Thu 22 June 2017

← Latest posts

« Home

What’s new in EMVLab

I set up EMVLab back in 2009, along with my former colleague, Mike Bond. We set out to provide useful tools for people working in payment systems development and research, and based on feedback from users I think broadly speaking it’s done its job. I’ve kept it up and running, but there have been some features which are now showing their age.

In the past few months I’ve moved the site to a dedicated virtual machine in UCL (resolving some reliability and performance problems), but this also gave me an opportunity to update some other aspects that I’ve long been putting off. This post summarises these updates, as well as some of my future plans.

HTTPS availability

EMVLab is now available over HTTPS, thanks to Let’s Encrypt. At least for now I am not re-directing HTTP to HTTPS or using HTTPS-enforcing measures like HSTS. This is because one of the principles behind EMVLab was that it should require the bare minimum in terms of browser capability. Workstations in some payment systems companies are incredibly locked-down and so features like Javascript might not be available. I don’t know of any specific instances, but I could imagine that HTTPS is blocked in some cases too.

Basic handling of 3-byte tags

Many data structures in EMV are represented in tag-length-value format (part of the ASN.1 standard) and one of the most popular tools in EMVLab is the TLV decoder. When I set up the website all tags were one or two bytes long, and this assumption was built into the decoder. Since then the contactless EMV standards have now come out, and these do include 3-byte tags and so users of the site were reporting that the these broke the decoder.

I’ve now generalised the TLV decoder to handle arbitrary length tags (as per the specification), so such tags will not break the decoder. However I still have not updated the tag list so it will only describe tags present in EMV 4.1. Other tags will be shown and properly decoded, but identified as unknown tags. I hope to later update the list of tags to include more recent EMV tags, including contactless variants.

Basic handling of unknown tags

Related to the above, the EMV tag database will now generate a description for unknown tags. Obviously there’s not much that can be said about tags not in the database, but there is some structure in tag values as defined in the ASN.1 specification so I can tell whether the tag is constructed or primitive, and its class. For some tag ranges the EMV specification also states who can define new tags. These results are now shown.

Future plans

As mentioned above, I do plan to update the tag database. I also hope to incorporate some other helpful feedback I’ve received from users but have not yet had time to address. If you have particular requests please do get in touch either by email or the contact form.