Payment Application - EMV

Question

I'm developing a payment application for Android. I've read all four EMV books (version 4.3) which I used to implement the protocol for the communication with a terminal. I also bought the terminal simulator kit from Mastercard for testing my application.

With this simulator I'm able to read data from my real, physical debit card to get informations like the issuer public key certificate, etc. I put these informations into my application to "simulate" a card. But there is some data I don't receive through the terminal simulator like the Issuer Master Key for generating the Application Cryptogram.

So my question is if there is any possibility to get the missing data? Maybe it's online available? Or do I have to cooperate with an issuer bank? Sorry for this general question but I really appreciate every tip you have for me! Thank you!

score 2 · Accepted Answer · answered Sep 14 '18 at 03:37

2

Can I say that you are trying to create a NFC wallet on Android and trying to test it on a Simulator from MasterCard ?

Not everything can be taken out of the card or everyone would have started cloning and the market would have flooded with fake cards :)

Security of an EMV transaction is protected with a cryptogram. Every transaction carries a different cryptogram using a key. Check this and this.

But be it a Secure Element Wallet or HCE, Issuer Master Key is not loaded directly to the wallet. In case of Secure Element a Trusted Server connects to Wallet and shares the Card Key which is derived from Issuer Master Key and during a transaction, session key is generated from the card key using which Cryptogram will be generated. When it is HSE, you will mostly store only session keys as it is not as secure as SE. You can store a couple of session keys each one single use or one session key which could be used multiple times, - All depending on your implementation.

answered Sep 14 '18 at 03:37

Adarsh Nanu

2,133
1
13
18

Yes, you can say that. – Sabina Sep 16 '18 at 14:53
Did I answer your question? Or are there any missing pieces? – Adarsh Nanu Sep 16 '18 at 14:54
But for example it is said that SDA isn‘t as secure as DDAs and therefore it is possible to duplicate cards with SDA. – Sabina Sep 16 '18 at 14:55
So do you recommend a cooperation with a issuer because your opinion is that cards can‘t get duplicated? – Sabina Sep 16 '18 at 14:57
SDA can only ensure that the data is not altered after it has been issued. – Adarsh Nanu Sep 16 '18 at 14:58
So cards which use SDA can be duplicated? – Sabina Sep 16 '18 at 14:58
When a card is issued, there is a card issuer, who would validate the card, which in this context cryptogram. So yes. An issuer is involved. – Adarsh Nanu Sep 16 '18 at 15:00
I really appreciate your help! So, what is your recommendation for me? – Sabina Sep 16 '18 at 15:00
Unlike mag stripe cards, It's not easy to clone a chip card. If at all you acheive cloning, SDA cards are the easiest to be. – Adarsh Nanu Sep 16 '18 at 15:01
I only want to test my application through cloning. So when my application works then i want to ask different issuers for a cooperation. But when this way is not the best I would try to contact an issuer first – Sabina Sep 16 '18 at 15:03
Wallets do not work in isolation, you can build every functionality. But for you to create a cryptogram and someone to validate, there should be matching keys on both ends. – Adarsh Nanu Sep 16 '18 at 15:03
Cloning a card is illegal in the first place. There are agreed ways of developing mobile applications and wallets. Go by it, don't go for shortcuts. It's ofcourse a big effort but there is no gain without pain. – Adarsh Nanu Sep 16 '18 at 15:05
Ok, thank you very much for your help and for discussing with me about the problem. This helps a lot!! Thank you! – Sabina Sep 16 '18 at 15:06

score 2 · Answer 2 · answered Sep 17 '18 at 11:59

But there is some data I don't receive through the terminal simulator like the Issuer Master Key for generating the Application Cryptogram.

you can read only some data from the card like records personalized under AFL, sensitive information like Cryptogram key can never read from the card.

Real Process is like:-

1 - Card generate the cryptogram with using its AC key and will send cryptogram to HOST for validation,

2 - Host calculate the cryptogram with its key and it will succeed if both cryptogram match.

as you said you are using your live debit card, actually it's almost impossible to guess what AC key is reside in it.

hope it helps.

score 2 · Answer 3 · answered Sep 25 '18 at 19:47

The Issuer Master Keys is generated and kept in Issuer's host HSM. Each issued card is loaded with derived keys from Issuer Master Keys. Therefore, each card has its own derived keys. Since the keys are used for Application Cryptogram calculation and AC must be trusted, the keys can NEVER be read (if it can, the security of EMV is broken). For this reason, the Issuer will NOT share the Issuer Master Keys with anyone but only be kept in HSM!

Payment Application - EMV

3 Answers3