2

I am working with the MasterCard credit card, and I have a question about the exact steps which I need to take to perform the CDA authentication.

If I understood the procedure correctly, I should first send the GENERATE AC command followed by an EXTERNAL AUTHENTICATE?

My GENERATE AC command looks like:

80 AE 40 00 42 00 00 00 00 01 00 00 00 00 00 00 00 01 91 00 00 00 00 00 01 91 01 01 01 00 01 02 03 04 12 01 02 01 02 03 04 05 06 07 08 00 01 02 12 04 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

And the response (RESPONSE) I get from the card looks like:

77 29

9F 27 01 80

9F 36 02 00 5C

9F 26 08 AE 7D 66 E4 50 15 D5 A4 (Application Cryptogram)

9F 10 12 02 10 A0 00 00 2A 08 00 01 02 00 00 00 00 00 00 00 FF

90 00

In the next step, I am triggering 'EXTERNAL AUTHENTICATE' with the command:

00 82 00 00 AE 7D 66 E4 50 15 D5 A4 02 10 A0 00 00 2A 08 00

The response I get after that is a 2 Byte array [109, 0], that is 6D. Does this mean that I'm doing something wrong?

Any advice would be appreciated.

magic

5 Answers

2

In the First Generate AC command you sent byte P1 = "40", trying to complete the transaction with a TC cryptogram. But the card decided to force you to go online with an ARQC cryptogram. In the card reply, Tag 0x9F27 points to the cryptogram type, and the ARQC cryptogram value is in Tag 0x9F26.

- TLVs:  # EMV, Tag + Length + Value (TLV) series
  - x77:  # EMV, Template, Response Message Format 2
      tag: "77"
      len: "29" #   // 41
    - val:  # Template, Response Message Format 2.
      - x9F27:  # EMV, Cryptogram Information Data (CID)
          tag: "9F27"
          len: "01" #   // 1
          val: "80" # Cryptogram Information Data (CID).
          # 10______ - bits 8-7, ARQC
          # _____000 - bits 3-1 (Reason/Advice/Referral Code), No information given
      - x9F36:  # EMV, Application Transaction Counter (ATC)
          tag: "9F36"
          len: "02" #   // 2
          val: "005C" # Application Transaction Counter (ATC).  // 92
      - x9F26:  # EMV, Cryptogram, Application
          tag: "9F26"
          len: "08" #   // 8
          val: "AE7D66E45015D5A4" # Cryptogram, Application.
      - x9F10:  # EMV, Issuer Application Data (IAD)
          tag: "9F10"
          len: "12" #   // 18
          val: "0210A000002A0800010200000000000000FF" # Issuer Application Data (IAD).

You tried to execute External Authenticate without using the correct Issuer Authentication Data (Tag 0x91). In the real world your terminal should get it online from the authorisation host. In a test environment you may calculate this tag value yourself (if you know the algorithms and some card data, keys required for ARPC calculation). Also, as noticed before, you forgot to put the Lc byte with the length in the APDU command.

It could be a case when online ARQC cryptogram validation is not possible (offline-capable terminals, link broken, etc.). In this case your terminal should execute the Second Generate AC, asking again to complete the transaction with a TC cryptogram and using an Authorization Response Code (Tag 0x8A) specific to offline transaction completion.

Also keep in mind that there are 4 CDA modes which can be supported by EMV terminal kernels and your application.

Please follow the transaction flows defined in the EMV specifications published on the EMVCo site.

iso8583.info support
  • Okay, so I sent First Generate AC, and card replied with ARQC. So I need to send Second Generate AC? Not EXTERNAL AUTHENTICATE? What is Authorization Response Code (Tag 0x8A) in that case? – magic Mar 15 '16 at 14:41
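The decoding walked through in the answer above can be reproduced with a small BER-TLV parser. This is an added example, not code from the thread or from any EMV kernel: the function names are hypothetical, and the bit layouts it relies on (CID bits 8-7, GENERATE AC P1 bit 5 as the CDA request, tag 9F4B as Signed Dynamic Application Data) are taken from EMV Book 3 rather than from the posts. It also checks the short-form Lc framing that the answer says is missing from the EXTERNAL AUTHENTICATE command.

```python
CRYPTOGRAM = {0b00: "AAC", 0b01: "TC", 0b10: "ARQC", 0b11: "RFU"}

def parse_tlv(data: bytes) -> list:
    """BER-TLV -> [(tag_hex, value)]; constructed templates recurse."""
    out, i = [], 0
    while i < len(data):
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:          # tag continues in following bytes
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                 # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError(f"tag {tag}: value truncated")
        i += length
        out.append((tag, parse_tlv(value) if first & 0x20 else value))
    return out

def decode_p1(p1: int) -> tuple:
    """GENERATE AC P1: bits 8-7 requested cryptogram, bit 5 CDA requested."""
    return CRYPTOGRAM[p1 >> 6], bool(p1 & 0x10)

def decode_gen_ac(resp: bytes) -> dict:
    """Summarise a format 2 (template 77) GENERATE AC response."""
    fields = dict(parse_tlv(resp)[0][1])
    return {"type": CRYPTOGRAM[fields["9F27"][0] >> 6],
            "atc": int.from_bytes(fields["9F36"], "big"),
            "ac": fields["9F26"].hex().upper() if "9F26" in fields else None,
            "cda_signed": "9F4B" in fields}   # Signed Dynamic Application Data

def lc_framing_ok(apdu: bytes) -> bool:
    """Short-form APDU only: body is empty, Le, Lc+data or Lc+data+Le."""
    body = apdu[4:]
    if len(body) <= 1:
        return len(apdu) >= 4
    return body[0] != 0 and body[0] in (len(body) - 1, len(body) - 2)

# Bytes copied from the question (status word 90 00 removed).
RESP = bytes.fromhex("77299F2701809F3602005C9F2608AE7D66E45015D5A4"
                     "9F10120210A000002A0800010200000000000000FF")
EXT_AUTH = bytes.fromhex("00820000AE7D66E45015D5A40210A000002A0800")
```

On the question's bytes, `decode_p1(0x40)` shows a TC request with the CDA bit clear, `decode_gen_ac(RESP)` shows an ARQC with no 9F4B present, and `lc_framing_ok(EXT_AUTH)` is false because the first body byte (AE) is read as Lc.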
1

You are asking the card to generate a TC first. The card does risk management and comes back to you with an ARQC. The ARQC has to be verified by the issuer, so you send the ARQC with all the necessary data to the issuer.

If the terminal is able to send the data to the host {
    Issuer verifies the ARQC and generates an ARPC - Tag 91 (ARC is used in generation - Tag 8A).
    ARPC is sent back to the terminal.
    Terminal is now to do External Authenticate( 91[len][data]81[len][date] )
    This should give you either 9000 or 6300.
    In case it is 9000, you ask the card to generate a TC in Second Gen AC
} else if the terminal is not able to go online and the TAC and IAC Defaults allow offline {
    you ask the card to generate a TC in Second Gen AC
} else if the terminal is not able to go online and the TAC and IAC Defaults do not allow offline {
    you ask the card to generate an AAC in Second Gen AC
}
Transaction ends.

Hope this clarifies

Adarsh Nanu
1

MasterCard doesn't support the 'EXTERNAL AUTHENTICATE' command in USER phase. That's why the card responds with 6D00 ('Instruction code not supported or invalid'). You should perform the second Generate AC with issuer authentication data.

Alexander Vgn
0

6D00 means 'Instruction code not supported or invalid'

77 29 9F 27 01 80: when the Cryptogram Information Data is 80, it means the 4th bit is on, correct? Which means it is not an ARQC, but it is 'Advice Required'. Maybe that is the reason?

Instead of posting a raw hex dump, it would be better if you could split the message by components.

Adarsh Nanu
0

The EMV standards cover this in Part 3: http://emvco.com/specifications.aspx?id=223

If the ICC responds with an ARQC, the terminal attempts to go online, sending an authorisation request message to the issuer. Included in the authorisation request message is the ARQC for online card authentication.

So the card you have may be configured for “online” only transactions, or the test transaction amount is over the floor limit set on the card.

Check the CVM list (I think tag 8E is in the 2 1 record) returned by the card. http://www.openscdp.org/scripts/tutorial/emv/cardholderverification.html

And this should tell you what the floor limits are and what CVM modes the card uses.

Also, try a few different test cards. I find it handy to try multiple different cards when testing my code.