6.3 Static Data Authentication (SDA)

During SDA processing, the terminal uses RSA public key verification technology to validate that key data elements on the card have not been altered since card personalization.

6.3.1 Card Data

The terminal uses the card data elements described in Table 6–2 in SDA processing or in processing related to SDA processing. Appendix A, Card and Issuer Data Element Tables, contains detailed descriptions of the card data elements and their usage.

Table 6–2: Card Data Used in SDA

Certificate Authority Public Key Index (PKI)
Provided by the CA with the Issuer PK Certificate. It identifies the payment scheme public key in the terminal to use for verifying the Issuer PK Certificate.

Issuer Public Key Certificate
The certificate containing the Issuer Public Key that has been signed with the Visa CA Private Key. This certificate is described in the Issuer Public/Private Keys section of this chapter.

Issuer Public Key Exponent
The exponent used in the RSA algorithm to recover the Issuer PK Certificate. The Issuer Public Key exponent shall be 3 or 2^16 + 1.

Issuer Public Key Remainder
The portion, if any, of the Issuer Public Key that does not fit into the Issuer PK Certificate.

Registered Application Identifier (RID) portion of the Application Identifier (AID)
The RID is registered with International Organisation for Standardisation (ISO) and identifies the payment scheme specific list of public keys that is stored in the terminal. Visa’s RID is “A000000003”.

Signed Static Application Data (SAD)
A signature used in the validation of the card’s static data. The SAD is signed with the Issuer Private Key and is placed on the card during the personalization process. The format of the SAD is shown in the EMV 4.0, Book 2, Table 5. The format of the data elements to be hashed are in the same EMV document in Table 2. The following data elements are recommended for inclusion in the signature generation:

Application Interchange Profile (if either method of DDA is supported)
Application Effective Date
Application Expiration Date
Application PAN
Application PAN Sequence Number
Application Usage Control
Cardholder Verification Method (CVM) List
Issuer Action Code—Default
Issuer Action Code—Denial
Issuer Action Code—Online
Issuer Country Code (“5F28”)

If the signed data is not unique within the application, multiple SADs must be supported. An example of when this data might not be unique is when a card has different CVM Lists for domestic and international transactions and the CVM List is used in the signature. See Chapter 4, Initiate Application Processing, for an explanation of the Geographic Restrictions check and how different data can be specified.

If the card supports the ability to change any of the signed data elements after the card has been issued to the cardholder, the capability to change the SAD shall also be supported.

SDA Tag List
Contains the tag of the Application Interchange Profile (AIP) if it is to be signed. Tags other than the tag of the AIP shall not be present in the SDA Tag List. The AIP is recommended for inclusion in the SDA Tag List if either method of DDA is supported.

Visa Integrated Circuit Card Card Specification, Version 1.4.0

The card uses the data element described in Table 6–3 in processing related to SDA.

Table 6–3: Offline Data Authentication—SDA Related Card Data

Card Verification Results (CVR)
Contains an indicator that is set during Card Action Analysis of subsequent transactions showing that SDA failed on a previous offline-declined transaction.

SDA Failure Indicator
If SDA fails and the transaction is declined offline, this indicator is set during Card Action Analysis. It is reset during Completion of a subsequent online transaction based upon Issuer Authentication conditions.

6.3.2 Terminal Data

The card uses no terminal data during SDA.

6.3.3 Commands

No commands are utilized in SDA processing.

6.3.4 Processing

The card performs no processing during SDA.

During SDA, the terminal uses RSA public key verification technology to recover and validate the Issuer Public Key and to validate the SAD from the card. The terminal’s SDA processing steps are described in more detail in the Terminal volume of this document and in the EMV 4.0, Book 2, Chapter 5, and are summarized below:

1. Retrieval of the CA Public Key

The terminal uses the PKI and the RID from the card to determine which Visa CA Public Key to use.

2. Retrieval of the Issuer Public Key

The terminal uses the Visa CA Public Key to unlock the Issuer PK Certificate and recover the Issuer Public Key.

3. Verification of Signed Static Application Data

a. Recover hash value—The terminal uses the Issuer Public Key to verify the SAD to obtain the hash of the signed data elements. This hash was generated for card personalization by concatenating key data elements and using a hashing algorithm to convert them into a single data element.

b. Calculate hash value—The terminal calculates a hash value using data elements which were previously read in the clear from the card and designated in the Application File Locator (AFL) and Static Data Authentication Tag List.

c. Compare hash values—The terminal verifies that the hash recovered from the signature matches the hash calculated from the cleartext card data.

If all of the SDA steps are successful, SDA has passed.
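The following is an added example, not code from this specification or from Visa, that models the terminal side of steps 1 to 3 in pure Python using the data elements of Table 6–2. Everything card-specific is constructed for the demo: the key sizes (a 64-byte CA modulus and a 48-byte Issuer modulus, chosen so that 20 bytes of the Issuer Public Key spill into the Issuer Public Key Remainder), the CA key table keyed by (RID, PKI), the Issuer Identifier, PAN, AFL records, AIP and the SAD itself. The recovered-data layouts follow the EMV Book 2 formats the text cites (header 6A and trailer BC, certificate format 02, SAD format 03, SHA-1 as the hash algorithm), signatures are raw RSA signature recovery, and the public exponent is 3, one of the two values Table 6–2 permits. `terminal_sda` returns True only when the CA key is found, the Issuer PK Certificate verifies against the PAN and the Issuer Public Key is recovered, and the hash recovered from the SAD matches the hash of the cleartext records plus the AIP; the demo key generator is deliberately small and is not for production use.

```python
# Toy pure-Python model of the terminal side of SDA. Constructed for the demo: key sizes,
# CA key table, issuer identifier, PAN, card records and SAD. Layouts follow EMV Book 2.
import hashlib
import hmac
import random

def _is_probable_prime(n, rng, rounds=16):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_rsa_key(bits, e, rng):
    """Demo-only key (n, e, d); primes have their top two bits set so n is exactly `bits` long."""
    def prime(k):
        while True:
            p = rng.getrandbits(k) | (3 << (k - 2)) | 1
            if (p - 1) % e and _is_probable_prime(p, rng):  # keeps e invertible mod phi
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def nbytes(n):
    return (n.bit_length() + 7) // 8

def rsa_raw(block, n, exp):
    """Raw RSA on one modulus-sized block: exp=d signs at personalisation, exp=e recovers."""
    return pow(int.from_bytes(block, "big"), exp, n).to_bytes(nbytes(n), "big")

def recover_issuer_key(cert, remainder, exponent, ca_n, ca_e, pan):
    """Step 2: recover the Issuer PK modulus from its certificate, or None on any failed check."""
    nca = nbytes(ca_n)
    if len(cert) != nca:
        return None
    rec = rsa_raw(cert, ca_n, ca_e)
    # header 6A, certificate format 02, hash/PK algorithm indicators 01/01, trailer BC
    if rec[0] != 0x6A or rec[1] != 0x02 or rec[11:13] != b"\x01\x01" or rec[-1] != 0xBC:
        return None
    digest = hashlib.sha1(rec[1:nca - 21] + remainder + exponent).digest()
    if not hmac.compare_digest(digest, rec[nca - 21:nca - 1]):
        return None
    if not pan.startswith(rec[2:6].hex().rstrip("f")):  # Issuer Identifier must match the PAN
        return None
    # rec[13] is NI; modulus bytes beyond NCA-36 arrive in the Issuer PK Remainder
    return int.from_bytes((rec[15:nca - 21] + remainder)[:rec[13]], "big")

def sad_message(ni, dac, static_data):
    """SAD plaintext: 6A, format 03, hash algorithm 01, DAC, BB padding, SHA-1 hash, BC."""
    body = b"\x03\x01" + dac + b"\xBB" * (ni - 26)
    return b"\x6A" + body + hashlib.sha1(body + static_data).digest() + b"\xBC"

def verify_sad(sad, issuer_n, issuer_e, static_data):
    """Step 3: recover the hash (3a), hash the cleartext card data (3b), compare (3c)."""
    ni = nbytes(issuer_n)
    if len(sad) != ni:
        return False
    rec = rsa_raw(sad, issuer_n, issuer_e)
    if rec[0] != 0x6A or rec[1:3] != b"\x03\x01" or rec[-1] != 0xBC:
        return False
    calc = hashlib.sha1(rec[1:ni - 21] + static_data).digest()
    return hmac.compare_digest(calc, rec[ni - 21:ni - 1])

def terminal_sda(card, ca_table):
    """Steps 1-3: CA key by (RID, PKI), Issuer PK from its certificate, then the SAD check."""
    ca = ca_table.get((card["rid"], card["pki"]))
    if ca is None:
        return False
    issuer_n = recover_issuer_key(card["cert"], card["remainder"], card["exp"], *ca, card["pan"])
    if issuer_n is None:
        return False
    static = b"".join(card["afl_records"]) + card["aip"]  # AFL records, then AIP via SDA Tag List
    return verify_sad(card["sad"], issuer_n, int.from_bytes(card["exp"], "big"), static)

def build_sample_card(seed=7):
    """Constructed CA, issuer and card. NCA = 64 bytes, NI = 48, so 20 bytes go in the remainder."""
    rng = random.Random(seed)
    ca_n, ca_e, ca_d = make_rsa_key(512, 3, rng)
    is_n, is_e, is_d = make_rsa_key(384, 3, rng)
    pan, exp, aip = "4761739001010010", bytes([is_e]), b"\x40\x00"
    mod = is_n.to_bytes(48, "big")
    # fields 2-10: format, issuer id (PAN prefix, F-padded), expiry MMYY, serial, algs, NI, exp len, PK
    body = (b"\x02" + bytes.fromhex("476173FF") + b"\x12\x30" + b"\x00\x00\x01" + b"\x01\x01"
            + bytes([48, 1]) + mod[:28])
    rem = mod[28:]
    cert = rsa_raw(b"\x6A" + body + hashlib.sha1(body + rem + exp).digest() + b"\xBC", ca_n, ca_d)
    records = [bytes.fromhex("5A08" + pan + "5F2403251231"), bytes.fromhex("5F28020840")]
    sad = rsa_raw(sad_message(48, b"\x00\x00", b"".join(records) + aip), is_n, is_d)
    card = dict(rid="A000000003", pki=0x01, pan=pan, cert=cert, remainder=rem, exp=exp,
                afl_records=records, aip=aip, sad=sad)
    return card, {("A000000003", 0x01): (ca_n, ca_e)}
```

Two design points worth noting for a terminal implementer: every check (length, header and trailer, format and algorithm indicators, hash, Issuer Identifier against the PAN) is a hard failure that yields "SDA failed", and both hash comparisons use `hmac.compare_digest` rather than `==` so that the comparison does not leak which prefix of the hash matched. Changing a single byte of an AFL record, the AIP, the certificate or the remainder, or presenting a PKI the terminal does not hold, makes `terminal_sda` return False.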