Technical Discussions


One of my favorite things about the Payments industry is the pace of innovation.  Five years ago, when the Payment Card Industry Data Security Standard became mandatory, the industry buzzed with ingenious new ways to secure cardholder data.  Today, terms like “end-to-end encryption,” “tokenization,” and “encrypted at the swipe” are commonplace.  In fact, those technologies are now more often the rule than they are the exception.  Today, the industry is abuzz with a new phenomenon, the mobile payment platform.  Again, it is startling to see how quickly companies can develop both hardware and software to meet the clamoring demands for mobile methods.  Here is a brief discussion of those methods.

Near Field Communications (NFC) – In NFC technologies payment data is stored on a chip or device in the consumer’s phone.  When a purchase is to be made, the phone or other NFC-enabled device is “waved” near special equipment on the merchant side.  The purchase is approved and the consumer can walk out.

The benefits of such a solution are its speed and ease of use.  The consumer is required to do no more than wave the device near the merchant’s specialized POS.  For small purchases, the convenience is difficult to beat.  The challenges include the limits on the size of the purchase, its storage of data within the NFC device, and the requirement for the merchant to purchase special equipment to accept those payments.  With more and more providers offering NFC, the prices for the merchant-side equipment are beginning to fall, but merchants have been reluctant to adopt this technology as it does require a purchase of equipment.

Text/SMS – Also referred to as carrier billing, Text/SMS payments are particularly popular with merchants of digital goods, such as games, music, and ring tones. The carrier billing model is growing increasingly popular in the realm of digital sales and Peer-to-Peer (P2P) payments. In this model, a payment authorization is transmitted via text message and the amount of the payment is charged to the user’s mobile phone bill. This method proves effective in high-volume, low-ticket sales, such as P2P or digital goods.

Application-Based Payments – With the rapid adoption of smartphone technology, these types of solutions are likely to become more prevalent. In this model, the user downloads the payment application and enters their preferred payment methods. The secure storage of this data is fertile ground for debate: there are proponents of storing the data on the phone itself, and others who prefer the data to be stored securely with the application’s provider in an encrypted or tokenized form to reduce the likelihood of misappropriation of data. The application-based model provides significant opportunities for value-add functionality, such as coupons or reservations.

In addition to these technologies, the eWallet, or at least the term, has become ubiquitous.  The eWallet allows users to link their payment cards to an application or device (usually an NFC chip) in order to facilitate payment.  Many companies are pursuing mobile payments through the adoption of the eWallet.

The next 12-18 months will be interesting in that the market will likely settle on a preferred model.  Of particular note is the very real possibility that the model that emerges will be a combination of those technologies discussed previously, or even one that has yet to be introduced.

Dr. Heather Mark, PhD; SVP Market Strategy

Recently, several prominent vendors within the payment card industry have begun to square off (pun intended) and have lobbed a number of ‘open letters’ to the industry in which they each make claims and accusations. You can read the letters here 1, 2, 3. While there is likely validity to at least part of each vendor’s letter and/or responses, their greatest impact is simply to add to the confusion within the payment card industry. Without dissecting each letter, it is fair to say that they each revolve around at least one of two concepts, encryption and/or authentication, and how each applies to security and/or fraud. Click each link to read a primer on Authentication and Encryption. This blog post will (hopefully) help shed some light on the concepts as they apply to the payment card industry and allow merchants to choose the correct solution.

Security of Payment Card Data

Without a doubt, ensuring the security of payment card data (credit and debit card data) is critical to every merchant’s ongoing success. The card brands (Visa, MasterCard, Amex, Discover, JCB) all have rules mandating that merchants protect data. Each requires compliance with the Payment Card Industry Data Security Standard (PCI DSS). One of the most effective methods of protecting payment card data is to ensure it is rendered unreadable, through encryption or other methods, when at rest (i.e. stored) and when transmitted. Encryption is not only effective but is one of the accepted methods required to comply with PCI DSS requirement 3.4. Encryption applies to both standard PCs and mobile devices such as smart phones. If a vendor is allowing data to be read from a swipe device attached to a smart phone and the device does not encrypt the data, then 1) it is not secure and 2) it is not compliant with the PCI DSS and other card brand rules. As a merchant you should never allow a device to transmit unencrypted payment card data from a mobile device.

Fraud Prevention

Fraud is defined as the use of deception for personal gain. Within the payment card industry we consider fraud the unauthorized use of a payment card for purchases. This could include stolen data that is used by a thief, or the use of a card by an unauthorized family member or friend. Fraud prevention is a complex topic. While we often hear about data breaches and their resulting fraud, the reality is that fraudulent transactions represent a very small percentage of payment card transactions. Visa’s Head of Global Payment System Security, Mr. Eduardo Perez, stated in an interview that global fraud was only about 6 basis points. This represents only about 6 cents of every $100 in transactions. There exist two basic methods of preventing fraud. The first is to protect payment card data from being stolen. The PCI DSS and various state laws are focused on ensuring that data is not stolen. One of the most effective methods of ensuring data is not stolen is to ensure that it is protected with appropriate encryption and other security controls. Merchants and 3rd party service providers (like ProPay) have an important role to play in the protection of data. Ensuring that you are in compliance with the relevant rules and are using technology that adequately protects data both at rest and in transit is critical. Using encrypted swipe devices on mobile terminals is not optional when it comes to ensuring that data is protected from compromise.

While this works well on data that is at rest or being transmitted, it does not address data that is stolen from ‘skimmed’ cards, where humans handle the cards and swipe them through magnetic stripe readers that are designed to copy payment card data. The second, and most effective, method of reducing fraud is through advanced authentication. The card brands currently have a number of authentication programs that are designed to minimize fraud. These include AVS, CVV, CVV2, EMV, 3DSecure, and PIN authentication. You can read more about this in Security 101: Authentication. It should be noted that as a merchant your responsibility is to ensure that you require the appropriate authentication for the appropriate type of transaction. For example, if you accept card payments from a website, you are well served to require either CVV or AVS or both, so that you have greater confidence that the card being used is in the possession of the authorized user. One of the ‘open letters’ to the industry made some very pointed comments related to fraud prevention and authentication being the responsibility of the hardware vendor. As a merchant your role is to ensure that you require the appropriate authentication for the appropriate transaction. If you follow the card brand rules for authentication you are protected from fraudulent transactions. Developing and approving new authentication tools and mechanisms is the domain of the card brands and banks. It is simply not accurate to suggest that hardware vendors or 3rd party processors have a role in developing or requiring new authentication tools. The letter is right in that every participant plays a role in fraud prevention. Consumers should protect their cards; merchants should use technology that supports data security (encrypted swipe devices, for example); 3rd party vendors (like ProPay and others) should continue to develop technologies such as tokenization and encrypted swipe devices that enable merchants to protect data; and banks and card brands should continue to evaluate new authentication technologies which can reduce the incidence of fraud.

The Great Trade-Off

I used to conduct PCI related training for Visa and the PCI SSC throughout the world. Invariably someone in the US would ask when the US was going to move to Chip and PIN like in the UK. Their question was usually followed by a statement similar to the following: “If the US moved to Chip and PIN, we would eliminate fraud. This should be enough to get the merchant onboard.” My response was simple. I would ask them how much they were personally willing to spend to upgrade to Chip and PIN. Would they be willing to spend $50 for every $25 in fraud they could prevent? The answer was always a predictable and emphatic ‘No’. I would also ask if they were willing to reduce their acceptance of payment cards by 25% if they could reduce their fraud by 10%. Again, the answer was ‘No’. This is the challenge with fraud prevention and security. There are many people who will make definitive statements about how to prevent fraud without considering the impact to acceptance and the overall cost. There is a trade-off between security and convenience/cost. When faced with a belligerent attendee who refused to consider the trade-off, I would state with absolute confidence that I could prevent 100% of their payment card fraud. When they asked how, I would simply suggest that they not accept payment cards. This was never an acceptable option, as they knew that without payment cards their sales would drop significantly. Again, this demonstrates the trade-off. When faced with losing sales, suddenly the prospect of fraud was more palatable.

Summary

Of the three letters referenced previously, Verifone was closest to the mark when they advocated using encrypted swipe devices for mobile phones. ProPay agrees with this position, and our own JAK product ensures that data is encrypted at the device and employs DUKPT key management as discussed in the Encryption post. This supports merchants’ PCI DSS compliance and provides significant information security benefits by ensuring that IF the data is ever stolen or intercepted from the device, it is useless to the thieves. As a mobile merchant, ensure you are using an encrypted swipe device. This supports compliance with PCI DSS and prevents your customers’ data from being stolen. Also ensure you are accepting the appropriate authentication for the type of transaction. If you follow the rules you are protected in the instances where there may be fraud.

Chris Mark, EVP; Data Security & Compliance

This is intended to be complementary to the post: Security 101: Authentication.

Encryption is explained in Wikipedia as:  “…the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as ciphertext). In many contexts, the word encryption also implicitly refers to the reverse process, decryption (e.g. “software for encryption” can typically also perform decryption), to make the encrypted information readable again (i.e. to make it unencrypted).”

At a high level, encryption requires three elements (yes, this is a very basic primer): 1) the plaintext or input, 2) the algorithm and 3) the key(s). The value of encryption is based upon the strength of the algorithm and the length of the key(s). All industry accepted or government approved algorithms are in the public domain. As an example, you can read about the 3DES algorithm here. As stated by Auguste Kerckhoffs in the 19th century: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” Understanding this point, it is fair to say that the key provides the proverbial “keys to the kingdom” in encryption and as such the keys need to be protected.

With this in mind, there are two basic types of encryption, which rely upon different methods of key management. The first type of encryption is known as symmetric key (or private key) encryption and relies upon a single key (or trivially related keys) to encrypt and decrypt the data. Symmetric key algorithms are those used every day and include 3DES, AES, and Twofish. The challenge with private key encryption is that the key must remain private. The other form of encryption is known as asymmetric or public key encryption. In public key encryption two mathematically related keys are employed. The first key, known as the public key, is used to encrypt the data, while only the mathematically related private key can be used to decrypt the data. Public key cryptography is often used to secure email and provide digital signatures for electronic documents. The value of public key encryption is that the encrypting key (the public key) can be distributed and does not need to be protected, as only the related private key can be used to decrypt the data. A well-known email encryption program called Pretty Good Privacy (PGP) uses public key cryptography to secure email.

A variation on public key cryptography that was patented by Visa is known as Derived Unique Key Per Transaction (DUKPT).  In DUKPT, every single transaction uses a new key that is generated from the preceding transaction.  In this model, if a single key is compromised the preceding and following transactions are protected.  DUKPT is specified in ANSI X9.24 part 1 and is used to encrypt PIN based transactions.

At a high level, encryption allows data to be rendered unreadable to anyone without the proper key. With the proper key the data can be decrypted into its original form and read. As stated previously: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” If employed correctly and the keys are appropriately secured, the data is protected. It is this premise that provides the value of encryption.
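An added example, not the page’s own code nor ProPay’s JAK product nor the full ANSI X9.24 DUKPT scheme, showing the encrypted-swipe model from the Security of Payment Card Data section together with the unique-key-per-transaction idea described above: each transaction key is derived symmetrically from a shared base key and a counter with a one-way function (as X9.24 DUKPT derives its symmetric transaction keys from a base derivation key), the reader encrypts the track data with AES-GCM, and the processor re-derives the key to decrypt. The base key value, the counter format and all function names are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// baseKey is a constructed placeholder for the secret shared by the reader and the processor.
var baseKey = []byte("constructed-base-key-32-bytes!!!")

// counterBytes encodes the transaction counter that accompanies each message.
func counterBytes(counter uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, counter)
	return b
}

// deriveTxnKey derives a fresh AES-256 key per transaction with HMAC-SHA256. HMAC is
// one-way, so a captured transaction key reveals neither the base key nor any other key.
func deriveTxnKey(counter uint32) []byte {
	mac := hmac.New(sha256.New, baseKey)
	mac.Write([]byte("txn-key"))
	mac.Write(counterBytes(counter))
	return mac.Sum(nil)
}

func txnAEAD(counter uint32) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveTxnKey(counter))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAtSwipe models the reader: track data is encrypted inside the device, and only
// ciphertext plus the counter (never a key) is handed to the phone for transmission.
func encryptAtSwipe(counter uint32, track []byte) ([]byte, error) {
	gcm, err := txnAEAD(counter)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The counter is bound as associated data so it cannot be altered in transit.
	return gcm.Seal(nonce, nonce, track, counterBytes(counter)), nil
}

// decryptAtProcessor re-derives the key from the counter; a wrong key or a tampered message is an error.
func decryptAtProcessor(counter uint32, msg []byte) ([]byte, error) {
	gcm, err := txnAEAD(counter)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, counterBytes(counter))
}
```

Calling encryptAtSwipe(7, track) at the reader and decryptAtProcessor(7, msg) at the processor recovers the track data, while decryptAtProcessor(8, msg) derives a different key and fails GCM authentication, which is the property that makes a single intercepted key useless for other transactions.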

Chris Mark, EVP; Data Security & Compliance

Recently I found myself in a discussion with a person about a particular feature of payment cards. When I started discussing the concept of authentication, the look on the other person’s face told me that I was discussing a completely foreign subject. While this is not a dissertation on security, authentication is a vital component of information security and fraud prevention within the payment card industry. For this reason, it is important to have an understanding of the concept and how it applies to our daily lives.

Authentication is described on Wikipedia as: “the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true”.

There are three generally accepted factors of authentication: 1) something you know (like a password), 2) something you are (biometrics like fingerprints or iris scans), and 3) something you have (like a token). Each of these factors alone has some value and may be sufficient to demonstrate with an appropriate degree of confidence that you are the person who is authorized to access the resource.

Access control is a combination of authorization and authentication. Authorization is simply the approval to access a particular resource. Consider a work environment where you are required to use a badge reader to enter the building. As an employee you are authorized to enter the building. To ensure that it is truly you (the authorized party) entering the building, you need to provide some evidence that you are who you say you are. In many cases, the authentication mechanism is a proximity card that is waved and the door opens. The proximity card is a token and would be considered a single factor of “something you have.”

When you get to your desk you need to access your work computer. As an employee, you are authorized to access your email and certain applications. To log into the system you enter a username (the system knows the person who owns this username is authorized to access certain resources) and then you enter your password. This password (something you know) is a single factor of authentication that tells the system with some degree of confidence that you are the person that matches the username.

In both of these examples the astute reader has likely identified the vulnerability of single-factor authentication. In the first example a thief may have stolen the badge and may be masquerading as the legitimate user. In the second example a person may have shared their password with another, or the password may have been stolen, in which case an ‘unauthorized’ person could also masquerade as a legitimate, authorized user. When it is necessary to have an increased level of assurance that the authorized person is indeed the one accessing the resource, two factors of authentication can be used. For the solution to truly be considered two-factor authentication, it requires two of the three types of factors to be used simultaneously. In high security areas it is common to see two-factor authentication used.

Consider an example where you bank online. Due to the sensitive nature of your account (and FFIEC regulations) the bank wants to have assurance that only the authorized account holder is accessing the account. Since the bank website is accessed over the internet, the bank is limited in its ability to confirm the identity of the user. A password alone is not sufficient, as a password can be stolen or shared. In this scenario a bank would use a second factor of authentication. While it does not guarantee that the person using the authentication mechanism is the authorized user, it provides a much greater level of assurance than a password alone.

Payment cards possess a number of authentication mechanisms. The objective is to authenticate the transaction or user and reduce the incidence of fraud. In card-not-present transactions such as ecommerce purchases, the CVV2 number is often used to authenticate the card. Since the number is only printed on the card and it is against card brand rules (PCI DSS) to store the CVV2, the assumption is that if someone can input the CVV2 they are in possession of a valid card. Unfortunately, it is this fact that makes CVV2 such a valuable target for data thieves. More robust authentication mechanisms include 3DSecure (Verified by Visa, MasterCard SecureCode), EMV (Europay, MasterCard, Visa) and the PIN used in debit transactions. While each of these technologies increases the level of assurance that the authorized user is making a legitimate transaction, none of them guarantees it.

Authorization is a critical component of any information security or fraud prevention system. Understanding the basics of authentication can help users better manage the security of their payment cards.

Chris Mark, EVP; Data Security & Compliance

An article on Foxnews today reports that the French Government is the victim of a “spectacular” cyberattack which originated in China. The French government disclosed that it has been a victim of a targeted attack from IP addresses in China which was focused on documents on international economic affairs. The hackers were searching for documents related to the G20, which the French are leading this year. The Group of 20, or more informally the G20, was established in 1999 to: “bring together systemically important industrialized and developing economies to discuss key issues in the global economy. The inaugural meeting of the G-20 took place in Berlin, on December 15-16, 1999, hosted by German and Canadian finance ministers.”

Regarding the ‘spectacular’ description of the attack, the French government concedes it has been under constant and sustained attack since December 2010. Patrick Pailloux, director general of the French National Agency for Information Technology Security, said of the attacks: “The actors were determined professionals and organized. It is the first attack of this size and scale against the French state.”
