5

Trying to read a debit card number using standard EMV protocol on a card that supports NFC Interac Flash.

Here is my transaction sequence:

Request1: 00A404000E325041592E5359532E444446303100 (Select 2PAY.SYS.DDF01 to get PSE directory)

Response1: 6F2C840E325041592E5359532E4444463031A51ABF0C1761154F07A00000027710105007496E74657261638701019000 (AID A0000002771010 found, Interac)

Request2: 00A4040007A000000277101000 (Select AID A0000002771010)

Response2: 6F348407A0000002771010A5295007496E74657261638701015F2D02656E9F38159F59039F5A019F02069F1A025F2A029F37049F58016285 (Selected AID, response include PDOL, see image below.

https://i.stack.imgur.com/c9FjM.png

Request3: 80A800001583130000990000000000000001240124000001230000 (Get processing option, based on structure above)

Response3: 6985 (Command not allowed; conditions of use not satisfied.)

I am unable to get pass the 6985 error; after 2 days of spec reading and trial-and-error.

Any hints / thoughts / successful example in reading card number from a Debit Card (Interac)? Card being tested is a TD Debit Card with Interac Flash contactless function.

Thanks a lot!

--- Note: I was able to read card number from Visa and MasterCard without GET PROCESSING OPTION. But since I kept getting 6985 without GPO, I try to do it, but failed. I don't really need to do GPO, just need to get card number and expiration date. ---

Billy
  • 437
  • 1
  • 6
  • 13

2 Answers2

7

The "Dual Interface Reader/Terminal Specification for Interac Direct Payment" version 1.4 indicates that the card should respond with SW1 SW2 = 6985 when the internal Application Transaction Counter (ATC) reaches its maximum value :

3.2.6 GET PROCESSING OPTIONS command

... If ATC reaches its maximum value (‘FFFF’), the card response to GET PROCESSING OPTION is SW1SW2 = ’69 85’.

However, the card probably rejects the GET PROCESSING OPTIONS (GPO) command because of an invalid response to its requested PDOL. Here's a comparison of the values sent in your GPO command with the ones in a valid Interac Flash transaction :

TAG  LEN MEANING                                YOUR SAMPLE    VALID SAMPLE
9F59 03  Terminal Transaction Information       000099         C08000
9F5A 01  Terminal transaction Type              00             00               
9F02 06  amount, authorised                     000000000000   000000001000
9F1A 02  Terminal country code                  0124           0124
5F2A 02  Transaction currency code              0124           0124
9F37 04  Unpredictable number                   00000123       823DDE7A 
9F58 01  Merchant Type Indicator                00             01

You'll notice that :

  1. The Terminal Transaction Information seems invalid. It should be set according to your reader capabilities.
  2. The amount may not be supported by the card : you're trying to do a 0$ purchase.
  3. The merchant type indicator is invalid (valid values range from 01 to 05)

Once you'll have corrected these values, the card will most likely accept the GPO command, and you'll be able to read the PAN using the READ RECORD commands.

Hope this helps.

Below is an example of an accepted InteracFlash purchase, up to the accepted GPO command. PCD identifies the commands sent by the contactless reader/terminal, PICC identifies the responses from the InteracFlash card :

PCD     Select File
PCD         CLA: 00
PCD         INS: A4
PCD         P1: 04
PCD         P2: 00
PCD         Lc: 0E
PCD         Data: 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31
PCD         Le: 00
PICC    Successful
PICC        Data (46 bytes)
PICC            Tag 6F:FCI Template
PICC            Length:2C
PICC            Value :84 0E 32 50 41 59 2E 53 59 53 2E 44 44 46 30 31 
        A5 1A BF 0C 17 61 15 4F 07 A0 00 00 02 77 10 10 
        87 01 01 50 07 49 4E 54 45 52 41 43
PICC                Tag 84:Dedicated File (DF) Name
PICC                Length:0E
PICC                Value :32 50 41 59 2E 53 59 53 2E 44 44 46 30 31
PICC                Tag A5:FCI Proprietary Template
PICC                Length:1A
PICC                Value :BF 0C 17 61 15 4F 07 A0 00 00 02 77 10 10 87 01 
        01 50 07 49 4E 54 45 52 41 43
PICC                    Tag BF0C:FCI Discretionary Data
PICC                    Length:17
PICC                    Value :61 15 4F 07 A0 00 00 02 77 10 10 87 01 01 50 07 
        49 4E 54 45 52 41 43
PICC                        Tag 61:Application Template
PICC                        Length:15
PICC                        Value :4F 07 A0 00 00 02 77 10 10 87 01 01 50 07 49 4E 
        54 45 52 41 43
PICC                            Tag 4F:Application Identifier
PICC                            Length:07
PICC                            Value :A0 00 00 02 77 10 10
PICC                            Tag 87:Application Priority Indicator
PICC                            Length:01
PICC                            Value :01
PICC                            Tag 50:Application Label
PICC                            Length:07
PICC                            Value :49 4E 54 45 52 41 43
PICC                            ASCII Value:INTERAC
PICC            SW1 SW2: 90 00
PCD     Select File
PCD         CLA: 00
PCD         INS: A4
PCD         P1: 04
PCD         P2: 00
PCD         Lc: 07
PCD         Data: A0 00 00 02 77 10 10
PCD         Le: 00
PICC    Successful
PICC        Data (62 bytes)
PICC            Tag 6F:FCI Template
PICC            Length:3C
PICC            Value :84 07 A0 00 00 02 77 10 10 A5 31 50 07 49 4E 54 
        45 52 41 43 87 01 01 9F 38 15 9F 59 03 9F 5A 01 
        9F 02 06 9F 1A 02 5F 2A 02 9F 37 04 9F 58 01 5F 
        2D 02 65 6E BF 0C 05 9F 4D 02 0B 14
PICC                Tag 84:Dedicated File (DF) Name
PICC                Length:07
PICC                Value :A0 00 00 02 77 10 10
PICC                Tag A5:FCI Proprietary Template
PICC                Length:31
PICC                Value :50 07 49 4E 54 45 52 41 43 87 01 01 9F 38 15 9F 
        59 03 9F 5A 01 9F 02 06 9F 1A 02 5F 2A 02 9F 37 
        04 9F 58 01 5F 2D 02 65 6E BF 0C 05 9F 4D 02 0B 
        14
PICC                    Tag 50:Application Label
PICC                    Length:07
PICC                    Value :49 4E 54 45 52 41 43
PICC                    ASCII Value:INTERAC
PICC                    Tag 87:Application Priority Indicator
PICC                    Length:01
PICC                    Value :01
PICC                    Tag 9F38:Processing Options Data Object List (PDOL)
PICC                    Length:15
PICC                    Value :9F 59 03 9F 5A 01 9F 02 06 9F 1A 02 5F 2A 02 9F 
        37 04 9F 58 01
PICC                        Tag 9F59:Terminal Transaction Information
PICC                        Length:03
PICC                        Tag 9F5A:Terminal transaction Type
PICC                        Length:01
PICC                        Tag 9F02:Amount, Authorized (Numeric)
PICC                        Length:06
PICC                        Tag 9F1A:Terminal Country Code
PICC                        Length:02
PICC                        Tag 5F2A:Transaction Currency Code
PICC                        Length:02
PICC                        Tag 9F37:Unpredictable Number
PICC                        Length:04
PICC                        Tag 9F58:Merchant Type Indicator
PICC                        Length:01
PICC                    Tag 5F2D:Language Preference
PICC                    Length:02
PICC                    Value :65 6E
PICC                    ASCII Value:en
PICC                    Tag BF0C:FCI Discretionary Data
PICC                    Length:05
PICC                    Value :9F 4D 02 0B 14
PICC                        Tag 9F4D:Log Entry
PICC                        Length:02
PICC                        Value :0B 14
PICC            SW1 SW2: 90 00
PCD     Get Processing Options
PCD         CLA: 80
PCD         INS: A8
PCD         P1: 00
PCD         P2: 00
PCD         Lc: 15
PCD         Data: 83 13 C0 80 00 00 00 00 00 00 10 00 01 24 01 24 
        82 3D DE 7A 01
PCD         Le: 00
PICC    Successful
PICC        Data (23 bytes)
PICC            Tag 77:Response Message Template Format 2
PICC            Length:15
PICC            Value :82 02 18 00 94 08 08 01 01 00 10 01 02 00 9F 63 
        04 00 10 00 00
PICC                Tag 82:Application Interchange Profile
PICC                Length:02
PICC                Value :18 00
PICC                Tag 94:Application File Locator (AFL)
PICC                Length:08
PICC                Value :08 01 01 00 10 01 02 00
PICC                Tag 9F63:Card Transaction Information
PICC                Length:04
PICC                Value :00 10 00 00
PICC            SW1 SW2: 90 00
...
Nicolas Riousset
  • 3,447
  • 1
  • 22
  • 25
  • thanks so much for detailed response. I will test the adjustments tonight and report back to the group! – Billy Mar 25 '14 at 10:53
  • tried a new request #3 based on your suggested values: 80A80000158313C080000000000000100001240124823DDE7A0100 and it still returns 6985. I looked up 9F59 and 9F58 in the EMV spec and it seems to have different meanings (Consecutive Transaction Counter Upper Limit (CTCUL) and Consecutive Transaction Counter Limit (CTCL) respectively). Different from yours (assuming it's a special meaning assigned by Interac)? Any thoughts? thanks so much! – Billy Mar 26 '14 at 00:35
  • You're right, 9F59 and 9F58 have a different meaning in the Interac Specification, different from the one in the EMV spec. Interac specification is not public, do you have access to it ? – Nicolas Riousset Mar 26 '14 at 13:50
  • I do not have access to it... would you know who I can speak with to gain access? thanks! – Billy Mar 26 '14 at 20:41
  • Sorry, the document was provided to me by my company, and since it's flagged as confidential, I can't just upload a copy. I guess you would have to contact the Interac Association to get a copy. Good luck. – Nicolas Riousset Mar 27 '14 at 20:06
  • No problem... appreciate all your help here! In the mean time, if you have additional hints on why 6985 is still showing up on my message sequence, it would be great! – Billy Mar 30 '14 at 02:55
  • An example message exchanges including GPO would be very helpful too. – Billy Mar 30 '14 at 19:15
  • I've updated my response to include a successful InteracFlash purchase dialog, up to the GPO response. You'll find the full dialog here : http://nicolas.riousset.com/example-of-an-emv-dialog-for-an-interacflash-transaction/ – Nicolas Riousset Mar 31 '14 at 13:42
  • I managed to get through the GPO using your instructions after replacing my malfunctioning TD debit card. Just one more step, then I would be there. Here is the result of GPO request/response and then getting a 6985 on a READ RECORD. `80A80000158313C080000000000000100001240124823DDE7A0100 (GPO request) 7711820218009404100102009F6304001000009000 (GPO response, success!) 00B2010C00 (READ RECORD) 6985 (failed)` Any hints? My GPO has a different response compared to yours. – Billy Apr 02 '14 at 00:08
  • Finally... My AFL is different from yours and I need to READ RECORD using this request `00B2011400` based on the SFI encoding instructions here [link](http://www.openscdp.org/scripts/tutorial/emv/reademv.html) – Billy Apr 02 '14 at 00:42
  • Great, so you eventually go it working ? Glad for you ! – Nicolas Riousset Apr 02 '14 at 18:01
3

Here is the whole working flow, with GPO and READ RECORD instructions.

Request1: 00A404000E325041592E5359532E444446303100
Response1: 6F2C840E325041592E5359532E4444463031A51ABF0C1761154F07A00000027710105007496E74657261638701019000

Request2: 00A4040007A000000277101000  (SELECT)
Response2: 6F348407A0000002771010A5295007496E74657261638701015F2D02656E9F38159F59039F5A019F02069F1A025F2A029F37049F58019000

Request3: 80A80000158313C080000000000000100001240124823DDE7A0100 (GPO)
Response3: 7711820218009404100102009F6304001000009000

Request4: 00B2011400 (READ RECORD)
Response4: 70615A08XXXXXXXXXXXXXXXXX5F3401015F24031711308E0C0000000000000000010302038C159F02069F03069F1A0295055F2A029A039C019F37048D09910A8A0295059F37049F0D05FCF8FCF8F09F0E0500100000009F0F05FCF8FCF8F09F070229009000

Thanks to Nicolas Riousset. My problems included incorrect PDOL response, a dead EMV card and finally in the READ RECORD, I need to read record 2 to pick up the track data. (not record 1)

Billy
  • 437
  • 1
  • 6
  • 13