VISA Contactless

Tomcat

The VISA Contactless Payment Specification (the latest version, 2.0.2, has been supported since the VSDC 2.7 applet) defines three possible contactless card profiles (where MasterCard uses the term "mode", VISA uses the term "profile", and that is the term used in this book when describing contactless VISA cards):
  • MSD (Magnetic Stripe Data) - a profile that is analogous to MasterCard PayPass MagStripe and is used in the infrastructure for accepting cards with a magnetic stripe;
  • qVSDC (quick VSDC) - a profile that implements the basic security mechanisms adopted in the EMV standard, but in an updated form in order to minimize the processing time of a transaction (supported since the VSDC 2.6 applet);
  • full VSDC (or Contactless VSDC) - a profile that implements the VSDC standard over the T=CL contactless interface, using the PPSE directory to select the application.

The following restrictions are imposed on the VISA Contactless card and terminal:
  • any VISA Contactless card must support the qVSDC and MSD profiles;
  • any VISA Contactless terminal (terminal accepting contactless cards) supports either qVSDC or MSD;
  • VISA Contactless terminal can support qVSDC and MSD profiles simultaneously;
  • full VSDC profile support is an option both for the card (in VSDC 2.6 and later applets) and for the terminal.
Since any VISA Contactless card supports the qVSDC and MSD profiles, and every terminal supports either qVSDC or MSD, any VISA Contactless card can be accepted at any VISA Contactless terminal. This is illustrated in Table 7.3.

Tab. 7.3. Card and Terminal Application Compatibility

Profiles supported by the card | Profiles supported by the terminal | Profile selected to process the operation
-------------------------------|------------------------------------|------------------------------------------
MSD and qVSDC                  | MSD                                | MSD
MSD and qVSDC                  | qVSDC                              | qVSDC

When choosing a card profile during an operation, the terminal is guided by the following rule:
  • the qVSDC profile takes precedence over the MSD profile;
  • full EMV profile takes precedence over qVSDC and MSD profiles.
As a result, the profile chosen for a contactless operation is determined by Table 7.4.

Tab. 7.4. Selecting a card profile when performing a contactless operation

Profiles supported by the contactless reader | Card with MSD and qVSDC profiles | Card with MSD, qVSDC and full VSDC profiles
---------------------------------------------|----------------------------------|--------------------------------------------
MSD                                          | MSD                              | MSD
qVSDC                                        | qVSDC                            | qVSDC
MSD and qVSDC                                | qVSDC                            | qVSDC
MSD, qVSDC and full VSDC                     | qVSDC                            | full VSDC
MSD and full VSDC                            | MSD                              | full VSDC
qVSDC and full VSDC                          | qVSDC                            | full VSDC

General VISA requirements for contactless payments, cards and readers can be supplemented by the following provisions:
  • the time of dialogue between the card and the terminal when performing contactless operations on MSD and qVSDC cards should not exceed 500 ms;
  • cards capable of working offline (qVSDC and full VSDC profile cards) must support the DDA method;
  • terminals that accept offline qVSDC and full VSDC profile cards must support SDA and DDA methods.
The MSD profile is very similar to the MasterCard PayPass MagStripe mode. With the MSD profile, contactless payments are made online: an authorization request containing the magnetic stripe data (Track 2 Equivalent Data) is sent to the issuer, in which the iCVV value (the static CVV value stored in Track 2 Equivalent Data) is replaced by a dynamic CVV (dCVV). The dCVV value is calculated by the same algorithm as the CVV value, the only difference being that the value of the ATC transaction counter (Tag '9F36') is used as the argument of the function, rather than the card number, its expiry date and the service code as in the case of magnetic stripe cards.

In the future it is planned to replace the dCVV value with a version 17 cryptogram, which is a signature over such transaction details as the terminal's random number (Unpredictable Number), the ATC transaction counter, the transaction amount and the Issuer Application Data (IAD) object containing the CVR and the CVN (Cryptogram Version Number). Thus the version 17 cryptogram is an abbreviated version of the version 10 cryptogram widely used by VISA.

An MSD profile VISA Contactless card transaction is processed as follows. After selecting the application, the terminal informs the card about its capabilities to support VISA Contactless profiles. This information is provided through the data sent to the card in the GET PROCESSING OPTIONS command (the PDOL object in VISA, unlike MasterCard, is not empty).

Upon receipt of the GET PROCESSING OPTIONS command, the card determines that the operation will be performed using the MSD profile, and captures this fact by setting the corresponding value of bit 8 of the second byte of the AIP object. The card then calculates the dCW value and inserts it and the ATC value into Track 2 Equivalent Data. Thus, the VISA Contactless terminal (in contrast to the MasterCard case) does not need to do anything with the Track 2 Equivalent Data read from the card, except to include them in an authorization request sent to the host of the serving bank.

After receiving the response to the GET PROCESSING OPTIONS command, the terminal sends READ RECORD commands to the card, with which it reads the Track 2 Equivalent Data object generated by the card as well as some other data (for example, Track 1 Discretionary Data, Tag '9F1F'). After that, processing of the transaction on the card side is complete. The terminal generates an authorization request and sends it to the host of the acquiring bank, as it does when processing a magnetic stripe card.

As in the case of MasterCard PayPass MagStripe, the following methods of cardholder verification are allowed when processing a VISA MSD card transaction: signature on the terminal receipt and PIN Online. When performing a contactless transaction, the cardholder may not be verified.

Let us now dwell on the qVSDC profile, which VISA pays special attention to as a contactless application for markets with a developed infrastructure for servicing microprocessor cards. The following are the main characteristics of the qVSDC protocol.

A contactless transaction made with a VISA Contactless card using the qVSDC profile can be authorized both online and offline.

Before the transaction starts (before the card enters the reader's working area), the contactless terminal performs Preliminary Transaction Processing. The terminal checks whether the contactless transaction amount exceeds the following terminal limits:
  • Terminal Contactless Transaction Limit. If the limit is exceeded, the transaction cannot be processed through the contactless interface and must be processed in a different way;
  • Terminal Floor Limit. If the limit is exceeded, the transaction must be processed in the online authorization mode;
  • Terminal CVM limit. If the limit is exceeded, the transaction must be processed with mandatory verification of the cardholder.
After the completion of preliminary processing, the terminal invites the holder of the contactless card to bring the card to the reader (place the card in the working area of the reader). Next, the terminal selects the qVSDC application and, in the application initialization command GET PROCESSING OPTIONS, informs the card about the preprocessing results. The preprocessing results are contained in the TTQ (Terminal Transaction Qualifiers, Tag '9F66') object, which is a required element of the PDOL object in the FCI Template of the qVSDC contactless application.

The TTQ data object received from the terminal informs the card of the following:
  • whether the terminal supports the MSD, qVSDC, full contactless VSDC and contact VSDC profiles;
  • whether the reader is offline-only or online-capable;
  • whether the terminal supports signature, PIN Online, both, or does not support any method of cardholder verification;
  • the reader's decision on the need to verify the cardholder when processing a transaction;
  • the reader's decision on the need to process the transaction online.
In addition to the TTQ object, the terminal sends to the card in the GET PROCESSING OPTIONS command at least the transaction amount and a random number generated by the terminal (Unpredictable Number).
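As an added example (not from the book or from the VISA specification), the following Python model covers the two terminal-side decisions described above: the profile selection rule of Table 7.4, and Preliminary Transaction Processing against the three terminal limits, with the result encoded into the TTQ sent in GET PROCESSING OPTIONS. The limit values and amounts are constructed sample data, and the TTQ bit positions are assumed from EMV Contactless Book C-3 (Kernel 3); they are not given on this page.

```python
from dataclasses import dataclass

# Precedence rule stated in the chapter: full VSDC over qVSDC over MSD.
PRECEDENCE = ("full VSDC", "qVSDC", "MSD")

def select_profile(reader_profiles, card_profiles):
    """Profile the terminal selects (Table 7.4); raises if the pair is invalid."""
    if not {"MSD", "qVSDC"} <= set(card_profiles):
        raise ValueError("every VISA Contactless card must support MSD and qVSDC")
    for profile in PRECEDENCE:
        if profile in reader_profiles and profile in card_profiles:
            return profile
    raise ValueError("no common profile: reader supports neither MSD nor qVSDC")

@dataclass
class TerminalLimits:
    contactless: int   # Terminal Contactless Transaction Limit (minor currency units)
    floor: int         # Terminal Floor Limit
    cvm: int           # Terminal CVM Limit

def preprocess(amount, limits, online_capable=True, pin_online=True, signature=True):
    """Preliminary Transaction Processing: returns (decision, TTQ bytes or None).
    TTQ bit positions are assumed from EMV Contactless Book C-3 (not on this page);
    older VCPS versions lay out byte 1 differently, so check the spec you implement."""
    if amount > limits.contactless:
        return "not_contactless", None          # must be processed another way
    online_required = amount > limits.floor     # Floor Limit exceeded -> online
    cvm_required = amount > limits.cvm          # CVM Limit exceeded -> verify holder
    byte1 = 0x80 | 0x40 | 0x20                  # MSD, qVSDC (EMV mode), contact chip
    byte1 |= 0x00 if online_capable else 0x08   # bit 5: offline-only reader
    byte1 |= 0x04 if pin_online else 0x00       # bit 4: Online PIN supported
    byte1 |= 0x02 if signature else 0x00        # bit 3: signature supported
    byte2 = (0x80 if online_required else 0) | (0x40 if cvm_required else 0)
    decision = "online" if online_required else "online_not_required"
    return decision, bytes([byte1, byte2, 0x00, 0x00])

def describe_ttq(ttq):
    """Decode the TTQ items the chapter lists, the way the card reads them."""
    b1, b2 = ttq[0], ttq[1]
    profiles = (("MSD", 0x80), ("qVSDC", 0x40), ("contact VSDC", 0x20))
    cvms = (("PIN Online", 0x04), ("signature", 0x02))
    return {
        "profiles": [name for name, mask in profiles if b1 & mask],
        "offline_only": bool(b1 & 0x08),
        "cvm_supported": [name for name, mask in cvms if b1 & mask],
        "online_required": bool(b2 & 0x80),
        "cvm_required": bool(b2 & 0x40),
    }
```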

Most of the work is done by the qVSDC card during the processing of the GET PROCESSING OPTIONS command. At this time, the card performs risk management procedures, calculates a cryptogram and, in the case of an offline operation, generates a dynamic signature value.

When performing risk management procedures, the card determines:
  • whether the transaction is international or domestic;
  • whether verification of the cardholder is required;
  • whether the card is new;
  • whether online processing of the transaction is required;
  • whether the card prefers to process the transaction through the contact VSDC application rather than online through the qVSDC application, and, if the transaction is offline, checks the contactless application counters shared with the VSDC application:
      • the counter of international transactions, if the transaction is international;
      • the VLP (VISA Low-value Payment) counter, or the VLP and CTTA (Cumulative Total Transaction Amount) counters, or either VLP or CTTA, if the transaction is domestic.

The card then analyzes the results of the risk management procedure and passes its decisions to the terminal in the Card Transaction Qualifiers data object (Tag '9F6C') contained in the response to the GET PROCESSING OPTIONS command. The Card Transaction Qualifiers object determines the need for:
  • verification of the cardholder using the PIN Online method;
  • verification of the cardholder using the cardholder's signature;
  • processing the transaction in real time if the dynamic authentication of the qVSDC application has failed and the reader can work online;
  • termination of processing the operation if dynamic authentication of the qVSDC application has failed and the reader supports working with the VSDC application through the contact interface.
The Card Transaction Qualifiers object is generated using the results of the risk management procedure and the Card Additional Process object (Tag '9F68'), which plays the role of an Application Default Action (ADA) object for the qVSDC application in the VSDC application.

To generate a dynamic signature, VISA recommends using the Fast DDA (fDDA) method, which uses the Chinese Remainder Theorem (CRT) to compute the signature using the RSA algorithm. As explained earlier, the Chinese Remainder Theorem reduces the signature computation time by about 4 times. The signature is generated by the card only after the terminal and the card have agreed to perform the operation offline. For online transactions, dynamic authentication of the card application is not performed. Note that the SDA method can be used to authenticate the qVSDC card data.

VISA recommends that the RSA key modulus used for dynamic authentication should not exceed 1024 bits. Experiments show that on a processor with a clock frequency of 8 MHz, an RSA operation with a 1024-bit key takes 750 ms without CRT and about 200 ms with CRT. The saving in signature computation time is obvious.
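To make the fDDA argument concrete, here is an added Python example (not from the book) that signs with textbook RSA and with the CRT form side by side, checks that both produce the same valid signature, and measures the speed-up. Key generation with Miller-Rabin and Python's random module is for illustration only; the speedup function and all other names are this example's own.

```python
import random
import time
def is_probable_prime(n, rounds=20):
    """Miller-Rabin test; adequate for a demo, not a certified prime generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits, e):
    while True:                                  # random odd prime with gcd(p-1, e) == 1
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % e and is_probable_prime(p):
            return p

def rsa_keygen(modulus_bits=1024, e=65537):
    """Return (n, e, d, p, q, dp, dq, qinv); the last five form the CRT private key."""
    p, q = gen_prime(modulus_bits // 2, e), gen_prime(modulus_bits // 2, e)
    d = pow(e, -1, (p - 1) * (q - 1))
    return p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)

def sign_plain(m, d, n):
    return pow(m, d, n)                          # one full-size modular exponentiation

def sign_crt(m, p, q, dp, dq, qinv):
    """Two half-size exponentiations (mod p, mod q) recombined with Garner's formula."""
    s1, s2 = pow(m % p, dp, p), pow(m % q, dq, q)
    return s2 + ((qinv * (s1 - s2)) % p) * q

def speedup(modulus_bits=1024, reps=10):
    """Plain/CRT signing time ratio, after checking both yield the same valid signature."""
    n, e, d, p, q, dp, dq, qinv = rsa_keygen(modulus_bits)
    m = random.randrange(2, n)
    t0 = time.perf_counter()
    plain = [sign_plain(m, d, n) for _ in range(reps)][-1]
    t1 = time.perf_counter()
    crt = [sign_crt(m, p, q, dp, dq, qinv) for _ in range(reps)][-1]
    t2 = time.perf_counter()
    assert plain == crt and pow(crt, e, n) == m
    return (t1 - t0) / (t2 - t1)                 # roughly 3 to 4 on CPython at 1024 bits
```

The ratio is pure big-integer arithmetic in software; a card's RSA coprocessor gives a similar proportional gain, which is what the 750 ms versus 200 ms figures above reflect.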

The qVSDC profile uses either version 10 or 17 cryptograms (an abbreviated version of version 10 cryptogram).

If the terminal and the card decide that the qVSDC card operation should be authorized online, the card-side operation ends with a response to the GET PROCESSING OPTIONS command. In this case, dynamic authentication of the card application is not performed and the AFL object is not returned to the terminal: the terminal does not need any additional card data to proceed with the transaction.

If the card and the terminal decide that the transaction should be authorized offline, the card returns an AFL object to the terminal and the terminal uses READ RECORD commands to read the data needed to authenticate the qVSDC application offline.

As a result, in response to the GET PROCESSING OPTIONS command the card returns to the terminal the data shown in Table 7.5.

In Table 7.5, the plus sign indicates the data returned to the terminal in response to the GET PROCESSING OPTIONS command, depending on the type of cryptogram generated by the card.

Tab. 7.5. Response data to GET PROCESSING OPTIONS command

Tag     | Data object name                                                                    | AAC | ARQC | TC
--------|-------------------------------------------------------------------------------------|-----|------|---
'82'    | AIP                                                                                 |  +  |  +   | +
'94'    | AFL                                                                                 |     |      | +
'9F36'  | ATC                                                                                 |  +  |  +   | +
'57'    | Track 2 Equivalent Data                                                             |  +  |  +   | +
'9F10'  | Issuer Application Data                                                             |  +  |  +   | +
'9F26'  | Application Cryptogram                                                              |  +  |  +   | +
'5F34'  | PAN Sequence Number                                                                 |  +  |  +   | +
'9F4B'  | Signed Dynamic Application Data                                                     |     |      | +
'9F6C'  | Card Transaction Qualifiers                                                         |  +  |  +   | +
'9F5D'  | Available Offline Spending Amount (for printing or display on the terminal screen)  |  +  |  +   | +
'5F20'  | Cardholder Name                                                                     |     |  +   | +

After the card has finished processing the transaction, the terminal authenticates the card application, checks the card expiry date and the list of blocked cards (terminal exception file). If, as a result of these checks, both the card and the terminal decide to approve the operation offline, it is approved offline. If either the card or the terminal decides that the transaction must be declined, it is declined. The transaction can also be sent to the issuer for authorization, or the card can process the transaction through the contact VSDC application if the Terminal Contactless Transaction Limit is exceeded and the contact VSDC application is supported by the card.

Thus, the qVSDC profile can significantly reduce the transaction processing time due to:
  • use of preliminary processing of the transaction by the terminal;
  • completion of the dialogue between the card and the terminal, either immediately after the response to the GET PROCESSING OPTIONS command in case of online authorization, or after the completion of the GET PROCESSING OPTIONS command processing and subsequent reading of the data required to perform offline authentication in the case of an offline operation;
  • application of the Fast DDA algorithm and restrictions on the size of the RSA key modulus (no more than 1024 bits);
  • calculation of a dynamic signature by a card only in the case of offline processing of the transaction.
In conclusion, a very short look at the full VSDC profile. Terminals that support this profile must be equipped with special card holders so that the card stays in the reader's working area long enough to authorize a contactless transaction in real time. In this case the transaction is processed in exactly the same way as with the VSDC application over the contact interface: the transaction can be served online or offline, script processing and issuer authentication by the card application can be used, offline counters are reset after successful online authorization, etc. It is also possible to reset the VLP Available Funds value; to do this it is sufficient to set bit 5 of byte 3 of the ADA object to 1.

At the same time, the functionality of the full VSDC application is limited: cardholder verification by the PIN Offline method is possible only if the PIN is encrypted when it is transferred to the card (Enciphered PIN Offline).

Table 7.6 compares the VISA Contactless card profiles.

Tab. 7.6. Comparison of VISA Contactless card profiles

Main criterion                                  | MSD | qVSDC | full VSDC
------------------------------------------------|-----|-------|----------
Fast transactions (< 500 ms)                    |  +  |   +   |    -
Protection against counterfeiting, online mode  |  +  |   +   |    +
Protection against counterfeiting, offline mode |  -  |   +   |    +
Control of offline counters                     |  -  |   +   |    +
Offline PIN                                     |  -  |   -   |    +

Below are the values of the special fields of authorization and clearing messages used for contactless payments in the VISA network:
  • special POS Entry Mode values are used: for MSD the field is 91, for qVSDC and full VSDC - 07;
  • The Terminal Capability / POS Entry Capability field, depending on the capabilities of the terminal and the requirements of a particular market, can take values 2, 5 and 8.
Concluding the review of the VISA system's contactless technologies, it is necessary to mention VISA Wave cards, with which the payment system began its contactless payment projects in the Asia-Pacific region. This technology is being phased out; it is presented here because of its wide market presence, and only to give the reader an idea that it has little to do with the officially recognized VISA contactless card profiles described above.

VISA Wave cards are dual interface cards. They can be used both online (Malaysia) and offline (Taiwan). The PIN is not used for cardholder verification.

Processing a VISA Wave card transaction exactly repeats the processing of a VSDC card transaction via a contact interface, up to the processing of the INTERNAL AUTHENTICATE command (all VISA Wave cards support DDA). After processing this command, the card-side transaction ends. Next, the terminal verifies the dynamic signature of the card received in response to the INTERNAL AUTHENTICATE command, and, depending on the result of the verification, continues processing the transaction through the magnetic card acceptance infrastructure.