Card Issuing

Card Issuing & EMV Chip Personalisation Consultancy

Scheme-certified expertise across the complete card programme lifecycle — from BIN sponsorship and EMV chip profile engineering to personalisation bureau setup and live portfolio optimisation.

Programme Overview

Launching or re-platforming a card programme is a multi-year, multi-stakeholder undertaking that demands deep fluency across scheme rules, cryptographic key management, chip personalisation technology and regulatory frameworks. FinPay Consultants guides issuers — banks, fintechs, prepaid programme managers and processor bureaux — through every stage of this lifecycle.

We begin with BIN sponsorship strategy: selecting the right principal member, agreeing portfolio parameters with Visa or Mastercard, and structuring the BIN range for product segmentation (credit, debit, prepaid, commercial). We then progress to scheme membership formalities — completing the Visa/Mastercard enrolment pack, agreeing settlement bank arrangements and registering the programme in Vision/MATCH. Once the commercial foundation is set, our chip specialists take over for EMV profile design: constructing Application Identifier (AID) configurations, Application File Locator (AFL) structures, Cardholder Verification Method (CVM) lists, Issuer Action Codes (IAC) and offline authentication parameters to exacting scheme and business specifications. Finally, we oversee the personalisation bureau integration — selecting a bureau partner, validating Perso Data Package (PDP) formats, orchestrating HSM key loading and managing card artwork approval through scheme design centres. Post-launch, we support ongoing portfolio management: chip profile updates, contactless limit reviews and scheme compliance attestations.

Scheme Membership

Visa and Mastercard enrolment packs, BIN assignment, settlement bank linkage and programme registration.

EMV Chip Engineering

Full AID, AFL, CVM, IAC and ODA profile design with contactless harmonisation and domestic scheme coexistence.

Perso Bureau & HSM

Bureau selection, PDP file specification, Thales/Utimaco HSM integration and full key management hierarchy design.

EMV Chip Profile Design

The EMV chip profile is the DNA of your card product. Every parameter choice has downstream consequences for authorisation rates, offline transaction behaviour, fraud exposure and scheme compliance. Our consultants design profiles from first principles, documented against EMV Book 3 and the relevant scheme specifications (Visa VSDC, MC M/Chip).

AID Selection & Priority

The Application Identifier (AID) tells a terminal which payment application resides on the chip. Most dual-scheme cards carry multiple AIDs; the terminal selects the mutual candidate with the highest priority number (lowest byte value). Standard AIDs used in production programmes include:

  • A0000000031010 — Visa Credit (VSDC)
  • A0000000032010 — Visa Debit (VSDC)
  • A0000000033010 — Visa Electron
  • A0000000041010 — Mastercard Credit (M/Chip)
  • A0000000043060 — Mastercard Maestro
  • A0000002281010 — mada (Saudi Arabia domestic)

Priority bytes in the Application Priority Indicator (tag 87) must be assigned carefully. Domestic scheme AIDs are typically given priority 1 within their home market, with international AIDs at priority 2, ensuring local scheme routing where mandated by the central bank.

AFL (Application File Locator) Construction

The Application File Locator (tag 94) tells the terminal exactly where to find each data object on the card — which Short File Identifier (SFI 1–10) and which record number. AFL entries also flag which records must be included in the offline authentication hash (signed static or dynamic data). A typical AFL for a Visa Credit profile might read:

SFI 2, Records 1–3 (signed) | SFI 3, Records 1–2 (unsigned) | SFI 4, Records 1–1 (unsigned)

Record distribution must account for mandatory data objects (PAN, Track 2 Equivalent, Application Expiry Date, CVR, IAC) as well as optional objects (Issuer URL, PDOL parameters). Over-packing SFI 1 record 1 creates interoperability issues on older terminals with small APDU buffer limits.

CVM List Design

The Cardholder Verification Method (CVM) List (tag 8E) is an ordered sequence of CVM rules. Each rule contains an X amount, a Y amount, a CVM code and a condition code. The terminal attempts each rule in order, stopping at the first successful one. Amounts are expressed in the card's minor currency unit (e.g., for USD amounts are in cents). A production CVM list for a contactless-enabled credit card typically follows this order:

  1. Enciphered PIN verified online — if terminal supports online PIN and transaction exceeds contactless CVM Required Limit
  2. Enciphered PIN verified offline — for contact chip transactions below the UCOL floor (if offline PIN is in scope)
  3. Signature — fallback for terminals that do not support PIN
  4. No CVM required — for contactless tap-and-go below the CVM Required Limit

X and Y amounts serve as transaction value thresholds used with specific condition codes (e.g., "if unattended terminal", "if supported by terminal"). Setting them to zero with condition code 03 (always) creates an unconditional rule. Incorrect CVM list design is the most common cause of failed scheme certification test cases.

Issuer Action Codes (IAC)

The three IAC objects — IAC-Denial (9F0E), IAC-Online (9F0D) and IAC-Default (9F0F) — are 5-byte bitmasks that map directly onto the Terminal Verification Results (TVR). They instruct the card how to behave when specific risk conditions are flagged during offline processing. The table below shows representative flag settings for a standard credit card profile:

TVR Flag Byte.Bit IAC-Denial IAC-Online IAC-Default Meaning
Offline data auth not performed 1.7 0 1 1 Go online; approve offline if unavailable
SDA failed 1.6 1 0 0 Deny — card authentication has failed
ICC data missing 1.5 1 0 0 Deny — malformed chip data
Card appears on terminal exception list 1.4 1 0 0 Deny — terminal hot-card file match
DDA failed 1.3 1 0 0 Deny — dynamic auth signature invalid
Cardholder verification failed 2.7 0 1 1 Go online; approve if comms unavailable
Unrecognised CVM 2.6 0 1 0 Go online; decline if unable
PIN try limit exceeded 2.5 1 0 0 Deny — card is PIN-blocked
Expired application 2.4 1 0 0 Deny — card past expiry date
Upper offline transaction limit exceeded 3.7 0 1 1 Go online; approve if unable
Lower offline transaction limit exceeded 3.6 0 1 0 Go online; decline if unable
Transaction selected randomly for online processing 3.5 0 1 1 Go online; approve offline if unavailable
Merchant forced transaction online 3.4 0 1 1 Go online; approve if unable
New card 4.7 0 1 0 Go online; decline if unable
Issuer authentication failed 4.6 0 0 1 Approve offline (ARPC verification failed but proceed)
Script processing failed before final Generate AC 5.6 0 0 1 Approve offline; log for post-processing

Card Risk Management (CRM) Thresholds

CRM thresholds govern when the chip mandates an online authorisation based on cumulative offline spending. Four parameters work in concert:

  • LCOL (Lower Consecutive Offline Limit) — transaction count below which the card may remain offline without a forced online check. Typical value: 3.
  • UCOL (Upper Consecutive Offline Limit) — transaction count at which the card must go online or decline offline. Typical value: 6.
  • LCOA (Lower Consecutive Offline Amount) — cumulative offline amount in minor currency units below which offline approval is permitted. Typical value: USD 5000 (500000 in cents).
  • UCOA (Upper Consecutive Offline Amount) — cumulative offline ceiling; breaching this forces an online transaction or decline. Typical value: USD 10000 (1000000 in cents).
Design Note: LCOL/LCOA thresholds affect the TVR bits "Lower consecutive offline limit exceeded" and "Lower consecutive offline amount exceeded" — which feed into IAC-Online but not IAC-Denial. UCOL/UCOA breaches feed IAC-Default. Misaligning these values is a common cause of unexpected offline decline rates in markets with intermittent connectivity.

Offline Data Authentication: SDA, DDA and CDA

EMV defines three mechanisms for offline card authentication, each with a different security/performance trade-off:

  • SDA (Static Data Authentication) — The issuer signs a static data record with its RSA private key; the terminal verifies with the issuer public key certificate stored on the card. Fast, but vulnerable to pre-play attacks because the signed data never changes. Use only for low-risk, low-value portfolios or markets where terminal capability prevents DDA.
  • DDA (Dynamic Data Authentication) — The chip generates a unique dynamic signature per transaction using its own ICC private key. Eliminates pre-play risk. Preferred for mainstream credit/debit products. Requires the terminal to perform a GET CHALLENGE command and one additional RSA operation, adding ~150 ms to contact transaction time.
  • CDA (Combined DDA/Application Cryptogram Generation) — Merges DDA and the ARQC/TC/AAC generation into a single RSA operation on the Generate AC command. Provides the highest security — the terminal cannot separate authentication from the transaction cryptogram, preventing attacks where a tampered terminal accepts a valid DDA signature while recording a different transaction. Recommended for all new credit and debit programmes where the card OS supports it.
  • fDDA (fast Dynamic Data Authentication) — A contactless-optimised variant of DDA that removes the GET CHALLENGE command, reducing the RF field exposure time required for offline authentication. fDDA is now the dominant contactless ODA method across APAC and GCC deployments running Visa payWave and Mastercard Contactless kernels. Issuers targeting contactless-heavy markets (mada, KNET, BENEFIT, MyDebit) should configure fDDA as the primary contactless ODA method.

Contactless Profile Parameters

Contactless (NFC) transactions use a stripped-down kernel profile (Visa payWave / Mastercard Contactless). Key parameters that must be defined in the chip profile:

  • CTL Transaction Limit (Reader Contactless Transaction Limit) — Maximum transaction amount eligible for contactless processing. Above this, the terminal forces a contact chip transaction. Configured both on-card and on-terminal; the lower of the two applies. Typical value: USD 250 / GBP 100 / EUR 50 (market-dependent).
  • CVM Required Limit — Transactions below this amount may proceed contactless with no CVM (tap-and-go). Above this, the terminal must obtain CVM (typically online PIN for contactless). Typical value: USD 100 / GBP 45 / EUR 50.
  • Floor Limit — Transactions below this value can be approved offline without an ARQC. Must align with the scheme-mandated floor (often zero for contactless, meaning all contactless transactions must be online).
  • Zero Amount Tap Enable Flag — Enables contactless transit use-cases (open-loop transport) where the initial tap carries a zero amount and the fare is debited at exit. Must be explicitly enabled in the kernel configuration.

Dual-Interface Harmonisation

Dual-interface cards carry separate EMV personalisation records for contact (ISO 7816) and contactless (ISO 14443) interfaces. A common error is personalising different CVM lists, AIDs or CRM thresholds to each interface, creating inconsistent cardholder experiences and certification failures. FinPay Consultants applies a harmonisation framework that maps every tag value across both interface profiles and flags mismatches before the first personalisation run — avoiding costly reprints and scheme re-test cycles.

Domestic Scheme Coexistence

Many markets mandate that cards issued domestically carry both an international scheme AID and a local domestic scheme AID. Key domestic schemes our consultants have implemented:

  • mada (Saudi Arabia) — Operated by SAMA; AID A0000002281010. Mandatory on all POS-capable debit cards issued in KSA. Specific contactless limits and MasterKey PIN management requirements.
  • KNET (Kuwait) — Operated by KNET/KIPCO; mandatory on all debit cards issued in Kuwait. Requires parallel Perso file with KNET-specific key sets and CVK derivation.
  • BENEFIT (Bahrain) — GCC interbank network; dual AID with BENEFIT-specific CVR/IAC parameters and Bahrain Central Bank contactless thresholds.
  • MyDebit (Malaysia) — Operated by PayNet; AID A0000008780001. Mandatory on Debit Mastercard and Visa Debit cards issued in Malaysia. Full EMV chip and contactless support required from 2023 onwards.

Personalisation Bureau Advisory

Perso Data Preparation

The Personalisation Data Package (PDP) is the machine-readable instruction set that drives the card OS during personalisation. It encodes every data object that will be written to the chip — including the EMV profile tags described above, the PAN and sequence number, track equivalents, and derived keys. PDP file formats vary by bureau (Thales, Valid, CPI, IDEMIA each use proprietary variants), but all must conform to the card OS vendor's specification and be validated against an EMVCo-compliant reference implementation before production.

Key management during Perso uses ANSI X9.24 (DUKPT) or a Master-Session key derivation scheme. The bureau HSM holds the Base Derivation Key (BDK) or LMK-protected zone master keys, and derives unique card keys per PAN during the personalisation run. FinPay Consultants validates PDP templates, reviews key derivation logic, and witnesses pilot runs before sign-off on production volumes.

HSM Integration

Hardware Security Modules are the cryptographic root of trust for the entire card programme. We have hands-on experience with the three dominant HSM platforms used in payment personalisation:

  • Thales payShield 10K — industry-standard for issuers and bureaux; supports all major payment HSM command sets (Visa, Mastercard, EMV)
  • Utimaco Se-Series — common in European issuer environments and national payment switches
  • Entrust nShield — favoured in cloud-adjacent and hybrid deployments

Key Management Hierarchy

A robust key management hierarchy is critical to the security of the card programme. The standard hierarchy for an EMV issuer programme:

  • LMK (Local Master Key) — HSM's own master key, never leaves the HSM. All other keys are stored LMK-encrypted.
  • ZMK (Zone Master Key) — used to exchange keys securely between HSMs during key loading ceremonies. Double or triple-length DES or AES.
  • ZPK (Zone PIN Key) — encrypts PIN blocks in transit between PIN pad and issuer host. Never shared with third parties unencrypted.
  • CVK (Card Verification Key) — used to generate and verify CVV/CVV2/iCVV values. Unique per BIN range.
  • PVK (PIN Verification Key) — used in IBM 3624 or VISA PVV pin verification offset generation.
  • IMK (Issuer Master Key) — card-programme master key from which per-card AC session keys are derived during Perso (using EMV key derivation).

Card Artwork Approval

Both Visa and Mastercard maintain dedicated design centres that review and approve all card artwork before production. Approval requirements include: correct placement and minimum size of the scheme hologram or holorite, network acceptance marks, contactless symbol placement (EMVCo specification), chip graphic position tolerance, embossing zone clearance, and magnetic stripe coercivity marking. Typical approval cycles run 3–6 weeks. FinPay Consultants prepares the artwork submission pack, liaises with the scheme design centre and manages iterative feedback rounds to minimise delays.

Frequently Asked Questions

Mandatory EMV personalisation data falls into three groups. Card-level data includes the PAN, expiry date, cardholder name, PAN sequence number, and Service Code. Application-level data includes Application Identifier (AID), Application Version Number (tag 9F08), Application Usage Control (tag 9F07), and Application Effective and Expiry Dates (tags 5F25 and 5F24). Cryptographic data includes the Application Master Key diversified to produce the card's ICC Master Key, and the RSA or ECC key pair for offline data authentication (SDA, DDA, or CDA). Additionally, risk management parameters — Velocity Check limits (tag 9F14/9F23), Lower and Upper Consecutive Offline Limit (tags 9F14/9F23), and the CVM List (tag 8E) — must be configured according to your scheme certification profile and card product rules.

The Application Request Cryptogram (ARQC) is a MAC computed by the ICC using the Session Key derived from the ICC Master Key (itself derived from the Application Master Key) and input data including the Amount, Currency Code, Date, Unpredictable Number, and other transaction data. The issuer host receives the ARQC in DE 55 of the ISO 8583 authorisation request. The HSM at the issuer host diversifies the Application Master Key to the ICC Master Key using the PAN and PAN Sequence Number, then derives the Session Key using the ATC, and verifies the ARQC against the same input data. A matching ARQC confirms card authenticity and data integrity. If verification fails, the issuer should decline with response code 63 or equivalent and flag for investigation — ARQC failures indicate potential card cloning or data manipulation.

Contactless limits operate at two levels. The terminal Contactless Transaction Limit (CTL) is set by the acquirer/merchant and controls the maximum amount eligible for contactless tap without PIN. The Cardholder Verification Method (CVM) required limit — when the transaction exceeds this threshold, CVM (typically PIN or consumer device CVM) is required. Scheme limits vary: Mastercard and Visa mandate jurisdiction-specific CTL maximums in their operating regulations. For on-card limits stored in tag 9F7B (Extended Selection for contactless), these are personalised at card production and cannot be updated post-issuance without card replacement. However, issuer host-side controls, 3DS, and real-time fraud rules can apply additional limits dynamically without requiring physical card changes.

Ready to Design Your EMV Chip Profile?

Whether you are launching a new card programme, re-platforming an existing one, or troubleshooting certification failures, our chip profile specialists are ready to help. Contact us for a no-obligation technical scoping session.

Start the Conversation