Enhancing EMV Tokenisation with Dynamic Transaction Tokens

Danushka Jayasinghe, Konstantinos Markantonakis, Raja Akram, Keith Mayes

Research output: Chapter in Book/Report/Conference proceedingPublished conference contribution

1 Citation (Scopus)


Europay MasterCard Visa (EMV) Tokenisation specification details how the risk involved in Personal Account Number (PAN) compromise can be prevented by using tokenisation. In this paper, we identify two main potential problem areas that raise concerns about the security of tokenised EMV contactless mobile payments, especially when the same token also called a static token is used to pay for all transactions. We then discuss five associated attack scenarios that would let an adversary compromise payment transactions. It is paramount to address these security concerns to secure tokenised payments, which is the main focus of the paper. We propose a solution that would enhance the security of this process when a smart phone is used to make a tokenised contactless payment. In our design, instead of using a static token in every transaction, a new dynamic token and a token cryptogram is used. The solution is then analysed against security and protocol objectives. Finally the proposed protocol is subjected to mechanical formal analysis using Scyther which did not find any feasible attacks within the bounded state space.
Original languageEnglish
Title of host publicationRadio Frequency Identification and IoT Security
Subtitle of host publicationRFIDSec 2016
EditorsG Hancke, K Markantonakis
Number of pages16
Publication statusPublished - 20 Jul 2017

Publication series

Name Lecture Notes in Computer Science

Bibliographical note

© Springer International Publishing AG 2017

International Workshop on Radio Frequency Identification: Security and Privacy Issues
RFIDSec 2016: Radio Frequency Identification and IoT Security


Dive into the research topics of 'Enhancing EMV Tokenisation with Dynamic Transaction Tokens'. Together they form a unique fingerprint.

Cite this