This page explains how to read contactless data from the Mastercard application on a card.
This flow is different from a complete Mastercard transaction flow. Why would someone need to read contactless data? Sometimes a card only needs to be read to identify its PAN (or DPAN, in the case of Google Pay or Apple Pay) and to use that number as a pass or discount token for services that were already purchased with the same card.
- One example is an account-based transit fare collection system (see more details here).
- Another is a campus-style card, e.g. a Wonderland or Zoo pass.
Please follow How To Read NFC Card Directories first. Continue only if you found a Directory Entry for Mastercard.
Step 1. Select the Mastercard application by issuing a SELECT command with the ADF name (AID) A0000000041010 (7 bytes: RID A000000004 followed by PIX 1010). For the purpose of this exercise the APDU response data is irrelevant, but the response does differ between two cases (at least for the cards we tested):
- If this is a physical card, the response does not contain a PDOL (tag 9F38).
- If this is a virtual card within Google Pay or Apple Pay, the response does contain a PDOL. Unlike the Visa case, this PDOL requests from the terminal some terminal-specific data objects and no transaction-specific ones at all; nor does it request an unpredictable number for dynamic data authentication (DDA). Unlike Visa, Mastercard performs DDA in a separate step of the transaction, GENERATE APPLICATION CRYPTOGRAM, which is out of our scope for the time being.
We also skip the GET PROCESSING OPTIONS command, simply because it is not needed to obtain the PAN.
Step 2. (This works with and without Google Pay or Apple Pay.) Issue a READ RECORD command for record #1 in file (SFI) #1 (sometimes SFI #2) and look there for tag 56, Track 1 Data.
After that, either instruct your NFC reader to switch off the electromagnetic field or quickly remove the card from the field.
Step 3. Extract the PAN from tag 56. The PAN digits are stored there as ASCII characters, one byte each: the value starts with the Track 1 format code B, followed by the PAN, followed by the ^ field separator. Note that if this is a virtual card within Google Pay or Apple Pay, you will get the DPAN, not the PAN. See related problems here.
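The three steps above as one runnable script. This is an added example, not code from the original page: it builds the SELECT and READ RECORD APDUs, parses the BER-TLV record, pulls the PAN out of tag 56 and falls back to SFI 2 when SFI 1 has no record. The APDU transport is assumed to be any callable `send(apdu) -> data + SW1SW2`; in a real setup you would wrap pyscard's `CardConnection.transmit`, while here a constructed `FakeCard` with canned responses stands in so the script runs offline. The PAN 5413330089099023 is a commonly used Mastercard test number, and the track and FCI contents are constructed for the example.

```python
"""Read the PAN from a Mastercard contactless application (added example)."""
from typing import Callable, Dict, Tuple

MASTERCARD_AID = bytes.fromhex("A0000000041010")  # RID A000000004 + PIX 1010
SW_OK = b"\x90\x00"


def select_aid(aid: bytes) -> bytes:
    # CLA=00 INS=A4 P1=04 (select by DF name) P2=00 (first occurrence) Lc AID Le=00
    return bytes([0x00, 0xA4, 0x04, 0x00, len(aid)]) + aid + b"\x00"


def read_record(sfi: int, record: int) -> bytes:
    # P1 = record number; P2 = (SFI << 3) | 0b100 -> "P1 is a record number, file given by SFI"
    return bytes([0x00, 0xB2, record, (sfi << 3) | 0x04, 0x00])


def tlv(tag: bytes, value: bytes) -> bytes:
    """BER-TLV encoder (lengths up to 255) used to build the constructed card data."""
    length = bytes([len(value)]) if len(value) < 0x80 else bytes([0x81, len(value)])
    return tag + length + value


def parse_tlv(data: bytes) -> Dict[bytes, bytes]:
    """Parse BER-TLV into {tag: value}; constructed tags (bit 6 set) are descended."""
    out: Dict[bytes, bytes] = {}
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):          # inter-object padding
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:             # multi-byte tag, e.g. 9F38, 5F20
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i]
        length = data[i]
        i += 1
        if length & 0x80:                    # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:
            out.update(parse_tlv(value))     # constructed: recurse into template
        else:
            out[tag] = value
    return out


def pan_from_track1(track1: bytes) -> str:
    """Tag 56 holds ASCII: format code 'B', PAN digits, '^', name, '^', YYMM, ..."""
    text = track1.decode("ascii")
    if not text.startswith("B"):
        raise ValueError("unexpected Track 1 format code %r" % text[:1])
    pan = text[1:].split("^", 1)[0]
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN field %r" % pan)
    return pan


def luhn_ok(pan: str) -> bool:
    """Sanity check on the extracted digits: every real PAN/DPAN satisfies Luhn."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def read_pan(send: Callable[[bytes], bytes]) -> str:
    """Step 1 SELECT, Step 2 READ RECORD (SFI 1, then SFI 2), Step 3 extract PAN."""
    resp = send(select_aid(MASTERCARD_AID))
    if resp[-2:] != SW_OK:
        raise IOError("SELECT failed, SW=%s" % resp[-2:].hex().upper())
    for sfi in (1, 2):
        resp = send(read_record(sfi, 1))
        if resp[-2:] != SW_OK:
            continue                          # e.g. 6A83 record not found: try next SFI
        record = parse_tlv(resp[:-2])
        if b"\x56" in record:
            return pan_from_track1(record[b"\x56"])
    raise LookupError("tag 56 (Track 1 Data) not found in record 1 of SFI 1 or SFI 2")


class FakeCard:
    """Constructed reader+card stand-in: answers the two APDUs this flow needs."""

    def __init__(self, records: Dict[Tuple[int, int], bytes]):
        self.records, self.selected = records, False

    def __call__(self, apdu: bytes) -> bytes:
        if apdu[:4] == b"\x00\xA4\x04\x00" and apdu[5:5 + apdu[4]] == MASTERCARD_AID:
            self.selected = True             # FCI without PDOL, like a physical card
            fci = tlv(b"\x6F", tlv(b"\x84", MASTERCARD_AID) + tlv(b"\xA5", tlv(b"\x50", b"MASTERCARD")))
            return fci + SW_OK
        if apdu[:2] == b"\x00\xB2" and self.selected:
            key = (apdu[3] >> 3, apdu[2])    # (SFI, record number)
            return self.records[key] + SW_OK if key in self.records else b"\x6A\x83"
        return b"\x6A\x82"                   # file or application not found


# Constructed sample: the record lives in SFI 2 only, so the SFI 1 attempt must fail over.
TRACK1 = b"B5413330089099023^ /^25122011000000000000000"
TRACK2 = bytes.fromhex("5413330089099023D25122010000000000000F")
SAMPLE_RECORDS = {(2, 1): tlv(b"\x70", tlv(b"\x56", TRACK1) + tlv(b"\x57", TRACK2))}

if __name__ == "__main__":
    pan = read_pan(FakeCard(SAMPLE_RECORDS))
    print("PAN:", pan, "(Luhn OK)" if luhn_ok(pan) else "(Luhn FAIL)")
```

To run against a real card, replace `FakeCard` with a function that calls your reader's transmit method and returns `bytes(data) + bytes([sw1, sw2])`; the rest of the flow is unchanged. A Luhn failure on the extracted digits usually means the record was parsed incorrectly, not that the card is fake.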
You will also find an expiration date somewhere in the card data you read, but it is not the real one. What you will not find in that data is the real cardholder name, CVV1 or CVV2.
All this makes the data you obtained useless for a fraudulent transaction, whether card-not-present (e-commerce, MOTO), with a faked chip, with a faked magnetic stripe or contactless.
That is why carrying and using NFC EMV contactless cards is safe. You do not need to keep your contactless card in an electromagnetic shielding sleeve, but you may wish to, because a reckless hacker trying to read your card data could damage the card's contactless antenna and chip by applying too strong a field for too long.