Payment card security By Hitesh Asnani SVIT


Payment Card Security

Published in: Education


  2. AGENDA
     • Introduction
     • Security Issues
     • Payment Card Industry
     • Digital Certificate
     • Protocols
     • Advantages
     • Disadvantages
     • Conclusion
     • References
  3. INTRODUCTION
     • In the past year, the number of users reachable through the Internet has increased dramatically
     • Potential to establish a new kind of open marketplace for goods and services
     • Online shops on the Internet: bookshops, flight and hotel reservation, shopping places, etc.
     • An effective payment mechanism is needed
  4. SECURITY ISSUES
     • The Internet is not a secure place
     • Authorization, access control: protect the intranet from hordes of intruders: firewalls
     • Confidentiality, data integrity: protect contents against snoopers: encryption
     • Authentication: both parties prove their identity before starting the transaction: digital certificates
     • Non-repudiation: proof that the document originated from you and you only: digital signature
  5. PAYMENT CARD INDUSTRY
     PCI = Payment Card Industry
     • PCI Data Security Standard (PCI DSS) compliance
     • Validate our data
     • The validation method depends on our "Merchant Level", which reflects the number of transactions per year
  6. CONT.
     • The "Payment Card Industry" encompasses all the organizations that store, process and transmit cardholder data:
       • PCI Security Standards Council (PCI SSC)
       • Card brands (VISA, MasterCard, etc.)
       • Banks (Bank of America, Chase, etc.)
       • Service providers (manage the transactions for the banks, like PayPal, First Data, VeriSign)
       • Merchants (like K-State: the entity that takes the credit card info from the customer)
  7. PROTECT CARDHOLDER DATA
     • Do not store sensitive authentication data after authorization (even if encrypted): the card verification value (3-digit code on the back of the card), the PIN, or magnetic stripe content
     • Render the PAN (Primary Account Number) unreadable anywhere it is stored: examine a sample of removable media (for example, backup tapes) to confirm that the PAN is rendered unreadable
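The two requirements on this slide, as an added example (not part of the original deck): a record is stripped of sensitive authentication data and its PAN is masked and tokenized before storage, and a scanner checks stored text (such as a backup line) for readable PANs. The tokenization key and the sample record are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed key for the example only; a real key lives in an HSM or key manager.
TOKEN_KEY = b"example-only-tokenisation-key"

# Sensitive authentication data that must never be stored after authorization.
SENSITIVE_AUTH_FIELDS = ("cvv", "pin", "track1", "track2")

# Luhn check: confirms a digit run really looks like a card number.
def luhn_ok(pan: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# Display form: at most the first six and last four digits remain readable.
def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Keyed one-way token so records can be matched without storing the PAN.
def tokenize_pan(pan: str) -> str:
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()

# Returns a copy of the authorized transaction that is safe to persist.
def sanitize_for_storage(record: dict) -> dict:
    pan = re.sub(r"[ -]", "", record["pan"])
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("field 'pan' is not a well-formed card number")
    safe = {k: v for k, v in record.items()
            if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    safe["pan_masked"] = mask_pan(pan)
    safe["pan_token"] = tokenize_pan(pan)
    return safe

# Scans free text (e.g. a line read back from backup media) for readable PANs.
def scan_for_pan(text: str) -> list:
    joined = re.sub(r"(?<=\d)[ -](?=\d)", "", text)   # "4111 1111 ..." -> "41111111..."
    runs = re.findall(r"(?<!\d)\d{13,19}(?!\d)", joined)
    return [r for r in runs if luhn_ok(r)]

# Constructed sample transaction as it might arrive from the checkout page.
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "cvv": "123",
                 "expiry": "12/29", "amount": "49.99", "auth_code": "A1B2C3"}
```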
  8. DIGITAL CERTIFICATE
     • A digital identity document binding a public-private key pair to a specific person or organization
     • Verifying a digital signature only proves that the signer held the private key corresponding to the public key used to verify the signature
     • It does not prove that the public-private key pair belongs to the claimed individual
     • We need an independent third party to verify the person's identity (through non-electronic means) and issue a digital certificate
  9. DIGITAL CERTIFICATE CONTENTS
     • Name of holder
     • Public key of holder
     • Name of trusted third party (certificate authority)
     • DIGITAL SIGNATURE OF CERTIFICATE AUTHORITY
     • Identification of the hash and public-key algorithms used
     • Other business or personal information
  11. PROTOCOLS
     • Credit card based
       • Secure Electronic Transaction (SET)
       • Secure Socket Layer (SSL)
     • Electronic coins
       • DigiCash
       • NetCash
  12. CREDIT CARD BASED
     • Parties involved: cardholder, merchant, issuer, acquirer and payment gateway
     • The user's credit-card number is transferred to the merchant over an insecure network
     • A trusted third party authenticates the public key
  13. SECURE ELECTRONIC TRANSACTION (SET)
     Flow diagram (steps as labelled in the figure):
     • Purchase is requested
     • Encryption request is sent to the e-commerce server
     • E-commerce server verifies the transaction
     • Merchant sends the record to the bank
     • Transaction is approved
     • Bank credits the merchant's account
  14. SET
     • Developed by VISA and MasterCard
     • To facilitate secure payment card transactions over the Internet
     • Digital certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity
     • It is the most secure payment protocol
  15. CONT.
     • The SET specification uses public key cryptography and digital certificates for validating both consumers and merchants.
     • The SET protocol provides confidentiality, data integrity, user and merchant authentication, and consumer non-repudiation.
  16. PAYMENT PROCESS
     • The messages needed to perform a complete purchase transaction usually include:
       • Initialization (PInitReq/PInitRes)
       • Purchase order (PReq/PRes)
       • Authorization (AuthReq/AuthRes)
       • Capture of payment (CapReq/CapRes)
  17. INITIALIZATION
     Notation: {X}SigM is X signed by the merchant (SigA: by the acquirer); {X}PKA is X encrypted with the acquirer's public key (PKM: the merchant's).
     Cardholder -> Merchant: PInitReq: {BrandID, Chall_C}
     Merchant -> Cardholder: PInitRes: {TransID, Date, Chall_C, Chall_M}SigM
  18. PURCHASE ORDER
     Cardholder -> Merchant: PReq: {OI, PI}
     Merchant -> Cardholder: PRes: {TransID, [Results], Chall_C}SigM
  19. AUTHORIZATION
     Merchant -> Acquirer: {{AuthReq}SigM}PKA
     Acquirer <-> Issuer: over the existing financial network
     Acquirer -> Merchant: {{AuthRes}SigA}PKM
  20. CAPTURE OF PAYMENT
     Merchant -> Acquirer: CapReq with the CapToken
     Acquirer <-> Issuer: clearing over the existing financial network
     Acquirer -> Merchant: {{CapRes}SigA}PKM
  21. ADVANTAGES
     • It is secure enough to protect the user's credit-card number and personal information from attacks
     • Hardware independent
     • World-wide usage
  22. DISADVANTAGES
     • The user must have a credit card
     • No transfer of funds between users
     • It is not cost-effective when the payment is small
     • No anonymity: the payment is traceable
  24. SECURE SOCKET LAYER (SSL)
     • Created by Netscape for secure message transmission
     • Uses public-key encryption
     • The browser is the client
  25. ELECTRONIC CASH/COINS
     • Parties involved: client, merchant and bank
     • The client must have an account at the bank
     • Less security and encryption
     • Suitable for small payments, but not for large payments
     • E.g. NetCash
  26. ELECTRONIC CASH PAYMENT PROTOCOL: NETCASH
     Making a purchase with NetCash (figure; parties: Buyer, Merchant, Currency Server 1, Currency Server 2):
     1. E-check
     2. New coins
     3. CS1's certificate
     4. Validate coins
     5. Verify coins
     6. New coins / e-check
     7. Receipt
  27. CONT.
     A NetCash coin has the following form:
     • CS_name: name of the currency server
     • CS_add: network address of the currency server
     • Expiry: the date on which the coin becomes invalid
  28. CONT.
     • Serial #: a unique identifier of the coin to the currency server
     • Value: the amount of the coin
     Each coin is encrypted with the currency server's secret key (SKcs), which acts as a digital signature showing that the coin is authentic.
  29. DIGICASH (E-CASH)
     • A fully anonymous electronic cash system
     • Uses the blind signature technique
     • Parties involved: bank, buyer and merchant
     • Uses RSA public-key cryptography
     • Special client and merchant software are needed
  30. WITHDRAWING E-CASH/COINS
     • The user's cyber wallet software calculates how many digital coins are needed to withdraw the requested amount
     • The software then generates random serial numbers for those coins
     • The serial numbers are blinded by multiplying them by a random factor
  31. WITHDRAWING E-CASH COINS
     • The blinded coins are packaged into a message, digitally signed with the user's private key, encrypted with the bank's public key, and sent to the bank
     • When the bank receives the message, it checks the signature
     • After signing the blinded coins, the bank returns them to the user
  32. ADVANTAGES
     • Cost-effective for small payments
     • The user can transfer electronic coins to another user
     • No need to apply for a credit card
     • Anonymity
     • Hardware independent
  33. DISADVANTAGES
     • It is not suitable for large payments because of its lower security
     • The client must use wallet software to store the coins withdrawn from the bank
     • A large database is needed to store used serial numbers to prevent double spending
  34. CONCLUSIONS
     • An effective, secure and reliable Internet payment system is needed
     • Depending on the payment amount, a different level of security is used
     • The SET protocol is an outstanding payment protocol for secure electronic commerce
  36. Thank you.