Managing payment applications and their attributes is a fundamental aspect of issuing EMV cards. A card is no longer just a plastic token, but is a container for one or more payment applications, together with their account and personal information, risk and other parameters, and security settings. With card and application lifecycle management, issuers can issue cards and then manage risk and card data – including PIN – by maintaining on-chip settings remotely.
Account and Personal Information
The first payment cards, introduced in the 1950s, were printed only with basic information to link them to an account and cardholder:
- Cardholder Name
- Card Number (now Primary Account Number or PAN)
- Expiry Date.
Over time, as usage – and fraud – increased, additional features were added: embossing on plastic for paper-based acceptance, magnetic stripes for electronic acceptance, security codes (e.g. CVV2) for card-not-present acceptance, holograms to deter counterfeiting, and not least, microprocessors (chips), supporting sophisticated card, cardholder and transaction authentication technologies.
Cards today are personalized with all these features, but the major challenge facing card issuers migrating to EMV is the creation of the data for injection into the chip, to personalize the payment application(s) with account, personal, risk and security settings.
Risk and Application Parameters
In many territories, all transactions are authorized by being sent online to the card issuer or their processor, but EMV also gives issuers the option of delegating some aspects of authorization decisioning and risk management from the issuer or processor's back office to the chip itself.
In environments where transactions can be performed offline, i.e. without contacting the issuer system each time, authorization against limits on the cumulative number (e.g. 5) and value (e.g. $100) of consecutive offline transactions, along with verification of a PIN, can take place in the chip itself. If these thresholds are exceeded, the chip forces the transaction online for the issuer to authorize.
These behaviours are controlled by risk management and application parameters, initially set within the chip at personalization time, but capable of being modified in the field in response to changes in an account or cardholder's risk profile. To take advantage of these features, the issuer's authorization system needs the capability to send EMV scripts to a card to update these settings in regular authorization response messages.
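The on-chip limit checks and in-the-field limit updates described above, modelled in Python as an added illustration (not code from any issuer, vendor or card scheme). The class, field names and key are hypothetical; HMAC-SHA256 stands in for the authentication a real card applies to issuer scripts, and declining on a failed PIN and resetting counters on online approval are simplifying assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

LIMIT_FIELDS = ("max_count", "max_value_cents")  # settings a script may change

def script_mac(key: bytes, updates: dict) -> bytes:
    """Stand-in integrity tag over a limit update (HMAC-SHA256, not the EMV MAC)."""
    msg = ";".join(f"{k}={updates[k]}" for k in sorted(updates)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class ChipApplication:
    key: bytes                      # constructed key shared with the issuer
    max_count: int = 5              # consecutive offline transactions allowed
    max_value_cents: int = 10_000   # cumulative offline value allowed ($100)
    count: int = 0                  # offline transactions since last online approval
    value_cents: int = 0            # offline value since last online approval

    def decide(self, amount_cents: int, pin_ok: bool) -> str:
        """Card-side decision for one transaction at an offline-capable terminal."""
        if not pin_ok:
            return "DECLINE"        # assumption: a failed PIN check declines
        if (self.count + 1 > self.max_count
                or self.value_cents + amount_cents > self.max_value_cents):
            return "GO_ONLINE"      # threshold exceeded: issuer must authorize
        self.count += 1
        self.value_cents += amount_cents
        return "APPROVE_OFFLINE"

    def online_response(self, approved: bool, updates=None, mac=b"") -> bool:
        """Process the issuer's response; returns True if a script was applied."""
        applied = False
        if updates:
            # Accept only known limit fields carrying a valid tag from the issuer.
            valid = set(updates) <= set(LIMIT_FIELDS) and hmac.compare_digest(
                mac, script_mac(self.key, updates))
            if valid:
                for name, new_limit in updates.items():
                    setattr(self, name, new_limit)
                applied = True
        if approved:                # assumption: online approval resets counters
            self.count = 0
            self.value_cents = 0
        return applied
```

A script whose tag does not verify, or which names a setting outside the allowed list, leaves the limits unchanged.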
Multiple Applications and AIDs
EMV chip cards may support one or more payment applications, depending on branding and the acceptance environments in which they can be used. For debit cards in particular, there may be both international and domestic payment brands on the card, which is common in Europe, with the domestic brand taking precedence locally, or there may be a common payment application serving many debit networks together with an international application, as has been implemented in the US. The decision on which application to select for a transaction is made by the POS device or ATM, based on a list (in order of preference) of supported Application Identifiers, or AIDs, held in the device.