Actors Involved
• Cardholder (A1) – Customers
• Merchant or Retailer (A2) – Tesco, Amazon, etc.
• Merchant Bank or Acquirer (A3) – HSBC, Lloyds, Barclays, etc.
• Card Association or Card Network (A4) – Visa, Mastercard, etc.
• Issuer (A5) – CapitalOne, Citi, etc.
Components Involved
• Payment Card (C1)
• Card Processing Terminal – POS, Web Interface, etc. (C2)
• Merchant Data Centre/Network (C3)
• Merchant Payment Gateway (C4)
• Merchant Bank's Data Centre (C5)
• Merchant Bank's Payment System (C6)
• Card Association's Data Centre (C7)
• Card Association's Payment System (C8)
• Issuer's Data Centre (C9)
• Issuer's Payment System (C10)
Card Payment Process - Authorization
[Diagram: authorization message flow between actors A1–A5 and components C1–C10, with the six steps below numbered on the diagram]
1. The cardholder uses the card at the card payment terminal
2. The card payment terminal submits the card details to the merchant payment system for authorization of the transaction
3. The merchant payment system submits the request to the acquirer
4. The acquirer sends a request to the card network to communicate with and obtain authorization from the issuer
5. The card network requests authorization from the issuer
6. An authorization code is sent back to the card payment terminal through the same path in reverse
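The six-step flow above, as an added example that is not part of the original slides: each hop (terminal C2, merchant gateway C4, acquirer system C6, card network C8, issuer system C10) forwards the request to the next and returns whatever comes back, so the authorization code travels the same path in reverse. Every hop logs only a masked PAN, which is the detail a PCI DSS reviewer would look for at each intermediary. The issuer's decision rule, the account table, the test PAN and the way the authorization code is derived are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthRequest:
    pan: str           # primary account number (constructed test value below)
    expiry: str        # MM/YY as printed on the card
    amount_minor: int  # amount in minor units (pence)
    merchant_id: str


@dataclass(frozen=True)
class AuthResponse:
    approved: bool
    auth_code: Optional[str]  # six-character code on approval, None otherwise
    reason: str


def mask_pan(pan: str) -> str:
    """Mask a PAN to its first six and last four digits for logs and receipts.

    PCI DSS allows at most these digits to be shown; an intermediary that
    logs the full PAN pulls its log store into PCI DSS scope.
    """
    digits = "".join(c for c in pan if c.isdigit())
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Hop:
    """One participant in the authorization chain.

    A hop forwards the request to the next hop (or, for the issuer, decides)
    and hands the response back to its caller, so the response naturally
    retraces the request path.
    """

    def __init__(self, name: str, log: List[str],
                 next_hop: Optional["Hop"] = None,
                 decide: Optional[Callable[[AuthRequest], AuthResponse]] = None) -> None:
        self.name, self.log, self.next_hop, self.decide = name, log, next_hop, decide

    def authorize(self, req: AuthRequest) -> AuthResponse:
        self.log.append(f"{self.name} -> pan={mask_pan(req.pan)} amount={req.amount_minor}")
        if self.next_hop is not None:
            resp = self.next_hop.authorize(req)
        else:
            resp = self.decide(req)
        self.log.append(f"{self.name} <- approved={resp.approved} code={resp.auth_code}")
        return resp


# Constructed issuer records: PAN -> (expiry on file, open-to-buy in minor units).
ISSUER_ACCOUNTS: Dict[str, Tuple[str, int]] = {
    "4111111111111111": ("12/29", 50_000),
}


def issuer_decide(req: AuthRequest) -> AuthResponse:
    """Issuer-side rule (constructed): card known, expiry matches, funds available."""
    record = ISSUER_ACCOUNTS.get(req.pan)
    if record is None:
        return AuthResponse(False, None, "unknown card")
    expiry, open_to_buy = record
    if req.expiry != expiry:
        return AuthResponse(False, None, "expiry mismatch")
    if req.amount_minor > open_to_buy:
        return AuthResponse(False, None, "insufficient funds")
    # Authorization code derived from the request here; a real issuer generates its own.
    seed = f"{req.pan}|{req.amount_minor}|{req.merchant_id}".encode()
    return AuthResponse(True, hashlib.sha256(seed).hexdigest()[:6].upper(), "approved")


def run_authorization(req: AuthRequest) -> Tuple[AuthResponse, List[str]]:
    """Build the chain C2 -> C4 -> C6 -> C8 -> C10 and run one authorization."""
    log: List[str] = []
    issuer = Hop("issuer payment system (C10)", log, decide=issuer_decide)
    network = Hop("card network (C8)", log, next_hop=issuer)
    acquirer = Hop("acquirer payment system (C6)", log, next_hop=network)
    merchant = Hop("merchant payment gateway (C4)", log, next_hop=acquirer)
    terminal = Hop("card payment terminal (C2)", log, next_hop=merchant)
    return terminal.authorize(req), log


if __name__ == "__main__":
    resp, trace = run_authorization(AuthRequest("4111111111111111", "12/29", 1_999, "TESCO-0042"))
    print("\n".join(trace))
    print("approved:", resp.approved, "code:", resp.auth_code)
```

Running it prints ten log lines: five forward entries, then five return entries in reverse order, which is exactly the "same path backwards" of step 6. The full PAN never appears in any hop's log.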
Solution Design – A Sample Template
• Process security impact – Describe the process changes/configurations required to comply with the Client's business process security standards. E.g. compliance of financial/contractual approval workflows with the Bill Of Authority (BOA), compliance of process design with privacy legislation.
• Application & Integration security impact – Describe the application changes/configurations required to comply with the Client's user identity and user authentication standards. E.g. TIMTAM integration, adherence to single sign-on, a properly filled Segregation Of Duties (SOD) table per application. Describe the integration changes/configurations required to comply with the Client's integration security standards. E.g. use of SFTP for batch-file transfer, measures for secure and guaranteed message delivery.
• Information security impact – Describe the data changes/configurations required to comply with the Client's 'data-classification confidentiality' standards. E.g. scrambling (of data in test environments), encryption. Classify all data and address the requirements of the standard accordingly.
• Infrastructure security impact – Describe the infrastructure changes/configurations required to comply with the Client's infrastructure security standards, including the required Mission Critical Value (MCV, the order in which applications are restarted after a disaster). If a third-party vendor hosts the application, compliance with the Client's infrastructure security standards is implied by their data centre agreements; otherwise (SaaS, BPO, cloud computing) it must be proven.
• Compliance with web-applications policy – Describe the measures taken to comply with the Client's 'web-applications policy' if web-based applications are part of the IT solution. E.g. perform vulnerability testing covering, among others, the OWASP Top Ten.
• Compliance with PCI DSS – Describe the measures taken to comply with the Client's Europe PCI DSS policy if the systems deal with card-type data.
• Testing & Acceptance – Describe the types of testing needed in the testing strategy and planning. E.g. vulnerability scans, penetration testing, performance testing, failover & DR testing, etc.
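The "Information security impact" bullet asks for scrambling of data in test environments. As an added example that is not part of the original template, the following replaces a real PAN with a deterministic pseudonym that keeps the same length, optionally keeps the first six digits (the BIN, so routing and card-type tests still work), and recomputes the Luhn check digit so format validation in the test system still passes. The HMAC key, the field classification table and the sample record are constructed for the example; the same key must be used across every table so that foreign-key relationships on the PAN survive scrambling.

```python
import hashlib
import hmac
from typing import Any, Dict


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit for a digit string that lacks its check digit."""
    total = 0
    # Walk from the right: the digit immediately left of the check digit is doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the PAN is all digits and its last digit is the correct Luhn check digit."""
    return len(pan) >= 2 and pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def scramble_pan(pan: str, key: bytes, keep_bin: bool = True) -> str:
    """Map a PAN to a Luhn-valid pseudonym of the same length.

    Deterministic for a given key (so joins between tables still line up) and
    not reversible without the key. The digits are taken from an HMAC-SHA256
    of the original PAN, so they carry no relation to the real account.
    """
    digits = "".join(c for c in pan if c.isdigit())
    prefix = digits[:6] if keep_bin else ""
    body_len = len(digits) - len(prefix) - 1  # leave room for the check digit
    mac = hmac.new(key, digits.encode(), hashlib.sha256).digest()
    # One digit per MAC byte; the small bias of b % 10 is fine for test data.
    body = "".join(str(b % 10) for b in mac[:body_len])
    partial = prefix + body
    return partial + luhn_check_digit(partial)


# Constructed output of the data-classification exercise: which fields need scrambling.
FIELD_CLASSIFICATION: Dict[str, str] = {
    "pan": "confidential",
    "cardholder_name": "confidential",
    "amount_minor": "internal",
    "merchant_id": "internal",
}


def scramble_record(record: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Scramble only the fields classified as confidential; leave the rest untouched."""
    out = dict(record)
    for field, classification in FIELD_CLASSIFICATION.items():
        if classification != "confidential" or field not in out:
            continue
        if field == "pan":
            out[field] = scramble_pan(out[field], key)
        else:
            # Non-PAN confidential fields get an opaque, deterministic placeholder.
            tag = hmac.new(key, str(out[field]).encode(), hashlib.sha256).hexdigest()[:8]
            out[field] = f"{field}-{tag}"
    return out


if __name__ == "__main__":
    demo_key = b"constructed-test-key"  # in practice: a managed secret, never the production key
    sample = {"pan": "4111111111111111", "cardholder_name": "A Customer",
              "amount_minor": 1_999, "merchant_id": "TESCO-0042"}
    print(scramble_record(sample, demo_key))
```

Because the mapping is keyed, a test environment seeded this way contains no real card numbers, yet referential integrity and Luhn-based input validation behave as they do in production. Rotating the key produces a completely different test data set.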