The present invention relates to dynamic authentication of a user device using emulated mag stripe wireless transmission, and in particular to smart phones or similar devices with transaction applications.
Credit, debit and other payment cards in the US are now issuing with both an embedded chip and a mag stripe. Smart phones and other devices can have the chip and/or an emulated mag stripe. Cards with a mag stripe and a chip use a service code (2xx) that indicates there is also chip capability. There are, and will be for many years, various types of Point of Sale (POS) terminals. The main ones are as follows.
Legacy Mag Stripe Terminal.
With legacy mag stripe card readers, there is no ability to switch to using the more secure chip for a transaction, even though the card or phone has such capability. Thus, the mag stripe or emulated mag stripe is processed as an ordinary mag stripe transaction. It would be desirable to make use of the dynamic authentication capabilities of a chip on legacy mag stripe readers.
Combination Chip Card and Swipe Terminals.
When the user swipes the mag stripe in a Point of Sale (POS) reader with both, the reader detects a 3-digit service code (xxx). If the service code is 1xx, that indicates a mag stripe only card, and the card is processed accordingly. If the service code is 2xx, that indicates the card has chip capabilities. If the card has been swiped as a mag stripe, and a 2xx service code is detected, the reader will display a prompt to the user to insert the card so the chip can be read, which is a more secure transaction.
Contactless Terminal.
A contactless terminal works with smart phones and other devices with wireless Near Field Communication (NFC) and chip capability. They may or may not support mag stripes, and thus support mag stripe emulation. The terminal is constantly transmitting, and a phone with a payment application will detect this transmission and respond to begin a transaction.
In typical payment systems using a smart phone or similar device, a consumer enrolls with a mobile app running on a user's mobile device (e.g., cell phone, tablet computer, etc.). The enrollment process involves the user supplying a user's card information and user information. The user information can be used to create a mobile wallet. The card information can be used to communicate with the user's bank/financial institution associated with the card (card Issuer). Such a communication can involve one or more rounds of message exchanges for purposes of identification and verification. Further, the communication can also include exchange of digital tokens for authentication. When the consumer performs a transaction at a point of sale, the transaction can be NFC-based or alternately, a non-NFC-based transaction. A non-NFC-based transaction, for example, can be a magnetic stripe transmission.
Samsung's “Samsung Pay” service works with many existing magnetic strip payment terminals (except, for example, those that require detecting an actual card in the slot). If a terminal doesn't have NFC contactless capability, then using Samsung Pay service, it can leverage a Mobile Secure Transmission (MST) transaction, which emulates a swipe transaction through the swipe reader on the terminal. That's an alternative way to make a contactless transaction at a traditional magnetic stripe reader which allows a card is to be dipped in/swiped inside a slot. Apple Pay® and Google's Android Pay™, on the other hand, use contactless NFC technology. In addition to MST, Samsung Pay™ also provides NFC-based transactions with POS terminals that are NFC-capable. Both Samsung Pay and Apple Pay leverage the power of tokenization, in which a user's card details are “provisioned” onto a smart device (without the card details being actually stored on the phone) and at no point is that card information given to the merchant as part of the transaction.
Android Pay generates a 16 digit token (same length as a card number) in the cloud, and transmits it to the phone, which then provides it to the POS. Samsung Pay uses either NFC or mag stripe emulation—Magnetic Secure Transmission (MST), and thus can work with legacy readers. A 16 digit token is provided, similar to Android Pay. A fingerprint or PIN is required to use the payment application. In spite of the extra security provided by Samsung Pay, the legacy card reader thinks it is a mag stripe, and the receiving banking network treats it like a mag stripe. This means, under new regulations adopted in October 2015, the merchant is liable for fraudulent card use, since the merchant hasn't upgraded to a chip-reader POS.
More details are useful to understand the invention. The stripe on the back of a credit/debit card is a magnetic stripe, often called a magstripe. The magstripe is made up of tiny iron-based magnetic particles in a plastic-like film. Each particle is typically a tiny bar magnet about 20-millionths of an inch long. The magstripe can be “written” because the tiny bar magnets can be magnetized in either a north or a south pole direction. There are three tracks on the magstripe. A magstripe reader can understand the information on the three-track stripe. Each track is about one-tenth of an inch wide. The ISO/IEC standard 7811, which is used by banks, specifies: 1) Track one is 210 bits per inch (bpi), and holds 79 6-bit plus parity bit read-only characters, 2) Track two is 75 bpi, and holds 40 4-bit plus parity bit characters, and 3) Track three is 210 bpi, and holds 107 4-bit plus parity bit characters. Credit card issuers typically use only tracks one and two for transactions. Track three is a read/write track (which includes an encrypted PIN, country code, currency units and amount authorized), but its usage is not standardized among banks.
The format for track two, developed by the banking industry, is as follows:
Start sentinel—one character
Primary account number—up to 19 characters
Separator—one character
Expiration date or separator—four characters or one character
Service Code—three characters
Card Discretionary data—enough characters to fill out maximum record length (40 characters total)
LRC—one character
The Card Discretionary data can include PIN data, CVV data, and additional discretionary data. A chip card includes data that is similar to a magnetic stripe card, typically referred to as Track 2 and Track 1 equivalent data. In particular, the layout for chip Track 1 and Track 2 equivalent magnetic stripe data is similar to that of a magstripe card, with one notable difference, the replacement of some of the data fields (the issuer discretionary data) with dynamically introduced values. The chip on the card allows calculation of a dynamic card verification value (dCVV) based on a card-unique derived key and a simple application transaction counter (ATC) and potentially data from the terminal, whenever possible or applicable. The dynamic card verification value is passed in the track 1 or track 2 equivalent data in the issuer discretionary data field and sometime even in the same location that was used for the original card verification value. The application transaction counter (ATC) is also inserted in the area reserved on the track layout for issuer discretionary data. The dynamic card verification value enhances the security of the transaction versus the static card verification value/code or card ID (CVV/CVC/CID) used in magnetic stripe transactions. The use of dynamic data in the transaction prevents replay attacks (no transaction can be done twice) and card cloning or skimming (the card key never leaves the protection of the smart card memory).
Traditionally, in a contactless mode, there can be two modes of operation, a Mag Stripe Data (MSD) mode and an EMV mode1. In the MSD mode, following the interaction between the payment instrument and the terminal, the transaction is processed using the existing and legacy magstripe rail including the delivery of the track 1 data as a core part of the authorization request. Although the MSD mode is not the most secure mode, it nevertheless has a great benefit of easier implementation and could be deployed with minimal changes on the merchant and the acquirer infrastructure. The MSD mode currently exists for most of the payment networks implementation including Amex, Discover, MasterCard, Visa, JCB and Union Pay. 1EMV (Europay MasterCard Visa), is a technical standard for smart payment cards and for payment terminals and automated teller machines which can accept them. EMV cards are smart cards (also called chip cards or IC cards) which store their data on integrated circuits rather than magnetic stripes, although many EMV cards also have stripes for backward compatibility.
In the EMV mode, the chip solution uses additional data elements including data from the terminal to calculate cryptographic values (cryptograms) that are intended to protect and secure the transaction but nevertheless require the development of a new path to deliver the additional data. It is for that reason that the EMV implementation requires more significant changes on the merchant and the acquirer infrastructure to support the EMV mode. The MSD mode uses what is usually being referred to as the dCVV (dynamic Card Verification Value) while the EMV mode uses the notion of the Cryptogram. The majority or the contactless infrastructure deployed in the US is based on the MSD mode and hence as the U.S. migrates to EMV, the payments infrastructure will need to continue to support contactless MSD for some period of time to allow acceptance of existing contactless cards and devices, while adding support for contactless EMV. Generally speaking, contactless EMV cards are also known as chip cards.
A POS terminal is equipped with a magnetic stripe interface and a chip interface supporting contact or contactless. According to preferred standards in the financial industry, a party that does not provide chip support takes liability for any resulting card-present counterfeit fraud losses. If both parties do not support chip, existing rules apply, i.e. the liability is on the issuer. Thus, for example, if an issuer of a card provides chip support, but a merchant doesn't provide chip support, then the merchant takes liability. A merchant is required to comply with the rules of the financial industry, and thus there is some incentive for the issuer to move the liability of a transaction to a merchant.
The difference is between chip cards and magnetic stripe cards as far as track data goes is the difference in the Service Code of these two types of cards. The Service Code is a 3 digit number. In particular, the Service Code for a chip-enabled card starts with a 2 indicating to the terminal reading the magnetic stripe that the card is chip-enabled and should be treated accordingly if the terminal is able to support the chip rules. For magstripe only cards, the Service Code starts with a 1.
The Service Code can thus be represented as 1XX or 2XX. If a service code of 1XX is detected, the data will be forwarded as mag stripe data, which has a lower level of security. If a 2XX code is detected by a POS that supports a chip reader, additional data can be read to improve the security of the data.
The 2XX Service Code thus indicates a more secure transaction because either a secure element is present (Apple phones) or the phone receives keys from a server and has other restraints to make the transmission more secure (Android, Samsung phones). A secure element (SE) is a tamper resistant Smart Card chip that facilitates the secure storage and transaction of payment and other sensitive credentials, e.g., a secure element stores tokens, keys, and chip data. A secure element card can be used in both a contactless and a contact mode. A secure element utilizes uniquely-derived cryptographic keys for providing security to transactions. A secure element can be included within a debit or credit card. In some scenarios, a secure element can also be included within a mobile phone, e.g., as a part of a NFC stack inside a mobile phone. In some other elements, a secure element can be included within a chip card. Thus, a payment device can be any electronic device with an embedded chip, e.g., a chip card, a tablet, a watch, a wearable electronic device, a mobile phone, etc.
HCE (Host Card Emulation), enables NFC devices to perform contactless transactions in card emulation mode without a secure element. The payment credentials and payment application are stored, like other applications, on the phone but not in a secure element. HCE allows the NFC controller to route communication from the contactless reader or POS terminal to an HCE service on the mobile device's host CPU. In HCE, the payments application resides on the phone's operating system and interacts with the cloud system and the NFC controller directly. There is no need for a card issuer to use SIM or other secure element for making contactless NFC mobile payments.
MST (Magnetic Secure Transmission) generates an alternating current through an inductive loop of changing magnetic fields. The signal received from the device emulates the same magnetic field change as a magnetic stripe card when swiped across the same read head. In order to keep the transaction secure, MST only exists during the transmission process. MST does not require merchants to make changes to their existing payment systems.