Cardholder Verification in EMV

Kyryll Prytula
7.10.2022

This article has been written to provide a brief introduction to cardholder verification with EMV and the challenges posed by different verification methods. One objective of EMV was to drive down fraud; to do this we need to prove three things:

  1. The bank is who we think it is.
  2. The cardholder is the person to whom the card was issued.
  3. The terminal (or card reading device) is who it should be.

To achieve proving the cardholder identity one of the items of data retrieved from the card is the cardholder verification method (CVM) list. This ordered list contains one or more ways in which we should try to prove the cardholder is who they say they are. Please note that not all cards support cardholder verification as indicated by the Application Interchange Profile (AIP).

The Cardholder Verification Method (CVM) List

The CVM list comes back from the card in response to a read data request for tag 0x8E as follows:

Field NameField DescriptionField LengthEncoding
XAn amount in the application’scurrency used in the cardholder verification rules.4 bytesBinary
YAn amount in the application’scurrency used in the cardholder verification rules.4 bytesBinary
CVRule1

.

.

CVRuleZ

A variable number of cardholder verification rules each 2 bytes long.2*Z bytesBinary

The following logic is then applied to process the list:

Processing a Cardholder Verification Rule

The most important part of the process is actually processing the cardholder verification rules; a cardholder verification rule is formed of two bytes where byte 1 is the CVM code and byte 2 is the conditions under which one may then apply the CVM code in byte 1 (where it is supported):

ByteBits(s)ValueMeaning
1

(CVM

Code)

1-60Fail CVM processing.
1Offline plaintext PIN.
2Online PIN (always enciphered).
3Offline plaintext PIN and paper based Signature.
4Offline enciphered PIN.
5Offline enciphered PIN and paper based Signature.
30Paper based Signature only.
31Approve CVM processing.
*Reserved.
70Fail cardholder verification if verification is unsuccessful.
71Move to next rule if verification is unsuccessful.
83Reserved for future use.
2

(CVM Condition Code)

*0x00Always try to apply this rule.
0x01Only try to apply this rule where this is an unattended cash transaction.
0x02If not unattended cash and not manual cash and not purchase with cashback
0x03Always try to apply this rule where the CVM code is supported.
0x04If this is a manual cash transaction apply this rule.
0x05If this is a purchase with cashback apply this rule.
0x06If transaction is in the application currency and is under X value (see the description of the CVM List for definition of X) then apply this rule.
0x07If transaction is in the application currency and is over X value (see the description of the CVM List for definition of X) then apply this rule.
0x08If transaction is in the application currency and is under Y value (see the description of the CVM List for definition of Y) then apply this rule.
0x09If transaction is in the application currency and is over Y value (see the description of the CVM List for definition of Y) then apply this rule.
*Reserved.

Processing A CVM Code

Once a mutually supported CVM code has been established and is valid under the CVM code’s associated rules the code is applied. Currently one can do a combination of the following things:

  • Fail.
  • Succeed.
  • Online PIN Verification.
  • Offline PIN Verification.
  • Signature Verification.

Offline PIN is perhaps the most complex scenario where to be successful once entered the PIN must also be verified with the chip, only then is cardholder verification deemed successful.

For online PIN as soon as a PIN has been successfully captured to be sent online (with an ARQC in first generation of the application’s cryptogram) then cardholder verification is deemed successful.

For signature this is perhaps easiest; if the terminal is capable of handling signature then it is deemed successful.

Summary

Generally the most complex scenario for a device handling EMV is the requirement for Offline PIN and Signature as for verification to be successful both the requirements for verification of the offline PIN and the signature support must be met.

We hope this article has shed a little light on verifying a cardholder is who they say they are and the processes that are involved; for more information on this process please see EMV 4.3 Book 3 on the EMVCo website http://www.emvco.com/specifications.aspx?id=223 and of course any comments are welcomed!

Share