I'm having a problem with an EMV MTIP contactless test and I don't understand why. The transaction is being accepted, but my test tool is displaying some failures around the cardholder verification and the CVM used (or not used).

The issues are:

  1. TVR Byte 3, bit 8, expecting 0, Received 1 (cardholder verification was not successful)

  2. CVM Results are equal to 3F0001, 5F0302/0 were expected

My understanding of this is both of these are saying no CVM occurred, although it should have. I don't understand why, as the amount of 3000 is above the CVM required limit. I have my terminal capabilities for contactless set to 60 B8 C8, which indicated support for:

  • Plaintext on ICC
  • Signature
  • Enciphered PIN Offline
  • No CVM Required

As I see it, 5F0302 would indicate the successful use of No CVM Required, whereas 3F0001 indicates that CVM verification failed.

Can anyone shed some light on why this would happen, and if I'm doing something wrong?

A full log of the transaction is too big to include in the post, but can be found here: Pastebin Transaction Log

Edit 1: I'm fairly certain I'm loading the correct CAPKs. They're being loaded from an XML file as per the terminal vendor's example, with the following values:

<!-- One CAPK per E2 block: RID, key index, modulus, public exponent, key checksum -->
<tag id="E2">
    <tag id="DFC316">A000000004</tag>   <!-- RID (MasterCard) -->
    <tag id="9F22">EF</tag>             <!-- CAPK index -->
    <tag id="DFC317"><!-- modulus value elided in the original post --></tag>
    <tag id="DFC318">03</tag>           <!-- public exponent -->
    <tag id="DFC31A">21766EBB0EE122AFB65D7845B73DB46BAB65427A</tag>   <!-- key checksum -->
</tag>
<tag id="E2">
    <tag id="DFC316">A000000004</tag>
    <tag id="9F22">F1</tag>
    <tag id="DFC317">A0DCF4BDE19C3546B4B6F0414D174DDE294AABBB828C5A834D73AAE27C99B0B053A90278007239B6459FF0BBCD7B4B9C6C50AC02CE91368DA1BD21AAEADBC65347337D89B68F5C99A09D05BE02DD1F8C5BA20E2F13FB2A27C41D3F85CAD5CF6668E75851EC66EDBF98851FD4E42C44C1D59F5984703B27D5B9F21B8FA0D93279FBBF69E090642909C9EA27F898959541AA6757F5F624104F6E1D3A9532F2A6E51515AEAD1B43B3D7835088A2FAFA7BE7</tag>
    <tag id="DFC318">03</tag>
    <tag id="DFC31A">D8E68DA167AB5A85D8C3D55ECB9B0517A1A5B4BB</tag>
</tag>
<tag id="E2">
    <tag id="DFC316">A000000004</tag>
    <tag id="9F22">FA</tag>
    <tag id="DFC317">A90FCD55AA2D5D9963E35ED0F440177699832F49C6BAB15CDAE5794BE93F934D4462D5D12762E48C38BA83D8445DEAA74195A301A102B2F114EADA0D180EE5E7A5C73E0C4E11F67A43DDAB5D55683B1474CC0627F44B8D3088A492FFAADAD4F42422D0E7013536C3C49AD3D0FAE96459B0F6B1B6056538A3D6D44640F94467B108867DEC40FAAECD740C00E2B7A8852D</tag>
    <tag id="DFC318">03</tag>
    <tag id="DFC31A">5BED4068D96EA16D2D77E03D6036FC7A160EA99C</tag>
</tag>

Edit 2: The Terminal Risk Management Data in use is 0CB4000000000000, which shows support for:

  • Contactless
    • No CVM required
    • On Device CVM
  • Contact
    • Plaintext PIN
    • Signature
    • Enciphered Offline
    • On Device CVM

Edit 3: The terminal type as set in 9F35 is 22 = Attended, Offline with Online Capability

Edit 4: The TAC for Denial is all zeros. The TAC for Default and Online is FC50808800, indicating:

  • Offline data authentication was not performed
  • SDA failed
  • ICC data missing
  • Card appears on the terminal exception file
  • DDA failed
  • Combined DDA/AC generation failed
  • Expired application
  • Requested service not allowed for card product
  • Cardholder verification not successful
  • Transaction exceeds floor limit
  • Merchant forced transaction online
In your Terminal Risk Management tag 0x9F1D, Byte 1 allows only NoCVM and On mobile device CVM. No Signature or Online PIN. Which CVM capability have you configured for CVM Required, when the amount is above the CVM Required limit? I would expect to use the NoCVM capability for CVM Required amounts, or to increase the CVM Required limit to the Contactless transaction limit so that NoCVM is always used. - iso8583.info support

If I understand you correctly, the second option is what I have implemented. The CVM Required Limit and Transaction Limit (No CDCVM) are both equal to 3000 - raydowe

1 Answer

  • TVR Byte 1 bit 8 = 1 - Offline data authentication was not performed
  • TVR Byte 3 bit 8 = 1 - Cardholder verification was not successful

This shows that your terminal has no required Certification Authority Public Keys (CAPK) loaded for Offline data authentication. Load the correct test Public Keys with indexes 0xEF, 0xF1, 0xFA. These keys are used for both contact and contactless M-TIP cards.

You did not mention your MasterCard contactless tag 0x9F1D value - The Terminal Risk Management Data.

You did not mention your Terminal MasterCard/Maestro Online, Denial, and Default TACs.

You did not mention your Terminal Type. Attended/Unattended. Maestro should have a specific implementation for the unattended environment regarding NoCVM.

The Terminal Capabilities Tag 0x9F33 you mentioned is usually replaced by your terminal brand's Contactless Kernel initialization settings/tags. I see SDA enabled in your case. According to PayPass M/Chip Requirements - "Newly deployed PayPass terminals do not support SDA, and are not configured to support SDA." SDA is a weak authentication.

In the terminal Contactless Kernel you should have configured different CVM capabilities for transaction amounts below the CVM Required Limit (NoCVM) and above the CVM Required Limit. Because of Market requirements Online PIN might not be supported, and Signature should not be supported for Unattended terminals, so only NoCVM can be used in this case for amounts above the CVM Required Limit. Plus a specific implementation for Maestro processing.

I would suggest looking into the MasterCard PayPass M/Chip Requirements, which open up other interesting items about MasterCard/Maestro contactless card processing.
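The question decodes several EMV bitmaps by hand (TVR bits, CVM Results 3F0001 versus 5F0302, Terminal Capabilities 60B8C8, Terminal Risk Management Data 0CB4000000000000) and the answer hinges on how the TVR is matched against the TACs. The following Python decoders, added here as an illustration and not code from the question, the answer, or any terminal vendor, reproduce those decodings and run a simplified terminal action analysis so the effect of TVR byte 3 bit 8 on the TAC Online/Default value FC50808800 can be checked. Bit layouts for the TVR, 9F34 and 9F33 follow EMV Book 3; the 9F1D byte 1 layout is taken from EMV Book C-2 as remembered here and is an assumption to verify against your kernel specification. The full 5-byte TVR is constructed (the post quotes only individual bits), and the IACs default to zeros.

```python
"""Decoders for the EMV data elements discussed above (TVR, CVM Results 9F34,
Terminal Capabilities 9F33, Terminal Risk Management Data 9F1D) plus a
simplified terminal action analysis. TVR/9F34/9F33 layouts follow EMV Book 3;
the 9F1D byte 1 layout is from EMV Book C-2 as remembered here (assumption:
check it against your kernel specification). Sample values are the ones
quoted in the question; the 5-byte TVR is constructed."""

TVR_BITS = {  # (byte, bit) -> meaning; RFU bits and byte 5 omitted
    (1, 8): "Offline data authentication was not performed",
    (1, 7): "SDA failed",
    (1, 6): "ICC data missing",
    (1, 5): "Card appears on terminal exception file",
    (1, 4): "DDA failed",
    (1, 3): "CDA failed",
    (2, 8): "ICC and terminal have different application versions",
    (2, 7): "Expired application",
    (2, 6): "Application not yet effective",
    (2, 5): "Requested service not allowed for card product",
    (2, 4): "New card",
    (3, 8): "Cardholder verification was not successful",
    (3, 7): "Unrecognised CVM",
    (3, 6): "PIN Try Limit exceeded",
    (3, 5): "PIN entry required and PIN pad not present or not working",
    (3, 4): "PIN entry required, PIN pad present, but PIN was not entered",
    (3, 3): "Online PIN entered",
    (4, 8): "Transaction exceeds floor limit",
    (4, 7): "Lower consecutive offline limit exceeded",
    (4, 6): "Upper consecutive offline limit exceeded",
    (4, 5): "Transaction selected randomly for online processing",
    (4, 4): "Merchant forced transaction online",
}
CVM_CODES = {0x00: "Fail CVM processing", 0x01: "Plaintext PIN verification performed by ICC",
             0x02: "Enciphered PIN verified online", 0x03: "Plaintext PIN by ICC and signature",
             0x04: "Enciphered PIN verification performed by ICC",
             0x05: "Enciphered PIN by ICC and signature", 0x1E: "Signature (paper)",
             0x1F: "No CVM required", 0x3F: "No CVM performed"}
CVM_CONDITIONS = {0x00: "Always", 0x01: "If unattended cash",
                  0x02: "If not unattended cash and not manual cash and not purchase with cashback",
                  0x03: "If terminal supports the CVM", 0x04: "If manual cash",
                  0x05: "If purchase with cashback"}  # 06-09 are the amount-based X/Y conditions
CVM_RESULT = {0x00: "Unknown", 0x01: "Failed", 0x02: "Successful"}
CVM_CAPABILITY_9F33 = {8: "Plaintext PIN for ICC verification", 7: "Enciphered PIN for online verification",
                       6: "Signature (paper)", 5: "Enciphered PIN for offline verification",
                       4: "No CVM required"}  # 9F33 byte 2
TRMD_BYTE1 = {8: "Enciphered PIN verified online", 7: "Signature (paper)",  # 9F1D byte 1 (assumed layout)
              6: "Enciphered PIN verification performed by ICC",
              5: "Plaintext PIN verification performed by ICC", 4: "No CVM required", 3: "CDCVM"}


def set_bits(hex_value):
    """(byte, bit) positions set in a hex bitmap; bytes count from 1, bits from 8 (MSB) as in EMV."""
    return {(i + 1, b) for i, octet in enumerate(bytes.fromhex(hex_value))
            for b in range(1, 9) if octet & (1 << (b - 1))}


def decode_tvr(tvr_hex):
    """Meanings of the set TVR bits, ordered by byte, then bit 8 downwards."""
    positions = sorted(set_bits(tvr_hex), key=lambda p: (p[0], -p[1]))
    return [TVR_BITS[p] for p in positions if p in TVR_BITS]


def decode_cvm_results(hex_9f34):
    """9F34: byte 1 = CVM performed (bit 7 = apply next rule on failure), byte 2 = condition, byte 3 = result."""
    method, condition, result = bytes.fromhex(hex_9f34)
    return {"cvm": CVM_CODES.get(method & 0x3F, "RFU/proprietary"),
            "apply_next_if_fail": bool(method & 0x40),
            "condition": CVM_CONDITIONS.get(condition, "amount-based or RFU"),
            "result": CVM_RESULT.get(result, "RFU")}


def decode_terminal_cvm_capabilities(hex_9f33):
    """CVMs the terminal declares in 9F33 byte 2."""
    bits = set_bits(hex_9f33)
    return [name for bit, name in CVM_CAPABILITY_9F33.items() if (2, bit) in bits]


def decode_trmd_contactless_cvms(hex_9f1d):
    """CVMs allowed for contactless by 9F1D byte 1 (byte 2 is the contact equivalent, not decoded here)."""
    bits = set_bits(hex_9f1d)
    return [name for bit, name in TRMD_BYTE1.items() if (1, bit) in bits]


def terminal_action_analysis(tvr, tac_denial, tac_online, tac_default, iac_denial="0000000000",
                             iac_online="0000000000", iac_default="0000000000", online_capable=True):
    """Simplified EMV Book 3 section 10.7: the TVR is matched against the OR of terminal (TAC) and
    issuer (IAC) action codes to pick the cryptogram requested: AAC (decline), ARQC (online) or TC."""
    t = int(tvr, 16)

    def hit(tac, iac):
        return (t & (int(tac, 16) | int(iac, 16))) != 0

    if hit(tac_denial, iac_denial):
        return "AAC"
    if online_capable:
        return "ARQC" if hit(tac_online, iac_online) else "TC"
    return "AAC" if hit(tac_default, iac_default) else "TC"  # offline-only terminal: default codes decide


if __name__ == "__main__":
    print(decode_tvr("8000800000"))  # constructed TVR: byte 1 bit 8 and byte 3 bit 8 set, as in the answer
    print(decode_cvm_results("3F0001"), decode_cvm_results("5F0302"))
    print(decode_terminal_cvm_capabilities("60B8C8"))
    print(decode_trmd_contactless_cvms("0CB4000000000000"))
    print(terminal_action_analysis("8000800000", "0000000000", "FC50808800", "FC50808800"))
```

With the question's values, 3F0001 decodes to "No CVM performed, condition Always, result Failed" while 5F0302 is "No CVM required, apply next rule on failure, condition If terminal supports the CVM, result Successful"; 60B8C8 byte 2 lists exactly the four CVMs the question names, and 0C in 9F1D byte 1 lists only No CVM required and CDCVM. Because FC50808800 has byte 3 bit 8 set, any TVR with "Cardholder verification was not successful" forces an ARQC online request (or a decline when the terminal cannot go online and the same value is the Default TAC), which is why the CVM failure still matters even though the transaction was approved online.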