Comparing Chip Card and Magnetic Stripe Card Transaction Flows

    1. Next, the card and the terminal must determine if they have at least one Application ID in common.

      The chip card is programmed with one or more Application IDs, which indicate the particular networks, programs, or applications the card supports (for example, PLUS®2 or Cirrus®2). Similarly, each chip-capable device must be configured to support one or more Application IDs, depending on the acquirer agreements. If the card and the device have no Application ID in common, there are usually rules that must be followed to determine whether the transaction can proceed.

    2. Assuming there is a match with at least one Application ID, the chip card creates a request cryptogram.

      The cryptogram is a collection of several pieces of data related to the card and the transaction that is encrypted under a special key stored in the card.

  1. This request cryptogram, along with other EMV-related information from the card and the terminal, is sent to the acquirer.
  2. Then, the request cryptogram is sent to the issuer.
  3. The issuer verifies the request cryptogram and optionally generates a response cryptogram.

    By verifying the cryptogram, the issuer is assured that the transaction came from the chip card (and was not fraudulently introduced into the transaction request path).

    If the request cryptogram is verified successfully, the issuer may generate a response cryptogram.

    (The issuer can also send a command back to the chip card as part of the transaction response that will update some specific fields within the chip.)

  4. The response cryptogram is passed in the response that goes back to the acquirer.
  5. Then, the response cryptogram is passed in the response to the device.
  6. At this point, the device has to once again communicate with the chip card, because the card will try to verify the response cryptogram. By doing so, the chip card can be assured that the response came from the issuer, and was not fraudulently introduced into the transaction response path.

There are other steps involved in the card-device interaction, but the previous steps illustrate the basic transaction flow. (Interested in a more technical discussion of chip card transaction flow? See Beyond Cards and Terminals: Considerations for Testing Host-to-Host EMV Processing.)
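
The request and response cryptogram exchange from the steps above, as an added Python example that is not part of the original article. HMAC-SHA-256 truncated to 8 bytes stands in for the card scheme's cryptogram algorithm, which the article does not specify; the key, the field layout (amount, currency, terminal nonce, card counter) and the response codes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample key; assumed shared by the card and its issuer.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def mac8(key, *fields):
    """8-byte MAC over length-prefixed fields (HMAC-SHA-256 stand-in)."""
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


def card_request_cryptogram(key, txn):
    """Card: bind the transaction fields to the key held in the chip."""
    return mac8(key, b"REQ", *txn)


def issuer_authorise(key, txn, request_cryptogram, approve=True):
    """Issuer: recompute the request cryptogram before deciding anything."""
    expected = card_request_cryptogram(key, txn)
    if not hmac.compare_digest(expected, request_cryptogram):
        return None  # not produced by this card over these fields
    code = b"00" if approve else b"05"  # sample approve/decline codes
    return code, mac8(key, b"RSP", request_cryptogram, code)


def card_verify_response(key, request_cryptogram, code, response_cryptogram):
    """Card: accept the response only if the issuer's cryptogram matches."""
    expected = mac8(key, b"RSP", request_cryptogram, code)
    return hmac.compare_digest(expected, response_cryptogram)


def demo():
    # Constructed fields: amount, currency, terminal nonce, card counter.
    txn = (b"000000002500", b"0840", b"\x1a\x2b\x3c\x4d", b"\x00\x07")
    req = card_request_cryptogram(CARD_KEY, txn)
    code, rsp = issuer_authorise(CARD_KEY, txn, req)
    altered = (b"000000250000",) + txn[1:]  # amount changed in transit
    _, decline_rsp = issuer_authorise(CARD_KEY, txn, req, approve=False)
    return {
        "genuine_request": code == b"00",
        "altered_request": issuer_authorise(CARD_KEY, altered, req) is not None,
        "genuine_response": card_verify_response(CARD_KEY, req, code, rsp),
        "forged_approval": card_verify_response(CARD_KEY, req, b"00", decline_rsp),
    }


if __name__ == "__main__":
    print(demo())
```

The two failing cases correspond to the two assurances in the flow: the issuer rejects a request whose fields no longer match the card's cryptogram, and the card rejects a decline that was rewritten to an approval on the way back.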

2 PLUS Network is a registered trademark of Visa International. Cirrus is a registered trademark of MasterCard Worldwide.