e-EMV: Emulating EMV for Internet payments using Trusted Computing technology

The introduction of Static Data Authentication (SDA) compliant EMV cards with their improved cardholder verification and card authentication capabilities has resulted in a dramatic reduction in the levels of fraud seen at Point of Sale (POS) terminals. However, with this POS-based reduction has come a corresponding increase in the level of fraud associated with Internet-based Card Not Present (CNP) transactions. This increase is largely attributable to the fact that Internet-based CNP processing has no easy way of integrating EMV into its transaction architecture. In this regard, payment is reliant on Mail Order Telephone Order (MOTO) based processing where knowledge of card account details is deemed a sufficient form of transaction authorisation. This report aims to demonstrate how Trusted Computing technology can be used to emulate EMV for use in Internet-based CNP transactions. Through a combination of a Trusted Platform Module, processer (with chipset extensions) and OS support we show how we can replicate the functionality of standard EMV-compliant cards. The usage of Trusted Computing in this setting allows a direct migration to more powerful Combined DDA and application cryptogram generation (CDA) cards as well as offering increased security benefits over those seen in EMV’s deployment for POS transactions. Customer to Merchant interaction in our setting mirrors transaction processing at traditional POS terminals. We build upon the services offered by Trusted Computing in order to provide a secure and extensible architecture for Internet-based CNP transactions.