6. Card Payment Process - Authorization
[Diagram: authorization path between cardholder, card payment terminal, merchant payment system, acquirer, card network and issuer; the callout labels A1-A4, C1-C10, "ISPs" and the step numbers belong to the figure and are not recoverable as text]
1. The cardholder uses the card at the card payment terminal
2. The card payment terminal submits the card details to the merchant payment system for authorization of the transaction
3. The merchant payment system submits the request to the acquirer
4. The acquirer sends a request to the card network to communicate with and obtain authorization from the issuer
5. The card network requests authorization from the issuer
6. An authorization code is sent back to the card payment terminal through the same path in reverse
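The six-step path above, walked through as an added Python simulation (this is an illustration added here, not part of the original slides; the party names, the message fields, the approval rule in `issuer_decide`, the authorization-code derivation and the sample card number are all constructed). The request is forwarded across the same hops as on the slide, the issuer's answer returns along the reversed path, and every hop writes only a truncated PAN to its log, which is the handling the later PCI DSS item expects of any system that touches card data.

```python
"""Simulation of the authorization path on the slide: terminal -> merchant
payment system -> acquirer -> card network -> issuer, with the response
travelling back over the same hops in reverse. Added example; the hop names,
message fields and the issuer's approval rule are constructed."""
import hashlib
from dataclasses import dataclass, field

# Forward path of the authorization request (steps 1-5 on the slide).
FORWARD_PATH = ["terminal", "merchant", "acquirer", "network", "issuer"]

# Constructed approval rule: amounts above this limit are declined.
ISSUER_LIMIT_CENTS = 50_000


def mask_pan(pan: str) -> str:
    """Truncate a PAN to first six + last four digits; everything else is '*'.
    No hop may write the full PAN to its log."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class AuthRequest:
    pan: str
    amount_cents: int
    merchant_id: str
    hops: list = field(default_factory=list)  # parties the request has passed


@dataclass
class AuthResponse:
    approved: bool
    auth_code: str          # empty when declined
    return_path: list       # parties the response passed, issuer first


def issuer_decide(req: AuthRequest) -> AuthResponse:
    """Constructed issuer logic: approve up to a limit and mint a short
    authorization code derived from the request (a real issuer also checks
    balance, velocity and fraud scores). The code is derived from the masked
    PAN only, so it never embeds the full card number."""
    if req.amount_cents > ISSUER_LIMIT_CENTS:
        return AuthResponse(False, "", [])
    seed = f"{req.merchant_id}:{req.amount_cents}:{mask_pan(req.pan)}".encode()
    code = hashlib.sha256(seed).hexdigest()[:6].upper()
    return AuthResponse(True, code, [])


def authorize(req: AuthRequest, log: list) -> AuthResponse:
    """Steps 1-5: forward the request hop by hop. Step 6: carry the issuer's
    answer back along the same hops in reverse. Every log line carries the
    masked PAN only."""
    for hop in FORWARD_PATH:
        req.hops.append(hop)
        log.append(f"{hop}: auth request pan={mask_pan(req.pan)} "
                   f"amount={req.amount_cents} merchant={req.merchant_id}")
    resp = issuer_decide(req)
    for hop in reversed(req.hops):          # "the same path backwards"
        resp.return_path.append(hop)
        log.append(f"{hop}: auth response approved={resp.approved} "
                   f"code={resp.auth_code or '-'}")
    return resp


def pan_leaked(log: list, pan: str) -> bool:
    """Control check: does any log line contain the full PAN?"""
    return any(pan in line for line in log)


if __name__ == "__main__":
    log = []
    # Constructed sample: the well-known 4111... test card number.
    resp = authorize(AuthRequest("4111111111111111", 1999, "M001"), log)
    print("\n".join(log))
    print("approved:", resp.approved, "code:", resp.auth_code)
    print("full PAN in logs:", pan_leaked(log, "4111111111111111"))
```

Running the module prints five request lines and five response lines in mirror order; `pan_leaked` is the kind of assertion worth keeping in a test suite for any component on this path, since a full PAN in an application log turns the logging system into part of the cardholder data environment.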
10. Solution Design – A Sample Template
• Process security impact
Describe the process changes/configurations required to comply with the Client's business process security standards. E.g. compliance of financial/contractual approval workflows with the Bill Of Authority (BOA), compliance of the process design with privacy legislation.
• Application & Integration security impact
Describe the application changes/configurations required to comply with the Client's user identity and user authentication standards. E.g. TIMTAM integration, adherence to single sign-on, a properly filled Segregation Of Duties (SOD) table per application.
Describe the integration changes/configurations required to comply with the Client's integration security standards. E.g. use of SFTP for batch file transfer, measures for secure and guaranteed message delivery.
• Information security impact
Describe the data changes/configurations required to comply with the Client's 'data-classification confidentiality' standards. E.g. scrambling (of data in test environments), encryption. Classify all data and address the requirements of the standard accordingly.
• Infrastructure security impact
Describe the infrastructure changes/configurations required to comply with the Client's infrastructure security standards, including the required Mission Critical Value (MCV, the order in which applications are restarted after a disaster).
If a third-party vendor hosts the application, compliance with the Client's infrastructure security standards is implied by their Data Centre agreements. Otherwise (SaaS, BPO, cloud computing) it must be proven.
• Compliance with web-applications policy
Describe the measures taken to comply with the Client's 'web-applications policy' if web-based applications are part of the IT solution. E.g. perform vulnerability testing covering, among others, the OWASP Top Ten.
• Compliance with PCI DSS
Describe the measures taken to comply with the Client's Europe PCI DSS policy if the systems handle card data.
• Testing & Acceptance
Describe the necessary types of testing in the testing strategy and planning. E.g. vulnerability scans, penetration testing, performance testing, failover & DR testing, etc.
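The "Information security impact" item above asks for scrambling of data in test environments. The following Python example, added here and not part of the original template, shows one way to do that for card numbers: a keyed, deterministic replacement that keeps the same length and passes the Luhn check, so test code that validates card numbers still works, while the result never equals a real card. The HMAC key, the `400000` test prefix and the sample card numbers are constructed placeholders.

```python
"""Deterministic scrambling of card numbers for test environments, as the
'Information security impact' item asks for. Added example; the key, the
test prefix and the sample PANs are constructed."""
import hashlib
import hmac


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` pass the Luhn mod-10 test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of the partial is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check on a digit string."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scramble_pan(pan: str, key: bytes, test_prefix: str = "400000") -> str:
    """Replace a real PAN with a synthetic, Luhn-valid one of the same length.
    - Deterministic (keyed HMAC): the same real card maps to the same test
      value in every table, so referential integrity survives the scramble.
    - Starts with a fixed test prefix (constructed placeholder) so a scrambled
      value is never a real card number.
    - Not reversible without the key; the key stays out of the test estate."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    mac = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    body_len = len(digits) - len(test_prefix) - 1
    body = "".join(str(int(c, 16) % 10) for c in mac)[:body_len]
    partial = test_prefix + body
    return partial + luhn_check_digit(partial)


def scramble_rows(rows, key: bytes, column: str = "pan"):
    """Scramble one column of a list of dict rows, leaving other fields intact."""
    return [{**row, column: scramble_pan(row[column], key)} for row in rows]


if __name__ == "__main__":
    KEY = b"constructed-test-key"      # placeholder; use a managed secret
    sample = [{"id": 1, "pan": "4111111111111111"},
              {"id": 2, "pan": "4111111111111111"}]
    for row in scramble_rows(sample, KEY):
        print(row["id"], row["pan"], "luhn_valid:", luhn_valid(row["pan"]))
```

Hashing without a key would let anyone with a list of card numbers rebuild the mapping by brute force, which is why the HMAC key matters and why it must not be present in the test environment the scrambled copy is loaded into.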