Index_C


C

Candidate list, 115-16
building, directly, 119-21
building, from PSE, 118-19
building process, 115-16
C-APDU, 65-66, 67
EXTERNAL AUTHENTICATE command, 221
GENERATE AC command, 209
GET CHALLENGE command, 189
GET DATA command, 188
GET PROCESSING OPTIONS command, 153, 257, 345
INTERNAL AUTHENTICATE command, 170
READ RECORD command, 107
SELECT command, 104
VERIFY command, 190
CapReq, 331
CapRes, 332
CA public keys
elements, 129
terminal database of, 131
See also Public key certificates
Card acceptor, 14-15
Card applications
allocation tables for, 244
example, 244-45
mapping to triples, 243
set selection, 243-46
Card association
card products, 16
in clearing process, 48
defined, 15
types of, 16
Card authentication, 76
Card authentication method (CAM), 87
design criteria, 259-67
off-line dynamic, 259
off-line static, 259
on-line dynamic, 259-60
security considerations, 263-67
support resource needs, 260
types of, 259-60
Card file structure, 252
Cardholder
accounts database, 33
defined, 14
impersonation, 364
non-repudiation service, 303-4
registration, 316
Cardholder access devices, 295
EMV™ chip cards in, 340-41
threats, 299-300
Cardholder system
account selection request, 352
application list building, 344
application selection mechanism, 344-45
cardholder verification, 347-49
commonChip extension, 352-53
EMV™ card application hosting, 345
EMV™ chip card interaction, 353
GET PROCESSING OPTIONS command, 345
not receiving PRes message, 355
off-line PIN entry prompt, 348
on-line PIN entry prompt, 348
payment options, 342
PInitReq creation, 346
PInitRes reception, 346
PReq creation, 350-51
PRes message and, 355
read application data, 345
receiving PRes message, 355
terminal action analysis, 349-50
See also Chip e-commerce
Cardholder verification
with biometrics, 391-92
chip e-commerce, 347-49
common processing (terminal), 184-86
data objects in, 181-83
defined, 178-79
EMV™ debit/credit, 178-95
EMV™ methods, 179-81
impersonation vs., 27-29
mechanisms, 387-92
off-line PIN processing, 186-91
on-line PIN processing, 194-95
RSA digital envelope, 191-94
rules (CVRs), 181, 258
Cardholder Verification Method (CVM), 87
Code (CVM code), 181-82, 259
Condition Code (CVM Condition Code), 182, 258
design criteria, 267-70
enciphered PIN verified on-line, 267-68, 387-88
implementation requirements, 269-70
manual signature, 387
plaintext/enciphered PIN verification by ICC, 268, 388-89
support resources, 269
Cardholder Verification Method List (CVM List), 182-83, 258
definition policies, 270
guidelines, 270
Card products, 16
Card risk management (CRM), 273-86
components, 273-74
data, 278-83
external data objects, 278
financial accumulators and accumulator limit parameters, 281-83
input/output perspective, 274
internal data objects, 278
processing counters and counter limit parameters, 280-81
specification, 273
transaction flow tags, 279-80
See also CRM functions
CDOL1/CDOL2, 209-11
Certification authority, 313-15
algorithm, 315
illustrated, 315
root, 314
See also SET
Chip cards. See ICCs
Chip e-commerce
account/card selection, 342
application processing initiation, 345-46
application selection, 344-45
authorization request/response, 353-54
AuthReq, 353-54
AuthRes, 354
cardholder verification, 347-49
EMV™ application context, 342-46
EMV™ transaction profile, 342-44
PANData template, 351, 352
PReq, 350
purchase initialization, 346-47
purchase request and response, 350-53
terminal action analysis, 349-50
transaction completion, 355-56
transaction flow, 341
transaction processing, 340-56
Chip migration, 3-4, 53-90
business case for, 54-56
cost of, 55
revenue streams and, 56
Cipher block chaining mode (CBC), 401
Cipher feedback chaining mode (CFB), 401
Clearing
batch file, 48
card association and, 48
defined, 47
off-line, 42-43
on-line, 42, 44
Colluding attacks, 33-34
Command application protocol data unit. See C-APDU
Command/response format, 65-66
C-APDU, 65-66
interoperable payment application, 87
preestablished, 73-75
proprietary payment application, 73-75
R-APDU, 66
variable, 87
See also ICCs
CommonChip extension, 352-53
Common Electronic Purse Specification (CEPS), 371
Communications channel threats, 296-99
data modification, 297-98, 365
denial-of-service, 299, 365
impersonation, 298-99
interception, 364
physical penetration, 365-66
sniffing, 296-97
time coordinate, 365
wiretapping, 363-64
See also Remote card payment security; Threats
Confidentiality
data, 367
secure messaging for, 367
services (CS), 301
Consistency rules, 158-60
Consumer-to-consumer (C2C) payment, 1
Counterfeiting, 31-33, 54
defined, 31-32
embossed financial data, 32
track 3 and, 32
See also Threats
Counterfeit transactions, 233-34
acquirer in, 234
issuer in, 235
liability distribution, 234
Credit cards, 16-17
APR, 17
defined, 16-17
stolen, 28
See also Payment cards
CRM functions, 273, 274-78
categories, 275
DDA processing error, 276
definitions, 283-86
input values, 278
issuer authentication error, 276, 283-84
issuer script processing error, 277
on-line authorization not completed, 276
overspending in a period, 277, 284-86
overspending in consecutive off-line transactions, 277-78
PDOL processing error, 375
PIN try limit exceeded, 276
SDA processing error, 275
See also Card risk management (CRM)
Crypto check digits (CCD), 24
Cryptographic hash functions, 376-80
defined, 377
MAC, 379-80
proposed, 378
requirements, 377-78
See also Security mechanisms
Cryptographic primitives, 360-61
Cryptographic support
asymmetric, 87-90
symmetric, 76-80
Cycle begin parameter, 23
Cycle length parameter, 23



Implementing Electronic Card Payment Systems (Artech House Computer Security Series)
ISBN: 1580533051
EAN: 2147483647
Year: 2003
Pages: 131
Authors: Cristian Radu
