PAYMENT CARD SECURITY

Payment card security By Hitesh Asnani SVIT



Page 2: Payment card security By Hitesh Asnani SVIT

AGENDA

• Introduction
• Security Issues
• Payment Card Industry
• Digital Certificate
• Protocols
• Advantages
• Disadvantages
• Conclusion
• References

Page 3: Payment card security By Hitesh Asnani SVIT

INTRODUCTION

• In the past year, the number of users reachable through the Internet has increased dramatically
• Potential to establish a new kind of open marketplace for goods and services
• Online shops on the Internet
  • Bookshop (Amazon.com)
  • Flight reservation and hotel reservation shopping place, etc.
• An effective payment mechanism is needed

Page 4: Payment card security By Hitesh Asnani SVIT

SECURITY ISSUES

• The Internet is not a secure place
• Authorization, access control:
  • Protect the intranet from hordes: firewalls
• Confidentiality, data integrity:
  • Protect contents against snoopers: encryption
• Authentication:
  • Both parties prove their identity before starting the transaction: digital certificates
• Non-repudiation:
  • Proof that the document originated from you and you only: digital signature

Page 5: Payment card security By Hitesh Asnani SVIT

PAYMENT CARD INDUSTRY

PCI = Payment Card Industry
• PCI Data Security Standards compliance
• Validate our data
• The validation method depends on our “Merchant Level”, which reflects the number of transactions per year

Page 6: Payment card security By Hitesh Asnani SVIT

CONT.

• “Payment Card Industry” encompasses all the organizations that store, process and transmit cardholder data:
  • PCI Security Standards Council (PCI SSC)
  • Card brands (VISA, MasterCard, etc.)
  • Banks (Bank of America, Chase, etc.)
  • Service providers (manage the transactions for the banks, like PayPal, First Data, VeriSign)
  • Merchants (like K-State, the entity that takes the credit card info from the customer)

Page 7: Payment card security By Hitesh Asnani SVIT

Protect Cardholder Data

• Do not store sensitive authentication data after authorization (even if encrypted)…
  • … card verification value (3-digit code on the back of the card), PIN, or mag stripe content
• Render the PAN [Primary Account Number] unreadable anywhere it is stored…
  • … examine a sample of removable media (for example, back-up tapes) to confirm that the PAN is rendered unreadable

Page 8: Payment card security By Hitesh Asnani SVIT

DIGITAL CERTIFICATE

• A digital identity document binding a public-private key pair to a specific person or organization
• Verifying a digital signature only proves that the signer had the private key corresponding to the public key used to decrypt the signature
• It does not prove that the public-private key pair belonged to the claimed individual
• We need an independent third party to verify the person’s identity (through non-electronic means) and issue a digital certificate

Page 9: Payment card security By Hitesh Asnani SVIT

DIGITAL CERTIFICATE CONTENTS

• Name of holder
• Public key of holder
• Name of trusted third party (certificate authority)
• Digital signature of certificate authority
• Data on which hash and public-key algorithms have been used
• Other business or personal information

Page 10: Payment card security By Hitesh Asnani SVIT

CERTIFICATION AUTHORITY

Page 11: Payment card security By Hitesh Asnani SVIT

PROTOCOLS

• Credit card based
  • Secure Electronic Transaction (SET)
  • Secure Socket Layer (SSL)
• Electronic coins
  • DigiCash
  • NetCash

Page 12: Payment card security By Hitesh Asnani SVIT

CREDIT CARD BASED

• Parties involved: cardholder, merchant, issuer, acquirer and payment gateway
• Transfers the user's credit-card number to the merchant via an insecure network
• A trusted third party authenticates the public key

Page 13: Payment card security By Hitesh Asnani SVIT

SECURE ELECTRONIC TRANSMISSION (SET)

Figure: SET purchase flow
• Purchase is requested
• SET encryption request is sent to e-commerce server
• E-commerce server verifies transaction
• Merchant sends record to bank
• Transaction is approved
• Bank credits merchant’s account

Page 14: Payment card security By Hitesh Asnani SVIT

SET

• Developed by VISA and MasterCard
• To facilitate secure payment card transactions over the Internet
• Digital certificates create a trust chain throughout the transaction, verifying cardholder and merchant validity
• It is the most secure payment protocol

Page 15: Payment card security By Hitesh Asnani SVIT

CONT..

• The SET specification uses public key cryptography and digital certificates for validating both consumers and merchants.
• The SET protocol provides confidentiality, data integrity, user and merchant authentication, and consumer non-repudiation.

Page 16: Payment card security By Hitesh Asnani SVIT

PAYMENT PROCESS

• The messages needed to perform a complete purchase transaction usually include:
  • Initialization (PInitReq/PInitRes)
  • Purchase order (PReq/PRes)
  • Authorization (AuthReq/AuthRes)
  • Capture of payment (CapReq/CapRes)

Page 17: Payment card security By Hitesh Asnani SVIT

INITIALIZATION

Cardholder → Merchant: PInitReq: {BrandID, Chall_C}

Merchant → Cardholder: PInitRes: {TransID, Date, Chall_C, Chall_M}SigM

Page 18: Payment card security By Hitesh Asnani SVIT

PURCHASE ORDER

Cardholder → Merchant: PReq: {OI, PI}

Merchant → Cardholder: PRes: {TransID, [Results], Chall_C}SigM

Page 19: Payment card security By Hitesh Asnani SVIT

AUTHORIZATION

Merchant → Acquirer: {{AuthReq}SigM}PKA

Acquirer → Merchant: {{AuthRes}SigA}PKM

Acquirer ↔ Issuer: existing financial network

(Notation: {X}SigM is X signed by the merchant, {X}SigA is X signed by the acquirer; {X}PKA and {X}PKM are X encrypted under the acquirer’s and the merchant’s public key respectively.)

Page 20: Payment card security By Hitesh Asnani SVIT

CAPTURE OF PAYMENT

Merchant → Acquirer: CapReq (carrying the CapToken)

Acquirer → Merchant: {{CapRes}SigA}PKM

Acquirer ↔ Issuer: existing financial network (clearing)
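The initialization and purchase-order exchanges from the slides above, as an added example written for this page (not code from the slides or from the SET specification): a textbook-RSA merchant signature stands in for SigM, the cardholder checks that its own Chall_C comes back under a valid signature, and OI and PI are tied to the TransID so the merchant can match them. Message field names follow the slides; the key, the date and the `approved`/`rejected` result strings are assumptions.

```python
import hashlib, json, secrets

# Demo-only textbook RSA keypair standing in for the merchant's certified key (SigM).
# Fixed Mersenne primes keep the numbers reproducible; never use such a key for real.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def digest(msg):
    """SHA-256 over a canonical JSON encoding, reduced below the modulus."""
    data = json.dumps(msg, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_m(msg):                      # {msg}SigM: the merchant signs the digest
    return pow(digest(msg), D, N)
def verify_m(msg, sig):
    return pow(sig, E, N) == digest(msg)

def cardholder_pinit_req(brand):
    # Chall_C is a fresh random challenge that the merchant must echo back.
    return {"BrandID": brand, "Chall_C": secrets.token_hex(8)}

def merchant_pinit_res(req):
    res = {"TransID": secrets.token_hex(4), "Date": "2001-01-01",
           "Chall_C": req["Chall_C"], "Chall_M": secrets.token_hex(8)}
    return res, sign_m(res)

def cardholder_accepts(res, sig, chall_c):
    # A bad signature, or a response without our own Chall_C (a replay), is rejected.
    return verify_m(res, sig) and res.get("Chall_C") == chall_c

def cardholder_preq(res, order, instrument):
    # OI (order info) and PI (payment instruction) both carry TransID to tie them together.
    tid = res["TransID"]
    return {"OI": dict(order, TransID=tid), "PI": dict(instrument, TransID=tid)}

def merchant_pres(preq, known_trans, chall_c):
    tid = preq["OI"]["TransID"]
    ok = tid in known_trans and preq["PI"]["TransID"] == tid
    res = {"TransID": tid, "Results": "approved" if ok else "rejected", "Chall_C": chall_c}
    return res, sign_m(res)

def run_purchase(order, instrument):
    """Initialization followed by purchase order, with the cardholder's checks applied."""
    req = cardholder_pinit_req("VISA")
    res, sig = merchant_pinit_res(req)
    if not cardholder_accepts(res, sig, req["Chall_C"]):
        return "abort: bad PInitRes"
    pres, psig = merchant_pres(cardholder_preq(res, order, instrument), {res["TransID"]}, req["Chall_C"])
    return pres["Results"] if cardholder_accepts(pres, psig, req["Chall_C"]) else "abort: bad PRes"
```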

Page 21: Payment card security By Hitesh Asnani SVIT

ADVANTAGES

• It is secure enough to protect the user's credit-card number and personal information from attacks
• Hardware independent
• World-wide usage

Page 22: Payment card security By Hitesh Asnani SVIT

DISADVANTAGES

• The user must have a credit card
• No transfer of funds between users
• It is not cost-effective when the payment is small
• No anonymity; transactions are traceable

Page 23: Payment card security By Hitesh Asnani SVIT

SECURE SOCKET LAYER

Page 24: Payment card security By Hitesh Asnani SVIT

• Created by Netscape for secure message transmission
• Uses public-key encryption
• The browser is the client

Page 25: Payment card security By Hitesh Asnani SVIT

ELECTRONIC CASH/COINS

• Parties involved: client, merchant and bank
• The client must have an account at the bank
• Less security and encryption
• Suitable for small payments, but not for large payments
• E.g. NetCash

Page 26: Payment card security By Hitesh Asnani SVIT

NET-CASH

Electronic Cash Payment Protocol: NetCash

Figure: Making a purchase with NetCash (parties: Buyer, Merchant, Currency Server 1, Currency Server 2)
1. E-Check
2. New coins
3. CS1’s certificate
4. Validate coins
5. Verify coins
6. New coins/E-Check
7. Receipt

Page 27: Payment card security By Hitesh Asnani SVIT

CONT.

A NetCash coin has the following form:
- CS_name: name of the currency server
- CS add: network address of the currency server
- Expiry: the date on which the coin becomes invalid

Page 28: Payment card security By Hitesh Asnani SVIT

CONT..

- Serial #: a unique identifier of the coin to the currency server
- Value: the amount of the coin

Each coin is encrypted with the currency server’s secret key (SKcs), which becomes a digital signature to show that the coin is authentic.

Page 29: Payment card security By Hitesh Asnani SVIT

DIGICASH (E-CASH)

• A fully anonymous electronic cash system
• Uses the blind signature technique
• Parties involved: bank, buyer and merchant
• Uses RSA public-key cryptography
• Special client and merchant software are needed

Page 30: Payment card security By Hitesh Asnani SVIT

WITHDRAWING E-CASH/COINS

• The user's cyber wallet software calculates how many digital coins are needed to withdraw the requested amount
• The software then generates random serial numbers for those coins
• Each serial number is blinded by multiplying it by a random factor

Page 31: Payment card security By Hitesh Asnani SVIT

WITHDRAWING E-CASH COINS

• Blinded coins are packaged into a message, digitally signed with user's private key, encrypted with the bank's public key, then sent to the bank

• When the bank receives the message, it checks the signature

• After signing the blind coins, the bank returns them to the user

Page 32: Payment card security By Hitesh Asnani SVIT

ADVANTAGES

• Cost-effective for small payments
• Users can transfer their electronic coins to other users
• No need to apply for a credit card
• Anonymous
• Hardware independent

Page 33: Payment card security By Hitesh Asnani SVIT


DISADVANTAGES

• It is not suitable for large payments because of lower security
• The client must use wallet software to store the coins withdrawn from the bank
• A large database is needed to store used serial numbers to prevent double spending
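The withdrawal steps (blind, have the bank sign, unblind) from the two slides above and the used-serial database from this one, as an added example written for this page rather than DigiCash's own code: textbook RSA blinding with a fixed demo key, and a bank that accepts a coin only if the signature verifies and the serial has not been seen before. The transport wrapper (signing the request with the user's key and encrypting it to the bank) is left out; the `Bank` class and its result strings are assumptions.

```python
import hashlib, secrets
from math import gcd

# Demo-only textbook RSA keypair standing in for the bank's coin-signing key.
# Fixed Mersenne primes keep it reproducible; these are not DigiCash's real parameters.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def coin_hash(serial):
    """Map a coin's serial number to the integer the bank actually signs."""
    return int.from_bytes(hashlib.sha256(serial.encode()).digest(), "big") % N

def wallet_blind(serial):
    """Multiply by r^e mod N: the bank sees only the blinded value, never the serial."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (coin_hash(serial) * pow(r, E, N)) % N, r

def bank_sign_blinded(blinded):
    """The bank signs whatever it receives; it cannot link this to a later deposit."""
    return pow(blinded, D, N)

def wallet_unblind(blind_sig, r):
    """Divide out r: (h * r^e)^d * r^-1 = h^d, the bank's signature on the real serial."""
    return (blind_sig * pow(r, -1, N)) % N

def coin_is_authentic(serial, sig):
    return pow(sig, E, N) == coin_hash(serial)

def withdraw_coin():
    """Wallet side of a withdrawal: random serial, blind, have it signed, unblind."""
    serial = secrets.token_hex(16)
    blinded, r = wallet_blind(serial)
    return serial, wallet_unblind(bank_sign_blinded(blinded), r)

class Bank:
    """Accepts coin deposits; the spent set is the double-spending database."""
    def __init__(self):
        self.spent = set()

    def deposit(self, serial, sig):
        if not coin_is_authentic(serial, sig):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: double spend"
        self.spent.add(serial)
        return "accepted"
```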

Page 34: Payment card security By Hitesh Asnani SVIT


CONCLUSIONS

• An effective, secure and reliable Internet payment system is needed
• Depending on the payment amount, a different level of security is used
• The SET protocol is an outstanding payment protocol for secure electronic commerce

Page 36: Payment card security By Hitesh Asnani SVIT

Thank u..