HSM KitHSM Kit
English

VISA Certificate Validation: CA Keys, Issuer Certificates & EMV

Payment Security# VISA# Certificate# EMV# CA Key
Last Updated: May 21, 20266 min readBy HSM Kit Team
Need to calculate this now?
Use our free online VISA Certificate Validator tool.

VISA Certificate Validation is the process of verifying the authenticity of EMV chip cards using a chain of digital certificates. This guide explains how VISA's certificate system works, from CA public keys to issuer certificate verification.

What is VISA Certificate Validation?

VISA Certificate Validation is part of the EMV chip card security model. When a VISA card (VSDC — VISA Smart Debit/Credit) is used at a terminal, the terminal must verify that the card is genuine and hasn't been tampered with. This is done through a chain of digital certificates.

The certificate chain ensures:

  • The card was issued by a legitimate issuer
  • The card's public key is authentic
  • The data on the card hasn't been modified

EMV Certificate Chain

The EMV certificate chain has three levels:

Certificate Authority (CA) Public Key
    └── Issuer Public Key Certificate
            └── ICC Public Key Certificate (on the card)

Level 1: CA Public Key

  • The root of trust
  • Owned by the payment scheme (VISA, Mastercard, etc.)
  • Pre-loaded in terminals
  • Used to verify issuer certificates

Level 2: Issuer Public Key Certificate

  • Issued by the CA to the card issuer (bank)
  • Contains the issuer's public key
  • Signed by the CA's private key

Level 3: ICC Public Key Certificate

  • Issued by the issuer to the individual card
  • Contains the card's (ICC) public key
  • Signed by the issuer's private key

VSDC CA Public Key

The VSDC (VISA Smart Debit/Credit) CA Public Key is the root key for VISA's EMV certificate system.

Key Properties

  • Algorithm: RSA
  • Key sizes: 1408, 1728, 1976, or 2048 bits
  • Exponent: Typically 65537 (0x010001)
  • RID: Registered Application Provider Identifier (VISA: A000000003)

Key Distribution

CA public keys are distributed to terminals through:

  • Terminal loading/key injection ceremonies
  • TR-31 key blocks for secure transport
  • Direct loading from payment scheme

Key Index (Index)

Each CA public key has an index (1-255) that identifies it:

  • The card stores the index of the CA key used
  • The terminal uses this index to select the correct CA key
  • This enables key rotation without reissuing all terminals

Issuer Public Key Certificate

The Issuer Public Key Certificate is issued by the CA to the card issuer. It contains:

Certificate Contents

  • Issuer public key
  • Issuer identifier
  • Certificate expiration date
  • Certificate serial number

Certificate Format

The certificate is an RSA digital signature:

Certificate = RSA_Sign(CA_Private_Key, Certificate_Data)

Where Certificate_Data includes:

  • Certificate header
  • Issuer public key (modulus and exponent)
  • Issuer identifier
  • Expiration date

Verification Process

  1. Terminal extracts the certificate from the card
  2. Terminal retrieves the CA public key (using the RID and index)
  3. Terminal decrypts the certificate using the CA public key: 
    Decrypted = RSA_Verify(CA_Public_Key, Certificate)
  4. Terminal extracts the issuer public key from the decrypted data
  5. Terminal verifies the certificate hasn't expired

Signed Data Verification

Signed Data is additional data on the card that is signed by the issuer:

Purpose

Signed Data provides integrity protection for:

  • Static data on the card (PAN, expiry, etc.)
  • Application data
  • Other critical fields

Verification Process

  1. Terminal reads the signed data from the card
  2. Terminal uses the issuer's public key (from the certificate) to verify: 
    Valid = RSA_Verify(Issuer_Public_Key, Signed_Data, Signature)
  3. If verification succeeds, the data is authentic

What Signed Data Protects

  • Prevents modification of card data
  • Ensures the card hasn't been cloned with different data
  • Protects against certain types of fraud

Complete Verification Flow

Step 1: Select Application

  1. Terminal sends SELECT command to card
  2. Card returns application data including:
    • RID (A000000003 for VISA)
    • CA Public Key Index
    • Application data

Step 2: Retrieve CA Public Key

  1. Terminal looks up CA Public Key using RID and index
  2. If key not found, transaction may proceed with offline verification or decline

Step 3: Read Issuer Certificate

  1. Terminal reads the Issuer Public Key Certificate from the card
  2. Terminal reads additional data needed for verification

Step 4: Verify Issuer Certificate

  1. Terminal decrypts the certificate using CA Public Key
  2. Terminal extracts Issuer Public Key
  3. Terminal verifies certificate expiration

Step 5: Read ICC Certificate

  1. Terminal reads the ICC Public Key Certificate from the card
  2. Terminal reads the ICC PIN Encipherment Public Key (if present)

Step 6: Verify ICC Certificate

  1. Terminal decrypts ICC certificate using Issuer Public Key
  2. Terminal extracts ICC Public Key
  3. Terminal verifies certificate expiration

Step 7: Verify Signed Data

  1. Terminal reads signed data and signature from the card
  2. Terminal verifies signature using Issuer Public Key
  3. If all verifications succeed, card is authentic

RSA Operations in Certificate Validation

Certificate validation involves several RSA operations:

RSA Verification

Signature^e mod n = Hash(Data)

Where:

  • e is the public exponent
  • n is the modulus
  • Hash is typically SHA-1 (for legacy) or SHA-256

Certificate Recovery

For EMV certificates, the process involves:

  1. Raise the certificate to the power of the public exponent
  2. Apply the decryption algorithm
  3. Recover the signed data
  4. Verify the hash

This is implemented in the HSM using specialized RSA commands.

Practical Considerations

Terminal Implementation

Terminals must:

  • Store all relevant CA Public Keys
  • Implement the full certificate verification chain
  • Handle key index lookups
  • Manage certificate expiration

HSM Support

HSMs perform the heavy cryptographic operations:

  • RSA decryption for certificate recovery
  • Hash verification
  • Key storage and management

Error Handling

If certificate validation fails:

  • Transaction should be declined
  • Error logged for investigation
  • Card may be flagged for review

Security Properties

Trust Chain

The certificate chain provides:

  • Root of trust (CA key)
  • Hierarchical verification
  • Key separation between levels

Anti-Cloning

Certificate validation prevents:

  • Card cloning with different data
  • Modification of card data
  • Unauthorized card issuance

Key Rotation

The system supports key rotation:

  • New CA keys can be distributed
  • Old keys can be phased out
  • Cards carry the index of which key was used

Common Questions

What happens if the CA key is compromised?

If a CA key is compromised, all certificates issued by that key are potentially invalid. The payment scheme would issue a new CA key and reissue affected cards.

Can I validate certificates without an HSM?

While the algorithms are known, HSMs provide:

  • Secure key storage
  • Performance optimization
  • Compliance with payment scheme requirements

How often are CA keys rotated?

CA keys are long-lived (years to decades). Rotation is planned well in advance and coordinated across the payment ecosystem.

What is the difference between offline and online verification?

  • Offline: Terminal verifies the full certificate chain locally
  • Online: Certificate verification may be performed by the issuer's HSM during authorization

Try It Yourself

Use our VISA Certificate Validation tools to understand and practice with EMV certificate verification:

All processing happens locally in your browser — your keys never leave your device.

Related Tool
VISA Certificate Validator