Entry Point Specification

Tomcat

As noted earlier, EMVCo took over the maintenance and development rights for the EMV Contactless Communication Protocol Specification developed by MasterCard. The EMVCo agenda includes the creation of a unified EMV Contactless Application, an analogue of the Common Payment Application for contact cards. This issue is being actively raised by large European banks. However, EMVCo is in no hurry to develop a standard for EMV Contactless Application. The reason, voiced by EMVCo, is the lack of experience in using contactless cards, which is necessary for the generalization and implementation of a standard for a single contactless application in the future. EMVCo conducts an internal discussion each year on the appropriateness of starting the development of this standard,

At the same time, the emergence of a standard for a single contactless application in the future is obvious. Therefore, EMVCo, anticipating the appearance of such a standard, developed the EMV Contactless Specifications for Payment Systems - Entry Point Specification (hereinafter we will call it Entry Point Specification for brevity), which solves a number of issues related to the implementation of EMV Contactless Application. In particular, the Entry Point Specification standard defines the procedure for a terminal to select a contactless application on a card in the case when a contactless application of a payment system can be implemented on a card either as a native application of this payment system (for example, MasterCard PayPass, VISA Contactless, JCB QUICPay, American Express ExpressPay), or as a future single EMV Contactless Application.

However, the scope of the Entry Point Specification is not limited to the selection of a contactless application. The standard defines a general scheme for the processing of a contactless card transaction on the terminal side (Entry Point) and dwells in some detail on the description of the procedures preceding the selection of an application. But first things first.

In accordance with the Entry Point Specification, the processing of an operation performed through a contactless interface consists of the following stages:
  1) determination of the processing parameters of the operation (pre-conditions);
  2) preliminary transaction processing;
  3) activation of the contactless interface;
  4) selection by the terminal of the application on the card and the application kernel of the terminal working with the contactless card;
  5) activation of the terminal application kernel (transferring the right to process the transaction to the application kernel);
  6) transaction processing;
  7) deactivation of the contactless interface.

Fig. 7.10 below illustrates the steps in contactless transaction processing.

Let us dwell on the listed stages in more detail. At the first stage, the terminal's task is to determine / generate the operation parameters that are significant for processing a transaction. Among these parameters, two are required for support by any terminal that complies with the Entry Point Specification. These include the transaction size (Amount, Authorized) and the terminal random number (Unpredictable Number).

In addition, at this stage, a set of data and flags from the list below should be available to the terminal for each application identifier (AID) it supports:
  • Terminal Floor Limit (transactions exceeding or equal to the Terminal Floor Limit must be processed online);
  • Terminal Contactless Floor Limit (contactless transactions exceeding or equal to the Terminal Contactless Floor Limit must be processed online);
  • Terminal Contactless Transaction Limit (transactions, the size of which exceeds or is equal to the Terminal Contactless Transaction Limit, cannot be processed through the contactless interface);
  • Terminal CVM Required Limit (transactions, the size of which exceeds or is equal to the Terminal CVM Required Limit, must be processed with the cardholder's verification);
  • Status Check Support Flag;
  • Zero Amount Allowed Flag.

Fig. 7.10. Stages of processing a contactless transaction (diagram labels: Contactless Card, Terminal, C-APDUs, R-APDUs, SELECT PPSE, List of AIDs + kernel, SELECT AID, FCI, Protocol deactivation (user interface))

Finally, if the terminal supports VISA applications, then the Terminal Transaction Qualifiers object must be available to the terminal for the corresponding AIDs of these applications, which is modified in the next step, the transaction preprocessing step.

At the second stage (preliminary processing of the transaction), the terminal, based on the data obtained in the previous stage, sets the values of the following internal flags of the terminal application for each supported application identifier (AID):
  • Terminal Contactless Floor Limit Exceeded (this flag is set in two cases:
    1) if the Terminal Contactless Floor Limit parameter is present in the terminal configuration data for this AID and the size of the contactless transaction is greater than or equal to its value;
    or
    2) if the Terminal Contactless Floor Limit parameter is absent in the configuration for this AID, but the Terminal Floor Limit parameter is present and the size of the contactless transaction is greater than or equal to its value);
  • Terminal Contactless Transaction Limit Exceeded (this flag is set if the Terminal Contactless Transaction Limit parameter is present in the terminal configuration data for this AID and the transaction size is greater than or equal to the Terminal Contactless Transaction Limit value);
  • Terminal CVM Required Limit Exceeded (this flag is set if the CVM Required Limit parameter is present in the terminal configuration data for this AID and the transaction size is greater than or equal to the CVM Required Limit value);
  • Status Check Requested (this flag is set if the Status Check Support Flag is present in the terminal configuration data for this AID, and the value of the transaction size is equal to one in the transaction currency);
  • Zero Amount (this flag is set if the transaction size is 0).
Next, the terminal application sets the Contactless Application Not Allowed flag. For MasterCard PayPass M/Chip and JCB applications, the Contactless Application Not Allowed flag is set if and only if the Terminal Contactless Transaction Limit Exceeded flag is set.

For contactless VISA applications, the Contactless Application Not Allowed flag is set in any of the following cases:
  • if the terminal is online-capable, the Zero Amount flag is set, and the Zero Amount Allowed Flag is not set;
  • if the Zero Amount flag is set, and the terminal can process transactions only in offline mode;
  • if the Terminal Contactless Transaction Limit Exceeded flag is set.
In addition, at the stage of preprocessing a contactless transaction for AIDs that support the Terminal Transaction Qualifiers object, the value of the data field of this object is generated. In this case, the Entry Point application "insists" on setting only two bits of this object - bits 7 and 8 of byte 2. The meanings of these bits are as follows:

  • if bit 8 of byte 2 is 1, then the terminal requires an online operation (Online cryptogram required);
  • if bit 8 of byte 2 is 0, then the terminal does not require an online operation (Online cryptogram not required);
  • if bit 7 of byte 2 is 1, then the terminal requires cardholder verification for the operation (CVM required);
  • if bit 7 of byte 2 is 0, then the terminal does not require cardholder verification for the operation (CVM not required).
The rest of the bits are set by the terminal according to the specification of the selected application. Bits 7 and 8 of Byte 2 of Terminal Transaction Qualifiers are set according to the following rules:
  • if the Terminal Contactless Transaction Limit Exceeded flag is set, then the Entry Point terminal application sets the value of bit 8 of Byte 2 to 1 (Online cryptogram required);
  • if the Status Check Requested flag is set, the Entry Point terminal application sets the value of bit 8 of Byte 2 to 1 (Online cryptogram required). Thus, the purpose of the Status Check Requested flag is to provide the terminal with a mechanism to force the transaction to be processed online;
  • if the Zero Amount Allowed Flag and Zero Amount flags are set, then the Entry Point terminal application sets the value of bit 8 of Byte 2 to 1 (Online cryptogram required);
  • if the Terminal CVM Required Limit Exceeded flag is set, the Entry Point terminal application sets bit 7 of Byte 2 to 1 (CVM required).
This completes the second stage of transaction processing (pre-processing). If at this point there is at least one application AID for which the Contactless Application Not Allowed flag is not set, the terminal prompts for the card to be placed in the working area of the terminal reader. The card is placed in the working area of the reader and activated, the terminal establishes communication with it and proceeds to the fourth stage: the selection of the application on the card and the kernel of the terminal application that works with the contactless card.
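The pre-processing rules above can be traced in code. The following is an added example, not part of the original post or of the EMVCo specification; it follows the rules exactly as they are listed on this page, and the names `AidConfig` and `preprocess`, the minor-unit amounts and the rule that only the "visa" scheme carries a Terminal Transaction Qualifiers object are assumptions of the sketch.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AidConfig:                      # hypothetical per-AID terminal data
    scheme: str                       # "visa", "mastercard" or "jcb"
    floor_limit: Optional[int] = None
    cl_floor_limit: Optional[int] = None
    cl_txn_limit: Optional[int] = None
    cvm_required_limit: Optional[int] = None
    status_check: bool = False        # Status Check Support Flag
    zero_amount_allowed: bool = False # Zero Amount Allowed Flag

def preprocess(cfg, amount, online_capable=True, unit=100):
    """Stage 2 for one AID. Amounts are in minor units; `unit` is one unit
    of the transaction currency (assumption: two decimal places)."""
    def reached(limit):               # an absent parameter never sets a flag
        return limit is not None and amount >= limit
    # The contactless floor limit wins; Terminal Floor Limit is the fallback.
    floor = cfg.cl_floor_limit if cfg.cl_floor_limit is not None else cfg.floor_limit
    flags = {
        "floor_exceeded": reached(floor),
        "txn_limit_exceeded": reached(cfg.cl_txn_limit),
        "cvm_limit_exceeded": reached(cfg.cvm_required_limit),
        "status_check_requested": cfg.status_check and amount == unit,
        "zero_amount": amount == 0,
    }
    not_allowed = flags["txn_limit_exceeded"]
    ttq_byte2 = None                  # only AIDs with a TTQ object get a value
    if cfg.scheme == "visa":
        zero = flags["zero_amount"]
        not_allowed = not_allowed or (zero and not online_capable) or (
            zero and online_capable and not cfg.zero_amount_allowed)
        ttq_byte2 = 0
        if (flags["txn_limit_exceeded"] or flags["status_check_requested"]
                or (zero and cfg.zero_amount_allowed)):
            ttq_byte2 |= 0x80         # bit 8: online cryptogram required
        if flags["cvm_limit_exceeded"]:
            ttq_byte2 |= 0x40         # bit 7: CVM required
    return flags, not_allowed, ttq_byte2

if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real terminal.
    visa = AidConfig("visa", floor_limit=5000, cl_txn_limit=10000,
                     cvm_required_limit=2500, status_check=True)
    for amt in (0, 100, 3000, 10000):
        print(amt, preprocess(visa, amt))
```
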

Above, we have already described the procedures for choosing MasterCard PayPass and VISA Contactless applications by the terminal. Below we will talk about the choice of an application in the case when, along with the native contactless applications of payment systems, the EMV Contactless Application can be located on the card. In this case, if the EMV Contactless Application is recognized by the payment system as its alternative application, then the terminal served by the bank of this payment system must support both applications: native (for example, MasterCard PayPass or VISA Contactless) and EMV Contactless Application. At the same time, the kernel of the terminal application that supports the native application of the payment system on the card is called Legacy Kernel, and the kernel of the terminal application that ensures the operation of the EMV Contactless Application is called EMV Contactless Kernel.

The application selection problem is then posed as follows: which name of the card application directory (ADF Name) and the kernel of the terminal application for processing the card application should be selected to process the operation of the contactless card holder? The card (or rather its issuer through the data stored on the card) and the terminal are involved in obtaining an answer to this question.

To answer this question, recall that the application is selected using the PPSE directory, which is mandatory for a contactless card. If the terminal supports more than two AIDs, then the application selection starts with the SELECT command indicating the DDF Name, the name of the PPSE directory (2PAY.SYS.DDF01). The FCI Template object (Tag '6F') of this directory, returned to the terminal in response to the SELECT command, has the form shown in Table 7.2. As is easy to see in Table 7.2, the Directory Entry composite object may contain a Contactless Application Capabilities Type data object (Tag '9F28'), the data field of which has the structure shown in Tables 7.7 and 7.8.

Having received the FCI Template object in response to the SELECT command, the terminal starts analyzing all Directory Entry objects present in it in order to build a list of combinations "AID of the card application - the name of the terminal application kernel". A combination is included in the list of combinations of the terminal if:
  • ADF Name of the next Directory Entry object matches one of the AIDs supported by the terminal;
  • the card application can be processed by some terminal kernel;
  • the Contactless Application Not Allowed flag is not set for the AID of the card application.
It is easy to see that as a result of analyzing one Directory Entry object, 0, 1, or 2 combinations may appear in the list of terminal combinations. Two combinations will be included in the list of combinations in the case when bits 7 and 8 of byte 1 of the data field of the Contactless Application Capabilities Type object are equal to 1 and the terminal supports both applications.

Tab. 7.7. Byte 1 of the Contactless Application Capabilities Type Object

| b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | The meaning of the bits |
|----|----|----|----|----|----|----|----|-------------------------|
| x | x | | | | | | | The fact of the presence of the application |
| 0 | 0 | | | | | | | Application is not used |
| 1 | 0 | | | | | | | EMV Contactless Application is present |
| 0 | 1 | | | | | | | There is a native payment system application |
| 1 | 1 | | | | | | | There is a native payment system application and EMV Contactless Application |
| | | x | | | | | | Processing Preference Indicator |
| | | 1 | | | | | | EMV Contactless Kernel terminal application is preferred |
| | | 0 | | | | | | A terminal application supporting the system's native application is preferred |
| | | | x | x | x | x | x | Bits are reserved for future use |

Tab. 7.8. Byte 2 of the Contactless Application Capabilities Type Object

| b8 | b7 | b6 | b5 | b4 | b3 | b2 | b1 | The meaning of the bits |
|----|----|----|----|----|----|----|----|-------------------------|
| x | x | x | x | x | x | x | x | The name of the terminal application associated with this application |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | Reserved for use |
| 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | Terminal application working with JCB's native card application |
| 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | Terminal application working with MasterCard PayPass |
| 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 | Terminal application working with VISA Contactless |
| 0 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 4th terminal application |
| ... | | | | | | | | Another terminal application |
| 1 | 1 | 1 | 1 | 1 | 1 | 1 | 0 | Terminal Application 254 |
| 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | Reserved for future use |

A combination in the list of combinations contains the following parameters:
  • ADF Name of the card application (AID);
  • the name of the terminal kernel (terminal kernel), capable of processing the application with the AID;
  • Application Priority Indicator (if present);
  • Processing Preference Indicator (if present).
Without dwelling on the details, let's look at the process of final selection of the combination. First, the terminal selects, among all ADF Name directory names present in the combinations of the combination list, the ADF Name directory that corresponds to the application of the card with the highest priority (Application Priority Indicator). If the selected ADF Name corresponds to two combinations from the list of combinations, the terminal analyzes bit 6 of byte 1 of the Contactless Application Capabilities Type data object. If it is equal to 1, then a combination is selected in which terminal kernel = EMV Contactless Kernel. If bit 6 of byte 1 of the Contactless Application Capabilities Type data object is 0, then a combination is selected in which terminal kernel = Legacy Kernel.

After selecting a combination, the terminal application kernel from that combination is activated, and the Entry Point application transfers control to it. The first command of the selected kernel of the terminal application is SELECT AID, where AID is the card application identifier from the selected combination.
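The combination list and the final selection described above, as an added example that is not part of the original post or of the EMVCo specification. The function names, the dictionary layout of a Directory Entry, the skipping of entries without tag '9F28' and the priority ordering (1 is highest, absent or 0 ranks last, ties keep PPSE order) are assumptions of the sketch.

```python
EMV_KERNEL = "EMV Contactless Kernel"
# Byte 2 values from Tab. 7.8 mapped to legacy kernel names.
LEGACY_KERNELS = {0x01: "JCB", 0x02: "MasterCard PayPass", 0x03: "VISA Contactless"}

def build_combinations(entries, supported, not_allowed=frozenset()):
    """entries: Directory Entries in PPSE order, each a dict with 'adf' (bytes),
    'cap' (2-byte value of tag 9F28) and optional 'priority'.
    supported: {AID: set of kernel names this terminal can run for it}."""
    combos = []
    for index, entry in enumerate(entries):
        aid, cap = entry["adf"], entry.get("cap")
        if aid not in supported or aid in not_allowed:
            continue
        if cap is None or len(cap) != 2:
            continue                  # simplification: entry without 9F28 is skipped
        kernels = []
        if cap[0] & 0x80:             # byte 1, bit 8: EMV Contactless Application
            kernels.append(EMV_KERNEL)
        if cap[0] & 0x40 and cap[1] in LEGACY_KERNELS:   # bit 7: native application
            kernels.append(LEGACY_KERNELS[cap[1]])
        for kernel in kernels:
            if kernel in supported[aid]:   # card data never adds a kernel
                combos.append({"entry": index, "aid": aid, "kernel": kernel,
                               "priority": entry.get("priority"),
                               "prefer_emv": bool(cap[0] & 0x20)})  # bit 6
    return combos

def select_combination(combos):
    if not combos:
        return None
    # Assumption: priority 1 is highest; absent or 0 ranks last; ties keep PPSE order.
    best = min(combos, key=lambda c: c["priority"] or 16)
    same = [c for c in combos if c["entry"] == best["entry"]]
    if len(same) == 2:                # both kernels possible: bit 6 decides
        emv_first = same[0]["prefer_emv"]
        return next(c for c in same if (c["kernel"] == EMV_KERNEL) == emv_first)
    return same[0]

if __name__ == "__main__":
    # Constructed PPSE content; AIDs and capability bytes are sample values.
    a1, a2 = bytes.fromhex("A0000000031010"), bytes.fromhex("A0000000041010")
    ppse = [{"adf": a2, "cap": bytes([0x40, 0x02]), "priority": 2},
            {"adf": a1, "cap": bytes([0xE0, 0x03]), "priority": 1}]
    terminal = {a1: {EMV_KERNEL, "VISA Contactless"}, a2: {"MasterCard PayPass"}}
    print(select_combination(build_combinations(ppse, terminal)))
```

The terminal's own `supported` table and the Contactless Application Not Allowed set bound what the card-supplied capability bytes can select: a kernel the terminal does not list for that AID is never added to the combination list.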

The selection process is illustrated in Fig. 7.11 below.

Fig. 7.11. Combination selection process (diagram labels: Contactless Card, Terminal, SELECT PPSE, List of AIDs + kernel, SELECT AID, FCI)

EMVCo pays attention to the implementation of the Entry Point Specification. Type Approval procedures have been prepared to certify terminals that support this specification.
 