EMV-based Mobile Payment Protocol for Offline Transaction - With the Ability of Mutual Authentication

羅嘉寧, 楊明豪, 何宇承
International Journal of Science and Engineering, 5(1), pp. 61-66. Published 2015-03-01. Journal Article.
DOI: 10.6159/IJSE.2015.(5-1).09 (https://doi.org/10.6159/IJSE.2015.(5-1).09)
Citations: 0

EMV-based Mobile Payment Protocol for Offline Transaction - With the Ability of Mutual Authentication
The Europay, MasterCard and Visa (EMV) standards have been widely adopted by the major financial services corporations, but they leave certain security threats open: (1) authentication is one-way only, i.e. from a reader to a card. (2) EMV-compatible contactless smartcards do not encrypt sensitive data in mobile transactions, which allows attackers to steal users' personal information. (3) During offline transactions, merchants cannot verify whether a credit card has been revoked. In 2013, Yang proposed a protocol to enhance the security of the EMV standards. Yang's method can perform mutual authentication between a point-of-sale (POS) terminal and a credit card, but users can exceed their credit limit after multiple offline transactions. To improve Yang's method, we propose a new offline transaction mechanism that is compatible with the EMV standards. In our scheme, a user is required to apply for limited and divisible credits from a bank and to store the credits in the secure element (SE) of his NFC phone. During an offline transaction, the user has to send his certificate and the specific amount of credits to the merchant. The merchant verifies the user's certificate, collects the credits, and redeems the payments from the bank. Our protocol is suitable for an offline environment that accommodates multiple merchants; it prevents the credit limit from being exceeded across multiple offline transactions; and it enhances the security of the EMV standards.