EMV Transaction Flow
Contents
• Introduction to EMV
• Traditional MSR Vs EMV Transaction flow
• Online Data Authentication
• Offline Data Authentication
• EMV Migration
• Security in E-Commerce
Introduction to EMV
• EMV is a technical standard that defines interaction at the physical and electrical data authentication levels between IC cards and their processing devices for financial transactions.
• EMV stands for Europay, MasterCard, and Visa, the three companies which originally created the standard.
• The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.
• EMV cards are also called IC credit cards or Chip and PIN cards.
• EMV cards were introduced to improve security (fraud reduction) and for finer control of "offline" credit-card transaction approvals.
• One of the original goals of EMV was to allow multiple applications to be held on a card, for example a credit and debit card application or an e-purse.
MSR Vs EMV Transaction Flow
EMV Transaction Flow
Application Selection:
• The EMV chip is loaded with an application version number and the Application Identification Numbers (AIDs) that the issuer supports.
• Based on the AID selected, a particular application in the terminal is selected, through which routing to the issuer bank happens.
• The PDOL (Processing Data Object List) is provided by the card to the terminal during application selection.
Terminal Action Analysis
• Terminal risk management is done in the terminal to decide whether or not to go online; it checks the transaction amount against an offline ceiling limit.
• For online authorization transactions, the card provides CDOL1 (Card Data Object List), a list of tags that the card wants sent to it in order to decide whether to approve or decline a transaction.
• The terminal sends this data and requests a cryptogram using the GENERATE APPLICATION CRYPTOGRAM command, usually called 1st Gen AC.
• Depending on the terminal's decision (offline, online, decline), the terminal requests one of the following cryptograms from the card:
  • Transaction Certificate (TC): offline approval
  • Authorization Request Cryptogram (ARQC): online authorization
  • Application Authentication Cryptogram (AAC): offline decline
• The issuer responds to an authorization request with a response code (accepting or declining the transaction), an authorization response cryptogram (ARPC) and optionally an issuer script (a string of commands to be sent to the card).
EMV Chip Data
The data that is present in a chip card and a few tags are sent to the issuer for authorization.
Cardholder verification
• Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. There are many cardholder verification methods (CVMs) supported in EMV. They are:
  • Signature.
  • Offline plaintext PIN.
  • Offline enciphered PIN.
  • Offline plaintext PIN and signature.
  • Offline enciphered PIN and signature.
  • Online PIN.
  • No CVM required.
  • Both PIN and signature.
  • Fail CVM processing.
• The terminal uses a CVM list read from the card to determine the type of verification to be performed, based on the terminal capability and the business involved.
• When a verification is done successfully, the results are updated in the TVR and CVR and the transaction is approved.
• A Cardholder Verification Rule (CVR) consists of 2 bytes: the first indicates the type of CVM to be used, while the second specifies the condition under which this CVM will be applied.
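The two-byte rule format described above, as an added example that is not part of the original slides: a parser for a CVM list and a simplified walk that returns the first method a terminal would attempt. The CVM and condition code values follow EMV Book 3 and are not given on the slides; the sample list, the `txn_type` labels and the function names are constructed for illustration, and amounts are assumed to be in the application currency.

```python
import struct

# CVM codes: low 6 bits of the first byte of each rule (EMV Book 3, Annex C3).
CVM_CODES = {
    0x00: "Fail CVM processing",
    0x01: "Offline plaintext PIN",
    0x02: "Online PIN",
    0x03: "Offline plaintext PIN and signature",
    0x04: "Offline enciphered PIN",
    0x05: "Offline enciphered PIN and signature",
    0x1E: "Signature",
    0x1F: "No CVM required",
}
# Condition codes: second byte of each rule.
CONDITIONS = {
    0x00: "always",
    0x01: "if unattended cash",
    0x02: "if not unattended cash, manual cash or purchase with cashback",
    0x03: "if terminal supports the CVM",
    0x04: "if manual cash",
    0x05: "if purchase with cashback",
    0x06: "if amount is under X",
    0x07: "if amount is over X",
    0x08: "if amount is under Y",
    0x09: "if amount is over Y",
}


def parse_cvm_list(data: bytes):
    """Split a CVM list into (amount_x, amount_y, [rule dicts])."""
    if len(data) < 10 or len(data) % 2:
        raise ValueError("expected 8 amount bytes followed by 2-byte rules")
    amount_x, amount_y = struct.unpack(">II", data[:8])
    rules = []
    for off in range(8, len(data), 2):
        method, condition = data[off], data[off + 1]
        code = method & 0x3F
        rules.append({
            "code": code,
            "cvm": CVM_CODES.get(code, f"unrecognised CVM 0x{code:02X}"),
            # Bit 7 (0x40): apply the next rule if this CVM is unsuccessful.
            "next_on_fail": bool(method & 0x40),
            "condition": condition,
            "when": CONDITIONS.get(condition, f"RFU 0x{condition:02X}"),
        })
    return amount_x, amount_y, rules


def condition_met(rule, supported, amount, amount_x, amount_y, txn_type):
    """Evaluate the second byte of a rule for this transaction."""
    checks = {
        0x00: True,
        0x01: txn_type == "unattended_cash",
        0x02: txn_type not in ("unattended_cash", "manual_cash", "cashback"),
        0x03: rule["code"] in supported,
        0x04: txn_type == "manual_cash",
        0x05: txn_type == "cashback",
        0x06: amount < amount_x,
        0x07: amount > amount_x,
        0x08: amount < amount_y,
        0x09: amount > amount_y,
    }
    return checks.get(rule["condition"], False)  # unknown condition: skip rule


def select_cvm(data, supported, amount=0, txn_type="purchase"):
    """Return the first CVM the terminal would attempt, or 'CVM failed'.

    Simplification: a CVM that is attempted and then fails (e.g. wrong PIN)
    is not modelled; only unsupported methods fall through to the next rule.
    """
    amount_x, amount_y, rules = parse_cvm_list(data)
    for rule in rules:
        if not condition_met(rule, supported, amount, amount_x, amount_y, txn_type):
            continue
        if rule["code"] in supported and rule["code"] != 0x00:
            return rule["cvm"]
        if not rule["next_on_fail"]:
            break
    return "CVM failed"


# Constructed sample: X = Y = 0, then five rules in issuer priority order.
SAMPLE_CVM_LIST = bytes.fromhex("0000000000000000" "4403" "4103" "4203" "5E03" "1F00")

if __name__ == "__main__":
    for r in parse_cvm_list(SAMPLE_CVM_LIST)[2]:
        print(f"{r['cvm']:<36} {r['when']:<30} next_on_fail={r['next_on_fail']}")
    print(select_cvm(SAMPLE_CVM_LIST, {0x1E, 0x1F}))
```

With the constructed list, a terminal without PIN support falls through to signature, which is why the order of the rules and any final catch-all rule matter when an issuer defines the list.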
Offline Data Processing:
The offline authentication options in EMV are:
Static Data Authentication:
• For SDA, the smart card contains application data which is signed by the private key of the issuer's RSA key pair.
• When a card with an SDA application is inserted into a terminal, the card sends this signed static application data, the CA index, and the issuer certificate to the terminal.
• The terminal verifies the issuer certificate and the digital signature by comparing these to the actual application data present on the card.
• In short, an RSA signature gives the assurance that the data is in fact original and created by the authorized issuer.
• SDA does not prevent replay attacks, as it is the same static data that is presented in every transaction.
Dynamic Data Authentication:
• In DDA, the smart card has its own card-unique RSA key that signs dynamic data.
• This produces unique, unpredictable and transaction-dependent data, which the card sends to the terminal.
• When a card with a DDA application is inserted into a terminal, the card sends the signed dynamic application data, the CA index, the issuer certificate and the card certificate to the terminal.
• The terminal then verifies the issuer certificate, the smart card certificate and the signed dynamic application data.
Combined Data Authentication:
• The security mechanism in SDA is there to compare what is on the actual card (PAN, expiry date etc.) with signed data generated at the time of personalization.
• DDA is stronger and makes use of a card-resident unique RSA key to dynamically sign unpredictable and transaction-unique data.
• The EMV protocol for transaction approval or denial contains more logical processing, and there is a potential weakness between the step of verifying the card (using SDA or DDA) and the step of approving the actual transaction.
• Additionally, the card makes that decision based on other card parameters such as card-generated cryptograms.
• A scheme has been devised that combines both the card authentication and the transaction approval decision in one step.
• To make it more secure, offline PIN verification is present in chip cards to verify the cardholder.
• In addition to this, authentication can be done using a PIN to verify that the right person is using the card.
Plaintext PIN verification performed by ICC:
• This is a cost-effective cardholder verification method, which is specific to chip card products.
• The terminal captures the PIN from the user and sends it in clear to the chip card. The chip compares the value received with a witness value stored in its permanent memory.
• The terminal should be offline PIN capable and tamper resistant.
Enciphered PIN verification performed by ICC
• This is an expensive cardholder verification method, which is applicable to chip card products able to perform RSA operations.
• The terminal captures the PIN from the user and sends it encrypted in an RSA envelope to the chip card.
• The chip decrypts the envelope, retrieves the PIN in clear, and compares the retrieved value with a witness value stored in its permanent memory since the personalization stage.
• EMV also supports a combined cardholder verification method, which is referred to as enciphered PIN verification performed by ICC and signature (paper).
• The EMV card keeps track of the number of transactions performed offline using the LCOL and UCOL registers.
• TVR (Terminal Verification Results) and TSI (Transaction Verification Information) are the registers that store data on the authentication that the terminal has performed.
• The TVR is a register encoded on 5 bytes. Each byte of the TVR witnesses the results of the processing performed by the terminal during one of the following stages of the EMV debit/credit transaction:
  • Off-line data authentication (byte 1)
  • Processing restrictions (byte 2)
  • Cardholder verification (byte 3)
  • Terminal risk management (byte 4)
  • Issuer authentication/issuer scripts processing (byte 5)
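The five TVR bytes listed above feed the Terminal Action Analysis step described earlier, where the terminal chooses between TC, ARQC and AAC. The following is an added example, not part of the original slides: it decodes a TVR and applies the EMV Book 3 comparison of the TVR against Issuer and Terminal Action Codes (IAC/TAC), which the slides do not mention. The individual bit meanings come from EMV Book 3; the action code values and sample TVRs are constructed.

```python
# Stage names per TVR byte, as listed on the slide.
STAGES = {
    1: "Off-line data authentication",
    2: "Processing restrictions",
    3: "Cardholder verification",
    4: "Terminal risk management",
    5: "Issuer authentication/issuer scripts processing",
}

# (byte number, bit mask) -> meaning, per EMV Book 3 Annex C5.
TVR_BITS = {
    (1, 0x80): "Offline data authentication was not performed",
    (1, 0x40): "SDA failed",
    (1, 0x20): "ICC data missing",
    (1, 0x10): "Card appears on terminal exception file",
    (1, 0x08): "DDA failed",
    (1, 0x04): "CDA failed",
    (2, 0x80): "ICC and terminal have different application versions",
    (2, 0x40): "Expired application",
    (2, 0x20): "Application not yet effective",
    (2, 0x10): "Requested service not allowed for card product",
    (2, 0x08): "New card",
    (3, 0x80): "Cardholder verification was not successful",
    (3, 0x40): "Unrecognised CVM",
    (3, 0x20): "PIN Try Limit exceeded",
    (3, 0x10): "PIN entry required and PIN pad not present or not working",
    (3, 0x08): "PIN entry required, PIN pad present, but PIN was not entered",
    (3, 0x04): "Online PIN entered",
    (4, 0x80): "Transaction exceeds floor limit",
    (4, 0x40): "Lower consecutive offline limit exceeded",
    (4, 0x20): "Upper consecutive offline limit exceeded",
    (4, 0x10): "Transaction selected randomly for online processing",
    (4, 0x08): "Merchant forced transaction online",
    (5, 0x80): "Default TDOL used",
    (5, 0x40): "Issuer authentication failed",
    (5, 0x20): "Script processing failed before final GENERATE AC",
    (5, 0x10): "Script processing failed after final GENERATE AC",
}


def decode_tvr(tvr: bytes) -> dict:
    """Return {stage name: [flags set]} for a 5-byte TVR."""
    if len(tvr) != 5:
        raise ValueError("TVR must be exactly 5 bytes")
    flags = {}
    for (byte_no, mask), meaning in TVR_BITS.items():
        if tvr[byte_no - 1] & mask:
            flags.setdefault(STAGES[byte_no], []).append(meaning)
    return flags


def terminal_action_analysis(tvr: bytes, codes: dict, online_capable=True) -> str:
    """Pick the cryptogram type the terminal requests in the 1st Gen AC.

    codes maps 'denial' / 'online' / 'default' to an (IAC, TAC) pair of
    5-byte masks. A TVR bit that is also set in either mask triggers the action.
    """
    def matches(kind):
        iac, tac = codes[kind]
        return any(t & (i | a) for t, i, a in zip(tvr, iac, tac))

    if matches("denial"):
        return "AAC"                      # offline decline
    if online_capable:
        return "ARQC" if matches("online") else "TC"
    # Offline-only terminal: the default codes decide between decline and approve.
    return "AAC" if matches("default") else "TC"


# Constructed action codes (IAC, TAC); real values are set by issuer and acquirer.
ACTION_CODES = {
    "denial": (bytes.fromhex("0010000000"), bytes.fromhex("0000000000")),
    "online": (bytes.fromhex("DC4004F800"), bytes.fromhex("0000800000")),
    "default": (bytes.fromhex("DC4000A800"), bytes.fromhex("0000000000")),
}

if __name__ == "__main__":
    sample = bytes.fromhex("0000008000")  # constructed: floor limit exceeded
    print(decode_tvr(sample))
    print(terminal_action_analysis(sample, ACTION_CODES))
```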
EMV Migration
• The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance in order to successfully introduce secure EMV contact and contactless technology in the United States by liability shift.
• Liability shift means that those issuers and merchants using non-EMV compliant devices that choose to accept transactions made with EMV-compliant cards assume liability for any and all transactions that are found to be fraudulent.
• The deadline for liability shift as decided by EMVCo is October 2015 in the US.
• To date, Europe, Canada, Latin America, and the Asia/Pacific region are all well on their way in migrating from the legacy magnetic stripe standard to EMV chip card technology.
• Estimated cost calculation for EMV migration in the US.
Liability Table
• This is applicable to the Visa, MasterCard and American Express associations.
EMV Adoption in various regions of the world
Security for E-Commerce
• EMV cards were designed when e-commerce was not fully operational.
• Various other methods were introduced to make transactions secure:
  • CVV number
  • Address Verification System (AVS)
  • Dynamic number verification system
• In future, cards will be designed to produce a dynamic number using the chip technology.
TransArmor Tokenization and Encryption Solution
• The data is protected by two layers of security, known as encryption and tokenization.
Benefits of Tokenization
• Reduces the risk of storing Primary Account Numbers (PANs) in the merchant's card data environment (CDE).
• The tokens can then be used to perform customer analytics and understand consumer buying behavior.
• Replacing PAN data with tokens reduces a merchant's burden of PCI compliance by taking sensitive data out of their database.
• Used for recurring payments.

Connect Wave/ connectwave Pitch Deck Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

EMV chip cards

  • 2. Contents
      • Introduction to EMV
      • Traditional MSR Vs EMV Transaction flow
      • Online Data Authentication
      • Offline Data Authentication
      • EMV Migration
      • Security in E-Commerce
  • 3. Introduction to EMV
      • EMV is a technical standard that defines interaction at the physical and electrical data authentication levels between IC cards and their processing devices for financial transactions.
      • EMV stands for EuroPay, MasterCard, and Visa, the three companies which originally created the standard.
      • The standard is now managed by EMVCo, a consortium with control split equally among Visa, Mastercard, JCB, American Express, China Union Pay, and Discover.
      • EMV cards are also called IC credit cards or Chip and PIN cards.
      • EMV cards were introduced to improve security (fraud reduction) and for finer control of "offline" credit-card transaction approvals.
      • One of the original goals of EMV was to allow multiple applications to be held on a card, for example a credit and debit card application or an e-purse.
  • 4. MSR Vs EMV Transaction Flow
  • 6. EMV Transaction Flow: Application Selection
      • The EMV chip is loaded with an application version number and the Application Identification Numbers (AIDs) that the issuer supports.
      • Based on the AID selected, a particular application in the terminal is selected, through which routing to the issuer bank happens.
      • The PDOL (Processing Data Object Lists) is provided by the card to the terminal during application selection.
  • 7. Terminal Action Analysis
      • Terminal risk management is done in the terminal to decide whether or not to go online; it checks the transaction amount against an offline ceiling limit.
      • For online authorization transactions, CDOL1 (Card Data Object List) is used: a list of tags that the card wants to be sent to it in order to decide whether to approve or decline a transaction.
      • The terminal sends this data and requests a cryptogram using the GENERATE APPLICATION CRYPTOGRAM command, usually called 1st Gen AC.
      • Depending on the terminal's decision (offline, online, decline), the terminal requests one of the following cryptograms from the card:
          • Transaction Certificate (TC): offline approval
          • Authorization Request Cryptogram (ARQC): online authorization
          • Application Authentication Cryptogram (AAC): offline decline
      • The issuer responds to an authorization request with a response code (accepting or declining the transaction), an authorization response cryptogram (ARPC) and optionally an issuer script (a string of commands to be sent to the card).
  • 8. EMV Chip Data
      • The data present in a chip card, of which a few tags are sent to the issuer for authorization.
  • 9. Cardholder verification
      • Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. There are many cardholder verification methods (CVMs) supported in EMV. They are:
          • Signature
          • Offline plaintext PIN
          • Offline enciphered PIN
          • Offline plaintext PIN and signature
          • Offline enciphered PIN and signature
          • Online PIN
          • No CVM required
          • Both PIN and signature
          • Fail CVM processing
      • The terminal uses a CVM list read from the card to determine the type of verification to be performed, based on the terminal capability and the business involved.
      • When a verification is done successfully, the results are updated in the TVR and CVR and the transaction is approved.
      • A Cardholder Verification Rule (CVR) consists of 2 bytes: the first indicates the type of CVM to be used, while the second specifies under which condition this CVM will be applied.
  • 10. Offline Data Processing
      • The offline authentication options in EMV are:
      • Static Data Authentication:
          • For SDA, the smart card contains application data which is signed by the private key of the issuer's RSA key pair.
          • When a card with an SDA application is inserted into a terminal, the card sends this signed static application data, the CA index, and the issuer certificate to the terminal.
          • The terminal verifies the issuer certificate and the digital signature by comparing these to the actual application data present on the card.
          • In short, an RSA signature gives the assurance that the data is in fact original and created by the authorized issuer.
          • SDA does not prevent replay attacks, as it is the same static data that is presented in every transaction.
      • Dynamic Data Authentication:
          • Here the smart card has its own card-unique RSA key that signs dynamic data.
          • This produces unique, unpredictable and transaction-dependent data, which the card sends to the terminal.
          • When a card with a DDA application is inserted into a terminal, the card sends the signed dynamic application data, the CA index, the issuer certificate and the card certificate to the terminal.
          • The terminal then verifies the issuer certificate, the smart card certificate and the signed dynamic application data.
  • 11. Combined Data Authentication
      • The security mechanism in SDA is there to compare what is on the actual card (PAN, expiry date etc.) with signed data generated at the time of personalization.
      • DDA is stronger and makes use of a card-resident unique RSA key to dynamically sign unpredictable and transaction-unique data.
      • The EMV protocol for transaction approval or denial contains more logical processing, and there is a potential weakness between the step of verifying the card (using SDA or DDA) and the step of approving the actual transaction.
      • Additionally, the card makes that decision based on other card parameters such as card-generated cryptograms.
      • A scheme has been devised that combines both the card authentication and the transaction approval decision in one step.
      • To make it more secure, offline PIN verification is present in chip cards to verify the cardholder.
      • In addition to this, authentication can be done using a PIN to verify that the right person is using the card.
  • 12. Plaintext PIN verification performed by ICC
      • This is a cost-effective cardholder verification method, which is specific to chip card products.
      • The terminal captures the PIN from the user and sends it in clear to the chip card. The chip compares the value received with a witness value stored in its permanent memory.
      • The terminal should be offline PIN capable and tamper resistant.
      Enciphered PIN verification performed by ICC
      • This is an expensive cardholder verification method, which is applicable to chip card products able to perform RSA operations.
      • The terminal captures the PIN from the user and sends it encrypted in an RSA envelope to the chip card.
      • The chip decrypts the envelope, retrieves the PIN in clear, and compares the retrieved value with a witness value stored in its permanent memory since the personalization stage.
      • EMV also supports a combined cardholder verification method, which is referred to as enciphered PIN verification performed by ICC and signature (paper).
      • The EMV card keeps track of the number of transactions performed offline using the LCOL and UCOL registers.
  • 13.
      • TVR (Terminal Verification Results) and TSI (Transaction Verification Information) are the registers that store data on the authentication that the terminal has performed.
      • The TVR is a register encoded on 5 bytes. Each byte of the TVR witnesses the results of the processing performed by the terminal during one of the following stages of the EMV debit/credit transaction:
          • Off-line data authentication (byte 1)
          • Processing restrictions (byte 2)
          • Cardholder verification (byte 3)
          • Terminal risk management (byte 4)
          • Issuer authentication/issuer scripts processing (byte 5)
  • 14. EMV Migration
      • The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance in order to successfully introduce secure EMV contact and contactless technology in the United States by liability shift.
      • Liability shift means that those issuers and merchants using non-EMV compliant devices that choose to accept transactions made with EMV-compliant cards assume liability for any and all transactions that are found to be fraudulent.
      • The deadline for liability shift, as decided by EMVCo, is October 2015 in the US.
      • To date, Europe, Canada, Latin America, and the Asia/Pacific region are all well on their way with migrating from the legacy magnetic stripe standard to EMV chip card technology.
      • Estimated cost calculation for EMV migration in the US.
  • 15. Liability Table
      • This is applicable to the Visa, MasterCard and American Express associations.
  • 16. EMV adoption in various regions of the world
  • 17. Security for E-Commerce
      • EMV cards were designed when e-commerce was not fully operational.
      • Various other methods were introduced to make transactions secure:
          • CVV Number
          • Address Verification System (AVS)
          • Dynamic Number Verification System
      • In the future, cards will be designed to produce a dynamic number using the chip technology.
  • 18. TransArmor Tokenization and Encryption Solution
      • The data is protected by two layers of security, known as encryption and tokenization.
  • 19. Benefits of Tokenization
      • Reduces the risk of storing Primary Account Numbers (PANs) in the merchant's card data environment (CDE).
      • The tokens can then be used to perform customer analytics and understand consumer buying behavior.
      • Replacing PAN data with tokens reduces a merchant's burden of PCI compliance by taking sensitive data out of their database.
      • Used for recurring payments.
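
Slide 9 describes the CVM list read from the card and its 2-byte rules (method byte, then condition byte). The parser below is an added example, not part of the original slides: it assumes the EMV Book 3 layout of the CVM List (tag 8E), which is two 4-byte amounts X and Y followed by the rules, and takes the method and condition codes from that specification. The function name and sample list are constructed for illustration.

```python
# Added example: parse an EMV CVM List (tag 8E) into its 2-byte rules.
# Codes follow EMV Book 3, Annex C3 (not the slides); names match slide 9.
CVM_METHODS = {
    0x00: "Fail CVM processing",
    0x01: "Offline plaintext PIN",
    0x02: "Online PIN",
    0x03: "Offline plaintext PIN and signature",
    0x04: "Offline enciphered PIN",
    0x05: "Offline enciphered PIN and signature",
    0x1E: "Signature",
    0x1F: "No CVM required",
}
CVM_CONDITIONS = {
    0x00: "Always",
    0x01: "If unattended cash",
    0x02: "If not unattended cash, manual cash or purchase with cashback",
    0x03: "If terminal supports the CVM",
    0x04: "If manual cash",
    0x05: "If purchase with cashback",
    0x06: "If in application currency and under X",
    0x07: "If in application currency and over X",
    0x08: "If in application currency and under Y",
    0x09: "If in application currency and over Y",
}

def parse_cvm_list(hex_value):
    """Return (amount_x, amount_y, rules) in the card's priority order."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 10 or len(raw) % 2:
        raise ValueError("need two 4-byte amounts and at least one 2-byte rule")
    amount_x = int.from_bytes(raw[0:4], "big")
    amount_y = int.from_bytes(raw[4:8], "big")
    rules = []
    for offset in range(8, len(raw), 2):
        code, cond = raw[offset], raw[offset + 1]
        method = code & 0x3F  # low six bits select the method
        rules.append({
            "method": CVM_METHODS.get(method, f"unlisted method 0x{method:02X}"),
            # b7 set: fall through to the next rule if this CVM fails
            "on_failure": "try next rule" if code & 0x40
                          else "fail cardholder verification",
            "condition": CVM_CONDITIONS.get(cond, f"unlisted condition 0x{cond:02X}"),
        })
    return amount_x, amount_y, rules

# Constructed sample: X = 0, Y = 0, then four rules.
SAMPLE_CVM_LIST = "0000000000000000" "4403" "4203" "5E03" "1F00"
if __name__ == "__main__":
    for rule in parse_cvm_list(SAMPLE_CVM_LIST)[2]:
        print(rule)
```

Reading the rules in order shows which verification method a given card falls back to when the terminal does not support the preferred one, which is what to review when a card profile ends in "No CVM required".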