How Payment Cards Really Work?
•
0 likes•1,120 views
This talk is an introduction about technical aspects of how payment cards function, what technical protocols are involved and what are implementation complexities in a typical payments project. You will learn about concepts like Authorisation and Clearing, Tokenization and know about novelties in the payment world, which will affect consumers in the nearest future.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to How Payment Cards Really Work?
Similar to How Payment Cards Really Work? (20)
More from Dmitry Buzdin
More from Dmitry Buzdin (20)
Recently uploaded
Recently uploaded (20)
How Payment Cards Really Work?
- 1. Version 1.1 How Payment Cards Really Work? Dmitry Buzdin 20.12.2018
- 2. Agenda • Whats in your card and what can you do with it? • Why payments are a complex IT domain? • What happens when you buy stuff?
- 5. How many payment cards you have on you?
- 7. Primary Account Number Individual account number Issuer identification number Checksum Major industry identifier 4 = VISA 5 = Mastercard 4000 1234 5678 9010
- 8. BIN Checker https://www.bincodes.com/bin-checker/ Issuers are assigned BIN ranges : from–to
- 9. Magstripe Card Verification Value (CVV)
- 10. Payment Networks
- 11. https://www.paymentscardsandmobile.com/unionpay-stays-on-top-as-the-worlds- largest-card-scheme/
- 12. How it all works together?
- 15. Authorization https://en.wikipedia.org/wiki/Authorization_hold Holds/freezes the money until payment confirmation comes through
- 18. Lots of messages going back and forth, what are those?
- 19. ISO 8583 https://en.wikipedia.org/wiki/ISO_8583 "standard for financial transaction card originated interchange messaging”
- 22. EBCDIC Encoding • Originated from IBM mainframes • Blocked file format – 2 byte delimiter after every 4096 bytes https://en.wikipedia.org/wiki/EBCDIC
- 23. ASCII Representation 1240¸‘√å·‚ 16534520700001811300000000000000600000000000600000000000600061000000 610000001403170000001810D10101C9100500120014005311230518605329600000 00000230699969806999698123456789012R1002300CHPPIN000000000CHPPIN69Th e Big Store 1234 Main StreetCamanducaia 90210 BRA3690002003MCS0003003MCS0023003NA 01460360029018400000000000429860000000000960148008986284020158030MCC 20300017513102301 NNNNNN0159067 1 F13102301131023010165001M01700328005556666 8005556666 0177002N 018904118005551212 019100121000051Original DE032 = 009667 And Modified DE032 = 999698986986986076_* ÜÇXïöúüÄü%⁄¡üvü&≠’‘'ıèÈü'Äü6ü72ó9Ä016 MCG0110840313 00000002060148810699969806014881@ö Single financial transaction
- 24. 1240¸‘√å·‚ 16534520700001811300000000000000600 0061000000610000001403170000001810D 11230518605329600000000002306999698 02300CHPPIN000000000CHPPIN69The Big Main StreetCamanducaia 90210 BRA3690002003MCS0003003MCS0023003NA 01460360029018400000000000429860000 Message Type Identifier
- 25. MTI Meaning Usage 0100 Authorization Request Request from a point-of-sale terminal for authorization for a cardholder purchase 0110 Authorization Response Request response to a point-of-sale terminal for authorization for a cardholder purchase 1240 First Presentment The merchant processes the original transaction. 0210 Issuer Response to Financial Request Issuer response to request for funds 0230 Issuer Response to Financial Advice Confirmation of receipt of financial advice 0400 Acquirer Reversal Request Reverses a transaction
- 26. 1240¸‘√å·‚ 16534520700001811300000000000000600 0061000000610000001403170000001810D 11230518605329600000000002306999698 02300CHPPIN000000000CHPPIN69The Big Main StreetCamanducaia 90210 BRA3690002003MCS0003003MCS0023003NA 01460360029018400000000000429860000 Message Type Identifier Data Element Bitmap
- 27. Data Element Bitmap 62 10 00 11 02 C0 48 04 0x22 = 0110 0010 DE2, DE3 and DE7 are present 128 Standard Data Elements
- 28. 1208 pages 318 pages 866 pages
- 30. 1240¸‘√å·‚ 16534520700001811300000000000000600 0061000000610000001403170000001810D 11230518605329600000000002306999698 02300CHPPIN000000000CHPPIN69The Big Main StreetCamanducaia 90210 BRA3690002003MCS0003003MCS0023003NA 01460360029018400000000000429860000 Message Type Identifier Data Element Bitmap DE2
- 32. Key Data Elements • DE-2 PAN • DE-4 Amount • DE-37 Retrieval Reference Number - UID set by Acquirer • DE-42 Card acceptor Merchant Identifier (MID) • DE-43 Card acceptor name/location • DE-49 Currency code • DE-18 Merchant Category Classification (MCC) • DE-39 Response code
- 33. Consuming ISO 8583 • Generic parsers exist • DE list should be configured for each MTI • Payment schema specific • Software vendor specific • Use-case specific • Version specific
- 34. Even More DE can have subfields … with subfields Hundreds of optional fields (PDS) Some DE have their own binary format
- 35. Weird Fields • PDS 0620—Oil Company Brand Name • PDS 0585—Mini-Bar Charges • PDS 0725—Overtime Hours Worked
- 36. 1) Request-reply 2) Batch files
- 37. ISO 8583 Overall • Monstrous format • Bandwidth efficient • Contains layers of legacy • Vendor specific elements and workflows • Few open source offerings (JPOS, j8583)
- 38. ECommerce API Merchant ECommerce Provider Payment Network Payment Gateway REST + JSON SOAP ISO8583
- 39. Is it safe to transfer PAN in plain text?
- 41. Payment Card Industry Data Security Standard https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
- 43. In Plain English • Protected network • All cardholder data encrypted in transfer and on disk • Regular security checks • Audited access to systems and data • Documented procedures • Physical security
- 44. PCI-DSS primary goal is protecting card sensitive data
- 45. Do’s and Dont’s https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf Render PAN unreadable
- 46. One-way hash 4000 1234 5678 9010 2a2e033b311bf13f8 Irreversible
- 47. PAN Masking 4000 1234 5678 9010 4000 12** **** 9010 Individual account number Issuer identification number Hash and masked PAN can not be stored in the same place
- 48. Tokenization 4000 1234 5678 9010 Abc45sdd124ssksk One-use or multiple use tokens B33fas%$liiii
- 49. Strong Cryptography “Strong cryptography with associated key-management processes and procedures”
- 51. HSM Functions • DES and Triple DES (key lengths 112 bit, 168 bit) • AES (key lengths 128 bit, 192 bit, 256 bit) • RSA (key lengths up to 4096 bit) • Hashing: MD1, SHA-1, SHA-2 • Payment specific algorithms • Key management
- 52. Key Management • Key strength • Accountability and audit • Key rotation https://www.owasp.org/index.php/Key_Management_Cheat_Sheet
- 53. Key Ceremony Generation of root private and public key pair
- 54. Security as a Service https://www.vaultproject.io TOTP PKI RSA Key-Value Dynamic Secrets
- 56. All major cloud providers are PCI-DSS compliant (so are major data centres) https://cloud.google.com/security/compliance/pci-dss/ https://docs.microsoft.com/en-us/azure/security/blueprints/pcidss-paaswa-overview https://aws.amazon.com/compliance/pci-dss-level-1-faqs/
- 59. Avoid PCI-DSS by not knowing sensitive data
- 60. External Web Form Redirect From Merchant Redirect Back To Merchant Payment service provider hosted page
- 61. Mobile Apps 1. PAN 4. UID 3. UID 2. UID
- 62. Cards 2.0
- 65. Payments Overall • Legacy data formats • Lots of integrations • Security-security-security • Legal restrictions • New APIs and standards are coming • Lots of changes right now!
- 66. http://a-heads.eu Dmitry Buzdin You want paymentz? – let us know! dmitry@a-heads.eu