Tracked metadata: Sourced from EMVCo's public document index. PCI Watch records each document's details and its extracted text so changes can be tracked over time; the document PDF itself is hosted by EMVCo.

Security Position Statement: EMV® Contactless Privacy an update

Category: Security Advisories
Tags: Contactless, Mobile Card, Chip & Platform, NFC Consumer Device
Extracted document text

EMVCo's index flattens the document's layout, so this text is best used for searching and comparing versions rather than reading end-to-end.

EMV-SWG-NB13r11
EMVCo Position Statement on EMV Contactless Privacy
November 2019

1. Statement for EMVCo Associates
SWG Doc Ref: EMVSWG NB13r11

Statement:

Media and regulatory attention has recently been given to privacy concerns associated with the use of contactless payments technology. Contactless technology is based on the use of a short range radio frequency (RF) field generated by the reader, which provides energy to power cards and is modulated by two distinct techniques to transfer data in the two directions. The nature of this interface opens two angles of attack whereby a fraudster might illicitly obtain card payment data:

• E-pick-pocketing - Reading data directly from the cardholder device. This is where a snooping device is taken near to a cardholder's contactless device and is able to power and interrogate it in the same way as a standard terminal would. The cardholder would not be aware unless the snooper was particularly intrusive. The information that could be read in this way is no different to that which can be read by legitimate terminals.

• Eavesdropping - Covert surveillance at the time of a legitimate transaction. This is where a snooping device might listen in on active transactions (e.g. in a shopping mall) and is able to obtain some or all of the transaction data. Note that in this case the card is powered by the merchant terminal in the normal way.

There are fraud risks and privacy risks that apply to all contactless cards & devices, but the nature of the card or device may offer different mitigating possibilities. This paper focuses on the risks to personal privacy, which mainly relate to the capture of Personally Identifiable Information (PII), or other data from the card that could allow identification and/or tracking of individual cardholders. The fraud risk relates to the capture of data (e.g. PAN and expiry date) to be used for fraudulent transactions (especially for cross-channel fraud) and is limited by the usual payment system risk management controls. E-pick-pocketing a contactless card is of no direct value to a fraudster unless they can create a transaction to submit through an accredited merchant.

Since Payment Systems have a fundamental requirement for all payment cards to be identifiable, there must exist an identifier unique to each card, of which the PAN is the most obvious and is required for transaction routing. Other data or combinations of data may also identify a card, for example the ICC public key certificate.

There is a potentially unique identifier not related only to the payment application but rather to all applications supported by the device. This is the UID (Type A) or PUPI (Pseudo-unique PICC identifier) (Type B) defined in the ISO 14443 contactless communications layer (Level 1). These can either be a fixed value (unique within a card batch) or random (configured to generate a random UID/PUPI for each transaction). The use of fixed values should therefore be avoided, but it is thought to currently be common practice, especially for cards.

E-pick-pocketing or fake merchant

Regarding the prevention of e-pick-pocketing, EMVCo is not aware of any viable technical solutions at the EMV specification level. However, there are many physical wallet products on the market that incorporate shielding to prevent cards being read whilst in the wallet. Other form factors (e.g. mobile phones) can be configured to require cardholder assent prior to a payment transaction.
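To make the fixed-versus-random distinction above concrete, here is an added Python example (not part of the EMVCo statement) that takes the Level 1 identifier a reader captured across several activations of one card and reports whether it is fixed, random or merely repeating, which is the property that decides whether the card can be followed from reader to reader. The observations are constructed values, and the only standards fact it relies on is that ISO/IEC 14443-3 marks a random single-size Type A UID with a first byte of 0x08; Type B PUPIs carry no such self-declaration, so for them only the behaviour across activations can be judged.

```python
# Added example (not part of the EMVCo statement): classify whether the
# ISO/IEC 14443 Level 1 identifier a card presents (Type A UID or Type B PUPI)
# stays constant across activations, which is what makes it usable for tracking.
from collections import Counter

# Constructed observations of the same card activated several times by a
# reader; every byte value below is made up for the example.
FIXED_UID_TYPE_A = [bytes.fromhex("04d3a1b2")] * 6
RANDOM_UID_TYPE_A = [bytes.fromhex(h) for h in
                     ("0831c47a", "08e05d19", "084aa2f3", "08790bc6", "08d51e88", "0803f7a2")]
RANDOM_PUPI_TYPE_B = [bytes.fromhex(h) for h in
                      ("2f9c10aa", "b0137e5d", "6e44c902", "d1a7f830", "0c5e9b17", "9af2d46b")]
WEAK_PUPI_TYPE_B = [bytes.fromhex(h) for h in
                    ("2f9c10aa", "2f9c10aa", "6e44c902", "2f9c10aa", "6e44c902", "2f9c10aa")]

RANDOM_UID_MARKER = 0x08  # ISO/IEC 14443-3: UID0 = '08' marks a random single-size Type A UID


def assess_identifier(observations, card_type):
    """Classify Level 1 identifiers seen across repeated activations.

    observations: list of bytes, one per activation, all from the same card.
    card_type: "A" (UID from anticollision) or "B" (PUPI from ATQB).
    Returns a dict with the verdict and the evidence behind it.
    """
    if card_type not in ("A", "B"):
        raise ValueError("card_type must be 'A' or 'B'")
    if len(observations) < 2:
        raise ValueError("need at least two activations to judge linkability")
    counts = Counter(observations)
    distinct = len(counts)
    total = len(observations)
    if distinct == 1:
        verdict = "fixed"
    elif distinct == total:
        verdict = "random"
    else:
        verdict = "repeating"  # randomised in principle, but values recur
    # Only Type A single-size UIDs carry a self-declaration of randomness.
    declares_random = (card_type == "A" and
                       all(len(o) == 4 and o[0] == RANDOM_UID_MARKER for o in observations))
    most_common_value, most_common_count = counts.most_common(1)[0]
    return {
        "verdict": verdict,
        "activations": total,
        "distinct_values": distinct,
        "trackable": verdict != "random",
        "declares_random": declares_random,
        # A card declaring a random UID but presenting repeats is a
        # personalisation or generator fault worth raising with the issuer.
        "inconsistent": declares_random and verdict != "random",
        "most_repeated": most_common_value.hex(),
        "most_repeated_count": most_common_count,
    }


def summarise(observations, card_type):
    """One-line report for a batch of activations."""
    r = assess_identifier(observations, card_type)
    return (f"Type {card_type}: {r['verdict']} identifier over {r['activations']} activations "
            f"({r['distinct_values']} distinct); trackable={r['trackable']}")


if __name__ == "__main__":
    for label, obs, t in (("fixed UID", FIXED_UID_TYPE_A, "A"),
                          ("random UID", RANDOM_UID_TYPE_A, "A"),
                          ("random PUPI", RANDOM_PUPI_TYPE_B, "B"),
                          ("weak PUPI", WEAK_PUPI_TYPE_B, "B")):
        print(label, "->", summarise(obs, t))
```

The "repeating" verdict matters in practice: a card whose generator draws from too small a pool looks randomised on a single read but is still linkable over a few activations, so an issuer acceptance test should collect several activations rather than one.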
A card “activate” button is also feasible and could be implemented irrespective of EMV; however, it might be inconvenient and could slow transactions. It has been proposed that the issue could be solved by ensuring that cards authenticate that a terminal is legitimate before releasing sensitive data, but whilst technically possible, this is neither practical nor viable. Introducing an additional global PKI for terminal authentication would be expensive and a massive undertaking to deal with what is actually a minimal concern, plus the additional public key cryptography in the card would totally undermine the speed of contactless transactions. In addition, such a defence could be easily undone by use of stolen terminals or criminal use of live terminals. EMVCo has produced a separate position statement on this topic entitled Terminal Authentication by the Card.

Experience indicates that particular attention should be paid to products that migrate from contact to contactless (including mobile devices). In many cases cardholder personal information is available over the contact interface for legitimate customer service reasons, and care needs to be taken that this feature does not transfer to the contactless interface. If cardholder name is a feature of the service, then generic terms, such as “Valued Customer”, could be used. Industry recommendations are that cards should not return cardholder personal information during a contactless transaction. Products should not allow logs to be interrogated over the contactless interface.

It should also be noted that because of the need to deliver power to the card, it is technically difficult to e-pick-pocket a card at ranges over 50 cm. Anyone who claims otherwise should be challenged to demonstrate.

Eavesdropping

Eavesdropping on legitimate transactions can take place at a greater distance using a suitable radio receiver. It can be assumed that all the commands and responses can be read, although in practice the signal-to-noise ratio is poor for the responses from the card, making them more difficult to read reliably. It should be noted that obtaining PANs (say in a shopping mall) does not immediately reveal a person’s identity without additional supporting information about the consumer. However, widespread and routine eavesdropping could enable an unknown individual to be tracked.

Mitigating defences are mainly encryption of the card-to-terminal interface and the use of randomised ISO L1 UIDs and PUPIs. It should be noted that whilst Payment Tokens are of value in fraud prevention, they offer little advantage in preventing tracking by eavesdropping, as the tokens would have to be renewed more frequently than is practical.

© 2019 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found at www.emvco.com. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries.
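As an added example, not from the EMVCo statement, the following Python audit parses the BER-TLV data a card returns over the contactless interface and flags the items the e-pick-pocketing section above says should not be there: a real cardholder name (tags 5F20 and 9F0B) rather than a generic placeholder such as “Valued Customer”, and a Log Entry (9F4D) advertising a transaction log that can be read over the interface. The PAN (5A) and Track 2 Equivalent Data (57) are reported as linkable identifiers but not faulted, since the statement notes an identifier such as the PAN is required for routing. The records, PAN, expiry, name and track data are constructed for the example; the tag meanings are those defined in EMV Book 3.

```python
# Added example (not part of the EMVCo statement): audit the BER-TLV data a
# card returns over the contactless interface for cardholder personal data
# and for transaction-log exposure, both of which the statement advises against.

PII_TAGS = {"5F20": "Cardholder Name", "9F0B": "Cardholder Name Extended"}
IDENTIFIER_TAGS = {"5A": "Application PAN", "57": "Track 2 Equivalent Data"}
LOG_TAGS = {"9F4D": "Log Entry (advertises a readable transaction log)"}
GENERIC_NAMES = {"VALUED CUSTOMER"}  # placeholders the statement suggests instead of a real name


def tlv(tag_hex, value):
    """Encode one BER-TLV object (short form and one/two-byte long length forms)."""
    if len(value) < 0x80:
        length = bytes([len(value)])
    elif len(value) < 0x100:
        length = bytes([0x81, len(value)])
    else:
        length = bytes([0x82]) + len(value).to_bytes(2, "big")
    return bytes.fromhex(tag_hex) + length + value


def parse_tlv(data):
    """Parse a BER-TLV byte string into a list of (tag_hex, value, children)."""
    items, offset = [], 0
    while offset < len(data):
        if data[offset] in (0x00, 0xFF):  # inter-object padding permitted by EMV
            offset += 1
            continue
        start = offset
        first = data[offset]
        offset += 1
        if first & 0x1F == 0x1F:  # multi-byte tag: continues while bit 8 is set
            while data[offset] & 0x80:
                offset += 1
            offset += 1
        tag = data[start:offset].hex().upper()
        length = data[offset]
        offset += 1
        if length & 0x80:
            n = length & 0x7F
            if not 1 <= n <= 4:
                raise ValueError("unsupported length encoding")
            length = int.from_bytes(data[offset:offset + n], "big")
            offset += n
        value = data[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated TLV object")
        offset += length
        children = parse_tlv(value) if first & 0x20 else []  # bit 6 set: constructed
        items.append((tag, value, children))
    return items


def walk(items):
    """Yield (tag, value) for every object, descending into templates."""
    for tag, value, children in items:
        yield tag, value
        yield from walk(children)


def audit_contactless_data(data):
    """Return (severity, tag, message) findings for data read over contactless."""
    findings = []
    for tag, value in walk(parse_tlv(data)):
        if tag in PII_TAGS:
            name = value.decode("ascii", "replace").strip()
            if name.upper() in GENERIC_NAMES:
                findings.append(("info", tag, f"{PII_TAGS[tag]} is a generic placeholder"))
            else:
                findings.append(("high", tag, f"{PII_TAGS[tag]} returned over contactless"))
        elif tag in IDENTIFIER_TAGS:
            findings.append(("note", tag, f"{IDENTIFIER_TAGS[tag]}: needed for routing, but linkable"))
        elif tag in LOG_TAGS:
            findings.append(("high", tag, LOG_TAGS[tag]))
    return findings


def worst_severity(findings):
    order = {"high": 2, "note": 1, "info": 0}
    return max((f[0] for f in findings), key=order.get, default="none")


# Constructed samples: the PAN, expiry, name and track data are made up.
PAN_CN = bytes.fromhex("4111111111111111")
RECORD_WITH_NAME = tlv("70", tlv("5A", PAN_CN) + tlv("5F24", bytes.fromhex("251231"))
                       + tlv("57", bytes.fromhex("4111111111111111D2512101000000000F"))
                       + tlv("5F20", b"DOE/JOHN"))
RECORD_GENERIC = tlv("70", tlv("5A", PAN_CN) + tlv("5F24", bytes.fromhex("251231"))
                     + tlv("5F20", b"VALUED CUSTOMER"))
FCI_WITH_LOG = tlv("6F", tlv("A5", tlv("50", b"TEST APP") + tlv("9F4D", bytes([0x0B, 0x0A]))))

if __name__ == "__main__":
    for label, blob in (("record with name", RECORD_WITH_NAME),
                        ("record with placeholder", RECORD_GENERIC),
                        ("FCI advertising a log", FCI_WITH_LOG)):
        print(label, "->", worst_severity(audit_contactless_data(blob)), audit_contactless_data(blob))
```

Run against the responses captured from a pre-production card over its contactless interface (SELECT FCI and every READ RECORD the reader is permitted to perform), a "high" result means the personalisation profile has carried a contact-interface feature across to contactless, which is exactly the migration mistake the statement warns about.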