The following is a summary of the talk "The practical application of cryptography to international card payment" given by John Beric and Mike Ward from Mastercard International on day 2 of the workshop. The core topic of the talk was EMV, a global system for debit and credit card transactions based on smart cards.
After arguing for the necessity of card payments, the first speaker made it clear that the real world does not always implement what cryptographers like to see because of the long life cycles of the system. Then, he outlined the history of distance payments, in the form of cheques, magnetic stripe card transactions, and offline EMV transactions. Cheques provide physical evidence and are hard to forge, but they are slow to process and the signature check cannot be made at the time of the transaction. The only advantage of magnetic stripe cards over cheques is the faster processing, at the cost of no physical evidence and little protection against copying of the card. To make these acceptable to customers nevertheless, the banks operate a policy of zero liability on the side of customers, which in turn the facilites fraud.
Finally, offline EMV transactions offer evidence by a digital signature, and it is believed that the cost of breaking the scheme exceeds the possible profits. This contrasts the case of magnetic stripe cards, where the investments required to copy a card are rather low. Nonetheless, the world of EMV transactions is not perfect as there might be corrupted terminals intercepting the PIN or not displaying the correct amount of a transaction on the display. There are plans to mitigate this by employing the users' smartphones as part of the trusted computing base. But of course, cards and PIN can be stolen as well as smartphones.
The second speaker highlighted some technical details. The central theme in the implementation of EMV seems to be that the specification recommends a high level of security; however, the recommendations are not always followed in favour of the flexibility of a globally employed system. In some regions for example, the majority of cards do not support digital signatures but use a so-called static signature, which only provides authentication of the card instead of authorisation of a specific transaction. In the same spirit, the failure of a cryptographic check may not lead to the abortion of a transaction because a part of the system might simply not support the necessary cryptographic schemes. While the specification recommends the use of AES, implementations mostly use 3DES and even proprietary ciphers and signature schemes.
The talk was concluded by an outlook to a future specification, where elliptic curve cryptography (ECC) will be adopted. An open question related to this is whether Schnorr signatures will be used. In the question session, a member of the audience suggested that the emphasis should be on the simplification of the historically grown specification instead of the introduction of ECC, which he accounts more to the economic interests of the patent holders involved.