
EMV 101

Michelle Lehouck
EMV Product Manager
CPI Card Group
Card Manufacturing Business Model(s)
Copyright 2012 CONFIDENTIAL
What is EMV?
The globally interoperable standard
specification governing transactions between
chip cards and terminals in the payments
industry is called EMV
From the initials of Europay, Mastercard and Visa
The payment networks that originally developed the
specifications
Today, the EMV standard, its management, and
future development are under the control of
EMVCo, a jointly owned body set up by the
payment networks for this purpose

*Mastercard, An Introduction to EMV, 2012
What is EMV?
EMV creates a stable basis for investment in
chip-based dynamic data payments across
multiple form factors (contact cards, contactless
devices, and mobile devices) and enables
product-level innovation across the payment
ecosystem without compromising
interoperability.
EMV 101
Consumer payment application is resident in a
secure Integrated Circuit Card (ICC) or chip
Contact chips in smart cards
Contactless chips in smart cards or personal devices
such as smart phones
Chip key features
Store information
Perform processing
Secure element which stores secrets and performs
cryptographic functions




Why EMV: Building a Business Case
EMV can transform the purchasing experience
and enable future innovations by making
payments safer, simpler and smarter for both
consumers and customers alike.
Many have upgraded to EMV to reduce fraud;
however, the upgrade to the EMV standard will
also potentially deliver:
Reduced operational costs
Improved risk management
Increased card usage
A wide range of value added opportunities

*Mastercard, An Introduction to EMV, 2012
EMV: Overview of Infrastructure
Card Issuance
Terminal Installation by Acquirer or Merchant
Testing and Certification
The Payment Process
Card Authentication (CAM)
Card Verification (CVMs)
Authorization
Clearing and Settlement
Issuer Host Systems
Acquirer Host Systems
Other Important Features of the EMV Chip
Scripts, Card Network Rules, Chip & Pin, Added value apps
*Mastercard, An Introduction to EMV, 2012
How is the transaction different?
The card generates an EMV Application Cryptogram
(AC) at key transaction points
ACs are signatures, created with a card-unique DES key,
composed of critical data elements that indicate the status at the
transaction point
To indicate if online authorization is required
Authorization ReQuest Cryptogram (ARQC)
At transaction completion
Transaction Certificate (TC) for an
approval
Application Authentication Cryptogram
(AAC) for a decline



How is the transaction different?
Risk management features under acquirer
control to select transactions for online approval
Floor limits
Domestic or retailer criteria
Random transaction selection
Together with issuer chip card
controls, protect against the use
of lost and stolen or counterfeit
cards which attempt to stay beneath
the floor limit

Cardholder Verification Process (CV)
EMV introduces new features for
cardholder verification
Cardholder verification method (CVM) list
Issuer can define multiple CVMs in the card and
define the conditions under which the CVM must
be applied
Offline PIN
Offline Plaintext PIN
Offline Enciphered PIN
EMV still supports traditional methods
Online enciphered PIN, signature, no CVM
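
The CVM list described above is stored on the card as a short byte string (tag 8E in EMV Book 3): two 4-byte amounts followed by 2-byte rules. The decoder below is an added example, not part of the original slides; the sample bytes are constructed and the review() helper is a hypothetical profile-review aid.

```python
# Added example: decode the value of an EMV CVM List (tag 8E, EMV Book 3).
METHODS = {0x00: "fail CVM processing", 0x01: "offline plaintext PIN",
           0x02: "online enciphered PIN", 0x03: "offline plaintext PIN + signature",
           0x04: "offline enciphered PIN", 0x05: "offline enciphered PIN + signature",
           0x1E: "signature", 0x1F: "no CVM required"}
CONDITIONS = {0x00: "always", 0x01: "unattended cash",
              0x02: "not cash and not cashback", 0x03: "terminal supports the CVM",
              0x04: "manual cash", 0x05: "purchase with cashback",
              0x06: "amount under X", 0x07: "amount over X",
              0x08: "amount under Y", 0x09: "amount over Y"}

def parse_cvm_list(value: bytes):
    """Return (amount_x, amount_y, rules) from the raw tag 8E value."""
    if len(value) < 10 or len(value) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte CV rules")
    amount_x = int.from_bytes(value[0:4], "big")
    amount_y = int.from_bytes(value[4:8], "big")
    rules = []
    for i in range(8, len(value), 2):
        code, cond = value[i], value[i + 1]
        rules.append({
            "method": METHODS.get(code & 0x3F, "unknown 0x%02X" % (code & 0x3F)),
            "condition": CONDITIONS.get(cond, "unknown 0x%02X" % cond),
            # 0x40 bit (b7 in EMV numbering): if this CVM is unsuccessful,
            # apply the next rule instead of failing cardholder verification.
            "continue_on_failure": bool(code & 0x40),
        })
    return amount_x, amount_y, rules

def review(rules):
    """Hypothetical review aid: note plaintext PIN and PIN-to-no-CVM fallback.
    Heuristic only; the real outcome depends on terminal support and conditions."""
    notes, pin_continues = [], False
    for r in rules:
        if "plaintext PIN" in r["method"]:
            notes.append("plaintext PIN offered (%s)" % r["condition"])
        if r["method"] == "no CVM required" and pin_continues:
            notes.append("failed PIN can fall through to no CVM")
        if "PIN" in r["method"] and r["continue_on_failure"]:
            pin_continues = True
    return notes

# Constructed sample: X = 0, Y = 0, then four rules in issuer priority order.
SAMPLE = bytes.fromhex("0000000000000000" "4403" "4103" "5E03" "1F00")

if __name__ == "__main__":
    x, y, rules = parse_cvm_list(SAMPLE)
    for rule in rules:
        print(rule)
    print(review(rules))
```
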


EMV Card Standards
ISO 7816 Standards
ISO defines the principal standard for making,
controlling and testing smart cards.
ISO 7816-1
Dimensions and physical constraints
Width: max 85,72 mm, min 85,47 mm
Height: max 54,03 mm, min 53,92 mm
Thickness: 0,76 +/- 0,08 mm
ISO 7816-2
Electrical signals
ISO 7816-3
Communication Protocol
ISO 7816-4
Memory management and inter industry commands
Chip Architecture
Components
RAM: Random Access Memory
CPU: Processor unit (RSA: cryptocontroller)
ROM: Read Only Memory
EEPROM: Electrically Erasable Programmable Read Only Memory
Decisions 101
What chip should I use?
When creating EMV cards there are many factors
that will affect the cost, software and production time.
Start by answering the following questions:
What is the card type?
Choose from the following: Contact, Contactless, Dual Interface
What Association?
Visa, MC, AMEX, Discover, JCB, China UnionPay
Where is the market?
Choose from the following: Domestic, International, Global
When can we meet?
Our technology experts will help define the best technology that fits your
specific needs to determine the optimal solution.
EMV Card Types
Contact:
Reader comes into contact with
the chip

Contactless:
Reader signals chip wirelessly

Dual Interface:
Reader can use contact with chip
or wireless
Memory
How much erasable memory do
you need on this EMV card?

EEPROM is where your service bureau would dynamically
load proprietary applications onto the card, such as an app
of your own or other sector apps on the card. For example: a
ticketing application.

Contact Averages 8k
Dual Interface Averages 12k
More is needed for large
custom applications
Authorization?
SDA - Static Data Authentication
Cheapest, developed for off-line

DDA - Dynamic Data Authentication

CDA - Combined Data Authentication

See appendix for more details
Operating System
What software is supported on the chip?

Open:
JAVA
MULTOS (primarily for MC Banks Only)
GP / VGP: Global Platform, Visa Global Platform
Native (proprietary)

Software Specifications
What level of VISA/MC specifications do you need?

VSDC 2.7.1
MChip4 Select (1.1a, or 1.1b) / MChip4 Advance

If you have picked a JAVA or GP OS, what level
of Java or GP (Global Platform) Card specification
would you like to comply with?

JAVA 2.1.1, Java 2.2.2
GP 2.1.1
Other Manufacturing Questions
Key Ceremony:
CPI can manufacture the card and rotate the public
manufacturing key to a secure issuer. To do this, a
key ceremony will need to be performed with the
issuer and service bureau
Who initializes the card?
CPI in a pre-personalization step?
Service bureau
CAP (Chip Authentication Program) files
These can be loaded at pre-perso and provide for
faster personalization
Association Mandates
EMV in the U.S.
The adoption of dual-interface chip
technology will help prepare the U.S.
payment infrastructure for the arrival of
NFC-based mobile payments by
building the necessary infrastructure to
accept and process chip transactions
that support either a signature or PIN
at the point of sale.
Source: Visa, August 9, 2011
Mandates
Effective October 1, 2012, Visa will expand its
Technology Innovation Program (TIP) to the U.S.

Visa will require U.S. acquirer processors and
sub-processor service providers to be able to support
merchant acceptance of chip transactions
no later than April 1, 2013.

Visa intends to institute a U.S. liability shift for domestic
and cross-border counterfeit card-present point-of-sale
(POS) transactions, effective October 1, 2015.
Source: Visa, August 9, 2011
Recommendations
Source: Visa, October 26, 2011
MasterCard
By April 2013, Acquirers need to be able to
compute EMV transactions (POS/ATMs)
Strongly supports DDA EMV card issuance
(contact or DI) with introduction of PIN
By October 2015, Liability Shift from Association
to Issuer if EMV chip is not enabled on all
financial cards (Credit and Debit); applies to:
Card Present
Card Not Present
Construction 101
Production Process
Lamination, Milling, Embedding
Lamination
Lamination consists of punching and applying
hot melt tape on the micromodule film.

Milling
Milling consists of creating the
cavity that will receive the micromodule.

Embedding
Embedding consists of punching and
picking the micromodule from the film and
inserting it into the milled cavity.
Dual Interface
Compression Technology
Z axis adhesive
Flexible bump
Air coupled
SPS antenna coupling
Hera
Pigtails module soldered to antenna Connections
Dual Interface cont.
More Resources
http://www.smartcardalliance.org/
http://www.cpicardgroup.com/education
http://www.emvco.com/
http://www.linkedin.com/groups?gid=2242262&trk=myg_ugrp_ovr

Appendix

Static Data Authentication (SDA)
Indicates that the signed data on the chip has not been
changed or manipulated
Cards DO NOT require RSA cryptographic processing capability
Each card is personalized with the Issuer public key certificate
and static signed application data
Static signed application data is composed of data elements
personalized onto the card and signed with issuer private key
Terminal performs RSA cryptographic processing using issuer
public key to authenticate signed static application data
Does NOT indicate that card is authenticated offline



Dynamic Data Authentication (DDA)
Indicates that the actual card issued is present at the
point of sale
Cards DO require RSA cryptographic processing capability
Each card is personalized with the issuer public key certificate,
card public key certificate and card private key
Card generates unique signed dynamic application data per
transaction by signing data elements from both the card and
terminal with the card private key
Terminal performs RSA cryptographic processing using card
public key to authenticate signed dynamic application data
DOES indicate that the card is authenticated offline
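
The difference between the SDA and DDA checks described above, from the terminal's side, as an added example that is not part of the original slides. It uses toy textbook RSA with SHA-256 and constructed keys and data in place of EMV's certificate formats and key sizes; all function names are hypothetical.

```python
import hashlib

# Toy textbook RSA (no padding, tiny keys): illustration only, not EMV's formats.
E = 65537

def keypair(p, q):
    """Return (modulus, private exponent) for primes p and q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys built from Mersenne primes; real keys are generated randomly.
ISSUER_N, ISSUER_D = keypair(2**127 - 1, 2**107 - 1)
CARD_N, CARD_D = keypair(2**89 - 1, 2**61 - 1)

# Personalisation: the issuer signs the static data and certifies the card key.
STATIC_DATA = b"PAN=0000000000000000;EXP=1512"  # constructed sample
SSAD = sign(STATIC_DATA, ISSUER_N, ISSUER_D)
CARD_CERT = sign(str(CARD_N).encode(), ISSUER_N, ISSUER_D)

def terminal_sda(static_data, ssad):
    """SDA: proves the data is unaltered; the same bytes verify every time."""
    return verify(static_data, ssad, ISSUER_N)

def card_dda(unpredictable_number):
    """Card side of DDA: sign card data plus the terminal's fresh number."""
    return sign(STATIC_DATA + unpredictable_number, CARD_N, CARD_D)

def terminal_dda(card_n, card_cert, static_data, unpredictable_number, sdad):
    """DDA: check the issuer certified this card key, then the fresh signature."""
    if not verify(str(card_n).encode(), card_cert, ISSUER_N):
        return False
    return verify(static_data + unpredictable_number, sdad, card_n)

if __name__ == "__main__":
    un = b"\x12\x34\x56\x78"  # terminal-chosen value for this transaction
    print("SDA ok:", terminal_sda(STATIC_DATA, SSAD))
    print("DDA ok:", terminal_dda(CARD_N, CARD_CERT, STATIC_DATA, un, card_dda(un)))
```

The SDA check involves no card secret and no per-transaction input, which is why it shows only that the data is unchanged; the DDA signature is valid only for the number the terminal chose for that transaction.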



Combined Data Authentication (CDA)


Dynamic Data Authentication with Application
Cryptogram generation (CDA)
The same personalisation requirements as DDA with an
additional step during card analysis
Cards DO require RSA cryptographic processing
capability
Card generates a dynamic signature using card private
key, in addition to the application cryptogram, to prove
that the card authenticated during DDA was the same
card that provided the application cryptogram
Assists in the detection of an attempted "man-in-the-middle"
attack where the fraudster alters data between
card and terminal to try to keep the card offline

