EMV Card Information Protection Standard
Organization of technological interaction between the processor and the bank’s services
The daily activities of the processing center units and their interaction with financial institutions and payment systems are regulated by procedures.
The procedures of the processing center should be formalized, approved by the heads of the departments involved, and reviewed regularly at a defined interval.
Security of processing centers
One of the most important practical aspects of the functioning of the bank’s processing center is to ensure its security. Unlike conventional information systems, the bank’s processing center contains information about the details that allow access to customers’ money, and compromising this data can lead to significant financial losses. That is why a significant share of the costs of creating and operating a processing is associated with security costs.
Let’s consider some aspects of the security of processing centers.
Physical security – implies restricting the access of unauthorized personnel to the premises of the data processing and personalization centers, as well as the resistance of these buildings to external influences. Access control systems should be used in office premises and technical zones, and security alarm and video surveillance equipment should be used in special-regime zones.
Organizational and technical security – implies the existence of a security service (security officers). Mandatory measures include procedures regulating the life cycle of cryptographic keys (key management), procedures for accessing data and cryptographic material together with their enforcement, and audit procedures.
The information system of the processing center should use means of authentication, access control and audit.
A mandatory rule should be the presence of separate environments for the development, testing and operation of applications, with the removal of the operating environment into a separate hardware and software complex. All new software and hardware must first be tested in specially designated environments. It is also desirable that separate departments of the processing center should be engaged in the development and maintenance of the system.
Transactional security is a set of measures aimed at ensuring the integrity of information exchange between hosts and devices, preventing data falsification, and making it impossible to recover PIN codes from transaction data. Technically, it is provided by using a multi-stage key hierarchy for encrypting PIN blocks (one-time session keys for devices, transport keys for interfaces), by using MAC codes (Message Authentication Code) to confirm the integrity of messages, and by using encryption hardware (HSM — Hardware Security Module) to store cryptographic material and perform PIN translation and PIN verification operations.
It is also important to check that the transaction data matches the magnetic stripe data of the card, as well as the data in the processing database — this allows card-guessing attempts (brute-forcing of card data) to be cut off.
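The two mechanisms just described, as an added example that is not part of the original text: construction of an ISO 9564-1 format 0 PIN block (the clear block that a PIN pad encrypts under its session key before it leaves the device) and a MAC over the fields of an authorization request, with the check that a message whose amount was altered in transit is rejected. HMAC-SHA256 is used here as a stand-in for the retail MAC algorithm an HSM would apply; the key, PAN, PIN and message fields are constructed for the demo.

```python
import hmac
import hashlib

def pin_block_format0(pin: str, pan: str) -> bytes:
    """Build an ISO 9564-1 format 0 PIN block.

    Field 1: control digit 0, PIN length (one hex digit), PIN digits, F padding
             to 16 hex digits.
    Field 2: 0000 followed by the rightmost 12 PAN digits excluding the check digit.
    Result:  field 1 XOR field 2.

    This is the clear block; in production the PIN pad encrypts it immediately
    under a device session key, so it never travels in the clear.
    """
    if not (4 <= len(pin) <= 12) or not pin.isdigit():
        raise ValueError("PIN must be 4-12 digits")
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    field1 = f"0{len(pin):X}{pin}".ljust(16, "F")
    field2 = "0000" + pan[-13:-1].rjust(12, "0")
    return bytes(a ^ b for a, b in zip(bytes.fromhex(field1), bytes.fromhex(field2)))

def mac_message(key: bytes, fields: dict) -> str:
    """MAC over a canonical serialization of the message fields.

    Fields are sorted so both ends serialize identically; HMAC-SHA256 stands
    in for the retail MAC (ISO 9797-1) that host/HSM interfaces normally use.
    """
    payload = "|".join(f"{name}={fields[name]}" for name in sorted(fields)).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_message(key: bytes, fields: dict, mac: str) -> bool:
    """Constant-time comparison of the received MAC with a recomputed one."""
    return hmac.compare_digest(mac_message(key, fields), mac)

def tamper_detected(key: bytes) -> bool:
    """Demo: a genuine request verifies, the same request with a changed amount does not."""
    # Constructed authorization request (ISO 8583-style field names, test PAN).
    request = {
        "mti": "0200",
        "pan": "4111111111111111",
        "amount": "000000010000",   # 100.00 in minor units
        "stan": "000123",
        "pin_block": pin_block_format0("1234", "4111111111111111").hex(),
    }
    mac = mac_message(key, request)
    forged = dict(request, amount="000000000100")  # amount lowered in transit
    return verify_message(key, request, mac) and not verify_message(key, forged, mac)

if __name__ == "__main__":
    print(pin_block_format0("1234", "4111111111111111").hex().upper())  # 041225EEEEEEEEEE
    print("tampering detected:", tamper_detected(b"constructed-demo-key"))
```

The PIN block binds the PIN to the PAN, so a block captured for one card cannot be replayed against another; the MAC covers the PIN block together with the amount and other fields, so neither can be altered without the host noticing.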
Risk management consists in the use of technical means and organizational procedures that minimize or control various categories of risks.
Technical means of risk management include the use of software and hardware tools that allow analyzing authorization traffic, a database with transaction history and claim cycle messages and detecting various kinds of attacks and probable fraud based on rules (rule-based) or neural networks.
Organizational and technical means include interfaces with the databases of international payment systems containing information about cases of fraud and unfair business practices, for example System to Avoid Fraud Effectively (SAFE), Member Alert to Control High-risk (MATCH) and National Merchant Alert System (NMAS).
Organizational risk management tools include the verification and certification of personnel with access to critical data.
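A rule-based screen of the kind applied to authorization traffic, as an added example that is not part of the original text: three constructed rules (transaction velocity per card, a high-amount threshold, and a change of merchant country within a short window) run over a constructed authorization history. The thresholds, field layout and transactions are assumptions for the demo; a production system would add many more rules, tune the thresholds and score rather than simply flag.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization history: (timestamp, PAN, amount in minor units, merchant country).
SAMPLE_AUTHS = [
    ("2024-05-01 10:00:00", "4111111111111111", 2500, "DE"),
    ("2024-05-01 10:02:00", "4111111111111111", 3000, "DE"),
    ("2024-05-01 10:04:00", "4111111111111111", 2800, "DE"),
    ("2024-05-01 10:05:00", "4111111111111111", 2600, "DE"),   # 4th in 10 minutes
    ("2024-05-01 10:30:00", "4111111111111111", 150000, "BR"), # large, other country
    ("2024-05-01 11:00:00", "5555444433332222", 4000, "FR"),
]

# Demo thresholds (assumptions).
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3          # more than this many authorizations per card in the window
HIGH_AMOUNT = 100000      # minor units
GEO_WINDOW = timedelta(hours=2)

def screen(auths):
    """Evaluate each authorization against the earlier ones for the same card.

    Returns {index: [rule names]} for every authorization that trips at least
    one rule; authorizations are processed in order, as they would arrive.
    """
    history = defaultdict(list)   # PAN -> list of (timestamp, amount, country) already seen
    flags = {}
    for idx, (ts_str, pan, amount, country) in enumerate(auths):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        prior = history[pan]
        reasons = []
        # Velocity: count earlier authorizations inside the window, plus this one.
        recent = [p for p in prior if ts - p[0] <= VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_MAX:
            reasons.append("velocity")
        # Single-transaction amount threshold.
        if amount >= HIGH_AMOUNT:
            reasons.append("high_amount")
        # Merchant country differs from a recent authorization on the same card.
        if any(p[2] != country and ts - p[0] <= GEO_WINDOW for p in prior):
            reasons.append("country_change")
        if reasons:
            flags[idx] = reasons
        prior.append((ts, amount, country))
    return flags

if __name__ == "__main__":
    for idx, reasons in screen(SAMPLE_AUTHS).items():
        print(idx, SAMPLE_AUTHS[idx], reasons)
```

Rules like these are cheap to evaluate inline during authorization; the neural-network approaches the text mentions are usually applied to the stored transaction history, where latency matters less.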
The security of personalization procedures should be ensured even at the design stage of the center, based on the requirements of subsequent certification in international payment systems. In particular, the layout and design of the premises should provide for a number of zones (production zone, receiving and transmitting zone, PIN envelope printing zone, storage area, etc.) equipped with technical means of access restriction, monitoring and auditing. Special attention should also be paid to the recruitment of personnel.
Payment Card Industry Information Security Standard (PCI DSS)
In 2006, the PCI Security Standards Council, formed by five leading payment systems (American Express, Discover Financial Services, JCB, MasterCard and VISA), published a standard for information protection in the payment card industry — the Payment Card Industry Data Security Standard (PCI DSS).
This standard combines the requirements of a number of regulatory documents of payment systems in the field of information protection, in particular:
• Visa Europe & other regions: Account information security (AIS);
• Visa USA: Cardholder information security (CISP);
• MasterCard: Site data protection (SDP).
The requirements of the standard apply to all companies (processing centers, payment gateways, Internet providers) working with international payment systems. Depending on the number of transactions processed, each company is assigned a certain level with an appropriate set of requirements that they must fulfill. The requirements of the standard provide for annual audits of companies, as well as quarterly network scans performed by certified auditors.
The PCI DSS standard establishes the following control areas and 12 basic requirements that an organization must meet in order to be certified for compliance with the standard.
I. Building and maintaining a secure network
1. Creating and maintaining a firewall configuration to protect cardholder data;
2. Non-use of system passwords and other security parameters set by default by solution providers.
II. Protection of cardholder data
3. Ensuring the protection of cardholder data during storage;
4. Ensuring the transfer of cardholder data in encrypted form when they are transmitted through unsecured and public networks.
III. Vulnerability Management Program support
5. Use and regular update of antivirus software;
6. Development and support of secure systems and applications.
IV. Implementation of strict access control measures
7. Restriction of access to data on the principle of official necessity;
8. Assigning a unique identifier to each person who has access to a computer;
9. Restriction of physical access to cardholder data.
V. Regular monitoring and testing of networks
10. Recording and tracking all sessions of access to network resources and cardholder data;
11. Regular testing of security systems and processes.
VI. Maintenance of information security policy
12. Availability and implementation of the information security policy in the organization.
In this section, we have briefly tried to highlight the main aspects related to the processing of bank card transactions — technological issues of processing organization, organizational structure, procedures and security issues.
Without claiming complete coverage of these issues, we hope that the above material will be useful to the reader both for a general study of the subject and in the implementation of specific projects.
Payment card service equipment
Terminals, ATMs and PIN pads are front-end devices for servicing bank cards, installed in trade and service enterprises (integrated into the acquiring networks of payment systems) and in bank service points (bank branch terminals). Since this equipment works in cooperation with authorization centers (AC), its functionality largely depends on the solution used in the AC (for example, if the AC maintains bonus accounts for customer loyalty programs, then the terminal implements payment from the customer’s bonus account). All bank card acceptance devices are subject to special security requirements regulated by the payment systems whose cards are serviced. The devices are subject to mandatory certification.
POS terminal equipment
A trading terminal for card servicing is usually serviced by a cashier, but it can also be a self-service system (for example, a ticket vending machine).
The first devices for accepting bank cards in trade and service enterprises were manual imprinters, which provided the possibility of obtaining an impression of the embossed data of a plastic card (card number, expiration date, last name of the holder) on a special trade receipt (slip), on which the transaction amount was then indicated and the client’s confirming signature was put.
The first electronic POS terminal is considered to be a device supplied by Visa to a retail outlet in 1979. It was cumbersome and inconvenient, and a card transaction on it could take up to 5 minutes.
Since then, many technologies in related fields (electronics, cryptography, communications) have changed, microprocessor (chip) cards have replaced magnetic stripe cards, and the requirements for the security and duration of card transactions have increased, but the purpose of POS terminals has not changed — payment for goods and services in trade and service enterprises using a payment bank card.
At the same time, the main criteria remain security and speed of service. According to experts, reducing the transaction time by just 1 second can save a large chain of stores large sums on cashiers’ salaries alone. The effect on customer impressions is even more significant. According to a sociological study conducted by NCR in Europe, the main impression people take away from a regular shopping trip is the irritation caused by queues, especially in the checkout areas of supermarkets. Since the standard of living is, in general, growing all the time, people transfer their positive impressions to all other spheres of activity and form inflated expectations. As a result, queues in stores annoy them in particular. In fact, 54% of Europeans spend between half an hour and four hours in queues weekly.
In addition, the Russian branch of the VISA payment system, in a letter dated January 31, 2007, put forward recommendations on the transaction time on the POS device: for retail outlets with more than 750 VISA card transactions per month, the maximum allowable transaction time is no more than 30 seconds in the case of 90% of transactions. It can be assumed that other payment systems will soon control this important technical parameter.
The main types of devices and their capabilities
Types of devices. Despite the commonality of the tasks to be solved, the range of POS terminals is quite wide, which is caused primarily by attempts to solve the business problems of the seller (merchant in the terminology of international payment systems) in relation to his business processes or topological model.
One of the tasks of the seller is the automation of the trade and service enterprise. By this criterion, POS terminals are divided into attended systems (serviced by an operator or cashier) and unattended automated systems, on which the customer performs all operations in self-service mode.
Self-service terminals are installed at automated gas stations, at ticket sales points, in payphones and wherever automated delivery of goods or services is carried out. Accordingly, they are subject to requirements for vandal resistance and for remaining operational over a wide temperature range.