Abstract
EMV is the de-facto worldwide payment system used by Mastercard, Visa, American Express, and such. In-shop EMV contactless payments are not anonymous or private: the payers' long-term identification data leaks to merchants or even to observers. Anti-Money Laundering (AML), Know Your Customer (KYC) and Strong Customer Authentication (SCA) are payment regulations protecting us from illegal activities, but --in so doing-- contribute chiefly to this lack of privacy in EMV payments. Threading the tightrope of AML, KYC and SCA regulations, we provide two privacy-enhancing, EMV-compatible, law-abiding and usable and practicable contactless-payments protocols: PrivBank and PrivProxy. We do not use privacy-enhancing technology, like homomorphic encryption, that would break backwards-compatibility with current EMV, but rather we do privacy by engineering design, adhering to the existing EMV infrastructure, as is. So, PrivBank and PrivProxy provably achieve strong notions of payers and merchant privacy, anonymity and unlinkability as seen in e-cash or shopping vouchers, whilst being implementable in EMV as it stands.
| Original language | English |
|---|---|
| Title of host publication | USENIX Security '25 |
| Publisher | USENIX Association |
| Publication status | Accepted/In press - 31 Jan 2025 |
| Event | 34th USENIX Security Symposium - Seattle Convention Center, Seattle, United States Duration: 13 Aug 2025 → 15 Aug 2025 https://www.usenix.org/conference/usenixsecurity25 |
Publication series
| Name | USENIX Conference Proceedings |
|---|---|
| Publisher | USENIX Association |
| ISSN (Print) | 1049-5606 |
Conference
| Conference | 34th USENIX Security Symposium |
|---|---|
| Abbreviated title | USENIX Security '25 |
| Country/Territory | United States |
| City | Seattle |
| Period | 13/08/25 → 15/08/25 |
| Internet address |