EMVCo has issued a new specification bulletin that adds support for elliptic curve cryptography (ECC) to its EMV contact chip specifications to enable “robust EMV contact chip security long term as payment technologies evolve”.
The addition of support for ECC is detailed in Specification Bulletin 243 and applies to the EMV Integrated Circuit Card Specifications for Payment Systems v4.3.
Use of the ECC cryptography standard enables enhanced transaction security “without impacting on the technical performance of a payment device or slowing transaction processing time,” the standards body says.
“In an EMV contact chip payment, the merchant point-of-sale terminal can cryptographically authenticate a card and its data.
“For this purpose, EMVCo has based its EMV contact chip specifications on RSA (Rivest-Shamir-Adleman) public key cryptography since its inception and intends to continue to support this standard.
“The addition of ECC into EMV specification helps achieve superior cryptographic strength with much smaller key sizes, enabling more efficient transactions in the future.”
“The longer the cryptographic key used to secure a transaction, the more storage and processing power required. The size of a cryptographic key is therefore important,” EMVCo Executive Committee chair Robin Trickel explains.
“EMVCo recognises that RSA could continue to offer ‘stronger’ keys, however, these would increase in length resulting in slower computing and transaction times.
“In contrast, ECC is compact and efficient, making it an appealing option for use in devices with limited storage and processing capabilities.
“While it doesn’t make current payments more secure today, it ensures robust security can be maintained in new payment innovations, setting the foundation to support the long-term security needs of the payment community.”