Overloaded "Online vs Offline" in EMV Card Processing

When EMV card processing is discussed, one confusing usage of terminology is Online vs Offline. They mean different things in different context.

The most obvious usage is to describe through which channel the payment is done.

Offline payments refer to, generally, where the card is present at the time of payment, usually inserted (Chip), swiped (Magnetic stripe), tap (contactless) at the payment terminal. Loosely, offline payments are Card Present (CP) payments. Sometimes they are also called in-store payments, in-person payments, etc., but vending machine is offline payments where no store or person are present.

Online payments refer to Card Not Present (CNP) transactions. E-commerce payments, whether on merchant's web sites, or in merchant's mobile apps, are majority of online payments. However, long before e-commerce existed, phone orders, catalog orders are also online. They are also called keyed transactions, because a physical card is not present to merchant, instead, the card number, expiration date, and security code need to be "keyed" in.

What about Apple Pay, Google Pay or Samsung Pay? When they are used to tap payment terminals, they are offline (CP) transactions; when they are used for in-app purchases, they are online (CNP) transactions.

What is the significance to distinguish offline and online transactions? For consumers, nothing much. For merchants, foremost, the fees are different - because Card Present transactions bear less risks than Card Not Present, the fees are lower. Also for merchants, fraud liability generally is on merchant side for online transactions, except with Three-Domain Security (3DS) authenticated transactions; for offline transactions, generally issuers are liable for fraud, except those who are still only accepting magnetic stripe cards or don't follow guidelines.

EMV uses cryptography to authenticate the card, in other words, the card is not a authentic and not a counterfeit. There are 2 ways a card is authenticated: online and offline.

When an EMV card is provisioned and manufactured, a symmetric key is securely embedded in the chip on the card. This key is used to generate a cryptogram on top of various data elements of the transaction (including a unpredictable random number) using 3DES.

This cryptogram is called Authorization ReQuest Cryptogram (ARQC), and is passed all the way to issuer. Issuer, possessing the same symmetric key specific for the issued card, regenerates the ARQC itself and matches the ARQC generated by the card. This is called Online card authentication, as it requires issuer to authenticate the card and this process must be online.

Similarly, a card can authenticate the issuer and the world (network, terminal). This is done through ARPC, which is a cryptogram generated by issuer when sending the response to terminal. The terminal sends ARPC to the chip, and chip authenticates it.

Card authenticity can be verified offline, too. By definition, symmetric key cryptography won't work for offline authentication, because the dependent parties in this case are card and terminal, not including issuer. Therefore, RSA public key crypto is used.

There are 3 methods used in Offline card authentication: SDA, DDA, CDA.

Certification Authority (in this case, likely the card network, such as Visa, Mastercard) uses its private key to encrypt and sign the issuer's public key, the result is Issuer Public Key Certificate (IPKC, tag 0x90). Issuer also uses its own issuer private key to encrypt and sign a piece of static application data, called Signed Static Application Data (SSAD, tag 0x93). Both IPKC and SSAD are embedded in the chip.

A terminal is deployed with Certification Authority's public keys, this is the responsibility of acquirers. For the terminal to authenticate card using SDA, it uses Certification Authority's public key to decrypt and signature-verify IPKC to get Issuer's public key; it then uses Issuer's public key to decrypt and signature-verify SSAD.

SDA can authenticate that a card is not altered, but it doesn't validate if a card is not a counterfeit. In addition, SDA can't prevent skimming because SSAD is static for every transaction. For these reasons, SDA is not used widely any more.

DDA stores Card (ICC) Public Key Certificate in addition to Issuer Public Key Certificate, and it stores Card (ICC) Private Key as well. In addition to Static Application Data (as used in SDA), card provisioning uses Issuer Private Key to encrypt and sign Static Application Data and Card Public Key into the ICC Public Key Certificate (tag 0x9F46).

The terminal sends Dynamic Data Authentication Data Object List (DDOL) to the card, the card uses the Card (ICC) private key to encrypt and sign the DDOL values to generate Signed Dynamic Application Data (SDAD), and returns SDAD to terminal.

The terminal restores Issuer Public Key the same way as in SDA, then uses it to decrypt and signature-verify Card (ICC) Public Key. Then it uses ICC Public Key to decrypt and signature-verify SDAD.

DDA uses 3 layers of key pairs to verify integrity: CA, Issuer and card.

CDA is a combination of DDA and application cryptogram generation. As we know, cryptogram is used in ARQC which requires online authentication. CDA requires the signature to include cryptogram, and guarantees cryptogram isn't corrupted.

One thing to note is online and offline authentications are not mutually exclusive. While there is only 1 offline authentication method used per transaction, most of the time, both offline and online authentications are checked for the transaction.

Outside USA and Singapore, majority of EMV credit cards deployments use Chip-and-PIN, such as in Europe and Canada. In USA, PIN-debit and PIN-prepaid use Chip-and-PIN, while credit cards use Chip-and-Signature. PIN verification can be online and offline.

The PIN can be stored in the chip, and therefore, offline verification is possible (and fast). The complexities of offline PIN verification are:

Terminals when performing Online PIN verification sends PIN to Issuer encrypted, and issuer confirms or rejects the PIN. Online PIN verification is actually not new to EMV. In magnetic stripe world, for example, PIN-debit has been verified online.

Note that PIN verification in contactless use case is always online. Contactless exchanges data and authentication at the very beginning of the tap and takes about one second, after which, card/device can be moved away from terminal, therefore, offline PIN verification doesn't make sense.

EMV card transactions support offline authorization. When it was first deployed in Europe, to combat unstable communication between terminal and acquirer. Furthermore, for lower amount, lower risk transactions can be done offline without obtaining authorization from issuers and networks, if issuers support it. Issuers also can control the limits (what's the value of transactions, how many offline transactions before it must go online) by embedding those parameters in the EMV chip.

In USA, most credit, debit and prepaid card transactions require online authorization.

References: