How to Read Contactless EMV Cards

NFC EMV Explorer

We will instruct here how to read data from payment contactless cards such as Visa, Mastercard, or American Express. Everything in this post is confirmed during our application development.

These instructions cover only the NFC session between the card and the card reader, till the point where the card can be removed from the NFC field.

The payment transaction is still to be continued after that, according to the payment schemes (Visa Mastercard, AmEx, Interac, etc.). This phase is out of scope here.

Why someone would need to read contactless data without actually making a payment transaction? Sometimes cards are need to be read to identify card PAN (or DPAN in case of Google Pay or Apple Pay) and use it as a pass or discount token for certain services that have already been purchased with the same card.

• One example would be an account-based transit fare collection system (see more details here).
• Another example could be a campus-like card, i.e. Wonderland or Zoo pass.

The following needs at least some understanding of EMV process. That is why we strongly recommend that you use our NFC EMV Explorer app which literally walks your thought this process.

Step-by-Step Instructions

For better understanding the instructions below, we will be using screenshots obtained with the help of our EMV NFC Explorer App

Step 1. Please follow How To Read NFC Card Directories first. You can continue if you have found at least one Directory Entry in the card. Otherwise, this is not an EMV card.

Step 2. Select a payment application by issuing Select command with an ADF name found in the Directory Entry. The response data is a bit different in two cases (at least for the cards we tested):

• The response does not have the card PDOL (tag “9F38”)
• The response has the card PDOL tag. To our experience, If this is a virtual card application within Google Pay or Apple Pay, the response most likely has the card PDOL tag.

Step 3. Prepare formatted terminal PDOL List. if your obtained a card PDOL tag on the previous step, it is strongly recommended that you prepare a formatted terminal PDOL which needs to be used on the following step. The formatted terminal PDOL is a hex string which includes all terminal data elements that the card requested in the card PDOL tag.

Formatting the terminal PDOL properly is not an easy thing to do. This is probably the most sophisticated piece of code in our NFC EMV Explorer app.

Step 4. Execute Get Processing Options (GPO) command and include in its request body the formatted terminal PDOL (if your obtained a card PDOL tag on Step 2).

If you did everything well so fare, you get the AFL (Application File Locator – Tag “94”) in the response.

Step 5. Read records. If GPO returns the AFL, you can derive what records you have to read from the AFL. The latter has the full list of card records relevant to this EMV application.

If GPO fails or does not respond with the AFL, it is really a challenge to read records. In some cases the card does not allow doing this. When it does, you need to know which records to read, and this depends on the payment application (ADF and kernel).

Step 6. Execute Generate AC command. Visa does not require this. Mastercard and Interac – does.

After that, you should instruct your NFC reader to turn off the electromagnetic field, to prevent potential card damage.

Step 7. Find card PAN. It can be either in GPO Response, or in records you have read. It may be located in the following tags:

• PAN (tag “5A”)
• Track 1 equivalent data (tag “56”)
• Track 2 equivalent data (tag “9F6B”)

Please note, that if this is a virtual card application within Google Pay, you will get DPAN, not PAN. See related problems here.

You cannot find CVV1 or CVV2 in the card data you read.

Surprisingly, some card disclose the actual cardholder name in tag 5F20 that they should not do.