Abstract

This paper focuses on EMV contactless payment cards and their vulnerability to leaking sensitive information such as the cardholder name, Primary Account Number (PAN), and expiry date of the EMV card. Such data can be sniffed using off-the-shelf hardware or software without the knowledge of the genuine cardholder. The paper proposes a tokenization technique that replaces the PAN of the actual EMV contactless card with a token, protecting the genuine data from being sniffed by an attacker and used in a Card-Not-Present (CNP) attack or any other attacks. The proposal was inspired by the implementation of tokenization in EMV mobile payment systems such as Apple, Google, and Samsung mobile payments. We argue that the proposed tokenization technique is easy to adopt and cost-effective to implement in the EMV protocol, as it does not require any changes to the infrastructure of existing payment systems. A vital feature of the proposal is that all the changes to the EMV protocol are at the personalization phase of the EMV card. The paper presents a successful implementation of the tokenization approach, using a Java contactless card framework to represent EMV contactless cards, to demonstrate its effectiveness in improving security and protecting the privacy of the card’s information.
