Under The Hood - EMV as a Technology

EMV, originally developed jointly by Europay, MasterCard, and Visa, is a security standard for payment cards, sometimes referred to as "chip and PIN," "chip and signature," or simply "chip technology." Its purpose is to establish global interoperability between cards, point-of-sale terminals, and ATMs, and to reduce fraud. The specifications are maintained by EMVCo, an independent joint venture formed in 1999; JCB, American Express, and Discover have since joined. Each payment brand implements its own chip cards and its own version of the specifications, but all are based on the common EMVCo specification. The underlying smart card standards are outlined in ISO/IEC 7816-1 through 7816-6. Cards and terminals must pass a standard set of EMVCo tests in order to be certified.

Unlike traditional magnetic-stripe technology, which only stores static data that can be copied verbatim, an EMV card carries a microprocessor that performs dynamic authentication. The chip holds secret keys that never leave it and uses them to produce values (signatures and cryptograms) that change with every transaction; an EMV-certified device verifies these values to confirm that the card is genuine.

The intent is to make it much harder for criminals to produce working copies of a card. The public-key side works as a small certificate hierarchy: each terminal stores the payment brands' certificate authority public keys (CAPKs), and the card carries an issuer public key certificate signed by one of those CAs, which the terminal checks during offline authentication. Some CAPKs are still 1024-bit RSA, which is weak by current standards and is being phased out. Keys and cryptographic operations in the terminal are held in a tamper-detecting secure module. When a terminal is online, it can send the entered PIN to the acquirer; the PIN is formatted as a standard ISO 9564 PIN block and encrypted over the wire with 2-key Triple-DES. Terminals will generally operate online, but facilities exist to authenticate both the card and the PIN in offline environments.
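The PIN block mentioned above is worth seeing in the concrete. The following is an added example, not code from TokenEx or from any terminal or acquirer: it builds an ISO 9564-1 format 0 PIN block (the format most terminals use) and shows the acquirer-side decode. The 2-key Triple-DES step that would encrypt the block under the terminal's PIN key is left out because the Python standard library has no 3DES; the PIN and PANs are constructed values.

```python
"""ISO 9564-1 format 0 PIN block: the clear block a terminal builds before
encrypting it under its PIN key and sending it to the acquirer. Added example,
not terminal or acquirer code. The 2-key Triple-DES encryption step is left out
(no 3DES in the standard library); the PIN and PANs below are constructed."""


def iso0_pin_block(pin, pan):
    """Return the 8-byte clear PIN block: PIN field XOR PAN field."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (pan.isdigit() and len(pan) >= 13):
        raise ValueError("PAN must be at least 13 digits")
    # PIN field: control nibble 0, PIN length, the PIN digits, then F padding
    pin_field = ("0%X%s" % (len(pin), pin)).ljust(16, "F")
    # PAN field: 0000 then the 12 rightmost PAN digits excluding the check digit
    pan_field = "0000" + pan[-13:-1]
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field),
                                       bytes.fromhex(pan_field)))


def iso0_pin_from_block(block, pan):
    """Acquirer or HSM side: remove the PAN mask and recover the PIN.
    Raises ValueError if the result does not have format 0 structure, which
    is how a block presented with the wrong PAN is normally caught."""
    pan_field = bytes.fromhex("0000" + pan[-13:-1])
    pin_field = bytes(a ^ b for a, b in zip(block, pan_field)).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("control nibble is not 0: not a format 0 block")
    length = int(pin_field[1], 16)
    if not 4 <= length <= 12 or pin_field[2 + length:] != "F" * (14 - length):
        raise ValueError("bad PIN length or padding: block does not match this PAN")
    return pin_field[2:2 + length]


def pan_binding_demo(pin="1234", pan_a="4000123456789010", pan_b="4000987654321019"):
    """Same PIN, two constructed PANs: the blocks differ, and the block built
    for one PAN fails structural checks when decoded under the other."""
    block_a, block_b = iso0_pin_block(pin, pan_a), iso0_pin_block(pin, pan_b)
    try:
        iso0_pin_from_block(block_a, pan_b)
        cross_decodes = True
    except ValueError:
        cross_decodes = False
    return block_a.hex().upper(), block_b.hex().upper(), cross_decodes
```

The XOR with the PAN is what stops one customer's encrypted PIN block from being useful against another account: the same PIN on two cards yields two different clear blocks, so the ciphertexts differ even under the same terminal key. Note that the cross-PAN decode is only caught when the two PANs differ in the positions that land on the F padding, so the structural check is a sanity check, not a security guarantee.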

3 Types of Authentication

The three types of offline data authentication, which a terminal can perform without contacting the issuer, are SDA (Static Data Authentication), DDA (Dynamic Data Authentication), and CDA (Combined DDA and application cryptogram generation). The terminal uses the strongest method supported by both the card and the terminal: CDA first, then DDA, and finally SDA.

1. With SDA, the terminal verifies that the issuer's public key certificate is signed by a legitimate, unrevoked CA public key (CAPK) held in the terminal, then checks that the card's static data block (PAN, expiry date, and other records) carries a valid signature from the issuer. Because the signed data never changes, SDA does not protect against cloning: an attacker who reads the records once can copy them, signature included, onto a counterfeit card that will pass SDA.

2. With DDA, the terminal generates a 4-byte (32-bit) Unpredictable Number (UN) and sends it to the card, together with any other data named in the card's DDOL (Dynamic Data Object List), in an INTERNAL AUTHENTICATE command. The card hashes this data together with its own dynamic data using SHA-1 and signs the hash with a private RSA key that exists only inside that chip; the matching ICC public key is itself certified by the issuer. The terminal must verify the signature to complete authentication, so a copy of the card that lacks the private key cannot answer a fresh challenge.

3. With CDA, the card combines DDA with application cryptogram generation: when the terminal requests the cryptogram (GENERATE AC), the card returns it inside a signed block that also covers the terminal's Unpredictable Number and the transaction data. This ties the dynamic signature to the specific transaction, so a device sitting between card and terminal cannot alter the cryptogram or the transaction data without the terminal noticing. A separate offline mechanism protects the PIN on the card-to-terminal path: the card may carry its own PIN encipherment certificate, verified through the issuer's certificate. The terminal first requests an 8-byte (64-bit) unpredictable number from the card (GET CHALLENGE), then encrypts the PIN block together with that number and random padding under the card's RSA public key. The card decrypts, checks that the number matches the one it issued, and only then compares the PIN against the value stored on the chip.
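To make the difference between the three methods concrete, here is an added, simulated card and terminal; it is not EMVCo, issuer, or terminal code. Textbook RSA over a SHA-1 hash stands in for EMV's ISO/IEC 9796-2 signature format, the key sizes are toy, the certificate chain is reduced to "parent key signs child key," the application cryptogram is a hash rather than a 3DES MAC, and every card record is constructed. What it preserves is the structure of each check: SDA verifies static signed data that a skimmer can copy, DDA adds a fresh challenge that only the chip's private key can answer, and CDA additionally binds the cryptogram and amount into the signature so a wedge cannot rewrite the reply.

```python
"""Toy model of EMV offline data authentication: SDA, DDA and CDA.
Added example, not EMVCo, issuer or terminal code. Textbook RSA over a SHA-1
hash stands in for EMV's ISO/IEC 9796-2 signature format, key sizes are toy,
and every card record below is constructed for the demo."""
import hashlib, os, random

_rng = random.Random(7816)  # fixed seed: the toy keys are reproducible

def _is_prime(n, rounds=24):
    """Miller-Rabin probable-prime test (demo quality)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c):
            return c

def keypair(bits=512):
    """Return ((n, e), (n, d)); real EMV CA keys are 1024 to 1984 bits."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))  # needs Python 3.8+

def sign(priv, data):
    h = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return pow(h, priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha1(data).digest(), "big")

def _enc(pub):  # serialise a public key so a parent key can sign it
    return pub[0].to_bytes(64, "big") + pub[1].to_bytes(4, "big")

# --- personalisation (constructed) ------------------------------------------
CAPK, CA_PRIV = keypair()      # terminal holds CAPK; the scheme CA keeps CA_PRIV
ISS_PUB, ISS_PRIV = keypair()
ICC_PUB, ICC_PRIV = keypair()  # per-card key pair; SDA-only cards have none
STATIC = b"PAN=4000123456789010;EXP=1712;AIP=DDA+CDA"  # constructed record
RECORDS = {"static": STATIC, "ssad": sign(ISS_PRIV, STATIC),  # READ RECORD output, copyable
           "iss_pub": ISS_PUB, "iss_cert": sign(CA_PRIV, _enc(ISS_PUB)),
           "icc_pub": ICC_PUB, "icc_cert": sign(ISS_PRIV, _enc(ICC_PUB) + STATIC)}

def card_internal_authenticate(un, icc_priv=ICC_PRIV):  # genuine chip's DDA reply
    return sign(icc_priv, un)

def card_generate_ac(un, amount, icc_priv=ICC_PRIV):    # genuine chip's CDA reply
    # stand-in for the 3DES application cryptogram made under the issuer key
    ac = hashlib.sha1(b"%d|" % amount + un).digest()[:8]
    return ac, sign(icc_priv, ac + un + amount.to_bytes(6, "big"))

def terminal_sda(rec):
    """CAPK -> issuer certificate -> signed static data. A copy passes."""
    return (verify(CAPK, _enc(rec["iss_pub"]), rec["iss_cert"]) and
            verify(rec["iss_pub"], rec["static"], rec["ssad"]))

def _icc_cert_ok(rec):  # issuer vouches for the ICC key, bound to the static data
    return verify(rec["iss_pub"], _enc(rec["icc_pub"]) + rec["static"], rec["icc_cert"])

def terminal_dda(rec, respond):
    """SDA chain plus ICC certificate, then a fresh 4-byte Unpredictable Number."""
    un = os.urandom(4)
    return terminal_sda(rec) and _icc_cert_ok(rec) and verify(rec["icc_pub"], un, respond(un))

def terminal_cda(rec, respond, amount, wedge=lambda ac: ac):
    """As DDA, but the signature must also cover the cryptogram and the amount."""
    un = os.urandom(4)
    ac, sig = respond(un, amount)                # wedge = man-in-the-middle edit of the reply
    return (terminal_sda(rec) and _icc_cert_ok(rec) and
            verify(rec["icc_pub"], wedge(ac) + un + amount.to_bytes(6, "big"), sig))

def demo():
    sniffed = card_internal_authenticate(os.urandom(4))  # skimmer saw one DDA reply
    clone = lambda un: sniffed                           # counterfeit: no key, can only replay
    copied = dict(RECORDS)                               # records copied by the skimmer
    return {
        "sda_genuine": terminal_sda(RECORDS),
        "sda_clone": terminal_sda(copied),                           # True: indistinguishable
        "dda_genuine": terminal_dda(RECORDS, card_internal_authenticate),
        "dda_clone": terminal_dda(copied, clone),                    # False: new UN, no key
        "cda_genuine": terminal_cda(RECORDS, card_generate_ac, 1999),
        "cda_wedged": terminal_cda(RECORDS, card_generate_ac, 1999, lambda ac: bytes(8)),  # False
    }
```

Running `demo()` returns the six verdicts: the cloned records pass SDA, the clone's replayed signature fails DDA because the terminal's Unpredictable Number has changed, and a wedge that rewrites the cryptogram fails CDA because the signature no longer matches what the terminal received. Under plain DDA that last tampering would only be caught, if at all, by the issuer checking the cryptogram online.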

Application Identifier

An EMV card also stores one or more AIDs (Application Identifiers), each naming a payment application the card supports. An AID is a 5-byte Registered Application Provider Identifier (RID), which identifies the payment brand, followed by a Proprietary Application Identifier Extension (PIX), which identifies the product. Each chip-enabled terminal must hold a list of the AIDs for which the acquirer has an agreement. The card and terminal must have at least one AID in common and agree on which one to use; once an AID is selected, the parameters of that application dictate how the two communicate for the rest of the transaction.
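The selection step described above, as an added example that is not terminal code: it builds the candidate list from a card's application directory and a terminal's supported AIDs, honouring partial-name matching and the card's priority indicator, and picks the application to SELECT. The Visa and MasterCard RIDs and their "1010" credit/debit AIDs are the published values; the card directory, the store-card AID (RID beginning D9, an unassigned value chosen for the demo), and the terminal lists are constructed.

```python
"""EMV application selection: candidate list from the card's directory and the
terminal's supported AIDs, then the choice of which application to SELECT.
Added example, not terminal code; it follows the EMV Book 1 matching rules in
outline only. The Visa and MasterCard "...1010" AIDs are the published values;
the store-card AID and the directory entries are constructed."""

VISA_CREDIT = bytes.fromhex("A0000000031010")
MC_CREDIT = bytes.fromhex("A0000000041010")
STORE_CARD = bytes.fromhex("D9999999990001")   # constructed private-label AID

# constructed co-badged card: its directory prefers the store application
CARD_DIRECTORY = [(STORE_CARD, "STORE CARD", 0x01),
                  (VISA_CREDIT, "VISA CREDIT", 0x02)]


def split_aid(aid):
    """AID = 5-byte RID (registered to the payment brand) + PIX (the product)."""
    return aid[:5].hex().upper(), aid[5:].hex().upper()


def candidate_list(card_directory, terminal_aids):
    """card_directory: (aid, label, priority_indicator) per PSE/PPSE entry.
    terminal_aids: {aid: partial_match_allowed}, the Application Selection
    Indicator letting a terminal AID match any card AID it is a prefix of.
    Returns (label, aid hex) in the order the terminal should try them."""
    matches = []
    for aid, label, prio in card_directory:
        for taid, partial_ok in terminal_aids.items():
            if aid == taid or (partial_ok and len(aid) > len(taid)
                               and aid.startswith(taid)):
                # low nibble of the priority indicator: 1 is highest, 0 is none
                matches.append((prio & 0x0F or 16, label, aid.hex().upper()))
                break
    matches.sort(key=lambda m: m[0])
    return [(label, aid) for _, label, aid in matches]


def select_application(card_directory, terminal_aids):
    """Highest-priority mutually supported AID, or None (the card is declined)."""
    cands = candidate_list(card_directory, terminal_aids)
    return cands[0] if cands else None


def demo():
    """Four constructed terminals against the same card."""
    return {
        "visa_only_terminal": select_application(CARD_DIRECTORY, {VISA_CREDIT: False}),
        "store_terminal": select_application(CARD_DIRECTORY,
                                             {STORE_CARD: False, VISA_CREDIT: False}),
        "partial_match": select_application(CARD_DIRECTORY,
                                            {bytes.fromhex("A000000003"): True}),
        "no_common_aid": select_application(CARD_DIRECTORY, {MC_CREDIT: False}),
    }
```

The "no_common_aid" case is the one merchants hit in practice when a terminal's AID table has not been loaded for a brand the acquirer signed up for: the chip is perfectly good, but there is nothing the two sides can agree to run, so the transaction cannot proceed on the chip.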

Vulnerabilities of EMV Devices

Many attacks have exploited vulnerabilities in particular implementations of EMV-compliant devices rather than in the standard itself. Researchers exploited a buffer overflow on a VeriFone terminal, inserting executable code to gain full control of the device; from there, values could be changed and transactions spoofed. The "Yes-Card" attack involves copying the data of a legitimate EMV card onto a counterfeit chip programmed to accept any PIN; it works against SDA-only cards when the PIN is verified offline, because the copied static data still authenticates. The "Wedge" attack involves inserting a device between the card and the terminal to alter the messages that pass between them. Both can be done with an inconspicuous amount of hardware and an undergraduate-level understanding of electronics, contrary to the argument that such attacks are too complicated for criminals to carry out. EMV technology is also still susceptible to many traditional methods of attack, such as the RAM scrapers used in the Target breach, because card data read by the terminal can still be exposed in the terminal's memory.

At Black Hat 2014 in Las Vegas, Lucas Zaichkowsky gave a demo in which, after inserting his card into a terminal, he simply performed a RAM dump from the DOS prompt and was able to view all of his card data in plain text.

Fraud Reduction

EMV has demonstrated a reduction in fraud. Studies in Europe, where EMV has been widely deployed since 2007, show a reduction in card-present fraud. EMV is not the "end all, be all" solution to fraud that many insist it is. However, it is a proven, scalable technology that has reduced fraud to a measurable degree.

Visa & MasterCard Insure EMV Only

Visa and MasterCard have introduced programs in the US that exempt merchants from the annual PCI DSS validation requirement if at least 75% of the merchant's transactions with that brand are processed through an EMV-certified device. A recent ruling by Visa and MasterCard, the liability shift, will potentially hold merchants liable for card-present fraud if the breach could have been prevented by using a chip-enabled device.

Why EMV is A Great Move For Data Security

EMV is a necessary adoption, and merchants will have to foot the bill to update hardware, certify processes, and implement the technology safely without disrupting other business processes. The long-term security is well worth the spend. EMV is a strong control for card-present transactions, but card-not-present fraud hit over $2 billion in Europe alone last year, and EMV does nothing to address it. Merchants will have to approach their data security strategy with a layered approach that includes tokenization and consumer authentication. We will be covering the layered data security approach in the next installment of our EMV Adoption series. Stay tuned.

TokenEx is a PCI compliant tokenization security platform that offers unlimited flexibility in how you access, store, and secure your data, while remaining processor agnostic.

Topic(s): payments , data security , PCI DSS , tokenization