Beruflich Dokumente
Kultur Dokumente
• Q&A
Global EMV Adoption*: 2.37 Billion Cards and 36.9
Million EMV Terminals
* Excluding U.S.
Source: EMVCo, as of Q4 2013
U.S. Migration Progress
Card / NFC
Contactless
Device
Terminal
EMV
Contact
Magnetic Stripe Transactions use static authentication
data that can be skimmed
Track data
Auth
Code
Auth
Code Payment Acquirer
Network System
Track
Data
3) Authorization message
Track data is often in the clear
The authentication data is static
Field/DE 55
Field/DE 55
ARPC
(3)Add
NewEMV
EMVField
authentication
55 data (2) Terminal performs New dynamic
data risk assessment authentication
data
Issuer Auth
System (4) New Issuer Authorization Functions
Dynamic cryptogram validation
May return an authentication cryptogram
Post issuance updates
The AID provides a method for the terminal to
recognize what applications exist on a chip card
So what is an AID?
AID
Payment Network
An Identifier that must be registered with (Application owner)
ISO Operating rules are
linked to AIDs
Identifies an application owner MasterCard
Dynamic
EMV ARQC
Cryptogram
Chip security provides both card stock security and
transaction security
Pre-issuance Security Transaction Security
EMV Application
• EMV Card Risk Management Decision
Card Stock Configuration Criteria
Security Data
• Issuance Online Offline
Security Security Security
Key Functions Functions
Management
Symmetric Keys Asymmetric Keys
Data
Preparation
EMV
Data Cardholder Verification
Methods
EMV security functions performed online
Online
Transaction Online Card Authentication
Security 1 (Online CAM)
Payment Acquirer
ARQC Online
Brand System Request
(ARQC)
ARPC Dynamic
Authentication Code ARPC
3DES
cryptography
Shared Key
Hardware Security Module
Issuer Auth and Key Management
Embedded 3DES
System
System crypto processor
EMV message data also increases online fraud detection
security
Field/DE 55
Payment Acquirer
Field/DE 55
Brand System Terminal EMV
transaction
analysis data
New EMV
Add EMV Field 55 data
authentication data Chip EMV
Transaction
Analysis data
Issuer Auth
System
New EMV data in the authorization message enhances
authorization decisioning
ISO 8583 – Field or DE 55
Application Cryptogram
Cryptogram Information Data
Issuer Application Data
Application Interchange Profile
Authorization
Terminal Verification Result Rules
Terminal Capabilities
Cardholder Verification Method Results
Unpredictable Number Fraud Rules
Application Transaction Counter
Transaction Date
Transaction Type
Transaction Currency Code
Terminal Country Code
The new EMV information in the authorization message
increases the issuers security tools
Offline
Offline Card Authentication
Security 1 (Offline CAM)
Functions
Asymmetric Keys
Offline Authorization
2 (Offline Transaction)
Offline PIN
3 (Cardholder Verification Option)
EMV Offline security functions require asymmetric keys
and certificates
Offline Security
relies upon
Asymmetric Key Technology
Key Pair
DDA/CDA
Card Authentication
Public Private
Key Key
Offline card authentication leverages asymmetric key
technology
Public key infrastructure required for EMV offline functions
Issuer Payment
Network
Acquirer
Key Pair
Retailer
Issuer Public
Key Certificate
Offline Authorization
2 (Offline Transaction)
PIN
PIN Try Limit
PIN Try Counter
Additional
Issuer Action Codes Processing
Card Issuer Action Codes Rules
EMV Cardholder Verification Settings
Example: CVM List
CVM Options
Selected
• No CVM Online PIN
at ATM
• Signature
Offline PIN
• On-line PIN at ATM at POS
Priority
Card profiles and terminal profiles work together to
determine the method of cardholder verification
Terminal
Capability Card CVM List
Profile
No “Offline PIN”
support CVM 3 Signature at POS
No “Online PIN”
support CVM 5 No CVM
at POS
EMV From a Terminal Perspective
Issuing Banks
EMV Terminals Become a Workflow Engine
Customer 3
Acquirer Customer 5
Petroleum Pay EMV Kernel EMV Brand
at the Pump Type Approval Certification
System
Kiosk EMV Kernel EMV Brand
Customer….
Terminals Type Approval Certification
Customer.…
A U.S. Debit EMV card will have two EMV
applications/AIDs in the chip
To meet Durbin routing option compliance the application selection
process changes and two AIDs relate to one funding account
Risk Risk
Management Management
Controls Controls
Signature
Online PIN Online PIN
Offline PIN No CVM
No CVM
All stakeholders need to migrate to receive the full
benefit of EMV
Acquirer
Issuer EMV Messaging
Card / NFC
Contactless
Device Terminal
EMV
Contact
EMV 101
Q&A
EMV Resources
EMV Connection web site – http://www.emv-connection.com
EMV Migration Forum Resources
• “Standardization of Terminology” glossary
• “Testing and Certification: Current U.S. Payment Brand
Requirements for the Acquiring Community” white paper
• “U.S. Debit EMV Technical Proposal” white paper
Other Resources for Issuers, Merchants and
Acquirers/Processors
• EMV FAQ
• “Card Payments Roadmap in the U.S.” white paper
• “How EMV Changes Payment Workshop” recording
• U.S. issuers of EMV chip cards
• Cathy Medich, cmedich@us-emvforum.org
• Guy Berg, guy_berg@mastercard.com