Towards a More Secure EMV Payment System: Proposal of New Security Protocols and a New NFC Payment Architecture
Résumé rédigé par
Directeur de thèse:
EMV is the international standard implemented to secure contact and contactless-NFC purchase transactions. It represents a set of security rules and messages exchanged between the actors of the transaction in order to guarantee important security properties (as authentication, authorization, integrity, etc.). However, several recent research studies have analyzed the EMV protocol by showing that it is vulnerable to attacks.
In the first contribution of this thesis, we examine the EMV security standard, its vulnerabilities and the proposed solutions solving them. Afterwards, we direct our research to propose a new protocol that enhances EMV by adding a new security layer aiming to solve EMV vulnerabilities. This proposal is divided into two sub-proposals, each dealing with a different payment execution mode related to the connectivity of the merchant's payment device to the banking network: online or offline. The correctness of these proposals is checked using the Scyther security verification tool. In addition, a comparison between our solutions (online/offline) and the existing solutions is referred.
In the second contribution, we design a new contactless-NFC payment architecture allowing for a small merchant to use his smartphone integrating NFC technology, as a merchant’s payment device, to accept and process contactless-NFC purchases. We adapt our online security protocol, proposed in the first contribution, to the conditions of this new architecture to secure it.
Finally, we develop a real prototype of the NFC payment architecture proposed in the second contribution.