Online Decision Process


Agenda
Chip EMV End-to-End Process
Online authentication processes
Online PIN
ATC
DES cryptography principles
CVV / iCVV
Chip Online Card Authentication ARQC
Chip issuer Authentication ARPC
Host decisions – transaction data
Stand In Processing (STIP) options
Summary

Online authentication processes
ISSUER HOST ONLINE – THE TERMINAL SENDS SPECIFIC VALUES TO HOST FOR VALIDATION.
Online PIN: Encrypted PIN reference value
ATC checking: Card generated incremental counter
iCVV checking: Chip card verification value stored in card
Online CAM: One-time only cryptographic value, generated by card secret DES key

Online authentication processes Traditional Fraud Method Traditional prevention Chip prevention (additional to traditional methods) Skimming (copying magnetic stripe) Nothing SDA or DDA or CDA Online CAM ATC checking Counterfeit CVV Physical Characteristics Lost and stolen / cards not received Activation processes Secure transportation Domestic online PIN Offline Plaintext PIN Offline Enciphered PIN Online PIN

Online authentication processes
Fraud Type | Traditional prevention | Chip prevention (additional to traditional methods)
Wire tapping | None | iCVV

Chip Fraud Type (conceptual) | Chip prevention
Copying SDA | Upgrade to DDA or CDA; Online CAM
Wedge attack – copying DDA | Upgrade to CDA
Copying iCVV | Ensure online CAM
Obtaining cardholder PIN | None

Online PIN
On-line PIN validation - use of PIN keys
Uses existing process. No change with EMV.
[Diagram: PIN key translation LWK, LWK → AWK, AWK → IWK, IWK across Acquirer, VisaNet and Issuer]
LWK – Local Working Key
AWK – Acquirer Working Key
IWK – Issuer Working Key

Online ATC checking
Card contains an internal counter called an Application Transaction Counter (ATC).
This value increments by one every time the application is selected.
This value is sent in the authorisation to the Issuer.
Issuer can check this value against the previous value held on the host (from the previous online transaction).
Expected: transaction ATC is greater than the previous ATC (below a threshold).
HOWEVER
If transaction ATC is less than the previous ATC there may be a problem.
If transaction ATC is greater than the previous ATC (above a threshold) there may be a problem.

DES cryptography principles
Data Encryption Standard (DES)
EMV uses double length algorithm. Also known as triple DES or 3DES.
Very good for privacy and data integrity.
Input data into a key and produce a value (cryptogram).
Cryptogram can be validated with the same input repeated through the same key.
Two concepts used within payment processing:
One Master key used to create and validate.
Two keys used. One to create and one to validate.

Card Verification Value - CVV
ONE KEY CONCEPT
SET-UP: Account Number, Service Code (101) and Expiry Date are passed through the DES key in the Issuer Host System (Host Security Module) to produce the unique Card Verification Value (CVV), illustrated as "fwfoihbbever".
PROCESS: Account Number, Service Code and Expiry Date are passed through the same DES key to recalculate the CVV value and compare; the recalculated value ("fwfoihbbever") matches.

Card Verification Value - CVV
ONE KEY CONCEPT
If a fraudster ‘wire taps’ a line of a magnetic stripe transaction they will be able to copy the CVV value and generate counterfeit or skimmed cards.
If the same value was present in a chip transaction (CVV on the chip) the fraudster will still be able to extract the magnetic stripe data and use counterfeit / skimmed cards in a magnetic stripe (only) terminal.
How can we prevent ‘wire tapping’ of chip transactions?

ICC Card Verification Value - iCVV
ONE KEY CONCEPT
SET-UP: Account Number, Service Code and Expiry Date are passed through the DES key in the Issuer Host System (Host Security Module) to produce the unique Card Verification Value (iCVV), illustrated as "fwfuiygmjju". Service code (999) is used in place of (201).
DETECT THE FRAUDSTER IN A MAG STRIPE TERMINAL: Account Number, Service Code (201) or (101) and Expiry Date are passed through the DES key to recalculate the CVV value and compare; the recalculated value ("vaeroihqoi") does not match the copied iCVV ("fwfuiygmjju"), so the check fails.
999 will not come online
201 will fail CVV
101 will fail CVV

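ICC Card Verification Value - iCVV
ONE KEY CONCEPT
SET-UP: Account Number, Service Code and Expiry Date are passed through the DES key in the Issuer Host System (Host Security Module) to produce the unique Card Verification Value (iCVV), illustrated as "fwfuiygmjju". Service code (999) is used in place of (201).
PROCESS IN A CHIP TERMINAL: the transaction carries Account Number, Service Code (201) and Expiry Date; the host recalculates the iCVV value with (999) through the DES key and compares; the recalculated value ("fwfuiygmjju") matches.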

Chip Online Card Authentication (ARQC/ARPC)
TWO KEY CONCEPT
SET-UP
[Diagram: Account Number and Sequence No; Issuer Host System (Host Security Module) with the MASTER DES key; card with the UNIQUE CARD KEY DES key]

Chip Online Card Authentication (ARQC)
TWO KEY CONCEPT
PROCESS
Input data: Amount, Amount other, Terminal Country code, Unpredictable number, Currency code, Date, Trans type, TVR and CVR, AIP, ATC
Card: the data is passed through the UNIQUE CARD KEY (DES key) to produce the ARQC (Authorisation ReQuest Cryptogram).
Issuer host: with the MASTER DES key, recalculate the ARQC value and compare.

Chip Issuer Authentication (ARPC)
TWO KEY CONCEPT
PROCESS
Input data: Amount, Amount other, Terminal Country code, Unpredictable number, Currency code, Date, Trans type, TVR and CVR, AIP, ATC
Issuer host: with the MASTER DES key, create the ARPC (Authorisation ResPonse Cryptogram) value and send to card.
Card: the ARPC is checked with the UNIQUE CARD KEY (DES key).

Going Online
Acquirer Effects
It is important to understand that the Acquirer no longer controls the transaction. The Issuer EMV application controls it.
The Acquirer has no access to the PKI encryption or the DES encryption.
The card has the last say in any transaction. If the ARPC returned does not check out, the transaction is stopped by the card and declined.
Any override by the merchant or acquirer makes them liable.

STIP
Stand-in Processing (STIP) can still operate, but the entity standing in has to have access to the ARQC/ARPC DES keys and the Signed Static Data encoded on the card.
Without these the ARQC cannot be decrypted and checked and the ARPC cannot be encrypted.
If this happens the ARPC will fail in the card check and the transaction will be declined.
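
The ATC check and the ARQC/ARPC exchange from the slides above, as an added Python example that is not part of the original presentation. HMAC-SHA256 stands in for the 3DES key derivation and cryptogram; the master key, sample transaction, gap threshold, response codes and ARPC input layout are assumptions made for the example.

```python
import hashlib
import hmac

MASTER_KEY = bytes(range(16))  # constructed demo key; real master keys stay in the HSM
ATC_GAP_THRESHOLD = 20         # assumed issuer policy, not a value from the slides
FIELDS = ("amount", "amount_other", "terminal_country", "unpredictable_number",
          "currency", "date", "trans_type", "tvr", "cvr", "aip", "atc")
SAMPLE_TXN = {"amount": 2500, "amount_other": 0, "terminal_country": "826",
              "unpredictable_number": "9F3A11C4", "currency": "826",
              "date": "240115", "trans_type": "00", "tvr": "0000008000",
              "cvr": "03A00000", "aip": "5C00", "atc": 42}  # constructed sample

def mac8(key, data):
    """Stand-in for the 3DES cryptogram: HMAC-SHA256 truncated to 8 bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

def derive_card_key(pan, psn, master=MASTER_KEY):
    """Unique card key from the master key, account number and sequence number."""
    return hmac.new(master, f"{pan}|{psn}".encode(), hashlib.sha256).digest()[:16]

def cryptogram_input(txn):
    """Serialise the transaction data fields in a fixed order."""
    return "|".join(str(txn[f]) for f in FIELDS).encode()

def card_generate_arqc(card_key, txn):
    """Card side: cryptogram over the transaction data with the unique card key."""
    return mac8(card_key, cryptogram_input(txn))

def check_atc(atc, previous_atc):
    """Compare the transaction ATC with the last ATC held on the host."""
    if atc <= previous_atc:  # equal is treated like "less than" (assumption)
        return "ATC_NOT_INCREASED"
    if atc - previous_atc > ATC_GAP_THRESHOLD:
        return "ATC_GAP_TOO_LARGE"
    return "OK"

def host_authorise(pan, psn, txn, arqc, previous_atc):
    """Issuer host: recalculate and compare the ARQC, check the ATC, build the ARPC."""
    card_key = derive_card_key(pan, psn)
    if not hmac.compare_digest(mac8(card_key, cryptogram_input(txn)), arqc):
        return "DECLINE_ARQC_MISMATCH", None
    atc_state = check_atc(txn["atc"], previous_atc)
    code = b"00" if atc_state == "OK" else b"05"  # assumed approve / decline codes
    decision = "APPROVE" if atc_state == "OK" else "DECLINE_" + atc_state
    return decision, mac8(card_key, arqc + code)  # ARPC input layout is an assumption

def card_verify_arpc(card_key, arqc, code, arpc):
    """Card side: an ARPC that does not check out stops the transaction."""
    return hmac.compare_digest(mac8(card_key, arqc + code), arpc)
```

A stand-in processor that derives the card key from a different master key produces an ARPC that `card_verify_arpc` rejects, which is the STIP failure case described above.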