News
EMV application and monitor
The workplace of the ECV testing complex is a special smart card reader with a license card installed and a payment card verification program that can only function if it detects a special smart card reader connected. Other smart card readers can also be connected to the workplace of the test Suite, but a special device with a license card installed is required. This is only due to the fact that Scantek licenses the use of the ECV testing Suite using a license card. All smart card readers that the ECV testing Suite works with are PCSC...
Processing a transaction in contactless mode.
After an application is selected, the terminal's Entry Point passes control to the kernel corresponding to that application. The kernel completes processing by generating a result for the Entry Point. Possible results of kernel processing are rejection of the transaction or approval in offline mode, sending the transaction for authorization to the Issuer, requiring switching to contact mode, and so on. One of the main features of working in contactless mode is that the transaction is usually performed in one touch...
EMV Contactless Application
Authentication Data and updated data of their own checks (TVR). In the second GENERATE AC command, the terminal can request the card to generate one of the following cryptograms. AAC cryptograms if the transaction should be rejected. TC cryptograms if the terminal believes that the transaction should be approved. The decision-making process for the card after receiving the second GENERATE AC command includes the following steps. 1. If the terminal requests an AAC cryptogram, the card generates the requested cryptogram. 2. When the terminal...
Consecutive Offline Transaction Amount – COTA
Each of the counters has two limits defined by the Issuer: the lower limit and the upper limit. The card sets the CVR signs of exceeding the specified limits. Any of the counters can be used to limit the amount of money spent in consecutive offline transactions performed by the card. For example, the Issuer wants to use the number of consecutive operations performed offline for this purpose. The logic of limiting offline transactions performed sequentially by the card can be described as follows: if the counter is less than or equal to the...
Risk management cards
Card risk management. An important role in transaction processing is assigned to the card, to which the Issuer delegates functions related to the decision on how to complete the transaction. The card, like the terminal, performs its own risk management procedures (Card Risk Management, CRM). Based on the checks performed, the card analyzes the results obtained and makes its decision (more precisely, the decision of the Issuer) on how to complete the transaction. By analogy with the terminal, the card writes the results of...
EMV Terminal risk management
Procedures performed by the terminal are an element of ensuring the security of payment transactions and include three mechanisms to combat card fraud:
▪ control the size of operations performed on the card
▪ random selection of the transaction for its online authorization by the Issuer
▪ the transaction must be approved offline
▪ the transaction must be sent for authorization to the Issuer
▪ the transaction must be rejected offline
▪ checking offline card usage activity as the card authentication procedures are performed, transaction...
Encryption algorithms for chip card reading
Data on the card. The data that is necessary for the transaction is read by the terminal from the records of the payment application files using the READ RECORD command. But not all the data that the terminal may need is located in the file records. Some data is stored as separate objects and, if necessary, the terminal extracts them from the card using the GET DATA command. Security issues. The most important feature of a payment application is the use of cryptographic functions to improve the security of financial transactions. The main tasks...
Security vulnerabilities in EMV standard
Data on the card. The data that is required to complete the transaction is read by the terminal from the records of the payment application files using the READ RECORD command. But not all the data that the terminal may need is located in the file records. Some data is stored as separate objects and, if necessary, the terminal extracts them from the card using the GET DATA command. Security concerns. The most important property of the payment application is the use of cryptographic functions to enhance the security of financial operations. The main...
Contact mode transaction processing
The terminal reads all entries specified by the card using the READ RECORD command and proceeds to perform the offline data authentication provided by the card. At this point, only SDA or DDA authentication can be performed completely. Data authentication by the CDA method (due to the peculiarities of its implementation) is performed completely only after receiving a response to the first GENERATE AC command. The terminal then proceeds to perform constraint checking procedures on the application (version numbers are checked, the term is...
EMV data object specifications
In EMV specifications, a composite data object is called a template (for example, FCI Template). The data object length field specifies the number of bytes in the object value field. In the EMV standard, the length field is specified by one, two, or three bytes. If the highest bit of the leftmost byte of the length field is 0, the length field occupies one byte and defines the length of the value from 0 to 127. If the highest bit is 1, the subsequent bits determine the number of additional bytes used to represent the length field. The BER-TLV...