To execute a transaction, the chip and the acceptance terminal engage in a conversational exchange that follows a set of criteria laid down by the EMV chip specifications. This conversation includes steps taken by both the card and the terminal to complete the transaction, including the authorization system. Unlike old magstripe transactions, the chip in an EMV transaction processes information and performs complex cryptographic calculations using secret keys to ensure the security and verification of its communications with the terminal.
To ensure that payment transactions are accepted at an international level, the payment community has developed a multi-layered approach to security, utilizing a variety of techniques to combat fraudulent activities. Cryptography is one such protective layer. In an EMV chip payment context, the merchant payment terminal verifies digital signatures generated by the card's issuer and the payment system to cryptographically authenticate both the card and its associated data. This process helps ensure secure payment transactions.
Since their inception in the mid-1990s, the EMV chip specifications have used RSA (Rivest-Shamir-Adleman) public key cryptography, which was widely deployed and internationally standardized. However, since October 2021, the EMV contact chip specification has included support for another type of public key cryptography, elliptic curve cryptography (ECC). The revised specification uses elliptic curve mechanisms also standardized by the International Organization for Standardization (ISO).
Compared with RSA, ECC provides strong security more efficiently. This is essential to ensure smooth migration and set the foundation for supporting the long-term security needs of the payment community. Though ECC doesn't make current payments significantly more secure, it enables robust security in new payment innovations without impacting technical performance or slowing transaction processing times. Therefore, the payment community's use of this cryptography standard can enable enhanced security for future payment scenarios.
Although RSA is not strategically at risk in the future, its limitations present a challenge. Increasing the key size increases both transmission and computing time, which would slow transaction times. In contrast, ECC uses smaller key sizes for the same strength, making it a compact and efficient option where storage and processing speed are limited. The payment community has options, including RSA and ECC, but also other cryptographic mechanisms such as hash functions like SHA-256 and block cipher mechanisms. Going forward, emphasis will be placed on the long-term use of ECC within the EMV payment ecosystem because of its efficiency and the benefits it offers for contactless transactions.
With elliptic curve technology, we can also include a secure channel that encrypts the account number on the card while it's being transferred from the card to the terminal. This ensures that the card usage cannot be tracked from one terminal to another or from one merchant to another, thereby protecting privacy. The payment community continually monitors the payment security landscape and works with a wide range of parties to understand potential current and future trends and threats. For instance, it is actively monitoring the role of quantum computing and its impact. The National Institute of Technology has made efforts to develop quantum-resistant cryptography to address this issue.
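The privacy property of the elliptic-curve secure channel described above can be seen in a small added example, which is not taken from the EMV specifications and does not reproduce their protocol. It assumes a generic construction (fresh P-256 key pairs on both sides, a SHA-256 key derivation, AES-256-GCM), hypothetical names `newAEAD` and `Session`, and a constructed test account number; it shows that the same account number looks different on the wire at every tap, so an observer cannot link taps across terminals.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// newAEAD turns an ECDH shared secret into an AES-256-GCM cipher (assumed KDF: SHA-256).
func newAEAD(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Session simulates one tap; wire is what an observer between card and terminal sees.
func Session(pan []byte) (wire, recovered []byte, err error) {
	var k [2]*ecdh.PrivateKey // k[0] = card, k[1] = terminal, both fresh per tap
	for i := range k {
		if k[i], err = ecdh.P256().GenerateKey(rand.Reader); err != nil {
			return nil, nil, err
		}
	}
	var side [2]cipher.AEAD // each side derives the same key from its own private key
	for i := range side {
		if side[i], err = newAEAD(k[i], k[1-i].PublicKey()); err != nil {
			return nil, nil, err
		}
	}
	nonce := make([]byte, side[0].NonceSize()) // all-zero is safe: each key encrypts once
	wire = side[0].Seal(nil, nonce, pan, nil)  // card encrypts the account number
	recovered, err = side[1].Open(nil, nonce, wire, nil)
	return wire, recovered, err
}

func main() {
	a, _, _ := Session([]byte("4111111111111111")) // constructed test PAN
	b, _, _ := Session([]byte("4111111111111111")) // same PAN at a second terminal
	fmt.Printf("tap 1: %x\ntap 2: %x\n", a, b)
}
```

The example leaves out authentication of the public keys, so it demonstrates unlinkability against a passive observer only.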