Ah, So That’s What’s in My Wallet!

By Sahana Arya and Alana Alfeche

Credit cards are Capital One’s main physical product, and teams all over the company work to support this product whether it’s in the form of product development, software engineering, design, etc. For example, Alana is a data engineer working on rewards applications for external partners while Sahana works to support data scientists developing machine learning models used to derive insights from card customer calls. Like many others at Capital One, we know what needs to be done to support credit card initiatives, but we were curious about how physical credit cards actually work!

Our curiosity propelled us to dig deeper and learn more about this technology.  We were fascinated by what we learned about physical credit card technology and figured other software engineers would be interested in learning the same.

We compiled all of our research on EMV chip credit cards and shared it with our fellow Capital One associates during the company’s largest internal Software Engineering Conference (SECON). We were excited to see Software Engineers all over the company learning from our talk, which broke down EMV technology concepts into easily digestible components. Today, our Intro to EMV technology video is still the most-viewed and most-endorsed of all SECON 2020 videos.

Now, with this blog post, we wanted to take it one step further and share these concepts with the rest of the Software Engineering community.

TL;DR - Your wallet has a mini computer inside it running mini applications that securely process transactions during point-of-sale.

EMV stands for Europay, Mastercard, and Visa. These three international payment systems came together in 1999 to form the limited liability company named EMVCo. EMVCo is in charge of managing the EMV chip specification and supports the testing processes that help enable card-based payment products to work together seamlessly and securely worldwide.

An EMV card contains an embedded chip which is a fully operating computer system. It has memory and can perform small functions when powered by the terminal during point of sale. Unlike in a magnetic stripe card where the card is a simply a data store and the terminal performs all the necessary processing, during an EMV transaction, the chip processes the information and applies the rules that the issuing bank defined in the chip card.

While your card is in the chip-activated terminal it:

• Generates a one-time code for one-time use only.
• Provides alternative cardholder verification methods if the preferred verification is unavailable. For example, it allows cardholders to sign to complete a transaction for terminals that do not support PIN.
• Determines whether or not a transaction must go online for additional authorization.

Before we go further into EMV chip technology, let’s first talk about magnetic stripe technology. Magnetic stripes are a predecessor of EMV chips, so it’s helpful to understand how they work and some of the security concerns associated with these cards, which were later resolved by EMV chips.

Magnetic stripes contain data that identifies a card user and this information is embedded in iron particles in plastic film. The iron particles have magnetic properties, and when the card is swiped, the electronic reader processes the magnetic fields and matches them to the user’s account information.

The stripe itself contains three horizontally stacked tracks, and each track can hold a different amount and type of data (shown in the visualization below). Typically, credit cards use the first two tracks to obtain information, such as account number, cardholder name, expiration date, etc.

Because the data is static on a magnetic stripe, it’s easier to “lift” the information from the card than it is with EMV chips.  You may have heard about fraudsters using devices called “skimmers”, which are capable of skimming and copying the data on the stripe to create duplicate credit cards or access the user’s account online.

Also, magnetic stripe cards don’t have encryption. The card is simply a data store that is read by the payment terminal as-is. After the terminal reads the card, the terminal performs all the processing in collaboration with the issuer and/or payment system and the card is no longer involved in the rest of the process.

Now that we’ve gone over some of the security concerns associated with magnetic stripe cards, let’s talk about how EMV chips address these concerns.

 In an EMV chip the access and manipulation of the physical chip components is a complex task that requires expensive high-tech equipment. Unlike the static data on a magnetic stripe, the data on an EMV chip is constantly changing which makes it difficult to isolate and extract. Additionally, EMV chips have the benefit of built-in encryption. When the chip card is dipped, it establishes an encrypted connection with the terminal to enforce the transaction rules written on the chip. Both the card and the terminal then collaborate to determine the outcome of the transaction.

Imagine this - you’re in the checkout line at your nearest grocery store. Your cashier finishes scanning all your items and asks you whether you’re paying by cash or card. You decide on a card, the terminal lights up and presents instructions to insert your credit card. You orient the card with the metallic chip facing up and “dip-the-chip” into the terminal. Within a few seconds, the payment is approved!

But what actually happened within those few seconds? Well, below are the steps that took place during this point of sale transaction:

1. Terminal + EMV Chip Application Selection

• The terminal has a list of every EMV application that it’s configured to support.
• The terminal and chip “agree” on a common application so that the card can supply the correct data records for the transaction. In some cases, the cardholder might have to choose an application if there are multiple supported applications.

2. Read Application Data

• Terminal reads application data records from the card, which include PAN, expiration date, and other information used for transaction processing.

3. Data Authentication

• Online-only terminals are not required to support offline data authentication. With these terminals, the transaction is always sent online to the issuer for verification.
• All other terminals perform one of three offline data authentication methods depending on the capabilities of the card and the terminal (see table below):

Static Data Authentication (SDA)	Dynamic Data Authentication (DDA)	Combined DDA/Application Cryptogram Generation (CDA)
Validates a “static cryptogram” that was generated based on select card information and placed on the card during personalization. Note - this doesn’t prevent card “skimming”.	The chip and terminal each generate a “dynamic” cryptogram” which is unique to the transaction. The card is verified as authentic when these two dynamic cryptograms match.	Combines card authentication (using DDA) and transaction request to prevent attackers from intercepting and rerouting the approval decision to a different card.

4. Processing Restrictions

• Checks to confirm that the chip is allowed to do the requested transaction.
• Verifies the application compatibility between the chip and terminal.

5. Cardholder Verification Methods

• Signature
• Online PIN
• Offline Encrypted PIN
• Offline Plaintext PIN
• No Cardholder Verification Method (CVM) required

6. Terminal Risk Management

• The terminal performs several checks, such as floor limit, to determine whether the transaction needs to be processed online.

7. Terminal Action Analysis

• Based on the previous steps, the terminal then requests a result of offline approval, offline decline, or further online processing.

8. Card Action Analysis

• Based on the rules and limits defined by the card issuer, the chip will respond with a result of offline approval, offline decline, or further online processing.

9. Online Processing and Issuer Authentication

• Should the chip request further online processing, the terminal sends a request to the issuer for authorization and online card authentication.

10. Transaction Completed

• Finally, the transaction is completed and the card is removed.

When we started learning about EMV technology, we were fascinated by the complex, yet elegant design of the technology. Admittedly, the concepts were difficult for us to grasp at first, but as we continued our research and consulted internal subject matter experts about this technology, we were able to break down these concepts into understandable components that allowed us to solidify our understanding of Capital One’s main product. We hope that this breakdown of EMV chip technology helped provide insights into the fascinating technology powering 80.1% of worldwide credit card transactions today!

 

Header image is a Background photo created by jcomp - www.freepik.com