EMV Application Data

Like magnetic stripe cards, EMV applications also have openly readable data. Although the application itself cannot be read, and the keys and PIN cannot be retrieved, the open application data is always accessible.

What kind of data are we talking about?

The picture above is an indicative list of the data stored inside the EMV application. Of course, for each specific application, it may be slightly different. At this stage, it is important to note that the client’s personal information is not stored in the EMV application. Indeed, the larger memory capacity of the chip allows payment systems and banks to store more information on the card – however, the client’s personal information is not there.

The previous picture clearly illustrates that the card stores a lot of technical data necessary for efficient operations and access to the account. EMV application data is organized into records (sometimes called tracks). A list of them is returned in response to the Get Processing Options command. A specific record can be read using the Read Record command. A record may contain key certificates, the card number (PAN – Primary Account Number), the CVM list (Card Verification Methods list), and a lot of other information. Reading these records is very similar to reading tracks from a magnetic stripe. The technical settings of the card, counters and limits can be obtained using the Get Data command, specifying the required data type.

Interestingly, almost all data on the cardholder’s account and application settings can be read from the card without any difficulty. The only things that cannot be reached are the application keys and the value of the PIN.
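The Get Processing Options / Read Record flow described above, as an added example that is not part of the original article: it decodes a GPO response into the record list and the Read Record commands a terminal would issue, and reports which offline data authentication methods (SDA, DDA, CDA) the card advertises. The function names and the sample response are constructed for illustration; the byte layouts follow the public EMV specification.

```python
def parse_tlv(data):
    """Walk a flat BER-TLV string (one/two-byte tags, short/long lengths)."""
    out, i = {}, 0
    try:
        while i < len(data):
            tag = data[i]; i += 1
            if tag & 0x1F == 0x1F:               # second tag byte follows
                tag = (tag << 8) | data[i]; i += 1
            length = data[i]; i += 1
            if length & 0x80:                    # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big"); i += n
            if i + length > len(data):
                raise ValueError("truncated TLV value")
            out[tag] = data[i:i + length]; i += length
    except IndexError:
        raise ValueError("truncated TLV header") from None
    return out

def parse_gpo(resp):
    """Return (AIP, AFL) from a GPO response body with SW1 SW2 removed."""
    top = parse_tlv(resp)
    if 0x80 in top:                              # format 1: AIP || AFL
        aip, afl = top[0x80][:2], top[0x80][2:]
    elif 0x77 in top:                            # format 2: tags 82 and 94
        inner = parse_tlv(top[0x77])
        aip, afl = inner.get(0x82, b""), inner.get(0x94, b"")
    else:
        raise ValueError("not a GPO response template")
    if len(aip) != 2 or len(afl) % 4:
        raise ValueError("malformed AIP or AFL")
    return aip, afl

def offline_auth_methods(aip):
    flags = {0x40: "SDA", 0x20: "DDA", 0x01: "CDA"}   # AIP byte 1 bits
    return [name for bit, name in flags.items() if aip[0] & bit]

def read_record_apdus(afl):
    """Expand each 4-byte AFL entry into (sfi, record, in_oda, apdu)."""
    cmds = []
    for i in range(0, len(afl), 4):
        sfi, first, last, n_oda = afl[i] >> 3, afl[i + 1], afl[i + 2], afl[i + 3]
        if not (1 <= sfi <= 30 and 1 <= first <= last):
            raise ValueError("invalid AFL entry")
        for rec in range(first, last + 1):
            apdu = bytes([0x00, 0xB2, rec, (sfi << 3) | 0x04, 0x00])
            cmds.append((sfi, rec, rec < first + n_oda, apdu))
    return cmds

# Constructed sample: format 2 response, AIP 3C00, two AFL entries.
SAMPLE_GPO = bytes.fromhex("77 0e 82 02 3c 00 94 08 08 01 01 00 10 01 03 01")
```

The `in_oda` flag marks the records that are covered by offline data authentication, so a change to those records is detected when the terminal verifies the card's signed data.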

Can I copy data from one chip card to another?

If you have a card with a “clean” (not personalized) application, then this is technically feasible. However, because the card keys cannot be copied, the application will generate incorrect transaction signatures. As a result, the issuer will reject any online transactions. The lack of keys also rules out CDA / DDA authentication. The only gap is offline SDA. However, SDA as the only authentication method is now considered obsolete. Next, we will consider in detail how the EMV transaction is protected.

Can I copy EMV application data to a magnetic strip?

From the data of the EMV application, it is possible to compose tracks for a card with a magnetic stripe, with the exception of one small parameter – the Service Code. In the EMV application data, the service code tells the terminal that the transaction should be conducted using the card application. If you take this code “as is” and copy it onto the magnetic track, the terminal will try to complete the transaction using the application. It would seem that you can edit the service code, but data integrity is protected by the CVV / CVC code, which is the closest analogue to a digital signature.

It feels like the EMV card is copy protected on all sides, although one trivial possibility is still known. For compatibility, manufacturers produce a combined type of EMV card, that is, one with both a microprocessor and a magnetic stripe. It is possible to copy the magnetic stripe data to another combined card with an inoperative chip (clean or burned) and try to carry out the so-called fallback (if it is impossible to read the chip, the terminal performs the operation using the magnetic stripe). Currently, such operations are not welcomed by payment systems, and the risk of these operations lies with the acquirer or issuer.

There are two different (although they perform the same function) options for conducting a payment transaction – online and offline. Above, we broadly considered an online transaction, which the issuer confirms in real time. An offline transaction is carried out by the terminal without immediate confirmation by the bank. Such transactions are used for operations with low risk or in the case of, for example, lack of communication with the issuing bank.

For these two types of transactions, there are two types of authentication, respectively – online and offline. Online authentication is performed with the participation of the issuer, while offline authentication is confirmed by the payment terminal. It should be clarified that during an online transaction, both online and offline authentication can be performed simultaneously (if both the card and the terminal support this). Despite the redundancy of the scheme, at the authentication stage it is not always clear in what mode the transaction will take place.

The security features discussed below are only part of the EMV transaction. In addition to authentication, the security functions include risk assessment of the transaction and verification of the cardholder (online and offline PIN, transaction amount, country, currency, etc.).