I'm am currently working on a POS web app, where we use the credit card swipe functionality. I'm planning to use the card reader:
MagTek 21073062 Dynamag Magnesafe Triple Track Magnetic Stripe Swipe Reader with 6' USB Interface Cable, 5V, Black
I tried out swiping the credit card and get my final card data as follows:
"%B4111111111111111^FIRST/LAST^1010000000000000000000000000000?;4111111111111111=11111111111111119080000000000000000?|0600|F8861EC73F7BD2790D4EE2DBB7935B039DE9653DE90D240C1257E225FBB987837B779D29246D9D516A94FE9F770396FE6AD2A5F3312108DF35BB512F4BA22A84FF3BB6CDFC008024|669078686F127D2A0660BBBE6C7BD3F708ED1B42216F41E37F3DCF59DB02C77452337456C9F5141D||61403000|190894CFA8A9E46A350C2E758DC1D83A798980BF5319298583E13DC98C62272C8C732D07B2713B1FACE8DBF6CE16B57C94360610CD6FFE46|B2E15B9061015AA|789A6E205C421D40|9011080B2E15B9004018|1CA3||1000"
Data interpreted to according to Financial Cards
The card number according the response above, the card number is "4111111111111111"(for representation purpose). The problem is the number in the response is not correct. The first 6 digits and the last 4 digits seems to be fine, but the digits(6 in this case) in the middle seems to be incorrect(does not match with the swiped card). This happens to all the cards I swipe. Tried the same card multiple times(to check if hardware problem) , still the same result.
Any help on this issue will be appreciated.Thanks in advance.
Related
I have card numbers in format like 123456xxxxxx7890. How can i test if it's regular card or any other service like ApplePay/GooglePay/etc?
Just boolean answer yes/no is more than enough for my needs. Is there any logic? Or database?
I've tried to look up at binlist.net service but it doesn't detect it unfortunately (shows wrong banks for 10 card IINs that i have).
we will never know if the card is regular card or applepay /google pay card
applepay/gpay generates a unique card number for each original card and we cannot obtain the original card details from it
I'm trying to detect whether a contactless enabled smartcard or a mobile device equipped with ApplePay, Google Pay, or Samsung Pay was used for a contactless EMV transaction.
I have been researching via the EMV books, and there seems to be a tag 9F6E provides this sort of data:
EMV Book 3 - VISA
EMV Book 4 - MasterCard
Questions:
VISA provides a 4 byte value in the field 9F6E, but I can't find a list of possible values and their meanings anywhere. The EMV book says "out of scope". Is there anyway to reliably convert this to a known form factor?
MasterCard provides data 2 bytes for the form factor, but I'm seeing values that I don't undestand (32 31 ascii = 21). Is there a list of values and meanings somewhere for these?
Is there an easy way to understand if CDCVM has been used for a given contactless transaction, so that I could separate contactless transactions from contactless with CDCVM transactions?
Google Pay is using cloud-based payments while Apple is using an embedded secure element. You can find this tag on 9F6E form factor on Visa. However, it might be different for Master Card or Amex.
To fix this correctly, you might want to check the EMV tag 9F19 which returns to the token requestor ID. Check EMV payment tokenization for this spec. Token requestor ID looks like this:
MasterCard
50110030273 – APPLE_PAY
50120834693 – ANDROID_PAY
50139059239 – SAMSUNG_PAY
Visa
40010030273 – APPLE_PAY
40010075001 – ANDROID_PAY
40010043095 – SAMSUNG_PAY
40010075196 – MICROSOFT_PAY
40010075338 – VISA_CHECKOUT
40010075449 – FACEBOOK
40010075839 – NETFLIX
40010077056 – FITBIT_PAY
40010069887 – GARMIN_PAY
Refer the below documents. You will require Visa Online and MasterCard connect access to get these.
VCPS_2.2 Spec
M/ChipRequirements For Contact and Contactless Spec
check in CVM and CVR inside 9F10
I believe it is also possible to detect if the transaction was performed by a mobile device by using tag 0x82 (Application Interchange Profile). I believe this is a better approach because it will be the same regardless of card brand (as long as the card brand in question followed EMVCo's spec correctly.
Here is a link to EMV Co Contactless Book.
https://www.emvco.com/wp-content/uploads/2017/05/C-4_Kernel_4_v2.6_20160512101635327.pdf
Screenshot Of Desired Table
Check Bit 7 (second most significant bit) of Byte 2 (Rightmost Byte). If it is 1 it came from a mobile device. The Application Interchange profile will always be 2 Bytes.
When the card is generating arqc algorithm, does card number play any role ? In other words: having 2 brand new cards with ATC set to 0 and having the same CDOL, will they generate the same arqc ?
Card number and ATC are involved in session key generation. So every card will generate a different cryptogram.
Since I am not sure whether you are referring to the same card number (Assuming you were able to clone a card :) Still the cryptogram generated will be different for your first try for your both cards . If you look for CDOL, you can see an element unpredictable number( which is generated by terminal ). This is a 4 byte numeric field and chance of getting this generated same twice is very rare. Even in case where unpredictable number is same, still you need all other elements in CDOL same (amount, currency, country date atc etc) to get the same cryptogram. To block even this rare possibility issuers maintain the last used ATC for each card that it will not accept any ATC same or less. Hope it is clear.
Based on what data does a POS terminal decide if it needs to generate a ISO 8583 100 (Authorization Request) message or a ISO 8583 200 (Acquirer Financial Request) message.
Also how does POS decide if it needs to prompt the user to enter his card PIN or not.
Any reference to documents on ISO 8583 message generation at the POS will be very useful.
Thanks
A 200 message is what ISO 8583 calls a Financial Message. It is used to transfer funds into or out of a cardholder's account.
A 100 message is what ISO 8583 calls an Authorization Message. It is used to check that the card holder's account has enough funds to cover the amount of the transaction and to reserve that amount (and sometimes a little more) for a certain period of time. It does not actually take any funds from the account. At a later time, a 200 (actually a 220) message can be sent to take the money from the account).
100 message are usually used in situations where the transaction amount is not known at the time or where the delivery of the good or service is not immediate.
So for example, when you check into a hotel, the hotel wants to know that your account has enough funds to cover your expected stay (and maybe a little extra in case you order room service or use some other service), so a 100 message might be sent when you check in, and then at checkout time, a 220 message is sent to actually transfer the funds from your account.
See the "Message Class", "Message Function" and the "Examples" sections of this Wikipedia entry on ISO 8583.
As far as, "how does the Point of Sale (POS) device decide if it needs to prompt the user to enter his card PIN or not", there is no one answer that works in all situations, for all merchants, and in all countries.
For example, in some cases, PIN entry is required for all debit cards but not allowed for any credit cards. In these cases, the POS device needs to know whether the card being used is a debit card or a credit card. It can either ask the operator or it can attempt to use the card number and/or mag stripe to determine this. A table of account numbers or Account BIN numbers (the first few digits or the account number) can be stored in the POS and used to identify the type of card (sometimes). see Bank Card Number).
Sometimes just knowing whether a card is credit or debit is not enough, there are cards that can be used as either, there are debit card that can used without a PIN, and there are credit cards that allow/require PIN entry.
Both credit card terminal and credit card have a list of preferred customer verification methods, the most common ones being 'signature', 'PIN', and 'identification'.
The terminal then takes the verification method that is ranked highest by the card and supported by the terminal.
This is a question purely to satisfy my own curiosity.
Here in Norway it's common for netbanks to use a calculator-like (physical) dongle that all account holders have. You type your personal pin in the dongle and it generates an eight-digit code you can use to login online. The device itself is not connected to the net.
Anyone knows how this system works?
My best guess is that each dongle has a pregenerated sequence of numbers stored. So the login process will fail if you type an already used number or a number that is too far into the future. It probably also relies on an internal clock to generate the numbers. So far none of my programmer peers have been able to answer this question.
[Edit]
In particular I'm curious about how it's done here in Norway.
Take a look here: http://en.wikipedia.org/wiki/Security_token. If you are interested in the algorithms, these might be interesting: http://en.wikipedia.org/wiki/Hash_chain and http://en.wikipedia.org/wiki/HMAC.
TOKENs have very accurate real-time clock, and it is synced with same clock on the auth server. Real time is used as a seed along with your private key and your unique number is generated and verified on the server, that has all the required data.
One major one-time password system is Chip and PIN, in which bank cards are inserted into special, standalone card readers that accept a PIN and output another number as you describe. It is widely deployed in the UK.
Each bank card is a smart card. The card's circuitry is what checks the PIN and generates the one-time password. Cryptographic algorithms that such cards can use include DES, 3DES (Triple DES), RSA, and SHA1.
I recently went overseas and used the dongle there with no problems.
It is a sealed battery powered dongle. One pushes the button and a code number appears.
The only way it could work is that it is time synchronised to the bank.The number that is recruited only lasts for a minute if that.
A random number generator is used to create the stream of numbers recorded in the memory of the device.
It therefore becomes unique for the user and only the bank 'knows' what that random number generator produced for that particular user and dongle.
So there can only be one next number .
If the user makes a mistake, the bank 'knows' they are genuine because the next try is the next sequential number that is in the memory.
If the dongle is stolen the thief also has to have the other login details to reach the account.