Card Payments Processing - Security
An overview of Card Payments Processing and some Security Considerations

Published in: Economy & Finance, Technology

  1. Card Payments Processing: Security Considerations
     Lakshmana Kattula, Enterprise/Solution Architect, June 2011

  2. Contents
     • Actors
     • Components
     • Card Payment Processes
     • Card Payment Process – Authorization
     • Security Needs
     • Fraud
     • Technologies
     • Solution Design
  3. Actors Involved
     • Cardholder (A1) – customers
     • Merchant or Retailer (A2) – Tesco, Amazon, etc.
     • Merchant Bank or Acquirer (A3) – HSBC, Lloyds, Barclays, etc.
     • Card Association or Card Network (A4) – Visa, Mastercard, etc.
     • Issuer (A5) – CapitalOne, Citi, etc.

  4. Components Involved
     • Payment Card (C1)
     • Card Processing Terminal – POS, web interface, etc. (C2)
     • Merchant Data Centre/Network (C3)
     • Merchant Payment Gateway (C4)
     • Merchant Bank’s Data Centre (C5)
     • Merchant Bank’s Payment System (C6)
     • Card Association’s Data Centre (C7)
     • Card Association’s Payment System (C8)
     • Issuer’s Data Centre (C9)
     • Issuer’s Payment System (C10)
  5. Card Payment Process
     • Authorization
     • Settlement
       – Batching
       – Clearing
     • Funding

  6. Card Payment Process – Authorization
     [Diagram: the authorization path across actors A1–A5 and components C1–C10, with the links between data centres labelled "ISPs"; the figure itself is not recoverable from the extracted text.]
     1. The cardholder uses the card at the card payment terminal.
     2. The card payment terminal submits the card details to the merchant payment system for authorization of the transaction.
     3. The merchant payment system submits the request to the acquirer.
     4. The acquirer sends a request to the card network to communicate with and obtain authorization from the issuer.
     5. The card network requests authorization from the issuer.
     6. An authorization code is sent back to the card payment terminal through the same path in reverse.
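The six-step path above, modelled as an added example (not code from the original deck): each hop in the chain A1 → A2 → A3 → A4 → A5 is a small class, the terminal performs a Luhn sanity check before the card details leave it, the network routes by BIN to the issuer, the issuer approves or declines, and the authorization code travels back through the same objects. The merchant gateway's audit log stores only a masked PAN (first six and last four digits), which is the PCI DSS-style handling a defender would expect to see at step 3. Class names follow the slide's actor/component labels; the message fields, routing table, merchant id and the sample account balance are constructed for the example.

```python
"""Toy model of the card authorization path (steps 1-6 of slide 6).
Added illustration; actors/components follow the slide's labels, and
all data (PAN, balances, merchant ids) is constructed sample data.
"""
from dataclasses import dataclass
import secrets

# Constructed sample: a Visa-format test PAN that passes Luhn; not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation: the terminal's first sanity check (step 1)."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class AuthRequest:
    pan: str
    expiry: str           # "MMYY"
    amount_minor: int     # amount in minor units (pence / cents)
    currency: str
    merchant_id: str


@dataclass
class AuthResponse:
    approved: bool
    auth_code: str        # six-character code on approval, empty on decline
    reason: str


class Issuer:
    """A5 / C10: holds the account and makes the approve/decline decision (step 5)."""
    def __init__(self, accounts):
        self.accounts = dict(accounts)    # pan -> available balance (minor units)

    def authorize(self, req: AuthRequest) -> AuthResponse:
        balance = self.accounts.get(req.pan)
        if balance is None:
            return AuthResponse(False, "", "unknown account")
        if balance < req.amount_minor:
            return AuthResponse(False, "", "insufficient funds")
        self.accounts[req.pan] = balance - req.amount_minor   # place a hold
        return AuthResponse(True, secrets.token_hex(3).upper(), "approved")


class CardNetwork:
    """A4 / C8: routes on the BIN (first six digits) to the issuing bank (step 4 -> 5)."""
    def __init__(self, routing):
        self.routing = routing            # bin prefix -> Issuer

    def route(self, req: AuthRequest) -> AuthResponse:
        issuer = self.routing.get(req.pan[:6])
        if issuer is None:
            return AuthResponse(False, "", "no issuer for BIN")
        return issuer.authorize(req)


class Acquirer:
    """A3 / C6: checks the merchant relationship, then forwards to the network (step 4)."""
    def __init__(self, network, merchants):
        self.network, self.merchants = network, set(merchants)

    def authorize(self, req: AuthRequest) -> AuthResponse:
        if req.merchant_id not in self.merchants:
            return AuthResponse(False, "", "unknown merchant")
        return self.network.route(req)


class MerchantPaymentSystem:
    """A2 / C4: merchant gateway; forwards to the acquirer and logs only a masked PAN (step 3)."""
    def __init__(self, acquirer):
        self.acquirer, self.audit_log = acquirer, []

    def authorize(self, req: AuthRequest) -> AuthResponse:
        resp = self.acquirer.authorize(req)
        self.audit_log.append(f"merchant={req.merchant_id} pan={mask_pan(req.pan)} "
                              f"amount={req.amount_minor} {req.currency} approved={resp.approved}")
        return resp


class Terminal:
    """C2: validates the card locally before anything leaves the terminal (steps 1-2, 6)."""
    def __init__(self, merchant_system, merchant_id):
        self.merchant_system, self.merchant_id = merchant_system, merchant_id

    def pay(self, pan: str, expiry: str, amount_minor: int, currency: str = "GBP") -> AuthResponse:
        if not luhn_valid(pan):
            return AuthResponse(False, "", "rejected at terminal: bad PAN")
        req = AuthRequest(pan, expiry, amount_minor, currency, self.merchant_id)
        return self.merchant_system.authorize(req)   # step 6: the code returns along the same path


def build_demo():
    """Wire the chain A1 -> A2 -> A3 -> A4 -> A5 with constructed sample data."""
    issuer = Issuer({SAMPLE_PAN: 10_000})               # 100.00 available
    network = CardNetwork({SAMPLE_PAN[:6]: issuer})
    acquirer = Acquirer(network, {"MERCHANT-001"})      # constructed merchant id
    gateway = MerchantPaymentSystem(acquirer)
    return Terminal(gateway, "MERCHANT-001"), gateway


if __name__ == "__main__":
    terminal, gateway = build_demo()
    print(terminal.pay(SAMPLE_PAN, "1225", 2_500))           # approved
    print(terminal.pay(SAMPLE_PAN, "1225", 50_000))          # declined: insufficient funds
    print(terminal.pay("4111111111111112", "1225", 100))     # never leaves the terminal
    print(*gateway.audit_log, sep="\n")
```

Each hop only sees the fields it needs to make its own decision, and the full PAN is absent from anything the merchant persists; a real deployment would additionally tokenize or encrypt the PAN in transit and at rest, which the deck's Technologies slide lists but this model leaves out.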
  7. Security Needs
     • Threats
     • Vulnerabilities
     • Risk Assessments
     • Fraud Management
     • Enterprise Security Policies and Principles
     • Compliance Needs

  8. Fraud
     • Stolen cards
     • Card-not-present transactions
     • Identity theft
     • Application fraud
     • Account takeover
     • Skimming
     • Internal/employee fraud
     • Fraud detection tools

  9. Technologies
     • Firewalls
     • VPNs
     • PKI
     • Encryption
     • Web Services/XML Security
     • Tokens
     • Anti-virus
     • 2-Factor Authentication
     • Network Admission Control
     • Vulnerability Scanners
     • Intrusion Detection/Intrusion Prevention
     • Physical Security
     • File Integrity Monitoring
     • Patch Management Systems
  10. Solution Design – A Sample Template
     • Process security impact
       Describe the required process changes/configurations needed to comply with the Client's business process security standards. E.g. compliance of financial/contractual approval workflows with the Bill of Authority (BOA), compliance of process design with privacy legislation.
     • Application & integration security impact
       Describe the required application changes/configurations needed to comply with the Client's user identity and user authentication standards. E.g. TIMTAM integration, adherence to single sign-on, a properly filled Segregation of Duties (SOD) table per application.
       Describe the required integration changes/configurations needed to comply with the Client's integration security standards. E.g. use of SFTP for batch file transfer, measures for secure and guaranteed message delivery.
     • Information security impact
       Describe the required data changes/configurations needed to comply with the Client's ‘data-classification confidentiality’ standards. E.g. scrambling (of data in test environments), encryption. Classify all data and address the requirements of the standard accordingly.
     • Infrastructure security impact
       Describe the required infrastructure changes/configurations needed to comply with the Client's infrastructure security standards, in particular the required Mission Critical Value (MCV, the order of application restart after a disaster). Where a third-party vendor hosts the application, compliance with the Client's infrastructure security standards is implied by their data centre agreements. Otherwise (SaaS, BPO, cloud computing) it must be proven.
     • Compliance with web applications policy
       Describe the measures taken to comply with the Client's ‘web applications policy’ if web-based applications are part of the IT solution. E.g. perform vulnerability testing covering, among others, the OWASP Top Ten.
     • Compliance with PCI DSS
       Describe the measures taken to comply with the Client's Europe PCI DSS policy if the systems handle card-type data.
     • Testing & acceptance
       Describe the types of testing required as part of the testing strategy and planning. E.g. vulnerability scans, penetration testing, performance testing, failover & DR testing, etc.