In April, EMVCo Associates met at the EMVCo Technical Meeting in Singapore to engage in the technical direction of EMVCo, and provide technical input to specification development activity. In this post, Arman Aygen, Director of Technology at EMVCo, highlights some of the key topics covered.
1. Supporting biometric card payments
The growing use of mobile devices for payments has enabled consumer authentication to be performed on a consumer’s own device via passcodes, passwords and patterns, as well as biometrics such as fingerprint, iris, and facial recognition. This type of authentication on a consumer device is known as a Consumer Device Cardholder Verification Method (CDCVM).
Over recent years, EMVCo has worked to promote confidence and consistency across CDCVM solutions by identifying and addressing the specific security, functional and performance needs to enable seamless and secure payments.
In Singapore, EMVCo discussed how supporting the growing use of biometric payment cards marks a natural evolution of this activity. The development of performance and security requirements for fingerprint sensors and processors, and supporting approval and evaluation frameworks, will help balance convenience and security while taking into account the unique considerations for biometric cards. This will be a key focus for EMVCo during this year, and more information about this work will follow shortly.
2. What’s next for the EMV® Contactless Kernel Specifications
In October 2022, Version 1 of the EMV Contactless Kernel Specification (EMV® Contactless Specifications for Payment Systems: Book C-8 – Kernel 8 Specification) was published to support the evolution of contactless and mobile payments and simplify global acceptance.
Version 1.1 of the EMV Contactless Kernel Specification is now simplified by removing the cryptographic functions and instead cross-references EMV® Contactless Specifications for Payments Systems: Book E – Security and Key Management.
Book E is a new, dedicated document that defines the approaches and cryptographic methods – including Elliptic Curve Cryptography (ECC) – to ensure adequate security functionality. EMVCo has released Book E for Associate review, and both documents are expected to be finalised by the end of Q2 2023.
EMVCo is also planning the development of supporting documentation to provide additional information on system aspects for use of the kernel. This work is planned to be carried out through Q3 and Q4 2023.
Finally, EMVCo expects to have EMV Contactless Kernel test documents and testing capabilities available in early 2024.
3. Evolving EMV 3-D Secure (EMV 3DS)
Following the release of Version 220.127.116.11 of the EMV 3DS Specifications in 2022, additional updates and improvements have been identified to optimise implementations. This includes improved support for Secure Payment Confirmation (SPC) and out-of-band (OOB) authentication features.
To incorporate these elements and other additional clarifications, EMVCo is publishing Version 18.104.22.168 of the EMV 3DS Specifications. To ensure full interoperability, the latest version is effective immediately and replaces EMV 3DS v22.214.171.124. Testing will be updated to reflect the latest enhancements and EMVCo is engaging with laboratories, test platform providers and EMV 3DS product providers to support the transition.