SB n° 313 Update to Book C-5

EMV® Specification Bulletin No. 313 EMV® Specification Bulletin No. 313 Second Edition January 2026 Second Edition January 2026 Updates to EMV@ Book C-5 Applicability This Specification Bulletin applies to: • EMV® Contactless Specifications for Payment Systems, Book C-5 – Kernel 5 Specification, Version 2.11, June 2023 • EMV Specification Bulletin No. 313 First Edition Related Documents • None Effective Date • October 1st, 2026 Description This Specification Bulletin provides further updates to the first edition of EMV Specification Bulletin No. 313. Details of the changes will be provided from the next page onwards, with modifications from the first edition marked in yellow highlights. [Details of the Changes] ⚫ Description 1. Description Change of Outcome and Outcome Parameter for End Application (with restart On-Device CVM): ➢ The status of UI Request on Outcome Present has been changed from “Processing Error” to “Not Ready”. ➢ The Outcome has been changed from “End Application” to “Try Again”. 2. Clarification for TVR update before Generate AC processing in case of CDA failure: ➢ This specification bulletin is a clarification for TVR Byte 1 bit 3 (‘CDA Failed’) update in case of CDA failure： ✓ If CDA is failed due to 3.4.1.3, the Kernel shall set TVR Byte 1 bit 3 (‘CDA Failed’) to ‘1’ before Generate AC. ✓ If CDA is failed due to any reason other than 3.4.1.3, the Kernel shall set set TVR Byte 1 bit 3 (‘CDA Failed’) to ‘1’ after Generate AC. ➢ Requirement 3.4.1.4, which was removed by the first edition, has been reinstated. And update the current requirement using the TVR Byte 1 bit 3 (‘CDA Failed’) to use the newly © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 1 EMV® Specification Bulletin No. 313 Second Edition January 2026 introduced TVR Byte 5 bit 3 (‘CA public key missing’). ➢ Add Annex A.10 and update Table B-1 to address the newly introduced TVR Byte 5 bit 3 (‘CA public key missing’). ➢ Update Table D-1, Byte5 to reflect the updates to Requirement 3.4.1.4. 3. Update to the Requirement (Generate AC Response Analysis): The requirements have been updated to provide an End Application Outcome if the Terminal Interchange Profile does not indicate ‘EMV contact chip supported’. The following section provides details. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 2 EMV® Specification Bulletin No. 313 Second Edition January 2026 1. Description Change of Outcome Parameter for End Application (with restart - On-Device CVM) (1) Replace requirement 3.12.9 as follows. 3.12.9 Try AgainEnd Application (with restart - On-Device CVM) Requirement – On-Device CVM to be Performed 3.12.9.1 If the Kernel is informed that the transaction shall be reattempted to allow entry of a Confirmation Code into a mobile device, Then the Kernel shall provide an End ApplicationTry Again Outcome with the following parameters: End ApplicationTry Again: ・Start: B ・Online Response Data: N/A ・CVM: N/A ・UI Request on Outcome Present: Yes Message Identifier: ‘20’ (“See Phone for Instructions”) Status: Processing Error Not Ready Hold Time: 13 ・UI Request on Restart Present: Yes Message Identifier: ‘21’ (“Present Card Again”) Status: Ready to Read ・Data Record Present: No ・Discretionary Data Present: No ・Alternate Interface Preference: N/A ・Receipt: N/A ・Field Off Request: 13 ・Removal Timeout: Zero © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 3 EMV® Specification Bulletin No. 313 Second Edition January 2026 (2) Replace requirement 3.8.1.5 as follows. Requirement – GENERATE AC Response Analysis 3.8.1.5 If the Status Word returned by the card is equal to ‘6986’, Then the Kernel shall terminate the transaction with an End ApplicationTry Again (with restart, On-device CVM) Outcome as defined in section 3.12.9 . This Status Word indicates that the CVM shall be performed on the cardholder device prior to attempting the transaction (e.g. a Confirmation Code shall be entered on the mobile device). © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 4 EMV® Specification Bulletin No. 313 Second Edition January 2026 3. Clarification for TVR update before Generate AC processing in case of CDA failure (1) Replace the section 3.4.1.3 as follows. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 5 3.4.1.3 If the Transaction Mode is ‘EMV Mode’ And Offline Data Authentication is supported (implementation and acquirer option) And the AIP (Tag ‘82’) indicates that CDA is supported (Byte 1 bit 1 is ‘1’) And any of the following Data Elements is absent from the card: Certification Authority Public Key Index (Tag ‘8F’) Issuer Public Key Certificate (Tag ‘90’) Issuer Public Key Exponent (Tag ‘9F32’) Issuer Public Key Remainder (Tag ‘92’), when required (based on the sizes of tags ‘9F46’ and ‘90’, when both are present) ICC Public Key Certificate (Tag ‘9F46’) ICC Public Key Exponent (Tag ‘9F47’) ICC Public Key Remainder (Tag ‘9F48’), when required (based on the ICC Public Key Length and the size of tag ‘9F46’, when both are present) Then the Kernel shall set TVR Byte 1 bit 6 (‘ICC Data Missing’) and Byte 1 bit 3 (‘CDA Failed’) to ‘1’.4 (except for when Issuer Public Key Remainder (Tag ‘92’) and ICC Public Key Remainder (Tag ‘9F48’) are not required)5 4 If CDA is failed due to 5.4.1.3, the Kernel shall set TVR Byte 1 bit 3 (‘CDA Failed’) to ‘1’ before Generate AC.If the AIP (Tag ‘82’) indicates that CDA is supported (Byte 1 bit 1 is ‘1’), and if CDA processing is failed due to any reason other than 5.4.1.3 such as CAPK index mismatch, the Kernel shall set TVR byte1bit3 (CDA failed) to “1” after Generate AC processing in accordance with the section 5.8.2.1. 5 If the kernel performs the validation of certificates during CDA Signature verification, it is not mandatory to set TVR Byte 1 bit 6 (‘ICC Data Missing’) and TVR Byte 1 bit 3 (‘CDA Failed’) to ‘1’ when the Issuer Public Key Remainder (Tag'92') and ICC Public Key Remainder (Tag'9F48') are required, but absent from the card. © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 6 EMV® Specification Bulletin No. 313 Second Edition January 2026 (2) To ensure clarity of the requirements, remove section 3.4.1.4 and integrate its content as a note into section 3.4.1.3. Requirement 3.4.1.4, which was removed by the first edition, has been reinstated and inserted below. 3.4.1.4 If the Transaction Mode is ‘EMV Mode’ And Offline Data Authentication is supported (implementation and acquirer option) And the AIP (Tag ‘82’) indicates that CDA is supported (Byte 1 bit 1 is ‘1’) And the Certification Authority Public Key corresponding to the CAPK index (Tag ‘8F’) provided by the card is not present in the Kernel configuration data, Then the Kernel shall set TVR Byte1 bit 8 (‘Offline Data Authentication is not performed’) and Byte 15 bit 3 (‘CDA FailedCA public key missing’) to ‘1’. (Note: the kernel recovers the Issuer public key or ICC public key later during the transaction to optimise the performance. If this processing is failed, kernel shall set TVR Byte1bit3 (CDA failed) to “1” after Generate AC processing in accordance with the section 3.8.2.1.) 3.4.1.4 If the Transaction Mode is ‘EMV Mode’ And Offline Data Authentication is supported (implementation and acquirer option) And the Certification Authority Public Key corresponding to the CAPK index (Tag ‘8F’) provided by the card is not present in the Kernel configuration data, Then the Kernel shall set TVR Byte 1 bit 3 (‘CDA Failed’) to ‘1’. (Note: the kernel recovers the ICC public key later during the transaction to optimise the performance). © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 7 EMV® Specification Bulletin No. 313 Second Edition January 2026 (3) Replace the requirement 3.8.1.4 as follows. 3.8.1.4 If Offline Data Authentication is supported (implementation and acquirer option) And the AIP (Tag ‘82’) indicates that CDA is supported (Byte 1 bit 1 is ‘1’) And the TVR (Tag ‘95’) does not indicate ‘CA public key missing’ (Byte 5 bit 3 = ‘0’), Then the Kernel shall request a CDA Signature in the Reference Control Parameter (bit 5 is set to ‘1’). © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 8 EMV® Specification Bulletin No. 313 Second Edition January 2026 (4) Add the definition of Terminal Verification Results as A.10 in Appendix A and update the “specified” column for Terminal Verification Results in Appendix B. A.10 Terminal Verification Results (Tag ‘95’) Table A-10: Terminal Verification Results TVR Byte 1 (Leftmost) b8 b7 b6 b5 b4 b3 b2 b1 Meaning 1 Offline data authentication was not performed 0 SDA failed (N/A in this specification) 1 ICC data missing 1 Card appears on terminal exception file 0 DDA failed (N/A in this specification) 1 CDA failed x x Each bit RFU TVR Byte 2 b8 b7 b6 b5 b4 b3 b2 b1 Meaning 0 ICC and terminal have different application versions (N/A in this specification) 1 Expired application 1 Application not yet effective 1 Requested service not allowed for card product 0 New card (N/A in this specification) x x x Each bit RFU TVR Byte 3 © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 9 EMV® Specification Bulletin No. 313 Second Edition January 2026 b8 b7 b6 b5 b4 b3 b2 b1 Meaning 1 Cardholder verification was not successful 1 Unrecognised CVM 0 PIN Try Limit exceeded (N/A in this specification) 1 PIN entry required and PIN pad not present or not working 1 PIN entry required, PIN pad present, but PIN was not entered 1 Online PIN entered x x Each bit RFU TVR Byte 4 b8 b7 b6 b5 b4 b3 b2 b1 Meaning 1 Transaction exceeds floor limit 0 Lower consecutive offline limit exceeded (N/A in this specification) 0 Upper consecutive offline limit exceeded (N/A in this specification) 1 Transaction selected randomly for online processing 1 Merchant forced transaction online x x x Each bit RFU TVR Byte 5 (Rightmost) b8 b7 b6 b5 b4 b3 b2 b1 Meaning 1 Default TDOL used (N/A in this specification) 1 Issuer authentication failed 1 Script processing failed before final GENERATE AC © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 10 EMV® Specification Bulletin No. 313 Second Edition January 2026 b8 b7 b6 b5 b4 b3 b2 b1 Meaning 1 Script processing failed after final GENERATE AC 0 RFU 1 CA public key missing x x Each bit RFU Table B-1: Data Elements Dictionary Name Description Terminal Status of the different functions as seen Verification Results from the terminal (TVR) Source Kernel Pre sence M Format b Specified Tag Length Kernel ‘95’ 5 See A.10 © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 11 EMV® Specification Bulletin No. 313 Second Edition January 2026 (5) Update the bit meaning and values of Default Terminal Action Code Byte 5 bit 3 in Appendix D. Table D-1: Default Terminal Action Code values Terminal Action Code – Byte 1 (Leftmost) Meaning Offline data authentication was not performed SDA failed ICC data missing Card appears on terminal exception file DDA failed CDA failed RFU RFU Denial 0 0 0 0 0 1 0 0 Online 1 0 0 1 0 0 0 0 Default 1 0 0 1 0 0 0 0 Terminal Action Code – Byte 2 Meaning ICC and terminal have different application versions Expired application Application not yet effective Requested service not allowed for card product New card RFU RFU RFU Denial 0 Online 0 Default 0 0 1 1 0 1 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Terminal Action Code – Byte 3 Meaning Cardholder verification was not successful Denial 0 Online 0 Default 0 © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 12 EMV® Specification Bulletin No. 313 Second Edition January 2026 Meaning Unrecognised CVM PIN Try Limit exceeded PIN entry required and PIN pad not present or not working PIN entry required, PIN pad present, but PIN was not entered Online PIN entered RFU RFU Denial 0 0 0 0 0 0 0 Online 0 0 0 Default 0 0 0 0 0 0 0 0 0 0 0 Terminal Action Code – Byte 4 Meaning Transaction exceeds floor limit Lower consecutive offline limit exceeded Upper consecutive offline limit exceeded Transaction selected randomly for online processing Merchant forced transaction online RFU RFU RFU Denial 0 0 0 0 Online 1 0 0 1 Default 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Terminal Action Code – Byte 5 (Rightmost) Meaning Default TDOL used Issuer authentication failed Script processing failed before final GENERATE AC Script processing failed after final GENERATE AC Denial 0 0 0 0 Online 0 0 0 Default 0 0 0 0 0 © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 13 EMV® Specification Bulletin No. 313 Meaning RFU CA public key missing RFU RFU Second Edition January 2026 Denial 0 0 0 0 Online 0 1 0 0 Default 0 1 0 0 4. Update to the Requirement – Generate AC Response Analysis Replace the section 3.8.1.6 as follows. Requirement – GENERATE AC Response Analysis 3.8.1.6 If the Status Word returned by the card is equal to ‘6984’, Then If the Terminal Interchange Profile (dynamic) indicates ‘EMV contact chip supported’ (byte 1 bit 2 = ‘1’), Then the Kernel shall terminate the transaction with a Try Another Interface Outcome as defined in section 3.12.6. Else The kernel shall terminate the transaction with End Application Outcome as defined in section 3.12.7. This Status Word indicates that the card is a dual-interface card that prefers to conduct the transaction using the contact interface. End of document © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 14 EMV® Specification Bulletin No. 313 Second Edition January 2026 Legal Notice The EMV® Specifications are provided “AS IS” without warranties of any kind, and EMVCo neither assumes nor accepts any liability for any errors or omissions contained in these Specifications. EMVCO DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT, AS TO THESE SPECIFICATIONS. EMVCo makes no representations or warranties with respect to intellectual property rights of any third parties in or in relation to the Specifications. EMVCo undertakes no responsibility to determine whether any implementation of the EMV® Specifications may violate, infringe, or otherwise exercise the patent, copyright, trademark, trade secret, know-how, or other intellectual property rights of third parties, and thus any person who implements any part of the EMV® Specifications should consult an intellectual property attorney before any such implementation. Without limiting the foregoing, the Specifications may provide for the use of public key encryption and other technology, which may be the subject matter of patents in several countries. Any party seeking to implement these Specifications is solely responsible for determining whether its activities require a license to any such technology, including for patents on public key encryption technology. EMVCo shall not be liable under any theory for any party’s infringement of any intellectual property rights in connection with the EMV® Specifications © 2026 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries. Page 15