Preview only show first 10 pages with watermark. For full document please download

Personalisation Quality Control Of Emv Cards

   EMBED

Share

Transcript

Personalisation Quality Control of EMV Cards ICMA EuroForum Munich, October 2014 Br i a n S u m m e rhayes M a n aging D i rec tor Ba r n es I nte r n at ional © 2014 BARNES INTERNATIONAL LIMITED 1 Agenda Payment Application Personalisation Quality Control Offline Card Personalisation Validation Testing QC Inline QC + Offline Card Personalisation Validation Testing QC 100% Inline QC with Card Personalisation Testing Validation QC © 2014 BARNES INTERNATIONAL LIMITED 2 Personalisation Quality Control Testing © 2014 BARNES INTERNATIONAL LIMITED 3 Personalisation Quality Control – Why? Chip cards have far more information inside them compared with a magnetic stripe Chip cards have far more complicated coding compared with a simple magnetic stripe Dual interface cards are also complex to code with shared parameters © 2014 BARNES INTERNATIONAL LIMITED • Magnetic Stripe vs Chip Data • Correct Keys • Validation vs Payments Scheme • Issuer/ Card Tag values 4 Data sent to card during personalisation Data Elements Magnetic Stripe Contact Chip Data Contactless Chip Data (if DI or CL card) Cryptographic Keys Embossing on card face Printing, including CVV on reverse © 2014 BARNES INTERNATIONAL LIMITED 5 Card Personalisation Some of the data fields should be standard across all products e.g. Issuer Country Code Most of the data fields are particular to one type of card template for each issuer, e.g. CVM List Some of the data fields will be unique to the cardholder e.g. Account Number (PAN) and cardholder name © 2014 BARNES INTERNATIONAL LIMITED 6 Potential Personalisation Errors Data errors  Magnetic Stripe encoding errors  Cardholder data Transposition errors  Cryptographic Errors  Formatting Errors  Incorrect Perso Data, e.g. Country / Currency code missmatch Specification errors © 2014 BARNES INTERNATIONAL LIMITED 7 Personalisation QC Quality Control of the cards in manufacturing and during personalisation is essential  Chip cards – many data Tags any one of which could be incorrectly set up  Chip cards are far more expensive than magnetic stripe and thus are costly to reissue  Reputation/customer service impact can result in substantial lost revenue Offline or Inline Quality Control of the cards during personalisation  Offline  Single Card tests with Batch Testing  Inline  Enables 100% testing © 2014 BARNES INTERNATIONAL LIMITED 8 EMV Card Perso with Offline QC Perso Data File Audit Log Offline CPT Blank Card Mag Stripe Data Emboss Data Chip TAG Values Crypto Keys Perso Machine Controller Finished Card Mag-Stripe Encode Audit Data Flow © 2008-2014 BARNES INTERNATIONAL LIMITED Card Movement Emboss Chip Perso Perso Data Flow 9 Offline Perso QC Testing Card Personalisation Validation Testing Tool Validation – Standard Card Perso Tool (“CPT”)  Validates data to EMV and payment scheme requirements  Confirms chip, Mag-stripe and embossing correlation  Identifies incorrect data  Contact and Contactless chip validation tests  Multiple Application data validation -single card insertion  Multi-level user interface for Production, QA & Bank personnel with complete analysis facilities for Experts Test Development + Card Validation  All the features of a CPT, PLUS:  Test Script development  Issuer scripts and Cryptography  Host Simulation + HSM interface (e.g. with Thales 8000/9000 and Safenet) © 2014 BARNES INTERNATIONAL LIMITED 10 Validation Test Report 1. Summary of Test 2. Individual Fail/ Observations with Explanatory Annotations 1 3. Refers to Applicable Specification 4. List of all Tags Tested & Result 2 3 4 © 2014 BARNES INTERNATIONAL LIMITED 11 Offline QC Testing Architecture CPT GUI Card Reader(s) Contact/ CL/ DI Card Reader Interface CPT Test Engine QC Test Scripts and Scenarios Certification Test Scripts and Scenarios MC CPV/ Visa GPR etc © 2008-2014 BARNES INTERNATIONAL LIMITED Bespoke Scripts & Scenarios 12 Inline QC Testing – Offline EMV Data Validation Audit Log Perso Data File Offline CPT Blank Card Mag Stripe Data Test Station Finished Card Gate Reject Bin Camera Image Chip Read Emboss Data Chip TAG Values Crypto Keys Perso Machine Controller Mag-Stripe Read Mag-Stripe Encode Card Movement QC Data Flow © 2008-2014 BARNES INTERNATIONAL LIMITED Emboss Chip Perso Perso Data Flow 13 Magnetic Stripe QC Magnetic Stripe – standard inline QC  Collected by Magnetic Stripe read head  Reads all 3 tracks  Magnetic stripe data sent to Perso Machine Controller  Validation vs input file  Drawback: System assumes data sent in Perso file was valid Magnetic Stripe – QC data validated by inline Card Perso Tool  Collected by Magnetic Stripe read head  Reads all 3 tracks  Magnetic stripe data sent via Perso Machine Controller to CPT  Correlation vs ISO data rules  Validation vs input file &/or against Magnetic Stipe equivalent data in Chip  Validation of iCVV/ Chip CVC/ iCSC/ Chip CAV © 2014 BARNES INTERNATIONAL LIMITED 14 Contact Chip QC Contact Chip Data – standard inline QC  Chip ATR activated and read by Contact coupler  ATR sent to Perso Machine Controller  Confirms that chip is working  Drawback: Unable to fully validate personalised data Contact Chip Data – QC data validated by inline Card Perso Tool  ATR activated and APDUs sent to the chip by Contact coupler  APDU responses data sent via Perso Machine Controller to CPT  Correlation vs EMV, Payment Scheme Application rules  Validation of Tag values against test Scenario values (Issuer / card)  Chip Data Validation vs Mag Stripe & Contactless Chip  Validation that correct Keys were put onto the card © 2014 BARNES INTERNATIONAL LIMITED 15 Contactless Chip QC Contactless Chip Data – standard inline QC  Chip ATS activated and read by Contactless coupler  ATS read and sent to Perso Machine Controller  Confirms that contactless chip is working  Drawback: Unable to fully validate personalised data Contactless Chip Data – QC data validated by inline Card Perso Tool  ATS activated and APDUs sent to the chip by Contact coupler  APDU responses data sent via to Perso Machine Controller to a CPT  Correlation vs EMV, Payment Scheme Application rules  Validation of Tag values against test Scenario values (Issuer / card)  Contactless Chip Data Validation vs Mag Stripe & Contact Chip  Validation that correct Keys were put into the contactless chip © 2014 BARNES INTERNATIONAL LIMITED 16 Embossing Verification Embossing – standard inline QC  Camera recognition checks character impression on spent topping foil  Uses OCR recognition to recreate embossing data  Embossing sent to Perso Machine Controller  Validation vs input file  Drawback: No validation against Mag Stripe or Chip cardholder data, issue and expiry dates Embossing – QC data validated by inline Card Perso Tool  Camera recognition checks character impression on spent topping foil  Uses OCR recognition to recreate embossing data  Embossing sent via Perso Machine Controller to CPT  Validation vs Data personalised in Magnetic Stripe and Chip  Advantage: This is superior to an offline CPT where operator checks embossing against screen image © 2014 BARNES INTERNATIONAL LIMITED 17 Card Stock Verification Card Stock verification – standard inline QC  Vision system captures image of front and back of card including stock reference  Images sent to Perso Machine Controller  Validation vs images of correct card stock for the card batch  Drawback: Validation separate from the rest of card validation test Card Stock verification – QC data validated by inline Card Perso Tool  Vision system captures image of front and back of card including stock reference  Images sent via Perso Machine Controller to a Card Perso Tool (CPT)  Card stock reference recorded in card validation file © 2014 BARNES INTERNATIONAL LIMITED 18 Potential for 100% Data QC Data – read by Mag Reader/ Chip Couplers Magnetic Stripe Contact Chip Data Contactless Chip Data (if DI or CL card) Cryptographic Keys Data – read by Camera Embossing on card face Printing, including card stock ID and CVV on reverse For 100% QC All Data Elements should be Validated © 2014 BARNES INTERNATIONAL LIMITED 19 Inline QC Testing Architecture Offline CPT with GUI Card Perso Machine Perso Machine Interface Module Scenario creation Failure investigation CPT Test Engine Bespoke Scripts & Scenarios QC Test Scripts and Scenarios © 2008-2014 BARNES INTERNATIONAL LIMITED 20 Inline QC Testing with Card Personalisation Validation Data Collection: Machine Modules  Machinery Manufacturer QC module(s) to collect data  Magnetic Stripe  Contact and Contactless Chip Data  Printed/ Embossed Data Validation: CPT Test Engine  Validates data to EMV and payment scheme requirements  Confirms chip, Mag-stripe and embossing correlation (depending on machine modules)  Identifies incorrect data or keys  Contact and Contactless chip validation tests  Multiple Application data validation Reporting: Machine interface + CPT Report  Good / Bad card result  Bad card reject  Test Result recorded – for audit purposes  Test Results can be saved © 2014 BARNES INTERNATIONAL LIMITED 21 Inline Testing – 100% EMV Validation QC Offline CPT Test Scenarios Audit Log Perso Data File Blank Card Test Station with inline CPT module Finished Card Gate Camera Image Chip Read Mag Stripe Data Emboss Data Chip TAG Values Crypto Keys Perso Machine Controller Mag-Stripe Read Mag-Stripe Encode Emboss Chip Perso Offline CPT Reject Bin QC Data Flow QC Management © 2008-2014 BARNES INTERNATIONAL LIMITED Card Movement Perso Data Flow 22 Inline Testing Data loaded into card using “Store Data” APDUs, data is organised in Data Group Indicators (DGIs) Differences in techniques and formats depending on the card stock and operating system Data extracted from card using EMV defined APDUs, data is organised by files and records All cards must present the same interface to the terminal, regardless of internal organisation © 2008-2014 BARNES INTERNATIONAL LIMITED 23 Benefits of 100% Inline QC 100% of Cards Tested in Real Time Full Data Validation  EMV and Payment Scheme rules, TAG Values and Keys Efficient use of Human Resources  Inline QC can work 24/7 and does not get tired or distracted  No extra time & no extra QC staff required  Faster ROI No Human Intervention – better Data Security © 2014 BARNES INTERNATIONAL LIMITED Source: Datacard 24 100% Personalisation Quality Control Thank you for your attention – Questions B r i a n S u m m e r h aye s b s u m m e r h aye s @ b a r n e ste st . co m w w w. b a r n e ste st . co m b a r n e s - i n t e r n a t i o n a l - l td @ b a r n e s _ te st © 2014 BARNES INTERNATIONAL LIMITED 25