Download - Achieving 100% Personalization Quality Controlicma.com/wp-content/uploads/2014/04/Brian-Summer...Technical development Failure analysis ... M/Chip Personalization Data Specifications

Br ian Summerhayes

Managing Director

Barnes Internat ional

© 2014 BARNES INTERNATIONAL LIMITED 1

Achieving 100% Personalization Quality Control

ICMA Manufacturing and Personalization Expo 2014

Agenda

Introducing Barnes

Card Certification Testing

Payment Application Personalization Validation

Personalization 100% Quality Control


Barnes International Ltd

© 2014 BARNES INTERNATIONAL LIMITED

22 year heritage

Leading international supplier of chip and magnetic stripe card test equipment

Specialist UK company – Offices in US: PA and CA

Installations worldwide (80+ countries)

Mission: to make complex labour intensive card tests simple and ensure excellent personalization quality control

3

Payment Application Personalization Validation


Certification and QC Testing


QC tools used by all leading card and ticket developers, manufacturers, personalizers and issuers for:

Technical developmentFailure analysisCompliance verification and Laboratory CertificationManufacturing quality assurance

Enable issuers to provide proven and certified cards and tickets to their customers

Cards require testing during development and production QC

Pre-certification testing required in order to pass card certification. Certification tools include

MasterCard CPV and FIME F-CPV test tools used by MasterCard for card certification

Visa GPR and VPA tools used by Visa Inc. for card certification

Amex card test scripts Discover and Diners D-PAS test scripts All these tools are available to Issuers to carry out

pre-certification testing of cards before submission to the certification laboratory

Card Certification Testing


Payment Scheme Card Certification


American Express

Discover/ D-PAS

MasterCard

Visa

MasterCard Personalization Validation (CPV)

CPV process Launched in 2008 2013 – Version 6.2 MasterCard Personalization Validation Tool – Release 2013 Requirements v6.2 June

2013 M/Chip Requirements 03 October 2013 M/Chip Personalization Data Specifications and Profiles 28 June 2013 PayPass – M/Chip Requirements 28 June 2013 PayPass Personalization Data Specifications, Version 1.8 – April 2013 M/Chip Card Personalization Standard Profiles 28 June 2013 M/Chip Card Personalization U.S. Market Standard Profiles 28 June 2013

Test Specifications

Accredited Laboratories


Qualified Test Tools

MasterCard CPV Certification


Visa Global Personalization Validation (GPR)

Visa Laboratories


Qualified Test Tools

US PR Test Specifications U.S. Personalization Validation Requirements – Test Cases v1.0 Jan 2014 (DRAFT)

Products Visa DB/CR, Electron, DPA, Plus, Interlink, US Common Debit

Specifications VIS 1.4.1, 1.5.x VCPS 2.0.2, 2.1.x VMCPS 1.4.x

Applets VSDC 2.7.1, 2.8.x and VMPA v.1.4.x Applets

VSDC Personalization Requirements for U.S. Implementations Version 3 Oct 2013

Visa GPR Certification


Other Schemes


American Express

Discover

Payment Scheme Testing


EMV + Amex, Discover/ D-PAS, MasterCard, Visa + National Specs, e.g. JCB, RuPay, SPAN, PBOC and Union Pay

Payment Scheme Standards – Data validation required

MasterCard CPV Certification: CPV Visa Global Personalization Requirements: US PR

Payment Scheme Certification Tools

Card Certification Laboratories

Card Quality Control in Production

Personalization Quality Control Testing


Card Personalization


Personalization is the process of writing data fields to the chip card and the magnetic stripe

Some of the data fields will be standard across all products e.g. Issuer Country Code

Some of the data fields will be unique to the cardholder e.g. Account Number (PAN) and cardholder name

The following slides examine some of the many personalization issues that we have personally experienced

Personalization Quality Control – Why?


Chip cards have far more complicated coding compared with a simple magnetic stripe

Chip cards have far more information inside them compared with a magnetic stripe

Dual interface cards are also complex to code with shared parameters

• Magnetic Stripe vs Chip Data

• Correct Keys • Validation vs

Payments Scheme

• Issuer/ Card Tag values

Personalization Test Example 1


Magnetic Stripe Only

Data on Track 1 & 2 missing

Transposition of Data Across Cards


Transposition of data:

Mrs Smith name inside the chip card and Mr Jones name on the magnetic stripe

Result of manufacturing hiccupCan be detected easily by performing quality control on

personalised cards (First, Middle and Last cards)

Now seeing fraudulent cards – where data on chip is totally different to that on magnetic stripe.

Occurs post issuance easily proven with a test tool

Cryptographic Errors


Numerous cryptographic errors on cards

DES Keys incorrect resulting in transaction cryptogram failure and/or script processing failure

SDA/DDA/CDA test DES Keys can easily be checked as part of QC

Even live DES keys can be checked if QC equipment connected to HSM

Formatting Errors


Formatting errors more difficult to detect. Examples include:

Incorrectly formatted account number, if number of digits is odd, pad with only a single “F” and not multiple “F”s12345 67891 234F ✔12345 67891 234FF FFFFF ✘

Production Issues


UK country code on cards issued abroad

Personalization preparation was outsourced to the UK and the data file exported back to another country for card productionIf it is a chip card issued to (say) a US customer inside the US

then the Issuer Country Code should be US irrespective of where the personalization data is created

Ongoing Quality Control


Fully personalised chip cards should be sent to the appropriate Scheme prior to issue for certification – a very sensible and valuable practice.

Errors on certified cards do happen

all errors in this section have been seen on live cardsconsider how many possible negative errors could be introduced –

hundreds of thousands of possible coding combinations - difficult to check all

certification processes and quality control tools constantly enhanced and improved

Personalization QC


Quality Control of the cards in manufacturing and during personalization is essentialChip cards – much more to go wrongChip cards are far more expensive than magnetic stripe and thus are costly

to reissueReputational/customer service impact can result in substantial lost revenue

Offline or Inline Quality Control of the cards during personalizationOfflineSingle Card tests with Batch Testing

InlineEnables 100% testing

Offline QC Testing Card Personalization Validation Testing Tool

Data Read OnlyMag Stripe + Contact Chip + Contactless Chip

Interpret s. EMV and payment schemes No validation

Data Explorer

Validates data to EMV and payment scheme requirements Confirms chip, Mag-stripe and embossing correlation

Identifies incorrect data

Contact and Contactless chip validation testsMultiple Application data validation -single card insertionMulti-level user interface for Production, QA & Bank personnel with complete analysis

facilities for Experts

Validation – Standard Card Perso Tool (“CPT”)

All the features of a CPT, PLUS: Test Script development Issuer scripts and Cryptography

Host Simulation + HSM interface (e.g. with Thales 9000 and Safenet)

Test Development – Card Analysis Tool

24© 2014 BARNES INTERNATIONAL LIMITED

Validation Test Report

1. Summary of Test

2. Individual Fail/ Observations with Explanatory Annotations

3. Refers to Applicable Specification

4. List of all Tests


3

4

2

1

Offline QC Testing Architecture

© 2008-2014 BARNES INTERNATIONAL LIMITED 26

CPT GUICard Reader Interface

Certification Test Scripts and Scenarios

QC Test Scripts and Scenarios

Bespoke Scripts & Scenarios

CPT Test Engine

Card Reader(s)Contact/ DI

Inline QC Testing Architecture


CPT with GUI

QC Test Scripts and Scenarios

Bespoke Scripts & Scenarios

CPT Test Engine

Perso Machine Interface ModuleCard Perso Machine

Inline QC Testing Card Personalization Validation

Machinery Manufacturer QC module(s) to collect dataMagnetic Stripe Contact and Contactless Chip Data Printed/ Embossed Data

Data Collection: Machine Modules

Validates data to EMV and payment scheme requirements Confirms chip, Mag-stripe and embossing correlation (depending on machine modules)

Identifies incorrect data or keys

Contact and Contactless chip validation testsMultiple Application data validation

Validation: CPT Test Engine

Good / Bad card result Bad card reject Test Result recorded – for audit purposes

Test Results can be saved

Reporting: Machine interface + CPT Report

28© 2014 BARNES INTERNATIONAL LIMITED

Data sent to card during Personalization


Data Elements

Magnetic StripeContact Chip DataContactless Chip Data (if DI or CL card)Cryptographic KeysEmbossing on card facePrinting, including CVV on reverse

For 100% QC All Data Elements should be Validated

Magnetic Stripe QC


Magnetic Stripe – standard QC

Collected by Magnetic Stripe read headReads all 3 tracksMagnetic stripe data sent to Perso Machine ControllerValidation vs input file

Drawback: System assumes data sent in Perso file was valid

Magnetic Stripe – QC data validated by a CPT

Collected by Magnetic Stripe read headReads all 3 tracksMagnetic stripe data sent via to Perso Machine Controller to CPTCorrelation vs ISO data rulesValidation vs input file & or against Magnetic Stipe equivalent data in ChipValidation of iCVV/ Chip CVC/ iCSC/ Chip CAV

Contact Chip QC


Contact Chip Data – standard QC

Chip ATR activated and read by Contact couplerATR sent to Perso Machine ControllerConfirms that chip is working

Drawback: Unable to fully validate personalised data

Contact Chip Data – QC data validated by a CPT

ATR activated and APDUs sent to the chip by Contact couplerAPDU responses data sent via to Perso Machine Controller to CPTCorrelation vs EMV, Payment Scheme Application rulesValidation of Tag values against test Scenario values (Issuer / card)Chip Data Validation vs Mag Stripe & Contactless ChipValidation that correct Keys were put onto the card

Contactless Chip QC


Contact Chip Data – standard QC

Chip ATS activated and read by Contactless couplerATS read and sent to Perso Machine ControllerConfirms that contactless chip is working

Drawback: Unable to fully validate personalised data

Contactless Chip Data – QC data validated by a CPT

ATS activated and APDUs sent to the chip by Contact couplerAPDU responses data sent via to Perso Machine Controller to a CPTCorrelation vs EMV, Payment Scheme Application rulesValidation of Tag values against test Scenario values (Issuer / card)Contactless Chip Data Validation vs Mag Stripe & Contact ChipValidation that correct Keys were put into the contactless chip

Embossing Verification


Embossing – standard QC

Camera recognition checks character impression on spent topping foil Uses OCR recognition to recreate embossing data Embossing sent to Perso Machine Controller Validation vs input file

Drawback: No validation against Mag Stripe or Chip cardholder data, issue and expiry dates

Embossing – QC data validated by CPT Camera recognition checks character impression on spent topping foil Uses OCR recognition to recreate embossing data Embossing sent via to Perso Machine Controller to CPT Validation vs Data personalised in Magnetic Stripe and Chip

Advantage: This is superior to an offline CPT where operator checks embossing against screen image

Card Stock Verification


Card Stock verification – standard QC

Vision system captures image of front and back of card including stock reference Images sent to Perso Machine Controller Validation vs images of correct card stock for the card batch

Drawback: Validation separate from the rest of card validation test

Card Stock verification – QC data validated by a Card Perso Tool Vision system captures image of front and back of card including stock reference Images sent via Perso Machine Controller to a Card Perso Tool (CPT) Card stock reference recorded in card validation file

PersoMachine Controller

EMV Card Perso Process


PersoData File

Mag-Stripe Encode Emboss Chip Perso

Finished Card

Blank Card

Card Movement Perso Data Flow

CryptoKeys

Chip TAG

ValuesEmboss

DataMag

Stripe Data

Audit Log

Audit Data Flow

Offline CPT


Inline QC Testing – Offline EMV Data Validation


PersoData File

Mag-Stripe Read


Reject Bin

Test StationFinished Card

Blank Card


Chip Read Camera Image Gate

CryptoKeys

Chip TAG

ValuesEmboss

DataMag

Stripe Data

Audit Log

QC Data Flow

Offline CPT


Inline Testing – 100% EMV Validation QC


PersoData File

Mag-Stripe Read


Reject Bin

Test Station with inline CPT

moduleFinished Card

Blank Card


Chip Read Camera Image Gate

CryptoKeys

Chip TAG

ValuesEmboss

DataMag

Stripe Data

QC Management

Audit LogOffline CPT

Test Scenarios

QC Data Flow

Inline Testing


Data loaded into card using “Store Data” APDUs, data is organised in Data Group Indicators (DGIs)

Differences in techniques and formats depending on the card stock and operating system

Data extracted from card using EMV defined APDUs, data is organised by files and records

All cards must present the same interface to the terminal, regardless of internal organisation

Benefits of Inline QC

100% of Cards Tested in Real Time

Efficient use of Human Resources

Inline QC can work 24/7 and does not get tired or distracted No extra time & no extra QC staff required Faster ROI

No Human Intervention – better Data Security

Full Data Validation

EMV and Payment Scheme rules, TAG Values and Keys

Source: Datacard 39© 2014 BARNES INTERNATIONAL LIMITED

Br ian Summerhayes

bsummerhayes@barnestest .com

www.barnestest .com

b a r n es - inter n at ion a l - l td @ ba r nes_ test


100% Personalization Quality Control

Thank you for your attention