EMV 101 Michelle Lehouck EMV Product Manager CPI Card Group
Page 1: EMV 101 May 10 2012

EMV 101

Michelle Lehouck, EMV Product Manager, CPI Card Group

Page 2: EMV 101 May 10 2012

Card Manufacturing Business Model(s)

Copyright © 2012 CONFIDENTIAL

Page 3: EMV 101 May 10 2012

What is EMV?

• “The globally interoperable standard specification governing transactions between chip cards and terminals in the payments industry is called EMV
– From the initials of Europay, Mastercard and Visa
– The payment networks that originally developed the specifications
• Today, the EMV standard, its management, and future development are under the control of EMVCo, a jointly owned body set up by the payment networks for this purpose” *

*Mastercard, “An Introduction to EMV”, 2012

Page 4: EMV 101 May 10 2012

What is EMV?

• EMV creates a stable basis for investment in chip-based dynamic data payments across multiple form factors (contact cards, contactless devices, and mobile devices) and enables product-level innovation across the payment ecosystem without compromising interoperability.


Page 5: EMV 101 May 10 2012

EMV 101

• Consumer payment application is resident in a secure Integrated Circuit Card (ICC) or chip
– Contact chips in smart cards
– Contactless chips in smart cards or personal devices such as smart phones

• Chip key features
– Store information
– Perform processing
– Secure element which stores secrets and performs cryptographic functions


Page 6: EMV 101 May 10 2012

Why EMV: Building a Business Case

• “EMV can transform the purchasing experience and enable future innovations by making payments safer, simpler and smarter for both consumers and customers alike.

• Many have upgraded to EMV to reduce fraud; however, the upgrade to the EMV standard also will potentially deliver:
– Reduced operational costs
– Improved risk management
– Increased card usage
– A wide range of value added opportunities” *

*Mastercard, “An Introduction to EMV”, 2012

Page 7: EMV 101 May 10 2012

EMV: Overview of Infrastructure

• Card Issuance
• Terminal Installation by Acquirer or Merchant
• Testing and Certification
• The Payment Process
– Card Authentication (CAM)
– Card Verification (CVMs)
– Authorization
– Clearing and Settlement
• Issuer Host Systems
• Acquirer Host Systems
• Other Important Features of the EMV Chip
– Scripts, Card Network Rules, Chip & PIN, Added value apps

*Mastercard, “An Introduction to EMV”, 2012

Page 8: EMV 101 May 10 2012

How is the transaction different?

• The card generates an EMV Application Cryptogram (AC) at key transaction points
– ACs are signatures created with a card-unique DES key, composed of critical data elements that indicate the status at the transaction point
• To indicate if online authorization is required
– Authorization ReQuest Cryptogram (ARQC)
• At transaction completion
– Transaction Certificate (TC) for an approval
– Application Authentication Cryptogram (AAC) for a decline


Page 9: EMV 101 May 10 2012

How is the transaction different?

• Risk management features under acquirer control to select transactions for online approval
– Floor limits
– Domestic or retailer criteria
– Random transaction selection

• Together with issuer chip card controls, protect against the use of lost and stolen or counterfeit cards which attempt to stay beneath the floor limit


Page 11: EMV 101 May 10 2012

EMV Card Standards: ISO 7816 Standards

ISO defines the principal standard for making, controlling and testing smart cards.

• ISO 7816-1: Dimensions and physical constraints
– Width: max 85,72 mm, min 85,47 mm
– Height: max 54,03 mm, min 53,92 mm
– Thickness: 0,76 +/- 0,08 mm
• ISO 7816-2: Electrical signals
• ISO 7816-3: Communication Protocol
• ISO 7816-4: Memory management and inter-industry commands


Page 12: EMV 101 May 10 2012

Chip Architecture

Components

• RAM: Random Access Memory
• CPU: Processor unit (RSA: cryptocontroller)
• ROM: Read Only Memory
• EEPROM: Electrically Erasable Programmable Read Only Memory


Page 13: EMV 101 May 10 2012

Decisions 101

Page 14: EMV 101 May 10 2012

What chip should I use?

When creating EMV cards there are many factors that will affect the cost, software and production time. Start by answering the following questions:

What is the card type?
• Choose from the following: Contact, Contactless, Dual Interface

What Association?
• Visa, MC, AMEX, Discover, JCB, China UnionPay

Where is the market?
• Choose from the following: Domestic, International, Global

When can we meet?
• Our technology experts will help define the best technology that fits your specific needs to determine the optimal solution.


Page 15: EMV 101 May 10 2012

EMV Card Types

• Contact: Reader comes into ‘contact’ with the chip

• Contactless: Reader signals chip wirelessly

• Dual Interface: Reader can use contact with chip or wireless


Page 16: EMV 101 May 10 2012

Memory

How much erasable memory do you need on this EMV card?

• EEPROM is where your service bureau would dynamically load proprietary applications onto the card, such as an app specific to you or to another party (sector apps on the card). For example: a ticketing application.
– Contact – Averages 8k
– Dual Interface – Averages 12k
– More is needed for large custom applications


Page 17: EMV 101 May 10 2012

Authorization?

• SDA - Static Data Authentication
– Cheapest, developed for off-line

• DDA - Dynamic Data Authentication

• CDA - Combined Data Authentication

• See appendix for more details


Page 18: EMV 101 May 10 2012

Operating System

What software is supported on the chip?

• Open:
– JAVA
– MULTOS (primarily for MC Banks Only)
• GP – VGP: Global Platform, Visa Global Platform
• Native (proprietary)


Page 19: EMV 101 May 10 2012

Software Specifications

What level of VISA/MC specifications do you need?

• VSDC 2.7.1
• MChip4 Select (1.1a, or 1.1b) / MChip4 Advance

If you have picked a JAVA or GP OS, what level of Java or GP (Global Platform) Card specification would you like to comply with?

• JAVA 2.1.1, Java 2.2.2
• GP 2.1.1

Page 20: EMV 101 May 10 2012

Other Manufacturing Questions

• Key Ceremony:
– CPI can manufacture the card and rotate the public manufacturing key to a secure issuer. To do this, a key ceremony will need to be performed with the issuer and service bureau
• Who initializes the card?
– CPI in a pre-personalization step?
– Service bureau
• CAP (Chip Authentication Program) files
– These can be loaded at pre-perso and provide for faster personalization


Page 21: EMV 101 May 10 2012

Association Mandates

Page 22: EMV 101 May 10 2012

EMV in the U.S.

The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of NFC-based mobile payments by building the necessary infrastructure to accept and process chip transactions that support either a signature or PIN at the point of sale.

Source: Visa, August 9, 2011

Page 23: EMV 101 May 10 2012

Mandates

Effective October 1, 2012, Visa will expand its Technology Innovation Program (TIP) to the U.S.

Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013.

Visa intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions, effective October 1, 2015.

Source: Visa, August 9, 2011

Page 24: EMV 101 May 10 2012

Recommendations


Source: Visa, October 26, 2011

Page 25: EMV 101 May 10 2012

MasterCard

• By April 2013, Acquirers need to be able to compute EMV transactions (POS/ATMs)
• Strongly supports DDA EMV card issuance (contact or DI) with introduction of PIN
• By October 2015, Liability Shift from Association to Issuer if EMV chip is not enabled on all financial cards (Credit and Debit) applies to:
– Card Present
– Card Not Present


Page 26: EMV 101 May 10 2012

Construction 101

Page 27: EMV 101 May 10 2012

Production Process

Lamination Milling Embedding


Page 28: EMV 101 May 10 2012

Lamination

Lamination consists of punching and applying hot melt tape on the micromodule film.


Page 29: EMV 101 May 10 2012

Milling

Milling consists of creating the cavity that will receive the micromodule.


Page 30: EMV 101 May 10 2012

Embedding

Embedding consists of punching and picking the micromodule from the film and inserting it into the milled cavity.


Page 31: EMV 101 May 10 2012

Dual Interface

• Compression Technology

– “Z” axis adhesive

– Flexible bump


Page 32: EMV 101 May 10 2012

Dual Interface cont.

• Air coupled – SPS “antenna coupling”

• Hera
– Pigtails module soldered to antenna connections

Page 33: EMV 101 May 10 2012

More Resources

Page 34: EMV 101 May 10 2012

More Resources

• http://www.smartcardalliance.org/
• http://www.cpicardgroup.com/education
• http://www.emvco.com/
• http://www.linkedin.com/groups?gid=2242262&trk=myg_ugrp_ovr


Page 35: EMV 101 May 10 2012

Appendix


Page 36: EMV 101 May 10 2012

Static Data Authentication (SDA)

• Indicates that the signed data on the chip has not been changed or manipulated
– Cards DO NOT require RSA cryptographic processing capability
– Each card is personalized with the Issuer public key certificate and static signed application data
– Static signed application data is composed of data elements personalized onto the card and signed with issuer private key
– Terminal performs RSA cryptographic processing using issuer public key to authenticate signed static application data
– Does NOT indicate that card is authenticated offline


Page 37: EMV 101 May 10 2012

Dynamic Data Authentication (DDA)

• Indicates that the actual card issued is present at the point of sale
– Cards DO require RSA cryptographic processing capability
– Each card is personalized with the issuer public key certificate, card public key certificate and card private key
– Card generates unique signed dynamic application data per transaction by signing data elements from both the card and terminal with the card private key
– Terminal performs RSA cryptographic processing using card public key to authenticate signed dynamic application data
– DOES indicate that the card is authenticated offline
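
An added illustration, not part of the original slides, of why the terminal's SDA check passes for any copy of the card's readable data while the DDA check does not. It assumes toy RSA keys built from small Mersenne primes and a plain hash-then-sign scheme in place of the real EMV certificate and signature formats; all function names and sample data are constructed for this example.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    # Toy RSA key (n, d) from two primes; far too small for real use.
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

ISSUER_N, ISSUER_D = make_key(2**61 - 1, 2**89 - 1)     # assumed toy issuer key
CARD_N, CARD_D = make_key(2**107 - 1, 2**127 - 1)       # assumed toy card key
STATIC = b"PAN=0000000000000000;EXP=0000"                # constructed sample data

def personalize():
    """Issuer step: static signature (SDA) plus card key certificate (DDA)."""
    return {"static": STATIC,
            "ssad": sign(STATIC, ISSUER_N, ISSUER_D),
            "card_n": CARD_N,
            "card_cert": sign(CARD_N.to_bytes(32, "big"), ISSUER_N, ISSUER_D),
            "card_d": CARD_D}          # private key, never readable off-chip

def dynamic_signature(card, un):
    """Card side of DDA: sign card data plus the terminal's unpredictable number."""
    if "card_d" in card:
        return sign(card["static"] + un, card["card_n"], card["card_d"])
    return card["recorded_sig"]        # a copy can only repeat an old response

def terminal_sda(card):
    return verify(card["static"], card["ssad"], ISSUER_N)

def terminal_dda(card, un):
    cert_ok = verify(card["card_n"].to_bytes(32, "big"), card["card_cert"], ISSUER_N)
    dyn_ok = verify(card["static"] + un, dynamic_signature(card, un), card["card_n"])
    return cert_ok and dyn_ok

def demo():
    genuine = personalize()
    copy = {k: v for k, v in genuine.items() if k != "card_d"}  # readable data only
    copy["recorded_sig"] = dynamic_signature(genuine, b"\x00\x00\x00\x01")
    un = b"\x9a\x3c\x51\x07"           # fresh terminal challenge for this transaction
    return {"sda_genuine": terminal_sda(genuine), "sda_copy": terminal_sda(copy),
            "dda_genuine": terminal_dda(genuine, un), "dda_copy": terminal_dda(copy, un)}
```

`demo()` shows the static signature verifying for both the genuine card and the copy, while only the card holding the private key answers the fresh challenge.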


Page 38: EMV 101 May 10 2012

Combined Data Authentication (CDA)

• Dynamic Data Authentication with Application Cryptogram generation (CDA)
– The same personalisation requirements as DDA with an additional step during “card analysis”
• Cards DO require RSA cryptographic processing capability
• Card generates a “dynamic signature” using card private key, in addition to the “application cryptogram”, to prove that the card authenticated during DDA was the same card that provided the “application cryptogram”
• Assists in the detection of an attempted "man-in-the-middle" attack where the fraudster alters data between card and terminal to try to keep the card offline