Research article, DOI: 10.1145/1456455.1456468

e-EMV: emulating EMV for internet payments with trusted computing technologies

Published: 31 October 2008

Abstract

This paper shows how the functionality associated with EMV-compliant payment cards can be securely emulated in software on platforms supporting Trusted Computing technology. We describe a detailed system architecture encompassing user enrolment, card deployment (in the form of software), card activation, and subsequent transaction processing. Our proposal is compatible with the existing EMV transaction processing architecture, and thus integrates fully and naturally with already deployed EMV infrastructure. We show that our proposal, which effectively makes available the full security of PoS transactions for Internet-based CNP transactions, has the potential to significantly reduce the opportunity for fraudulent CNP transactions.

Published In

STC '08: Proceedings of the 3rd ACM workshop on Scalable trusted computing
October 2008
100 pages
ISBN:9781605582955
DOI:10.1145/1456455
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. EMV
  2. card not present
  3. trusted computing

Qualifiers

  • Research-article

Conference

CCS08
Acceptance Rates

Overall Acceptance Rate 17 of 31 submissions, 55%

Cited By

  • (2013) A cloud based dual-root trust model for secure mobile online transactions. 2013 IEEE Wireless Communications and Networking Conference (WCNC), pages 4404-4409. DOI: 10.1109/WCNC.2013.6555287. Online publication date: Apr-2013
  • (2012) Softer Smartcards. Financial Cryptography and Data Security, pages 329-343. DOI: 10.1007/978-3-642-32946-3_24. Online publication date: 2012
  • (2011) Compiling information-flow security to minimal trusted computing bases. Proceedings of the 20th European conference on Programming languages and systems: part of the joint European conferences on theory and practice of software, pages 216-235. DOI: 10.5555/1987211.1987223. Online publication date: 26-Mar-2011
  • (2011) Trusted computing enhanced user authentication with OpenID and trustworthy user interface. International Journal of Internet Technology and Secured Transactions, 3:4, pages 331-353. DOI: 10.1504/IJITST.2011.043133. Online publication date: 1-Oct-2011
  • (2011) Uni-directional trusted path. Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks, pages 1-12. DOI: 10.1109/DSN.2011.5958202. Online publication date: 27-Jun-2011
  • (2011) Compiling Information-Flow Security to Minimal Trusted Computing Bases. Programming Languages and Systems, pages 216-235. DOI: 10.1007/978-3-642-19718-5_12. Online publication date: 2011
  • (2010) Blind processing: Securing data against system administrators. 2010 IEEE/IFIP Network Operations and Management Symposium Workshops, pages 304-311. DOI: 10.1109/NOMSW.2010.5486559. Online publication date: Apr-2010
