EMV VERIFY command returning 69 85

Question

I'm trying to communicate with a card using my smart card reader, I'm using Jaccal in order to do this from my Java SE app. The problem I have is that even though I'm pretty sure my VERIFY command is right (offline PIN) I keep getting status word = 69 85 (Conditions of use not satisfied). So my command looks like this.

verify command:

00 20 00 80 08 24 94 94 FF FF FF FF FF

The PIN is 9494, since this is a test card I don't mind disclosing the PIN.

Regards Vic

Answer 1

The correct sequence for using the verify command would be the following

• Select Payment application

  00A4040007A000000003101000
  (or 00A4040007A000000004101000, or whatever application you want to use)
  

• Get Processing Options

  80A8000002830000
  (possibly with adapted data objects according to PDOL)
  

• (optionally) check the current PIN try counter

  80CA9F1700
  

• Verify the PIN (if card supports VERIFY with plain text PIN)

  002000800824xxxxFFFFFFFFFF
  (where xxxx is a 4 digit PIN)
  

As found out, only one PIN VERIFY command will be accepted.

Answer 2

Status word=69 85 is defined as "Command not allowed" ("conditions of use not satisfied", as you mentioned), in EMV 4.3 book 3, section '6.3.5 Coding of the Status Bytes'

Providing the whole EMV dialog between your application and card would help troubleshooting, but here are some common cases in which this issue could happen :

• The VERIFY command sequence of execution is invalid. From section "10.5 Cardholder Verification"

"This function may be performed any time after Read Application Data and before completion of the terminal action analysis."

• Your card doesn't support offline pin verification.

To validate if you respect the VERIFY command sequence of execution, here is an example of a typical sequence of execution :

1. SELECT FILE
2. GET PROCESSING OPTIONS
3. READ RECORD (as many times as required)
4. GET DATA
5. VERIFY
6. GENERATE APPLICATION CRYPTOGRAM

To check if your card supports offline PIN verification :

1. Check the Application Interchange Profile field (AIP, tag 82) returned in response to the GET PROCESSING OPTIONS command. Byte 1, Bit 5 should be set to 1 if cardholder verification is supported, as explained in section '10.5 Cardholder Verification'. Example of an AIP value : 1C 00
2. In Cardholder Verification Method (CVM) List (tag 8E), ensure you have a valid CVM rule with byte 1, bit 1 = 1 (meaning "Plaintext PIN verification performed by ICC", annex 'C3 Cardholder Verification Rule Format'). The CVM list starts with 2 amount fields of 4 bytes each, and then a variable number of 2 bytes CVM rules. Example of a CVM list whose last rule forces offline pin : 00 00 00 00 00 00 00 00 02 01 01 00.