3
votes

Say I want to read public elements of EMV card. I will list some steps which I think are involved.

1. First, select application
   In order to select application we must: 
   (1) find out AID  of application using PSE (if present)
   (2) Try existing AID list.

Now, imagine I successfully selected application using one of the two methods above.

My question is: What steps I must undertake further to read the public elements of EMV card? More precisely: Do I need to provide card with PDOL and get AIP and AFL (http://www.openscdp.org/scripts/tutorial/emv/initiateapplicationprocess.html) using GET PROCESSING OPTIONS and then read out the records?

Or after selecting application like I mentioned initially, I can directly proceed with something like this (reading out records): link to source?

2

2 Answers

4
votes

The EMV specifications for payment systems are publicly available at http://www.emvco.com/. These specifications contain details processes and flows how EMV compliant payment terminsal can read that data from a card, so you could simply implement the relevant parts of these specifications.

To summarize, what you would typically do to get the static data stored on the card:

  1. Find the application (as you indicated).
  2. Select the application by its AID.
  3. Read the data files using READ RECORD commands (usually the first few records of the first few files contain the interesting data). On the cards I tried so far, there is no requirement to issue a GET PROCESSING OPTIONS command first, but you can only get a list of actual files/records relevant to transactions by issuing the GPO command and evaluationg the AFL sent by the card. But you can still use a brute-force approch to find the records relevant to you.
  4. Read the data elements using GET DATA commands (of course you need to know what data elements you are looking for).
2
votes

Just to add to Michel's excellent answer:-

  • You don't need to select PSE or PPSE before selecting the AID of the payment application but by doing so you should get a list of payment apps present on the card. You can safely skip this step if you want.
  • GET DATA can indeed read the data mentioned by Nicolas Riousset as well as a whole lot of proprietary data from either Visa and MasterCard. You would need a Visa or MC spec to know those tags for the proprietary data.
  • GPO to read AFL and AIP is not necessary but if you don't use this you need to use brute force and check all SFI and records. Wouldn't AFL be easier? The PDOL doesn't need to provide real data to the card - just supply the tag requested by the card with a '00' bytes value of the requested length.