CONTACT EMV TECHNICAL ...................................................................................... 26


What is a typical contact EMV transaction flow? .......................................................................................... 26 What is AIP? .................................................................................................................................................... 27 What is AFL? .................................................................................................................................................... 27 What is TVR? ................................................................................................................................................... 27 What is TACs and IACs?................................................................................................................................... 27 What is AC (Application Cryptogram TC, ARQC, ARPC and AAC)? .............................................................. 29

6.
6.1 6.2 6.3 6.4

CONTACTLESS TECHNICAL ....................................................................................... 30


What is tearing? .............................................................................................................................................. 30 What is collision? ............................................................................................................................................ 30 What is contactless magstripe and contactless EMV? ................................................................................... 30 What does Entry Point Component that is included in the Add-on Contactless package do? ..................... 31

7.
7.1 7.2 7.3 7.4 7.5 7.6 7.7

EMV TESTING AND TEST TOOLS .............................................................................. 32


What kind of test tools is required for EMV testing? .................................................................................... 32 What are pre-loaded test cards? .................................................................................................................... 32 What is a SmartSpy? ....................................................................................................................................... 33 What is EMV Level 1 trace? ............................................................................................................................ 33 What is EMV Level 2 trace? ............................................................................................................................ 33 How to get card trace? .................................................................................................................................... 33 EMV data elements are hard to interpret, e.g. how can I tell what AIP = 7100 means? ............................. 33

INGENICO EMV FAQs

Page 4

8.
8.1 8.2 8.3

NEWS AND UPDATES .............................................................................................. 35


What is NFC? ................................................................................................................................................... 35 What is Google Wallet? .................................................................................................................................. 35 Why is Visas Announcement made on Aug 9, 2011 so important to the US?.............................................. 36

INGENICO EMV FAQs

Page 5

1.

General

1.1

What is EMV?

The term EMV comes from Europay, MasterCard and Visa. These 3 credit card companies got together in 1994 to start to develop the EMV Specifications to apply chip card technology in payment transactions. EMVCo was later formed to manage the maintenance of the Specifications and administration of EMV type approval process. Europay became part of MasterCard in 2002. EMVCo is now jointly owned by American Express, JCB, MasterCard and Visa. The current version of EMV Specifications is 4.2. 1.2 What are the key issues that acquirers or merchants need to take into account when migrating to EMV?

Getting the terminal ready to process chip cards is only a small part of the process. Chip acceptance will require acquirers and merchants to be able to carry and process additional data that is included in EMV transactions, including the cryptographic message that makes each transaction unique. MasterCard has published "An Introduction to Chip" document which is an excellent EMV introductory reading material. The chapter about Migrating to Chip provides useful information that you can make use of when answering customer enquiries. 1.3 What is the difference between a smart card and a chip card?

In EMV context, smart card, chip card, ICC (integrated circuit card) and EMV card are referred to the same thing. A chip card used in payment transactions is usually a card with a magstripe at the back plus a chip in front which is a self-contained microprocessor. A chip card can be, 1.4 Contact only Contactless only Dual-interface, i.e. contact and contactless

What is ICC?

See What is the difference between a smart card and a chip card.

INGENICO EMV FAQs

Page 6

1.5

What does an EMV card look like?

Cards used in EMV transactions are basically MSR cards with a chip, which is a self-contained computer.

1.6

Why is EMV called Chip and PIN?

When EMV was rolled out in UK, it was given a marketing name of Chip and PIN. This is because of the chip on the card and that offline PIN verification is usually required during the transaction, even for credit card transactions. However, whether PIN is required for cardholder verification is up to the issuer to decide. In many Asian Pacific countries, EMV cards were issued with signature as the preferred CVM for POS transactions. 1.7 What does CVM mean?

CVM stands for cardholder verification method. See How does EMV prevent frauds? 1.8 Can I read and dump all the data from a chip card?

No, you cannot. Unlike MSR card where all data on the magnetic stripe can be read after swiping the card at a reader, a chip card used in EMV cannot be read unless it allows you to. This is true for both contact and contactless chip card. Here are some facts, Before data can be read, an application in the chip card has to be selected first. Card applications are identified by an AID (Application ID). After an AID is selected, the chip card lets the terminal know where to read the card data. Reading outside what is allowed will result in error. That is how the chip card protects its sensitive data such as offline PIN value and private keys. To complete a chip transaction, there are a lot more to do than just reading the card data. Other processing steps are application selection, data authentication, cardholder verification, etc. See What is a typical contact EMV transaction flow for details.

INGENICO EMV FAQs

Page 7

1.9

What is an AID?

AID stands for Application Identifier. Every card application in EMV is identified by an AID. The structure of AID is defined in ISO 7816-4. It consists of 2parts, RID (registered application provider identifier) which is uniquely assigned by ISO 7816-4 to an application provider, e.g. RID for Visa is A0 00 00 00 03 Optional field called PIX (proprietary application identifier extension) assigned by application provider RID A0 00 00 00 03 AIDs Visa Credit/Debit A0 00 00 00 03 10 10 Visa Electron A0 00 00 00 03 20 10 Visa Plus - A0 00 00 00 03 80 10 MasterCard A0 00 00 00 04 MasterCard Credit/Debit A0 00 00 00 04 10 10 Maestro A0 00 00 00 04 30 60 Cirrus A0 00 00 00 04 60 00 American Express Interac Discover 1.10 A0 00 00 00 25 A0 00 00 02 77 A0 00 00 01 52 A0 00 00 00 25 01 A0 00 00 02 77 10 10 A0 00 00 01 52 30 10

Examples of RID and AID: Card Scheme Visa

What is the difference between a terminal and a reader?

A terminal is the device that runs the payment application. The chip reader used in the payment system can be physically separated from the terminal. For contact EMV, terminal and chip reader combined in one physical unit is the more popular configuration. For contactless, using a separate reader is equally popular. See also What is a smart reader? 1.11 What is a smart reader?

A smart reader is usually referred to a contactless reader that is capable to read a contactless chip card. The smart reader can be connected to a terminal that runs payment application. Typically, the smart reader contains the required components such as the contactless kernel which is able to manage the whole card session and decide jointly with the card the outcome of the transaction without intermediate involvement of the terminal. VivoTech readers are examples of smart readers. The result of the contactless transaction is passed from the smart reader to the terminal that drives the reader to complete the transaction. See also What is the difference between a terminal and a reader. Strictly speaking, it is not correct to use the verb read because there are a lot more to do than just reading the card. See Can I read and dump all the data from a chip card.

INGENICO EMV FAQs

Page 8

The concept of smart reader is only possible for contactless transactions due to its relatively simple transaction flow comparing to EMV transaction. Card schemes allow portability of smart reader kernel approval. See also What is IRWIN? 1.12 How to Learn EMV?

Ingenico offers EMV training. Currently I offer 3 types of training, namely General EMV Concepts, VEGA Training and Easy Path to EMV/CLESS Training. General EMV Concepts is device independent. It is suitable for account managers, project managers, QA testers and developers. VEGA Training covers both Telium and U32 VEGA. It is suitable for third party integrator or standalone application developer who will develop application to interface with VEGA. Easy Path to EMV/CLESS Training covers how to use Telium Easy Path to EMV and Easy Path to CLESS packages. It is suitable for Telium standalone application developer.

1.13

What do I need to know about EMV as a Project Manager?

I suggest that you should read all FAQs but your focus should be on those under 1.14 General Certifications and Kernel Configurations EMV Application Design Contact EMV and Contactless Technical

What do I need to know about EMV as an application developer?

I suggest that you should read all FAQs but your focus should be on those under 1.15 General EMV Application Design Contact EMV and Contactless Technical Test Tools

What do I need to know about EMV as a QA analyst?

I suggest that you should read all FAQs but your focus should be on those under General EMV Application Design Contact EMV and Contactless Technical Test Tools

INGENICO EMV FAQs

Page 9

1.16

What do I need to know about EMV as a Technical Support Engineer?

I suggest that you should read all FAQs but your focus should be on those under 1.17 General Ingenico Products and Support Contact EMV and Contactless Technical

What is a PCD?

PCD which stands for Promixity Coupling Device is the contactless reader used in contactless payments. It generates RF field through which the contactless card (PICC) gets the power and communicates with the reader. Anatomy of a contactless card:

1.18

What is a PICC?

PICC stands for Proximity ICC which is the contactless card used in contactless payments. See also What is a PCD? 1.19 Where can I get a copy of the EMV Specifications?

4.2 is the current version of EMV Specifications which consist of 4 books. They are available for download, free of charge, from EMVCos web site, http://www.emvco.com/ . INGENICO EMV FAQs Page 10

2.

Ingenico Products and Support

2.1

What can Ingenico offer as a terminal vendor?

Ingenico, as a terminal vendor, can provide all kinds of assistance that our customers need at the terminal level. That includes EMV solutions for standalone terminal applications EMV solutions for integrated environment EMV level 1 and level 2 certification MasterCard TQM certification Contactless kernels certification, for MasterCard PayPass, Visa payWave, Interac Flash, Amex ExpressPay and Discover Zip.

Note that the chip transaction process beyond the terminal level, e.g. how chip data are passed between acquirers and issuers, is out of scope of a terminal vendor's responsibility. When we're asked questions for process that is out of scope of a terminal vendor, we normally advise our customer to ask for help from card scheme, e.g. Visa, MasterCard, etc. 2.2 Can you provide more details regarding EMV Solutions for standalone terminal applications in INGENICO?

Standalone terminal applications are application that runs in Ingenico's devices. They have the capability to start and complete payment transactions without interacting to cash registers. They can be developed either in-house or by third party developers. For Telium devices, Easy Path to EMV and Easy Path to CLESS can be used. Components provided in these packages drive the chip transaction flow and call back to the payment application for customization. A Telium EMV Library has been created to allow payment application to use the Easy Path packages in an even more user friendly manner. In addition to that, the EMV Library has also implemented the Interac specific chip requirements which are not available in the Easy Path to EMV package. Telium EMV Library supports both contact EMV and contactless payment transactions. For U32 devices, VEGA (Versatile EMV Generic Application) is available to drive the transaction flow and call back to payment application for customization. Interac specific requirements are implemented in VEGA. VEGA supports both contact EMV and contactless payment transactions. 2.3 Can you provide more details regarding EMV Solutions for integrated environment in INGENICO?

In integrated environment, the main payment application functions are processed in an external machine such as cash register or PC. In such environment, Ingenico device acts as a card accepting device and/or a PINPAD. Usually external payment applications are developed by third party integrator. For both Telium and U32 devices, currently VEGA is the application that is responsible for controlling the chip transaction flow. Since VEGA does not communicate with external applications, CPX and UIA act as a

INGENICO EMV FAQs

Page 11

communication helper to facilitate the communication between an external payment application and VEGA. For Telium devices, CPX + VEGA can be used. For U32 devices, either CPX + VEGA or UIA + VEGA can be used. We have published CPX, UIA and VEGA API specifications for third party developers' reference. 2.4 What is in scope of Ingenico's support during project development?

The followings are in scope, Use of Ingenico EMV solutions and tools in third party development Facilitate troubleshooting in third party application (note that debug third party application is out of scope) Facilitate End to End Certification troubleshooting (note that the certification process is the responsibility of acquirers)

2.5

What is out of scope of Ingenico's support during project development?

The followings are out of scope, 2.6 Debug third party applications End to End Certification process

What is Easy Path to EMV?

Easy Path to EMV is package delivered by Ingenico group for use in Telium devices. It consists of 4 components: EMV DC which is the EMV kernel certified for EMV Level 2 requirements EMV Engine which is the component that controls the EMV transaction flow EMV Custom application which is a sample application that can be used as a template to create an EMV application EMV Comm which is a sample application that handles host communication
rd

Application developers can make use of this package to implement EMV payment application. Training course is available for 3 party developers which is a two day course. Day 1 is for EMV concepts and day 2 is for Easy Path to EMV and CLESS. The prerequisite of SDK training is required. See also What is Add-on CLESS and Easy Path to CLESS?

EMV Terminal Model Easy Path to EMV

INGENICO EMV FAQs

Page 12

2.7

What is Add-on CLESS and Easy Path to CLESS?

Both Add-on CLESS and Easy Path to CLESS are packages delivered by Ingenico group for use in Telium devices to support contactless chip card transactions. The Add-on CLESS is a package without card schemes contactless kernel. It is for proprietary contactless transactions such as transit systems. It consists of the following components Contactless Driver which handles low level interface with the PICC Contactless DLL which controls the contactless process flow Entry Point which implements the EMVCos Entry Point requirements A sample application showing how to use the library functions provided in the package payWave kernel PayPass kernel ExpressPay kernel Discover kernel Interac Flash kernel

The Easy Path to CLESS consists of all approved card schemes contactless kernels. They are

INGENICO EMV FAQs

Page 13

A sample application is also included in the package. Note that in order to use Easy Path to CLESS, the contactless driver, contactless DLL and Entry Point components from the Add-on CLESS package must be loaded in the device. Training is available for teaching 3 party developers to use Easy Path to CLESS for implementing standard contactless payment transactions. The training is combined with the one for Easy Path to EMV. See also What is Easy Path to EMV? Contactless Terminal Model
rd

2.8

What is VEGA?

VEGA stands for Versatile EMV Generic Application. It is a regional application for INGENICO which was first created for U32 devices. VEGA does the followings Save EMV terminal configuration defined by payment application (PA) Start an EMV transaction process at PAs request Control the EMV transaction flow and process the transaction according to the EMV terminal configuration defined by the PA

VEGA was ported over to run in Telium devices using Telicapt and U32 EMV Emulation. VEGA can be used in either standalone (resident model) or integrated environment (remote model).

INGENICO EMV FAQs

Page 14

Resident Model

Remote Model

Since VEGA only communicates with resident application, a Communication Helper is required for integrated environment. Currently the following Communication Helpers exist, U32: CPX and UIA Telium: CPX only
rd

VEGA supports both contact and contactless chip transactions. Training can be provided to 3 party developers upon request. The course will teach how PA interfaces with VEGA. INGENICO EMV FAQs Page 15

2.9

Can Ingenico customer simply plug in an Ingenico device and expect chip payment transactions to work immediately?

No, plug and play is not possible for EMV. Despite the fact that we have hardware and software ready for customers, customers will need to process the followings, through either a standalone or integrated payment application, Provide EMV terminal configurations, e.g. AID list supported, CAPKs, floor limit, etc Process callbacks for process customization Handle new EMV data such as Application Cryptogram in host communication Process non-EMV requirements which are required for EMV transactions, e.g. reversal if host approval is rejected by the card

The above is true for both Easy Path to EMV and VEGA. 2.10 What is required in payment systems in order to support chip payments using either Easy Path to EMV/CLESS or VEGA?

Payment application will need to perform the followings, Manage EMV terminal configurations such as languages supported, AID list supported, CAPKs per RID, floor limit per AID, Terminal Action Codes per AID, default TDOL and DDOL per AID Handle callbacks for transaction customization. This will mainly UI related, e.g. prompt for AID selection, display messages, receipt printing etc Handle host communication Handle non-EMV processing, such as choice of technology, fallback to MSR, reversal if host approval is rejected by the card

2.11

What is an EP Editor?

EP (which stands for EMV Parameter) Editor is a Windows application created to examine VEGA configuration data. It helps a user to visualize the VEGA configuration. It also allows user to modify and save a new configuration. The resulting configuration file can be loaded to the device where VEGA is run. It is very useful development tool. This tool is included in the VEGA training package. It can be distributed to 3 party developers after they have signed the NDA form.
rd

INGENICO EMV FAQs

Page 16

EP Editor

2.12

What is an EMV Data Viewer?

EMV Data Viewer is created by Ingenico Canada. It can be used to interpret EMV data elements. This tool is particularly useful for QA analysts to examine EMV data elements when analysing a card trace. It is an EXE file and installation is not required. Feel free to provide it to customers for use. EMV Data Viewer

INGENICO EMV FAQs

Page 17

2.13

Does Ingenico device support Canadian Application Selection Flag (ASF) process?

Yes. Canadian Application Selection Flag process requirement comes from the Interac IDP Specification which is a national EMV specification for Canada. Such requirement allows card issuer to issue multiple applications card and define which application is a primary AID when the card is used at ATM and which one is the primary AID when the card is used at POS. In order to do that VEGA analyzes the ICC commands during application selection to access the Interac proprietary tags to build a primary list and a secondary list. For example, a card is personalized to have a Visa Credit AID (as primary AID for POS) and an Interac AID (primary AID for ATM). When the card is used at ATM, only Interac AID will be included in the candidate list. When the card is used at POS, only Visa credit AID will be included in the candidate list. Note that when such card is used outside Canada, both AIDs will be included in the candidate list. Since it is a regional requirement, the process is not implemented in the groups EMV kernel. Both VEGA and Telium EMV Library have implemented this process. In either implementation, the feature is configurable, i.e. if the payment application is used outside Canada, the process can be turned off 2.14 Does Ingenico device support Domestic Visa Debit Opt-Out?

Yes. Visa Canada requires POS application to provide an option to exclude Canadian issued Visa Debit AID from being selected for the transaction but at the same being able to accept Visa credit (note that the issue is Visa debit and Visa credit have the same AID). Both VEGA and Telium EMV Library have implemented this option. When such option is activated (i.e. exclude Canadian Visa Debit), VEGA or Telium EMV Library will, after Interac ASF process, exclude the Canadian Visa Debit from the candidate list. The criteria for determining if the AID is a Canadian issued Visa Debit as specified by Visa Canada are, The AID starts with A0 00 00 00 03 10 10 The value of tag 5F56 (Issuer Country Code) must be "CAN" and comes from either BF0C or 73 template (as per EMVCo book 3) The value of tag 50 (Application Label) must be "Visa DEBIT" The comparison of tag 5F56 and 50 are case sensitive

INGENICO EMV FAQs

Page 18

3.

Certifications and Kernel Configurations

3.1

What kinds of certification are required for implementing contact EMV?

EMVCo defines and maintains EMV specifications. These provide global requirements to ensure interoperability. EMV Level 1 and Level 2 certifications are managed by EMVCo. The objective of these certifications is to prove that the device conforms to the EMV specifications. EMVCo does not own or operate any card scheme. Each card scheme defines its own implementation details in addition to the EMVCo's global requirements, e.g. Visa - VIS MasterCard - M/Chip Amex - AEIPS, etc Each card scheme manages its own End to End Certification for payment application that supports the card scheme's contact EMV requirements. All of the card schemes require EMV Level 1 and Level 2 certification as a pre-requisite for requesting the End to End Certification. End to End Certification is the responsibility of acquirers. All Ingenico devices are delivered with EMV Level 1 and Level 2 certified. 3.2 What kinds of certification are required for implementing contactless payments?

Unlike contact EMV requirement which was started off in a cooperation manner from Europay, MasterCard and Visa, contactless payment requirements were started off as competition. As a result, each card scheme defines its own contactless requirements which are totally different from each other. Thus, while there is only one contact EMV kernel in the device, it requires one contactless kernel for each card scheme's contactless requirement. The contactless kernel certification is managed by individual card scheme. Contactless kernel certification is the responsibility of the Ingenico group. Currently Telium devices are certified for Visa payWave, MasterCard PayPass, Amex ExpressPay, Interac Flash and Discover Zip U32 devices are certified for Visa payWave, MasterCard PayPass, Amex ExpressPay, Interac Flash and Discover Zip

Payment application supports a card scheme's contactless payment transactions will need to certify for the card scheme's End to End Certification. Acquirers are responsible for the End to End Certification.

INGENICO EMV FAQs

Page 19

3.3

What is a certified or approved terminal configuration? Different EMV terminal configurations used may result in different ways an EMV transaction be processed. For example, an offline only terminal will never request for an online host authorization while an online only terminal will never approve a transaction without online processing. Because this, EMV Level 2 type approval request for an EMV kernel is submitted with an ICS (Implementation Conformance Statement) with a list configurations to be used. The listed configurations are tested during the certification process. A Letter of Approval will be issued with all the configurations tested after the certification is successful. These configurations are known as certified or approved terminal configurations of the certified EMV kernel. When the EMV kernel is used in a payment system, the terminal configuration used has to be one the certified configurations. Otherwise, it is running in non-compliant mode. Vendor configuration naming is shown in the Letter of Approval. See What does Ingenico configuration 27WW mean? for details about Ingenico configuration naming convention.

3.4

What does Ingenico configuration 27WW mean? Ingenico configuration is internal to indicate an EMV terminal configuration. It is listed as a vendor configuration listed on EMV Level 2 Letter of Approval.

Ingenico configuration is expressed in the format of XXZZ, where X = hex number which is the terminal type less significant digit Y = hex number corresponds to bits 7 to 4 of byte 2 of the terminal capabilities (9F) ZZ = WW means General usage (World Wide ) or a character for specific country FR= France, DE = Germany, ...(ref ISO3166) for configuration that is certified as a result of special request from the country. Note that all certifications can be used worldwide, even when ZZ is not WW. For example, 27WW means 2 = attended offline with online capability terminal

INGENICO EMV FAQs

Page 20

7 = signature, offline PIN and No CVM Required

WW = general usage See also What is a certified or approved terminal configuration? 3.5 What is a major or minor EMV terminal configuration item? EMVCo issued type approval bulletins TA11 and TA31 to classify EMV terminal configuration items into Major, Minor, Hide-able and Variable categories. Major items must be followed exactly as the certified configurations shown on Letter of Approval. Other types of items are allowed to be different. Group EMV Expert, David Salmon, has the detailed explanation documented in the presentation EMV_Kernel_Options.ppt which is available in Ingenico City.

INGENICO EMV FAQs

Page 21

3.6

A customer asked me if our device is certified for terminal capabilities E0 B8 C8. What does it mean?

EMV specification defines the terminal capabilities (9F33) to indicate the card data input capability, CVM capability and security capability of a terminal with 3 bytes of data. Each bit in the data stands for one capability. Ingenico Canada has created a tool to help you interpret its value. See What is an EMV Data Viewer? Use the tool to find what it stands for and then look it up from the Letter of Approval to see if it is certified. E0 B8 C8 stands for

3.7

What is IRWIN?

Traditionally, when a separate contactless reader is connected to a terminal for processing contactless transactions, Visa would require the terminal and the reader to be certified as a pair. That is different combination of terminal and reader will require separate certifications. IRWIN which stands for Intelligent Reader with Implementation Notes was introduced by Visa to allow portability of the reader approval. The intelligent reader has to contain contactless kernel which performs all the necessary communication with the card to decide the outcome of the transaction without any intermediate involvement of the terminal. The decision is passed to the terminal to complete the transaction. See also What is a smart reader?

INGENICO EMV FAQs

Page 22

4.

EMV Application Design

4.1

What is required in an EMV application?

Bear in mind that all EMV requirements specified in the EMVCos Specifications have been implemented in the EMV kernel and the kernel has been certified. The application youre going to create is to address the followings, 4.2 Customize the transaction flow to meet the merchant or acquirers requirements, e.g. EMV related display messages, prompts, receipts etc EMV transaction related process that is not specified in EMV Specifications, e.g. enforcing to use chip technology, fallback to use magstripe in case of chip failure, etc Communicate with host with EMV specific transaction data

What are the basic topics for an application FRS regarding EMV transaction processing?

The followings shall be covered, How to check to reject when chip card is swiped for MSR transaction Language selection prompt if cardholder language selection is supported Application selection prompt if cardholder application selection is supported Fallback requirements in case of chip failure EMV related prompts such as DO NOT REMOVE CARD, <application label> IS SELECTED, INCORRECT PIN, LAST PIN TRY, PLEASE REMOVE CARD etc EMV related data to be included in host request and response Host reversal process, in case host approval is rejected by card or card is removed prematurely List of transaction type to be processed as EMV or non-EMV EMV data to be printed on receipt How EMV terminal configuration parameters are managed

These requirements should come or approved by from acquirer. 4.3 Can you provide a list of EMV related terminal parameters required?

EMV terminal parameters may include the followings. Parameters List of terminal languages List of supported AIDs Usage For selecting a terminal language by comparing them to the preferred language list on the card For building candidate list during Application Selection

INGENICO EMV FAQs

Page 23

CAPKs per RID Floor limit per AID Terminal Action Codes per AID Default TDOL per AID Default DDOL per AID

For data authentication For checking if transaction amount exceeds floor limit Set by Acquirer. Used with Issuer Action Codes set by issuer in the card to decide the outcome of the transaction. For use as TDOL for generating TC if it is not specified by the card For use as DDOL in INTERNAL AUTHENTICATE card command if it is not specified by the card

See also What is a typical contact EMV transaction flow? 4.4 Does my application need to support Canadian Application Selection Flag Processing?

Canadian Application Selection Flag processing is a requirement for Canada only. If your application is used outside Canada, it is generally not required. You should confirm it with the acquirer. See also Does Ingenico device support Canadian Application Selection Flag (ASF) process? 4.5 Does my application need to support Domestic Visa Debit Opt-Out?

Domestic Visa Debit Opt-Out is a requirement for Canada only. If your application is used outside Canada, it is generally not required. You should confirm it with the acquirer. See also Does Ingenico device support Domestic Visa Debit Opt-Out? 4.6 What does choice of technology mean?

If EMV is supported, at the point when a payment system invites cardholder to present a card for payment, the card can be MSR or chip card. If a chip card is used, it should only be used at chip reader. Since a chip card also has a magnetic stripe at the back, it is possible that the chip card is swiped. An EMVenabled payment system should reject such attempt. The only time when a chip card is allowed to process using MSR is when the chip technology process fails. See What is fallback to MSR? The followings are some consideration for rejecting a chip card swipe, Service code embedded on magnetic stripe of any chip card starts with either 2 or 6 Payment system should keep track of EMV-enabled card schemes supported. If the swiped chip card belongs to a card scheme that is not supported as EMV by the payment system, it should still be processed as MSR transaction. For example, the payment system only processes Visa and MasterCard for EMV transactions, but not for Amex. When an Amex chip card is swiped, the transaction should be processed as MSR.

INGENICO EMV FAQs

Page 24

4.7

What is fallback to MSR?

In EMV, use a chip card in MSR transaction is only allowed after attempting to process a chip transaction but failed due to chip malfunction. 4.8 What does non-EMV transaction using EMV functionality mean?

A full EMV transaction involves validation processing steps such as data authentication, cardholder verification, terminal risk management etc. See also What is a typical contact EMV transaction flow? The purpose of non-EMV transaction using EMV functionality is only to read the PAN or track 2 equivalent data from the chip card. This involves only the first few steps such as Application Selection, Initiate Application Selection and then Read Application Data. As soon as the PAN is received from the rest of the EMV transaction steps will be skipped. Also the rest of the transaction will then be processed as if the PAN is read from the magnetic stripe, i.e. non-EMV. 4.9 Under which situation(s), is a host approval required to be reversed?

The chip card is required to stay in the chip reader throughout the whole transaction. The reason is that at the end of the transaction, the card is required to generate an Application Cryptogram (AC). The AC will be stored by payment systems to proof that such transaction was performed with the genuine cards presence. After the online processing, if the host approves the transaction, the host decision (in the form of ARPC which is a type of AC) is required to be sent to the card. The card will authenticate the ARPC to make sure that the response is good before accepting the approval. If either the card rejects the decision or the card has been prematurely removed, a reversal is required to be sent back to the host.

INGENICO EMV FAQs

Page 25

5.

Contact EMV Technical

5.1

What is a typical contact EMV transaction flow?

From users point of view, a contact EMV transaction consists of the following steps, Cardholder inserts the chip card into the chip reader. Cardholder may be asked to select language, a card brand (technically referred to as cardholder application selection), confirm amount or enter PIN. Result of the transaction is displayed and a receipt may be printed. Cardholder removes the chip card. The terminal (reader) powers up the chip in the card. The terminal then negotiates with the card for the low level communication options for use during the transaction. Select Application: terminal builds a candidate list of mutually supported applications (each identified by an AID) by enquiring the card the application(s) it supports. At the end of this step, either no mutually supported application is found or an application in the card is selected for the transaction. Cardholder select language, application selection may be prompted in this step. The subsequent steps are processed if an application is selected for the transaction. Initiate Application: terminal provides necessary data to the card to decide if the transaction process shall be continued. If card agrees to continue, it will return to the terminal 2 pieces of information, one indicates its processing capabilities (AIP) and the other tells the terminal where to read the application data (AFL). Read Application Data: terminal reads application data based on the AFL. Actual data read varies depending on how the card is personalized by the issuer. Examples of data that may be read includes Track 2 Equivalent Data, CVM List, Certification Authority Public Key Index, Issuer Public Key Certificate, Issuer Action Codes (IACs) etc The card is in control of what data the terminal can read. Sensitive data, such as offline PIN value, are never revealed to the terminal. It is not possible to clone a chip card. Data Authentication: terminal authenticates the card is not a counterfeit card. Methods used can be SDA, DDA or CDA. CDA is the strongest method, followed by DDA and then SDA. The method used depends on the terminals capabilities and the AIP from the card. Certification Authority Public Key will be used for authenticating the card data. Processing Restrictions: terminal checks if the terminal application is compatible with the card application by comparing the application version number, if requested service is allowed, if application is effective and if application has expired. Cardholder Verification: terminal verifies the person presenting the card is the genuine cardholder based on the CVM list which defines the preferred method(s) set up in the card by the issuer. Offline PIN verification is a typical method used. Thats why EMV is commonly known as Chip and PIN. Terminal Risk Management: terminal checks if the transaction amount exceeds floor limit, if the transaction is randomly selected to go online and if the card has performed too many offline transactions that the current transaction should be sent online.

Internally, the followings are processed,

INGENICO EMV FAQs

Page 26

Terminal Action Analysis: The result of various validations during Data Authentication, Processing Restrictions, Cardholder Verification and Terminal Risk Management is saved in TVR. In this step, terminal compares TVR to TACs and IACs to decide the outcome of the transaction, which can be decline offline, go online for host authorization or approve offline. Its decision is sent to the card in the request of the GENERATE AC command. The GENERATE AC command sent in this step is often referred to as the first GENERATE AC. Card Action Analysis: card performs its own analysis which is issuer specific. Card may override the terminals decision with a stricter one. Its decision is indicated in the response of the GENERATE AC command. If the cards decision is to approve the transaction offline, the steps of Online Processing and Issuer Script Processing will be skipped. Online Processing: this is performed only if the card decides to send the transaction online for host authorization. In this case, the application cryptogram (ARQC) returned from the card will be sent to the issuer host for authentication. Under normal circumstances, the issuer will return an ARPC, which will be authenticated by the card. After host response is received, the EMV data received from the host will be sent to the card in another GENERATE AC command which is referred to as the second GENERATE AC. Terminal will request for approve or decline the transaction based on the hosts decision. Again, the card may override the host decision. For example the card may decline a host approval if the ARPC fails the authentication which an indication that the host response cannot be trusted. Issuer Script Processing: optionally, the issuer may return issuer script(s) in the host response. Terminal is required to forward the issuer script(s) to the card. This makes post-issuance update possible. Completion: this occurs when the transaction is to be either approved or declined. This can have after the first or second GENERATE AC. In either situation, when the transaction is approved, a TC is returned from the card. This TC is a powerful data element for use to prove that the transaction is performed using a genuine card. As a final step, terminal powers down the chip in the card.

5.2

What is AIP?

AIP is Application Interchange Profile. It specifies the application functions that are supported by the card application. 5.3 What is AFL?

AFL is Application File Locator. It consists of the list of files and related records for the currently selected application that shall be read by the terminal application for the subsequent transaction processing. 5.4 What is TVR?

TVR is Terminal Verification Results. It is a 5-byte data element which is used as a bitmap. Each bit records the result of a validation during Data Authentication, Processing Restrictions, Cardholder Verification and Terminal Risk Management. 5.5 What is TACs and IACs?

INGENICO EMV FAQs

Page 27

TAC is Terminal Action Code and IAC is Issuer Action Code. Each of them comes in a set of 3, namely, TAC Denial, TAC Online, TAC Default, and IAC Denial, IAC Online, IAC Default Each of these data element has the exactly same structure as TVR. They are used in pairs, e.g. TAC Denial and IAC Denial, to compare to the TVR to decide if the specific action shall be taken.

Deciding if specific action shall be taken,

Flow of TAC and IAC pairs processing,

INGENICO EMV FAQs

Page 28

5.6

What is AC (Application Cryptogram TC, ARQC, ARPC and AAC)?

AC is Application Cryptogram. It is generated by the card using an Issuer specific algorithm and cryptographic keys. There are 4 types of AC, TC, Transaction Certificate, which is generated for an approved transaction ARQC, Authorization Request Cryptogram, which is generated for host authorization request ARPC, Authorization Response Cryptogram, which is generated by the issuer host for host authorization response AAC, Application Authentication Cryptogram, which is generated for a declined transaction

INGENICO EMV FAQs

Page 29

6.

Contactless Technical

6.1

What is tearing?

During a chip payment transaction, the card has to communicate with the terminal throughout the transaction. For contact chip card, the card is required to stay in the reader. For contactless chip card, the card is required to stay within the RF field generated by the reader. Tearing occurs when the card removed such that the communication is no longer possible. Tearing is a lot easier to occur in contactless transactions. 6.2 What is collision?

Collision occurs when more than one contactless chip card is moved within the RF field generated by the contactless reader. This is not unusual in contactless transactions, e.g. a cardholder puts a Visa and a MasterCard contactless card in a wallet and presents the wallet to the reader during the transaction. Collision only occurs in contactless transactions. 6.3 What is contactless magstripe and contactless EMV?

Contactless payments were started off as competition. MasterCard and Visa defined separately their own requirements in applying contactless technology in payment. Early contactless chip specifications were designed for MSR payment network to address counterfeit fraud in MSR cards. A dynamic card verification code that can only be generated by a genuine card is added into the track 1 and track 2 data. The code is generated by the card and formatted by the reader into track data. The process is transparent to the existing terminal application. The dynamic code is verified by the issuer host. This code is known as CVC3 for MasterCard and dCVV for Visa. Both MasterCard and Visa later defined new requirements for EMV infrastructure. Visa called its requirement payWave qVSDC while MasterCard called it PayPass M/Chip. Their original requirement payWave MSD and PayPass magstripe respectively. Summary of card schemes contactless specifications: Card Scheme Visa MasterCard American Express Discover Interac Contactless Magstripe version payWave MSD PayPass magstripe ExpressPay Magstripe Discover Zip Nil Contactless EMV-like version payWave qVSDC PayPass M/Chip ExpressPay EMV Nil Flash

INGENICO EMV FAQs

Page 30

6.4

What does Entry Point Component that is included in the Add-on Contactless package do?

Contactless payments were started off as competition. See What is contactless magstripe and contactless EMV? The problem is that each card schemes contactless specification is totally different from the others. Therefore one contactless kernel is required for each card scheme. When a reader is required to support multiple contactless kernels, it needs a way to select which kernel to process for the transaction. The solution is constructed around a multi-kernel terminal approach, orchestrated by an overarching layer that is called the Entry Point. The Entry Point allows for legacy applications to coexist. Multi-kernels framework:

INGENICO EMV FAQs

Page 31

7.

EMV Testing and Test Tools

7.1

What kind of test tools is required for EMV testing?

For regional testing, packaged test tools for card schemes end to end certification tests should be used. Test Package Contact Chip Visa ADVT ICC Solutions Collis ADVT from Visa MasterCard M-TIP ICC Solutions Collis FIME Interac ICC Solutions Collis American Express Discover Contactless Chip Visa qVSDC Device Module Test ICC Solutions Collis MasterCard TIP Subset 6 & 8 Interac Reader Terminal Interoperability and Confidence Test American Express Discover 7.2 What are pre-loaded test cards? Collis FIME ICC Solutions Provided by American Express free of charge Provided by Discover free of charge Provided by American Express free of charge Provided by Discover free of charge Provider

Test cards provided in test packages may be pre-loaded cards or test cards with downloadable scripts. For pre-loaded cards, one physical card is for one test case. Replacing the card is required when either one of the followings occurs, The card is expired Card is blocked due to security reason

INGENICO EMV FAQs

Page 32

PIN try counter exhausted due to too many incorrect PIN entered

Test cards provided by ADVT from Visa or FIME are pre-loaded cards. Test cards with downloadable scripts will require only a small number of physical test cards. When a different test is required, a different test script can be loaded into the test card. Some tools may use a probe rather than a card, e.g. Collis. 7.3 What is a SmartSpy?

A SmartSpy is a device that can be used to capture data exchanged between a reader and a card. Contact SmartSpy Contactless SmartSpy

7.4

What is EMV Level 1 trace?

EMV Level 1 trace shows data captured between a reader and a card in level 1 format, i.e. protocol level information. 7.5 What is EMV Level 2 trace?

EMV Level 2 trace shows data captured between a reader and a card in level 2 format, i.e. application level information and tag data. 7.6 How to get card trace?

Some test packages come with built-in card trace, e.g. ICC Solutions, FIME and Collis. A SmartSpy can always be used to capture card trace. 7.7 EMV data elements are hard to interpret, e.g. how can I tell what AIP = 7100 means?

Use the EMV Data Viewer to help. See What is an EMV Data Viewer? AIP = 7100

INGENICO EMV FAQs

Page 33

INGENICO EMV FAQs

Page 34

8.

News and Updates

8.1

What is NFC?

NFC, which stands for Near Field Communication, is a standard-based, short-range (a few centimeters) wireless connectivity technology that enables simple and safe two-way interactions among electronic devices. Major smartphone makers are applying the technology in their devise. It can operate in 3 modes. NFC Architecture and Applications

At the present moment, as a terminal vendor, were only interested in the Card Emulation Mode. When an NFC device works in Card Emulation Mode, it works like a contactless chip card and works with existing contactless infrastructure. In theory, when NFC-enabled smartphones are used in remote payment, it can address the Card Not Present issue. However, currently the primary focus is given to application of NFC in proximity payment only. 8.2 What is Google Wallet?

Google Wallet is a mobile payment system developed by Google that allows its users to store credit cards, loyalty cards, and gift cards among other things, as well as redeeming sales promotions on their mobile phone. Google Wallet uses NFC technology to "make secure payments fast and convenient by simply tapping the phone on any PayPass-enabled terminal at checkout."

INGENICO EMV FAQs

Page 35

The service will work with over 300,000 MasterCard PayPass merchant locations. Google Wallet launch partners include Citi as the issuing bank, MasterCard as the initial payment network, and Sprint as the first mobile carrier.

8.3

Why is Visas Announcement made on Aug 9, 2011 so important to the US? Posted: 2011-09-16 Visa made an announcement on Aug 9, 2011 which is summarized below, Effective October 1, 2012, Visa will expand its Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement for eligible merchants to annually validate their compliance with the PCI Data Security Standard for any year in which at least 75 percent of the merchant's Visa transactions originate from chip-enabled terminals. To qualify, terminals must be enabled to support both contact and contactless chip acceptance, including mobile contactless payments based on NFC technology. Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Visa intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions, effective October 1, 2015.

Liability shift is often used as an incentive to encourage acquirers or issuers to move to chip transactions. In the MSR world, POS counterfeit fraud is largely absorbed by card issuers. In EMV, the party that is not chip-capable will be liable for frauds that would have been prevented if the transaction were processed as chip-on-chip (chip card processed by chip terminal). The U.S. is often referred to as the only developed country in the world that has not committed to nationwide EMV implementation. However chip payment is not a total stranger here, Some card issuers in the U.S. have started to issue chip cards (using signature as preferred CVM) in order to allow U.S. cardholders to use their cards when travelling in countries where MSR cards are no longer accepted. Acquirers such as Chase Paymentech, First Data etc already have the structures and skills in place for chip payment. Merchants like WalMart, Home Depot etc are EMV capable.

Visa's announcement is expected to create the momentum that the U.S. market has been waiting for. INGENICO EMV FAQs Page 36