
Extending EMV To Protect Sensitive Card Data

EMV has finally come to the US, the largest payment market, which had been fully reliant on the outdated and counterfeit-prone magnetic stripe technology. Why is EMV so significant as a payment technology?

Being based on smart card chip technology, EMV is able to make advanced use of cryptography to:

  • detect counterfeit cards by performing 'challenge-response' based card Dynamic Data Authentication (DDA)
  • digitally sign the final transaction outcome (resulting in transaction cryptogram values unique for each EMV transaction), which protects against replay attacks and guarantees non-repudiation
  • authenticate the cardholder, by offline PIN verification
  • verify the authenticity of the card issuer server's online authorization response (by verifying the digital signature of the Issuer Authentication Data carried as part of the response message)

With such a rich arsenal of advanced security techniques, EMV is clearly a superior technology compared to the static magnetic stripe and QR codes.

But does EMV 'as-is' today offer full protection of sensitive card data at the point of sale? No, it does not. All current EMV cards still provide the Primary Account Number (PAN / card number) unprotected to POS terminals (and indirectly to all downstream Merchant systems) during the EMV transaction. According to the Smart Payment Association, in 2014 alone over 1.5 billion EMV payment cards were shipped (http://www.smartpaymentassociation.com/en/news_events/latest_news/contactless-payment-and-us-chip-and-pin-adoption-d_i5qorvq6.html?s=UA9S1R3DByMgZ1Wi8e). That's a lot of unprotected PANs being potentially exposed.

The POS terminals and downstream Merchant systems are considered inherently less secure than tamper-proof EMV chip cards and Payment Network / Card Issuer systems. As a result, the Merchant POS and downstream systems are frequent targets of successful cyber attacks, resulting in millions of stolen PAN values. The stolen card data can then be tried in online / Card Not Present (CNP) payment use cases. If the online merchant isn't asking for the CVV value, which doesn't seem to be mandatory (in recurring payments it is not even possible), the fraudulent online transaction with stolen card data is usually approved by the card issuers. The costs associated with recent massive and prominent data breaches (Target, Home Depot, etc.) can be devastating: those include, but are not limited to, the costs of reissuing compromised cards, costs of retail brand damage, civil class action lawsuits, etc. The recent reports of Apple Pay registration fraud with stolen card data should be a wake-up call that PAN protection at the POS should not be taken as lightly as it has been so far.

The Acquirers and POS vendors have attempted to address the issue of protecting sensitive card data for in-store payments with Point To Point Encryption (P2PE). The basic principle of P2PE is that a special secure POS card reader uses a key shared with the Acquirer host to encrypt the PAN right inside the card reader, before it enters the POS application and Merchant systems. It is definitely a step in the right direction; however, P2PE solutions may have their own set of challenges.

For example:

  • Merchants are expected to invest in purchasing / leasing / installing POS terminals that have P2PE-capable card readers
  • The P2PE approach assumes that Merchants are honest, i.e. not willing to collaborate with fraudsters - for example, a dishonest Merchant could have 2 card readers (1 of them used for skimming) - and then 'swipe' (or tap) the unsuspecting cardholder's card twice during the transaction.
  • P2PE is considered by many to be Acquirer proprietary - i.e. once a Merchant adopts the P2PE offering of an Acquirer, it is usually hard to switch to another Acquirer, even if they offer a better transaction processing service in terms of support and transaction fees.

All these factors potentially create resistance and slow down wider adoption of P2PE solutions.

On the other hand, the Tokenization Framework, which was recently introduced by EMVCo, aims to protect sensitive card data in card-present mobile NFC (HCE included) and card-not-present / online payments. Apple Pay is the most prominent example of a successful payment application using Tokenization. In trying to cover as many of the mobile and card-not-present use cases as possible, though, EMVCo Tokenization introduced several new data elements and roles, and it requires participants in the payment ecosystem to make changes to accommodate those extensions.

Unfortunately, EMVCo Tokenization still doesn't address the protection of sensitive PAN data in payment transactions done with plastic EMV cards at physical POS terminals. We clearly do need an approach for protecting sensitive card data in those use cases as well, one that does not rely on the merchant's willingness to collaborate (as is the case with P2PE).

Fortunately, that goal can be achieved rather simply and cheaply - by moving the PAN encryption from the POS P2PE card reader to the card chip, which hosts the EMV payment application. The concept of 'End To End Format Preserving Encryption' (or E2E-FPE) offers a simple, cost-effective enhancement of the standard EMV functionality, by seamlessly adding Format Preserving PAN Encryption capability as an extension of the standard EMV card application, without impacting the current set of EMV and ISO 8583 specifications and protocols. It ensures that only the Payment Network Host and the EMV payment application are aware of the real PAN values, and that every system in between those trusted end points only deals with format-preserving, unique-per-transaction ‘PAN cryptogram’ values.

By being ‘unique per transaction’, the E2E-FPE ‘PAN cryptogram’ is useless to anybody who steals it after the transaction has already been completed. By being ‘format preserving’, the ‘PAN cryptogram’ looks, feels and behaves like a real PAN, ensuring normal handling and routing through the POS terminals, Merchant and Acquirer systems, and eliminating the need for expensive changes in those components. Despite utilizing the 'unique per transaction PAN cryptograms', the E2E-FPE solution fully preserves the ability of Merchant and Acquirer systems to easily and reliably detect repeat usage of the same physical EMV card. That is very important for virtually unchanged handling of REFUNDs, LOYALTY and TRANSPORTATION (Tap-In/Tap-Out) payment use cases.

The E2E-FPE solution would be a perfect complement to EMVCo Tokenization, because it protects the PAN during transactions performed by plastic physical EMV cards at physical POS terminals, while the EMVCo Tokenization framework protects the PAN in mobile and online transactions. These two methods, applied and combined together, have the potential to empower the Payment Network and / or card Issuers to ensure full protection of the sensitive payment credentials in all payment use cases.
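To make 'format preserving' and 'unique per transaction' concrete, here is an added sketch that is not taken from this article or the linked E2E-FPE paper: a toy Feistel cipher over decimal digits that keeps the 6-digit BIN for routing and recomputes the Luhn check digit. It assumes the card and the Payment Network Host share `key` and that the EMV Application Transaction Counter (`atc`) travels with the transaction as the per-transaction tweak; a real design would use a vetted FPE mode such as NIST FF1, and this sketch does not cover the repeat-usage detection mentioned above.

```python
import hashlib, hmac

ROUNDS = 10  # even, so both halves end up with their original lengths

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def _prf(key: bytes, tweak: bytes, rnd: int, half: str, m: int) -> int:
    """Round function: HMAC-SHA256 reduced to an m-digit number (toy, slightly biased)."""
    mac = hmac.new(key, tweak + bytes([rnd]) + half.encode(), hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % 10**m

def _feistel(key: bytes, tweak: bytes, digits: str, decrypt: bool = False) -> str:
    """Alternating Feistel network over a decimal string (FF1-like layout)."""
    u = len(digits) // 2; v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        m = u if i % 2 == 0 else v
        if decrypt:
            c = (int(b) - _prf(key, tweak, i, a, m)) % 10**m
            a, b = str(c).zfill(m), a
        else:
            c = (int(a) + _prf(key, tweak, i, b, m)) % 10**m
            a, b = b, str(c).zfill(m)
    return a + b

def _transform(key: bytes, pan: str, atc: int, decrypt: bool) -> str:
    # Keep the BIN for routing, transform the middle digits, recompute Luhn.
    bin_, middle = pan[:6], pan[6:-1]
    tweak = bin_.encode() + atc.to_bytes(2, "big")  # assumed tweak: BIN + ATC
    body = bin_ + _feistel(key, tweak, middle, decrypt)
    return body + luhn_check_digit(body)

def pan_cryptogram(key: bytes, pan: str, atc: int) -> str:
    return _transform(key, pan, atc, decrypt=False)

def recover_pan(key: bytes, cryptogram: str, atc: int) -> str:
    return _transform(key, cryptogram, atc, decrypt=True)

if __name__ == "__main__":
    key, pan = bytes(range(32)), "4111111111111111"  # constructed key, test PAN
    for atc in (1, 2):  # same card, two transactions, two cryptograms
        c = pan_cryptogram(key, pan, atc)
        print(atc, c, recover_pan(key, c, atc))
```

Every system between the chip and the host sees only a 16-digit, Luhn-valid value with the original BIN, and a value captured from one transaction does not match the cryptogram of the next.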

Even better, by reducing (or completely eliminating) the current Merchant's PCI-DSS costs, those cost savings can then make a compelling business case for EMV adoption.

More details about the concept of E2E-FPE can be found here: https://www.dropbox.com/s/4c1n4ozui33rr7b/EMV%20With%20E2E-FPE.pdf?dl=0

Comments: (1)

Milos Dunjic - TD Bank Group - Toronto 19 May, 2016, 18:02

Latest reported ATM skimming fraud would not be possible with EMV cards enhanced with E2E-FPE FinTech innovation
