Presentation is loading. Please wait.

Presentation is loading. Please wait.

Online Decision Process

Published byVerity Watson Modified over 8 years ago

Similar presentations

Presentation on theme: "Online Decision Process"— Presentation transcript:

1 Online Decision Process

2 Agenda Chip EMV End-to-End Process Online authentication processes
Online PIN ATC DES cryptography principles CVV / iCVV Chip Online Card Authentication ARQC Chip issuer Authentication ARPC Host decisions – transaction data Stand In Processing (STIP) options Summary

3 Online authentication processes
ISSUER HOST ONLINE – THE TERMINAL SENDS SPECIFIC VALUES TO HOST FOR VALIDATION. Online PIN Encrypted PIN reference value ATC checking Card generated incremental counter iCVV checking Chip card verification value stored in card Online CAM One-time only cryptographic value Generated by card secret DES key

4 Online authentication processes
Traditional Fraud Method Traditional prevention Chip prevention (additional to traditional methods) Skimming (copying magnetic stripe) Nothing SDA or DDA or CDA Online CAM ATC checking Counterfeit CVV Physical Characteristics Lost and stolen / cards not received Activation processes Secure transportation Domestic online PIN Offline Plaintext PIN Offline Enciphered PIN Online PIN

5 Online authentication processes
Fraud Type Traditional prevention Chip prevention (additional to traditional methods) Wire tapping None iCVV Chip Fraud Type (conceptual) Chip prevention Copying SDA Upgrade to DDA or CDA Online CAM Wedge attack – copying DDA Upgrade to CDA Copying iCVV Ensure online CAM Obtaining cardholder PIN None

6 Online PIN On-line PIN validation - use of PIN keys
Uses existing process. No change with EMV LWK LWKà AWK AWKà IWK IWK Acquirer VisaNet Issuer LWK – Local Working Key AWK – Acquirer Working Key IWK – Issuer Working Key

7 Online ATC checking Card contains an internal counter called an Application Transaction Counter (ATC) This value increments by one every time the application is selected This value is sent in the authorisation to the Issuer Issuer can check this value against the previous value held on the host (from the previous online transaction) Expected - If transaction ATC is greater than the previous ATC (below a threshold) HOWEVER If transaction ATC is less than the previous ATC there maybe a problem If transaction ATC is greater than the previous ATC (above a threshold) there maybe a problem

8 DES cryptography principles
Data Encryption Standard (DES) EMV uses double length algorithm. Also known as triple DES or 3DES Very good for privacy and data integrity Input data into a key and produce a value (cryptogram) Cryptogram can be validated with the same input repeated through the same key Two concepts used within payment processing One Master key used to create and validate Two keys used. One to create and One to validate

9 Card Verification Value - CVV
ONE KEY CONCEPT SET-UP Account Number Service Code (101) Expiry Date Issuer Host System (Host Security Module) DES Key fwfoihbbever Unique Card Verification Value (CVV) PROCESS DES Key Recalculate The CVV value and compare fwfoihbbever Account Number Service Code Expiry Date fwfoihbbever

10 Card Verification Value - CVV
ONE KEY CONCEPT If a fraudster ‘wire taps’ a line of a magnetic stripe transaction they will be able to copy the CVV value and generate counterfeit or skimmed cards If the same value was present in a chip transaction (CVV on the chip) the fraudster will still be able to extract the magnetic stripe data and use counterfeit / skimmed cards in a magnetic stripe (only) terminal How can we prevent ‘wire tapping’ of chip transactions?

11 ICC Card Verification Value - iCVV
ONE KEY CONCEPT SET-UP Account Number Service Code Expiry Date (999) (201) Issuer Host System (Host Security Module) DES Key fwfuiygmjju Unique Card Verification Value (iCVV) DETECT THE FRADUSTER IN A MAG STRIPE TERMINAL DES Key Recalculate The CVV value and compare vaeroihqoi X Fail Account Number Service Code (201)(101) Expiry Date fwfuiygmjju 999 will not come online 201 will fail CVV 101 will fail CVV

12 ICC Card Verification Value - iCVV
ONE KEY CONCEPT SET-UP Account Number Service Code Expiry Date (999) (201) Issuer Host System (Host Security Module) DES Key fwfuiygmjju Unique Card Verification Value (iCVV) PROCESS IN A CHIP TERMINAL DES Key Recalculate The iCVV value with (999) and compare fwfuiygmjju Account Number Service Code (201) Expiry Date fwfuiygmjju

13 Chip Online Card Authentication (ARQC/ARPC)
TWO KEY CONCEPT SET-UP Account Number Sequence No: Issuer Host System (Host Security Module) MASTER UNIQUE CARD KEY DES Key DES Key

14 Chip Online Card Authentication (ARQC)
TWO KEY CONCEPT PROCESS Recalculate The ARQC value and compare vairufheiuvaeirufgvergv 4 MASTER ARQC Authorisation ReQuest Cryptogram vairufheiuvaeirufgvergv 2 DES Key 3 UNIQUE CARD KEY DES Key 1 Amount Amount other Terminal Country code Unpredictable number Currency code Date Trans type TVR and CVR AIP ATC

15 Chip Issuer Authentication (ARPC)
TWO KEY CONCEPT PROCESS 1 Create the ARPC value and send to card MASTER ARPC Authorisation ResPonse Cryptogram ruwyvbpasrihfvreuih 2 DES Key 3 ruwyvbpasrihfvreuih UNIQUE CARD KEY DES Key Amount Amount other Terminal Country code Unpredictable number Currency code Date Trans type TVR and CVR AIP ATC

16 Going Online Acquirer Affects
It is important to understand that the Acquirer no longer controls the transaction. The Issuer EMV application controls it. The Acquirer has no access the PKI encryption or the DES encryption. The card has the last say in any transaction. If the ARPC returned does not check out the transaction is stopped by the card and declined. Any override by the merchant or acquirer makes them liable

17 STIP Stand-in Processing (STIP) can still operate
But the entity standing in has to have access to the ARQC/ARPC DES keys and the Signed Static Data encoded on the card. Without these the ARQC cannot be decrypted and checked and the ARPC cannot be encrypted. If this happens the ARPC will fail in the card check and the transaction will be declined.

Download ppt "Online Decision Process"

Similar presentations

Smart Cards Our Inevitable Future Mark Shippy. What are smart cards? Credit card sized plastic card with an embedded chip. Credit card sized plastic card.

Smart Cards Our Inevitable Future Mark Shippy. What are smart cards? Credit card sized plastic card with an embedded chip. Credit card sized plastic card.
Card Verification Support

Card Verification Support
WHAT IS EMV? A joint effort between Europay, MasterCard and Visa It is a security framework that defines the payment interaction at the physical, electrical,

WHAT IS EMV? A joint effort between Europay, MasterCard and Visa It is a security framework that defines the payment interaction at the physical, electrical,
Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.
HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.

HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
CONFIDENTIAL AND PROPRIETARY ©2014 DISCOVER FINANCIAL SERVICES 2014 Discover ® Dealer Incentive Program & EMV Update.

CONFIDENTIAL AND PROPRIETARY ©2014 DISCOVER FINANCIAL SERVICES 2014 Discover ® Dealer Incentive Program & EMV Update.
Cryptography and Network Security

Cryptography and Network Security
1 fairCASH: Concepts and Framework Yen Choon Ching Institute of Computer Science, University of Kiel, Germany Ver 3.1 15 Sept 2008.

1 fairCASH: Concepts and Framework Yen Choon Ching Institute of Computer Science, University of Kiel, Germany Ver Sept 2008.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.

Understanding Networked Applications: A First Course Chapter 14 by David G. Messerschmitt.
Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN 21st ACM Conference on Computer and Communications.

Harvesting High Value Foreign Currency Transactions from EMV Contactless Credit Cards without the PIN 21st ACM Conference on Computer and Communications.
Www.winman.com ©2008 TTW Where “Lean” principles are considered common sense and are implemented with a passion! Product Training Credit Cards.

©2008 TTW Where “Lean” principles are considered common sense and are implemented with a passion! Product Training Credit Cards.
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
Chapter 8 Web Security.

Chapter 8 Web Security.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS eCommerce Technology 20-763 Lecture 9 Micropayments I.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS eCommerce Technology Lecture 9 Micropayments I.
An Introduction to EMV Presented to:

An Introduction to EMV Presented to:
PCI PIN Entry Device Security Requirements PCI PIN Security Standards

PCI PIN Entry Device Security Requirements PCI PIN Security Standards
EMV: The Future is Now. Moderator: Jason Putnam Vice President of Sales, First American Payment Systems Panelists: Patty Walters Senior Vice President.

EMV: The Future is Now. Moderator: Jason Putnam Vice President of Sales, First American Payment Systems Panelists: Patty Walters Senior Vice President.

Similar presentations

Ads by Google