EMV applications in contactless mode
Interest in contactless cards is explained by several technical advantages:
- convenience for the cardholder (the card does not have to be handed to the cashier, oriented correctly or inserted into the reader slot, and may not even have to be taken out of the wallet)
- higher transaction speed
- higher reliability of cards and terminals: because there is no mechanical contact between card and terminal, physical wear is lower
- better protection of contactless terminals against vandalism
EMVCo has long been working on a single contactless application, EMV Contactless Application, an analogue of the Common Payment Application (CPA) for contact cards. However, EMVCo is in no hurry to finalise this standard. The reason EMVCo gives is the lack of experience with contactless cards: every year there is an internal discussion of whether to develop the standard, but so far no positive decision has been taken, and whether a standard for a single contactless application will ever appear is not at all obvious. Therefore, pending the appearance of such a standard, EMVCo developed the EMV Contactless Specifications for Payment Systems – Entry Point Specification (below, Entry Point Specification for short), which resolves a number of issues.
This standard defines the general scheme for processing a contactless card transaction on the terminal side (the Entry Point) and describes in sufficient detail the procedures that precede application selection. Figure 5 shows the general scheme of transaction processing in contactless mode. Without dwelling on the details, we note that after pre-processing and protocol activation the terminal begins the procedure for selecting a contactless application. If the terminal supports a single contactless application, it selects that application immediately with the SELECT command. Otherwise the terminal selects the PPSE (Proximity Payment System Environment), whose DF name is 2PAY.SYS.DDF01, and receives in response an FCI object containing information about the contactless applications on the card. The terminal determines which of the applications it supports are present on the card, finds the one with the highest priority and selects it with a second SELECT command.
Although the idea that the card need not be taken out of the wallet still passes from book to book and from article to article, it is difficult to realise in practice. First, a good wallet significantly reduces the terminal's ability to detect the card because of the reduced signal strength. Second, if there are other contactless cards in the wallet, the terminal will most likely be unable to recognise the card because of collisions.
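As an added example (not from the original text, and not any payment system's or kernel vendor's code), the following Python parses a PPSE FCI of the shape described above and selects the highest-priority application that the terminal supports, then builds the second SELECT command. The Visa and Mastercard AIDs are the well-known values; the FCI bytes, the application labels and the priorities are constructed for illustration, and the co-badged card they describe is hypothetical.

```python
# Added example: PPSE FCI parsing and contactless application selection.
# The FCI, labels and priorities below are constructed, not captured from a card.
from __future__ import annotations

PPSE_NAME = b"2PAY.SYS.DDF01"
VISA = bytes.fromhex("A0000000031010")
MASTERCARD = bytes.fromhex("A0000000041010")
AMEX = bytes.fromhex("A00000002501")


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER-TLV object (short-form length is enough for this example)."""
    assert len(value) < 0x80
    return tag.to_bytes((tag.bit_length() + 7) // 8, "big") + bytes([len(value)]) + value


def parse_tlv(data: bytes) -> list[tuple[int, bytes]]:
    """Minimal BER-TLV parser: returns (tag, value) pairs, one level deep."""
    out, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # padding bytes between objects
            i += 1
            continue
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:               # multi-byte tag, e.g. BF0C
            while True:
                tag = (tag << 8) | data[i]
                i += 1
                if data[i - 1] & 0x80 == 0:
                    break
        length = data[i]
        i += 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out.append((tag, data[i:i + length]))
        i += length
    return out


def find(tlvs, tag: int):
    return next((v for t, v in tlvs if t == tag), None)


def build_ppse_fci() -> bytes:
    """Constructed FCI for a co-badged card: Mastercard priority 1, Visa priority 2."""
    entries = (
        tlv(0x61, tlv(0x4F, VISA) + tlv(0x50, b"VISA DEBIT") + tlv(0x87, b"\x02"))
        + tlv(0x61, tlv(0x4F, MASTERCARD) + tlv(0x50, b"DEBIT MC") + tlv(0x87, b"\x01"))
    )
    return tlv(0x6F, tlv(0x84, PPSE_NAME) + tlv(0xA5, tlv(0xBF0C, entries)))


def select_application(fci: bytes, supported_aids) -> bytes | None:
    """Return the AID of the highest-priority card application the terminal supports."""
    fci_template = find(parse_tlv(fci), 0x6F)
    proprietary = find(parse_tlv(fci_template), 0xA5)
    directory = find(parse_tlv(proprietary), 0xBF0C)
    candidates = []
    for tag, entry in parse_tlv(directory):
        if tag != 0x61:
            continue
        fields = parse_tlv(entry)
        aid = find(fields, 0x4F)
        # A card AID that begins with a supported terminal AID is a match (partial matching).
        if aid is None or not any(aid.startswith(t) for t in supported_aids):
            continue
        api = find(fields, 0x87)
        priority = (api[0] & 0x0F) if api else 0    # 1 = highest; 0 = no priority assigned
        candidates.append((priority or 16, aid))    # unassigned priority sorts last
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[0])             # stable sort: card order breaks ties
    return candidates[0][1]


def select_apdu(aid: bytes) -> bytes:
    """SELECT by AID (CLA=00 INS=A4 P1=04 P2=00): the second SELECT in the text."""
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


if __name__ == "__main__":
    chosen = select_application(build_ppse_fci(), [VISA, MASTERCARD])
    print("selected AID:", chosen.hex().upper())
    print("SELECT APDU :", select_apdu(chosen).hex().upper())
```

Bit 8 of the Application Priority Indicator (cardholder confirmation required) is masked off here; a real kernel has to honour it, which is out of scope for this illustration.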
Figure 5. Processing a transaction in contactless mode.
After application selection, the Entry Point transfers control to the kernel corresponding to the selected application. The kernel completes processing by generating an outcome for the Entry Point. Possible kernel outcomes are: the transaction is declined or approved offline, the transaction is sent to the issuer for online authorisation, a switch to contact mode is required, and so on.
One of the main features of contactless mode is that a transaction is usually performed with a single tap of the card on the terminal.¹ In addition, the time the card spends in the terminal's reading field must be minimal. For example, MasterCard insists that the card and the terminal complete their data exchange within 150 ms (although MasterCard itself violates this requirement). As a result, the implementation of a contactless transaction in a payment application has the following features:
- offline PIN verification cannot be used to verify the cardholder²
- the terminal's risk-management procedures take into account that the transaction is performed in contactless mode
- for a transaction authorised online, the issuer's response is not delivered to the card: issuer script processing is not performed (the card is no longer available to the terminal), and the actions the issuer specifies in the CSU (Card Status Update), for example resetting the PIN try counter or resetting the offline counters, cannot be carried out
- the set of commands the terminal (the kernel processing the application) uses to execute the transaction is usually minimised to reduce the time the card spends in the terminal's reading field³
¹ A number of payment systems (for example, AmEx) have followed the path of performing the transaction with two taps on the terminal. The second tap is needed after the issuer's response is received, so that the card can process it. In this case contactless processing is practically the same as contact processing. The method is not only inconvenient for the cardholder but also slows down payment for goods (services), so most payment systems use a single tap. That method is described below.
² Offline PIN verification is undesirable for many reasons. First, it is not secure (the PIN would have to be passed to the card over the radio interface). Second, it is inconvenient for the cardholder. It is no accident that a common feature of contactless application specifications is the refusal to present the PIN in offline mode. Contactless applications use two verification methods: presenting the PIN online (when the transaction is sent to the issuer for authorisation) and signature (offline).
³ For example, a number of payment applications do not use the GENERATE AC command: the data the issuer needs to approve the transaction (the cryptogram and other transaction parameters) is returned to the terminal in the response to the GET PROCESSING OPTIONS command.
Verification of the holder of a contactless card is limited to a few methods:
- verification of the enciphered PIN by the issuer (online PIN)
- obtaining the cardholder's signature
- no cardholder verification (No CVM; this matters when the transaction amount is small or high payment speed must be ensured)
In addition, there is a special case of verification on a mobile device (Consumer Device CVM in EMV terminology). The mobile device can inform the terminal that the cardholder has already been verified (a PIN has been entered on the device or a fingerprint has been presented).
Note that to select the verification method a contactless card may not use the CVM List, which defines the list of methods and conditions for verifying the cardholder in contact mode. For a number of applications, other data objects determine the choice of verification method in contactless mode.
The risk-management procedures performed by the terminal in contactless mode are quite simple. First, the terminal compares the transaction amount with the Contactless Transaction Limit. If the amount exceeds this value, the transaction is not performed in contactless mode. Second, the terminal compares the amount with the CVM Required Limit; when the amount exceeds this threshold, the terminal considers that the cardholder must be verified.
Usually the terminal then issues the GET PROCESSING OPTIONS command, which passes the card the data it needs to decide how to process the transaction. This data is defined by the PDOL list and describes not only the transaction parameters but also the terminal's capabilities and the result of the terminal's pre-processing of the contactless transaction.
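To make the two terminal-side steps concrete, here is an added Python example (not from the original text and not any vendor's kernel code): the amount is compared with the reader limits as described above, the result is encoded in the terminal data that the PDOL requests, and the GET PROCESSING OPTIONS command is assembled. The PDOL, the limits, the amount and the unpredictable number are constructed values. Two things go beyond the text and are assumptions of this example: the Terminal Transaction Qualifiers (9F66) bit positions are those of the Visa contactless kernel as understood by the author of the example, and a third limit, the Entry Point's Reader Contactless Floor Limit, is included to decide whether online authorisation is requested.

```python
# Added example: Entry Point pre-processing and GPO command construction.
# Limits, amount, PDOL and unpredictable number are constructed values.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class ReaderLimits:
    """Amounts in minor currency units (e.g. cents); constructed for this example."""
    contactless_transaction_limit: int   # above this, no contactless transaction
    cvm_required_limit: int              # above this, the cardholder must be verified
    floor_limit: int                     # above this, online authorisation is requested
                                         # (Entry Point's Reader Contactless Floor Limit,
                                         # not named in the text: an assumption here)


@dataclass
class PreprocessingOutcome:
    contactless_allowed: bool
    cvm_required: bool
    online_required: bool


def preprocess(amount: int, limits: ReaderLimits) -> PreprocessingOutcome:
    """The terminal-side checks described above; 'exceeds' is modelled as a strict >."""
    return PreprocessingOutcome(
        contactless_allowed=amount <= limits.contactless_transaction_limit,
        cvm_required=amount > limits.cvm_required_limit,
        online_required=amount > limits.floor_limit,
    )


def parse_dol(dol: bytes) -> list[tuple[int, int]]:
    """A DOL (here the PDOL) is a list of tag/length pairs with no values."""
    out, i = [], 0
    while i < len(dol):
        tag = dol[i]
        i += 1
        if tag & 0x1F == 0x1F:                  # multi-byte tag such as 9F66
            while True:
                tag = (tag << 8) | dol[i]
                i += 1
                if dol[i - 1] & 0x80 == 0:
                    break
        out.append((tag, dol[i]))
        i += 1
    return out


def terminal_data(outcome: PreprocessingOutcome, amount: int, unpredictable: bytes) -> dict[int, bytes]:
    """Terminal data objects the card may request through the PDOL (assumed TTQ layout)."""
    ttq = bytearray(4)
    # Byte 1: EMV mode supported, contact chip supported, online PIN and signature supported.
    ttq[0] = 0x20 | 0x10 | 0x04 | 0x02
    # Byte 2: b8 online cryptogram required, b7 CVM required (the pre-processing results).
    if outcome.online_required:
        ttq[1] |= 0x80
    if outcome.cvm_required:
        ttq[1] |= 0x40
    return {
        0x9F66: bytes(ttq),                              # Terminal Transaction Qualifiers
        0x9F02: bytes.fromhex(f"{amount:012d}"),         # Amount, Authorised (n12, BCD)
        0x9F37: unpredictable,                           # Unpredictable Number
        0x5F2A: bytes.fromhex("0978"),                   # Transaction Currency Code (EUR)
    }


def build_gpo(pdol: bytes, data: dict[int, bytes]) -> bytes:
    """GET PROCESSING OPTIONS: CLA=80 INS=A8, data = '83' L <PDOL values in PDOL order>."""
    body = b""
    for tag, length in parse_dol(pdol):
        value = data.get(tag, b"")            # objects the terminal lacks are zero-filled
        body += value[:length].ljust(length, b"\x00")
    field = bytes([0x83, len(body)]) + body
    return bytes([0x80, 0xA8, 0x00, 0x00, len(field)]) + field + b"\x00"


def gpo_for_transaction(amount: int, limits: ReaderLimits, pdol: bytes, unpredictable: bytes) -> bytes | None:
    """Full flow: the GPO APDU, or None when the amount exceeds the contactless limit."""
    outcome = preprocess(amount, limits)
    if not outcome.contactless_allowed:
        return None
    return build_gpo(pdol, terminal_data(outcome, amount, unpredictable))


LIMITS = ReaderLimits(contactless_transaction_limit=10000, cvm_required_limit=5000, floor_limit=2000)
PDOL = bytes.fromhex("9F66049F02069F37045F2A02")   # constructed PDOL: TTQ, amount, UN, currency

if __name__ == "__main__":
    apdu = gpo_for_transaction(7500, LIMITS, PDOL, bytes.fromhex("DEADBEEF"))
    print(apdu.hex().upper() if apdu else "contactless not allowed")
```

The zero-filling in build_gpo is what lets the card ask for objects the terminal does not know; in a real kernel the unpredictable number must come from a cryptographically secure source rather than the constant used here.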
The card performs its risk-management procedures and forms the CVR. When setting individual CVR bits, it takes into account indicators of special situations that occurred while processing the previous transaction in contact mode (indicators of special situations in contactless mode are usually not set).
After completing all the procedures, the card decides how the transaction will be completed in accordance with the CIAC¹ arrays. One of the following decisions can be made:
- the transaction is approved offline
- requires online authorization of the transaction by the issuer
- the transaction must be rejected
- switching to contact mode is required
The last decision is made by the card when, for a number of reasons, the transaction cannot (or should not) be performed in contactless mode. However, the card decides to switch to contact mode only if the terminal supports contact mode (otherwise the transaction is declined). Thus the payment application's decision is always consistent with the terminal's capabilities and is final.
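As an added example, not from the text and not the bit layout of any real payment application, the following Python models the card-side decision described above: the CVR is matched against the CIAC arrays, the result is one of the four decisions, and the switch to contact mode is chosen only when the terminal advertised contact support in the GPO data (otherwise the card declines). The CVR bit positions, the CIAC values and the card's own "contactless undesirable" condition are constructed for illustration.

```python
# Added example: card-side decision from the CVR and the CIAC arrays.
# Bit positions and CIAC values are illustrative, not a real application's layout.
from __future__ import annotations
from enum import Enum


class Decision(Enum):
    TC = "approve offline (TC)"
    ARQC = "request online authorisation (ARQC)"
    AAC = "decline (AAC)"
    SWITCH_TO_CONTACT = "switch to contact interface"


# Illustrative CVR bits (a 32-bit mask). The first three are the kind of 'special
# situation from the previous contact transaction' that the text mentions.
CVR_LAST_ONLINE_TXN_NOT_COMPLETED = 1 << 0   # previous online transaction not completed
CVR_ISSUER_AUTH_FAILED_LAST_TXN = 1 << 1     # issuer authentication failed last time
CVR_OFFLINE_PIN_FAILED_LAST_TXN = 1 << 2     # offline PIN failed in the last contact transaction
CVR_OFFLINE_LIMITS_EXCEEDED = 1 << 3         # the card's offline counters/limits are exceeded

# Illustrative CIAC arrays: CVR bits that force a decline, force online processing,
# or force a decline when the terminal cannot go online (CIAC-Default).
CIAC_DECLINE = CVR_ISSUER_AUTH_FAILED_LAST_TXN
CIAC_ONLINE = (CVR_LAST_ONLINE_TXN_NOT_COMPLETED | CVR_OFFLINE_PIN_FAILED_LAST_TXN
               | CVR_OFFLINE_LIMITS_EXCEEDED)
CIAC_DEFAULT = CVR_OFFLINE_LIMITS_EXCEEDED


def build_cvr(*, last_online_not_completed: bool = False, issuer_auth_failed: bool = False,
              offline_pin_failed: bool = False, offline_limits_exceeded: bool = False) -> int:
    """Form the CVR from what the card remembers about the previous (contact) transaction."""
    cvr = 0
    if last_online_not_completed:
        cvr |= CVR_LAST_ONLINE_TXN_NOT_COMPLETED
    if issuer_auth_failed:
        cvr |= CVR_ISSUER_AUTH_FAILED_LAST_TXN
    if offline_pin_failed:
        cvr |= CVR_OFFLINE_PIN_FAILED_LAST_TXN
    if offline_limits_exceeded:
        cvr |= CVR_OFFLINE_LIMITS_EXCEEDED
    return cvr


def card_decision(cvr: int, terminal_can_go_online: bool, terminal_supports_contact: bool,
                  terminal_requests_online: bool, contactless_undesirable: bool) -> Decision:
    """The card's final decision. The terminal_* flags are what the card learned from the
    GPO data (e.g. TTQ bits); contactless_undesirable is the card's own reason to prefer
    the contact interface (hypothetical condition, e.g. an amount above a card-side limit)."""
    if contactless_undesirable:
        # Only request the switch if the terminal can actually do contact mode; otherwise
        # decline, so that the decision is consistent with the terminal's capabilities.
        return Decision.SWITCH_TO_CONTACT if terminal_supports_contact else Decision.AAC
    if cvr & CIAC_DECLINE:
        return Decision.AAC
    if not terminal_can_go_online:
        # Offline-only terminal: CIAC-Default decides between declining and approving offline.
        return Decision.AAC if cvr & CIAC_DEFAULT else Decision.TC
    if terminal_requests_online or cvr & CIAC_ONLINE:
        return Decision.ARQC
    return Decision.TC


if __name__ == "__main__":
    cvr = build_cvr(last_online_not_completed=True)
    print(card_decision(cvr, True, True, False, False).value)
```

The order of the checks matters: a CIAC-Decline match wins over everything except the card's own request to switch interfaces, and an offline-only terminal never receives an ARQC, which is the page's point that the decision is always one the terminal can act on.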
Depending on the decision, the card returns different data. The only element always present in the returned data is the one that informs the terminal of the card's decision. If the card returns a transaction cryptogram, it also provides other data the terminal may need to continue processing (for example, to build the authorisation request to the issuer). Among this data is the Application File Locator (AFL), which references the records the terminal must read to complete the transaction successfully.
After reading the data referenced by the AFL with the READ RECORD command, the kernel completes its processing by generating the outcome. From this moment the card is no longer needed for further processing and can be removed from the terminal's reading field.
The terminal's further actions depend on the kernel outcome. The following options are possible.
- A switch to contact mode is required. The terminal attempts to perform the transaction in contact mode.
- The transaction is declined. The terminal finishes processing the transaction.
- Online processing is required. The terminal requests the PIN if required, generates an authorisation request to the issuer and forwards it to the host. The main difference of online processing in contactless mode is that the issuer's response is checked not by the card (it has already been removed from the field) but by the terminal. Of course, the terminal cannot authenticate the issuer; its decision on how to complete the transaction must follow the issuer's decision.
¹ Note that the CIAC for contactless mode may differ from the CIAC used for processing a transaction in contact mode, or CIAC may not be used at all in contactless mode.