Paragon Application Systems: EMV Planning for Acquirers

Industry Insights

View All Articles

Downloads

View as PDF Chip Card Implementation for Issuers

Share

Bookmark and Share

EMV Implementation for Issuers: 7 Decisions You Must Make Before Issuing Your First Chip Card

  1. Will we perform the steps needed for chip card authentication, or do we need to rely on a switch, network, or other party to perform it on our behalf?

    To perform chip card authentication, your institution must have an appropriate hardware security module (HSM), as well as the appropriate chip card authentication keys and cryptograms. Chip card authentication is too complex to discuss here at length1, but involves steps such as:

    • ARQC verification and ARPC generation – Verifying the authorization request cryptogram and generating the corresponding authorization response cryptogram.
    • TVR/CVR checks – Verifying the Terminal Verification Results (TVR) and Card Verification Results (CVR).
    • Fallback checks – Verifying transactions that were processed with a chip card at chip-capable device, but which were completed using a magnetic stripe (typically because of an inability to read the chip). These transactions “fall back” to use of the magnetic stripe to complete transaction processing, and can be indicative of fraud.
    • iCVV check – Checking the Card Verification Value contained on the card’s chip.
    • ROC check (POS only) –Verifying the Reason Online Code (ROC). The ROC indicates the reason that a POS transaction was forced to go online for authorization rather than being authorized offline at the device, that is, without sending the transaction request to the issuer or authorizer.

    If your organization is unable to perform chip card authentication, you may be able to negotiate with a network to perform authentication for you. In that case, all chip transactions destined for your institution must go through this network for authentication. Your organization must provide the appropriate keys and cryptograms to the entity that performing chip card authentication on your behalf. Your institution would need to discuss the requirements with the network and obtain any updated specifications from the network that explain how authentication will work.

  2. What functionality can we support for our chip cards that would still allow us to get them into the marketplace in a reasonable timeframe?

    Your organization’s EMV implementation may be regulated by card associations, network mandates, or even government legislation. If your organization can choose its own path, perhaps an ideal EMV implementation would include a chip card that conforms to EMV standards but does not allow offline PIN verification, offline authentication, offline authorization, PIN change at the ATM, or other issuer scripting. Limiting the functions and transactions supported means your cards would not need to contain the keys and programming to support those features.

 

 

iYou can find more information on EMV processing in the Paragon publication “Beyond Cards and Terminals: Considerations for Testing Hos-to-Host EMV Processing”.

 

Page 3 of 4 < Previous    Page 1 2 3 4     Next >

Copyright © 1996-2012, Paragon Application Systems