Bank IC Card Reading Flow Instructions

Detailed Explanation of Bank UnionPay IC Card Reading Process

The card reading process of UnionPay IC cards complies with the PBOC specification and ISO 7816 standard, implemented through multiple rounds of APDU (Application Protocol Data Unit) command interactions between the card reader and the card. Below is a detailed breakdown based on the latest technical documents.

I. Initialization Phase: Power Supply and Protocol Negotiation

1. Power Activation and Reset

The card reader applies power (VCC) to the card and sends a reset signal (RST). The card returns an ATR (Answer to Reset) within 400-40000 clock cycles, carrying the transmission protocol (e.g., T=0 or T=1), the baud rate adjustment factor (D) and the clock conversion factor (F). For example, the initial character TS = 3B in the ATR indicates the direct convention, while T0 = 95 indicates that the TA1 and TD1 interface bytes follow.

2. PPS (Protocol and Parameter Selection) Negotiation

The card reader sends a PPS request based on ATR parameters to negotiate the communication protocol (e.g., T=1) and transmission parameters (F, D). If TD1 in ATR is 81 (binary 10000001), it means T=1 is supported. The card reader sends 00 00 00 as a PPS request, and new parameters are enabled after the card confirms.
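The ATR decoding described in this phase, as an added example that is not part of the original article: it walks the TA/TB/TC/TD interface-byte groups, reads F and D from TA1, lists the offered protocols and checks the TCK byte. The sample ATR (3B 95 18 81 11 FE ... CE) is constructed for this example.

```python
F_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
           9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}   # FI -> F (ISO 7816-3)
D_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}  # DI -> D

# Constructed sample ATR: TS=3B (direct), T0=95 (TA1, TD1 follow; 5 historical bytes),
# TA1=18 (F=372, D=12), TD1=81 (TD2 follows, T=1), TD2=11 (TA3 follows, T=1),
# TA3=FE (IFSC), historical bytes "PBOC3", TCK=CE.
SAMPLE_ATR = bytes.fromhex("3B 95 18 81 11 FE 50 42 4F 43 33 CE")

def parse_atr(atr: bytes) -> dict:
    """Decode convention, offered protocols, F/D from TA1, historical bytes and TCK."""
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("invalid TS byte")
    info = {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "protocols": [], "F": 372, "D": 1}
    t0 = atr[1]
    hist_len, y = t0 & 0x0F, t0 >> 4          # low nibble K, high nibble Y1
    i, round_no = 2, 1
    while True:                                 # walk the TAi/TBi/TCi/TDi groups
        ta = td = None
        if y & 1: ta, i = atr[i], i + 1
        if y & 2: i += 1                        # TBi (not needed here)
        if y & 4: i += 1                        # TCi (not needed here)
        if y & 8: td, i = atr[i], i + 1
        if round_no == 1 and ta is not None:    # TA1 carries FI (high nibble) / DI (low nibble)
            info["F"], info["D"] = F_TABLE[ta >> 4], D_TABLE[ta & 0x0F]
        if td is None:
            break
        proto = td & 0x0F                       # low nibble of TDi = offered protocol
        if proto not in info["protocols"]:
            info["protocols"].append(proto)
        y, round_no = td >> 4, round_no + 1
    if not info["protocols"]:
        info["protocols"] = [0]                 # no TD1: only T=0 is offered
    info["historical"] = atr[i:i + hist_len].hex().upper()
    i += hist_len
    # TCK is present unless only T=0 is offered; XOR of T0..TCK must be zero
    if info["protocols"] == [0]:
        info["tck_ok"] = len(atr) == i
    else:
        x = 0
        for b in atr[1:i + 1]:
            x ^= b
        info["tck_ok"] = len(atr) == i + 1 and x == 0
    return info
```

A reader should refuse to continue (and certainly refuse to send a PPS) when tck_ok is false, since the ATR was corrupted on the line.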

II. Application Selection Phase: From Payment System to Target Application

1. Select PSE (Payment System Environment)

The card reader sends a SELECT command to select the PSE file 1PAY.SYS.DDF01 to obtain the card’s supported applications:

CLA INS P1 P2 Lc Data Le
00 A4 04 00 0E 315041592E5359532E4444463031 00  // SELECT by DF name: the 14 ASCII bytes of "1PAY.SYS.DDF01", so Lc = 0E

The card returns FCI (File Control Information) with SFI (Short File Identifier) and AID list.

2. Traverse Application List

Read records via SFI, parse multiple AIDs (e.g., A000000333010101), and determine the target application by priority or user selection.

3. Final Application Selection

Send a SELECT command to select a specific application (e.g., debit/credit):

00 A4 04 00 07 A0000000041010 00  // Select application with AID A0000000041010

The card returns application interaction features (e.g., DDA/SDA support) and PDOL (Processing Options Data Object List).

III. Application Initialization and Data Acquisition

1. GPO (Get Processing Options)

Based on PDOL (e.g., 9F38 tag), the card reader generates a GPO command with terminal risk analysis results (e.g., transaction amount, currency code):

CLA INS P1 P2 Lc Data Le
80 A8 00 00 08 8306000000010000 00  // Example GPO: the data is an 83 command template holding the PDOL values in order (here the 6-byte amount 9F02 = 000000010000)

The card returns the AFL (Application File Locator) and AIP (Application Interchange Profile), which indicate which files to read and which authentication methods the card supports.

2. Read Files According to AFL

Using SFI and record ranges from AFL, send a READ RECORD command to read key data (e.g., static authentication tags 9F4A, IC card public key certificate 9F46 for dynamic authentication):

00 B2 01 0C 00  // READ RECORD: P1 = record number 1; P2 = (SFI << 3) | 0x04 = 0x0C for SFI 1

Data is returned in TLV format, including card version and issuer public key.
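Reading the AFL and the records it points to, as an added example that is not the article's code: the AFL is expanded into READ RECORD APDUs with P2 = (SFI << 3) | 4, and a small BER-TLV parser pulls the tags out of a returned record. The AFL bytes and the 70-template record (with a made-up PAN) are constructed for this example.

```python
# Constructed AFL: SFI 1 records 1-2 (none used for offline auth), SFI 2 record 1 (used for auth)
SAMPLE_AFL = bytes.fromhex("08 01 02 00 10 01 01 01")
# Constructed record response: 70 template with 5A (PAN, fake), 5F24 (expiry) and 9F4A (SDA tag list)
SAMPLE_RECORD = bytes.fromhex("70 14 5A 08 62 22 00 00 00 00 00 01 5F 24 03 28 12 31 9F 4A 01 82")

def afl_to_read_records(afl: bytes) -> list:
    """Each 4-byte AFL entry: SFI<<3, first record, last record, records used for offline auth.
    Returns [(apdu_bytes, used_for_offline_auth), ...]."""
    if len(afl) % 4:
        raise ValueError("AFL length must be a multiple of 4")
    cmds = []
    for k in range(0, len(afl), 4):
        sfi = afl[k] >> 3
        first, last, n_auth = afl[k + 1], afl[k + 2], afl[k + 3]
        if not 1 <= sfi <= 30 or first == 0 or last < first:
            raise ValueError("malformed AFL entry")       # reject before sending anything
        p2 = (sfi << 3) | 0x04                             # bits 5-8 = SFI, bits 1-3 = 100b
        for rec in range(first, last + 1):
            cmds.append((bytes([0x00, 0xB2, rec, p2, 0x00]), rec - first < n_auth))
    return cmds

def parse_tlv(data: bytes) -> dict:
    """Minimal BER-TLV walk returning {tag_hex: value}; constructed tags (e.g. 70) are flattened."""
    out, i = {}, 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):                        # inter-TLV padding
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:                           # multi-byte tag (9F46, 5F24, ...)
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        length = data[i]
        i += 1
        if length & 0x80:                                  # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out
```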

IV. Security Authentication Phase: Dynamic Data Authentication (DDA)

1. Internal Authentication and Signature Generation

The card reader sends an INTERNAL AUTHENTICATE command with terminal data specified by DDOL (e.g., random number 9F37, transaction amount 9F02):

00 88 00 00 04 12345678 00  // Example INTERNAL AUTHENTICATE: the data holds only the DDOL values (here the 4-byte 9F37 unpredictable number), so Lc = 04

The card signs data with its private key and returns dynamic signature data (e.g., 9F47 tag).

2. Signature and Public Key Chain Verification

Verification steps:

  1. Read IC card public key certificate 9F46 from the card, decrypt with the issuer’s public key to get the IC card public key.
  2. Hash DDOL data and card-sent signature data, compare with decrypted signature.
  3. Authentication passes if matching; otherwise, the transaction terminates.
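The hash check in step 2 above, as an added example that is not part of the original article. It assumes the RSA recovery of the dynamic signature with the ICC public key (s^e mod n) has already produced the plaintext block, and checks that block: 6A header, format 05, SHA-1 indicator 01, BB padding, BC trailer, and the hash over the signed fields plus the terminal's DDOL data. The ICC dynamic number and the DDOL data are constructed values; build_recovered_sdad exists only to produce the sample.

```python
import hashlib

SAMPLE_DDOL_DATA = bytes.fromhex("12345678")              # the 9F37 unpredictable number the terminal sent
SAMPLE_ICC_DYN_NUMBER = bytes.fromhex("001FA3C455667788")  # constructed ICC dynamic number

def verify_recovered_sdad(recovered: bytes, ddol_data: bytes) -> dict:
    """Check a recovered Signed Dynamic Application Data block against the DDOL data."""
    n = len(recovered)
    if n < 26 or recovered[0] != 0x6A or recovered[-1] != 0xBC:
        return {"ok": False, "reason": "header/trailer"}
    if recovered[1] != 0x05 or recovered[2] != 0x01:       # format 05, SHA-1
        return {"ok": False, "reason": "format/hash id"}
    l_dd = recovered[3]                                     # ICC dynamic data length
    if 4 + l_dd > n - 21:
        return {"ok": False, "reason": "dynamic data length"}
    dyn = recovered[4:4 + l_dd]
    if any(b != 0xBB for b in recovered[4 + l_dd:n - 21]):  # pad pattern
        return {"ok": False, "reason": "pad"}
    # Hash input: format byte through pad pattern, then the terminal's DDOL data
    expected = hashlib.sha1(recovered[1:n - 21] + ddol_data).digest()
    if expected != recovered[n - 21:n - 1]:
        return {"ok": False, "reason": "hash mismatch"}
    icc_dyn_number = dyn[1:1 + dyn[0]] if dyn else b""      # first byte = its length
    return {"ok": True, "icc_dynamic_number": icc_dyn_number.hex().upper()}

def build_recovered_sdad(icc_dynamic_number: bytes, ddol_data: bytes, n_ic: int) -> bytes:
    """Build the plaintext a card signs (sample construction only; n_ic = modulus length in bytes)."""
    dyn = bytes([len(icc_dynamic_number)]) + icc_dynamic_number
    body = b"\x05\x01" + bytes([len(dyn)]) + dyn + b"\xBB" * (n_ic - len(dyn) - 25)
    return b"\x6A" + body + hashlib.sha1(body + ddol_data).digest() + b"\xBC"
```

Because the terminal's own unpredictable number is part of the hashed input, a signature captured from an earlier transaction fails the check, which is what makes DDA resistant to replay.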

V. Transaction Processing and Termination

1. Generate Application Cryptogram

The card reader sends a GENERATE AC command to request the card to generate a Transaction Certificate (TC) or Authorization Request Cryptogram (ARQC):

80 AE 80 00 06 000000010000 00  // GENERATE AC with P1 = 80 (ARQC requested); the data holds the CDOL1 values (here the 6-byte amount)

The card returns the cryptogram (e.g., 5F2A currency code, 9A transaction date) and transaction counter (ATC).

2. Online Verification and Card Writing

The card reader sends ARQC to the issuer’s backend for verification. After receiving the Authorization Response Cryptogram (ARPC), it sends an EXTERNAL AUTHENTICATE command to complete mutual authentication:

00 82 00 00 08 8001020304050607 00  // Example external authentication command

If successful, a write command (e.g., UPDATE RECORD) updates the card balance and transaction log.

3. Transaction Termination and Deactivation

The card reader sends a DESELECT command to release the application and disconnect:

00 E4 00 00 00  // Deactivate the card

After the card returns 9000, the card reader cuts power, ending the process.

VI. Key Commands and Data Structures

| Phase                   | Command Example            | Function Description                            |
|-------------------------|----------------------------|-------------------------------------------------|
| Application Selection   | 00 A4 04 00 07 AID 00      | Select application by AID; return FCI and PDOL  |
| Data Acquisition        | 00 B2 01 0C 00             | Read AFL-specified records for auth data        |
| Dynamic Authentication  | 00 88 00 00 04 RANDOM 00   | Internal auth; card returns dynamic signature   |
| Cryptogram Generation   | 80 AE 80 00 06 AMOUNT 00   | Generate ARQC/TC for verification               |
| Security Authentication | 00 82 00 00 08 ARPC 00     | External auth to verify issuer response         |

VII. Security Mechanisms and Normative Basis

  • Dynamic Data Authentication (DDA): Prevents card duplication via IC card private key signature (RSA/SM2 algorithms).
  • PBOC 3.0 Specification: Supports dual-algorithm systems (RSA/SM2) and requires multi-application/dynamic key management compatibility.
  • ISO 7816-4: Defines APDU format and secure message exchange for cross-industry compatibility.

Through this process, UnionPay IC cards ensure a secure transaction loop, protecting financial data confidentiality, integrity, and non-repudiation.


Card dispenser operation with bank IC card reading: