News

Development of contactless EMV cards

The idea of using a chip that interacts with the outside world using electromagnetic waves, i.e. contactless, appeared in the first half of the 90s. Cards using such chips became known as contactless cards. At first, contactless cards were exclusively memory cards. These cards were mainly used as a means of identifying an object (Radio Frequency ID, or RFID). For example, they were used to detect an object that fell into the reader’s working area (single-bit chips used in anti-theft systems), identify the object (in addition to detecting...

Forgery of the cryptogram type

Let’s focus on another type of fraud on the part of an unscrupulous merchant. In simplified form, fraud looks like this. When a microprocessor card holder applies to a merchant for a purchase, the merchant completes any terminal/card decision by rejecting the transaction. In this case, the cardholder either leaves the merchant with nothing, or pays for the product in cash. Next, the fraudulent merchant sends data on the unsuccessful transaction to the servicing Bank, as if the transaction was completed successfully in offline mode. In...

ARQC cryptogram generation

The CAP standard defines the most common OTP generation algorithm in the banking sector. The essence of CAP technology is as follows. It is assumed that the client has: a card with a standard EMV application that supports the PIN Offline cardholder verification method; a special device with a screen, keyboard, special buttons and a card reader for IPC (we will continue to call it a reader, in the literature it is often called PCR, Personal Card Reader). After the customer has inserted the card into the reader, the latter offers the cardholder to...

GlobalPlatform Card Security Requirements Specification

GlobalPlatform

In the late 1990s, VISA developed a set of VISA OpenPlatform (VOP) standards that defined how applications can be remotely managed on the card, terminal, and systems related to downloading, installing, deleting, and personalization of applications. It soon became clear that in order for the VOP platform to be widely distributed, it had to be as open as possible. As a result, the VOP specifications were transferred by VISA to the OpenPlatform consortium, consisting of a number of organizations that expressed interest in the VOP...

Generating a cryptogram of the EMV transaction

All three applications support the generation of a transaction cryptogram, which acts as proof that the card operation was performed, as well as to ensure the integrity of the data transmitted to the Issuer. The only difference in cryptograms is that the CPA application cryptogram, unlike the M/Chip 4 and VSDC applications, uses the IAD object instead of the CVR object, which includes the CVR object, among other things.

Conclusion. The cryptogram generated in the CPA application, in addition to its main purpose — online authentication of the...

Verification of the card holder

All the applications under consideration support cardholder verification in the same way: verification methods (CVM Code) and their application codes (Condition Code) are the same in all applications and comply with the EMV v. 4.2 standard.

Conclusion. All the applications under consideration support cardholder verification in exactly the same way: the verification methods and their application codes are the same in all applications.

Card risk management procedures

The card’s risk management procedures are the main component of its...

Specification of the EMV standard in the CPA application

Additional requirements for the CPA application

Further refinements of the EMV standard adopted in application CPA are listed below: if the Payment System Environment (PSE) directory is supported on the CCD card, it is the only DDF File on the card. In other words, in the PSE CPA card DEF file, all Directory Entry objects (Tag ‘61’) represent only ADF files. At the same time, the CPA card must support selecting the application by the shortened name of the card application directory (selecting the application by at least 5 higher bytes of DF...

Comparison of EMV-compatible applications

The purpose of this section is to compare the functionality, security, and implementation features of the most popular EMV-compatible applications on the market. These applications primarily include applications of the leading payment systems VISA and MasterCard, known under the brands VSDC and M/Chip, respectively. The previous version of the EMV standard (version 4.1, approved in May 2004) introduced the Common Core Definition (CCD) specification and introduced the concept of a CCD application. The CCD specification specifies the set and...

Security issues for EMV payments

For contactless cards, along with the standard set of security threats typical for contact microprocessor cards, there are special threats associated with the use of a radio channel for data exchange between the reader and the card. Here we can start with the fact that today’s contactless card technology violates certain provisions of the PCI Data Security Standard (PCI DSS). Since the terminal and card dialog data are not encrypted (asymmetric encryption is too slow to meet the requirements for contactless payments), the PCI DSS...

Stage of card manufacturing

To manage SIM/UICC card content, two refinements are required in part of the GlobalPlatform Messaging Specification. The first refinement is related to adding the Controlling Authority role with two functions: controlling the Controlling Authority Security Domain (CASD), which provides secure loading of the initial keys of the card security domains; control of a special security domain that performs the function of mandatory verification of the signature of the downloaded code of the Mandated DAP application. In practice, the role of Controlling...
