EMV® — developed and managed by American Express, Discover, JCB, Mastercard, UnionPay, and Visa — is a global standard for credit cards that uses computer chips to authenticate (and secure) chip-card transactions.

The certificate of the smart card cannot be retrieved from the smartcard reader. It can be a problem with the smartcard reader hardware or the smartcard reader's driver software. Verify that you can use the smartcard reader vendor's software to view the certificate and the private key on the smartcard. The smartcard certificate has expired. Alcor SmartCard Reader Driver for Windows 10 (32-bit), 8.1 (64-bit), 8 (64-bit), 7 (32-bit, 64-bit) - ThinkPad T540p, W540, W541. When an EMV card is inserted into a chip reader, the card essentially tells the reader that it is authentic, and the transaction is processed without any data exchange. Processed transactions are stored up. Download EMVSCARD DS Smart Card B card reader drivers or install DriverPack Solution software for driver update. Both product previews for debit and credit EMV card issuance prompted significant registered interest. MUNICH, Germany, 20 December, 2016 – Matica Technologies AG, has accelerated the dates for the completion of its latest product introductions for the instant card issuance market after a significant number of companies attending Trustech.

You probably have a lot of questions. So we’ll walk you through everything you need to know.

Everything About EMV

Intro to Chip Card Technology

The nationwide EMV migration is well underway. Banks are issuing new credit cards with EMV chips. But what exactly is EMV? EMV or chip cards, are the new, more secure credit cards we’re currently transitioning to in the U.S. EMV chips encrypt bank information making it far more secure than the old magstripe cards. This is important since the United States has a pretty serious issue with credit card fraud.

So how exactly will this affect your business? For starters, you’ll need a new processing device to read the information in the chip cards. And as of October 2015, businesses that don’t have an EMV processing device could be on the hook for fraudulent chip card transactions. (This is something called the “liability shift,” which we’ll go into below).

Drivers Emvscard Ds

As you might imagine, EMV is a pretty hot topic right now. There’s a lot of information to sift through. And because any EMV card discussion usually mentions “fraud” and “liability,” it’s natural that it could put small business owners on edge.

But, rest easy—we’ve got you covered. The Square contactless and chip reader accepts EMV and NFC payments like Apple Pay, protects you from the liability shift, and is just $49.

In this guide we’ll explain what EMV is, how credit card chips work, the liability shift and what it means for your business, and how you can protect yourself and accept chip cards and NFC payments.

Are all credit cards with chips EMV-compliant?

Not necessarily. But the vast (vast) majority of credit cards that have chips are EMV-compliant. If you have questions about your credit card and whether it’s EMV-compliant, contact your issuing bank.

Accept chip cards everywhere.

Order the Square contactless and chip reader.

Why are we switching to EMV?

The United States is switching over to chip cards in an effort to curb credit card fraud. In fact, even though the United States has a quarter of the world’s credit card transactions, almost half of the world’s credit card fraud happens here. This is because magnetic-stripe cards use an outdated technology and easy for fraudsters to counterfeit. Chip cards, on the other hand, are way more secure. An EMV credit card chip is actually a super-small computer that’s extremely hard to counterfeit. When the data is transmitted during a card transaction, it’s encrypted which means even if bad guys intercepted the information, they probably wouldn’t be able to do anything with it. So as a country we’re switching to cards with EMV chips. The recent high-profile security breaches at some of the country’s largest retailers have added motivation to make the switch quickly.

How much do EMV readers cost?

As mentioned above, on average an EMV card reader costs between $500 and $1,000, which isn’t chump change. But fortunately it doesn’t have to cost that much. The Square contactless and chip reader—which accepts both EMV and NFC payments — just $49. Order yours here.

How do you process an EMV transaction?

You dip the credit card vertically, chip first, into an EMV-enabled reader instead of swiping it horizontally on a magstripe reader.

What’s the deal with this “liability shift”?

Here’s the lowdown: It used to be that if you ran a fraudulent card, the banks absorbed the costs. But as of October 2015, if someone pays with a fraudulent chip card, and you’re not set up with an EMV card reader, it’s possible that the banks are no longer be liable. So say, for example, a fraudster buys $30 worth of hot sauce from a restaurant with a counterfeit EMV chip card. If the restaurant doesn’t have a chip card reader to process the transaction, it could be on the hook for the $30. Read more about the liability shift in our Simple Guide to the Liability Shift.

Am I legally required to accept EMV?

There’s actually no law that requires businesses to be EMV compliant by the liability shift. It’s up to each individual seller to decide whether or not to upgrade. What has changed is the way that the banks and the processing networks handle fraudulent charges. But even though the EMV liability shift is not officially a law, it’s a good idea to protect yourself by ordering an EMV reader (like the Square contactless and chip reader) soon so you can accept the most secure forms of payment.

Why do EMV transactions take so long?

If you’ve paid with a chip card, you know firsthand that they take significantly longer to process than magstripe cards. The card has to be inserted into the reader for the entirety of the transaction — which can take several seconds. This is all while the security technology is at work. What’s happening is that the EMV chip on the credit card is talking back and forth with the EMV reader to make sure you are who you say you are. However, the sluggishness is noticeable — especially for a technology that many people think is new.

The fact that EMV transactions take so long will likely push forward the adoption of faster, more convenient payment methods like NFC. NFC payments— also known as contactless payments — are just as secure as EMV payments but take a fraction of the time because they go through your mobile device.

Is EMV new technology?

No. In fact, EMV has been the standard in nearly every major market except for the U.S. for decades (which you’ve probably noticed if you’ve traveled to Europe or Canada). According to a report by payment-processing company First Data, it’s now estimated that 70 percent of non-U.S. credit card terminals are EMV chip card enabled.

Does EMV chip cards security make a difference?

Definitely. Credit card chips have been proven to help curb fraud — especially in Europe, where roughly 90 percent of credit card terminals are now EMV enabled. The UK has seen a nearly 70 percent decline in counterfeit card transactions since adopting chip cards, according to Barclays. Similarly, in Canada, research firm Aite Group reports that losses from counterfeit, lost, and stolen cards dropped from $245 million in 2008 to $112 million in 2013.

Why has it taken the U.S. so long to get on the EMV bandwagon?

Switching to EMV seems like a no-brainer, so why have we been dragging our feet here in the U.S.? The biggest reason is cost. Switching out all our cards and payment processing systems — things like ATMs, registers, vending machines, self-service kiosks, ticket terminals — will cost anywhere between $8 billion and $12 billion. Some serious sticker shock.

But it’s a worthy investment (and also worthy of fast-tracking) when you put that in context with how much we’re losing to fraud each year. According to a Nilson report, we lost over $5.3 billion to credit card fraud in 2013, up 14.5 percent since 2012. The switch to EMV will help curtail that number.

When will everyone have chip cards?

The shift to EMV is not going to happen overnight, but it’s moving along steadily. Chances are you’ve already gotten a chip card from your bank and seen some of your customers pay with them. Some data to illustrate the progression: In March of 2015, just 17 percent of cards swiped at businesses with Square Stand or Reader had a credit card chip. By August 2015, that jumped to roughly 36 percent. In July 2016 the number of EMV cards processed through Square’s system was up to 71 percent and we expect it to be around 75 percent by the end of the year.

Given this adoption rate, it’s a good idea to prepare your business now — especially as more and more people come to recognize EMV as a more secure way to pay.

When will you need an EMV reader or terminal?

There’s no hard deadline to purchase a EMV reader or credit card machine, but it’s a good idea to get one soon to protect your business and be covered for the liability shift.

How can I accept EMV at my business?

To accept EMV at your business, you’ll need a new, EMV-enabled credit card reader. Chip cards are processed differently than magnetic-stripe cards. They’re dipped vertically (EMV chip part down) instead of swiped horizontally. We like to call it the “chip and dip.” So you’ll need a reader that’s set up with the technology to process them. The Square contactless and chip reader accepts EMV and is just $49. It also accepts NFC (“contactless”) payments like Apple Pay.

How do I use Square’s EMV reader?

Square’s EMV reader is easy to use and compatible with iOS and Android.

  1. Purchase Square’s contactless and chip reader, which turns most smartphones or tablets into an EMV reader.
  2. Download the Square Point of Sale app for iOS or Android.
  3. Ring up your customer in the Square app.
  4. Insert your customer’s EMV-enabled card into the reader. Wait for all of the lights to flash from red to green when the transaction is successful. Square’s reader lets you know when you can remove the card.
  5. Receive your transfers as soon as the next business day. Square sends payments directly to your bank account in one to two business days.

What’s the difference between EMV vs. NFC?

EMV and NFC are often mentioned in the same conversations. That’s because they both represent the future of more secure, authenticated payments. However, they’re not interchangeable (a common mistake people make). EMV and NFC are actually entirely different technologies.

While EMV® (developed and managed by American Express, Discover, JCB, Mastercard, UnionPay, and Visa) is synonymous with chip card technology, NFC (which stands for “near field communication”) goes hand in hand with contactless, mobile payments. Basically, NFC is the technology that allows smartphones and other devices (like a payments reader) to communicate with each other when they’re close together. The devices have to be close, though (that’s the “near” part), usually around two inches or less.

What are some other payments trends to watch for?

Soon, NFC contactless payments (aka mobile payments) will begin to pick up steam. This means that more and more, people will start paying for things via their smartphones and watches. You can already see contactless payments in action at large retailers across the country — places like Walgreens, Whole Foods, and Home Depot, for example.

The progression towards contactless payments is natural. After all, our mobile devices are becoming like another limb. We increasingly look to our smartphones and watches to take care of daily life — relying on them for things like email, social media, and even health monitoring. So it makes sense that we’ll want to use our mobile devices to pay for stuff. (For one, it means you no longer have to carry around a wallet stuffed to the brim).

What’s more, contactless payments like Apple Pay are just as secure as EMV payments. They’re dynamically encrypted through something called tokenization, making them virtually impossible for fraudsters to hack. Apple Pay is also protected by Apple’s fingerprint technology (Touch ID). So even if you lose your phone, all your bank details are protected.

As we mentioned before, while EMV transactions are secure, they’re pretty slow. This will likely push people (and businesses) towards faster, more convenient payment technologies like NFC. This will be especially true once people realize they’re just as secure as chip cards.

We’ve seen this trend abroad — countries that have already adopted EMV as the standard have seen a faster acceleration of mobile payments adoption. So it’s worth getting yourself set up to accept both EMV and NFC at your business to stay current with how people will soon want to pay.

The Square contactless and chip reader accepts both EMV and NFC payments — so you can securely take any form of payment that comes across your countertop.

-->

This article provides some guidelines for enabling smart card logon with third-party certification authorities.

Original product version: Windows Server 2012 R2, Windows 10 - all editions
Original KB number: 281245

Summary

You can enable a smart card logon process with Microsoft Windows 2000 and a non-Microsoft certification authority (CA) by following the guidelines in this article. Limited support for this configuration is described later in this article.

More information

Requirements

Smart Card Authentication to Active Directory requires that Smartcard workstations, Active Directory, and Active Directory domain controllers be configured properly. Active Directory must trust a certification authority to authenticate users based on certificates from that CA. Both Smartcard workstations and domain controllers must be configured with correctly configured certificates.

As with any PKI implementation, all parties must trust the Root CA to which the issuing CA chains. Both the domain controllers and the smartcard workstations trust this root.

Drivers Emvscard Ds-82

Emvscard

Active Directory and domain controller configuration

  • Required: Active Directory must have the third-party issuing CA in the NTAuth store to authenticate users to active directory.
  • Required: Domain controllers must be configured with a domain controller certificate to authenticate smartcard users.
  • Optional: Active Directory can be configured to distribute the third-party root CA to the trusted root CA store of all domain members using the Group Policy.

Smartcard certificate and workstation requirements

  • Required: All of the smartcard requirements outlined in the 'Configuration Instructions' section must be met, including the text formatting of the fields. Smartcard authentication fails if they are not met.
  • Required: The smartcard and private key must be installed on the smartcard.

Configuration instructions

  1. Export or download the third-party root certificate. How to obtaining the party root certificate varies by vendor. The certificate must be in Base64 Encoded X.509 format.

  2. Add the third-party root CA to the trusted roots in an Active Directory Group Policy object. To configure Group Policy in the Windows 2000 domain to distribute the third-party CA to the trusted root store of all domain computers:

    1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
    2. In the left pane, locate the domain in which the policy you want to edit is applied.
    3. Right-click the domain, and then click Properties.
    4. Click the Group Policy tab.
    5. Click the Default Domain Policy Group Policy object, and then click Edit. A new window opens.
    6. In the left pane, expand the following items:
      • Computer Configuration
      • Windows Settings
      • Security Settings
      • Public Key Policy
    7. Right-click Trusted Root Certification Authorities.
    8. Select All Tasks, and then click Import.
    9. Follow the instructions in the wizard to import the certificate.
    10. Click OK.
    11. Close the Group Policy window.
  3. Add the third party issuing the CA to the NTAuth store in Active Directory.

    The smart card logon certificate must be issued from a CA that is in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store.

    • If the CA that issued the smart card logon certificate or the domain controller certificates is not properly posted in the NTAuth store, the smart card logon process does not work. The corresponding answer is 'Unable to verify the credentials'.

    • The NTAuth store is located in the Configuration container for the forest. For example, a sample location is as follows: LDAP://server1.name.com/CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=name,DC=com

    • By default, this store is created when you install a Microsoft Enterprise CA. The object can also be created manually by using ADSIedit.msc in the Windows 2000 Support tools or by using LDIFDE. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

      295663 How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store

    • The relevant attribute is cACertificate, which is an octet String, multiple-valued list of ASN-encoded certificates.

      After you put the third-party CA in the NTAuth store, Domain-based Group Policy places a registry key (a thumbprint of the certificate) in the following location on all computers in the domain:

      HKEY_LOCAL_MACHINESoftwareMicrosoftEnterpriseCertificatesNTAuthCertificates

      It is refreshed every eight hours on workstations (the typical Group Policy pulse interval).

  4. Request and install a domain controller certificate on the domain controller(s). Each domain controller that is going to authenticate smartcard users must have a domain controller certificate.

    If you install a Microsoft Enterprise CA in an Active Directory forest, all domain controllers automatically enroll for a domain controller certificate. For more information about requirements for domain controller certificates from a third-party CA, click the following article number to view the article in the Microsoft Knowledge Base:

    291010 Requirements for domain controller certificates from a third-party CA

    Note

    The domain controller certificate is used for Secure Sockets Layer (SSL) authentication, Simple Mail Transfer Protocol (SMTP) encryption, Remote Procedure Call (RPC) signing, and the smart card logon process. Using a non-Microsoft CA to issue a certificate to a domain controller may cause unexpected behavior or unsupported results. An improperly formatted certificate or a certificate with the subject name absent may cause these or other capabilities to stop responding.

  5. Request a smart card certificate from the third-party CA.

    Enroll for a certificate from the third-party CA that meets the stated requirements. The method for enrollment varies by the CA vendor.

    The smart card certificate has specific format requirements:

    • The CRL Distribution Point (CDP) location (where CRL is the Certification Revocation List) must be populated, online, and available. For example:

    [1]CRL Distribution Point
    Distribution Point Name:
    Full Name:
    URL=https://server1.name.com/CertEnroll/caname.crl

    • Key Usage = Digital Signature

    • Basic Constraints [Subject Type=End Entity, Path Length Constraint=None] (Optional)

    • Enhanced Key Usage =

      • Client Authentication (1.3.6.1.5.5.7.3.2)
        (The client authentication OID) is only required if a certificate is used for SSL authentication.)
      • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
    • Subject Alternative Name = Other Name: Principal Name= (UPN). For example:
      UPN = [email protected]
      The UPN OtherName OID is: '1.3.6.1.4.1.311.20.2.3'
      The UPN OtherName value: Must be ASN1-encoded UTF8 string

    • Subject = Distinguished name of user. This field is a mandatory extension, but the population of this field is optional.

  6. There are two predefined types of private keys. These keys are Signature Only(AT_SIGNATURE) and Key Exchange(AT_KEYEXCHANGE). Smartcard logon certificates must have a Key Exchange(AT_KEYEXCHANGE) private key type in order for smartcard logon to function correctly.

  7. Install smartcard drivers and software to the smartcard workstation.

    Make sure that the appropriate smartcard reader device and driver software are installed on the smartcard workstation. It varies by smartcard reader vendor.

  8. Install the third-party smartcard certificate to the smartcard workstation.

    If the smartcard was not already put into the smartcard user's personal store in the enrollment process in step 4, then you must import the certificate into the user's personal store. To do so:

    1. Open the Microsoft Management Console (MMC) that contains the Certificates snap-in.

    2. In the console tree, under Personal, click Certificates.

    3. On the All Tasks menu, click Import to start the Certificate Import Wizard.

    4. Click the file that contains the certificates that you are importing.

      Note

      If the file that contains the certificates is a Personal Information Exchange (PKCS #12) file, type the password that you used to encrypt the private key, click to select the appropriate check box if you want the private key to be exportable, and then turn on strong private key protection (if you want to use this feature).

      Note

      To turn on strong private key protection, you must use the Logical Certificate Stores view mode.

    5. Select the option to automatically put the certificate in a certificate store based on the type of certificate.

  9. Install the third-party smartcard certificate onto the smartcard. This installation varies according to Cryptographic Service Provider (CSP) and by smartcard vendor. See the vendor's documentations for instructions.

  10. Log on to the workstation with the smartcard.

Possible issues

Drivers Emv Card Ds Card

During smartcard logon, the most common error message seen is:

The system could not log you on. Your credentials could not be verified.

This message is a generic error and can be the result of one or more of below issues.

Certificate and configuration problems

  • The domain controller has no domain controller certificate.

  • The SubjAltName field of the smartcard certificate is badly formatted. If the information in the SubjAltName field appears as Hexadecimal / ASCII raw data, the text formatting is not ASN1 / UTF-8.

  • The domain controller has an otherwise malformed or incomplete certificate.

  • For each of the following conditions, you must request a new valid domain controller certificate. If your valid domain controller certificate has expired, you may renew the domain controller certificate, but this process is more complex and typically more difficult than if you request a new domain controller certificate.

    • The domain controller certificate has expired.
    • The domain controller has an untrusted certificate. If the NTAuth store does not contain the certification authority (CA) certificate of the domain controller certificate's issuing CA, you must add it to the NTAuth store or obtain a DC certificate from an issuing CA whose certificate resides in the NTAuth store.

    If the domain controllers or smartcard workstations do not trust the Root CA to which the domain controller's certificate chains, then you must configure those computers to trust that Root CA.

  • The smartcard has an untrusted certificate. If the NTAuth store does not contain the CA certificate of the smartcard certificate's issuing CA, you must add it to the NTAuth store or obtain a smartcard certificate from an issuing CA whose certificate resides in the NTAuth store.

    If the domain controllers or smartcard workstations do not trust the Root CA to which the user's smartcard certificate chains, then you must configure those computers to trust that Root CA.

  • The certificate of the smart card is not installed in the user's store on the workstation. The certificate that is stored on the smartcard must reside on the smartcard workstation in the profile of the user who is logging on with the smart card.

    Note

    You do not have to store the private key in the user's profile on the workstation. It is only required to be stored on the smartcard.

  • The correct smartcard certificate or private key is not installed on the smartcard. The valid smartcard certificate must be installed on the smartcard with the private key and the certificate must match a certificate stored in the smartcard user's profile on the smartcard workstation.

  • The certificate of the smart card cannot be retrieved from the smartcard reader. It can be a problem with the smartcard reader hardware or the smartcard reader's driver software. Verify that you can use the smartcard reader vendor's software to view the certificate and the private key on the smartcard.

  • The smartcard certificate has expired.

  • No User Principal Name (UPN) is available in the SubjAltName extension of the smartcard certificate.

  • The UPN in SubjAltName field of the smartcard certificate is badly formatted. If the information in the SubjAltName appears as Hexadecimal / ASCII raw data, the text formatting is not ASN1 / UTF-8.

  • The smartcard has an otherwise malformed or incomplete certificate. For each of these conditions, you must request a new valid smartcard certificate and install it onto the smartcard and into the profile of the user on the smartcard workstation. The smartcard certificate must meet the requirements described earlier in this article, which include a correctly formatted UPN field in the SubjAltName field.

    If your valid smartcard certificate has expired, you may also renew the smartcard certificate, which is more complex and difficult than requesting a new smartcard certificate.

  • The user does not have a UPN defined in their Active Directory user account. The user's account in the Active Directory must have a valid UPN in the userPrincipalName property of the smartcard user's Active Directory user account.

  • The UPN in the certificate does not match the UPN defined in the user's Active Directory user account. Correct the UPN in the smartcard user's Active Directory user account or reissue the smartcard certificate so that the UPN value in the SubjAltName field the matches the UPN in smartcard users' Active Directory user account. We recommend that the smart card UPN matches the userPrincipalName user account attribute for third-party CAs. However, if the UPN in the certificate is the 'implicit UPN' of the account (format [email protected]_FQDN), the UPN does not have to match the userPrincipalName property explicitly.

Revocation checking problems

If the revocation checking fails when the domain controller validates the smart card logon certificate, the domain controller denies the logon. The domain controller may return the error message mentioned earlier or the following error message:

The system could not log you on. The smartcard certificate used for authentication was not trusted.

Note

Emvscard

Failing to find and download the Certificate Revocation List (CRL), an invalid CRL, a revoked certificate, and a revocation status of 'unknown' are all considered revocation failures.

The revocation check must succeed from both the client and the domain controller. Make sure the following are true:

  • Revocation checking is not turned off.

    Revocation check for the built-in revocation providers cannot be turned off. If a custom installable revocation provider is installed, it must be turned on.

  • Every CA Certificate except the root CA in the certificate chain contains a valid CDP extension in the certificate.

  • The CRL has a Next Update field and the CRL is up to date. You can check that the CRL is online at the CDP and valid by downloading it from Internet Explorer. You should be able to download and view the CRL from any of the HyperText Transport Protocol (HTTP) or File Transfer Protocol (FTP) CDPs in Internet Explorer from both the smartcard workstation(s) and the domain controller(s).

Verify that each unique HTTP and FTP CDP that is used by a certificate in your enterprise is online and available.

To verify that a CRL is online and available from an FTP or HTTP CDP:

  1. To open the Certificate in question, double-click on the .cer file or double-click the certificate in the store.
  2. Click the Details tab, and select the CRL Distribution Point field.
  3. In the bottom pane, highlight the full FTP or HTTP Uniform Resource Locator (URL) and copy it.
  4. Open Internet Explorer and paste the URL into the Address bar.
  5. When you receive the prompt, select the option to Open the CRL.
  6. Make sure that there is a Next Update field in the CRL and the time in the Next Update field has not passed.

To download or verify that a Lightweight Directory Access Protocol (LDAP) CDP is valid, you must write a script or an application to download the CRL. After you download and open the CRL, make sure that there is a Next Update field in the CRL and the time in the Next Update field has not passed.

Support

Microsoft Product Support Services does not support the third-party CA smart card logon process if it is determined that one or more of the following items contributes to the problem:

Drivers Emvscard Ds 64

  • Improper certificate format.
  • Certificate status or revocation status not available from the third-party CA.
  • Certificate enrollment issues from a third-party CA.
  • The third-party CA cannot publish to Active Directory.
  • A third-party CSP.

Additional information

The client computer checks the domain controller's certificate. The local computer therefore downloads a CRL for the domain controller certificate into the CRL cache.

Drivers Emv Card Ds Visa

The offline logon process does not involve certificates, only cached credentials.

To force the NTAuth store to be immediately populated on a local computer instead of waiting for the next Group Policy propagation, run the following command to initiate a Group Policy update:

Emv Card Personalization

You can also dump out the smart card information in Windows Server 2003 and in Windows XP by using the Certutil.exe -scinfo command.