EMV extends the ISO 7816 command set, and the EMV specification goes to great lengths to define the details of the specific commands that a smart card must respond to in order to be EMV compliant. The EMV smart card commands are:
The EMV specification defines two methods for authenticating the data on an EMV smart card: static and dynamic. These techniques are not unique to payment system applications and could be used to authenticate important data in any application domain. Data authentication ensures that the card is authentic and not a counterfeit or spoof card.
Static data authentication simply checks whether unvarying data that was placed on the card when it was originally created is still valid. Dynamic data validation checks data that can change during the lifetime of the card. Both methods employ public/private key pairs for authentication.
An EMV application that supports static data authentication carries the digital certificate of the issuer's public key, along with the static data signed with the issuer's private key. The digital certificate of the issuer's public key is signed by a certificate authority whose public key is held by the terminal. The authentication of the static data is performed by the terminal as follows:
Dynamic data authentication is a little more complicated but runs along the same lines. In order to support dynamic data authentication, the smart card carries its own private key and a digital certificate for the corresponding public key in addition to the digital certificate containing the public key of the issuer. The authentication of dynamic data is performed by the terminal as follows:
It is easy to see the beginning of the SET protocols in this simple EMV data validation protocol.
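The two certificate chains described above can be modeled in a few lines. The following is an added example, not code from the EMV specification or from this book: it uses textbook RSA over SHA-256 digests with constructed toy keys, and the function names, the key serialisation and the random terminal challenge in the dynamic case are assumptions of this simplified model.

```python
# Toy model: textbook RSA over SHA-256 digests; all keys and card data are constructed.
import hashlib, os

def make_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def encode(pub):
    return repr(pub).encode()  # hypothetical key serialisation for signing

CA_PUB, CA_PRIV = make_key(2**521 - 1, 2**127 - 1)  # Mersenne-prime toy keys,
ISS_PUB, ISS_PRIV = make_key(2**107 - 1, 2**89 - 1)  # far too weak for real use
ICC_PUB, ICC_PRIV = make_key(2**61 - 1, 2**31 - 1)

STATIC = b"PAN=0000000000000000;EXP=0000"  # constructed static card data
CARD = {  # what the issuer loads at personalisation; ICC_PRIV stays on the chip
    "issuer_pub": ISS_PUB, "issuer_cert": sign(CA_PRIV, encode(ISS_PUB)),
    "static": STATIC, "static_sig": sign(ISS_PRIV, STATIC),
    "icc_pub": ICC_PUB, "icc_cert": sign(ISS_PRIV, encode(ICC_PUB)),
}

def card_sign(challenge):
    return sign(ICC_PRIV, challenge)  # card side: signs with its own private key

def issuer_ok(card, ca_pub):
    return verify(ca_pub, encode(card["issuer_pub"]), card["issuer_cert"])

def terminal_sda(card, ca_pub):
    """Static: CA key -> issuer key -> signature over the static data."""
    return issuer_ok(card, ca_pub) and verify(
        card["issuer_pub"], card["static"], card["static_sig"])

def terminal_dda(card, ca_pub, signer):
    """Dynamic: extend the chain to the card key, then verify a fresh challenge."""
    chain = issuer_ok(card, ca_pub) and verify(
        card["issuer_pub"], encode(card["icc_pub"]), card["icc_cert"])
    challenge = os.urandom(8)  # unpredictable terminal data
    return chain and verify(card["icc_pub"], challenge, signer(challenge))
```

In the static case the terminal only re-checks signatures created when the card was issued; in the dynamic case the card must also produce a new signature with a private key that never leaves the chip.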
The Visa Integrated Circuit Card (ICC) specification is Visa's extension of EMV96 beyond credit and debit payment systems to stored value and loyalty applications. In particular, it applies EMV96 to two Visa stored value applications, the Chip Card Payment Service (CCPS) and VisaCash.
The Visa ICC specification also covers Visa's Easy Entry smart card application. Easy Entry defines a way for a smart card to behave like a magnetic stripe card, not electrically of course, but with respect to the format and content of the data it emits. As a result, a smart card containing Easy Entry applications can be used with the existing and extensive magstripe infrastructure. It is the duty of the terminal to perform the electrical translations between the ISO 7816 interface to the smart card and the needs of the magstripe transaction processing network.
Because stored value and loyalty applications make it necessary to be able to write data to the card as well as read from it (to add cash or points to the card, for example), the CCPS specification adds a PUT DATA command (CLA=04₁₆, INS=DA₁₆) to the basic EMV96 commands. Furthermore, since this command, which essentially mints money, just might attract some hacker interest, the secure messaging and data validation capabilities of EMV96 are also considerably strengthened in CCPS so that only the right people can increase cash value or the loyalty point totals on the card.
As of this writing, neither the specifications for SET 2.0 nor the specifications for Visa's Open Technology Platform have been released. SET 2.0 is claimed to include smart card support, and you can imagine that it will be the next step in the evolution of EMV96. Clearly, the stage has been set in EMV96 and CCPS to handle SET.
The Visa Open Technology Platform (OTP) is a customization of the Java Card specification, which is a closed and highly constrained multiapplication environment. A primary concern of the Java Card and the OTP is to provide the card issuer with quality control over the applications on the card. What impact this has on cardholders and application developers remains to be seen.