List of commands used in EMV applications

List of commands used in EMV applications:

CLA    INS    Command
'8x'   '1E'   APPLICATION BLOCK
'8x'   '18'   APPLICATION UNBLOCK
'8x'   '16'   CARD BLOCK
'00'   '82'   EXTERNAL AUTHENTICATE
'8x'   'AE'   GENERATE APPLICATION CRYPTOGRAM
'00'   '84'   GET CHALLENGE
'8x'   'CA'   GET DATA
'8x'   'A8'   GET PROCESSING OPTIONS
'00'   '88'   INTERNAL AUTHENTICATE
'8x'   '24'   PERSONAL IDENTIFICATION NUMBER (PIN) CHANGE/UNBLOCK
'00'   'B2'   READ RECORD
'00'   'A4'   SELECT
'00'   '20'   VERIFY
'8x'   'Dx'   Reserved for the payment system
'8x'   'Ex'   Reserved for the payment system
'9x'   'xx'   Reserved for card manufacturers
'Ex'   'xx'   Reserved for the Issuer

In addition to these commands, VISA and MasterCard payment systems use additional PUT DATA and UPDATE RECORD commands in their applications, which are used to change the card data by the Issuer.
READ RECORD. The command reads a record from a linear file and has the following structure:

Code   Value
CLA    '00'h
INS    'B2'h
P1     Number of the record to read
P2     xxxxx100: bits b8-b4 hold the SFI, bits b3-b1 are '100' (P1 is a record number)
Lc     Missing
Data   Missing
Le     '00'h

The SFI value lies in the range from 1 to 10. The response to a successfully completed READ RECORD command contains the record that was read. For a successfully completed command, SW1 = '90'h, SW2 = '00'h.

GET DATA. The command reads the data objects ATC (Tag '9F36'), Last Online ATC Register (Tag '9F13') and PIN Try Counter (Tag '9F17') and has the following structure:

Code     Value
CLA      '00'h
INS      'CA'h
P1, P2   Tag of the parameter to read
Lc       Missing
Data     Missing
Le       '00'h

The response to a successfully completed GET DATA command contains the parameter that was read. For a successfully completed command, SW1 = '90'h, SW2 = '00'h.
GET PROCESSING OPTIONS. The command signals the card to start processing the transaction. The card response contains the AIP (Application Interchange Profile) and AFL (Application File Locator) data objects. The command has the following format:

Code     Value
CLA      '80'h
INS      'A8'h
P1, P2   '00'h; other values are reserved
Lc       Variable
Data     Data in accordance with the PDOL
Le       '00'h

The data field of the GET PROCESSING OPTIONS command contains the data objects listed in the PDOL (Processing Options Data Object List). The PDOL can be stored in the FCI Proprietary Template of the selected card application and is passed to the terminal in the response to the SELECT command when the card application is selected.
The data field of the GET PROCESSING OPTIONS response consists of a BER-TLV encoded data object. There are two possible presentation formats.
Format 1. The data object returned in the response to the GET PROCESSING OPTIONS command is a primitive data object with Tag '80'. The value field consists of the Application Interchange Profile (AIP) and Application File Locator (AFL) fields, concatenated without separators.

Format 2. The data object returned in the response to the GET PROCESSING OPTIONS command is a constructed data object with Tag '77'. The value field can contain several BER-TLV encoded objects, including the AIP and AFL objects.
For a successfully completed command, SW1 = '90'h, SW2 = '00'h.
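The two GET PROCESSING OPTIONS response formats and the READ RECORD P2 encoding from the section above, worked through as an added example that is not part of the original page: a minimal BER-TLV parser extracts AIP and AFL from a response in either format, and the AFL is expanded into the READ RECORD C-APDUs that the terminal issues next. Function names and the sample responses are my own constructions, not captured from a card.

```python
# Added example, not from the original page. Decodes a GET PROCESSING OPTIONS
# response (Format 1, tag 80, or Format 2, tag 77) and expands the AFL into
# READ RECORD C-APDUs. Sample responses below are constructed for illustration.

def parse_tlv(data):
    """Minimal BER-TLV parser: returns a list of (tag_hex, value_bytes)."""
    out, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding between objects
            i += 1
            continue
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:      # multi-byte tag, e.g. 9F36 or 5F24
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                   # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out.append((tag, bytes(data[i:i + length])))
        i += length
    return out

def parse_gpo_response(resp):
    """Return (AIP, AFL) from the GPO R-APDU data field, Format 1 or Format 2."""
    objs = dict(parse_tlv(resp))
    if "80" in objs:                        # Format 1: AIP (2 bytes) || AFL
        return objs["80"][:2], objs["80"][2:]
    inner = dict(parse_tlv(objs["77"]))     # Format 2: template with tags 82 and 94
    return inner["82"], inner["94"]

def afl_to_read_records(afl):
    """Expand 4-byte AFL entries into READ RECORD APDUs: CLA 00 INS B2 P1 rec P2 SFI<<3|4."""
    if len(afl) % 4:
        raise ValueError("AFL must be a multiple of 4 bytes")
    apdus = []
    for i in range(0, len(afl), 4):
        sfi, first, last, sda = afl[i] >> 3, afl[i + 1], afl[i + 2], afl[i + 3]
        if sfi == 0 or first == 0 or last < first or sda > last - first + 1:
            raise ValueError("malformed AFL entry " + afl[i:i + 4].hex())
        for rec in range(first, last + 1):
            apdus.append(bytes([0x00, 0xB2, rec, (sfi << 3) | 0x04, 0x00]))
    return apdus

# Constructed samples: AIP 1C00; AFL = SFI 1 records 1-2, SFI 2 records 1-3 (1 SDA record).
GPO_FORMAT1 = bytes.fromhex("800A1C000801020010010301")
GPO_FORMAT2 = bytes.fromhex("770E82021C00940808010200" + "10010301")
```

Both sample responses decode to the same AIP and AFL, and the AFL yields five READ RECORD APDUs with P2 = '0C'h for SFI 1 and '14'h for SFI 2.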
GET CHALLENGE. This command obtains a random number from the card, which the terminal needs for various cryptographic procedures. For example, in the EMV standard the command is used in the procedure for enciphering the PIN when it is transmitted between the card and the terminal.
The result of the command (the random number obtained) can be used only by the command that immediately follows GET CHALLENGE. The command has the following format:

The data field of the card response to the GET CHALLENGE command contains the random number. For a successfully completed command, SW1 = '90'h, SW2 = '00'h.
SELECT. This command selects a PSE, DDF or ADF file by file name. The command has the following format:

Code   Value
CLA    '00'h
INS    'A4'h
P1     00000100 (select by name)
P2     '00'h or '02'h
Lc     '05'h to '10'h
Data   File name (PSE, DDF or AID)
Le     '00'h

Possible values of the P2 parameter are shown below:

b8 b7 b6 b5 b4 b3 b2 b1   Value
0  0  0  0  0  0  0  0    First or only occurrence
0  0  0  0  0  0  1  0    Next occurrence

The value P2 = '02'h is used in the procedure for selecting an application by partial file name. The card may not support this P2 value.
The data field of the R-APDU returned in response to a SELECT command selecting a DDF file has the form:

Tag      Value                                                                                               Presence
'6F'     FCI Template                                                                                        Required
'84'     DF Name                                                                                             Required
'A5'     FCI Proprietary Template                                                                            Required
'88'     SFI of the directory file                                                                           Required
'BF0C'   FCI Issuer Discretionary Data                                                                       Optional
'XXXX'   One or more additional data elements for the application provider, Issuer, card manufacturer, etc.   Optional

For a successfully completed command, SW1 = '90'h, SW2 = '00'h.
INTERNAL AUTHENTICATE. This command initiates the calculation by the card of a digital signature (Signed Dynamic Application Data) over data provided by the terminal, which must include a random number, and is used in the dynamic card authentication procedure. The card response contains the digital signature. The command has the following format:

Code   Value
CLA    '00'h
INS    '88'h
P1     '00'h
P2     '00'h
Lc     Length of the data transmitted to the card
Data   Terminal data
Le     '00'h

The command data field contains the values of the data elements specified by the card Issuer in the DDOL (Dynamic Data Authentication Data Object List).
There are two possible formats for the data field returned in the card response to the INTERNAL AUTHENTICATE command.
Format 1. The returned data object is a primitive object with Tag '80' whose Value field contains the Signed Dynamic Application Data signature.
Format 2. The returned data object is a constructed object with Tag '77' whose Value field contains several BER-TLV encoded objects, including the Signed Dynamic Application Data object.
For a successfully completed command, SW1 = '90'h, SW2 = '00'h.
EXTERNAL AUTHENTICATE. The command asks the card application to check a cryptogram. It is used in the procedure by which the card authenticates its Issuer and has the following format:

Code   Value
CLA    '00'h
INS    '82'h
P1     '00'h
P2     '00'h
Lc     8 to 16
Data   Issuer Authentication Data
Le     Missing

The Data field contains the Issuer Authentication Data object (Tag '91'), consisting of a mandatory 8-byte cryptogram and an optional 1 to 8 bytes of additional information defined by the card Issuer.
For a successfully completed command, SW1 = '90'h, SW2 = '00'h.
VERIFY. This command checks the PIN value in the Offline PIN verification procedure. The VERIFY command is used if the Offline PIN method is selected from the Cardholder Verification Method List.
The command has the following format:

Code   Value
CLA    '00'h
INS    '20'h
P1     '00'h
P2     Qualifier of the reference data
Lc     Variable length
Data   Transaction PIN Data
Le     Missing

The P2 parameter can take the following values:

b8 b7 b6 b5 b4 b3 b2 b1   Value
0  0  0  0  0  0  0  0    Outside EMV
1  0  0  0  0  0  0  0    Plaintext PIN
1  0  0  0  0  x  x  x    Reserved for EMV
1  0  0  0  1  0  0  0    Enciphered PIN
1  0  0  0  1  0  x  x    Reserved for EMV
1  0  0  0  1  1  x  x    Reserved for the payment system
1  0  0  1  x  x  x  x    Reserved for the Issuer

The plaintext PIN block has the format C N P P P P P/F P/F P/F P/F P/F P/F P/F P/F F F (16 four-bit fields, 8 bytes in total). The meaning of the PIN block characters is defined in the following table:

Name   Value
C      Control field: 4-bit binary number '0010'
N      PIN length: 4-bit binary number with valid values from '0100' to '1100' (4 to 12 in decimal)
P      PIN digit: 4-bit binary number with valid values from '0000' to '1001' (0 to 9 in decimal)
P/F    PIN digit or filler, determined by the PIN length
F      Filler: 4-bit binary number '1111'

The following command execution status values are of interest:

SW1     SW2     Value
'90'h   '00'h   The command was executed successfully
'63'h   'Cx'h   x is the number of remaining PIN verification attempts
'63'h   'C0'h   No PIN verification attempts remain; the verification procedure must be blocked

If the PIN verification procedure is blocked, any subsequent VERIFY command must be answered with SW1 = '69'h, SW2 = '83'h.
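The plaintext PIN block layout and the VERIFY status words from the section above, as an added example that is not part of the original page: it builds and validates the 8-byte block (control nibble, length nibble, digits, 'F' filler), frames the VERIFY C-APDU, and maps SW1 SW2 to the states listed in the table. Function names are my own; the sample PINs are constructed.

```python
# Added example, not from the original page. Builds the plaintext PIN block the
# VERIFY command carries (C N P...P F...F), checks it, and interprets the VERIFY
# status words listed above (9000, 63Cx, 63C0, 6983).

def build_pin_block(pin):
    """8-byte plaintext PIN block: control '2', length nibble, digits, 'F' filler."""
    if not (pin.isdigit() and pin.isascii()) or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 decimal digits")
    nibbles = "2" + format(len(pin), "X") + pin   # C = 0010, N = length (4..C)
    return bytes.fromhex(nibbles + "F" * (16 - len(nibbles)))

def parse_pin_block(block):
    """Validate a plaintext PIN block against the table above and return the PIN."""
    nibbles = block.hex().upper()
    if len(block) != 8 or nibbles[0] != "2":
        raise ValueError("bad length or control field")
    n = int(nibbles[1], 16)
    if not 4 <= n <= 12:
        raise ValueError("PIN length nibble outside 4..12")
    pin, filler = nibbles[2:2 + n], nibbles[2 + n:]
    if not pin.isdigit() or filler != "F" * len(filler):
        raise ValueError("non-decimal PIN digit or bad filler")
    return pin

def verify_apdu(pin_block, p2=0x80):
    """VERIFY C-APDU: CLA 00, INS 20, P1 00, P2 80 (plaintext) or 88 (enciphered), no Le."""
    if p2 not in (0x80, 0x88):
        raise ValueError("P2 must be 80 (plaintext PIN) or 88 (enciphered PIN)")
    return bytes([0x00, 0x20, 0x00, p2, len(pin_block)]) + pin_block

def interpret_verify_status(sw1, sw2):
    """Map SW1 SW2 of a VERIFY response to (state, remaining_tries)."""
    if (sw1, sw2) == (0x90, 0x00):
        return "verified", None
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:   # 63 Cx: x attempts remain
        left = sw2 & 0x0F
        return ("blocked", 0) if left == 0 else ("wrong_pin", left)
    if (sw1, sw2) == (0x69, 0x83):             # verification already blocked
        return "verification_blocked", 0
    return "other", None
```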
GENERATE APPLICATION CRYPTOGRAM (GENERATE AC). This command obtains from the card an application cryptogram carrying the result of the transaction. In the command data field the terminal sends the card the transaction and terminal data the card needs in order to decide on the outcome of the operation, together with the terminal's proposed outcome. The cryptogram type returned by the card may, however, differ from the cryptogram type requested by the terminal in the GENERATE AC command.
The command has the following format:

Code   Value
CLA    '80'h
INS    'AE'h
P1     Control parameter
P2     '00'h
Lc     Variable length
Data   Transaction data
Le     '00'h

The control parameter P1 takes the following values in the command:

b8 b7 b6 b5 b4 b3 b2 b1   Value
0  0                      AAC
0  1                      TC
1  0                      ARQC
1  1                      Reserved
         0                Combined DDA/AC requested implicitly
         1                Combined DDA/AC requested explicitly
      x     x  x  x  x    Reserved

Bits b8 and b7 of parameter P1 determine the type of cryptogram requested by the terminal. If the terminal asks the card to perform dynamic card authentication using the Combined DDA/AC Generation method, bit b5 of parameter P1 is set to 1. If the data sent by the terminal to the card contains the Terminal Capabilities data object (Tag '9F33'), bit b5 of parameter P1 may remain 0, since in this case the card can determine by itself that the Combined DDA/AC Generation method will be used. This way of selecting the card authentication method is called implicit selection of the Combined DDA/AC Generation method.
The command response data field consists of a BER-TLV encoded data object. There are two possible presentation formats.
Format 1. The data object returned in the response to the GENERATE AC command is a primitive data object with Tag '80'. The Value field of this object consists of the following data objects, concatenated without separators:

Value                                   Presence
Cryptogram Information Data             Required
Application Transaction Counter (ATC)   Required
Application Cryptogram (AC)             Required
Issuer Application Data                 Optional

Format 2. The data field of the R-APDU in response to the GENERATE AC command is a constructed data object carried in the Tag '77' template. The Value field of this object can contain several BER-TLV encoded objects. The Cryptogram Information Data and Application Transaction Counter objects and the cryptogram computed by the card must be present. If the cryptogram is defined by the Issuer, the interpretation and use of this data are not defined by these specifications.
Format 2 is required when the Combined Dynamic Data Authentication / GENERATE AC card authentication method is used.
The Cryptogram Information Data object returned in the response to the GENERATE AC command has the following structure:

b8 b7 b6 b5 b4 b3 b2 b1   Value
0  0                      AAC
0  1                      TC
1  0                      ARQC
1  1                      AAR
      x  x                Cryptogram defined by a specific payment system
            0             Advice not required
            1             Advice required
               x  x  x    Reason/advice/referral code:
               0  0  0    No information given
               0  0  1    Service not allowed
               0  1  0    PIN Try Limit exceeded
               0  1  1    Issuer authentication failed
               x  x  x    Other values are reserved
For a successfully completed command, SW1 = '90'h, SW2 = '00'h.
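The P1 control byte, the Cryptogram Information Data bit layout and the Format 1 response from the section above, as an added example that is not part of the original page: it encodes P1, decodes a CID byte into its fields, parses a Format 1 value, and checks the page's remark that the returned cryptogram type may differ from the requested one. Function names are my own; the sample response is constructed.

```python
# Added example, not from the original page. Encodes the GENERATE AC control
# parameter P1, decodes the Cryptogram Information Data (CID) byte and parses a
# Format 1 response (CID || ATC || AC || optional IAD). Sample data is constructed.

CRYPTOGRAM_TYPES = {0: "AAC", 1: "TC", 2: "ARQC", 3: "AAR"}
REASON_CODES = {0: "no information given", 1: "service not allowed",
                2: "PIN Try Limit exceeded", 3: "issuer authentication failed"}

def generate_ac_p1(cryptogram_type, cda_requested=False):
    """P1: b8-b7 = requested type (AAC, TC or ARQC), b5 = Combined DDA/AC requested."""
    code = {"AAC": 0, "TC": 1, "ARQC": 2}[cryptogram_type]   # '11' is reserved
    return (code << 6) | (0x10 if cda_requested else 0x00)

def decode_cid(cid):
    """Split the CID byte into its fields as laid out in the table above."""
    return {"type": CRYPTOGRAM_TYPES[cid >> 6],                    # b8-b7
            "payment_system_bits": (cid >> 4) & 0x03,             # b6-b5
            "advice_required": bool(cid & 0x08),                  # b4
            "reason": REASON_CODES.get(cid & 0x07, "reserved")}   # b3-b1

def parse_generate_ac_format1(value):
    """Value of tag 80: CID (1 byte) || ATC (2 bytes) || AC (8 bytes) || IAD (optional)."""
    if len(value) < 11:
        raise ValueError("Format 1 value needs at least 11 bytes")
    return {"cid": decode_cid(value[0]),
            "atc": int.from_bytes(value[1:3], "big"),
            "ac": value[3:11],
            "iad": value[11:]}

def returned_type_acceptable(requested, cid):
    """True if the card answered with the requested type or a lower one
    (TC > ARQC > AAC). AAR is a referral response and is not ranked here."""
    rank = {"AAC": 0, "ARQC": 1, "TC": 2}
    got = decode_cid(cid)["type"]
    return got in rank and rank[got] <= rank[requested]

# Constructed response: AAC, advice required, reason 'PIN Try Limit exceeded',
# ATC 0x0001, an 8-byte AC and a 7-byte IAD.
SAMPLE_FORMAT1 = bytes.fromhex("0A" + "0001" + "0102030405060708" + "06010A03A0B000")
```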

APPLICATION BLOCK (post-issuance command). The APPLICATION BLOCK command blocks the selected application. The command has the following format:

Code   Value
CLA    '8C'h or '84'h
INS    '1E'h
P1     '00'h; other values are reserved
P2     '00'h; other values are reserved
Lc     Number of bytes of data
Data   Message Authentication Code (MAC)
Le     Missing

The response to the command contains only the status bytes. The values SW1 = '90'h, SW2 = '00'h mean that the command was executed successfully, regardless of whether the application was already blocked before the command was executed.
APPLICATION UNBLOCK (post-issuance command). The command removes the block from a previously blocked application. After the APPLICATION UNBLOCK command is successfully completed, the restrictions set by the APPLICATION BLOCK command are removed. The command has the following format:

Code   Value
CLA    '8C'h or '84'h
INS    '18'h
P1     '00'h; other values are reserved
P2     '00'h; other values are reserved
Lc     Number of bytes of data
Data   Message Authentication Code (MAC)
Le     Missing

The response contains only the status bytes. The values SW1 = '90'h, SW2 = '00'h indicate that the command was executed successfully.
CARD BLOCK (post-issuance command). The command permanently blocks all card applications, including those that can be selected implicitly. The command has the following format:

Code     Value
CLA      '8C'h or '84'h
INS      '16'h
P1, P2   '00'h; other values are reserved
Lc       Number of bytes of data
Data     Message Authentication Code (MAC)
Le       Missing

The response contains only the status bytes. The values SW1 = '90'h, SW2 = '00'h mean that the command was executed successfully, regardless of whether the card was already blocked before the command was executed.
After successful execution of the CARD BLOCK command, all subsequent SELECT commands end with the response 'Function not supported' (SW1 SW2 = '6A81'h) and no actions are performed.
PIN CHANGE/UNBLOCK (post-issuance command). This command allows the Issuer either only to unblock the PIN verification procedure, or to unblock the PIN verification procedure and change the PIN value at the same time. After successful execution of the command the card must perform the following actions:
the value of the card's PIN Try Counter is set to the PIN Try Limit;
if required, the PIN value is changed.
When the command is transmitted from the Issuer to the card, the PIN block value must be enciphered.
The command has the following format:

Code   Value
CLA    '8C'h or '84'h
INS    '24'h
P1     '00'h
P2     '00'h, '01'h or '02'h
Lc     Number of bytes in the Data field
Data   Enciphered PIN value + MAC
Le     Missing

The P2 value is '00'h. The values '01'h and '02'h of the P2 parameter are reserved for use by payment systems. If the data field is absent from the command, only the PIN verification procedure is to be unblocked; the PIN value does not change.
There is no data field in the response to the command. For a successfully completed command, SW1 = '90'h, SW2 = '00'h.
UPDATE RECORD (post-issuance command). The command allows the Issuer to change a record in a linear file and has the following format:

Code   Value
CLA    '04'h
INS    'DC'h
P1     Record number
P2     xxxxx100: bits b8-b4 hold the SFI, bits b3-b1 are '100' (P1 is a record number)
Lc     Number of bytes in the Data field
Data   Data to write + MAC
Le     Missing

The data field of the command contains the data to be written and the Message Authentication Code (MAC), which ensures the integrity of the transmitted data and authenticates its source.
There is no data field in the response to the command. For a successfully completed command, SW1 = '90'h, SW2 = '00'h.

PUT DATA (post-issuance command). The command allows the Issuer to change data that is not stored in linear files and has the following structure:

Code     Value
CLA      '04'h
INS      'DA'h
P1, P2   Tag of the parameter to change
Lc       Number of bytes in the Data field
Data     New parameter value
Le       Missing

Data signed by the payment system certification authority to produce the Issuer Public Key Certificate

Field name                                 Length, bytes          Description                                                                                                                                                                                       Format
Certificate Format                         1                      '02'h                                                                                                                                                                                             b
Issuer Identification Number               4                      Leftmost 3 to 8 digits of the Primary Account Number                                                                                                                                             cn 8
Certificate Expiration Date                2                      Date (month and year) after which the certificate is invalid                                                                                                                                      n 4
Certificate Serial Number                  3                      Binary number unique to this certificate, assigned by the Certification Authority                                                                                                                b
Hash Algorithm Indicator                   1                      Identifies the hash algorithm; in the current EMV implementation it takes the value '01'h, corresponding to SHA-1                                                                                 b
Issuer Public Key Algorithm Indicator      1                      Identifies the digital signature algorithm; in the current EMV implementation it takes the value '01'h, corresponding to RSA                                                                      b
Issuer Public Key Length                   1                      Length N_I of the Issuer's public key modulus in bytes                                                                                                                                            b
Issuer Public Key Exponent Length          1                      Length of the public key exponent in bytes                                                                                                                                                        b
Issuer Public Key or its Leftmost Digits   N_CA - 36              If N_I <= N_CA - 36, this field contains the full Issuer public key, padded on the right with bytes of value 'BB'h. If N_I > N_CA - 36, it contains the N_CA - 36 most significant bytes of the key   b
Issuer Public Key Remainder                0 or N_I - N_CA + 36   Present only if N_I > N_CA - 36; consists of the N_I - N_CA + 36 least significant bytes of the Issuer public key                                                                               b
Issuer Public Key Exponent                 1 or 3                 Value 3 or 2^16 + 1                                                                                                                                                                               b

Here N_I is the length of the Issuer public key modulus and N_CA the length of the Certification Authority public key modulus, both in bytes.
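The certificate field layout and the two cases for the Issuer Public Key field (whole key padded with 'BB'h, or leftmost N_CA - 36 bytes plus a Remainder) from the table above, as an added example that is not part of the original page: it assembles the data to be signed from its fields and rebuilds the Issuer modulus from a certificate body plus remainder, rejecting bad padding or a remainder of the wrong length. Function names, the small N_CA and all sample values are my own constructions.

```python
# Added example, not from the original page. Lays out the Issuer Public Key data
# the CA signs (table above) and rebuilds the Issuer modulus from the certificate
# key field plus the optional Issuer Public Key Remainder (tag 92). N_CA is the
# CA modulus length in bytes; the sample uses a deliberately small, constructed N_CA.

def build_issuer_cert_body(n_ca, iin, expiry_mmyy, serial, modulus, exponent):
    """Return (data_to_be_signed, remainder) for a CA modulus of n_ca bytes."""
    n_i, field_len = len(modulus), n_ca - 36
    if not (len(iin) == 4 and len(expiry_mmyy) == 2 and len(serial) == 3):
        raise ValueError("IIN is 4 bytes, expiry 2 bytes, serial number 3 bytes")
    if len(exponent) not in (1, 3) or n_i > 255:
        raise ValueError("exponent is 1 or 3 bytes; key length field is one byte")
    if n_i <= field_len:                       # whole key fits: pad right with 'BB'
        key_field, remainder = modulus + b"\xBB" * (field_len - n_i), b""
    else:                                      # leftmost part only; rest goes in tag 92
        key_field, remainder = modulus[:field_len], modulus[field_len:]
    body = (b"\x02" + iin + expiry_mmyy + serial   # format, IIN, MMYY, serial
            + b"\x01\x01"                          # SHA-1 and RSA indicators
            + bytes([n_i, len(exponent)]) + key_field)
    return body, remainder

def recover_issuer_modulus(body, remainder):
    """Read the fields at their fixed offsets and rebuild the N_I-byte modulus."""
    if body[0] != 0x02 or body[10] != 0x01 or body[11] != 0x01:
        raise ValueError("unexpected certificate format or algorithm indicator")
    n_i, key_field = body[12], body[14:]
    field_len = len(key_field)                 # equals N_CA - 36
    if n_i <= field_len:
        if remainder or key_field[n_i:] != b"\xBB" * (field_len - n_i):
            raise ValueError("bad 'BB' padding or unexpected remainder")
        return key_field[:n_i]
    if len(remainder) != n_i - field_len:
        raise ValueError("remainder must be N_I - N_CA + 36 bytes")
    return key_field + remainder

# Constructed sample values: IIN 412345 (cn, padded with F), expiry 12/28, serial 1.
IIN, EXPIRY, SERIAL = bytes.fromhex("412345FF"), bytes.fromhex("1228"), bytes.fromhex("000001")
```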

Data signed by the Issuer to form the Signed Static Application Data element (Tag '93')

Field name                        Length, bytes   Description                                                                                                         Format
Signed Data Format                1               '03'h                                                                                                               b
Hash Algorithm Indicator          1               Identifies the hash algorithm; in the current EMV implementation it takes the value '01'h, corresponding to SHA-1   b
Data Authentication Code          2               Card-specific code computed by the Issuer during card personalization                                               b
Pad Pattern                       N_I - 26        N_I - 26 bytes filled with the value 'BB'h                                                                          b
Static Data to be Authenticated   Variable        Critical card data whose integrity is being ensured                                                                 -

Example of critical application data

Data element                               Format   Length, bytes                Tag
Application Effective Date                 n 6      3                            '5F25'
Application Expiration Date                n 6      3                            '5F24'
Application Usage Control                  b        2                            '9F07'
Application Primary Account Number (PAN)   cn       up to 10 (up to 19 digits)   '5A'
Application PAN Sequence Number            n 2      1                            '5F34'
Issuer Action Code - Default               b        5                            '9F0D'
Issuer Action Code - Denial                b        5                            '9F0E'
Issuer Action Code - Online                b        5                            '9F0F'
SDA Tag List                               -        -                            '9F4A'

Data objects required for static authentication

Tag      Length, bytes        Value                                               Format
-        5                    Registered Application Provider Identifier (RID)    b
'8F'     1                    Certification Authority Public Key Index            b
'90'     N_CA                 Issuer Public Key Certificate                       b
'92'     N_I - N_CA + 36      Issuer Public Key Remainder, if present             b
'9F32'   1 or 3               Issuer Public Key Exponent                          b
'93'     N_I                  Signed Static Application Data                      b
-        Variable             Static data to be authenticated                     -