EMV in e-commerce systems

At the moment, it makes no sense to define the term “e-commerce” itself, since over the past 5-7 years there has been a qualitative leap in the development of systems through which customer service is provided over open communication channels. First of all, it should be noted that two large classes of e-commerce systems have appeared: commerce on the Internet (e-commerce) and commerce using mobile phones (m-commerce). The reason is that, historically, the Internet and mobile operator services have developed differently in different regions and countries. For example, in Europe and Asia, mobile services are developing at a faster pace than the Internet, and vice versa in the USA. That is why these two classes arose. E-commerce systems are based on the principle of providing services over communication channels built on public networks. M-commerce systems use the channels of mobile operators for these purposes; the main problem with using those channels for commerce is their relatively high cost and low bandwidth, which limits the ability of outlets to provide information about their services. That is why, at the moment, outlets that want to provide the most complete information about a product do so on their websites on the Internet. Mobile channels are mainly used to provide services that do not require additional information (for example, payment for the services of mobile operators, digital TV, etc.), although there are successful exceptions, such as the sale of electronic tickets, which is convenient, fast and practical.

Considering the means of making payments, two main types of payment means can be distinguished:
* anonymous means of payment;
* authorized means of payment.
The category of anonymous means of payment includes all possible means of electronic payments, the receipt of which does not require the client to provide official identity documents, or the data of such documents cannot be associated with the client during the payment transaction. An example is prepaid cards, the purchase of which can be made for the customer’s cash without the latter’s identity card.
Authorized means of payment are, as a rule, means of managing the client’s bank account. A classic example is a payment bank card or other electronic means of payment that make it possible to uniquely authenticate the client. In this case, various means of electronic authentication are meant, ranging from electronic keys to special applets for smart cards, PDAs and smartphones.
For a more complete understanding of the order of interaction of all participants in the e-commerce process, let’s consider the basic schemes of organizing services and providing payment services in public networks.

The first scheme is the procedure for providing services and making payments in the case when the service provider (point of sale) itself provides the full set of services. In this scheme, the point of sale supports both the functions of an electronic store and a payment service. This means that the customer chooses a service or a product and pays for it, as a rule, within a single hardware and software complex operated by this service provider. In other words, the point of sale enters into an agreement with the acquiring bank for the authorization of payment transactions, and the client provides the data of his means of payment (most commonly, bank card details) directly to the store. In this case, the point of sale will make the payment and store the client’s confidential information. Payment security (fraud monitoring) will also be a function of the software operated by the point of sale. This solution is quite expensive, so only a few large companies (for example, large airlines) can afford it. The obvious advantage of this solution is that the outlet has complete information about the client, which allows it to manage the servicing of the client effectively.
To reduce the cost of implementing the functionality of the payment service, another scheme of interaction between a point of sale and other e-commerce participants is currently most common.

In the second scheme, the payment service is provided to the store by other participants. Such participants can be either an issuing bank or a specialized company that authorizes transactions for retail outlets operating in the field of e-commerce. This scheme has more advantages, since the cost of servicing one outlet is reduced and a centralized system is created for applying security policies and fraud monitoring. Such schemes are less expensive both for stores and for payment service providers; here the principle “everyone should do their own thing” applies.
It should be noted that neither of the above schemes solves the issue of payment security in general. The entire responsibility for making the payment lies with the acquiring bank or the point of sale (depending on the terms of the acquiring service agreement), but none of the participants in such customer service schemes can guarantee the complete authenticity of the cardholder, or the authenticity of the point of sale at which the payment transaction is made.

* 1 – the customer selects the goods on the point of sale website and creates a shopping cart, then goes to the purchase payment page;
* 2a – the payment amount, purchase identifier and point of sale identifier are transmitted through the client’s browser to the MPI module (the component that communicates between the point of sale and the payment service’s DS) to obtain information about the participation of the issuing bank and this card in the 3D-Secure program;
* 2b – if the issuing bank registered in the payment system has an ACS server and the card number is present in the table of card ranges allocated for participation in the program, the request is transmitted to the ACS of the corresponding issuer;
* 2c, 2d – the client’s card data is compared with the data of the registered cards to authenticate the client. The response is transmitted to the DS server and then to the MPI module. In this case, the DS server serves as a universal center confirming the data transmitted by the issuing bank’s ACS and signing the issuing bank’s response with the payment system key;
* 3a, 3b – client authentication request data is transmitted via the browser to the ACS. In fact, a direct secure channel is established between the client and the issuing bank’s ACS;
* 4 – the client enters his password or secret code data that uniquely authenticates him;
* 5a, 5b – the ACS server response data is transmitted to the MPI module for subsequent decision-making on authorization of this transaction;
* 6 – the acquiring bank’s processing center conducts a standard payment authorization procedure using the fields returned by MPI to indicate the results of client authentication.

To solve this problem, the VISA and MasterCard payment systems have developed a fundamentally new scheme that allows the cardholder and the point of sale to be unambiguously authenticated during the payment process. Thus, it becomes possible to divide the responsibility between the participants. It should also be noted that this scheme allows the use of various authentication methods, not limited by the rigid framework of the exchange protocol between the host and the payment service. Below is a brief description of the third scheme of interaction of participants during a payment transaction, the one using the 3D-Secure protocol.
The electronic payment security program in the Internet environment was launched by Visa in 2003; it was called Verified by VISA (VbV) and was based on the 3D-Secure protocol for secure payment transactions. MasterCard started using a similar program in 2004. This program was called MasterCard SecureCode, and it is based on the same type of protocol.
(Figure: the general scheme of interaction of participants when using the 3D-Secure protocol; its steps 1–6 are listed above.)
If the issuing bank does not participate in security programs or does not support the 3D-Secure protocol, steps 2b-5b are not carried out. The acquiring bank specifies this in a separate field of the payment transaction authorization protocol.

At the moment, the certification carried out by the VISA system for acquiring banks has become de facto mandatory for obtaining an acquiring license in the field of e-commerce. MasterCard does not require mandatory certification of acquiring banks, but they, as a rule, to ensure the security of the system as a whole, voluntarily carry out full certification. Certification of issuing banks in the field of e-commerce is currently mandatory only if the ACS component and the 3D-Secure protocol are used.

Ensuring the security of operations

The security of using payment services is one of the most important issues in the field of e-commerce. First of all, it is necessary to understand what risks may be applicable to each of the participants in the process of using an electronic payment service. Here is a far from complete list of risks that participants are exposed to:
* client’s risks:
  * non-receipt of a service, or receipt of a service that does not meet quality requirements;
  * discrediting of the client’s means of payment;
* seller’s risks:
  * the client’s repudiation of the rendered service;
* acquirer’s risks:
  * provision of authorization services to a “bad” seller;
  * provision of authorization services to a “bad” client;
* issuer’s risks:
  * provision of authorization services to a person who does not have the right to use this means of payment;
  * provision of authorization services to a “bad” client.

A “bad customer” is not only a customer who refused a service and demands a refund (as a rule, such incidents are resolved by the seller or service provider). This term refers, rather, to fraudsters or, legally speaking, to people who purposefully use means of payment that do not belong to them (in general, it does not matter what kind of means of payment it is: a card or any other means of access to the account). The problem of the “bad client”, as you know, is not new; the appearance of such clients is provoked by two factors: anonymity and relative impunity (it is not worthwhile to pursue every card fraudster). The solution to this problem may lie in the creation of a clear e-commerce security system, which should include:
* rules for assessing and limiting the possibility of illegitimate use of payment means (fraud monitoring and authentication);
* creation of an economic base for the protection of anonymous payments.
The economic basis for the protection of anonymous payments provides for limiting the client’s ability to make a payment in an anonymous mode. This means that the client can make a limited number of attempts to make such a payment for a small amount. Thus, the use of anonymous payments for carders becomes simply unprofitable, and therefore of little interest (which is why most electronic payment systems strive to limit the possibilities of anonymous customers as much as possible).

Fraud monitoring is certainly an important part of e-commerce systems. Fraud monitoring systems are based on two mechanisms: (1) static filters and (2) analysis of accumulated transaction data in order to search for payments with a high risk of fraud. Static filters are the simplest method of reducing the risk of payment transactions. As a rule, filters are part of the security policy agreed by the point of sale and the payment service. Analysis of accumulated transaction data can reveal a sequence of “bad customer” transactions that raises concerns (for example, using cards of several countries at the same time).
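The two mechanisms named above, as an added example (not code from the article): a small Python model that applies static filters (an assumed amount ceiling and blocked-BIN list) and then scans accumulated transactions for one customer paying with cards issued in several countries within a short window. All identifiers, thresholds and sample transactions are constructed assumptions.

```python
"""Toy fraud-monitoring model: static filters plus accumulated-data analysis
(added example, not code from the article; names, thresholds and the sample
transactions are constructed assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_AMOUNT = 500.0           # assumed static filter: per-transaction ceiling
BLOCKED_BINS = {"999999"}    # assumed static filter: card BINs not accepted
COUNTRY_LIMIT = 2            # assumed: cards from more than 2 issuer countries
WINDOW = timedelta(hours=1)  # used by one customer within an hour is flagged


def static_filter(t):
    """Return why a transaction fails a static filter, or None if it passes."""
    if t["amount"] > MAX_AMOUNT:
        return "amount over limit"
    if t["pan"][:6] in BLOCKED_BINS:
        return "blocked BIN"
    return None


def analyse_history(transactions):
    """Customers whose cards came from > COUNTRY_LIMIT countries inside one WINDOW."""
    by_customer = defaultdict(list)
    for t in sorted(transactions, key=lambda x: x["time"]):
        by_customer[t["customer"]].append(t)
    flagged = {}
    for cust, txs in by_customer.items():
        for i, first in enumerate(txs):          # slide the window over each start
            seen = {t["country"] for t in txs[i:]
                    if t["time"] - first["time"] <= WINDOW}
            if len(seen) > COUNTRY_LIMIT:
                flagged[cust] = sorted(seen)
                break
    return flagged


def monitor(transactions):
    """Static filters first; history analysis only over what they let through."""
    rejected = {t["id"]: static_filter(t) for t in transactions if static_filter(t)}
    return rejected, analyse_history([t for t in transactions if t["id"] not in rejected])


# Constructed sample (fake PANs): c1 cycles through DE, FR and US cards in 20 minutes.
SAMPLE = [{"id": i, "customer": c, "pan": p, "country": k, "amount": a,
           "time": datetime(2024, 1, 1, 10, m)} for i, c, p, k, a, m in [
    (1, "c1", "4111110000000001", "DE", 40.0, 0),
    (2, "c1", "5100000000000002", "FR", 35.0, 10),
    (3, "c1", "9999990000000003", "RU", 20.0, 15),
    (4, "c1", "4000000000000004", "US", 60.0, 20),
    (5, "c2", "4111110000000005", "DE", 900.0, 5),
    (6, "c2", "4111110000000006", "DE", 30.0, 30)]]
```

Running `monitor(SAMPLE)` rejects transactions 3 and 5 on the static filters and flags customer c1 on the accumulated-data rule, while c2 passes.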
Client authentication ensures the legitimacy of the use of the payment method.

User authentication tools

The classic method of authenticating the client is still a combination of a unique name, for which the card number is usually used, and a password specified by the client at the time of registration in the electronic payment system. Unfortunately, this method is not secure enough to serve as a universal authentication method for e-commerce services in general. Recently, methods of forming a unique one-time password have been increasingly developed; these include One Time Password (OTP) algorithms. OTP methods belong to the two-factor authentication methods. They are based on an algorithm that generates a cryptogram from a secret key held on a secure medium (for example, a smart card), which is factor 1, together with a client PIN code for accessing the data on that medium, which is factor 2; the cryptogram is then presented in the form of a so-called “token”, a set of decimal or symbolic characters (words). The token makes fast and error-free entry of the password data into authentication systems possible.
At the moment, the implementation of OTP as a separate application on the card may be of the greatest interest when cards of international payment systems are used as a means of payment. To get a one-time password, it is enough to use a card with such an application and a special device in the form of a key fob that checks the card’s PIN code and displays the one-time password on a liquid crystal screen (as a rule, a 6-8 digit decimal number).
The VISA and MasterCard payment systems have their own implementations of such an application, built on the basis of the MasterCard Chip Authentication Program (CAP) standard; for the Visa payment system the application is called Dynamic Passcode Authentication (DPA). This application is based on the EMV standard and can be placed on a payment card together with the main payment application, which allows the issuing bank to use the card both as a means of payment and as a means of client authentication for access to services requiring strict authentication. Thus, a smart card is a truly universal means of accessing a client’s account.
(Figure: the change in the scheme of customer interaction with the ACS in payment systems using the 3D-Secure protocol; its steps 4a–4d are listed below.)

* 4a – transfer of the authentication form to the client;
* 4b – data entry for the formation of a cryptogram (token), performed using the additional device;
* 4c – token data entry into the authentication form;
* 4d – token data transfer to the ACS server and verification of the cryptogram data.
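A simplified model of the CAP/DPA token flow at steps 4b and 4d, added here and not taken from the article or from the payment systems’ specifications: the card checks the PIN (factor 2) and derives a decimal token from a key-based cryptogram over its transaction counter (factor 1), and the ACS verifies the token while refusing replays. It assumes HMAC-SHA256 in place of the EMV application cryptogram and invents the key, PIN, challenge and counter window.

```python
"""Simplified CAP/DPA-style one-time password (added example, not the article's
or the payment systems' code). Real CAP runs EMV GENERATE AC and compresses a
3DES/AES cryptogram with an issuer bitmap; HMAC-SHA256 is a labelled stand-in."""
import hmac
from hashlib import sha256

TOKEN_DIGITS = 8   # assumed: the article gives 6-8 decimal digits
ATC_WINDOW = 10    # assumed: ACS accepts up to 10 counter values it has not seen
PIN_TRIES = 3      # assumed: the card blocks after 3 wrong PINs


def cryptogram_token(key, atc, challenge):
    """Factor 1: cryptogram over the card counter and the ACS challenge, decimalised."""
    mac = hmac.new(key, atc.to_bytes(2, "big") + challenge.encode(), sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**TOKEN_DIGITS).zfill(TOKEN_DIGITS)


class CapCard:
    """Card-side application: keeps the key, checks the PIN (factor 2), counts ATC."""
    def __init__(self, key, pin):
        self._key, self._pin, self.atc, self.tries = key, pin, 0, PIN_TRIES

    def generate(self, pin, challenge):
        if self.tries == 0:               # PIN blocked: no cryptogram at all
            return None
        if pin != self._pin:
            self.tries -= 1               # a wrong PIN burns one retry
            return None
        self.tries = PIN_TRIES
        self.atc += 1                     # every cryptogram consumes a counter value
        return cryptogram_token(self._key, self.atc, challenge)


class Acs:
    """Issuer ACS side (step 4d): recomputes the token for the next counter values."""
    def __init__(self, key):
        self._key, self.last_atc = key, 0

    def verify(self, token, challenge):
        for atc in range(self.last_atc + 1, self.last_atc + 1 + ATC_WINDOW):
            if hmac.compare_digest(cryptogram_token(self._key, atc, challenge), token):
                self.last_atc = atc       # never accept this or an older counter again
                return True
        return False


def demo():
    """Constructed run: fresh token accepted, its replay refused, wrong PIN refused."""
    key = b"constructed-per-card-secret"
    card, acs = CapCard(key, "1234"), Acs(key)
    token = card.generate("1234", "48213")   # step 4b: reader checks PIN, card signs
    return (acs.verify(token, "48213"),      # step 4d: True
            acs.verify(token, "48213"),      # same token replayed: False
            card.generate("0000", "48213"))  # wrong PIN: None
```

The counter window lets the ACS resynchronise when the cardholder generated tokens that never reached it, while a token whose counter is at or below the last accepted value is always refused.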

In conclusion, I would like to note one important detail. The use of complex multi-factor authentication systems certainly increases the security of electronic and mobile commerce systems, but it does not solve all security issues. Authentication systems do not protect the user and the system from “man-in-the-middle” attacks (the attacker sits between the user and the electronic payment service and can perform actions on behalf of the user within an already established session); in this case, SSL/TLS channel protection protocols must be used. It is also necessary to protect the system from attacks using Trojan programs that allow an attacker to control the actions of the client directly on his computer. Protection in this case can be the use of an alternative channel for confirming the operation (for example, an SMS notification with the data of the operation performed). In the case of unauthorized actions, it is difficult for a fraudster to follow the user’s actions through the alternative channel.