Recommended
More Related Content
Recently uploaded
Recently uploaded (20)
Featured
Featured (20)
Card Payments Processing - Security
- 1. Card Payments Processing Security Considerations Lakshmana Kattula Enterprise/Solution Architect vivalaks@gmail.com June 2011
- 2. Contents • Actors • Components • Card Payment Processes • Card Payment Process – Authorization • Security Needs • Fraud • Technologies • Solution Design
- 3. Actors Involved • Cardholder (A1) – Customers • Merchant or Retailer (A2) – Tesco, Amazon, etc • Merchant Bank or Acquirer (A3) – HSBC, Lloyds, Barclays, etc • Card Association or Card Network (A4) – Visa, Mastercard, etc • Issuer (A5) – CapitalOne, Citi, etc
- 4. Components Involved • Payment Card (C1) • Card Processing Terminal – POS, Web Interface, etc. (C2) • Merchant DataCentre/Network (C3) • Merchant Payment Gateway (C4) • Merchant Bank’s Data Centre (C5) • Merchant Bank’s Payment System (C6) • Card Association’s Data Centre (C7) • Card Association’s Payment System (C8) • Issuer’s Data Centre (C9) • Issuer’s Payment System (C10)
- 5. Card Payment Process • Authorization • Settlement – Batching – Clearing • Funding
- 6. Card Payment Process - Authorization A2 A3 6 6 C3 C5 A1 C1 C2 1 2 C4 3 C6 1. The cardholder uses the card at the card payment terminal 2. The card payment terminal submits ISPs 4 6 the card details to the merchant payment system for authorization of the transaction 3. The merchant payment system submits the request to the acquirer 4. The acquirer sends a request to the C9 C7 card network to communicate and 5 obtain authorization from the issuer 5. The card network requests for authorization from the issuer C10 C8 6. An authorization code is sent to the 6 card payment terminal through the same path backwards A4 A3
- 7. Security Needs • Threats • Vulnerabilities • Risk Assessments • Fraud Management • Enterprise Security Policies and Principles • Compliance Needs
- 8. Fraud • Stolen cards • Card not present transaction • Identity theft • Application fraud • Account takeover • Skimming • Internal/Employee Fraud • Fraud Detection Tools
- 9. Technologies • Firewalls • VPNs • PKI • Encryption • Web Services/XML Security • Tokens • Anti Virus • 2-Factor Authentication • Network Admission Control • Vulnerability Scanners • Intrusion Detection/ Intrusion Prevention • Physical Security • File Integrity Monitoring • Patch Management Systems
- 10. Solution Design – A Sample Template • Process security impact Describe the required process changes/configurations in order to comply to Client's business process security standards. Eg. Compliance of financial/contractual approval-workflows to the Bill Of Authority (BOA), compliance of process design to privacy legislation. • Application & Integration security impact Describe the required application changes/configurations in order to comply to Client's user identity and user authentication standards. Eg. TIMTAM-integration, adherence to single sign on, properly filled SegregationOfDuties (SOD) table per application. Describe the required integration changes/configurations in order to comply to Client's integration security standards. Eg. Usage of sftp for batch-file transfer, measurements for secure and guaranteed delivery-messaging. • Information security impact Describe the required data changes/configurations in order to comply to the Client's ‘data-classification confidentiality’ standards. Eg. Scrambling (of data in Test environments), encryption. Classify all data and address the requirements of the standard accordingly. • Infrastructure security impact Describe the required infrastructure changes/configurations in order to comply to Client's infrastructure security standards, being the required Mission Critical Value (MCV, order of application-restart after disaster). In case a third party vendor does the application-hosting, compliance to the Client's infrastructure security standards is implied in their Data Centre agreements. Otherwise (SaaS, BPO, cloud computing) it must be proven. • Compliance to web-applications policy Describe measures taken in order to comply to the Client's ‘web-applications policy’, if web based applications are part of the IT-solution. E.g. Perform vulnerability testing on among others the OWASP top ten. • Compliance to PCI DSS Describe measures taken in order to comply to the Client's Europe PCI DSS policy if the systems deal with card type data • Testing & Acceptance Describe the necessary testing types of testing during the testing strategy and planning. E.g. Vulnerability scans, Penetration testing, Performance testing, Failover & DR testing, etc.