Payment Transaction Processing

The verification process for online PINs for both magnetic stripe card and EMV card transactions begins when a point-of-sale (POS) device or ATM encrypts the cardholder PIN block and sends the PIN block to the card issuer for authentication through the acquiring bank or processor. BCSS receives the encrypted PIN block, then sends the secret keys and security information to the HSM for decryption and use, so that the PIN and keys are never in the clear. The expected security code is compared to the one in the transaction. If the codes match, the transaction is authorized. CVV and CVC security codes are similarly sent from the POS to the acquirer or issuer for verification using cryptographic keys inside the HSM. The important thing is that the keys are securely stored and only available for use inside the secure execution engine of the HSM.

In an EMV transaction environment, the card initiates, at the POS terminal, a transaction authorization request called an application request cryptogram (ARQC) that incorporates transaction data encrypted using card-unique keys. The ARQC is sent by the terminal through the acquirer network to the issuer for verification and transaction authorization. At the issuer host system, the ARQC is verified by a BCSS and integrated HSM application which returns an authorization response cryptogram for that specific transaction. The response, called an ARPC, is sent back to the POS terminal and card.

Prime Factors’ Bank Card Security System (BCSS) plays an important role in the verification and authorization process for digital payment transactions. BCSS meets standards for security code verification and authorization established by the network brands including use of a hardware security module (HSM), as well as mutual authentication the Global Platform specifications. BCSS also supports all PIN management functions such as PIN translation, PIN selection, PIN bridging and PIN verification.

BCSS plays an important support role
in processing digital payment transactions:

 

Supports transaction switching, authorization, and payment credential management.
Performs dynamic CVV/CVC3 verification for contactless cards.
Facilitates credit, payment and debit card PIN translations and PIN change.
Verifies payment card security codes (CVV, CVC, CSC, etc.).
Verifies cryptograms (ARQCs) and generates responses (ARPCs) for authorizing EMV transactions.
Supports the generation of EMV secure messages (e.g., PIN unblock, payment credential updates).
Provides Mobile/Cloud-based cryptogram verification, refresh of wallet keys (e.g., Host Card Emulation).
Supports online user authentication based on Mastercard Chip Authentication Program and Visa DPA Dynamic Passcode Authentication.

The ability for BCSS to help manage Payment Hardware Security Modules (HSM) coupled with its robust payment key management functionality speeds up and simplifies the development and implementation of in-house payment authorizations systems.