e-EMV: emulating EMV for internet payments with trusted computing technologies

This paper shows how the functionality associated with EMV-compliant payment cards can be securely emulated in software on platforms supporting Trusted Computing technology. We describe a detailed system architecture encompassing user enrolment, card deployment (in the form of software), card activation, and subsequent transaction processing. Our proposal is compatible with the existing EMV transaction processing architecture, and thus integrates fully and naturally with already deployed EMV infrastructure. We show that our proposal, which effectively makes available the full security of PoS transactions for Internet-based CNP transactions, has the potential to significantly reduce the opportunity for fraudulent CNP transactions.