I stumbled upon this stackoverflow question : What encryption mechanism is used for EMV contactless transaction information ?
The answer is simple : none. The communication between an EMV card and a contactless reader is not encrypted. You can easily eavesdrop and record the exchanged APDUs, for example using the Fime SmartSpy contactless spy.
But that doesn’t mean you’ll be able to clone a card, or to perform transactions using the recorded dialog. Continue reading
When communicating with an EMV chip card, the card may reply to a command with error code SW1 SW2 = ’69 85′. In this post, we’ll analyze why this error code may be returned in response to the VERIFY command.
The VERIFY command “initiates in the ICC the comparison of the Transaction PIN Data sent in the data field of the command with the reference PIN data associated with the application”, as defined in EMV 4.3 book 3, section ‘6.5.12 VERIFY Command-Response APDUs‘. Status word ‘6985’ is defined as “Command not allowed” (“conditions of use not satisfied”), in EMV 4.3 book 3, section ‘6.3.5 Coding of the Status Bytes. This error code may be returned in several situations, here are a few common ones :
When communicating with an EMV chip card, the card may reply to a command with error code SW1 SW2 = ’69 85′. In this post, we’ll analyze why this error code may be returned in response to the GET PROCESSING OPTIONS (GPO) command.
The GPO command “initiates the transaction within the ICC“, as defined in EMV 4.3 book 3, section ‘6.5.8 GET PROCESSING OPTIONS Command-Response APDUs‘. Status word ‘6985’ is defined as “Command not allowed” (“conditions of use not satisfied”), in EMV 4.3 book 3, section ‘6.3.5 Coding of the Status Bytes. This often happens when the GPO command contains an invalid response to the card Processing Data Options List (PDOL). Continue reading
A few days ago, I stumbled upon an article from Jeremy Gumbley (CreditCall) titled “EMV in the cloud – A Vision For The Future Of Global EMV Adoption“. Jeremy’s point is that by moving to the cloud most of the logic which resides within a point of sales terminal, retailers could save a lot of money. These new “dummy” terminals would require less maintenance, less upgrades, and their manufacturers wouldn’t have to go as often through the certification process. He’s right, but he’s ignoring EMV contactless transactions which are hardly “cloud-compatible”. Continue reading