tag:blogger.com,1999:blog-31063093603917246962024-02-19T07:03:18.213-08:00Chip and PINJaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.comBlogger9125tag:blogger.com,1999:blog-3106309360391724696.post-72883705488085073522017-08-26T16:45:00.000-07:002017-08-27T05:48:02.936-07:00What are BACS, CHAPS and FPS?<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
They are all payment related systems in use in the UK. So, what's the difference between BACS, CHAPS and FPS?<br />
<br />
<b>BACS </b>(Banker's Automated Clearing Service) is the oldest and the slowest of the "automated" payment systems; it's an electronic system for making payments directly from one bank account to another, partially replacing former payment systems such as cash and cheques. The payments go through a central authority, which happens to be Bacs Payment Schemes Limited. It usually takes 3 days to clear a payment made through BACS.<br />
<br />
The Direct Debit system in the UK is based on BACS. Employee wages are also usually sent via BACS by employers.<br />
<br />
<b>CHAPS </b>guarantees same-day payments, as long as the instructions are received before 2:30pm on that day. Since this is much faster than BACS, there is a payment processing fee of £25. The network is managed by a company called The Clearing House Automated Payment System.<br />
<br />
These days, after the introduction of FPS (see below), CHAPS usage is mostly limited to high-value transactions, such as purchasing a house.<br />
<br />
<b>FPS </b>(Faster Payments Systems) was introduced in 2008, promising much faster payment processing as compared to CHAPS; the usual processing time is less than 2 hours, often instantaneous, and there is no processing fee for personal accounts. However, the originator and the beneficiary bank accounts need to be part of the FPS network.<br />
<br />
Faster Payments is available 24x7. However, there is an upper limit on the amount that can be transferred in a single transaction via Faster Payments, which happens to be £250,000.<br />
<br />
<br />
<br />
In short, below is the summary:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc0aiUHIKxVqegeGDsZZDIY-6pRT7hBouH20OMOax5W9ndnF6tmedqRXpa59GB-WZOUUXRRLyzuUrviOdIi1PSMCEjLj2xPFt1b0NIjjPism7DvuIEhazu80GCNCdorVAGAnXt8J1cCqc/s1600/bacs_chaps_fps.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="805" data-original-width="1600" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc0aiUHIKxVqegeGDsZZDIY-6pRT7hBouH20OMOax5W9ndnF6tmedqRXpa59GB-WZOUUXRRLyzuUrviOdIi1PSMCEjLj2xPFt1b0NIjjPism7DvuIEhazu80GCNCdorVAGAnXt8J1cCqc/s400/bacs_chaps_fps.png" width="400" /></a></div>
<br /></div>
</div>
Jaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.com0tag:blogger.com,1999:blog-3106309360391724696.post-13456072730804565502014-09-07T14:23:00.000-07:002014-09-07T14:26:21.875-07:00How to parse DE55<div dir="ltr" style="text-align: left;" trbidi="on">
DE 55, also called Field 55, in ISO-8583 is Integrated Chip Data; so, it's easy to deduce that the EMV tags of an online transaction should be put in DE 55 when creating the corresponding ISO-8583 financial transaction message. But how?<br />
<br />
Well, firstly, one needs to know that EMV tags are <a href="http://chipnpin.blogspot.co.uk/2012/09/ber-tlv-encoding-of-emv-tags.html">BER-TLV encoded in Field 55</a>. Secondly, once you know the encoding itself, it's just a matter of putting all the tags together one after another and you get your DE 55---no delimiters and no meta information; it's as simple as that. The only extra thing you might need is the length/encoding required by the ISO-8583 variant you are implementing. For example, if DE 55 is an LLVAR field, you'll need to add the overall length of the EMV data as LL in DE 55 before putting in all the EMV data.<br />
<br />
Below is an example of DE 55 in an ISO-8583 message.<br />
<br />
<span style="color: #262626; font-size: 13px; line-height: 16px;"><span style="font-family: Courier New, Courier, monospace;">01495F2A0201245F34010182021C008407A0000000031010950580000000009A031102249B0268009C01009F02060000000000009F03060000000000009F0607A00000000310109F0802008C9F0902008C9F100706010A039000009F1A0201249F2608423158936ED6C38F9F2701809F3303E0B0C89F34034103029F3501229F360200019F3704ACAC66E89F5800DF0100DF0200DF0400</span></span><br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Here, 0149 is the LL-part of the LLVAR field, which indicates that the data is 149 bytes (or 298 hex characters), starting from 5F and ending at 00. You can copy this data, excluding the leading 0149, into <a href="http://www.emvlab.org/tlvutils/" target="_blank">EMV Lab's TLV Utilities</a> and get this decoding with a single click:<br />
<br /></div>
<div style="text-align: left;">
<table align="center" border="1" style="width: 50%;">
<tbody>
<tr>
<td>Tag</td>
<td>Value</td>
</tr>
<tr>
<td>5F2A</td>
<td>0124</td>
</tr>
<tr>
<td>5F34</td>
<td>01</td>
</tr>
<tr>
<td colspan="2">...and so on</td>
</tr>
</tbody></table>
</div>
</div>
Jaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.com11tag:blogger.com,1999:blog-3106309360391724696.post-53816598339249982502013-08-18T10:20:00.002-07:002013-08-18T10:22:50.046-07:00What is white label ATM?<div dir="ltr" style="text-align: left;" trbidi="on">
It's an "unbranded" ATM---that is, an ATM which is owned by a non-bank entity.<br />
<br />
Traditionally, ATMs have been owned by banks. But an ATM is just a machine with some software running inside it. It's possible for a non-banking business entity to own an ATM and make a profit from the service provided to customers of various banks.<br />
<br />
As I said earlier, <b>a white label ATM</b> is one which is owned by a non-banking entity. It seems that the term is more common in India as compared to other countries. The Reserve Bank of India has recently issued a licence to Tata Communications Payment Solutions (TCPS) to operate such machines. </div>
Jaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.com0tag:blogger.com,1999:blog-3106309360391724696.post-13428481294763354582012-09-16T14:26:00.002-07:002012-12-21T13:51:47.797-08:00BER-TLV Encoding of EMV Tags<div dir="ltr" style="text-align: left;" trbidi="on">
ISO-8583 messages encode EMV tags using the BER-TLV scheme in Field 55 of the message. The formal name of the encoding scheme is ASN.1 Basic Encoding Rules (ISO 8825).<br />
<br />
The term <b>TLV</b> stands for <span style="color: blue;">T</span>ag <span style="color: blue;">L</span>ength and <span style="color: blue;">V</span>alue (sometimes also referred to as <span style="color: blue;">T</span>ype, <span style="color: blue;">L</span>ength and <span style="color: blue;">V</span>alue). For EMV tags, the tag is usually 2-4 bytes in size; the length part is again 2-4 bytes in size,<br />
<br />
<br />
<h3 style="text-align: left;">
Valid EMV Tag Names</h3>
<div>
<br /></div>
Some sample EMV tag names are 81, 9F02, 9F26, 4F and 5A. You can find a complete list of tags and their descriptions on EMV Lab's <a href="http://www.emvlab.org/emvtags/all/" target="_blank">EMV Tags page</a>. BER-TLV encoding rules divide the tag name (sometimes called tag type) into the following parts: class (2 bits), primitive/constructed identifier (1 bit) and tag name (5 bits followed by 0 or more bytes).<br />
<br />
Take tag 9F26, for example. In binary, it's equivalent to byte<sub>1</sub> = 1001 1111 and byte<sub>2</sub> = 0010 0110. The first two bits are 10, which indicates that its class is "Context-Specific". The next bit is 0, which indicates that it's a primitive tag. The next 5 bits of the first byte are all 1, which indicates that the tag name is of the "long form" and we need to look at the next byte as well. All bits in byte 2 form part of the tag name. However, the highest bit of byte 2 (and all following bytes) must be turned on if there are more bytes included in the tag name. In our case, 9F26 is just two bytes; hence, the second byte has its first bit turned off.<br />
<br />
<br />
<h3 style="text-align: left;">
Constructed EMV Tags</h3>
<div>
<br /></div>
<div>
The term "constructed" in the context of BER-TLV encoding means that the tag's value is a set of EMV tags itself; i.e., the tag has a recursive BER-TLV encoding structure. Let's use Tag 71 as an example.</div>
<div>
<br /></div>
<div>
The hex value 71 is represented as 0111 0001 in binary. The first two bits are 01, which indicates that it has an "Application" class. The third bit, 1, indicates that the tag's value is a set of EMV tags itself. The remaining bits, 10001, give the actual tag identifier.</div>
<div>
<br /></div>
<div>
Now, one of the valid values of Tag 71 would be "9F06021234", i.e., the value of Tag 71 is the tag 9F06 along with its length and content. However, the value "1234" will be incorrect as "1234" is not valid BER-TLV data.</div>
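Added example (not the blog's own code): a small BER-TLV reader in Python that applies the tag rules above (class bits, primitive/constructed bit, long-form tag names), parses constructed values recursively, and is run on the DE 55 sample from the "How to parse DE55" post. The function names, the handling of the 4-digit decimal length prefix as shown in that sample, and the outer bytes 71 05 wrapped around the Tag 71 value in the test input are assumptions of this example.

```python
CLASSES = ("Universal", "Application", "Context-Specific", "Private")

# DE 55 sample copied from the "How to parse DE55" post, length prefix included.
DE55_SAMPLE = (
    "01495F2A0201245F34010182021C008407A0000000031010950580000000009A03110224"
    "9B0268009C01009F02060000000000009F03060000000000009F0607A0000000031010"
    "9F0802008C9F0902008C9F100706010A039000009F1A0201249F2608423158936ED6C38F"
    "9F2701809F3303E0B0C89F34034103029F3501229F360200019F3704ACAC66E8"
    "9F5800DF0100DF0200DF0400"
)

def read_tag(buf, pos):
    """Return (tag bytes, next position), following the long-form tag rule."""
    start, pos = pos, pos + 1
    if buf[start] & 0x1F == 0x1F:      # low 5 bits all 1: tag name continues
        while buf[pos] & 0x80:         # high bit on: yet another byte follows
            pos += 1
        pos += 1                       # final tag byte has its high bit off
    return buf[start:pos], pos

def read_length(buf, pos):
    """Return (length, next position) for short- or long-form BER lengths."""
    first = buf[pos]
    if first < 0x80:                   # short form: this byte is the length
        return first, pos + 1
    n = first & 0x7F                   # long form: the next n bytes hold it
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_tlv(buf):
    """Parse back-to-back TLVs; constructed values are parsed recursively."""
    items, pos = [], 0
    while pos < len(buf):
        try:
            tag, pos = read_tag(buf, pos)
            length, pos = read_length(buf, pos)
        except IndexError:
            raise ValueError("data ends inside a tag or length") from None
        if pos + length > len(buf):
            raise ValueError(f"tag {tag.hex().upper()}: length overruns data")
        value, pos = buf[pos:pos + length], pos + length
        constructed = bool(tag[0] & 0x20)   # third bit of the first tag byte
        items.append({
            "tag": tag.hex().upper(),
            "class": CLASSES[tag[0] >> 6],  # first two bits of the first byte
            "constructed": constructed,
            "value": parse_tlv(value) if constructed else value.hex().upper(),
        })
    return items

def parse_de55(field):
    """Check the sample's 4-digit decimal length prefix, then parse the rest."""
    declared, data = int(field[:4]), bytes.fromhex(field[4:])
    if declared != len(data):
        raise ValueError(f"prefix says {declared} bytes, got {len(data)}")
    return parse_tlv(data)
```

Calling `parse_de55(DE55_SAMPLE)` returns the tag list that begins with 5F2A = 0124 and 5F34 = 01, and `parse_tlv` raises `ValueError` when a constructed tag's value is not itself valid BER-TLV data, as with the "1234" case above.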
</div>
Jaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.com1tag:blogger.com,1999:blog-3106309360391724696.post-61283172582595634252012-07-03T14:30:00.000-07:002012-07-03T14:30:21.143-07:00What is ARPC?<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="background-color: white;">ARPC is the cryptogram generated in the response message. Just like ARQC, it ensures that the response originated from the issuer, and that it has not been tampered with.</span><br />
<div>
<br /></div>
<h3 style="text-align: left;">
ARPC Generation</h3>
ARPC generation is not much different from <a href="http://chipnpin.blogspot.com/2012/01/what-is-arqc.html">ARQC generation</a>. The steps for the two cryptograms are similar to each other:<br />
<br />
<ol style="text-align: left;">
<li><span style="background-color: white;">Card Key Derivation</span></li>
<li><span style="background-color: white;">Session Key Derivation</span></li>
<li><span style="background-color: white;">Preparation of Input Data in ARPC Calculation</span></li>
<li><span style="background-color: white;">ARPC Calculation (the final encryption/ hashing step)</span></li>
</ol>
<br />
The major difference in ARPC is that firstly it's generated by the issuer alone, and secondly it usually <span style="background-color: white;">takes the ISO response code as part of the input data in step 3.</span><br />
<br /></div>Jaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.com1tag:blogger.com,1999:blog-3106309360391724696.post-72793968179951334182012-01-15T00:30:00.000-08:002015-06-16T15:16:04.045-07:00What is ARQC?<div dir="ltr" style="text-align: left;" trbidi="on">
Each EMV transaction request is supposed to contain <b>ARQC</b>, which is a cryptogram generated from the transaction data. In the context of EMV, a cryptogram can be thought of as a digital signature on the financial transaction. A valid, verifiable cryptogram tells you two things:<br />
<br />
<ul style="text-align: left;">
<li>the financial message originated from the source that it claims to be from</li>
<li>the contents of the message have not been altered </li>
</ul>
<br />
There are two cryptograms used in EMV: ARQC (Authorisation Request Cryptogram) and ARPC (Authorisation Response Cryptogram). The first one, ARQC, is generated by the card (after taking some values from the terminal), and hence it's part of a request message. The second one, ARPC, is generated by the issuer and hence it's part of a response message.<br />
<br />
<h2>
Steps for ARQC Generation</h2>
There are four basic steps to ARQC generation:<br />
<ol style="text-align: left;">
<li>Card Key Derivation </li>
<li>Session Key Derivation </li>
<li>Preparation of Input Data in ARQC Calculation</li>
<li>Encryption/ Hashing (the final step that gives the ARQC)</li>
</ol>
<div>
Restating the above list, the first step is to derive the card key and then use the card key to derive a session key. In parallel, we need to prepare some data and then encrypt that data with the session key derived in the previous step.</div>
<div>
<br /></div>
Exact details vary from one chip program to another!<br />
<br />
<h3 style="text-align: left;">
Step 1 and 2: Card and Session Key Derivation</h3>
When a card is out in the field, it already contains the Issuer Master Key. But to create an ARQC for a particular transaction, two new keys are required: the first is called the Card Key and the second is called the Session Key. Each EMV scheme (such as M/Chip and Visa) has its own algorithm for generating the card key and/or the session key. Some of these algorithms are standardized and part of the EMV specification, while others are proprietary to the vendor.<br />
<br />
The Card Key is unique to the card and the Session Key is unique to the transaction. It is the Session Key that is used for the final encryption in step 4.<br />
<br />
<h3>
Step 3: Data Preparation</h3>
In parallel to the key derivation as described above, an important step of ARQC generation is “preparation of input data”, mentioned as point #3 in the list above. Once again, which EMV tags are concatenated to prepare this input data is EMV scheme specific.<br />
<br />
<h3 style="text-align: left;">
Step 4: ARQC Generation </h3>
Finally, once the Session Key and Input Data are ready, the Input Data is encrypted using the Session Key to give the ARQC.</div>
Jaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.com30tag:blogger.com,1999:blog-3106309360391724696.post-46556447060320543482012-01-12T12:56:00.000-08:002012-07-03T13:59:35.316-07:00EMV Versions<div dir="ltr" style="text-align: left;" trbidi="on">
EMV got standardized in 1995. The first
widely used version was <span style="color: #38761d;">EMV 3.0</span> published in 1996, which is why it's
popularly known as <span style="color: #38761d;">EMV '96</span>. Some modifications to the standard were
done in 1998, giving us <span style="color: #38761d;">EMV 3.1.1</span>.<br />
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Another version came out in Dec 2000.
Though the formal name was <span style="color: #38761d;">EMV 4.0</span>, it became popularly known as <span style="color: #38761d;">EMV
2000</span>. Finally, another version came out as <span style="color: #38761d;">EMV 4.1</span> in June 2007,
which fortunately didn't get its name altered.
</div>
<div style="margin-bottom: 0in;">
<br /></div>
<div style="margin-bottom: 0in;">
Minor improvements to EMV 4.1 resulted
in <span style="color: #38761d;">EMV 4.2</span> in Jun 2008, and further in <span style="color: #38761d;">EMV 4.3</span> which was published
very recently in Nov 2011.</div>
</div>Jaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.com0tag:blogger.com,1999:blog-3106309360391724696.post-37162151350804701232012-01-10T13:56:00.000-08:002012-01-10T13:56:45.511-08:00EMV Schemes<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="text-align: left;">There are various EMV schemes out there. The term, EMV scheme, is normally used to refer to a concrete implementation of the EMV specification by a vendor. Another common term for the same is "chip card program."</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="text-align: left;"><br /></span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="text-align: left;">The most famous EMV schemes or chip programs are VSDC (Visa Smart Debit and Credit) by Visa and M/Chip by Mastercard. Other EMV schemes with good market penetration are AEIPS by American Express or AMEX, JCB (Japan Card Bureau), etc.</span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="text-align: left;"><br /></span></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="text-align: left;">While a chip card can be identified at the terminal by reading the "Application Identifier" (AID) on the chip, an online transaction message based on ISO-8583 doesn't contain the AID.</span></div>
</div>Jaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.com0tag:blogger.com,1999:blog-3106309360391724696.post-35507665422218144902012-01-08T00:11:00.000-08:002012-07-03T14:00:56.230-07:00What is EMV?<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
EMV stands for Europay, Mastercard and Visa. It's the underlying technical standard which defines the Chip and PIN program. The standard defines the characteristics and behaviour of the card, the terminal (POS, ATMs as well as transactions carried over the Internet) and the issuer.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8MOn2cQYApScDrHekK4ZfpwHqQw4wtipYWCuX4dJaZTWpxMjMjcT38BBHKeNRBYU6d3rlsSkll1Q6r6y5YsPYuYvkUuJaBAfZDANPFcsIdhxmuoA5HsGeI04iwDpjDvGnFR_SU8f1khA/s1600/Smartcard3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="254" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8MOn2cQYApScDrHekK4ZfpwHqQw4wtipYWCuX4dJaZTWpxMjMjcT38BBHKeNRBYU6d3rlsSkll1Q6r6y5YsPYuYvkUuJaBAfZDANPFcsIdhxmuoA5HsGeI04iwDpjDvGnFR_SU8f1khA/s320/Smartcard3.png" width="320" /></a></div>
<br />
All cards which are compliant with the EMV standard carry a <b><span style="color: #38761d;">chip</span></b> (unlike the old cards which just had a magnetic stripe at their back) and usually require a PIN to authorize a transaction.<br />
<br />
EMV is supposed to be <span style="color: #38761d;"><b>secure</b></span>.[1] It safeguards customers and banks against various types of fraud that are possible with old-style magnetic cards as well as PIN-less transactions. Plain old magnetic cards are extremely easy to duplicate; not so with EMV-based cards.<br />
<br />
Unlike ISO-8583 (and other ISO standards), EMV is <b><span style="color: #38761d;">freely available</span></b> in the form of 4 books.[2]<br />
<br />
Future posts on this blog will dive into the details of the EMV standard. Most of the information presented here will be based on several years of practice in the field as well as freely available information on the Internet.<br />
<br />
<i>Please feel free to post your questions about the topic!</i></div>
<br />
<br />
<hr />
[1] It's said that <a href="http://www.thejaywalker.net/2010/12/chip-and-pin-aka-emv-hacked.html" target="_blank">Chip and PIN has been hacked</a>.<br />
<div>
[2] <a href="http://www.emvco.com/specifications.aspx" target="_blank">EMVCo Specs are freely available online</a>.<br />
<br />
Note: <a href="http://commons.wikimedia.org/wiki/File:Smartcard3.png" target="_blank">Smartcard image is from Wikimedia Commons</a> licensed under the <a href="http://creativecommons.org/licenses/by-sa/3.0/deed.en" target="_blank">Creative Commons Attribution-Share Alike 3.0 Unported</a> license.</div>
</div>Jaywalkerhttp://www.blogger.com/profile/03080970368450896690noreply@blogger.com1