I am quite sure that everyone reading this post has a debit or credit card, and at some point you may have wondered how it works. What happens when you swipe the card? How does contactless tapping work? Why is there a chip in my card? With this post I will try to answer the basic questions about credit/debit cards:
- What is a debit/credit card?
- How is it manufactured?
- How does it work?
- Contact Card payments
- Contactless Card payments
- EMV based Contactless Mobile payments
- EMV based Tokenization
What is a debit/credit card?
A credit/debit card is a payment card issued to an individual (the cardholder) that enables the cardholder to pay a merchant. Such cards are usually issued by banks.
Credit cards have existed since the 1930s; back then they took a very crude form based on military dog tags. In September 1958, Bank of America launched the BankAmericard in Fresno, California, which would become the first successful recognizably modern credit card.
Payment cards come in two versions:
1. Magstripe based cards
Such cards store data on a magnetic stripe. Every time you swipe one through a terminal/reader, the reader reads the information stored in the stripe and conveys it to the payment network, and the payment goes through.
2. Chip & PIN based cards, aka smart cards
In smart cards the information is stored on a chip instead of a magnetic stripe. As with all technology, smart card manufacturing and development is bound by technical specifications.
Smart cards follow the EMVCo (Europay, Mastercard, Visa) specification. EMV is a payment technology standard for debit and credit card transactions. It provides transaction security features, reduces the risk of card-present fraud, and provides other application capabilities that aren’t available with magnetic stripe cards.
There are two major benefits of smart-card-based credit card payment systems:
- improved security (with associated fraud reduction),
- the possibility of finer control over “offline” credit-card transaction approvals.
One of the original goals of EMV was to provide for multiple applications on a card, for example a credit and debit card application or an e-purse. So if you reside in Singapore and use a DBS card, your DBS debit card has applications for contact payments, contactless payments, ERP payments and EZlink payments.
How is it manufactured?
Manufacturing a smart card is a long process. The standard size is defined by the ISO/IEC 7810 specification.
The size of a credit card is 85.60 × 53.98 mm (3.370 × 2.125 in) with rounded corners of radius 2.88–3.48 mm, in accordance with ISO/IEC 7810 ID-1; this is the same size as ATM cards and other payment cards, such as debit cards. All card sizes have a thickness of 0.76 mm (1/32 in).
The whole magic (aka the secret sauce) of a smart card lies in the ICC chip. The chip runs a Java, MULTOS or .NET based operating system, on which all the algorithms and cardholder data are stored. It also has firmware which manages:
- On-card storage
- Authentication
- Encryption
How does it work?
There are two parts: the operating system of the smart card, and the independent applications you develop on top of that OS. There are primarily three types of smart cards: (1) Java based, (2) MULTOS based, (3) Windows based.
For Java Cards, applications are written in Java and are called Java Card applets. Each application is loaded individually onto the card, so there can be one payment application from your bank and another application for your metro travel. For example, in Singapore we have bank cards which double up as MRT cards: they carry one bank application and another EZlink application.
Card application development
Card application development follows specifications from EMVCo. Every time you swipe your smart card, a series of EMV commands is exchanged in a certain sequence. The typical EMV steps are shown below:
EMVCo Commands
The commands shown above are exchanged between the terminal and the card. The terminal (T) sends the commands and the card (C) sends a response to each command.
The whole process can be broken into 3 parts:
- Initialization: selecting the relevant application on the card
- Transaction analysis: running the security process to validate that the correct card/terminal/data are being exchanged
- Decision: approve/reject the transaction
Initialization
http://www.cs.ru.nl/~erikpoll/papers/EMVtechreport.pdf
1. The terminal sends a SELECT command to the card.
2. The card returns the FCI, and the terminal identifies whether it supports the application present on the card.
3. The terminal selects the application via the PSE by reading the DIR (directory information); the DIR provides a list of entries (AIDs).
4. Next the terminal sends a GPO command with the PDOL, and the card returns the AIP and AFL.
- The AIP contains info about what the card supports (e.g. SDA/DDA/CDA)
- The AFL contains the list of files and records for the selected application
5. The terminal sends READ RECORD commands to the card, reading the following data:
- Primary account number
- CDOL1, CDOL2 (data objects related to card risk management)
- Issuer PKI certificate
- CVM list (cardholder verification methods)
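As an added example (not code from the original post), the following Python takes the card's GPO response from step 4, decodes the AIP capability bits and the AFL, and derives the READ RECORD commands the terminal issues in step 5; it handles both the format 1 (tag 80) and format 2 (tag 77) response layouts from EMV Book 3, and the response bytes are constructed for illustration.

```python
"""Decode an EMV GPO response into the AIP capability flags and the READ RECORD
commands a terminal derives from the AFL. Added example, not from the post; the
tags 80/77/82/94, AIP bits and READ RECORD P2 encoding follow EMV Book 3."""

AIP_BYTE1_FLAGS = {  # AIP byte 1 bit meanings (EMV Book 3, Annex C1)
    0x40: "SDA supported", 0x20: "DDA supported",
    0x10: "Cardholder verification supported", 0x08: "Terminal risk management to be performed",
    0x04: "Issuer authentication supported", 0x01: "CDA supported"}

def parse_tlv(data: bytes) -> dict:  # minimal BER-TLV parser for EMV responses
    out, i = {}, 0
    while i < len(data):
        tag = data[i]; i += 1
        if tag & 0x1F == 0x1F:                 # two-byte tag, e.g. 9F27
            tag = (tag << 8) | data[i]; i += 1
        length = data[i]; i += 1
        if length & 0x80:                      # long-form length (81 xx, 82 xx xx)
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big"); i += n
        out[tag] = data[i:i + length]; i += length
    return out

def split_gpo_response(resp: bytes) -> tuple:
    """Return (AIP, AFL) from a format 1 (tag 80) or format 2 (tag 77) response."""
    tlv = parse_tlv(resp)
    if 0x80 in tlv:                            # format 1: AIP || AFL, no inner tags
        return tlv[0x80][:2], tlv[0x80][2:]
    inner = parse_tlv(tlv[0x77])               # format 2: 82 = AIP, 94 = AFL
    return inner[0x82], inner[0x94]

def aip_capabilities(aip: bytes) -> list:
    return [name for bit, name in AIP_BYTE1_FLAGS.items() if aip[0] & bit]

def read_record_apdus(afl: bytes) -> list:
    """AFL entry = SFI (upper 5 bits), first record, last record, #records for ODA."""
    if len(afl) % 4:
        raise ValueError("AFL length must be a multiple of 4")
    apdus = []
    for i in range(0, len(afl), 4):
        sfi, first, last = afl[i] >> 3, afl[i + 1], afl[i + 2]
        for rec in range(first, last + 1):     # CLA 00 INS B2 P1=rec P2=(SFI<<3)|4 Le 00
            apdus.append(bytes([0x00, 0xB2, rec, (sfi << 3) | 0x04, 0x00]))
    return apdus

# Constructed format 1 response: AIP 3C00, AFL entries 08010100 and 10010201.
SAMPLE_GPO = bytes.fromhex("800A3C00" "08010100" "10010201")

if __name__ == "__main__":
    aip, afl = split_gpo_response(SAMPLE_GPO)
    print(aip_capabilities(aip), [a.hex() for a in read_record_apdus(afl)])
```

For the constructed response the AIP advertises DDA, so a terminal would expect to find the issuer certificate and ICC public key among the records it reads from SFI 1 and SFI 2.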
Transaction analysis and security checks
After the SELECT, GPO and READ RECORD commands, we enter the security domain, where:
- Offline data authentication is performed
- Cardholder verification is done
For offline data authentication the following things are checked:
- Data integrity: the data read by the terminal has not been tampered with
- Data authentication: the card presented is a genuine card.
For cardholder verification the following options are available (this is where you as a consumer enter your PIN before making a transaction):
- No signature
- Plaintext PIN
- Enciphered PIN
- Signature
Decision
In the final step of an EMV session, after the optional card authentication and cardholder verification, the actual transaction is performed. Transactions can be offline or online. The terminal chooses which it wants to use, but the card may refuse to do a transaction offline and force the terminal to do an online transaction instead.
For a transaction the card generates one or two cryptograms: one in the case of an offline transaction, and two in the case of an online transaction.
- In an offline transaction the card provides a proof to the terminal that a transaction took place by means of a Transaction Certificate (TC), which the terminal sends to the issuer later.
- In an online transaction the card first provides an Authorisation Request Cryptogram (ARQC) which the terminal forwards to the issuer for approval. If the card receives approval, the card then provides a Transaction Certificate (TC) as proof that the transaction has been completed.
In both online and offline transactions the card can also choose to refuse or abort the transaction, in which case an Application Authentication Cryptogram (AAC) is provided instead of a TC or ARQC.
Contact Transactions
Every time you insert a card into the payment terminal, or swipe it through the terminal, the transaction is categorized as a contact transaction, and the set of EMV commands described in the previous sections is exchanged.
Contactless Transactions
While card payments started with contact cards, where contact between the chip and the terminal was a necessity, with contactless cards there is no need for an electrical connection between card and terminal for energy/data transfer. Contactless payments work on the principle of inductive coupling.
Contactless transactions are faster than contact ones and are very common these days, e.g. Mastercard PayPass and Visa payWave.
EMVCo has come up with its own specifications for contactless payments, and vendors are also free to come up with their own specifications, so Visa and Mastercard each have their own contactless payment specs. Still, the core remains the same, and the set of commands is similar to contact with some variations.
Contactless Mobile Transactions
With the advent of the mobile age we can now use our mobile phones to make contactless payments. As with all card based payments, the core of payment processing still happens via EMVCo commands, with variations in terms of the following: [5]
- How a card is digitized in your mobile wallet/app
- Security implementations
Your mobile phone needs an NFC chip, as well as an app for processing payments that is tied to a bank and a payment provider such as Visa or Mastercard.
The typical architecture for contactless mobile payment is shown below. Your mobile app is the user interface and the NFC chip acts as the contactless module.
EMV based Tokenization
Payment transactions are made more secure by the concept of payment tokenization. The Payment Tokenisation Specification provides an interoperable technical framework that benefits acquirers, merchants, card issuers and cardholders. This technical framework describes a global payment tokenization ecosystem that overlays and interoperates with existing payment ecosystems to support digital commerce and new methods of payment. [6]
Links
- ISO 7816 (contact): https://en.wikipedia.org/wiki/ISO/IEC_7816
- ISO 14443 (contactless): https://en.wikipedia.org/wiki/ISO/IEC_14443
- EMVCo: https://en.wikipedia.org/wiki/EMV
- EMVCo Specification: https://www.emvco.com
- Mobile payments guide: https://squareup.com/guides/mobile-payments
- Payment tokenisation: https://www.emvco.com/emv-technologies/payment-tokenisation/
- Tokenization explained: https://www.ul-ts.com/offerings/knowledge-sharing/white-papers/featured-white-papers/tokenization-explained/c-39/c-2004/p-1622
- EMV in a nutshell — a research paper