Why is data duplicated in EMV card?

Question

I am working in EMV card and my new task is to compare Magstripe data with chip data. Data that should be common in Mag and chip is:- PAN, Card Holder Name, Expiry date. Here I don't understand the following:-

A single data like PAN is present in multiple places:-
It present in Mag Track1
It present in Mag Track2
It present in 5A EMV Tag
It present in 57 [track 2 equivalent data] EMV Tag.

or expiry date
It present in Mag Track1 and Track2
It present in 57 [track 2 equivalent data] EMV Tag.
it present in 5f24 emv tag.

Why is the same data present in multiple locations? And which data should be common to Mag and chip and its location in EMV chip?

What is the significance of keeping Mag data in Chip, and under what TAG values, so that I could compare those values only?

Answer 1

In the early day of EMV, the Track 2 Equivalent Data was used to 'ease' the transition: chip readers could be installed without changing the POS software, which would start a magstripe transaction as if the card had been swiped.

Similarly, there used to be 'partial grade' transactions where the card & terminal would use EMV (for example to perform offline authentication, offline PIN verification, etc.) but the online transaction would be as if the magstripe had been read. This allowed the acquirers to gradually update to EMV.

So today the Track 2 Equivalent Data is probably not needed anymore, but 1) you never know if some old system somewhere still relies on it and 2) perhaps more importantly, removing it would require changes by the issuers/perso bureaus (i.e., data preparation & personalization) which bring costs & risks for little benefits.

Answer 2

There is not any reasonable explanation why magstripe equivalent data is present in the tags. When considering “Fall Back Method” does not help with understanding the issue in depth because during the fall back process the POS system prompts the user to utilize the magstripe which would render the PAN an other security information. Absolutely no reason the fall back would pull data from the chip which is why it’s call a fall back.

Answer 3

Why same data is present in multiple location?

Because the EMV standard first started out supporting only magnetic stripe cards, then was extended to handle smart / chip cards, and most recently has been extended to support the tap-and-go contactless smart cards.

Each extension was typically designed in such a way as to maintain some kind of backwards compatibility with cards from the previous version (so smart card readers typically also have in-built magstripe readers to support the abovementioned 'fallback' case). However, the magstripe data is fundamentally less secure/trustworthy than smartcard data, because the smartcard has an in-built cryptoprocessor which can provide a degree of integrity and confidentiality, so you should always prefer the smartcard data to the magstripe data.

Answer 4

The CVV value must be different on the tag 57 data than the CVV value encoded on the mag stripe track 2. This aids in fraud mitigation.

Answer 5

It is known as 'fallback'. If for whatever reason you cannot read the chip data (card damaged, or issue with your device) you fallback to track 2 data.

The service code on track 2 will indicate whether or not this is a chip enabled card, and subsequently adjust the authorization request sent to the acquirer/issuer. It is then the issuers decision on whether to accept or decline the transaction (bearing in mind fallback to track 2 data is much less secure)

In summary, always trust the values on chip if you can access those. Fallback to track 2 data only if necessary.