Reading the records referenced by SFIs (Short File Identifiers) is a required step in an EMV transaction: it is how the terminal requests the specific card elements it needs to process the transaction. Without them, the transaction cannot be completed. The tricky part is how the READ RECORD command is generated and where the terminal obtains the information to build it. In the next example, I will explain how the terminal generated the 00 B2 02 0C 00 (READ RECORD) command.

For this analysis, I will use partial communication between a card and terminal from a transaction. To analyze the SFIs, we will focus on the Card response 11: 80 06 18 00 08 02 04 00 90 00

Breaking apart the response:

  • 80: Format 1 type
  • 06: Response length
  • 18 00: AIP (Application Interchange Profile)
  • 08 02 04 00: The SFIs reference
  • 90 00: Status bytes – previous command processed correctly

To understand how the command 00 B2 02 0C 00 is built from the SFI reference, we need to do some conversion on the 08 byte in the SFI reference to obtain the real SFI:

First, we must shift 3 positions to the right because the real SFI is the first (most significant) 5 bits of the 0x08 byte. So 0x08 = 0000 1000, and after shifting three positions, 0x08 >> 3 = 0000 0001 = 0x01. We then have to shift the result 3 bits to the left and, finally, OR it with 4 to get the SFI byte used in the command. The last 3 bits have to be set to 100, which is why we combine the result with 4 = 00000100:

00000001 = 0x01
00001000 << 0x03
00000100 | 0x04
00001100 = 0x0C

With this context, we can expand all the possible combinations for that specific SFI. Using the SFI byte 0x0C, and knowing that the terminal has to build commands to read records 02 through 04 (08 02 04 00), we can create all the command combinations that will work for that specific card:

  • 00 B2 02 0C 00
  • 00 B2 03 0C 00
  • 00 B2 04 0C 00
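
The derivation above, as an added Python example that is not part of the original post: it parses the Format 1 response, splits the SFI reference into 4-byte entries, and builds the READ RECORD commands for each record. It goes beyond the single entry in the text by handling responses with several entries; the function names are my own, and it assumes a one-byte length field.

```python
SAMPLE = bytes.fromhex("80 06 18 00 08 02 04 00 90 00")  # card response 11 from the text

def parse_gpo_format1(resp: bytes):
    """Return (AIP, [(sfi, first_rec, last_rec, oda_count), ...])."""
    if len(resp) < 4 or resp[-2:] != b"\x90\x00":
        raise ValueError("status bytes are not 90 00")
    tag, length, value = resp[0], resp[1], resp[2:-2]
    if tag != 0x80:
        raise ValueError("not a Format 1 (tag 80) response")
    # Assumption: one-byte length. Value = 2-byte AIP + n * 4-byte entries.
    if length != len(value) or length < 2 or (length - 2) % 4:
        raise ValueError("length does not match AIP + 4-byte entries")
    aip, ref = value[:2], value[2:]
    entries = []
    for i in range(0, len(ref), 4):
        # Entry layout: SFI byte, first record, last record, and a count of
        # records used for offline data authentication (not needed here).
        sfi_byte, first, last, oda = ref[i:i + 4]
        sfi = sfi_byte >> 3              # real SFI: top 5 bits
        if sfi_byte & 0x07 or not 1 <= sfi <= 30:
            raise ValueError(f"invalid SFI byte {sfi_byte:02X}")
        if first == 0 or last < first:
            raise ValueError(f"invalid record range {first:02X}..{last:02X}")
        entries.append((sfi, first, last, oda))
    return aip, entries

def read_record_commands(entries):
    """Build one READ RECORD APDU per record in every entry."""
    cmds = []
    for sfi, first, last, _oda in entries:
        p2 = (sfi << 3) | 0x04           # 0x01 -> 0x0C, as derived above
        for rec in range(first, last + 1):
            cmds.append(bytes([0x00, 0xB2, rec, p2, 0x00]))
    return cmds

if __name__ == "__main__":
    aip, entries = parse_gpo_format1(SAMPLE)
    print("AIP:", aip.hex(" ").upper())
    for cmd in read_record_commands(entries):
        print(cmd.hex(" ").upper())
```

The validation steps reject a response whose low three bits in the SFI byte are set or whose record range is reversed, which is worth checking before a terminal or test harness issues any reads.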

Hope this helps to clarify a few concepts about SFI command generation.