Abstract

EMV (Europay MasterCard Visa) is a globally accepted standard for chip-card-based payment transactions that benefits from the intrinsic security characteristics of chip cards. The EMV specification is relatively flexible and can be deployed in both online and offline card-acceptance environments. In the offline environment, the payment terminal and the card communicate only with each other to approve or decline a transaction, whereas in the online environment an authorisation entity is also involved in the overall process. An authorisation entity can be either the Card Issuing Bank (CIB) or the payment scheme operator (e.g. Visa, MasterCard). Aside from transaction authorisation, the EMV specifications define offline PIN verification as one of the main cardholder verification methods; in an online authorisation environment, however, PIN verification is performed as Online-PIN Verification (OPV), which is the main focus of this paper. We discuss how the OPV process rests on strong trust assumptions about the intermediary entities (subcontractors) that sit between a payment terminal and the scheme operator/CIB. When these assumptions are scrutinised, a potential attack scenario emerges in which an adversary can gain access to PIN data. An adversary can then use this information to carry out an online-PIN-approved transaction with the correct PIN but without the involvement of the genuine cardholder. We propose three solutions based on the existing OPV process as potential countermeasures, implement them to measure any incurred performance penalties, and subject them to mechanical formal analysis using CasperFDR.
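The trust point the abstract makes can be seen in a small model of where the PIN is exposed along the online path. The following is an added example and is not code from the paper; it assumes the generic OPV key-custody model (which the abstract does not detail): the terminal encrypts an ISO 9564-1 format-0 PIN block under a terminal PIN key, each intermediary translates the block from its inbound zone key to its outbound zone key inside an HSM, and the PAN travels in clear in the authorisation message. TDES is replaced by a keyed-XOR stand-in because the Python standard library has no block cipher; the names `hsm_translate`, `run_online_pin_path` and the per-run keys are constructed for illustration. The PIN block construction itself is the real format-0 layout.

```python
"""Model of Online-PIN Verification (OPV) key custody along the path
terminal -> acquirer -> scheme network -> issuer.

ADDED EXAMPLE, not from the paper. Assumptions: format-0 PIN block,
zone-key translation at each intermediary, keyed-XOR stand-in for TDES,
PAN in clear in the authorisation message.
"""
import hashlib
import secrets


def _pan_field(pan: str) -> bytes:
    """ISO 9564-1 format 0 PAN field: 0000 + the 12 rightmost PAN digits,
    check digit excluded."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def build_pin_block(pin: str, pan: str) -> bytes:
    """Clear format-0 PIN block: (0, length, PIN, F padding) XOR PAN field."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def recover_pin(block: bytes, pan: str) -> str:
    """Inverse of build_pin_block; raises if the block is not format 0."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not an ISO format-0 PIN block")
    length = int(pin_field[1], 16)
    return pin_field[2:2 + length]


def _stand_in_cipher(key: bytes, block: bytes) -> bytes:
    """STAND-IN for the TDES used in real PIN zones (assumption): keyed XOR
    with a SHA-256-derived pad. Only the key-custody argument matters here."""
    pad = hashlib.sha256(b"opv-stand-in-pad|" + key).digest()[:8]
    return bytes(a ^ b for a, b in zip(block, pad))


encrypt_block = _stand_in_cipher
decrypt_block = _stand_in_cipher  # XOR pad: the same operation both ways


def hsm_translate(block_in: bytes, key_in: bytes, key_out: bytes) -> bytes:
    """What an intermediary's HSM does: decrypt under the inbound zone key and
    re-encrypt under the outbound one. The clear PIN block exists inside this
    boundary, so whoever controls the boundary can reach the PIN."""
    clear = decrypt_block(key_in, block_in)
    return encrypt_block(key_out, clear)


def run_online_pin_path(pin: str, pan: str) -> dict:
    """Drive one PIN through terminal -> acquirer -> scheme network -> issuer
    and report what the issuer and an intermediary can each recover.
    Keys are constructed per run (assumption)."""
    tpk = secrets.token_bytes(16)          # terminal PIN key: terminal <-> acquirer
    zpk_acq_net = secrets.token_bytes(16)  # zone key: acquirer <-> scheme network
    zpk_net_iss = secrets.token_bytes(16)  # zone key: scheme network <-> issuer

    # Terminal: encrypt the PIN block under the terminal PIN key.
    from_terminal = encrypt_block(tpk, build_pin_block(pin, pan))

    # Acquirer (intermediary 1): translate TPK -> ZPK(acquirer, network).
    from_acquirer = hsm_translate(from_terminal, tpk, zpk_acq_net)

    # Scheme network (intermediary 2): translate ZPK(acq, net) -> ZPK(net, issuer).
    from_network = hsm_translate(from_acquirer, zpk_acq_net, zpk_net_iss)

    # Issuer: decrypt under the last zone key and verify (here: recover the PIN).
    issuer_pin = recover_pin(decrypt_block(zpk_net_iss, from_network), pan)

    # The trust assumption the abstract questions: an intermediary that can use
    # its zone key outside the intended translate operation, together with the
    # PAN from the message, reads the PIN without terminal or issuer involvement.
    intermediary_pin = recover_pin(decrypt_block(zpk_acq_net, from_acquirer), pan)

    return {"issuer_pin": issuer_pin, "intermediary_pin": intermediary_pin}
```

The PIN block is never protected end to end between terminal and issuer in this model: every hop that holds a zone key is a point where the clear PIN can be obtained, which is why the intermediaries must be trusted. Note that the XOR stand-in is also why `encrypt_block` and `decrypt_block` are the same function; with TDES they would differ, but the custody argument is unchanged.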
