e-EMV: Emulating EMV for Internet 
payments using Trusted Computing technology 

by Shane Balfe and Kenneth G. Paterson

Abstract:

The introduction of Static Data Authentication (SDA) compliant EMV cards 
with their improved cardholder verification and card authentication 
capabilities has resulted in a dramatic reduction in the levels of fraud 
seen at Point of Sale (POS) terminals. However, with this POS-based 
reduction has come a corresponding increase in the level of fraud 
associated with Internet-based Card Not Present (CNP) transactions. This 
increase is largely attributable to the fact that Internet-based CNP 
processing has no easy way of integrating EMV into its transaction 
architecture. In this regard, payment is reliant on Mail Order Telephone 
Order (MOTO) based processing where knowledge of card account details is 
deemed a sufficient form of transaction authorisation.

This report aims to demonstrate how Trusted Computing technology can be 
used to emulate EMV for use in Internet-based CNP
transactions. Through a combination of a Trusted Platform Module, 
processor (with chipset extensions) and OS support we show how we can 
replicate the functionality of standard EMV-compliant cards. The usage 
of Trusted Computing in this setting allows a direct migration to more 
powerful Combined DDA and application cryptogram generation (CDA) cards 
as well as offering increased security benefits over those seen in EMV's 
deployment for POS transactions. Customer to Merchant interaction in our 
setting mirrors transaction processing at traditional POS terminals. We 
build upon the services offered by Trusted Computing in order to provide 
a secure and extensible architecture for Internet-based CNP transactions.