Version 1.1
How Payment Cards
Really Work?
Dmitry Buzdin
20.12.2018
Agenda
• What's in your card and what can you do with it?

• Why are payments a complex IT domain?

• What happens when you buy stuff?
About Speaker
http://a-heads.eu
Dmitry Buzdin
Tally Sticks
Stock
Foil
How many payment cards do you have on you?
Chip
Contactless
Payment network
Product
Cardholder
Expiration date
PAN
Primary Account Number
Individual account number
Issuer identification number Checksum
Major industry identifier
4 = VISA
5 = Mastercard
4000 1234 5678 9010
BIN Checker
https://www.bincodes.com/bin-checker/
Issuers are assigned BIN ranges: from–to
Magstripe
Card Verification Value (CVV)
Payment Networks
https://www.paymentscardsandmobile.com/unionpay-stays-on-top-as-the-worlds-largest-card-scheme/
How does it all work together?
https://medium.com/@stephenjcho/deciphering-the-payments-stack-efbcb9c8eac4
https://www.mastercard.co.uk/en-gb/merchants/start-accepting/payment-process.html
Authorization
https://en.wikipedia.org/wiki/Authorization_hold
Holds/freezes the money until payment confirmation comes through
Auth vs Clearing
https://gomedici.com/overview-of-the-payments-industry/
Lots of messages going back and forth, what are those?
ISO 8583
https://en.wikipedia.org/wiki/ISO_8583
"standard for financial transaction card originated interchange messaging"
Transactions from Prod
EBCDIC Encoding
• Originated from IBM mainframes

• Blocked file format – 2 byte delimiter after every 4096 bytes
https://en.wikipedia.org/wiki/EBCDIC
ASCII Representation
1240¸‘√å·‚

16534520700001811300000000000000600000000000600000000000600061000000
610000001403170000001810D10101C9100500120014005311230518605329600000
00000230699969806999698123456789012R1002300CHPPIN000000000CHPPIN69Th
e Big Store 1234 Main StreetCamanducaia 90210
BRA3690002003MCS0003003MCS0023003NA
01460360029018400000000000429860000000000960148008986284020158030MCC
20300017513102301 NNNNNN0159067
1 F13102301131023010165001M01700328005556666
8005556666 0177002N 018904118005551212
019100121000051Original DE032 = 009667 And Modified DE032 =
999698986986986076_* ÜÇXïöúüÄü%⁄¡üvü&≠’‘'ıèÈü'Äü6ü72ó9Ä016
MCG0110840313 00000002060148810699969806014881@ö
Single financial transaction
1240¸‘√å·‚

16534520700001811300000000000000600
0061000000610000001403170000001810D
11230518605329600000000002306999698
02300CHPPIN000000000CHPPIN69The Big
Main StreetCamanducaia 90210
BRA3690002003MCS0003003MCS0023003NA
01460360029018400000000000429860000
Message Type Identifier
MTI | Meaning | Usage
0100 | Authorization Request | Request from a point-of-sale terminal for authorization for a cardholder purchase
0110 | Authorization Response | Response to a point-of-sale terminal's authorization request for a cardholder purchase
1240 | First Presentment | The merchant processes the original transaction.
0210 | Issuer Response to Financial Request | Issuer response to request for funds
0230 | Issuer Response to Financial Advice | Confirmation of receipt of financial advice
0400 | Acquirer Reversal Request | Reverses a transaction
Data Element Bitmap
62 10 00 11 02 C0 48 04
0x62 = 0110 0010
DE2, DE3 and DE7 are present
128 Standard Data Elements
1208 pages
318 pages
866 pages
DE2
LLVAR
165345207000018113000000000…
LL=16 VALUE=5345207000018113
Element length 16 numerics
Key Data Elements
• DE-2 PAN

• DE-4 Amount

• DE-37 Retrieval Reference Number - UID set by Acquirer

• DE-42 Card acceptor Merchant Identifier (MID)

• DE-43 Card acceptor name/location

• DE-49 Currency code

• DE-18 Merchant Category Classification (MCC)

• DE-39 Response code
Consuming ISO 8583
• Generic parsers exist

• DE list should be configured for each MTI

• Payment schema specific

• Software vendor specific

• Use-case specific

• Version specific
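The bitmap and LLVAR slides above, and the "DE list should be configured for each MTI" point, come together in a small parser. This is an added example, not code from the talk nor from jPOS/j8583: it keeps a per-DE table (kind and length) in the style of the ISO 8583:1987 base definitions, refuses any DE the bitmap flags but the table does not know (the scheme-specific part the slides warn about), walks a binary 8-byte primary bitmap (bit 1 = most significant bit of the first byte, and when set it announces a secondary bitmap), and decodes text as EBCDIC with Python's cp037 codec, an assumption chosen to match the mainframe-origin files on the "EBCDIC Encoding" slide. The sample 0100 message is constructed with a public test PAN; the second check re-uses the exact bitmap bytes from the slide, 62 10 00 11 02 C0 48 04.

```python
# Added example: minimal ISO 8583 parser (binary bitmap, EBCDIC text, LLVAR).
# SPEC follows the ISO 8583:1987 base definitions for these DEs; a real deployment
# configures this table per MTI and per payment scheme.
SPEC = {
    2: ("llvar", 19),   # PAN, up to 19 digits
    3: ("fixed", 6),    # processing code
    4: ("fixed", 12),   # transaction amount in minor units
    7: ("fixed", 10),   # transmission date/time, MMDDhhmmss
    11: ("fixed", 6),   # system trace audit number
    37: ("fixed", 12),  # retrieval reference number
    39: ("fixed", 2),   # response code
    41: ("fixed", 8),   # card acceptor terminal id
    42: ("fixed", 15),  # card acceptor id (MID)
    49: ("fixed", 3),   # currency code
}

EBCDIC = "cp037"  # assumption: mainframe-style EBCDIC text encoding


def bitmap_fields(bitmap: bytes) -> list:
    """DE numbers whose bit is set; bit 1 is the MSB of the first byte."""
    nbits = len(bitmap) * 8
    value = int.from_bytes(bitmap, "big")
    return [i for i in range(1, nbits + 1) if (value >> (nbits - i)) & 1]


def parse_message(raw: bytes, encoding: str = EBCDIC):
    """Return (MTI, {DE: value}) or raise ValueError on anything unconfigured."""
    pos = 0
    mti = raw[pos:pos + 4].decode(encoding)
    pos += 4
    bitmap = raw[pos:pos + 8]
    pos += 8
    if bitmap[0] & 0x80:            # bit 1 set: secondary bitmap (DE65-128) follows
        bitmap += raw[pos:pos + 8]
        pos += 8
    fields = {}
    for de in bitmap_fields(bitmap):
        if de == 1:
            continue                # bit 1 only says "secondary bitmap present"
        if de not in SPEC:
            raise ValueError(f"DE{de} flagged in bitmap but not configured for MTI {mti}")
        kind, length = SPEC[de]
        if kind == "llvar":         # two-digit length prefix, then the value
            ll = int(raw[pos:pos + 2].decode(encoding))
            pos += 2
            if ll > length:
                raise ValueError(f"DE{de} length {ll} exceeds maximum {length}")
            length = ll
        fields[de] = raw[pos:pos + length].decode(encoding)
        pos += length
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} trailing bytes after last configured DE")
    return mti, fields


def build_sample() -> bytes:
    """Constructed 0100 authorization request (public test PAN, not a real card)."""
    def enc(s: str) -> bytes:
        return s.encode(EBCDIC)
    values = [
        (2, "4111111111111111"), (3, "000000"), (4, "000000012345"),
        (7, "1222153000"), (11, "000123"), (37, "000123456789"),
        (41, "TERM0001"), (42, "MERCHANT0000001"), (49, "978"),
    ]
    bitmap, body = 0, b""
    for de, val in values:
        bitmap |= 1 << (64 - de)    # bit 1 is the MSB of the 64-bit primary bitmap
        if SPEC[de][0] == "llvar":
            body += enc(f"{len(val):02d}")
        body += enc(val)
    return enc("0100") + bitmap.to_bytes(8, "big") + body


if __name__ == "__main__":
    print(parse_message(build_sample()))
    print("slide bitmap flags DEs:", bitmap_fields(bytes.fromhex("62100011" "02C04804")))
```

Running `parse_message` on the slide's own bitmap would stop at DE12, because that DE is not in the table: that is the intended failure mode, since silently skipping an unknown element would desynchronise every field after it.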
Even More
DE can have subfields … with subfields
Hundreds of optional fields (PDS)
Some DE have their own binary format
Weird Fields
• PDS 0620—Oil Company Brand Name 

• PDS 0585—Mini-Bar Charges 

• PDS 0725—Overtime Hours Worked
1) Request-reply
2) Batch files
ISO 8583 Overall
• Monstrous format

• Bandwidth efficient

• Contains layers of legacy

• Vendor specific elements and workflows

• Few open source offerings (JPOS, j8583)
ECommerce API
Merchant
ECommerce Provider
Payment Network
Payment Gateway
REST + JSON
SOAP
ISO8583
Is it safe to transfer PAN in plain text?
PCI-DSS
Certification
Payment Card Industry
Data Security Standard
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
PCI-DSS Requirements
In Plain English
• Protected network

• All cardholder data encrypted in transfer and on disk

• Regular security checks

• Audited access to systems and data

• Documented procedures

• Physical security
The primary goal of PCI-DSS is protecting sensitive card data
Do's and Don'ts
https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
Render PAN unreadable
One-way hash
4000 1234 5678 9010
2a2e033b311bf13f8
Irreversible
PAN Masking
4000 1234 5678 9010
4000 12** **** 9010
Individual account number
Issuer identification number
Hash and masked PAN cannot be stored in the same place
Tokenization
4000 1234 5678 9010
Abc45sdd124ssksk
One-use or multiple use tokens
B33fas%$liiii
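The three ways of rendering a PAN unreadable on the slides above (one-way hash, masking, tokenization) side by side, as an added example that is not the talk's code. Assumptions: the hash is keyed (HMAC-SHA256) with a key that in production lives in an HSM or a vault rather than in application memory; the token vault is an in-memory toy standing in for a real tokenization service. The last function puts a number on the "hash and masked PAN cannot be stored in the same place" rule: a masked value leaves only as many unknown digits as there are asterisks, which is a tiny search space for an unkeyed hash.

```python
# Added example: masking, keyed hashing and tokenization of a PAN.
import hashlib
import hmac
import secrets

# Assumption: in production this key is generated and held in an HSM / vault.
HASH_KEY = secrets.token_bytes(32)


def pan_digits(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())


def mask_pan(pan: str) -> str:
    """Keep at most the first 6 and last 4 digits, replace the rest with '*',
    preserving any spacing in the input."""
    n = len(pan_digits(pan))
    out, seen = [], 0
    for ch in pan:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= 6 or seen > n - 4 else "*")
        else:
            out.append(ch)
    return "".join(out)


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Irreversible, keyed one-way hash; without the key an attacker cannot
    recompute candidates, unlike a bare SHA-256 over a 16-digit number."""
    return hmac.new(key, pan_digits(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Toy token vault: random surrogate values, PAN kept only inside the vault."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str, reusable: bool = True) -> str:
        """Multiple-use tokens map a PAN to one stable token; one-use tokens are
        fresh every call so a leaked token is worthless afterwards."""
        digits = pan_digits(pan)
        if reusable and digits in self._token_by_pan:
            return self._token_by_pan[digits]
        token = secrets.token_urlsafe(12)
        self._pan_by_token[token] = digits
        if reusable:
            self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside PCI scope) can turn a token back into a PAN."""
        return self._pan_by_token[token]


def masked_candidates(masked: str) -> int:
    """Upper bound on PANs consistent with a masked value: one choice per '*'.
    Stored next to an unkeyed hash of the same PAN, this is the whole space an
    attacker must hash through, which is why the two must not sit together."""
    return 10 ** masked.count("*")


if __name__ == "__main__":
    pan = "4000 1234 5678 9010"   # constructed sample from the slide, not a real card
    print(mask_pan(pan), hash_pan(pan), masked_candidates(mask_pan(pan)))
    vault = TokenVault()
    print(vault.tokenize(pan), vault.tokenize(pan, reusable=False))
```

The masked form is what a receipt or a support screen may show; the keyed hash is what a fraud system may use to link transactions by card without ever holding the PAN; the token is what a merchant stores for repeat purchases.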
Strong Cryptography
“Strong cryptography with
associated key-management
processes and procedures”
Hardware Security Module
(HSM)
HSM Functions
• DES and Triple DES (key lengths 112 bit, 168 bit)

• AES (key lengths 128 bit, 192 bit, 256 bit)

• RSA (key lengths up to 4096 bit)

• Hashing: MD1, SHA-1, SHA-2

• Payment specific algorithms

• Key management
Key Management
• Key strength

• Accountability and audit

• Key rotation
https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
Key Ceremony
Generation of root private and public key pair
Security as a Service
https://www.vaultproject.io
TOTP
PKI RSA
Key-Value
Dynamic Secrets
https://www.vaultproject.io/docs/concepts/seal.html
All major cloud providers are PCI-DSS compliant (so are major data centres)
https://cloud.google.com/security/compliance/pci-dss/
https://docs.microsoft.com/en-us/azure/security/blueprints/pcidss-paaswa-overview
https://aws.amazon.com/compliance/pci-dss-level-1-faqs/
Does Everyone Need PCI-DSS?
https://www.compliance101.com/pci-compliance/
Avoid PCI-DSS scope by never handling sensitive data yourself
External Web Form
Redirect from merchant → payment service provider hosted page → redirect back to merchant
Mobile Apps
1. PAN
2. UID
3. UID
4. UID
Cards 2.0
Tokenization
Host Card Emulator
https://developer.mastercard.com
https://developer.visa.com/
Payments Overall
• Legacy data formats

• Lots of integrations

• Security-security-security

• Legal restrictions

• New APIs and standards are coming

• Lots of changes right now!
http://a-heads.eu
Dmitry Buzdin
You want paymentz? – let us know!
dmitry@a-heads.eu