SlideShare ist ein Scribd-Unternehmen logo

Card Payments Processing - Security

L
Lakshmana Kattula

An overview of Card Payments Processing and some Security Considerations

Wirtschaft & FinanzenTechnologie
1 von 10
Downloaden Sie, um offline zu lesen
Card Payments Processing Security Considerations Lakshmana Kattula Enterprise/Solution Architect vivalaks@gmail.com June 2011
Contents • Actors • Components • Card Payment Processes • Card Payment Process – Authorization • Security Needs • Fraud • Technologies • Solution Design
Actors Involved • Cardholder (A1) – Customers • Merchant or Retailer (A2) – Tesco, Amazon, etc • Merchant Bank or Acquirer (A3) – HSBC, Lloyds, Barclays, etc • Card Association or Card Network (A4) – Visa, Mastercard, etc • Issuer (A5) – CapitalOne, Citi, etc
Components Involved • Payment Card (C1) • Card Processing Terminal – POS, Web Interface, etc. (C2) • Merchant DataCentre/Network (C3) • Merchant Payment Gateway (C4) • Merchant Bank’s Data Centre (C5) • Merchant Bank’s Payment System (C6) • Card Association’s Data Centre (C7) • Card Association’s Payment System (C8) • Issuer’s Data Centre (C9) • Issuer’s Payment System (C10)
Card Payment Process • Authorization • Settlement – Batching – Clearing • Funding
Card Payment Process - Authorization A2 A3 6 6 C3 C5 A1 C1 C2 1 2 C4 3 C6 1. The cardholder uses the card at the card payment terminal 2. The card payment terminal submits ISPs 4 6 the card details to the merchant payment system for authorization of the transaction 3. The merchant payment system submits the request to the acquirer 4. The acquirer sends a request to the C9 C7 card network to communicate and 5 obtain authorization from the issuer 5. The card network requests for authorization from the issuer C10 C8 6. An authorization code is sent to the 6 card payment terminal through the same path backwards A4 A3
Security Needs • Threats • Vulnerabilities • Risk Assessments • Fraud Management • Enterprise Security Policies and Principles • Compliance Needs
Fraud • Stolen cards • Card not present transaction • Identity theft • Application fraud • Account takeover • Skimming • Internal/Employee Fraud • Fraud Detection Tools
Technologies • Firewalls • VPNs • PKI • Encryption • Web Services/XML Security • Tokens • Anti Virus • 2-Factor Authentication • Network Admission Control • Vulnerability Scanners • Intrusion Detection/ Intrusion Prevention • Physical Security • File Integrity Monitoring • Patch Management Systems
Solution Design – A Sample Template • Process security impact Describe the required process changes/configurations in order to comply to Client's business process security standards. Eg. Compliance of financial/contractual approval-workflows to the Bill Of Authority (BOA), compliance of process design to privacy legislation. • Application & Integration security impact Describe the required application changes/configurations in order to comply to Client's user identity and user authentication standards. Eg. TIMTAM-integration, adherence to single sign on, properly filled SegregationOfDuties (SOD) table per application. Describe the required integration changes/configurations in order to comply to Client's integration security standards. Eg. Usage of sftp for batch-file transfer, measurements for secure and guaranteed delivery-messaging. • Information security impact Describe the required data changes/configurations in order to comply to the Client's ‘data-classification confidentiality’ standards. Eg. Scrambling (of data in Test environments), encryption. Classify all data and address the requirements of the standard accordingly. • Infrastructure security impact Describe the required infrastructure changes/configurations in order to comply to Client's infrastructure security standards, being the required Mission Critical Value (MCV, order of application-restart after disaster). In case a third party vendor does the application-hosting, compliance to the Client's infrastructure security standards is implied in their Data Centre agreements. Otherwise (SaaS, BPO, cloud computing) it must be proven. • Compliance to web-applications policy Describe measures taken in order to comply to the Client's ‘web-applications policy’, if web based applications are part of the IT-solution. E.g. Perform vulnerability testing on among others the OWASP top ten. • Compliance to PCI DSS Describe measures taken in order to comply to the Client's Europe PCI DSS policy if the systems deal with card type data • Testing & Acceptance Describe the necessary testing types of testing during the testing strategy and planning. E.g. Vulnerability scans, Penetration testing, Performance testing, Failover & DR testing, etc.

Empfohlen

Equinox t4220
Equinox t4220Equinox t4220
Equinox t4220
Joseph Oese
 
Credit Card Merchant Services
Credit Card Merchant ServicesCredit Card Merchant Services
Credit Card Merchant Services
CardsCashRewards.com, Inc.
 
Verifone IR Presentation September 2015
Verifone IR Presentation September 2015Verifone IR Presentation September 2015
Verifone IR Presentation September 2015
Verifone
 
Electronic Billing And Payment Market, After All These Years
Electronic Billing And Payment Market, After All These YearsElectronic Billing And Payment Market, After All These Years
Electronic Billing And Payment Market, After All These Years
Randy Pilkenton
 
Mobile Payments Framework
Mobile Payments FrameworkMobile Payments Framework
Mobile Payments Framework
Lakshmana Kattula
 
electronic bill payment and presentment
electronic bill payment and presentmentelectronic bill payment and presentment
electronic bill payment and presentment
tejinderubs
 
The Future of Mobile Payments
The Future of Mobile PaymentsThe Future of Mobile Payments
The Future of Mobile Payments
Jonathan LeBlanc
 
Pos Presentation
Pos PresentationPos Presentation
Pos Presentation
Supriti Sawant
 

Empfohlen

Equinox t4220
Equinox t4220Equinox t4220
Equinox t4220
Joseph Oese
 
Credit Card Merchant Services
Credit Card Merchant ServicesCredit Card Merchant Services
Credit Card Merchant Services
CardsCashRewards.com, Inc.
 
Verifone IR Presentation September 2015
Verifone IR Presentation September 2015Verifone IR Presentation September 2015
Verifone IR Presentation September 2015
Verifone
 
Electronic Billing And Payment Market, After All These Years
Electronic Billing And Payment Market, After All These YearsElectronic Billing And Payment Market, After All These Years
Electronic Billing And Payment Market, After All These Years
Randy Pilkenton
 
Mobile Payments Framework
Mobile Payments FrameworkMobile Payments Framework
Mobile Payments Framework
Lakshmana Kattula
 
electronic bill payment and presentment
electronic bill payment and presentmentelectronic bill payment and presentment
electronic bill payment and presentment
tejinderubs
 
The Future of Mobile Payments
The Future of Mobile PaymentsThe Future of Mobile Payments
The Future of Mobile Payments
Jonathan LeBlanc
 
Pos Presentation
Pos PresentationPos Presentation
Pos Presentation
Supriti Sawant
 
Shrambal_Distributors_Newsletter_May-2024.pdf
Shrambal_Distributors_Newsletter_May-2024.pdfShrambal_Distributors_Newsletter_May-2024.pdf
Shrambal_Distributors_Newsletter_May-2024.pdf
vikashdidwania1
 
Black magic specialist in Canada (Kala ilam specialist in UK) Bangali Amil ba...
Black magic specialist in Canada (Kala ilam specialist in UK) Bangali Amil ba...Black magic specialist in Canada (Kala ilam specialist in UK) Bangali Amil ba...
Black magic specialist in Canada (Kala ilam specialist in UK) Bangali Amil ba...
batoole333
 
Mahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Mahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsMahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Mahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Deepika Singh
 
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
hyt3577
 
Q1 2024 Conference Call Presentation vF.pdf
Q1 2024 Conference Call Presentation vF.pdfQ1 2024 Conference Call Presentation vF.pdf
Q1 2024 Conference Call Presentation vF.pdf
Adnet Communications
 
abortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammam
abortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammamabortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammam
abortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammam
samsungultra782445
 
Test bank for advanced assessment interpreting findings and formulating diffe...
Test bank for advanced assessment interpreting findings and formulating diffe...Test bank for advanced assessment interpreting findings and formulating diffe...
Test bank for advanced assessment interpreting findings and formulating diffe...
robinsonayot
 
Pension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdfPension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdf
Henry Tapper
 
logistics industry development power point ppt.pdf
logistics industry development power point ppt.pdflogistics industry development power point ppt.pdf
logistics industry development power point ppt.pdf
Salimullah13
 
Avoidable Errors in Payroll Compliance for Payroll Services Providers - Globu...
Avoidable Errors in Payroll Compliance for Payroll Services Providers - Globu...Avoidable Errors in Payroll Compliance for Payroll Services Providers - Globu...
Avoidable Errors in Payroll Compliance for Payroll Services Providers - Globu...
globusfinanza
 
FE Credit and SMBC Acquisition Case Studies
FE Credit and SMBC Acquisition Case StudiesFE Credit and SMBC Acquisition Case Studies
FE Credit and SMBC Acquisition Case Studies
NghiaPham100
 
Collecting banker, Capacity of collecting Banker, conditions under section 13...
Collecting banker, Capacity of collecting Banker, conditions under section 13...Collecting banker, Capacity of collecting Banker, conditions under section 13...
Collecting banker, Capacity of collecting Banker, conditions under section 13...
RaniT11
 
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdfMASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
Cocity Enterprises
 
Law of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
Law of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnLaw of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
Law of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
TintoTom3
 
7 tips trading Deriv Accumulator Options
7 tips trading Deriv Accumulator Options7 tips trading Deriv Accumulator Options
7 tips trading Deriv Accumulator Options
Vince Stanzione
 
Toronto dominion bank investor presentation.pdf
Toronto dominion bank investor presentation.pdfToronto dominion bank investor presentation.pdf
Toronto dominion bank investor presentation.pdf
JinJiang6
 
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
Henry Tapper
 
FOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdf
FOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdfFOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdf
FOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdf
Cocity Enterprises
 
Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...
Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...
Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...
batoole333
 
Dubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai Multiple
Dubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai MultipleDubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai Multiple
Dubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai Multiple
kojalpk89
 
2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
Marius Sescu
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
Expeed Software
 

Weitere ähnliche Inhalte

Kürzlich hochgeladen

QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
hyt3577
 
abortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammam
abortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammamabortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammam
abortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammam
samsungultra782445
 
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdfMASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
Cocity Enterprises
 
Law of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
Law of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnLaw of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
Law of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
TintoTom3
 
FOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdf
FOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdfFOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdf
FOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdf
Cocity Enterprises
 
Dubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai Multiple
Dubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai MultipleDubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai Multiple
Dubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai Multiple
kojalpk89
 

Kürzlich hochgeladen (20)

Shrambal_Distributors_Newsletter_May-2024.pdf
Shrambal_Distributors_Newsletter_May-2024.pdfShrambal_Distributors_Newsletter_May-2024.pdf
Shrambal_Distributors_Newsletter_May-2024.pdf
 
Black magic specialist in Canada (Kala ilam specialist in UK) Bangali Amil ba...
Black magic specialist in Canada (Kala ilam specialist in UK) Bangali Amil ba...Black magic specialist in Canada (Kala ilam specialist in UK) Bangali Amil ba...
Black magic specialist in Canada (Kala ilam specialist in UK) Bangali Amil ba...
 
Mahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Mahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot GirlsMahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
Mahendragarh Escorts 🥰 8617370543 Call Girls Offer VIP Hot Girls
 
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
QATAR Pills for Abortion -+971*55*85*39*980-in Dubai. Abu Dhabi.
 
Q1 2024 Conference Call Presentation vF.pdf
Q1 2024 Conference Call Presentation vF.pdfQ1 2024 Conference Call Presentation vF.pdf
Q1 2024 Conference Call Presentation vF.pdf
 
abortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammam
abortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammamabortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammam
abortion pills in Riyadh Saudi Arabia (+919707899604)cytotec pills in dammam
 
Test bank for advanced assessment interpreting findings and formulating diffe...
Test bank for advanced assessment interpreting findings and formulating diffe...Test bank for advanced assessment interpreting findings and formulating diffe...
Test bank for advanced assessment interpreting findings and formulating diffe...
 
Pension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdfPension dashboards forum 1 May 2024 (1).pdf
Pension dashboards forum 1 May 2024 (1).pdf
 
logistics industry development power point ppt.pdf
logistics industry development power point ppt.pdflogistics industry development power point ppt.pdf
logistics industry development power point ppt.pdf
 
Avoidable Errors in Payroll Compliance for Payroll Services Providers - Globu...
Avoidable Errors in Payroll Compliance for Payroll Services Providers - Globu...Avoidable Errors in Payroll Compliance for Payroll Services Providers - Globu...
Avoidable Errors in Payroll Compliance for Payroll Services Providers - Globu...
 
FE Credit and SMBC Acquisition Case Studies
FE Credit and SMBC Acquisition Case StudiesFE Credit and SMBC Acquisition Case Studies
FE Credit and SMBC Acquisition Case Studies
 
Collecting banker, Capacity of collecting Banker, conditions under section 13...
Collecting banker, Capacity of collecting Banker, conditions under section 13...Collecting banker, Capacity of collecting Banker, conditions under section 13...
Collecting banker, Capacity of collecting Banker, conditions under section 13...
 
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdfMASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
MASTERING FOREX: STRATEGIES FOR SUCCESS.pdf
 
Law of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
Law of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnLaw of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
Law of Demand.pptxnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
 
7 tips trading Deriv Accumulator Options
7 tips trading Deriv Accumulator Options7 tips trading Deriv Accumulator Options
7 tips trading Deriv Accumulator Options
 
Toronto dominion bank investor presentation.pdf
Toronto dominion bank investor presentation.pdfToronto dominion bank investor presentation.pdf
Toronto dominion bank investor presentation.pdf
 
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
20240419-SMC-submission-Annual-Superannuation-Performance-Test-–-design-optio...
 
FOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdf
FOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdfFOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdf
FOREX FUNDAMENTALS: A BEGINNER'S GUIDE.pdf
 
Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...
Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...
Famous Kala Jadu, Black magic expert in Faisalabad and Kala ilam specialist i...
 
Dubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai Multiple
Dubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai MultipleDubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai Multiple
Dubai Call Girls Deira O525547819 Dubai Call Girls Bur Dubai Multiple
 

Empfohlen

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
SpeakerHub
 

Empfohlen (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity - Best PracticesTime Management & Productivity - Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Card Payments Processing - Security

  • 1. Card Payments Processing Security Considerations Lakshmana Kattula Enterprise/Solution Architect vivalaks@gmail.com June 2011
  • 2. Contents • Actors • Components • Card Payment Processes • Card Payment Process – Authorization • Security Needs • Fraud • Technologies • Solution Design
  • 3. Actors Involved • Cardholder (A1) – Customers • Merchant or Retailer (A2) – Tesco, Amazon, etc • Merchant Bank or Acquirer (A3) – HSBC, Lloyds, Barclays, etc • Card Association or Card Network (A4) – Visa, Mastercard, etc • Issuer (A5) – CapitalOne, Citi, etc
  • 4. Components Involved • Payment Card (C1) • Card Processing Terminal – POS, Web Interface, etc. (C2) • Merchant DataCentre/Network (C3) • Merchant Payment Gateway (C4) • Merchant Bank’s Data Centre (C5) • Merchant Bank’s Payment System (C6) • Card Association’s Data Centre (C7) • Card Association’s Payment System (C8) • Issuer’s Data Centre (C9) • Issuer’s Payment System (C10)
  • 5. Card Payment Process • Authorization • Settlement – Batching – Clearing • Funding
  • 6. Card Payment Process - Authorization A2 A3 6 6 C3 C5 A1 C1 C2 1 2 C4 3 C6 1. The cardholder uses the card at the card payment terminal 2. The card payment terminal submits ISPs 4 6 the card details to the merchant payment system for authorization of the transaction 3. The merchant payment system submits the request to the acquirer 4. The acquirer sends a request to the C9 C7 card network to communicate and 5 obtain authorization from the issuer 5. The card network requests for authorization from the issuer C10 C8 6. An authorization code is sent to the 6 card payment terminal through the same path backwards A4 A3
  • 7. Security Needs • Threats • Vulnerabilities • Risk Assessments • Fraud Management • Enterprise Security Policies and Principles • Compliance Needs
  • 8. Fraud • Stolen cards • Card not present transaction • Identity theft • Application fraud • Account takeover • Skimming • Internal/Employee Fraud • Fraud Detection Tools
  • 9. Technologies • Firewalls • VPNs • PKI • Encryption • Web Services/XML Security • Tokens • Anti Virus • 2-Factor Authentication • Network Admission Control • Vulnerability Scanners • Intrusion Detection/ Intrusion Prevention • Physical Security • File Integrity Monitoring • Patch Management Systems
  • 10. Solution Design – A Sample Template • Process security impact Describe the required process changes/configurations in order to comply to Client's business process security standards. Eg. Compliance of financial/contractual approval-workflows to the Bill Of Authority (BOA), compliance of process design to privacy legislation. • Application & Integration security impact Describe the required application changes/configurations in order to comply to Client's user identity and user authentication standards. Eg. TIMTAM-integration, adherence to single sign on, properly filled SegregationOfDuties (SOD) table per application. Describe the required integration changes/configurations in order to comply to Client's integration security standards. Eg. Usage of sftp for batch-file transfer, measurements for secure and guaranteed delivery-messaging. • Information security impact Describe the required data changes/configurations in order to comply to the Client's ‘data-classification confidentiality’ standards. Eg. Scrambling (of data in Test environments), encryption. Classify all data and address the requirements of the standard accordingly. • Infrastructure security impact Describe the required infrastructure changes/configurations in order to comply to Client's infrastructure security standards, being the required Mission Critical Value (MCV, order of application-restart after disaster). In case a third party vendor does the application-hosting, compliance to the Client's infrastructure security standards is implied in their Data Centre agreements. Otherwise (SaaS, BPO, cloud computing) it must be proven. • Compliance to web-applications policy Describe measures taken in order to comply to the Client's ‘web-applications policy’, if web based applications are part of the IT-solution. E.g. Perform vulnerability testing on among others the OWASP top ten. • Compliance to PCI DSS Describe measures taken in order to comply to the Client's Europe PCI DSS policy if the systems deal with card type data • Testing & Acceptance Describe the necessary testing types of testing during the testing strategy and planning. E.g. Vulnerability scans, Penetration testing, Performance testing, Failover & DR testing, etc.