Cryptography standard enables robust EMV® contact chip security long-term as payment technology evolves
28 October 2021 – The EMV® Contact Chip Specification, managed by global technical body EMVCo, now supports Elliptic Curve Cryptography (ECC). Use of this cryptography standard by the payment community can enable enhanced security without impacting technical performance of a payment device or slowing transaction processing time. The inclusion of ECC is required to support new, future payment scenarios.
In an EMV contact chip payment, the merchant point-of-sale terminal can cryptographically authenticate a card and its data. For this purpose, EMVCo has based its EMV Contact Chip Specifications on RSA (Rivest-Shamir-Adleman) public key cryptography since its inception and intends to continue to support this standard. The addition of ECC into EMV Specifications helps achieve superior cryptographic strength with much smaller key sizes, enabling more efficient transactions in the future.
Robin Trickel, EMVCo Executive Committee Chair, explains: “The longer the cryptographic key used to secure a transaction, the more storage and processing power required. The size of a cryptographic key is therefore important. EMVCo recognises that RSA could continue to offer ‘stronger’ keys, however, these would increase in length resulting in slower computing and transaction times. In contrast, ECC is compact and efficient, making it an appealing option for use in devices with limited storage and processing capabilities.”
EMVCo has been working with the payment community for several years through its Associate Programme to identify how it can facilitate scalable security as payment practices and technology evolve.
“ECC provides strong security efficiency when compared to RSA, which is essential to ensure a smooth migration,” adds Trickel. “So while it doesn’t make current payments more secure today, it ensures robust security can be maintained in new payment innovations, setting the foundation to support the long-term security needs of the payment community.”
The EMV Contact Chip Specification for ECC (Specification Bulletin 243) has been published following approval of its release by EMVCo’s Board of Advisors and is available for royalty-free download from www.emvco.com. Updates to the EMV chip technology infrastructure will be part of the natural product lifecycle over a period of time for both cards and point-of-sale terminals.
EMVCo aims to provide EMV technology users with a suite of options to meet regional and local requirements. Both ECC and RSA will be supported by EMVCo while there is demand within the payment community. EMVCo does not mandate the use of encryption standards.
– ENDS –