Acquiring Card Payments
eBook - ePub

Ilya Dubinsky

  1. 246 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android

About this book

This book delves into the essential concepts and technologies of acquiring systems. It fills the gap left by manuals and standards and provides practical knowledge and insight that allow engineers to navigate systems as well as the massive tomes containing standards and manuals.

Dedicated to card acquiring exclusively, the book covers:

  • Payment cards and protocols
  • EMV contact chip and contactless transactions
  • Disputes, arbitration, and compliance
  • Data security standards in the payment card industry
  • Validation algorithms
  • Code tables
  • Basic cryptography
  • PIN block formats and algorithms

When necessary, the book discusses issuer-side features or standards insomuch as they are required for the sake of completeness. For example, protocols such as EMV 3-D Secure are not covered to the last exhaustive detail. Instead, this book provides an overview, justification, and logic behind each message of the protocol and leaves the task of listing all fields and their formats to the standard document itself. The chapter on EMV contact transactions is comprehensive, fully explaining this complex topic in order to provide a basis for understanding EMV contactless transactions.

A guide to behind-the-scenes business processes, relevant industry standards, best practices, and cryptographic algorithms, Acquiring Card Payments covers the essentials so readers can master the standards and latest developments of card payment systems and technology.


Information

Year
2019
ISBN
9781000627558
CARD-PRESENT ENVIRONMENT
III
Chapter 5
Contact Chip Transactions
CONTENTS
5.1 Overview
5.1.1 Introduction
5.1.2 “ICC” vs. “EMV card”
5.1.3 ICC Architecture Overview
5.1.4 Card-Terminal Interaction
5.2 ICC Architecture Details
5.2.1 Chip and Antenna Hardware
5.2.2 ICC File System
5.2.2.1 Dedicated Files and AID
5.2.2.2 Elementary Files
5.3 Flow of a Chip Transaction
5.3.1 Overview
5.3.2 Card Interface
5.3.2.1 Answer-to-Reset
5.3.2.2 Command and Response
5.3.2.3 CLA Format
5.3.2.4 INS Values
5.3.2.5 SW1 and SW2
5.3.2.6 SFI
5.3.3 EMV DOLs and Tags
5.3.4 Terminal Verification Results (TVR) and Transaction Status Information (TSI)
5.3.5 Application Selection
5.3.5.1 Indirect Application Selection
5.3.5.2 Direct Application Selection
5.3.5.3 Final Selection
5.3.5.4 File Control Information (FCI)
5.3.6 Initiate Processing
5.3.6.1 Application Interchange Profile
5.3.6.2 Application File Locator
5.3.7 Read Application Data
5.3.8 Offline Card Authentication
5.3.8.1 Common Steps of Offline Authentication
5.3.8.2 Key Chain of Trust
5.3.8.3 Public Key Recovery
5.3.8.4 Signed Data Validation
5.3.8.5 Static Data Authentication (SDA)
5.3.8.6 Dynamic Data Authentication (DDA)
5.3.8.7 Combined Data Authentication (CDA)
5.3.9 Processing Restrictions
5.3.9.1 Application Version Number
5.3.9.2 Application Usage Control
5.3.9.3 Application Effective and Expiration Date
5.3.10 Cardholder Verification
5.3.10.1 Amount Fields
5.3.10.2 Cardholder Verification Rules
5.3.10.3 CVM Results
5.3.10.4 Example of a CVM List
5.3.10.5 Offline PIN Verification
5.3.10.6 Online PIN Verification
5.3.11 Terminal Risk Management
5.3.11.1 Offline Authorization and Terminal Risk Management
5.3.11.2 Floor Limit
5.3.11.3 Random Transaction Selection
5.3.11.4 Velocity Checking
5.3.12 Terminal Action Analysis
5.3.13 Generation of Cryptograms and Issuer Authentication
5.3.13.1 Card Action Analysis
5.3.13.2 Generate AC (GAC) Command
5.3.14 Script Processing
5.3.15 Transaction Completion
5.1 Overview
5.1.1 Introduction
Introducing an entirely new, complicated technology profoundly affects card issuers as well as acquirers, requires a nearly complete renewal of terminal, network and card production inventory, and is an expensive and disruptive move. However, in the eyes of major industry stakeholders the move was justified for two reasons: combatting fraud and allowing smarter offline authorizations.
A card with a magnetic stripe is not hard to skim and replicate, and as the prices of electronics plummeted and skimming devices grew smaller, it became possible for fraudster waiters to swipe it inconspicuously on their way to the cashier. After such a swipe the card could be replicated and reused for fraudulent purchases.
Magnetic stripe technology made offline transaction authorization possible but imposed high risks on scheme participants, as no limits on the number or amounts of offline authorizations could be efficiently imposed.
To address both issues scheme participants undertook a major technological transition to integrated circuit cards (ICCs), embedding in effect a small and very secure computer into each card.
Thus, the card becomes smart enough to maintain internal counters in a manner independent from the capabilities and integrity of a particular terminal and rely on cryptographic methods to authenticate cards and transactions. In addition, as faking a chip card is extremely hard, issuers are able to delegate some authority to the card itself allowing it to approve transactions offline.
The terminal, in turn, has to be sufficiently sophisticated to participate in a meaningful dialog with the card. This includes not only the obvious ability to communicate physically with the chip via a contact or contactless link, but also support for the appropriate communication protocol and application-level logic, including cryptographic means of data encryption and signature validation.
5.1.2 “ICC” vs. “EMV card”
In the context of payment, the terms “ICC” and “EMV card” are frequently used interchangeably. That, however, is imprecise.
The term “ICC”, if used more accurately, refers to an ISO/IEC 7816-compatible chip card, also called a smart card. The term “EMV card” refers to a card that is compatible with a version of the EMV specification. It follows that every EMV card is an ICC but not necessarily vice versa.
To begin with, all GSM SIM cards are built using the ICC technology and essentially are ICCs with smaller form factors. But even without considering this example, the areas in which ICCs are used go way beyond the boundaries of the EMV standard.
Smart cards can be used as means to achieve higher security during authentication, for example, to facilitate single sign-on in sensitive environments. Also, most HSMs rely on proprietary smart card solutions to store key components.
Governments are increasingly using smart cards for identification. For example, Turkey has relied on ICCs for its drivers’ licenses since 1987, and EU countries such as Belgium and Estonia have transitioned to smart card government IDs.
ICCs were (and still are, although decreasingly) used as electronic wallets not requiring a connection to a bank or processing host in order to perform a payment.
Smart cards are also widely used as transit tickets especially since contactless technology was introduced and gradually became affordable. Tapping a card on a terminal is much faster than having the bus driver punch a hole in a multi-ride ticket.
Furthermore, as described in more detail below, because an ICC can host multiple applications, a single card can perform multiple functions.
Thus, many educational institutions around the globe have introduced student cards providing secure student identification and serving as a digital wallet for purchase of goods and services around the campus. Banks sometimes issue payment cards with applications from several card brands bundled together. In some regions banks issue a combined transit/payment card that can be used both as a transit pass and a payment card (such as OysterPass card in London or Troika card in Moscow).
In subsequent chapters we cover a minimum necessary subset of ICC ISO standards and refer to EMV standards when the latter supplant or extend the former.
5.1.3 ICC Architecture Overview
As mentioned above, the notion of an Integrated Circuit Card means that a “small and secure” computer is embedded ...
