Wednesday, July 24, 2024

Role of PKI in Chip Card Payment Security

  • Abdullah Al-Shamim

A Public Key Infrastructure (PKI) is the combination of people, systems and policies used to issue, manage, distribute, revoke and use public key certificates owned by the entities that participate in it. In chip card payments it plays a central role in authenticating a chip card: it lets a terminal verify, on behalf of the Issuer, that the card it is talking to is genuine.

Two different cryptographic mechanisms are used in a payment system: symmetric and asymmetric. When the chip card generates a cryptogram that is sent to the Issuer and verified by it online, symmetric cryptography is used, based on a secret key shared between the card and the Issuer. In the asymmetric case, by contrast, the card's digital signature is verified locally by the terminal, on behalf of the Issuer, using public keys; no secret key ever needs to be shared with the terminal.

In the payment ecosystem, the payment scheme (e.g. Visa, Mastercard), the Issuer and the chip card each own a key pair. These key owners form a hierarchy for the issuance and maintenance of public key certificates: the payment scheme acts as the Certification Authority (CA) and issues a certificate for the Issuer's public key, and the Issuer in turn issues a certificate for each chip card's (ICC) public key.

The CA key pair is generated by the payment scheme in a secure environment and application, normally inside a hardware security module (HSM). The payment scheme CA distributes each newly generated CA public key to its member Issuers and Acquirers. An Issuer needs it to verify the Issuer Public Key Certificates the CA generates for it before putting them into use, and an Acquirer needs it to load the CA public keys securely into its merchant terminals, where they serve as the terminal's trust anchor. On the terminal each CA public key is identified by the scheme's Registered Application Provider Identifier (RID) and a CA Public Key Index; the card carries that index so the terminal can select the correct key, and a card whose index points to a key the terminal does not hold (for example one that has been retired) cannot be authenticated offline.

According to EMV, PKI is involved in two offline processing steps of a payment transaction: offline (enciphered) PIN verification and offline data authentication. Both are strongly recommended if the Issuer supports offline transactions. In an offline transaction the Issuer has no opportunity to verify the card itself, so the terminal does so on its behalf, starting from the CA public key it holds: it recovers the Issuer public key from the Issuer certificate and, for the dynamic methods, the ICC public key from the ICC certificate. With Static Data Authentication (SDA), the terminal uses the Issuer public key to verify a static signature over selected card data that the Issuer computed at personalisation time; this proves the data were not altered but not that the card is genuine, because the signed data and signature can be copied to another card. With Dynamic Data Authentication (DDA) or Combined Data Authentication (CDA), the card signs transaction-specific data, including an unpredictable number chosen by the terminal, with its own ICC private key, which proves that the genuine card is present; CDA additionally binds that signature to the application cryptogram. For offline enciphered PIN, the terminal encrypts the PIN with the ICC public key (or a dedicated ICC PIN encipherment key) so that only the card can decrypt it.
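The three-level hierarchy described above (scheme CA, Issuer, ICC) and the terminal-side DDA check are easiest to see end to end in code. The following is an added example, not code from the article or from Kona: it uses textbook RSA with a simplified signature-with-recovery block (header, length, data, 0xBB padding, SHA-1, trailer) rather than the exact EMV Book 2 certificate layouts, demo-sized keys, and a hypothetical RID, CA Public Key Index, Issuer identifier and PAN. The public exponent is assumed to be transmitted separately, as EMV does, so it is not embedded in the certificates.

```python
import hashlib
import os
import random

# Constructed example: simplified EMV-style chain scheme CA -> Issuer -> ICC.
# Not the real EMV Book 2 formats; key sizes and identifiers are demo values.
E = 65537  # public exponent, assumed to be carried separately (as in EMV)


def _is_probable_prime(n, rounds=8):
    """Miller-Rabin; fine for a demo, not for production key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if c % E != 1 and _is_probable_prime(c):  # E prime, so gcd(E, c-1) == 1
            return c


def gen_keypair(bits):
    """Return (n, d) with n of exactly `bits` bits; the public key is (n, E)."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n = p * q
        if p != q and n.bit_length() == bits:
            return n, pow(E, -1, (p - 1) * (q - 1))


def _mod_len(n):
    return (n.bit_length() + 7) // 8


def sign_with_recovery(n, d, data):
    """Block = 0x6A | len | data | 0xBB... | SHA-1(data) | 0xBC, raised to d mod n."""
    pad = _mod_len(n) - (1 + 1 + len(data) + 20 + 1)
    if pad < 0 or len(data) > 255:
        raise ValueError("data too long for this modulus")
    block = (b"\x6a" + bytes([len(data)]) + data + b"\xbb" * pad
             + hashlib.sha1(data).digest() + b"\xbc")
    return pow(int.from_bytes(block, "big"), d, n)


def recover(n, sig):
    """Verify under public key (n, E); return the recovered data, or None if invalid."""
    if not 0 < sig < n:
        return None
    block = pow(sig, E, n).to_bytes(_mod_len(n), "big")
    if block[0] != 0x6A or block[-1] != 0xBC or 2 + block[1] > len(block) - 21:
        return None
    data = block[2:2 + block[1]]
    return data if hashlib.sha1(data).digest() == block[-21:-1] else None


def issuer_certificate(ca_key, issuer_id, issuer_n):
    """Scheme CA signs the Issuer's modulus together with a 4-byte Issuer identifier."""
    return sign_with_recovery(*ca_key, b"ISS" + issuer_id + issuer_n.to_bytes(_mod_len(issuer_n), "big"))


def icc_certificate(issuer_key, pan, expiry, icc_n):
    """Issuer signs the card's modulus bound to its PAN (8 bytes BCD) and expiry (2 bytes)."""
    return sign_with_recovery(*issuer_key, b"ICC" + pan + expiry + icc_n.to_bytes(_mod_len(icc_n), "big"))


def terminal_verify_dda(ca_table, rid, ca_index, issuer_cert, icc_cert, sdad, icc_dyn_number, unpredictable_number):
    """Terminal-side DDA: from the stored CA key down to the card's dynamic signature (SDAD)."""
    ca_n = ca_table.get((rid, ca_index))  # loaded by the Acquirer, selected by the card-supplied index
    if ca_n is None:
        return False
    issuer_data = recover(ca_n, issuer_cert)
    if issuer_data is None or issuer_data[:3] != b"ISS":
        return False
    icc_data = recover(int.from_bytes(issuer_data[7:], "big"), icc_cert)
    if icc_data is None or icc_data[:3] != b"ICC":
        return False
    icc_n = int.from_bytes(icc_data[13:], "big")
    # The signed data must contain the terminal's fresh unpredictable number; a recorded
    # signature replayed by a copied card fails here because that number differs.
    return recover(icc_n, sdad) == icc_dyn_number + unpredictable_number


def demo():
    """One genuine DDA and one replay of the same SDAD against a new unpredictable number."""
    ca, issuer, icc = gen_keypair(1152), gen_keypair(832), gen_keypair(512)
    rid, index = bytes.fromhex("A000000099"), 0x01  # hypothetical RID and CA PK index
    ca_table = {(rid, index): ca[0]}                 # the terminal's CA public key store
    iss_cert = issuer_certificate(ca, b"\x00\x00\x12\x34", issuer[0])
    card_cert = icc_certificate(issuer, bytes.fromhex("1234567890123456"), b"\x27\x12", icc[0])
    icc_dn, un = os.urandom(8), os.urandom(4)        # ICC dynamic number, terminal unpredictable number
    sdad = sign_with_recovery(icc[0], icc[1], icc_dn + un)
    ok = terminal_verify_dda(ca_table, rid, index, iss_cert, card_cert, sdad, icc_dn, un)
    replay = terminal_verify_dda(ca_table, rid, index, iss_cert, card_cert, sdad, icc_dn, bytes(b ^ 0xFF for b in un))
    return ok, replay
```

Running `demo()` returns `(True, False)`: the chain verifies when the card signs the terminal's own unpredictable number, and the same signature is rejected in a later transaction. Note what the terminal never needs: any Issuer or card private key, or any online connection; its only trust anchor is the CA public key the Acquirer loaded, which is why protecting that load path and retiring old CA keys matters as much as protecting the HSM that generated them.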

Kona Software Lab Ltd., the Bangladesh office of the South Korean payment and security industry pioneer Kona I Co., Ltd., is leading chip card implementation in Bangladesh with the largest market share. With more than two decades of experience in card manufacturing and numerous product certifications from various payment schemes, the Kona group adds unique value to its more than 500 clients in almost 90 countries worldwide and helps them strengthen their security posture. The company also provides consultation on EMV migration, local schemes, card and terminal testing, and so forth, and intends to continue helping the players in the local payment and security industry in Bangladesh reach their goals.

The author is a Payment and Security Specialist, Kona Software Lab Ltd.
