News
EMV command analysis
When checking a payment card, the following mandatory steps and optional actions are performed as planned by the user.
Initial analysis of the installed card.
• Card ATR: 3B 6e 00 00 80 31 80 66 B0 84 0C 01 6e 01 83 00 90 00
• contact mode is assumed
• Protocol: t0
Setting the verified payment application as the current application on the card (the operation that starts any payment transaction).
• resets the credit card to eliminate the side effects of previous actions
• sets the current application using the SELECT command
• the following...
CDA method for offline data authentication
CDA method
The offline data authentication method called CDA (Combined Data Authentication) is now the most common for card products. It is the most complex of the offline authentication methods, so analyzing a payment application that uses CDA can be difficult. For this reason, a description is provided of the operations that the card and terminal must perform to carry out offline data authentication using the CDA method. The CDA signature (the certificate provided in the Signed Dynamic Application Data object) is...
Restoring the Issuer’s public key
For a number of actions with the payment application (performing offline data authentication, presenting an encrypted PIN code), the terminal must have the card’s public key. To get the card’s public key from the payment application data, the terminal must first restore the Issuer’s public key from the Issuer’s public key certificate, which is signed with the private key of the Certification Authority (CA). The following is an algorithm for this process. The terminal performs the following steps to verify the Issuer’s public key...
Tracing EMV cryptographic operations
Tracing cryptographic operations.
If you enable tracing of the data exchange with the card, the log will contain information about the commands sent to the card and the responses received from the card. Fig. 15 shows a fragment of the log with tracing of the data exchange with the card enabled (the lines explaining how to work with the card are highlighted in red). For each command, the log displays its encoding, the data transmitted with the command, the data received from the card, and the status bytes (the card return code). Keep in mind that...
Control the security of the EMV standard
Additional check
A group of control elements that define additional checks performed during the card analysis process allows you to perform the following checks:
▪ checking the PSE (Payment System Environment)
▪ analysis of the PPSE (Proximity Payment System Environment)
▪ display of information from the payment application’s transaction log, if supported
▪ getting and analyzing objects using the GET DATA command
The following is a brief description of these additional features for checking the payment application and its...
Online processing emulation EMV parameters
It should be said at once that online processing is modeled only for contact mode, since in contactless mode the terminal emulator always performs the transaction in one touch of the terminal. After the emulator finishes working with the card and gets all the data from it, it considers processing complete. In a real terminal, the Issuer’s response is analyzed and a decision is made to approve or reject the transaction. These actions are never performed in the terminal emulator, because they will not provide anything new for...
EMV Cryptography – Common Core Definitions
Let’s analyze why the terminal needs the public keys of payment systems (more precisely, the keys of payment system certification centers) to perform a transaction. As described earlier (see the section “Security Issues”), in order to get access to the card’s RSA public key, the terminal must first restore the Issuer’s public key from the certificate of this key, which is signed with the private key of the Certification Authority (CA). Why does the terminal need the card’s RSA public key? First, to perform offline data authentication....
EMV application and monitor
The workplace of the ECV testing complex consists of a special smart card reader with a license card installed and a payment card verification program that functions only if it detects that the special smart card reader is connected. Other smart card readers can also be connected to the workplace of the test suite, but the special device with a license card installed is required. The only reason for this is that Scantek licenses the use of the ECV testing suite by means of a license card. All smart card readers that the ECV testing suite works with are PCSC...
Processing a transaction in contactless mode
After an application is selected, the terminal’s Entry Point passes control to the kernel that corresponds to that application, and the kernel is activated. The kernel completes processing by generating a result for the Entry Point. Possible results of kernel processing are rejection of the transaction or approval in offline mode, sending the transaction to the Issuer for authorization, a requirement to switch to contact mode, and so on. One of the main features of working in contactless mode is that the transaction is usually performed in one touch...
EMV Contactless Application
Authentication Data and updated data of their own checks (TVR). In the second GENERATE AC command, the terminal can request the card to generate one of the following cryptograms.
• AAC cryptograms if the transaction should be rejected.
• TC cryptograms if the terminal believes that the transaction should be approved.
The decision-making process for the card after receiving the second GENERATE AC command includes the following steps.
1. If the terminal requests an AAC cryptogram, the card generates the requested cryptogram.
2. When the terminal...