Hi DDA is one of the authentication options available as part of the offline authentication process between an EMV card and its corresponding terminal. In this the Trusted CA (run by the card schemes) signs CA's for issuer banks who inturn sign the end user certificates stored on cards.
Is there is possibility of an intermediate CA coming into picture between the Card Scheme CA (root CA) and the Issuer Bank CA ? So the way this would operate is, the card scheme cross signs regional CA's who in turn signs Issuer Bank CA's. During the authentication process, the terminal should chain up to the root CA and perform the necessary checks. Some thoughts .. Cheers Amol