3

Ok I understand from my research that the Chip Card creates an AC Key(MasterKey+AccNumber) to communicate with the authorizing server securely (3DES key to have encrypted communication) but I don't understand the following..

  1. What's the difference between having the card talk to the server directly and having the card tell the point of sale system its details and then communicating with the authorizing server (Which can be done by a magnetic strip or proximity card)?

  2. What are the benefits of this procedure that EMV cards have then? and why is it necessary (if it is)?

Another question that i have is that i dont understand Combined DDA/generate application cryptogram (CDA), the websites and reports that i have found only gave very brief explanation of could someone point me in the direction of where i can find out more about it (preferably the technical aspects of how it works and what kind of crypto it uses etc).

Falcon Momot
  • 1,140
  • 6
  • 15
Brandon Seet
  • 61
  • 3
  • 2
    Communicating directly with the authorizing server means the POS doesn't need to be trusted in that domain and (more importantly) can't eavesdrop. – Falcon Momot Mar 21 '14 at 08:56
  • Ohh are there any examples of the POS being dishonest? – Brandon Seet Mar 21 '14 at 09:54
  • 4
    Target - Malware installed on their POS equipment sent 60,000,000 credit card numbers to hackers. Another older one actually attacked a firmware update for card scanners, making the actual scanner/keypad/screen for the customer send the data in an insecure way. In the US (without chip and pin), our POS equipment has to be secure, from the pinpad back. Many POS providers encrypt card data using smart cards, which can only be decrypted by the payment processor or register software. – Mat Carlson Mar 21 '14 at 11:10
  • 1
    The things are usually written by the cheapest available contractors, installed and maintained and operated by the cheapest labour available (often casual!), and basically never audited. There is little reason to trust them. – Falcon Momot Mar 22 '14 at 03:36

1 Answers1

3

In answer to:

What's the difference between having the card talk to the server directly and having the card tell the point of sale system its details and then communicating with the authorizing server (Which can be done by a magnetic strip or proximity card)?

The difference is that end-to-end encryption (also called point-to-point-encryption or P2PE in the payments industry) means that anyone between the card and the issuer is kept in the dark about the sensitive details of the transaction (PAN etc.).

As for:

What are the benefits of this procedure that EMV cards have then? and why is it necessary (if it is)?

The benefit is that you don't need to trust anyone between the card and the issuer. In the case of POS malware the advantage here is obvious. But this also has advantages even if there isn't any malware along the path between card and issuer.

If the merchant can't see the card details then the merchant can't store the card details. If the merchant can't store the card details it narrows the scope of PCI-DSS audits and reduces risk for the merchant. And for processors who route the transactions. And anyone else between the card and the issuer.

The PR answer from organizations in the apyments industry is that this makes everything safer for everyone. A more cynical answer is that the merchant would rather pay a bit more now for a P2PE solution to prevent expensive investigations, fines and settlements later.

Your question and my answer deal with encrypting the sensitive information between the card and the issuer but P2PE is something that grew out of EMV cards. It's an extra security measure made possible by EMV cards (and other 'intelligent' media). A mag-stripe card is a dumb medium and not being able to implement P2PE is just one drawback.

As for your question about DDA and CDA I'm afraid I can't provide a better answer than the simplified answers you can find on Google etc.

user3337410
  • 103
  • 1
  • 7
  • The card can indeed communicate privately with the issuer, but for various reasons, the PAN is not end-to-end encrypted between card and issuer in EMV. It is transmitted along the other transaction data (amount etc.), using whatever transport encryption the terminal, POS, merchant acquirer and card network use/mandate. – lxgr Dec 08 '15 at 13:44