Secure IP Payment Networks: What's Available other than SSL?

GHL Systems' NetMATRIX TLE uses symmetric key encryption and decryption, which is more suitable in an environment where processing power, memory and bandwidth are limited. It supports up to 4 billion unique keys per terminal application and also supports Unique Key Per Transaction. Additionally, NetMATRIX TLE uses Dynamic Key Derivation instead of Static Keys for each transaction, effectively preventing Terminal Cloning and reducing Key Management issues. It further provides a Remote Key Injection (RKI) utility to ease the remote deployment of keys into terminals.


A GHL Whitepaper, 2008

Secure IP Payment Networks: What's Available other than SSL?

Payments security threat models today assume a powerful adversary with access to virtually all communications links and to insecure networks and systems. As a result, financial institutions, businesses, card associations and statutory bodies have in recent years taken vital steps to address these threats by working closely together and introducing the necessary measures to combat this scourge.

In fact, banks across the globe continue to invest heavily and consider strategic options regarding security and fraud management tools and practices to strengthen control of non-public consumer and corporate information, primarily on the heels of mandates such as capital and operational risk management and stronger customer authentication. Deceitful online and offline schemes target banks from both within and without. (Source: Top 10 Strategic IT Initiatives for Financial Services in 2007, Financial Insights, 2007)

With these considerations in mind, and against the backdrop of increasing IP-based network deployments by financial services institutions, this article briefly presents the prevailing approach often touted as the solution to payment network security, the ubiquitous Secure Sockets Layer (SSL), and then puts forward a viable security solution for payment infrastructure that addresses the shortfalls of SSL: GHL Systems' NetMATRIX Terminal Line Encryption. The scope of this article is limited to the deployment of both approaches in TCP/IP EDC terminal networks.

SSL

Secure Sockets Layer (SSL) is a collection of TCP/IP security protocols and is considered by many to be the current de facto Internet security standard. The purpose of SSL is to provide a layer of security between the sockets at the transport layer and the application accessing the network through the sockets. The idea is that, when SSL is active, network services such as FTP and HTTP are protected from attack by the SSL protocols. Typically, only the server is authenticated (i.e., its identity is validated) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be assured of whom it is communicating with. SSL is commonly used in banking and e-commerce websites, but also in non-commercial sites that offer online memberships and webmail.

Terminal Line Encryption (TLE)

Terminal Line Encryption in its broadest sense effectively protects against wire-tapping and other threats such as eavesdropping/card skimming, ghost or phantom EDC terminals, host spoofing and replay attacks. Wire-tapping is the monitoring of telephone traffic, Internet traffic or even wireless local area networks by a third party, often by covert means and for fraudulent purposes. Again, within the context of this discussion, we refer specifically to the interception of card transaction data traffic from the EDC terminal to the bank or destination host on IP networks.

In simplistic terms, Terminal Line Encryption (TLE) converts the parts of a message holding sensitive cardholder information into incoherent and incomprehensible data while in transit. Only the intended receiver, who is able to decrypt the message, can read the information to complete the transaction, thus preventing any attempt by fraudsters to capture payment card details, account numbers or any other information.

Combined approaches: TLE & EMV

Malaysia's foray into terminal line encryption back in 2005 is perhaps the best testament to the effectiveness of TLE in combating card fraud. To strengthen its payment security infrastructure, Malaysia implemented line encryption of its terminals and bank systems, making it the first country in the world to deploy both line encryption and EMV technology nationwide. Malaysia's experience is unique in the sense that the Malaysian central bank (Bank Negara) mandated that both line encryption and EMV be implemented as a combined approach to overcoming card fraud. The two work in tandem to enhance the integrity of payment systems and instruments, while promoting confidence and ensuring that consumers' interests are safeguarded.

Using actual fraud data and experience from Malaysia, there is historical and empirical evidence depicting the strong inverse relationship between increasing chip maturity and declining counterfeit fraud.

[Chart: chip maturity versus counterfeit fraud. Source: Bank Negara Malaysia, 2005]

As a result of these two initiatives, and according to Visa Asia Pacific's Mr. Ingo Noka, Head of Visa's Payment Security Services: "Counterfeit fraud in Malaysia on domestically-issued cards fell from an average of 0.16 percent in the years 2000 to 2004 to a record low of 0.03 percent in 2005. Expressed in US dollars, after one year of using chip cards, domestic counterfeit has dropped 92 percent from about US$400,000 in January 2004 to US$31,000 in August 2005. Since September 2004, the share of fraud losses due to counterfeit fraud has fallen from 90 percent to 22 percent and we see a shift to lost or stolen and card-not-present (CNP) fraud types which now represent 73 percent of fraud losses." (Source: Visa Payment Security Bulletin - Issue 1, 2006)

Currently, about 90% of the terminals in Malaysia are encrypting authorization messages.
A Brief Comparison of SSL and NetMATRIX TLE as a payment network security solution

GHL Systems' NetMATRIX TLE uses symmetric key encryption and decryption, which is more suitable in an environment where processing power, memory and bandwidth are limited. It supports up to 4 billion unique keys per terminal application and also supports Unique Key Per Transaction. Additionally, NetMATRIX TLE uses Dynamic Key Derivation instead of Static Keys for each transaction, effectively preventing Terminal Cloning and reducing Key Management issues. It further provides a Remote Key Injection (RKI) utility to ease the remote deployment of keys into terminals.

Performance considerations

SSL is a PKI (Public Key Infrastructure) implementation and thus requires greater resources (in terms of processing power and memory) and more overhead (in terms of processing time, handshaking, session key exchange, etc., further constrained by bandwidth limitations). This is compounded if one needs to perform Client/Device authentication besides Host authentication, since a Digital Certificate then needs to be downloaded to the terminals.

Communication channel/technology independence

• NetMATRIX TLE functionality is independent of the underlying carrier technology and protocol and can work over X.25, TCP/IP, SNA, SDLC, HDLC and LAPB networks, while SSL can only work over TCP/IP-based networks.
• NetMATRIX TLE can also work over a heterogeneous network (a combination of different underlying network protocols), while SSL can only work over a homogeneous TCP/IP network.
• NetMATRIX TLE secures data at each individual terminal's application layer, which conforms to the ISO 8583 format and can be routed through a bank's existing payment infrastructure without additional major investment.
• Where typical SSL implementations require a TCP/IP environment that has to be augmented with additional security infrastructure such as Firewalls, SSL Accelerators or Intrusion Detection Systems, NetMATRIX can be deployed across a variety of environments without requiring such investments.

Greater security and flexibility

NetMATRIX TLE secures transaction and card data at each individual terminal's application layer instead of at the communication channel layer. Additionally, it provides more flexibility than SSL, as NetMATRIX TLE allows application-specific customization to determine the exact fields/data that need to be encrypted/decrypted.
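The field-level, key-per-transaction approach described in the TLE sections above, as an added illustration that is not the whitepaper's or GHL's code: only the PAN and Track 2 data elements of an ISO 8583-style message are encrypted under a key derived from a terminal base key and a transaction counter, the rest of the message stays clear for routing, and the host rejects a replayed counter. The HMAC-SHA256 derivation, the base key, terminal id, field choice and sample values are assumptions for illustration, not NetMATRIX's actual scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// Constructed sample base key (a real one would be injected via RKI). Only DE2 (PAN) and
// DE35 (Track 2) are encrypted; every other ISO 8583 field stays clear so the message routes.
var baseKey = []byte("0123456789abcdef0123456789abcdef")
var sensitive = map[int]bool{2: true, 35: true}
var lastCounter = map[string]uint32{} // highest counter the host has accepted per terminal
// gcmFor derives a fresh AES-128 key for one transaction from base key, terminal id and
// counter (hypothetical HMAC-SHA256 derivation, not any vendor's actual scheme).
func gcmFor(terminalID string, counter uint32) cipher.AEAD {
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte(terminalID))
	mac.Write([]byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)})
	block, _ := aes.NewCipher(mac.Sum(nil)[:16])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Protect encrypts (terminal side, decrypt=false) or decrypts (host side) the sensitive fields
// in place. The host rejects a counter that does not strictly increase (replay, or a cloned
// terminal reusing state). The field number is the AAD so a ciphertext cannot be moved
// between fields; the zero nonce is safe only because every transaction uses a new key.
func Protect(msg map[int][]byte, terminalID string, counter uint32, decrypt bool) error {
	if decrypt && counter <= lastCounter[terminalID] {
		return errors.New("replayed or stale transaction counter")
	}
	gcm, nonce := gcmFor(terminalID, counter), make([]byte, 12)
	for f, v := range msg {
		if sensitive[f] && !decrypt {
			msg[f] = gcm.Seal(nil, nonce, v, []byte{byte(f)})
		} else if sensitive[f] {
			pt, err := gcm.Open(nil, nonce, v, []byte{byte(f)})
			if err != nil {
				return err // tampered field, wrong key or wrong counter
			}
			msg[f] = pt
		}
	}
	if decrypt {
		lastCounter[terminalID] = counter
	}
	return nil
}
```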
Other key considerations

An SSL implementation requires a Certificate Server if in-house certificates are used. If banks or other financial institutions already have their own Certificate Server, this would probably be a non-issue. However, if public digital certificates from Certification Authorities are used, this means additional costs, as their pricing model is typically based on each individual digital certificate. Another consideration that warrants notice is the long-term management of the digital certificates themselves.

Conclusion

As the industry advances, changes in the payments landscape will continue to be dynamic, and the level of requirements, complexity and sophistication in payment networks will further intensify. While considerable efforts have been undertaken to enhance protection for consumers and banks alike, still more remains to be done. Given the issues and considerations discussed, as well as its own experience implementing TLE in India, Malaysia, Thailand and Indonesia, GHL Systems believes the time is now for card associations, banks, and payment network security/technology/solution providers to reconsider the proposition that SSL should remain the de facto standard, as far as TCP/IP EDC terminal networks are concerned.
