Cover image for Implementing electronic card payment systems
Title:
Implementing electronic card payment systems
Author:
Radu, Cristian.
Personal Author:
Publication Information:
Boston: Artech House, [2003]

©2003
Physical Description:
xv, 446 pages : illustrations ; 24 cm.
General Note:
"Artech House computing library."
Language:
English
ISBN:
9781580533058
Format :
Book

Available:*

Library
Call Number
Material Type
Home Location
Status
Central Library HG1710 .R33 2003 Adult Non-Fiction Non-Fiction Area
Searching...

On Order

Summary

Summary

As magnetic stripe cards are being replaced by chip cards that offer consumers and business greater protection against fraud, a new standard for this technology is being introduced by Europay, MasterCard and Visa (EMV). This volume presents a comprehensive overview of the EMV chip solution and explains how this technology provides a chip migration path, where interoperability plays a central role in the business model. The work offers an understanding of the security problems associated with magnetic stripe cards, and presents the business case for chip migration. Moreover, it explains the implementation of multi-application selection mechanisms in EMV chip cards and terminals, and shows you how to design a multi-application EMV chip card layout.


Author Notes

Cristian Radu earned his Ph.D. in electrical engineering at the Catholic University of Leuven, Belgium.

Dr. Radu is currently an independent consultant for payment system and telecom operators in Belgium. He has over 15 years experience as an engineer, researcher and professor.

050


Table of Contents

Acknowledgmentsp. xv
1 Introductionp. 1
Part I Magnetic stripe debit and credit cardsp. 3
Part II Chip migration with EMVp. 3
Part III Remote debit and credit with EMVp. 5
Part I Magnetic Stripe Debit and Credit Cardsp. 7
2 Payment Card Processingp. 9
2.1 Payment card processing at a glancep. 10
2.2 Roles involved in payment card processingp. 13
2.3 Payment card brandsp. 15
2.4 Credit and debit payment cardsp. 16
2.5 Focusing on the magnetic stripe cardp. 17
2.5.1 Embossed financial datap. 18
2.5.2 Financial data on the magnetic stripep. 20
2.6 Threats and security protectionsp. 24
2.6.1 Channel protection versus eavesdroppingp. 25
2.6.2 Cardholder verification versus impersonationp. 27
2.6.3 Static authenticator versus modifying financial datap. 30
2.6.4 Timeliness versus card counterfeitingp. 31
2.6.5 Merchant attacks and colluding attacksp. 33
2.7 Processing at the point of servicep. 34
2.8 Payment network and interchange messagesp. 37
2.8.1 Message structurep. 38
2.8.2 Message flowsp. 41
2.9 On-line authorizationp. 45
2.10 Clearing and settlementp. 47
Referencesp. 50
Part II Chip Migration with EMVp. 51
3 Chip Migrationp. 53
3.1 A business case for chip migrationp. 54
3.2 An overview of the chip card technologyp. 56
3.2.1 Hardware and software structure of chip cardsp. 57
3.2.2 Card file system and file referencingp. 60
3.2.3 Command and response formatp. 65
3.2.4 Card application and terminal applicationp. 66
3.3 Proprietary payment applicationp. 69
3.3.1 Encoding data elements with a fixed formatp. 71
3.3.2 Fixed file system organizationp. 73
3.3.3 Preestablished command and response formatsp. 73
3.3.4 Symmetric cryptographic technologyp. 76
3.4 Interoperable payment applicationp. 80
3.4.1 Self-determined encoding of data elementsp. 82
3.4.2 Customized file system organizationp. 84
3.4.3 Variable formats for commands and responsesp. 87
3.4.4 Asymmetric cryptographic supportp. 87
Referencesp. 90
4 EMV Compliant Data Organizationp. 91
4.1 Organization of the EMV specificationsp. 92
4.2 EMV data elementsp. 96
4.3 EMV file systemp. 99
4.3.1 ADFsp. 99
4.3.2 AEFsp. 106
4.3.3 Directory definition filesp. 108
4.3.4 Payment system environmentp. 112
4.4 EMV application selectionp. 115
4.4.1 Building the candidate list from the PSEp. 118
4.4.2 Building the candidate list directlyp. 119
4.4.3 Final application selectionp. 121
Referencesp. 122
5 EMV Certificatesp. 125
5.1 Certification mechanism and algorithmp. 125
5.2 Public key certificate for RSA schemep. 126
5.3 Entities and certifiersp. 127
5.3.1 Issuer requires a public key certificatep. 127
5.3.2 ICC requires a public key certificatep. 128
5.4 Entity public key remainderp. 129
5.5 EMV certification chainsp. 129
5.6 Issuing EMV public key certificatesp. 132
5.6.1 Data items included in the certificatep. 132
5.6.2 Generating the public key certificatep. 135
5.7 Verifying EMV public key certificatesp. 136
5.7.1 Verification of the Issuer Public Key Certificatep. 136
5.7.2 Verification of the ICC Public Key Certificatep. 138
5.8 Issuing signed static application datap. 140
5.8.1 AFLp. 141
5.8.2 Creating the Static Data to Be Authenticatedp. 142
5.8.3 Generate the Signed Static Application Datap. 143
5.9 Verifying the Signed Static Application Datap. 144
Referencesp. 145
6 Debit and Credit with EMVp. 147
6.1 Overview of the EMV debit/credit transactionp. 148
6.2 Initiate application processingp. 152
6.2.1 TVR and TSI--two witnesses of terminal processingp. 152
6.2.2 PDOL and GET Processing Optionsp. 153
6.2.3 AIP and AFLp. 154
6.3 Read application datap. 156
6.3.1 AFL processingp. 156
6.3.2 Consistency rules for the data objectsp. 158
6.4 Off-line data authenticationp. 160
6.4.1 Selection of the off-line authentication mechanismp. 160
6.4.2 Off-line SDAp. 162
6.4.3 Off-line DDAp. 165
6.5 Processing restrictionsp. 174
6.5.1 Application Version Numberp. 174
6.5.2 Application usage controlp. 175
6.5.3 Application effective/expiration dates checkingp. 178
6.6 Cardholder verificationp. 178
6.6.1 Cardholder verification methods in EMVp. 179
6.6.2 Data objects involved in cardholder verificationp. 181
6.6.3 Common processing performed by the terminalp. 184
6.6.4 Off-line PIN processingp. 186
6.6.5 RSA digital envelope carrying the PINp. 191
6.6.6 On-line PIN processingp. 194
6.7 Terminal risk managementp. 195
6.7.1 Terminal floor limitp. 195
6.7.2 Random transaction selectionp. 196
6.7.3 Velocity checkingp. 199
6.8 Terminal action analysisp. 201
6.8.1 Action codes and security policiesp. 201
6.8.2 The terminal proposes and the card disposesp. 203
6.8.3 Off-line denial of a transactionp. 204
6.8.4 On-line transmission of a transactionp. 206
6.8.5 Default action in a transactionp. 207
6.8.6 Compute Application Cryptogram with GENERATE ACp. 208
6.9 On-line processing and issuer authenticationp. 217
6.9.1 Authorization request and response with chip datap. 218
6.9.2 Issuer Authenticationp. 221
6.10 Issuer scriptsp. 222
6.10.1 Processing of issuer script templatesp. 222
6.10.2 Post-Issuance Commandsp. 225
Referencesp. 225
7 EMV Chip Migration Issuesp. 227
7.1 EMV regulatory frameworkp. 228
7.1.1 Business objectivesp. 229
7.1.2 Functional requirementsp. 231
7.1.3 Security politicsp. 233
7.2 Deriving ICC specifications by issuersp. 236
7.3 Selection criteria of the ICC architecturep. 239
7.3.1 ICC hardware resourcesp. 239
7.3.2 ICC software platformp. 241
7.4 Multiapplication ICCp. 242
7.4.1 Choice of a set of card applicationsp. 243
7.4.2 Card layout definitionp. 246
7.5 Issuer's business casep. 253
7.5.1 Availability of the financial servicep. 253
7.5.2 Improved securityp. 254
7.5.3 Reduced operational costsp. 255
7.6 Adaptive initiate application processingp. 255
7.7 Design criteria for CAM selectionp. 259
7.7.1 On-line CAMp. 260
7.7.2 Off-line static CAMp. 261
7.7.3 Off-line dynamic CAMp. 262
7.7.4 Security considerations regarding CAMp. 263
7.8 Design criteria for CVMp. 267
7.8.1 Enciphered PIN verified on-linep. 267
7.8.2 Plaintext/enciphered PIN verification by ICCp. 268
7.8.3 Requirements for the implementation of various CVMp. 269
7.8.4 Criteria for the definition of the CVM Listp. 270
7.9 Processing restrictionsp. 271
7.9.1 Application usage controlp. 271
7.9.2 Application Version Numberp. 272
7.9.3 Application effective/expiration datesp. 272
7.10 Card risk managementp. 273
7.10.1 CRM Componentsp. 273
7.10.2 The set of CRM functionsp. 274
7.10.3 CRM datap. 278
7.10.4 CRM function definitionsp. 283
Referencesp. 286
Part III Remote Debit and Credit with EMVp. 289
8 Remote Card Payments and EMVp. 291
8.1 A model for remote card paymentsp. 293
8.2 Security aspects of remote card paymentsp. 295
8.2.1 Threats environmentp. 296
8.2.2 Security services for remote transactionsp. 300
8.2.3 Security services realizationp. 304
8.3 Remote payment method based on TLSp. 306
8.3.1 TLS handshake protocolp. 307
8.3.2 TLS record protocolp. 309
8.3.3 Security limitations of the TLS protocolp. 309
8.4 SET-based solutionsp. 310
8.4.1 SET modelp. 311
8.4.2 Setup of the SET payment schemep. 311
8.4.3 Registration of participantsp. 315
8.4.4 Secure SET channel over insecure networksp. 317
8.4.5 SET dual signaturesp. 321
8.4.6 SET payment methodp. 322
8.5 TLS versus SET or wallet servers and EMV cardsp. 332
8.5.1 Security makes the differencep. 332
8.5.2 Acceptability is a main concernp. 333
8.5.3 Improved solutions with wallet servers and EMV cardsp. 336
8.6 Transaction processing for chip e-commercep. 340
8.6.1 EMV application context in the cardholder systemp. 342
8.6.2 Purchase initialization (PinitReq/PInitRes)p. 346
8.6.3 Cardholder verificationp. 347
8.6.4 Terminal action analysisp. 349
8.6.5 Purchase request and responsep. 350
8.6.6 Authorization request/responsep. 353
8.6.7 Completion of the EMV transactionp. 355
Referencesp. 356
Appendix A Security Frameworkp. 359
Referencep. 361
Appendix B Generic Security Threatsp. 363
Appendix C Security Servicesp. 367
C.1 Service descriptionp. 367
C.2 Realization of security servicesp. 370
Referencesp. 371
Appendix D Security Mechanismsp. 373
D.1 Encryptionp. 373
D.1.1 Symmetric encryptionp. 374
D.1.2 Asymmetric encryptionp. 375
D.2 Cryptographic hash functionsp. 376
D.2.1 Hash functionp. 377
D.2.2 MACp. 379
D.3 Digital signature schemesp. 380
D.3.1 Signature scheme with appendixp. 382
D.3.2 Signature scheme with recoveryp. 383
D.4 Public key certificatesp. 384
D.4.1 Authenticity of public keysp. 384
D.4.2 Public key certificate generationp. 385
D.4.3 Public key certificate verificationp. 386
D.5 Cardholder verification mechanismsp. 387
D.5.1 Manual signaturep. 387
D.5.2 Enciphered PIN verified on-linep. 387
D.5.3 Plaintext PIN verification performed by the chip cardp. 388
D.5.4 Symmetric enciphered PIN verificationp. 389
D.5.5 Asymmetric enciphered PIN verificationp. 390
D.5.6 Cardholder verification based on biometricsp. 391
D.6 SDA mechanismsp. 392
D.6.1 MAC-based SDA mechanismp. 392
D.6.2 Signature-based SDA mechanismp. 393
D.7 DDA mechanismsp. 394
D.7.1 MAC-based DDAp. 394
D.7.2 Digital signature--based DDAp. 395
D.7.3 One-time passwordsp. 396
Referencesp. 397
Appendix E Block Ciphersp. 399
E.1 Definition and parametersp. 399
E.2 Modes of operationp. 400
E.3 DES, Triple-DES, and AESp. 402
E.4 MAC using a 64 bit-length block cipherp. 404
E.5 Key derivationp. 405
Referencesp. 406
Appendix F RSA Encryption and Signature Schemep. 407
F.1 Key generationp. 407
F.2 Public and secret RSA operationsp. 409
F.3 Digital signature giving message recoveryp. 410
F.3.1 Signature generationp. 411
F.3.2 Signature verificationp. 412
F.4 Digital signature and encryption with PKCS#1p. 414
Referencesp. 416
Appendix G E-Commerce and M-Commerce Related Technologiesp. 419
G.1 E-commerce and m-commercep. 419
G.2 SIM, STK, SMS, and WAPp. 420
G.3 Access devices for remote card paymentsp. 421
G.4 WAP protocol suite compared to Internetp. 426
Referencesp. 427
About the Authorp. 429
Indexp. 431

Google Preview