Overview#A listing of EMV terms that we have discovered.
- Acquiring Processor - Entities that process transactions on behalf of Acquirers by connecting merchant transactions to Payment Networks.
- Application Authentication Cryptogram] (AAC)
- Application Cryptogram
- Authorization Controls offline Risk Parameters. Information programmed into the chip application enabling the card to act on the issuer’s behalf at the point of transaction. These controls aid issuers in managing their below-floor limit exposure to fraud and credit losses. They may be tailored to the risk level of individual cardholders or groups of cardholders.
- Application A computer program and associated data that reside on an integrated circuit chip and satisfy a business or risk management function; i.e., a set of defined parameters, for transaction processing. Examples of
- AID Application Identifier Defined within ISO 7816. - A data label that differentiates payment systems and products. The card issuer uses the data label to identify an application on the card or terminal. Cards and terminals use AIDs to determine which applications are mutually supported, as both the card and the terminal must support the same AID to initiate a transaction. Both cards and terminals may support multiple AIDs. An AID consists of two components, an RID (alpha and numeric) and a PIX (numeric only).
- ATC Application Transaction Counter - A counter, maintained by the chip card application (incremented by the chip), that provides a sequential reference to each transaction. A duplicate ATC, a decrease in ATC or a large jump in ATC values may indicate data copying or other fraud to the issuer.
- ARPC Authorization Response Cryptogram - A Cryptogram used for a process called Online Issuer Authentication. This Cryptogram is the result of the Authorization Request Cryptogram (ARQC) and the issuer’s authorization response encrypted by a DES key. It is sent to the card in the authorization response. The card validates the ARPC to ensure that it is communicating with the valid issuer.
- ARQC Authorization Request Cryptogram - A Cryptogram used for a process called Online Card Authentication. This Cryptogram is generated by the card for transactions requiring online authorization. It is the result of card, terminal, and transaction data encrypted by a DES key. It is sent to the issuer in the authorization or full financial request. The issuer validates the ARQC to ensure that the card is authentic and card data was not copied from a skimmed card.
- CAM Card Authentication Method - Also known as: Online Card Authentication or Card Authentication. In the context of a payment transaction, the method used by the terminal and/or issuer host system to determine that the payment card being used is not counterfeit.
- Card Manufacturer - Entity which converts raw materials into payment chip cards on behalf of the Issuer; includes application loading, quality testing, and distribution to a personalization bureau.
- Card Security Code
- Card Sequence Number
- CVR Card Verification Results - The chip card internal registers that store information concerning the chip card functions performed during a payment transaction. The major chip card functions reflected in these registers are the PIN verification, the card risk management checks and the status of the previous transaction.
- End product user - One who possesses a payment card. Customer to whom the card is issued.
- Cardholder Verification Method or CVM
- CA Certificate Authority
- CAPK Certificate Authority Public Key - In order to support data Authentication or Offline Enciphered PIN, the terminal must store one or more Certificate Authority's Public Keys for each RID. When required, the card will supply a CAPK index which is used to identify which of these keys should be used for that transaction.
- Chip Card
- Chip Card Security Code
- CDA Combined DDA-Application Cryptogram Generation - An authentication technique used in offline chip transactions that combines DDA functionality with the application Cryptogram used by the issuer to authenticate the card. The application Cryptogram is used to assure that the data in the transaction maintain integrity even after the transaction is completed.
- Contact Chip Card
- Contactless Chip Card
- MSD - Contactless Magnetic Stripe Data - An approach for implementing Contactless Payments. With contactless MSD, the message layout for Track 1 and Track 2 magnetic stripe data remains intact, with one notable difference. The chip on the card allows for the calculation of a dynamic card verification value DCVV based on a card-unique key and a simple application transaction counter ATC. The dynamic card verification value is passed in the message in the same field that was used for the original card verification value. The ATC is passed in the area reserved on the track layout for issuer discretionary data.
- Contactless Payments
- Dual Interface Chip Card
- DDA or Dynamic Authentication Data - Information that is used during a transaction to verify the card or the cardholder participating in the transaction and that changes from transaction to transaction.
- DDA Dynamic Data Authentication - An authentication technique used in offline chip transactions that calculates a Cryptogram for each transaction that is unique to the specific card and transaction. DDA protects against card skimming and counterfeiting.
- Dynamic Card Security Code A security code which changes for each transaction, replacing the static magnetic stripe-based card security code for a contactless transaction.
- EEPROM Also known as: Electronically Erasable Programmable Read-Only Memory
- E2 - Memory that can be erased and reused, but does not require electrical power to maintain data. It is used to store information that will change, such as transaction counters or cardholder unique data like the account number. It is possible to load new data elements and applications into EEPROM after a card has been issued. Generally, after personalization and issuance few application data could be updated. This is linked to card security requirements.
- EMV Migration Forum - The EMV Migration Forum is an independent, cross-industry body created by the Smart Card Alliance to address issues that require broad cooperation and coordination across many constituents in the payments
- EMV Compliant - Cards and terminals that meet security, interoperability, and functionality requirements outlined by EMVCo.
- EMV tags - Values involved in an EMV transaction (which result from the Issuer’s implementation choices) are transported and identified by a tag which defines the meaning of the value, the format and the length.
- EMV Terminal -Point of sale device or ATM that is able to process chip transactions. Also known as:
- Chip Terminal
- EMV ATM Terminal
- EMV POS Terminal
- Chip/EMV Card Reader
- Chip Reader
- Enciphered PIN
- HSM Hardware Security Module
- Hybrid Card
- Independent Sales Organizations (ISO) Also known as:
- Industry Organization - An association of organizations or entity which facilitates industry-wide communication around the U.S. EMV migration including:
- Stakeholder communication
- Government advocacy
- Industry conferences and networking
- ISO International Standards Organization A global institution that maintains over 13,000 international standards for business, government and society.
- Issuer Bank
- IAC Issuer Action Codes - Codes placed on the card by the issuer during card personalization. These codes indicate the issuer’s preferences for approving transactions offline, declining transactions offline, and sending transactions online to the issuer based on the risk management performed.
- Issuer Script A process by which an issuer can update securely the contents digitally stored on chip cards without reissuing the cards. Examples of issuer scripts include blocking and unblocking an account, blocking the entire card, changing the cardholder’s PIN, and changing the cardholder’s Authorization Controls.
- ISO 7816
Issuing Processor #An entity that facilitates card issuance activities on behalf of an issuer such as process payment transactions, card enrollment, preparing and sending the card personalization information to the card vendor, and maintaining the cardholder database. The issuer processor may provide only card issuing activities or may provide other ancillary services as well (e.g., web front-end administrative and cardholder account management applications, customer service, settlement and clearing, chargeback processing)
- ISO 7816
- ISO 14443
- ISO 18092
- Kernel - The set of functions required to be present on every terminal or card reader implementing a specific interpreter. The kernel contains device drivers, interface routines, security and control functions, and the software for translating from the virtual machine language to the language used by the real machine. In other words, the kernel is the implementation of the virtual machine on a specific real machine.
- Liability Shift
- Magnetic Stripe Card
- Multi-Application Card
- Multi-function Card
- NFC Near Field Communication
Near field communication (NFC) is a set of standards for smartphones and similar devices used to establish communication with each other by touching them together or bringing them close.
Offline PIN#The PIN stored on the chip card (versus a PIN stored at the host). In a chip transaction using offline PIN, the PIN entered at the terminal is compared with the PIN stored securely on the chip card without going online to the issuer host for the comparison. Only the result of the comparison is passed to the issuer host system. Two types of offline PIN are enciphered and plaintext. ARQC (Authorization Request Cryptogram).
Online Issuer Authentication#Validation of the issuer by the card to ensure the integrity of the issuer. Also known as Issuer Authentication and Host Authentication. See also ARPC (Authorization Response Cryptogram).
Online PIN#In a chip transaction, the process of comparing the cardholder's entered PIN with the PIN stored on the issuer host system. The PIN is encrypted by the POS terminal PIN pad before being passed to the acquirer system.
The PIN is then decrypted and re-encrypted as it passes between each party on its way to the issuer.
This is supported today with mag-stripe.
Personalization#Process by which the elements specific to the issuer and cardholder are added to the plastic card, magnetic stripe and/or chip.
Personalization Bureau#An entity which provides some of the following personalization services to issuers:
- Data preparation (can also be done by issuing bank)
- Configuration set-up
- Fulfillment of personalized chip card, with all paper inserts; preparation for mailing to customer
- Define card profile, including risk parameters (with issuing bank’s approval)
- Receive and manage card records and keys to form a personalization record
- Generate personalization script
A secret code or number that an individual memorizes and uses to authenticate his or her identity for card use.
PIX#Also known as: • Proprietary Application Identifier Extension The last four digits of the Application ID
Plaintext PIN#Offline PIN processing in which the PIN entered by the cardholder is sent unencrypted, in plaintext, from the PIN pad to the chip card for verification.
POS/ATM Terminal Manufacturers/ Suppliers#An entity which manufactures and supplies POS/ATM terminals to POS/ATM terminal operators/owners
POS/ATM Terminal Operators/Owners#An entity which drives or operates some or all parts of payments through terminals or ATMs. Examples: • Acquirer • IAD (Independent ATM Deployer) • ISO (Independent Selling Organization) • Merchant • VARs (Value Added Resellers)© 2013 First Data Corporation. All Rights Reserved. All trademarks, service marks and trade names referenced in this material are the property of their respective owners.
Public Key Cryptography#An Encryption method that is used to verify an identity or to encrypt data or messages. It consists of two keys, one Public Key and one Private Key. The Public Key is in the public domain and available to all users and the Private Key is kept secret. Public Key cryptography may also be used to verify digital signatures to authenticate the message sender. Public Key Cryptography requires a Public Key Infrastructure to be secure and effective. Certificate-based Public Key Cryptography.
Regional Debit Network#Organization which defines specifications and rules for a debit-only payment network, routes debit transactions between issuers and acquirers, merchants and ATMs, and ensures security and interoperability.
A debit network supports debit transactions (withdrawals, balance inquiries, transfers, and cash advances).
RID (Registered Application Provider identifier)#The first part of the Application ID, starting with a letter and containing nine numbers, used to identify a payment system (card scheme) or network, e.g., MasterCard, Visa, Interac.
SAM (Secure Application Module)#A logical device used to provide security for insecure environments. It is protected against tampering and stores secret and/or critical information. SAMs are often inserted into point-of- sale terminals to store keys, especially for chip card applications.
Standards Body#An entity which ensures physical and logical global interoperability of contact and contactless capable devices and systems: e.g., cards, mobile devices, POS systems, ATMs, acquiring networks, issuer host systems.
Entity which creates standards for all companies to work well together.Cryptogram using a static public key certificate and static data elements. With SDA, the data used for authentication is static—the same data is used at the start of every transaction. Private Key Cryptography. In a Symmetric Key Cryptography, the same secret key is used to perform both the cryptographic operation and its inverse (for example to encrypt and decrypt, or to create a message authentication code and to verify the code).
The secret key is shared between the sender and the receiver or the card and the issuer.Cryptogram generated by the card at the end of all offline and online approved transactions. The Cryptogram is the result of card, terminal, and transaction data encrypted by a DES key. The TC provides information about the actual steps and processes executed by the card, terminal, and merchant during a given transaction and can be used during dispute processing. DES, in which the procedure for encryption is the same but repeated three times.
First, the DES key is broken into three sub keys. Then the data is encrypted with the first key, decrypted with the second key and encrypted again with the third key.
Triple DES offers much stronger encryption than DES.