Part II (the previous article) ended with an overview of the EMV security functions, online and offline. These security functions can be broken down further into manageable components. In an online transaction there are two components -
Online Card Authentication Methodology: To confirm that the card is legitimate and not counterfeit (cryptogram validation)
New Message Data for Authorization Assessment: To determine, from the chip data that travels with the transaction, whether it shows risk indicators that should lead to a decline
How do we confirm that the card is legitimate and not counterfeit? First of all, the issuer and the card must share a known secret (a shared key): one copy at the issuer location and one on the card itself. At the issuer host that key is kept and used inside a hardware security module (HSM), and embedded in the card there is a crypto processor that performs the cryptographic functions. This is symmetric key technology, in practice Triple DES. In practice the chip does not carry the issuer's master key itself but a card-unique key derived from it (using the account number and card sequence number), so a compromised card exposes only that card's key.
EMV Security Functions performed online:
When the card is inserted into the terminal, at a certain point the terminal requests an ARQC (Authorization Request Cryptogram) from the card. The ARQC is a cryptogram, a MAC computed by the chip with the shared key over the transaction data (amount, currency, date, the terminal's unpredictable number, the card's transaction counter, and so on), so it is dynamic and changes for every single transaction. This is also called dynamic authentication. The ARQC travels, along with the other chip data in DE 55, all the way to the issuer host. The issuer host recomputes the cryptogram with its own copy of the key and compares; if the cryptogram is authentic, the card is confirmed as legitimate, or more precisely, the transaction is confirmed to come from a chip holding the correct key. At this stage the issuer creates another cryptogram, the ARPC, to send back to the card, which lets the card check that a legitimate issuer performed the authentication. The issuer can also send additional commands (issuer scripts) back to the card in the same response. This back and forth between card and issuer, with the terminal relaying the messages, is the foundation of online EMV security.
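The round trip described above, as an added worked example that is not code from the original article. It follows the EMV flow (card-unique key derived from an issuer master key, session key diversified by the transaction counter, ARQC computed over the transaction data, issuer recompute-and-compare, ARPC computed over the ARQC and the response code, replay check on the counter) but substitutes HMAC-SHA256 for the 3DES-based derivation and MAC that EMV actually specifies, so the values are not interoperable with a real card. The issuer master key, PAN and transaction data are constructed demo values; the class and function names are this example's own.

```python
import hashlib
import hmac

# Constructed demo values.  A real issuer master key never leaves the HSM.
DEMO_IMK = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
DEMO_PAN, DEMO_PSN = "4111111111111111", "00"


def derive_card_key(imk: bytes, pan: str, psn: str) -> bytes:
    """Card-unique key from the issuer master key, PAN and PAN sequence number.
    EMV diversifies with 3DES; HMAC-SHA256 stands in for it here (assumption)."""
    return hmac.new(imk, (pan + psn).encode(), hashlib.sha256).digest()


def derive_session_key(card_key: bytes, atc: int) -> bytes:
    """Per-transaction key diversified by the Application Transaction Counter."""
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram_input(tx: dict, atc: int) -> bytes:
    """Data the card MACs (simplified CDOL1, EMV byte widths): amount, currency,
    date, TVR, the terminal's unpredictable number, and the ATC."""
    return b"".join([
        tx["amount"].to_bytes(6, "big"),
        tx["currency"].to_bytes(2, "big"),
        tx["date"],                   # 3 bytes YYMMDD
        tx["tvr"],                    # 5 bytes Terminal Verification Results
        tx["unpredictable_number"],   # 4 bytes, fresh per transaction
        atc.to_bytes(2, "big"),
    ])


def mac(key: bytes, data: bytes, length: int = 8) -> bytes:
    """Truncated MAC; stands in for the ISO 9797-1 3DES MAC EMV specifies."""
    return hmac.new(key, data, hashlib.sha256).digest()[:length]


def compute_arpc(session_key: bytes, arqc: bytes, arc: str) -> bytes:
    """ARPC binds the issuer's answer to this ARQC and response code, so a
    man-in-the-middle cannot turn a decline into an approval."""
    return mac(session_key, arqc + arc.encode(), 4)


class Card:
    """Chip side: holds only its own derived key, never the issuer master key."""

    def __init__(self, pan: str, psn: str, card_key: bytes):
        self.pan, self.psn, self.card_key = pan, psn, card_key
        self.atc, self.last_arqc = 0, b""

    def generate_arqc(self, tx: dict):
        self.atc += 1                                   # counter never repeats
        sk = derive_session_key(self.card_key, self.atc)
        self.last_arqc = mac(sk, cryptogram_input(tx, self.atc))
        return self.atc, self.last_arqc

    def verify_arpc(self, arpc: bytes, arc: str) -> bool:
        """Issuer authentication: did a party holding the key answer us?"""
        sk = derive_session_key(self.card_key, self.atc)
        return hmac.compare_digest(compute_arpc(sk, self.last_arqc, arc), arpc)


class IssuerHost:
    """Issuer side: re-derives the card key, recomputes the ARQC and compares."""

    def __init__(self, imk: bytes):
        self.imk = imk
        self.highest_atc = {}        # per card, for replay detection

    def authorize(self, pan: str, psn: str, atc: int, arqc: bytes, tx: dict):
        """Returns (authorization response code, ARPC or None)."""
        sk = derive_session_key(derive_card_key(self.imk, pan, psn), atc)
        if not hmac.compare_digest(mac(sk, cryptogram_input(tx, atc)), arqc):
            return "05", None        # cryptogram invalid: decline, no ARPC
        if atc <= self.highest_atc.get((pan, psn), 0):
            return "05", None        # replayed or rolled-back counter
        self.highest_atc[(pan, psn)] = atc
        arc = "00"                   # cryptogram good; risk rules would run here
        return arc, compute_arpc(sk, arqc, arc)


def demo_transaction(amount: int = 1250) -> dict:
    """Constructed transaction data as the terminal assembles it (12.50 USD)."""
    return {"amount": amount, "currency": 840, "date": bytes.fromhex("240115"),
            "tvr": bytes(5), "unpredictable_number": bytes.fromhex("a1b2c3d4")}


def run_online_flow(card: Card, issuer: IssuerHost, tx: dict, tamper_amount: bool = False):
    """Card -> terminal -> issuer -> card round trip.  Returns
    (response code, whether the card authenticated the issuer's reply)."""
    atc, arqc = card.generate_arqc(tx)
    forwarded = dict(tx)
    if tamper_amount:                # simulate alteration of DE 55 data in transit
        forwarded["amount"] = tx["amount"] + 10000
    arc, arpc = issuer.authorize(card.pan, card.psn, atc, arqc, forwarded)
    return arc, arpc is not None and card.verify_arpc(arpc, arc)


if __name__ == "__main__":
    card = Card(DEMO_PAN, DEMO_PSN, derive_card_key(DEMO_IMK, DEMO_PAN, DEMO_PSN))
    issuer = IssuerHost(DEMO_IMK)
    print(run_online_flow(card, issuer, demo_transaction()))                      # ('00', True)
    print(run_online_flow(card, issuer, demo_transaction(), tamper_amount=True))  # ('05', False)
```

Two things the paragraph alone does not show: the issuer never needs a per-card key database, because it re-derives the card key from the master key in the HSM; and the ATC gives the issuer a cheap replay check on top of the MAC, which is why a captured ARQC cannot be presented twice.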
In addition to cryptogram validation, the other critical piece of the EMV payment framework is the new authentication data carried in DE 55 (ISO 8583 data element 55, the ICC data), which contains a lot more information about the transaction, starting with the following two parameters -
Terminal Verification Results (TVR, tag 95): five bytes of flags recording what the terminal checked and what failed (offline data authentication, application expiry, cardholder verification, floor limits, and so on)
CVM Results (tag 9F34): which cardholder verification method was performed and whether it succeeded
These two fields are the base of the data that comes in DE 55. More specifically, the field carries the chip's and terminal's record of what happened at the point of sale, so that the issuer's authorization system knows what took place at that terminal. Beyond the Application Cryptogram, the issuer can reconstruct the processing that was performed before authorization was requested, and that information goes through the authorization rules and the fraud rules as well. Issuers therefore adapt their fraud rules to cross-check this additional information and look for any other sign of risk that should lead to a decline.
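What an issuer host does with those two fields, as an added example rather than code from the original article. It parses a constructed DE 55 (minimal BER-TLV), decodes the TVR bits and CVM Results bytes using the meanings from EMV Book 3, and runs a small rule set of the kind the paragraph describes. The rules themselves (decline on failed offline data authentication, on a failed CVM, or on "no CVM" above a limit) are illustrative, not any issuer's actual policy; the cryptogram in the sample DE 55 is a placeholder.

```python
# Bit names follow EMV Book 3 Annex C (TVR) and the CVM codes of Book 3 (9F34).
TVR_BITS = {   # (byte index, bit number with bit 8 = MSB): meaning
    (0, 8): "Offline data authentication was not performed",
    (0, 7): "SDA failed",
    (0, 6): "ICC data missing",
    (0, 5): "Card appears on terminal exception file",
    (0, 4): "DDA failed",
    (0, 3): "CDA failed",
    (1, 8): "ICC and terminal have different application versions",
    (1, 7): "Expired application",
    (1, 6): "Application not yet effective",
    (1, 5): "Requested service not allowed for card product",
    (1, 4): "New card",
    (2, 8): "Cardholder verification was not successful",
    (2, 7): "Unrecognised CVM",
    (2, 6): "PIN Try Limit exceeded",
    (2, 5): "PIN entry required and PIN pad not present or not working",
    (2, 4): "PIN entry required, PIN pad present, but PIN was not entered",
    (2, 3): "Online PIN entered",
    (3, 8): "Transaction exceeds floor limit",
    (3, 7): "Lower consecutive offline limit exceeded",
    (3, 6): "Upper consecutive offline limit exceeded",
    (3, 5): "Transaction selected randomly for online processing",
    (3, 4): "Merchant forced transaction online",
    (4, 8): "Default TDOL used",
    (4, 7): "Issuer authentication failed",
    (4, 6): "Script processing failed before final GENERATE AC",
    (4, 5): "Script processing failed after final GENERATE AC",
}
CVM_CODES = {0x00: "Fail CVM processing", 0x01: "Plaintext PIN verified by ICC",
             0x02: "Enciphered PIN verified online", 0x03: "Plaintext PIN by ICC and signature",
             0x04: "Enciphered PIN verified by ICC", 0x05: "Enciphered PIN by ICC and signature",
             0x1E: "Signature", 0x1F: "No CVM required"}
CVM_RESULT = {0x00: "unknown", 0x01: "failed", 0x02: "successful"}


def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV parser for the primitive one- or two-byte tags in DE 55."""
    out, i = {}, 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:                 # two-byte tag such as 9F34
            tag = (tag << 8) | data[i]
            i += 1
        length = data[i]
        i += 1
        if length == 0x81:                     # long form, one length byte follows
            length = data[i]
            i += 1
        out[tag] = data[i:i + length]
        i += length
    return out


def decode_tvr(tvr: bytes) -> list:
    if len(tvr) != 5:
        raise ValueError("TVR is exactly 5 bytes")
    return [name for (byte, bit), name in TVR_BITS.items() if tvr[byte] & (1 << (bit - 1))]


def decode_cvm_results(cvmr: bytes) -> dict:
    code = cvmr[0] & 0x3F          # bit 7 (0x40) only says "try next rule on failure"
    return {"method": CVM_CODES.get(code, "RFU/proprietary 0x%02x" % code),
            "condition": cvmr[1], "result": CVM_RESULT.get(cvmr[2], "RFU")}


def issuer_risk_rules(tvr: bytes, cvmr: bytes, amount: int):
    """Constructed rule set; returns (response code, reason).  Real issuer rules
    are product specific, but these are the kinds of checks DE 55 enables."""
    flags, cvm = decode_tvr(tvr), decode_cvm_results(cvmr)
    if any(f in flags for f in ("SDA failed", "DDA failed", "CDA failed")):
        return "05", "offline data authentication failed"
    if "Card appears on terminal exception file" in flags:
        return "05", "terminal exception file hit"
    if cvm["result"] == "failed" or "PIN Try Limit exceeded" in flags:
        return "05", "cardholder verification failed"
    if cvm["method"] == "No CVM required" and amount > 5000:
        return "05", "no CVM above the 50.00 no-CVM limit"
    return "00", "approved"


def build_de55(tvr_hex: str, cvmr_hex: str, amount_bcd: str = "000000001250") -> bytes:
    """Constructed DE 55 (ICC data) with a placeholder cryptogram."""
    return bytes.fromhex(
        "9f2608" "0123456789abcdef"        # 9F26 Application Cryptogram (placeholder)
        "9f2701" "80"                      # 9F27 CID: ARQC requested
        "9f3602" "0001"                    # 9F36 ATC
        "9505" + tvr_hex +                 # 95   Terminal Verification Results
        "9f3403" + cvmr_hex +              # 9F34 CVM Results
        "9f0206" + amount_bcd +            # 9F02 Amount, Authorised (BCD)
        "9a03" "240115"                    # 9A   Transaction Date
        "5f2a02" "0840"                    # 5F2A Transaction Currency Code
    )


def assess_de55(de55: bytes):
    """What an issuer host does with DE 55 after the cryptogram check passed."""
    tlv = parse_tlv(de55)
    amount = int(tlv[0x9F02].hex())        # BCD digits to an integer number of cents
    return issuer_risk_rules(tlv[0x95], tlv[0x9F34], amount)


if __name__ == "__main__":
    print(assess_de55(build_de55("0000040000", "420302")))  # online PIN ok -> ('00', 'approved')
    print(assess_de55(build_de55("4000000000", "1f0002")))  # SDA failed    -> ('05', ...)
```

Note that the rules run only after the cryptogram has been validated: the TVR and CVM Results are covered by the ARQC MAC, so a terminal or intermediary cannot quietly clear a "SDA failed" bit without invalidating the cryptogram.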
When EMV technology is implemented, issuers can actually accept more transactions, because every transaction is processed with an enhanced risk assessment methodology. In summary, from an online transaction perspective (online only, with no offline card authentication functionality in use), what the issuer now has is a dynamic cryptogram, the ARQC, which it can validate, plus a next-level authorization rule set that leverages the additional data arriving in the authorization message. The card also supports offline PIN and online PIN as cardholder verification methods, if the issuer chooses to enable them. Finally, there are post-issuance card updates (issuer scripts): if the issuer needs to make a feature change on the card, such as a PIN update or an application block, it can send those commands out in the authorization response. Along with them it returns the Authorization Response Cryptogram (ARPC), computed over the ARQC and the authorization response code, which tells the chip that a legitimate issuer validated it and gives the chip the ability to authenticate the issuer's response.
EMV Security Functions performed Offline:
There are three components of the offline-related security functions -
Offline Card Authentication - The legitimacy of the card can be determined without going online. This is generally performed even when the transaction goes online: the vast majority of EMV cards issued outside the U.S. implement offline card authentication, and the terminal performs it even though the transaction then goes online and leverages the ARQC. So it is important to note that offline card authentication is not just used in offline transactions.
Offline Authorization - The risk management parameters sit on the chip itself, so that if the transaction cannot go online the card decides whether to accept or decline it.
Offline PIN - This is one of the CVM options, and the same point as in item 1 applies: offline PIN is not only used in offline transactions. It is used the majority of the time (98% or more) when the transaction goes online as well, and in that case the additional message data and the ARQC are still validated by the issuer.
Online security and offline security use different technology. The offline technology is public key, or asymmetric key, technology. Why is that used instead of symmetric key technology? With the symmetric keys used online, the host and the card share a secret. As long as there is online connectivity the host can validate the card's cryptogram, because the host holds the secret. Without connectivity the terminal would have to validate the card, and it cannot do so without knowing the secret itself. In other words, if the secret that every issuer holds were sent to every terminal in the world, that secret would not remain secret for long, because the distribution channel is far too wide. To avoid exposing the secret that way, asymmetric key technology is used: the terminal only needs public keys, which do not have to be protected from disclosure, only from substitution.
How does asymmetric key technology work?
First of all, each payment network (Visa, MasterCard, American Express, Discover, etc.) has a key pair, a private key and a public key; this is the network's certificate authority (CA) key. The issuer also has a key pair, and its public key is placed in an issuer public key certificate. That certificate is signed with the private key of the card association, the payment network. The signature does not hide the issuer's public key; it binds it, so that anyone holding the network's public key can check that the issuer's key is genuine and has not been altered. During personalization this certificate is programmed and loaded onto the chip (on DDA and CDA cards together with a certificate for the card's own key pair, signed by the issuer). In the meantime, when terminals are first deployed in the marketplace, the payment networks' public keys are sent to the acquirers, who have the responsibility of getting them loaded onto the terminals. These public keys change very rarely, often only after many years. Once a terminal has its public keys installed (typically when it is first deployed), a chip card that already carries the programmed certificate can be inserted into it. The terminal uses the network's public key to verify the issuer public key certificate, recovers the issuer's public key from it, and then uses that key to verify the signed data the chip presents (the card's own certificate and a dynamic signature over a terminal challenge, in the case of DDA or CDA). That is how the terminal authenticates offline that the chip is legitimate and its data has not been altered, and, with DDA or CDA, that it has not simply been cloned. This is a fairly sophisticated process, but it protects the secret and the authenticity of the card used for the transaction.
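The certificate chain just described, as an added worked example that is not code from the original article. A toy RSA (512-bit keys, hash-then-raw-RSA signatures, a Miller-Rabin prime test seeded for reproducibility) stands in for the RSA with ISO/IEC 9796-2 message recovery and the fixed certificate layouts that EMV actually specifies, so nothing here interoperates with a real card or terminal. The terminal holds only the payment network's public key; the card presents the issuer certificate, the card's own certificate and a dynamic signature over a fresh terminal challenge, and a counterfeit card with a self-signed chain is rejected at the first step. All keys and the PAN are constructed values; the class and function names are this example's own.

```python
import hashlib
import random


def is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin, enough for a toy; not a production key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(candidate, rng):
            return candidate


def gen_keypair(rng: random.Random, bits: int = 512):
    """Toy RSA: returns ((n, e), (n, d)).  Real EMV keys are 1024 bits and up."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def sign(private, data: bytes) -> int:
    """Hash-then-raw-RSA (toy).  EMV uses ISO/IEC 9796-2 with message recovery."""
    n, d = private
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def encode_public(public) -> bytes:
    return public[0].to_bytes(64, "big") + public[1].to_bytes(3, "big")


def decode_public(blob: bytes):
    return int.from_bytes(blob[:64], "big"), int.from_bytes(blob[64:67], "big")


def issue_certificate(subject_public, signer_private):
    """Certificate = subject's public key bytes + the signer's signature over them."""
    body = encode_public(subject_public)
    return body, sign(signer_private, body)


class ChipCard:
    """Personalised with the issuer PK certificate (signed by the network), its
    own ICC PK certificate (signed by the issuer) and the ICC private key."""

    def __init__(self, issuer_cert, icc_cert, icc_private, pan: str):
        self.issuer_cert, self.icc_cert = issuer_cert, icc_cert
        self.icc_private, self.pan = icc_private, pan

    def internal_authenticate(self, challenge: bytes) -> int:
        """DDA-style dynamic signature over the terminal's unpredictable number."""
        return sign(self.icc_private, challenge + self.pan.encode())


class Terminal:
    """Holds only the payment network's public key, loaded by the acquirer."""

    def __init__(self, ca_public, rng: random.Random):
        self.ca_public, self.rng = ca_public, rng

    def authenticate_offline(self, card: ChipCard) -> bool:
        issuer_body, issuer_sig = card.issuer_cert
        if not verify(self.ca_public, issuer_body, issuer_sig):
            return False                       # issuer key not certified by the network
        icc_body, icc_sig = card.icc_cert
        if not verify(decode_public(issuer_body), icc_body, icc_sig):
            return False                       # card key not certified by that issuer
        challenge = self.rng.getrandbits(32).to_bytes(4, "big")   # fresh each time
        return verify(decode_public(icc_body), challenge + card.pan.encode(),
                      card.internal_authenticate(challenge))


def build_world(seed: int = 2024):
    """Constructed key hierarchy (network CA -> issuer -> card) plus a counterfeit
    card whose chain is self-signed with an attacker-chosen 'issuer' key."""
    rng = random.Random(seed)
    ca_public, ca_private = gen_keypair(rng)
    issuer_public, issuer_private = gen_keypair(rng)
    icc_public, icc_private = gen_keypair(rng)
    genuine = ChipCard(issue_certificate(issuer_public, ca_private),
                       issue_certificate(icc_public, issuer_private),
                       icc_private, "4111111111111111")
    fake_issuer_public, fake_issuer_private = gen_keypair(rng)
    fake_icc_public, fake_icc_private = gen_keypair(rng)
    counterfeit = ChipCard(issue_certificate(fake_issuer_public, fake_issuer_private),
                           issue_certificate(fake_icc_public, fake_issuer_private),
                           fake_icc_private, "4111111111111111")
    return Terminal(ca_public, rng), genuine, counterfeit


if __name__ == "__main__":
    terminal, genuine, counterfeit = build_world()
    print(terminal.authenticate_offline(genuine), terminal.authenticate_offline(counterfeit))  # True False
```

The point to take from the structure: the only long-lived secret on the terminal side is nothing at all; the terminal needs the network public key to be authentic (hence acquirers load it through a controlled channel), but its disclosure costs nothing, which is exactly why this design can run with no connectivity.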
Not every entity in the payment transaction framework is required to understand this process in detail. The most important thing to note is that there are two different cryptographic processes used in EMV: a symmetric one for the online functionality and an asymmetric one for the offline functionality.