Thought Paper: Overview of Banking Applications


Card based transactions account for barely 1% of all non-cash transactions by value, in India. Security concerns rank high on the list of barriers to card adoption, not just in this country, but also in those with much higher penetration.


Overview of Banking Application Security and PCI DSS Compliance for Banking Applications
Thought Paper
Banking Solution | Systems Integration | Consulting | Business Process Outsourcing
Overview of banking application security and PCI DSS compliance for banking applications

Card based transactions account for barely 1% of all non-cash transactions by value, in India. Security concerns rank high on the list of barriers to card adoption, not just in this country, but also in those with much higher penetration.

The card ecosystem, comprising issuing banks, application developers, technology vendors and regulators, has taken several steps to secure banking applications and carrier networks against deliberate attack or unintentional breach. This paper discusses banking software application security practices in general, as well as banks' compliance with the provisions of the Payment Card Industry Data Security Standard (PCI DSS), which focuses specifically on the safeguards for credit and debit card data.

Software application security and security compliance

Software applications, like Internet Banking, which are exposed to users on public networks, are vulnerable to security threats. Stories abound about individual or group hackers managing to penetrate public bank networks to gain access to applications and databases. We've seen instances of databases using default passwords, hardly the recipe for foolproof safety!

Current banking application security practices

Typically, banks safeguard their applications at three levels:
• At the network level, banks use firewalls and filters to ensure security.
• At the core banking/application level, the responsibility for security rests with the respective vendors.
• At the third party application level, banks protect middleware, databases, webservers etc. with security packs that are provided by their vendors.

The need for holistic security

The securing of individual components, such as applications, networks, access controls etc., must be done in coordination with all other security systems, rather than piecemeal. A cohesive and holistic security approach is most effective. To illustrate, take the example of a banking application that is connected to a database: it is necessary to protect not only the application but also the database at the other end.

Banks employ either or a combination of the following approaches to secure their software applications:
• Proactive security: The banks deploy adequate security measures to protect networks and applications from cyber attack.
• Post incident security: The banks put a mechanism in place to constantly monitor activity logs, databases, webservers, networks etc., which alerts them the moment there is a security breach and also helps them reconstruct the sequence of events which led up to it. In such an event, the banks isolate or "de-alienate" their applications, webservers, databases et al immediately and follow it up with a tightening of proactive security measures.

Security of banking applications in card transactions

It is necessary to secure card transaction data while in storage and also during transactions.
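The post incident approach described above rests on two capabilities: a monitor over activity logs that raises an alert when something looks like a breach, and enough retained detail to reconstruct the sequence of events afterwards. The following Python script is an added example, not code from the paper or from any Infosys product. It runs one simple detection rule (a burst of failed logins from a single source address followed by a successful login from the same address) over constructed sample log lines, and then pulls the flagged source's complete timeline for reconstruction. The log format, its field names, and the threshold of five failures within sixty seconds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample application log; the addresses, users and timings are invented.
SAMPLE_LOG = """\
2012-03-15T10:00:01 src=203.0.113.7 user=alice action=login result=FAIL
2012-03-15T10:00:03 src=203.0.113.7 user=alice action=login result=FAIL
2012-03-15T10:00:05 src=198.51.100.9 user=bob action=login result=FAIL
2012-03-15T10:00:06 src=203.0.113.7 user=alice action=login result=FAIL
2012-03-15T10:00:09 src=198.51.100.9 user=bob action=login result=OK
2012-03-15T10:00:10 src=203.0.113.7 user=alice action=login result=FAIL
2012-03-15T10:00:14 src=203.0.113.7 user=alice action=login result=FAIL
2012-03-15T10:00:20 src=203.0.113.7 user=alice action=login result=OK
2012-03-15T10:01:02 src=203.0.113.7 user=alice action=export_cards result=OK
"""

# Assumed log line layout: ISO timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Alert when at least `threshold` failed logins from one source inside `window`
    are followed by a successful login from that same source."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login":
            continue
        recent = failures[ev["src"]]
        # Forget failures that fell out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        elif ev["result"] == "OK" and len(recent) >= threshold:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(recent),
                "first_fail": recent[0],
                "success_at": ev["ts"],
            })
            recent.clear()
    return alerts


def reconstruct_timeline(events, src):
    """Everything the flagged source did, in time order, for post incident reconstruction."""
    return [
        f"{e['ts'].isoformat()} {e['user']} {e['action']} {e['result']}"
        for e in sorted(events, key=lambda e: e["ts"])
        if e["src"] == src
    ]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for alert in detect_brute_force(events):
        print("ALERT:", alert)
        for line in reconstruct_timeline(events, alert["src"]):
            print("   ", line)
```

The rule deliberately fires on the success rather than on the failures alone, since a burst of failures that never succeeds is noise for the isolation step the paper describes, while a success after a burst is the moment to act. The timeline then shows what the account did after the login, which is the part an investigator needs.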
Security of banking applications in card transactions (continued)

• Debit/credit card data is usually stored in databases, which are in turn stored in data centers. These must be safeguarded through regular information security audit. Also, the owners of the data must ensure that it is stored in encrypted form.
• It is also essential to protect card data as it transits through networks, routers, firewalls, filters, middleware, web services etc. during a transaction.

Working of card based payments

[Figure: Working of card based payments. Elements shown: POS/ATM; SWITCH (at Bank); SWITCHING services by external vendor; BANK A Core Banking.]

(In)Famous card security breaches

Despite elaborate measures, card security does get breached from time to time. Some past incidents resulted in massive losses for card owners and their banks. The most famous ones are listed below.

The case of Heartland Payment Systems

Heartland, a payment processor of debit and credit card transactions, was the victim of an attack wherein the perpetrators planted malicious software onto its payment network to record data sent during payment processing. The attackers managed to capture the highly confidential digital data encoded on the reverse of credit/debit cards. It is estimated that 100 million or more credit/debit cards were affected.

The case of TJX Companies

This is a great example of how inadequate security measures allowed fraudsters to break in at two levels – that of the network as well as the application. Hackers breached TJX Companies' data security by penetrating the network security at kiosks and points of sale (POS). They broke into TJX's network, which was not firewalled, and used USB keys to load software on to the POS terminals to gain access to the network. Their modus operandi was to remotely control the payment network and gain access to customer data, which was stored by TJX in an unencrypted form. Around 46 million card holder accounts were estimated to be affected by the attack.

The case of Card Systems

In this example of application security breach, hackers employed a sophisticated technique called SQL injection to extract customers' card information. Card Systems had not firewalled their web application. This inadequacy was exploited by the hackers, who planted a small code snippet (a database query that is run on a database to extract data) onto Card Systems' database by means of a web application which was used by customers to access their own data. The hackers used File Transfer Protocol to retrieve this information. Here again, the company's failure to erect network firewalls and encrypt important data was the reason for the breach. To make things worse, old transaction information had not been deleted, which added to the huge losses.

Is PCI compliance a guarantee of security?

The Heartland episode shot into the limelight especially because the company had been certified as PCI compliant. This unfortunate incident was a wake-up call for the payment card industry, which until then was not subject to a rigorous audit mandate. In those days, it was common for banks and other institutions to dismantle their security checks or encryption processes once they received a one-time audit certification. After the Heartland incident, it was decided to make periodic audit compulsory for the payment card industry to ensure adherence to data security standards.
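The Card Systems case above turns on a web application that let user input become part of a database query. As an added illustration, not code from the paper or from Card Systems, the Python below sets up an in-memory SQLite table with constructed rows and writes the same customer lookup two ways: once with the input pasted into the SQL text (the defect behind the breach), and once with the input bound as a query parameter so the database only ever treats it as data. The table name, column names and rows are invented for the example; the stored PANs are already masked so no card number appears in the code.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows (masked PANs, no real card data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cards (customer TEXT, pan_masked TEXT)")
    con.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("alice", "411111******1111"), ("bob", "555555******4444")],
    )
    return con


def lookup_vulnerable(con, customer):
    """The pattern behind the breach: the input is spliced into the SQL text, so a
    quote character in the input rewrites the query instead of being compared."""
    sql = f"SELECT customer, pan_masked FROM cards WHERE customer = '{customer}'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, customer):
    """Hardened form: the query text is fixed and the input travels as a bound
    parameter, so it can only ever be a value, never SQL."""
    return con.execute(
        "SELECT customer, pan_masked FROM cards WHERE customer = ?", (customer,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"  # the textbook tautology; a legitimate customer name never contains a quote
    print("vulnerable   :", lookup_vulnerable(con, probe))     # every row comes back
    print("parameterized:", lookup_parameterized(con, probe))  # no such customer: []
```

The "regular code audit" the paper recommends in the next section is, in practice, a search for the first shape (string formatting or concatenation feeding a query) and its replacement with the second. Parameterization addresses the application-level defect; the firewall and encryption failures the paper also names are separate controls and are not fixed by this change.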
Current card-related security practices of banks

• Most banks deploy a Hardware Security Module (HSM) at terminals involved in card payment transactions. This hardware could be in the form of a smart card, which must remain inserted for the transaction to take place.
• Another technique in use is End-to-End Encryption. Data is encrypted (or encoded) at its origin (Point A) and transmitted to its target (Point B), where it is decrypted (decoded). This technique employs both transport-level and data-level security: the former to encrypt transmitted data using network protocols such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL), and the latter to encrypt specific fields – such as account number – rather than the entire message.
• Tunneling refers to the encapsulation of a message, say, in Protocol A within another one, say, Protocol B, prior to transmission over a virtual private network (VPN), which can be set up using the Secure Shell (SSH) protocol. It is useful for sending unencrypted data within an encrypted network. Likewise, HTTPS (Secure HTTP) is another protocol that is used for tunneling.
• Of late, the jPOS library framework (a Java library based ISO 8583 framework) has come into use.

Holes in current application security practices

• While tunneling is a useful encryption technique, it has its pitfalls. In fact, hackers can exploit it to bypass firewalls and breach the application level security of payment processors.
• Web pages are made vulnerable by insecure coding practices, which can be exploited by techniques such as SQL injection, script injection etc. Regular code audit can improve the security of web pages.
• The practice of keeping services such as telnet or File Transfer Protocol (FTP) running when not in use weakens security. The simple remedy to this problem is to shut down unused services and ports.

PCI DSS V02 standard (Payment Card Industry Data Security Standard version 02)

Payment Card Data Security Standards were developed to improve the safety of cardholders' data and ensure adoption of consistent data security measures globally.

The scope of PCI DSS covers security management, policies and procedures, network architecture, and software design.

PA DSS and its impact on core banking systems

The objectives of the Payment Application Data Security Standard – part of PCI DSS – are as follows:
• To test applications for vulnerabilities – including at the coding level – and find ways to address them.
• To facilitate the implementation of a network which is secured from the lowest datagram level to the routing level.
• To ensure that the interfaces and database routines responsible for storing cardholder data are configured in a way that the data is not stored on servers with Internet connectivity, and to encourage the use of dedicated servers separated from the Internet for this purpose.
• To facilitate secure remote access – governed by smart cards, tokens, i-keys – to applications, and ensure the correct implementation of access policies.
• To encrypt sensitive traffic over public networks (with HTTPS or SSL) such that the data is safeguarded against sniffing tools and other threats.
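The End-to-End Encryption and ISO 8583 points under "Current card-related security practices of banks" meet at the message level: a card message is a bitmap-driven record, and the account number (data element 2, the PAN) is the field that needs protection on its own, independent of the TLS or SSL tunnel the message rides in. The Python below is an added example, not code from the paper or from the jPOS project. It builds and parses a constructed ISO 8583-style message using a small subset of the data element table, validates the PAN with the Luhn check, masks it to the first six and last four digits for display and logs (the most PCI DSS permits to be shown), and swaps it for a keyed token before the record is stored. The token uses HMAC-SHA256 as a stand-in for field-level encryption, because the Python standard library ships no AES; in production the field would be encrypted or tokenized under an HSM-held key. The field subset, the key, the test PAN and every sample value are constructed for the example.

```python
import hashlib
import hmac

# Constructed subset of ISO 8583 (1987) data elements: number -> (name, kind, length).
# "fixed" fields occupy exactly `length` characters; "llvar" fields carry a two-digit
# length prefix and may be at most `length` characters long.
FIELD_SPEC = {
    2: ("pan", "llvar", 19),
    3: ("processing_code", "fixed", 6),
    4: ("amount", "fixed", 12),
    7: ("transmission_datetime", "fixed", 10),
    11: ("stan", "fixed", 6),
    41: ("terminal_id", "fixed", 8),
    49: ("currency_code", "fixed", 3),
}
NAME_TO_NUM = {spec[0]: num for num, spec in FIELD_SPEC.items()}

# Assumed tokenization key for this example only; a real deployment keeps it in the HSM.
TOKEN_KEY = b"example-key-do-not-use"


def encode_bitmap(nums):
    """Primary bitmap as 16 hex chars: bit i (1-based, MSB first) set if element i is present."""
    bits = 0
    for n in nums:
        bits |= 1 << (64 - n)
    return f"{bits:016X}"


def decode_bitmap(hex_bitmap):
    """Data element numbers whose bit is set in a 16-hex-char primary bitmap."""
    bits = int(hex_bitmap, 16)
    return [i for i in range(1, 65) if bits & (1 << (64 - i))]


def build_message(mti, fields):
    """Assemble MTI + primary bitmap + fields in ascending element order."""
    nums = sorted(NAME_TO_NUM[name] for name in fields)
    body = ""
    for num in nums:
        name, kind, length = FIELD_SPEC[num]
        value = fields[name]
        if kind == "llvar":
            if len(value) > length:
                raise ValueError(f"{name} longer than {length}")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != length:
                raise ValueError(f"{name} must be exactly {length} characters")
            body += value
    return mti + encode_bitmap(nums) + body


def parse_message(message):
    """Parse MTI, bitmap and fields, rejecting anything the subset does not describe."""
    mti, bitmap_hex, pos = message[:4], message[4:20], 20
    present = decode_bitmap(bitmap_hex)
    if 1 in present:
        raise ValueError("secondary bitmap not supported in this example")
    fields = {"mti": mti}
    for num in present:
        if num not in FIELD_SPEC:
            raise ValueError(f"data element {num} present but unknown")
        name, kind, length = FIELD_SPEC[num]
        if kind == "llvar":
            declared = int(message[pos:pos + 2])
            if declared > length:
                raise ValueError(f"{name} length {declared} exceeds {length}")
            pos, length = pos + 2, declared
        value = message[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"message truncated inside {name}")
        fields[name] = value
        pos += length
    if pos != len(message):
        raise ValueError("trailing bytes after last field")
    return fields


def luhn_valid(pan):
    """Luhn check digit test for a PAN made of digits."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """First six and last four digits visible, everything between masked."""
    if len(pan) < 13:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan):
    """Stand-in for field-level encryption: a keyed token that still fits element 2."""
    return "TK" + hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:17]


def protect_for_storage(fields):
    """Copy of a parsed message with the PAN replaced by its token."""
    if not luhn_valid(fields["pan"]):
        raise ValueError("PAN fails Luhn check")
    safe = dict(fields)
    safe["pan"] = tokenize_pan(fields["pan"])
    return safe


# Constructed sample authorization request; 4111111111111111 is a test PAN, not a real card.
SAMPLE_FIELDS = {
    "pan": "4111111111111111", "processing_code": "000000", "amount": "000000012500",
    "transmission_datetime": "0315142530", "stan": "000123",
    "terminal_id": "TERM0001", "currency_code": "356",
}
SAMPLE_MESSAGE = build_message("0200", SAMPLE_FIELDS)

if __name__ == "__main__":
    parsed = parse_message(SAMPLE_MESSAGE)
    print("wire :", SAMPLE_MESSAGE)
    print("log  :", mask_pan(parsed["pan"]))
    print("store:", protect_for_storage(parsed)["pan"])
```

Three views of the same record fall out of this: the wire form that travels inside the tunnel, the masked form that is safe to log or show on a screen, and the stored form that carries no PAN at all. The parser's length and trailing-byte checks matter as much as the crypto, since a message parser that silently accepts malformed input is itself one of the insecure coding practices the "Holes" section warns about.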
Objectives of PA DSS (continued):
• To encrypt all non-console administrative access to credit card holders' data through specialized devices such as POS, Swap terminals, ATM switches and so on.
• To maintain instructional documentation and training programs for customers, resellers and integrators. It must be noted that application security is effective only if the user is trained to implement the right practices; integrators and customers, who are direct stakeholders in the system, must be supported with adequate documentation explaining what is expected from them.

Impact of PCI DSS compliance on core banking system

Banks must achieve PCI compliance in order to standardize their security infrastructure for card based payment transactions. PCI compliance is a "regular process" containing various steps to ensure that the banks' technological environment is compliant with security requirements. In fact, this move is led by the industry.

Core Banking System (CBS) applications handle debit/credit card data through two distinct modes:
• Direct dealing with card based data
• Using vendor driven modules to deal with card based data

Since PCI DSS standards are comprehensive, they impact virtually every aspect of core banking applications supporting card transactions. However, the biggest impact is the banks' demand for complete security of the core banking application, its environment and coding practices, and also of the data handled by other applications.

Achieving PCI DSS continuity

PCI DSS specifies periodic validation; banks and application vendors must periodically perform the assessment recommended by the standards in order to maintain security.

Banks' external dependency regarding PCI DSS

The external dependency for compliance has two components:
• Compliance at the level of the application, at which code level dependency can be resolved.
• Compliance in the external environment in which card based data is processed, namely switches, token drivers or specified devices for hardware level security.

Since PCI involves both layers, compliance usually requires multiple dependencies to be resolved.

The way forward

In India, PCI DSS compliance is at a nascent stage. At present, there is no regulatory thrust in this direction, nor adequate infrastructure and skilled manpower to perform audits. This is still a growing market, and may take a while to come to terms with the higher security expectations laid down by these standards.

Makarand Madhukar Baji, Senior Consultant, Finacle Payments, Infosys
Sandhya Ravikumar, Senior Systems Engineer, Finacle E-Banking and Channel Support, Infosys
About Finacle

Finacle from Infosys partners with banks to transform process, product and customer experience, arming them with 'accelerated innovation' that is key to building tomorrow's bank.

For more information, contact

© 2012 Infosys Limited, Bangalore, India. Infosys believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. Infosys acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document.