Visa Smart Debit/ Credit Transaction Flow Overview
Nov 07, 2014
This is a Smart Card
A smart card carries a magnetic stripe and a microprocessor: a CPU with ROM, EEPROM and RAM. The chip can hold the Visa Smart Debit/Credit application next to other applications:
– Visa Credit or Debit
– ID (Govt., Health…)
– Loyalty
– Internet Access
VSDC in a Variety of Forms
Visa Smart Debit/Credit
-The VSDC Application-
VSDC Functionality
Magnetic Stripe Image
Offline Data Authentication
Expanded Cardholder Verification
Offline Authorization Controls
Online Card and Issuer Authentication
Post Issuance Updates
-Transaction Flow-
The transaction passes through these stages: Application Selection, Read Card Data, Magnetic Stripe Image, Data Authentication, Cardholder Verification, Terminal Functions, Card Action Analysis, Completion.
The Magnetic Stripe Image (MSI)
The chip carries an image of the magnetic stripe's Track 1 and Track 2 data:
• PAN
• Cardholder Name
• Expiration Date
• Service Code (begins with 2 or 6)
• PVV
• CVV (iCVV (optional))
Example: a $36.98 purchase at a chip POS. The cardholder inserts the chip card into the reader; the Service Code ('2' or '6') marks the card as chip-capable.
*Terminal only reads Mag-Stripe or Chip depending on its capabilities
Different Applications, Different AIDs
A multi-application smart card can carry several applications, each identified by its own Application Identifier (AID). Examples from the slide:
– A0000000031010 = VSDC
– F4840000035210 = Visa Cash LAC
– Indonesian Air and Public Transit applications with their own AIDs (shown as H162D923861C2 and J00469L222A051)
AID Structure
An AID consists of a RID (5 bytes) followed by a PIX (up to 11 bytes), for example A0 00 00 00 03 10 10 for VSDC (RID A0 00 00 00 03, PIX 10 10). Related Visa AIDs:
– A0 00 00 00 03 20 10 = Visa Electron
– F8 40 00 00 03 52 10 = Visa Cash LAC
Terminal Identifies Mutual Applications
The terminal compares the applications it supports with those on the card and keeps the ones both support.
Terminal Applications: K2640089111420, A0000000031010, DF000030016099, 710P0H01888841, A0000000036010
Card Applications:
1. A0000000031010
2. A0000000036010
3. CDA00002107431
4. H162D923861C2
Mutual applications, listed in the issuer's priority order: 1. A0000000031010, 2. A0000000036010. The terminal offers them to the cardholder:
1. VISA CREDIT?
2. VISA CASH?
Please enter your choice:
Terminal selects VSDC application and reads Card Data
The terminal reads the VSDC records from the card. Card Data: MSI, AIP, PK Cert….
The terminal also identifies the static data to be used for Offline Data Authentication (SDA).
Card Supported Risk Management Functions
The terminal identifies the mutually supported Risk Management functions using the card's Application Interchange Profile (AIP):
Byte 1:
bit 7: 1 = Offline Static Data Authentication is supported
bit 6: 1 = Offline Dynamic Data Authentication is supported
bit 5: 1 = Cardholder Verification is supported
bit 4: 1 = Terminal Risk Management is to be performed
bit 3: 1 = Issuer Authentication is supported
bits 2-1: RFU (Reserved for future use)
Byte 2: RFU (‘00’)
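The application selection and AIP decoding described above, as an added example that is not code from the deck: it splits an AID into RID and PIX, builds the candidate list of mutually supported applications in the card's priority order, and decodes AIP byte 1 with the bit meanings given on the slide. The AID lists and the AIP value are constructed sample data.

```python
# Added example (not Visa's code): split an AID into RID and PIX, build the
# candidate list of applications the terminal and card both support in the
# card's (issuer) priority order, and decode AIP byte 1 as the slides define it.
from typing import Dict, List, Tuple

def split_aid(aid_hex: str) -> Tuple[str, str]:
    """Return (RID, PIX): RID is the first 5 bytes, PIX the remaining 0-11 bytes."""
    aid = bytes.fromhex(aid_hex)
    if not 5 <= len(aid) <= 16:
        raise ValueError("AID must be 5 to 16 bytes long")
    return aid[:5].hex().upper(), aid[5:].hex().upper()

def mutual_applications(terminal_aids: List[str], card_aids: List[str]) -> List[str]:
    """Candidate list: AIDs present on both sides, kept in the card's order,
    which is the issuer's priority order."""
    supported = {a.upper() for a in terminal_aids}
    return [a.upper() for a in card_aids if a.upper() in supported]

# AIP byte 1, bit number -> meaning (bit 8 is the MSB, bit 1 the LSB)
AIP_BYTE1_BITS = {
    7: "SDA supported",
    6: "DDA supported",
    5: "Cardholder Verification supported",
    4: "Terminal Risk Management to be performed",
    3: "Issuer Authentication supported",
}

def decode_aip(aip_hex: str) -> Dict[str, bool]:
    """Decode AIP byte 1; byte 2 is RFU and must be '00'."""
    aip = bytes.fromhex(aip_hex)
    if len(aip) != 2:
        raise ValueError("AIP is 2 bytes long")
    if aip[1] != 0x00:
        raise ValueError("AIP byte 2 is RFU and must be '00'")
    return {name: bool(aip[0] & (1 << (bit - 1))) for bit, name in AIP_BYTE1_BITS.items()}

# Constructed sample: terminal list with the deck's VSDC and Visa Electron AIDs;
# card list in the issuer's priority order, with a Visa Cash LAC AID the terminal lacks.
TERMINAL_AIDS = ["A0000000031010", "A0000000036010", "A0000000032010"]
CARD_AIDS = ["A0000000036010", "A0000000031010", "F8400000035210"]

if __name__ == "__main__":
    print(split_aid("A0000000031010"))              # ('A000000003', '1010')
    print(mutual_applications(TERMINAL_AIDS, CARD_AIDS))  # ['A0000000036010', 'A0000000031010']
    print(decode_aip("5C00"))                       # SDA, CVM, TRM, Issuer Auth set; DDA not set
```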
Offline Data Authentication
Purpose: To ensure the card data is authentic and has not
been changed since the card was first personalized. The
results of Offline Data Authentication play a role in later
processing.
Two Types of Offline Data Authentication
Static Data Authentication
– non-skimming counterfeit protection
– similar to CVV
Dynamic Data Authentication
– skimming counterfeit protection
Offline Data Authentication Benefits
Business Use:
– Expansion into new merchant segments
– Reduced authorization costs
Technically:
– Occurs Offline between card and terminal
– Uses RSA public key technology
– Enables secure Offline transactions
Issuer Hashes Critical Card Data Elements
The issuer passes the static card data through the hash algorithm (SHA-1) to produce the 20-byte 'Hash Result'. Recommended card data:
• Application Effective Date
• Application Expiration Date
• PAN
• PAN Sequence Number
• Application Usage Control
• CVM List
• Issuer Action Codes (IACs)
• Issuer Country Code
• Application Interchange Profile (AIP)
Issuer Signs the Hash Result with Private Key
The Hash Result is signed with the issuer's private key using the RSA algorithm. The output is the Signed Static Application Data (S.A.D.), which is personalized onto the chip card.
SDA Requirements Overview
Static Data Authentication (SDA) relies on a three-level key hierarchy (PKI 1, PKI 2, PKI 3):
– Certificate Authority: the CA private key signs the Issuer PK Certificate; the CA public key is distributed to acquirers and loaded into terminals.
– Issuer: the issuer private key signs the static data (Hash Result) to produce the Signed Static Application Data (SAD); the Issuer PK Certificate and the SAD are personalized onto the card.
– Terminal (acquirer): the terminal uses the CA public key to recover the Issuer Public Key from the Issuer PK Certificate, uses that key to recover the Hash Result, the Hash Algorithm Indicator and the other data elements from the SAD, and compares the recovered Hash Result with the terminal's own Hash Result computed over the static data.
DDA Requirements Overview
Dynamic Data Authentication (DDA) adds a third key pair to the hierarchy:
– Certification Authority: CA public key and CA private key; the CA private key signs the Issuer PK Certificate.
– Issuer: issuer public key and issuer private key; the issuer private key signs the ICC PK Certificate.
– ICC: ICC public key (delivered to the terminal in the ICC PK Certificate) and ICC private key, which never leaves the chip and signs the transaction-specific dynamic data.
Processing Restrictions
The terminal compares the Issuer Country Code with the Terminal Country Code and the Card Expiry Date with the Terminal Date.
The terminal also checks the Application's Effective Date and Usage Controls (i.e. Valid for Goods, Services, Cashback, ATM).
Cardholder Verification
Cardholder Verification is used to ensure the cardholder is legitimate and that the card is not lost or stolen.
Enhanced Cardholder Verification
Provides greater control over cardholder verification
– ability to tailor cardholder verification to environment
Introduces Offline PIN
– secure cardholder validation
No Member system changes to validate PIN offline
Reduces lost/stolen fraud losses
VSDC PIN Processing
Three PIN methods are supported:
1. Online PIN: the PIN is DES-encrypted by the terminal and sent online, where the issuer checks it against the Reference PIN.
2. Offline Plaintext PIN: the PIN is sent in the clear from the terminal to the card, which checks it against the Reference PIN stored on the chip.
3. Offline Enciphered PIN: the terminal encrypts the PIN with the ICC Public Key; the card decrypts it with the ICC Private Key and checks it against the Reference PIN.
Terminal Functions
Terminal Risk Management
Prevents fraud by going online with high value transactions periodically.
Three forms of Terminal Risk Management:
- Floor Limit Checking
- Random Transaction Selection
- Velocity Checking
The terminal performs supported risk management checks:
- merchant forced transaction online?
- amount exceeds terminal floor limit?
- account on terminal exception file?
- transaction randomly selected to go online?
- new card?
- consecutive offline transactions?
Terminal Action Analysis (Mandatory)
The terminal reviews the results of:
Offline Data Authentication
Processing Restrictions
Terminal Risk Management
Cardholder Verification
The results are checked against rules set in both the card and terminal to determine whether the transaction should be:
1. Approved Offline
2. Declined Offline
3. Sent Online for Authorization
Terminal Verification Results (TVR) and Issuer Action Codes (IAC)
The TVR records the outcome of each check: Offline Data Authentication, Processing Restrictions, Cardholder Verification and Terminal Risk Management. For each of these areas the Issuer Action Codes say what to do when the check fails: Go Online, or, if the terminal can't go online, Decline.
Terminal Action Analysis combines two rule sets:
– Acquirer rules loaded in the terminal (Visa mandates certain settings)
– Issuer rules (IACs) personalized onto the card
Having compared the TVR with these rules, the terminal requests a cryptogram from the card (a 'TC' when the transaction can be approved offline). The CDOL lists the terminal data used in creation of the cryptogram.
Card Action Analysis
The card's risk management functions take into account three broad areas:
– Activity Checking on Previous Transactions
– New Card Checks
– Velocity Checks
Indicators, Checks on Previous Transaction
[Diagram: Card Verification Results (CVR), Byte 1 to Byte 4, bits 8 to 1. The indicator bits shown are Issuer Script Failure, Issuer Authentication Failure, Last Online Authorization not complete, SDA Failure, DDA Performed / DDA Failed, Issuer Authentication performed and failed on last online transaction, and Issuer Script Processing failed on last transaction. During Initiate Application processing bytes 2-4 are reset to all zeros. The ATC and Last Online ATC are also shown.]
Using Counters and Velocity Checking
[Diagram: ADA (Byte 1): If New Card, Transmit Transaction Online. Counters shown against the CVR: New Card indicator; Lower Consecutive Offline Limit (3) and Upper Consecutive Offline Limit (5) with the 'Unable to go online' and 'Exceeded velocity checking counters' bits; PIN Try Limit (3) counting down 3, 2, 1, 0 to 'PIN Try Limit Exceeded', with 'Offline PIN performed', 'Offline PIN failed' and 'Application blocked, PIN Try Limit Exceeded'; Cumulative Total Transaction Amount against the Cumulative Total Transaction Amount Limit ($50.00); and the Issuer Script Command counter.]
Terminal and Card checks feeding the decision
Terminal:
– Offline Data Authentication: SDA? DDA?
– Processing Restrictions: Usage Controls? International? Expiry Date?
– Cardholder Verification: Offline PIN?
– Terminal Risk Management: Floor Limit? Random? Velocity Checks?
Card:
– Card Action Analysis: Velocity Checks? Prior Transactions? New Card?
Possible outcomes:
– 'TC' Approve Offline: Transaction Approved Offline
– 'AAC' Decline Offline: Transaction Declined Offline
– 'ARQC' Go Online: Transaction Sent Online
Approve, Decline, or Go Online?
Terminal Requests | Card Responds AAC | Card Responds ARQC | Card Responds TC
AAC               | Decline           | x                  | x
ARQC              | Decline           | Go Online          | x
TC                | Decline           | Go Online          | Approve
(x = not allowed: the card may respond with the requested cryptogram type or a more restrictive one, never a less restrictive one)
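The Terminal Action Analysis rules and the "Approve, Decline, or Go Online?" matrix above, as an added example (not Visa's code): the terminal matches the TVR against the card's Issuer Action Codes (Denial, Online, Default) to pick the cryptogram it requests, and the card's reply is capped so it can never be less restrictive than the request. The acquirer's Terminal Action Codes, which are combined the same way, are left out; the TVR and IAC values are constructed.

```python
# Added example (not Visa's code): Terminal Action Analysis over a 5-byte TVR
# using the card's three Issuer Action Codes, then the card's answer capped by
# the "Approve, Decline, or Go Online?" matrix (the card may never respond with
# a less restrictive cryptogram than the terminal requested).
from typing import Tuple

AAC, ARQC, TC = "AAC", "ARQC", "TC"          # decline, go online, approve
RANK = {AAC: 0, ARQC: 1, TC: 2}              # lower = more restrictive
OUTCOME = {AAC: "Transaction Declined Offline",
           ARQC: "Transaction Sent Online",
           TC: "Transaction Approved Offline"}

def tvr_hits(tvr: bytes, action_code: bytes) -> bool:
    """True if any bit set in the TVR is also set in the action code."""
    return any(t & a for t, a in zip(tvr, action_code))

def terminal_action_analysis(tvr: bytes, iac_denial: bytes, iac_online: bytes,
                             iac_default: bytes, can_go_online: bool) -> str:
    """Cryptogram type the terminal requests. (The acquirer's Terminal Action
    Codes are combined with the IACs the same way; omitted here for brevity.)"""
    if len(tvr) != 5:
        raise ValueError("TVR is 5 bytes")
    if tvr_hits(tvr, iac_denial):
        return AAC                                   # decline offline
    if tvr_hits(tvr, iac_online):
        if can_go_online:
            return ARQC                              # go online
        return AAC if tvr_hits(tvr, iac_default) else TC   # can't go online
    return TC                                        # approve offline

def card_response(requested: str, card_decision: str) -> str:
    """Card Action Analysis result limited by what the terminal requested."""
    return min(requested, card_decision, key=RANK.__getitem__)

def decide(tvr_hex: str, iacs: Tuple[str, str, str], can_go_online: bool,
           card_decision: str = TC) -> Tuple[str, str, str]:
    """Return (requested cryptogram, final cryptogram, outcome text)."""
    denial, online, default = (bytes.fromhex(h) for h in iacs)
    req = terminal_action_analysis(bytes.fromhex(tvr_hex), denial, online, default, can_go_online)
    final = card_response(req, card_decision)
    return req, final, OUTCOME[final]

# Constructed sample: TVR byte 1 bit 7 set = SDA failed; IAC-Online and
# IAC-Default both include that bit, IAC-Denial does not.
SAMPLE_IACS = ("0000000000", "FC00000000", "FC00000000")
if __name__ == "__main__":
    print(decide("4000000000", SAMPLE_IACS, can_go_online=True))    # ARQC: sent online
    print(decide("4000000000", SAMPLE_IACS, can_go_online=False))   # AAC: declined offline
    print(decide("0000000000", SAMPLE_IACS, can_go_online=True))    # TC: approved offline
```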
Cryptogram Version 10
Data elements input to the cryptogram (CDOL1 & 2), who supplies them, and the V.I.P. field that carries them online:
Data Element              | Input by | V.I.P. Field #
Amount, Authorized        | Terminal | 147
Amount, Other             | Terminal | 149
AIP                       | Card     | 138
ATC                       | Card     | 137
CVR                       | Card     | 134.3
Terminal Country Code     | Terminal | 145
TVR                       | Terminal | 131
Transaction Currency Code | Terminal | 148
Transaction Date          | Terminal | 146
Transaction Type          | Terminal | 144
Unpredictable Number      | Terminal | 132
BASE/BASE — POS Offline Approval
The diagram shows a $52.95 transaction flowing from the Member Bank (acquirer) through BASE II to the issuer (VisaNet systems shown: BASE I, BASE II, V.I.P., SMS Online, SMS Offline):
1. Transaction is approved offline by chip. Transaction data including chip data and transaction certificate (TC) is sent to acquirer. Transaction has a response code of Y1 or Y3.
2. Acquirer sends a TC05 clearing message with chip data and a Transaction Certificate to BASE II. Cryptogram checking is not done during clearing.
3. BASE II forwards the TC05 to the issuer.
Completion
The Card and Terminal perform final processing to complete the transaction. An Issuer approved transaction may be converted to a decline based upon Issuer Authentication results and issuer-encoded parameters in the Card.
Online Processing
Online Processing Overview
Three components:
(1) Online request processing
(2) Online response processing
(3) Issuer Authentication
Online Card and Issuer Authentication
Allows mutual validation
– Issuer validates card
– card validates Issuer
Uses DES key technology
Provides strongest protection against fraud
– counter measure to skimming
VisaNet Authentication Services
Online Card Authentication
The acquirer forwards the transaction data (PAN, DKI (2), ARQC…) for the $52.95 transaction to VisaNet. VisaNet stores the issuer's Master Derivation Key (MDK) and derives the card's Unique Derivation Key (UDK) from it using the PAN (field 2) and PAN Sequence Number (field 23). With the UDK it recomputes the ARQC over the cryptogram data elements (3rd bit map) using the Triple DES algorithm and compares the result with the ARQC received from the card: "YES", CAM passes; "No", CAM fails.
Key derivation
UDKA = 3 DES (encipher, decipher, encipher) under the double length key (MDK) of PAN + PAN Seq.Nmbr.
UDKB = 3 DES (encipher, decipher, encipher) under the double length key (MDK) of NOT(PAN + PAN Seq.Nmbr).
Derived key = UDKA + UDKB
Double length key (16 bytes):
XX XX XX XX XX XX XX XX YY YY YY YY YY YY YY YY
Key derivation
Sample Data
PAN (Primary Account Number) : 40 00 00 00 00 00 00 10
PAN SEQ NUM : 01
•PAN + PAN SEQ NUM: 40 00 00 00 00 00 00 10 01
(the 16 hex digits to the right are used): 00 00 00 00 00 00 10 01
•NOT(PAN + PAN SEQ NUM):
FF FF FF FF FF FF EF FE
Key derivation
Each half of the derived key is produced by a 3 DES (encipher, decipher, encipher) operation under the double length key (16 bytes) XX XX XX XX XX XX XX XX YY YY YY YY YY YY YY YY:
– UDKA: DES encipher PAN + PAN Seq.Nmbr with the 1st half of the double length key, DES-1 (decipher) the result with the 2nd half, then DES encipher again with the 1st half.
– UDKB: the same three steps applied to NOT (PAN + PAN Seq.Nmbr).
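The UDK derivation from the slides above, as an added example that is not Visa's or EMV's reference code: it forms the two Triple DES inputs (rightmost 16 hex digits of PAN + PAN SEQ NUM, and their complement) exactly as the sample data shows, then derives UDKA + UDKB under the MDK. The Triple DES primitive is injected; the default uses pycryptodome, which is assumed to be installed, and the MDK value is a constructed test value.

```python
# Added example (not Visa's or EMV's reference code): build the two Triple DES
# inputs for UDK derivation from PAN and PAN Sequence Number as the sample-data
# slide shows, then derive UDK = UDKA || UDKB under the issuer's MDK. The 3DES
# primitive is injected; the default uses pycryptodome, assumed to be installed.
from typing import Callable, Tuple

def derivation_inputs(pan: str, pan_seq: str) -> Tuple[bytes, bytes]:
    """Y = rightmost 16 hex digits of PAN || PAN SEQ NUM; second input is NOT(Y)."""
    y_hex = (pan + pan_seq)[-16:].rjust(16, "0")   # left-pad short PANs with zeros
    y = bytes.fromhex(y_hex)
    y_not = bytes(b ^ 0xFF for b in y)             # bitwise complement
    return y, y_not

def tdes_ecb_encrypt(key16: bytes, block8: bytes) -> bytes:
    """DES encipher with K1, DES decipher with K2, DES encipher with K1 (K1||K2 = key16)."""
    from Crypto.Cipher import DES3                 # pycryptodome, imported lazily
    return DES3.new(key16, DES3.MODE_ECB).encrypt(block8)

def derive_udk(mdk: bytes, pan: str, pan_seq: str,
               enc: Callable[[bytes, bytes], bytes] = tdes_ecb_encrypt) -> bytes:
    """Double length UDK: first 8 bytes UDKA, last 8 bytes UDKB."""
    if len(mdk) != 16:
        raise ValueError("MDK must be a double length (16 byte) key")
    y, y_not = derivation_inputs(pan, pan_seq)
    udk_a = enc(mdk, y)          # XX XX XX XX XX XX XX XX
    udk_b = enc(mdk, y_not)      # YY YY YY YY YY YY YY YY
    return udk_a + udk_b

# Constructed sample MDK (test value only; the two halves must differ for Triple DES)
SAMPLE_MDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")

if __name__ == "__main__":
    y, y_not = derivation_inputs("4000000000000010", "01")
    print(y.hex().upper())       # 0000000000001001
    print(y_not.hex().upper())   # FFFFFFFFFFFFEFFE
    print(derive_udk(SAMPLE_MDK, "4000000000000010", "01").hex().upper())
```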
Key derivation
Transport of a double length key: each half of the key to be enciphered is enciphered separately with 3 DES (encipher, decipher, encipher) under the Transport Key (double length):
– 1st half of the key to be enciphered -> 1st enciphered half
– 2nd half of the key to be enciphered -> 2nd enciphered half
Double length keys (16 bytes):
XX XX XX XX XX XX XX XX YY YY YY YY YY YY YY YY
Enciphered key = 1st enciphered half + 2nd enciphered half
Issuer Authentication
The issuer returns the Response Code (field 139) together with an ARPC cryptogram for the $52.95 transaction. The ARPC is computed with the Triple DES algorithm under the UDK from the ARQC and the Response Code (Field 139.2) and is carried in the 3rd bit map. The card recalculates the ARPC with the same UDK and compares it with the issuer's: "YES", Issuer Authentication passes; "No", Issuer Authentication fails.
*AIP indicates Issuer Auth. supported
ADA (Application Default Action) settings:
– If Issuer Authentication is mandatory and no ARPC received, decline transaction
– If Issuer Authentication performed and failed, decline transaction
Card Changes Online Approval to a Decline
When the card-calculated ARPC does not match the ARPC in the issuer response, the card answers with an AAC and the issuer-approved transaction is declined.
BASE/BASE — POS Online Approval w/ Chip Decline
The diagram shows the $52.95 transaction flowing between the Member Bank (acquirer), BASE I / V.I.P. and the issuer in numbered steps 1-13: the terminal sends the ARQC to the acquirer, which forwards a 0100 authorization request carrying the ARQC through BASE I to the issuer; the issuer answers with a 0110 response carrying the ARPC; the card fails Issuer Authentication and responds with an AAC, so the acquirer sends a 0400 reversal* through BASE I to the issuer, answered with a 0410; TC48 messages are also exchanged.
* 0400 may contain notice of issuer authentication failure and, if response contained issuer script, notice of issuer script non-performance.
Post-Issuance Updates
Allows Issuer to change limited information on card
post-issuance
Enhances risk management
– ability to block/unblock account
– update velocity controls
Improves customer service
– change cardholder Offline PIN
Issuer Script Commands
Application Block
Application Unblock
Card Block
PIN Change/Unblock
Put Data
Update Record
Post Issuance Updates
For the $52.95 transaction the issuer returns the ARPC, Response Code and Issuer Script (Field 142) with its MAC; VisaNet passes them through the acquirer to the store. The terminal will display results after the Issuer Script is processed.
Questions?