Br ian Summerhayes
Managing Director
Barnes Internat ional
© 2014 BARNES INTERNATIONAL LIMITED 1
Achieving 100% Personalization Quality Control
ICMA Manufacturing and Personalization Expo 2014
Agenda
Introducing Barnes
Card Certification Testing
Payment Application Personalization Validation
Personalization 100% Quality Control
© 2014 BARNES INTERNATIONAL LIMITED 2
Barnes International Ltd
© 2014 BARNES INTERNATIONAL LIMITED
22 year heritage
Leading international supplier of chip and magnetic stripe card test equipment
Specialist UK company – Offices in US: PA and CA
Installations worldwide (80+ countries)
Mission: to make complex labour intensive card tests simple and ensure excellent personalization quality control
3
Payment Application Personalization Validation
© 2014 BARNES INTERNATIONAL LIMITED 4
Certification and QC Testing
© 2014 BARNES INTERNATIONAL LIMITED 5
QC tools used by all leading card and ticket developers, manufacturers, personalizers and issuers for:
Technical developmentFailure analysisCompliance verification and Laboratory CertificationManufacturing quality assurance
Enable issuers to provide proven and certified cards and tickets to their customers
Cards require testing during development and production QC
Pre-certification testing required in order to pass card certification. Certification tools include
MasterCard CPV and FIME F-CPV test tools used by MasterCard for card certification
Visa GPR and VPA tools used by Visa Inc. for card certification
Amex card test scripts Discover and Diners D-PAS test scripts All these tools are available to Issuers to carry out
pre-certification testing of cards before submission to the certification laboratory
Card Certification Testing
© 2014 BARNES INTERNATIONAL LIMITED 6
Payment Scheme Card Certification
© 2014 BARNES INTERNATIONAL LIMITED 7
American Express
Discover/ D-PAS
MasterCard
Visa
MasterCard Personalization Validation (CPV)
CPV process Launched in 2008 2013 – Version 6.2 MasterCard Personalization Validation Tool – Release 2013 Requirements v6.2 June
2013 M/Chip Requirements 03 October 2013 M/Chip Personalization Data Specifications and Profiles 28 June 2013 PayPass – M/Chip Requirements 28 June 2013 PayPass Personalization Data Specifications, Version 1.8 – April 2013 M/Chip Card Personalization Standard Profiles 28 June 2013 M/Chip Card Personalization U.S. Market Standard Profiles 28 June 2013
Test Specifications
Accredited Laboratories
© 2014 BARNES INTERNATIONAL LIMITED 8
Qualified Test Tools
MasterCard CPV Certification
© 2014 BARNES INTERNATIONAL LIMITED 9
Visa Global Personalization Validation (GPR)
Visa Laboratories
© 2014 BARNES INTERNATIONAL LIMITED 10
Qualified Test Tools
US PR Test Specifications U.S. Personalization Validation Requirements – Test Cases v1.0 Jan 2014 (DRAFT)
Products Visa DB/CR, Electron, DPA, Plus, Interlink, US Common Debit
Specifications VIS 1.4.1, 1.5.x VCPS 2.0.2, 2.1.x VMCPS 1.4.x
Applets VSDC 2.7.1, 2.8.x and VMPA v.1.4.x Applets
VSDC Personalization Requirements for U.S. Implementations Version 3 Oct 2013
Visa GPR Certification
© 2014 BARNES INTERNATIONAL LIMITED 11
Other Schemes
© 2014 BARNES INTERNATIONAL LIMITED 12
American Express
Discover
Payment Scheme Testing
© 2014 BARNES INTERNATIONAL LIMITED 13
EMV + Amex, Discover/ D-PAS, MasterCard, Visa + National Specs, e.g. JCB, RuPay, SPAN, PBOC and Union Pay
Payment Scheme Standards – Data validation required
MasterCard CPV Certification: CPV Visa Global Personalization Requirements: US PR
Payment Scheme Certification Tools
Card Certification Laboratories
Card Quality Control in Production
Personalization Quality Control Testing
© 2014 BARNES INTERNATIONAL LIMITED 14
Card Personalization
© 2014 BARNES INTERNATIONAL LIMITED 15
Personalization is the process of writing data fields to the chip card and the magnetic stripe
Some of the data fields will be standard across all products e.g. Issuer Country Code
Some of the data fields will be unique to the cardholder e.g. Account Number (PAN) and cardholder name
The following slides examine some of the many personalization issues that we have personally experienced
Personalization Quality Control – Why?
© 2014 BARNES INTERNATIONAL LIMITED 16
Chip cards have far more complicated coding compared with a simple magnetic stripe
Chip cards have far more information inside them compared with a magnetic stripe
Dual interface cards are also complex to code with shared parameters
• Magnetic Stripe vs Chip Data
• Correct Keys • Validation vs
Payments Scheme
• Issuer/ Card Tag values
Personalization Test Example 1
© 2014 BARNES INTERNATIONAL LIMITED 17
Magnetic Stripe Only
Data on Track 1 & 2 missing
Transposition of Data Across Cards
© 2014 BARNES INTERNATIONAL LIMITED 18
Transposition of data:
Mrs Smith name inside the chip card and Mr Jones name on the magnetic stripe
Result of manufacturing hiccupCan be detected easily by performing quality control on
personalised cards (First, Middle and Last cards)
Now seeing fraudulent cards – where data on chip is totally different to that on magnetic stripe.
Occurs post issuance easily proven with a test tool
Cryptographic Errors
© 2014 BARNES INTERNATIONAL LIMITED 19
Numerous cryptographic errors on cards
DES Keys incorrect resulting in transaction cryptogram failure and/or script processing failure
SDA/DDA/CDA test DES Keys can easily be checked as part of QC
Even live DES keys can be checked if QC equipment connected to HSM
Formatting Errors
© 2014 BARNES INTERNATIONAL LIMITED 20
Formatting errors more difficult to detect. Examples include:
Incorrectly formatted account number, if number of digits is odd, pad with only a single “F” and not multiple “F”s12345 67891 234F ✔12345 67891 234FF FFFFF ✘
Production Issues
© 2014 BARNES INTERNATIONAL LIMITED 21
UK country code on cards issued abroad
Personalization preparation was outsourced to the UK and the data file exported back to another country for card productionIf it is a chip card issued to (say) a US customer inside the US
then the Issuer Country Code should be US irrespective of where the personalization data is created
Ongoing Quality Control
© 2014 BARNES INTERNATIONAL LIMITED 22
Fully personalised chip cards should be sent to the appropriate Scheme prior to issue for certification – a very sensible and valuable practice.
Errors on certified cards do happen
all errors in this section have been seen on live cardsconsider how many possible negative errors could be introduced –
hundreds of thousands of possible coding combinations - difficult to check all
certification processes and quality control tools constantly enhanced and improved
Personalization QC
© 2014 BARNES INTERNATIONAL LIMITED 23
Quality Control of the cards in manufacturing and during personalization is essentialChip cards – much more to go wrongChip cards are far more expensive than magnetic stripe and thus are costly
to reissueReputational/customer service impact can result in substantial lost revenue
Offline or Inline Quality Control of the cards during personalizationOfflineSingle Card tests with Batch Testing
InlineEnables 100% testing
Offline QC Testing Card Personalization Validation Testing Tool
Data Read OnlyMag Stripe + Contact Chip + Contactless Chip
Interpret s. EMV and payment schemes No validation
Data Explorer
Validates data to EMV and payment scheme requirements Confirms chip, Mag-stripe and embossing correlation
Identifies incorrect data
Contact and Contactless chip validation testsMultiple Application data validation -single card insertionMulti-level user interface for Production, QA & Bank personnel with complete analysis
facilities for Experts
Validation – Standard Card Perso Tool (“CPT”)
All the features of a CPT, PLUS: Test Script development Issuer scripts and Cryptography
Host Simulation + HSM interface (e.g. with Thales 9000 and Safenet)
Test Development – Card Analysis Tool
24© 2014 BARNES INTERNATIONAL LIMITED
Validation Test Report
1. Summary of Test
2. Individual Fail/ Observations with Explanatory Annotations
3. Refers to Applicable Specification
4. List of all Tests
© 2014 BARNES INTERNATIONAL LIMITED 25
3
4
2
1
Offline QC Testing Architecture
© 2008-2014 BARNES INTERNATIONAL LIMITED 26
CPT GUICard Reader Interface
Certification Test Scripts and Scenarios
QC Test Scripts and Scenarios
Bespoke Scripts & Scenarios
CPT Test Engine
Card Reader(s)Contact/ DI
Inline QC Testing Architecture
© 2008-2014 BARNES INTERNATIONAL LIMITED 27
CPT with GUI
QC Test Scripts and Scenarios
Bespoke Scripts & Scenarios
CPT Test Engine
Perso Machine Interface ModuleCard Perso Machine
Inline QC Testing Card Personalization Validation
Machinery Manufacturer QC module(s) to collect dataMagnetic Stripe Contact and Contactless Chip Data Printed/ Embossed Data
Data Collection: Machine Modules
Validates data to EMV and payment scheme requirements Confirms chip, Mag-stripe and embossing correlation (depending on machine modules)
Identifies incorrect data or keys
Contact and Contactless chip validation testsMultiple Application data validation
Validation: CPT Test Engine
Good / Bad card result Bad card reject Test Result recorded – for audit purposes
Test Results can be saved
Reporting: Machine interface + CPT Report
28© 2014 BARNES INTERNATIONAL LIMITED
Data sent to card during Personalization
© 2014 BARNES INTERNATIONAL LIMITED 29
Data Elements
Magnetic StripeContact Chip DataContactless Chip Data (if DI or CL card)Cryptographic KeysEmbossing on card facePrinting, including CVV on reverse
For 100% QC All Data Elements should be Validated
Magnetic Stripe QC
© 2014 BARNES INTERNATIONAL LIMITED 30
Magnetic Stripe – standard QC
Collected by Magnetic Stripe read headReads all 3 tracksMagnetic stripe data sent to Perso Machine ControllerValidation vs input file
Drawback: System assumes data sent in Perso file was valid
Magnetic Stripe – QC data validated by a CPT
Collected by Magnetic Stripe read headReads all 3 tracksMagnetic stripe data sent via to Perso Machine Controller to CPTCorrelation vs ISO data rulesValidation vs input file & or against Magnetic Stipe equivalent data in ChipValidation of iCVV/ Chip CVC/ iCSC/ Chip CAV
Contact Chip QC
© 2014 BARNES INTERNATIONAL LIMITED 31
Contact Chip Data – standard QC
Chip ATR activated and read by Contact couplerATR sent to Perso Machine ControllerConfirms that chip is working
Drawback: Unable to fully validate personalised data
Contact Chip Data – QC data validated by a CPT
ATR activated and APDUs sent to the chip by Contact couplerAPDU responses data sent via to Perso Machine Controller to CPTCorrelation vs EMV, Payment Scheme Application rulesValidation of Tag values against test Scenario values (Issuer / card)Chip Data Validation vs Mag Stripe & Contactless ChipValidation that correct Keys were put onto the card
Contactless Chip QC
© 2014 BARNES INTERNATIONAL LIMITED 32
Contact Chip Data – standard QC
Chip ATS activated and read by Contactless couplerATS read and sent to Perso Machine ControllerConfirms that contactless chip is working
Drawback: Unable to fully validate personalised data
Contactless Chip Data – QC data validated by a CPT
ATS activated and APDUs sent to the chip by Contact couplerAPDU responses data sent via to Perso Machine Controller to a CPTCorrelation vs EMV, Payment Scheme Application rulesValidation of Tag values against test Scenario values (Issuer / card)Contactless Chip Data Validation vs Mag Stripe & Contact ChipValidation that correct Keys were put into the contactless chip
Embossing Verification
© 2014 BARNES INTERNATIONAL LIMITED 33
Embossing – standard QC
Camera recognition checks character impression on spent topping foil Uses OCR recognition to recreate embossing data Embossing sent to Perso Machine Controller Validation vs input file
Drawback: No validation against Mag Stripe or Chip cardholder data, issue and expiry dates
Embossing – QC data validated by CPT Camera recognition checks character impression on spent topping foil Uses OCR recognition to recreate embossing data Embossing sent via to Perso Machine Controller to CPT Validation vs Data personalised in Magnetic Stripe and Chip
Advantage: This is superior to an offline CPT where operator checks embossing against screen image
Card Stock Verification
© 2014 BARNES INTERNATIONAL LIMITED 34
Card Stock verification – standard QC
Vision system captures image of front and back of card including stock reference Images sent to Perso Machine Controller Validation vs images of correct card stock for the card batch
Drawback: Validation separate from the rest of card validation test
Card Stock verification – QC data validated by a Card Perso Tool Vision system captures image of front and back of card including stock reference Images sent via Perso Machine Controller to a Card Perso Tool (CPT) Card stock reference recorded in card validation file
PersoMachine Controller
EMV Card Perso Process
© 2008-2014 BARNES INTERNATIONAL LIMITED 35
PersoData File
Mag-Stripe Encode Emboss Chip Perso
Finished Card
Blank Card
Card Movement Perso Data Flow
CryptoKeys
Chip TAG
ValuesEmboss
DataMag
Stripe Data
Audit Log
Audit Data Flow
Offline CPT
PersoMachine Controller
Inline QC Testing – Offline EMV Data Validation
© 2008-2014 BARNES INTERNATIONAL LIMITED 36
PersoData File
Mag-Stripe Read
Mag-Stripe Encode Emboss Chip Perso
Reject Bin
Test StationFinished Card
Blank Card
Card Movement Perso Data Flow
Chip Read Camera Image Gate
CryptoKeys
Chip TAG
ValuesEmboss
DataMag
Stripe Data
Audit Log
QC Data Flow
Offline CPT
PersoMachine Controller
Inline Testing – 100% EMV Validation QC
© 2008-2014 BARNES INTERNATIONAL LIMITED 37
PersoData File
Mag-Stripe Read
Mag-Stripe Encode Emboss Chip Perso
Reject Bin
Test Station with inline CPT
moduleFinished Card
Blank Card
Card Movement Perso Data Flow
Chip Read Camera Image Gate
CryptoKeys
Chip TAG
ValuesEmboss
DataMag
Stripe Data
QC Management
Audit LogOffline CPT
Test Scenarios
QC Data Flow
Inline Testing
© 2008-2014 BARNES INTERNATIONAL LIMITED 38
Data loaded into card using “Store Data” APDUs, data is organised in Data Group Indicators (DGIs)
Differences in techniques and formats depending on the card stock and operating system
Data extracted from card using EMV defined APDUs, data is organised by files and records
All cards must present the same interface to the terminal, regardless of internal organisation
Benefits of Inline QC
100% of Cards Tested in Real Time
Efficient use of Human Resources
Inline QC can work 24/7 and does not get tired or distracted No extra time & no extra QC staff required Faster ROI
No Human Intervention – better Data Security
Full Data Validation
EMV and Payment Scheme rules, TAG Values and Keys
Source: Datacard 39© 2014 BARNES INTERNATIONAL LIMITED
Br ian Summerhayes
bsummerhayes@barnestest .com
www.barnestest .com
b a r n es - inter n at ion a l - l td @ ba r nes_ test
© 2014 BARNES INTERNATIONAL LIMITED 40
100% Personalization Quality Control
Thank you for your attention
Top Related