0

I am developing an android payment application which is emv compatible. In this application con-tactless card acceptance has been integrated, how ever for the certification purposes it is required to determine the CVM applied on the transaction. for a con-tactless transaction how do we determine the CVM method applied for the transaction ? for example if the transaction amount is above the CVM limit and the user entered online pin, at the end I want to determine that ,the user has entered online PIN

harshana
  • 1
  • 1
  • 2
  • It's unclear what is your environment. If you are developing the app, how is it that you don't know the method that *was* performed? What component is reading the card and where does the user enter PIN? Is it a separate device? – Michal Gluchowski Sep 13 '19 at 09:43
  • thank you for the anwer micheal. the applied cvm method is determined and depends on many variables. its not desirable to determine by the application. as emvco kernal states that task tied within the scope of kernel. once its determined the cvm it should out put the result – harshana Sep 13 '19 at 12:52
  • to be clear, it is possible to to program the algorithm analyzing the tags. 9f66,9f6c and 82 tags. but this is not necessary and would create false decisions since certain tags are specific to certain card issuers. – harshana Sep 13 '19 at 12:54
  • yes, exactly - this is normally kernel task. Is your application using the card reader and containing the kernel or is it in external component? Doesn't the kernel you use inform you about the CVM to be performed? – Michal Gluchowski Sep 13 '19 at 13:15
  • Thank you for your reply micheal, The reader has a certified kernal, everything is fine for contact card But for the con tactless cards the kernal doesn't, actually the correct CVM is applied by the kernal, but the kernal doesn't expose a method to the user application to identify the CVM which has already been applied.. since the kernal is a very complicated part even the vendor support team is bit confused about it, finally i decided to write the algorithm for this in user application analyzing the above said tags. – harshana Sep 14 '19 at 02:27
  • OK. That is a bit unusual for the reader not to expose the CVM method. Unfortunately, it will be different things you should check for different specs. For MC M/Chip try CVMR as it should indicate the method. For MC magstripe you will need to do it manually based on CVM limit and select method yourself (preferably based on Service Code). For qVSDC, CTQ would be the most convenient but when it is not available there is a predefined order of CVM selection that you will find in the documentation. – Michal Gluchowski Sep 16 '19 at 04:34

2 Answers2

1

If you have "lame" EMV kernel which don't provide CVM output for CTLS then your only option is to parse it from transaction output. Unfortunately every card issuer using their specific way of "handling" CVM output.

Step 1

Determine card issuer and card type. Use AID (tag 4F) to do it.

Step 2

Visa and UnionPay EMV - you need to parse tag 9F6C - Card Transaction Qualifiers where Byte 1 bit 8 set to 1 means Online PIN. Byte 1 bit 7 set to 1 means Signature.

JCB EMV - (JCB have 2 other modes but it's not in use in my region. Possibly it's already deprecated for whole world.) you need to parse tag 9F50 - Cardholder verification status where 00 means No CVM. 10 means Signature. 20 means Online PIN.

MasterCard EMV - (MasterCard have also MSR mode but it's not in use in my region) you need to parse tag 9F34 - CVM Results. This is same tag as for contact transactions so just check and follow contact EMV book rules.

MasterCard Mobile - I'm not 100% sure but it has to be same as for MasterCard EMV.

Amex EMV - parse tag 95 - Terminal Verification Result. When Byte 3 bit 3 is set to 1 then CVM is Online PIN else No CVM.

Amex Mobile - parse tag 9F71 - Mobile CVM Results. Check corresponding EMV Contactless book for specs.

For other issuers you have to check corresponding EMV Contactless books.

Robert
  • 96
  • 1
  • 5
0

There is no update from terminal to mobile app on the used CVM during tap. If using a a mobile wallet( with Wallet providers Visa and MasterCard ) you will get a notification from MDES/VTS after transaction completion, in which you can see(give a try ) whether the CVM used is present along with the transaction Approved/Declined status. If that too is not available, the only way left behind is to get it from the issuer system.

Adarsh Nanu
  • 2,133
  • 1
  • 13
  • 18
  • Dear Adarsh Thank you very much for your comment, this is not a mobile application . this is android terminal application. the terminal application is developed using android. – harshana Sep 17 '19 at 03:23