1
Transaction Flow end-to-end
2
Chip End-to-End process
AUTHORISATIONS
- Offline Authentication
- Cardholder verification method
- Terminal Risk Management
- Card Risk Management
ISSUER HOST
- iCVV checking
- ATC checking
- Online CAM
- Online PIN
- Script processing
3
Chip End-to-End process
AUTHORISATIONS
- Offline Authentication
- Offline PIN Validation
- Terminal Risk Management
- Card Risk Management
ISSUER HOST
- iCVV checking
- ATC checking
- Online CAM
- Online PIN
- Script processing
CLEARING AND SETTLEMENT
- Transaction Certificate
- Certificate in BASEII file
4
Offline authentication processes
IS THIS THE ACTUAL CARD?
- Static Data Authentication (SDA)
- Dynamic Data Authentication (DDA)
- Combined Data Authentication (CDA)
5
Offline authentication processes
IS THIS THE ACTUAL CARDHOLDER?
- Offline Plaintext PIN
- Offline Enciphered PIN
6
Card and terminal risk management
SHOULD THIS TRANSACTION PROCEED?
- Terminal Floor Limits
- Usage controls
- Start / Expiry Date checking
- Terminal hot card file
- Terminal Action Codes
7
Card and terminal risk management
SHOULD THIS TRANSACTION PROCEED?
- Chip card parameter decisions (Issuer Action Codes)
8
Online authentication processes
ISSUER HOST
ONLINE – THE TERMINAL SENDS SPECIFIC VALUES TO THE HOST FOR VALIDATION.
- iCVV checking: chip card verification value stored in the card
- ATC checking: card-generated incremental counter
- Online CAM: one-time-only cryptographic value, generated by the card's secret DES key
- Online PIN: encrypted PIN reference value
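The two host-side checks on this slide that the terminal cannot perform itself, ATC checking and Online CAM, can be shown together in a small simulation. This is an added example, not code from the deck or from any scheme or issuer: the per-card key derivation, the message layout and the field names are constructed for the demo, and HMAC-SHA256 stands in for the card's secret DES key and the EMV MAC so the example runs with the standard library only. What it preserves is the logic the slide describes: the card produces a one-time value over the transaction data with a key only it and the issuer know, and the host recomputes that value and also insists that the ATC has moved forward since the last transaction it accepted for that PAN.

```python
"""Issuer-host online checks: ATC and online CAM (cryptogram) validation.

Added example, not from the deck. HMAC-SHA256 is a stand-in for the card's
secret DES key and the EMV MAC; field names and message layout are constructed.
"""
import hashlib
import hmac


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key derived from the issuer master key (stand-in derivation)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def cryptogram(card_key: bytes, atc: int, amount: int, unpredictable_number: bytes) -> bytes:
    """One-time value over the transaction data. The card computes it with its
    secret key; the host recomputes it to verify (online CAM)."""
    msg = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + unpredictable_number
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Genuine chip: holds the secret key and a counter that only increases."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan, self.key, self.atc = pan, card_key, 0

    def request(self, amount: int, unpredictable_number: bytes) -> dict:
        self.atc += 1  # ATC increments on every transaction the card processes
        return {
            "pan": self.pan,
            "atc": self.atc,
            "amount": amount,
            "un": unpredictable_number,
            "arqc": cryptogram(self.key, self.atc, amount, unpredictable_number),
        }


class IssuerHost:
    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_atc: dict = {}  # highest ATC accepted per PAN

    def authorise(self, req: dict) -> str:
        key = derive_card_key(self.master_key, req["pan"])
        expected = cryptogram(key, req["atc"], req["amount"], req["un"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINE: cryptogram invalid"  # data altered, or key not known
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return "DECLINE: ATC not increasing"  # replayed message or stale card state
        self.last_atc[req["pan"]] = req["atc"]
        return "APPROVE"


def run_demo() -> list:
    """Four authorisation attempts against one card; returns the host decisions."""
    master = b"constructed-issuer-master-key"  # constructed sample key
    pan = "4111111111111111"                   # constructed sample PAN
    host = IssuerHost(master)
    card = Card(pan, derive_card_key(master, pan))
    results = []
    first = card.request(1000, b"\x01\x02\x03\x04")
    results.append(host.authorise(first))        # genuine: APPROVE
    results.append(host.authorise(first))        # same message again: ATC not increasing
    second = card.request(2500, b"\x05\x06\x07\x08")
    altered = dict(second, amount=250)           # amount changed after the card signed it
    results.append(host.authorise(altered))      # cryptogram invalid
    results.append(host.authorise(second))       # untouched message: APPROVE
    return results


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The ATC rule is deliberately strict (the counter must be greater than the last accepted value); a production host would also alert on large ATC jumps and on counters that reset, which the deck does not cover.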
9
Card usage management - scripts
ISSUER HOST
THE ISSUER HOST HAS THE ABILITY TO CHANGE CERTAIN VALUES IN THE CARD OR BLOCK/UNBLOCK USAGE.
ACCOUNT MANAGEMENT
- Block card usage
- Block application usage
- PIN offline change processing
TRANSACTION MANAGEMENT
- Offline usage values
- Domestic offline currency values
10
Guidelines to PKI cryptography
- EMV Offline Authentication uses Public Key Infrastructure (PKI) based on Rivest, Shamir and Adleman (RSA) cryptography
- Made up of key pairs: Private and Public
- Private must be kept secret to the owner (Visa, Issuer, Card)
- Public is available to anybody
- Sign and verify concept – secretly sign something with your private key, which can be verified with your public key
- One-way conversation only
- Used for SDA, DDA and CDA
11
Guidelines to PKI cryptography
- Within EMV, certificates are produced by signing data with Private Keys
- Validation and retrieval of data is performed in public with the corresponding Public Key
- Complex algorithm based on prime number calculations
- Current key lengths are 1920 and 2048 bits
12
Risk protection method
Traditional Fraud Method | Traditional prevention | Chip prevention (additional to traditional methods)
Skimming (copying magnetic stripe) | Nothing | SDA or DDA or CDA (all offline)
Counterfeit | CVV + Physical Characteristics | Offline Authentication
13
Static Data Authentication - SDA
[Diagram: SDA SET-UP. Systems shown: Acquirer Host System, Terminal Management System (TMS) and Acquirer Terminal (POS), each holding the Visa Public Key; Issuer Host System, Card Management System and Issuer EMV Data Preparation System, holding the Issuer Public Key and Issuer Private Key; Visa, holding the Visa Private Key. Numbered flows as labelled on the slide: 1 Visa Private Key (producing the IPKC); 2 Issuer Private Key; 3 Account data signed.]
14
Static Data Authentication - SDA
SDA PROCESSING
Elements: IPKC (signed by Visa), Visa Public Key, Issuer Public Key, Signed data (signed by Issuer).
Result: data has not been changed since issuance.
- Card provides the Issuer Public Key Certificate (signed by Visa's private key)
- Terminal verifies the certificate and retrieves the Issuer Public Key
- Card provides signed account data (signed by the Issuer Private Key)
- Terminal verifies that the data has not changed
15
Dynamic Data Authentication - DDA
[Diagram: DDA SET-UP. Systems shown: Acquirer Host System, Terminal Management System (TMS) and Acquirer Terminal (POS), holding the Visa Public Key; Issuer EMV Data Preparation System, holding the Issuer Public Key and Issuer Private Key; Visa, holding the Visa Private Key; the card, holding the Card Private Key and Card Public Key. Numbered flows as labelled on the slide: 1 Issuer Private Key; 2 Account data signed; 3 Visa Private Key (producing the IPKC); 4 Card Public Key / Card Private Key.]
16
Dynamic Data Authentication - DDA
DDA PROCESSING
Elements: Visa Public Key, IPKC (signed by Visa), Issuer Public Key, Signed data (signed by Issuer), Card Public Key, Card signed data, Challenge – random value.
Result: data has not been changed or copied since issuance.
- Card provides the Issuer Public Key Certificate (signed by Visa's private key)
- Terminal verifies the certificate and retrieves the Issuer Public Key
- Card provides signed account data (signed by the Issuer Private Key)
- Terminal verifies that the data has not changed and retrieves the Card Public Key
- Terminal asks the card to sign some random data
- Card signs the random data with the Card Private Key
- Terminal verifies the card's signature with the Card Public Key
17
Combined DDA / Gen AC (CDA)
Card signed data (random number for validation) plus the card's online random value (request cryptogram).
- Same set-up as DDA
- Same process as DDA, with the exception of: when the card sends the final card certificate, it includes the online cryptographic value used by the host.
18
Considerations
Q – Is there an effective offline authentication process within magnetic stripe processing?
A – No
Q – Is SDA more secure than magnetic stripe?
A – Yes
Q – Is DDA more secure than SDA?
Q – Is CDA more secure than DDA?
A – Yes
HOWEVER, CDA may not be the best solution for your market just because it is the most secure. We have to consider where we are and where we are going!
19
Summary
- All processes (SDA, DDA, CDA) are skimming and counterfeit protection measures
- SDA is the cheapest (no need for a card crypto-processor)
- DDA and CDA require a card that can perform RSA cryptography
- Visa mandates SDA on all cards
- When choosing a method you should consider all functions of the card and the likelihood of a full compromise that cannot be detected, such as Offline PIN, Online cryptography, Acquirer market floor limits, and card and terminal risk management
20
Areas that Combat Fraud
- ATC Checking
- CVM Usage
- DDA or CDA
- Scripts