The Payments Ecosystem: Security Challenges in the 21st Century
Phil Smith III, Voltage Security, Inc.
March 2013

Agenda
(C) Voltage Security, Inc. All Rights Reserved
- A Short History of Payments
- The Payments Landscape Today
- Anatomy of a Card Swipe
- Card Fraud: How It Happens
- Evolution
- Protecting Yourself and Your Company

A Short History of Payments

In the Beginning…
- Early currencies
- Large purchases
- Small purchases
- Purchases on Yap (Island of Stone Money)

Evolution
- Lighter than goats!
- Cheque invented: Persia, 550–330 BC
  – Achaemenid Empire (remember them?)
  – India, Rome, Knights Templar used cheques

More Modern Uses
- Cheques revived in 17th century England
- Soon after: preprinted, numbered, etc.
  – Magnetic Ink Character Recognition (MICR) added in 1960s

Modern Payments Systems

Many Alternatives to Checks
- Not the only game in town any more…
  – Online payment services (PayPal, WorldPay…)
  – Electronic bill payments (Internet banking et sim.)
  – Wire transfer (local or international)
  – Direct credit, initiated by payer: ACH in US, giro in Europe
  – Direct debit, initiated by payee
  – Debit cards
  – Credit cards
    (We'll focus on these)
  – …and of course good ol' cash!

Charge Cards vs Credit Cards
- Terms often interchanged, but quite different
  – Charge cards must be paid off that month
  – Credit cards offer revolving credit
- Charge cards came first
  – Most through stores, as loyalty/service improvements
  – Early 1900s: department stores, oil companies
  – 1936: Universal Air Travel Plan (air, rail, cruise travel)
  – 1946: First bank card
  – 1950: Diners Club
  – 1958: American Express

Closed and Open Loop Systems
- Early cards were closed loop
  – Only entities involved: buyer, seller, perhaps bank/issuer (AmEx)
- Most/all modern cards are open loop
  – One or more intermediaries involved in each transaction
  – Topology varies wildly depending on merchant size, etc.
- Even closed loop systems may touch open loop
  – E.g., store-specific gift cards may verify through open loop

Credit Cards
- 1958: BankAmericard
  – First true credit card, originally California only
  – Eventually started licensing to other banks
  – Became VISA in
- : MasterCharge (now MasterCard) created
- 1985: Discover, originally closed loop (Sears!), now open
- Even AmEx now offers revolving credit cards and debit

Debit Cards vs. Credit Cards vs. Gift Cards
- Debit cards are tied directly to a bank account
  – Many are usable for both signature and PIN debit
  – Signature debit feels like, but is not, a credit transaction
  – Debit cards also let you get cash back when making purchases
- Gift cards are essentially debit cards
  – Many hourly employees are paid with prepaid debit cards
  – Your Starbucks card is a refillable gift card, aka electronic purse
- Credit card rewards try to lure folks away from debit
  – Banks see credit users who don't carry balances as freeloaders
  – No-fee cards may be eliminated (though we've heard that before)

Anatomy of a Card Swipe
- A man walks into a bar…
  – …and eventually swipes a VISA card to pay the tab
- Simple, right?
- Wrong…so wrong…

Jargon: Acquirers, Processors, Issuers, and Brands
- Acquirers are the banks the merchant deals with
  – Eventually pay the merchant the money you charge
- Processors do what it sounds like: process transactions
  – Acquirer and processor distinction unimportant to the consumer
  – I'll use them interchangeably, so don't be confused
- Brands are the cards: VISA, American Express, et al.
  – The central clearing house for transactions
- Issuers are the banks the consumer deals with
  – Your credit card came from an issuer

The Simple Case: Small Merchant
(diagram) Card swipe → Processor / acquirer → Card Brand → Issuer (TBTF Bank, Inc.)

More Complex Case
(diagram) Card swipe → POS terminal → Controller → Switch / Gateway → Processor / acquirer → Card Brand → Issuer (TBTF Bank, Inc.)

Card Not Present
(diagram) Call Center / Mobile Wallet → Virtual POS Terminal → Controller → Switch / Gateway → Processor / acquirer → Card Brand → Issuer (TBTF Bank, Inc.)

And Then There's the Web…
(diagram) Browser → Payment Page → Controller → Switch / Gateway → Processor / acquirer → Card Brand → Issuer (TBTF Bank, Inc.)

Details: Authorization vs. Settlement
- Card brand does authorization at purchase time
  – Contacts issuing bank with card and charge details
  – Checks status of account, allows or declines
- Merchant does settlement at end-of-day (or thereabouts)
  – At settlement, actual charges are processed, sent to issuing bank

Anatomy of a PAN (Primary Account Number): Major Industry Identifier (MII)
- A Costco AmEx:
- A Chase VISA:
- MII (the first digit) indicates card type:
  – 1 & 2: Airlines, future (2)
  – 3: Travel & Entertainment (DC, AX)
  – 4: Visa
  – 5: MasterCard, banking
  – 6: Discover, merchandising, banking
  – 7: Gasoline cards
  – 8: Telecom
  – 9: For use by national standards bodies; digits 2–4 are ISO country code
- Within those ranges:
  – Amex: 34 or 37
  – JCB: 1800, 2131, 35
  – Diners Club: , 36, 38
  – MasterCard: 51–55
  – Discover: 6011 or 650x

Anatomy of a Card Number: Issuer Identification Number (IIN, formerly BIN)
- A Costco AmEx:
- A Chase VISA:
- First six digits are the IIN
- Brands vary, however: it's not that simple!

Examples of Card Sub-Formats
- American Express:
  – 3 = type (business or personal)
  – 4 = currency
  – 5–11 = actual account number
  – = card # within account
  – 15 = Luhn checksum
- VISA:
  – Digits 2–6 = bank
  – Digits 7–12 or 7–15 = account #
- MasterCard:
  – 2–n (n = 4–6) = bank number (1x, 2xx, 3xxx, xxxxx)
  – n–15 = account number

Anatomy of a Card Number: Individual Account Identifier
- A Costco AmEx:
- A Chase VISA:
- This is the real account number
  – The part unique to your card

Anatomy of a Card Number: Luhn checksum
- A Costco AmEx:
- A Chase VISA:
- Last digit: Luhn checksum
  – To catch data entry errors, not for security!
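As an added example (not from the presentation), the PAN rules from the slides above in working form: the Luhn check digit, the MII and brand-prefix table, and a check of which keying errors Luhn does and does not catch. The sample numbers are the widely published brand test numbers or are constructed here; none is a real account.

```python
# Added example, not from the presentation: Luhn check digit plus the MII and
# brand-prefix rules from the "Anatomy of a PAN" slides. Sample numbers are the
# widely published brand test numbers or constructed here, never real accounts.

# MII (first PAN digit) -> industry, as listed on the slide
MII_INDUSTRY = {"1": "Airlines", "2": "Airlines (future)",
                "3": "Travel & Entertainment", "4": "Visa",
                "5": "MasterCard / banking", "6": "Discover / merchandising, banking",
                "7": "Gasoline cards", "8": "Telecom", "9": "National standards bodies"}

# Brand prefixes from the slide ("650x" means any 650 prefix). Diners Club's
# first range is missing on the slide, so only 36 and 38 are listed here.
BRAND_PREFIXES = [("American Express", ("34", "37")),
                  ("JCB", ("1800", "2131", "35")),
                  ("Diners Club", ("36", "38")),
                  ("MasterCard", ("51", "52", "53", "54", "55")),
                  ("Discover", ("6011", "650")),
                  ("Visa", ("4",))]


def luhn_valid(pan: str) -> bool:
    """True if the rightmost digit is a correct Luhn check digit."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    # From the right, double every second digit (starting left of the check
    # digit); a doubled value above 9 has 9 subtracted.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The digit to append to `partial` so the result passes luhn_valid."""
    return next(d for d in "0123456789" if luhn_valid(partial + d))


def classify_pan(pan: str) -> dict:
    """Generic IIN / account / check split from the slides; brand sub-formats
    (e.g. AmEx's type and currency digits) are not modelled."""
    digits = "".join(c for c in pan if c.isdigit())
    brand = next((name for name, prefixes in BRAND_PREFIXES
                  if digits.startswith(prefixes)), "unknown")
    return {"mii": digits[0], "industry": MII_INDUSTRY.get(digits[0], "unknown"),
            "brand": brand, "iin": digits[:6], "account": digits[6:-1],
            "check_digit": digits[-1], "luhn_ok": luhn_valid(digits)}


def single_digit_error_detection_rate(pan: str) -> float:
    """Share of single-digit substitutions of a valid PAN that Luhn rejects."""
    digits = "".join(c for c in pan if c.isdigit())
    trials = caught = 0
    for i, orig in enumerate(digits):
        for d in "0123456789":
            if d != orig:
                trials += 1
                caught += not luhn_valid(digits[:i] + d + digits[i + 1:])
    return caught / trials


def adjacent_transposition_caught(pan: str, i: int) -> bool:
    """Does Luhn reject swapping digits i and i+1? Every single-digit error is
    caught, but a 09 <-> 90 swap is not: it is a typo check, not security."""
    digits = "".join(c for c in pan if c.isdigit())
    swapped = digits[:i] + digits[i + 1] + digits[i] + digits[i + 2:]
    return not luhn_valid(swapped)
```

Every single-digit substitution is rejected because doubling-and-reducing is a bijection on the digits, while the 09/90 transposition survives because both orders contribute 9 to the sum; that is exactly why the slide calls Luhn a data-entry check rather than a security feature.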

What's On the Magnetic Stripe (or chip)?
- Three tracks of data
  – PAN (Primary Account Number), name, expiration, etc.
  – Data often duplicated across tracks
  – Many format variations, controlled by flag bits
- Not a lot of data storage capacity
  – Lowest common denominator: dialup POS terminals!

Who Pays For All This? (You, of course, but how?)
- Merchants are divided into four tiers (1 = highest/largest)
  – Based on processing volume
  – Higher tier = more security requirements, including annual audits
- Merchants pay per transaction, typically either
  – Transaction charge + percentage of transaction (e.g., $ %)
  – Fixed percentage of total transactions
  – Credit cards cost more than signature debit; PIN debit cheapest
- The Big Money: interest and late fees
  – But transaction fees add up: tens of $billions each year!

Credit Card Economics

What About Checkout Fees?
- 2013/01/27: US merchants can charge customers swipe fees
  – Result of 2005 antitrust suit, large retailers vs. credit card companies
- Significant restrictions:
  – Must disclose fees in multiple places (store, POS, web page, receipt)
  – Cannot exceed amount of transaction fees
  – Credit cards only: not debit, even signature debit used as credit card
  – Still forbidden in ten states: CA, CO, CT, FL, KS, ME, MA, NY, OK, TX
  – Must be consistent: if you do business in CA, cannot charge anywhere
- The reality: No major retailers plan to charge fees
  – Negative perception viewed as worse than cost of fees
  – Net result: these fees are a non-event

Every One of These Gets a Bite of the Pie…

Fees and More Fees: Debit Cards
- Checks are rapidly dying (you knew that)
  – PIN debit most popular payment method
  – Cheapest for merchants, too
- Ironic, considering banks' fears about lost fees with debit
  – No credit card overdraft/late payment fees! We'll go broke!
  – Brainstorm: Allow debit overdrafts!
  – Second brainstorm: Process signature transactions largest to smallest
  – Legislation, lawsuits, settlements straightened this out some

Card Fraud: How It Happens

Types of Card Fraud
- Lost/stolen cards, or new cards intercepted from mail
- Unauthorized card-not-present use (thieves, merchants)
- Counterfeit cards (from stolen/skimmed card information)
- Identity theft/identity creation
- Bust Out and Friendly Fraud

Skimmers

Pinhole camera glued to ATM

Fraud and the Payments Industry
- The Payments industry doesn't care [much] about fraud
  – Total US credit card charges: $1.5T
  – Industry revenues: $150B
  – Fraud: $1.5B (estimated)
  – Losses due to default/bankruptcy: $20B (estimated)
- What they care most about is consumer confidence
  – Coupled with ease of use
  – Fighting fraud thus worth their while, but for PR more than $$$
  – US card fraud has dropped every year for the last decade or so

Who Pays for Fraud?
- Usually not the card brands!
  – Issuers push as much as possible onto merchants
- Usually not you (at least, not directly)
  – Laws often provide consumer protection
  – The consumer confidence/ease-of-use thing plays here, too
- Merchants often have no recourse
  – E.g., Friendly Fraud: claimed to be more than 2x real fraud!
  – You pay in higher prices, of course
- Debit cards have fewer protections than credit cards!
  – Consumer usually pays for PIN debit fraud

Payments Protection
"Sure is a nice credit card you have there… would be a shame if sumpin' happened to it…"

Industry Anti-Fraud Measures
- Artificial intelligence/heuristics
  – (Try to) detect buying patterns that look fraudulent
- Restrictions on high-risk items
  – E.g., electronics shipped to addresses other than cardholder's
- AVS (Address Verification Service)
  – Validates parts of address with card brand
- Manually entering last four
  – Matches physical numbers to magstripe values

Industry Anti-Fraud Measures
- Physical card features to reduce card-present fraud
  – CSC/CVD/CVV/CVVC/CVC/CCV/V-Code
  – Cardholder's photo on card
  – Holograms

Anti-Fraud Measures: Visa Card Security Features

More Industry Anti-Fraud Measures
- EMV: cross-brand standard for smart cards
  – AKA Chip & Pin cards
  – Enables offline authorizations (and thus transactions)
- Card-never-leaves-owner's-presence (EU/Canada/others)
- Encryption at point of sale, in both POS and browser
  – PCI DSS requires encryption at various levels for some tiers

What About RFID and NFC Cards?
- RFID and NFC (Near-Field Communications) spreading
  – Allow waving card or touching smartphone instead of swiping
  – VISA payWave, MasterCard PayPass, AmEx ExpressPay
  – ISIS mobile wallet in your smartphone!
- In theory, black hats can read these from afar
  – Clone the card info, use it (perhaps only once)
- In fact, no reported cases of this kind of fraud
  – Plus: more than one such card makes it impossible (interference)
  – Can also wrap card in foil, or use sleeves sold/given as swag
  – Perhaps dummy RFID+NFC built into wallet to force interference?

For Yourself: Common Sense
You've heard the usual warnings…
1. Don't give your card number out casually
2. Avoid writing down your card number
3. Keep your card in sight as much as possible
4. Consider virtual credit card numbers for web transactions
5. Keep a list of the numbers in a secure place
6. Check your statements
7. Don't send money to Nigerian courtiers

For Your Company: Encryption and Tokenization
- Encrypt/tokenize stored credit card numbers, per PCI DSS
  – PCI DSS offers good guidance on how to reduce data breach risk
  – Lots of options; I happen to think Voltage SecureData is best
- POS end-to-end encryption
  – If you're a merchant or processor, encrypt in the payment terminal
  – Leading payments processors use Voltage for this purpose
- Web end-to-end encryption
  – Encrypt in the browser, using FPE in JavaScript
  – Even with SSL, waypoints may be insecure, are in PCI DSS scope
  – Surprise, Voltage has a solution for that too

Evolution

Physical Evolution
- Square, SailPay, GoPayment, PayAnywhere, mPowa…
  – Smartphone + hardware = easy mobile payments
  – First four are swipe-only; mPowa also does Chip&Pin
- LevelUp, Boku
  – Payments through your phone without a swipe device
- Twitter
  – Amex Sync lets you buy things directly by tweeting!
- DipJar
  – Simplify tipping for credit card transactions (Starbucks!)
- Dwolla
  – Person-to-person payments: debit card PayPal (sorta)

Logical Evolution
- Cash to checks to credit cards to…ecash!
  – Big in 1999–2001 Internet bubble: DigiCash, eCash, Flooz, Beenz, InternetCash, Dexit, Qpass
  – Survivors and newcomers, mostly overseas: Chipknip, Geldkarte, Itex, Klickex, MintChip, Mono, Ukash, cashU
  – Bitcoin, LiteCoin, Ven, Ripple: faith- (crypto-) backed currencies
- Digital gold currency providers also came and went
  – Included Standard Reserve, OSGold, INTGold, EvoCash, V-Money
  – Most failed due to fraud by founders

Infrastructure Evolution
- Payments landscape is constantly evolving
  – Layers (processors, networks) are sold or spun off
  – Mergers, consolidations, partnerships (JCB+MC, Discover+JCB…)
- Threat landscape also evolving
  – Carder sites, international fraud rings growing
  – Chip & Pin (EMV) will arrive here sooner or later, may help
  – Unless superseded first (perhaps by end-to-end encryption)
- Protection (via encryption) is spreading
  – Makes data breaches (almost) meaningless
  – Voltage SecureData helps a lot here

Threat Evolution
- Some EMV devices use weak random number generator
  – Could lead to pre-play attacks: cards cloned from POS data
- $10 million stolen by cracking Subway stores' POS systems
  – Payment terminals were on the Internet
- Bitcoin hacked for $250,000 worth of virtual cash
  – Keys were stored unencrypted
- Australian McDonald's customers' card data stolen
  – Thieves replaced swipe devices, cloned cards; at least $4M stolen

Summary
- We've barely scratched the surface here
- Credit cards are the payments technology we use most
  – …though ACH and wire transfer are far larger $$$-wise
- Spend some time with Google: you'll learn a ton more
- And watch the news…things will keep changing!

Questions?
Phil Smith III
(703)