Payment Systems and the
Introduction of Tokenisation to
Enhance Security
Konstantinos Dean Apostolopoulos [dapo] [390069]
Peter Mansour [pmansour] [391805]
Department of Computing and Information Systems, University of Melbourne, Australia
Email: d.apostolopoulos@student.unimelb.edu.au, p.mansour@student.unimelb.edu.au
The forms of payment have evolved throughout the last half century to make use of emerging technological innovations to greatly enhance the security and convenience of transacting with money. With the introduction of the swipe card, accessibility to and security of money and bank accounts were greatly improved.
However, adversarial parties have always been motivated to gain entry for both white- and black-hat rationales. The advent of chip-and-pay systems has greatly improved security, and we explore a new advancement in the payments industry, tokenisation augmented with mobile devices, and the advantages the technologies provide to security and convenience.
Keywords: Payment Systems; EMV standards; Tokenisation; Chip and Pay; Swipe; Mobile
Payments; Security and Vulnerabilities in Payment Systems
Submitted Monday, 27 October, 2014

1.
1.1.

INTRODUCTION

Customer’s card.

History of Credit Card Payments

Credit cards have come a long way since their introduction in the mid twentieth century. Originally using IBM’s magnetic stripe card technology, they have evolved to use integrated circuit cards as well as contactless technologies such as RFID and NFC.
The main idea behind credit cards is that a customer can make a purchase without actually paying for it, but by just providing a proof that the debt could be repaid
[1]. In modern credit card transactions, this is done when a Merchant proves to their bank (the Acquiring
Bank ) that another bank (the Issuing Bank ) will pay for a purchase, and so can safely process the transaction knowing that the money will be added to the account.
1.2.

Card Technologies

In a credit card transaction, the Customer is represented by their Card, while the Merchant is represented by their Point of Sale (POS) Terminal. Many technologies have been used for facilitating communication between credit cards and terminals. The ones in current use today, in order of emergence, are magnetic stripes, integrated circuit cards (“Smartcards”), RFenabled Smartcards (“Contactless”), and NFC devices.
Figure 1 shows the different kinds of interfaces that a POS terminal can use when interacting with a

FIGURE 1. The three most common interfaces to EMV
Terminals [2].

1.3.

Transaction Protocols

The merchant needs to communicate with the customer’s bank (the Issuing Bank) to ensure that they commit to paying (authorise) the transaction. Plenty of protocols exist for these interactions, the oldest of which being Magnetic Stripe, which is also the least secure of the protocols currently in use (mostly in the US).

COMP90043: Cryptography and Security

2

K. D. Apostolopoulos, P. Mansour

However, the purpose of its continued use is to maintain backwards compatibility with existing infrastructure.
2.

8.

The terminal shows that the transaction is complete. Figure 2 shows the flow of the two key transaction messages at each of the key actors.

EMV 4.3

The most prevalent secure transaction protocol currently in use is defined by the EMV 4.3 Contact specification, commonly known as Chip-and-Pin [3]. It is maintained by EMVCo, a partnership of the world’s major credit-card giants [4], and will be discussed in some detail in this paper.
2.1.

Key Actors

The following are the key actors in a normal credit-card point of sale transaction:
•
•

•

•

•

2.2.

The Customer is the individual making the purchase, and is represented by their SmartCard.
The Merchant is the individual receiving payment for a purchase, and is represented by their
Terminal.
The Issuing Bank is the bank of the Customer, and is responsible for authorising payments from the Customer’s account.
The Acquiring Bank is the bank of the