reading EMV card using PPSE and not PSE

Question

I'm trying to read the data off a contactless Visa Paywave card.

For the Paywave, I have to submit a SELECT using PPSE (2PAY.SYS.DDF01) instead of PSE (1PAY.SYS.DDF01).

The EMV book 1, section 11.3.4, table 43 only describes how to interpret the response for a successful SELECT command using PSE. Does anyone know or can refer me to a source that shows how to process the data returned from a successful SELECT command using PPSE?

Here's my request APDU:

00A404000e325041592e5359532e444446303100

Here's the response:

6F2F840E325041592E5359532E4444463031A51DBF0C1A61184F07A0000000031010500A564953412044454249548701019000

I understand tag 84 , tag 85 , tag BF0C from the response. According to the examples for reading PSE, I should be able to just send GET PROCESSION OPTIONS (to get the AIP and AFL) with PDOL = null after this successful response as follows: 80A80000830000 .

But request 80A80000830000 returns error code 6985 - Command not allowed; conditions of use not satisfied.

I also tried reading all the files after successfully selecting the PPSE by traversing through every single SFI (0-30) and every single record (0-16) of each SFI. Yes, I also did the 3 bit shift and bitwise-OR the SFI with 0x4 . But I got no data.

I'm stuck, any help that would point me into getting some info from my Paywave card would be appreciated!

Answer 1

Have you tried this tool from EMVLAB http://www.emvlab.org/emvtags/

Using that tool,

http://www.emvlab.org/tlvutils/?data=6F2F840E325041592E5359532E4444463031A51DBF0C1A61184F07A0000000031010500A564953412044454249548701019000

Answer 2

You seem to have the flow mixed up a bit, you want to:

• Send 1PAY or 2PAY, it doesn't actually matter for all of the cards I've tested. This will return a list of the AIDs available on the card. Alternately you can just select an AID straight away if you know it's there but good practice would be to check first.

• Get the list of AIDs returned in response to 1PAY/2PAY, in PayWave's case this will probably be A0000000031010 if you sent 2PAY but you may get more if you send 1PAY.

• Select one of the AIDs sent back (or one you already know is on there).

• Then loop through the SFIs and records sending the Read Records command to get the data.

You don't have to send Get Processing Options before sending the Read Records command even though that's now a normal transaction flow goes.

Answer 3

I think the information you're looking for is available from this VISA website . But only if you're a registered and/or licensed partner of VISA.

EDIT: Looking at the resulting TLV struct under BF0C :

tag=0xBF0C, length=0x1A
    tag=0x61, length=0x18
        tag=0x4F, length=0x07, value=0xA0000000031010 // looks like an AID to me
        tag=0x50, length=0x0A, value="VISA DEBIT"
        tag=0x87, length=0x01, value=0x01

I would guess that you need to first select A0000000031010 before getting the processing options.

Answer 4

I was selecting application 2PAY.SYS.DDF01. when I should have been selecting AID = 0xA0000000031010. It looks like there's no records under application 2PAY.SYS.DDF01.

But there was 1 record under application 0xA0000000031010. After I got this application, I performed a READ RECORD, and the first record gave me the PAN and all the credit card info I wanted.

Thanks everyone for chiming in.

Answer 5

If you are interested in this for MasterCard as well, you can use triangle.io's API to do this. It's free and reads MasterCard and Visa contactless cards for you which is what you seem to want.

Note that reading all the files directly off of the card, while it will give you the data you want, is not really following the EMV data flow. After application selection, you should perform the "get processing options" and then build the PDOLs and the rest of the magic.

http://www.triangle.io

Disclaimer: I work for triangle.io

Answer 6

2PAY.SYS.DDF01 is for contactless (eg NFC ) cards, while 1PAY.SYS.DDF01 is for contact cards.

1. After successfully (SW1 SW2 = 90 00) reading a PSE, you should only search for the SFI (tag 88) which is a mandatory field in the FCI template returned.

2. With the SFI as your start index, your would have to read the records starting from the start index until you get a 6A83 (RECORD_NOT_FOUND). Eg if your SFI is 1, you would do a readRecord with record_number=1. That would probably be successful. Then you increament record_number to 2 and do readRecord again. The increament to 3 .... Repeat it until you get 6A83 as your status.

3. The records read would be ADFs (at least 1). Then your would have to compare the read ADF Names with what your terminal support and also based on the ASI (Application Selection Indicator). At the end you would have a list of possible ADFs (Candidate list)

All the above steps (1-3) are documented in chapter 12.3.2 Book1 v4.3 of the EMV spec.

You would have to make a final selection (Chapter 12.4 Book1)

Read the spec book 1 chapter 12.3 - 12.4 for all the detailed steps.