Security

This Security Q&A provides answers to some popular questions that arise related to the EMV ICC Specifications for Payment Systems, Book 2: Security and Key Management.

  1. What is the validity period for Payment System RSA keys and how are they reviewed?
  2. Does EMV use X.509 public key certificates?
  3. What is the EMVCo position on elliptic curves or other alternative cryptography?
  4. What is the EMVCo position on AES?
  5. Where can I find other documentation that will help me understand the security issues relating to EMV?
  6. Where can I find security requirements for PIN Entry Devices?

  1. What is the validity period for Payment System RSA keys and how are they reviewed?

    At the end of each year EMVCo makes recommendations to the Payments Systems regarding expiry dates of Payment System public keys. These recommendations are published in EMVCo Notice Bulletins that are available from the Bulletins section of the EMVCo website.

    The longer keys are shown with an anticipated lifetime rather than an expiry date because predicting future cryptanalytic capabilities is not an exact science. Thus, for the longer keys, whilst it can be confidently predicted that lifetimes will extend beyond 10 years from the present time, an actual expiry date cannot be set with precision.

  2. Does EMV use X.509 public key certificates?

    No. The format of the EMV public key certificates is defined in Sections 5 and 6 of Book 2 of the EMV Specification. They are more compact than X.509 certificates and are created using the ISO/IEC 9796-2 digital signature algorithm, which provides "message recovery": most of the certificate data is carried inside the signature itself and is recovered during verification rather than transmitted separately. This results in a solution that specifically addresses the requirements of IC payment card transactions.
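    The following is an added illustration, not code from EMVCo or Book 2, of the message-recovery structure described above: the signed block is '6A' || M_L || SHA-1(M) || 'BC', the first N-22 bytes of the data are recovered from the signature, and the remainder travels in clear. The RSA key is a constructed toy key (built from Mersenne primes, so trivially factorable) and the certificate-like record is constructed sample data.

```python
# Added example: ISO/IEC 9796-2 style RSA signature with message recovery,
# following the EMV Book 2 block layout '6A' || M_L || SHA-1(M) || 'BC'.
# Toy key: constructed from Mersenne primes for illustration only.
import hashlib
from typing import Optional, Tuple

P = (1 << 521) - 1                      # constructed toy prime (2^521 - 1)
Q = (1 << 607) - 1                      # constructed toy prime (2^607 - 1)
N = P * Q                               # 1128-bit modulus, 141 bytes
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
N_LEN = (N.bit_length() + 7) // 8       # modulus length in bytes
HEADER, TRAILER, HASH_LEN = 0x6A, 0xBC, 20


def sign_with_recovery(message: bytes) -> Tuple[bytes, bytes]:
    """Return (signature, remainder). Only the first N_LEN-22 bytes of the
    message are embedded in the signature; the rest must be sent in clear."""
    cut = N_LEN - 22
    m_left, remainder = message[:cut], message[cut:]
    if len(m_left) < cut:
        raise ValueError("message too short for the recoverable field")
    h = hashlib.sha1(message).digest()          # hash covers the whole message
    x = bytes([HEADER]) + m_left + h + bytes([TRAILER])
    sig = pow(int.from_bytes(x, "big"), D, N)   # x < N because 0x6A < 0x80
    return sig.to_bytes(N_LEN, "big"), remainder


def verify_and_recover(signature: bytes, remainder: bytes) -> Optional[bytes]:
    """Recover M_L from the signature and check SHA-1(M_L || remainder).
    Returns the recovered bytes, or None on any structural or hash failure."""
    if len(signature) != N_LEN:
        return None
    y = pow(int.from_bytes(signature, "big"), E, N).to_bytes(N_LEN, "big")
    if y[0] != HEADER or y[-1] != TRAILER:
        return None
    m_left = y[1:N_LEN - 1 - HASH_LEN]
    h = y[N_LEN - 1 - HASH_LEN:N_LEN - 1]
    if hashlib.sha1(m_left + remainder).digest() != h:
        return None
    return m_left


# Constructed certificate-like record: format byte, issuer id, expiry, then a
# public-key-sized blob; it is longer than the recoverable field, so the tail
# becomes the in-clear "remainder" (compare EMV's Issuer Public Key Remainder).
SAMPLE = b"\x02" + b"TOYISS" + b"\x12\x34" + bytes(range(256))
```

    Any modification to the remainder or the signature makes verification return None, because the recovered hash no longer matches the data.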

  3. What is the EMVCo position on elliptic curves or other alternative cryptography?

    EMVCo constantly reviews alternative types of cryptography. For further information regarding elliptic curve cryptography with EMV see the ECC draft of Book 2 (June 2007) located on the EMV website under Specifications > Additional Files > New Cryptography Drafts. The EMVCo Security Working Group is considering the use of ECDSA (or Schnorr ECDSA) for offline card authentication and the use of ECIES for offline PIN encipherment.

  4. What is the EMVCo position on AES?

    EMVCo has published a bulletin (SU74) that allows AES as an option for EMV's online cryptography in addition to the currently supported Two Key Triple DES.

  5. Where can I find other documentation that will help me understand the security issues relating to EMV?

    EMVCo has published the EMV Issuer and Application Security Guidelines that contain additional information relating to EMV security. For subscribers these Guidelines can be found within the Specifications section on the EMVCo website under Specifications > Additional Files.

  6. Where can I find security requirements for PIN Entry Devices?

    Please refer to the PCI PED security requirements. These can be found at: https://www.pcisecuritystandards.org/security_standards/ped/index.shtml