SlideShare a Scribd company logo

Payment Card System Overview

Download as PPTX, PDF
Narudom Roongsiriwong, CISSP
Narudom Roongsiriwong, CISSP

Payment card system authorization and settlement explanation including need-to-know information.

Retail
1 of 16
| Card Payment System Overview Narudom Roongsiriwong CISSP 24 June 2016
| About Me Head of IT Security, Kiatnakin Bank PLC (KKP) Committee Member – Cloud Security Alliance (CSA) Consultant – OWASP Thailand Chapter Working Team for Adviser to the Finance Ministry's National e-Payment project E-mail: narudom.roongsiriwong@owasp.org 24 June 20162
| When the customer want to make a payment by credit/debit card, authorization flow starts. 24 June 20163
| Simplified Authorization Flow 1. The customer make a payment. Enter cardholder data into the merchant’s payment system (POS, e-commerce website). 2. The Merchant sends card data to an acquirer/payment processor who will route data to through the payments system for processing. For e-commerce, a payment gateway may redirect website to the acquirer. 3. The acquirer/processor sends the data to Payment brand 4. Payment brand forwards the data to the issuer. The issuer verifies and make approval. . For e-commerce, a payment gateway may redirect website to the issuer (ex. Verified by VISA). 24 June 20164
| Simplified Authorization Flow for Card Payment 5. If the issuer agrees to fund the purchase, it will generate an authorization number and routes back to the card brand. 6. Payment brand forwards the authorization code back to the acquirer/processor. 7. The acquirer/processor sends the authorization code back to the merchant. 8. The merchant concludes the sale with the customer. 24 June 20165
| Electronics Data Capture (EDC) 24 June 20166 A Point-of-sale terminal for submitting and validating card transactions to a merchant account provider, or some other card transaction processor.
| EDC Use Case 24 June 20167
| ISO 8583 Financial Transaction Message Format 24 June 20168 One of the most widely used format Card originated transactions purchase, withdrawal, deposit, refund, reversal, balance inquiry, payments and inter-account transfers System-to-system messages secure key exchanges, reconciliation of totals, network sign-on/sign-off and other administrative messages Structured as follows Header Message type identifier Primary bitmap Secondary bitmap Data elements
| ISO 8583 Message Structure 24 June 20169 Header Network specific thus Visa and MasterCard use a different message header structure Message Type Identifier (MTI) Classifies the high level function of the message One or more bitmaps indicating which data elements are present in the message Data elements or fields Bitmap Binary value Defines presence of fields 42100011 02C04804 0100001000010000000000000001000 1000000101100000001001000000001 00 2, 7, 12, 28, 32, 39, 41, 42, 50, 53, 62
| Magnetic Card vs EMV 24 June 201610 Magnetic Stripe Card Chip Card Initial terminal- card interaction Terminal gets static data from card • Terminal identifies card type (chip, non- chip) • Terminal and card agree on Application ID • Card generates request cryptogram Request includes Data from magnetic stripe Authorization processing must include EMV • Validate request cryptogram • Optionally generate response cryptogram • Optionally generate a command for the card Response may include new EMV data elements Final terminal- card interaction • Card validates response cryptogram if sent by issuer • Card executes command if sent by issuer
| Verification Options Cardholder Verification 24 June 201611 No CVM Signature On-line PIN at ATM On-line PIN at POS Off-line PIN plain texted Off-line PIN enciphered Verification Fallback
| Card not Present 24 June 201612 A remote purchase where the cardholder and the card are not present at the point-of-sale A remote purchase CNP transaction can be for: Mail order Telephone order A sale made over the internet Recurring Verification CVV2 Verification by requesting the three-digit code AVS verify the cardholder’s billing address by the issuer Verified by VISA®
| Card Management System 24 June 201613  Register – adding a smart card to the smart card management system  Issue – issuing or personalizing the smart card for a smart card holder  Initiate – activating the smart card for first use by the smart card holder  Deactivate – putting the smart card on hold in the backend system  Activate – reactivating the smart card from a deactivated state  Lock – also called block; smart card holder access to the smart card is not possible  Unlock – also called unblock; smart card holder access to the smart card is re-enabled  Revoke – credentials on the smart card are made invalid  Retire – the smart card is disconnected from the smart card holder  Delete – the smart card is permanently removed from the system  Unregister – the smart card is removed from the system (but could potentially be reused)  Backup - Backup smart card certificates and selected keys  Restore - Restore smart card certificates and selected keys
| Simplified Settlement Flow 24 June 201614 1. The merchant submits settlement message from EDC. For e- commerce, it would be done automatically. 2. Merchant’s bank sends clearing data to payment brand 3. Payment brand calculates net settlement position and sends advisement to merchant’s bank and cardholder’s bank and Transfer Fund Order to settlement banks
| Simplified Settlement Flow 24 June 201615 4. Settlement bank facilitates exchange of funds to guarantee payment to merchant’s bank 5. Cardholder’s bank sends payment to settlement bank 6. Merchant’s bank pay merchant for card purchases. 7. Cardholder’s bank bills cardholder for purchases
| Thank You 24 June 201616

Recommended

How Credit Card Processing Works
How Credit Card Processing WorksHow Credit Card Processing Works
How Credit Card Processing WorksBusiness.com
 
EMV Overview
EMV OverviewEMV Overview
EMV OverviewKona Software Lab Limited.
 
Online Payment Gateway System
Online Payment Gateway SystemOnline Payment Gateway System
Online Payment Gateway SystemMannu Khani
 
Payment gateway/payment service providers and future trends in mobile payment...
Payment gateway/payment service providers and future trends in mobile payment...Payment gateway/payment service providers and future trends in mobile payment...
Payment gateway/payment service providers and future trends in mobile payment...Danail Yotov
 
Credit Card Issuers
Credit Card IssuersCredit Card Issuers
Credit Card IssuersFloyd Saunders
 
Digital Bank: What and How
Digital Bank: What and HowDigital Bank: What and How
Digital Bank: What and HowIvano Digital
 
EMV chip cards
EMV chip cardsEMV chip cards
EMV chip cardsDilip Kumar
 
E-money
E-moneyE-money
E-moneyZakaria Hasan
 

Recommended

How Credit Card Processing Works
How Credit Card Processing WorksHow Credit Card Processing Works
How Credit Card Processing WorksBusiness.com
 
EMV Overview
EMV OverviewEMV Overview
EMV OverviewKona Software Lab Limited.
 
Online Payment Gateway System
Online Payment Gateway SystemOnline Payment Gateway System
Online Payment Gateway SystemMannu Khani
 
Payment gateway/payment service providers and future trends in mobile payment...
Payment gateway/payment service providers and future trends in mobile payment...Payment gateway/payment service providers and future trends in mobile payment...
Payment gateway/payment service providers and future trends in mobile payment...Danail Yotov
 
Credit Card Issuers
Credit Card IssuersCredit Card Issuers
Credit Card IssuersFloyd Saunders
 
Digital Bank: What and How
Digital Bank: What and HowDigital Bank: What and How
Digital Bank: What and HowIvano Digital
 
EMV chip cards
EMV chip cardsEMV chip cards
EMV chip cardsDilip Kumar
 
E-money
E-moneyE-money
E-moneyZakaria Hasan
 
E wallet
E walletE wallet
E walletanuja joshi
 
Introduction to emv
Introduction to emvIntroduction to emv
Introduction to emvAnil Chaurasiya
 
E wallet
E walletE wallet
E walletshaik chand basha
 
E wallet- final
E wallet- finalE wallet- final
E wallet- finalAnshuman Roy
 
National payment system architecture
National payment system architectureNational payment system architecture
National payment system architectureAnil Chaurasiya
 
Digital platform and mobile app for banks and credit unions
Digital platform and mobile app for banks and credit unionsDigital platform and mobile app for banks and credit unions
Digital platform and mobile app for banks and credit unionsMikhail Miroshnichenko
 
Credit Card Systems
Credit Card SystemsCredit Card Systems
Credit Card SystemsAce Institute of Management (Nepal), Institute of Management Studies (Nepal)
 
Payment gateway
Payment gatewayPayment gateway
Payment gatewayHananBahy
 
Payment Gateway
Payment GatewayPayment Gateway
Payment GatewayAshraf Bashir
 
Peter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsPeter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsCiklum Ukraine
 
Payment Gateway
Payment GatewayPayment Gateway
Payment GatewayShujaShah
 
How an online payment gateway works
How an online payment gateway worksHow an online payment gateway works
How an online payment gateway worksIkajo International
 
Payment Gateway
Payment GatewayPayment Gateway
Payment GatewayNyros Technologies
 
overview of electronic payment system
overview of electronic payment system overview of electronic payment system
overview of electronic payment system Kavitha Ravi
 
Online payment gateway provider
Online payment gateway providerOnline payment gateway provider
Online payment gateway providerPayment Gateways
 
E-payment and E-payment System (EPS) / Classification of E-payment
E-payment and E-payment System (EPS) / Classification of E-paymentE-payment and E-payment System (EPS) / Classification of E-payment
E-payment and E-payment System (EPS) / Classification of E-paymentUttar Tamang ✔
 
7.credit card and debit card working and management
7.credit card and debit card working and management7.credit card and debit card working and management
7.credit card and debit card working and managementSuchet Pajni
 
Payment Gateway
Payment Gateway Payment Gateway
Payment Gateway Rohit Srivastav
 
Electronic Payment System (EPS) Presentation
Electronic Payment System (EPS) PresentationElectronic Payment System (EPS) Presentation
Electronic Payment System (EPS) PresentationDevansh Aggarwal
 
Payment
PaymentPayment
PaymentAman Lalpuria
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP
 
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategySecure Software Development Adoption Strategy
Secure Software Development Adoption StrategyNarudom Roongsiriwong, CISSP
 

More Related Content

What's hot

National payment system architecture
National payment system architectureNational payment system architecture
National payment system architectureAnil Chaurasiya
 
Digital platform and mobile app for banks and credit unions
Digital platform and mobile app for banks and credit unionsDigital platform and mobile app for banks and credit unions
Digital platform and mobile app for banks and credit unionsMikhail Miroshnichenko
 
Payment gateway
Payment gatewayPayment gateway
Payment gatewayHananBahy
 
Peter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsPeter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsCiklum Ukraine
 
Payment Gateway
Payment GatewayPayment Gateway
Payment GatewayShujaShah
 
How an online payment gateway works
How an online payment gateway worksHow an online payment gateway works
How an online payment gateway worksIkajo International
 
overview of electronic payment system
overview of electronic payment system overview of electronic payment system
overview of electronic payment system Kavitha Ravi
 
Online payment gateway provider
Online payment gateway providerOnline payment gateway provider
Online payment gateway providerPayment Gateways
 
E-payment and E-payment System (EPS) / Classification of E-payment
E-payment and E-payment System (EPS) / Classification of E-paymentE-payment and E-payment System (EPS) / Classification of E-payment
E-payment and E-payment System (EPS) / Classification of E-paymentUttar Tamang ✔
 
7.credit card and debit card working and management
7.credit card and debit card working and management7.credit card and debit card working and management
7.credit card and debit card working and managementSuchet Pajni
 
Electronic Payment System (EPS) Presentation
Electronic Payment System (EPS) PresentationElectronic Payment System (EPS) Presentation
Electronic Payment System (EPS) PresentationDevansh Aggarwal
 

What's hot (20)

E wallet
E walletE wallet
E wallet
 
Introduction to emv
Introduction to emvIntroduction to emv
Introduction to emv
 
E wallet
E walletE wallet
E wallet
 
E wallet- final
E wallet- finalE wallet- final
E wallet- final
 
National payment system architecture
National payment system architectureNational payment system architecture
National payment system architecture
 
Digital platform and mobile app for banks and credit unions
Digital platform and mobile app for banks and credit unionsDigital platform and mobile app for banks and credit unions
Digital platform and mobile app for banks and credit unions
 
Credit Card Systems
Credit Card SystemsCredit Card Systems
Credit Card Systems
 
Payment gateway
Payment gatewayPayment gateway
Payment gateway
 
Payment Gateway
Payment GatewayPayment Gateway
Payment Gateway
 
Peter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online PaymentsPeter Afanasiev - Architecture of online Payments
Peter Afanasiev - Architecture of online Payments
 
Payment Gateway
Payment GatewayPayment Gateway
Payment Gateway
 
How an online payment gateway works
How an online payment gateway worksHow an online payment gateway works
How an online payment gateway works
 
Payment Gateway
Payment GatewayPayment Gateway
Payment Gateway
 
overview of electronic payment system
overview of electronic payment system overview of electronic payment system
overview of electronic payment system
 
Online payment gateway provider
Online payment gateway providerOnline payment gateway provider
Online payment gateway provider
 
E-payment and E-payment System (EPS) / Classification of E-payment
E-payment and E-payment System (EPS) / Classification of E-paymentE-payment and E-payment System (EPS) / Classification of E-payment
E-payment and E-payment System (EPS) / Classification of E-payment
 
7.credit card and debit card working and management
7.credit card and debit card working and management7.credit card and debit card working and management
7.credit card and debit card working and management
 
Payment Gateway
Payment Gateway Payment Gateway
Payment Gateway
 
Electronic Payment System (EPS) Presentation
Electronic Payment System (EPS) PresentationElectronic Payment System (EPS) Presentation
Electronic Payment System (EPS) Presentation
 
Payment
PaymentPayment
Payment
 

Viewers also liked

OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceNarudom Roongsiriwong, CISSP
 
Exploring Payment Platforms - ISO 20022 and ISO 8583
Exploring Payment Platforms - ISO 20022 and ISO 8583Exploring Payment Platforms - ISO 20022 and ISO 8583
Exploring Payment Platforms - ISO 20022 and ISO 8583PECB
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsNarudom Roongsiriwong, CISSP
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Narudom Roongsiriwong, CISSP
 
Instabill Blogs August 10-14
Instabill Blogs August 10-14Instabill Blogs August 10-14
Instabill Blogs August 10-14Instabill
 

Viewers also liked (20)

OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object Reference
 
Secure Software Development Adoption Strategy
Secure Software Development Adoption StrategySecure Software Development Adoption Strategy
Secure Software Development Adoption Strategy
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Application Security: Last Line of Defense
Application Security: Last Line of DefenseApplication Security: Last Line of Defense
Application Security: Last Line of Defense
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
 
AnyID: Security Point of View
AnyID: Security Point of ViewAnyID: Security Point of View
AnyID: Security Point of View
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Unlock Security Insight from Machine Data
Unlock Security Insight from Machine DataUnlock Security Insight from Machine Data
Unlock Security Insight from Machine Data
 
ISO 8583 Financial Message Format
ISO 8583 Financial Message FormatISO 8583 Financial Message Format
ISO 8583 Financial Message Format
 
Exploring Payment Platforms - ISO 20022 and ISO 8583
Exploring Payment Platforms - ISO 20022 and ISO 8583Exploring Payment Platforms - ISO 20022 and ISO 8583
Exploring Payment Platforms - ISO 20022 and ISO 8583
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 
Top 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security ProblemsTop 10 Bad Coding Practices Lead to Security Problems
Top 10 Bad Coding Practices Lead to Security Problems
 
Iso8583
Iso8583Iso8583
Iso8583
 
Risk Management in Project Management
Risk Management in Project ManagementRisk Management in Project Management
Risk Management in Project Management
 
AnyID and Privacy
AnyID and PrivacyAnyID and Privacy
AnyID and Privacy
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
plastic money
plastic moneyplastic money
plastic money
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)
 
Instabill Blogs August 10-14
Instabill Blogs August 10-14Instabill Blogs August 10-14
Instabill Blogs August 10-14
 
The Main Complaints of EMV Technology
The Main Complaints of EMV TechnologyThe Main Complaints of EMV Technology
The Main Complaints of EMV Technology
 

Similar to Payment Card System Overview

Software for Payment Cards: Choosing Wisely
Software for Payment Cards: Choosing WiselySoftware for Payment Cards: Choosing Wisely
Software for Payment Cards: Choosing WiselyCognizant
 
electronic commerce payment systems
electronic commerce payment systemselectronic commerce payment systems
electronic commerce payment systemstumetr1
 
Card payment evolution v1.0
Card payment evolution v1.0Card payment evolution v1.0
Card payment evolution v1.0Nugroho Gito
 
Guide to Understanding Credit Card Processing for Merchants
Guide to Understanding Credit Card Processing for MerchantsGuide to Understanding Credit Card Processing for Merchants
Guide to Understanding Credit Card Processing for MerchantsChloeBeckham
 
Online payment system
Online payment systemOnline payment system
Online payment systemmyangel27
 
Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...IRJET Journal
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryNarudom Roongsiriwong, CISSP
 
Implementing a Secured E-Payment Authorisation System Using Two-Factor Authen...
Implementing a Secured E-Payment Authorisation System Using Two-Factor Authen...Implementing a Secured E-Payment Authorisation System Using Two-Factor Authen...
Implementing a Secured E-Payment Authorisation System Using Two-Factor Authen...IJRESJOURNAL
 
python pre-submission report.pdf
python pre-submission report.pdfpython pre-submission report.pdf
python pre-submission report.pdfSruthiMugle
 
E banking of axis bank
E banking of axis bankE banking of axis bank
E banking of axis bankSitaram Saini
 
SRS for banking system requirement s.ppt
SRS for banking system requirement s.pptSRS for banking system requirement s.ppt
SRS for banking system requirement s.pptubaidullah75790
 
The Target Breach – Follow The Money
The Target Breach – Follow The MoneyThe Target Breach – Follow The Money
The Target Breach – Follow The MoneyResilient Systems
 

Similar to Payment Card System Overview (20)

Software for Payment Cards: Choosing Wisely
Software for Payment Cards: Choosing WiselySoftware for Payment Cards: Choosing Wisely
Software for Payment Cards: Choosing Wisely
 
Design.pptx
Design.pptxDesign.pptx
Design.pptx
 
Micro Finance with Smart Card
Micro Finance with Smart CardMicro Finance with Smart Card
Micro Finance with Smart Card
 
electronic commerce payment systems
electronic commerce payment systemselectronic commerce payment systems
electronic commerce payment systems
 
E-Commerce 08
E-Commerce 08E-Commerce 08
E-Commerce 08
 
Card payment evolution v1.0
Card payment evolution v1.0Card payment evolution v1.0
Card payment evolution v1.0
 
Guide to Understanding Credit Card Processing for Merchants
Guide to Understanding Credit Card Processing for MerchantsGuide to Understanding Credit Card Processing for Merchants
Guide to Understanding Credit Card Processing for Merchants
 
Online payment system
Online payment systemOnline payment system
Online payment system
 
Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...Application to Quickly and Safely Store and Recover Credit Card’s Information...
Application to Quickly and Safely Store and Recover Credit Card’s Information...
 
Embedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment IndustryEmbedded System Security: Learning from Banking and Payment Industry
Embedded System Security: Learning from Banking and Payment Industry
 
Implementing a Secured E-Payment Authorisation System Using Two-Factor Authen...
Implementing a Secured E-Payment Authorisation System Using Two-Factor Authen...Implementing a Secured E-Payment Authorisation System Using Two-Factor Authen...
Implementing a Secured E-Payment Authorisation System Using Two-Factor Authen...
 
Assignment
AssignmentAssignment
Assignment
 
Payment gateway
Payment gatewayPayment gateway
Payment gateway
 
python pre-submission report.pdf
python pre-submission report.pdfpython pre-submission report.pdf
python pre-submission report.pdf
 
Class 13
Class 13Class 13
Class 13
 
E Payment
E PaymentE Payment
E Payment
 
E banking of axis bank
E banking of axis bankE banking of axis bank
E banking of axis bank
 
Securing Online Card Transactions
Securing Online Card TransactionsSecuring Online Card Transactions
Securing Online Card Transactions
 
SRS for banking system requirement s.ppt
SRS for banking system requirement s.pptSRS for banking system requirement s.ppt
SRS for banking system requirement s.ppt
 
The Target Breach – Follow The Money
The Target Breach – Follow The MoneyThe Target Breach – Follow The Money
The Target Breach – Follow The Money
 

More from Narudom Roongsiriwong, CISSP

How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19Narudom Roongsiriwong, CISSP
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard ProjectNarudom Roongsiriwong, CISSP
 

More from Narudom Roongsiriwong, CISSP (14)

Biometric Authentication.pdf
Biometric Authentication.pdfBiometric Authentication.pdf
Biometric Authentication.pdf
 
Security Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdfSecurity Shift Leftmost - Secure Architecture.pdf
Security Shift Leftmost - Secure Architecture.pdf
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
Security Patterns for Software Development
Security Patterns for Software DevelopmentSecurity Patterns for Software Development
Security Patterns for Software Development
 
How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19How Good Security Architecture Saves Corporate Workers from COVID-19
How Good Security Architecture Saves Corporate Workers from COVID-19
 
Secure Software Design for Data Privacy
Secure Software Design for Data PrivacySecure Software Design for Data Privacy
Secure Software Design for Data Privacy
 
Blockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for DummiesBlockchain and Cryptocurrency for Dummies
Blockchain and Cryptocurrency for Dummies
 
DevSecOps 101
DevSecOps 101DevSecOps 101
DevSecOps 101
 
National Digital ID Platform Technical Forum
National Digital ID Platform Technical ForumNational Digital ID Platform Technical Forum
National Digital ID Platform Technical Forum
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSM
 
Application Security Verification Standard Project
Application Security Verification Standard ProjectApplication Security Verification Standard Project
Application Security Verification Standard Project
 
Coding Security: Code Mania 101
Coding Security: Code Mania 101Coding Security: Code Mania 101
Coding Security: Code Mania 101
 
CarbonCredit-V4
CarbonCredit-V4CarbonCredit-V4
CarbonCredit-V4
 

Payment Card System Overview

  • 1. | Card Payment System Overview Narudom Roongsiriwong CISSP 24 June 2016
  • 2. | About Me Head of IT Security, Kiatnakin Bank PLC (KKP) Committee Member – Cloud Security Alliance (CSA) Consultant – OWASP Thailand Chapter Working Team for Adviser to the Finance Ministry's National e-Payment project E-mail: narudom.roongsiriwong@owasp.org 24 June 20162
  • 3. | When the customer want to make a payment by credit/debit card, authorization flow starts. 24 June 20163
  • 4. | Simplified Authorization Flow 1. The customer make a payment. Enter cardholder data into the merchant’s payment system (POS, e-commerce website). 2. The Merchant sends card data to an acquirer/payment processor who will route data to through the payments system for processing. For e-commerce, a payment gateway may redirect website to the acquirer. 3. The acquirer/processor sends the data to Payment brand 4. Payment brand forwards the data to the issuer. The issuer verifies and make approval. . For e-commerce, a payment gateway may redirect website to the issuer (ex. Verified by VISA). 24 June 20164
  • 5. | Simplified Authorization Flow for Card Payment 5. If the issuer agrees to fund the purchase, it will generate an authorization number and routes back to the card brand. 6. Payment brand forwards the authorization code back to the acquirer/processor. 7. The acquirer/processor sends the authorization code back to the merchant. 8. The merchant concludes the sale with the customer. 24 June 20165
  • 6. | Electronics Data Capture (EDC) 24 June 20166 A Point-of-sale terminal for submitting and validating card transactions to a merchant account provider, or some other card transaction processor.
  • 7. | EDC Use Case 24 June 20167
  • 8. | ISO 8583 Financial Transaction Message Format 24 June 20168 One of the most widely used format Card originated transactions purchase, withdrawal, deposit, refund, reversal, balance inquiry, payments and inter-account transfers System-to-system messages secure key exchanges, reconciliation of totals, network sign-on/sign-off and other administrative messages Structured as follows Header Message type identifier Primary bitmap Secondary bitmap Data elements
  • 9. | ISO 8583 Message Structure 24 June 20169 Header Network specific thus Visa and MasterCard use a different message header structure Message Type Identifier (MTI) Classifies the high level function of the message One or more bitmaps indicating which data elements are present in the message Data elements or fields Bitmap Binary value Defines presence of fields 42100011 02C04804 0100001000010000000000000001000 1000000101100000001001000000001 00 2, 7, 12, 28, 32, 39, 41, 42, 50, 53, 62
  • 10. | Magnetic Card vs EMV 24 June 201610 Magnetic Stripe Card Chip Card Initial terminal- card interaction Terminal gets static data from card • Terminal identifies card type (chip, non- chip) • Terminal and card agree on Application ID • Card generates request cryptogram Request includes Data from magnetic stripe Authorization processing must include EMV • Validate request cryptogram • Optionally generate response cryptogram • Optionally generate a command for the card Response may include new EMV data elements Final terminal- card interaction • Card validates response cryptogram if sent by issuer • Card executes command if sent by issuer
  • 11. | Verification Options Cardholder Verification 24 June 201611 No CVM Signature On-line PIN at ATM On-line PIN at POS Off-line PIN plain texted Off-line PIN enciphered Verification Fallback
  • 12. | Card not Present 24 June 201612 A remote purchase where the cardholder and the card are not present at the point-of-sale A remote purchase CNP transaction can be for: Mail order Telephone order A sale made over the internet Recurring Verification CVV2 Verification by requesting the three-digit code AVS verify the cardholder’s billing address by the issuer Verified by VISA®
  • 13. | Card Management System 24 June 201613  Register – adding a smart card to the smart card management system  Issue – issuing or personalizing the smart card for a smart card holder  Initiate – activating the smart card for first use by the smart card holder  Deactivate – putting the smart card on hold in the backend system  Activate – reactivating the smart card from a deactivated state  Lock – also called block; smart card holder access to the smart card is not possible  Unlock – also called unblock; smart card holder access to the smart card is re-enabled  Revoke – credentials on the smart card are made invalid  Retire – the smart card is disconnected from the smart card holder  Delete – the smart card is permanently removed from the system  Unregister – the smart card is removed from the system (but could potentially be reused)  Backup - Backup smart card certificates and selected keys  Restore - Restore smart card certificates and selected keys
  • 14. | Simplified Settlement Flow 24 June 201614 1. The merchant submits settlement message from EDC. For e- commerce, it would be done automatically. 2. Merchant’s bank sends clearing data to payment brand 3. Payment brand calculates net settlement position and sends advisement to merchant’s bank and cardholder’s bank and Transfer Fund Order to settlement banks
  • 15. | Simplified Settlement Flow 24 June 201615 4. Settlement bank facilitates exchange of funds to guarantee payment to merchant’s bank 5. Cardholder’s bank sends payment to settlement bank 6. Merchant’s bank pay merchant for card purchases. 7. Cardholder’s bank bills cardholder for purchases