Enhancing EMV Online PIN Verification

Danushka Jayasinghe, Raja Akram, Konstantinos Markantonakis, Konstantinos Rantos, Keith Mayes

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

3 Citations (Scopus)

Abstract

EMV (Europay MasterCard Visa) is a globally accepted standard for chip card-based payment transactions, which benefits from the intrinsic security characteristics of chip cards. The EMV specification is relatively flexible and can be deployed in both online and offline card acceptance environments. In the offline environment, payment terminals and cards only communicate with each other in order to approve/decline the payment transactions, whereas in the online environment authorisation entities are also involved in the overall process. An authorisation entity can either be the Card Issuing Bank (CIB) or the payment scheme operator (e.g. Visa, MasterCard). Aside from the transaction authorisation, the EMV specifications define offline-PIN verification as one of the main cardholder verification methods. However, in an online authorisation environment, the PIN verification process is referred to as Online-PIN Verification (OPV). This process is the main focus of this paper. We discuss the OPV process that has placed indelible trust assumptions on the intermediary entities (subcontractors) between a payment terminal and a scheme operator/CIB. When this trust (assumption) is scrutinised, there is a potential attack scenario that an adversary can use to gain access to PIN data. This information can be used by an adversary to carry out an online PIN approved transaction without the involvement of the genuine cardholder but with the correct PIN. We then propose three solutions based on the existing OPV process as potential countermeasures that are then implemented to measure any incurred performance penalties and subjected to mechanical formal analysis using CasperFDR.
Original language: English
Title of host publication: 2015 IEEE Trustcom/BigDataSE/ISPA
Publisher: IEEE Explore
Number of pages: 10
Publication status: Published - 3 Dec 2015
Event: The 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications - Helsinki, Finland
Duration: 20 Aug 2015 → …
Conference number: 14

Conference

Conference: The 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications
Abbreviated title: IEEE TrustCom-15
Country/Territory: Finland
City: Helsinki
Period: 20/08/15 → …

Keywords

  • EMV
  • Online PIN Verification
  • Security
  • Cryptography
  • Implementation
  • Performance
  • CasperFDR
