1. Presented by David Cole Changing the Card – Scripts

2.  Chip EMV End-to-End Process  What is a script?  Risk protection  How does a script work?  What can the Issuer change in the card?  Common transaction data scripts  Common account status scripts  Summary Agenda

3. Chip End-to-End process ATC checking Online CAM Script processing Offline Authentication Terminal Risk Management Card Risk Management iCVV checking ISSUER HOST Online PIN AUTHORISATIONS Cardholder verification method

4. What is a script ISSUER HOST ISSUER HOST HAS THE ABILITY TO CHANGE CERTAIN VALUES IN THE CARD OR BLOCK/UNBLOCK USAGE TRANSACTION MANAGEMENT  Offline usage values  Domestic offline currency values ACCOUNT MANAGEMENT  Block card usage  Block application usage  PIN change processing

5. Risk protection  Tools provided to the Risk Manager to enhance the following strategies:  Card pick-up and usage  Offline PIN usage  Credit risk control and card usage (online v offline)

6. How does script work? SET-UP Issuer Host System (Host Security Module) DES Key MASTER MAC UNIQUE CARD MAC DES Key MASTER ENC UNIQUE CARD ENC DES Key TWO KEY CONCEPT ENC – Encipherment Key, used for data integrity (has not changed) MAC – Message Authentication Code Provides a secure message, authenticating the Issuer

7. How does script work? PROCESS IN AUTHORISATION RESPONSE TWO KEY CONCEPT Issuer Host System (Host Security Module) DES Key MASTER DES Key MASTER UNIQUE CARD MAC DES Key UNIQUE CARD ENC DES Key ENC – Encipherment Key, used for data integrity (has not changed) MAC – Message Authentication Code Provides a secure message, authenticating the Issuer Authorised message From the Issuer aoiafjaopi Change me! gbtgjgrnerr

8. What can an Issuer change in the card? Script’s supported today Application block Application un-block Card block (cannot be reversed) PIN Change / unblock Lower Consecutive Offline Limit LCOL (Domestic) Upper Consecutive Offline Limit UCOL (Domestic) Consecutive Transaction Limit (International) Domestic transaction offline amount limits Transaction offline amount limit (2 nd currency) Currency conversion factor (2 nd currency) VLP Funds limit VLP Single transaction limit

9. What can an Issuer change in the card? Transaction data Description Do we send a script (E.g. block card, application or reset LCOL) Data Authentication not performed No Script Data Authentication failed No Script ICC Data missing No Script Card Appears on terminal exception No Script ICC and Terminal have different version No Script Expired application Block Card Application not yet effective No Script Requested service is not allowed this card product Block Card (check card IAC!) New cardNo Script Cardholder verification was not successful No Script

10. What can an Issuer change in the card? Description Do we send a script (E.g. block card, application or reset LCOL) Unrecognised CVMNo Script PIN try limit exceededNo Script PIN entry required, PIN pad not present or not working No Script PIN required, PIN pad present but PIN not entered No Script Online PIN entered No Script Transaction exceeds floor limit No Script LCOL exceededNo Script UCOL exceededNo Script Transaction selected randomlyNo Script Merchant forced onlineNo Script Issuer authentication failedNo Script Transaction data

11. What can an Issuer change in the card? Account Status COMMON SCRIPTS USED TODAY TO MANAGE RISK Block card Block application PIN Change Unblock Zero LCOL and UCOL When the Issuer does not want the card to be used again in a chip environment. Blocks all applications on the card and is irreversible. When the Issuer does not want the card application to be used. However, other applications on the card can be used as normal (e.g. Visa Cash). Block can be reversed. When the Issuer allows the cardholder to change their PIN at a PIN change request device. Also, if the offline PIN gets ‘out of synchronisation’ with the host. Must be performed at a device that the Issuer owns or has an agreement to use. If a card is allowed to perform offline transactions the Issuer has the ability to force all transactions online Decision may be taken to support credit risk control.

12. What can an Issuer change in the card? Account status examples Do we send a script (E.g. block card, application or reset LCOL) DelinquentNo Script Write offBlock Card VIP No Script, or increase to LCOL/UCOL Percentage limit (e.g. 105%OL)No Script Lost or StolenBlock Card Account Status’

13. Summary  Scripts enable the Issuer to change the cards profile whilst in issuance  Uses 3DES cryptography to authenticate the Issuer and to secure the message  Scripts can be triggered by:  Data provided by the transaction  The status of an account  PIN change requires a device that has been specifically developed to support functionality