Card Dump Structure: Analysis of Track1, Track2, Track3 Fields and Their Meaning for EMV Transactions

[Professor]

Abstract: A technical yet accessible explanation of the data structure on the magnetic stripe and in the card chip. The purpose of the different tracks, the Service Code, PAN, and Expiry Date are discussed. Emphasis is placed on why static Track 1/2 data was vulnerable to skimming and how the EMV chip (with dynamic data) solves this problem.

Introduction: Your Card's Magnetic Record​

Every time you swipe a magnetic stripe bank card through a terminal, a silent miracle of data transfer occurs. This brown strip conceals not just a string of numbers, but a complexly structured digital message, recorded according to strict standards. This message — the "card dump" — has long been the foundation of payment systems, but also their Achilles' heel.

Understanding its structure is key to understanding the evolution of payment security. We'll embark on a brief, yet fascinating, journey through the magnetic stripe's "tracks" to understand what exactly skimmers stole and why the modern chip has become an insurmountable barrier to such theft. This knowledge isn't for repetition, but rather for a deep respect for the engineering that protects our funds.

Chapter 1. Physics and Logic: How the Magnetic Stripe Works​

The magnetic stripe on the back of the card is a storage medium similar to an audio cassette tape, but miniaturized. It contains three parallel "tracks" onto which data is recorded as magnetized areas. Each track has its own format and capacity:

• Track 1 (IATA — International Air Transport Association): The most informative track. It can contain up to 79 alphanumeric characters. In addition to the card number, the cardholder's name is stored here.
• Track 2 (ABA — American Bankers Association): The primary track for financial transactions. Contains up to 40 numeric characters. This is the track most often read by ATMs and payment terminals.
• Track 3 (THRIFT or "other"): Rarely used in modern payment systems. Originally intended for storing data on limits, PIN updates, etc. It has a capacity of up to 107 numeric characters.

The most important principle: The data on the magnetic stripe is static. It does not change from transaction to transaction. This was the root of the problem.

Chapter 2. Detailed Analysis: What's in Each Track?​

Let's "read" a typical dump, understanding the meaning of each field.

Track 1 (Example format):​

%B1234567890123456^DOE/JOHN^2512101000000000000000000000000?

• %B — Start Sentinel. Indicates the start of Track 1 data.
• 1234567890123456 — PAN (Primary Account Number). This is your card number.
• ^ — Field Separator.
• DOE/JOHN — Cardholder's name (Last Name / First Name).
• ^ is another separator.
• 2512 — Expiry Date in YYMM format. Here: December 2025.
• 101 — Service Code. A critical three-digit field:
  • First digit: Inter-industry standard (1 – international, 5 – only for ATMs/terminals).
  • Second digit: Acceptable authorization methods (0 – magnetic stripe, 2 – chip, 6 – chip and stripe).
  • Third digit: PIN requirements and services (0 – no restrictions, 1 – online verification only, 2 – contact chip).
• 000...000 — Dispersion data (PVV, PIN Verification Value, etc.) and End Sentinel (?).

Track 2 (Example format):​

;1234567890123456=251210100000000?

• ; — Start Sentinel for Track 2.
• 1234567890123456= — PAN and separator.
• 2512 — Expiry Date (YYMM).
• 101 — Service Code (similar to Track 1).
• 000...000? — Dispersion data and End Sentinel.

The main difference between Track 2 and Track 1 is the absence of a holder name and a purely digital format, which makes it more compact and reliable to read.

Track 3:​

Historically, it was used to store balances, withdrawal limits, and transaction counters in offline mode (for example, in early payphones). In modern cards of international payment systems (Visa, Mastercard), it is rarely used for payments, as its support is not mandatory.

Chapter 3. The Achilles Heel: Why Static Data Has Become a Curse​

Here's how a classic skimming scheme worked, based on an understanding of this structure:

1. Theft: A criminal installs a skimmer on an ATM. The device reads all static data from Track 1 and/or Track 2 : PAN, expiration date, cardholder name, and Service Code.
2. Copying: This data is written onto a blank plastic blank with a magnetic strip.
3. Usage: A counterfeit card with identical data is presented for payment at terminals that don't require a chip or PIN (for example, in some online transactions or on older terminals). Since the data is byte-for-byte identical to the original, the system cannot distinguish it from the counterfeit.

The Service Code played a dangerous role here. If the original card had a code that only allowed chip transactions (2xx), and the terminal ignored it, the fraudster could use a copy of the magnetic stripe.

The crux of the problem: the magnetic stripe is like a passport that cannot be altered. A stolen passport grants all the rights of the original.

Chapter 4. The EMV Era: How the Chip Rewrote the Rules of the Game​

EMV (Europay, Mastercard, Visa) technology, or chip card, has revolutionized the paradigm by shifting from “static data” to “dynamic cryptographic proof.”

What is an EMV chip?​

This isn't memory, but a microcomputer with a secure operating system and a cryptographic coprocessor. It doesn't store data for easy copying, but instead calculates a unique response to each request.

Key components of an EMV transaction:​

1. Static Data Authentication (SDA): An obsolete method. Verifies that the chip data (PAN, expiration date, etc.) is signed by the issuing bank and has not been modified. Vulnerable to a "blurring" attack (copying unmodified data).
2. Dynamic Data Authentication (DDA): The chip contains a private key known only to it and the bank. The terminal sends it a random number ( Unpredictable Number, or UN). The chip uses its key to sign this number and create a unique signature for the transaction ( Signed Dynamic Application Data, or SDAD). Stolen data is useless for the next transaction, as the UN will be different.
3. Combined DDA + Application Cryptogram Generation (CDA): The most secure method. Dynamic authentication is combined with cryptogram generation (ARQC for online transactions, TC for offline confirmation), which is also unique for each transaction.
4. Chip-verified PIN (Offline PIN): The PIN is not sent to the bank, but is verified by the chip itself, which prevents it from being intercepted on the network.

Why is traditional EMV chip skimming impossible?​

• No static data to copy: Key transaction data (cryptogram, signature) is generated on the fly and is never repeated.
• The private key is not removable: It is physically protected inside the chip and cannot be read.
• Even if you copy the entire chip memory dump (which is extremely difficult), this will only produce a static copy, useless for the next payment, since the terminal will request a new, unique signature.

Chapter 5. The Legacy of Tracks in the Modern World​

The magnetic stripe and its structure haven't disappeared. They play an important role:

• Backup channel: If the chip fails, the terminal can read the magnetic stripe (often requiring a PIN).
• Compatibility: Ensures operation in regions with outdated infrastructure.
• Chip data: Some static data from the magnetic stripe (PAN, term) is also stored in the chip memory and is used as part of the input data for cryptographic calculations.

However, the decisive factor now isn't the dump itself, but what the chip can do with it. An EMV-enabled terminal will always prioritize dynamic authentication via the chip over static data from the stripe.

Conclusion: From a Vulnerable Imprint to a Protected Dialogue​

The evolution from the magnetic stripe to the EMV chip is the story of the transition from "who are you?" (static ID verification) to "prove that you are you here and now" (real-time cryptographic proof).

Understanding the structure of Track 1, Track 2, and Track 3 gives us a clear picture:

1. There was a problem: Static data = eternal value for a thief.
2. A solution has emerged: Dynamic cryptography = value that exists for a fraction of a second and only for one operation.

Today, when you insert a chip card into a terminal, you initiate a complex, secure dialogue between your personal microcomputer and the bank. The magnetic stripe remains a mere memory of this technology — a quiet reminder of how engineering turned vulnerability into strength, protecting our funds in the digital age. Understanding this process is not only fascinating but also gives confidence in the reliability of the technologies we use every day.