EMV CVM DatabaseUsing Cardpeek to determine a card's CVM list |
Do you have a EMV credit card and what to determine what the card's CVM list looks like? This tutorial will show you how to do so.
In order to read the CVM least, you need some form of hardware that can read a smart card. If you have a reader that works with US Government PIV, US Military CAC, or some other sort of card reader, it will work with you EMV credit card too. Some laptops and keyboards, typically those marketed towards businesses that use smart cards, have built-in card readers. Otherwise, you can buy a USB smart card reader, there are several available for less than $20 on Amazon. I use an SCM SCR331 reader.
You'll also need software that can read the data on the card. Fortunately, there is a free application called Cardpeek that works well for this. Cardpeek works on Windows, Mac OS X, Linux, and FreeBSD. This tutorial will guide you through using Cardpeek to discover you card's CVM list, so if you haven't yet, download and install Cardpeek.
Once you've connected your card reader, launch Cardpeek. You will be prompted to select your card reader; should you happen to have more than one connected, select the one you wish to use. The click OK.
After you do this, the main Cardpeek window will appear:
Once the Cardpeek window appears, insert your EMV credit card into your card reader, chip first, and leave it there, the same as if you were using your card at an EMV-enabled payment terminal. On my card reader, the light blinks for a few moments and then stops, this may vary depending on your reader and computer. On Windows, your computer will also attempt to install device driver software and ultimately fail, this is fine.
After you insert your card, click the "Analyzer" button in Cardpeek's toolbar, and select "EMV" from the menu that appears:
The application and card will work for a few moments, then you will be prompted with a dialog box asking if you want to issue a Get Processing Options command. Click Yes.
The application and card will work for several more seconds, and when it is done the Cardpeek window will be filled with the information it read off your card and the status bar at the bottom of the window will read "Disconnected reader".
Scroll through the window until you find the Cardholder Verification Method (CVM) List. It may help to enlarge or maximize the Cardpeek window.
Explaining CVM processing is beyond the scope of this tutorial, but I'll provide a basic summary. When you insert the card into a payment terminal, the terminal will read this list, in order, until it finds a cardholder verification method that it supports and is appropriate for the transaction. Also know that the "If" statement shown at the end is processed first.
So we start with CVM 1. It states "If unattended cash". This generally refers to withdrawing cash from an ATM (from your bank account if its a debit card, or a cash advance if its a credit card). The CVM is "Enciphered PIN verified online." So if we're at an ATM, the terminal is instructed to verify your PIN over the network with the bank, and if this fails, then fail cardholder verification. This is exactly the same as using a magnetic stripe card at an ATM.
But if we're not an ATM, then CVM 1 doesn't apply. So we go on to CVM 2. This states "If the terminal supports the CVM". Well, that's not totally helpful, we need to know if this CVM is supported by the terminal. The CVM is "Signature (paper)", meaning the cardholder should be asked to sign a receipt or digital pad. Most payment terminals where a cashier is present support this (even in countries where most people have Chip and PIN cards), so this is the CVM that will be used. This is just like would happen with a magnetic stripe card had you swiped it at a payment terminal, or if you had swiped the EMV card at a location that didn't support EMV. So the example above shows a Chip and Signature card.
So most of the time the user of the card shown will be asked to sign a receipt, but there are two more CVMs shown, so let's talk about those. CVM 3 is No CVM. In this case, the transaction is allowed to proceed without performing any sort of cardholder verification. This isn't quite as odd as it sounds, many low value transactions in the US at unattended kiosks are effectively No CVM. Think about using a magnetic stripe card at a parking meter, subway ticket machine, or gas station where you insert and remove the card to make a payment.
CVM 4 is "Enciphered PIN verification performed by ICC". Similar to CVM 1, this refers to verifying a PIN. Only this one is verified "by ICC" rather than online. ICC is another way of referring to the chip on the card. So this is saying that the card itself should verify the PIN. This is referred to as "offline PIN", compared to "online PIN" where the PIN is verified over the network by the issuing bank. Credit cards can support one or the other or both for purchases, this card supports offline PIN, which is common in countries that historically had high telecom costs, and thus wanted to be able to perform cardholder verification without going online.
So what we have here is what some call "Chip and Signature with PIN capability". The majority of the time, the cardholder will be prompted to sign a receipt, but in a few cases, will be prompted to enter a PIN. In some countries that have had EMV for a while, it is common for unattended payment terminals like train ticket kiosks to require PIN, and at those kiosks, this card will work. Some US banks have been issuing credit cards that don't have any sort of PIN support (other than for cash advances), and the credit card industry has been advocating for the support of No CVM to be mandated at unattended kiosks, so in the future, a Chip and Signature only card may work at those locations as well.
So now that you know what the CVM list on your card is, you should know what to expect when you use your card. If your card doesn't appear on this site, or this site shows a CVM list that's different from the card, let us know and we can add it. You can use this contact form to send us the details. At minimum, please send the CVM list and the card name; a link to the card on the issuer's web site would be quite helpful as well to allow us to easily add the additional details.
Hosted by SpottersWiki.