Emv Concepts Terminology
Emv Concepts Terminology
Emv Concepts Terminology
b) The format of the track 2 data can be useful. When the track 2 is
read from the magnetic stripe, the field separator will be an equal sign
(“=”); when the track 2 equivalent data is obtained from the chip, the field
separator will be a capital D (“D”), since the data in the EMV tags stored
in the chip cannot contain special characters such as an equal sign. The
discretionary data part of the track 2 will not be the same in the magnetic
stripe as it is in the track 2 equivalent data from the chip. Based on the
format of the track 2 data, you can tell whether the chip was actually
read or not.
c) The first byte of the service code in the track 2 will have a value of
1 or 5 for magnetic stripe cards, and 2 or 6 for most contact chip cards.
d) If an ARQC is present, it is clear that the chip was read. Most
ISO8583-based network specifications will carry the ARQC (EMV Tag
9F26), and other critical EMV Tags, in Data Element 55. If DE55 is
present, the chip was read successfully.
Q: If the service code on the magnetic stripe tells the POS that it is a
chip card, couldn’t the fake card be made with a service code that says it
is a mag stripe card, in an attempt to prevent fallback?
A: Criminals often skim the magnetic stripe from the chip card, and write
this data “as is” to a counterfeit card. In this case, it’s easy to see that
the track 2 indicates this should be a chip card. If the criminal was smart
enough to change the service code on the track 2 to show it’s a
magnetic stripe card, and create the counterfeit card that way, the
terminal would not try to read a chip, and would process the transaction
as magnetic stripe. It is then the issuer’s responsibility to detect that the
track 2 data they receive indicates this is a magnetic stripe card, but the
card was actually created as a chip card. Hopefully the issuer’s data
base will have some way to indicate that the card in question was
actually created as a chip card. This could be done by using different
BINs for chip cards, or by having a flag in the card record indicating this
is a chip card, or by the presence of EMV-related data in the card record.
Q: Which tags in the EMV data carry the ARQC and ARPC information?
Q: Do the additional EMV card authentications that take place add
additional time to a transaction, or is it actually faster than typical mag
stripe CV/PIN validation?
Q: Are both the online and offline PINs the same value?
A: When a card supports both online and offline PIN, the card can
certainly be configured so that all applications on the card use the same
PIN for both online and offline functions. It should be transparent to the
cardholder whether online PIN or offline PIN is being used. The vast
majority of cardholders would not understand the concept of an offline
PIN and an online PIN, or when to use one vs. the other, or having a
different PIN for each application on their card. Imagine a card where the
online PIN is 9876 but the offline PIN is 2222. The cardholder goes to an
ATM, where PIN verification is always performed online, and enters PIN
9876; the transaction is approved. The cardholder goes to a POS device
that does not support offline PIN verification (but the cardholder knows
nothing about this), enters PIN 9876, and the transaction is approved.
Then the cardholder goes to a POS device that does support offline PIN
verification (but again the cardholder knows nothing about this), enters
PIN 9876, and the terminal says the PIN is invalid (the PIN entered by
the cardholder does not match the offline PIN stored in the chip). This
introduces many opportunities for cardholder confusion and frustration;
so issuers should consider having a single PIN associated with a card,
regardless of how many applications or online/offline functions are
supported by that card.
A: “Chip and PIN” refers to a chip card that supports EMV and typically
requires a PIN when performing a transaction. “Chip and PIN” is not an
EMV term; it was coined in some countries to refer to their particular
EMV implementation, where the decision was made to use PIN as the
primary CVM. EMV supports several cardholder verification methods
(CVMs): online PIN, offline PIN, signature and “No CVM required”.
Q: What is the difference between chip and signature, and chip and PIN
cards, and how they would be processed at a POS?
A: The issuer will personalize a chip card to support one or more CVMs
for each application on the card. The CVMs that the application supports
are found in the CVM List in the chip. An application might support online
PIN only, or online PIN and signature, or online PIN, signature, and “No
CVM”, or offline PIN, or any combination of the above, depending on the
issuer’s business requirements and where and how they believe the card
will be used.
If the card contains an offline PIN, the issuer must provide a way for the
cardholder to change their PIN. This can be done via ATM or in the
branch (and potentially in other ways under certain circumstances). In
any case, if the card can also be used in situations where only the online
PIN can be used (e.g. at an ATM), this means that the PIN offset or
some other PIN-verification value must be stored on the host. The PIN in
the chip and the PIN value on the host system must be kept in sync,
because the cardholder would not understand having a different offline
PIN from an offline PIN. If the cardholder changes their PIN at the ATM,
the PIN verification value on the host is updated, and the host system
must send a command to the chip card to update the PIN that is stored
in the chip. This is done via an issuer script, which is tacked onto the PIN
change response sent from the host to the terminal and forwarded by the
terminal to the chip card. When the chip card receives the response, it
will execute the PIN change command in the script, which updates the
offline PIN stored in the chip.
MasterCard Maestro
MasterCard Cirrus
MasterCard debit/credit
Visa debit/credit
Visa PLUS
Visa Electron
A: The issuer will personalize the chip card to support one or more
applications. Each application will have an identifier, or AID. If there is
more than one application on the card, the issuer will prioritize each
application. The order of priority is up to the issuer, and is based on
business requirements and how and where the issuer believes the card
will typically be used. For each application, the issuer must also indicate
whether the terminal can automatically select the application without
asking the cardholder to do so, and whether the terminal can
automatically select the application without prompting the cardholder to
confirm that selection. If the issuer were to require the cardholder to
select or confirm an application, this would typically be confusing to
cardholders; imagine if you were at the ATM or POS device and you
were asked to choose between MasterCard Cirrus and MasterCard
debit. So issuers often personalize their cards so the terminal can
handle the application selection automatically, without requiring any
selection of confirmation by the cardholder.
Similarly, each terminal will support one or more applications/AIDs. The
terminal will support the applications and AIDs for the networks the
terminal owner belongs to, where it makes sense. For example, if an
application did not support online PIN, it would not make sense for an
ATM to support that application, since online PIN is the only CVM
allowed at ATMs today.
The EMV specification states that a terminal “should” support the ability
to allow the cardholder to select or confirm the application proposed by
the terminal (EMV Integrated Circuit Card Specifications for Payment
Systems, Version 4.3, Book 1, Section 12.4). So it’s not
a requirement that terminals support this, but there will be a time in the
future when this is a very good idea, and that is when we have true
multi-application cards, e.g. a card with both a debit and credit
application on it. In this case, it would be important for the customer to
select debit vs. credit, otherwise they might be unpleasantly surprised if
the terminal selects cash advance with a credit application rather than
cash withdrawal with a debit application. Note that this selection is
different from the account selection (e.g. checking vs. savings) function
already offered at terminals.
Q: Regarding scripting: can I send both tag 71 and 72 at the same time?
A: The EMV specifications state that the length of the command to the
chip and the length of the response from the chip may not exceed 256
bytes (see EMV Integrated Circuit Card Specifications for Payment
Systems, Version 4.3, Book 1, Section 9.4). Even though the tags are
BER-TLV encoded, these commands require a 1 byte length. If the data
is to exceed 128, then this would make it a two byte length (according to
BER-DER encoding rules). That is why there is a limit. For more
information, see EMV Integrated Circuit Card Specifications for Payment
Systems, Version 4.3, Book 3, Annex B, or search on “BER Encoding
Rules” on Wikipedia.