Utkarsh Parhate

EMV Technology Fundamentals - Part II

Updated: Mar 24, 2020

In the previous article we ended the discussion with the AID and what is also called the application selection process. When a retailer deploys a terminal in the marketplace, it is pre-configured with the AIDs of the applications it can support: MasterCard, Visa, Discover, American Express, or any other payment network the retailer plans to support. When the chip is first personalized and sent out to the cardholder, an AID is written to that chip. So when the chip is first inserted into the terminal, the very first thing the terminal does is follow the application selection process: it makes sure that it recognizes the AID on the card and then switches to the logic or process flow appropriate to that particular AID.


In addition to the AID, an extensive data set is involved in an EMV transaction. None of it is additional personal information about the cardholder. People often assume that because there is a chip on the credit card, it must hold additional personal information. In reality, this data consists of:


  • Configuration data

  • Security data

  • Risk management data


This has nothing to do with the cardholder as a person. There is simply a lot more information to manage, both in the setup process and in transaction processing, to use the authentication technology effectively. For instance, there is a dynamic cryptogram called the ARQC (Authorization Request Cryptogram), which works together with the Chip CVC and helps with identification: in theory, to evaluate the channel the transaction came through and to secure that channel against counterfeiting. Suppose I use my chip card at an EMV-compliant POS terminal and someone skims or copies that data, intending to make a magnetic stripe card. They would be taking Chip CVC data and writing it to a magstripe, which is expected to carry CVC 1 data. When the transaction goes through, the authorization system would see that the wrong type of CVC is on the transaction, and the transaction should be declined.



EMV protects the card stock itself and also provides the required transaction security. Security keys must be submitted to the memory of the chip before the chip can be programmed, so if card stock is ever stolen in transit, it is useless unless somebody knows what that security key is.


A second step, before we can use EMV transaction security, is the host setup of the chip security and the EMV transaction: setting up the keys that are used in the transaction process, and setting up the configuration data that tells the chip how it is supposed to operate in different conditions. This is often referred to as data preparation and the key management process. Once everything is set up, the next step is to move to the core of the EMV application and what is used in the transaction process.


Online and Offline Security Functions:

This terminology is different from online or offline transactions. The most important thing to note is the cryptographic technology involved: online security functions use symmetric keys, while offline security functions use asymmetric key technology. There are also risk management decision criteria that govern how the online and offline security functions are performed at the time of the transaction.

Finally, there is the Cardholder Verification Method (CVM), which is used to authenticate the cardholder. The PIN pad uses the CVM list from the chip on the card to determine the type of verification to be performed (e.g. signature, offline PIN or online PIN). The CVM list on the chip establishes a priority of CVMs to be used relative to the capabilities of the PIN pad and the characteristics of the transaction. Some transactions do not need any type of verification: for a low-value transaction, say $3 or $4, there may be no need for verification at all. All these components work together to provide the EMV functionality.
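The CVM list walk described above, as an added example that is not part of the original article. It goes beyond the text by using the byte layout and code values of the CVM List (tag 8E) from EMV Book 3; the function names and the sample list are constructed, only a subset of condition codes is handled, and it models selection only, not the verification itself.

```python
# Added illustration: simplified walk over an EMV CVM List (tag 8E).
# Layout per EMV Book 3: 4-byte amount X, 4-byte amount Y, then 2-byte rules.
import struct

METHODS = {0x01: "offline plaintext PIN", 0x02: "online PIN",
           0x04: "offline enciphered PIN", 0x1E: "signature", 0x1F: "no CVM"}

def parse_cvm_list(raw: bytes):
    """Return (amount_x, amount_y, rules); a rule is (method, continue_on_fail, condition)."""
    if len(raw) < 10 or (len(raw) - 8) % 2:
        raise ValueError("malformed CVM list")
    x, y = struct.unpack(">II", raw[:8])
    rules = [(raw[i] & 0x3F, bool(raw[i] & 0x40), raw[i + 1])
             for i in range(8, len(raw), 2)]
    return x, y, rules

def condition_met(cond, amount, x, y, supported):
    """Subset of condition codes; assumes the transaction is in the application currency."""
    checks = {0x00: True, 0x03: supported,      # always / if terminal supports the CVM
              0x06: amount < x, 0x07: amount > x,
              0x08: amount < y, 0x09: amount > y}
    return checks.get(cond, False)              # unknown condition: bypass the rule

def select_cvm(raw, amount, terminal_methods):
    """Pick the first applicable rule, in the priority order the card sets."""
    x, y, rules = parse_cvm_list(raw)
    for method, cont, cond in rules:
        supported = method in terminal_methods
        if not condition_met(cond, amount, x, y, supported):
            continue                            # rule does not apply, try the next one
        if supported and method != 0x00:        # 0x00 means "fail CVM processing"
            return METHODS.get(method, hex(method))
        if not cont:                            # b7 clear: no fallback to later rules
            return "CVM failed"
    return "CVM failed"

# Constructed sample, amounts in minor units (X = 5.00): no CVM under X,
# otherwise offline enciphered PIN, then online PIN, then signature.
SAMPLE = bytes.fromhex("000001F400000000" "1F06" "4403" "4203" "1E03")

if __name__ == "__main__":
    print(select_cvm(SAMPLE, 300, {0x02, 0x1E, 0x1F}))   # low-value purchase
    print(select_cvm(SAMPLE, 2500, {0x02, 0x1E}))        # PIN pad without offline PIN
```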
