These include PIN changes, PIN unblocking instructions and changes to card
data items (such as credit limits). These instructions are sent by the card issuer
to the card (via a terminal). They are authorised by computing and verifying a
MAC on the instruction, which is generated using a symmetric key that is shared
by the card issuer and the card. Since this is a very different use of symmetric
cryptography, in line with the principle of key separation (see Section 10.6.1) this
key is different from the one used in online authentication.
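The following is an added Python illustration of the mechanism just described, not code from the book: the issuer MACs a script command under a script key that is derived separately from the online-authentication key, and the card accepts the command only if its own copy of that key reproduces the tag. HMAC-SHA256, the purpose-labelled key derivation, the text command encoding and the transaction counter are all assumptions made for the illustration, not the card scheme's actual formats.

```python
import hmac
import hashlib

# Constructed example of an issuer script (e.g. a credit-limit change) protected by
# a MAC under a key that is distinct from the online-authentication key (key
# separation). HMAC-SHA256 stands in for the scheme's real MAC algorithm; the
# command encoding and counter are illustrative, not the EMV wire format.

def derive_key(master_key: bytes, purpose: bytes) -> bytes:
    """Derive a purpose-specific key from the shared master key (assumed KDF)."""
    return hmac.new(master_key, b"key-separation:" + purpose, hashlib.sha256).digest()

def mac_script(script_key: bytes, command: bytes, counter: int) -> bytes:
    """Issuer side: MAC the command together with a counter so that a captured
    script cannot simply be replayed to the card (counter is an assumption)."""
    data = counter.to_bytes(4, "big") + command
    return hmac.new(script_key, data, hashlib.sha256).digest()[:8]

def card_verify_script(script_key: bytes, command: bytes, counter: int, tag: bytes) -> bool:
    """Card side: recompute the MAC with its copy of the script key and compare
    in constant time; any mismatch means the instruction is rejected."""
    expected = mac_script(script_key, command, counter)
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    master = bytes.fromhex("00" * 16)  # constructed master key, not a real one
    auth_key = derive_key(master, b"online-auth")      # key for online authentication
    script_key = derive_key(master, b"issuer-script")  # separate key for issuer scripts
    command = b"SET_CREDIT_LIMIT:5000"
    counter = 42
    tag = mac_script(script_key, command, counter)
    return {
        "keys_differ": auth_key != script_key,
        "valid": card_verify_script(script_key, command, counter, tag),
        # Using the online-authentication key for scripts must fail: key separation.
        "wrong_key_rejected": not card_verify_script(auth_key, command, counter, tag),
        "tampered_rejected": not card_verify_script(script_key, b"SET_CREDIT_LIMIT:9000", counter, tag),
        "replay_rejected": not card_verify_script(script_key, command, counter + 1, tag),
    }

if __name__ == "__main__":
    print(demo())
```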
12.4.4 Using EMV cards online
The previous security features of EMV cards all relate to applications where a card
comes into contact with a terminal owned by a merchant. In this sense the card is
physically 'present' and security features of the card can be directly employed.
However, an increasing number of transactions are conducted when the card
is remote from the merchant, most commonly when a customer makes an
online transaction. These are referred to as card-not-present (CNP) transactions.
The potential for fraud in such transactions is high, since the most common
information used to authenticate CNP transactions is simple card data (PAN,
expiry date, CCV2), which is relatively easily acquired by a determined attacker.
From the card holder perspective, the counter to this fraud threat has been
the ability to challenge fraudulent transactions. However, this brings significant
costs to the merchants, as well as being an inconvenience to the PCOs and
cardholders when new cards have to be reissued to customers who have been
fraud victims.
Secure Electronic Transactions (SET) was a standard that proposed a heavy
architecture and set of procedures for securing CNP transactions. It relied on an
overarching public-key management system and required all merchants to acquire
special supporting equipment. Its complexity prevented it from being successful
and so Visa and Mastercard developed a more lightweight approach known as
3DSecure. The two main goals of 3DSecure are:
1. The card issuer is able to authenticate its payment card holders during a CNP
transaction.
2. A merchant gains assurance that it will not later be financially punished because
of a fraudulent transaction.
3DSecure is much more flexible than SET because it allows a card issuer to decide
by what means it will authenticate its card holders during a CNP transaction. The
overall benefits to all parties are that the increased transaction security allows the
PCOs to charge merchants less money for using their services.
At its heart, 3DSecure relies on the following process:
1. A merchant that is 3DSecure-enabled puts in a request for authorisation of
the card.