Examining Users’ Understanding of Security Failures in EMV Smart Card Payment Systems

Akeem Olowolayemo, Nafisat Adewale, Akram M. Zeki, Zubair Ahmad


New credit cards containing Europay, MasterCard and Visa (EMV) chips for enhanced security, and for in-store purchases (rather than online purchases) have been adopted considerably in recent years. EMV supposedly protects the payment cards in such a way that the computer chips in a card referred to as chip-and-pin cards generate a unique one-time code each time the card is used.  The one-time code is designed such that if it is copied or stolen from the merchant system or from the system terminal, it cannot be useful for creating a counterfeit copy of that card or counterfeit chip of the transaction. However, in spite of this design, EMV technology is not entirely foolproof from failure. This paper dis-cusses the issues, failures and fraudulent cases associated with EMV Chip-And-Card technology. The work also evaluates people’s understanding of these issues and the consequential precautions they take to safeguard their information while using the EMV cards for transactions.


Chip and PIN Card Fraud; Card Security; Protocol Failure, Card Authentication, Users’ perceptions, Payment Risks, Awareness.

Full Text:



Anderson, R., Bond, M., & Murdoch, S. J. (2007). Chip and spin. Infosecurity, 4(8), 38–40. https://doi.org/10.1016/S1754-4548(07)70204-8

Barisani, A., Bianco, D., & Laurie, A. (2011). Chip & PIN is definitely broken - Credit Card skimming and PIN harvesting in an EMV world. In Defcon 2011.

Bond, M., Choudary, O., Murdoch, S. J., Skorobogatov, S., & Anderson, R. (2014). Chip and skim: Cloning EMV cards with the pre-play attack. In Proceedings - IEEE Symposium on Security and Privacy (pp. 49–64). https://doi.org/10.1109/SP.2014.11

Degabriele, J. P., Lehmann, A., Paterson, K. G., Smart, N. P., & Strefler, M. (2012). On the Joint Security of Encryption and Signature in EMV BT - Topics in Cryptology – CT-RSA 2012: The Cryptographers’ Track at the RSA Conference 2012, San Francisco, CA, USA, February 27 – March 2, 2012. Proceedings. In O. Dunkelman (Ed.), Lecture Notes in Computer Science (LNCS) (pp. 116–135). Berlin, Heidelberg: Springer Berlin Heidelberg. https://doi.org/10.1007/978-3-642-27954-6_8

Drimer, S., & Murdoch, S. J. (2007). Keep your enemies close: Distance bounding against smartcard relay attacks. USENIX Security Symposium, 7. Retrieved from http://dl.acm.org/citation.cfm?id=1362910

Drimer, S., Murdoch, S. J., & Anderson, R. (2008). Thinking inside the box: System-level failures of tamper proofing. In Proceedings - IEEE Symposium on Security and Privacy (pp. 281–295). https://doi.org/10.1109/SP.2008.16

EMVCo. (2011a). Integrated Circuit Card Specifications for Payment Systems, Book 3: Application Specification. EMV Integrated Circuit Card Specifications for Payment Systems. Retrieved from http://www.emvco.com/specifications.aspx?id=223

EMVCo, L. (2011b). EMV – Integrated Circuit Card Specifications for Payment Systems, Book 4: Cardholder, Attendant, and Acquirer Interface Requirements, Version 4.2 ed. EMV2011, Dec, 4(November). Retrieved from http://scholar.google.com/scholar?hl=en&btnG=Search&q=intitle:Integrated+Circuit+Card+Specifications+for+Payment+Systems#1

Francis, L., Hancke, G., Mayes, K., & Markantonakis, K. (2012). Practical relay attack on contactless transactions by using NFC mobile phones. Cryptology and Information Security Series, 8, 21–32. https://doi.org/10.3233/978-1-61499-143-4-21

Gray, D., & Ladig, J. (2015). The Implementation of EMV Chip Card Technology to Improve Cyber Security Accelerates in the U.S. Following Target Corporation’s Data Breach. International Journal of Business Administration, 6(2), 60–67. https://doi.org/10.5430/ijba.v6n2p60

Murdoch, S. J. (2009). Reliability of Chip & PIN evidence in banking disputes. Digital Evidence and Electronic Signature Law Review, 6, 98–115. https://doi.org/10.14296/deeslr.v6i0.1862

Murdoch, S. J. (2015). Banks undermine chip and PIN security because they see profits rise faster than fraud.

Murdoch, S. J., Drimer, S., Anderson, R., & Bond, M. (2010). Chip and PIN is broken. In Proceedings - IEEE Symposium on Security and Privacy (pp. 433–446). https://doi.org/10.1109/SP.2010.33

Murdoch, S. J., Drimer, S., Anderson, R., & Bond, M. (2013). EMV PIN verification “ wedge ” vulnerability.

Ruiter, J. De, & Poll, E. (2012). Formal Analysis of the EMV Protocol Suite, 113–129.

The U K Cards Association. (2012). Card Expenditure Statistics. January.

The UK Cards Association. (2009). Standard 70, Book 2 – Card Acceptor to Acquirer Interface Standards: Messages, Data Elements and Code Values for Real-time Systems.

DOI: http://dx.doi.org/10.30630/joiv.3.2.244


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

JOIV : International Journal on Informatics Visualization
Published by Information Technology Department
Politeknik Negeri Padang, Indonesia

© JOIV - ISSN : 2549-9610 | e-ISSN : 2549-9904 

Phone : +62-82386434344
Email  : hidraamnur@live.com | hidra@pnp.ac.id

Creative Commons License is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

View My Stats