News

Inter-host interface

For banks in the same association to understand each other during transaction authorization, clearing and settlement, they must agree on the syntax and semantics of information exchange within the payment system. The ISO 8583 standard was created for this purpose; it defines the formats and purpose of the messages circulating between banks that are members of the payment association. Issuers and servicing banks can act as both the sender and the recipient of information. The ISO 8583 standard defines the following...

Location of the embossing and magnetic stripe

If the card contains a magnetic stripe, it is located at the top edge on the back of the card. In accordance with the standard, the magnetic stripe and embossing zones do not overlap. Among the financial data embossed on the card, the most important is the card identification number. It is a sequence of digits defined by the ISO/IEC 7812 standard. Note that the card identification number is equivalent to the Primary Account Number (PAN), which is introduced by the ISO/IEC 4909 standard. Therefore, we will refer to the...

Specifications of magnetic stripe cards

By mid-2005, banks participating in the largest international payment systems VISA, MasterCard, American Express, Diners Club, and JCB issued a total of about 3 billion cards to their customers. Plastic cards have become a familiar attribute of today’s everyday life, and it can be argued that many people on our planet are at least generally aware of what plastic cards are and how to use them. However, in order to continue to adhere to a common and understandable terminology, we will briefly describe how non-cash payment systems based on...

Introduction to EMV standards

The most important condition for mass distribution of smart cards is the availability of standards that define their characteristics and functionality. Today, the basic standard for all types of issued cards is ISO/IEC 7816. It is general in nature, defining requirements for electrical and mechanical parameters of the card, communication protocols, file structure, data elements, and the smart card command system. Therefore, in certain areas of human activity, specialized standards are emerging that refine and extend the ISO/IEC 7816 standard...

EMV Card Risk Management Commands

Card Risk Management DOL 1 (CDOL1): 9F 02 06 9F 03 06 9F 1A 02 95 05 5F 2A 02 9A 03 9C 01 9F 37 04 9F 35 01 9F 45 02 9F 4C 08 9F 34 03
• 9F02.6 Amount, Authorized (numeric)
• 9F03.6 Amount, Other (numeric)
• 9F1A.2 Terminal Country Code
• 95.5 Terminal Verification Results
• 5F2A.2 Transaction Currency Code
• 9A.3 Transaction Date
• 9C.1 Transaction Type
• 9F37.4 Unpredictable Number
• 9F35.1 Terminal Type
• 9F45.2 Data Authentication Code (DAC)
• 9F4C.8 ICC Dynamic Number
• 9F34.3 CVM Results

Card Risk Management DOL 2 (CDOL2):...

EMV command analysis

When checking a payment card, the following mandatory steps and optional actions are performed as planned by the user.

Initial analysis of the installed card.
• Card ATR: 3B 6e 00 00 80 31 80 66 B0 84 0C 01 6e 01 83 00 90 00
• contact mode is assumed
• Protocol: t0

Setting the verified payment application as the current application on the card (the operation that starts any payment transaction).
• resets the credit card to eliminate the side effects of previous actions
• install the current application using the SELECT command
• the following...

CDA method for offline data authentication

CDA method. The method of offline data authentication called CDA (Combined Data Authentication) is now the most common for card products. It is the most complex of the offline authentication methods, so analyzing a payment application that uses the CDA method can be difficult. For this reason, a description is provided of the operations that the card and terminal must perform in order to provide offline data authentication using the CDA method. The CDA signature (the certificate provided in the Signed Dynamic Application Data object) is...

Restoring the Issuer’s public key

For a number of actions with the payment application (performing offline data authentication, presenting an encrypted PIN code), the terminal must have the card's public key. To get the card's public key from the payment application data, the terminal must first restore the Issuer's public key from the Issuer's public key certificate, which is signed with the Certification Authority (CA) private key. The following is an algorithm for this process. The terminal performs the following steps to verify the Issuer's public key...

Tracing EMV cryptographic operations

Tracing cryptographic operations. If you enable a trace for data exchange with the card, the log will contain information about the commands sent to the card and the responses received from the card. Fig. 15 shows a fragment of the log with the trace of data exchange with the card enabled (the lines explaining how to work with the card are highlighted in red). For any command, its encoding, the data transmitted with the command, the data received from the card, and the status bytes (the card return code) are displayed. Keep in mind that...

Control the security of the EMV standard

Additional checks. A group of control elements that define additional checks performed during the card analysis process allows you to perform the following checks:
▪ checking the PSE (Payment System Environment)
▪ analysis of the PPSE (Proximity Payment System Environment)
▪ display information from the payment application's transaction log, if supported
▪ getting and analyzing objects using the GET DATA command

The following is a brief description of these additional features for checking the payment application and its...
