EMV/Chip Cards – What is it?
Payment systems standard for integrated chip cards and devices; developed by Europay, MasterCard and Visa to ensure interoperability.
Defines minimum functionality for debit and credit payment applications to ensure correct operation and interoperability– Some mandatory requirements and a wide range of optional features and Characteristics. Basis for chip migration by payment schemes in markets around the world.
Supported Mechanisms
· Static data authentication (SDA)
· Dynamic data authentication (DDA)
· Combined DDA and application cryptogram generation (CDA)
Basics of SDA
· Performed by terminal
· Confirms legitimacy of critical ICC-resident static data
· Detects unauthorized alteration of data after personalization
Settings and process of SDA
· Public key of CA is stored in each terminal
· Public key of issuer bank is certified by CA and stored on ICC
· Static application data are signed by issuer bank and stored on ICC
Security of SDA
· Based on secrecy of private RSA keys
· Counterfeiting/duplication not solved
DDA: Dynamic Data Authentication
Basics of DDA
· Performed by terminal & card (ICC with coprocessor required)
· Confirms legitimacy of critical ICC-resident/generated data and data received from terminal.
· Detects counterfeited/duplicated cards
Settings and process of DDA
· Similar as for SDA
· New unique ICC RSA key pair is stored on each card
· ICC private key is securely stored (cannot leave the card)
· ICC public key is signed & stored together with static application data
· Terminal sends random challenge to be signed by ICC private key
Security of DDA
· Based on secrecy of private RSA keys
· The chip card must be able to protect ICC private key
CDA: Combined DDA and Application Cryptogram (AC) Generation
Basics of CDA
Performed by terminal & card in parallel with card action analysis.
Settings and process of CDA
· Similar as for DDA
· Random challenge is a part of request for AC
· Signed AC contains this random challenge
Security of CDA
· Extra security for AC
· Advantage if secure communication between terminal and ICC cannot be guaranteed.
Automatic Risk Management
Protects against offline undetectable threats
Decides if transaction should be:
approved offline, declined offline, or transmitted online
· Terminal risk management
· Floor limit checking
· Random transaction selection
· Velocity checking
Terminal & card action analysis
· T: reject transaction offline
· C: reject offline
· T: transaction should go online
· C: go online _ reject offline
· T: transaction might be completed offline
· C: go online _ reject offline _ approve offline
EMV Offline Data Authentication
The goal is offline detection of fake (altered/duplicated) cards
Based on asymmetric cryptography (namely on RSA)
RSA public key must be always 3 or 216 − 1
Existence of a certification authority (CA) is required
Integrity of transmitted public keys must be secured
Each EMV terminal must contain actual CA public key
Basic Terminology
· Merchant, payee
· Cardholder, customer, payer, or simply user
· Card issuer, cardholder’s bank, or simply bank
· Fraud, a deception made for a personal gain
· All parties should be protected against the fraud
· Unauthorized and illegal use of a credit card to purchase property
· ICC, an acronym for integrated circuit(s) card
Great write up for us all to read.We will appreciate if you will treat other issues that relate to ATM operation in Nigeria.
ReplyDelete