Contents -- Acknowledgments xv -- 1 Introduction 1 -- Part I: Magnetic stripe debit and credit cards 3 -- Part II: Chip migration with EMV 3 -- Part III: Remote debit and credit with EMV 5 -- Part 1 Magnetic Stripe Debit and Credit Cards 7 -- 2 Payment Card Processing 9 -- 2.1 Payment card processing at a glance 10 -- 2.2 Roles involved in payment card processing 13 -- 2.3 Payment card brands 15 -- 2.4 Credit and debit payment cards 16 -- 2.5 Focusing on the magnetic stripe card 17 -- 2.6 Threats and security protections 24 -- 2.7 Processing at the point of service 34 -- 2.8 Payment network and interchange messages 37 -- 2.9 On-line authorization 45 -- 2.10 Clearing and settlement 47 -- Part 2 Chip Migration with EMV 51 -- 3 Chip Migration 53 -- 3.1 A business case for chip migration 54 -- 3.2 An overview of the chip card technology 56 -- 3.3 Proprietary payment application 69 -- 3.4 Interoperable payment application 80 -- 4 EMV Compliant Data Organization 91 -- 4.1 Organization of the EMV specifications 92 -- 4.2 EMV data elements 96 -- 4.3 EMV file system 99 -- 4.4 EMV application selection 115 -- 5 EMV Certificates 125 -- 5.1 Certification mechanism and algorithm 125 -- 5.2 Public key certificate for RSA scheme 126 -- 5.3 Entities and certifiers 127 -- 5.4 Entity public key remainder 129 -- 5.5 EMV certification chains 129 -- 5.6 Issuing EMV public key certificates 132 -- 5.7 Verifying EMV public key certificates 136 -- 5.8 Issuing signed static application data 140 -- 5.9 Verifying the Signed Static Application Data 144 -- 6 Debit and Credit with EMV 147 -- 6.1 Overview of the EMV debit/credit transaction 148 -- 6.2 Initiate application processing 152 -- 6.3 Read application data 156 -- 6.4 Off-line data authentication 160 -- 6.5 Processing restrictions 174 -- 6.6 Cardholder verification 178 -- 6.7 Terminal risk management 195.

6.8 Terminal action analysis 201 -- 6.9 On-line processing and issuer authentication 217 -- 6.10 Issuer scripts 222 -- 7 EMV Chip Migration Issues 227 -- 7.1 EMV regulatory framework 228 -- 7.2 Deriving ICC specifications by issuers 236 -- 7.3 Selection criteria of the ICC architecture 239 -- 7.4 Multiapplication ICC 242 -- 7.5 Issuer's business case 253 -- 7.6 Adaptive initiate application processing 255 -- 7.7 Design criteria for CAM selection 259 -- 7.8 Design criteria for CVM 267 -- 7.9 Processing restrictions 271 -- 7.10 Card risk management 273 -- Part 3 Remote Debit and Credit with EMV 289 -- 8 Remote Card Payments and EMV 291 -- 8.1 A model for remote card payments 293 -- 8.2 Security aspects of remote card payments 295 -- 8.3 Remote payment method based on TLS 306 -- 8.4 SET-based solutions 310 -- 8.5 TLS versus SET or wallet servers and EMV cards 332 -- 8.6 Transaction processing for chip e-commerce 340 -- Appendix A: Security Framework 359 -- Appendix B: Generic Security Threats 363 -- Appendix C: Security Services 367 -- C.1 Service description 367 -- C.2 Realization of security services 370 -- Appendix D: Security Mechanisms 373 -- D.1 Encryption 373 -- D.2 Cryptographic hash functions 376 -- D.3 Digital signature schemes 380 -- D.4 Public key certificates 384 -- D.5 Cardholder verification mechanisms 387 -- D.6 SDA mechanisms 392 -- D.7 DDA mechanisms 394 -- Appendix E: Block Ciphers 399 -- E.1 Definition and parameters 399 -- E.2 Modes of operation 400 -- E.3 DES, Triple-DES, and AES 402 -- E.4 MAC using a 64 bit-length block cipher 404 -- E.5 Key derivation 405 -- Appendix F: RSA Encryption and Signature Scheme 407 -- F.1 Key generation 407 -- F.2 Public and secret RSA operations 409 -- F.3 Digital signature giving message recovery 410 -- F.4 Digital signature and encryption with PKCS#1 414.

Appendix G: E-Commerce and M-Commerce Related Technologies 419 -- G.1 E-commerce and m-commerce 419 -- G.2 SIM, STK, SMS, and WAP 420 -- G.3 Access devices for remote card payments 421 -- G.4 WAP protocol suite compared to Internet 426.