NCR University Course:

23003 EMV/CAM2 Exits for APTRA

Advance NDC

Subject:

Command and Response and BER-TLV

March 2012
 Command and Response and BER-TLV

The product described in this book is a licensed product of NCR

Corporation.

NCR is a trademark of NCR Corporation.

Adobe and Acrobat Reader are trademarks of Adobe Systems
Incorporated.
Microsoft, Windows and Windows NT are registered trademarks
or trademarks of Microsoft Corporation in the United States
and/or other countries.

All other brand or product names are trademarks or registered

trademarks of their respective companies or organisations.

It is the policy of NCR Corporation (NCR) to improve products as

new technology, components, software, and firmware become
available. NCR, therefore, reserves the right to change
specifications without prior notice.

All features, functions, and operations described herein may not

be marketed by NCR in all parts of the world. In some instances,
photographs are of equipment prototypes. Therefore, before
using this document, consult with your NCR representative or
NCR office for information that is applicable and current.

To maintain the quality of our publications, we need your

comments on the accuracy, clarity, organization, and value of this
book.

Address correspondence to: [email protected]

Copyright © 2009
By NCR Corporation
Duluth, Georgia, U.S.A.
All Rights Reserved

23003 EMV/CAM2 Exits for APTRA Advance NDC

 Command and Response and BER-TLV

Revision Record

Issue Date Remarks

01 July-2009 New Document

02 Sep-2009 2 byte Length added

03 Fe2010 Updated page refs on page 5

04 Mar 2012 Added V Pay to page 3

23003 EMV/CAM2 Exits for APTRA Advance NDC

 Command and Response and BER-TLV

Command and Response

You should have already heard or read the ICC Basics seminar
which talked briefly about the ISO7816-4 structure for commands
and responses as well as a list of commands.

The reason we are covering this again in more detail, and the
reason why it is so important that you understand this level of
detail, is that during any card transaction, if there is an error in
processing, the command that the ATM is sending to the card and
the response from the card is logged to the journal printer and is
your only source of information for determining the error.

For example, the following data was logged as a command being

submitted from the terminal to the card:

00 A4 04 00 07 A0 00 00 00 04 10 10 00

From this we can see that the terminal was issuing a Select
command to the card and that it was the first time this particular
a “select by name” command was sent to the card. The
application that the card was trying to select was a MasterCard
application.

The response to this command might have been:

6A 82

Which tells us that there are no MasterCard applications on this

card. Had it found one, the response might have been:

90 00 6F 17 84 07 A0 00 00 00 04 10 10 A5 0C 50 0A 4D
61 73 74 65 72 43 61 72 64

This tells us that this is the only MasterCard application on this

ICC and that the label to display on screen to the cardholder is
“MasterCard”

So, how did we get from all that Hex, to that explanation?

23003 EMV/CAM2 Exits for APTRA Advance NDC 1

 Command and Response and BER-TLV

As you have already seen, the EMV standards use ISO7816 of

Command Structure which part 4 includes a structure for submitting commands to the
card.

All communication between the The terminal submits commands to the ICC and the ICC
terminal and the ICC is a responds; this is the only communication between the 2 devices.
command from the Terminal
The command structure is:
which results in a response
from the ICC
CLA 1 byte Class of Instruction

INS 1 byte Instruction Code

P1 1 byte 1st parameter for instruction

P2 1 byte 2nd parameter for instruction

Lc 1 byte Length of command data

Data Variable Command data

Le 1 byte Expected response length

Taking our earlier example, the following data was logged as a

command being submitted from the terminal to the card:

00 A4 04 00 07 A0 00 00 00 04 10 10 00

So the first byte, 00 is the Class of Instruction and the next byte
A4 is the Instruction Code.

The first 2 EMV commands, Read Record and Select are

documented in the EMV 4.2 specification document “EMV v4.2
Book 1 ICC to Terminal Interface CR05.pdf”.

On page 146 of this file (Page 130 in the footer) you see the Select
command has CLA 00 INS A4.

Parameter 1, or the “Reference control parameter”, according to

the EMV Specification can only be '04, meaning Select By Name.
There are probably more options in ISO7816 but EMV have
chosen to implement only this one.

23003 EMV/CAM2 Exits for APTRA Advance NDC 2

 Command and Response and BER-TLV

Parameter 2, or “Selection options” is 00 in our example, so this is

the first time this particular Select command has been sent to this
card (See Short Select below).

The next parameter, Lc, is the Length of the Data being given to
the ICC as part of the command. The EMV specification says (in
section 11.3.3) that for the Select command “The data field of the
command message contains the PSE name or the DF name or the
AID to be selected.” (AID is the Application Identifier, also
known as the Application Name)

So the name being selected is 07 bytes long. The next 7 bytes are
“A0 00 00 00 04 10 10” so this is the name that the select
command is trying to select.

AIDs (or application names) are made up of 2 components, the

Registered Application Identifier (RID) represents the payment
scheme and is issued by the ISO/IEC 7816-5 Registration
Authority. We know that “A000000003” has been registered to
Visa and “A000000004” to MasterCard for example.

The second part of the AID is called the PIX, can be from 0 to 11
bytes long and is defined by the card scheme. Both Visa and
MasterCard use “1010” for their Debit/Credit applications.

The details of this second part are available from the card scheme,
some examples are:

Scheme RID Product PIX

Visa A000000003 Credit/Debit 1010

Electron 2010
V Pay 2020
Plus 8010

MasterCard A000000004 Credit/Debit 1010

Cirrus 6000
Maestro 3060

American A000000025 AEIPS 01

Express

JCB A000000065 1010

23003 EMV/CAM2 Exits for APTRA Advance NDC 3

 Command and Response and BER-TLV

Remember the PIX can be up to 11 bytes long so some schemes

say things like “PIX may optionally be expanded to distinguish
between MasterCard credit products (i.e. Standard Card, Gold
Card, Platinum Card, Business Card, Purchasing Card, Fleet
Card)”. See Short Select.

So in our example we are attempting to select “A0 00 00 00 04

10 10” which is a MasterCard Credit/Debit application.

The EMV standard allows for Short Select. The name of a Visa
Short Select Credit/Debit application is A0000000031010. If an issuer wanted
to put 2 Visa applications on the same chip, Visa tell them to call
the applications A000000003101001 and A000000003101002.

The terminal will only ever try to select the standard Visa name,
A0000000031010. An ICC with multiple applications must
support Short Select which means that when it receives the first
select command of A0000000031010 the ICC will respond with
“A000000003101001 found”. The terminal can see that the
returned name is longer than that used in the Select command
and can therefore send a second Select command for the same
name.

The second time the Select command is sent the Parameter 2, or

“Selection options” is set to 02 to indicate that this is not the first
time this select command has been used (in this session with this
card). The multi-application card will now respond with
“A000000003101002 found”.

There might be more Visa applications on the ICC so the terminal

must do a 3rd Select command, but this time will receive a “Not
Found” error so it knows that it has found all the applications of
this particular type.

No matter what the command, the ICC must always respond

Command Response with 2 bytes, called Status Words or SW1 and SW2. With the
select command there are 4 possible responses from the ICC:

• 9000 the Select command was successful

• 6A82 File Not Found

• 6A81 Function not supported (the card is blocked)

• 6283 Selected File Invalid (the Application is blocked)

23003 EMV/CAM2 Exits for APTRA Advance NDC 4

 Command and Response and BER-TLV

All of these responses are documented in the same “EMV v4.2

Book 1 ICC to Terminal Interface CR05.pdf” manual, but not all in
the same section.

Earlier on we gave 2 examples of the response:

6A 82

Page 150 (134 in the footer) tells us that this response means “File
Not Found”, so there are no MasterCard Credit/Debit
applications on this card. Had it found one, the response might
have been:

90 00 6F 17 84 07 A0 00 00 00 04 10 10 A5 0C 50 0A 4D
61 73 74 65 72 43 61 72 64

The first 2 bytes are SW1 and SW2 which page 150 (134 in the
footer) of the same EMV Terminal Interface guide says:
“’9000’ indicates a successful execution of the command”.

The rest is Data returned from the ICC, page 149 (133 in the
footer) of the same EMV guide tells us that a valid response to a
successful selection of an application (ADF – Application
Definition File) begins ‘6F’ and contains 2 mandatory objects, DF
(Directory File) Name and FCI (File Control Information)
Proprietary Template. The FCI Proprietary Template may contain
7 optional data objects, the last one of which can itself contain any
number of card scheme specific data objects.

But to understand the Data returned from a command, you need

to understand the BER-TLV standard.

23003 EMV/CAM2 Exits for APTRA Advance NDC 5

 Command and Response and BER-TLV

BER-TLV

When working with EMV standards, data is often formatted

according to the BER-TLV encoding standard.

For example, if we send a Select command to the card and we get

a good response, one of the optional data objects the card might
return is the “Application Priority Indicator”. On an ICC
containing multiple applications this tells us the order in which
the terminal must offer them to the cardholder.

But this is an optional object in the middle of several optional

objects, so there is no way of knowing, from order or position,
whether this data is included or not.

So every data object is given a reference number, called a Tag.

If you look at Annex A of the “EMV v4.2 Book 3 Application

Specification CR05.pdf” there is a list of Data Elements:

• A1 page 147 – Data elements sorted by name

• A2 page 170 – Data elements sorted by tag

Page 150 shows that “Application Priority Indicator” is tag ‘87’,

length 1 byte, is held on the ICC and is stored in binary form.

So the first item to look for when looking at Data is the Tag,
If the least significant 5 bits of
which can be either 1 byte or 2 byte. Look up the tag you are
the first byte are all 1, then it is
given in the relevant EMV document.
a 2 byte tag (almost always if
the first byte ends in F then it
Following the tag there must be a “length” (normally 1 byte), this
is a 2 byte tag).
is the length of the actual data expressed in Hex. With tag 87 we
know from the EMV manual that we are expecting length 1.

So then the next 1 byte will be the actual data value.

So a valid Application Priority Indicator would be expressed in

hex as:

87 01 01

Going back to the example of the data returned from the earlier
Our Example Select command, we had the following data:

23003 EMV/CAM2 Exits for APTRA Advance NDC 6


If the length of the data is
greater than 127 bytes, a
different format is used.
Command and Response and BER-TLV
6F 17 84 07 A0 00 00 00 04 10 10 A5 0C 50 0A 4D 61 73
74 65 72 43 61 72 64
So working through the data as Tag-Length-Value.
Either from page 149 of the “EMV v4.2 Book 1 ICC to Terminal
Interface CR05.pdf” or from page 170 of the “EMV v4.2 Book 3
Application Specification CR05.pdf” guide we find that tag 6F is
the File Control Information (FCI) Template.
So the data in this template is 17 (hex) bytes long (23 decimal)
which, if you count them, is the rest of the data.
The data in the template is in itself BER-TLV encoded, so 84 is
another tag. Tag 84 is the “Dedicated File (DF) Name” which it
says is 7 bytes long, “A0 00 00 00 04 10 10”.
The DF Name returned is the same as the AID that we submitted
in the Select command so we know that this is the only
MasterCard application on the ICC.
So now A5 is another tag, File Control Information (FCI)
Proprietary Template, length 0C (12 decimal) so that is the rest of
the data.
Being another template, the next byte, 50 is again a tag,
Application Label, length 0A. So if you now convert the next 10
bytes to ASCII, what do you get?
4D 61 73 74 65 72 43 61 72 64
Managing longer data
We have said that the Length is normally 1 byte – but that would
impose a maximum length on any BER-TLV data. To get round
that restriction, BER-TLV only uses the 7 least significant bits of
the Length byte – with the most significant bit of the byte being
set to 0. If the value is more than 127 bytes long, the structure is
changed – the most significant bit is set to a 1 and the remainder
of that byte specifies how many bytes are used to specify the
length. So, if the data was 128 bytes long the ‘L’ portion would be
81 80
23003 EMV/CAM2 Exits for APTRA Advance NDC 7
 Command and Response and BER-TLV

Tutor Marked Assignment 1

Answer the following questions and send your answers by email

to your tutor. You will need to refer to the following
documentation:

• EMV v4.2 Book 1 ICC to Terminal Interface CR05.pdf

• EMV v4.2 Book 3 Application Specification CR05.pdf

1. The following data has been logged:

DATA SENT TO THE CARD >>>

00 A4 04 00 07 A0 00 00 00 03 20 10 00

DATA RECEIVED FROM THE CARD <<<

6A 82

a. What is the command being issued?

b. What is the data with the command?

c. What does the response mean?

2. The following data has been logged:

DATA SENT TO THE CARD >>>

00 B2 01 0C 00

DATA RECEIVED FROM THE CARD <<<

90 00 70 37 5F 25 03 02 12 31 5F 24 03 07 12 31 9F
07 02 FF 00 5A 08 54 13 33 00 89 00 03 28 5F 34 01
00 9F 0D 05 00 00 00 00 00 9F 0E 05 00 00 00 00 00
9F 0F 05 00 00 00 00 00

a. What is the command being issued?

b. What is the data with the command? (See note 1)

c. What does the response mean?

d. What data is returned in the response? Find names for

each item but you do not need to do more than that.

Note 1: SFI stands for Short File Identifier and is the number of
the Data File in use.

23003 EMV/CAM2 Exits for APTRA Advance NDC 8