Card based transactions account for barely 1% of all non-cash transactions by value,in India.Security concerns rank high on the list of barriers to card adoption,not just in this country,but also in those with much higher penetration.

1. Overview of Banking Application
Security and PCI DSS Compliance for
Banking Applications
Thought Paper
www.infosys.com/finacle
Universal Banking Solution | Systems Integration | Consulting | Business Process Outsourcing

2. Overview of banking application security and PCI
DSS compliance for banking applications
Card based transactions account for barely banking applications and carrier networks against
1% of all non-cash transactions by value, in deliberate attack or unintentional breach. This
India. Security concerns rank high on the list of paper discusses banking software application
barriers to card adoption, not just in this country, security practices in general, as well as banks’
but also in those with much higher penetration. compliance with the provisions of the Payment
Card Industry Data Security Standard (PCI DSS),
The card ecosystem, comprising issuing banks,
which focuses specifically on the safeguards for
application developers, technology vendors
credit and debit card data.
and regulators, has taken several steps to secure
Software application security and
security compliance
Software applications, like Internet Banking, systems, rather than piecemeal. A cohesive and
which are exposed to users on public networks, holistic security approach is most effective. To
are vulnerable to security threats. Stories illustrate, let us take the example of a banking
abound about individual or group hackers application that is connected to a database; it
managing to penetrate public bank networks, to is not only necessary to protect the application
gain access to applications and databases. but also the database at the other end. We’ve
seen instances of databases using default
Banks employ either or a combination of passwords, hardly the recipe for foolproof safety!
the following approaches to secure their
software applications: Current banking application
• Proactive security: The banks deploy adequate security practices
security measures to protect networks and Typically, banks safeguard their applications at
applications from cyber attack. three levels:
• Post incident security: The banks put a • At the network level, banks use firewalls and
mechanism in place to constantly monitor filters to ensure security.
activity logs, databases, webservers, networks
etc., which alerts them the moment there is • At the core banking/ application level, the
a security breach and also helps them responsibility for security rests with the
reconstruct the sequence of events, which respective vendors.
led up to it. In such an event, the banks isolate • At the third party application level, banks
or “de-alienate” their applications, webservers, protect middleware, databases, webservers
databases et al immediately and follow it up etc. with security packs that are provided by
with a tightening of proactive security measures. their vendors.
The need for holistic security Security of banking applications in card
The securing of individual components, such as transactions
applications, networks, access controls etc. must It is necessary to secure card transaction data
be done in coordination with all other security while in storage and also during transactions.
02 Thought Paper

3. • Debit/ credit card data is usually stored in Working of card based payments
databases, which are in turn stored in data
centers. These must be safeguarded through SWITCHING
Services by external
regular information security audit. Also, the vendor
owners of the data must ensure that it is
stored in encrypted form. SWITCH
(at Bank)
SWITCH
(at Bank)
BANK - A
Core Banking
• It is also essential to protect card data as it
BANK - A
Core Banking
transits through networks, routers, firewalls,
filters, middleware, web services etc. during POS/ATM POS/ATM
a transaction.
(In)Famous card security breaches
Despite elaborate measures, card security does The case of card systems
get breached from time to time. Some past
In this example of application security breach,
incidents resulted in massive losses for card
hackers employed a sophisticated technique
owners and their banks. The most famous ones
called SQL Injection to extract customers’ card
are listed below:
information. Card Systems had not firewalled
their web application. This inadequacy was
The case of heartland payment systems
exploited by the hackers, who planted a small
Heartland, a payment processor of debit and code snippet (a database query that is run on
credit card transactions, was the victim of an a database to extract data) onto Card Systems’
attack wherein the perpetrators planted malicious database by means of a web application, which
software onto its payment network to record was used by customers to access their own
data sent during payment processing. The data. The hackers used File Transfer Protocol
attackers managed to capture the highly to retrieve this information. Here again, the
confidential digital data encoded on the reverse company’s failure to erect network firewalls and
of credit/debit cards. It is estimated that 100 encrypt important data was the reason for the
million or more credit/ debit cards were affected. breach. To make things worse, old transaction
information had not been deleted, which added
The case of TJX companies to the huge losses.
This is a great example of how inadequate
security measures allowed fraudsters to break Is PCI compliance a guarantee of security?
in at two levels – that of the network as well The Heartland episode shot into the limelight
as the application. Hackers breached TJX especially because the company had been
Companies’ data security by penetrating the certified as PCI compliant. This unfortunate
network security at Kiosks and Points of Sale incident was a wake-up call for the payment
(POS). They broke into TJX’s network, which card industry, which until then was not subject
was not firewalled, and used USB keys to load to a rigorous audit mandate. In those days, it
software on to the POS terminals to gain access was common for banks and other institutions
to the network. Their modus operandi was to to dismantle their security checks or encryption
remotely control the payment network and gain processes once they received a one-time audit
access to customer data, which was stored by certification. After the Heartland incident, it
TJX in an unencrypted form. Around 46 million was decided to make periodic audit compulsory
card holder accounts were estimated to be for the payment card industry to ensure
affected by the attack. adherence to data security standards.
Thought Paper 03

4. Current card-related security practices Security (TLS) and Secure Socket Layer (SSL),
of banks and the latter to encrypt specific fields –
such as account number – rather than the
• Most banks deploy a Hardware Security
entire message.
Module (HSM) at terminals involved in card
payment transactions. This hardware could • Tunneling refers to the encapsulation of a
be in the form of a smart card, which message, say, in Protocol A within another
must remain inserted for the transaction to one, say, Protocol B, prior to transmission
take place. over a virtual private network (VPN) which
can be set using Secure Shell (SSH) protocol.
• Another technique in use is End-to-End
It is useful for sending unencrypted data
Encryption. Data is encrypted (or encoded)
within an encrypted network. Likewise,
at its origin (Point A) and transmitted to
HTTPS (Secure HTTP) is another protocol that
its target (Point B), where it is decrypted
is used for tunneling.
(decoded). This technique employs both
transport-level and data level security; the • Of late, the JPOS library framework (Java library
former to encrypt transmitted data using based ISO8583 framework) has come into use.
network protocols such as Transport Level
Holes in current application security practices
• While tunneling is a useful encryption PA DSS and its impact on core banking
technique, it has its pitfalls. In fact, hackers can systems
exploit it to bypass firewalls and breach the
The objectives of Payment Application Data
application level security of payment processors.
Security Standards – part of PCI DSS – are as follows:
• Web pages are made vulnerable by insecure
• To test applications for vulnerabilities –
coding practices, which can be exploited
including at the coding level – and find ways
by techniques such as SQL injection, script
to address them.
injection etc. Regular code audit can improve
the security of web pages. • To facilitate the implementation of a network
which is secured from the lowest datagram
• The practice of keeping services such as
level to the routing level.
telnet or File Transfer Protocol (FTP) running
when not in use weakens security. The simple • To ensure that the interfaces and database
remedy to this problem is to shut down routines responsible for storing cardholder
unused services and ports. data are configured in a way that the data is not
stored on servers with Internet connectivity,
PCI DSS V02 standard (payment and to encourage the use of dedicated servers
card industry – data security standard separated from the Internet for this purpose.
version 02)
• To facilitate secure remote access – governed
Payment Card Data Security Standards were by smart cards, tokens, i-keys – to applications,
developed to improve the safety of cardholders’ and ensure the correct implementation of
data and ensure adoption of consistent data access policies.
security measures globally.
• To encrypt sensitive traffic over public
The scope of PCI DSS covers security networks (with HTTPS or SSL) such that the
management, policies and procedures, network data is safeguarded against sniffing tools and
architecture, and software design. other threats.
04 Thought Paper

5. • To encrypt all non-console administrative security is effective only if the user is trained
access to credit card holders’ data through to implement the right practices; integrators
specialized devices such as POS, Swap and customers who are direct stakeholders in
terminals, ATM switches and so on. the system must be supported with adequate
documentation, explaining what is expected
• To maintain instructional documentation and
from them.
training programs for customers, resellers and
integrators. It must be noted that application
Impact of PCI DSS compliance on core
banking system
Banks must achieve PCI compliance in order to the assessment recommended by the standards
standardize their security infrastructure for card in order to maintain security.
based payment transactions. PCI compliance is
Banks’ external dependency regarding
a “regular process” containing various steps to
PCI DSS
ensure that the banks’ technological environment
is compliant with security requirements. In fact, The external dependency for compliance has
this move is led by the industry. two components:
Core Banking System (CBS) applications handle • Compliance at the level of the application, at
debit /credit card data through two distinct modes: which code level dependency can be resolved.
• Direct dealing with card based data • Compliance in the external environment in
which card based data is processed, namely
• Using vendor driven modules to deal with card
switches, token drivers or specified devices for
based data
hardware level security.
Since PCI DSS standards are comprehensive, they
Since PCI involves both layers, compliance usually
impact virtually every aspect of core banking
requires multiple dependencies to be resolved.
applications supporting card transactions.
However, the biggest impact is the banks’
The way forward
demand for complete security of the core b
anking application, its environment and coding In India, PCI DSS compliance is at a nascent
practices, and also of the data handled by stage. At present, there is no regulatory thrust in
other applications. this direction, nor adequate infrastructure and
skilled manpower to perform audits. This is still
Achieving PCI DSS continuity a growing market, and may take a while to come
to terms with the higher security expectations laid
PCI DSS specifies periodic validation; banks and
down by these standards.
application vendors must periodically perform
Makarand Madhukar Baji
Senior Consultant, Finacle Payments, Infosys
Sandhya Ravikumar
Senior Systems Engineer, Finacle E-Banking and Channel Support, Infosys
Thought Paper 05

6. About Finacle
Finacle from Infosys partners with banks to transform process, product
and customer experience, arming them with ‘accelerated innovation’
that is key to building tomorrow’s bank.
For more information, contact finacleweb@infosys.com www.infosys.com/finacle
© 2012 Infosys Limited, Bangalore, India, Infosys believes the information in this publication is accurate as of its publication date; such information is subject to change without notice. Infosys
acknowledges the proprietary rights of the trademarks and product names of other companies mentioned in this document.