Introduction.
Today was a hard day for me, even though it was Sunday... but anyway, I want to start a new and very interesting topic about a standard that plays a very important role in the world of payment applications. Its name is EMV.
Everyone today has a banking card, and it is an easy way to get access to your bank account and, as a consequence, to your money. Whatever you do, whether you buy something, withdraw some cash or pay for your mobile phone, each time you take your card out of your wallet, and from that moment you are obliged to follow some rules in order to make a correct payment. To be precise, it is not you personally but your banking card that must be compliant with the EMVCo standard. Let's imagine you insert your card into the reader of an ATM or POS terminal, and from this moment magic takes control of your bank account. Interesting, isn't it? Let's see what is going on between your card and the ATM or terminal.
First of all, I will give you some useful links on related topics, which I hope will help you to understand the process of data exchange between a smart card and a terminal, and also help you to read this topic.
• Global Platform general description and the full set of documents, which can be downloaded from the official web site.
Let’s see what is going on between the card and the terminal. First we will speak about the contact interface. I will describe the contactless interface later on.
Part I. EMV transaction via Contact Interface.
When the card is inserted into the terminal, it is powered and reset. The card must provide an Answer To Reset (ATR) and then waits for incoming commands.
This is a common part which is not directly related to the EMV transaction. You will find more information about the ATR in ISO 7816 part 3. So, now let’s have a look from the EMV standard's point of view.
The next step is to choose and select the target application. Depending on what type of card you have (Visa, MasterCard, etc.), different payment schemes will apply during the EMV transaction.
There are two approaches that can be used to determine which application is going to be used:
1. The terminal uses the PSE (Payment System Environment), if one exists on the card.
2. The terminal builds a list of candidates based on the list of applications stored in the terminal.
Approach 1: Using PSE
PSE is the Payment System Environment, which contains, roughly speaking, the language preference, the list of applications and the priority in which they must be executed. It is not mandatory for all cards to support PSE.
The terminal selects the PSE using the SELECT command with the file name 1PAY.SYS.DDF01. If there is no PSE, the card should return “6A82”, which means “file not found”. If the card returns “9000”, the terminal proceeds to the next step by processing the response from the card. The response to the SELECT command for the PSE contains the FCI data object, which according to EMV Book 1 should look like this:
| Tag | Value | Presence |
|---|---|---|
| 6F | FCI Template | M |
| 84 | DF Name | M |
| A5 | FCI Proprietary Template | M |
| 88 | SFI of the Directory Elementary File | M |
| 5F2D | Language Preference | O |
| 9F11 | Issuer Code Table Index | O |
| BF0C | FCI Issuer Discretionary Data | O |
| XXXX (tag according to EMV Book 3, Annex B) | 1 or more additional proprietary data elements from an application provider, issuer, or IC card supplier, or EMV-defined tags that are specifically allocated to 'BF0C' | O |

Response on SELECT command for PSE
| Tag '70' | Data Length (L) | Tag '61' | Length of directory entry 1 | Directory entry 1 (ADF) | … | Tag '61' | Length of directory entry n | Directory entry n (ADF) |

Payment System Directory Record Format
The terminal processes all directory entries and matches the ADF names against its own list of supported applications. If an ADF name is equal to one supported by the terminal, it joins the list of candidates for final application selection. When the terminal finishes processing all records, if at least one matching ADF name was found, the terminal makes the final decision in accordance with the EMV standard. The process of deciding which application is going to be selected and used is conditional. You will find the complete description in EMV Book 1, section 12.4 Final Selection.
For example, let’s have a look at the trace below:
T: RESET
C: ATR
T: SELECT
00A404000E315041592E5359532E444446303100
C: RESPONSE
6F20840E315041592E5359532E4444463031A50E88010A9F1101015F2D046672656E9000
T: READ RECORD
00B2015400
C: RESPONSE
701761154F07A0000000421010500243429F120243428701019000
T: READ RECORD
00B2025400
C: RESPONSE
702761254F07A0000000041010500A4D4153544552434152449F120A4D4153544552434152448701029000
T: READ RECORD
00B2035400
C: RESPONSE
6A83
As a file name, the SELECT APDU contains the name of the PSE, which in our case is 1PAY.SYS.DDF01, or in hex format “315041592E5359532E4444463031”. In the response to SELECT we can see the tag “6F”, which gives us the FCI content. Tag “84” contains the name of the PSE. Tag “88” gives us the SFI=0Ah. Under tag “5F2D” we can see the preferred language, which in my case is “6672656E”, or in ASCII representation “fren”, which means French language, because my card is a French one.
Now the terminal knows the SFI of the file which contains the directory entries and can easily read it using the READ RECORD command. From the trace above, we can see how it looks.
By parsing the READ RECORD command response, we can easily identify the following parameters:
| Tag | Meaning | Hex Value | Description |
|---|---|---|---|
| 4F | AID | A0000000041010 | Application ID |
| 50 | Application Label | 4342 / 4D415354455243415244 | CB / MASTERCARD |
| 9F12 | Application Preferred Name | 4342 / 4D415354455243415244 | CB / MASTERCARD |
| 87 | Application Priority Indicator | 01 / 02 | CB / MASTERCARD |
Here CB (Cartes Bancaires, French) is the “CB Bank card Group”; you can find a short description in the wiki.
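The PSE exchange from the trace above, as an added example (not the author's code or any terminal's): a bounds-checked BER-TLV parser that derives the READ RECORD command from the SFI and builds the candidate list from the directory records. `TERMINAL_AIDS` and all function names are assumptions, and ordering by the low nibble of tag 87 is a simplification of the final selection rules in EMV Book 1, section 12.4.

```python
# Constructed inputs: the card responses copied from the trace on this page.
SELECT_RESP = "6F20840E315041592E5359532E4444463031A50E88010A9F1101015F2D046672656E9000"
RECORDS = ["701761154F07A0000000421010500243429F120243428701019000",
           "702761254F07A0000000041010500A4D4153544552434152449F120A4D4153544552434152448701029000",
           "6A83"]
TERMINAL_AIDS = {"A0000000041010"}  # assumption: the only AID this terminal supports

def parse_tlv(data):
    """Parse one level of BER-TLV into [(tag_hex, value)], rejecting bad lengths."""
    items, i = [], 0
    while i < len(data):
        t, i = i, i + 1
        if data[t] & 0x1F == 0x1F:               # tag continues in the following bytes
            while i < len(data) and data[i] & 0x80:
                i += 1
            i += 1
        if i >= len(data):
            raise ValueError("truncated TLV header")
        tag, first, i = data[t:i].hex().upper(), data[i], i + 1
        n = first & 0x7F if first & 0x80 else 0  # long form: n length bytes follow
        length, i = (int.from_bytes(data[i:i + n], "big") if n else first), i + n
        if first == 0x80 or i + length > len(data):  # indefinite form or overrun
            raise ValueError("bad length for tag " + tag)
        items.append((tag, data[i:i + length]))
        i += length
    return items

def read_record_apdu(select_resp_hex, record):
    """Build READ RECORD from the SFI (6F -> A5 -> 88); KeyError if a tag is absent."""
    fci = dict(parse_tlv(bytes.fromhex(select_resp_hex)[:-2]))["6F"]
    sfi = dict(parse_tlv(dict(parse_tlv(fci))["A5"]))["88"]
    if len(sfi) != 1 or not 1 <= sfi[0] <= 30:
        raise ValueError("invalid SFI")
    # P2 = SFI in the upper five bits, 100b = "P1 is a record number"
    return bytes([0x00, 0xB2, record, (sfi[0] << 3) | 0x04, 0x00]).hex().upper()

def candidates(responses, terminal_aids):
    """Collect (priority, AID, label) for directory entries the terminal supports."""
    found = []
    for resp in map(bytes.fromhex, responses):
        if resp[-2:] != b"\x90\x00":             # e.g. 6A83: no more records
            break
        for tag, entry in parse_tlv(dict(parse_tlv(resp[:-2]))["70"]):
            fields = dict(parse_tlv(entry)) if tag == "61" else {}
            aid = fields.get("4F", b"").hex().upper()
            if aid in terminal_aids:             # exact ADF name match, as described above
                prio = (fields.get("87") or b"\x00")[0] & 0x0F
                found.append((prio, aid, fields.get("50", b"").decode("ascii", "replace")))
    return sorted(found)
```

Every length in these responses comes from the card, so the parser checks each one against the buffer before slicing instead of trusting it.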
Approach 2: Using a List of AIDs
If, for any reason, the terminal did not succeed in identifying the target application with the PSE, or the PSE is not supported by the card, the terminal first needs to build the list of candidates by selecting the applications one by one, based on the list of applications stored in the terminal.
In this case, the terminal sends the SELECT command in a loop and tries to match the AID with the DF Name field returned in the FCI in response to the SELECT command. If the two match, the AID is added to the list of candidates. Again, once the list is ready, the terminal takes the final decision as described in EMV Book 1, section 12.4 Final Selection.
So, the next step is to select the target application. To do that, the terminal sends the SELECT command with the ADF name chosen in the previous step. We will see how it works in my next topic. Well, that is enough for today, I think…