Upload
hiteshasnani94
View
171
Download
2
Embed Size (px)
DESCRIPTION
Payment Card Security
Citation preview
PAYMENT CARD SECURITY
AGENDA’S
• Introduction• Security Issues• Payment Card Industry• Digital Certificate• Protocols• Advantages• Disadvantage• Conclusion• References
INTRODUCTION
• In the past year, the number of users reachable through Internet has increased dramatically• Potential to establish a new kind of open
marketplace for goods and services•Online shops in Internet• Bookshop (Amazon.com)• Flight Reservation and Hotel Reservation shopping
place, etc.
•An effective payment mechanism is needed
SECURITY ISSUES
• Internet is not a secure place
• Authorization, Access Control:• protect intranet from hordes: Firewalls
• Confidentiality, Data Integrity:• protect contents against snoopers: Encryption
• Authentication: • both parties prove identity before starting transaction: Digital
certificates
• Non-repudiation: • proof that the document originated by you & you only: Digital signature
PAYMENT CARD INDUSTRY
PCI = Payment Card Industry• PCI Data Security Standards compliance• Validate our Data• Validation method dependent on our “Merchant
Level”, which is a reflection of the number of transactions per year
CONT.
• “Payment Card Industry” encompasses all the organizations that store, process and transmit cardholder data• PCI Security Standards Council (PCI SSC)• Card brands (VISA, MasterCard, etc.)• Banks (Bank of America, Chase, etc.)• Service Providers (manage the transactions for the
banks, like PayPal, First Data, VeriSign)• Merchants (like K-State – the entity that takes the
credit card info from the customer)
Protect Cardholder Data• Do not store sensitive authentication data after
authorization (even if encrypted)…• … card verification value (3-digit code on back of
the card), PIN, or mag stripe content• Render PAN [Primary Account Number] unreadable
anywhere it is stored…• … examine a sample of removable media (for
example, back-up tapes) to confirm that the PAN is rendered unreadable
DIGITAL CERTIFICATE
• A digital identity document binding a public-private key pair to a specific person or organization• Verifying a digital signature only proves that the
signer had the private key corresponding to the public key used to decrypt the signature• Does not prove that the public-private key pair
belonged to the claimed individual• We need an independent third party to verify the
person’s identity (through non-electronic means) and issue a digital certificate
DIGITAL CERTIFICATE CONTENTS
• Name of holder• Public key of holder• Name of trusted third party (certificate authority)• DIGITAL SIGNATURE OF CERTIFICATE
AUTHORITY• Data on which hash and public-key algorithms
have been used• Other business or personal information
CERTIFICATION AUTHORITY
PROTOCOLS
• Credit card based• Secure Electronic Transaction (SET)• Secure Socket Layer (SSL)
• Electronic coins• DigiCash• Net Cash
CREDIT CARD BASED
• Parties involved: cardholder, merchant, issuer, acquirer and payment gateway• Transfer user's credit-card number to merchant via
insecure network• A trusted third party to authenticate the public key
SET EncryptionRequest is Sent toE-commerce Server
E-Commerce ServerVerifies Transaction
Purchaseis Requested
MerchantSends Recordto Bank
Transactionis Approved
Bank CreditsMerchant’s Account
SECURE ELECTRONIC TRANSMISSION (SET)
SET
• Developed by VISA and MasterCard• To facilitate secure payment card transactions over
the Internet• Digital Certificates create a trust chain throughout the
transaction, verifying cardholder and merchant validity• It is the most secure payment protocol
CONT..
• The SET specification uses public key cryptography and digital certificates for validating both consumers and merchants.• The SET protocol provides confidentiality, data
integrity, user and merchant authentication, and consumer non-repudiation.
PAYMENT PROCESS
• The messages needed to perform a complete purchase transaction usually include:• Initialization (PInitReq/PInitRes)• Purchase order (PReq/PRes)• Authorization (AuthReq/AuthRes)• Capture of payment (CapReq/CapRes)
INITIALIZATION
CardholderCardholder MerchantMerchant
PInitReq: {BrandID, Chall_C}
PInitRes: {TransID, Date, Chall_C, Chall_M}SigM
PURCHASE ORDER
CardholderCardholder MerchantMerchant
PReq: {OI, PI}
Pres: {TransID, [Results], Chall_C}SigM
AUTHORIZATION
MerchantMerchant AcquirerAcquirer IssuerIssuer
{{AuthReq}SigM}PKA
{{AuthRes}SigA}PKM
Existing Financial Network
CAPTURE OF PAYMENT
MerchantMerchant AcquirerAcquirer IssuerIssuer
{{CapRes}SigA}PKM
Existing Financial Network
Clearing
CapReq
CapTokenCapToken
ADVANTAGES
• It is secure enough to protect user's credit-card numbers and personal information from attacks• hardware independent• world-wide usage
DISADVANTAGES
• User must have credit card• No transfer of funds between users• It is not cost-effective when the payment is small• None of anonymity and it is traceable
SECURE SOCKET LAYER
• Created by Netscape for secure message transmission. • Uses public-key encryption• Browser is the client
ELECTRONIC CASH/COINS
• Parties involved: client, merchant and bank• Client must have an account in the bank• Less security and encryption• Suitable for small payment, but not for large payment• E.g.. Net cash
Electronic Cash Payment Protocol: NetCash
CurrencyServer 1
Currency Server 2
5. Verify coins
Buyer Merchant7. Receipt
3. CS1’s certificate
4. Validate coins
2. New coins
1. E-Check
6. New coins/E-Check
Making a purchase with NetCash
NET-CASH
A Net Cash coin has the following form:- CS_name: - name of the currency server.
- CS add: - network address of the currency server.
- Expiry: - the date on which the coin becomes invalid..
CONT.
CONT..
- Serial #: - a unique identifier of the coin to the currency server.- Value: - the amount of the coin Each coin is encrypted with currency server’s secret key (SKcs), which becomes a digital signature to show that the coin is authentic.
DIGICASH (E-CASH)
• A fully anonymous electronic cash system• Using blind signature technique• Parties involved: bank, buyer and merchant• Using RSA public-key cryptography• Special client and merchant software are needed
WITHDRAWING E-CASH/COINS
• User's cyber wallet software calculates how many digital coins are needed to withdraw the requested amount• software then generates random serial numbers for
those coins• the serial numbers are blinded by multiplying it by a
random factor
WITHDRAWING E-CASH COINS
• Blinded coins are packaged into a message, digitally signed with user's private key, encrypted with the bank's public key, then sent to the bank
• When the bank receives the message, it checks the signature
• After signing the blind coins, the bank returns them to the user
ADVANTAGES
• Cost-effective for small payment• User can transfer his electronic coins to other user• No need to apply credit card• Anonymous feature• Hardware independent
33
DISADVANTAGES
• It is not suitable for large payment because of lower security• Client must use wallet software in order to store the
withdrawn coins from the bank• A large database to store used serial numbers to
prevent double spending
34
CONCLUSIONS
• An effective, secure and reliable Internet payment system is needed• Depending on the payment amount, different level of
security is used• SET protocol is an outstanding payment protocol for
secure electronic commerce
REFERENCE'S
• http://sce.uhcl.edu/yang/teaching/csci5931webSecuritySpr04/SecureSocketLayer.ppt• http://www.it.iitb.ac.in/~sri/talks/secnet.ppt• http://vfu.bg/en/e-Learning/E-Business--
Internet_payment_systems.ppt• https://
www.k-state.edu/its/security/training/roundtables/presentations/SIRT_roundtable_Jan11-credit_card_info.ppt
Thank u..