Enhancing EMV Tokenisation with Dynamic Transaction Tokens

Danushka Jayasinghe, Konstantinos Markantonakis, Raja Akram, Keith Mayes

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Europay MasterCard Visa (EMV) Tokenisation specification details how the risk involved in Personal Account Number (PAN) compromise can be prevented by using tokenisation. In this paper, we identify two main potential problem areas that raise concerns about the security of tokenised EMV contactless mobile payments, especially when the same token also called a static token is used to pay for all transactions. We then discuss five associated attack scenarios that would let an adversary compromise payment transactions. It is paramount to address these security concerns to secure tokenised payments, which is the main focus of the paper. We propose a solution that would enhance the security of this process when a smart phone is used to make a tokenised contactless payment. In our design, instead of using a static token in every transaction, a new dynamic token and a token cryptogram is used. The solution is then analysed against security and protocol objectives. Finally the proposed protocol is subjected to mechanical formal analysis using Scyther which did not find any feasible attacks within the bounded state space.
Original languageEnglish
Title of host publicationRadio Frequency Identification and IoT Security
Subtitle of host publicationRFIDSec 2016
EditorsG Hancke, K Markantonakis
Pages107-122
Number of pages16
DOIs
Publication statusPublished - 20 Jul 2017

Publication series

Name Lecture Notes in Computer Science
Volume10155

Fingerprint

Dive into the research topics of 'Enhancing EMV Tokenisation with Dynamic Transaction Tokens'. Together they form a unique fingerprint.

Cite this