M/Chip Advance V1.1 Personalization Guide

Transcription

1 M/Chip Advance V1.1 Personalization Guide v01.71 (November, 2017) All copyrights are reserved by KONA I Co., Ltd. This manual can be revised without any notification. Unauthorized copying is strictly prohibited by KONA I Co., Ltd without a written consent. Copyright KONA I Co., Ltd. 2017

2 Table of Contents 1. M/CHIP ADVANCE GENERAL REFERENCE DOCUMENT REVISED HISTORY MAIN FUNCTIONS Protocol Applet Selection Secure Channel Protocol Data Authentication Session key Derivation RSA Capabilities Script Processing Implementation specific limit Memory requirement (*) Multiple Instance M/CHIP ADVANCE PERSONALIZATION SUPPORTING DGI INSTALL PARAMETER PRE-PERSONALIZATION PERSONALIZATION Procedure Special Features Personalization Log M/CHIP ADVANCE DATA DICTIONARY DGI A File Control Information DGI A Accumulator 1 Currency Code Accumulator 1 Currency Conversion Table Accumulator 1 Lower Limit Accumulator 1 Upper Limit Accumulator 2 Currency Code i

3 Accumulator 2 Lower Limit Accumulator 2 Upper Limit Additional Check Table CDOL1 Related Data Length Counter 1 Lower Limit Counter 1 Upper Limit Counter 2 Lower Limit Counter 2 Upper Limit CRM Country Code Cryptogram Version Number V2.x Default ARPC Response Code Interface Enabling Switch MTA Currency Code Number Of Days Off Line Limit DGI A Accumulator 1 Control (Contact) Accumulator 1 CVR Dependency Data (Contact) Accumulator 2 Control (Contact) Accumulator 2 CVR Dependency Data (Contact) Application Control (Contact) Card Issuer Action Code (Contact) Decline Card Issuer Action Code (Contact) Default Card Issuer Action Code (Contact) Online Counter 1 Control (Contact) Counter 1 CVR Dependency Data (Contact) Counter 2 Control (Contact) Counter 2 CVR Dependency Data (Contact) CVR Issuer Discretionary Data (Contact) Interface Identifier (Contact) MTA CVM (Contact) MTA NoCVM (Contact) Read Record Filter (Contact) DGI A Accumulator 1 Control (Contactless) Accumulator 1 CVR Dependency Data (Contactless) Accumulator 2 Control (Contactless) ii

4 Accumulator 2 CVR Dependency Data (Contactless) Application Control (Contactless) Card Issuer Action Code (Contactless) Decline Card Issuer Action Code (Contactless) Default Card Issuer Action Code (Contactless) Online Counter 1 Control (Contactless) Counter 1 CVR Dependency Data (Contactless) Counter 2 Control (Contactless) Counter 2 CVR Dependency Data (Contactless) CVR Issuer Discretionary Data (Contactless) Interface Identifier (Contactless) MTA CVM (Contactless) MTA NoCVM (Contactless) Read Record Filter (Contactless) DGI B IVCVC3(Track1) (Contact) IVCVC3(Track2) (Contact) DGI B IVCVC3(Track1) (Contactless) IVCVC3(Track2) (Contactless) DGI B Log Data Table Log Format DGI A Application Interchange Profile (Contact) Application File Locator (Contact) DGI B Application Interchange Profile (Contactless) Application File Locator (Contactless) DGI A Application Transaction Counter Limit Previous Transaction History DGI A AC Session Key Counter Limit (Contact) Key Derivation Index (Contact) SMI Session Key Counter Limit (Contact) iii

5 3.12. DGI A AC Session Key Counter Limit (Contactless) Key Derivation Index (Contactless) SMI Session Key Counter Limit (Contactless) DGI A PIN Decipherments Error Counter Limit DGI A Application Life Cycle Data DGI A00E DS management Control DS Number Of Slots DSPK DGI B011 ~ B01A Protected Data Envelope 1 (to 5) Unprotected Data Envelope 1 (to 5) DGI 0E01 ~ 0E0X DGI AC Master Key (Contact) SM for Integrity (SMI) Master Key (Contact) SM for Confidentiality (SMC) Master Key (Contact) DGI AC Master Key (Contactless) SM for Integrity (SMI) Master Key (Contactless) SM for Confidentiality (SMC) Master Key (Contactless) DGI A ICC Dynamic Number Master Key (Contact) DGI A ICC Dynamic Number Master Key (Contactless) DGI KDCVC3 (Contact) DGI KDCVC3 (Contactless) iv

6 1. M/CHIP ADVANCE 1.1. General KONA i M/CHIP ADVANCE is designed based on Java card version and Global Platform 2.1.1, EMV CPS 1.1. This documentation describes personalization of M/CHIP ADVANCE Reference Document M/Chip Advance Card Application Specification Payment & Data Storage Version 1.1, November 2009 M/Chip Advance Common Personalization Specification Version 1.0, February 2010 EMV v4.2 BOOK 1 3 EMV Common Personalization Specifications MChip_Advance_data_sharing_personalization_v1.0 1

7 1.3. Revised History Version Date Chapter modified Modification New draft AID information , 3.18, Multiple Instance functions for sharing Accumulator and Counter added. - Personalization Log updated - Data dictionary chapter added. DGI 8000, 8001 CT/CL change To change the M/Chip Advance specification version Install parameter modified , RSA key length modified - RSA CRT key description modified v All - Enhanced RSA-CRT private key description - Corrected typing errors 2

8 1.4. Main Functions Protocol T=0, T=1 T=CL Applet Selection AID Partial AID Next AID select Secure Channel Protocol SCP 02 with implementation option Data Authentication Static Data Authentication(SDA) Dynamic Data Authentication(DDA) Combined DDA(CDA) Session key Derivation The MasterCard Proprietary SKD1 method The EMV CSK method RSA Capabilities Maximum RSA Certificate length for SDA 248 bytes Maximum RSA Certificate length for DDA 248 bytes Odd RSA key length supported No (Maximum RSA length depends on the Kona platform.) Script Processing Put data Update Record Application block, unblock PIN change, unblock 3

9 Implementation specific limit Maximum numbers of record in the Log file 10 Maximum numbers of Data storage record 15 (0x0F) AFL maximum size 255 bytes Memory requirement (*) M/CHIP ADVANCE Load 33,739 Install 1,383 Personalization 5,988 Total(bytes) 41,110 (*) It could be changed according to its applet version and personalization procedure Multiple Instance Multiple Instance : supported Shared PIN : supported Shared Accumulator/Counter : supported 4

10 2. M/CHIP ADVANCE Personalization On this chapter, it describes the basic information of personalization for M/Chip Advance Supporting DGI This chapter explains the M/Chip Advance s Data Group Identifier and which data should be included in each DGIs. Customer should notice that there are some DGIs should be personalized correctly following the Fixed length and value only structure, not TLV Personalization Log in this document explains how to form the DGIs correctly for each data. DGI (*) A001 FCI Value A002 Accumulator 1 Currency Code Accumulator 1 Currency Conversion Table Accumulator 1 Lower Limit Accumulator 1 Upper Limit Accumulator 2 Currency Code Accumulator 2 Currency Conversion Table Accumulator 2 Lower Limit Accumulator 2 Upper Limit Additional Check Table CDOL1 Related Data Length Counter 1 Lower Limit Counter 1 Upper Limit Counter 2 Lower Limit Counter 2 Upper Limit CRM Country Code Cryptogram Version Number V2.x Default ARPC Response Code Interface Enabling Switch MTA Currency Code Number Of Days Off Line Limit A012 (Contact) A022 (Contactless) B010 (Contact) B023 (Contactless) B002 A005 (Contact) B005 (Contactless) A007 Accumulator 1 Control Accumulator 1 CVR Dependency Data Accumulator 2 Control Accumulator 2 CVR Dependency Data Application Control Card Issuer Action Code - Decline Card Issuer Action Code - Default Card Issuer Action Code - Online Counter 1 Control Counter 1 CVR Dependency Data Counter 2 Control Counter 2 CVR Dependency Data CVR Issuer Discretionary Data Interface Identifier MTA CVM MTA NoCVM Read Record Filter Accumulator 1 Control Accumulator 1 CVR Dependency Data Accumulator 2 Control Accumulator 2 CVR Dependency Data Application Control Card Issuer Action Code - Decline Card Issuer Action Code - Default Card Issuer Action Code - Online Counter 1 Control Counter 1 CVR Dependency Data Counter 2 Control Counter 2 CVR Dependency Data CVR Issuer Discretionary Data Interface Identifier MTA CVM MTA NoCVM Read Record Filter IVCVC3(Track1) IVCVC3(Track2) IVCVC3(Track1) IVCVC3(Track2) Log Data Table Log Format AIP AFL AIP AFL ATC Limit PTH A017 (Contact) AC Session Key Counter Limit Key Derivation Index SMI Session Key Counter Limit A027 (Contactless) AC Session Key Counter Limit Key Derivation Index SMI Session Key Counter Limit A008 PIN Decipherments Error Counter Limit A009 A00E Application Life Cycle Data DS management Control DS Number Of Slots DSPK B011 ~ B015 Protected Data Envelope x (x = 1 to 5) 5

11 B016 ~ B01A Unprotected Data Envelope x (x = 1 to 5) 0E01 ~ 0E0F Data Storage record x (x = 1..5 or more) 8000 (Contact) AC Master Key SM for Integrity Master Key SM for Confidentiality Master Key 8001 (Contactless) AC Master Key SM for Integrity Master Key SM for Confidentiality Master Key A006 (Contact) A016 (Contactless) ICC Dynamic Number Master Key ICC Dynamic Number Master Key 8010 Referenced PIN 8400 (Contact) KDCVC (Contactless) KDCVC Pin Try Counter and Pin Try Limit(Max 15) 8201* ICC Private Key RSA-CRT constant q -1 mod p 8202* ICC Private Key RSA-CRT constant d mod (p 1) 8203* ICC Private Key RSA-CRT constant d mod (q 1) 8204* ICC Private Key RSA-CRT constant prime factor p 8205* ICC Private Key RSA-CRT constant prime factor q 8301* ICC PIN Encipherment Private Key RSA-CRT constant q -1 mod p 8302* ICC PIN Encipherment Private Key RSA-CRT constant d mod (p 1) 8303* ICC PIN Encipherment Private Key RSA-CRT constant d mod (q 1) 8304* ICC PIN Encipherment Private Key RSA-CRT constant prime factor p 8305* ICC PIN Encipherment Private Key RSA-CRT constant prime factor q * Customer CANNOT change the DGI (Left column in the table) to other specific value. DGI 8201~8205, 8301~8305* : If p and q are not inputted properly, personalization can succeed but transaction can be aborted. 6

12 2.2. Install parameter KONA i s M/Chip Advance applet supports below Multiple instance functionalities and RSA enable/disable switch, so the Customer can change the bit set of Install parameter value to customize the applet up to the customer s need and correct use. Package AID A Value Modulus AID A Instance AID(General) A (MasterCard) A (Maestro) parameter Value(hex) Description C9 00 C9 01 C9 07 empty XY ZZZZZZZZZZZZZZ Enable Dual-interface, RSA, PIN Sharing, and Accumulator and Counter Sharing. X : 0x8Y Contact only X : 0x4Y PIN sharing not support X : 0x2Y RSA not support X : 0x1Y Accumulator sharing not support Y : 0xXY record No for data storage Multi-application for data sharing Refer to MChip_Advance_data_sharing_personalization_v1.0 Example1) RSA not support and data storage record No is 5 - C Example2) Contact only - C

13 2.3. Pre-personalization KONA i M/CHIP ADVANCE does not require pre-personalization process Personalization Procedure 1. Select M/CHIP ADVANCE 2. Initialize update, External authentication(security level 00) 3. STORE DATA SFI record 4. STORE DATA DGI record 5. End personalization Special Features When the initial authorization, set 00 as security level. The value of P2 for STORE DATA commands should be set as the sequential number. It starts with 00 and should increment one by one following the previous Store Data command. If the previous STORE DATA command didn t finished correctly (SW!= 9000 ), the following Store Data commands will be resulted The left-most bit of P1 parameter for the LAST STORE DATA Command should be set to 1. (eg. 80E280.. for common STORE DATA command or 80E2E0.. for the Last STORE DATA command) The APDU command data should start with SFI or DGI. The last STORE DATA should be issued to finish the personalization process, and it occurs the life cycle of applet instance changed to Personalized status (It means ready to use). There are some data should be encrypted using the session Key, and issuer should set the second left-most bit of P1 for Store Data command to 1. (eg. 80E260.. for common STORE DATA command or 80E2E0.. for the Last STORE DATA command) During the personalization, [0x84] class byte of APDU command is also supported for secure messaging. (MAC, Encrypted MAC) During the personalization using [0x84] class byte, total length of APDU data SHOULD NOT over the 0xFF. During the personalization, if the PIN referenced data was following the ISO

14 format 1, the PIN data format will be changed to ISO-9654 format 2 and it will be stored changed format in the m/chip applet. However the PIN data which is following ISO format 2 just be stored in the applet using its own format. If the customer needs to create the multiple instances, the shared PIN or shared Accumulator and Counter functionalities can be supported using the Install parameter setting. If the product doesn t need to support RSA functions (Supports only SDA), the customer can set the install parameter value for it to do not support RSA functionality Personalization Log This below personalization log data is for personalize the M/Chip Advance Profile 1H. [Select M/CHIP ADVANCE] 00A A [Initialize update] C FF A316934E88F369F5D [External authentication] FAA9C9E31DD08A1A7A49908A6B058F93 [Store data SFI 1 record 1] TLV format 80E200007A F6C F F E0E E202F5E F F E9F66020E709F6B D F9F [Store data SFI 2 record 1] TLV format 80E200013D02013A70385F F F0702FF005A F0D05F F0E F0F05F86064F8005F [Store data SFI 2 record 2] TLV format 80E C279F02069F03069F1A F2A029A039C019F37049F35019F 45029F4C089F34039F21039F7C148D12910A8A F37049F4C089F02069F03068E E F03 [Store data SFI 2 record 3] TLV format 9

15 80E F F D F5B0CDF6008DF6108DF6201DF63A09F51039F3704 [Store data SFI 2 record 4] TLV format 80E F [Store data SFI 3 record 1] TLV format 80E200052E03012B70298F01F492246E8042D075DDC54E51300D03E44EBFF7140C0556B3 9CA0D78B A12365F40FA547 [Store data SFI 3 record 2] TLV format 80E20006B90302B67081B39081B005098E4A0109D8CF39DFCB6BFC7282FD5D7A361B6DC 1AD68F56CE08AA6F6D66799C35A4D010B89B59DFB1D08AD71618C52DBB153E189DAE4 E1E85B98946ACF3E163257E57E5D3FE13F50AEE650CA44A1B2C083EBDBCA51DD328CE 9F1D3DB6E3443A9783F3FAAEA8C110F1E066DD7858AF4D98CC5FB7EBF6883C4A1707CD DDD596777EA3AC672D2897BC572B BF28E21A4E FC9284A2344F3FF017 AD83FDC84F9D81948AE [Store data SFI 3 record 3] TLV format 80E200073E03033B70399F F482AAE83BF5BB436738AC650AC991DB606E566 44E9CCFC6A D7D425C5FBF474799E09F79E31472FBF39F49039F3704 [Store data SFI 3 record 4] TLV format 80E F2E F2F2AC5C9852EDB8C522912F3D49EADDDEF F73C DD A8BD86FEAB16F3191E15287B [Store data SFI 3 record 5] TLV format 80E20009BA0305B77081B49F2D81B0146FE7A06FE8C745EA2EE1DB2F AB7FE38E E4BB4888B69B7DD47166AA5E622564FC4B0ADD7AB36B0C66027CE75FFD86EF21172D A947BC27A E6559B D3E60EBED06B1C4AAEA8EFB C CA6B105A2C4541D805D4F4676ACBAE8B3861B191A841DA33592B6E2E1C50C41F AC99B7F8C7D3F57358FB98C3EEEE5F2413B45DEF4166D77C9A60D E832 5A C420DD6D50347F5 [Store data SFI 4 record 1] - TLV 80E2000A F [Store data SFI 4 record 2] - TLV 10

16 80E2000BB90402B67081B39381B03FF1243F0246FAFFAB8C7D97D425E49370FDB EC6BFCA0DD065EA3C9FD70F395CD63D207C2EBF1961EB2D625C960D904622BE5257A6 094A2E223A A0B47AA5BC39BCCB9AF7338FD36904F50818D16F02E9F67C421A7 683F925F17397C1F1DCFAAB1D82F1E941BE4E97ABF82C A90A4C5E C0 8C6C3D721ECDE2DCD6A8078BD4FD637FAE B607090EC7527ACFDEAAC613B 424C5794C596EF7A782B470A1817 [Store data SFI 4 record 3] - TLV 80E2000CBA0403B77081B49F4681B064ED7F7ED9A334FBF05642A154FAC90DF43D5C36E D3C B624A074E409ED2FCCB10726E84008F0E09B334FE C585383B8D08 C8D5ADA559E5BC85F AC05FFCCC8F D0B52D04940BCF4F749DB676A 8024F403D7BB5D4DD3469A84CB4BEE3832BE1998D2B92CF8B3FB46DF1584D124E39B38 DCAEC05988CB3383E590A766AB2B8BA13DF0248E96882F5BB1D09E CE67EA6 841FFE4A450A80C1BD0E15359E5D7 [Store data SFI 5 record 1] - TLV 80E2000D F [Store data SFI 5 record 2] - TLV 80E2000EB90502B67081B39381B03FF1243F0246FAFFAB8C7D97D425E49370FDB EC6BFCA0DD065EA3C9FD70F395CD63D207C2EBF1961EB2D625C960D904622BE5257A6 094A2E223A A0B47AA5BC39BCCB9AF7338FD36904F50818D16F02E9F67C421A7 683F925F17397C1F1DCFAAB1D82F1E941BE4E97ABF82C A90A4C5E C0 8C6C3D721ECDE2DCD6A8078BD4FD637FAE B607090EC7527ACFDEAAC613B 424C5794C596EF7A782B470A1817 [Store data SFI 5 record 3] - TLV 80E2000FBA0503B77081B49F4681B064ED7F7ED9A334FBF05642A154FAC90DF43D5C36E D3C B624A074E409ED2FCCB10726E84008F0E09B334FE C585383B8D08 C8D5ADA559E5BC85F AC05FFCCC8F D0B52D04940BCF4F749DB676A 8024F403D7BB5D4DD3469A84CB4BEE3832BE1998D2B92CF8B3FB46DF1584D124E39B38 DCAEC05988CB3383E590A766AB2B8BA13DF0248E96882F5BB1D09E CE67EA6 841FFE4A450A80C1BD0E15359E5D7 [Store data SFI 6 record 1] - TLV 80E E700C5F [Store data DGI 8010] Encrypted Referenced PIN 11

17 80E260110B A [Store data DGI A008] PIN Decipherments Error Counter Limit (TLV) 80E A00802FF00 [Store data DGI A00E] DS management Control, DS Number Of Slots, DSPK (Value only) 80E A00E0E C1 05 6C1A42B40000B400001E1A02 [Store data DGI 8000] Encrypted AC, SMI, SMC Keys for Contact 80E CC12633C1E1B300A80480B690C40ACF14E38A7FCC7ED889D74A8D F800D884E138E2D1C9B95C10B572F29D6245 [Store data DGI A006] Encrypted IDN_MK Key for Contact 80E A D1E5A56B7CE0A43AAB2646DBF [Store data DGI A006] Encrypted KDCVC3 Key for Contact 80E F7D1DA18648C D5C4AB9 [Store data DGI A006] AC Session Key Counter Limit, Key Derivation Index, SMI Session Key Counter Limit (Value only) 80E A01705 FFF0 11 FF00 [Store data DGI 8000] Encrypted AC, SMI, SMC Keys for Contactless 80E B4ABEEECC9ED176853EF4F614A3EB76F3D496C8FFB342D91D4F09 E5D6E6BD0B99AFD3879A8B88269B7CA14D978E76C [Store data DGI A016] Encrypted IDN_MK Key for Contactless 80E A016104E2E9C908F2C3D C754629E C [Store data DGI 8401] Encrypted KDCVC3 Key for Contactless 80E2601A AB6D2930B3F74CB7B593F7EA8C32AEAD [Store data DGI A027] AC Session Key Counter Limit, Key Derivation Index, SMI Session Key Counter Limit (Value only) 80E2001B08A02705 FFF0 22 FF00 [Store data DGI A001] FCI 80E2001C41A0013E6F3C8407A A531500A4D F

18 F5C089F4005BF0C199F5E0B F5D F4D020B0A [Store data DGI A002] Customization data which has FIXED length (Shared data for each CT and CL interface) 80E2001D72A0026F A0402FFFFFFFF FFFFFFFFFFFFFF 42 FFFFFFFF FFFF (Above APDU command seems like has some spaces in here, but you should regarding it as just a simple APDU command. And each data are matched consecutively which is described in the 2.1. Supporting DGI of this document.) [Store data DGI B011] - Protected Data Envelope 1 (up to 0x70) 80E2001E43B [Store data DGI B012] - Protected Data Envelope 2 (up to 0x70) 80E2001F43B [Store data DGI B013] - Protected Data Envelope 3 (up to 0x70) 80E B [Store data DGI B014] - Protected Data Envelope 4 (up to 0x70) 80E B [Store data DGI B015] - Protected Data Envelope 5 (up to 0x70) 80E B [Store data DGI B016] - Unprotected Data Envelope 1 (up to 0x70) 80E B [Store data DGI B017] - Protected Data Envelope 2 (up to 0x70) 80E B

19 [Store data DGI B018] - Protected Data Envelope 3 (up to 0x70) 80E B [Store data DGI B019] - Protected Data Envelope 4 (up to 0x70) 80E B [Store data DGI B01A] - Protected Data Envelope 5 (up to 0x70) 80E B01A [Store data DGI 0E01] Data Storage Record # 1 80E20028D30E01D0E581CDDF DF020100DF DF040100DF DF0681A [Store data DGI 0E02] Data Storage Record # 2 80E20029D30E02D0E581CDDF DF020100DF DF040100DF DF0681A [Store data DGI 0E03] Data Storage Record # 3 80E2002AD30E03D0E581CDDF DF020100DF DF040100DF DF0681A

20 [Store data DGI 0E04] Data Storage Record # 4 80E2002BD30E04D0E581CDDF DF020100DF DF040100DF DF0681A [Store data DGI 0E05] Data Storage Record # 5 80E2002CD30E05D0E581CDDF DF020100DF DF040100DF DF0681A [Store data DGI A012] Customization data which has FIXED length (for Contact) 80E2002D34A01231 C C C064098E10C D C FF00 (Above APDU command seems like has some spaces in here, but you should regarding it as just a simple APDU command. And each data are matched consecutively which is described in the 2.1. Supporting DGI of this document.) [Store data DGI A022] Customization data which has FIXED length (for Contactless) 80E2002E38A02235 C C C064098E10C D C FF003001FF00 (Above APDU command seems like has some spaces in here, but you should regarding it as just a simple APDU command. And each data are matched consecutively which is described in the 2.1. Supporting DGI of this document.) [Store data DGI 8201] Encrypted ICC RSA p-1 mod q 80E2602F D5D8EF7322F E258FC679F865DCBAC916B12F91FEEA5 DCCD8B9ED2AD629A585BD80DC9B0FE1F3E2235C39BAA258F3B8F014658E87C3DE8D1F 86AC08A5DC00E83472DDEA4D0FA4033F7091F32BE727FA1BA33A2A [Store data DGI 8202] Encrypted ICC RSA d mod (p - 1) 80E EB94278D3FD28E9C8B15493A642AE499C3F695A0A4B96F1A57892FD E568D686E23DA5F283CCB0DCF1B56EB0EF3D5F63E B86AE0BFD78FD22C75B360 BFC EAEAEFDF E68737E529F6C5EE591EF108A2A

21 [Store data DGI 8203] Encrypted ICC RSA d mod (q - 1) 80E B5FD4780A0C47DFB92E7EDE365E5A88D4E77C3E9F231F5641C E0E81154D E9C0FDB9E6736E28DDF80DDD6C5D6B8458BEE7C25D922D8ABB DBD E763E6A6801FED AC35E70F6159EF2C72A2A [Store data DGI 8204] Encrypted ICC RSA prime factor p 80E AD61924AA7ACADA C224291FB1304C9DD963DAF8C0BD7A F60C6ACF2E19FEB9AB4DFABED89EBAABDFE3521DED8D27D5882B1D9F A51362 BE2BB6287F8A12A4A1FF53364C3299D55E0F38EFD29AA976D8C2A2A [Store data DGI 8205] Encrypted ICC RSA prime factor q 80E D8BB0F6445EC3198ACBB174BCE24A26905D8AC76E5DB32073BAC561 1A64DB03F3A6367BFAE7CC878A68D1EB35DBB8D4A E681A6DC09F0270ACB D12A8D35357FEB5C5E061347B26D0F2AA65596C4F7288BDA2A [Store data DGI 8301] Encrypted PIN RSA p-1 mod q 80E A9D76DFF5B7D51E893853AA597BB0EA2A5EE2398F30CEF14C3E C8296EF8A BB70482A5A9070ED866BB4F31EBAEDEDAE87B18090BE638D AA926FF67BBC85A7C8F882227F4AA1CBED3CD0AE27BDF6763D6A2A [Store data DGI 8302] Encrypted PIN RSA d mod (p - 1) 80E B800338C4106FDDFCED0FCBA821BDDA897BEA0DB42B74ED5592D8D 4A1933C112A30AF6619BCA04F90980A7CDF42C6AF F2FFEC53FCB01FE45A7EF59 2FACCEE1644CF532CA0EAC8A393837AE5F8A496DDFFD8A3E246A2A [Store data DGI 8303] Encrypted PIN RSA d mod (q - 1) 80E E7A D96D207A078ADAB24ABAA35EFC9A6454CB6AAAF35 060C490C64A6C8C5FFCF7B7C16D76F007D22C3DC6DA74FE1D6EC1CAD05F7ED322E262 9AE583EC179D2548FD6D995DD7DF20BF1F5ADEFB6BE1F08190E5A2A [Store data DGI 8304] Encrypted PIN RSA prime factor p 80E B417E96F678EC9B FBD0B7BDD04428A98E831FD CE189C22FEA157FDED214043F37CECFEDBAB FA1BFEEAC87E4835EBCC0 E3E81366FD3B645E61A59CAB21668FECBFD6335A95BE A2A [Store data DGI 8305] Encrypted PIN RSA prime factor q 80E D0E1BBEBAFEDC0C8006A CBF64BF567925A9175EB6736E5B 17E9820AEEF0EB5A8CDE2EA745034B51495D80FA07C60E71D4B1E5E2D5894A1A8EFFF5 16

22 9167C1457CBCB977D D21FE58944A976E2A61FAEA2A [Store data DGI 9010] PTC, PTL 80E [Store data DGI A007] ATC limit, PTH 80E2003A06A00703 FFFF 00 [Store data DGI A009] Application Life cycle data 80E2003B33A A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3 B4C1C2C3C4C5C6C7C8C9CACBCCCDCECFD0D1D2D3D4 [Store data DGI B002] Log data table, Log format 80E2003C26B FFFFFFFFFFFFFFFF 9F27019F02065F2A029A039F36029F5206DF3E019F21039F7C14 C (Above APDU command seems like has some spaces in here, but you should regarding it as just a simple APDU command. And each data are matched consecutively which is described in the 2.1. Supporting DGI of this document.) [Store data DGI B010] ICVC3 Track 1, 2 (for Contact) 80E2003D07B FEE 7298 [Store data DGI B023] ICVC3 Track 1, 2 (for Contactless) 80E2003E07B02304 CAA0 EB2A [Store data DGI A005] AIP, AFL (for Contact) 80E2003F19A [Store data DGI B005] AIP, AFL (for Contactless) // END PERSO 80E B

23 3. M/CHIP ADVANCE Data Dictionary The data in each record must be personalized according to defined order and length DGI A File Control Information Tag: '6F' Length: Variable, bytes Description: The application does not interpret the FCI. It simply returns it in the response to the select signal. The issuer must personalize the FCI compliant with [EMV] DGI A002 DGI A002 includes the data could be used or share between both interface Contact and Contactless. Each data in this DGI A002 could be read using GET DATA command or updated using PUT DATA command after the Personalization process. The data in each record must be personalized using VALUE only according to defined order and length without [TLV - TAG] value and [TLV - LENGTH] value Accumulator 1 Currency Code Tag: 'C9' Length: 2 Format: n3 Description: Indicates the currency code of Accumulator Accumulator 1 Currency Conversion Table Tag: 'D1' Length: 25 Description: Holds a table of currency conversion values in order to convert the transaction amount from the transaction currency to the currency of Accumulator 1. If the currency code of the transaction amount = Conversion Code i and Conversion Exponent i[8] = 0b, then the 18

24 transaction amount in the currency of Accumulator 1 is defined by transaction amount * Conversion Rate i * (10 to the power Conversion Exponent i[7 : 1]). If the currency code of the transaction amount = Conversion Code i and Conversion Exponent i[8] = 1b, then the transaction amount in the currency of Accumulator 1 is defined by transaction amount * Conversion Rate i / (10 to the power Conversion Exponent i[7 : 1]). Byte 1-2 Conversion Code 1 Byte 3-4 Conversion Rate 1 Byte 5 Conversion Exponent 1 Byte 6-7 Conversion Code 2 Byte 8-9 Conversion Rate 2 Byte 10 Conversion Exponent 2 Byte Conversion Code 3 Byte Conversion Rate 3 Byte 15 Conversion Exponent 3 Byte Conversion Code 4 Byte Conversion Rate 4 Byte 20 Conversion Exponent Accumulator 1 Lower Limit Tag: 'CA' Length: 6 Format: n12 Description: Accumulator 1 Amount and Accumulator 1 Amount Temp are checked against this 19

25 limit and if they are greater, the relevant CVR bit is set Accumulator 1 Upper Limit Tag: 'CB' Length: 6 Format: n12 Description: Accumulator 1 Amount and Accumulator 1 Amount Temp are checked against this limit and if they are greater, the relevant CVR bit is set Accumulator 2 Currency Code Tag: 'DF16' Length: 2 Format: n3 Description: Indicates the currency code of Accumulator Accumulator 2 Lower Limit Tag: 'DF18' Length: 6 Format: n12 Description: Accumulator 2 Amount and Accumulator 2 Amount Temp are checked against this value and if they are greater, the relevant CVR bit is set Accumulator 2 Upper Limit Tag: 'DF19' Length: 6 Format: n12 Description: Accumulator 2 Amount and Accumulator 2 Amount Temp are checked against this value and if they are greater, the relevant CVR bit is set Additional Check Table Tag: 'D3' Length: 18 20

26 Description: Contains values that are compared to values given by the terminal in CDOL1 Related Data. The result of the comparison is reflected in the decision-making part of the Card Verification Results. The check with the Additional CheckTable is only performed if activated by the Application Control. Byte 1 Position In CDOL1 Related Data Byte 2 Length In CDOL1 Related Data Byte 3 Number Of Entries CDOL1 Related Data Length Tag: 'C7' Length: 1 Description: Length of CDOL1 Related Data. If no extension to CDOL1 Related Data is used, CDOL1 Related Data Length value is '42'. M/Chip Advance allows the extension of this value by at least ten bytes. The maximum value is implementation specific. The personalization value for CDOL1 Related Data Length must be consistent with the personalization value for CDOL Counter 1 Lower Limit Tag: '9F14' Length: 1 Description: If the Counter 1 Number or Counter 1 Number Temp have exceeded this limit, the relevant CVR bit is set Counter 1 Upper Limit Tag: '9F23' Length: 1 21

27 Description: If the Counter 1 Number or Counter 1 Number Temp have exceeded this limit, the relevant CVR bit is set Counter 2 Lower Limit Tag: 'DF1F' Length: 1 Description: If the Counter 2 Number or Counter 2 Number Temp have exceeded this limit, the relevant CVR bit is set Counter 2 Upper Limit Tag: 'DF21' Length: 1 Description: If the Counter 2 Number or Counter 2 Number Temp have exceeded this limit, the relevant CVR bit is set CRM Country Code Tag: 'C8' Length: 2 Format: n3 Description: The CRM Country Code is used to differentiate between domestic transactions (when the CRM Country Code matches the Terminal Country Code) and international transactions (when the CRM Country Code does not match the Terminal Country Code). This may impact CRM, depending on the Card Issuer Action Codes settings Cryptogram Version Number V2.x Tag: Length: 1 Description: Holds the Cryptogram Version Number if V2.05 or V2.1/V2.2 issuer host backward compatibility is used. 22

28 Default ARPC Response Code Tag: 'D6' Length: 2 Description: The Default ARPC Response Code replaces the ARPC Response Code, if: - Issuer Authentication Data is not present in an online transaction, and - The Accept Online Transactions Without ARPC bit in the Application Control is set, and - The transaction is approved by the terminal and issuer (i.e. Authorization Response Code < > 'Y3' or 'Z3' and the terminal requests a TC). Byte 1 b8 Accumulator 1 Not Eligible b7 Counter 1 Not Eligible b6 Accumulator 2 Not Eligible b5 Counter 2 Not Eligible b4-1 RFU Byte 2 b8-6 RFU b5 Approve Online Transaction b4 RFU b3 Set Go Online On Next Transaction b2-1 Update Counters 00: Do Not Update Offline Counters 01: Set Counters To Upper Offline Limits 10: Reset Counters To Zero 11: Add Transaction To Counter Interface Enabling Switch Tag: 'DF30' Length: 1 Description: Contains flags that indicate if an interface is enabled. Byte 1 b8-3 RFU b2-1 Interfaces Status 00: RFU 01: Contactless Interface Disabled 23

29 10: Contact Interface Disabled 11: Contact And Contactless Interfaces Enabled MTA Currency Code Tag: 'DF24' Length: 2 Format: n3 Description: The transaction currency code for which maximum transaction amount check is to be applied Number Of Days Off Line Limit Tag: 'DF27' Length: 2 Description: The maximum number of days that the application can perform transactions off-line. If the limit is exceeded, the relevant bit in the CVR is set DGI A012 DGI A012 includes the data used in Contact Interface, and they could not be used or share between Contact and Contactless interface. Each data in this DGI A012 could be read using GET DATA command or updated using PUT DATA command after the Personalization process. The data in each record must be personalized using VALUE only according to defined order and length without [TLV - TAG] value and [TLV - LENGTH] value Accumulator 1 Control (Contact) Tag: 'DF11' Length: 1 Description: Holds configuration information that controls the use and operation of Accumulator 1 when the contact interface is active. Byte 1 b8-7 Accumulation Mode 00: Never 24

30 01: Accumulate CVM transactions 10: Accumulate NoCVM transactions 11: Always b6 Use CVR Dependency b5 RFU b4 Offline PIN Reset` b3 Show b2-1 Include In Issuer Application Data 00: Do Not Include 01: Include Accumulator As Value 10: Include As Balance 11: RFU Accumulator 1 CVR Dependency Data (Contact) Tag: 'DF28' Length: 3 Description: Contains CVR comparison data to determine if Accumulator 1 becomes active if a given CVR pattern occurs when the contact interface is active. If (Condition Mask AND CVR [Input Byte Number]) = Comparison Value then the condition is satisfied for the use of Accumulator 1. Byte 1 Input Byte Number Byte 2 Condition Mask Byte 3 Comparison Value Accumulator 2 Control (Contact) Tag: 'DF14' Length: 1 Description: Holds configuration information that controls the use and operation of Accumulator 2 when the contact interface is active. Byte 1 b8-7 Accumulation Mode 00: Never 01: Accumulate CVM transactions 25

31 10: Accumulate NoCVM transactions 11: Always b6 Use CVR Dependency b5 RFU b4 Offline PIN Reset` b3 Show b2-1 Include In Issuer Application Data 00: Do Not Include 01: Include Accumulator As Value 10: Include As Balance 11: RFU Accumulator 2 CVR Dependency Data (Contact) Tag: 'DF2A' Length: 3 Description: Contains CVR comparison data to determine if Accumulator 2 becomes active if a given CVR pattern occurs when the contact interface is active. If (Condition Mask AND CVR [Input Byte Number]) = Comparison Value then the condition is satisfied for the use of Accumulator 2. Byte 1 Input Byte Number Byte 2 Condition Mask Byte 3 Comparison Value Application Control (Contact) Tag: 'D5' Length: 6 Description: The Application Control (Contact) activates or de-activates functions in the application when the contact interface is active. This activation or de-activation is dynamic. The Application Control (Contact) can be modified with a PUT DATA command during the application lifetime, and, in such a case, the behavior of the application is modified. The PUT DATA command applied to the Application Control (Contact) may be used to switch from one session key derivation method to the other. In this case, the switch applies immediately for subsequent script commands. 26

32 Byte1 b8 b7 b6 b5 b4 b3 b2 b1 Accept Online Transactions Without ARPC Skip CIAC-Default On CAT3 RFU Key For Offline Encrypted PIN Verification 0: DDA Key 1: Dedicated Key Offline Encrypted PIN Verification Offline Plaintext PIN Verification Session Key Derivation 0: MasterCard Proprietary SKD 1: EMV CSK Encrypt Offline Counters Byte2 b8-4 RFU b3 Additional Check Table b2 Allow Retrieval Of Balance b1 Include Counters In AC Byte3 b8-7 Compute Cryptographic Checksum 00: RFU 01: Compute Cryptographic Checksum Supported 10: Compute Cryptographic Checksum Not Supported 11: RFU b6-1 RFU Byte 4 b8 b7 b6 b5 b4 b3 b2 b1 Include Transaction In CRM If ARQC Is Requested Use CIAC-online To Decide On ARQC Request Generate Only TC Or AAC On TC Request MTA Check Maximum Number Of Days Offline Check RFU Plaintext Offline Change PIN Encrypted Offline Change PIN Byte 5 b8 AAC Logging b7 TC Logging b6 ARQC Pre-logging b5 Include Last Online ATC in IAD b4-2 Issuer Host Backwards Compatibility 000: No Host Backwards Compatibility 001: V2.1/V2.2 Host Backwards Compatibility 010: V2.05 Host Backwards Compatibility 011: V1.1/V1.3 Host Backwards Compatibility 1xx: RFU b1 Partial Authorization 27

33 Byte 6 b8 Enable Alternate Interface After First Gen AC b7-5 RFU b4 Torn Transaction Recovery b3 MAS4C Processing Flow b2 Reset Script Counter With Online Response b1 RFU Card Issuer Action Code (Contact) Decline Tag: 'C3' Length: 3 Description: The Card Issuer Action Codes (Contact) are compared to the decisional part of the Card Verification Results to take decisions when the contact interface is active. Card Issuer Action Code (Contact) Decline is used to set the situations when a contact transaction is always declined at the first GENERATE AC. Byte 1 b8 b7 b6 b5 b4 b3 b2 b1 Last Online Transaction Not Completed Unable To Go Online Indicated Offline PIN Verification Not Performed Offline PIN Verification Failed PTL Exceeded International Transaction Domestic Transaction Terminal Erroneously Considers Offline PIN OK Byte 2 b8 b7 b6 b5 b4 b3 b2 b1 Lower Consecutive Counter 1 Limit Exceeded Upper Consecutive Counter 1 Limit Exceeded Lower Cumulative Accumulator 1 Limit Exceeded Upper Cumulative Accumulator 1 Limit Exceeded Go Online On Next Transaction Was Set Issuer Authentication Failed Script Received Script Failed Byte 3 b8 b7 b6 b5 b4 b3 b2 Lower Consecutive Counter 2 Limit Exceeded Upper Consecutive Counter 2 Limit Exceeded Lower Cumulative Accumulator 2 Limit Exceeded Upper Cumulative Accumulator 2 Limit Exceeded MTA Limit Exceeded Number Of Days Offline Limit Exceeded Match Found In Additional Check Table 28

34 b1 No Match Found In Additional Check Table Card Issuer Action Code (Contact) Default Tag: 'C4' Length: 3 Description: The Card Issuer Action Codes (Contact) are compared to the decisional part of the Card Verification Results to take decisions when the contact interface is active. Card Issuer Action Code (Contact) Default is used to set the situations when a contact transaction is declined if the terminal is not online capable, or if a connection to the issuer is not possible. Byte 1 b8 b7 b6 b5 b4 b3 b2 b1 Last Online Transaction Not Completed Unable To Go Online Indicated Offline PIN Verification Not Performed Offline PIN Verification Failed PTL Exceeded International Transaction Domestic Transaction Terminal Erroneously Considers Offline PIN OK Byte 2 b8 b7 b6 b5 b4 b3 b2 b1 Lower Consecutive Counter 1 Limit Exceeded Upper Consecutive Counter 1 Limit Exceeded Lower Cumulative Accumulator 1 Limit Exceeded Upper Cumulative Accumulator 1 Limit Exceeded Go Online On Next Transaction Was Set Issuer Authentication Failed Script Received Script Failed Byte 3 b8 b7 b6 b5 b4 b3 b2 b1 Lower Consecutive Counter 2 Limit Exceeded Upper Consecutive Counter 2 Limit Exceeded Lower Cumulative Accumulator 2 Limit Exceeded Upper Cumulative Accumulator 2 Limit Exceeded MTA Limit Exceeded Number Of Days Offline Limit Exceeded Match Found In Additional Check Table No Match Found In Additional Check Table Card Issuer Action Code (Contact) Online Tag: 'C5' Length: 3 29

35 Description: The Card Issuer Action Codes (Contact) are compared to the decisional part of the Card Verification Results to take decisions when the contact interface is active. Card Issuer Action Code (Contact) Online is used to set the situations when a contact transaction goes online if the terminal is online capable. If the option 'Use CIAC-online To Decide On ARQC Request' is used, then the Card Issuer Action Codes (Contact) Online is also used to decline an online request over the contact interface. Byte 1 b8 b7 b6 b5 b4 b3 b2 b1 Last Online Transaction Not Completed Unable To Go Online Indicated Offline PIN Verification Not Performed Offline PIN Verification Failed PTL Exceeded International Transaction Domestic Transaction Terminal Erroneously Considers Offline PIN OK Byte 2 b8 b7 b6 b5 b4 b3 b2 b1 Lower Consecutive Counter 1 Limit Exceeded Upper Consecutive Counter 1 Limit Exceeded Lower Cumulative Accumulator 1 Limit Exceeded Upper Cumulative Accumulator 1 Limit Exceeded Go Online On Next Transaction Was Set Issuer Authentication Failed Script Received Script Failed Byte 3 b8 Lower Consecutive Counter 2 Limit Exceeded b7 Upper Consecutive Counter 2 Limit Exceeded b6 Lower Cumulative Accumulator 2 Limit Exceeded b5 Upper Cumulative Accumulator 2 Limit Exceeded b4 MTA Limit Exceeded b3 Number Of Days Offline Limit Exceeded b2 Match Found In Additional Check Table b1 No Match Found In Additional Check Table Counter 1 Control (Contact) Tag: 'DF1A' Length: 1 Description: Holds configuration information that controls the use and operation of Counter 1 30

36 when the contact interface is active. Byte 1 b8-7 Counting Mode 00: Never 01: Count CVM transactions 10: Count NoCVM transactions 11: Always b6 Use CVR Dependency b5 Count Even When Cumulated b4 Offline PIN Reset` b3 Show b2-1 Include In Issuer Application Data 00: Do Not Include 01: Include Accumulator As Value 10: Include As Balance 11: RFU Counter 1 CVR Dependency Data (Contact) Tag: 'DF2C' Length: 3 Description: Contains CVR comparison data to determine if Counter 1 becomes active if a given CVR pattern occurs when the contact interface is active. If (Condition Mask AND CVR [Input Byte Number]) = Comparison Value then the condition is satisfied for the use of Counter 1. Byte 1 Input Byte Number Byte 2 Condition Mask Byte 3 Comparison Value Counter 2 Control (Contact) Tag: 'DF1D' Length: 1 Description: Holds configuration information that controls the use and operation of Counter 2 when the contact interface is active. 31

37 Byte 1 b8-7 Counting Mode 00: Never 01: Count CVM transactions 10: Count NoCVM transactions 11: Always b6 Use CVR Dependency b5 Count Even When Cumulated b4 Offline PIN Reset` b3 Show b2-1 Include In Issuer Application Data 00: Do Not Include 01: Include Accumulator As Value 10: Include As Balance 11: RFU Counter 2 CVR Dependency Data (Contact) Tag: 'DF2E' Length: 3 Description: Contains CVR comparison data to determine if Counter 2 becomes active if a given CVR pattern occurs when the contact interface is active. If (Condition Mask AND CVR [Input Byte Number]) = Comparison Value then the condition is satisfied for the use of Counter 2. Byte 1 Input Byte Number Byte 2 Condition Mask Byte 3 Comparison Value CVR Issuer Discretionary Data (Contact) Tag: 'DF3C' Length: 1 Description: Issuer discretionary data object of which the two least significant bits are copied in the Card Verification Results when the contact interface is active. Byte 1 b8-3 RFU 32

38 b2-1 Issuer Discretionary Interface Identifier (Contact) Tag: 'DF3E' Length: 1 Description: Identifies the contact interface in the Transaction Log MTA CVM (Contact) Tag: 'DF22' Length: 6 Format: n12 Description: The maximum transaction amount for contact CVM transactions. When the transaction amount is greater than MTA CVM (Contact), the relevant bit in the CVR is set MTA NoCVM (Contact) Tag: 'DF25' Length: 6 Format: n12 Description: The maximum transaction amount for contact no CVM transactions. When the transaction amount is greater than MTA NoCVM (Contact), the relevant bit in the CVR is set Read Record Filter (Contact) Tag: 'DF3F' Length: Variable Description: Read Record Filter used to prevent reading records when the contact interface is active. It is coded like an Application File Locator. Records identified in the Read Record Filter cannot be read with the READ RECORD command. Refer to [EMV] for a description of the Application File Locator coding. A memory space of at least 32 bytes must be available for the Read Record Filter (Contact). 33

39 3.4. DGI A022 DGI A022 includes the data used in Contactless Interface, and they could not be used or share between Contact and Contactless interface. Each data in this DGI A022 could be read using GET DATA command or updated using PUT DATA command after the Personalization process. The data in each record must be personalized using VALUE only according to defined order and length without [TLV - TAG] value and [TLV - LENGTH] value Accumulator 1 Control (Contactless) Tag: 'DF12' Length: 1 Description: Holds configuration information that controls the use and operation of Accumulator 1 when the contactless interface is active. Byte 1 b8-7 Accumulation Mode 00: Never 01: Accumulate CVM transactions 10: Accumulate NoCVM transactions 11: Always b6 Use CVR Dependency b5 RFU b4 Offline PIN Reset` b3 Show b2-1 Include In Issuer Application Data 00: Do Not Include 01: Include Accumulator As Value 10: Include As Balance 11: RFU Accumulator 1 CVR Dependency Data (Contactless) Tag: 'DF29' Length: 3 Description: Contains CVR comparison data to determine if Accumulator 1 becomes active if a given CVR pattern occurs when the contactless interface is active. If (Condition Mask AND CVR [Input Byte Number]) = Comparison Value then the condition is satisfied for the use of Accumulator 1. Byte 1 34