See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/323073718

An Overview of the EMV Protocol and Its Security Vulnerabilities

Conference Paper · February 2018

DOI: 10.1109/MOBISECSERV.2018.8311444

CITATIONS READS
2 1,065

3 authors:

Nour El Madhoun Emmanuel Bertin

Sorbonne Université Orange Labs
8 PUBLICATIONS   48 CITATIONS    103 PUBLICATIONS   509 CITATIONS   

SEE PROFILE SEE PROFILE

Guy Pujolle
Sorbonne Université
789 PUBLICATIONS   6,517 CITATIONS   

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

SUNI: Secure and Unified Network Infrastructure View project

IOT security View project

All content following this page was uploaded by Nour El Madhoun on 19 March 2018.

The user has requested enhancement of the downloaded file.

An Overview of the EMV Protocol and Its Security
Vulnerabilities
Nour El Madhoun∗ , Emmanuel Bertin† , Guy Pujolle∗
∗ Sorbonne Université, CNRS, LIP6, 4 place Jussieu 75005 Paris, France
† OrangeLabs, 42 rue des Coutures BP 6243 14066 Caen, France
Email: {nour.el-madhoun, guy.pujolle}@lip6.fr; emmanuel.bertin@orange.com
Abstract—EMV (Europay Mastercard Visa) is the inter-
national standard implemented to secure purchase and de-
posit/withdrawal transactions. It represents a set of security
rules and messages exchanged between the transaction actors
in order to guarantee important security properties (such as
authentication, authorization, integrity, etc.). However, several
recent research studies have analyzed the EMV security standard
and show that it is vulnerable to attacks. This paper presents an
overview of the EMV protocol and its security vulnerabilities.
Index Terms—EMV protocol, EMV vulnerabilities, in-store
payment, NFC technology, security.
I. I NTRODUCTION
With the increase in the prices of our purchases, cash pay-
ment becomes more difficult and less secure because we have
to carry large quantities of coins and banknotes. Therefore,
in order to safely manage our funds, guarantee the fluidity
of our financial transactions and effectively get rid of using
only cash, banks today offer us the possibility to open a bank
account and provide us with several means of payment such as
bank cards, checks and transfers [1]. Indeed, a bank payment
method can be used at any time and anywhere, and in the case
of theft or fraud, one only needs to call the bank and interrupt
the payment method. In the studies [2] [3] [4], authors show
that the bank card is considered the safest and most practical
means of payment because it: is simple to obtain by banks, is
small in size (we can safely keep it to be protected), includes
insurance/assistance and it allows to [5] [6] [7]:
• Deposit or withdraw cash: by inserting it into any ATM
(Automated Teller Machine) and by entering a PIN
(Personal Identification Number) code to authenticate the
client (cardholder).
• Perform online payments: by manually entering the bank-
ing data, which are stored in the card, on the website of
the merchant. The online payment is done remotely where
the client and the merchant are not in the same place.
The banking data are: PAN (Primary Account Number),
client’s name, expiration date, security code (three-digit
visual cryptogram).
• Make purchases in stores where the client and the mer-
chant are in the same place, and the merchant’s payment
device is represented by a POS (Point Of Sale) machine.
The purchase transaction in a store can be executed in
two different cases:
1
– With contact: the client inserts his bank card into
the POS and enters a PIN code or a signature to
authenticate himself. This case of payment is generally
used for any amount requested by the merchant.
– Contactless: this case of payment is based on the
NFC (Near Field Communication) wireless technology
which allows interaction between two devices without
any physical contact, within a short distance (5-10
centimeters) [8]. This technology is integrated today
in the form of an NFC antenna in bank cards and
POS devices in order to rapidly perform contactless
purchase transactions; the client only approaches the
NFC bank card near to the POS and he does not need
to enter a PIN code or a signature. In fact, the NFC
payment is generally used for small amounts (less than
20 Euros in France). We note that NFC technology is
also integrated in smartphones that can then act as NFC
cards to execute contactless purchases [6]. In the rest
of this paper, a client’s payment device either refers to
a classic bank card or to an NFC bank card or to an
NFC smartphone (see section II-A).
In this work, we are interested in introducing generali-
ties on the EMV standard that is intended to secure pur-
chase (contact/contactless-NFC) and deposit/withdrawal trans-
actions. Authors of many recent studies have analyzed this
standard by showing that it is vulnerable to attacks and it fails
to ensure important security properties. We also present an
overview of these vulnerabilities in this paper.
II. EMV S TANDARD
EMV is the security payment standard managed by a con-
sortium EMV with shared control between payment schemes:
Visa [9], MasterCard [10], American Express [11], JCB (Japan
Credit Bureau) [12], China UnionPay [13] and Discover [14].
It allows to secure the communication between the actors
involved in a contact/contactless-NFC purchase transaction
and in a deposit/withdrawal operation, by exchanging a set
of security messages and rules [15]. For more details and
clarifications about the EMV protocol, it is essential to consult
these references [6] [15] [16] [17] [18] [19].
A. EMV Actors
Fig-1 illustrates the actors that participate in executing a
secure purchase or deposit/withdrawal transaction [1] [16]:
 (1)
(2)
(3)
Fig. 1. EMV payment system
(1) Payment scheme (Visa, MasterCard, American Express,
etc.): it is a network guaranteeing the transfer of money and
the communication between banks. Any eligible establishment
can enter this scheme as a member to become a bank with
licensing fees. For settlement of a purchase transaction, the
acquiring bank communicates with the issuing bank (and vice
versa for a refund) through the payment scheme thanks to
the banking network. The same principle is used so that the
ATM bank communicates with the issuing bank to complete
a deposit/withdrawal transaction.
(2) Issuing bank: it is the bank that contracts with the client
to open his bank account. It generates banking data identifying
the client and ensuring security purposes (as authentication,
authorization, etc.). These banking data are sensitive and they
are securely stored in the issuing bank.
(3) Client’s payment device:
• Bank card: it is provided by the issuing bank and includes
a smart chip which is able to execute cryptographic
security functions. It may contain only one contact in-
terface or both contact and NFC interfaces. It can be
used to make contact/contactless-NFC purchases or to
deposit/withdraw cash money (see section I). In addition,
the issuing bank securely stores the banking data in its
smart chip.
• NFC smartphone: it integrates an NFC antenna and it acts
as an NFC bank card in card emulation mode thanks to an
NFC payment application provided by the issuing bank
[5] [20]. It can only be used to make contactless-NFC
2
(4)
(4)
(5)
(5)
purchases. The banking data are either stored in the SIM
card as in orange bank system [21] or are replaced by
tokenized banking data [22] [23].
(4) Acquiring bank: it is the bank that contracts with the
merchant to open a company’s bank account.
(4)’ ATM bank: it is the bank that provides ATM machines.
(5) POS: it is the merchant’s device provided by the
acquiring bank and allowing to accept contact/contactless-NFC
purchases from client payment devices.
(5)’ ATM: it allows for a client to use his bank card to
deposit or withdraw cash money.
B. EMV Protocol Session
To perform a secure EMV purchase or deposit/withdrawal
transaction, EMV actors exchange security messages that can
be divided into four steps [15] [16] [18]:
1) Initialization: it is a primary negotiation step between
the client’s payment device and the POS/ATM. The latter gets,
from the client’s payment device, basic data needed for the
next steps such as the PAN and the expiration date, and other
information about the security features and configurations
supported by the client’s payment device. The latter may
optionally request from the POS/ATM some information (as
the country code, the amount...) before sending its own data.
2) Authentication of the client’s payment device: this step
provides protection against counterfeit client payment devices
and ensures the integrity of banking data. There are three EMV
authentication methods: SDA (Static Data Authentication),
DDA (Dynamic Data Authentication) and CDA (Combined
Data Authentication). In fact, this step is optional and the
client’s payment device tells the POS/ATM, in the previous
step, which methods it supports. If the POS/ATM and the
client’s payment device support one or more common meth-
ods, then the POS/ATM shall execute the most secure (highest)
common method supported by both. However, if there are no
common method, then this step will not be executed.
3) Authentication of the client: this step allows protection
against lost and stolen client payment devices. The client’s
payment device must support at least one CVM (Cardholder
Verification Method). One can encounter the following types
of CVMs:
• PIN entry: the client enters the PIN code into the PIN pad
on the POS/ATM. This PIN can be validated and verified
in two different ways:
– Online: the POS/ATM sends it encrypted using a
symmetric key to the issuing bank, which can check
whether it is correct or not.
– Offline: the POS/ATM sends it encrypted using the
asymmetric cryptography or in clear to the client’s pay-
ment device, which compares it with the PIN reference
stored in its memory.
• Handwritten signature: the client provides his signature
on a paper (receipt).
• PIN and signature: this method is simply a combination
of a PIN entered and a written signature that are both
provided by the client.
• No CVM: it is intended only for contactless-NFC pur-
chases that do not require to entrer a PIN code or a
signature, because they must be executed quickly and they
are limited to small amounts as presented in section I.
In fact, the choice of executing a CVM is governed by
the capabilities of the client’s payment device, POS/ATM
capabilities and the type of the transaction performed. The
client’s payment device sends a CVM list containing its
capabilities to the POS/ATM in the initialization step. The
CVM list also indicates the priority order of CVMs so that
the POS/ATM will execute each CVM according to its priority,
and if one CVM fails, the POS/ATM continues with the next
CVM until at least one is successful or the list is finished.
4) The actual transaction: it is the final step in EMV
protocol and it is not optional as step 2 if there is no common
method or step 3 in the case of NFC payment. Indeed, it can
be executed either in the online mode (with the issuing bank)
or in the offline mode (with the client’s payment device). The
POS/ATM chooses what mode it wants to perform the actual
transaction, but the client’s payment device may refuse the
choice of an offline mode and force the POS/ATM to go online.
• Offline transaction: the client’s payment device provides
a confirmation proof of the transaction through a TC
(Transaction Certificate) to the POS/ATM, which sends
it later to the issuing bank.
• Online transaction: the client’s payment device provides
an ARQC (Authorisation Request Cryptogram) to the
POS/ATM which forwards it to the issuing bank for
3
approval. If the client’s payment device receives the
approval, then it sends a TC to the POS/ATM as a
confirmation proof of the transaction.
• Declined transaction: in both modes, the client’s payment
device can completely reject the transaction where it
sends to the POS/ATM an AAC (Application Authen-
tication Cryptogram) instead of a TC or an ARQC.
III. EMV A NALYZES
A. EMV Security Vulnerabilities
1) Vulnerabilities attached to the EMV specification
a) In the study [17], authors demonstrate that an attacker
can authorize an EMV purchase transaction by entering
an incorrect PIN code in the offline case of the EMV
step 3. The attacker modifies the step 3 by sending
the POS a message indicating that the PIN entered (by
the attacker) is well verified by the client’s payment
device and it is correct, and by informing the client’s
payment device that the transaction is verified by a
signature and no PIN is required. The main cause for
this attack is that: the response of the client’s payment
device indicating that the PIN code was correct is not
authenticated by the POS [24].
b) If the client’s payment device is a bank card that
supports SDA method, then it can be easily cloned
and the cloned card can be used to perform offline
purchase transactions. Consequently, the cloned card
can also be programmed to support the CVM ’offline
plaintext PIN’ and to confirm any PIN received for
verification. In fact, this vulnerability is only detected
by the issuing bank and not by the POS [18].
c) The EMV payment system guarantees that client pay-
ment devices corresponding to different issuing banks
are accepted by any POS/ATM of any acquiring/ATM
bank around the world. Therefore, to make any client’s
payment device compatible with any POS/ATM, the
EMV primary negotiation step is included (see section
II-B). The papers [25] and [26] show that this step
presents an important vulnerability in the EMV stan-
dard, where it is possible for an attacker to modify
the abilities of the client’s payment device or the
POS/ATM to put the POS/ATM in a vulnerable state.
This type of attack is called a downgrade attack.
• According to EMV specifications [15], an EMV
contactless-NFC purchase transaction should not
be accepted if an attacker uses a cloned NFC
bank card, because the original secret key of the
original NFC bank card cannot be copied. How-
ever, in the work [25], authors demonstrate that
an attacker who happens to clone an NFC bank
card (without copying the original secret key), can
modify the capabilities of the cloned NFC bank
card to fool the POS into executing a contactless-
NFC magnetic stripe purchase transaction (used in
 the United States) rather than an EMV contactless-
NFC purchase transaction [24].
d) Authors in [27] illustrate that it is theoretically possible
to falsify a DDA or CDA cryptographic authentica-
tion signature. This attack is not practical because it
is necessary to execute 4,639 partial transactions by
accessing the client’s payment device to generate the
falsified DDA or CDA signature. Also, each transaction
lasts about 500ms and therefore, in order to achieve this
attack, one needs to have access to the client’s payment
device for 38 minutes [24].
e) The studies [1] [6] [28] show that the EMV standard
does not ensure the full required security for a pur-
chase or deposit/withdrawal transaction by missing the
guarantee of two security properties:
• The confidentiality of banking data: the client’s
payment device sends banking data "the PAN and
the expiration date" in clear to the POS/ATM in the
initialization step.
• The authentication of the POS/ATM is not ensured
to the client’s payment device. The latter can
communicate with any unauthenticated reader by
sending the banking data without encryption.
f) After a successful EMV purchase transaction, the POS
prints two proofs of payment: the first one is intended
for the client and contains the PAN and the expiration
date truncated both, the second one is destined to the
trader and contains the PAN and the expiration date
written both in clear text for traceability purposes.
In [1] [29], authors indicate that a thief can steal
the merchant printed proofs to get banking data from
several clients. Then, he can use the stolen data to
make fraudulent purchase transactions on the internet
without needing to enter the security code: several
websites as "www.amazon.com", "www.zappos.com"
do not request the security code.
2) Vulnerabilities due to the contactless-NFC interface
a) By default, NFC technology allows communication
between two devices within a short distance "5-10cm".
Therefore, the EMV consortium has assumed that a
contacless-NFC purchase transaction cannot exceed
this short distance [30]. Hence, a relay attack presented
in [31] [32] breaks this assumption by showing that it is
possible to perform an NFC purchase transaction using
an NFC bank card which is at a distance of several
kilometers from the POS. Fig-2 illustrates this attack
[24] [33].
b) A contactless-NFC purchase transaction is done wire-
lessly and this leaves a vulnerability for data hacking
attacks: eavesdropping and prolonging reading dis-
tance. The papers [28] [34] show that an attacker can
eavesdrop the NFC communication during an NFC
purchase transaction to retrieve the banking data sent
without encryption. Also, he can remotely steal bank-
ing data from NFC bank cards, by extending the NFC
4
reading distance, thanks to an amplifier which can be
attached to the NFC antenna of an unauthenticated
NFC reader to reach up until 1.50 meters. In fact,
the attacker can use the banking data to make online
fraudulent purchases, to track the client using the PAN
number and also to do a brute force attack to obtain
the security code as presented in [7].
B. Proposed Solutions
Security protocols have been proposed in [6] [35] [36] [37]
to guarantee the confidentiality of banking data and ensure the
authentication of the POS/ATM to the client’s payment device.
In the study [7], authors present a solution preventing attacks
by brute force.
Fig. 2. Contactless relay attack [24] [33]
IV. C ONCLUSION
In this paper, we presented an overview of the EMV
payment standard and we discussed its security vulnerabilities.
R EFERENCES
[1] N. El Madhoun and E. Bertin, “Magic always comes with a price:
Utility versus security for bank cards,” The 1st IEEE Cyber Security
in Networking Conference (CSNet’17), 2017.
[2] Etude de l’institut de sondages d’opinion CSA, “Les français et les
moyens de paiement,” last connection (06/08/2017). [Online]. Available:
https://www.economie.gouv.fr/files/sondagecsa_synthese.pdf
[3] Féderation bancaire française, “Les moyens de paiement,” last
connection (06/08/2017). [Online]. Available: http://www.fbf.fr/fr/files/
AC3CBC/Les%20Moyens%20de%20Paiement.pdf
[4] La finance pour tous, “La carte bancaire,” last connection
(06/08/2017). [Online]. Available: http://www.lafinancepourtous.com/
Banque-au-quotidien/Moyens-de-paiement/La-carte-bancaire/
[5] H. A. Al-Ofeishat and A. Mohammad, “Near field communication (nfc),”
International Journal of Computer Science and Network Security, pp.
93–99, 2012.
[6] N. El Madhoun and G. Pujolle, “Security enhancements in emv protocol
for nfc mobile payment,” The 15th IEEE International Conference on
Trust, Security and Privacy in Computing and Communications (IEEE
TrustCom-16), 2016.
[7] M. A. Ali, B. Arief, M. Emms, and A. van Moorsel, “Does the online
card payment landscape unwittingly facilitate fraud?” IEEE Security &
Privacy, vol. 15, no. 2, pp. 78–86, 2017.
[8] S. A. Ahson and M. Ilyas, Near field communications handbook. CRC
Press, 2011.
[9] VISA, last connection (20/10/2017). [Online]. Available: https:
//www.visa.fr/
[10] MasterCard, last connection (20/10/2017). [Online]. Available: http: [37] ——, “A cloud-based secure authentication protocol for contactless-
//www.mastercard.com/fr/particuliers/index.html nfc payment,” IEEE 4th International Conference on Cloud Networking
[11] American Express, last connection (20/10/2017). [Online]. Available: (CloudNet), pp. 328–330, 2015.
https://www.americanexpress.com/fr/
[12] Japan Credit Bureau, last connection (20/10/2017). [Online]. Available:
http://www.global.jcb/en/
[13] China UnionPay, last connection (20/10/2017). [Online]. Available:
http://www.unionpayintl.com/en/
[14] Discover Card, last connection (20/10/2017). [Online]. Available:
https://www.discover.com/
[15] EMV Books - Integrated Circuit Card Specifications for Payment
Systems, Book 1: Application Independent ICC to Terminal Interface
Requirements, Book 2: Security and Key Management, Book 3: Applica-
tion Specification, Book 4: Cardholder Attendant and Acquirer Interface
Requirements, V. 4.3, EMVCo, http://www.emvco.com/, Nov. 2011.
[16] J. De Ruiter and E. Poll, “Formal analysis of the emv protocol suite,”
Springer Theory of Security and Applications, pp. 113–129, 2012.
[17] S. J. Murdoch, S. Drimer, R. Anderson, and M. Bond, “Chip and pin is
broken,” IEEE Symposium on Security and Privacy, pp. 433–446, 2010.
[18] J. van den Breekel, D. A. Ortiz-Yepes, E. Poll, and J. de Ruiter, “Emv
in a nutshell,” Technical Report, 2016.
[19] S. Bouzefrane, “La norme emv,” last connection (06/08/2017).
[Online]. Available: http://cedric.cnam.fr/~bouzefra/cours/Cartes_
Bouzefrane_EMV_nov2009.pdf
[20] V. Coskun, B. Ozdenizci, and K. Ok, “A survey on near field commu-
nication (nfc) technology,” Springer Wireless personal communications,
pp. 2259–2294, 2013.
[21] Orange Bank, “Le paiement mobile.” [Online]. Available: https:
//www.orangebank.fr/portalserver/informations-utiles/paiement-mobile
[22] U. Mattsson and Y. Rozenberg, “Tokenization in payment environ-
ments,” 2013, uS Patent App. 13/761,009.
[23] M. R. Ornce, R. Moyer, G. J. Sackenheim, A. B. Dollarhide, K. R.
Glenn, and S. H. Pile, “Tokenized contactless payments for mobile
devices,” 2011, uS Patent App. 13/315,544.
[24] M. J. Emms, “Contactless payments: usability at the cost of security?”
Newcastle University, 2016.
[25] M. Roland and J. Langer, “Cloning credit cards: A combined pre-
play and downgrade attack on emv contactless,” WOOT - 7th USENIX
conference on Offensive Technologies, 2013.
[26] A. Barisani, D. Bianco, A. Laurie, and Z. Franken, “Chip and pin
is definitely broken,” Presentation at CanSecWest Applied Security
Conference, Vancouver, 2011.
[27] J. P. Degabriele, A. Lehmann, K. G. Paterson, N. P. Smart, and
M. Strefler, “On the joint security of encryption and signature in emv,”
pp. 116–135, 2012.
[28] M. Emms and A. van Moorsel, “Practical attack on contactless payment
cards,” HCI2011 Workshop Heath, Wealth and Identity Theft, 2011.
[29] Les experts Ooreka, “Ticket de carte bancaire,” last connection
(06/08/2017). [Online]. Available: https://carte-bancaire.ooreka.fr/
astuce/voir/515831/ticket-de-carte-bancaire
[30] ISO 14443 Contactless Integrated Circuit Cards, “International standards
organisation,” 2011.
[31] L. Francis, G. Hancke, K. Mayes, and K. Markantonakis, “Potential
misuse of nfc enabled mobile phones with embedded security elements
as contactless attack platforms,” ICITST IEEE International Conference
for Internet Technology and Secured Transactions, 2009.
[32] K. Markantonakis, L. Francis, G. Hancke, and K. Mayes, “Practical relay
attack on contactless transactions by using nfc mobile phones,” Radio
Frequency Identification System Security: RFIDsec, 2012.
[33] M. Emms, L. Freitas, and A. van Moorsel, “Rigorous design and im-
plementation of an emulator for emv contactless payments,” Computing
Science, Newcastle University, 2014.
[34] Channel 4 News, “Millions of barclays card users exposed
to fraud.” [Online]. Available: https://www.channel4.com/news/
millions-of-barclays-card-users-exposed-to-fraud
[35] U. B. Ceipidor, C. M. Medaglia, A. Marino, S. Sposato, and A. Moroni,
“Kernees: A protocol for mutual authentication between nfc phones and
pos terminals for secure payment transactions,” IEEE International ISC
Conference on Information Security and Cryptology (ISCISC), 2012.
[36] N. El Madhoun, F. Guenane, and G. Pujolle, “An online security protocol
for nfc payment: Formally analyzed by the scyther tool,” International
Conference on Mobile and Secure Services (MobiSec), pp. 1–7, 2016.

View publication stats