Certification Level for Tag 91 Issuer Authentication Data

Question

I am doing an investigation related to the EMV Tag 91 Issuer Authentication Data, and I found this related question that covers pretty much of what I am looking for and based on the information shown in there:

In order to support the formats of Authorization Response Code, CSU or ARPC inside of TAG 91 for different brand cards, devices/terminals should comply with EMV Certification Level 3? Or the devices should comply only Certification Level 1/2 to support the different formats?

Answer 1

I have implemented an open source EMV payment framework (https://github.com/vicente-da-silva/dcemv). This implements both EMV contactless and contact kernels. Included in the project is a SimulatedPaymentProvider.cs in the DCEMV_SimulatedPaymentProvider project which can generate the appropriate response (tag 8a, 91 as well as 71 or 72 for scripts) back to the card for External Authenticate and 2nd gen AC. It is able to build the correct response for different card associations and different cryptogram versions.

Answer 2

EMV is a framework that is used by the payment schemes to build their specifications on top of it. EMV defines Issuer Authentication Data as a binary tag with length from 8 to 16 bytes. It is unnecessary for terminal to understand the structure, subelements, etc. Terminal does not parse it (it is a primitive data object). From the terminal point of view neither IAD nor Issuer Script Commands that may be found in the authorization response should be interpreted, only passed unmodified to the card. Any EMV level 2 compliant terminal will behave in this way as it is verified during the certification process that regardless of the individual schemes implementations tag 91 is passed unmodified and transaction result will not be based on any response code that may be part of individual schemes implementation of IAD.

Short answer would be - on the terminal side, please treat tag 91 as binary object that shouldn't be modified, but only passed to the level 2 kernel. The kernel will treat it the same but will also apply necessary trimming/padding and handle issuing or not additional Issuer Authentication command basing on AIP and CDOL2 and will set TVR and TSI accordingly.