Abstract
Tokenisation has been adopted by the payment industry as a method to prevent Personal Account Number (PAN) compromise in EMV (Europay MasterCard Visa) transactions. The current architecture specified in EMV tokenisation requires online connectivity during transactions. However, online connectivity is not always available. We identify three main scenarios in which fully offline transaction capability is considered to be beneficial for both merchants and consumers: making purchases in locations without online connectivity; making purchases where a reliable connection is not guaranteed; and cases where offline transactions are cheaper because of the higher communication and payment-processing costs involved in online approvals. In this study, an offline contactless mobile payment protocol based on EMV tokenisation is proposed. The aim of the protocol is to provide secure offline transaction capability when neither the mobile device nor the terminal has online connectivity. The solution also provides end-to-end encryption, giving additional protection to transaction data other than the token. The protocol is analysed against its objectives, and we discuss how it can be extended to prevent token relay attacks. The proposed solution is subjected to mechanical formal analysis using Scyther. Finally, we implement the protocol and obtain performance measurements.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | The 15th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-16) |
| Publisher | IEEE Computer Society |
| Pages | 1-8 |
| Number of pages | 8 |
| ISBN (Electronic) | 978-1-5090-3205-1 |
| ISBN (Print) | 978-1-5090-3206-8 |
| DOIs | |
| Publication status | Published - 9 Feb 2017 |
Keywords
- EMV Contactless
- Mobile Payments
- Tokenisation
- Ambient Sensor Data
- Security
- Cryptography
- Offline Transaction Tokens