The introduction of EMV-compliant payment cards, with their
improved cardholder verification and card authentication capabilities,
has resulted in a dramatic reduction in the levels of fraud seen at
Point of Sale (PoS) terminals across Europe. However, this reduction
has been accompanied by an alarming increase in the level of fraud
associated with Internet-based Card Not Present (CNP) transactions.
This increase is largely attributable to the weaker authentication pro-
cedures involved in CNP transactions. This paper shows how the
functionality associated with EMV-compliant payment cards can be
securely emulated in software on platforms supporting Trusted Com-
puting technology. We describe a detailed system architecture encom-
passing user enrollment, card deployment (in the form of software),
card activation, and subsequent transaction processing. Our proposal
is compatible with the existing EMV transaction processing architec-
ture, and thus integrates fully and naturally with already deployed
EMV infrastructure. We show that our proposal, which effectively
makes available the full security of PoS transactions for Internet-based
CNP transactions, has the potential to significantly reduce the oppor-
tunity for fraudulent CNP transactions