Presentation is loading. Please wait.

Presentation is loading. Please wait.

EMV 101 Michelle Lehouck EMV Product Manager CPI Card Group.

Similar presentations

Presentation on theme: "EMV 101 Michelle Lehouck EMV Product Manager CPI Card Group."— Presentation transcript:

1 EMV 101 Michelle Lehouck EMV Product Manager CPI Card Group

2 Card Manufacturing Business Model(s) Copyright © 2012 CONFIDENTIAL

3 What is EMV? The globally interoperable standard specification governing transactions between chip cards and terminals in the payments industry is called EMV –From the initials of Europay, Mastercard and Visa –The payment networks that originally developed the specifications Today, the EMV standard, its management, and future development are under the control of EMVCo, a jointly owned body set up by the payment networks for this purpose *Mastercard, An Introduction to EMV, 2012

4 What is EMV? EMV creates a stable basis for investment in chip-based dynamic data payments across multiple form factors (contact cards, contactless devices, and mobile devices) and enables product-level innovation across the payment ecosystem without compromising interoperability. Copyright © 2012 CONFIDENTIAL

5 EMV 101 Consumer payment application is resident in a secure Integrated Circuit Card (ICC) or chip –Contact chips in smart cards –Contactless chips in smart cards or personal devices such as smart phones Chip key features –Store information –Perform processing –Secure element which stores secrets and performs cryptographic functions Copyright © 2012 CONFIDENTIAL

6 Why EMV: Building a Business Case EMV can transform the purchasing experience and enable future innovations by making payments safer, simpler and smarter for both consumers and customers alike. Many have upgraded to EMV to reduce:Fraud however, the upgrade to the EMV standard also will potentially deliver: –Reduced operational costs –Improved risk management –Increased card usage –A wide range of value added opportunities * *Mastercard, An Introduction to EMV, 2012

7 EMV: Overview of Infrastructure Card Issuance Terminal Installation by Acquirer or Merchant Testing and Certification The Payment Process –Card Authentication (CAM) –Card Verification (CVMs) –Authorization –Clearing and Settlement Issuer Host Systems Acquirer Host Systems Other Important Features of the EMV Chip –Scripts, Card Network Rules, Chip & Pin, Added value apps *Mastercard, An Introduction to EMV, 2012

8 How is the transaction different? The card generates an EMV Application Cryptogram (AC) at key transaction points –ACs are signatures created with a card unique DES key composed of critical data elements that indicate the status at the transaction point To indicate if online authorization is required –Authorization ReQuest Cryptogram (ARQC) At transaction completion –Transaction Certificate (TC) for an approval –Application Authentication Cryptogram (AAC) for a decline Copyright © 2012 CONFIDENTIAL

9 How is the transaction different? Risk management features under acquirer control to select transactions for online approval –Floor limits –Domestic or retailer criteria –Random transaction selection Together with issuer chip card controls, protect against the use of lost and stolen or counterfeit cards which attempt to stay beneath the floor limit Copyright © 2012 CONFIDENTIAL

10 Cardholder Verification Process (CV) EMV introduces new features for cardholder verification –Cardholder verification method (CVM) list Issuer can define multiple CVMs in the card and define the conditions under which the CVM must be applied –Offline PIN Offline Plaintext PIN Offline Enciphered PIN –EMV still supports traditional methods Online enciphered PIN, signature, no CVM Copyright © 2012 CONFIDENTIAL

11 EMV Card Standards ISO 7816 Standards ISO defines the principal standard for making, controlling and testing smart cards. ISO Memory management and inter industry commands ISO Dimensions and physical constraints Width Max 85,72 mm Min 85,47 mm Height Max 54,03 mm Min 53,92 mm Thickness 0,76 +/- 0,08 mm ISO Electrical signals ISO Communication Protocol Copyright © 2012 CONFIDENTIAL

12 RAM : Random Access Memory CPU : Processor unit (RSA: cryptocontroller) ROM : Read Only Memory EEPROM : Electrically Erasable Programmable Read Only Memory Components Chip Architecture Copyright © 2012 CONFIDENTIAL

13 Decisions 101

14 What chip should I use? When creating EMV cards there are many factors that will affect the cost, software and production time. Start by answering the following questions: Choose from the following: Contact, Contactless, Dual Interface What is the card type? Visa, MC, AMEX, Discover, JCB, China UnionPay What Association? Choose from the following: Domestic, International, Global Where is the market? Our technology experts will help define the best technology that fits your specific needs to determine the optimal solution. When can we meet? Copyright © 2012 CONFIDENTIAL

15 EMV Card Types Contact: Reader comes into contact with the chip Contactless: Reader signals chip wirelessly Dual Interface: Reader can use contact with chip or wireless Copyright © 2012 CONFIDENTIAL

16 Memory How much erasable memory do you need on this EMV card? Eeprom is where your service bureau would dynamically load proprietary applications onto the card, like an app to you or other (sector apps on the card) For example: a ticketing application. –Contact – Averages 8k –Dual Interface – Averages 12k –More is needed for large custom applications Copyright © 2012 CONFIDENTIAL

17 Authorization? SDA - Static Data Authentication –Cheapest, developed for off-line DDA - Dynamic Data Authentication CDA - Combined Data Authentication See appendix for more details Copyright © 2012 CONFIDENTIAL

18 Operating System What software is supported on the chip? Open: –JAVA –MULTOS (primarily for MC Banks Only) GP – VGP: Global Platform, Visa Global Platform Native (proprietary) Copyright © 2012 CONFIDENTIAL

19 Software Specifications What level of VISA/MC specifications do you need? VSDC MChip4 Select (1.1a, or 1.1b) / MChip4 Advance If you have picked a JAVA or GP OS, what level of Java or GP (Global Platform) Card specification would you like to comply to? JAVA 2.1.1, Java GP Copyright © 2012 CONFIDENTIAL

20 Other Manufacturing Questions Key Ceremony: –CPI can manufacture the card and rotate the public manufacturing key to a secure issuer. To do this, a key ceremony will need to be performed with the issuer and service bureau Who initializes the card? –CPI in a pre-personalization step? –Service bureau CAP (Chip Authentication Program) files –These can be loaded at pre-perso and provides for faster personalization Copyright © 2012 CONFIDENTIAL

21 Association Mandates

22 EMV in the U.S. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of NFC-based mobile payments by building the necessary infrastructure to accept and process chip transactions that support either a signature or PIN at the point of sale. Source: Visa, August 9, 2011

23 Mandates Effective October 1, 2012, Visa will expand its Technology Innovation Program (TIP) to the U.S. Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, Visa intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale (POS) transactions, effective October 1, Source: Visa, August 9, 2011

24 Recommendations Copyright © 2012 CONFIDENTIAL Source: Visa, October 26, 2011

25 MasterCard By April 2013, Acquirers need to be able to compute EMV transaction (POS/ATMs) Strongly supports DDA EMV card issuance (contact or DI) with introduction of PIN By October 2015, Liability Shift from Association to Issuer if EMV chip is not enabled on all financial cards (Credit and Debit)applies to: –Card Present –Card Not Present Copyright © 2012 CONFIDENTIAL

26 Construction 101

27 Production Process LaminationMillingEmbedding Copyright © 2012 CONFIDENTIAL

28 Lamination Lamination consists of punching and applying hot melt tape on the micromodule film. Copyright © 2012 CONFIDENTIAL

29 Milling Milling consists of the creation of the cavity prior to receive the micromodule. Copyright © 2012 CONFIDENTIAL

30 Embedding Embedding consists of punching and picking the micromodule from the film and inserting it into the milled cavity. Copyright © 2012 CONFIDENTIAL

31 Dual Interface Compression Technology – Z axis adhesive –Flexible bump Copyright © 2012 CONFIDENTIAL

32 Air coupled –SPS antenna coupling Hera –Pigtails module soldered to antenna Connections Copyright © 2012 CONFIDENTIAL Dual Interface cont.

33 More Resources

34 &trk=myg_ugrp_ovr &trk=myg_ugrp_ovr Copyright © 2012 CONFIDENTIAL

35 Appendix Copyright © 2012 CONFIDENTIAL

36 Static Data Authentication (SDA) Indicates that the signed data on the chip has not been changed or manipulated –Cards DO NOT require RSA cryptographic processing capability –Each card is personalized with the Issuer public key certificate and static signed application data –Static signed application data is composed of data elements personalized onto the card and signed with issuer private key –Terminal performs RSA cryptographic processing using issuer public key to authenticate signed static application data –Does NOT indicate that card is authenticated offline Copyright © 2012 CONFIDENTIAL

37 Dynamic Data Authentication (DDA) Indicates that the actual card issued is present at the point of sale –Cards DO require RSA cryptographic processing capability –Each card is personalized with the issuer public key certificate, card public key certificate and card private key –Card generates unique signed dynamic application dataper transaction by signing data elements from both the card and terminal with the card private key –Terminal performs RSA cryptographic processing using card public key to authenticate signed dynamic application data –DOES indicate that the card is authenticated offline Copyright © 2012 CONFIDENTIAL

38 Combined Data Authentication (CDA) Dynamic Data Authentication with Application Cryptogram generation (CDA) –The same personalisation requirements as DDA with an additional step during card analysis Cards DO require RSA cryptographic processing capability Card generates a dynamic signature using card private key, in addition to the application cryptogram, to prove that the card authenticated during DDA was the same card that provided the application cryptogram Assists in the detection of an attempted "man-in-the- middle" attack where the fraudster alters data between card and terminal to try to keep the card offline Copyright © 2012 CONFIDENTIAL

Download ppt "EMV 101 Michelle Lehouck EMV Product Manager CPI Card Group."

Similar presentations

Ads by Google