EMV 4.2c Updates

Posted on: November 4th, 2010 by level_admin No Comments

From November 1st 2010, the new EMVCo 4.2c test cases have come into effect. These contain new and updated tests for all the EMV specification changes that have been introduced by EMVCo bulletins over the past year, covering the following topics:

EMVCo Specification Bulletin 75

This bulletin clarifies how the terminal should populate the Application Identifier (AID) – terminal field during a transaction. This has particular significance for cards that use partial AID matching (where the AID on the card is longer than that on the terminal, for example if the card has specific domestic functionality) where the value that should be set was ambiguously defined.

EMVCo Specification Bulletin 76

This bulletin clarifies that terminals are permitted to use a proprietary means of language selection, rather than having to use the EMV defined language selection method. With the EMV method, it is only possible to select the language after the terminal has started to process the card, but this is unsuitable for devices that require additional cardholder interaction prior to inserting their card (for example, when purchasing a transport ticket at an unattended device it is necessary to select the required ticket before staring the payment).

In addition, the bulletin clarifies how devices should perform language selection when they support multiple languages but do not have a means of allowing the cardholder to choose a preferred language.

EMVCo Specification Bulletin 78

This bulletin removes the need for terminals to support the ability to process nested directories of applications on a card when creating the candidate list of mutually supported applications. This complex directory structure has generally not been used by cards (except in EMVCo certification test cases) and because EMVCo had concerns about the potential for interoperability issues with this functionality they have decided to remove the need to support it. Terminals are now permitted to ignore the nested directory entries but may optionally process them (although any such processing is now “outside the scope of EMV”).

EMVCo Specification Bulletin 79

EMVCo have now clarified that all attended terminals must request entry of the transaction amount (and cash-back amount, if cash-back is supported by the device) prior to issuing the Get Processing Options command, if the card requests either of these 2 data fields (although unattended devices are not subject to this requirement).

In the case of cash-back this is actually a rather strange requirement in EMV and is counter-intuitive, as at that stage the card will not yet have supplied the Application Usage Control (AUC) field that indicates if the card supports cash-back transactions. Therefore a terminal could potentially offer the customer the option of cash-back and then have to decline the whole transaction if the card subsequently indicates that it does not support cash-back!

EMVCo Specification Bulletin 82

This bulletin contains a number of un-related changes to the EMV specifications.

The most significant of these is that offline capable terminals are now required to perform Terminal Risk Management (e.g. checking of the transaction amount against floor limits to decide if online authorisation is required) for every transaction, irrespective of whether the card requests it. This corrects a long-running anomaly between EMVCo and the major card schemes, as the card schemes have mandated this behaviour but it has only been optional in EMV, meaning that terminals could be fully EMV-compliant but could not be used in the real-world.

Another interesting change is that EMVCo now recommend that all terminals which support offline cryptographic processing should also support certificate revocation lists. If any of the certificates used by EMV cards become compromised, these lists allow that certificate to be revoked on terminals to prevent fraudsters from exploiting the vulnerability.

CreditCall’s family of EMV Kernels are maintained to the very latest EMV Level 2 and industry standards, so you can be certain that they provide the best EMV solutions both now and in the future. Check out the EmvX website for further details of these EMV Level 2 Kernels.

Tags: , , , ,