Today’s EMV payments have one basic security deficiency: despite the advanced use of cryptography to detect counterfeit cards (static / dynamic card authentication, offline or online) and to cryptographically sign the transaction outcome, EMV-compliant POS terminals and the downstream Merchant and Acquirer systems still obtain and handle the Primary Account Number (PAN) from the EMV card ‘in clear’ during the EMV transaction. Since POS terminals and downstream Merchant systems are inherently less secure than tamper-proof EMV chip cards and Payment Network / Issuer Authentication Host systems (which use tamper-resistant HSM modules), they are frequent targets of successful cyber attacks, resulting in millions of stolen PAN values and expiry dates, which can be used effectively in many online / Card Not Present (CNP) payment scenarios. The costs of such massive and prominent data breaches can be devastating; they include, but are not limited to, the cost of reissuing compromised cards, retail brand damage and class-action lawsuits.
The latest EMVCo ‘Payment Tokenization Specification – Technical Framework’ document is focused mainly on the following use cases: Mobile NFC at POS, Mobile / Digital Wallet E-Commerce, Card-On-File E-Commerce and QR Code Scan at POS. The absence of the physical-card EMV Contact / Contactless payment use case is somewhat puzzling (it is mentioned only in a footnote as a possible use case). However, the latest high-profile data breaches (Target and Neiman Marcus being just the most prominent ones) should remind us that storing PAN-related data ‘in clear’ in POS terminal memory / file systems can be very risky and damaging. Those breaches would have happened even if standard EMV chip cards had been in use.
This paper presents and proposes a simple, cost-effective enhancement of standard EMV chip card functionality: transparently adding End-to-End Format Preserving Encryption (E2E-FPE) of the PAN as an extension of the EMV card application. The goal is to ensure that only Payment Network and card Issuer controlled components (i.e. the chip card hosting the EMV payment application and the Payment Network / Issuer Hosts) know the real PAN values and the details of the FPE processing. In other words, the goal is to make the whole ‘EMV enhancement’ fully transparent to POS devices and Acquirer systems. As a result, they only deal with format-preserving, unique-per-transaction ‘PAN cryptogram’ values. Because it is ‘unique per transaction’, a ‘PAN cryptogram’ is useless to anybody who steals it after the transaction has already been completed. Because it is ‘format preserving’, the ‘PAN cryptogram’ can be handled by and routed through POS terminals and Acquirer systems as usual, eliminating the need for any changes in those components. This simple EMV enhancement has the potential to fully eliminate the existing risks associated with hacked POS terminals and Merchant systems. It places clear responsibility for protecting the sensitive payment credentials along the real-time EMV transaction authorization rails on the Payment Network / card Issuer, where it naturally belongs.
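To make the two properties concrete, the following added example (written for this page, not code from the paper or from EMVCo) shows a minimal format-preserving PAN cryptogram of the kind described above. It is a simplified digit-domain Feistel construction keyed with HMAC-SHA256, not NIST FF1/FF3 and not the paper's own scheme; the assumptions are that the issuer holds a per-BIN master key (`ISSUER_BIN_MASTER_KEY`, a constructed value), that the EMV Application Transaction Counter (ATC) is available to both the card and the issuer host and serves as the per-transaction tweak, and that the BIN is left in clear so acquirers can still route on it. The check digit is recomputed so the cryptogram passes the same Luhn test as a real PAN, and the round-trip shows that only a party holding the key and the ATC can recover the PAN.

```python
import hmac
import hashlib

# Constructed demo key; a real issuer key would live in an HSM and be
# selected by BIN when the authorization request arrives.
ISSUER_BIN_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ROUNDS = 10        # even number of Feistel rounds keeps half lengths consistent
BIN_LENGTH = 6     # leading digits left in clear for acquirer routing


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for a digit string that excludes the check digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def _session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key: the ATC (EMV tag 9F36) acts as the tweak, so the
    same PAN yields a different cryptogram on every transaction."""
    return hmac.new(master_key, b"PAN-FPE" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def _round_value(key: bytes, rnd: int, half: str, width: int) -> int:
    """Feistel round function: keyed hash of one half, reduced to `width` digits."""
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def _fpe_encrypt(digits: str, key: bytes) -> str:
    """Encrypt a digit string to a digit string of the same length."""
    n = len(digits)
    u = n // 2
    a, b = digits[:u], digits[u:]
    for rnd in range(ROUNDS):
        m = u if rnd % 2 == 0 else n - u       # width of the half being replaced
        c = (int(a) + _round_value(key, rnd, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def _fpe_decrypt(digits: str, key: bytes) -> str:
    """Inverse of _fpe_encrypt: run the rounds backwards."""
    n = len(digits)
    u = n // 2
    a, b = digits[:u], digits[u:]
    for rnd in reversed(range(ROUNDS)):
        m = u if rnd % 2 == 0 else n - u
        c = (int(b) - _round_value(key, rnd, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_pan(pan: str, master_key: bytes, atc: int) -> str:
    """Card side: turn a real PAN into a format-preserving PAN cryptogram."""
    if not luhn_valid(pan) or len(pan) < BIN_LENGTH + 3:
        raise ValueError("not a well-formed PAN")
    bin_part, middle = pan[:BIN_LENGTH], pan[BIN_LENGTH:-1]
    enc = _fpe_encrypt(middle, _session_key(master_key, atc))
    return bin_part + enc + luhn_check_digit(bin_part + enc)


def recover_pan(cryptogram: str, master_key: bytes, atc: int) -> str:
    """Issuer side: recover the real PAN using the BIN key and the transaction's ATC."""
    if not luhn_valid(cryptogram) or len(cryptogram) < BIN_LENGTH + 3:
        raise ValueError("not a well-formed PAN cryptogram")
    bin_part, middle = cryptogram[:BIN_LENGTH], cryptogram[BIN_LENGTH:-1]
    dec = _fpe_decrypt(middle, _session_key(master_key, atc))
    return bin_part + dec + luhn_check_digit(bin_part + dec)


if __name__ == "__main__":
    pan = "4111111111111111"   # well-known test PAN, constructed input
    for atc in (1, 2):
        crypt = protect_pan(pan, ISSUER_BIN_MASTER_KEY, atc)
        print(f"ATC={atc}: cryptogram={crypt} luhn_ok={luhn_valid(crypt)} "
              f"recovered={recover_pan(crypt, ISSUER_BIN_MASTER_KEY, atc)}")
```

Running the script prints two different 16-digit, Luhn-valid cryptograms for the same PAN, each of which the issuer maps back to the original only when paired with its own ATC. A cryptogram replayed under a different ATC decrypts to an unrelated number, which is what makes a stolen value worthless after the transaction has completed; in a production design the issuer host would additionally verify the EMV application cryptogram (ARQC) before trusting the recovered PAN.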