Visa Smart Debit/ Credit Transaction Flow Overview

This is a Smart Card

MicroVisa Smart Processor Micro Processor Debit/Credit
Internet Access Loyalty ID (Govt., Health)

RAM CPU

EEPROM ROM Visa Magnetic Credit or Debit Stripe

VSDC in a Variety of Forms

Visa Smart Debit/Credit

-The VSDC Application-

VSDC Functionality
Magnetic Stripe Image Offline Data Authentication

Expanded Cardholder Verification

Offline Authorization Controls Online Card and Issuer Authentication Post Issuance Updates

Application Selection Read Card Data Mag. Stripe Image

Cardholder Data VerifiAuthentication cation

Terminal Functions

Card Action Analysis

Completion

-Transaction Flow-

The Magnetic Stripe Image (MSI)

Magnetic Magnetic Stripe Stripe Image (MSI)
(Track 1, Track 2 Data)
$ 36.98

Insert Chip Card Track 1 & Track Data into 2 Reader

(Service Code 2 or 6)

PAN

Cardholder Name
Expiration Date Service Code (begins with 2 or 6)

Chip POS

*Terminal PVV

only reads Mag-Stripe or Chip depending on its capabilities

CVV (iCVV (optional))

Different Applications, Different AIDs

Multi-application Smart Card

VSDC
AID
A0000000031010

Visa Cash
LAC

F4840000035210

Public Transit
J00469L222A051

Indonesian Air
H162D923861C2

AID for VSDC

AID

RID
(5 bytes)

PIX
(up to 11 bytes)

Suffix

A0 00 00 00 03

10 10

01

A0 00 00 00 03 20 10 = Visa Electron F8 40 00 00 03 52 10 = Visa Cash LAC

Terminal Identifies Mutual Applications

Terminal Applications 1. K2640089111420 A0000000031010 A0000000031010 2. A0000000036010 DF000030016099 Applications listed in 710P0H01888841 Issuers Priority Order A0000000036010 Card Applications 1. A0000000031010 2. A0000000036010 3. CDA00002107431 4. H162D923861C2

Please enter your choice:

1. VISA CREDIT?

2. VISA CASH?

Terminal reads VSDC Data from Card

Terminal selects VSDC application and reads Card Data

Read VSDC Records

Card Data: MSI, AIP, PK Cert.

Terminal also identifies the Static data to be used for Offline Data Authentication (SDA)

Card Supported Risk Management Functions

Terminal identifies mutually supported Risk Management functions using cards AIP Application Interchange Profile (AIP)
Byte 1: bit 7: 1 = Offline Static Data Authentication is supported bit 6: 1 = Offline Dynamic Data Authentication is supported bit 5: 1 = Cardholder Verification is supported bit 4: 1 = Terminal Risk Management is to be performed bit 3: 1 = Issuer Authentication is supported bits 2-1: RFU (Reserved for future use) Byte 2: RFU (00)
11

Offline Data Authentication

Purpose: To ensure the card data is authentic and has not been changed since the card was first personalized. The results of Offline Data Authentication play a role in later processing.

Application Selection Read Card Data Mag. Stripe Image

Data Cardholder AuthentiVerification cation

Terminal Functions

Card Action Analysis

Completion

Two Types of Offline Data Authentication

Two options
Static Data Authentication
non-skimming counterfeit protection similar to CVV

Dynamic Data Authentication

skimming counterfeit protection

Offline Data Authentication Benefits

Technically: Occurs Offline between card and terminal Uses RSA public key technology

Enables secure Offline transactions

Business Use: Expansion into new merchant segments Reduced authorization costs

Issuer Hashes Critical Card Data Elements

HASH ALGORITHM Card Data

SHA -1

(20 Bytes)

Hash Result

Recommended card data:

Application Effective Date Application Expiration Date PAN PAN sequence Number Application Usage Control CVM List

Issuer Action Codes (IACs)

Issuer Country Code Application Interchange Profile (AIP)

Issuer Signs the Hash Result with Private Key

S.A.D. RSA Algorithm
Hash Result

S.A.D. is Personalized onto Chip card

Hash Result
Issuers Private Key

SDA Requirements Overview

Certificate Authority

Static Data

Issuer

Hash Result
Issuer Private Key Issuer Public Key CA Private Key CA Public Key

Signed Static Application Data SAD

Issuer PK Certificate
Issuer PK Certificate

Acquirer

Static Data Authentication (SDA)

PK Certificate

Issuer Public Key

PKI 1 PKI 2 PKI 3

SAD

Hash Result
Hash Algorithm Indicator
other data elements

Terminals Hash Result

DDA Requirements Overview

Certification Authority

ICC

Issuer

ICC ICC Private Key Public Key

Issuer Issuer Private Key Public Key

CA CA Private Key Public Key

ICC PK Certificate

Issuer PK Certificate

Acquirer

Dynamic Data Authentication

Processing Restrictions

Issuer Country Code Card Expiry Date

Terminal Country Code Terminal Date

Terminal also checks Applications Effective Date and Usage Controls (i.e. Valid for Goods, Services, Cashback, ATM)

Cardholder Verification
Cardholder Verification is used to ensure the cardholder is legitimate and that the card is not lost or stolen

Application Selection Read Card Data Mag. Stripe Image

Data Cardholder AuthentiVerification cation

Terminal Functions

Card Action Analysis

Completion

Enhanced Cardholder Verification

Provides greater control over cardholder verification ability to tailor cardholder verification to environment Introduces Offline PIN secure cardholder validation No Member system changes to validate PIN offline Reduces lost/stolen fraud losses

VSDC PIN Processing

PIN Processing 1. Online PIN

2.
Online, DES encrypted PIN
ICC Public Key

Offline Plaintext PIN

Offline Enciphered PIN

3.

Offline, Plaintext Offline, PK PIN encrypted PIN

PIN

Reference PIN

ICC Private Key

Terminal Functions
Terminal Risk Management Terminal Action Analysis

Application Selection Read Card Data Mag. Stripe Image

Data Cardholder AuthentiVerification cation

Terminal Functions

Card Action Analysis

Completion

Terminal Risk Management

Prevents Fraud by going online with high value transactions periodically Three forms of Terminal Risk Management - Floor Limit Checking - Random Transaction Selection - Velocity Checking

Terminal Risk Management

The terminal performs supported risk management checks:

- account on terminal exception file?

- amount exceeds terminal floor limit? - transaction randomly selected to go online? - new card? - consecutive offline transactions? - merchant forced transaction online?

Terminal Action Analysis (Mandatory)

The terminal reviews the results of:
Offline Data Authentication Processing Restrictions

Terminal Risk Management

Cardholder Verification The results are checked against rules set in both the card and terminal to determine whether the transaction should be:

1. Approved Offline 2. Declined Offline 3. Sent Online for Authorization

Terminal Action Analysis

TVR TVR
Acquirer Rules loaded in terminal (Visa mandates certain settings)

Terminal Offline Data Auth. Processing Restrictions Verification

Cardholder Verification Results . Terminal Risk Mgmt

TVR

IAC IAC Action Fails: Go Online Codes IAC Decline

Offline Data Processing Terminal Risk Cardholder Issuer Authentication Restrictions Management Verification

Issuer Rules personalized onto card

Cant Go Online:

Terminal Action Analysis

TVR
Offline Data Auth. Processing Restrictions Cardholder Verification Terminal Risk Mgmt

CDOL Request TC Cryptogram Terminal Data used in creation of Cryptogram

Card Action Analysis

The cards risk management functions take into account three broad areas:
Activity Checking on Previous Transactions

New Card Checks Velocity Checks

Application Selection Read Card Data Mag. Stripe Image

Data Cardholder AuthentiVerification cation

Terminal Functions

Card Action Analysis

Completion

Indicators, Checks on Previous Transaction

1 1 1 1 1 1 1

0
Online Authorization
(Not Complete)

00
*SDA/DDA Failure

00
Issuer Authentication Failure

00
Issuer Script Failure

Issuer Auth. Performed and failed

Issuer Auth. Failure on last online Issuer SDA Failure Last Online Auth. not Script Processing transaction complete failed last transaction DDA Performed Failed

Bit 1

1
Byte 2

1
Byte 3

111
Byte 4

Byte 1

CVR

During Initiate Application processing bytes 2-4 are reset to all zeros

Using Counters and Velocity Checking

If New Card, Transmit Transaction Online

1 3 5 4 0 0 0 2 0 1 ATC

1 0 0 0 5 0 Last Online ATC

Lower Upper (Byte 1) ADA Consecutive Consecutive Offline Limit Offline Limit

1 2 0 3 PIN Try

3
PIN Try Limit

01453
Cumulative Total Transaction Amount

$50.00
Cumulative Total Transaction Application Amount Limit

1 3
Issuer Script Command

Bit 1

Try Velocity Unable to go Offline PIN blocked, PIN Exceeded Offline PIN New Card Limit Exceeded online checking counters Performed failed
8

111

11

PIN Try Limit Exceeded

1
Byte 4

Byte 1

Byte 2

CVR

Byte 3

Approve, Decline, or Go Online?

Transaction Sent Online Transaction Transaction Approved Declined Terminal: Card: Terminal: Card: Offline
Card Action Processing Card Responds Offline Data Terminal Risk Cardholder Analysis Restrictions Authentication Management Verification AAC ARQC -Prior Transactions? -International? -Floor Limit? -SDA? -Offline PIN? -New Card? -Expiry Date? -Random? Decline AAC x -DDA? -Velocity Checks? -Velocity Checks?
-Usage Controls?

TC

x x
Approve

Terminal AAC Decline Offline ARQC Go Online TC Approve Decline Go Online ARQC Requests Offline Data Authentication
Processing Restrictions Decline Go Online TC Cardholder Verification Terminal Risk Mgmt Card Action Analysis

Cryptogram Version 10
Data Element
Amount, Authorized

Terminal CDOL1 & 2

Input by Card

Amount, Other
AIP ATC CVR Terminal Country Code TVR Transaction Currency Code

V.I.P Field # 147 149 138 137 134.3 145 131

Transaction Date
Transaction Type Unpredictable Number

148 146 144 132

BASE/BASE POS Offline Approval

Acquirer BASE I
$52.95

VIP
BASE I

Issuer BASE I

Member Bank

TC 1 1
2 2

SMS Online

TC05

TC05
SMS Offline

TC

TC

BASE II

3 3

1.
2. 3.

Transaction is approved offline by chip. Transaction data including chip data and transaction certificate (TC) is sent to acquirer. Transaction has a response code of Y1 or Y3. Acquirer sends a TC05 clearing message with chip data and a Transaction Certificate to BASE II. Cryptogram checking is not done during clearing. BASE II forwards the TC05 to the issuer.

Online Processing
The Card and Terminal perform final processing to complete the transaction. An Issuer approved transaction may be converted to a decline based upon Issuer Authentication results and issuer-encoded parameters in the Card

Application Selection Read Card Data Mag. Stripe Image

Data Cardholder AuthentiVerification cation

Terminal Functions

Card Action Analysis

Completion

Online Processing Overview

Three components: (1) Online request processing

(2) Online response processing

(3) Issuer Authentication

Online Card and Issuer Authentication

Allows mutual validation
Issuer validates card card validates Issuer

Uses DES key technology Provides strongest protection against fraud

counter measure to skimming

VisaNet Authentication Services

Online Card Authentication

$52.95

Transaction Data (PAN, DKI (2), ARQC)

MDK MDK

Store Acquirer VisaNet Issuer

YES
MDK

No CAM Fails

CAM Passes

ARQC

PAN (field 2), PAN Seq. No (field 23) UDK

Triple DES Algorithm

.Cryptogram Data Elements ARQC

(3rd Bit Map)

UDK

Key derivation
Double length key (16 bytes): XX XX XX XX XX XX XX XX YY YY YY YY YY YY YY YY
PAN + PAN Seq.Nmbr. Double length key 3 DES (encipher, decipher, encipher) NOT(PAN + PAN Seq.Nmbr) Double length key

3 DES (encipher, decipher, encipher)

UDKA

UDKB

Derived key = UDKA + UDKB

Key derivation
Sample Data
PAN (Primary Account Number) : 40 00 00 00 00 00 00 10 PAN SEQ NUM : 01 PAN + PAN SEQ NUM (16 hex digits to the rigth):

40

00 00 00 00 00 00 10 01

NOT(PAN + PAN SEQ NUM):

FF FF FF FF FF FF EF FE

Key derivation
1st half of double length key
XX XX XX XX XX XX XX XX

PAN + PAN Seq.Nmbr

PAN + PAN Seq.Nmbr Double length key 3 DES (encipher, decipher, encipher)

DES
2nd half of double length key
XX XX XX XX XX XX XX XX

DES-1 1st half of double length key

XX XX XX XX XX XX XX XX

UDKA
Double length key (16 bytes): XX XX XX XX XX XX XX XX YY YY YY YY YY YY YY YY

DES

UDKA

Key derivation
NOT (PAN + PAN Seq.Nmbr) 1st half of double length key
XX XX XX XX XX XX XX XX

NOT (PAN + PAN Seq.Nmbr) Double length key 3 DES (encipher, decipher, encipher)

DES
2nd half of double length key
XX XX XX XX XX XX XX XX

DES-1 1st half of double length key

XX XX XX XX XX XX XX XX

UDKB
Double length key (16 bytes): XX XX XX XX XX XX XX XX YY YY YY YY YY YY YY YY

DES

UDKB

Key derivation
Claves de Longitud doble (16 bytes): XX XX XX XX XX XX XX XX YY YY YY YY YY YY YY YY
Clave de Transporte 1a Mitad clave a cifrar (de longitud doble) 3 DES (encipher, decipher, encipher) Clave de Transporte 2a Mitad clave a cifrar (de longitud doble) 3 DES (encipher, decipher, encipher)

1a. Mitad Clave Cifrada

2a. Mitad Clave Cifrada

1a Mitad Clave Cifrada + 2a Mitad Clave Cifrada

Issuer Authentication
$52.95

ARPC
Cryptogram
(3rd Bit Map)

UDK Triple DES Algorithm ARQC, Response Code (Field 139.2)

Store Acquirer VisaNet Issuer

YES Issuer Auth. Passes

No Issuer Auth. Fails

UDK Algorithm

ARPC Response Code (field 139) ARPC Triple DES

Card Changes Online Approval to a Decline

$52.95

*AIP indicates Issuer Auth. supported

AAC
ARPC
(Issuer Response)

ARPC
(Card Calculated)

If Issuer Authentication performed and failed, decline transaction

If Issuer Authentication is mandatory and no ARPC received, decline transaction

ADA

BASE/BASE POS Online Approval w/ Chip Decline

ARQC 1 ARPC 6 7 AAC
Acquirer
BASE I

VIP

$52.95

Member Bank

12 12

0100 ARQC 2 0110 ARPC 5 0400 * 8 8 0410 11 11

BASE I

0100 ARQC 0110 ARPC 4 4 0400 * 9 9 0410 10 10

3

Issuer
BASE I

SMS Online

TC48

TC48

SMS Offline

* 0400 may contain notice of issuer authentication failure and, if response contained issuer script, notifce of issuer script non-performance.

BASE II

13 13

Post-Issuance Updates
Allows Issuer to change limited information on card post-issuance Enhances risk management ability to block/unblock account update velocity controls Improves customer service change cardholder Offline PIN

Issuer Script Commands

Application Block Application Unblock Card Block PIN Change/Unblock Put Data Update Record

Post Issuance Updates

$52.95

ARPC, Response Code, Issuer Script (Field 142), MAC

Store Acquirer VisaNet Issuer

Terminal will display results after Issuer Script is processed

Questions?

51