I stumbled upon this Stack Overflow question: What encryption mechanism is used for EMV contactless transaction information?
The answer is simple: none. The communication between an EMV card and a contactless reader is not encrypted. You can easily eavesdrop on and record the exchanged APDUs, for example with the Fime SmartSpy contactless spy.
But that doesn’t mean you’ll be able to clone the card or perform transactions using the recorded dialog. You will get access to some information (e.g. the card number and the track 2 equivalent data), but:
- you will miss information required to create a magnetic stripe card
- you won’t have the CVV (the number printed on the back of the card) required to make online purchases
- you won’t be able to “replay” the transaction, because the transaction data includes two unpredictable numbers, one generated by the terminal and one by the card, which are unique to each transaction and signed by the card
The last point, the signing part, is where cryptography comes into play. The card holds a private key/certificate used to sign the transaction so that the acquirer can authenticate and validate it. This certificate is never transmitted during the transaction and cannot be read out. It is this private key/certificate that is protected and encrypted on the card.
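To make the replay argument concrete, here is an added simulation (my own teaching example, not code from the original post and not EMV's real cryptogram algorithm): a toy card keeps a secret key that never leaves it, answers each transaction with a MAC over the amount, the terminal's unpredictable number, its own transaction counter and its own unpredictable number, and an issuer-side verifier checks freshness. The key, amounts and nonces are constructed values; a real card uses a symmetric session key derived from a card master key (3DES/AES CBC-MAC) rather than HMAC-SHA256, but the freshness logic is the same. The example goes slightly beyond the post by also showing that tampering with the captured amount is rejected.

```python
"""Why a recorded EMV dialog cannot be replayed: a simplified model."""
import hashlib
import hmac
import os

# Constructed card secret (hypothetical; shared only with the issuer).
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _cryptogram_input(amount: int, terminal_un: bytes, atc: int, card_un: bytes) -> bytes:
    """Fields covered by the MAC: amount, terminal UN, ATC and card UN."""
    return amount.to_bytes(6, "big") + terminal_un + atc.to_bytes(2, "big") + card_un


class Card:
    """Holds the secret key and an Application Transaction Counter (ATC)."""

    def __init__(self, key: bytes):
        self._key = key   # never transmitted over the contactless interface
        self.atc = 0      # increments on every transaction

    def generate_ac(self, amount: int, terminal_un: bytes) -> dict:
        """Answer a GENERATE AC: cleartext fields plus a MAC over them."""
        self.atc += 1
        card_un = os.urandom(4)  # card-side unpredictable number
        data = _cryptogram_input(amount, terminal_un, self.atc, card_un)
        mac = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        return {"amount": amount, "terminal_un": terminal_un,
                "atc": self.atc, "card_un": card_un, "mac": mac}


class Issuer:
    """Verifies cryptograms and remembers the last ATC accepted for the card."""

    def __init__(self, key: bytes):
        self._key = key
        self.last_atc = 0

    def verify(self, terminal_un: bytes, response: dict) -> bool:
        # 1. The nonce the terminal chose for this session must be the one
        #    covered by the cryptogram; a captured response carries an old one.
        if response["terminal_un"] != terminal_un:
            return False
        # 2. The ATC must move forward; a replayed response reuses a consumed one.
        if response["atc"] <= self.last_atc:
            return False
        # 3. The MAC must match, which binds amount, nonces and counter together.
        data = _cryptogram_input(response["amount"], response["terminal_un"],
                                 response["atc"], response["card_un"])
        expected = hmac.new(self._key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, response["mac"]):
            return False
        self.last_atc = response["atc"]
        return True


def run_genuine_then_replay() -> tuple:
    """Genuine transaction, then two attempts to reuse the captured response.

    Returns (genuine_ok, replay_in_new_session_ok, replay_in_same_session_ok).
    """
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    terminal_un = bytes.fromhex("a1b2c3d4")        # constructed terminal nonce
    captured = card.generate_ac(1000, terminal_un)  # the eavesdropped dialog
    genuine_ok = issuer.verify(terminal_un, captured)

    # A later session: the terminal draws a new nonce, so check 1 fails.
    new_session_ok = issuer.verify(bytes.fromhex("deadbeef"), captured)
    # The very same session data again: check 1 passes but the ATC check fails.
    same_session_ok = issuer.verify(terminal_un, captured)
    return genuine_ok, new_session_ok, same_session_ok


def run_tampered_amount() -> bool:
    """Alter the amount in a captured response; the MAC no longer matches."""
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    terminal_un = bytes.fromhex("0badf00d")
    captured = card.generate_ac(1000, terminal_un)
    tampered = dict(captured, amount=1)  # same MAC, different amount
    return issuer.verify(terminal_un, tampered)


if __name__ == "__main__":
    print("genuine / replay(new session) / replay(same session):",
          run_genuine_then_replay())
    print("tampered amount accepted:", run_tampered_amount())
```

The three checks in `Issuer.verify` map onto the post's argument: the terminal's unpredictable number ties the response to one session, the counter and card nonce make each response unique, and the MAC (a signature in the post's wording) means none of these fields can be altered by someone who only holds the captured APDUs.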