“Expired cards”: how to extend the validity period of bank cards and is it possible to make them unlimited?

Tomcat

I work on card payment applications and terminal technologies, and today I would like to talk about extending the validity period of bank cards.

Many of us use several plastic chip cards, which on average are valid for 3-5 years. This limit is set by the issuing bank and is determined by the expiration date of the chip, security considerations and physical wear and tear of the card itself. Reissue dates may also be calculated to take into account upcoming marketing/design changes in the issuing bank's name, as well as promotions and payment technology updates.

How to extend the validity of the card or make it unlimited?

It's no secret that international payment systems have stopped servicing cards of Russian banks. In response to this, banks either extended the validity period of already issued cards or even declared them unlimited. Now the cards can be used even until the plastic wears out. Let's figure out how this was done and how to make purchases with expired cards.

Disclaimer
It is possible to extend the validity of the card, or you can even create a conditionally unlimited virtual card. The only thing left to do is to implement this together with our colleagues from banks. So, let's begin!

What factors influence the validity period of the card?

  • Chip shelf life - the chip itself has its own service life, after which the chip manufacturer is not responsible for its operation;
  • Physical wear and tear of the card itself - the card user constantly takes it out of the wallet and inserts it into terminals, so the plastic and the contact pads wear out, as does the built-in antenna for contactless payments when the card is bent;
  • Control over issuance - the issuer can control the issuance of cards, for example, during a planned rebranding, or not re-issue cards that have not been used for a long time.

Where is the card expiration date?

On the card itself. During its manufacture, the validity period is applied using embossing. This is the process of mechanically extruding information onto the front side of a plastic card. The validity period of the card is a mandatory element of embossing on physical media.

In addition, the card's expiration date is recorded in the payment application in a special data object, Application Expiration Date (5F24), presented as a TLV structure:

| Tag | Length | Format |
|---|---|---|
| 5F24 | 3 | n 6 (YYMMDD) |

The date from which the application can be used is recorded in the Application Effective Date (5F25) data object:

| Tag | Length | Format |
|---|---|---|
| 5F25 | 3 | n 6 (YYMMDD) |

How are validity period and payment by card related?

When paying with a bank card according to the classic scenario, the transaction data comes from the card to the terminal, then to the host of the acquiring bank (i.e. serving the point of sale), then to the payment system and at the very last stage to the issuing bank (i.e. card issuer) for authorization.

To conduct an online transaction, the issuing bank can ignore the Application Expiration Date (5F24) and Application Effective Date (5F25) checks and, despite the expired card, approve the payment. But for transport projects and offline purchases, the Offline Data Authentication (ODA) procedure is required - card verification using asymmetric cryptography (RSA).

The offline application authentication procedure is a key element of the security of transactions performed using the card.

The Application Expiration Date (5F24) and Application Effective Date (5F25) data are part of the hash function input that is signed by the issuer when generating the card certificate. The signature is produced with the issuer's private key. When checking the authenticity of the card, the terminal recovers the signed data with the issuer's public key, then calculates the hash function over the information it has read from the card and compares it with the value obtained from the certificate.

Card public key data for signature by the issuer, participating in the hash function:

| Field name | Length, bytes | Description | Format |
|---|---|---|---|
| Certificate Format | 1 | '04'h | b |
| PAN | 10 | PAN card number supplemented on the right with 'F'h | cn 20 |
| ... | ... | ... | ... |
| Static Data to be Authenticated | Variable | Critical data whose integrity is guaranteed. The object consists of 2 data blocks in a strictly defined order: 1. Internal objects of the 'Signed Application Tags' ('BF61') element if 'Signed Application Tags' is present in the application. 2. Records referenced by the 4th bytes of the AFL (see EMV Book 3 v4.3, section 10.2). | b |
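How the terminal's hash comparison catches a changed expiry date, as an added example that is not part of the original post. It assumes the certificate has already been recovered with the issuer's public key (the RSA step is left out), uses the EMV ICC Public Key Certificate layout in simplified form, and all key bytes, PAN and dates are constructed.

```python
import hashlib
import hmac

def icc_cert_hash_ok(recovered: bytes, remainder: bytes,
                     exponent: bytes, static_data: bytes) -> bool:
    """Terminal-side hash check on an already-recovered ICC certificate.

    recovered = header 6A | signed fields (format 04, PAN, ...) | SHA-1 (20) | trailer BC
    """
    if len(recovered) < 23 or recovered[0] != 0x6A or recovered[-1] != 0xBC:
        return False
    if recovered[1] != 0x04:                      # Certificate Format for a card key
        return False
    signed_fields, cert_hash = recovered[1:-21], recovered[-21:-1]
    expected = hashlib.sha1(
        signed_fields + remainder + exponent + static_data).digest()
    return hmac.compare_digest(expected, cert_hash)

# --- constructed sample data (no real card, key or issuer) ---
EXPONENT = b"\x03"
KEY_BYTES = bytes(range(1, 17))                   # placeholder public key bytes
FIELDS = (b"\x04"                                 # Certificate Format
          + bytes.fromhex("4000001234567899FFFF") # PAN padded on the right with F
          + bytes.fromhex("1225")                 # certificate expiration date (2 bytes)
          + bytes.fromhex("000001")               # certificate serial number
          + b"\x01\x01"                           # hash / public key algorithm indicators
          + bytes([len(KEY_BYTES), len(EXPONENT)])
          + KEY_BYTES)
# Static Data to be Authenticated as personalised: 5F24 = 251231, 5F25 = 221201
STATIC_ORIGINAL = bytes.fromhex("5F2403251231" "5F2503221201")
# Same records after only the 5F24 value was rewritten to 301231
STATIC_CHANGED = bytes.fromhex("5F2403301231" "5F2503221201")

# What the issuer hashed (and then signed) at personalisation time
HASH = hashlib.sha1(FIELDS + EXPONENT + STATIC_ORIGINAL).digest()
RECOVERED = b"\x6A" + FIELDS + HASH + b"\xBC"

def demo() -> tuple:
    """Return (check with original records, check with rewritten 5F24)."""
    return (icc_cert_hash_ok(RECOVERED, b"", EXPONENT, STATIC_ORIGINAL),
            icc_cert_hash_ok(RECOVERED, b"", EXPONENT, STATIC_CHANGED))
```

The second check fails because the hash inside the certificate still covers the old 5F24 value, which is why a new date requires a certificate re-signed by the issuer.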

The card always contains the issuer's certificate and the card's certificate. We have figured out online transactions: you can perform such operations with an expired card. But this will not work with transport projects and offline purchases. For such operations the following conditions must be met:
  • The validity period of the application must be the same as the validity period of the card certificate;
  • The card's validity period must not exceed the validity period of the issuer's certificate;
  • The validity period of the issuer's certificate must not exceed the validity period of the payment system key.
CA ExpDate > ISS ExpDate > ICC ExpDate = CARD ExpDate

How can I extend the validity period of my card?

At first glance, this problem can be solved by updating the Application Expiration Date (5F24) and Application Effective Date (5F25) in the card records. But it is not that simple, because the card's validity period is also present in the Track 2 Equivalent Data element (57) in the YYMM format.

Moreover, Application Expiration Date (5F24) participates in the card's public key data for signature by the issuer (hash function input) when generating the certificate.
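A terminal-side consistency check over the three date-bearing elements named above, as an added example that is not part of the original post. It assumes record contents with the outer template already stripped, applies the 00-49 / 50-99 year rule described on this page, and uses a constructed PAN and constructed dates.

```python
from datetime import date

def parse_tlv(data: bytes) -> dict:
    """Parse a flat run of BER-TLV objects into {tag_hex: value}."""
    out, i = {}, 0
    while i < len(data):
        tag_len = 2 if data[i] & 0x1F == 0x1F else 1   # low 5 bits set: 2-byte tag
        tag = data[i:i + tag_len].hex().upper()
        i += tag_len
        length = data[i]
        i += 1
        if length & 0x80:                               # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated TLV")
        out[tag] = data[i:i + length]
        i += length
    return out

def bcd_date(b: bytes) -> date:
    """Decode n 6 (YYMMDD); YY 00-49 means 20YY, 50-99 means 19YY."""
    yy, mm, dd = (int(f"{x:02x}") for x in b)
    return date((2000 if yy < 50 else 1900) + yy, mm, dd)

def track2_expiry(t2: bytes) -> str:
    """Return the YYMM digits that follow the 'D' separator in tag 57."""
    _pan, sep, rest = t2.hex().upper().partition("D")
    if not sep or len(rest) < 4:
        raise ValueError("malformed Track 2 Equivalent Data")
    return rest[:4]

def check_dates(record: bytes, today: date) -> list:
    """List every date problem a terminal would see in these records."""
    t = parse_tlv(record)
    problems = []
    if track2_expiry(t["57"]) != t["5F24"].hex()[:4]:
        problems.append("Track 2 expiry differs from 5F24")
    if today > bcd_date(t["5F24"]):
        problems.append("application expired")
    if today < bcd_date(t["5F25"]):
        problems.append("application not yet effective")
    return problems

# Constructed sample: tag 57 (PAN D YYMM ...), 5F24 = 251231, 5F25 = 221201
SAMPLE = bytes.fromhex("570F4000001234567899D251220100000F"
                       "5F2403251231" "5F2503221201")
```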

In simplified form, updating the card's validity period means first reading all the data, then preparing new values and writing them as part of the script processing procedure.

To update the card's validity period, you must take the following steps:

1. Read all card records that store the data necessary for processing transactions using the READ RECORD command;

2. From the records, collect all data elements that directly or indirectly contain an expiration date, namely:
  • Application Expiration Date (5F24) - Application expiration date;
  • Application Effective Date (5F25) - Date from which the application can be used;
  • Track 2 Equivalent Data (57) - Magnetic stripe data;
  • Issuer Public Key Certificate (90) - Issuer's public key certificate;
  • Issuer Public Key Remainder (92) - Low bytes of the Issuer's public key modulus that did not fit in the certificate;
  • Issuer Public Key Exponent (9F32) - Exponent of the Issuer's public key;
  • ICC Public Key Certificate (9F46) - Card public key certificate;
  • ICC Public Key Remainder (9F48) - Low bytes of the card's public key modulus that did not fit in the certificate;
  • Certification Authority Public Key Index (8F) - key index of the payment system Certification Authority;
  • ICC PIN Encipherment Public Key Certificate (9F2D) - Card public key certificate for PIN encryption;
  • ICC PIN Encipherment Public Key Remainder (9F2F) - Low bytes of the card's public key modulus for PIN encryption that did not fit in the certificate;

3. Prepare the contents of the Application Expiration Date (5F24), Application Effective Date (5F25) and Track 2 Equivalent Data (57) data elements for further updating;

4. Use the issuer certificate (90 and 92) requested from the payment system and reassemble the card certificate (9F46 and 9F48) with a new validity period, taking into account the condition:

CA ExpDate > ISS ExpDate > ICC ExpDate = CARD ExpDate

5. Consider that the updated information may be included in the card's public key data for signature by the issuer (hash function input);

Important!
The data for the certificate must be signed with the issuer's private key. This key can be the same one that was used to personalize the card, or it can be new. But it can only be stored by the issuer and cannot be transferred to a third party.

6. Generate new data for records;

7. To update the data, carry out a transaction that includes the script processing procedure; the UPDATE RECORD command updates the required records;

Important!
In order for the record data to fit correctly into the command, the key sizes must be selected correctly. Depending on their size, new elements may appear or disappear - Tag 92, Tag 9F48, Tag 9F2F.

8. To reduce risks, check that the terminal performs ODA (DDA, CDA) and Enciphered PIN correctly.

Is it possible to make a bank card unlimited?

Unfortunately, it is not possible to make a card permanent on physical media, for a number of reasons:
  • The card's expiration date is indicated by 3 bytes in the YYMMDD format, where the first byte sets the year after which the card will expire. The year range 00-49 is interpreted as 2000-2049, and 50-99 as 1950-1999. That is, the card cannot have an expiration date exceeding 2049;
  • The situation is similar with certificates, only the date format is presented as YYMM;
  • The lifetime is also determined by the ATC transaction counter, which consists of 2 bytes. When the maximum value is reached, namely 65535, the card is blocked and does not process transactions;
  • Do not forget to take into account the physical wear and tear of the card material and the lifespan of the chip built into the card.
Now the mechanisms of virtualization and tokenization of cards are gaining momentum, in which the validity period can be changed simply by re-issuing the virtual card/token. Thus, a virtual card can be conditionally made indefinite if it is automatically reissued when its validity period expires.
 