by rswail
376 days ago
So a few things:

1. Under the current EMV standards for terminals, the NFC and/or chip connection is via a secure element that protects the data in the transaction both in transit and at rest.
2. The transaction is protected in transmission not only by TLS encryption, but with an individual HMAC generated using a key that is derived from a base key that is unique to the terminal and merchant.

The interaction with the card is relatively read-only. There is a "dynamic CVV" that is generated on the card in chip/contactless transactions that adds some security; however, the data on the card is mostly open (PAN, expiry date, CC name, etc.).

The CHI (cardholder information) has to be maintained in an encrypted state at all times.

The business process (where this article found the root shell) is not involved in the actual card or transaction security. It communicates with the secure element via a protocol that allows it to specify the amount and other details for a transaction, but the authorization (PIN or otherwise) and encrypted messages are entirely within the secure element.
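An added illustration of the per-message HMAC with a derived key that the comment describes; it is not from the comment, the article, or any EMV specification. The derivation labels, the per-transaction counter, the message layout and all key and ID values are assumptions constructed for the example, and real terminals use standardized schemes inside the secure element.

```python
import hashlib
import hmac

# Constructed sample base key held by the acquirer; never a real key.
BASE_KEY = bytes(range(32))


def _field(value: str) -> bytes:
    # Length-prefix each ID so ("AB", "C") and ("A", "BC") derive different keys.
    raw = value.encode()
    return len(raw).to_bytes(2, "big") + raw


def derive_terminal_key(base_key: bytes, merchant_id: str, terminal_id: str) -> bytes:
    """Key unique to one merchant/terminal pair (assumed derivation)."""
    info = b"terminal-key" + _field(merchant_id) + _field(terminal_id)
    return hmac.new(base_key, info, hashlib.sha256).digest()


def mac_message(terminal_key: bytes, counter: int, message: bytes) -> bytes:
    """MAC one transaction message under a key derived for this counter value."""
    ctr = counter.to_bytes(8, "big")
    txn_key = hmac.new(terminal_key, b"txn-key" + ctr, hashlib.sha256).digest()
    return hmac.new(txn_key, ctr + message, hashlib.sha256).digest()


def verify_message(base_key: bytes, merchant_id: str, terminal_id: str,
                   counter: int, last_counter: int,
                   message: bytes, tag: bytes) -> bool:
    """Host-side check: reject replays, re-derive the key, compare in constant time."""
    if counter <= last_counter:
        return False  # counter must move forward, so a captured message cannot be resent
    key = derive_terminal_key(base_key, merchant_id, terminal_id)
    return hmac.compare_digest(mac_message(key, counter, message), tag)


if __name__ == "__main__":
    # Constructed transaction from hypothetical terminal T-0001 of merchant M-1001.
    term_key = derive_terminal_key(BASE_KEY, "M-1001", "T-0001")
    msg = b"amount=12.50;currency=AUD"
    tag = mac_message(term_key, 7, msg)
    print("valid:   ", verify_message(BASE_KEY, "M-1001", "T-0001", 7, 6, msg, tag))
    print("tampered:", verify_message(BASE_KEY, "M-1001", "T-0001", 7, 6,
                                      b"amount=1250.00;currency=AUD", tag))
    print("replayed:", verify_message(BASE_KEY, "M-1001", "T-0001", 7, 7, msg, tag))
```

Because the MAC key lives only in the secure element and at the host, code running in the business process cannot produce a valid tag for an altered amount, even with TLS terminated elsewhere.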