The China Financial Integrated Circuit Card Specifications (Version 1.0) (hereinafter the “PBOC 1.0”) promulgated by the PBC in 1998 initiated the preparation for the testing of financial IC cards in China. In April 1998, the Bank Card Test Center was opened. During the early stage of financial IC card testing, China’s production and application of financial IC cards was in the preliminary stage with limited testing. In 2005, the PBOC 2.0 was promulgated, marking the fast development of financial IC cards. Hence matching testing standards were required to regulate IC card testing in order to facilitate the health development of the IC card industry. In 2008, the PBC promulgated the China Financial Integrated Circuit Card Testing Specifications to ensure the conformity with the China Financial Integrated Circuit Card Specifications.
The China Financial Integrated Circuit Card Testing Specifications provides uniform technical specifications for the whole process from R&D to issuance and application of bank IC cards, as well as scientific, prudent, comprehensive and systematic testing standards which can better guide and regulate the production, issuance, testing and application of bank IC cards. Furthermore, PBOC2.0 is compatible with international IC cards, which paves the way for the domestic bank cards to run on an international track too.
The China Financial Integrated Circuit Card Testing Specifications comprises the following three parts:
(I) Debit/credit application card testing specifications
This part comprises nine chapters, including Terminologies and Definitions, Symbols and Abbreviations, Code Definitions, Electrical Property and Communication Protocol Testing Case Study, Application Testing Case Study, and Appendices, of which the Electrical Property and Communication Protocol Testing Case Study, and Application Testing Case Study are the main components.
The Electrical Property and Communication Protocol Testing Case Study includes approximately 60 testing cases on General Requirements, Electrical Property Testing, Reset Response Testing, Character Transmission Testing, T=0 Protocol Testing and T=1 Protocol Testing.
The Application Testing Case Study defines approximately 600 testing cases on 50 applications, covering all applications of the cards.
(II) Debit/credit application terminal testing specifications
This part comprises eight chapters, including Terminologies and Definitions, Symbols and Abbreviations, Code Definitions, Card Reader Module Testing Case Study, and Application Kernel Testing Case Study, of which the Card Reader Module Testing Case Study and the Application Kernel Testing Case Study are the main components.
The Card Reader Module Testing Case Study includes approximately 190 testing cases on General Requirements, Mechanical Property Testing, Electrical Property Testing, Card Operation Process Testing, Reset Response Testing, T=0 Protocol Testing, T=1 Protocol Testing and Terminal Transmission Layer Testing.
The Application Core Testing Case Study defines approximately 900 testing cases on 16 applications, covering all applications of terminals.
(III) Debit/credit application personalization testing guide
This part comprises seven chapters, including Symbols and Abbreviations, Testing Conditions, Code Definitions, and Testing Case Study. The Testing Case Study is the main component.
The Testing Case Study includes over 90 testing cases on 15 applications, i.e. Reset Response Testing, Forced Data Reading from the IC File, Consistency between Magnetic Strip and IC Card Data, Application Selection, Application Initialization, Static Data Certification, Dynamic Data Certification, Composite Dynamic Data Certification, Card-holder Certification, Terminal Risk Management, Transaction Details, Other Optional Data Check, Validity of Keys, Data Grouping, and Consistency between Personalized Data and ICS.
III. Promotion and Application of the Testing Specifications
(I) Organizing and implementation trainings for commercial banks and relevant enterprises
In order to promote and implement technical standards for financial IC cards, explore new technologies, businesses and models for bank card application and support the fast and healthy development of the bank card industry, the Bank Card Test Center has, with the guidance from the PBC, organized training courses on bank card standards, technologies and businesses nationwide since 2004. As of the end of 2010, it has delivered 16 training seminars for commercial bank and seven for bank card-related enterprises, training over 2,000 persons.
All training seminars focused on the development status of China’s bank card industry and the international trend. They covered hot topics on the development of domestic and international bank card industries, and introduced new technologies and businesses of bank cards. One of the key objectives of these seminars is to publicize and educate people about PBOC 2.0 and the testing specifications, such as the PBOC 2.0 system, the network access testing for IC cards and terminals in the PBOC 2.0, IC card system testing indicators and technical requirements, and IC card innovative technologies and businesses etc.
(II) Conducting IC card testing to propel the implementation of financial IC card standards
To support the implementation of the PBOC 2.0, enhance the management of IC cards and processing terminal products in China’s financial network, and provide professional guidance to the R&D, design, and production of IC cards and terminal products by IC card enterprises, the PBC promoted the IC card-related testing in line with the requirements in the testing specifications as to provide professional services for card manufacturers in quality control and for commercial banks in bidding and product selection. After the promulgation of the China Financial Integrated Circuit Card Specifications (Version 2010), the Bank Card Test Center upgraded relevant testing cases to ensure the conformity of testing. The details are as follows:
1. Testing of IC cards
(1) Electronic wallet/passbook application
During the initial stage of financial IC card testing, the testing scope of electronic wallet/passbook application is limited to physical property and basic application functions. With the fast development of sector-specific applications (such as utility and public transport card) in recent years, the number of tests for electronic wallet/passbook applications keeps increasing, and the scope of testing gets diversified. Additions include the testing for electrical parameters and communication protocols compatible with international standards. The testing cases in application functions and security are improved also. Currently, the testing for electronic wallet/passbook application includes physical property, electrical parameter, communication protocol, COS commands, application functions, basic security, application firewall, anti-power supply, and service life of cards, meeting the requirements of the compatibility, universal application and security of cards.
(2) Debit/credit application
In response to the international EMV migration, the PBC incorporated the debit/credit application into the PBOC 2.0 with the core functions compatible with EMV specifications. The debit/credit application uses both symmetric and asymmetric key algorithm and supports off-line and online transactions. Inside the cards, complicated data elements and risk parameters are defined, and thus more efforts are required for testing the cards than the electronic wallet/passbook application.
To support the promotion of the debit/credit application, the Bank Card Test Center launched the proprietary PBOC 2.0-based IC card testing platform and designed over 600 testing cases for debit/credit applications, including electrical property, character transmission, T=0 protocol, T=1 protocol, application selection, application locking, data certification, risk management and script processing. The testing platform, as the vehicle for implementing testing standards, has completed the testing of over 100 IC cards since its launch, well supporting the development of domestic IC cards.
(3) Electronic cash application
The electronic cash application is based on the debit/credit application and mainly acts to transfer certain amount from the principal debit/credit account into the IC card for its off-line use without debit/credit risks. The electronic cash application has good potential in certain low-value payment areas and is well received by enterprises.
The testing of electronic cash is build upon the basic debit/credit card testing which should comply with the testing specifications, and additionally consisted of specific sub-testings on the updates of electronic-cash data, reads and updates of electronic cash balance, application initialization and off-line data authorization, which can satisfy the needs of testing the electronic cash application and basic security performance. In 2010, the electronic cash application was added into the PBOC 2.0, making the testing of electronic cash application reach a record high. Currently debit/credit cards developed by most developers support electronic cash application, and the testing of electronic cash application will be made along with the testing for debit/credit application.
(4) Contactless IC card payment application
Contactless IC card payment application is convenient, fast and secure, and is welcomed in areas requiring fast payments (such as public transport and municipal bill payments). It was used in the low-value payment IC card pilot project in Ningbo sponsored by the PBC. To promote this application, a special contactless card testing system was developed, and the contactless IC card communication protocol testing equipment was imported so that the contactless IC card communication protocol is compatible the relevant international standards. The testing of contactless payment application is either qPBC testing or MSD testing: qPBC uses an optimized debit/credit process to make off-line transactions possible via contactless interface. Encipherment, decipherment and transaction shall be completed within 500 mini-seconds for the IC cards to satisfy the requirements of fast transactions. Testing shows that currently only middle to high-end products can satisfy this requirement. MSD remains information in the original magnetic strip, and is a transitional product for the migration of magnetic strip to IC card. The testing focuses on the dynamic CVN generation.
2. IC card processing terminal testing
The promotion and application of bank cards are closely related to the development of the bank card processing environment. The application of bank IC cards highly depends on the development of IC card processing terminals and the environment. In recent years, under the leadership of the PBC, the China UnionPay and commercial banks have stepped up efforts in reconstructing or installing IC card processing terminals, which brings intensifying testing accordingly. Currently, the testing of IC card processing terminals mainly comprises the Level 1 testing, Level 2 testing and contactless terminal testing.
(1) Level 1 testing
Level 1 testing is the card reader module testing under Part 2 of the China Financial Integrated Circuit Card Testing Specifications, and is the most fundamental requirement for ensuring the compatibility between the terminal and the IC card. Since the testing for IC card processing terminals started in 1998, it has included the testing of basic communication parameters of terminals. However, due to the limitations in testing infrastructure, there are not many testing items available. In 2005, the Bank Card Test Center set up the EMV International Lab and learned from international testing practices and technologies. The bottom layer testing for processing terminals was separated as the Level 1 testing items. Level 1 testing can tell whether the terminal can communicate with standard IC cards, based on which applications in need can be developed to enable transactions. At present, the Level 1 testing includes over 200 cases on contact mechanical property, electrical property, card operating process, reset response, protocol and terminal transmission layer, which are fully compatible with international standards.
(2) Level 2 testing
Level 2 testing is the application kernel testing under Part 2 of the China Financial Integrated Circuit Card Testing Specifications, and aims to ensure the conformity with standards in terms of all operations and transaction process at the terminal. Terminals passing the Level 2 testing can process transactions with the IC cards. Depending on the application types supported by the terminal, Level 2 testing can be divided into electronic wallet/passbook testing, debit/credit testing and electronic cash testing. Some terminals may support only one application while others may support multiple ones. Compared with Level 1 testing, Level 2 testing is more complicated with a large number of testing items. It requires more human-machine interaction and experienced testing personnel. Level 2 testing items shall change accordingly with applications. The Level 2 testing for debit/credit application leads in the number of testing items, which include over 2,000 cases on 16 aspects such as Application Selection, Application Security, Encipherment Algorithm, Interface File and Commands Schematics. It takes around two weeks to complete the full test.
(3) Contactless terminal testing
Testing of contactless communication interface and application functions for terminals can significantly improve the compatibility of terminals and the success rate of card swiping. In recent years, along with the development of contactless applications, the requirements for the card reading capability of contactless terminals have become increasingly stringent. In response, the Bank Card Test Center has invested more in the R&D of contactless testing, such as importing the most advanced testing equipment to design and developed relevant testing cases. The testing of the simulation and digital parameters of contactless terminals in China has reached the international level, and can basically satisfy the needs of contactless terminal testing.
3. Testing of IC personalization and network access of terminals
In addition to the testing of IC cards and IC card processing terminals, the testing of IC personalization and network access of terminals is also a major part of IC card testing. Before issuance of IC cards and installation of processing terminals by the acquirer, the IC cards shall be network-based. This requires the control at the card issuance and processing stage to complete the testing for IC personalization and network access of terminals.
(1) Testing of IC card personalization
The testing of IC card personalization is conducted before card issuance by commercial banks, and aims to examine whether the personalized data in the card complies with PBOC 2.0the business and risk parameter settings in the card are accurate, and the card and the terminals the UnionPay network are well interconnected with each other. The issuing bank can select an appropriate template from the 11 standard personalization templates provided by the China UnionPay and then fill in the personalization data for testing.
(2) Network access testing for IC card processing terminals
The objective of network access testing for IC card processing terminals is to check the interconnection between the terminal and PBC cards, and between the terminal and the UnionPay network. Based on the type of network access, the testing can be divided into network access testing for directly connected terminals and network access testing for indirectly connected terminals: the former tests the terminals directly connected with the UnionPay network, the main job of which is to test the networking capability of directly-connected terminals according to the terminal data message format required by China UnionPay’s requirements ; meanwhile the latter tests the terminals indirectly connected with the UnionPay network through the network of acquirers, the major duty of which is to test whether the indirectly-connected terminal can intercommunicate with the UnionPay network in terms of using the network of acquirers to transfer transaction messages.
4. Testing of IC card systems
The PBC promulgated the Technical Guidelines on the Conformity and Security Testing of Bank Card Systems of Commercial Banks (hereinafter the “Testing Guidelines”) in order to standardize and secure the bank card system in commercial banks, and required commercial banks to test newly-issued cards accordingly. The Testing Guidelines also specifies requirements for the relevant tests of IC cards. The system test of IC cards examines system function, performance, risk monitoring, security, interconnection, documentation and outsourcing management, which reviews the bank card system from both the perspective of technology and management.
Under the guidance of the PBC, the Bank Card Test Center, as a participant in drafting the Testing Guidelines, has been supporting the PBC in bank card system testing. By the end of 2010, the Bank Card Test Center has carried out tests on magnetic strip card systems of seventeen commercial banks and IC card systems of six commercial banks in total.
IV. Conclusion and Outlook
(I) Increasingly diversified PBOC-compliant IC card products
Figure 1: IC card related products tests made between 2008 and 2010
The promotion of the serial standards for financial IC card testing has contributed to the emergence of a large number of IC card-related products conforming to the PBOC 2.0. Take the Bank Card Test Center as an example. Figure 1 suggests that the number of tests made for IC card-related products has been increasingly growing, with a year-on-year increase of 60% in 2009 and 155% in 2010.
(II) The improved quality of IC card products
Under the leadership of the PBC, a full-service testing system has been established by Bank Card Test Center after over a decade’s efforts, covering the whole process from IC cards to processing terminals and onwards to IC card systems, from the bottom physical equipment and communication to the high-level applications, and from functions to basic security. The implementation of the testing standards not only improves the product quality of enterprises, but also leads the enterprises to focus on both standards and applications. The technology and standardization levels of domestic IC card products have been improved remarkably. The China UnionPay has focused on testing the physical property of cards since the UnionPay cards sampling mechanism established in 2007. The sampling results show that the average pass rate in 2008 was 60%, 76.6% in 2009 and 76.1% in 2010. The quality of bank cards is improving in general, which sets the technical foundation for the massive application of financial IC cards.