Acquiring: EMV Transaction Flow. Part 2: PSE and AID, Candidate List and Application Selection

Introduction

We would like to bring to your attention the next part of the series about the «EMV Transaction flow», where we will describe the first two stages of interaction between a card and a device, namely building the candidate list and selection of the application with which the further exchange will be performed. We will address two interfaces, namely the classical contact chip and the contactless chip. We will also describe the objects of the card’s applications and the configurations of the device that are engaged in the exchange.

Contact chip, ATR

As already said in the previous articles, a contact chip transaction is carried out within the ISO 7816 protocol and starts with the ATR (Answer To Reset). Simply put, the ATR is the step where a card «declares» that it is ready for exchange. During this step, the subprotocol version (T=0 or T=1) is agreed. Those interested in the detailed description of T=0 and T=1 can find it in the first part of the EMV Book.

Contactless chip, RATS

In the case of exchange according to the ISO 14443 protocol, the same function is performed by the reader sending the RATS (Request for Answer To Select), to which the card responds with the ATS (Answer To Select). You can find a detailed description in Book D.

Building the Candidate List

«The Candidate List» is the list of the card applications that a terminal supports. There are two methods to build the candidate list: using the PSE and using the PSA (i.e., an AID, which is described below). As a rule, all modern devices support both these methods.

1. PSE (Payment System Environment) is a directory on the card commonly named «1PAY.SYS.DDF01» in the case of a contact chip, and «2PAY.SYS.DDF01» in the case of a contactless chip. Building the Candidate List using the PSE is called «Indirect» or «Implicit» Application Selection. The terminal sends the APDU request (namely, the SELECT command) with that name to the card.

For example:

Select (1PAY.SYS.DDF01)
Cla: 00
Ins: A4
P1: 04
P2: 00
Lc: 0E
Data: 315041592E5359532E4444463031
Application: 1PAY.SYS.DDF01
Le: 00

If the directory is present on the card, the card will send back SW1/SW2 = 9000 (OK), and will also send the parameters for further exchange (these are described later).

If the directory is missing on the card, SW1/SW2 in the APDU-R will be 6A82 (File not found). Note that in most cases «1PAY.SYS.DDF01» is missing on contact chip cards. However, «2PAY.SYS.DDF01» is always present on a contactless chip, so the selection of applications over the contactless interface will always be performed through the PSE.

2. PSA is the Payment System Application. It is also known as the AID (Application Identifier), i.e., the identifier of a specific card application. Since the AID is one of the key exchange elements, we will describe it in more detail.

AID consists of two parts: RID and PIX.

RID is the Registered Application Provider Identifier (do not be confused by the fact that the acronym does not match its definition; such cases are common enough when it comes to EMV). The RID unambiguously identifies a specific payment system (PS) of one or another issuer of a specific card product.

PIX is the Proprietary Application Identifier Extension. In other words, it is the business code of the card product.

For example, one AID of the Mastercard PS is A0000000041010, where RID = A000000004 and PIX = 1010, i.e., the identifier belongs to the Mastercard product of the Mastercard PS. Another AID of the Mastercard PS is A0000000043060, where RID = A000000004 and PIX = 3060, i.e., the identifier belongs to the Maestro product of the Mastercard PS. The AIDs of all payment systems are built on the same principle.

On the card, the AID can be located in tag 4F (AID itself) or 84 (Dedicated File (DF) Name). The minimum length of an AID is 5 bytes and the maximum length is 16 bytes. That means, in particular, that the maximum number of hexadecimal characters in the AID that the software of the device (POS, ATM, or other) has to be able to process is 32.

In turn, the list of all supported AIDs is stored in the device’s configuration. It is one of the things that determine whether the device can work with one or another card. Selecting an application through the list of AIDs consists of the device sending a request (SELECT command) to the card with a specific AID in the «Data» field.

An example of APDU-C:

Term: Select (Mastercard)
Cla: 00
Ins: A4
P1: 04
P2: 00
Lc: 07
Data: A0000000041010
Application: Mastercard
Le: 00

If the AID requested by the device is missing, the card will send back the APDU-R with SW1/SW2 = 6A82 (File not found), after which the POS or ATM has to send the next AID from its list, and so on, until one is accepted or until the list of AIDs is exhausted. Consequently, if the AID of the card in question is missing in the device’s configuration, the exchange will be terminated.
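The contact-chip sequence described above (SELECT of the PSE first, then each configured AID until the card answers 9000) can be traced with the following sketch. It is an added example, not code from the original article; `SimulatedCard`, `select_application` and the other function names are hypothetical, and the simulated card only knows the two status words mentioned in the text.

```python
PSE_CONTACT = b"1PAY.SYS.DDF01"
SW_OK, SW_FILE_NOT_FOUND = 0x9000, 0x6A82

def split_aid(aid_hex: str):
    """Split an AID into (RID, PIX); the RID is the first 5 bytes."""
    aid = bytes.fromhex(aid_hex)
    if not 5 <= len(aid) <= 16:
        raise ValueError(f"AID must be 5..16 bytes, got {len(aid)}")
    return aid[:5].hex().upper(), aid[5:].hex().upper()

def build_select(name: bytes) -> bytes:
    """SELECT by name as in the article: Cla 00, Ins A4, P1 04, P2 00, Lc, Data, Le 00."""
    if not 5 <= len(name) <= 16:
        raise ValueError("DF name must be 5..16 bytes")
    return bytes([0x00, 0xA4, 0x04, 0x00, len(name)]) + name + b"\x00"

class SimulatedCard:
    """Stand-in for a card (assumption of this example): exact-name SELECT only."""
    def __init__(self, df_names):
        self.df_names = set(df_names)

    def transmit(self, apdu: bytes) -> int:
        # Reject anything that is not a well-formed SELECT-by-name command.
        if len(apdu) < 6 or apdu[:4] != b"\x00\xA4\x04\x00" or len(apdu) != 6 + apdu[4]:
            raise ValueError("malformed SELECT APDU")
        name = apdu[5:5 + apdu[4]]
        return SW_OK if name in self.df_names else SW_FILE_NOT_FOUND

def select_application(card, terminal_aids):
    """Try the PSE, then every AID from the terminal configuration in order."""
    attempts = [("PSE", PSE_CONTACT)] + [("AID", bytes.fromhex(a)) for a in terminal_aids]
    trace = []
    for method, name in attempts:
        apdu = build_select(name)
        sw = card.transmit(apdu)
        trace.append((apdu.hex().upper(), f"{sw:04X}"))
        if sw == SW_OK:
            return method, name.hex().upper(), trace
    return None, None, trace  # AID list exhausted: the exchange is terminated

if __name__ == "__main__":
    # Constructed card: no PSE, only the Maestro AID from the article.
    card = SimulatedCard([bytes.fromhex("A0000000043060")])
    method, name, trace = select_application(card, ["A0000000041010", "A0000000043060"])
    for command, status in trace:
        print(command, "->", status)
    print("selected via", method, name, "RID/PIX:", split_aid(name))
```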

Final Selection: Partial Selection and Application

Partial Selection, or Partial Name Matching, is a device’s capability to work with the so-called «Extended» AIDs. The functionality is mandatory for all PSs, and it involves the following. Assume that the standard length of a Mastercard AID is 7 bytes: A0000000041010. In some cases, however, if there are several applications on the card, the AID can look like this: A00000000410101, i.e., the suffix «1» is added to the standard length. In addition, a POS or an ATM should be able to process an extended AID after having analyzed the number of applications sent back in the APDU-R. If the number of card applications (or «applets») is more than one (which is a highly probable situation), there are two scenarios of exchange.

1. In the case of a contact chip, a device can launch the Cardholder Selection procedure, i.e., the manual selection of an application by the cardholder. In this case, a list of all the supported applications, generated by the device from the text value of tag 50 (Application Label), will be shown on the display of the POS or the ATM.

We should mention some details related to that procedure. The first detail is that, according to the requirements of the NSPK (Russian National Payment Card System), if a card includes two or more AID’s of Mir card and AID’s of a card belonging to any other PS, the Application Select procedure has to be performed only between the AID’s of Mir. In other words, if there are applets of MIR Debit, MIR Credit and Visa on the card, the device will only display MIR Debit and MIR Credit. Indeed, this requirement is only true within the Russian Federation.

The next detail is that, although some PSs require mandatory performance of this procedure, not all devices support the Cardholder Selection functionality. In that case, the selection of the application will be performed in accordance with algorithm 2, which in general is also the application selection method characteristic of a contactless chip.

2. The device checks the value of tag 87 (Application Priority Indicator) for each applet and selects the one with the lowest value of tag 87 and, consequently, with the highest priority. Suppose that the card sent back the following data in the APDU-R (only the elements that are relevant to the procedure are shown):

  • Tag 84: Dedicated File (DF) Name: A00000000410101
  • Tag 87: Application Priority Indicator: 02
  • Tag 84: Dedicated File (DF) Name: A00000000410102
  • Tag 87: Application Priority Indicator: 01

In this case, the application A00000000410102 will be automatically selected, because its tag 87 value = 01.

Again, this method is the only one possible in the case of exchange through the contactless interface.
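Partial name matching and the tag 87 rule can be combined into one terminal-side routine, shown here as an added example that is not part of the original article. The function names, the sample labels and the sample response are constructed; the sample AIDs use a whole-byte suffix, the entries are wrapped in tag 61 (Application Template), and sorting a zero or missing tag 87 last is an assumption of this sketch.

```python
TERMINAL_AIDS = ["A0000000041010", "A0000000043060"]  # terminal configuration, AIDs from the article

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV object (one-byte tag, short-form length)."""
    return bytes([tag, len(value)]) + value

def parse_tlv(data: bytes):
    """Minimal BER-TLV reader: one-byte tags and short-form lengths only."""
    items, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] > 0x7F:
            raise ValueError("truncated or unsupported TLV header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        items.append((tag, value))
        i += 2 + length
    return items

def card_applications(response: bytes):
    """Turn each tag 61 template into {aid (4F), label (50), priority (87)}."""
    apps = []
    for tag, body in parse_tlv(response):
        fields = dict(parse_tlv(body)) if tag == 0x61 else {}
        aid = fields.get(0x4F, b"")
        if 5 <= len(aid) <= 16:  # AID length limits from the article
            apps.append({"aid": aid.hex().upper(),
                         "label": fields.get(0x50, b"").decode("ascii", "replace"),
                         # The priority sits in the low nibble of tag 87.
                         "priority": (fields.get(0x87) or b"\x00")[0] & 0x0F})
    return apps

def candidate_list(apps, terminal_aids=TERMINAL_AIDS):
    """Partial name matching: a card AID may extend a terminal AID."""
    return [a for a in apps if any(a["aid"].startswith(t) for t in terminal_aids)]

def select_by_priority(candidates):
    """Lowest tag 87 value wins; 0 or missing sorts last (assumption here)."""
    if not candidates:
        return None
    return min(candidates, key=lambda a: (a["priority"] == 0, a["priority"]))

# Constructed sample response (not captured from a real card).
SAMPLE = b"".join(
    tlv(0x61, tlv(0x4F, bytes.fromhex(aid)) + tlv(0x50, label) + tlv(0x87, bytes([prio])))
    for aid, label, prio in [("A000000004101001", b"MC CREDIT", 2),
                             ("A000000004101002", b"MC DEBIT", 1),
                             ("FFFFFFFFFF0101", b"UNKNOWN", 1)])

if __name__ == "__main__":
    print(select_by_priority(candidate_list(card_applications(SAMPLE))))
```

The third sample entry has priority 01 as well, but it never reaches the priority comparison because its AID does not start with any AID in the terminal configuration.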

In conclusion, let us list all the APDU-C requests that a device sends to a card while building the Candidate List and performing the Application Selection.

ICC Contact:

  1. ATR
  2. Select (1PAY.SYS.DDF01), an attempt of selection through the PSE. In case of denial:
  3. Select (AID), selection through the PSA. If there is only one applet, the procedure is finished, moving to the next step. If there are two applets:
  4. Manual or automatic application select.

ICC Contactless:

  1. RATS
  2. Select (2PAY.SYS.DDF01), selection through the PSE. If there are two applets:
  3. Automatic Application select.

This is the first stage of the EMV transaction. Indeed, only the key features of the exchange are specified, and there are far more details. However, we did our best to save you the trouble of the many technical details, and to stick with the basics.

See you next time!