Introduction to EMV standards

The most important condition for mass distribution of smart cards is the availability of standards that define their characteristics and functionality. Today, the basic standard for all types of issued cards is ISO/IEC 7816. It is general in nature, defining requirements for electrical and mechanical parameters of the card, communication protocols, file structure, data elements, and the smart card command system. Therefore, in certain areas of human activity, specialized standards are emerging that refine and extend the ISO/IEC 7816 standard for specific applications. An example of such a standard is the EMV specifications, which are described in this book together with related issues of non-cash payments.
The purpose of this article is to give the reader a general, systematic understanding of EMV-standard microprocessor cards. This is a guide to the EMV standard and the payment system specifications created based on it.

The first chapter gives a general idea of card technology. It describes the architecture of the payment system, its participants, and the distribution of functions and responsibilities between them. It contains information about the main international standards used for magnetic stripe cards and microprocessor cards, as well as the standard for inter-host data exchange, which is the basis of the interfaces of bank processing centers with all known payment systems. A significant place in the chapter is occupied by the problem of security of operations performed using magnetic stripe cards. A classification of existing types of fraud is given. The chapter describes the main tools available within magnetic stripe card technology to combat card fraud.
The second chapter provides general information about microprocessor cards. It describes the architecture of the chip, its main elements and their characteristics, and the production process of microprocessor cards. A general description of the communication protocols used in chip cards and of the card initialization process at the beginning of a payment transaction is given. It also provides an overview of the multi-application Java Card/GlobalPlatform and MULTOS operating systems. Considerable attention is paid to the physical security of the microprocessor card, various types of physical attacks and ways to counter them. The chapter ends with a description of general trends in the development of microprocessor cards.
The third chapter describes the basics of building a logical architecture of microprocessor cards. It provides a detailed view of the file structure of the card, the commands used, the card authentication algorithms, the mechanisms that ensure the integrity and confidentiality of information exchange between the card and the Issuer, and the algorithms for building application cryptograms, which serve as evidence of the result of the completed operation. The algorithms are accompanied by explanations that make it possible to understand their operation, and that of the protocols, in detail. The description is based on the latest version of the EMV 4.1 standard.
In the fourth chapter, the main steps of transaction processing are discussed in detail, starting with the choice of transaction execution technology and ending with the description of the Issuer Script Processing procedures and generation of the application cryptogram.
The fifth chapter is devoted to the procedures for personalization of microprocessor cards. The life cycle of the microprocessor card and the main elements of the EMV Card Personalization Specification are described.
The sixth chapter of the article deals with the impact of EMV migration on the bank's processing system. Possible solutions to the migration problem are discussed in detail, as well as the choice of the card authentication method and the cardholder verification method, and the requirements for the payment terminal are given. Special attention is paid to the compatibility of terminal and card applications. Of particular interest is the analysis of the real security of transactions on microprocessor cards in today's payment infrastructure and of how the use of microprocessor cards makes it possible to combat the main types of card fraud. The issues of key management, choice of hardware and software platform for the microprocessor card and configuration of its application, and the impact of migration on the bank's processing system are also covered.
The article includes two appendices. Appendix A provides a summary of the mathematical foundations of cryptography at the elementary level. The definitions and main results of algebra used in cryptography are given, and these results are presented in an elementary language accessible to the reader who does not have a university mathematical education. Thus, armed with the necessary perseverance, each reader will be able to understand the "device" of cryptographic algorithms used in the EMV standard at a level that allows them to independently assess the cryptographic strength of the information security methods used in the standard, as well as the time required for their implementation using various hardware and software tools.
Appendix B includes the basic concepts used in cryptography, a brief overview of symmetric and asymmetric encryption algorithms, and a description of the approach to evaluating the cryptographic strength of encryption algorithms.
Accepting Kozma Prutkov's thesis about the impossibility of embracing the vast, the author limited the article to the EMV standard only, periodically dwelling on the features of its implementation in the specifications of leading payment systems. The reader can be sure that, having understood the basics of EMV microprocessor cards, it will not be difficult to master the specifications for microprocessor cards of leading payment systems.
There are many names for smart cards (smart card, chip card, and microprocessor card), and they will be used periodically in this article. The terms "smart card" and "chip card" are used for all types of cards that use a chip for processing operations. Microprocessor cards are smart cards whose chip contains a processor capable of performing various types of calculations. Thus, a microprocessor card can independently make decisions programmed by its Issuer without contacting the Issuer.
The article uses English equivalents of the terms used in the standard along with translations into Russian. This is done so that the reader can confidently find these terms in the EMV and payment system specifications. In addition, many of these terms have already become elements of card slang, and experts in the field of plastic cards often use them in English.
When describing the various procedures used in processing an operation performed using the card, the terms "the procedure failed" and "the procedure was unsuccessful" are used. The difference between the terms is significant. Saying that "the procedure was unsuccessful" means that no conditions occurred during the processing of the operation under which the procedure could have been performed. When it is said that "the procedure failed", it means that the procedure was performed and had a negative result.
Let's illustrate this with an example of cardholder verification. If, during the processing of a transaction, none of the conditions that allow the cardholder verification procedure to be performed arose, then it is said that the verification procedure was unsuccessful (the terminal analyzed all the conditions defined by the Issuer for verifying the cardholder, but the conditions were not met, and verification was not performed). If the cardholder was verified, for example, using the offline PIN verification method, and the entered PIN value was incorrect, then we need to say that the verification procedure failed.
A similar example is the authentication of the Issuer. If the terminal failed to send an authorization request to the Issuer or if the Issuer did not generate a response cryptogram, the Issuer's authentication cannot be performed, and it is said that it was unsuccessful. If the cryptogram was delivered to the card and the card's cryptogram check shows that it is incorrect, it is said that the Issuer's authentication failed.
Finally, we note that the article uses the term “transaction”, which is familiar to banking specialists. This term refers to an operation performed using a plastic card. Examples of transactions are a purchase operation using a card, a cash withdrawal at ATMs, etc. Sometimes, along with this term, the article uses its synonym — the term “operation”. Therefore, if the article says “processing an operation”, it means that we are talking about performing a transaction using a card.
This publication is intended for specialists in the field of information technology and banking services.