
Issuing

Issuing focuses on issuing payment cards and provisioning mobile payment tokens. The following sections cover these issuing topics:

- PIN and offset generation
- EMV key generation and derivation
- Mobile payment token issuance
- CVV generation

PIN and offset generation

For both PIN generation methods described in this section, the issuing bank associates PINs with an algorithm based on a 3DES encryption key, referred to as a PIN verification key (PVK). A PIN generated from the customer's account or card number and the PIN verification key is called the natural PIN.

In the past, issuers did not allow customers to select their PIN. Instead, the bank would send the natural PIN to customers in the mail and force them to use the designated PIN. Now, most banks allow customers to select their own PIN. This is done by taking the PIN verification key, the customer account number, and the chosen PIN, then sending them to an HSM, which compares the natural PIN against the customer-selected PIN and determines the difference. The difference is referred to as the PIN verification value for the Visa PVV method and the offset for the IBM 3624 method.

Visa PVV

The Visa PVV algorithm performs a multiple encipherment of a value, called the transformed security parameter (TSP), and an extraction of a 4-digit PVV from the ciphertext.

You can use the GVWW Excrypt command to generate a random Visa working key for use in the Visa network.

IBM 3624 (offsets)

The IBM 3624 algorithm generates an n-digit PIN based on account-related or person-related validation data. The assigned PIN length parameter specifies the length of the generated PIN.

You can use the GOFF Excrypt command to generate a PIN offset for use in the IBM 3624 network.

Common PIN and offset generation commands

This section contains PIN and offset generation commands for the Excrypt, Standard, and International command sets.

Excrypt

| Command | Description |
| --- | --- |
| GNOF | Generate new offset |
| GOFC | Generate offset of clear PIN |
| GOFF | Generate PIN offset value |
| GPIN | Generate PIN (Diebold method) |
| GPIN | Generate PIN (IBM 3624 method) |
| GPIN | Generate PIN (Visa method) |

Standard

| Command | Description |
| --- | --- |
| 34 | Generate clear PIN and offset |
| 386 | Generate MAC (DUKPT) |
| 38C | Derive DUKPT initial PIN encryption key |
| 3D | Generate IBM 3624 offset |
| 3FA | Generate PIN and PVV |

International

| Command | Description |
| --- | --- |
| BK | Generate IBM 3624 PIN offset |
| DE | Generate IBM PIN offset |
| DG | Generate Visa PIN verification value (PVV) |
| EE | Derive PIN using the IBM method |
| FW | Generate Visa PIN verification value (of a customer-selected PIN) |
| JA | Generate random PIN |

EMV key generation and derivation

Europay, Mastercard, and Visa created the EMV standard, a payment method based on a technical standard for smart payment cards, payment terminals, and ATMs that can accept them.

EMV cards are smart cards, also called chip cards, which store their data on integrated circuit chips (ICCs), in addition to magnetic stripes for backward compatibility. These include cards that you physically insert (or dip) into a reader and contactless cards that can be read over a short distance using near-field communication technology.

Payment cards that comply with the EMV standard are often called chip-and-PIN or chip-and-signature cards, depending on the authentication methods employed by the card issuer, such as a personal identification number (PIN) or digital signature.

Outside the United States, the chip-and-PIN process is more common. It requires a secret four-digit PIN code known only by the cardholder to validate the EMV payment, making it significantly more secure. In the U.S., companies have opted for issuing chip-and-signature cards, weighing the risk of fraudulent transactions against the desire to make the purchasing process as seamless as possible for consumers.

Common EMV key generation and derivation commands

This section contains EMV key generation and derivation commands for the Excrypt, Standard, and International command sets.

Excrypt

| Command | Description |
| --- | --- |
| EMVG | Generate master key |
| EMVK | Derive key from vendor master key and derivation data |
| EMVM | Generate/verify MAC |
| GCIV | Generate a CVC IV |
| GDAC | Generate a data authentication code (DAC) |
| GDCV | Generate DCVC3 |
| GEMC | Generate EMV ICC certificate |
| GEMQ | Generate EMV issuer CSR |
| GIDN | Generate an ICC dynamic number (IDN) |
| GOPC | Generate offset and EMV PIN change |
| GVDC | Generate a dynamic CVV |
| OFPC | Perform EMV PIN change using offset |
| SSAD | Sign static authentication data with issuer private key |

Standard

| Command | Description |
| --- | --- |
| 352 | EMV message authentication code (MAC) generation |
| 354 | Generate smart card master key |
| 368 | Create limited use key (LUK) |

International

| Command | Description |
| --- | --- |
| KE | Generate an EMV issuer CSR |
| KI | Derive ICC key and encrypt under KEK |
| KO | Generate an EMV ICC certificate and sign with issuer private key |
| KU | Generate secure message with integrity and optional confidentiality |

Mobile payment token issuance

The pay brands (such as Google Pay, Apple Pay, Samsung Pay, and so on) govern mobile payment tokens. To issue mobile payment tokens to a device, the card issuer (such as Wells Fargo, Chase, Bank of America, and so on) must have a relationship with the particular pay brand to which it plans to issue the mobile payment token. Each pay brand has specific data structures and encryption methods required to communicate a token to a device, so the card issuer must support those methods for it to work.

Common mobile payment token issuance commands

This section contains mobile payment token issuance commands for the Excrypt command set.

Excrypt

| Command | Description |
| --- | --- |
| GHMC | Generate HCE mobile cryptogram |
| GHMD | Generate HCE magstripe verification value |
| GHMK | Generate HCE mobile keys |

The Standard and International command sets do not support mobile payment token issuance.

Card verification value generation

A card verification value (CVV) is similar to a PIN, except it is not a secret value. A CVV is generated from a card verification key (CVK): the CVK is the base key, and the CVV is derived from that key and the customer account or card number. Originally, CVV validated that a user has the original card and not a cloned card.

CVV has generation and verification commands but no translation commands, because the CVV is not encrypted between the hops.

Common CVV generation commands

This section contains CVV generation commands for the Excrypt, Standard, and International command sets.

Excrypt

| Command | Description |
| --- | --- |
| CAAV | Calculate account holder authentication value |
| GCAV | Generate CAVV |
| GCAV | Generate American Express (Amex) CSC value |
| GCVC | Generate CVC and CVC2 |
| GCVV | Generate CVV/CVC value |
| GDDC | Generate Discover dynamic CVV |
| GVDC | Generate dynamic CVV |
| GIDN | Generate ICC dynamic number (IDN) |

Standard

| Command | Description |
| --- | --- |
| 35B | Generate American Express (Amex) CSC value |
| 5D | Generate card verification value (CVV) |

International

| Command | Description |
| --- | --- |
| CW | Generate Visa card verification value (CVV) |
| RY | Generate random CSCK |
| RY (mode 3) | Generate card security codes for CSCK |
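The IBM 3624 offset described under PIN and offset generation, worked through as an added example (not vendor code, and not how any particular HSM exposes the operation): it models the arithmetic an HSM performs internally after encrypting the validation data under the PVK. The ciphertext constant is constructed for illustration, the decimalization table is the commonly used one and is an assumption, and all function names are hypothetical.

```python
import hmac

# Commonly used decimalization table; issuers can configure their own (assumption).
DEFAULT_DEC_TABLE = "0123456789012345"
# Constructed stand-in for the HSM's 3DES encryption of the validation data under the PVK.
SAMPLE_CIPHERTEXT = "3F7C2201A9B4D85E"


def decimalize(cipher_hex, table=DEFAULT_DEC_TABLE):
    """Map every hex nibble of the ciphertext to a decimal digit via the table."""
    if len(table) != 16 or not table.isdigit():
        raise ValueError("decimalization table must be 16 decimal digits")
    return "".join(table[int(nibble, 16)] for nibble in cipher_hex)


def natural_pin(cipher_hex, pin_len, table=DEFAULT_DEC_TABLE):
    """Natural PIN: the leftmost pin_len digits of the decimalized ciphertext."""
    if not 1 <= pin_len <= len(cipher_hex):
        raise ValueError("assigned PIN length out of range")
    return decimalize(cipher_hex, table)[:pin_len]


def pin_offset(natural, chosen):
    """Offset: digit-wise (chosen - natural) mod 10, with no carry between digits."""
    if len(natural) != len(chosen) or not (natural + chosen).isdigit():
        raise ValueError("PINs must be decimal strings of equal length")
    return "".join(str((int(c) - int(n)) % 10) for n, c in zip(natural, chosen))


def verify_pin(cipher_hex, offset, entered, table=DEFAULT_DEC_TABLE):
    """Recompute natural PIN + offset (mod 10 per digit) and compare in constant time."""
    nat = natural_pin(cipher_hex, len(offset), table)
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, entered)


if __name__ == "__main__":
    nat = natural_pin(SAMPLE_CIPHERTEXT, 4)
    off = pin_offset(nat, "1234")
    print(nat, off, verify_pin(SAMPLE_CIPHERTEXT, off, "1234"))
```

Because the offset is not secret on its own, the issuer can store it in the card record, while the PVK and the natural PIN stay inside the HSM.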
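The Visa PVV steps described above (building the TSP, then extracting four digits from the ciphertext), as an added example that is not part of the original page or any vendor's code. The encryption under the PVK happens inside the HSM and is not reproduced here; the PAN, PVKI, PIN and ciphertext values are constructed, and the function names are hypothetical.

```python
import hmac
import string

# Constructed stand-in for the HSM's encipherment of the TSP under the PVK.
SAMPLE_CIPHERTEXT = "AB3F9C0D71E24F56"


def build_tsp(pan, pvki, pin):
    """TSP: 11 rightmost PAN digits excluding the check digit, PVKI, leftmost 4 PIN digits."""
    if not pan.isdigit() or len(pan) < 12:
        raise ValueError("PAN must be at least 12 decimal digits")
    if len(pvki) != 1 or pvki not in string.digits:
        raise ValueError("PVKI must be a single decimal digit")
    if not pin.isdigit() or len(pin) < 4:
        raise ValueError("PIN must be at least 4 decimal digits")
    return pan[-12:-1] + pvki + pin[:4]


def extract_pvv(cipher_hex):
    """Scan the ciphertext left to right for decimal digits; if fewer than four
    are found, scan again mapping A-F to 0-5, and keep the first four digits."""
    h = cipher_hex.upper()
    if len(h) != 16 or any(c not in string.hexdigits for c in h):
        raise ValueError("ciphertext must be 16 hex characters")
    digits = [c for c in h if c in string.digits]
    if len(digits) < 4:
        digits += [str(ord(c) - ord("A")) for c in h if c in "ABCDEF"]
    return "".join(digits[:4])


def verify_pvv(cipher_hex, stored_pvv):
    """Compare the recomputed PVV with the stored one in constant time."""
    return hmac.compare_digest(extract_pvv(cipher_hex), stored_pvv)


if __name__ == "__main__":
    print(build_tsp("4000001234567899", "1", "1234"))  # constructed PAN and PIN
    print(extract_pvv(SAMPLE_CIPHERTEXT))
    print(extract_pvv("ABCDEF1AFFEE2DDC"))  # constructed case needing the second scan
```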