0% found this document useful (0 votes)

127 views

EMV (Chip & PIN) Protocol: Märt Bakhoff Supervised: Arnis Paršovs

The document provides a high-level overview of an EMV chip card transaction, including the steps of candidate list creation, application selection, reading application data, data authentication, cardholder verification, processing restrictions, terminal risk management, card action analysis, online processing, and final action analysis. It also includes a captured log of the request and response messages exchanged during a sample transaction.

Uploaded by

art0928

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

127 views

EMV (Chip & PIN) Protocol: Märt Bakhoff Supervised: Arnis Paršovs

Uploaded by

art0928

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 41

EMV (Chip & PIN) Protocol

Märt Bakhoff
Supervised: Arnis Paršovs
Objective

observe and describe a real world transaction

Agenda
● Tools & setup
● Quick overview of transaction processing
● High level overview of captured data
Tools & setup

● Osmocom Simtrace
● “upgraded” cardreader
● Visa Electron card
● friendly merchant
Simtrace
MITM board for SIM cards

TERMINAL >

CHIP > < PC

Reading binary dumps for the win?
● EMV = Europay, Mastercard, Visa
● standardized payment cards (currently v4.3)
● released as 4 “books” with a total of 747 pages
Transaction flow
Candidate List Creation

Candidate list creation Application Selection

Read Application Data
Data Authentication
iterate applications on Cardholder Verification
the card Processing Restrictions

read application ids Terminal Risk Management

Card Action Analysis
Online Processing
Final Action Analysis
Transaction flow
Candidate List Creation

Application selection Application Selection

Read Application Data
Data Authentication
select the application in Cardholder Verification
the terminal Processing Restrictions

activate application in Terminal Risk Management

the chip Card Action Analysis

Online Processing
Final Action Analysis
Transaction flow
Candidate List Creation

Read Application Data Application Selection

Read Application Data
Data Authentication
expiration date Cardholder Verification

pin options Processing Restrictions

Terminal Risk Management
online/offline support Card Action Analysis
crypto keys Online Processing
Final Action Analysis
Transaction flow
Candidate List Creation

Data authentication Application Selection

Read Application Data
Data Authentication
offline mode: Cardholder Verification
verify data on the card Processing Restrictions
using digital signature Terminal Risk Management

online mode: Card Action Analysis

challenge&response Online Processing

with card's private key Final Action Analysis

Transaction flow
Candidate List Creation

Cardholder verification Application Selection

Read Application Data
Data Authentication
online pin / offline pin / Cardholder Verification
handwritten signature Processing Restrictions

pinpad->icc encrypted Terminal Risk Management

Card Action Analysis
Online Processing
Final Action Analysis
Transaction flow
Candidate List Creation

Processing restrictions Application Selection

Read Application Data
Data Authentication
check expiration date Cardholder Verification

check “application Processing Restrictions

usage controls” Terminal Risk Management

Card Action Analysis
Online Processing
Final Action Analysis
Transaction flow
Candidate List Creation

Terminal risk Application Selection

management Read Application Data

Data Authentication
Cardholder Verification
decide online/offline Processing Restrictions

“floor limits” Terminal Risk Management

Card Action Analysis
Online Processing
Final Action Analysis
Transaction flow
Candidate List Creation

Card action analysis Application Selection

Read Application Data
Data Authentication
decide Cardholder Verification
online/offline/reject Processing Restrictions

can upgrade to online Terminal Risk Management

Card Action Analysis
can't upgrade to offline Online Processing
Final Action Analysis
Transaction flow
Candidate List Creation

Online processing Application Selection

Read Application Data
Data Authentication
send ARQC to issuer Cardholder Verification

send response to chip Processing Restrictions

Terminal Risk Management
can downgrade to offline Card Action Analysis
Online Processing
Final Action Analysis
Transaction flow
Candidate List Creation

Final card analysis Application Selection

Read Application Data
Data Authentication
verify issuer online Cardholder Verification
response Processing Restrictions

decide to accept/reject Terminal Risk Management

Card Action Analysis
generate transaction Online Processing
certificate (TC)
Final Action Analysis
Captured data
(19 request/response pairs)
00 A4 SELECT

Request:
file '1PAY.SYS.DDF01'

Response:
ShortFileIdentifier of directory element: 1
language preference: et,en,ru,de
00 B2 READ RECORD

Request:
ShortFileIdentifier: 1; record: 1

Response:
application identifier: VISA electron
application priority: 1
00 B2 READ RECORD

Request:
ShortFileIdentifier: 1; record: 2

Response:
File not found
00 C0 GET RESPONSE

Request:
empty

Response:
application id: Visa Electron
application priority: 1
language preference: et,en,ru,de
issuer url: 0x9f4d020b14
80 A8 GET PROCESSING OPTS
Request:
empty list

Response:
dynamic data authentication (DDA) supported,
cardholder verification supported,
perform terminal risk mgmt supported,
issuer authentication supported
locations of data records:
SFI1, record 1-1
SFI2, record 1-6
00 B2 READ RECORD

Request:
SFI:1, record: 1

Response:
card number: xx xx xx xx 37 64 61 73
expiration date: 14 12
cardholder name: BAKHOFF/MART
00 B2 READ RECORD
Request:
SFI:2, record: 1

Response:
Application Effective Date: 12 10 01
Application Expiration Date: 14 12 31
Application Usage Control: all allowed
Primary Account Number: xxxx xxxx 3764 6173
CDOL1, CDOL2, CVM
Issuer country code: 0x0233
00 B2 READ RECORD

Request:
SFI:2, record: 2

Response:
Issuer Public Key Certificate
Issuer Public Key Exponent
Issuer Public Key Remainder
00 B2 READ RECORD

Request:
SFI:2, record: 3

Response:
DDOL
ICC Public Key Exponent
00 B2 READ RECORD

Request:
SFI:2, record: 4

Response:
ICC Public Key Certificate
00 B2 READ RECORD

Request:
SFI:2, record: 5

Response:
ICC PIN Encipherment Public Key Certificate
ICC PIN Encipherment Public Key Exponent
00 B2 READ RECORD

Request:
SFI:2, record: 6

Response:
Application Version Number: 0x008c
Service Code: 0x0221
Application Currency Code: 0x0978
Application Currency Exponent: 2
00 88 INTERNAL AUTHENTICATE

Request:
(DDOL) 4 bytes nonce 0xd6834217

Response:
Signed Dynamic Application Data
80 CA GET DATA

Request:
pin try counter

Response:
PIN Try Counter: 3 remaining
00 84 GET CHALLENGE

Request:
empty

Response:
6e 46 d1 ff 7f 6e 61 30
(8-byte nonce generated by the ICC)
00 20 VERIFY

Request:
encrypted pin

Response:
ok
80 AE GENETATE AC
Request:
request ARQC (online mode)
amount: 0.99
terminal country code: 0x0233
TVR: transaction exeeds floor limit
transaction date: 14 09 25
nonce: 4 bytes

Response:
Application Transaction Counter (ATC): 0x0377
Application Cryptogram: ac 74 08 bb 16 b2 b8 6d
00 82 EXTERNAL AUTHENTICATE

Request:
Issuer Authentication Data:
83 1c 2b df 91 08 e0 70 30 30

Response:
ok
80 AE GENERATE AC
Request:
request transaction certificate
authorization response code: 0x3030
amount: 0.99
terminal country code: 0x0233
TVR: transaction exeeds floor limit
transaction date: 14 09 25
nonce: 4 bytes

Response:
Application Transaction Counter (ATC): 0x0377
Application Cryptogram: c2 f1 92 98 bd 19 a7 fe
Q/A
References
● www.emvco.com/specifications.aspx
● www.level2kernel.com/flow-chart.html
● cotignac.co.nz/emv-offline-data-authentication

EMV Implementation Tandem Supplemental Guide
100% (2)
EMV Implementation Tandem Supplemental Guide
355 pages
GCAG ISO Oct2019 FINAL
No ratings yet
GCAG ISO Oct2019 FINAL
310 pages
0ikL3QgQKCejxyundxQ8 CoursematerialA4-1569849373450
No ratings yet
0ikL3QgQKCejxyundxQ8 CoursematerialA4-1569849373450
82 pages
SPARK Matrix - Card Management System (CMS) - 2022 - BPC - Full Report - Quadrant Knowledge Solutions Jan 2023
100% (1)
SPARK Matrix - Card Management System (CMS) - 2022 - BPC - Full Report - Quadrant Knowledge Solutions Jan 2023
54 pages
J-Secure 2.0 Acquirer Implementation Guide - v1.2
No ratings yet
J-Secure 2.0 Acquirer Implementation Guide - v1.2
32 pages
Technical - Specifications-PayPass - PDS v1.9 (June 2014)
100% (2)
Technical - Specifications-PayPass - PDS v1.9 (June 2014)
107 pages
EMV
No ratings yet
EMV
27 pages
EMV v4.3 Book 3 Application Specification 20120607062110791
No ratings yet
EMV v4.3 Book 3 Application Specification 20120607062110791
230 pages
EMV v4.2 Book 3
No ratings yet
EMV v4.2 Book 3
239 pages
book2-EMV v4.2 Book 2 Security and Key Management CR05 - 20090122094212
No ratings yet
book2-EMV v4.2 Book 2 Security and Key Management CR05 - 20090122094212
176 pages
EMV v4.2 Book 1 ICC To Terminal Interface CR05
100% (1)
EMV v4.2 Book 1 ICC To Terminal Interface CR05
197 pages
EMV v4.3 Book1 ICC To Terminal Interface 2011113003541414
100% (1)
EMV v4.3 Book1 ICC To Terminal Interface 2011113003541414
189 pages
3-5-Emv L2
No ratings yet
3-5-Emv L2
6 pages
Postilion Developer External
No ratings yet
Postilion Developer External
2 pages
Apple Pay Essentials: Harness the power of Apple Pay in your iOS apps and integrate it with global payment gateways
From Everand
Apple Pay Essentials: Harness the power of Apple Pay in your iOS apps and integrate it with global payment gateways
Ernest Bruce
No ratings yet
EMV Third Edition
From Everand
EMV Third Edition
Gerardus Blokdyk
No ratings yet
Chip Card Terminolgy Explained PDF
100% (2)
Chip Card Terminolgy Explained PDF
15 pages
Ten Key Certificate & Ten Key Test - Online 10 Key Test Certification at Learn2type - Com
No ratings yet
Ten Key Certificate & Ten Key Test - Online 10 Key Test Certification at Learn2type - Com
2 pages
EMV - Europay, MasterCard, Visa
100% (1)
EMV - Europay, MasterCard, Visa
21 pages
EMV v4.2 Book 3 Application Specification CR05 2011111807264590 PDF
No ratings yet
EMV v4.2 Book 3 Application Specification CR05 2011111807264590 PDF
239 pages
VISA CEMEA Personalisation Templates Version 1.5, August 2003
No ratings yet
VISA CEMEA Personalisation Templates Version 1.5, August 2003
107 pages
EMV - Understanding
No ratings yet
EMV - Understanding
3 pages
Users Manual 3704697
No ratings yet
Users Manual 3704697
442 pages
EMV v4.3 Book 1 ICC To Terminal Interface 2012060705394541
No ratings yet
EMV v4.3 Book 1 ICC To Terminal Interface 2012060705394541
189 pages
A Guide To EMV Chip Technology v3.0 1
No ratings yet
A Guide To EMV Chip Technology v3.0 1
33 pages
PBT 01 EFT Overview
100% (1)
PBT 01 EFT Overview
72 pages
Chip Card Acceptance Device Ref Guide 6 (1) .0
No ratings yet
Chip Card Acceptance Device Ref Guide 6 (1) .0
143 pages
Cryptomathic White Paper-Emv Key Management
100% (2)
Cryptomathic White Paper-Emv Key Management
13 pages
EMV-L2 ST100 Draft
No ratings yet
EMV-L2 ST100 Draft
72 pages
EMV Overview Unbranded
No ratings yet
EMV Overview Unbranded
26 pages
M/Chip Functional Architecture For Debit and Credit: Applies To: Summary
No ratings yet
M/Chip Functional Architecture For Debit and Credit: Applies To: Summary
12 pages
Terminal Information To Enhance Contactless Application Selection
No ratings yet
Terminal Information To Enhance Contactless Application Selection
10 pages
VISA Dynamic Passcode Authentication
No ratings yet
VISA Dynamic Passcode Authentication
4 pages
Intro To EMV
100% (2)
Intro To EMV
15 pages
EMV Overview Tecnica
No ratings yet
EMV Overview Tecnica
14 pages
EMVCo A Guide To EMV-Presentation 20110512031135763
No ratings yet
EMVCo A Guide To EMV-Presentation 20110512031135763
39 pages
EMV v4.2 Book 2 Security and Key Management CR05 20111118072236762
No ratings yet
EMV v4.2 Book 2 Security and Key Management CR05 20111118072236762
177 pages
EMV SWG NH20r2a Issuer Security Guidelines For 1st Gen August2018
No ratings yet
EMV SWG NH20r2a Issuer Security Guidelines For 1st Gen August2018
78 pages
EMV-SWG-NB53r4b Terminal Unpredictable Number Generation
No ratings yet
EMV-SWG-NB53r4b Terminal Unpredictable Number Generation
2 pages
Security Rules and Procedures 30 July 2015
No ratings yet
Security Rules and Procedures 30 July 2015
227 pages
ISO Global 2008 3
100% (1)
ISO Global 2008 3
294 pages
EMV A Toz PDF
No ratings yet
EMV A Toz PDF
7 pages
Pin Block Formats: David Tushie
No ratings yet
Pin Block Formats: David Tushie
3 pages
Quick Chip For EMV and QVSDC, Specification Version 2.0 (Visa, 2017)
No ratings yet
Quick Chip For EMV and QVSDC, Specification Version 2.0 (Visa, 2017)
18 pages
Collis b2 Emv and Contactless Offering
No ratings yet
Collis b2 Emv and Contactless Offering
52 pages
An Overview of The EMV Protocol and Its Security
No ratings yet
An Overview of The EMV Protocol and Its Security
5 pages
Visa TADG
No ratings yet
Visa TADG
212 pages
Visa Chip Simplifying Implementation
No ratings yet
Visa Chip Simplifying Implementation
2 pages
20331623-Visa-Integrated-Circuit-Card-Specification-ANEXO D
No ratings yet
20331623-Visa-Integrated-Circuit-Card-Specification-ANEXO D
14 pages
EMV Card and Terminal Basic Requirements FINAL 04 15 v2.2
No ratings yet
EMV Card and Terminal Basic Requirements FINAL 04 15 v2.2
29 pages
Emv Especifications
No ratings yet
Emv Especifications
44 pages
Emv 1
No ratings yet
Emv 1
110 pages
Base24 - From Host v1
No ratings yet
Base24 - From Host v1
20 pages
Transaction Acceptance Device Guide TADG V3 May 2015 PDF
No ratings yet
Transaction Acceptance Device Guide TADG V3 May 2015 PDF
273 pages
Canada's Role in the Payment Processing Industry
From Everand
Canada's Role in the Payment Processing Industry
Robert Ronning
No ratings yet
Fundamentals of Emv: Guy Berg Senior Managing Consultant Mastercard Advisors' 914.325.8111
No ratings yet
Fundamentals of Emv: Guy Berg Senior Managing Consultant Mastercard Advisors' 914.325.8111
37 pages
02
No ratings yet
02
37 pages
Lkjaclkajhdlkajshdlkajhdas
No ratings yet
Lkjaclkajhdlkajshdlkajhdas
98 pages
491-08-emv
No ratings yet
491-08-emv
98 pages
20 - EMV Data Element Tag List
No ratings yet
20 - EMV Data Element Tag List
4 pages
Book 3
No ratings yet
Book 3
164 pages
EMV Overview
100% (1)
EMV Overview
51 pages
Mart Report f14 PDF
No ratings yet
Mart Report f14 PDF
20 pages
ProFlex4 Trainings Overview
No ratings yet
ProFlex4 Trainings Overview
16 pages
Visa Smart Debit/Credit Acquirer Device Validation Toolkit: User Guide
No ratings yet
Visa Smart Debit/Credit Acquirer Device Validation Toolkit: User Guide
163 pages
Personalization Data Specifications: For Debit and Credit On Chip
No ratings yet
Personalization Data Specifications: For Debit and Credit On Chip
71 pages
596313307-Employee-Pay-Slip-Jan
No ratings yet
596313307-Employee-Pay-Slip-Jan
1 page
PRABHA AADHAR CARD
No ratings yet
PRABHA AADHAR CARD
1 page
ADHRA
No ratings yet
ADHRA
1 page
Internet of Things Privacy, Security and Governance: Unit 3
100% (2)
Internet of Things Privacy, Security and Governance: Unit 3
84 pages
Seminar Report On REDTACTON
100% (1)
Seminar Report On REDTACTON
34 pages
Amjad Survey Paper
No ratings yet
Amjad Survey Paper
22 pages
Composition Kills: A Case Study of Email Sender Authentication
No ratings yet
Composition Kills: A Case Study of Email Sender Authentication
17 pages
Aadhaar Aadhaar Informat Ion Informat Ion Aadhaar Aadhaar: Mera Aadhaar, Meri Pehachan
No ratings yet
Aadhaar Aadhaar Informat Ion Informat Ion Aadhaar Aadhaar: Mera Aadhaar, Meri Pehachan
1 page
Affidavit of Loss: IBP No. 017673 July 15, 2017 Tarlac Chapter
No ratings yet
Affidavit of Loss: IBP No. 017673 July 15, 2017 Tarlac Chapter
7 pages
Mims SSPR Slides
No ratings yet
Mims SSPR Slides
8 pages
Attestation Service in Qatar2024
No ratings yet
Attestation Service in Qatar2024
7 pages
Duncan Musangi
No ratings yet
Duncan Musangi
8 pages
COPPA 2.0: The New Battle Over Privacy, Age Verification, Online Safety & Free Speech
No ratings yet
COPPA 2.0: The New Battle Over Privacy, Age Verification, Online Safety & Free Speech
36 pages
ISO 27002 Policies Outline 2010
No ratings yet
ISO 27002 Policies Outline 2010
11 pages
What Is Token Authentication and How Does It Work
No ratings yet
What Is Token Authentication and How Does It Work
4 pages
E-AasthiApplication-AVAILABLE in () (2)
No ratings yet
E-AasthiApplication-AVAILABLE in () (2)
6 pages
Hall ticket
No ratings yet
Hall ticket
2 pages
CCNA Security v2.0 Final Exam Answers 100 1 PDF
100% (3)
CCNA Security v2.0 Final Exam Answers 100 1 PDF
26 pages
Pki MRTD Lixembourg
No ratings yet
Pki MRTD Lixembourg
18 pages
Blockchain in Supply Chain Management - Final Ver
No ratings yet
Blockchain in Supply Chain Management - Final Ver
19 pages
NIST SP 800-218 SSDF-table
No ratings yet
NIST SP 800-218 SSDF-table
47 pages
General Requirements
No ratings yet
General Requirements
3 pages
Online Voting
No ratings yet
Online Voting
22 pages
Ankit Kumar - Offer Letter
No ratings yet
Ankit Kumar - Offer Letter
1 page
197 2025 Certificate
No ratings yet
197 2025 Certificate
1 page
5 18
No ratings yet
5 18
1 page
FAQ's On E-Aadhaar
No ratings yet
FAQ's On E-Aadhaar
4 pages
grq51-justpasteit
No ratings yet
grq51-justpasteit
5 pages
STRIDE/DREAD Analysis: Threat Modelling of Trinity Wallet
No ratings yet
STRIDE/DREAD Analysis: Threat Modelling of Trinity Wallet
24 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

EMV (Chip & PIN) Protocol: Märt Bakhoff Supervised: Arnis Paršovs

Uploaded by

EMV (Chip & PIN) Protocol: Märt Bakhoff Supervised: Arnis Paršovs

Uploaded by

EMV (Chip & PIN) Protocol

observe and describe a real world transaction

CHIP > < PC

Candidate list creation Application Selection

read application ids Terminal Risk Management

Application selection Application Selection

activate application in Terminal Risk Management

the chip Card Action Analysis

Read Application Data Application Selection

pin options Processing Restrictions

Data authentication Application Selection

online mode: Card Action Analysis

challenge&response Online Processing

with card's private key Final Action Analysis

Cardholder verification Application Selection

pinpad->icc encrypted Terminal Risk Management

Processing restrictions Application Selection

check “application Processing Restrictions

usage controls” Terminal Risk Management

Terminal risk Application Selection

management Read Application Data

“floor limits” Terminal Risk Management

Card action analysis Application Selection

can upgrade to online Terminal Risk Management

Online processing Application Selection

send response to chip Processing Restrictions

Final card analysis Application Selection

decide to accept/reject Terminal Risk Management

You might also like

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.