
Emv Stepbystep

The EMV transaction process involves 12 steps: 1) The terminal determines if the chip or magnetic stripe will be used. 2) The terminal initiates the transaction and starts the EMV application on the card. 3) The terminal reads application data from the card, such as track 2 data. 4) The terminal checks the card for processing restrictions like transaction limits. 5) The terminal and card agree on a cardholder verification method like a PIN or signature.

Uploaded by

Mehmet

EMV-Step by step

Steps of an EMV transaction:


1. Technology Selection
• Task: Use chip or magnetic stripe (Fallback)
• Chip Command: Get ATR
• Chip card, but the chip is not readable
• Terminal could fall back to magnetic stripe (depends also on configuration)
• Issuer can still decline
2. Initiate Transaction
• Task: Reset internal card data and give application information about the card's EMV features
• Start the EMV application
• Chip commands: Select, Get Processing Options
3. Read Application Data
• Task: Get all data needed for a transaction
• e.g. track 2 data *
• Chip commands: Read Record

* The chip has its own track 2 data (equivalent) stored inside. This means that we have track 2 data on the magnetic stripe and also track 2 equivalent data (tag 57) on the chip (possibly different!)
Background Information AID
• Every application in the world has a unique Application Identifier (AID)
• AID is used to address an application in the card
• Every Terminal has a list of all AIDs it supports
• Consists of
• a registered application provider identifier (RID) defined in ISO 7816-5 (5 bytes)
• followed by a proprietary application identifier extension (PIX), which enables the application provider to differentiate among the different applications offered (0-11 bytes)
• AID is printed on all cardholder receipts
• Use of PSE (Payment System Environment = list of available applications), if supported
• Direct selection of AID if PSE is not supported
• The customer chooses one, or the terminal selects it automatically if there is only one
4. Processing Restrictions
• Application Usage Control AUC ('9F07')
  • Card defines which services can be authorized:
    • International / Domestic
    • Type of service
      • Cash / Cashback / Goods / Services
    • Terminal type
      • ATM / POS
• Application version number ('9F08')
  • Terminal knows the range of versions that are supported
• Application effective date ('5F25')
• Application expiry date ('5F24')
5. Cardholder Verification Method (CVM)
• Various methods are available
• Card defines which services can be authorized:
• Plaintext PIN against chip
• Enciphered PIN against chip
• Enciphered PIN verified online
• Signature
• Biometrics
• No CVM required
• Terminal and chip must agree on one
6. Terminal Risk Management
• Floor Limits
• Random Transaction Selection
• Velocity Checking
• Not required in online-only environments!
• Prevents split sales
7. Terminal Action Analysis
• The TERMINAL shall make a preliminary decision to reject the transaction, complete it online, or complete it offline
• The TERMINAL checks the TVR, TAC and IAC (see next slides)
• The TERMINAL may contain three data elements that reflect the action the acquirer and the terminal have selected, based upon the content of the TVR (in this order of priority):
  • Terminal Action Code - Denial ("TAC_DENIAL") (see next slides)
  • Terminal Action Code - Online ("TAC_ONLINE")
  • Terminal Action Code - Default ("TAC_DEFAULT")
7. Rules for Terminal Action Analysis
• Processing of the action codes is done in pairs
  • Issuer Action Code - Denial is processed together with the Terminal Action Code - Denial
  • Issuer Action Code - Online is processed together with the Terminal Action Code - Online
  • Issuer Action Code - Default is processed together with the Terminal Action Code - Default
• Processing of the action codes shall be performed in the specified order. The TERMINAL shall make a preliminary decision to reject the transaction, complete it online, or complete it offline
7. Rules for Terminal Action Analysis
• Action Code Denial
• If no Issuer Action Code - Denial is present, a default value with all bits set to 0 is to be used
• Issuer Action Code - Denial and the Terminal Action Code - Denial specify the conditions that cause denial of a transaction without attempting to go online
• For each bit in the TVR that has a value of 1, the terminal shall check the corresponding bits in the Issuer Action Code - Denial and the Terminal Action Code - Denial
• If the corresponding bit in either of the action codes is set to 1, it indicates that the issuer or the acquirer wishes the transaction to be rejected offline
• In this case, the terminal shall issue a GENERATE AC command to request an AAC from the ICC
7. Rules for Terminal Action Analysis
• Action Code Online
• If no Issuer Action Code - Online is present, a value with all bits set to 1 is to be used instead
• Issuer Action Code - Online and the Terminal Action Code - Online specify the conditions that cause a transaction to be completed online
• If the transaction has not already been rejected and the terminal is capable of online processing, inspect each bit in the TVR
• Crosscheck each bit in the TVR that has a value of 1 with the corresponding bits of the Issuer Action Code - Online and the Terminal Action Code - Online
• If the bit in one of the action codes is set to 1, the terminal shall complete transaction processing online
• The terminal issues a GENERATE AC command requesting an ARQC from the ICC
• Otherwise, the terminal shall issue a GENERATE AC command requesting a TC from the ICC
7. Terminal Action Codes
• Terminal Action Code – Denial ("TAC_DENIAL")
• Terminal Action Code – Online ("TAC_ONLINE")
• Terminal Action Code – Default ("TAC_DEFAULT")
• Configured on the terminal (acquirer's responsibility)
• Denial
  Bits which correspond to the TVR conditions that should cause an offline decline
• Online
  Bits which correspond to the TVR conditions that should generate an online authorization
• Default
  Bits which correspond to the TVR conditions for which the transaction defaults to an offline decline if online processing is not available.
• (We assume that we can always go online, thus TAC - Default is not used!)
7. Terminal Action Codes
• Issuer Action Code – Denial ("IAC_DENIAL")
• Issuer Action Code – Online ("IAC_ONLINE")
• Issuer Action Code – Default ("IAC_DEFAULT")
• Configured by the Issuer and read from the chip at runtime
7. Terminal Action Codes
• TVR: 40 bits (5 bytes) that describe the current status of the transaction
• IAC Denial: 40 bits describing reasons to decline the trx offline, set by the Issuer
• TAC Denial: 40 bits describing reasons to decline the trx offline, set by the Acquirer
• TAC Denial and IAC Denial describe equally reasons to decline offline, so we OR them
• If no reason to decline offline was found, internal defaults will result in an online authorization
• We never approve offline
7. Terminal Action Codes
Check Action Code Denial
TVR 80 10 04 00 00
  1000 0000 (Offline data authentication was not performed)
  0001 0000 (Requested service not allowed for card product)
  0000 0100 (PIN entry required, PIN pad present, but PIN was not entered)
ISSUER ACTION CODE 00 50 40 00
  0101 0000 (Expired Application, Requested service not allowed for card product)
  0100 0000 (Unrecognized CVM)
TERMINAL ACTION CODE 00 10 00 00 00
  0001 0000 (Requested service not allowed for card product)
TVR compared with IAC: match in Byte 2 b5
TVR compared with TAC: match in Byte 2 b5
Rejected Offline - Request AAC
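
The pairwise Denial / Online / Default check described on the slides above, written out as an added example (not part of the original slides). The function names are hypothetical, the TAC Online and TAC Default values are constructed, and the fifth IAC byte is assumed to be 00 because the slide prints only four bytes.

```python
# Added example (not from the original slides): Terminal Action Analysis.
ALL_ZERO = bytes(5)       # used when IAC - Denial is absent from the card
ALL_ONE = b"\xff" * 5     # used when IAC - Online is absent from the card

def matching_bits(tvr, iac, tac):
    """(byte, bit) positions, numbered as on the slides, where a TVR bit set
    to 1 is also set in the issuer OR the terminal action code."""
    for value in (tvr, iac, tac):
        if len(value) != 5:
            raise ValueError("TVR, IAC and TAC are 5 bytes (40 bits) each")
    hits = []
    for idx, (t, i, a) in enumerate(zip(tvr, iac, tac), start=1):
        common = t & (i | a)
        hits += [(idx, b) for b in range(8, 0, -1) if common >> (b - 1) & 1]
    return hits

def terminal_action_analysis(tvr, tac, iac, online_capable=True):
    """tac and iac map 'denial' / 'online' / 'default' to 5-byte values; an
    iac entry may be missing. Returns (cryptogram to request, matches)."""
    hits = matching_bits(tvr, iac.get("denial", ALL_ZERO), tac["denial"])
    if hits:                                   # pair 1: Denial
        return "AAC", hits
    if online_capable:                         # pair 2: Online
        hits = matching_bits(tvr, iac.get("online", ALL_ONE), tac["online"])
        return ("ARQC", hits) if hits else ("TC", [])
    # Pair 3: Default, only when the terminal cannot go online. The all-ones
    # fallback for a missing IAC - Default is taken from EMV, not the slides.
    hits = matching_bits(tvr, iac.get("default", ALL_ONE), tac["default"])
    return ("AAC", hits) if hits else ("TC", [])

# Values from the "Check Action Code Denial" slide. The slide prints only four
# IAC bytes; the fifth byte 00 is an assumption made for this example.
SLIDE_TVR = bytes.fromhex("80 10 04 00 00")
SLIDE_IAC = {"denial": bytes.fromhex("00 50 40 00 00")}
# TAC Online and TAC Default are not given on the slide; zeros are constructed.
SLIDE_TAC = {"denial": bytes.fromhex("00 10 00 00 00"),
             "online": ALL_ZERO, "default": ALL_ZERO}

if __name__ == "__main__":
    print(terminal_action_analysis(SLIDE_TVR, SLIDE_TAC, SLIDE_IAC))
```

With the slide's values the result is a request for an AAC because of Byte 2 b5, matching the slide's "Rejected Offline" outcome.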
8. Generate 1st AC
• An ICC may perform its own risk management to protect the issuer from fraud or excessive credit risk
• Details of card risk management algorithms within the ICC are specific to the issuer
• As a result of the risk management process, an ICC may decide to
  • complete a transaction online
  • or decline offline
• The ICC may also decide that an advice message should be sent to the issuer to inform the issuer of an exceptional condition
• The terminal calls the ICC's "Generate AC" command
8. Generate 1st AC
The terminal forwards its decision to
• complete it offline
• complete it online
• decline offline
to the chip, by calling the Generate 1st AC command:
9. Card Action Analysis
• Task: The card (ICC) receives the terminal's decision from the "Terminal Action Analysis" and decides to decline offline, approve offline or ask for online authorization
• The ICC performs its own card risk management here
• Chip command: Generate AC
9. Card Action Analysis
Cryptogram type, possible returns:
10. Issuer Authentication
• "External Authentication" - Issuer Authentication Data shall be sent to the ICC
• Task: Check whether host response is valid
• Chip commands: External Authenticate
• The ICC verifies that the host response is a valid host response from the issuer host
11. Script Processing
• Issuer can transmit script commands in response message
• To alter parameters, including PIN
• Block / Unblock Applications
• Block the card
• PIN Change/Unblock
• Terminal transmits these commands to EMV card
• Script 71
• Executed BEFORE calling Generate 2nd AC
• Script 72
• Executed AFTER calling Generate 2nd AC
• Scripts may contain several commands
12. Generate 2nd AC
• Chip command: Generate 2nd AC
• Card gets issuer decision received from host and completes the transaction processing by executing the 2nd Generate AC command
• The chip returns:
• AAC: transaction rejected (if TC was requested)
• from EMV point of view: close/terminate transaction
• TC: transaction accepted
• Do transaction
12. Generate 2nd AC
EMV Spec original text:
• The terminal completes the transaction by requesting
  • either a TC (in the case an approval was obtained)
  • or an AAC (in case the issuer's instruction is to reject the transaction) from the ICC
• If a TC was requested, the ICC shall reply with either a TC or an AAC
• If an AAC was requested, the ICC shall reply with an AAC
• The ICC shall permit at most two GENERATE AC commands in a transaction
• If the terminal issues more than two,
  • the third and all succeeding GENERATE AC commands shall end with SW1 SW2 = '6985', and no cryptogram shall be returned
  • Command not allowed; conditions of use not satisfied
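
The GENERATE AC rules above can be checked mechanically against a logged transaction; the following is an added example, not part of the original slides. The function name, the trace format and the sample traces are assumptions, and the rows for the 1st GENERATE AC go beyond the slide by applying EMV's general rule that a card may downgrade the requested cryptogram but never upgrade it.

```python
# Added example (not from the original slides): audit a logged sequence of
# GENERATE AC exchanges against the rules listed above.
SW_NOT_ALLOWED = "6985"  # command not allowed; conditions of use not satisfied

# Cryptogram types the ICC may return for each requested type. The 2nd-AC rows
# are the slide's rules. The 1st-AC rows are an assumption based on EMV's
# general rule that the card may downgrade (TC > ARQC > AAC) but never upgrade.
ALLOWED = {
    1: {"AAC": {"AAC"}, "ARQC": {"ARQC", "AAC"}, "TC": {"TC", "ARQC", "AAC"}},
    2: {"AAC": {"AAC"}, "TC": {"TC", "AAC"}},
}

def audit_generate_ac(trace):
    """trace: [(requested, returned, sw), ...] in command order, one tuple per
    GENERATE AC; returned is None when no cryptogram came back.
    Returns a list of rule violations (empty if the trace is compliant)."""
    findings = []
    for n, (requested, returned, sw) in enumerate(trace, start=1):
        if n > 2:  # third and all succeeding commands must be refused
            if sw != SW_NOT_ALLOWED or returned is not None:
                findings.append(f"#{n}: ICC answered a GENERATE AC beyond the second")
        elif requested not in ALLOWED[n]:
            findings.append(f"#{n}: terminal requested {requested}")
        elif returned not in ALLOWED[n][requested]:
            findings.append(f"#{n}: {requested} requested, ICC returned {returned}")
    return findings

# Constructed traces for illustration (not captured from a real card).
GOOD = [("ARQC", "ARQC", "9000"), ("TC", "TC", "9000"), ("TC", None, "6985")]
BAD = [("ARQC", "ARQC", "9000"), ("AAC", "TC", "9000"), ("TC", "TC", "9000")]

if __name__ == "__main__":
    print(audit_generate_ac(GOOD))
    print(audit_generate_ac(BAD))
```

A finding on the second command, such as a TC returned after an AAC was requested, means the card approved a transaction the issuer had declined.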
The entire EMV transaction
• ARQC - Authorization Request Cryptogram
  • From terminal to Issuer
  • Cryptogram generated by the ICC during 1st AC for transactions requiring online authorization.
  • The issuer host validates the ARQC during the CAM (Card Authentication Method) process to ensure the card is authentic.
• ARPC - Authorization Response Cryptogram
  • From Issuer to terminal
  • Cryptogram generated by the issuer as a result of the ARQC.
  • Sent to the ICC to ensure that the response came from a valid issuer.