Augmenting Internet-based Card Not Present Transactions with 
Trusted Computing: An Analysis

by Shane Balfe and Kenneth G. Paterson

Abstract:

In this paper, we demonstrate how the staged roll out of Trusted 
Computing technology, beginning with ubiquitous client-side Trusted 
Platform Modules (TPMs), can be used to enhance the security of
Internet-based Card Not Present (CNP) transactions. This approach can be 
seen as an alternative to the proposed mass deployment of unconnected 
card readers in the provision of CNP transaction authorisation. Using 
TPM functionality (and the new PC architecture that will evolve around 
it) we demonstrate how TPM-enabled platforms can integrate with SSL, 3-D 
Secure and server-side SET. We highlight how the use of TPM 
functionality, as is currently being deployed in the marketplace, is not 
a panacea for solving all the problems associated with CNP transactions. 
In this instance, a more holistic
approach requiring additional Trusted Computing components incorporating 
Operating System, processor and chipset support is required to combat 
the threat of malware.