
At a Glance
Pages: 466
Dimensions (cm): 22.86 x 19.05 x 3.18
Format: Hardcover
Price: $300.75
| Table of Contents | Page |
|---|---|
| Acknowledgments | p. xv |
| Introduction | p. 1 |
| Magnetic stripe debit and credit cards | p. 3 |
| Chip migration with EMV | p. 3 |
| Remote debit and credit with EMV | p. 5 |
| Magnetic Stripe Debit and Credit Cards | p. 7 |
| Payment Card Processing | p. 9 |
| Payment card processing at a glance | p. 10 |
| Roles involved in payment card processing | p. 13 |
| Payment card brands | p. 15 |
| Credit and debit payment cards | p. 16 |
| Focusing on the magnetic stripe card | p. 17 |
| Embossed financial data | p. 18 |
| Financial data on the magnetic stripe | p. 20 |
| Threats and security protections | p. 24 |
| Channel protection versus eavesdropping | p. 25 |
| Cardholder verification versus impersonation | p. 27 |
| Static authenticator versus modifying financial data | p. 30 |
| Timeliness versus card counterfeiting | p. 31 |
| Merchant attacks and colluding attacks | p. 33 |
| Processing at the point of service | p. 34 |
| Payment network and interchange messages | p. 37 |
| Message structure | p. 38 |
| Message flows | p. 41 |
| On-line authorization | p. 45 |
| Clearing and settlement | p. 47 |
| References | p. 50 |
| Chip Migration with EMV | p. 51 |
| Chip Migration | p. 53 |
| A business case for chip migration | p. 54 |
| An overview of the chip card technology | p. 56 |
| Hardware and software structure of chip cards | p. 57 |
| Card file system and file referencing | p. 60 |
| Command and response format | p. 65 |
| Card application and terminal application | p. 66 |
| Proprietary payment application | p. 69 |
| Encoding data elements with a fixed format | p. 71 |
| Fixed file system organization | p. 73 |
| Preestablished command and response formats | p. 73 |
| Symmetric cryptographic technology | p. 76 |
| Interoperable payment application | p. 80 |
| Self-determined encoding of data elements | p. 82 |
| Customized file system organization | p. 84 |
| Variable formats for commands and responses | p. 87 |
| Asymmetric cryptographic support | p. 87 |
| References | p. 90 |
| EMV Compliant Data Organization | p. 91 |
| Organization of the EMV specifications | p. 92 |
| EMV data elements | p. 96 |
| EMV file system | p. 99 |
| ADFs | p. 99 |
| AEFs | p. 106 |
| Directory definition files | p. 108 |
| Payment system environment | p. 112 |
| EMV application selection | p. 115 |
| Building the candidate list from the PSE | p. 118 |
| Building the candidate list directly | p. 119 |
| Final application selection | p. 121 |
| References | p. 122 |
| EMV Certificates | p. 125 |
| Certification mechanism and algorithm | p. 125 |
| Public key certificate for RSA scheme | p. 126 |
| Entities and certifiers | p. 127 |
| Issuer requires a public key certificate | p. 127 |
| ICC requires a public key certificate | p. 128 |
| Entity public key remainder | p. 129 |
| EMV certification chains | p. 129 |
| Issuing EMV public key certificates | p. 132 |
| Data items included in the certificate | p. 132 |
| Generating the public key certificate | p. 135 |
| Verifying EMV public key certificates | p. 136 |
| Verification of the Issuer Public Key Certificate | p. 136 |
| Verification of the ICC Public Key Certificate | p. 138 |
| Issuing signed static application data | p. 140 |
| AFL | p. 141 |
| Creating the Static Data to Be Authenticated | p. 142 |
| Generate the Signed Static Application Data | p. 143 |
| Verifying the Signed Static Application Data | p. 144 |
| References | p. 145 |
| Debit and Credit with EMV | p. 147 |
| Overview of the EMV debit/credit transaction | p. 148 |
| Initiate application processing | p. 152 |
| TVR and TSI: two witnesses of terminal processing | p. 152 |
| PDOL and GET Processing Options | p. 153 |
| AIP and AFL | p. 154 |
| Read application data | p. 156 |
| AFL processing | p. 156 |
| Consistency rules for the data objects | p. 158 |
| Off-line data authentication | p. 160 |
| Selection of the off-line authentication mechanism | p. 160 |
| Off-line SDA | p. 162 |
| Off-line DDA | p. 165 |
| Processing restrictions | p. 174 |
| Application Version Number | p. 174 |
| Application usage control | p. 175 |
| Application effective/expiration dates checking | p. 178 |
| Cardholder verification | p. 178 |
| Cardholder verification methods in EMV | p. 179 |
| Data objects involved in cardholder verification | p. 181 |
| Common processing performed by the terminal | p. 184 |
| Off-line PIN processing | p. 186 |
| RSA digital envelope carrying the PIN | p. 191 |
| On-line PIN processing | p. 194 |
| Terminal risk management | p. 195 |
| Terminal floor limit | p. 195 |
| Random transaction selection | p. 196 |
| Velocity checking | p. 199 |
| Terminal action analysis | p. 201 |
| Action codes and security policies | p. 201 |
| The terminal proposes and the card disposes | p. 203 |
| Off-line denial of a transaction | p. 204 |
| On-line transmission of a transaction | p. 206 |
| Default action in a transaction | p. 207 |
| Compute Application Cryptogram with GENERATE AC | p. 208 |
| On-line processing and issuer authentication | p. 217 |
| Authorization request and response with chip data | p. 218 |
| Issuer Authentication | p. 221 |
| Issuer scripts | p. 222 |
| Processing of issuer script templates | p. 222 |
| Post-Issuance Commands | p. 225 |
| References | p. 225 |
| EMV Chip Migration Issues | p. 227 |
| EMV regulatory framework | p. 228 |
| Business objectives | p. 229 |
| Functional requirements | p. 231 |
| Security politics | p. 233 |
| Deriving ICC specifications by issuers | p. 236 |
| Selection criteria of the ICC architecture | p. 239 |
| ICC hardware resources | p. 239 |
| ICC software platform | p. 241 |
| Multiapplication ICC | p. 242 |
| Choice of a set of card applications | p. 243 |
| Card layout definition | p. 246 |
| Issuer's business case | p. 253 |
| Availability of the financial service | p. 253 |
| Improved security | p. 254 |
| Reduced operational costs | p. 255 |
| Adaptive initiate application processing | p. 255 |
| Design criteria for CAM selection | p. 259 |
| On-line CAM | p. 260 |
| Off-line static CAM | p. 261 |
| Off-line dynamic CAM | p. 262 |
| Security considerations regarding CAM | p. 263 |
| Design criteria for CVM | p. 267 |
| Enciphered PIN verified on-line | p. 267 |
| Plaintext/enciphered PIN verification by ICC | p. 268 |
| Requirements for the implementation of various CVM | p. 269 |
| Criteria for the definition of the CVM List | p. 270 |
| Processing restrictions | p. 271 |
| Application usage control | p. 271 |
| Application Version Number | p. 272 |
| Application effective/expiration dates | p. 272 |
| Card risk management | p. 273 |
| CRM Components | p. 273 |
| The set of CRM functions | p. 274 |
| CRM data | p. 278 |
| CRM function definitions | p. 283 |
| References | p. 286 |
| Remote Debit and Credit with EMV | p. 289 |
| Remote Card Payments and EMV | p. 291 |
| A model for remote card payments | p. 293 |
| Security aspects of remote card payments | p. 295 |
| Threats environment | p. 296 |
| Security services for remote transactions | p. 300 |
| Security services realization | p. 304 |
| Remote payment method based on TLS | p. 306 |
| TLS handshake protocol | p. 307 |
| TLS record protocol | p. 309 |
| Security limitations of the TLS protocol | p. 309 |
| SET-based solutions | p. 310 |
| SET model | p. 311 |
| Setup of the SET payment scheme | p. 311 |
| Registration of participants | p. 315 |
| Secure SET channel over insecure networks | p. 317 |
| SET dual signatures | p. 321 |
| SET payment method | p. 322 |
| TLS versus SET or wallet servers and EMV cards | p. 332 |
| Security makes the difference | p. 332 |
| Acceptability is a main concern | p. 333 |
| Improved solutions with wallet servers and EMV cards | p. 336 |
| Transaction processing for chip e-commerce | p. 340 |
| EMV application context in the cardholder system | p. 342 |
| Purchase initialization (PInitReq/PInitRes) | p. 346 |
| Cardholder verification | p. 347 |
| Terminal action analysis | p. 349 |
| Purchase request and response | p. 350 |
| Authorization request/response | p. 353 |
| Completion of the EMV transaction | p. 355 |
| References | p. 356 |
| Security Framework | p. 359 |
| Reference | p. 361 |
| Generic Security Threats | p. 363 |
| Security Services | p. 367 |
| Service description | p. 367 |
| Realization of security services | p. 370 |
| References | p. 371 |
| Security Mechanisms | p. 373 |
| Encryption | p. 373 |
| Symmetric encryption | p. 374 |
| Asymmetric encryption | p. 375 |
| Cryptographic hash functions | p. 376 |
| Hash function | p. 377 |
| MAC | p. 379 |
| Digital signature schemes | p. 380 |
| Signature scheme with appendix | p. 382 |
| Signature scheme with recovery | p. 383 |
| Public key certificates | p. 384 |
| Authenticity of public keys | p. 384 |
| Public key certificate generation | p. 385 |
| Public key certificate verification | p. 386 |
| Cardholder verification mechanisms | p. 387 |
| Manual signature | p. 387 |
| Enciphered PIN verified on-line | p. 387 |
| Plaintext PIN verification performed by the chip card | p. 388 |
| Symmetric enciphered PIN verification | p. 389 |
| Asymmetric enciphered PIN verification | p. 390 |
| Cardholder verification based on biometrics | p. 391 |
| SDA mechanisms | p. 392 |
| MAC-based SDA mechanism | p. 392 |
| Signature-based SDA mechanism | p. 393 |
| DDA mechanisms | p. 394 |
| MAC-based DDA | p. 394 |
| Digital signature-based DDA | p. 395 |
| One-time passwords | p. 396 |
| References | p. 397 |
| Block Ciphers | p. 399 |
| Definition and parameters | p. 399 |
| Modes of operation | p. 400 |
| DES, Triple-DES, and AES | p. 402 |
| MAC using a 64 bit-length block cipher | p. 404 |
| Key derivation | p. 405 |
| References | p. 406 |
| RSA Encryption and Signature Scheme | p. 407 |
| Key generation | p. 407 |
| Public and secret RSA operations | p. 409 |
| Digital signature giving message recovery | p. 410 |
| Signature generation | p. 411 |
| Signature verification | p. 412 |
| Digital signature and encryption with PKCS#1 | p. 414 |
| References | p. 416 |
| E-Commerce and M-Commerce Related Technologies | p. 419 |
| E-commerce and m-commerce | p. 419 |
| SIM, STK, SMS, and WAP | p. 420 |
| Access devices for remote card payments | p. 421 |
| WAP protocol suite compared to Internet | p. 426 |
| References | p. 427 |
| About the Author | p. 429 |
| Index | p. 431 |
ISBN: 9781580533058
ISBN-10: 1580533051
Series: Artech House Computer Security Series
Published: 30th November 2002
Language: English
Audience: General Adult
Publisher: ARTECH HOUSE INC
Country of Publication: US
Weight (kg): 0.98