Tomcat
As noted above, MasterCard PayPass contactless cards can support the magnetic stripe fashion (MasterCard PayPass MagStripe) and the chip card fashion (MasterCard PayPass M / Chip).
The magnetic stripe mode is implemented on contactless cards that have no contact interface. The mode is described by the MasterCard PayPass MagStripe v.3.2 specification. The main distinguishing features of the MasterCard PayPass MagStripe mode are the following:
- the card stores Track 2 magnetic stripe data and, in the case of a credit card, may also store Track 1 data. However, for security reasons discussed below, it is not recommended to store the cardholder's name in the magnetic stripe data. This in turn means that storing Track 1 data is not recommended, since that is where the cardholder's name is held, and this is the only fundamental difference between Track 1 and Track 2;
- the card may store a special data object, the Unpredictable Number Data Object List (UDOL). By default, if there is no UDOL object on the card, the terminal assumes that this object defines a single Unpredictable Number object (Tag '9F6A') with a 4-byte data field;
- the card supports the special COMPUTE CRYPTOGRAPHIC CHECKSUM command, whose argument is the data defined by the UDOL object. In response, the card computes the dynamic value CVC3 using the 3DES algorithm and a secret key (session key derivation is not used, in order to speed up transaction processing). The concatenation of the UDOL data and the ATC is used as the argument of the 3DES function. Thus the CVC3 value always depends on the UN and ATC objects (the standard also provides for a static CVC3 value, but we will not dwell on this);
- the card may store a CVM List object that includes one or both of two cardholder verification methods: signature on the receipt and online PIN verification.
A transaction with a MasterCard PayPass MagStripe card is processed online, that is, it requires authorization from the issuer. After application selection (SELECT command) and transaction initialization (GET PROCESSING OPTIONS command without terminal or transaction data, since the PDOL object in the MasterCard specifications is empty), the terminal reads (using READ RECORD commands) all the records listed in the AFL and sends the COMPUTE CRYPTOGRAPHIC CHECKSUM command to the card.
After receiving the response to the COMPUTE CRYPTOGRAPHIC CHECKSUM command, transaction processing on the card side is complete and the card may be removed from the reader's field. The terminal continues processing the transaction by constructing the card's Track 2 magnetic stripe data. To do this it inserts the CVC3 value in place of the CVC value in Track 2 and places the UN and ATC data in the Issuer Discretionary Data field of the Track 2 contents.
Then everything proceeds as when processing a transaction with a magnetic stripe card: the terminal sends the transaction data, including the card's magnetic stripe data, to the acquiring bank's host. The only difference is that the magnetic stripe data is constructed by the terminal in the manner described above. During the transaction the cardholder may be verified by signature on the receipt or by online PIN verification. Naturally, performing no cardholder verification at all is also allowed.
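The MagStripe flow just described, modelled end to end as an added example (not code from the book or from MasterCard): the card computes CVC3 over UN and ATC, the terminal substitutes it into Track 2, and the issuer host parses the track, rejects a non-increasing ATC and recomputes CVC3. HMAC-SHA256 truncated to 16 bits stands in for the card's 3DES, and the discretionary-data layout ATC(4) UN(4) CVC3(3), the 4-digit UN, the key and the PAN are all constructed simplifications of the spec's bitmap-driven layout.

```python
import hashlib
import hmac

# Constructed sample values, not taken from any real card or issuer.
CARD_KEY = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")
# PAN '=' YYMM + service code 201 + static CVC1 "123", as a real stripe would carry.
STATIC_TRACK2 = "5413330089604111=2512201123"


def card_compute_cvc3(key: bytes, un: int, atc: int) -> int:
    """Card side of COMPUTE CRYPTOGRAPHIC CHECKSUM: a 2-byte MAC over UN || ATC,
    so the value changes with every unpredictable number and every transaction.
    Stand-in MAC: HMAC-SHA256 truncated to 16 bits instead of the card's 3DES."""
    msg = un.to_bytes(4, "big") + atc.to_bytes(2, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:2], "big")


def terminal_build_track2(static_track2: str, un: int, atc: int, cvc3: int) -> str:
    """Terminal side: drop the static CVC1 and write ATC, UN and the CVC3 digits
    into the discretionary data. Assumed fixed layout: ATC(4) UN(4) CVC3(3)."""
    pan, rest = static_track2.split("=")
    expiry_service = rest[:7]
    discretionary = f"{atc:04d}{un:04d}{cvc3 % 1000:03d}"
    return f"{pan}={expiry_service}{discretionary}"


def issuer_verify_track2(track2: str, key: bytes, last_atc: int) -> tuple:
    """Issuer host: parse the constructed Track 2, reject a non-increasing ATC
    (a captured track replayed later) and recompute CVC3 from the UN and ATC."""
    pan, sep, rest = track2.partition("=")
    disc = rest[7:]
    if not sep or not pan.isdigit() or len(disc) != 11 or not disc.isdigit():
        return False, "malformed track 2"
    atc, un, cvc3_digits = int(disc[0:4]), int(disc[4:8]), disc[8:11]
    if atc <= last_atc:
        return False, "ATC not increasing: replayed or stale track"
    expected = f"{card_compute_cvc3(key, un, atc) % 1000:03d}"
    if not hmac.compare_digest(expected, cvc3_digits):
        return False, "CVC3 mismatch"
    return True, "approved"


def run_transaction(un: int, atc: int, last_atc: int) -> tuple:
    """One complete flow: card computes CVC3, terminal builds Track 2, issuer checks."""
    cvc3 = card_compute_cvc3(CARD_KEY, un, atc)
    track2 = terminal_build_track2(STATIC_TRACK2, un, atc, cvc3)
    ok, reason = issuer_verify_track2(track2, CARD_KEY, last_atc)
    return track2, ok, reason


if __name__ == "__main__":
    print(run_transaction(un=4821, atc=17, last_atc=16))
```

Feeding the unmodified static stripe into the issuer check shows why a plain magnetic stripe read cannot pass the MagStripe-mode verification: it has no ATC or UN to check against.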
The MasterCard PayPass M/Chip mode is defined by the MasterCard PayPass M/Chip v.1.3 and MasterCard PayPass M/Chip Flex v.1.1 specifications (starting from version M/Chip 4 R2 it will be included in the M/Chip 4 standard). This mode optimizes EMV-based transaction processing in order to minimize the execution time of the operation.
The features of the MasterCard PayPass M/Chip implementation are listed below.
A MasterCard PayPass M/Chip contactless card must support both the contact and the contactless mode. The contact mode is required so that:
- the card can be accepted at terminals that do not work with contactless cards;
- the card can be serviced through the contact interface if the conditions for a contactless operation are not met (for example, the transaction amount is too large);
- the offline counters of the contactless application can be reset using the script processing procedure via the contact interface: the offline counters are shared by the contact and contactless modes;
- card personalization is simplified by using the contact interface.
PayPass M/Chip uses CDA as the dynamic application authentication method (DDA is not used); the SDA static authentication method may also be used.
The Offline PIN cardholder verification method is not used as a CVM, but Online PIN and the cardholder's signature on the receipt may be used.
MasterCard PayPass M/Chip also supports the MagStripe mode: the card can process both commands, GENERATE AC and COMPUTE CRYPTOGRAPHIC CHECKSUM. The terminal determines the card's mode using bit 8 of the second byte of the contactless application's AIP data field. If this bit is 1, the card supports the PayPass M/Chip mode and therefore also the PayPass MagStripe mode. Otherwise (bit is 0) the card supports only the PayPass MagStripe mode.
In turn, a terminal that supports the PayPass M/Chip mode also supports the PayPass MagStripe mode. Such a terminal uses the AIP data to issue either a GENERATE AC command to a PayPass M/Chip card or a COMPUTE CRYPTOGRAPHIC CHECKSUM command to a PayPass MagStripe card. Conversely, a terminal that supports PayPass MagStripe is not required to support PayPass M/Chip.
Thus, the compatibility of PayPass MagStripe and PayPass M/Chip products is ensured by the principle that a card or terminal supporting the PayPass M/Chip mode also supports the PayPass MagStripe mode. The compatibility of terminals and cards is illustrated in Fig. 7.9.
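Terminal-side handling of the GET PROCESSING OPTIONS step and of the mode decision above, as an added example that is neither the book's nor MasterCard's code: it builds the GPO command with an empty PDOL, parses the Format 1 response into AIP and AFL, expands the AFL into the READ RECORD list, and applies the Fig. 7.9 rule using bit 8 of AIP byte 2. The sample response bytes are constructed.

```python
# Constructed terminal-side helpers; the sample bytes are made up for illustration.


def build_gpo_command() -> bytes:
    """GET PROCESSING OPTIONS with an empty PDOL: the data field is only an empty
    Command Template (tag '83', length 0), so no terminal or transaction data is sent."""
    header = bytes.fromhex("80A80000")          # CLA INS P1 P2
    data = bytes.fromhex("8300")                # tag 83, length 00
    return header + bytes([len(data)]) + data + b"\x00"   # Lc, data, Le


def parse_gpo_response(resp: bytes):
    """Parse a Format 1 GPO response (tag '80'): a 2-byte AIP followed by AFL entries
    of 4 bytes each: SFI in the top 5 bits, first record, last record, ODA record count.
    Trailing bytes (e.g. the status word) are ignored."""
    if len(resp) < 2 or resp[0] != 0x80:
        raise ValueError("not a Format 1 GPO response template")
    length = resp[1]
    body = resp[2:2 + length]
    if len(body) != length or length < 2 or (length - 2) % 4:
        raise ValueError("malformed GPO response")
    aip, afl = body[:2], body[2:]
    entries = []
    for i in range(0, len(afl), 4):
        sfi_byte, first, last, oda = afl[i:i + 4]
        entries.append((sfi_byte >> 3, first, last, oda))
    return aip, entries


def read_record_plan(entries) -> list:
    """Expand the AFL into the (SFI, record number) pairs to fetch with READ RECORD."""
    return [(sfi, rec) for sfi, first, last, _ in entries for rec in range(first, last + 1)]


def card_supports_mchip(aip: bytes) -> bool:
    """Bit 8 of the second AIP byte: 1 = PayPass M/Chip (and MagStripe), 0 = MagStripe only."""
    return bool(aip[1] & 0x80)


def select_paypass_command(aip: bytes, terminal_supports_mchip: bool) -> str:
    """The Fig. 7.9 rule: only an M/Chip terminal with an M/Chip card proceeds to
    GENERATE AC; every other pairing falls back to the MagStripe mode command."""
    if terminal_supports_mchip and card_supports_mchip(aip):
        return "GENERATE AC"
    return "COMPUTE CRYPTOGRAPHIC CHECKSUM"


# Constructed sample response: AIP 19 80 (byte 2 bit 8 set) and two AFL entries,
# SFI 1 record 1 and SFI 2 records 1-2 (one of them used for offline data authentication).
SAMPLE_GPO_RESPONSE = bytes.fromhex("800A" "1980" "08010100" "10010201")

if __name__ == "__main__":
    aip, entries = parse_gpo_response(SAMPLE_GPO_RESPONSE)
    print(build_gpo_command().hex(), read_record_plan(entries), select_paypass_command(aip, True))
```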
Note that the AFL object for the contactless mode may differ from the AFL object for the contact mode. In addition, it is advisable to set the Application Control object to indicate that the Offline PIN method is not supported by the card (deactivate the VERIFY command by setting bits 3 and 4 of the first byte of the Application Control object to 0).
Note also that before version M/Chip 4 R2, the contact and contactless M/Chip applications also share the card key used to generate the cryptogram. This significantly complicates the use of different card numbers for the contact and contactless applications, which is highly desirable from the point of view of improving the security of operations. The reason is that, as mentioned earlier (clause 3.16.1), the card number is used when deriving the card key. Therefore, because the card holds a single cryptogram generation key, it is necessary either to use one card number for the contact and contactless applications, or to upgrade the issuer's processing system so that, when it derives the card key, it uses the card number corresponding to the contact mode.
Fig. 7.9. PayPass M/Chip and PayPass MagStripe compatibility
When processing a transaction with a PayPass M/Chip card, the terminal's command stream ends with the first GENERATE AC command. Once the card has formed its response to this command, the card-side transaction is complete.
When the card is serviced at a terminal operating only in offline mode (an offline-only terminal), after application selection, transaction initialization and reading of the card application data, the terminal immediately sends the GENERATE AC command to the card. The card forms its response to GENERATE AC and completes the operation. Thus the card-side transaction is completed before the terminal authenticates the card application, checks Processing Restrictions, verifies the cardholder, performs Terminal Risk Management and decides how to complete the transaction on the terminal side (Terminal Action Analysis). All of these procedures are performed after the card has been removed from the reader's field, and only if the card, as a result of its own risk management (Card Risk Management), has decided (Card Action Analysis) to complete the transaction successfully, that is, has returned a TC cryptogram in response to GENERATE AC. The final outcome of the transaction is then determined by the terminal on the basis of its own decision procedure.
When the card is serviced at a terminal capable of working online (an online-capable terminal), all commands are executed in the same sequence as in a normal EMV transaction, with the following exceptions. The terminal authenticates the card application after receiving the response to the GENERATE AC command (as with an offline-only terminal, the card-side transaction is complete once the card has responded to GENERATE AC). In addition, the script processing procedure is not executed for an online operation (more precisely, it cannot be, for the reason just given).
Thus, in the second case, terminal risk management is performed before the terminal issues the GENERATE AC command, and after the dialogue with the card ends only application authentication remains. The terminal is able to authenticate the application after receiving the response to GENERATE AC because the PayPass M/Chip standard uses one of two authentication methods, SDA or CDA.
Note that the changes to the standard EMV contact transaction processing scheme in the contactless case are aimed solely at reducing the duration of the card-terminal dialogue.
Below are the values of the special fields of MasterCard network authorization and clearing messages. Banknet (CIS) messages must indicate that a contactless card transaction has taken place as follows:
- Subelement 1 (POS Terminal PAN Entry Mode) of data element DE 022 (POS Entry Mode) must be 07 if the data was read from a PayPass M/Chip card, and 91 if it was read from a PayPass MagStripe card;
- Subelement 11 (POS Card Data Input Capability) of data element DE 061 (POS Data) must be 3 if the terminal is of the PayPass M/Chip type, and 4 if it is of the PayPass MagStripe type.
The following new values appear in GCMS clearing messages:
- Subelement 1 (POS Card Data Input Capabilities) of DE 022 (POS Entry Mode) must be M if the terminal supports PAN reading via the PayPass M/Chip interface, and A if the terminal supports PAN reading only from a PayPass MagStripe card;
- Subelement 7 (Card Data Input Mode) of DE 022 (POS Entry Mode) must be M if the terminal read the PAN via the PayPass M/Chip interface, and A if the PAN was read from a PayPass MagStripe card.