Transaction Security Challenges & Solutions

Transcription

1 Transaction Security Challenges & Solutions A REPORT FROM NEWNET COMMUNICATION TECHNOLOGIES, LLC Copyright NewNet Communication Technologies, LLC. 700 East Butterfield Road, Suite 350, Lombard, IL

2 Payment Transactions & Security Risk Payment transactions seek authorization of transactions based on card swipe or wallet taps at POS or POI devices or card data typed from computers, tablets or smartphone and presented at web pages, for a swift and secure approval from banking authorization servers. While swiftness has certainly improved over the last few decades with modem speed increasing from 300bps to high speed connections and even mobile and broadband IP networks taking this into near immediate responses, security may still be miles away from being any close to what the industry wants and customers prefer. With a major industry analysis reporting 47,000 reported security incidents and 621 confirmed data breaches in 2013 and with 2,500 data breaches and 1.1 billion compromised records in the last decade, security of transactions is a major issue that needs to be addressed from all parties in the payment ecosystem. It is relevant to consider whether this high volume of breaches indicate the lack of technology or if it is the result of the technology adoption being sub-par due to lack of awareness and understanding and in some extreme cases due to the perception that cost of security is far more than the cost of fraud or security breach itself. Reported security breaches forms a combination of physical tampering, brute force hacking, malware/spyware to capture stored data or read and decode memory area, social engineering attempts at network and database access with the intent to obtain sensitive card holder information and similar personal identity information which can be further abused for fraudulent activities including unauthorized payment and other transactions. These activities are targeted at each and every entity in the payment ecosystem including the retailers, service providers, acquirers, processors, financial institutions including banks and third party processors and providers who partake in the payment transaction processes. One of the most vulnerable areas in the payment process is the availability of card data in clear text format after the point of presentation at retail or merchant location with a POS/POI terminal or on public networks which is highly vulnerable for exposure and fraud etc, before it reaches the authorization servers. The fundamental requirement to avoid a payment fraud or data breach is to avoid sensitive data being available on devices handling card data or on public networks in clear text. Especially since this data need to traverse the public networks across multiple heterogeneous network types, it is imperative that the card data is transformed from clear text into suitable encrypted forms. Targeted devices for potential hacking and similar fraudulent activities in the payment transaction domain include ATM, POS terminal & controller, Database Server, PC based cash register, File server, Web application server and all devices which may have any role in handling payment transactions. Transaction Security Challenges & Technology Encryption is key to avoid data in clear text and this transformation of card information should happen at the very first point of card presentation. While encryption is crucial, it is also important to ensure that the encryption is done at the very first instance of presentment and with sufficient strength to avoid any brute force attacks. This will require the encryption to be based on the latest techniques to use the advanced encryption cyphers. Another key aspect of encryption is the determination of the entity that should decrypt the encrypted information and physical and network security of such devices so that those devices are not reachable for potential hackers and fraud perpetrators. The environment in which the card data encryption and decryption occurs need to be specifically verified and proven to be proof of external accesses and by default protected from any physical users in a normal scenario. This should have sufficient protection mechanisms to log any such user accesses and built in abilities to stop handling of transaction data, if any such compromise is suspected. Physical security is another key area of concern to ensure that the devices and environments dealing with card data are sufficiently protected from all unauthorized access and all authorized accesses are monitored, logged with specific assignment of responsibility and all related actions are to be handled by appropriate supervision and user authentication mechanisms.

3 Security remains a major concern for all legacy and emerging payment services, increasingly because many of these are employing innovative ways of doing transactions and involves newer levels of security requirements to handle the fraud associated with these new services. Industry standard security procedures for data encryption, network security with access restrictions, enhanced user authentication procedures, advanced standards based encrypted data exchanges and avoidance of sensitive data transfers over the public networks are the several possible ways to ensure the security for the new services. While offering the convenience of the new services it is absolutely essential to ensure that these services are not threatening to weaken any of the security barriers which the industry standards has envisaged on public IP or Dial based networks. Securing the sensitive data in secure locations including physical storage; encrypting sensitive data when subjected to transport over public networks and systems using point to point encryption(p2pe) mechanisms; secure session usages and secure transport of transaction data over public networks with no hop without security (TLS/SSL/IPsec/ HTTPS); tokenization mechanisms to involve card data surrogacy rendering transmitted payment data information useless for subsequent usages with one time tokens and avoiding card data retention; device, user, network and system authentication using Certificate authorization process(x.509); employing strong encryption technologies which can withstand brute force attacks; avoiding sensitive data storage in clear text in any systems or devices including any transient storage in memory; event tracking logs on devices for memory and data access attempts; usage of alternative one time codes or 2D codes to substitute sensitive card data with all payment transactions with Issuers private servers to host the card information for reverse lookup and approval; avoidance of card data from being transported across networks and devices represents the major mechanisms practical and applicable in the current day context to ensure the security of present day transactions and also for the emerging futuristic payment options. Along with the implementation of security practices, equally important is the routine verifications of each of the entry and exit points of the networks, perimeters of the networks, every system and device in the environment dealing with the payment traffic, database servers that hold the sensitive data and user accesses to these systems and activities performed from each of these systems and servers. NewNet Transaction Security Solutions NewNet payment transaction solutions specifically addressing security of transactions are listed below: P2PE (Point To Point Encryption) NewNet s TransKrypt security server system offers the P2PE solution for Acquirers/Processors and Service Providers working in conjunction with approved point of interaction devices that are certified for usage in a P2PE environment. The P2PE solution supported by NewNet s TransKrypt Security Server is based on ANSI X9.24 standards specified DUKPT mechanisms. The NewNet TransKrypt Security Server utilizes FIPS Level 2 HSM solution to store sensitive data like encryption keys securely and provide encryption and decryption capabilities. TransKrypt solution provides P2PE capability for Terminal Line Encryption using Derived Unique Key Per Transaction (DUKPT); working in conjunction with the NewNet AccessGuard and Total Control STG systems which aggregates, switches and routes transaction from POS devices.

4 Tokenization NewNet s secure transaction solutions provide an integrated cost-effective solution for tokenization of sensitive data. Tokenization is a process by which the primary account number (PAN) or other sensitive data is replaced with a surrogate value called a token. De-tokenization is the reverse process of redeeming a token for its associated PAN value. The tokenizer application provides an interface for tokenizing the input data string into desired length. Similarly the token can be converted back to the original data if required. NewNet s Tokenization application is an optional part of the Security Server provided by NewNet for its customers in order to enable them to tokenize sensitive data. The application can be installed as part of the Security Server platform which complies with the security requirements. Tokenization solution uses HSM module which is a tamper proof device to store keys used for the tokenization. The HSM module ensures that the encryption keys reside on a secure device and cannot be accessed or tampered with without destroying the module. The tokenization solution need to be installed in a secure location and will talk with other authorized systems using TLS/SSL with valid certificates. Merchants can use the tokenization solution to reduce the PCI-DSS scope by storing transaction data with a token instead of the PAN, as recommended by PCI. Secure POS/POI Sessions(TLS/SSL) NewNet s AccessGuard 1000 solution can aggregate thousands of persistent and non-persistent TLS/SSL/IPSec connections and transactions. TLS/SSL cryptographic protocol provides secure communications over the Internet. The protocol allows client/server applications to communicate in a way designed to prevent eavesdropping, tampering, and message forgery. TLS/SSL involves a number of basic phases including peer negotiation for algorithm support; public key encryption-based key exchange and certificate-based authentication; symmetric cipher-based traffic encryption. The NewNet AccessGuard 1000 solution uses next generation hardware acceleration encryption engines to achieve the performance required for the financial market. This implies that with AccessGuard 1000 TLS/SSL offloader the back end systems or additional network devices are not necessary for processing any portion of the TLS/SSL traffic. By processing the entire TLS/SSL transaction, AccessGuard 1000 uses a model of receiving encrypted data from POS, decrypting transaction data, routing the transactions data based on specific transaction protocols securely over TLS/SSL/IPsec sessions towards the host system. Secure Server Sessions (IPsec/TLS/SSL) IPsec is offered for secure connection between AccessGuard 1000 / Total Control STG (AG1K/TC STG) and peer Servers or Host Servers. This includes secure connections from AG1K/TC STG systems to Authorization Host servers, Network nodes, VPN servers etc or among AG1K system. IPsec is also employed between TC STG and AG1K systems in a secure IP connection model based network architecture that connects them from a remote site to central site with TC STG or AG1K in a remote site and AG1K in a central site. Similar to TLS/SSL usage with client POS/POI devices, TLS/SSL may be used with Host servers as well. While for permanent connections with Host servers, typically IPsec is preferred. IPsec (Internet Protocol Security) comprises of a suite of protocols that provides security to Internet communications at the IP layer. The most common current use of IPsec is to provide security between two locations (gateway-to-gateway) or between a remote user and an enterprise network (host-to-gateway); it can also provide end-to-end, or host-to-host, security.

5 Client/Server Certificate Authorization NewNet s Certificate Authorization system is an optional application package provided for customers in order to enable them to create and verify client certificates for their POS devices and other payment processing devices in conjunction with TLS/SSL. The package is used on industry grade Server system with secure storage capabilities. Certificate Authorization system is intended to be used as special purpose certificate authority (CA) server for acquirers, processors and service providers. This is expected to be used within a payment processor organization to ensure that devices that talk to each other via secure connections (TLS/SSL, SSH etc) are authenticated via valid certificates and thus prevent man-in-the-middle (MITM) attacks. This server application consists of CRL distribution servers as well to track the certificate validity of client devices and servers. Strong Encryptions AES (Advanced Encryption Standard) is an advanced specification for the encryption that supports key size of 192, 256 and 512 bits.3des (Triple DES) is a version of DES that en crypts a message three times using the DES 56-bit key, which is effectively 168-bit key encryption. Couple with stronger encryption mechanisms, using larger key lengths for Certificates up to 2048 bits further increases the security of the sessions. Considering the computationally intensive operations of these strong encryption methods, NewNet systems uses next generation hardware acceleration encryption processor engines to achieve the high performance and rapid transaction handling required for the financial market. About NewNet Communication Technologies NewNet Communication Technologies, LLC is a global provider of innovative solutions for next generation mobile technology. For over 25 years, NewNet has enabled global operators and equipment manufacturers to rapidly develop and deploy cutting edge, revenue generating solutions needed to build, grow and improve global communications. NewNet specializes in Mobile Messaging, Secure Transaction Transport, Interactive Voice Response, Real Time Charging and Rating, Wireless Broadband and Network Optimization solutions that have reached millions of end users in over 90 countries. Contact Us traxcominfo@newnet.com Copyright NewNet Communication Technologies, LLC. 700 East Butterfield Road, Suite 350, Lombard, IL