EMV ("Europay, Visa, MasterCard") standard has been invented a while ago (first release in 1994) as an urgent need to address security flaws of the previous generation magnetic stripe cards. There are more than two decades time-span between the first publication of EMV spec and this article. Because of that, we have a lot of resources describing EMV in the land of the worldwide web. However, one particular component that is present in each EMV transaction, but doesn't have a good "explain me like I'm 5 years old" clarification is "EMV Tags". This is what we're going to cover in this post.
"EMV Tags" are usually mile-long alpha-numeric strings in a
BER-TLV format. "TLV" or as it might be referred to as
"SIMPLE-TLV" stands for "Tag Length Value". BER-TLV is an
"expanded" version of "TLV" that allows supplying tags with variable
length, include one "TLV" inside another and provides few extra
capabilities (for more details please refer to stackoverflow
post). As was mentioned, "EMV tags" play one of the key roles in the
EMV processing (that's where the name is coming from) but aren't part of
any other "entry mode" (neither magstripe swipe nor manual entry
through/without terminal nor any other).
When all non-emv "entry modes" can be successfully performed using a bigger or lesser amount of customer data stored on the card (like card number (PAN), CVV, Exp. date), there is a necessary involvement of "EMV Tags" in EMV transaction. Why are they so important for "EMV"?
Let's take a look at the FirstData's definition of "EMV tags":
Values involved in an EMV transaction (which result from the Issuer’s implementation choices) are transported and identified by a tag that defines the meaning of the value, the format, and the length.
In other words, this is a set of data required to facilitate an EMV transaction.
As we know, EMV is a much more secure payment method with extra functionalities compare to its predecessors. In order to support all of these features, there is a need to supply and process an additional set of data that represents it. That's another role which "EMV Tags" play. They are the "additional data" that enables new EMV capabilities (but aren't limited to that).
One of the best ways to highlight it even better is to look at the following slide with the examples:
The picture above shows a list of "EMV Tags" with corresponding
meaning for each in the "Chip Data" column. For instance, the very first
9F26 tag represents "Application Cryptogram". This
cryptogram is generated by the card and send to the card issuer to
confirm that the "chip" was not falsified (if you're eager to learn more
about cryptograms, please refer to EMV's
Guide to EMV Chip Technology and/or one of the versions of EMV
Book). This feature provides an additional layer of security we
talked before.
As was referred earlier, "EMV Tags" facilitate new functionality of EMV, but are not bound by it. These tags can also contain sensitive data such as PAN, Cardholder Name, full track1/track2 data, etc. A full list of tags can be found on emvlab website. However, when sensitive EMV data is transmitted, it either will be encrypted (most likely with the same encryption method as the other sensitive data) or removed completely before leaving the card reader device.
As the last paragraph of this high-level overview it's important to
note that data in some EMV tags can vary by the issuer (e.g. tag
91 - Issuer Authentication Data) and would be
different from one bank to another.