EMV terms and acronyms for the elements of multi-layered security
The details of changing security solutions can be confusing, not least because of the proliferation of terms and abbreviations with specific payment-industry meanings. Here are some industry terms and acronyms that can help define and explain the components of multi-layered security:
Authentication (online): A cryptographic process in which an issuer/host is able to validate the authenticity of a payment card in order to prevent counterfeiting, and a payment smartcard is optionally able to validate the issuer/host in order to prevent fraudulent “man-in-the-middle” attacks on cardholder data.
Authentication (offline): An authentication process that allows the payment terminal to authenticate a smartcard’s validity through asymmetric public/private key cryptography, designed for use in cases where the device is unable to connect online to the issuer. The card’s chip may also authorize the transaction if the defined risk parameters (especially brand requirements and floor limits) of both the chip and the terminal have been satisfied.
PAN: Primary Account Number, which is the card number embossed or represented by the credit or debit card credentials.
PAN Encryption: Called variously End-to-End or Point-to-Point Encryption, this method encrypts card data that included the PAN, the expiration date, and the Security Code (if present). Encryption methods vary, as do the encryption mechanisms. Encrypted data must not be mathematically traceable to the original PAN, nor can the data destination have the means to decrypt.
PIN Validation (online): The cardholder PIN is encrypted by the PIN entry device and sent within the authorization request to the issuer. The issuer decrypts the PIN and validates the identity of the cardholder.
PIN Validation (offline): The cardholder PIN is validated by the PIN embedded in the chip by the issuer. The PIN may be either enciphered or in clear text, since it is never transmitted away from the security of the card reader. Offline PIN validation may be used in conjunction with offline card authentication and authorization or, in cases where the issuer does not support online PIN, offline validation may be used alongside online card authentication and authorization.
Tokenization: Tokenization requires that a replacement value – or “token” – be substituted for the cardholder PAN during the transaction. This token may or may not resemble an actual PAN, depending on the specifics of the tokenization solution. In any case, the token must never be mathematically traceable to the original PAN.
Making sure everyone on your security team is speaking the same language is critical to avoid errors and omissions that could compromise security. If in doubt, ask for complete clarification.
To see a more complete list of EMV and transaction security terminology, please visit http://www.emv-connection.com/standardization-of-terminology/
Allen Friedman is the Director of Payment Solutions at Ingenico Group, North America