Payment systems and applications around the world have always put extra emphasis on security. Because payment systems handle sensitive payment information, a breach of that information can end with an account or money being compromised. As a result, card transactions at ATMs and POS terminals, as well as online transactions, have always carried additional layers of security. But hackers have also identified flaws in these systems and tried to exploit them, so payment security has evolved over time to cope with new threats.
SECURITY IN CARD PAYMENTS
Paying with cards has been a popular method of payment for years. Instead of carrying extra cash, consumers can pay with a debit, credit or prepaid card. As the payment card is used directly to make payments, the security of the card is the cardholder's first priority. Card security can be considered from several perspectives.
CARD ISSUER PERSPECTIVE
Card issuers are the parties who provide cards to cardholders for use. Usually banks and financial institutions act as card issuers. Before providing payment cards to card users, banks usually go through a process called card personalization. In this process, issuer bank and cardholder data are written onto the card. Whether it is a magnetic stripe card or a chip card, different security measures and parameters have to be placed inside the card by the issuer during personalization.
Apart from card issuance, issuers play a big role after a transaction is performed by the cardholder. Once a transaction is performed, the transaction request needs to be verified and authorized by the issuer. At this stage different parameter checks are performed, such as the authenticity of the cardholder, the authenticity of the terminal performing the transaction, the cardholder's eligibility and so on. After all these verifications, the issuer's system authorizes the transaction. It is therefore very important for the issuer to perform proper verification before authorizing a transaction; otherwise fraudulent transaction requests will be approved and customers' money will be compromised.
Acquirers own the payment acceptance devices (known as POS terminals) used for payments. In Bangladesh, banks usually act as acquirers after obtaining a license from Bangladesh Bank. Acquirers provide these POS terminals to merchants and train them on how to use the terminals. From an acquirer's perspective, it is crucial to manage the security of the terminal during a transaction.
POS terminals accept payment cards from cardholders. The terminal initially validates the card through different parameter checks and forwards the transaction request to the acquiring system. The security of the POS terminal is very important, especially from the acquirer's perspective. If adequate security measures are not taken, hackers can use the POS terminal to clone cardholders' payment card data and use that data to prepare a payment card for use at other terminals. To prevent this type of fraud, acquirers need to periodically perform maintenance and security evaluation of their terminals to make sure they have not been compromised.
There is always a dilemma among merchants regarding payment card acceptance. In order to accept card payments, they need to share the transaction royalty with the other parties of the payment eco-system. On top of that, they also have to face cardholders directly in case of a failed or fraudulent transaction. So merchants also need to be aware of the basics of card transactions.
As merchants directly handle the POS terminals, they should be properly trained in the usage and security aspects of the terminals. For online merchants the risk is greater; they can integrate with the different security programs offered by the payment networks.
As the cardholder is the owner of the payment card, it is his duty to maintain some very important aspects of payment security. One integral part of a card payment system is the transaction PIN associated with the card. The cardholder should change the default PIN provided by the issuer bank as soon as he receives the card. Moreover, during the card's lifecycle, he should not disclose the card PIN to any untrusted person, such as a merchant or a bank employee.
MAGNETIC STRIPE CARDS VS. CHIP CARDS
Since the advent of payment cards, there have been different card types with different security features. We are in an era of worldwide transformation among financial institutions from magnetic stripe cards to chip cards. EMV, a consortium of the world's leading payment brands such as Visa, Mastercard and American Express, is leading the change.
MAGNETIC STRIPE CARDS
The magnetic stripe card is a first-generation payment card that became popular in the 1990s. As the name says, these cards have a black magnetic band on the back. Cardholder and issuer bank data are stored on that band. The card is swiped through the POS terminal and the cardholder then enters the card PIN.
But using magnetic stripe cards also presents many potential threats. Reading data from the magnetic band is quite easy and simple. Magnetic stripe readers are easy to obtain and can even be made at home with simple tools like cassette recorders. So if a cardholder leaves his magnetic stripe payment card unattended for a moment, reading its data and making a transaction with it is not very difficult. Moreover, no verification or cryptographic operation is performed when the card data is read, which significantly increases the security risk.
The introduction of chip cards has removed the huge threat presented by magnetic stripe cards. A chip card carries a smart chip with cryptographic and processing capability. We can even think of it as a small computer, since the chip includes a microprocessor, memory and so on, just like a computer. Putting a chip inside the card enabled a great leap in card payments by allowing a first level of verification and authentication between the cardholder and the terminal. This significantly reduces the risk posed by magnetic stripe cards, because without proper authentication the chip data is unreadable.
As mentioned before, the global payment consortium EMV is leading the transformation to chip cards worldwide. To make the process easy, it has published standards on how a chip card should be prepared, how it should communicate with ATMs and POS terminals, and how a transaction is authenticated and authorized. As all the prominent payment brands are members of the EMV consortium and follow EMV standards, banks, financial institutions and payment processors are adopting the EMV standard to ensure the security and interoperability of their systems. Adoption of the EMV standard has also resulted in a significant reduction in fraudulent transactions worldwide.
SECURITY IN ONLINE PAYMENTS
Buying what you need from home through e-commerce websites is the latest trend. It has become a hassle-free way for people to buy things while saving valuable time. One important aspect of these e-commerce sites is the payment medium. E-commerce sites usually accept payment through payment cards issued by different banks and financial institutions. After checking out, customers enter their card number, expiry date and CVV number, all of which are printed on the card. The card information is then processed by the card-issuing bank through a payment gateway, and the transaction is authorized.
An important point about online payment is how it differs from in-person card payment. With an in-person card payment, in addition to the card's own security, the cardholder has to enter the PIN to complete the payment. On e-commerce sites there is no provision for entering the card PIN along with the other card information. This poses a greater risk, as anyone who gets hold of the payment card in the cardholder's absence can make a payment. A successful workaround for this problem was the introduction of the OTP.
An OTP is a one-time password consisting of a few digits. When a cardholder enters his card data on the e-commerce website, the data is sent to the issuer bank's system. The banking system then generates an OTP and sends it to the cardholder's mobile via SMS. The cardholder enters the OTP on the website and the OTP is verified at the bank's end; successful verification completes the transaction. Thus the OTP adds a further layer of security to online payments. The OTP can also be delivered to the cardholder by a software or hardware OTP generator, which in effect works as a two-factor authentication tool.
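The issuer-side part of the OTP flow described above, as an added example that is not from the original article: the bank generates a random code, binds it to one transaction, delivers it out of band, and only accepts it once, before it expires, for the same amount and within a small number of attempts. The class, field names and limits are assumptions for illustration.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed policy values, not from the article
OTP_TTL_SECONDS = 180
MAX_ATTEMPTS = 3


class OtpStore:
    """Issuer-side record of pending OTP challenges, keyed by transaction id."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}

    def issue(self, txn_id, pan_last4, amount):
        # Cryptographically random numeric code, zero-padded to OTP_DIGITS.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Bind the code to this transaction and amount so it cannot be
        # replayed against a different payment.
        self._pending[txn_id] = {
            "code": code,
            "amount": amount,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # Text the SMS gateway would deliver (constructed sample message).
        return f"OTP {code} for payment of {amount} with card ending {pan_last4}"

    def verify(self, txn_id, submitted, amount):
        rec = self._pending.get(txn_id)
        if rec is None:
            return False
        if self._now() > rec["expires"]:
            del self._pending[txn_id]        # expired: discard, never accept
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[txn_id]        # brute-force guard
            return False
        if not (isinstance(submitted, str) and submitted.isascii()):
            return False
        # Constant-time comparison; amount must match the bound transaction.
        ok = rec["amount"] == amount and hmac.compare_digest(rec["code"], submitted)
        if ok:
            del self._pending[txn_id]        # single use
        return ok
```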
CASH ON DELIVERY
One of the striking features and benefits of e-commerce websites is their support for cash on delivery. Customers can check out items and choose to pay when the item is delivered. On delivery, the customer pays the delivery man. The delivery man thus collects cash from different customers and, at the end of the day, hands that cash in at the e-commerce site's office.
The major risk in this system is the movement of the delivery man with the cash. He travels all day to the doorsteps of different customers carrying all of it, so there is a huge risk of the cash being compromised through forfeiture or seizure.
This risk can be mitigated if the transaction can be made cashless. If the customer pays the delivery man with a digital wallet, the delivery man does not need to carry cash and the threat of losing it disappears. One way out is the use of QR codes. Products can be shipped with QR codes associated with them; customers scan the QR code with a mobile app and pay the e-commerce site directly. This QR code payment feature can also be applied in other areas where handling cash is still a big issue and going cashless is a necessity.
NEW TECHNOLOGIES: NEW BENEFITS
The payment eco-system is now experiencing the emergence of new technologies in the form of mobile payment. Using a mobile wallet, consumers can store digital versions of their payment cards on their mobile with the help of Host Card Emulation (HCE) technology. Consumers no longer need to carry payment cards; they can carry the mobile to make payments at merchant locations. Payment with a mobile device can also be performed in different ways, of which NFC (Near Field Communication) and QR codes are the most promising. With NFC, the customer taps his mobile device on the POS terminal and the transaction takes place. With QR codes, the customer scans a QR code at the merchant location, or the merchant scans a QR code from the customer, for the payment to take place.
The disruption and innovation brought by mobile payment also come with new degrees of threat and challenge. With chip cards, the card application performs all its processing with the help of the chip. With mobile payment, all the sensitive payment data of the emulated card resides inside the mobile, and that is where the greater risk lies. A consumer's mobile device holds many other applications alongside the payment application, so there is always a risk of malicious apps trying to breach the security of the payment app and steal sensitive payment data. Communication with the banking system is another challenge. In card payment, the POS device uses a dedicated medium to communicate with the banking system, so the risk of data being captured from that medium is insignificant. In mobile payment, the mobile application has to communicate with the banking system over untrusted Wi-Fi networks or mobile internet. This poses a great challenge for mobile payment solution providers: transporting the transaction data securely to the banking server.
Different ways out of these threats have already been conceived and adopted in different systems. One ground-breaking idea is tokenization. EMV has backed tokenization with its framework, and major payment schemes have started moving to tokenized systems.
Another important aspect of mobile payment security is storing sensitive data safely inside the mobile device and making the communication with the banking server safe. To obtain both storage and communication security, cryptography is a fundamental measure. Adopting cryptography ensures that stored and transmitted data stays encrypted and can only be decrypted by the intended recipient. Financial mobile application providers need to keep these measures in mind in order to offer a secure and robust solution to the general public and to the financial community.
Security in payment systems is a vast and challenging area. Although new measures are being taken to tackle different threats, hackers are also working on countermeasures. So the security measures, both technical and manual, need to be audited and updated from time to time. The introduction of new disruptive payment technologies like mobile payment and QR code payment has certainly made payment convenient, but it has also posed new threats. Applying proper security features alongside these newer technologies will be the key to their success in the coming days. ■