The ABCs of EMV: Glossary of Terms

-A-

Acquirer Device Validation Toolkit (ADVT)
A set of test cards and test scenarios designed to ensure that chip reading devices are configured in accordance with Visa requirements and are capable of successfully processing specific card personalization attributes. Processors use this tool to certify ATM kernels.

Advanced Encryption Standard (AES)
Approved symmetric cryptographic algorithm that is commonly used to encrypt and decrypt data.

Application
The application is the payment software installed on the chip that runs the EMV authentication process.

Application Authentication Cryptogram (AAC)
Application Cryptogram generated by the integrated circuit card (ICC) when declining a transaction offline.

Application Cryptogram (AC)
Cryptogram generated by the ICC in response to a GENERATE AC command from the chip-enabled terminal; there are three possible cryptograms that can be generated by the ICC: AAC, ARQC or TC.

Application Identifier (AID)
An identifier used to identify each of the available applications stored on the EMV card. Acquirers use the AID to determine which applications on the card they also support. An EMV card may have many AIDs stored on it, and terminals may support multiple network AIDs and applications. AIDs can be specific to a network or be common among different networks. Visa debit cards require the Visa AID and the Visa U.S. Common AID. We anticipate that MasterCard will be similar. Any networks participating in the Common U.S. AID will be able to have transactions routed to them. CO-OP has signed a license agreement to use the common AID but you will want to check with your other networks as well.

Application Interchange Profile (AIP)
Identifies the capabilities of the ICC to support specific functions for an application, e.g. offline authentication, cardholder verification, issuer authentication.

Application Priority Indicator (API)
For each application on the ICC, this field indicates whether the application can be automatically selected (without confirmation by the cardholder) and the priority of that application compared to the other applications in the ICC; the priority of each application in the ICC is mandated by the networks that own the application.

Application Selection Indicator (ASI)
For each AID supported by the chip-enabled terminal, this field indicates whether the AID must match the AID in the ICC exactly, including the length of the AID, or whether the AID in the ICC only has to match up to the length of the AID in the terminal.
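
The API and ASI entries above work together during application selection. The following sketch is an added example, not code from the original page or from any network's specification; the AIDs, labels and function names are constructed for illustration, and the API bit layout used (high bit = cardholder confirmation required, low four bits = priority with 1 highest) follows the EMV definition of that field.

```python
# Added example: candidate-list building from ASI (terminal) and API (card).
# All AIDs and labels below are constructed sample values.
from dataclasses import dataclass

@dataclass(frozen=True)
class TerminalAid:
    aid: bytes
    partial_match: bool  # ASI: True = card AID only has to match up to this length

@dataclass(frozen=True)
class CardApp:
    aid: bytes
    api: int   # Application Priority Indicator byte
    label: str

def aid_matches(term: TerminalAid, card_aid: bytes) -> bool:
    if term.partial_match:
        return card_aid[:len(term.aid)] == term.aid
    return card_aid == term.aid  # exact match, including length

def priority(api: int) -> int:
    p = api & 0x0F             # 1 = highest priority, 15 = lowest
    return p if p else 16      # 0 = no priority assigned, sort last

def needs_confirmation(api: int) -> bool:
    return bool(api & 0x80)    # set = no automatic selection

def build_candidate_list(terminal_aids, card_apps):
    """Apps supported by both sides, highest priority first."""
    mutual = [a for a in card_apps
              if any(aid_matches(t, a.aid) for t in terminal_aids)]
    return sorted(mutual, key=lambda a: priority(a.api))

def auto_select(candidates):
    """Highest-priority app that may be chosen without cardholder confirmation."""
    return next((a for a in candidates if not needs_confirmation(a.api)), None)

TERMINAL = [
    TerminalAid(bytes.fromhex("A0000009991010"), partial_match=True),
    TerminalAid(bytes.fromhex("A0000009992020"), partial_match=False),
]
CARD = [
    CardApp(bytes.fromhex("A000000999101001"), 0x02, "Credit"),           # partial match
    CardApp(bytes.fromhex("A000000999202001"), 0x01, "Debit (suffix)"),   # fails exact match
    CardApp(bytes.fromhex("A0000009992020"), 0x81, "Debit (confirm)"),    # exact match
    CardApp(bytes.fromhex("A0000008883030"), 0x03, "Other network"),      # unsupported
]

if __name__ == "__main__":
    cands = build_candidate_list(TERMINAL, CARD)
    print([a.label for a in cands], "->", auto_select(cands).label)
```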

Application Transaction Counter (ATC)
An automated sequential counter on the card that provides a reference to each transaction. A duplicate or large jump in ATC values may indicate data copying or other fraud.
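
An issuer-side check for the ATC anomalies described above, as an added example that is not part of the original page. The card references, sample records and the `MAX_JUMP` threshold are constructed assumptions; the example also goes slightly beyond the text by flagging an ATC lower than the highest one already seen.

```python
# Added example: flag duplicate, regressed or jumping ATC values per card.
# Records and the MAX_JUMP threshold are constructed assumptions.
MAX_JUMP = 20  # assumed issuer policy for the tolerated gap between ATCs

# (card reference, ATC from the authorization request), in arrival order
SAMPLE_AUTHS = [
    ("card-A", 0x0010), ("card-A", 0x0011), ("card-B", 0x0200),
    ("card-A", 0x0011),  # same ATC presented again
    ("card-A", 0x0013),  # small gap, tolerated
    ("card-B", 0x0A00),  # large jump
    ("card-A", 0x0005),  # lower than the highest value already seen
]

def classify_atc(seen, highest, atc, max_jump=MAX_JUMP):
    """Classify one ATC against the history kept for that card."""
    if not 0 <= atc <= 0xFFFF:      # the ATC is a 2-byte counter
        return "invalid"
    if atc in seen:
        return "duplicate"
    if highest is None:             # first transaction seen for this card
        return "ok"
    if atc < highest:
        return "regressed"          # may also be a late-arriving message
    if atc - highest > max_jump:
        return "large_jump"
    return "ok"

def scan(auths, max_jump=MAX_JUMP):
    """Return (index, card, atc, verdict) for every record that is not 'ok'."""
    state = {}                      # card -> (set of seen ATCs, highest ATC)
    findings = []
    for idx, (card, atc) in enumerate(auths):
        seen, highest = state.get(card, (set(), None))
        verdict = classify_atc(seen, highest, atc, max_jump)
        if verdict != "ok":
            findings.append((idx, card, atc, verdict))
        if verdict != "invalid":    # keep history even for flagged values
            seen.add(atc)
            highest = atc if highest is None else max(highest, atc)
        state[card] = (seen, highest)
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_AUTHS):
        print(finding)
```

A finding is a signal for review or step-up rules rather than proof of fraud; a real threshold would be tuned per portfolio.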

Authorization Request Cryptogram (ARQC)
A cryptogram that is generated by the card and is used for Online Card Authentication. The ARQC is produced by encrypting data from the card, terminal and transaction, and it is sent to the issuer in the request message. The issuer processor validates the encrypted data to authenticate the card and ensure that the card was not counterfeited.

Authorization Response Code (ARC)
Indicates the result of the authorization decision (approved, declined, referral); typically one of the data elements used when calculating the ARPC.

Authorization Response Cryptogram (ARPC)
Cryptogram generated by the issuer processor in response to an ARQC; used by the ICC to verify that the response came from the actual issuer.

-C-

Card Authentication Method (CAM)
CAM is the method used by the terminal and/or issuer processor system to determine that the card being used is not counterfeit.

Card Personalization Validation (CPV)
Testing to verify that the chip and personalization are compliant with levels of service, acceptance, interoperability, performance, and security requirements defined by the networks.

Cardholder Verification Method (CVM)
CVM is the method used to verify that the card being used belongs to the cardholder. EMV supports four CVMs: 1. Signature 2. Online PIN 3. Offline PIN 4. No CVM.

Cardholder Verification Method Results (CVR)
Indicates the results of the last CVM performed.

Certificate Authority (CA)
A trusted administrator that issues and revokes certificates and is willing to vouch for the ID of those who receive certificates and their relationship with a given key. This is only applicable when using offline processing or offline PIN.

Chip & PIN
A common term for an EMV issued card.

Chip Compliance Reporting Tool (CCRT)
Visa tool used by acquirers to submit validation results. This is the only accepted method for the submission of ADVT or qVSDC-DM validation results.

Combined Dynamic Data Authentication/Application Cryptogram (CDA)
A method of offline data authentication performed between the ICC and the chip-enabled terminal using dynamic data; an additional cryptogram is generated by the ICC for the purpose of non-repudiation.

Contact Chip Card
A chip embedded into a card that uses a set of contact points on the card to communicate with the terminal hardware. The terminal hardware requires contact with the card in order to communicate with the chip on the card.

Contactless Chip Card
A specific kind of chip that uses near field communication (NFC) to communicate with terminal hardware in an ATM or at a merchant site. It can also refer to software that would be loaded into the memory of a contactless chip card. Because communication with a terminal or device differs between contact and contactless, the two forms of chips typically have different software applications to run the hardware.

Contactless Payments
Transactions that require no contact between the card and the payment terminal. In a contactless transaction, the cardholder passes the contactless card, device or mobile phone in close range (less than 2-4 inches) to the payment terminal. The payment information is communicated wirelessly via radio frequency.

Cryptogram
The end result of the encryption process. Data entered into an algorithm is encrypted, producing the cryptogram. Commonly used cryptograms are Authorization Request Cryptogram (ARQC), Authorization Response Cryptogram (ARPC), Transaction Certificate (TC), and Application Authentication Cryptogram (AAC).

Cryptogram Information Data (CID)
Indicates the type of cryptogram (TC, ARQC, or AAC) and the actions to be performed by the terminal.

-D-

Data Encryption Standard (DES)
A cryptographic algorithm in which two users share the same secret key; it is used in transactions for various functions, such as Online Card Authentication.

Dual Interface Chip Card
A card that has a single chip and two interfaces - usually a contact interface and a contactless interface. A chip with two interfaces accesses the same application and its associated data from either the contact or the contactless interface.

Dynamic Data Authentication (DDA)
A method of offline data authentication performed between the card and the chip-enabled terminal using dynamic data; the cryptogram generated by the card provides security against counterfeiting.

-E-

EMV
Specifications developed by Europay, MasterCard and Visa that ensure EMV cards and terminals operate successfully together.

EMV Application
An EMVCo-approved application that conforms to the security and communications standards set by EMVCo.

EMV Tags
A Tag is a label defined by EMV for use in card processing; as an example, the Application PAN has Tag = 5A.

EMV Terminal
An ATM or point of sale device that is able to process EMV transactions.

EMVCo
The EMV organization that sets the standards for security, communication and formatting of EMV cards.

-F-

Fallback
When an EMV transaction is processed via magnetic stripe at an EMV terminal. The fallback can be as a result of a malfunctioning chip, terminal reader or due to a counterfeit card.

-I-

Instant Issuance
In-branch hardware that is used to issue debit, credit and pre-paid cards to members that open new accounts, request new account services, or request new cards.

Integrated Circuit Card (ICC)
A card with embedded integrated circuits; also known as a smart card or chip card.

International Organization for Standards a.k.a. International Standards Organization (ISO)
International standards-setting body.

Issuer Action Code - Default (IAC)
Settings in the card that specify the issuer's conditions under which a transaction would be rejected if it might have been approved online, but the chip-enabled terminal is unable to process the transaction online.

Issuer Application Data (IAD)
Proprietary application data transmitted to the issuer in an online transaction; must contain, at a minimum, the EMV Tags that were used to calculate the ARQC.

-L-

Liability Shift
The rules associated with determining which party has fraud liability for a particular transaction or situation. Each card association (MasterCard, Visa, etc.) defines the rules around their liability structure.

-M-

Message Authentication Code (MAC)
Short piece of data used to verify that the contents of a message have not changed from when it was created by the sender until it was received by the recipient.

Multi-application Card
Multiple applications loaded onto a single EMV card. Applications could be used for multiple payment networks, loyalty, identification, etc.

-N-

Near Field Communications (NFC)
A standards-based wireless communication technology that allows data to be exchanged between devices that are a few centimeters apart. NFC-enabled mobile phones and contactless chip cards incorporate chips which allow the phones to securely store the payment application and consumer account information.

-O-

Offline Authorization
Offline Authorizations use issuer-defined risk parameters embedded in the card to determine whether the transaction can be authorized without going online to the issuer processor system.
The three forms of offline data authentication are SDA, DDA & CDA. Offline authorization is not currently supported in the United States.

Offline-Only Terminal
A terminal that isn't capable of sending online authorization requests. All transactions are approved offline using the card and terminal only. Examples could include metro or train stations.

Offline PIN
In an EMV transaction, Offline PIN is the process of comparing the PIN entered by the cardholder with the PIN stored on the EMV card without going online to the issuer processor for comparison. Only the result of the comparison is passed to the issuer host system. Offline PIN is not currently supported on debit cards in the United States.

Online Authorization
Authorizing or declining a payment transaction by sending transaction information to the issuer processor and requesting a response.

Online Card Authentication
The validation of an EMV card by the issuer during online authorization to protect against data manipulation and skimming.

Online EMV
Requires all transactions, authentications and authorizations to occur in real time by sending requests and responses online.

Online Issuer Identification
Validation of the issuer by the card to ensure the integrity of the issuer.

Online PIN
The process of comparing the PIN entered by the cardholder with the PIN stored on the issuer host system.

Operating System
The software loaded onto the chip that provides communication between the hardware components of the chip and any software that is loaded into memory. There are 3 flavors of operating systems commonly available for EMV cards: Native, Java and Multos.

-P-

Primary Account Number (PAN)
Unique number used to identify a card; the PAN associated with a specific ICC application is known as the Application PAN.

Payment Card Industry Data Security Standard (PCI DSS)
A framework developed by the Payment Card Industry Security Standards Council for card data security - including prevention, detection and appropriate reaction to security incidents.

Personalization (often called Perso)
Process by which the data specific to the issuer and cardholder are added to the magnetic stripe or chip of a card, such as card number, name etc.

PIN
Personal Identification Number: a secret code or number that an individual memorizes and uses to authenticate his or her identity.

Private Key
The secret component of an encryption process. The private key is always kept secret by its owner. It may be used to digitally sign messages for authentication purposes.

Public Key
The public component of an encryption process, often accompanied by a certificate to prove origin. The public key is usually publicly exposed and available to users.

Public Key Infrastructure (PKI)
Cryptographic technique which enables users to securely communicate over an insecure connection, and reliably verify the identity of the other party.

-Q-

Quick Visa Smart Debit/Credit device Mode (qVSDC-DM)
Visa tool used by acquirers to complete the product approval self-testing requirements for Visa payWave.

-R-

Radio Frequency Identification (RFID)
The method of communication utilizing a radio frequency to conduct a transaction with a contactless card using Near Field Communications protocols.

-S-

Static Data Authentication (SDA)
An authentication technique used in EMV transactions that uses a cryptogram with a static public key certificate and static data elements; the same data is used at the start of every transaction.

-T-

TAG (EMV)
A Tag is a label defined by EMV for use in card processing; as an example, the Application PAN has Tag = 5A.

Terminal Action Code - Default (TAC)
Settings in the terminal that specify the acquirer's conditions under which a transaction would be rejected if it might have been approved online, but the chip-enabled terminal is unable to process the transaction online.

 
