When Less is More, the EMVCo C-8 Contactless Kernel

When Less is More, the EMVCo C-8 Contactless Kernel
Steve Cole Director, Tech Engagement Merchant Advisory Group
Dec 6, 2023

In October of 2022, EMVCo published a new specification for a contactless kernel.  While that may be a yawn-inducing announcement for many people, the potential significance of this specification should not be overlooked.  One of the primary drivers for the development of this specification was to eventually reduce the number of contactless kernels that merchants have to implement, certify, and support.  If this specification reaches the ultimate desired end state, it means that your contactless certifications will look much more like your contact certifications with one kernel certified to all of the global card brands.  This will lead to lower implementation costs, reduced certification complexity, and faster time to market.  In addition, the C-8 kernel introduces new features that increase security and provide new implementation options.  Let’s take a look at a few of the key features being introduced.

First, the C-8 kernel introduces advanced cryptography that will help secure payment transactions for many years to come.  Today, EMV uses RSA public key infrastructure.  The current design of contact and contactless payments uses increasing RSA key lengths intended to keep payments secure as computing power increases.  Each year, EMVCo assesses the strength of the key lengths relative to the potential for the encryption to be broken.  As of today, only two EMV-supported key lengths remain, the 1408-bit and 1984-bit keys.  While the 1984-bit key is still assessed to be secure to the end of EMVCo’s 10-year projection horizon (December 2033), the expiration date for the 1408-bit key has been set at December 31, 2024 (the card brands have historically allowed an additional six months for merchants to remove the expired keys from their devices).  Using ever-increasing key lengths is not really an option as the increased computing power and processing time would be detrimental to a fast contactless payment experience.  Enter Elliptical Curve Cryptography (ECC) which provides higher levels of security with shorter key lengths than RSA.  In addition to using ECC in the C-8 kernel, EMVCo also introduced the usage of Advanced Encryption Standard (AES) to create a secure channel between the payment device and the terminal which protects against man-in-the-middle attacks.

The EMVCo contactless kernel also supports a cloud-based processing option.  Capitalizing on the development of the “kernel in the cloud” configurations that have come to market over the last few years, the C-8 kernel supports these types of split architectures.  With this model, the heavy lifting, such as performing cryptographic functions, is handled in the cloud after the card has been removed from the payment acceptance device’s communication field.  This allows for the “card in field” time to be independent of network latency and stay under half a second.  Interestingly, support for cloud operations can lead to a simplified “TapToMobile” implementation with a lightweight client on the mobile device, no keys required on the device and, where sensitive data is passed via the secure channel, the device is not exposed to any sensitive card data. 

Possibly most important to merchants from an implementation perspective, the C-8 kernel is designed to work within the existing contactless terminal architecture.  As a migration to a single contactless kernel will require several years to complete, the ability for the C-8 kernel to “play nice” with the 20+ existing kernels is a critical requirement for the solution to support.  For the foreseeable future, the “single” contactless kernel will actually be “another” contactless kernel and, as such, it must be able to operate in the same architecture and work using the same processes the other contactless kernels use during the transition period.  In addition to the C-8 kernel being based on the existing architecture, other features will help facilitate a smooth transition.  As an example, configuration data files in the kernel contain mapping of new data tags to legacy tags so the impact on transaction processing can be minimized.

The C-8 contactless kernel represents an opportunity to take complexity and cost out of the payments acceptance system in an era when complexity seems to pile on top of complexity on an almost daily basis.  The good news is that a couple of the card networks have already announced card products that are either compatible with the C-8 kernel or specifically designed for it.  In the short term, working with your solution providers to understand where the development of the C-8 kernel lies on their product roadmaps will inform you of where the implementation of their solutions can fit into your roadmap.  While it will be a long road to the day when there is only a single contactless kernel, we will only get there if we take the first steps.

The Merchant Advisory Group

Driving positive change and innovation in the payments industry that serves the merchants interest through collaboration, education, and advocacy.