EMV: Integrated Circuit Card Specifications for Payment Systems



Similar documents
A Guide to EMV. Version 1.0 May Copyright 2011 EMVCo, LLC. All rights reserved.

Securing Card-Not-Present Transactions through EMV Authentication. Matthew Carter and Brienne Douglas December 18, 2015

Fundamentals of EMV. Guy Berg Senior Managing Consultant MasterCard Advisors

Electronic Payments Part 1

JCB Terminal Requirements

How To Protect A Smart Card From Being Hacked

Using EMV Cards to Protect E-commerce Transactions

M/Chip Functional Architecture for Debit and Credit

Chip & PIN is definitely broken. Credit Card skimming and PIN harvesting in an EMV world

Smart Cards for Payment Systems

Requirements for an EMVCo Common Contactless Application (CCA)

Payment systems. Tuomas Aura T Information security technology

Formal models of bank cards for free

Payment systems. Tuomas Aura T Information security technology. Aalto University, autumn 2012

Master Thesis Towards an Improved EMV Credit Card Certification

Visa Recommended Practices for EMV Chip Implementation in the U.S.

SMARTCARD FRAUD DETECTION USING SECURE ONETIME RANDOM MOBILE PASSWORD

A Guide to EMV Version 1.0 May 2011

Extending EMV payment smart cards with biometric on-card verification

EMV: A to Z (Terms and Definitions)

Formal analysis of EMV

Euronet s EMV Chip Solutions Superior Protection with Enhanced Security against Fraud

Chip & PIN is definitely broken v1.4. Credit Card skimming and PIN harvesting in an EMV world

Credit Card Processing Overview

White Paper. EMV Key Management Explained

Payment systems. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2015

The Canadian Migration to EMV. Prepared By:

What Merchants Need to Know About EMV

EMVCo Letter of Approval - Contact Terminal Level 2

CardControl. Credit Card Processing 101. Overview. Contents

MasterCard PayPass. M/Chip, Acquirer Implementation Requirements. v.1-a4 6/06

EMV's Role in reducing Payment Risks: a Multi-Layered Approach

MOBILE CHIP ELECTRONIC COMMERCE: ENABLING CREDIT CARD PAYMENT FOR MOBILE DEVICES

EMVCo Letter of Approval - Contact Terminal Level 2

First Data s Program on EMV

EMV and Chip Cards Key Information On What This Is, How It Works and What It Means

Pima Federal Visa Credit Cards Frequently Asked Questions (FAQs)

U.S. EMV Debit Implementation Guidelines for POS Acquirers

What Issuers Need to Know Top 25 Questions on EMV Chip Cards and Personalization

EMV FAQs. Contact us at: Visit us online: VancoPayments.com

EMV EMV TABLE OF CONTENTS

Guideline on Debit or Credit Cards Usage

EMV : Frequently Asked Questions for Merchants

EMV Frequently Asked Questions for Merchants May, 2014

CONTACTLESS PAYMENTS. Joeri de Ruiter. University of Birmingham. (some slides borrowed from Tom Chothia)

Chip and PIN is Broken a view to card payment infrastructure and security

EMV (Chip-and-PIN) Protocol

Chip & PIN notes on a dysfunctional security system

PCI 3.1 Changes. Jon Bonham, CISA Coalfire System, Inc.

toast EMV in 2015: How Restaurants Can Prepare for the New Chip-and-Pin Standard

PayPass M/Chip Requirements. 10 April 2014

Card Technology Choices for U.S. Issuers An EMV White Paper

Payments Transformation - EMV comes to the US

Introductions 1 min 4

PayPass - M/Chip Requirements. 5 December 2011

EMV and Small Merchants:

EMV Acquiring at the ATM: Early Planning for Credit Unions

EMV and Restaurants: What you need to know. Mike English. October Executive Director, Product Development Heartland Payment Systems

Securing Mobile Payment Protocol. based on EMV Standard

EMVCo Letter of Approval - Terminal Level 2

Preparing for EMV chip card acceptance

Implication of EMV Migration for the U.S. Transportation Industry. May 1, Implication of EMV Migration for the U.S. Transportation Industry

Visa Smart Debit/Credit Certificate Authority Public Keys

Overview of Contactless Payment Cards. Peter Fillmore. July 20, 2015

EMV (Chip and PIN) Project. EMV card

Relay attacks on card payment: vulnerabilities and defences

implementing American Express EMV acceptance on a Terminal

Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective

Network Security Protocols

EMV 96 Integrated Circuit Card Terminal Specification for Payment Systems

Frequently Asked Questions (FAQ) on HSBC Chip Credit Cards

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

How To Prevent Fraud On A Credit Card

Mitigating Fraud Risk Through Card Data Verification

Electronic Payments. EITN40 - Advanced Web Security

American Express. Merchant Services. Grow your business With POS terminals from American Express

Security Rules and Procedures Merchant Edition

Security Rules and Procedures Merchant Edition. 5 February 2015

What is EMV? What is different?

Guide to Data Field Encryption

PCI and EMV Compliance Checkup

Banking Security Architecture

E M V I M P L E M E N TAT I O N T O O L S F O R S U C C E S S, P C I & S E C U R I T Y. February 2014

Card Payments Roadmap in the United States: How Will EMV Impact the Future Payments Infrastructure?

Questions & Answers on Payment Statistics

THE FIVE Ws OF EMV BY DAVE EWALD GLOBAL EMV CONSULTANT AND MANAGER DATACARD GROUP

American Express Contactless Payments

CANADIAN PAYMENTS ASSOCIATION ASSOCIATION CANADIENNE DES PAIEMENTS RULE E1

Understand the Business Impact of EMV Chip Cards

THE ROAD TO U.S. EMV MIGRATION Information and Strategies to Help Your Institution Make the Change

SETUP GUIDE. Thank you for your purchase of Hamilton products! In this handy guide, you will discover: ADDITIONAL REQUIREMENTS SETUP HOW IT WORKS

Acquirer Device Validation Toolkit (ADVT)

THE APPEAL FOR CONTACTLESS PAYMENT 3 AVAILABLE CONTACTLESS TECHNOLOGIES 3 USING ISO BASED TECHNOLOGY FOR PAYMENT 4

Credit card: permits consumers to purchase items while deferring payment

Card Network Update Chip (EMV) Acceptance in the United States At-A-Glance

Transcription:

: Integrated Circuit Card Specifications for Payment Systems Jan Krhovják Faculty of Informatics, Masaryk University Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 1 / 13

Outline EMV Basic Information Introduction to EMV Offline data authentication Static data authentication Dynamic data authentication User authentication Signature based PIN based Automatic risk management Terminal risk management Terminal action analysis Card action analysis Conclusion Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 2 / 13

Introduction to EMV EMV Basic Information EMV 4.1 specifications consist of four books (786 pages) Application Independent ICC to Terminal Interface Requirements Security and Key Management Application Specification Cardholder, Attendant, and Acquirer Interface Requirements Basic terminology Merchant, payee Cardholder, customer, payer, or simply user Card issuer, cardholder s bank, or simply bank No distinguishing (for this presentation) between issuer or acquirer bank Fraud, a deception made for a personal gain All parties should be protected against the fraud Unauthorized and illegal use of a credit card to purchase property ICC, an acronym for integrated circuit(s) card Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 3 / 13

Introduction to EMV EMV Basic Information EMV 4.1 specifications consist of four books (786 pages) Application Independent ICC to Terminal Interface Requirements Security and Key Management Application Specification Cardholder, Attendant, and Acquirer Interface Requirements Basic terminology Merchant, payee Cardholder, customer, payer, or simply user Card issuer, cardholder s bank, or simply bank No distinguishing (for this presentation) between issuer or acquirer bank Fraud, a deception made for a personal gain All parties should be protected against the fraud Unauthorized and illegal use of a credit card to purchase property ICC, an acronym for integrated circuit(s) card Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 3 / 13

Offline Data Authentication Basic Principles of Offline Data Authentication The goal is offline detection of fake (altered/duplicated) cards Based on asymmetric cryptography (namely on RSA) RSA public key must be always 3 or 2 16 1 Existence of a certification authority (CA) is required Integrity of transmitted public keys must be secured Each EMV terminal must contain actual CA public key Supported mechanisms Static data authentication (SDA) Dynamic data authentication (DDA) Combined DDA and application cryptogram generation (CDA) Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 4 / 13

Offline Data Authentication Basic Principles of Offline Data Authentication The goal is offline detection of fake (altered/duplicated) cards Based on asymmetric cryptography (namely on RSA) RSA public key must be always 3 or 2 16 1 Existence of a certification authority (CA) is required Integrity of transmitted public keys must be secured Each EMV terminal must contain actual CA public key Supported mechanisms Static data authentication (SDA) Dynamic data authentication (DDA) Combined DDA and application cryptogram generation (CDA) Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 4 / 13

SDA: Static Data Authentication I Offline Data Authentication Basics of SDA Performed by terminal Confirms legitimacy of critical ICC-resident static data Detects unauthorized alteration of data after personalization Settings and process of SDA Public key of CA is stored in each terminal Public key of issuer bank is certified by CA and stored on ICC Static application data are signed by issuer bank and stored on ICC Security of SDA Based on secrecy of private RSA keys Counterfeiting/duplication not solved Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 5 / 13

SDA: Static Data Authentication I Offline Data Authentication Basics of SDA Performed by terminal Confirms legitimacy of critical ICC-resident static data Detects unauthorized alteration of data after personalization Settings and process of SDA Public key of CA is stored in each terminal Public key of issuer bank is certified by CA and stored on ICC Static application data are signed by issuer bank and stored on ICC Security of SDA Based on secrecy of private RSA keys Counterfeiting/duplication not solved Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 5 / 13

SDA: Static Data Authentication I Offline Data Authentication Basics of SDA Performed by terminal Confirms legitimacy of critical ICC-resident static data Detects unauthorized alteration of data after personalization Settings and process of SDA Public key of CA is stored in each terminal Public key of issuer bank is certified by CA and stored on ICC Static application data are signed by issuer bank and stored on ICC Security of SDA Based on secrecy of private RSA keys Counterfeiting/duplication not solved Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 5 / 13

SDA: Static Data Authentication II Offline Data Authentication Diagram of SDA (taken from the original specification) Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 6 / 13

Offline Data Authentication DDA: Dynamic Data Authentication I Basics of DDA Performed by terminal&card (ICC with coprocessor required) Confirms legitimacy of critical ICC-resident/generated data and data received from terminal Detects counterfeited/duplicated cards Settings and process of DDA Similar as for SDA New unique ICC RSA key pair is stored on each card ICC private key is securely stored (can not leave the card) ICC public key is signed & stored together with static application data Terminal sends random challenge to be signed by ICC private key Security of DDA Based on secrecy of private RSA keys The chip card must be able to protect ICC private key Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 7 / 13

Offline Data Authentication DDA: Dynamic Data Authentication I Basics of DDA Performed by terminal&card (ICC with coprocessor required) Confirms legitimacy of critical ICC-resident/generated data and data received from terminal Detects counterfeited/duplicated cards Settings and process of DDA Similar as for SDA New unique ICC RSA key pair is stored on each card ICC private key is securely stored (can not leave the card) ICC public key is signed & stored together with static application data Terminal sends random challenge to be signed by ICC private key Security of DDA Based on secrecy of private RSA keys The chip card must be able to protect ICC private key Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 7 / 13

Offline Data Authentication DDA: Dynamic Data Authentication I Basics of DDA Performed by terminal&card (ICC with coprocessor required) Confirms legitimacy of critical ICC-resident/generated data and data received from terminal Detects counterfeited/duplicated cards Settings and process of DDA Similar as for SDA New unique ICC RSA key pair is stored on each card ICC private key is securely stored (can not leave the card) ICC public key is signed & stored together with static application data Terminal sends random challenge to be signed by ICC private key Security of DDA Based on secrecy of private RSA keys The chip card must be able to protect ICC private key Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 7 / 13

Offline Data Authentication DDA: Dynamic Data Authentication II Diagram of DDA (taken from the original specification) Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 8 / 13

Offline Data Authentication CDA: Combined DDA and Application Cryptogram (AC) Generation Basics of CDA Performed by terminal&card in parallel with card action analysis Settings and process of CDA Similar as for DDA Random challenge is a part of request for AC Signed AC contains this random challenge Security of CDA Extra security for AC Advantage if secure communication between terminal and ICC can not be guaranteed Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 9 / 13

Offline Data Authentication CDA: Combined DDA and Application Cryptogram (AC) Generation Basics of CDA Performed by terminal&card in parallel with card action analysis Settings and process of CDA Similar as for DDA Random challenge is a part of request for AC Signed AC contains this random challenge Security of CDA Extra security for AC Advantage if secure communication between terminal and ICC can not be guaranteed Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 9 / 13

Offline Data Authentication CDA: Combined DDA and Application Cryptogram (AC) Generation Basics of CDA Performed by terminal&card in parallel with card action analysis Settings and process of CDA Similar as for DDA Random challenge is a part of request for AC Signed AC contains this random challenge Security of CDA Extra security for AC Advantage if secure communication between terminal and ICC can not be guaranteed Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 9 / 13

User Authentication Negotiation of authentication method Supported methods Signature-based (handwritten) PIN-based (offline/online, plaintext/encrypted) Several combinations Priority list of card-supported methods stored on ICC Terminal selects the first terminal-supported method from this list Selected method is dependent on the terminal type One supported method can be no cardholder verification required Successful verification At least one metod is successfully performed The list is exhausted Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 10 / 13

User Authentication Negotiation of authentication method Supported methods Signature-based (handwritten) PIN-based (offline/online, plaintext/encrypted) Several combinations Priority list of card-supported methods stored on ICC Terminal selects the first terminal-supported method from this list Selected method is dependent on the terminal type One supported method can be no cardholder verification required Successful verification At least one metod is successfully performed The list is exhausted Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 10 / 13

Verification processing EMV User Authentication Signature-based or online PIN-based authentication Same process as used in the case of magnetic strip cards PIN is formatted into PIN-block, encrypted by using 3DES,... Chip card should provide extra security against skimming Offline encrypted PIN-based authentication New own RSA key pair is associated with PIN encipherment This key pair is stored/certified as the key for DDA Original PIN necessary for verification is securely stored on ICC PINpad/terminal must be physically/logically well secured Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 11 / 13

Verification processing EMV User Authentication Signature-based or online PIN-based authentication Same process as used in the case of magnetic strip cards PIN is formatted into PIN-block, encrypted by using 3DES,... Chip card should provide extra security against skimming Offline encrypted PIN-based authentication New own RSA key pair is associated with PIN encipherment This key pair is stored/certified as the key for DDA Original PIN necessary for verification is securely stored on ICC PINpad/terminal must be physically/logically well secured Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 11 / 13

Automatic Risk Management Automatic Risk Management Protects against offline undetectable threats Decides if transaction should be: approved offline, declined offline, or transmitted online Terminal risk management Floor limit checking Random transaction selection Velocity checking Terminal&card action analysis T: reject transaction offline C: reject offline T: transaction should go online C: go online reject offline T: transaction might be completed offline C: go online reject offline approve offline Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 12 / 13

Automatic Risk Management Automatic Risk Management Protects against offline undetectable threats Decides if transaction should be: approved offline, declined offline, or transmitted online Terminal risk management Floor limit checking Random transaction selection Velocity checking Terminal&card action analysis T: reject transaction offline C: reject offline T: transaction should go online C: go online reject offline T: transaction might be completed offline C: go online reject offline approve offline Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 12 / 13

Automatic Risk Management Automatic Risk Management Protects against offline undetectable threats Decides if transaction should be: approved offline, declined offline, or transmitted online Terminal risk management Floor limit checking Random transaction selection Velocity checking Terminal&card action analysis T: reject transaction offline C: reject offline T: transaction should go online C: go online reject offline T: transaction might be completed offline C: go online reject offline approve offline Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 12 / 13

Conclusion & References Conclusion EMV introduces the Chip&PIN technology Chip cards provide more secured storage for sensitive data If SDA is not used... PIN-based user authentication is more secure (for whom?) If the secure method is negotiated... Several online references: EMV 4.1 Specifications http://www.emvco.com/cgi bin/detailspec.pl?id=5 EMV POS terminal interceptor http://www.cl.cam.ac.uk/ mkb23/interceptor/ Chip and SPIN webpage http://www.chipandspin.co.uk/ and article http://www.cl.cam.ac.uk/ mkb23/spin/spin.pdf Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 13 / 13

Conclusion & References Conclusion EMV introduces the Chip&PIN technology Chip cards provide more secured storage for sensitive data If SDA is not used... PIN-based user authentication is more secure (for whom?) If the secure method is negotiated... Several online references: EMV 4.1 Specifications http://www.emvco.com/cgi bin/detailspec.pl?id=5 EMV POS terminal interceptor http://www.cl.cam.ac.uk/ mkb23/interceptor/ Chip and SPIN webpage http://www.chipandspin.co.uk/ and article http://www.cl.cam.ac.uk/ mkb23/spin/spin.pdf Jan Krhovják (FI MU) EMV (Europay, MasterCard, Visa) 20. 3. 2006 13 / 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information