Acquiring Card Payments
eBook - ePub

Ilya Dubinsky

  1. 246 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS and Android
About the book

This book delves into the essential concepts and technologies of acquiring systems. It fills the gap left by manuals and standards and provides practical knowledge and insight that allow engineers to navigate systems as well as the massive tomes containing standards and manuals.

Dedicated to card acquiring exclusively, the book covers:

  • Payment cards and protocols
  • EMV contact chip and contactless transactions
  • Disputes, arbitration, and compliance
  • Data security standards in the payment card industry
  • Validation algorithms
  • Code tables
  • Basic cryptography
  • PIN block formats and algorithms

When necessary, the book discusses issuer-side features or standards insofar as they are required for completeness. For example, protocols such as EMV 3-D Secure are not covered in exhaustive detail. Instead, this book provides an overview, justification, and logic behind each message of the protocol and leaves the task of listing all fields and their formats to the standard document itself. The chapter on EMV contact transactions is comprehensive, fully explaining this complex topic in order to provide a basis for understanding EMV contactless transactions.

A guide to behind-the-scenes business processes, relevant industry standards, best practices, and cryptographic algorithms, Acquiring Card Payments covers the essentials so readers can master the standards and latest developments of card payment systems and technology.

Information

Year: 2019
ISBN: 9781000627558
CARD-PRESENT ENVIRONMENT
III
Chapter 5
Contact Chip Transactions
CONTENTS
5.1 Overview
5.1.1 Introduction
5.1.2 “ICC” vs. “EMV card”
5.1.3 ICC Architecture Overview
5.1.4 Card-Terminal Interaction
5.2 ICC Architecture Details
5.2.1 Chip and Antenna Hardware
5.2.2 ICC File System
5.2.2.1 Dedicated Files and AID
5.2.2.2 Elementary Files
5.3 Flow of a Chip Transaction
5.3.1 Overview
5.3.2 Card Interface
5.3.2.1 Answer-to-Reset
5.3.2.2 Command and Response
5.3.2.3 CLA Format
5.3.2.4 INS Values
5.3.2.5 SW1 and SW2
5.3.2.6 SFI
5.3.3 EMV DOLs and Tags
5.3.4 Terminal Verification Results (TVR) and Transaction Status Information (TSI)
5.3.5 Application Selection
5.3.5.1 Indirect Application Selection
5.3.5.2 Direct Application Selection
5.3.5.3 Final Selection
5.3.5.4 File Control Information (FCI)
5.3.6 Initiate Processing
5.3.6.1 Application Interchange Profile
5.3.6.2 Application File Locator
5.3.7 Read Application Data
5.3.8 Offline Card Authentication
5.3.8.1 Common Steps of Offline Authentication
5.3.8.2 Key Chain of Trust
5.3.8.3 Public Key Recovery
5.3.8.4 Signed Data Validation
5.3.8.5 Static Data Authentication (SDA)
5.3.8.6 Dynamic Data Authentication (DDA)
5.3.8.7 Combined Data Authentication (CDA)
5.3.9 Processing Restrictions
5.3.9.1 Application Version Number
5.3.9.2 Application Usage Control
5.3.9.3 Application Effective and Expiration Date
5.3.10 Cardholder Verification
5.3.10.1 Amount Fields
5.3.10.2 Cardholder Verification Rules
5.3.10.3 CVM Results
5.3.10.4 Example of a CVM List
5.3.10.5 Offline PIN Verification
5.3.10.6 Online PIN Verification
5.3.11 Terminal Risk Management
5.3.11.1 Offline Authorization and Terminal Risk Management
5.3.11.2 Floor Limit
5.3.11.3 Random Transaction Selection
5.3.11.4 Velocity Checking
5.3.12 Terminal Action Analysis
5.3.13 Generation of Cryptograms and Issuer Authentication
5.3.13.1 Card Action Analysis
5.3.13.2 Generate AC (GAC) Command
5.3.14 Script Processing
5.3.15 Transaction Completion
5.1 Overview
5.1.1 Introduction
Introducing an entirely new, complicated technology profoundly affects card issuers as well as acquirers. It requires a nearly complete renewal of terminal, network and card production inventory, and is an expensive and disruptive move. However, in the eyes of major industry stakeholders the move was justified for two reasons: combatting fraud and allowing smarter offline authorizations.
A card with a magnetic stripe is not hard to skim and replicate. As the prices of electronics plummeted and skimming devices grew smaller, it became possible for fraudster waiters to swipe the card inconspicuously on their way to the cashier. After such a swipe the card could be replicated and reused for fraudulent purchases.
Magnetic stripe technology made offline transaction authorization possible but imposed high risks on scheme participants, as no limits on the number or amounts of offline authorizations could be enforced efficiently.
To address both issues, scheme participants undertook a major technological transition to integrated circuit cards (ICCs), in effect embedding a small and very secure computer into each card.
Thus, the card becomes smart enough to maintain internal counters in a manner independent of the capabilities and integrity of a particular terminal, and to rely on cryptographic methods to authenticate cards and transactions. In addition, as faking a chip card is extremely hard, issuers are able to delegate some authority to the card itself, allowing it to approve transactions offline.
The terminal, in turn, has to be sufficiently sophisticated to participate in a meaningful dialog with the card. This includes not only the obvious ability to communicate physically with the chip via a contact or contactless link, but also support for the appropriate communication protocol and application-level logic, including cryptographic means of data encryption and signature validation.
5.1.2 “ICC” vs. “EMV card”
In the context of payments, the terms “ICC” and “EMV card” are frequently used interchangeably. That, however, is imprecise.
The term “ICC”, if used more accurately, refers to an ISO/IEC 7816-compatible chip card, also called a smart card. The term “EMV card” refers to a card that is compatible with a version of the EMV specification. It follows that every EMV card is an ICC but not necessarily vice versa.
To begin with, all GSM SIM cards are built using ICC technology and are essentially ICCs with smaller form factors. But even without considering this example, the areas in which ICCs are used go well beyond the boundaries of the EMV standard.
Smart cards can be used as means to achieve higher security during authentication, for example, to facilitate single sign-on in sensitive environments. Also, most HSMs rely on proprietary smart card solutions to store key components.
Governments are increasingly using smart cards for identification. For example, Turkey has relied on ICCs for its drivers’ licenses since 1987, and EU countries such as Belgium and Estonia have transitioned to smart card government IDs.
ICCs were (and still are, although decreasingly) used as electronic wallets not requiring a connection to a bank or processing host in order to perform a payment.
Smart cards are also widely used as transit tickets especially since contactless technology was introduced and gradually became affordable. Tapping a card on a terminal is much faster than having the bus driver punch a hole in a multi-ride ticket.
Furthermore, as described in more detail below, because an ICC can host multiple applications, a single card can perform multiple functions.
Thus, many educational institutions around the globe have introduced student cards providing secure student identification and serving as a digital wallet for purchase of goods and services around the campus. Banks sometimes issue payment cards with applications from several card brands bundled together. In some regions banks issue a combined transit/payment card that can be used both as a transit pass and a payment card (such as OysterPass card in London or Troika card in Moscow).
In subsequent chapters we cover the minimum necessary subset of ICC ISO standards and refer to EMV standards when the latter supplant or extend the former.
5.1.3 ICC Architecture Overview
As mentioned above, the notion of an Integrated Circuit Card means that a “small and secure” computer is embedded ...
