Beyond Cards and Terminals: Considerations for Testing Host-to-Host EMV Processing

• Generating and validating the cryptograms required for EMV
  For online EMV, there are four primary types of cryptograms:
  
  
  • The authorization request cryptogram (ARQC)
  • The authorization response cryptogram (ARPC)
  • The cryptogram used to encrypt the PIN (used only when processing the Issuer script for online PIN change)
  • The cryptogram used to generate the MAC (used only when MACing is required for Issuer script processing)
  
  Issuers need to test with an HSM (Host Security Module) that is capable of validating and generating the cryptograms required for EMV transactions.
  
  Acquirers and Switches/Gateways/Interchanges need to ensure the data used in EMV cryptograms is carefully collected and properly formatted, and that its continuity is maintained throughout the entire transaction flow. You must verify the data is unchanged and is populated into the correct fields.
  
  EMV testing should ensure your organization is capable of:
  
  
  • Cryptogram verification
  • MAC generation for Issuer script commands
  • Issuer script APD execution
  • PIN authorization
  
  In addition, your regression testing must verify that your magnetic stripe card processing is unaffected, confirming that you are still capable of tasks such as full message authentication, address verification, and CVV or CSC handling.
• Verifying message mapping
  Verifying message mapping means not only ensuring that you are correctly mapping EMV tags or EMV tokens in any messages you must forward, but also ensuring you are examining the correct tags and tokens in any messages you receive. In addition, Switches, Gateways, and Interchanges must be prepared, for ISO messages, to re-map some EMV tag values in EMV fields to specific ISO message fields. You must verify that the proper mapping is occurring for these types of tags.

Copyright © 1996-2012, Paragon Application Systems