http://dx.doi.org/10.3837/tiis.2016.04.022

Cryptographically-Generated Virtual Credit Card Number for Secure Card-Not-Present Transactions  

Park, Chan-Ho (Department of Computer Science, Dankook University)
Park, Chang-Seop (Department of Software, Dankook University)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS) / v.10, no.4, 2016, pp. 1864-1876
Abstract
Card-Not-Present (CNP) transactions taking place remotely over the Internet are becoming more prevalent. Cardholder authentication should be provided to prevent CNP fraud resulting from the theft of stored credit card numbers. To address the security problems associated with CNP transactions, the use of a virtual card number derived from the transaction details has been proposed for the payment, instead of the real card number. Since all of the virtual card number schemes proposed so far are based on a password shared between the cardholder and card issuer, transaction disputes due to the malicious behavior of one of the parties involved in the transaction cannot be resolved. In this paper, a new virtual card number scheme is proposed, which is associated with the cardholder's public key for signature verification. It provides strong cardholder authentication and non-repudiation of the transaction without deploying a public-key infrastructure, so that transaction disputes can be easily resolved. The proposed scheme is analyzed in terms of its security and usability, and compared with the previously proposed schemes.
Keywords
CNP Transaction; CNP Fraud; Cardholder Authentication; Non-Repudiation