Upload File

personalisation quality control of emv cards

25
Brian Summerhayes Managing Director Barnes International © 2014 BARNES INTERNATIONAL LIMITED 1 Personalisation Quality Control of EMV Cards ICMA EuroForum Munich, October 2014

Upload: others

Post on 25-Dec-2021

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Personalisation Quality Control of EMV Cards

Br ian Summerhayes

Managing Director

Barnes Internat ional

© 2014 BARNES INTERNATIONAL LIMITED 1

Personalisation Quality Control of EMV Cards

ICMA EuroForum

Munich, October 2014

Page 2: Personalisation Quality Control of EMV Cards

Agenda

Payment Application Personalisation Quality Control

Offline Card Personalisation Validation Testing QC

Inline QC + Offline Card Personalisation Validation Testing QC

100% Inline QC with Card Personalisation Testing Validation QC

© 2014 BARNES INTERNATIONAL LIMITED 2

Page 3: Personalisation Quality Control of EMV Cards

Personalisation Quality Control Testing

© 2014 BARNES INTERNATIONAL LIMITED 3

Page 4: Personalisation Quality Control of EMV Cards

Personalisation Quality Control – Why?

© 2014 BARNES INTERNATIONAL LIMITED 4

Chip cards have far more complicated coding compared with a simple magnetic stripe

Chip cards have far more information inside them compared with a magnetic stripe

Dual interface cards are also complex to code with shared parameters

• Magnetic Stripe vs Chip Data

• Correct Keys • Validation vs

Payments Scheme

• Issuer/ Card Tag values

Page 5: Personalisation Quality Control of EMV Cards

Data sent to card during personalisation

© 2014 BARNES INTERNATIONAL LIMITED 5

Data Elements

Magnetic StripeContact Chip DataContactless Chip Data (if DI or CL card)Cryptographic KeysEmbossing on card facePrinting, including CVV on reverse

Page 6: Personalisation Quality Control of EMV Cards

Card Personalisation

© 2014 BARNES INTERNATIONAL LIMITED 6

Most of the data fields are particular to one type of card template for each issuer, e.g. CVM List

Some of the data fields will be unique to the cardholder e.g. Account Number (PAN) and cardholder name

Some of the data fields should be standard across all products e.g. Issuer Country Code

Page 7: Personalisation Quality Control of EMV Cards

Potential Personalisation Errors

© 2014 BARNES INTERNATIONAL LIMITED 7

Data errors

Magnetic Stripe encoding errorsCardholder data Transposition errorsCryptographic ErrorsFormatting Errors Incorrect Perso Data, e.g. Country / Currency code missmatch

Specification errors

Page 8: Personalisation Quality Control of EMV Cards

Personalisation QC

© 2014 BARNES INTERNATIONAL LIMITED 8

Quality Control of the cards in manufacturing and during personalisation is essentialChip cards – many data Tags any one of which could be incorrectly set upChip cards are far more expensive than magnetic stripe and thus are costly

to reissueReputation/customer service impact can result in substantial lost revenue

Offline or Inline Quality Control of the cards during personalisationOfflineSingle Card tests with Batch Testing

InlineEnables 100% testing

Page 9: Personalisation Quality Control of EMV Cards

PersoMachine Controller

EMV Card Perso with Offline QC

© 2008-2014 BARNES INTERNATIONAL LIMITED 9

PersoData File

Mag-Stripe Encode Emboss Chip Perso

Finished Card

Blank Card

Card Movement Perso Data Flow

CryptoKeys

Chip TAG

ValuesEmboss

DataMag

Stripe Data

Audit Log

Audit Data Flow

Offline CPT

Page 10: Personalisation Quality Control of EMV Cards

Offline Perso QC Testing Card Personalisation Validation Testing Tool

Validates data to EMV and payment scheme requirements Confirms chip, Mag-stripe and embossing correlation Identifies incorrect data Contact and Contactless chip validation testsMultiple Application data validation -single card insertionMulti-level user interface for Production, QA & Bank personnel with complete analysis

facilities for Experts

Validation – Standard Card Perso Tool (“CPT”)

All the features of a CPT, PLUS: Test Script development Issuer scripts and Cryptography

Host Simulation + HSM interface (e.g. with Thales 8000/9000 and Safenet)

Test Development + Card Validation

10© 2014 BARNES INTERNATIONAL LIMITED

Page 11: Personalisation Quality Control of EMV Cards

Validation Test Report

1. Summary of Test

2. Individual Fail/ Observations with Explanatory Annotations

3. Refers to Applicable Specification

4. List of all Tags Tested & Result

© 2014 BARNES INTERNATIONAL LIMITED 11

3

4

2

1

Page 12: Personalisation Quality Control of EMV Cards

Offline QC Testing Architecture

© 2008-2014 BARNES INTERNATIONAL LIMITED 12

CPT GUI

Card Reader Interface

Certification Test Scripts and Scenarios

MC CPV/ Visa GPR etc

QC Test Scripts and Scenarios

Bespoke Scripts & Scenarios

CPT Test Engine

Card Reader(s)Contact/ CL/ DI

Page 13: Personalisation Quality Control of EMV Cards

PersoMachine Controller

Inline QC Testing – Offline EMV Data Validation

© 2008-2014 BARNES INTERNATIONAL LIMITED 13

PersoData File

Mag-Stripe Read

Mag-Stripe Encode Emboss Chip Perso

Reject Bin

Test StationFinished Card

Blank Card

Card Movement Perso Data Flow

Chip Read Camera Image Gate

CryptoKeys

Chip TAG

ValuesEmboss

DataMag

Stripe Data

Audit Log

QC Data Flow

Offline CPT

Page 14: Personalisation Quality Control of EMV Cards

Magnetic Stripe QC

© 2014 BARNES INTERNATIONAL LIMITED 14

Magnetic Stripe – standard inline QC

Collected by Magnetic Stripe read headReads all 3 tracksMagnetic stripe data sent to Perso Machine ControllerValidation vs input file

Drawback: System assumes data sent in Perso file was valid

Magnetic Stripe – QC data validated by inline Card Perso Tool

Collected by Magnetic Stripe read headReads all 3 tracksMagnetic stripe data sent via Perso Machine Controller to CPTCorrelation vs ISO data rulesValidation vs input file &/or against Magnetic Stipe equivalent data in ChipValidation of iCVV/ Chip CVC/ iCSC/ Chip CAV

Page 15: Personalisation Quality Control of EMV Cards

Contact Chip QC

© 2014 BARNES INTERNATIONAL LIMITED 15

Contact Chip Data – standard inline QC

Chip ATR activated and read by Contact couplerATR sent to Perso Machine ControllerConfirms that chip is working

Drawback: Unable to fully validate personalised data

Contact Chip Data – QC data validated by inline Card Perso Tool

ATR activated and APDUs sent to the chip by Contact couplerAPDU responses data sent via Perso Machine Controller to CPTCorrelation vs EMV, Payment Scheme Application rulesValidation of Tag values against test Scenario values (Issuer / card)Chip Data Validation vs Mag Stripe & Contactless ChipValidation that correct Keys were put onto the card

Page 16: Personalisation Quality Control of EMV Cards

Contactless Chip QC

© 2014 BARNES INTERNATIONAL LIMITED 16

Contactless Chip Data – standard inline QC

Chip ATS activated and read by Contactless couplerATS read and sent to Perso Machine ControllerConfirms that contactless chip is working

Drawback: Unable to fully validate personalised data

Contactless Chip Data – QC data validated by inline Card PersoToolATS activated and APDUs sent to the chip by Contact couplerAPDU responses data sent via to Perso Machine Controller to a CPTCorrelation vs EMV, Payment Scheme Application rulesValidation of Tag values against test Scenario values (Issuer / card)Contactless Chip Data Validation vs Mag Stripe & Contact ChipValidation that correct Keys were put into the contactless chip

Page 17: Personalisation Quality Control of EMV Cards

Embossing Verification

© 2014 BARNES INTERNATIONAL LIMITED 17

Embossing – standard inline QC

Camera recognition checks character impression on spent topping foil Uses OCR recognition to recreate embossing data Embossing sent to Perso Machine Controller Validation vs input file

Drawback: No validation against Mag Stripe or Chip cardholder data, issue and expiry dates

Embossing – QC data validated by inline Card Perso Tool Camera recognition checks character impression on spent topping foil Uses OCR recognition to recreate embossing data Embossing sent via Perso Machine Controller to CPT Validation vs Data personalised in Magnetic Stripe and Chip

Advantage: This is superior to an offline CPT where operator checks embossing against screen image

Page 18: Personalisation Quality Control of EMV Cards

Card Stock Verification

© 2014 BARNES INTERNATIONAL LIMITED 18

Card Stock verification – standard inline QC

Vision system captures image of front and back of card including stock reference Images sent to Perso Machine Controller Validation vs images of correct card stock for the card batch

Drawback: Validation separate from the rest of card validation test

Card Stock verification – QC data validated by inline Card PersoTool Vision system captures image of front and back of card including stock reference Images sent via Perso Machine Controller to a Card Perso Tool (CPT) Card stock reference recorded in card validation file

Page 19: Personalisation Quality Control of EMV Cards

Potential for 100% Data QC

© 2014 BARNES INTERNATIONAL LIMITED 19

Data – read by Mag Reader/ Chip CouplersMagnetic StripeContact Chip DataContactless Chip Data (if DI or CL card)Cryptographic Keys

Data – read by CameraEmbossing on card facePrinting, including card stock ID and CVV on reverse

For 100% QC All Data Elements should be Validated

Page 20: Personalisation Quality Control of EMV Cards

Inline QC Testing Architecture

© 2008-2014 BARNES INTERNATIONAL LIMITED 20

Offline CPT with GUI

Scenario creationFailure investigation

QC Test Scripts and Scenarios

Bespoke Scripts & Scenarios

CPT Test Engine

Perso Machine Interface Module

Card Perso Machine

Page 21: Personalisation Quality Control of EMV Cards

Inline QC Testing with Card Personalisation Validation

Machinery Manufacturer QC module(s) to collect dataMagnetic Stripe Contact and Contactless Chip Data Printed/ Embossed Data

Data Collection: Machine Modules

Validates data to EMV and payment scheme requirements Confirms chip, Mag-stripe and embossing correlation (depending on machine modules)

Identifies incorrect data or keys

Contact and Contactless chip validation testsMultiple Application data validation

Validation: CPT Test Engine

Good / Bad card result Bad card reject Test Result recorded – for audit purposes

Test Results can be saved

Reporting: Machine interface + CPT Report

21© 2014 BARNES INTERNATIONAL LIMITED

Page 22: Personalisation Quality Control of EMV Cards

PersoMachine Controller

Inline Testing – 100% EMV Validation QC

© 2008-2014 BARNES INTERNATIONAL LIMITED 22

PersoData File

Mag-Stripe Read

Mag-Stripe Encode Emboss Chip Perso

Reject Bin

Test Station with inline CPT

moduleFinished Card

Blank Card

Card Movement Perso Data Flow

Chip Read Camera Image Gate

CryptoKeys

Chip TAG

ValuesEmboss

DataMag

Stripe Data

QC Management

Audit LogOffline CPT

Test Scenarios

QC Data Flow

Offline CPT

Page 23: Personalisation Quality Control of EMV Cards

Inline Testing

© 2008-2014 BARNES INTERNATIONAL LIMITED 23

Data loaded into card using “Store Data” APDUs, data is organised in Data Group Indicators (DGIs)

Differences in techniques and formats depending on the card stock and operating system

Data extracted from card using EMV defined APDUs, data is organised by files and records

All cards must present the same interface to the terminal, regardless of internal organisation

Page 24: Personalisation Quality Control of EMV Cards

Benefits of 100% Inline QC

100% of Cards Tested in Real Time

Efficient use of Human Resources

Inline QC can work 24/7 and does not get tired or distracted No extra time & no extra QC staff required Faster ROI

No Human Intervention – better Data Security

Full Data Validation

EMV and Payment Scheme rules, TAG Values and Keys

Source: Datacard 24© 2014 BARNES INTERNATIONAL LIMITED

Page 25: Personalisation Quality Control of EMV Cards

Br ian Summerhayes

bsummerhayes@barnestest .com

www.barnestest .com

b a r n es - inter n at ion a l - l td @ ba r nes_ test

© 2014 BARNES INTERNATIONAL LIMITED 25

100% Personalisation Quality Control

Thank you for your attention – Questions


B2 PROCESSING SOLUTIONS EMV Test Cards Sets PINPAD … · EMV Test Cards Sets B2 Processing Solutions (B2) now offers a series of PINPad Drivers which can be easily integrated into

Banking Cards And Emv

Cloning Credit Cards: A combined pre-play and downgrade attack on EMV ... · Cloning Credit Cards: A combined pre-play and downgrade attack on EMV Contactless Michael Roland, Josef

EMV Technology & smart cards

EMV Cards Trivium - crypto.hyperlink.czcrypto.hyperlink.cz/files/emv_side_channels_v1.pdfEMV Cards Trivium Fast Way to Side ... If a particular out-of-EMV topic is presented, we are

Formal models of banking cards for free! · Formal models of banking cards for free! ... • EMV is not a protocol but a EMV is not a protocol , ... • SDA, DDA, CDA

EMV Credit Cards - Accounts Payable · America and Asia. ... • Merchant Pushback ... • Check the card reader to ensure it currently accepts EMV cards – If not, you can use the

Unleashing EMV Cards - HYPERLINKcrypto.hyperlink.cz/files/EMV_unleashed_rosa_v1.pdfUnleashing EMV Cards For Security Research ... EMV is a Europay-MasterCard-VISA general chip

EMV CARDS - ISU Credit Union€¦ · EMV CARDS FREQUENTLY ASKED QUESTIONS EMV CARDS WHAT IS AN EMV CHIPPED CARD? EMV, which stands for Europay, MasterCard and Visa, is a global standard

Card Personalisation EMV Perso Validation - aras.md

Chip and Skim: cloning EMV cards with the pre-play attack

DEPLOYMENT GUIDE - EMV Cards, Dual Interface Cards ... · initial conversation with your card provider to the actual issuance of your first EMV card. Most of the steps below happen

Indian Overseas Bank - iob.in · indian overseas bank request for proposal for supply, printing and personalisation of contact/contactless emv chip cards (debit / credit / prepaid)

Contactless Payment Cards: Vulnerabilities, Attacks, and ... · Agenda PART 1: Theory on RFID and NFC PART 2: EMV PART 3: EMV Contactless cards PART 4: Solutions, Conclusions, and

EMV Chip Cards Not as Scary as it Used to be - Visa...EMV Migration- Not as Scary as it Used to Be Visa Public 8 U.S. EMV chip migration status as of Sept. 2016 Sources: Current cards

Attacks in EMV Contactless Cards with Android OTS ... - · PDF fileRelay Attacks in EMV Contactless Cards with Android OTS Devices Jose Vila´ y, Ricardo J. Rodr´ıguez z [email protected],

1-70964-Are You Ready for EMV Cards

Understand the Business Impact of EMV Chip Cards · EMV transactions (over 85 percent in Canada, Mexico and the Caribbean), only 0.12 percent in the U.S. were EMV transactions as

What’s an EMV chip card?EMV chip cards do everything magnetic stripe cards do but even more securely; plus, you are still protected from fraud by Visa’s Zero Liability policy*

Accepting EMV Chip Cards at the Fuel Pump · 9/20/2017  · Overview of EMV. 18 EMV What is it? •EMV is a global standard for terminals and chip cards and devices (debit, credit,

EMV Chip Cards are Coming - Premier America · The EMV Chip Cards will o˜ er members a new layer of protection against fraud. Your EMV Chip Card will have a traditional magnetic

EMV Chip Cards Not as Scary as it Used to be · EMV Migration- Not as Scary as it Used to Be Visa Public 8 U.S. EMV chip migration status as of Sept. 2016 Sources: Current cards based

Chip and Skim: cloning EMV cards with the pre-play attack · Chip and Skim: cloning EMV cards with the pre-play attack Mike Bond, Omar Choudary, Steven J. Murdoch, Sergei Skorobogatov,

The Migration of EMV Chip Technology - …...to EMV chip technology for debit and credit payments. According to EMVCo, approximately 1.62 billion EMV payment cards are in circulation

Speed up the launch KEY BENEFITS of your EMV cards and

Fraud Reduction on EMV Payment Cards by the …infonomics-society.org/wp-content/uploads/ijicr/published-papers/... · Fraud Reduction on EMV Payment Cards by the Implementation of

Euronet’s EMV Chip Solutionseuronetsoftware.com/assets/files/Euronet_EMV_Chip_Solutions...moving the market toward EMV ® chip solutions. EMV chip-based payment cards contain an

Dutch EMV-cards and Internet Banking - ru.nl

OT PRODUCTS AND SOLUTIONS EMV-IN-A-BOX - …€¦ · cards to EMV chip cards, EMV-In-A-Box also addresses issuers willing ... with an EMV card where their magnetic stripe card was

A Guide to EMV Chip Technology - Home - EMVCo · PDF file... EMV chip cards used for credit and debit ... A Guide to EMV Chip Technology Version 2.0 ... EMV ’96 Integrated Circuit

Driving eMV migration in the usa - Payments Cards & Mobile

Card Designs for EMV Chip Cards Minimize Cost and ... · infrastructure to support your migration from magnetic stripe cards to EMV chip cards and are ready to help you make decisions

Chip Cards: EMV Updates for Parking

EMV Security for Bank Cards

Emv-cards and Internet Banking - Michael Schouwenaar