Lesson 2.1: Chip cards

Hello and welcome to the second chapter of our course on the fundamentals of card payment. This chapter is called the technology, and we are going to run an overview of the different technologies involved.

In this first lesson, we are going to talk about chip cards. Before we talk about chip cards, let's discuss payment cards in general. If a payment card contains a chip, the chip will clearly be visible. If the payment card supports contactless payment, it will typically display the contactless logo somewhere on the card. Cards generally show the logo or name of the card issuer.

A card will also show the name of the payment network that it can be used with. We are talking about Visa, MasterCard, American Express and so on. All payment cards have a card number, or PAN, for primary account number, showing on the card. In most cases, the card number is embossed, so that it shows in 3D on the card. This is so that the merchant can take a physical impression of the card information, which is a very outdated method.

We will cover how this card number is constructed in the next chapter. Cards also contain an expiry date, which nowadays is typically three or four years after the card is issued. The expiry date is also typically embossed on the cards. The reason why an expiry date is needed is mostly because of the size of cryptographic keys that are used. In essence, you would want the lifespan of a card to be shorter than the time it takes to run a brute force attack on its keys.

Payment cards also display the cardholder name, also typically embossed. And there are a number of anti-counterfeiting features, the most visible of them being a hologram provided by the payment network. So that's for the front side. On the back side, payment cards typically have a magnetic stripe. It can contain up to three information tracks, although, with payment cards, this is typically limited to 2.

The information that is magnetically encoded contains the card number, expiry date, some verification numbers, and sometimes the cardholder name. Most cards also contain a signature box, where the cardholder is supposed to write his or her signature upon receiving the card. But signature is rapidly becoming an outdated method of verification. Most cards also contain a check digit, technically known as CVV2, for card verification value two. This number is used for transactions where the card is not present, these days, mostly online.

This number comes from a cryptographic computation based on the card number, the expiry date, and a key that only the card issuer knows. Let's now turn our focus on chip cards. When you work in the card payment space, you will essentially be confronted with two types of cards. Live cards, which have been issued by issuers to be used for actual payment. This is the kind of cards that you probably have in your wallet.

It contains a unique card number, which points to your account, and it's secured with keys only known to your card issuer. There are also test cards, which are used for testing, certification and training. Those cards have generic card numbers that do not point to any account, and they are secured with published keys. Those cards only work on payment terminals and ATMs that are set up in test mode, so you cannot use them to make real purchases. You can buy those from companies like Merchant Testcards.

The actual chip on a card is a security-hardened microchip. It has many security features that other microchips do not have, such as a shield to prevent physical attacks, and software countermeasures to prevent hacking. The chip itself is very small; it measures about 1 square millimeter. And it is hidden under the gold coating. The position of the pins on a card is specified by ISO 7816.

This ensures global interoperability. Because, if you think about it, whenever you insert a chip card inside a payment terminal, all the pins need to be at the same place; otherwise, the card could not be powered up. The diagram on the screen shows the required positions of the pins. But the specification is a lot more precise than this diagram. All the international payment networks' cards are compatible with a global standard called EMV.

At a very low level, EMV is based on ISO 7816. 7816 describes how chip cards work at the electronic level. It also describes some of the basic software functions that are common to all chip cards, including SIM cards, access cards, and so on. One layer above ISO 7816 is EMV Level 1. Level 1 could be called the packet level.

Above Level 1 is Level 2. EMV Level 2 is the application level. The main purpose of this application level is to ensure interoperability between the various payment networks. Each and every payment chip card is compatible with EMV Level 2. Which means that any payment terminal in the world can operate any payment chip card in the world, regardless of the payments network it belongs to.

At the very top of the pyramid is what we could call the payments network specific level. This level, which does not remove anything in terms of interoperability, allows each payment network to have a differentiated application, and in effect, allows it to manage risk in their own way, and to offer their own features to their customers. Let us have a quick look at contactless chips. Where contact chips are compliant with ISO 7816, a contactless card is compliant with ISO 14443. And if a card is dual interface, like many are nowadays, it is actually compliant with both standards.

If we were to look closely at a contactless card, we would see that it has an antenna inside. A bit like your mobile phone has an antenna that runs around the screen for Wi-Fi, a contactless card has a wire running around its edges to act as an antenna. With some cards, you can actually see it by transparency if you look at it with a bright light in the background. It is also why, if you bend a card, usually by leaving it in your pocket, the contact chip will still work, but it will not respond to contactless any more.

Simply because the antenna is broken. So, the way contactless works is by having the payment terminal act as a transmitter, and the chip card act as a receiver. The terminal will generate a magnetic field that the chip card will catch thanks to its antenna. The field is converted into electricity, and serves to power up the chip card.

At the same time as it is used to transmit information. This is all part of ISO 14443. Similarly to many computer chips, a chip card contains: processing units, and we mean to use the plural here, because, nowadays, they all have cryptographic units on top of the regular processing unit. It also contains working memory: RAM.

Storage memory, which used to be EEPROM, and now is mostly flash memory. And software programs, and it is the software that makes a chip card a payment card. So, effectively, when a chip card is powered up, its software program starts. It isn't too dissimilar from a computer or a mobile phone. Just like any modern system, a chip card contains several software layers.

At the very low level, there is an input/output block. This is how all cards communicate with the world. Also at the very low level, there are other hardware functions that need to be managed. Above this, it is customary to have a hardware abstraction layer. Payment chip cards mostly come in two flavours: closed platform and open platform.

With open platform, the card issuer or a partner can load other types of applications on a card, like a loyalty application. This would typically be coded in Java Card and run on a virtual machine, but there are also other technologies. Payment cards always at least contain a payment application, such as a VISA or MasterCard application. But they can also contain dedicated ATM applications for specific ATM networks. Or a secondary payment application.

For example, a debit application. Or an electronic purse. Or a loyalty application, for instance to store vouchers or loyalty points. Or any kind of application that the card issuer wants their customers to benefit from.

If we go back to our internal picture of how software is stacked inside a chip, and we forget all about the hardware management side, a chip card contains a file system. This is not too dissimilar to the kind of file system you are accustomed to with your computer. At the very bottom is a root folder.

If you are a Windows user, you might think about it as your C: drive. Inside that root folder, each application on the chip card can be seen as a subfolder. In this example, the card has a main payment application. This could be a VISA or MasterCard or American Express or Discover application, or any other payment application. Sitting next to this one, the card has an ATM application.

And, sitting at the same level, our card example also has other applications, like loyalty. Now let's focus only on the main payment application. When an application is running on a chip card, it also contains files and folders. Some of them are visible from the outside. And some are kept hidden, only used for internal processing.

In general, payment applications will contain keys, which obviously have to stay hidden. Most payment applications also contain an offline PIN code, which is also for internal use only. They also always contain internal data, such as: application data, that dictate how the application is supposed to run; issuer data, mostly security-related items so that the card issuer can adjust the level of security; and cardholder data, to identify the cardholder.

And finally, payment applications contain external data. Those are pieces of information that payment terminals will be instructed to read from the card. They are structured in the form of files and records. Most cards contain several files, and each file may contain several records. So, in effect, when a terminal chooses to run an application on a chip card, two things happen.

The first one is that the card runs a piece of code that allows it to provide responses to terminal requests in a manner that is compliant with what the payment network is expecting. And the second one is that it opens a folder on the chip card, making only the pieces of information listed under the folder available at that time. Before we conclude this video, let us have a quick look at how a chip card processes PIN verification. One of the major differences between chip cards and swipe cards is the ability to verify the cardholder PIN at the point of sale. This operation is called offline PIN verification.

As opposed to online PIN verification, where the PIN is securely sent to the card issuer for verification. With offline PIN verification, the card is injected with a PIN code during card personalization. The PIN code can be changed, usually at an ATM. The card contains an internal counter, named "PIN Try Counter", or PTC, to limit the number of retries. This is usually set to 3.

The "PIN Try Counter" is stored in persistent memory, so the value stays if the card is removed. When the "PIN Try Counter" reaches zero, offline PIN verification can no longer be performed. Offline PIN verification is optional. It is a feature that can be activated by the card issuer. This concludes the first lesson in this chapter.

Thank you for watching it!
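
The offline PIN check and the persistent "PIN Try Counter" described in this lesson, modelled as an added example (it is not code from the course or from any card vendor). The class names, the sample PIN and the choice to spend a try before comparing are assumptions; the status words follow the ISO 7816-4 convention (`9000` success, `63Cx` wrong PIN with x tries left, `6983` blocked).

```python
import hmac

PIN_TRY_LIMIT = 3  # "usually set to 3" in the lesson


class NonVolatileMemory:
    """Hypothetical stand-in for the chip's EEPROM/flash: survives power loss."""

    def __init__(self, reference_pin: str):
        self.reference_pin = reference_pin      # injected at personalization
        self.pin_try_counter = PIN_TRY_LIMIT    # the PTC


class CardSession:
    """One power-up of the card; everything lasting lives in `nvm`."""

    def __init__(self, nvm: NonVolatileMemory):
        self.nvm = nvm

    def verify_pin(self, candidate: str) -> int:
        """Offline PIN check; returns an ISO 7816-4 style status word."""
        if self.nvm.pin_try_counter == 0:
            return 0x6983                       # PIN blocked, no comparison made
        # Assumption: spend the try *before* comparing, so that removing the
        # card mid-check can never yield a free guess.
        self.nvm.pin_try_counter -= 1
        if hmac.compare_digest(candidate.encode(), self.nvm.reference_pin.encode()):
            self.nvm.pin_try_counter = PIN_TRY_LIMIT   # success restores the PTC
            return 0x9000
        return 0x63C0 | self.nvm.pin_try_counter       # 63Cx: x tries left


def demo():
    """Each CardSession(nvm) models removing and re-inserting the card."""
    nvm = NonVolatileMemory("4821")             # constructed sample PIN
    guesses = ["0000", "1111", "4821", "0001", "0002", "0003", "4821"]
    words = [CardSession(nvm).verify_pin(g) for g in guesses]
    return words, nvm.pin_try_counter


if __name__ == "__main__":
    words, ptc = demo()
    print([f"{w:04X}" for w in words], "PTC =", ptc)
```

The last guess is the correct PIN, yet it is refused: once the counter has reached zero the card no longer performs the comparison at all.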