Cryptography Reference
that is encrypted in order to generate the PVV. The issuing bank needs to share
the key that it uses to compute this PVV with the PCO.
The PVV is four digits long, so that its security is 'equivalent' to that of the PIN
itself. Like the CVV, the PVV is normally stored on the magnetic stripe but not
displayed on the card. During a PIN verification request, the PCO recomputes the
PVV using the PIN that has been offered by the customer and checks whether this
value matches the PVV on the magnetic stripe. If it does then the PIN verification
is accepted.
Although CVVs and PVVs are short values, and hence theoretically could be
exhaustively searched for by an attacker, PCOs use procedural controls to stop
any apparent attack of this type. A typical control rejects the card after a maximum
of three or four attempts. In this way a relatively weak cryptographic mechanism
is strengthened by an appropriate management control.
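The following sketch is an added example, not taken from the book: it shows a verifier recomputing a four-digit check value from the offered PIN and enforcing the attempt limit described above. The derivation is a stand-in (HMAC-SHA256 reduced to four digits), not the real PVV algorithm, and the names derive_check_value, PinVerifier and MAX_ATTEMPTS, the key and the account number are all hypothetical or constructed.

```python
import hashlib
import hmac

MAX_ATTEMPTS = 3  # the text cites "three or four"; three is assumed here


def derive_check_value(key: bytes, pan: str, pin: str) -> str:
    """Four-digit keyed check value over PAN and PIN.

    Stand-in only: HMAC-SHA256 reduced mod 10000, not the real PVV algorithm.
    """
    mac = hmac.new(key, f"{pan}|{pin}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10_000:04d}"


class PinVerifier:
    """Plays the PCO: recomputes the check value and enforces the try limit."""

    def __init__(self, key: bytes):
        self.key = key
        self.failures = {}  # PAN -> consecutive failed attempts

    def verify(self, pan: str, stripe_value: str, offered_pin: str) -> str:
        if self.failures.get(pan, 0) >= MAX_ATTEMPTS:
            return "card rejected"  # locked: no further comparison is made
        candidate = derive_check_value(self.key, pan, offered_pin)
        if hmac.compare_digest(candidate, stripe_value):
            self.failures[pan] = 0
            return "accepted"
        self.failures[pan] = self.failures.get(pan, 0) + 1
        if self.failures[pan] >= MAX_ATTEMPTS:
            return "card rejected"
        return "declined"


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed; shared by issuer and PCO
    pan = "4000000000000002"        # constructed account number
    stripe = derive_check_value(key, pan, "4821")  # value held on the stripe
    pco = PinVerifier(key)
    for pin in ("1111", "2222", "3333", "4821"):
        print(pin, "->", pco.verify(pan, stripe, pin))
```

Once the limit is reached the verifier refuses even the correct PIN, so the 10,000-value space cannot be walked through the verification service.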
PAYMENT CARD AUTHORISATION
When a payment card is inserted into a terminal, the main goal of the terminal is
normally to determine the validity of the card and decide whether the transaction
that is being requested is likely to go through. Prior to magnetic stripe cards, this
process required a merchant to make a telephone call to the issuer. The ability
for a terminal to extract data from the magnetic stripe and automatically contact
the issuer in order to authorise a transaction certainly makes this process easier.
However, it is important to note that with magnetic stripe cards this process still
requires direct (online) communication with the card issuer. This requirement
has restricted the adoption of payment cards of this type in countries with poor
communication infrastructures.
12.4.3 EMV cards
EMV cards were introduced for two main reasons. The first reason was in order
to improve the security of payment card transactions. The other reason was to
lower telecommunication costs by introducing a secure means of authorising a
transaction offline, hence reducing the number of times that a merchant might
have to contact a card issuer.
The introduction of EMV cards has greatly increased the use of cryptography
to protect payment card services since the chip on the card is capable of storing
cryptographic keys. As we will see in Sections 12.4.4 and 12.4.5, they have also
increased the diversity of secure services for which a card can be used.
PIN VERIFICATION
PIN verification becomes much more straightforward for EMV than for magnetic
stripe cards, since the PIN can be stored on the chip itself. This allows a terminal
to easily verify the PIN without having to contact the card issuer, or use a service
based on a PVV.
 