2008
A GHL Whitepaper
Secure IP Networks:
What’s Available other than SSL?
Secure IP Payment Networks: What’s available other than SSL?
Payments security threat models today assume a powerful adversary with access to
virtually all communications links and to insecure networks and systems. As a result, financial
institutions, businesses, card associations and statutory bodies have, in recent years, taken
vital steps to address these threats by working closely together and introducing all
necessary measures to combat this scourge.
In fact, banks across the globe continue to invest heavily and consider strategic options
regarding security and fraud management tools and practices to strengthen control of non-
public consumer and corporate information, primarily on the heels of mandates such
as capital and operational risk management and stronger customer authentication.
Deceitful online and offline schemes target banks from both within and without. (Source:
Top 10 Strategic IT Initiatives for Financial Services in 2007, Financial Insights, 2007)
With these considerations in mind, and against the backdrop of increasing IP-based network
deployments by financial services institutions, this article briefly presents the prevailing
approach often touted as the solution to payment network security, the ubiquitous Secure
Sockets Layer (SSL). Its chief aim is to present a viable security solution for payment
infrastructure that addresses the shortfalls of SSL: GHL Systems’ NetMATRIX Terminal Line
Encryption.
The context of this article, however, is limited to the deployment of both concepts into
TCP/IP EDC terminal networks.
SSL
Secure Sockets Layer (SSL) is a collection of TCP/IP security protocols and is considered by
many to be the current de facto Internet security standard. The purpose of SSL is to provide
a layer of security between the sockets at the transport layer and the application accessing
the network through the sockets. The idea is that, when SSL is active, network services such
as FTP and HTTP are protected from attack by the secure SSL protocols.
Typically, only the server is authenticated (i.e., its identity is validated) while the client
remains unauthenticated; this means that the end user (whether an individual or an
application, such as a Web browser) can be assured of the identity of the party it is
communicating with. SSL is commonly used in banking and e-commerce websites, but also in
non-commercial sites that offer online memberships and webmail.
Terminal Line Encryption (TLE)
Terminal Line Encryption, in its broadest sense, protects against wire-tapping and
other threats such as eavesdropping/card skimming, ghost or phantom EDC terminals, host
spoofing and replay attacks. Wire tapping is the monitoring of telephone, Internet traffic or
even wireless local area networks by a third party, often by covert means and for fraudulent
purposes. Again, within the context of this discussion, we refer specifically to the
interception of card transaction data traffic from the EDC terminal to the bank or destination
host on IP networks.
In simple terms, Terminal Line Encryption (TLE) converts the parts of a message holding
sensitive cardholder information into incoherent and incomprehensible data while in
transit. Only the intended receiver, who is able to decrypt the message, can read the
information to complete the transaction, thus preventing any attempt by fraudsters to
capture payment card details, account numbers or any other information.
Combined approaches: TLE & EMV
Malaysia’s foray into terminal line encryption back in 2005 is perhaps the best testament of
the effectiveness of TLE in combating card fraud. To strengthen its payment security
infrastructure, Malaysia implemented line encryption of its terminals and bank systems,
making it the first country in the world to deploy both line encryption and EMV technology
nationwide.
Malaysia’s experience is unique in the sense that the Malaysian central bank (Bank Negara)
mandated that both line encryption and EMV be implemented as a combined approach to
overcoming card fraud. The two work in tandem to enhance the integrity of the payment
systems and instruments, while promoting confidence and ensuring that consumers’ interests
are safeguarded.
Using actual fraud data from the Malaysian experience, there is historical and empirical
evidence depicting the strong inverse relationship between increasing chip maturity and
declining counterfeit fraud.
Source: Bank Negara Malaysia, 2005
As a result of these two initiatives, and according to Visa Asia Pacific’s Mr. Ingo Noka, Head
of Visa’s Payment Security Services, “Counterfeit fraud in Malaysia on domestically-issued
cards fell from an average of 0.16 percent in the years 2000 to 2004 to a record low of 0.03
percent in 2005. Expressed in US dollars, after one year of using chip cards, domestic
counterfeit has dropped 92 percent from about US$400,000 in January 2004 to US$31,000
in August 2005.
“Since September 2004, the share of fraud losses due to counterfeit fraud has fallen from 90
percent to 22 percent and we see a shift to lost or stolen and card-not-present (CNP) fraud
types which now represent 73 percent of fraud losses”. (Source: Visa Payment Security
Bulletin - Issue 1, 2006)
Currently, about 90% of the terminals in Malaysia are encrypting authorization messages.
A Brief Comparison of SSL and NetMATRIX TLE as a payment network security solution
GHL Systems’ NetMATRIX TLE uses symmetric key encryption and decryption, which is more
suitable in an environment where processing power, memory and bandwidth are limited. It
supports up to 4 billion unique keys per terminal application and also supports Unique Key Per
Transaction. Additionally, NetMATRIX TLE uses Dynamic Key Derivation instead of static
keys for each transaction, effectively preventing terminal cloning and reducing key
management issues. It further provides a Remote Key Injection (RKI) utility to ease the
remote deployment of keys into terminals.
Performance considerations
SSL is a PKI (Public Key Infrastructure) implementation and thus requires greater resources
(in terms of processing power and memory) and more overhead (in terms of processing
time, handshake overhead, session key exchange, etc.), further constrained by bandwidth
limitations. This is compounded if one needs to perform client/device authentication
besides host authentication, since a digital certificate then needs to be downloaded to the
terminals.
Communication Channels/Technologies Independence
• NetMATRIX TLE functionality is independent of the underlying carrier technology and
protocol and can work over X.25, TCP/IP, SNA, SDLC, HDLC and LAPB networks, while SSL
can only work over TCP/IP-based networks.
• NetMATRIX TLE can also work over a heterogeneous network (a combination of
different underlying network protocols), while SSL can only work over a homogeneous
TCP/IP network.
• NetMATRIX TLE secures data at each individual terminal’s application layer, which
conforms to the ISO 8583 format and can be routed through a bank’s existing payment
infrastructure without additional major investment.
• Where typical SSL implementations require a TCP/IP environment that has to be
augmented with additional security infrastructure such as firewalls, SSL accelerators or
intrusion detection systems, NetMATRIX can be deployed across a variety of environments
without requiring such investments.
Greater security and flexibility
NetMATRIX TLE secures transaction and card data at each individual terminal’s application
layer instead of at the communication channel layer. It also provides more flexibility than
SSL, as NetMATRIX TLE allows application-specific customization to determine the exact
fields/data that need to be encrypted/decrypted.
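The following Python sketch is an added example, not GHL’s code (the paper does not describe NetMATRIX’s actual algorithms or message formats). It illustrates the field-level protection described here and the per-transaction key derivation described in the comparison above: only the PAN and track 2 data elements of a constructed ISO 8583-style message are encrypted, while the routing fields remain in the clear. The HMAC-SHA256 key derivation and keystream are hypothetical stand-ins for whatever cipher a real deployment uses.

```python
import hashlib, hmac

# Constructed ISO 8583-style message (data element number -> value), all values made up:
# 2 = PAN, 3 = processing code, 4 = amount, 11 = STAN, 35 = track 2, 41 = terminal ID.
SAMPLE_MSG = {
    2: "4111111111111111",
    3: "000000",
    4: "000000012500",
    11: "000042",
    35: "4111111111111111=2512101123400001",
    41: "TERM0001",
}
SENSITIVE_FIELDS = (2, 35)  # fields TLE encrypts; 3, 4, 11 and 41 stay clear for routing

def derive_transaction_key(base_key: bytes, terminal_id: str, stan: str) -> bytes:
    """Per-transaction key from the terminal's base key, terminal ID and STAN.
    Hypothetical HMAC-SHA256 derivation, not the vendor's actual algorithm."""
    return hmac.new(base_key, f"{terminal_id}|{stan}".encode(), hashlib.sha256).digest()

def _keystream(key: bytes, field_no: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (a stand-in for AES/3DES). Mixing in the
    field number means two fields of one message never share keystream."""
    blocks = (hmac.new(key, f"{field_no}|{i}".encode(), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def protect(msg: dict, base_key: bytes) -> dict:
    """Terminal side: encrypt only the sensitive fields, hex-encoded so the message stays
    printable. The STAN must not repeat under one base key, or keystream is reused."""
    tk = derive_transaction_key(base_key, msg[41], msg[11])
    out = dict(msg)
    for f in SENSITIVE_FIELDS:
        out[f] = _xor(msg[f].encode(), _keystream(tk, f, len(msg[f]))).hex()
    return out

def unprotect(msg: dict, base_key: bytes) -> dict:
    """Host side: re-derive the per-transaction key from the clear routing fields.
    With a wrong base key the result is garbage, not the cardholder data."""
    tk = derive_transaction_key(base_key, msg[41], msg[11])
    out = dict(msg)
    for f in SENSITIVE_FIELDS:
        ct = bytes.fromhex(msg[f])
        out[f] = _xor(ct, _keystream(tk, f, len(ct))).decode(errors="replace")
    return out
```

Because the routing fields (processing code, amount, STAN, terminal ID) are untouched, an intermediate switch can forward the message without holding any key; a second transaction from the same terminal with a different STAN yields a different ciphertext for the same PAN.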
Other key considerations:
SSL implementation requires a Certificate Server if in-house certificates are being used. If
banks or other financial institutions already have their own Certificate Server, then this
would probably be a non-issue. However, if public digital certificates from Certification
Authorities are used, this means additional costs, as their pricing model is
typically based on each individual digital certificate. The long-term management of the
digital certificates themselves also warrants attention.
Conclusion
As the industry advances, changes in the payments landscape will continue to be
dynamic, and the level of requirements, complexity and sophistication in payment networks
will further intensify. While considerable efforts have been undertaken to enhance
protection for consumers and banks alike, still more remains to be done.
Given the issues and considerations discussed, as well as its own experience implementing
TLE in India, Malaysia, Thailand and Indonesia, GHL Systems believes the time is now for
card associations, banks, and payment network security/technology/solution providers to
reconsider the proposition that SSL should remain the de facto standard, as far as TCP/IP
EDC terminal networks are concerned.