Italics represent cross-references within the list below.
AAC – Application Authentication Cryptogram. A cryptogram generated by the EMV application when a transaction is to be declined off-line or when a ‘decline’ response to an on-line authorization is successfully processed by the application.
ADA – Application Default Action. Settings in an EMV card which determine the card’s reaction to conditions encountered during a transaction, such as ARPC validation failing.
AIP – Application Interchange Profile. A set of flags held in the EMV application that define which EMV features the card supports, e.g. DDA is supported, CVM is supported.
Alice – represents entity A in the Alice-Bob-Eve explanation of Asymmetric Cryptography.
AID – Application IDentifier; allocated by ISO (International Standards Organization) to identify individual applications on an ISO-compliant chip card. In EMV, AIDs identify the payment application(s) present on the card which may be selected by the POS or ATM device, e.g. Visa Credit, MasterCard Debit.
ARPC – Authorization Response Cryptogram. A cryptogram generated by the issuer host system and returned in the response to an authorization request. Verifies to the card that the authorization response was sent by the true issuer host and that the Authorization Response Code has not been altered. See the ETM product page for more information.
ARQC – Authorization Request Cryptogram. A cryptogram generated by the EMV application when it has determined that the transaction should be authorized online. Contains card and transaction data encrypted under the card’s unique DES key or, in a full EMV implementation, under a session key derived from the card’s unique key and the ATC. Aconite Technology's EMV Transaction Manager (ETM) supports ARQC validation and ARPC generation. See the ETM product page for more information.
Asymmetric Cryptography – a means of encrypting information using pairs of keys, usually designated 'Public', which may be openly shared, and 'Private', which is kept secret by the key owner. Information encrypted with one of the pair – the Public Key – can be sent over an insecure connection but can only be decrypted by the recipient using the Private Key. Also used in reverse for signing data to generate a Certificate to guarantee authenticity and, depending on what is signed, integrity. The RSA algorithm is used within EMV for ODA (Offline Data Authentication), a form of CAM (Card Authentication Method); see SDA, DDA and CDA below.
ATC – Application Transaction Counter. A value held in the EMV application which is incremented each time the application initiates a transaction. Can be used to detect a cloned card, where the issuer host tracks its value. Also used in the derivation of session keys for CAM, Script MAC and script encipherment. Aconite Technology's EMV Transaction Manager (ETM) provides clone and replay detection based on ATC checking – see the ETM product page for more information.
Bob – represents entity B in the Alice-Bob-Eve explanation of Asymmetric Cryptography.
BIN – Bank Identification Number; usually the first 6 digits of a PAN (the 'card number'). BIN extension (i.e. more than six digits) and BIN ranges (i.e. sub-categories under BIN) may also be used to group card products at the issuer (card issuing bank).
CA – Certification Authority: an entity at the top of a Public Key Infrastructure (PKI) that certifies the authenticity of entities in the layer below by signing data that they submit. In EMV the role of CA is usually taken by the card payment scheme, to which issuers submit their RSA Public Keys for signing with the Scheme Private Key to create certificates that are then used in Offline Data Authentication (ODA). Aconite Technology's Payment Application Manager (PAM) works with card payment scheme CAs to request and process certificates – see the PAM product page for more information.
CAM – Card Authentication Method. Techniques for proving that the card is not cloned or counterfeit. On-line (using ARQC/ARPC) and off-line (using SDA/DDA/CDA) methods are supported by EMV.
CDA – Combined Data Authentication. Performs DDA combined with ARQC generation to provide a higher level of assurance that the card is genuine. Will only be performed if both card and terminal support it, otherwise DDA is performed.
Certificate – A cryptogram containing data (e.g. a key) that has been ‘signed’ by a Certification Authority (CA) or another entity within the PKI. Its successful decryption and use verifies that the originator of the data has a bona fide relationship with the CA.
Cryptogram – a block of encrypted data used in EMV as a digital signature to guarantee the authenticity of a card used in a transaction and the integrity of the captured transaction data, and to provide non-repudiation of a transaction (e.g. the card was present and the PIN was entered).
CVM – Cardholder Verification Method. Often a POS terminal at the merchant will prompt the merchant and/or cardholder for additional entry or action. These can include requesting the cardholder to enter a PIN, to enter a ZIP code (mainly in the US), or to provide a signature (which the merchant can validate by comparing it with the signature on the back of the card). See CVM List below.
CVM List – a list created in an EMV card during personalization that defines, in order of preference, the cardholder verification methods that the card supports. During a transaction the card and POS or ATM device negotiate the method that will be used by comparing the card's CVM List with a similar list held in the device. The highest match in both lists will be used. The CVM List of a typical EMV card that supports Offline PIN could be: Offline PIN, Online PIN, Signature, No CVM. At a POS device that supports Offline PIN, that will be used, but at an ATM (which would not support Offline PIN), Online PIN will be used. Some devices, e.g. vending machines and road toll barriers, do not support any CVMs, and so card and device fall back to 'No CVM'. Note that the default for contactless cards is No CVM, although a PIN or signature can be requested in some circumstances. CVM List is one of the personalization parameters used by Aconite Technology's Payment Application Manager (PAM) when creating the data for card issuance – see the PAM product page for more information.
CVR – Card Verification Results. An issuer-proprietary table of flags set by the EMV application and used during Card Action Analysis to determine the transaction outcome over and above that decided by the terminal during Terminal Action Analysis of the TVR, e.g. script processing failed during a previous transaction. Aconite Technology's EMV Transaction Manager (ETM) provides analysis of CVRs during EMV authorization processing – see the ETM product page for more information.
DDA – Dynamic Data Authentication. A type of off-line CAM where data from the card, terminal and transaction is encrypted by the card using a private RSA key. If the terminal can decrypt the data using the corresponding public key recovered from the card using a scheme public key held in the terminal, then the card must be genuine. Also proves that the card issuer was certified by the card scheme.
EFT – Electronic Funds Transfer. Generic term for payment transactions completed electronically.
EMV – Europay, MasterCard, VISA. The set of standards developed by these organizations for payment transactions using chip cards. Europay was absorbed into MasterCard in the 1990s but their staff and headquarters in Belgium were retained and renamed as the ‘MasterCard Chip Centre’. The EMV standards are now owned and maintained by EMVCo, a consortium of American Express, Discover, JCB, MasterCard, [China] Union Pay and Visa.
Eve – represents entity E in the Alice-Bob-Eve explanation of Asymmetric Cryptography. Eve was chosen from 'eavesdropper', and may carry malicious intent.
HSM – Hardware (or Host) Security Module. A dedicated, secure cryptographic processor used in card personalization, transaction authorization and PIN processing. Aconite Technology products make extensive use of HSMs during their operation and can support a range of HSM vendors – see our Product pages from the main menu for more information.
ICC – Integrated Circuit Card aka Smart Card; originally a plastic card containing a chip, now used generically for the chip itself irrespective of the device that carries it. The term appears in the names of many standards and specifications, e.g. VIS – the Visa ICC Specification.
IVR – Interactive Voice Response (system) – an automated phone system. More info on Wikipedia. Can be used as a PIN capture and delivery channel by Aconite Technology's PIN Manager – see the PIN Manager product page for more information.
MAC – Message Authentication Code. In the EMV context, a digital signature that verifies that data contained in an EMV script has not been tampered with. Aconite Technology's EMV Transaction Manager (ETM) generates EMV scripts during EMV authorization processing – see the ETM product page for more information.
M/Chip – MasterCard Chip; the specification that defines the requirements for contact and contactless (PayPass) EMV payment applications provided by MasterCard. See card issuance and transaction authorization for Aconite Technology products that support this.
ODA – Offline Data Authentication; a form of CAM (see above) used by POS terminals to verify the authenticity of EMV cards used in transactions (see DDA and CDA), or at least to guarantee that critical card data has not been altered (SDA). Implemented within a PKI controlled by the card payment scheme under which the card is issued.
PAN – Primary Account Number; the long number of between 16 and 19 digits usually printed or embossed on the face of a payment card, encoded in the magnetic stripe and personalized into the chip of an EMV card.
PAN Sequence Number – an index that allows an issuer to distinguish EMV cards that have the same PAN, e.g. a renewed card. Necessary to ensure uniqueness of the card-level keys used for cryptogram generation.
PCI – Payment Card Industry [Security Standards Council] – the body that sets security standards for software application development and operation, and the processes and procedures applicable to card issuing and transaction acquiring companies and the vendors that supply products or services to them. Their aim is to prevent compromise of personal and account-related data through either negligence or criminal attack. Aconite Technology products are fully compliant with PCI requirements and where applicable, are formally PCI certified.
Personalization – the process of adding data to an EMV application in a card that allows it to be used in transactions. The data includes card/account and cardholder information (PII), cryptographic keys and certificates, optionally an EMV Offline PIN and other parameters to control the behavior of the card. Aconite Technology's Payment Application Manager (PAM) creates personalization data from card requests according to pre-defined product profiles – see the PAM product page for more information.
PII – Personally Identifiable Information. A term used to classify information which relates to a person or their payment cards.
PIN – Personal Identification Number; a secret number of between 4 and 12 digits known only to the cardholder and the card issuer. Used to verify the identity of the cardholder when performing a transaction at a device (POS or ATM) that supports PIN. Implemented in EMV as Online PIN, which is verified in the card issuer host system, and Offline PIN, which is verified by the card itself after being entered at a POS terminal. EMV cards usually support Online PIN for ATM transactions, and for POS transactions in some territories, and may additionally support Offline PIN for use at POS where it is supported (e.g. Europe, South Africa). Aconite Technology's PIN Manager is a comprehensive solution for handling all PIN lifecycle events, including ePIN capture and distribution – see the PIN Manager product page for more information.
PKI – Public Key Infrastructure; a hierarchy of trust controlled by a CA (Certification Authority) in which each layer certifies the authenticity of the layer below – you can think of it as a 'Pyramid of Trust'™. In EMV, PKIs controlled by the card payment schemes (e.g. Visa, MasterCard, Discover) are used to implement Offline Data Authentication (ODA) – the scheme certifies the issuers and the issuers certify their cards. Each card payment scheme operates its own PKI.
POS – Point Of Sale; a generic term for a physical card payment terminal installed in a merchant.
RSA – Rivest, Shamir and Adleman, an asymmetric cryptography algorithm named after its developers and the founders of the company (RSA Security LLC, now owned by Dell Technologies) that brought it to market. Used in EMV for ODA. It's rumored that asymmetric cryptography was invented by the British Secret Intelligence Service some years before R, S and A developed their version, but was not published to protect its use in covert communications.
[EMV] Script – A block of data containing one or more card commands that a card issuer can return to the card in an authorization response message. The POS terminal passes the commands to the card for processing. Can be used to block the card or application, to update files or data stored in the EMV application and for offline PIN management (change or unblock). A MAC verifies that the data has not been altered, and sensitive data (e.g. new PIN) is encrypted. Aconite Technology's EMV Transaction Manager (ETM) is an advanced EMV script generation and management engine – see the ETM product page for more information.
SDA – Static Data Authentication. A form of offline CAM that verifies that critical data stored in the EMV application has not been tampered with since the card was issued. Mostly superseded by DDA and CDA which also prevent cloning and counterfeiting.
Symmetric Cryptography – a means of encrypting and decrypting information using an algorithm in conjunction with a key known only to the originator and recipient. Relies for its effectiveness on keeping the key secret. EMV uses the Data Encryption Standard (DES), now implemented as Triple DES using double length keys, to create and verify cryptograms (see ARQC, ARPC, TC and AAC). Also used for EMV Script MAC generation and data (e.g. a new PIN) encryption.
TC – Transaction Certificate. A cryptogram generated by the EMV application when a transaction is approved offline or when an ‘approve’ response to an online authorization request is successfully processed by the application. If captured, and for offline-approved transactions, the TC is supplied in the Clearing data and can be used to verify that the genuine card was used for a transaction.
TVR – Terminal Verification Results. A table of flags set by the terminal during Terminal Risk Analysis that reflect the status of the transaction, e.g. card appears on hot card file, PIN required but not entered, SDA was successful. Used in Terminal Action Analysis to determine the terminal’s preference for the outcome of the transaction, i.e. approve, go online or decline. Aconite Technology's EMV Transaction Manager (ETM) provides analysis of TVRs during EMV authorization processing – see the ETM product page for more information.
VCPS – Visa Contactless Payment Specification. The contactless equivalent of VIS on which Visa payWave apps are based.
VIS – Visa ICC Specification, defining the requirements for EMV payment applications provided by VISA. See card issuance and transaction authorization for Aconite Technology products that support this.
VSDC – Visa Smart Debit/Credit. The generic name for Visa EMV applications that conform to the VIS specification (see above).