How to read bank card with Android NFC
Have you ever wondered how some ππ§ππ«π¨π’π apps can π«πππ πππ§π€ πππ«ππ¬ π°π’ππ‘ ππ π? Or how does πππ© ππ¨ πππ² work? In this article, I give an overview of the software process that occurs between a contactless bank card and a reader.
This article describes the process of reading bank card information at the application level. Information that can be read this way include:
- full pan number
- expiration date
- information about card payment system and brand
- data required for payment processing
Applications that may need this feature include:
- Payment applications
- Applications with fill in payment form that can be autofilled with NFC
- Applications that receive hashed card number (PAN) as user identifier
A bank card usually have three types of interfaces:
- Magnetic stripe - black stripe on the back of a bank card
- ICC Contact or Integrated Circuit Card, Contact - little silver or gold microchip embedded on the front of a bank card.
- ICC Contactless or Integrated Circuit card, Contactless - closed conducting loop inside bank card. It can be seen by shining a strong flashlight through the card.
This article describes interaction with last interface in the listβICC Contactless (ISO 14443). ICC Contactless may be absent on bank card. ICC Contactless cards usually have a contactless symbol printed on the card.
Exchange with this interface can be performed with regular Android smartphone NFC.
In order to read bank card processing data, application must go through the following steps:
- Request for Answer To Select
- Build the Candidate List (Card Applications List)
- Manual or automatic application select
- Get Processing Options with or without PDOL
- Read records if needed
All this steps and their meaning is described below.
1. Request for Answer To Select
First step is called RATS β Request for Answer To Select. It means that exchange with contactless bank card is always initiated by device, e.g. Smartphone with NFC.
APDU β Application Protocol Data Unit, is an exchange format between card and device.
Exchange with bank card is performed by sending from device to bank card APDU-C (APDU-Command) and receiving from bank card APDU-R (APDU-Response).
APDU exchange and RATS command in Android can be implemented by using android.nfc.tech.IsoDep.
APDU-C consists of Header and Body.
Header include:
- CLA β command class.
- Ins β instruction byte.
- P1 β first parameter of the command. 0 if absent.
- P2 β second parameter of the command. 0 if absent.
Body include: Lc Send β data length. Data β command data. Le Receiver β expected response length of APDU-R.
APDU-C example for Select.
Mastercard: 00_A4_04_00_07_A0000000041010_00
- CLA: 00
- Ins: A4
- P1: 04
- P1: 00
- Lc Send: 07
- Data: A0000000041010 (Mastercard AID)
- Le Receiver: 00
APDU-R include Body and Trailer.
Body include response data. It is empty if the exchange failed with exception.
Trailer include response status bytes (words) about exchange result:
- SW1 (Status Word-1)
- SW2 (Status Word-2)
APDU-R example: _6A_82
- Body: empty because of Error: File not found, Mastercard card application was not found on card
- SW1: 6A
- SW2: 82
Complete list of Status Word available here.
APDU data is encoded in TLV format - Tag, Length, Value.
Example: 84_07_A0000000041010
- Tag: 84
- Length: 07
- Value: A0000000041010
TLV data can be decoded with this service.
2. Build the Candidate List (Card Applications List)
Candidate List is a list of card applications, like Visa, MasterCard, Maestro. On this step, device should determine card application to interact with and parameters required for further exchange.
There are two methods of building the Candidate List: PSE and PSA.
PSE β Payment System Environment, is a directory on the card with a universal name Β«2PAY.SYS.DDF01Β» in case of contactless card. Building the Candidate List with PSE is called Β«Implicit Application SelectionΒ». Device sends to card APDU command - SELECT Β«2PAY.SYS.DDF01Β»
Example: 00_A4_04_00_0E_325041592E5359532E4444463031_00
- Cla: 00
- Ins: A4
- P1: 04
- P2: 00
- Lc: 0E
- Data: 325041592E5359532E4444463031 (byte representation of string Β«2PAY.SYS.DDF01Β»)
- Le: 00
If the directory is present on the card, the card will return SW1/SW2 = 9000 (OK), and also return parameters for further exchange with card application (more on this later).
If there is no directory on the map, APDU-R SW1/SW2 will have = 6A82 (File not found). Note that Β«2PAY.SYS.DDF01Β» is always present on the contactless chip, so the selection of applications via the contactless interface is always done via PSE.
PSA β Payment System Application, also known as AID (Application Identifier), the specific application identifier of a card.
The list of AIDβs is stored in the device memory. The selection of an application through the List of AIDβs consists of sending a request (SELECT command) from a device to a card indicating a specific AID in the Β«DataΒ» field.
Example: 00_04_00_07_A0000000041010_00
- Cla: 00
- P1: 04
- P2: 00
- Lc: 07
- Data: A0000000041010 (Mastercard AID)
- Le: 00
If the AID requested by the device is missing, the card will return APDU-R, where SW1/SW2 will be = 6A82 (File not found), after that reader device (Smartphone, POS or ATM) should send the next AID in the list, etc. until the negotiation is completed, or the AID list is exhausted. Accordingly, if the device configuration does not contain the AID of this particular card, the exchange should be terminated.
3. Manual or automatic application select
Some bank cards can have multiple card applications, e.g., different payment brands or different products of the same brand. In this case, two options are available: Cardholder Selection and Application Priority Indicator.
Cardholder Selection β is a process of manual selection of a card application by user. Device displays list of available applicationβs names from tag 50 (Application Label) and user selects application for further exchange.
Application Priority Indicator β application tag 87 in APDU-R. The lower the indicator value, the higher the application priority. Suppose that the card sent back the following scheme in the APDU-R:
- Tag 84: Dedicated File (DF) Name: A00000000410101
- Tag 87: Application Priority Indicator: 02
- Tag 84: Dedicated File (DF) Name: A00000000410102
- Tag 87: Application Priority Indicator: 01
In this case, the application A00000000410102 should be preferred because its tag 87 value (01) is the lowest.
4. Get Processing Options with or without PDOL
By this step, device must determine Payment Application AID by PSE or PSA. Next, device must send SELECT APPLICATION with AID that was picked.
SELECT APPLICATION Response contains basic information about Payment Application, like: Application Label (Tag 50), Language Preference (Tag 5F2D), Device Type.
Different Payment Applications have different SELECT APPLICATION Response. One of the key differences is a content of Tag 9F38 (PDOL). PDOL (Processing Parameter Data Object List) is a set of values that must be provided by device for further processing (GET PROCESSING OPTION command).
PDOL might be absent in SELECT APPLICATION Response. For example, some Mastercard cards donβt have it, while Visa almost always have PDOL. The absence of PDOL means that GET PROCESSING OPTION command doesnβt need any PDOL.
Example of PDOL from Visa:
1
9F1A02
By decoding TLV we can see that this is a Terminal Country Code. It means that device must provide a country code in which it is located. If device meets some unknown tag in PDOL than device can provide zeros as the default parameter.
Further processing is done by GET PROCESSING OPTION command with PDOL (if needed).
Example of GPO with PDOL: 80_A8_00_00_04_83020643
- Cla: 80
- Ins: A8
- P1: 00
- P2: 00
- Lc: 04
- Data with PDOL: 83020643
Example of GPO without PDOL: 80_A8_00_00_02_8300
- Cla: 80
- Ins: A8
- P1: 00
- P2: 00
- Lc: 02
- Data: 83_00 β data Length is zero
GPO response contains Processing options and bank card capabilities. PAN (bank card number) can sometimes be extracted in this step. GPO response may have Tag 77 (Track2 data). Track2 data is a value stored on a magnetic stripe of a card. It includes a PAN. But Tag 77 is not always present in the GPO response. More processing data may be discovered by reading Payment Application Files. To do this, device must extract a value of Tag 94 (Application File Locator) and use it with READ RECORD command.
AFL example: 28_01_04_01
- 28 β Short File Identifier
- 01 β first SFI record number
- 04 β last SFI record number
- 01 β number of records for ODA
5. Read records
Read records example: 00_B2_01_2C_00
- Cla: 00
- Ins: B2
- P1: 01
- P2: 2C
- Lc: 00
This commands reads record 1 of SFI 5. Parameter for this command comes from AFL value from GPO response. For each record, READ RECORD commands transceived separately. For example, if last SFI record number in AFL is 4 then device transceives READ RECORD 4 times to read the whole File. These records have processing data that include Tag 77 (Track2 or Magnetic Stripe value with PAN).
There are also other commands that can be transceived after GPO command like: PIN TRY COUNT and APPLICATION TRANSACTION COUNTER.
Conclusion
This was a brief overview of reading processing data from bank card. Further information can be acquired from EMV Books:
- Book 1: ICC To Terminal Interface
- Book 2: Security and Key Management
- Book 3: Application Specification
- Book 4: Cardholder, Attendant & Acquirer. Interface Requirements.
I used the described process when implementing a bank card reader feature in the android application βNFP: Social Servicesβ for a Financial Services Agency.
Feel free to contact me if you need help implementing a similar feature for your Android application.
My Telegram: @SlavaGrishanin
My LinkedIn: Slava Grishanin
Sources:
https://www.scribd.com/document/19132767/EMV-v4-1-Book-1-ICC-to-Terminal-Interface
https://developer.android.com/reference/android/nfc/tech/IsoDep
https://www.eftlab.com/knowledge-base/complete-list-of-apdu-responses
https://downloads.acs.com.hk/technology/491-08-emv.pdf
https://dokumen.tips/documents/emv-v43-book-3-application-specification-20120607062110791.html