Card Payments Processing - Security
Card Payments Processing - Security
An overview of Card Payments Processing and some Security Considerations
    Presentation Transcript

    • Card Payments Processing Security Considerations
      Lakshmana Kattula, Enterprise/Solution Architect, vivalaks@gmail.com, June 2011
    • Contents
      • Actors
      • Components
      • Card Payment Processes
      • Card Payment Process – Authorization
      • Security Needs
      • Fraud
      • Technologies
      • Solution Design
    • Actors Involved
      • Cardholder (A1) – Customers
      • Merchant or Retailer (A2) – Tesco, Amazon, etc.
      • Merchant Bank or Acquirer (A3) – HSBC, Lloyds, Barclays, etc.
      • Card Association or Card Network (A4) – Visa, Mastercard, etc.
      • Issuer (A5) – CapitalOne, Citi, etc.
    • Components Involved
      • Payment Card (C1)
      • Card Processing Terminal – POS, Web Interface, etc. (C2)
      • Merchant Data Centre/Network (C3)
      • Merchant Payment Gateway (C4)
      • Merchant Bank’s Data Centre (C5)
      • Merchant Bank’s Payment System (C6)
      • Card Association’s Data Centre (C7)
      • Card Association’s Payment System (C8)
      • Issuer’s Data Centre (C9)
      • Issuer’s Payment System (C10)
    • Card Payment Process
      • Authorization
      • Settlement
        • Batching
        • Clearing
      • Funding
    • Card Payment Process – Authorization
      [Diagram: actors A1–A5 and components C1–C10 laid out along the authorization path, with the six numbered steps marked and ISPs between the hops]
      1. The cardholder uses the card at the card payment terminal.
      2. The card payment terminal submits the card details to the merchant payment system for authorization of the transaction.
      3. The merchant payment system submits the request to the acquirer.
      4. The acquirer sends a request to the card network to communicate with and obtain authorization from the issuer.
      5. The card network requests authorization from the issuer.
      6. An authorization code is sent back to the card payment terminal through the same path in reverse.
    • Security Needs
      • Threats
      • Vulnerabilities
      • Risk Assessments
      • Fraud Management
      • Enterprise Security Policies and Principles
      • Compliance Needs
    • Fraud
      • Stolen cards
      • Card-not-present transactions
      • Identity theft
      • Application fraud
      • Account takeover
      • Skimming
      • Internal/Employee fraud
      • Fraud detection tools
    • Technologies
      • Firewalls
      • VPNs
      • PKI
      • Encryption
      • Web Services/XML Security
      • Tokens
      • Anti-virus
      • 2-Factor Authentication
      • Network Admission Control
      • Vulnerability Scanners
      • Intrusion Detection/Intrusion Prevention
      • Physical Security
      • File Integrity Monitoring
      • Patch Management Systems
    • Solution Design – A Sample Template
      • Process security impact: Describe the required process changes/configurations needed to comply with the Client's business process security standards. E.g. compliance of financial/contractual approval workflows with the Bill Of Authority (BOA), compliance of the process design with privacy legislation.
      • Application & Integration security impact: Describe the required application changes/configurations needed to comply with the Client's user identity and user authentication standards. E.g. TIMTAM integration, adherence to single sign-on, a properly filled Segregation Of Duties (SOD) table per application. Describe the required integration changes/configurations needed to comply with the Client's integration security standards. E.g. use of SFTP for batch file transfer, measures for secure and guaranteed message delivery.
      • Information security impact: Describe the required data changes/configurations needed to comply with the Client's 'data-classification confidentiality' standards. E.g. scrambling of data in test environments, encryption. Classify all data and address the requirements of the standard accordingly.
      • Infrastructure security impact: Describe the required infrastructure changes/configurations needed to comply with the Client's infrastructure security standards, including the required Mission Critical Value (MCV, the order in which applications are restarted after a disaster). If a third-party vendor hosts the application, compliance with the Client's infrastructure security standards is implied by their Data Centre agreements. Otherwise (SaaS, BPO, cloud computing) it must be proven.
      • Compliance with web-applications policy: Describe the measures taken to comply with the Client's 'web-applications policy' if web-based applications are part of the IT solution. E.g. perform vulnerability testing covering, among others, the OWASP Top Ten.
      • Compliance with PCI DSS: Describe the measures taken to comply with the Client's Europe PCI DSS policy if the systems handle card data.
      • Testing & Acceptance: Describe the necessary types of testing in the testing strategy and planning. E.g. vulnerability scans, penetration testing, performance testing, failover & DR testing, etc.
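As an added example, not part of the presentation, the six-step authorization path from the Authorization slide as a message-passing simulation: the request passes hop by hop through the slide's components (C2, C4, C6, C8, C10), each hop logs only a masked PAN, the issuer decides, and the authorization code travels back along the same path. The one-component-per-hop pairing, the masking rule, the Luhn check and the issuer limits are this example's own assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Forward hops of the authorization request, labelled with the slides' actor/component ids.
# Assumption: each data-centre/payment-system pair (C3/C4, C5/C6, ...) is collapsed to one hop.
PATH = [("A2", "C2 terminal"), ("A2", "C4 merchant payment gateway"),
        ("A3", "C6 acquirer payment system"), ("A4", "C8 card network"),
        ("A5", "C10 issuer payment system")]

# Constructed issuer-side data: open-to-buy per PAN, in pence (test PAN, not a real account).
ISSUER_LIMITS = {"4111111111111111": 50_000}

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS masking limit for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: the basic sanity check on a PAN before it is routed."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class AuthRequest:
    pan: str
    amount_pence: int
    trail: list = field(default_factory=list)   # per-hop log; must never hold the full PAN

def issuer_decide(req: AuthRequest) -> str:
    """Issuer (A5) decision: a six-hex-digit authorization code, or DECLINED."""
    if not luhn_ok(req.pan) or req.amount_pence > ISSUER_LIMITS.get(req.pan, 0):
        return "DECLINED"
    return secrets.token_hex(3).upper()

def authorize(req: AuthRequest) -> str:
    """Steps 1-5: forward the request hop by hop; step 6: return the code along the same path."""
    for step, (actor, component) in enumerate(PATH, start=1):
        req.trail.append(f"step {step} {actor} {component}: pan={mask_pan(req.pan)} "
                         f"amount={req.amount_pence}")
    code = issuer_decide(req)
    for actor, component in reversed(PATH):
        req.trail.append(f"step 6 {actor} {component}: auth={code}")
    return code

def pan_leaked(req: AuthRequest) -> bool:
    """Control check for the masking requirement: True if any hop logged the full PAN."""
    return any(req.pan in line for line in req.trail)
```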