Acquiring Card Payments
Ilya Dubinsky

  1. 246 pages
  2. English
About This Book

This book delves into the essential concepts and technologies of acquiring systems. It fills the gap left by manuals and standards and provides practical knowledge and insight that allow engineers to navigate systems as well as the massive tomes containing standards and manuals.

Dedicated to card acquiring exclusively, the book covers:

  • Payment cards and protocols
  • EMV contact chip and contactless transactions
  • Disputes, arbitration, and compliance
  • Data security standards in the payment card industry
  • Validation algorithms
  • Code tables
  • Basic cryptography
  • PIN block formats and algorithms

When necessary, the book discusses issuer-side features or standards insomuch as they are required for the sake of completeness. For example, protocols such as EMV 3-D Secure are not covered to the last exhaustive detail. Instead, this book provides an overview, justification, and logic behind each message of the protocol and leaves the task of listing all fields and their formats to the standard document itself. The chapter on EMV contact transactions is comprehensive in order to fully explain this complex topic and provide a basis for understanding EMV contactless transactions.

A guide to behind-the-scenes business processes, relevant industry standards, best practices, and cryptographic algorithms, Acquiring Card Payments covers the essentials so readers can master the standards and latest developments of card payment systems and technology.

Information

Year: 2019
ISBN: 9781000627558
Edition: 1

III CARD-PRESENT ENVIRONMENT
Chapter 5
Contact Chip Transactions
CONTENTS
5.1 Overview
5.1.1 Introduction
5.1.2 “ICC” vs. “EMV card”
5.1.3 ICC Architecture Overview
5.1.4 Card-Terminal Interaction
5.2 ICC Architecture Details
5.2.1 Chip and Antenna Hardware
5.2.2 ICC File System
5.2.2.1 Dedicated Files and AID
5.2.2.2 Elementary Files
5.3 Flow of a Chip Transaction
5.3.1 Overview
5.3.2 Card Interface
5.3.2.1 Answer-to-Reset
5.3.2.2 Command and Response
5.3.2.3 CLA Format
5.3.2.4 INS Values
5.3.2.5 SW1 and SW2
5.3.2.6 SFI
5.3.3 EMV DOLs and Tags
5.3.4 Terminal Verification Results (TVR) and Transaction Status Information (TSI)
5.3.5 Application Selection
5.3.5.1 Indirect Application Selection
5.3.5.2 Direct Application Selection
5.3.5.3 Final Selection
5.3.5.4 File Control Information (FCI)
5.3.6 Initiate Processing
5.3.6.1 Application Interchange Profile
5.3.6.2 Application File Locator
5.3.7 Read Application Data
5.3.8 Offline Card Authentication
5.3.8.1 Common Steps of Offline Authentication
5.3.8.2 Key Chain of Trust
5.3.8.3 Public Key Recovery
5.3.8.4 Signed Data Validation
5.3.8.5 Static Data Authentication (SDA)
5.3.8.6 Dynamic Data Authentication (DDA)
5.3.8.7 Combined Data Authentication (CDA)
5.3.9 Processing Restrictions
5.3.9.1 Application Version Number
5.3.9.2 Application Usage Control
5.3.9.3 Application Effective and Expiration Date
5.3.10 Cardholder Verification
5.3.10.1 Amount Fields
5.3.10.2 Cardholder Verification Rules
5.3.10.3 CVM Results
5.3.10.4 Example of a CVM List
5.3.10.5 Offline PIN Verification
5.3.10.6 Online PIN Verification
5.3.11 Terminal Risk Management
5.3.11.1 Offline Authorization and Terminal Risk Management
5.3.11.2 Floor Limit
5.3.11.3 Random Transaction Selection
5.3.11.4 Velocity Checking
5.3.12 Terminal Action Analysis
5.3.13 Generation of Cryptograms and Issuer Authentication
5.3.13.1 Card Action Analysis
5.3.13.2 Generate AC (GAC) Command
5.3.14 Script Processing
5.3.15 Transaction Completion
5.1 Overview
5.1.1 Introduction
Introducing an entirely new, complicated technology profoundly affects card issuers as well as acquirers. It requires a nearly complete renewal of terminal, network and card production inventory, and is an expensive and disruptive move. However, in the eyes of major industry stakeholders the move was justified for two reasons: combating fraud and allowing smarter offline authorizations.
A card with a magnetic stripe is not hard to skim and replicate, and as the prices for electronics plummeted and skimming devices grew smaller, it became possible for fraudster waiters to swipe a card inconspicuously on their way to the cashier. After such a swipe the card could be replicated and reused for fraudulent purchases.
Magnetic stripe technology made offline transaction authorization possible but imposed high risks on scheme participants, as no limits on the number or amounts of offline authorizations could be efficiently imposed.
To address both issues scheme participants undertook a major technological transition to integrated circuit cards (ICCs), embedding in effect a small and very secure computer into each card.
Thus, the card becomes smart enough to maintain internal counters independently of the capabilities and integrity of a particular terminal, and to rely on cryptographic methods to authenticate cards and transactions. In addition, as faking a chip card is extremely hard, issuers are able to delegate some authority to the card itself, allowing it to approve transactions offline.
The terminal, in turn, has to be sufficiently sophisticated to participate in a meaningful dialog with the card. This includes not only the obvious ability to physically communicate with the chip via a contact or contactless link, but also support for the appropriate communication protocol and application-level logic, including cryptographic means of data encryption and signature validation.
5.1.2 “ICC” vs. “EMV card”
In the context of payment, the terms “ICC” and “EMV card” are frequently used interchangeably. That, however, is imprecise.
The term “ICC”, if used more accurately, refers to an ISO/IEC 7816-compatible chip card, also called a smart card. The term “EMV card” refers to a card that is compatible with a version of the EMV specification. It follows that every EMV card is an ICC but not necessarily vice versa.
To begin with, all GSM SIM cards are built using ICC technology and essentially are ICCs with smaller form factors. But even without considering this example, the areas in which ICCs are used go well beyond the boundaries of the EMV standard.
Smart cards can be used as a means to achieve higher security during authentication, for example, to facilitate single sign-on in sensitive environments. Also, most HSMs rely on proprietary smart card solutions to store key components.
Governments are increasingly using smart cards for identification. For example, Turkey has relied on ICCs for its drivers’ licenses since 1987, and EU countries such as Belgium and Estonia have transitioned to smart card government IDs.
ICCs were (and still are, although decreasingly) used as electronic wallets that do not require a connection to a bank or processing host in order to perform a payment.
Smart cards are also widely used as transit tickets, especially since contactless technology was introduced and gradually became affordable. Tapping a card on a terminal is much faster than having the bus driver punch a hole in a multi-ride ticket.
Furthermore, as described in more detail below, because an ICC can host multiple applications, a single card can perform multiple functions.
Thus, many educational institutions around the globe have introduced student cards that provide secure student identification and serve as a digital wallet for the purchase of goods and services around the campus. Banks sometimes issue payment cards with applications from several card brands bundled together. In some regions banks issue a combined transit/payment card that can be used both as a transit pass and a payment card (such as OysterPass card in London or Troika card in Moscow).
In subsequent chapters we cover a minimum necessary subset of ICC ISO standards and refer to EMV standards when the latter supplant or extend the former.
5.1.3 ICC Architecture Overview
As mentioned above, the notion of an Integrated Circuit Card means that a “small and secure” computer is embedded ...
