1
votes

As far as I know, for EMV cards, before a transaction takes place, the terminal performs Card Authentication (using Static Data Authentication or Dynamic Data Authentication) to make sure the card is not a fake card. (In reverse, it seems that there is no way for POS terminal authentication.)

In Google Play, there are many applications that can read EMV card data. With an NFC-enabled smartphone, we can read sensitive card information including the card number and expiration date. (The same applies to contact EMV cards by using a smartcard reader.)

My question is:

For EMV cards, is there any standard which specifies a 'mutual authentication' protocol between cards and terminals, such that the card only sends card data to the terminal after performing the 'mutual authentication' step?

Thanks,


3 Answers

1
votes

Nothing to my knowledge. I believe this is so because the business use case does not justify this requirement.

Case 1. As you said, there are readers which can read card data. However, if someone takes all the data from the card and replays it on a terminal, it will fail, since transactions are protected by a single-use cryptogram and an unpredictable number provided by the terminal.

Case 2. A fraudster, after forging a card, can get some goods/services and leave, but the terminal has to be registered to an acquirer/bank. There cannot be zombie terminals. Hence it is the terminal that wants to check the genuineness of the card, and not the other way around.

You can get the track/card data from the chip, but the same goes for the mag stripe.

1
votes

There is nothing like mutual authentication in an EMV payment transaction between terminal and card.

Since every transaction is based on some transaction-specific unique data and cryptography, cloning is not possible (here I am not talking about SDA cards).

Even though any reader is able to read the data (which is actually allowed by EMV), since these reader applications are not authorized by EMV, they can't use the VISA/MasterCard servers for transaction processing.

0
votes

(Extending existing answers with another point of view)

During an online transaction the card validates that the terminal is able to communicate with the card issuer, i.e. that the terminal is able to deliver the card-generated ARQC to the issuer and is given a valid ARPC.

As Gaurav Shukla notes in his answer, fake terminals are not able to communicate with the respective payment association servers.
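The two points made in the answers above (a captured cryptogram cannot be replayed because it is bound to the terminal's unpredictable number and the card's transaction counter, and a terminal that cannot reach the issuer cannot return a valid ARPC) can be made concrete with a small model. The following is an added example, not code from any answer or from the EMV specifications: it uses HMAC-SHA256 as a stand-in for the EMV 3DES/AES session-key and cryptogram MAC scheme, and the key, amounts and unpredictable numbers are constructed demo values.

```python
import hmac
import hashlib
import struct

# Constructed demo key shared by card and issuer (in reality derived per card
# by the issuer and held inside the chip's secure element).
CARD_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key derived from the Application Transaction Counter (ATC).
    Assumption: HMAC-SHA256 stands in for the EMV 3DES/AES derivation."""
    return hmac.new(master_key, b"SK" + struct.pack(">H", atc), hashlib.sha256).digest()


def mac(key: bytes, data: bytes) -> bytes:
    """8-byte MAC, truncated like an EMV cryptogram (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def generate_arqc(master_key: bytes, amount: int, unpredictable_number: bytes, atc: int) -> bytes:
    """Card side: the ARQC binds the amount, the terminal's unpredictable number
    and the card's ATC, so a captured value is useless for any other transaction."""
    data = struct.pack(">Q", amount) + unpredictable_number + struct.pack(">H", atc)
    return mac(session_key(master_key, atc), data)


def card_verify_arpc(master_key: bytes, atc: int, arqc: bytes, response_code: bytes, arpc: bytes) -> bool:
    """Card side: only a party holding the card's key (the issuer) can produce a valid ARPC."""
    expected = mac(session_key(master_key, atc), arqc + response_code)
    return hmac.compare_digest(expected, arpc)


class Issuer:
    """Issuer host: verifies ARQCs, tracks the ATC to reject replays, answers with an ARPC."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_atc = -1

    def authorise(self, amount: int, unpredictable_number: bytes, atc: int, arqc: bytes):
        """Returns (approved, arpc); arpc is None when the ARQC is rejected."""
        if atc <= self.last_atc:
            return False, None  # counter did not advance: replay or stale data
        expected = generate_arqc(self.master_key, amount, unpredictable_number, atc)
        if not hmac.compare_digest(expected, arqc):
            return False, None  # cryptogram does not match this amount/UN/ATC
        self.last_atc = atc
        response_code = b"00"  # constructed: "approved"
        return True, mac(session_key(self.master_key, atc), arqc + response_code)


def run_demo() -> dict:
    """Walks through a genuine transaction, two replay attempts and a fake terminal."""
    issuer = Issuer(CARD_MASTER_KEY)
    un1 = bytes.fromhex("1a2b3c4d")  # constructed terminal unpredictable number
    un2 = bytes.fromhex("99887766")  # constructed UN of a later terminal session
    results = {}

    # 1. Genuine transaction: card ATC 5, terminal UN un1, amount 1000.
    arqc = generate_arqc(CARD_MASTER_KEY, 1000, un1, 5)
    approved, arpc = issuer.authorise(1000, un1, 5, arqc)
    results["genuine_approved"] = approved
    results["card_accepts_arpc"] = card_verify_arpc(CARD_MASTER_KEY, 5, arqc, b"00", arpc)

    # 2. Captured ARQC presented at a terminal that issued a fresh UN: MAC mismatch.
    results["replay_new_un"] = issuer.authorise(1000, un2, 6, arqc)[0]

    # 3. Captured ARQC presented with identical data (same UN and ATC): counter check rejects it.
    results["replay_same_data"] = issuer.authorise(1000, un1, 5, arqc)[0]

    # 4. Terminal that never reaches the issuer answers with a made-up ARPC: card rejects it.
    forged_arpc = bytes(8)
    results["card_accepts_forged_arpc"] = card_verify_arpc(CARD_MASTER_KEY, 5, arqc, b"00", forged_arpc)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The model shows why the card's data being readable is not by itself a problem: the readable static data never includes the key used for the cryptogram, the issuer checks both the MAC and the counter, and the card in turn accepts an ARPC only from a party that holds its key, which is the "validates that the terminal can reach the issuer" point of the last answer.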