
Visa Smart Debit/Credit

Certification Authority
Service Description
Version 2.3

June 2008

Visa Internal Use Only


Contents

1 Introduction 1-1

2 VSDC Public Key Hierarchy 2-1


2.1 Keys and Certificates 2-1
2.2 Data Authentication 2-2
2.2.1 Static Data Authentication 2-3
2.2.2 Dynamic Data Authentication 2-4
2.3 Offline PIN Encipherment 2-6

3 Certificate Services 3-1


3.1 Parties Involved 3-1
3.1.1 Visa Encryption Standards & Technology 3-2
3.1.2 Visa Regions 3-2
3.1.3 VSDC Issuer 3-2
3.1.4 VSDC Acquirer 3-3
3.1.5 Third-Party Processor 3-4
3.2 Process Summary 3-4
3.2.1 Registration 3-4
3.2.2 Issuer Public Key Certificate Requests 3-5
3.2.3 Distributing the VSDC Public Keys 3-5
3.2.4 Incident Response and Disaster Recovery 3-6

Figures
Figure 2-1 Cryptographic Keys and Certificates for SDA 2-1
Figure 2-2 Cryptographic Keys and Certificates for DDA, CDA, and
Offline Enciphered PIN 2-2
Figure 2-3 Static Data Authentication 2-4
Figure 2-4 Dynamic Data Authentication 2-5
Figure 2-5 Offline PIN Encipherment 2-6

Tables
Table A-1 VSDC CA Reference Materials A-1
Table B-1 Terminology and Definitions B-1
Table B-2 Notation B-4

June 2008 Visa Internal Use Only i


1 Introduction
To maintain global card payment interoperability, EMVCo, an association of Visa,
MasterCard, and JCB, developed a standard, EMV Integrated Circuit Card
Specifications for Payment Systems; the current version is 4.1 (in this document referred
to as “the EMV 4.1 standard”). The EMV™ standard covers the terminal as well as the
card side of card transactions using chip cards (Integrated Circuit Cards referred to as
ICC). Because the EMV standard is updated periodically, please ensure that you have
the most recent version by checking the EMVCo website, www.emvco.com. Please be
sure to check for Bulletins, also on the EMVCo website, which may clarify or update the
EMV standard.
NOTE: In this document, terminal refers to any offline-capable device.

The EMV standard calls for the use of symmetric keys for online authentication and for
the use of public key technology for offline authentication and, optionally, for offline PIN
encipherment. The EMV Public Key system uses a hierarchy of keys, with a payment
system certification authority key pair at the top tier, an issuer key pair at the second tier,
and ICC keys at the third and lowest tier. Each payment system is responsible for
maintaining the certification authority public keys of its own Public Key hierarchy, in
support of the EMV Public Key infrastructure.

Terminals globally have the certification authority Public Keys of the payment systems
loaded and use them for offline authentication and offline PIN encipherment. The
payment systems use their certification authority keys to certify the second-tier Public
Keys, namely the Public Keys of their respective issuers.

To maintain Visa’s certification authority keys and to perform the required certification
services, Visa operates the Visa Smart Debit/Credit (VSDC) Certification Authority (CA).

The VSDC CA is responsible for the management of the VSDC CA key pairs and for the
certification of VSDC issuers’ public keys.

This document describes the services offered by Visa to issuers to enroll them and issue
them their Issuer Public Key (IPK) Certificates. It describes the parties involved and the
process for certificate issuance to issuers.

2 VSDC Public Key Hierarchy


This section describes the three areas of VSDC that use the VSDC Public Key
Hierarchy: Static Data Authentication, Dynamic Data Authentication (DDA and CDA),
and Offline Enciphered PIN.

2.1 Keys and Certificates


In the VSDC Public Key Hierarchy, Visa distributes the CA Public Keys to acquirers,
which load them into their terminals. The terminal uses the CA Public Key to recover the
IPK from the card's IPK Certificate.

The VSDC CA generates the IPK Certificates for issuers. This process involves the
issuer generating an IPK pair. The issuer stores the Issuer Private Key securely and
sends the IPK to the VSDC CA which signs the IPK with the VSDC CA Private Key to
create the IPK Certificate. This certificate is sent to the issuer.

The issuer personalizes its SDA cards with the IPK Certificate received from the CA and
a signature of the static data from the card, which is called the Signed Static Application
Data (SSAD). (Please see Section 2.2.1, Static Data Authentication.)

Figure 2-1 shows the relationship between cryptographic keys and certificates for SDA.

Figure 2-1 Cryptographic Keys and Certificates for SDA

Issuers of cards supporting DDA, CDA, or Offline Enciphered PIN obtain an IPK
Certificate from the VSDC CA using the same procedures used for SDA.

During card personalization, the issuer generates an ICC Public Key pair for each card
and signs the ICC Public Key and static application data with the Issuer Private Key to
generate an ICC Public Key Certificate. The issuer personalizes its cards with the IPK
Certificate received from the CA, the ICC Public Key Certificate, and the secret ICC
Private Key which is stored in a secure confidential location on the card.

Figure 2-2 shows the relationship between cryptographic keys and certificates for DDA,
CDA, and Offline Enciphered PIN.
[Figure 2-2 (diagram): three key pairs. On the card: the ICC Private Key S_IC, the ICC
Public Key P_IC, and the static application data. At the issuer: the Issuer Private Key S_I
and the Issuer Public Key P_I. At the certification authority: the CA Private Key S_CA and
the CA Public Key P_CA; P_CA is distributed to the acquirer and resides in the terminal.
The card carries the Issuer PK Certificate and the ICC PK Certificate and supplies both,
together with a dynamic signature, to the terminal.]

Card provides to terminal:
• Issuer PK Certificate (P_I certified by S_CA)
• ICC PK Certificate (P_IC and static application data certified by S_I)
• Card and terminal dynamic data with digital signature

Terminal:
• Uses P_CA to verify that the issuer's P_I was certified by the CA
• Uses P_I to verify that the card's P_IC and static application data were certified by the
issuer
• Uses P_IC to verify the digital signature over the card dynamic data

Figure 2-2 Cryptographic Keys and Certificates for DDA, CDA, and Offline
Enciphered PIN

2.2 Data Authentication


The EMV standard supports two kinds of data authentication:
• Static Data Authentication (SDA)
• Dynamic Data Authentication (DDA and CDA)

Offline-capable terminals must support both SDA and DDA, whereas offline-capable ICC
cards must support either one or the other or both. CDA support is optional in cards and
terminals. Card issuers decide which offline data authentication methods their
customers' cards should support. During a transaction, the ICC lets the terminal know
whether it supports SDA, DDA, or CDA, and the terminal operates accordingly.


For SDA, the ICC passes its IPK Certificate and the signature of its static data (the SSAD)
to the terminal for validation. The card itself does no public key cryptography, so cards
that support only SDA are not required to implement RSA. SDA provides data integrity
because the issuer has digitally signed important data on the ICC, which the terminal
authenticates.

DDA provides additional benefits compared to SDA in that it allows the terminal to verify
the authenticity of the ICC. In a DDA transaction, the ICC creates a unique digital
signature for each transaction, using the Rivest, Shamir, Adleman (RSA) algorithm. The
terminal checks that this dynamic signature is valid and, therefore, that the card is
genuine. Because the ICC needs to be able to perform RSA cryptography to generate
this dynamic signature, DDA cards normally cost more than SDA cards.

2.2.1 Static Data Authentication


When preparing an SDA card for a cardholder, the issuer digitally signs important static
data fields, creating what is known as the SSAD. The card is personalized with this
SSAD, the IPK Certificate, and the Public Key Index that designates which VSDC CA
Public Key is to be used to recover the IPK.

In an SDA transaction, the terminal reads and verifies the SSAD using the IPK that the
terminal recovered from the IPK Certificate. This verifies the integrity of the data coming
from the card—that is, that the data is unchanged from when the issuer signed it during
card personalization. The static data that is signed may, for example, include:
• Cardholder Verification Method (CVM) List which indicates how cardholders should
verify their identity at the time of transaction (e.g., signature, PIN)
• Primary Account Number (PAN)
• Card Effective Date
• Card Expiry Date
• Application Interchange Profile, which indicates if the ICC supports SDA, DDA,
Offline Enciphered PIN, etc.

The ICC does not have to support any cryptography to perform SDA because the static
data is signed by the issuer during card personalization and is merely read from the ICC
by the terminal for terminal validation.

The protection against skimming (copying) offered by SDA does not leverage the
cryptographic potential of the chip. The issuer performs the digital signing that creates the
SSAD before the card is issued, and the card never proves possession of a private key.
The SSAD and the signed static data can therefore be skimmed from a valid card and
written to another ICC, and a terminal performing SDA alone cannot distinguish that copy
from the genuine card.


Notice, however, that the SSAD itself is protected against alteration because the issuer
has signed it. Only parties that have access to the issuer’s Private Key can create such
a signature.

The way that the terminal verifies the signature is illustrated in Figure 2-3.

[Figure 2-3 (diagram): the Visa CA Public Key (Pb_Visa) recovers the Issuer Public Key
Certificate (IIN, expiry date, serial number, Pb_Issuer; signed by the CA). Pb_Issuer then
verifies the Signed Application Data, e.g. AIP, effective date, expiry date, PAN and CVM
List, signed by the issuer.]

Figure 2-3 Static Data Authentication


The terminal:
• selects the VSDC CA Public Key designated by the Public Key Index and uses it to
recover the IPK from the IPK Certificate
• uses the IPK to recover, from the static signature (SSAD), the hash of the signed static
application data
• computes a hash over the static data read from the card and checks that it matches the
recovered hash.

The terminal's validation of the SSAD signature against the actual data assures that the
data has not been changed since the issuer signed it during personalization.

2.2.2 Dynamic Data Authentication


When preparing a DDA card for a cardholder, the issuer does the following:
• Uses a card that supports RSA signature generation.
• Personalizes the ICC with:
– the IPK Certificate that was provided by the VSDC CA and contains the IPK
signed with the VSDC CA Private Key.
– the Public Key Index that designates which VSDC CA Public Key is to be used to
recover the IPK
– the card's own asymmetric (RSA) key pair, consisting of an ICC Public Key
Certificate that contains the ICC Public Key that the issuer signed with the Issuer
Private Key during personalization and the ICC Private Key that is held in secure,
confidential storage on the ICC. The ICC Public Key Certificate also contains a
hash of the static data from the card.

Data Authentication

During a DDA transaction, the terminal requests a dynamic signature using the
INTERNAL AUTHENTICATE command that includes an Unpredictable Number from the
terminal. The ICC uses its ICC Private Key to sign the Unpredictable Number and
dynamic data from the card and sends this dynamic signature back to the terminal. The
terminal also reads the ICC’s Public Key certificate, signed by the issuer, and the
issuer’s Public Key certificate, signed by the VSDC CA Private Key.

Figure 2-4 illustrates the process.

[Figure 2-4 (diagram): the terminal sends its dynamic data (the Unpredictable Number) to
the ICC; the ICC signs its own dynamic data together with the terminal dynamic data,
producing the Signed Dynamic Application Data (SAD). The terminal verifies the chain
Pb_Visa -> Issuer Public Key Certificate (IIN, expiry date, serial number, Pb_Issuer;
signed by the CA) -> ICC Public Key Certificate (PAN, expiry date, serial number,
Pb_ICC; signed by the issuer) -> dynamic signature.]

Figure 2-4 Dynamic Data Authentication

The terminal uses the VSDC CA Public Key designated by the Public Key Index to:

• recover the IPK from the IPK Certificate.

The terminal then uses the IPK to:

• recover the ICC Public Key from the ICC Public Key Certificate.
• verify the hash of the static data carried in the ICC Public Key Certificate against the
static data read from the card.

The terminal then uses the ICC Public Key to:

• recover the signed data from the dynamic signature returned in the INTERNAL
AUTHENTICATE response.
• check that the hash recovered from the dynamic signature is consistent with the ICC
dynamic data and the Unpredictable Number that the terminal sent in the INTERNAL
AUTHENTICATE command; a signature captured in an earlier transaction fails this
check.

Successful DDA provides assurance that the card is genuine and not counterfeit. The
assurance is created by following a chain of trust from the VSDC CA key through the
integrity of the keys stored in the terminal, through the issuer and ICC Public Key
certificates to the security of the Private Key store of any ICC with a key pair certified by
a legitimate issuer.
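The SDA chain of Section 2.2.1 (Figure 2-3) and the DDA chain above (Figure 2-4) share the same mechanics: RSA with message recovery, a SHA-1 hash that also covers data sent in clear beside the signature, and certificates that must be recovered in order. The following Python program is an added illustration written for this page; it is not Visa, EMVCo or VSDC CA code. It builds a toy CA, issuer and ICC key set, personalizes a card with an IPK Certificate, an SSAD and an ICC Public Key Certificate, and then plays the terminal side of both SDA and DDA, including the failure cases a terminal must catch: altered static data, an expired certificate, a CA key the terminal does not trust, and a replayed dynamic signature with the wrong Unpredictable Number. The key lengths, issuer identifier, PAN, dates and serial numbers are constructed, e = 3 is assumed throughout, and the Public Key Remainder used for long issuer or ICC keys is not modelled.

```python
"""Toy EMV SDA/DDA verification chain. Added example; not Visa, EMVCo or VSDC CA code.
Implements the EMV signature scheme with message recovery (RSA, e = 3, recovered block
0x6A || data || SHA-1 || 0xBC) using only the standard library. Key lengths, identifiers,
dates and card data are constructed; the Public Key Remainder for long keys is not modelled."""
import hashlib
import random

def _probable_prime(n, rng, rounds=24):
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):    # trial division
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                                # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(n_bytes, seed, e=3):
    """Deterministic toy RSA key pair (never for production). Returns (n, e, d)."""
    rng, half = random.Random(seed), n_bytes * 4
    def prime():
        while True:
            c = rng.getrandbits(half) | (3 << (half - 2)) | 1   # top two bits set: n fills n_bytes
            if c % 3 != 1 and _probable_prime(c, rng):           # p = 2 mod 3 keeps gcd(e, p-1) = 1
                return c
    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))             # modular inverse, Python 3.8+

def _nbytes(key):
    return (key[0].bit_length() + 7) // 8

def emv_sign(priv, data, extra=b""):
    """Sign exactly N-22 bytes of recoverable data; the SHA-1 also covers 'extra', which
    travels in clear beside the signature (exponent, static data, Unpredictable Number)."""
    n, _, d = priv
    assert len(data) == _nbytes(priv) - 22
    x = int.from_bytes(b"\x6a" + data + hashlib.sha1(data + extra).digest() + b"\xbc", "big")
    return pow(x, d, n).to_bytes(_nbytes(priv), "big")

def emv_recover(pub, sig, extra=b""):
    """Recover the signed data with the public key; None if any check fails."""
    n, e, nb = pub[0], pub[1], _nbytes(pub)
    if len(sig) != nb or int.from_bytes(sig, "big") >= n:
        return None
    x = pow(int.from_bytes(sig, "big"), e, n).to_bytes(nb, "big")
    data, h = x[1:-21], x[-21:-1]
    if x[0] != 0x6A or x[-1] != 0xBC or hashlib.sha1(data + extra).digest() != h:
        return None
    return data

def issue_cert(signer_priv, subject_pub, fmt, ident, static=b""):
    """IPK certificate (fmt 02, ident = issuer id(4) MMYY(2) serial(3)) or ICC certificate
    (fmt 04, ident = PAN(10) MMYY(2) serial(3)); an ICC certificate also binds the static data."""
    mod = subject_pub[0].to_bytes(_nbytes(subject_pub), "big")
    field = _nbytes(signer_priv) - 27 - len(ident)            # key field: N_CA-36 or N_I-42 bytes
    assert len(mod) <= field, "toy does not model the Public Key Remainder"
    body = fmt + ident + b"\x01\x01" + bytes([len(mod), 1]) + mod.ljust(field, b"\xbb")
    return emv_sign(signer_priv, body, bytes([subject_pub[1]]) + static)

def verify_cert(signer_pub, cert, ident_len, today, exp_bytes=b"\x03", static=b""):
    """Recover the subject key (n, e), rejecting an expired certificate; today = (YY, MM) in BCD."""
    data = emv_recover(signer_pub, cert, exp_bytes + static)
    if data is None or (data[ident_len - 3], data[ident_len - 4]) < today:
        return None
    klen = data[ident_len + 3]
    return int.from_bytes(data[ident_len + 5:ident_len + 5 + klen], "big"), exp_bytes[0]

# Issuer-side personalization data (all constructed): CA 128 bytes, issuer 88 bytes, ICC 40 bytes
CA, ISSUER, ICC = rsa_keygen(128, seed=1), rsa_keygen(88, seed=2), rsa_keygen(40, seed=3)
STATIC = bytes.fromhex("5A084761000000000001" "82025C00")       # PAN and AIP records to authenticate
IPK_CERT = issue_cert(CA, ISSUER, b"\x02", bytes.fromhex("47610000" "1231" "000001"))
SSAD = emv_sign(ISSUER, b"\x03\x01\x00\x00".ljust(_nbytes(ISSUER) - 22, b"\xbb"), STATIC)
ICC_CERT = issue_cert(ISSUER, ICC, b"\x04", bytes.fromhex("4761000000000001FFFF" "1231" "000001"), STATIC)

def terminal_sda(ca_pub, ipk_cert, ssad, static, today=(0x24, 0x06)):
    """Figure 2-3: CA PK -> IPK -> SSAD; the recovered hash must match the static data read."""
    ipk = verify_cert(ca_pub, ipk_cert, 9, today)
    return ipk is not None and emv_recover(ipk, ssad, static) is not None

def card_internal_authenticate(icc_priv, un):
    """Card side of INTERNAL AUTHENTICATE: sign ICC dynamic data plus the terminal's UN."""
    icc_dyn = random.getrandbits(64).to_bytes(8, "big")        # e.g. an ICC Dynamic Number
    body = (b"\x05\x01" + bytes([len(icc_dyn)]) + icc_dyn).ljust(_nbytes(icc_priv) - 22, b"\xbb")
    return emv_sign(icc_priv, body, un)

def terminal_dda(ca_pub, ipk_cert, icc_cert, static, un, sdad, today=(0x24, 0x06)):
    """Figure 2-4: CA PK -> IPK -> ICC PK -> dynamic signature bound to this transaction's UN."""
    ipk = verify_cert(ca_pub, ipk_cert, 9, today)
    icc = ipk and verify_cert(ipk, icc_cert, 15, today, static=static)
    return bool(icc) and emv_recover(icc, sdad, un) is not None
```

Calling terminal_sda(CA, IPK_CERT, SSAD, STATIC) returns True, as does terminal_dda with a fresh signature from card_internal_authenticate(ICC, un) for the same un; change one byte of STATIC, move today past the certificate expiry, verify against a different CA key, or present the signature with another Unpredictable Number and each returns False. Note that the Unpredictable Number is never recovered from the signature: it enters the hash the card signs, which is exactly why a signature captured in one transaction cannot be replayed in another.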

2.3 Offline PIN Encipherment


An issuer can choose to have its ICC cards support Offline Enciphered PIN. With Offline
Enciphered PIN, the terminal uses an RSA ICC public key to encipher the cardholder-
entered PIN prior to passing this PIN to the card. The card deciphers the enciphered PIN
with its ICC private key and checks it against a Reference PIN, which is stored secretly
on the card. Offline Enciphered PIN prevents a fraudster from tapping the card-terminal
interface to discover the cardholder's PIN. ICCs supporting Offline Enciphered PIN must
support RSA. If both the card and terminal support Offline Enciphered PIN, it will be
performed according to rules in the card's CVM List.

During Offline PIN encipherment, the ICC supplies the terminal with the public key
certificate for its PIN encipherment key, which may be the same key used for DDA
signatures or may be a separate key used only for PIN encipherment. This ICC public key is
recovered using the same hierarchy of CA and Issuer public keys used for recovery of
the DDA key. The terminal encrypts the cardholder-entered PIN with the ICC public key
and sends the enciphered PIN to the ICC for verification. In the EMV scheme the
enciphered block also carries an unpredictable number obtained from the card and random
padding, so the same PIN does not produce the same ciphertext twice. The ICC uses its
corresponding ICC private key to decrypt the enciphered PIN and verifies the decrypted
PIN against the card's secret Reference PIN.

Figure 2-5 illustrates the process.

[Figure 2-5 (diagram): the cardholder-entered PIN is enciphered under Pb_ICC and sent to
the ICC. Pb_ICC is recovered through the same chain as for DDA: Pb_Visa -> Issuer
Public Key Certificate (IIN, expiry date, serial number, Pb_Issuer; signed by the CA) ->
ICC Public Key Certificate (PAN, expiry date, serial number, Pb_ICC; signed by the
issuer).]

Figure 2-5 Offline PIN Encipherment

Parties Involved

3 Certificate Services
This section describes how the VSDC CA fits into the VSDC Public Key Hierarchy. It
describes the participants and processes involved in establishing the infrastructure
needed to support the functionality required by EMV.

3.1 Parties Involved


In the VSDC Public Key Hierarchy, Visa distributes the CA Public Keys to acquirers who
load them into their terminals. The terminal uses the CA Public Key to recover the IPK
from the card's IPK Certificate.

The VSDC CA issues IPK Certificates to issuers, using the Visa regions as registration
authorities. This process involves the issuer generating one or more IPK pairs. The
issuer stores its Issuer Private Key securely and sends the IPK to their Visa registration
authority who vets the request. If the registration authority approves the request, it
forwards the IPK to the VSDC CA. The issuer receives back an IPK Certificate for each
VSDC CA key used for signing certificates.

If the issuer's cards support SDA, the issuer must personalize its cards with one of the
IPK Certificates received from the CA, the Public Key Index, and a signature of the static
application data from the card.

During personalization of cards supporting DDA, CDA, or Offline Enciphered PIN, the
issuer generates a unique ICC Public Key pair for each card. The ICC Public Key and
static application data are signed with the Issuer Private Key to generate an ICC Public
Key Certificate. The issuer personalizes the cards with the IPK Certificate received from
the CA, the Public Key Index, the card's ICC Public Key Certificate, and the card's secret
ICC Private Key which is stored in a secure confidential location on the card.

In summary, the participants in this infrastructure are:


• the VSDC CA
• Each Visa region (Visa Asia Pacific, Visa Canada, Visa CEMEA, Visa Europe,
Visa Latin America and the Caribbean, and Visa USA) acting as the registration
authority
• VSDC issuers
• VSDC acquirers
• Possibly third parties acting for issuers or acquirers
• Cardholders and their ICCs


The following subsections will describe the participants and their roles and obligations in
more detail.

3.1.1 Visa Encryption Standards & Technology


Visa Encryption Standards & Technology operates the VSDC CA in a high-security
facility.

Because the VSDC CA key pairs form the root of trust on which the entire VSDC Public
Key Hierarchy relies, the integrity, security, and availability of the VSDC CA are
critical.

An important function of the VSDC CA, in addition to maintaining integrity, security, and
availability, is to ensure that only requests received from authorized regional contacts
are serviced. Visa uses secure (signed and encrypted) e-mail and a number of additional
operational measures to accomplish this.

3.1.2 Visa Regions


Each Visa region receives certificate requests from its issuers.

It is extremely important that:


• regions ensure that every request comes from either a third party authorized by the
issuer or an authorized party at a genuine issuer
• communication between the region and the VSDC CA cannot be compromised by
somebody posing as a legitimate regional submitter of certificate requests.

The region also receives the processed requests (that is, the IPK Certificates) back from
the VSDC CA and, in turn, forwards them to the relevant issuer.

3.1.3 VSDC Issuer


The VSDC issuer must create its certificate requests and forward them to a Visa region.
Issuers will receive the response back, that is, the IPK Certificates, and use both their
Private Key and their IPK Certificate in data preparation as they produce ICCs. The
Issuer Private Key is used to sign Static Application Data which is different for each ICC.
The SSAD must then be stored on the ICC, together with the IPK Certificate, so that a
terminal can read them from the ICC for validation.

Parties Involved

For DDA-capable ICCs, the issuer must also generate an ICC Public Key pair for each
ICC. It must then certify the ICC Public Key with the Issuer Private Key and store both
the resulting ICC Public Key Certificate and the IPK Certificate on the ICC, so that a
terminal can read them from the ICC. The ICC Private Key must also be stored securely
on the ICC.

It is extremely important that issuers practice sound key management and ensure the
security of their Issuer and ICC private keys. Anybody with access to the Issuer Private
Key can manufacture EMV ICCs that work for offline transactions. The sound key
management must extend from the creation of the IPK pair, through the process of
requesting issuer certificates, to use of the Issuer Private Key for signing Static
Application Data and creating ICC Public Key certificates, through the final
decommissioning of the key pair. ICC Private Keys must be encrypted from the time they
are generated until they are stored securely on the card. ICC Private Keys must not be
stored outside the card after card personalization.

For the same reason, it is extremely important that the issuer ensures that unauthorized
individuals, either within or outside the issuer’s organization, cannot abuse the process
for requesting issuer certificates from the region. The Visa region and the issuer must
work together to establish a secure mode of communication for this purpose, and this
link must effectively authenticate the communicating parties.

3.1.4 VSDC Acquirer


The VSDC acquirers must ensure that the correct VSDC CA Public Keys are loaded into
their EMV terminal population.

This means that the acquirer must ensure that:


• There are no unauthorized Public Keys in the terminal.
• All the active Visa Public Keys are in the terminal.

If a terminal contained an unauthorized Public Key, then SDA or DDA transactions would
pass with ICCs that were created using the unauthorized Private Key corresponding to
the unauthorized Public Key in the terminal. The owner of that unauthorized Private Key
could thus generate an issuer certificate that would look valid to the terminal, with any
desired expiration date, and use this certificate, in turn, to create SDA- or DDA-capable
ICCs with any desired SSAD.

It is, therefore, extremely important that the acquirer and the merchant ensure that only
genuine Visa Public Keys are loaded into the terminal and that the keys, when they
expire, are removed from all terminals as quickly as possible.


Of particular concern are Visa or other test keys that might remain in the terminal after
the terminal has been put into production. Test private keys are not usually managed at
the same level of security as are production private keys, and there is considerable risk
that fake cards could be produced using such keys. For this reason, it is very important
that acquirers ensure that no test keys remain in the terminals when they are put into
production.

Considering the second case, if a terminal does not contain one of the active Visa Public
Keys, then no Visa ICC with an issuer certificate generated with the Visa Private Key
corresponding to the missing Visa Public Key would be able to pass SDA, DDA, CDA, or
Offline Enciphered PIN. The terminal would not find the VSDC CA Public Key designated
by the card's Public Key Index when performing the verification tasks outlined in
Sections 2.2.1, 2.2.2, and 2.3.
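The two acquirer conditions above (no unauthorized key, every active key present), together with the test-key and expiry concerns, are mechanical to check once the acquirer holds the authorized key list. The following Python program is an added example, not Visa or acquirer tooling: it audits a key table read back from a terminal against that list, pinning each key by the check sum EMV Book 2 defines for CA keys (SHA-1 over RID, index, modulus and exponent), so that a substituted modulus sitting under a legitimate index is caught as well as a foreign index. Every modulus, index and date below is constructed; only the Visa RID is real.

```python
"""Audit of a terminal's CA Public Key table. Added example; not Visa or acquirer tooling.
Flags what Section 3.1.4 warns about: a key not on the authorized list (e.g. a leftover
test key), an expired key still loaded, an active key missing, and a slot whose modulus
does not match the authorized one. Keys are pinned by the check sum EMV Book 2 defines
for CA keys, SHA-1 over RID || index || modulus || exponent. Every modulus, index and
date below is constructed; only the Visa RID is real."""
import hashlib
from datetime import date

VISA_RID = bytes.fromhex("A000000003")
TODAY = date(2010, 6, 1)                       # audit date (constructed)

def ca_pk_checksum(rid, index, modulus, exponent):
    """Certification Authority Public Key Check Sum as distributed with the key."""
    return hashlib.sha1(rid + bytes([index]) + modulus + exponent).digest()

def toy_modulus(label):
    """Constructed 128-byte stand-in for a CA modulus, derived from a label (not a real key)."""
    return b"".join(hashlib.sha256(label + bytes([i])).digest() for i in range(4))

def authorized_key(index, expires, label):
    return {"expires": expires,
            "checksum": ca_pk_checksum(VISA_RID, index, toy_modulus(label), b"\x03")}

# Authorized list as the acquirer receives it from the payment system (constructed)
AUTHORIZED = {
    (VISA_RID, 0x07): authorized_key(0x07, date(2009, 12, 31), b"visa-07"),   # expired by TODAY
    (VISA_RID, 0x08): authorized_key(0x08, date(2030, 12, 31), b"visa-08"),
    (VISA_RID, 0x09): authorized_key(0x09, date(2030, 12, 31), b"visa-09"),
}

def loaded_key(index, label):
    return {"rid": VISA_RID, "index": index, "modulus": toy_modulus(label), "exponent": b"\x03"}

# Key table read back from a production terminal (constructed)
TERMINAL_KEYS = [
    loaded_key(0x07, b"visa-07"),   # expired key never removed
    loaded_key(0x08, b"visa-08"),   # correct
    loaded_key(0x09, b"test-09"),   # production index, but a test modulus was loaded into it
    loaded_key(0x99, b"test-99"),   # vendor test key left over from integration
]

def audit_terminal_keys(terminal_keys, authorized, today):
    """Return sorted (finding, rid_hex, index) tuples; an empty list means the table is clean."""
    findings, present = [], set()
    for k in terminal_keys:
        ident = (k["rid"], k["index"])
        auth = authorized.get(ident)
        if auth is None:
            findings.append(("UNAUTHORIZED_KEY", ident))
        elif ca_pk_checksum(k["rid"], k["index"], k["modulus"], k["exponent"]) != auth["checksum"]:
            findings.append(("CHECKSUM_MISMATCH", ident))     # wrong modulus: also counted as absent
        else:
            present.add(ident)
            if today > auth["expires"]:
                findings.append(("EXPIRED_KEY_LOADED", ident))
    for ident, auth in authorized.items():
        if ident not in present and today <= auth["expires"]:
            findings.append(("ACTIVE_KEY_MISSING", ident))
    return sorted((f, rid.hex().upper(), idx) for f, (rid, idx) in findings)

if __name__ == "__main__":
    for finding in audit_terminal_keys(TERMINAL_KEYS, AUTHORIZED, TODAY):
        print(*finding)
```

Run against the constructed table, the audit reports the missing and mismatched key 09, the expired key 07 still loaded, and the unauthorized test key 99; a table holding only the correct 08 and 09 keys produces no findings. Comparing check sums rather than raw moduli is deliberate: it is the value the payment system publishes alongside each key, so the acquirer can reconcile a terminal against it without handling the modulus itself.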

3.1.5 Third-Party Processor


The issuer or the acquirer may choose to use third-party processors for particular parts
of their operations, such as ICC personalization or terminal management. In such cases,
the responsibility for security still rests with the issuer or acquirer, and it is their
obligation to ensure that the third parties they use adhere to the requirements and best
practices that ensure a sound and secure operation of the VSDC Public Key Hierarchy.

3.2 Process Summary


This section outlines the processes involving the VSDC CA. It covers the regular
processes such as registering issuers, issuing them certificates, and distributing the
VSDC CA Public Keys to acquirers, in addition to incident response and disaster
recovery.

3.2.1 Registration
To ensure that Visa is able to verify that an issuer is legitimate and represented by
authorized individuals, an initial face-to-face meeting between the issuer and Visa is
required. The face-to-face meeting will be arranged between the issuer and a local or
Visa representative.

In this registration meeting, Visa and the issuer exchange information that will later allow
them to communicate in a trusted fashion with individuals whom they know are
authorized. The information includes telephone numbers, names, fax numbers, etc.; the
meeting can also be used to facilitate subsequent electronic submission of certificate
requests. In this case, the issuer and Visa will exchange digital certificates that are later
used for mutual authentication.

Process Summary

3.2.2 Issuer Public Key Certificate Requests


When issuers have generated their Public Key pairs, they submit the Public Keys for
certification by the VSDC CA. They do this by submitting a request to their Visa region.
The Visa region vets the request and makes sure that it comes from an authorized
individual and from a legitimate issuer. Having vetted the request, the Visa region
forwards the request to the VSDC CA for processing.

The VSDC CA has scheduled weekly ceremonies where it generates IPK Certificates by
signing the submitted IPKs with the relevant VSDC CA Private Keys. After processing,
the VSDC CA returns the IPK Certificates to the region where the request originated.

To enhance security, the IPK Certificates are forwarded to different individuals from the
region than those who submitted the request.

The Visa region then forwards the IPK Certificates to the requesting issuer. Visa
recommends that different individuals at the issuer (or third party) handle the outgoing
requests for IPK certificates from those who handle the incoming responses.

3.2.3 Distributing the VSDC CA Public Keys


From time to time, Visa, in coordination with other EMVCo payment systems, will
introduce new CA public key pairs into the Public Key Hierarchy. This may be in
response to specific advances in cryptographic research.

In the same way, older VSDC CA public keys are revoked; that is, Visa stops creating
issuer certificates with them. The revoked CA key is removed from all terminals globally
when all the issuer certificates created with that CA key have expired.

To introduce a new CA key into the global population of VSDC terminals is a large
undertaking, with implications for the entire population of terminals and for issuer and
acquirer back-office systems. It is an event that must be coordinated carefully. Under
normal circumstances, Visa will notify acquirers several years ahead of the deadline for
introducing a new key or removing an old one and will work with the Visa regions and their
acquirers to accomplish and audit the introduction or removal of CA keys.

As mentioned in Section 3.1.4, VSDC Acquirer, the integrity of the VSDC CA keys in
terminals is very important, and Visa audits the proper removal and introduction of CA
keys by extensive spot checks to ensure that the terminal population contains the correct
keys. Further, transaction related data is constantly monitored to detect any issues or
anomalies with individual terminals or card segments.


3.2.4 Incident Response and Disaster Recovery


Visa, together with the other participants in the VSDC Public Key Hierarchy, makes
every effort to ensure that the VSDC CA operates smoothly and securely. One aspect of
this is to take adequate account of any incidents, adverse events, threats, and disasters
that might occur and affect the system.

This means that each region, as well as the VSDC CA, must implement incident
response plans and disaster recovery plans. The VSDC CA disaster recovery plan
involves a second site, which can take over operations within 2 to 3 days, in case the
current CA facilities and personnel are rendered unavailable.


Appendix A Reference Materials


The VSDC CA documents incorporate information drawn from a number of other
sources. The following table lists the available reference materials. Your Visa
representative can provide you with information about how to obtain copies.

Table A-1 VSDC CA Reference Materials


VSDC CA
Title and Description
Document
CertChecker User’s Guide VSDC CA
Provides step-by-step instructions for the installation and operation of CertChecker Regional
version 2.4. CertChecker is used to validate issuer input files and issuer certificate Procedures for
files. Member
Production
Certificates
EMV Integrated Circuit Card Specifications for Payment Systems Version 4.1 VSDC CA
Provides specifications developed by EMVCo for chip-based payment processing. Regional
Individual volumes include: Procedures for
Member
Book 1, Application Independent ICC to Terminal Interface Requirements Production
Book 2, Security and Key Management Certificates
Book 3, Application Specification VSDC CA
Book 4, Cardholder, Attendant, and Acquirer Interface Requirements Service
Description
These documents are available on the EMVCo website at www.emvco.com. Because
the EMV specifications are updated periodically, please ensure that you have the most VSDC CA
recent version by checking with your Visa representative or the EMVCo website. User’s Guide
EMV Issuer and Application Security Guidelines VSDC CA
Provides guidance to issuers on maintaining the security of account information, Regional
cryptographic keys, and other proprietary data. Procedures for
Member
Production
Certificates
VSDC CA
User’s Guide
Secure E-mail With External Parties, Inovant Series, version 1.0, June 1, 2001 VSDC CA
This document is designed to be a reference to assist in setting up secure e-mail Regional
(S/MIME) between external parties. S/MIME allows two parties to communicate over Procedures for
an insecure network in a secure manner. Member
Production
Available at: Certificates
insite/global/iso/resources/references/docs/secure%20email%20with%20external%20p
arties.doc VSDC CA
User’s Guide

June 2008 Visa Internal Use Only A-1


Visa Smart Debit/Credit Certification Authority Service Description

VSDC CA
Title and Description
Document
Visa Integrated Circuit Card Specifications (VIS) VSDC CA
The companion specification to the EMV specification that provides additional details Regional
about the chip card-to-device interfaces for Visa debit and credit programs. Individual Procedures for
volumes include: Member
Production
• Application Overview Certificates
• Card Specification VSDC CA
Members should contact their Visa representatives to obtain a copy of VIS. Vendors User’s Guide
need to contact partnernetwork@visa.com to obtain a license for access to VIS.
VSDC Certification Authority Procedures for Test Certificates
Describes the procedures to obtain a VSDC CA Test Certificate, including
requirements, guidelines, and sample Work Order forms.

VSDC Certification Authority Regional Procedures for Member Production Certificates
Provides a description, from a regional perspective, of the interface between the
Member and the VSDC CA; details the process for requesting IPK Certificates. Please
contact your Visa representative for the current version.
VSDC CA Document: VSDC CA Procedures for Test Certificates

VSDC Certification Authority Technical Requirements
Describes the interface formats and media requirements for data exchanged between
a VSDC Member and the VSDC CA relating to first-time issuer registration, certification
request and response, and distribution and migration of the VSDC CA Public Keys.
Please contact your Visa representative for the current version.
VSDC CA Documents: VSDC CA Procedures for Test Certificates; VSDC CA Regional
Procedures for Member Production Certificates; VSDC CA User's Guide

VSDC Certification Authority User's Guide
Provides information on the procedures and formats used to request and exchange
Public Keys with the VSDC CA. Please contact your Visa representative for the current
version.
VSDC CA Documents: VSDC CA Procedures for Test Certificates; VSDC CA Regional
Procedures for Member Production Certificates

VSDC Member Implementation Guide for Acquirers
Designed to serve as the main handbook for acquirers for the implementation,
certification, and activation of a VSDC program. Please contact your Visa
representative for the current version.
VSDC CA Document: VSDC CA User's Guide

VSDC Member Implementation Guide for Issuers
Designed to serve as the main handbook for the implementation, certification, and
activation of a VSDC program, giving high-level information from other documents and
referrals to more detailed documents, as appropriate. Please note that separate VSDC
Member Implementation Guides are available for issuers that use VIS, CPA, and
contactless. Please contact your Visa representative for the current version.
VSDC CA Documents: VSDC CA Regional Procedures for Member Production Certificates;
VSDC CA User's Guide

Appendix B Terminology and Definitions


This appendix contains a list of chip-related acronyms, terms, and definitions that are
commonly used by the VSDC CA.

Table B-1 Terminology and Definitions


Term Definition
Acquirer A Visa Member that signs a Merchant or disburses currency
to a Cardholder in a Cash Disbursement and, directly or
indirectly, enters the resulting Transaction Receipt into
Interchange.
CA See Certification Authority.
Card Authentication A means of validating whether a card used in a transaction
is the genuine card issued by the issuer.
Certification Authority In general, an entity responsible for establishing and
vouching for the authenticity of Public Keys through
issuance and management of Public Key certificates.
Combined DDA/AC generation A particular way of performing Dynamic Data Authentication,
(CDA) which involves including the Application Cryptogram (AC) in
the dynamic signature generated by the ICC. See the VIS
Card Specification, Section 6.4.4.2.
Cryptographic key The numeric value entered into a cryptographic algorithm
that allows the algorithm to encrypt, decrypt, sign, or
validate the signature of a message.
Cryptography The study of mathematical techniques for providing aspects
of information security, such as confidentiality, data integrity,
authentication, and nonrepudiation.
Data authentication Validation that data stored in the ICC has not been altered
since card issuance. See also Offline Data Authentication.
Decryption The reversal of the corresponding encryption, a reversible
transformation of a cryptogram by a cryptographic algorithm
to retrieve the original plain text data.
Digest See Hash.
Digital Signature A transformation of data intended to prove to the data
recipient or also to third parties one or both of the following:
• Ownership of a particular secret (typically the private
component of a Public Key pair) by the originator of the
data
• The integrity of the data that was signed
Dynamic Data Authentication This method ensures that issuer-selected card data
(DDA) elements and transaction-specific dynamic data elements
have not been fraudulently altered and that they come from
a valid card.

e In this document set, used to denote the length, in bytes, of
the IPK Exponent. There are two valid values for the IPK
Exponent, viz. 3 and 65537, corresponding to the values 1
and 3 for e, respectively.
EMVCo EMVCo, LLC, was formed to manage, maintain, and
enhance the EMV Integrated Circuit Card Specifications for
Payment Systems.
EMV Integrated Circuit Card Technical specifications developed jointly by Visa,
Specifications for Payment MasterCard, and JCB to create standards and ensure global
Systems interoperability for use of chip technology in the payment
industry.
Entrust Desktop application currently employed by Visa to secure
internal e-mail. Information available on Visa Intranet:
insite/dept/Infosec/ISedu/Entrust-reference.htm
Hash or hash digest The result of applying a hash algorithm to a piece of input
data.
Hash Algorithm An algorithm that maps input data of any length to a fixed-length
output (the 'digest'). A cryptographic hash algorithm has two properties: it is
infeasible to find two different inputs that have the same digest (collision
resistance), and, given a particular digest, it is infeasible to find an input
that hashes to it (preimage resistance). SHA-1 is an example of a hash
algorithm, and is the one currently used in VSDC. Note that published
cryptanalysis has reduced SHA-1's collision resistance well below the 2^80 work
its 160-bit digest nominally provides.
Hardware Security Module A tamper-resistant hardware device that connects as a
(HSM) peripheral to a host computer and provides the host with a secure
environment in which to store keys and perform its cryptographic processing,
so that Private Keys never leave the module in clear text.
IPK Issuer Public Key
Issuer A Visa Member that issues cards and whose name appears
on the card as the issuer (or, for cards that do not identify
the issuer, the Member that enters into the contractual
relationship with the cardholder).
NCA In this document set, used to denote the length, in bytes, of
the VSDC CA Public Key Modulus.
NI In this document set, used to denote the length, in bytes, of
the issuer Public Key Modulus.
Offline Data Authentication A process whereby the card is validated at the point of
transaction, using RSA Public Key technology to protect
against counterfeit or skimming. VIS includes two forms:
Static Data Authentication (SDA) and Dynamic Data
Authentication (DDA).
Offline Enciphered PIN A cardholder verification method defined in EMV in
which the cardholder PIN is entered at a point of sale (POS) device,
enciphered there under the ICC Public Key, and sent to the ICC, which
deciphers it with the ICC Private Key and validates it.

Private Key The private (secret) component of an asymmetric key pair. The
Private Key is kept secret by its owner. It may be used to digitally sign
messages for authentication purposes, or to decipher data that was enciphered
under the corresponding Public Key (as the ICC does for an Offline Enciphered
PIN).
Public Key The public component of an asymmetric key pair. The Public Key is
usually publicly exposed and available to users, and is often accompanied by a
certificate that proves its origin. It may be used to verify a message's digital
signature and so authenticate the message sender, or to encipher data for the
owner of the Private Key. In RSA, the Public Key consists of the Public Key
Exponent and the Public Key Modulus.
Public Key algorithm A cryptographic algorithm that allows the secure exchange
of information and message authentication but that does not
require a shared secret key, through the use of two related
keys—a Public Key which may be distributed in the clear
and a Private Key which is kept secret.
Public Key Certificate A Public Key, together with identifying data, signed by
a Certification Authority with its Private Key; the recipient recovers the
Public Key from it using the CA Public Key, which proves the origin and
integrity of the Public Key.
Public Key Index A number assigned to each VSDC CA Public Key. The Public Key
Index (PKI), in conjunction with the RID (Registered Application Provider
Identifier), identifies the CA Public Key that the terminal must use to recover
the card's IPK Certificate.
Public Key pair The two mathematically related keys, a Public Key and a
Private Key, which, when used with the appropriate Public
Key algorithm, can allow the secure exchange of information
and message authentication, without the secure exchange
of a secret.
RA See Registration Authority.
Registration Authority In general, an entity responsible for verifying the authenticity
and authorization of parties requesting Public Key
certificates and for interacting with the CA in servicing those
requests.
RSA A Public Key cryptosystem developed by Rivest, Shamir,
and Adleman, widely known as RSA. It is used for data
encryption and authentication.
Service Identifier Identifies a Visa service. The Proprietary Application
Identifier Extension (PIX) is left justified and padded on the
right with four hex zeros.
Current valid International Service Identifiers are:
hex 1010 0000 for Debit/Credit
hex 2010 0000 for Electron
hex 2020 0000 for V PAY
hex 3010 0000 for Interlink
hex 8010 0000 for Plus
For valid Regional/National Service Identifiers, please check
with your Visa representative for the current list.

SHA-1 A particular hash algorithm that is used in Visa Smart
Debit/Credit.
Signature See digital signature.
Signed Static Application Data A digital signature generated with the Issuer
(SSAD) Private Key over selected static card data and placed on the card at
personalization. The terminal verifies it with the Issuer Public Key recovered
from the IPK Certificate to ensure that the card data has not been modified
since issuance.
Skimming The process of copying sufficient data from a debit, credit,
or ATM card to manufacture a working copy of the card.
Static Data Authentication A type of Offline Data Authentication where the acceptance
(SDA) device validates a cryptographic value placed on the card
during personalization. This validation protects against
some types of counterfeit but does not protect against
skimming.
Symmetric Algorithm An algorithm in which the key used for encryption is identical
to the key used for decryption. TDEA (Triple DES) is a widely used symmetric
encryption algorithm.
Triple Data Encryption TDEA (sometimes referred to as Triple DES) as defined in
Algorithm (TDEA) ISO/IEC 18033 Information technology—Security
techniques—Encryption algorithms—Part 3: Block ciphers.
Visa Smart Debit/Credit (VSDC) The Visa service offerings for chip-based debit and credit
programs. These services, based on EMV and VIS
specifications, are supported by VisaNet processing, as well
as by Visa rules and regulations.
VSDC Certification Authority The Visa Certification Authority that signs Issuer
Public Key (IPK) Certificates for VSDC issuers, certifying them as participants
in VSDC.
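The entries above (VSDC Certification Authority, Public Key Certificate, Public Key Index, SSAD, Static Data Authentication) describe a two-level chain that a terminal verifies offline. The following Python is an added example, not part of this document or of any Visa software: a toy model of that chain in which a CA key certifies an Issuer Public Key, the issuer key signs static card data, and the terminal selects the CA key by (RID, Public Key Index) and rejects tampered data, an unknown PKI, and a certificate issued by a rogue CA. It uses textbook RSA over a SHA-1 digest with 256-bit keys from a fixed seed; the RID value A000000003, the 4-byte issuer identifier, the certificate layout and the static data are assumptions for illustration, and the real EMV formats (ISO/IEC 9796-2 signatures with message recovery, longer keys) are not reproduced.

```python
"""Toy model of the VSDC key hierarchy: the VSDC CA Private Key certifies an
Issuer Public Key (IPK), the Issuer Private Key signs static card data (an
SSAD-like value) and a terminal holding the CA Public Key under (RID, PKI)
verifies the chain offline. Textbook RSA over SHA-1 with 256-bit toy keys,
standard library only. Added example, not Visa code; RID, issuer id and
record layouts are assumptions; real EMV uses ISO/IEC 9796-2 and longer keys."""
import hashlib
import random

rng = random.Random(2008)  # fixed seed: reproducible toy keys, never for real use
VISA_RID = bytes.fromhex("A000000003")  # assumed Visa RID; not stated on this page
ISSUER_ID_LEN = 4  # assumed length of the issuer identifier in the certificate

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits: int, e: int):
    """RSA key pair ((n, e), d); e restricted to the two IPK exponents, 3 and 65537."""
    if e not in (3, 65537):
        raise ValueError("IPK exponent must be 3 or 65537")
    def prime():
        while True:
            p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if (p - 1) % e and is_probable_prime(p):  # keeps gcd(e, p - 1) == 1
                return p
    p, q = prime(), prime()
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def rsa_sign(d: int, n: int, data: bytes) -> int:
    return pow(sha1_int(data), d, n)  # unpadded digest: toy only

def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == sha1_int(data)

def serialize_pub(pub) -> bytes:
    """NI || modulus (NI bytes) || e || exponent (e bytes), in the glossary's notation."""
    n, e = pub
    ni, elen = (n.bit_length() + 7) // 8, (e.bit_length() + 7) // 8  # elen is 1 or 3
    return ni.to_bytes(2, "big") + n.to_bytes(ni, "big") + bytes([elen]) + e.to_bytes(elen, "big")

def parse_pub(blob: bytes):
    ni = int.from_bytes(blob[:2], "big")
    elen = blob[2 + ni]
    return int.from_bytes(blob[2:2 + ni], "big"), int.from_bytes(blob[3 + ni:3 + ni + elen], "big")

def make_card(ca_pub, ca_d, ipk, issuer_d, issuer_id: bytes, static_data: bytes) -> dict:
    """Personalisation: the CA signs the IPK Certificate, the issuer signs the SSAD."""
    cert_body = issuer_id + serialize_pub(ipk)
    return {"cert_body": cert_body, "cert_sig": rsa_sign(ca_d, ca_pub[0], cert_body),
            "static_data": static_data, "ssad": rsa_sign(issuer_d, ipk[0], static_data)}

def terminal_sda(ca_table: dict, rid: bytes, pki: int, card: dict) -> bool:
    """Offline SDA: select the CA key by (RID, PKI), recover the IPK, check the SSAD."""
    ca_pub = ca_table.get((rid, pki))
    if ca_pub is None:  # no trust anchor for this (RID, PKI): cannot authenticate
        return False
    if not rsa_verify(ca_pub, card["cert_body"], card["cert_sig"]):
        return False  # IPK Certificate was not issued under this CA key
    ipk = parse_pub(card["cert_body"][ISSUER_ID_LEN:])
    return rsa_verify(ipk, card["static_data"], card["ssad"])

def run_demo():
    """(genuine accepted, tampered rejected, unknown PKI rejected, rogue CA rejected)."""
    ca_pub, ca_d = gen_keypair(256, 3)
    ipk, issuer_d = gen_keypair(256, 65537)
    ca_table = {(VISA_RID, 0x01): ca_pub}  # the terminal's CA Public Key store
    data = b"constructed static record: PAN 4111111111111111 expiry 1012"
    card = make_card(ca_pub, ca_d, ipk, issuer_d, b"\x41\x11\x11\x11", data)
    tampered = dict(card, static_data=data.replace(b"1012", b"2012"))
    rogue_pub, rogue_d = gen_keypair(256, 3)  # counterfeiter re-signs the IPK with own key
    rogue = make_card(rogue_pub, rogue_d, ipk, issuer_d, b"\x41\x11\x11\x11", data)
    return (terminal_sda(ca_table, VISA_RID, 0x01, card),
            not terminal_sda(ca_table, VISA_RID, 0x01, tampered),
            not terminal_sda(ca_table, VISA_RID, 0x01, rogue) and True,
            not terminal_sda(ca_table, VISA_RID, 0x02, card))
```

`run_demo()` returns four booleans that should all be true. The three rejections illustrate why the glossary stresses the pairing of RID and PKI: a terminal that cannot find the CA key must treat the card as unauthenticated rather than skipping the check, and a certificate that verifies under some other key (the rogue case) is worthless, which is exactly the counterfeit the chain is meant to stop.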

Table B-2 Notation

cn Compressed numeric: each byte holds two decimal digits; the digit string is
left justified and padded on the right with hexadecimal F nibbles (so a
15-digit value in 8 bytes ends with the nibble F).
b Binary representation.
n Numeric: each byte holds two decimal digits; the value is right justified
and padded on the left with hexadecimal 0 nibbles.
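As an added example that is not part of this document, the following Python encodes and decodes fields in the cn and n formats of Table B-2 and refuses malformed padding. The difference between trailing F nibbles (cn) and leading 0 nibbles (n) is a frequent source of parsing bugs when a field is read under the wrong format, so the decoders check every nibble rather than trusting the field length. The PAN, amount and date values are constructed test data; the field lengths are assumptions chosen to match common EMV tags.

```python
"""Encoders and decoders for the cn (compressed numeric) and n (numeric)
formats of Table B-2. Added example; sample PAN, amount and date values are
constructed, and the byte lengths used are assumptions."""


def encode_cn(digits: str, length: int) -> bytes:
    """cn: two digits per byte, left justified, padded on the right with F nibbles
    (the format of a PAN). Raises if the digits are not decimal or do not fit."""
    if not digits or not digits.isdecimal():
        raise ValueError("cn field needs one or more decimal digits")
    if len(digits) > 2 * length:
        raise ValueError(f"{len(digits)} digits do not fit in {length} bytes")
    return bytes.fromhex(digits.ljust(2 * length, "F"))


def decode_cn(raw: bytes) -> str:
    """Strip the trailing F padding; any other non-digit nibble, or an F that is
    followed by digits, means the field is malformed and must not be accepted."""
    body = raw.hex().upper().rstrip("F")
    if not body or not body.isdecimal():
        raise ValueError(f"malformed cn field: {raw.hex().upper()}")
    return body


def encode_n(value: int, length: int) -> bytes:
    """n: two digits per byte, right justified, padded on the left with 0 nibbles
    (the format of an amount in 6 bytes or a YYMMDD date in 3 bytes)."""
    if value < 0 or len(str(value)) > 2 * length:
        raise ValueError(f"{value} does not fit in {length} bytes as n")
    return bytes.fromhex(str(value).zfill(2 * length))


def decode_n(raw: bytes) -> int:
    """Every nibble of an n field must be a decimal digit; an F (or any hex
    letter) means the caller mislabelled a cn or b field as n."""
    hexstr = raw.hex()
    if not hexstr.isdecimal():
        raise ValueError(f"malformed n field: {hexstr.upper()}")
    return int(hexstr)


def is_rejected(decoder, raw: bytes) -> bool:
    """True when the decoder refuses the field (used for the malformed cases)."""
    try:
        decoder(raw)
    except ValueError:
        return True
    return False


def round_trip_demo() -> dict:
    """Constructed values: a 16-digit PAN as cn in 10 bytes, amount 12345
    (123.45) as n in 6 bytes, and a 15-digit PAN that needs an odd F nibble."""
    pan_bytes = encode_cn("4111111111111111", 10)      # 41 11 11 11 11 11 11 11 FF FF
    amt_bytes = encode_n(12345, 6)                     # 00 00 00 01 23 45
    odd_bytes = encode_cn("123456789012345", 8)        # 12 34 56 78 90 12 34 5F
    return {
        "pan_hex": pan_bytes.hex().upper(),
        "pan_back": decode_cn(pan_bytes),
        "amt_hex": amt_bytes.hex().upper(),
        "amt_back": decode_n(amt_bytes),
        "odd_hex": odd_bytes.hex().upper(),
        "odd_back": decode_cn(odd_bytes),
    }
```

`decode_cn` deliberately rejects `41F1` (an F in the middle of the digits) and `decode_n` rejects a cn-padded value such as `4111FFFF`; a parser that silently accepted either would read the wrong PAN or amount from a record, which matters when that record is later fed into a signature check or a transaction.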
