EMV Overview

KONA SOFTWARE LAB LTD.

October 01, 2016

CONTENTS

• Current Payment Scenario
• EMV Overview
• EMV Authentication & Authorization

|Copyright 2016, Kona SL Ltd. | All Rights Reserved

Players and Roles for Payment System

User
• Buying Merchant’s products and services
• Using payment card issued by Issuer

Merchant
• Offering products and services to User
• Signing up with Acquirer

Acquirer
• Signing up and underwriting Merchant
• Transmitting collected transaction data to Issuer

Issuer
• Issuing payment card
• Approval or rejection of transaction

Payment Network Provider
• Providing network between Issuer and Acquirer
• Offering brand benefit

[Figure: Payment ecosystem. User, Merchant, Acquirer, Issuer, POS, ATM, Acquiring System, Issuing System, Host, Payment Cards, Interchange Network, Authorization System, NPSB]

Payment Card Evolution

Embossing
• Verification of Card & Cardholder: Penciling the embossed card
• Data Processing: Manually
• Validation Verification: -
• Note: High risk of data duplication

Magnetic Stripe
• Verification of Card & Cardholder: Imprinted sales slip, transaction slip, and signature verification
• Data Processing: Electronically process transaction and settlement data for the first time
• Validation Verification: CVC, CVV verification, Hologram verification by eye
• Note: Increase in risk of data duplication by popularization of MS card usage and technology

IC Chip Card
• Verification of Card & Cardholder: Transaction slip, PIN, and signature verification
• Data Processing: Payment application-installed-chip stores and processes data
• Validation Verification: Offline data authentication through digital signature verification
• Note: Strong security provided by high grade of cryptosystem; Inconvenience in simple transaction

RF Card
• Verification of Card & Cardholder: Same principle as IC chip card but streamlined authentication
• Data Processing: Similar process to that of IC chip card but streamlined transaction flow
• Validation Verification: ARQC verification
• Note: Compatibility with MS card infrastructure

Mobile Card
• Verification of Card & Cardholder: Same as RF card
• Data Processing: Comply with NFC transaction process by using NFC equipped cellphone
• Validation Verification: Same as RF card
• Note: OTA post issuance of card


Magnetic Stripe Cards

• Stores data on the magnetic band usually located on the back of the card.
• Contains Track 1 & Track 2 Data
• Track 1 Data
  • Card Type, PAN, Cardholder Name, PAN Expiry Date, Service Code.
• Track 2 Data
  • PAN, PAN Expiry Date, Service Code
• Stored data cannot be changed.
• Read by swiping past a magnetic reading head.

Magnetic Stripe Transaction Flow

[Figure: Magnetic Stripe Card Swiped in POS. Static Authentication Data is passed on to the Acquirer, the Payment Network Provider and the Issuer; a Transaction Response is returned at each hop.]

Security Issues for Magnetic Stripe Cards

• Card Cloning
  Magnetic stripe data is not encrypted and is very easy to clone.
• Static Data
  Static data is stored in the magnetic stripe during personalization. This data is not changed during the card's lifetime, so once it is compromised it can be used any number of times to perform fraudulent transactions.
• Little Risk Assessment
  No risk assessment is performed at the terminal or card. Risk assessment is performed only at the host.

EMV

• A standard for smart payment cards and terminals.
• EMV stands for Europay, MasterCard and Visa, the three companies that founded the standard.
• This standard is maintained by EMVCo, a consortium with payment brands like Visa, MasterCard, JCB, American Express, China UnionPay and Discover as members.

Purpose of EMV Standards

• To prevent card fraud
  Minimize the risk of card data duplication and counterfeiting, which were easy with MS cards
• To reduce cost
  Cut cost by activating offline transactions
• Interoperability
  Set up an interoperable payment infrastructure (chip, card, terminal, and system) by defining the business role of players in the Credit & Debit Payment System

EMV Offerings

• Cardholder and card authentication
• Cryptographic processing capability of smart chip
• Authorization by issuer by predefined rules

[Figure: Authorization Request with dynamic data passed from the Acquirer through the Payment Network Provider to the Issuer]

EMV Cryptographic Processing

• EMV chip cards have cryptographic processing capability.
• Cryptographic algorithms such as Triple DES, RSA and SHA are used throughout various phases of the smart card’s lifecycle.

A Look Into Chip Cards

Contact Cards
• 1 square cm contact area with gold plated contact pads.
• ISO/IEC 7816 standard defines the communication protocol, physical characteristics of card, security and command for interchange, commands for security operations, etc.

Contactless Cards
• Card communicates with the reader through RF Induction technology
• ISO/IEC 14443 standard defines the communication protocol, radio frequency power, transmission protocol, etc.

Dual Interface Cards
• Both contact and contactless interfaces are supported
• ISO/IEC 14443 standard defines the communication protocol, radio frequency power, transmission protocol, etc.

EMV Authentication

Card Authentication
• Online Authentication
• Offline Authentication
  SDA – Static Data Authentication
  DDA – Dynamic Data Authentication
  CDA – Combined Data Authentication

Cardholder Authentication
• Online PIN
• Offline PIN

Authorization by the Issuer

Online Authorization
• Transaction cryptogram is generated and sent to the issuer online.
• The issuer authorizes the transaction online.

[Figure: Cryptogram Request forwarded through the Payment Network to the Issuer; Authorization Response returned along the same path]

Offline Authorization
• Used when terminals don’t have online connectivity.
• Card and terminal communicate and decide whether the transaction can be authorized.

Risk Assessment

Terminal Risk Assessment
• Terminal can decide to perform the transaction online/offline
• For offline transactions, terminal checks the transaction amount against an offline ceiling limit.

Card Risk Assessment
• Card takes part in the decision making of accepting/declining a transaction
• Different types of application cryptograms are generated
  AAC – used for declining a transaction
  TC – used for offline transaction
  ARQC – used for online transaction
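
A simplified model of the two risk assessments above, as an added example (not from the original slides). The names offline_spent and card_offline_limit are hypothetical card-side counters, and the rule that the card may keep or tighten the cryptogram type the terminal requests, but never loosen it, comes from general EMV behaviour rather than from this slide.

```python
from enum import IntEnum


class AC(IntEnum):
    """Application cryptogram types, ordered from strictest to most permissive."""
    AAC = 0    # decline the transaction
    ARQC = 1   # send the transaction online to the issuer
    TC = 2     # approve the transaction offline


def terminal_risk(amount, offline_ceiling, online_capable):
    """Terminal side: pick the cryptogram type to request from the card."""
    if amount <= offline_ceiling:
        return AC.TC
    # Above the offline ceiling the terminal wants the issuer involved.
    return AC.ARQC if online_capable else AC.AAC


def card_risk(requested, amount, offline_spent, card_offline_limit):
    """Card side: keep the terminal's request or tighten it, never loosen it."""
    preferred = AC.TC
    if offline_spent + amount > card_offline_limit:
        preferred = AC.ARQC  # card wants the issuer to see this transaction
    return min(requested, preferred)


def decide(amount, offline_ceiling, online_capable, offline_spent, card_offline_limit):
    """Return (type requested by terminal, final type) as names."""
    requested = terminal_risk(amount, offline_ceiling, online_capable)
    answer = card_risk(requested, amount, offline_spent, card_offline_limit)
    if answer is AC.ARQC and not online_capable:
        answer = AC.AAC  # the issuer cannot be reached, so the result is a decline
    return requested.name, answer.name


# Constructed scenarios: (amount, ceiling, online?, offline spent, card limit)
SCENARIOS = {
    "small purchase": (20, 50, True, 0, 100),
    "above terminal ceiling": (80, 50, True, 0, 100),
    "card counter nearly used up": (20, 50, True, 90, 100),
    "same card, offline-only terminal": (20, 50, False, 90, 100),
}


def run_all():
    return {name: decide(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: terminal asks {result[0]}, outcome {result[1]}")
```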


Card & Terminal Communication Steps for Transaction

[Figure: Card & Terminal Communication Steps. Initiate Application, Read Application Data, Data Authentication, Processing Restrictions, Cardholder Verification, Terminal Risk Management, Terminal Action Analysis, Card Action Analysis, Online/Offline Decision, Online Processing & Issuer Authentication, Script Processing, Completion]

Initiation of the transaction

Card & Terminal Communication Steps

Reading card data for transaction

Card & Terminal Communication Steps

Card authentication by terminal

EMV Data Authentication

Static Data Authentication (SDA)
• Payment Brand Certificate: kept at the terminal
• Issuer Public Key Certificate: signed by Payment Brand, verified by payment brand certificate
• Static Application Data: verified by Issuer Public Key Certificate

Dynamic Data Authentication (DDA)
• Payment Brand Certificate: kept at the terminal
• Issuer Public Key Certificate: signed by Payment Brand, verified by payment brand certificate
• ICC Public Key Certificate + Static Application Data: verified by Issuer Public Key Certificate
• Card & Terminal Dynamic Data: verified by ICC Public Key Certificate
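
The DDA chain above as an added example, not code from the original deck: the terminal starts from the payment brand key it already holds and checks each signature down to the card's response to a fresh challenge. Textbook RSA over SHA-256 with constructed toy keys stands in for the real EMV certificate and signature formats, and all function names are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key


def make_key(p, q):
    """Textbook RSA key (n, d) from two primes; illustration only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, key):
    n, d = key
    return pow(digest(data, n), d, n)


def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)


def enc(n):
    """Encode a public modulus as bytes so it can be signed."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


# Constructed toy keys built from Mersenne primes, far too small for real use.
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))
BRAND, ISSUER, ICC = make_key(M61, M89), make_key(M89, M107), make_key(M107, M127)
STATIC_DATA = b"constructed static application data"

# Personalization: the brand signs the issuer key, and the issuer signs the
# ICC key together with the static application data.
ISSUER_CERT = sign(enc(ISSUER[0]), BRAND)
ICC_CERT = sign(enc(ICC[0]) + STATIC_DATA, ISSUER)


def card_sign(challenge, icc_key=ICC, counter=b"\x00\x2a"):
    """Card: sign its own dynamic data plus the terminal's challenge."""
    return counter, sign(counter + challenge, icc_key)


def terminal_dda(challenge, response, static_data=STATIC_DATA,
                 icc_n=ICC[0], icc_cert=ICC_CERT):
    """Terminal: walk the chain down from the brand key it already holds."""
    counter, signature = response
    return (verify(enc(ISSUER[0]), ISSUER_CERT, BRAND[0])
            and verify(enc(icc_n) + static_data, icc_cert, ISSUER[0])
            and verify(counter + challenge, signature, icc_n))
```

A response recorded for an earlier challenge fails the last check, which is the property static data alone cannot provide.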

Combined Data Authentication (CDA)

[Figure: DDA, Generate Application Cryptogram, Application Request Cryptogram (ARQC), Send ARQC to Issuer, Issuer, Cryptogram Validation, Application Response Cryptogram, Send ARPC to Card]

Card & Terminal Communication Steps

Confirming compatibility between terminal and card

Card & Terminal Communication Steps

Confirming whether a cardholder is valid

Cardholder Verification Method

Verification Methods
• Online PIN
  PIN is encrypted and verified by the issuer online
• Offline PIN
  A copy of the PIN is stored on the card in encrypted form
  During the transaction, the user-provided PIN is matched against that stored encrypted PIN
• Signature
  Cardholder’s signature on the receipt is matched with the signature on the back of the card
• No verification method
  • Only the card is authenticated
  • Usually takes place for small-amount transactions

Card & Terminal Communication Steps

Different steps taken by the terminal to prevent fraud

Card & Terminal Communication Steps

Primary decision for transaction whether to approve or decline offline or online

Card & Terminal Communication Steps

Final decision making for going online or offline for transaction by card self risk management based on terminal action analysis

Card & Terminal Communication Steps

Online Transaction with Application Cryptogram

EMV Online Transaction Flow

[Figure: Application Request Cryptogram (ARQC) forwarded through the Acquirer and the Payment Network Provider to the Issuer; Cryptogram Validation; Application Response Cryptogram (ARPC) returned along the same path]

Card & Terminal Communication Steps

Process Additional Commands from Issuer

Card & Terminal Communication Steps

Complete Transaction Process

Copyright ⓒ 1999-2013 Kona I Co., Ltd All Rights Reserved. Copyright © 2016, KONA Software Lab Ltd. All Rights Reserved
