Switch ON

Dynamic Key Exchange

csdivakar — Tue, 27 Oct 2009 06:41:15 +0000

Dynamic Key Exchange

Some networks and institutions increase their security level by exchanging the working key used on a regular basis. EFT SWITCH may be configured to allow dynamic key changes between itself and networks or devices. When exchanging a working key, it is necessary to store the new key in a “spare” location until the key exchange has been confirmed.

Having two fields for storing key cryptograms generally does this with a flag to indicate which cryptogram is active. Thus, during an exchange, the new key is written to the inactive field. Once the exchange has completed, the inactive and active fields have their roles switched.

The process of key exchange (where the remote system initiates a key exchange) is as follows:

1. The other system encrypts the new working key under the Key Encryption Key (KEK) and transmits it to EFT SWITCH.

2. EFT SWITCH collects the encrypted KEK and sends it, and the encrypted working key, to the Hardware Security Module (HSM) for processing.

3. The HSM processes the new key by:

3.1 decrypting the KEK cryptogram under its MFK

3.2 decrypting the new working key cryptogram under the KEK

3.3 encrypting the clear working key under its MFK

4. The HSM returns the new working key cryptogram to EFT SWITCH where it is written to the appropriate database table.

At a given time, only one key exchange message is processed.

For the financial messages, the dynamic key exchange is triggered under different conditions, e.g.

After given number of times the KPE, the KMAC or the KME keys are used,
Whenever a synchronization error between these keys occur,

After given number of times an invalid PIN block error may occur

Process Flow of Credit Card Authorisation

csdivakar — Tue, 27 Oct 2009 05:28:56 +0000

Proces Flow of Credit Card

Benefits of Chip and PIN

csdivakar — Mon, 19 Oct 2009 05:50:38 +0000

Benefits	Description
More Secure Environment	In countries with a mature Chip and PIN acceptance, the technology has contributed to a marked decrease in fraud from counterfeit and lost and stolen cards (which traditionally accounted for the majority of losses).
Better Levels of Service	Chip and PIN technology is enabling banks and Retailers to extend the reach of contactless payments. This includes contactless payments and a number of unattended or self-service payments. The cardholder feels more in control and confident and customer perception is less time is spent at the POS. Also some transaction can be processed offline.
Increase in POS Spending Volumes	Consumers and Retailers have been quick to adapt the new cardholder Verification method (CVM).
Reduction in Charge Backs	Once the chip on the card accepts the transaction, then the retailer is relieved of any fraudulent transactions
Brand Protection	Chip and PIN makes a secure transaction even more secure because of PIN verification whenever used in a ace to face transaction. For online purchases there are other layers of security via tools
Faster Transaction Times	Chip and PIN transactions are more complex then MSR transactions, yet they are faster. (In fashion and DVD and News stores study documented that the elapsed time for a cash transaction was 14 seconds, MSR with signature 43 seconds, and Chip and PIN 29 seconds.
Reduces Counterfeiting and Skimming	A lost or stolen card cannot be used to completely transaction without its corresponding PIN. This technology virtually eliminates the ability to copy the contents of the chip to another card.

Relationship between PCI-DSS and PA-DSS

csdivakar — Mon, 12 Oct 2009 06:32:34 +0000

Relationship between PCI DSS and PA-DSS

The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security

Standard (PCI DSS) Requirements and Security Assessment Procedures. This document, which can be found at www.pcisecuritystandards.org,

details what is required to be PCI DSS compliant (and therefore what a payment application must support to facilitate a customer’s PCI DSS

compliance).

Traditional PCI Data Security Standard compliance may not apply directly to payment application vendors since most vendors do not store,

process, or transmit cardholder data. However, since these payment applications are used by customers to store, process, and transmit

cardholder data, and customers are required to be PCI Data Security Standard compliant, payment applications should facilitate, and not prevent,

the customers’ PCI Data Security Standard compliance. Just a few of the ways payment applications can prevent compliance follow.

1. Storage of magnetic stripe data in the customer’s network after authorization;

2. Applications that require customers to disable other features required by the PCI Data Security Standard, like anti-virus software or

firewalls, in order to get the payment application to work properly; and

3. Vendor’s use of unsecured methods to connect to the application to provide support to the customer.

Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to

compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging

fraud resulting from these breaches

Relationship between PCI DSS and PA-DSS

The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures.

Traditional PCI Data Security Standard compliance may not apply directly to payment application vendors since most vendors do not store, process, or transmit cardholder data. However, since these payment applications are used by customers to store, process, and transmit cardholder data, and customers are required to be PCI Data Security Standard compliant, payment applications should facilitate, and not prevent, the customers’ PCI Data Security Standard compliance. Just a few of the ways payment applications can prevent compliance follow.

1. Storage of magnetic stripe data in the customer’s network after authorization;

2. Applications that require customers to disable other features required by the PCI Data Security Standard, like anti-virus software or firewalls, in order to get the payment application to work properly; and

3. Vendor’s use of unsecured methods to connect to the application to provide support to the customer.Secure payment applications, when implemented in a PCI DSS-compliant environment, will minimize the potential for security breaches leading to compromises of full magnetic stripe data, card validation codes and values (CAV2, CID, CVC2, CVV2), PINs and PIN blocks, and the damaging fraud resulting from these breaches.

Courtesy : PCI-DSS Council

Moving from Magnetic Stripe to Chip Technology

csdivakar — Mon, 05 Oct 2009 07:51:20 +0000

Is chip technology good for business?

Yes, because chip technology means greater security and more streamlined processing, especially when combined with PIN authentication, which can reduce fraud. Merchants will no longer have to store vouchers for these types of transaction. Chip technology will also bring increased opportunities for self-service POS stations.

How will chip technology work?

The cardholder inserts the chip card into a card reader and leaves it in the terminal until the transaction is complete. The card reader identifies whether a card is PIN-enabled. If so, the customer will be prompted to enter their PIN rather than sign a receipt. Chip transactions will be similar to magnetic stripe transactions in most other respects.

Are there any changes to settlement procedures?

While chip technology eliminates the need for paper vouchers and streamlines reconciliation, it normally will not negatively affect back-end processes.

What are the fallback procedures if the POS terminal fails to read the chip?

If the chip fails, the magnetic stripe and signature can usually be used instead. Or, in chip and PIN countries, if the cardholder forgets their PIN, they may be allowed to use a signature. However, these options may be discontinued once migration to chip is sufficiently advanced within a particular country. This is one more reason why it is important to encourage customers to use chip technology now.

Is chip technology good for business?

How will chip technology work?

Are there any changes to settlement procedures?

While chip technology eliminates the need for paper vouchers and streamlines reconciliation, it normally will not negatively affect back-end processes.

What are the fallback procedures if the POS terminal fails to read the chip?

PAYMENT APPLICATION – DATA SECURITY STANDARD

csdivakar — Tue, 29 Sep 2009 04:22:58 +0000

The Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). PA-DSS was implemented in an effort to provide the definitive data standard for software vendors that develop payment applications. The standard aims to prevent developed payment applications for third parties from storing prohibited secure data including magnetic stripe, CVV2, or PIN. In that process, the standard also dictates that software vendors develop payment applications that are compliant with the Payment Card Industry Data Security Standards (PCI DSS).

For a payment application to be deemed PA-DSS compliant, software vendors must ensure that their software includes the following 14 protections.

1. Do not retain full magnetic stripe, card validation, code or value, or PIN block data.

2. Protect stored cardholder data.

3. Provide secure authentication features.

4. Log payment application activity.

5. Develop secure payment applications.

6. Protect wireless transmissions.

7. Test payment applications to address vulnerabilities.

8. Facilitate secure network implementation.

9. Cardholder data must never be stored on a server connected to the internet.

10. Facilitate secure remote software updates.

11. Facilitate secure remote access to payment application.

12. Encrypt sensitive traffic over public networks.

13. Encrypt all non-console administrative access.

14. Maintain instructional documentation and training programs for customers, resellers, and integrators.

Payment Card Industry – Data Security Standard

csdivakar — Tue, 22 Sep 2009 06:31:29 +0000

Payment Card Industry (PCI) – Data Security Standard is standard set based on a consensus based process led by 5 major credit card companies. It is not a government enforced standard and compliance is enforced by the credit companies.

Non-compliance results in higher fees and severe fines in the event of breach. All merchants and service providers collecting and processing credit card transactions are required to comply with the PCI-DSS.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.

Benefits of Implementing PCI-DSS ( based on www.visaeurope.com)

In today’s environment, security has become a consideration for every type of business.

By following the standardised, industry-wide procedures of PCI DSS, organisations can:

Protect their customers’ personal data
Boost customer confidence through a higher level of data security
Insulate themselves from financial losses and remediation costs
Maintain customer trust, and safeguard the reputation of their brand
Provide a complete ‘health check’ for any business that stores or transmits customer information

As the technology used by merchants and their partners has evolved, card fraud has become more sophisticated. Any business that stores or transmits cardholder account data is a potential target.

PCI DSS protects cardholders and minimises the risk to your business.

Implementation of technological solutions that reduce the amount of card data handled by an organisation may also help considerably as they may:

Reduce the amount of data at risk of compromise
Reduce the scope of a PCI DSS compliance and other security and audit projects
Simplify an organisation’s security needs and plans

Examples of technologies that may help increase your security and reduce the risk of compromises are the use of a PCI DSS compliant service provider, the use of a secure payment application, the implementation of EMV Chip and PIN, data encryption, and tokenisation.