EMV standard for microchip cards

Smart cards are entering our lives ever more decisively. Mobile phones, access control systems, e-tickets, information security systems, voting systems, electronic passports and various identity cards, bank cards and satellite television are just some examples of their use. Today, several billion smart cards are in circulation worldwide. These are mainly SIM/UICC cards (Subscriber Identification Module/Universal Integrated Circuit Card) for cell phones, bank cards, cards for paying for transport, for calls from public payphones and for commercial television services, cards for government purposes (social cards, electronic passports, etc.) and cards for information security tasks.
According to estimates of the European Association Eurosmart, in 2008, the leading manufacturers of chips for microprocessor cards (Infineon, Renesas Technology, STMicroelectronics, NXP Semiconductors, Samsung, Atmel, etc.) produced more than five billion smart cards. Before the last global financial crisis, smart card sales grew at a rate of 15% per year.
The capabilities of smart cards are also growing. Today, design rules of 0.13 and 0.18 microns are used for their production. Microprocessors manufactured to these design rules can have 4-8 KB of RAM and up to 64-128 KB of non-volatile rewritable EEPROM memory, and can use 32-bit CPUs that operate at a clock frequency of up to 33-66 MHz.
New card characteristics, in turn, make it possible to apply new technologies. The set of functions that secure operations performed with smart cards is expanding, and the characteristics of the card’s communication subsystem are improving. The smart card is gradually being adopted as a secure general-purpose hardware and software platform, becoming an integral element of various information systems. At the same time, the security of computation and the mobility of the smart card (the ability to carry the card with you, for example, in a clothing pocket) remain its main advantages over alternative computing devices.

The most important condition for the mass distribution of smart cards is the availability of standards that define their characteristics and functionality. Today, the basic standard for all types of issued cards is ISO/IEC 7816. It is general in nature, defining requirements for the electrical and mechanical parameters of the card, communication protocols, file structure, data elements, and the smart card command set. Therefore, in particular fields there are specialized standards that refine the ISO/IEC 7816 standard for specific applications. An example of such a refinement of the ISO/IEC 7816 standard in the field of non-cash payments is the EMV specification, whose description takes up a significant part of this book.
The purpose of this book is to give the reader a general, systematic picture of the microprocessor cards used in banking. It can be considered a guide to the four books of the EMV standard and to the payment system specifications created on their basis. This book provides a first insight into the open operating systems used in microprocessor cards, as well as the GlobalPlatform universal platform used for secure remote download, installation, application extradition, and configuration after the card is issued. The role of the GlobalPlatform platform is constantly growing. Today, it has an important place not only in loading applications onto bank microprocessor cards, but also in mobile payments and other applications.
Finally, an entire chapter of the book is devoted to describing the current state of affairs in the field of contactless bank payments.
The book contains a systematic description of the EMV standard. The emphasis is placed on its most important aspects, and the subtleties and implementation details of the underlying methods and algorithms are explained. The book analyzes the impact of migration to microprocessor cards on the security of card transactions and on the bank’s processing system, and offers recommendations on how to choose solutions for the bank’s migration to microprocessor cards.
The first chapter provides an overview of card technology. It describes the architecture of the payment system, its participants, and the distribution of functions and responsibilities between them. Information is provided about the main international standards used for magnetic stripe cards and microprocessor cards, as well as about the standard for inter-host data exchange, which is the basis for the interfaces of bank processing centers with all known payment systems.

A significant part of the first chapter is devoted to the security of operations performed using magnetic stripe cards. A classification of existing types of fraud is given. The chapter describes the main tools available within magnetic stripe card technology to combat card fraud.
The second chapter provides general information about microprocessor cards. It describes the architecture of the chip, its main elements and their characteristics, and the production process of microprocessor cards. A general description is given of the communication protocols used in chip cards and of the card initialization process at the beginning of a payment transaction. In addition, the chapter provides an overview of the multi-platform operating systems Java Card and MULTOS, as well as of GlobalPlatform, which provides secure download, installation and removal of card applications.
In the second chapter, considerable attention is paid to the physical security of the microprocessor card, the various types of physical attacks and ways to counter them. The chapter ends with a description of general trends in the development of microprocessor cards.
The third chapter describes the basics of the logical architecture of microprocessor cards. It gives a detailed account of the card file structure, the commands used, the algorithms for card authentication, the mechanisms that ensure the integrity and confidentiality of information exchanged between the card and the issuer, and the algorithms for calculating the application cryptograms that serve as proof that an operation took place and of its result. Where the functions of the EMV card application are described, explanations are given that allow the reader to understand in detail the algorithms and protocols by which these functions are implemented. The description is based on the latest version of EMV 4.2.
The fourth chapter describes in detail the main stages of transaction processing, starting with the selection of the technology used to perform the transaction, and ending with a description of the Issuer Script Processing procedures and the generation of an application cryptogram.
The fifth chapter is devoted to the procedures for personalization of microprocessor cards. It describes the life cycle of the microprocessor card and the main elements of the EMV Card Personalization Specification standard.
The sixth chapter examines the impact of migration to microprocessor cards on the bank’s system. Possible migration tasks are discussed in detail, as well as the choice of methods for card authentication and cardholder verification, and the requirements for the payment term are given. Attention is paid to the issue of compatibility of terminal and card applications.
The chapter also analyzes the real security of microprocessor card transactions in today’s payment infrastructure and how the use of microprocessor cards helps to fight the main types of card fraud. The issues of key management, the choice of hardware and software platform for the microprocessor card and the configuration of its application, and the impact of migration on the bank’s processing system are also covered.
The seventh chapter is dedicated to contactless cards. It discusses the reasons why payment systems and banks are interested in contactless cards, and details the physical principles underlying contactless card technology, the ISO 14443 standards, the EMV Contactless Communication Protocol, the EMV Entry Point Specification, and the MasterCard PayPass and VISA Contactless standards. The chapter ends with a description of the NFC protocol and ways to implement contactless payments using cell phones. In that context, various models of using the GlobalPlatform platform for downloading a payment application to the SIM/UICC card of a cell phone are considered.
The eighth chapter contains a comparison of the best-known EMV applications (M/Chip, VSDC, and CPA) in terms of their functionality, transactional security, and implementation features.
Accepting that one cannot embrace the boundless, the author has limited himself to a detailed description of the EMV standard, periodically focusing on the features of its implementation in the specifications of leading payment systems. Chapter 8 only summarizes the specifics of implementing the EMV standard in the VSDC, M/Chip 4, and CPA applications. There is no detailed description of the listed applications in the book. At the same time, the reader can be sure that, having understood the basics of EMV-standard microprocessor cards and the information provided here, he will have no difficulty mastering the application specifications for the microprocessor cards of leading payment systems.
The book includes two appendices. Appendix A provides a brief overview of the mathematical foundations of cryptography. Definitions of the basic concepts of algebra (groups, rings, fields) are given and the most important results underlying cryptography are presented. These results are presented at an elementary level, accessible to a reader who does not have a university education in mathematics. Thus, with the necessary perseverance, each reader will be able to understand how the cryptographic algorithms used in the EMV standard are built, at a level that allows them to independently assess the cryptographic strength of the information security methods used in the EMV standard, as well as the time required to implement these methods using various hardware and software tools.
Appendix B includes the basic concepts used in cryptography, a brief overview of symmetric and asymmetric encryption algorithms, and a description of the approach to evaluating the cryptographic strength of encryption algorithms.
There are several names for smart cards: smart card, chip card, and microprocessor card. All of them will be used from time to time in this book. The terms “smart card” and “chip card” are applied to all types of cards that use a chip for processing operations. Microprocessor cards are smart cards whose chip contains a processor capable of performing various types of calculations. Thus, a microprocessor card can independently make the decisions programmed into it by its issuer, without contacting the issuer.
The book uses English equivalents of the terms used in the standard along with translations into Russian. This is done so that the reader can confidently find these terms in the EMV and payment system specifications. In addition, many of these terms have already become elements of card slang, and experts in the field of plastic cards often use them in English.
When describing the various procedures used in the processing of transactions made using the card, two terms are used: “the procedure failed” and “the procedure was unsuccessful”. The difference between the terms is significant. Saying that “the procedure was unsuccessful” means that, during the processing of the operation, the conditions under which the procedure could have been performed were not present. Saying that “the procedure failed” means that the procedure was performed and ended with a negative result.
Let’s illustrate this with the example of the cardholder verification procedure. If no conditions for verification of the cardholder were met when processing the transaction, the verification procedure is said to have been unsuccessful (for example, the terminal analyzed all the conditions defined by the issuer for verification of the cardholder, but the conditions were not met, and as a result verification was not performed). If the cardholder was verified, for example, using the offline PIN verification method and the PIN value entered was incorrect, the wording used is “the verification procedure failed.”
An analogous example is issuer authentication. If the terminal could not send an authorization request to the issuer, or if the issuer did not generate a response cryptogram, issuer authentication cannot be performed, and it is said to have been unsuccessful. If the cryptogram was delivered to the card and the card’s verification showed that the cryptogram was incorrect, issuer authentication is said to have failed.
Finally, we note that the book will use the term “transaction”, which is familiar to banking professionals. This term refers to an operation performed using a plastic card. Examples of transactions are a non-cash purchase operation using a card, cash withdrawals at ATMs, and so on. Sometimes, along with this term, the book uses its synonym — the term “operation”. For this reason, if the book says “processing operations”, it means that we are talking about performing a transaction using a card.
This publication is intended for specialists in the field of information technologies and banking services.