Securing Online Credit
Card Transactions
REL-ID Authentication Services
Contents

•   Context
•   Why does credit card fraud happen?
•   How to fix it?
•   Rel-ID Credit Card Authentication Service
•   How does it work?
•   Security Flaws in 3D Secure
•   3D Secure and TruCard
•   Payment Model
•   Advantages of the service
•   About Uniken
Context

• The final liability of the damage in case of a fraudulent credit card
  transaction is with the end customer or sometimes the issuing
  bank
• Customers are not aware that their credit card data can be easily
  stolen and reused
• The basic flaw in the current system is that currently customers
  cannot authenticate and verify the transaction before it is
  approved by the issuing bank
• Uniken is offering its REL-ID CARD AUTHENTICATION SERVICE to
  the card issuing banks in a SaaS model to secure online credit
  card transactions.
Why does credit card fraud happen?

• Let's first understand how a credit card transaction is processed
• Authorization Process
    1. The customer, after selecting the mode of payment, provides the credit card
       details to the website, which submits them to the payment gateway
    2. The payment gateway submits them to the merchant bank's processor (acquiring
       bank)
    3. The merchant bank submits them to the credit card network
    4. The credit card network submits them to the issuing bank, which checks the validity
       and credit limit and approves/disapproves the transaction
    5. The credit card network relays this decision to the merchant bank's processor,
       which sends it to the payment gateway and finally to the merchant's website;
       based on this the merchant decides whether to process the sale
• Settlement Process
    1. The issuing bank then pays the credit card network
    2. The credit card network pays the merchant bank
    3. The merchant bank then deposits this amount in the merchant's account
Why does credit card fraud happen?
•   The fraud happens because none of the entities in the entire authorization
    process authenticate the individual providing the credit card details
•   Mere knowledge of the credit card data is deemed good enough to “believe” he/she
    is indeed the authentic credit card holder
•   A few solutions attempt to solve this by asking for a password or PIN in addition
    to the credit card data; however, fraudsters set up phished merchant websites to
    capture this additional information along with the credit card details (if they
    are already stealing credit card data by phishing the website, they can just as
    well capture the login/password data!)
•   Once the customer comes to know that his credit card has been fraudulently used,
    he/she disputes it with the issuing bank, which then investigates the case; most of
    the time the customer is made to bear the impact, as the issuing bank only checks
    whether the appropriate process was followed by the merchant before releasing the
    goods. Even if the issuing bank accepts the liability, the cost is then distributed
    across all its customers
How to fix this fraud?

The only way to fix this fraud is to ensure that the credit card owner (customer)
is made to authenticate and verify the transaction (over a secure channel) with
the issuing bank just before it approves and authorizes the transaction.
Fundamental limitations of 3D Secure
• In the 3D Secure protocol the credit card holder is authenticated before the
  transaction is submitted by the merchant's website to the Visa/Mastercard
  network, and not when the transaction is being approved/authorized by the
  issuing bank
• The customer cannot authenticate the website where she is submitting the
  login/password information, and the “personal message” based authentication
  of the website is vulnerable to MITM and MITB attacks
• Merchant website authentication is not possible, hence customers can still
  lose their credit card data
• It is mandatory for merchants to integrate their website with the 3D Secure
  solution (they need to install an MPI and pay substantial fees to the solution
  provider)
REL-ID Credit Card Authentication Service

•   The REL-ID Credit Card Authentication server will seamlessly integrate with the issuing bank's
    transaction and card authorization system
•   The TruCard software will be freely distributed to the customer
•   Issuing banks can avail of this service with zero investment in infrastructure
•   If the issuing bank has implemented 3D Secure, TruCard works seamlessly with the 3D Secure
    solution; TruCard ensures that the login/password information is protected from MITM and
    MITB attacks
•   If the issuing bank has not implemented the 3D Secure solution, TruCard will ask for a PIN to turn
    itself ON and authenticate the customer
•   The TruCard solution has absolutely NO dependence on the merchants or on the type of card network
    (Visa/Mastercard)
•   The TruCard solution does not require any credit card data of the customer
•   Integration of this service into the bank's authorization process will be free
•   The bank can disable this service at any point in time with just 60 days' notice and no impact on user
    experience
How will this work? (Without 3D Secure)
Activation of TruCard
• The issuing bank will notify its customers to download and install the TruCard software on their personal
     computers
• The customer will go to the issuing bank's website to register for the service; on successful registration the
     issuing bank will create a customer ID and provide the customer with a link to download the TruCard software
• On installation, the TruCard software will prompt the customer to set up a PIN for the software and to enter
     the activation code that was sent to the customer's mobile phone or email account during registration on the
     issuing bank's website
Online Transaction
• The customer goes to the merchant's website and provides credit card information for the purchase
• The issuing bank's card authorization system, on receiving any request for authorization from the credit card
     network, will send the transaction details along with the customer ID (created during registration) to the REL-ID
     card authentication server
• The REL-ID card authentication server will send the information to the customer's TruCard
• TruCard will authenticate the customer by prompting for the PIN; if TruCard has been configured in Auto-ON
     mode, the customer will directly verify the transaction and approve it
• The issuing bank, after receiving an OK from the REL-ID card authentication server, will approve the transaction to
     the credit card network
User Experience (screenshots)
• TruCard Activation
• Online Purchase (without 3D Secure): three screens, ending with “Payment Successful!”
How will this work? (With 3D Secure)
Activation of TruCard
•    The issuing bank will notify its customers to download and install the TruCard software on their personal computers
•    The customer will go to the issuing bank's website to register for the service; on successful registration the issuing bank
     will create a customer ID and provide the customer with a link to download the TruCard software
•    On installation, the TruCard software will prompt the customer to set up a PIN for the software and to enter the
     activation code that was sent to the customer's mobile phone or email account during registration on the issuing
     bank's website
•    TruCard will display a personal message (set during registration) to assure the customer of the authenticity of the software
•    Once registered, the customer can install the software on as many computers as she wants, directly from the website

Online Transaction
•    The customer goes to the merchant's website and provides credit card information for the purchase
•    The issuing bank's card authorization system, on receiving a request for authorization from the merchant plug-in, will
     request the 3D Secure credentials, sending the customer ID and personal message to the REL-ID card authentication
     server
•    The REL-ID card authentication server will send the information to the customer's TruCard
•    TruCard will accept the customer's 3D Secure credentials and pass them on to the 3D Secure ACS
•    The 3D Secure ACS will authenticate and redirect to the merchant website for it to submit the transaction

Optional (Transaction Verification)
•    If TruCard has been configured in Auto-ON mode, the customer can further verify the transaction and approve it
•    The issuing bank, after receiving an OK from the REL-ID card authentication server, will approve the transaction to the
     credit card network
User Experience (screenshots)
• Online Purchase (without 3D Secure): three screens, ending with “Payment Successful!”
Solution Architecture (without 3DSecure)
• Diagram with numbered steps 1 to 6; labels: “Normal Payment Authorization”, “User verifies & approves transaction”
Solution Architecture (with 3DSecure)
• Diagram with numbered steps 1 to 7 and the MPI and ACS components; labels: “Normal Payment Authorization”, “User verifies & approves transaction”
3D Secure and TruCard
1.  3D Secure: cannot protect from phishing and MITM attacks; it is very easy to steal the
    3D Secure login/password information.
    TruCard: protects from phishing and MITM due to the RMAK mutual authentication protocol.
2.  3D Secure: mandates that the merchant participate in 3D Secure to make it work.
    TruCard: DOES NOT require the merchant to participate in the solution and is completely
    independent of merchants.
3.  3D Secure: the transaction data shown to the customer during authentication is what the
    customer submitted to the merchant, not what the merchant submitted for authorization
    (the customer may think she is approving USD 200 while the actual transaction submitted
    to the card network could be USD 210).
    TruCard: the transaction data shown to the customer for verification is the same data
    that the bank has received for authorization from the credit card network.
4.  3D Secure: requires the customer to authenticate every time they do an online transaction.
    TruCard: requires the customer to authenticate only once to turn it ON (optionally it can
    be turned ON automatically, without asking for the PIN every time), so it does not require
    the customer to authenticate every time.
5.  3D Secure: requires PKI (digital certificates), making it extremely costly to implement
    and maintain.
    TruCard: does not require PKI; it is based on the RMAK protocol (which provides for
    encryption and mutual authentication).
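The issuer-side flow from the “Online Transaction” steps above (authorization held by the issuing bank until the customer has approved the details the bank itself received) together with point 3 of this comparison (the customer verifies the amount that reached the bank, not the amount typed at the merchant), modelled as an added Python example. This is not Uniken's code or the TruCard/REL-ID implementation: every class, function and value is hypothetical, the mutually authenticated channel is simulated with HMAC over a per-customer key established at registration, and nothing here describes the RMAK protocol, which the deck does not specify.

```python
# Added example (not Uniken's or the deck's code): issuer-side authorization
# that waits for out-of-band customer verification. All names are hypothetical;
# the authenticated channel is simulated with HMAC over a per-customer key.
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class AuthorizationRequest:
    network_ref: str    # reference assigned by the card network (constructed value)
    card_ref: str       # issuer-internal card reference, never the PAN
    merchant: str
    amount_cents: int
    currency: str


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so both ends MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class CustomerAgent:
    """Stands in for the TruCard client on the customer's computer (hypothetical)."""

    def __init__(self, channel_key: bytes, pin: str, auto_on: bool = False, decide=None):
        self._key = channel_key
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self.auto_on = auto_on                      # deck's "Auto-ON": no PIN prompt per transaction
        self.decide = decide or (lambda tx: False)  # models the customer reading the screen
        self._seen_refs: set[str] = set()

    def review(self, body: bytes, tag: bytes, pin_entered):
        # 1. Act only on messages that carry a valid MAC from the auth server.
        if not hmac.compare_digest(tag, mac(self._key, b"tx", body)):
            return None
        # 2. Unlock with the PIN unless the agent is in Auto-ON mode.
        if not self.auto_on:
            if pin_entered is None:
                return None
            entered = hashlib.sha256(pin_entered.encode()).digest()
            if not hmac.compare_digest(entered, self._pin_digest):
                return None
        tx = json.loads(body)
        # 3. Never answer the same network reference twice (a replayed prompt).
        if tx["network_ref"] in self._seen_refs:
            return None
        self._seen_refs.add(tx["network_ref"])
        # 4. Show the details the issuer received and let the customer decide;
        #    the reply MAC binds the decision to this exact transaction body.
        decision = b"approve" if self.decide(tx) else b"decline"
        return decision, mac(self._key, decision, body)


class CardAuthServer:
    """Stands in for the REL-ID card authentication server (hypothetical)."""

    def __init__(self):
        self._agents: dict[str, tuple[CustomerAgent, bytes]] = {}

    def register(self, customer_id: str, pin: str, auto_on=False, decide=None) -> CustomerAgent:
        key = secrets.token_bytes(32)   # channel key established at activation
        agent = CustomerAgent(key, pin, auto_on, decide)
        self._agents[customer_id] = (agent, key)
        return agent

    def verify_with_customer(self, customer_id: str, tx: AuthorizationRequest, pin_entered=None) -> bool:
        if customer_id not in self._agents:
            return False
        agent, key = self._agents[customer_id]
        body = canonical(asdict(tx))    # exactly what the issuer got from the network
        reply = agent.review(body, mac(key, b"tx", body), pin_entered)
        if reply is None:
            return False
        decision, reply_tag = reply
        return decision == b"approve" and hmac.compare_digest(reply_tag, mac(key, b"approve", body))


class Issuer:
    """Issuing bank's authorization system with the customer verification step added."""

    def __init__(self, auth_server: CardAuthServer):
        self.auth_server = auth_server
        self.cards: dict[str, tuple[str, int]] = {}   # card_ref -> (customer_id, limit in cents)

    def authorize(self, tx: AuthorizationRequest, pin_entered=None) -> str:
        if tx.card_ref not in self.cards:
            return "DECLINED:unknown_card"
        customer_id, limit = self.cards[tx.card_ref]
        if tx.amount_cents > limit:
            return "DECLINED:over_limit"
        # The approval to the network waits for the customer's OK via the auth server.
        if not self.auth_server.verify_with_customer(customer_id, tx, pin_entered):
            return "DECLINED:not_verified_by_customer"
        return "APPROVED"


def run_scenarios() -> dict:
    """Constructed walkthrough: the customer expects a USD 200.00 purchase at one shop."""
    server, issuer = CardAuthServer(), None
    issuer = Issuer(server)

    def expects(tx):
        return tx["merchant"] == "example-shop" and tx["amount_cents"] == 20000 and tx["currency"] == "USD"

    server.register("cust-001", pin="4821", decide=expects)
    issuer.cards["card-ref-77"] = ("cust-001", 500_000)
    good = AuthorizationRequest("net-0001", "card-ref-77", "example-shop", 20000, "USD")
    inflated = AuthorizationRequest("net-0002", "card-ref-77", "example-shop", 21000, "USD")
    return {
        "wrong_pin": issuer.authorize(good, pin_entered="0000"),
        "legit": issuer.authorize(good, pin_entered="4821"),
        "replayed": issuer.authorize(good, pin_entered="4821"),   # same network_ref again
        "inflated": issuer.authorize(inflated, pin_entered="4821"),  # the USD 200 vs 210 case
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:10s} -> {result}")
```

The decision the customer sees is built from the request the issuer received, so an amount altered between the merchant and the network is declined by the customer rather than approved unseen; the reply MAC covers the decision and the transaction body together, so an approval cannot be detached and reused for a different request.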
3D Secure and TruCard

• We have already implemented 3D Secure; now what?
  – TruCard seamlessly integrates with 3D Secure
  – The user experience does not change at all, and TruCard fixes all the
    flaws in the 3D Secure solution
  – Instead of showing a web page to capture the 3D Secure
    login/password information (which is prone to phishing and
    MITM attacks), TruCard will accept the 3D Secure
    login/password and send it to the issuer's authentication server
  – TruCard will eliminate MITM and phishing attacks completely
  – TruCard provides for transaction verification, a transaction log
    and, more importantly, credit card statements on demand
SMS-based solutions and their limitations

• SMS cannot ensure confirmation of delivery of the message,
  still less in real time, and the customer may end up
  attempting the transaction again and again
• SMS is not a secure channel, as the transaction
  information is sent over an unencrypted SMS channel
• There are simple attacks available to change the mobile
  number of the credit card owner (due to flaws in the mobile
  number registration process)
TruCard SAAS Model
• The issuing bank will NOT be charged anything for integrating the
  REL-ID Card Authentication Server with their credit card
  authorization and approval system

• The customer will NOT be charged anything for downloading and
  installing the TruCard Software

• The issuing bank will be charged a fixed % of the transaction
  amount for every transaction verification and authentication done
  by the customer or based on a monthly rental model

• The issuing bank will be billed on a monthly basis
Advantages of the REL-ID TruCard Authentication Solution
• TruCard is a software agent that is very easy to download and
  install
• The customer has to register for this service with the bank, and the
  REL-ID authentication service does not retain any credit card
  details
• The customer has to authenticate to TruCard using a
  password/PIN to turn it ON (it can optionally be turned ON
  automatically by remembering the credentials)
• TruCard communicates with the REL-ID card authentication
  server over a mutually authenticated encrypted channel (all
  authentication/approval data is sent over this channel)
• There are no upfront costs to the issuing bank, as it does not have
  to invest anything to enable this service
About Uniken
Uniken Introduction

UNIKEN is a technology innovation and product engineering firm that works
closely with its customers to provide high quality products that meet their
business automation and cutting edge technology needs.

We specialize in taking our in-house innovations from concept through to
production through patented product engineering design methodologies. Our staff
includes 50+ product designers and engineers, technologists and researchers with
backgrounds in computer science, software technology, embedded systems and
professional services.

As a company we invest in technology innovation, product design and
product engineering.

Headquartered in Tampa, FL, US, with offices in the US and India, we have an R&D and
Product Engineering Center in India.
What does Uniken do?
(Diagram: Customers at the centre, feeding three groups)
• Market Analysis and Problem Specifications → Technology R&D: UNIKEN Technology R&D Center
    • Concept innovation and rapid prototyping
    • Conducts research in: Information Security, Pattern Recognition, Embedded Systems, Performance Modeling
• Business Requirements → Product Engineering: UNIKEN Product Engineering Group
    • Customized product development
    • Requirements Analytics
    • Product Design (patent pending process)
    • Product Development
    • Performance Testing
• Product Delivery → Products: UNIKEN Products
    • Customized Business Automation Products
    • REL-ID (Identity Security)
    • DEEKSHA (e-Learning)
    • SHOPPEX (Mobile Shopping)
Uniken - Management Team Profile
(Name; Designation; Qualifications; Details of relevant work experience; Experience)
• Sanjay Deshpande; CEO, Director; M. S. (Computer Science); Tata Research Development & Design Centre, Infosys Technologies Ltd., Persistent Systems Pvt. Ltd.; 13 years
• Nanjundeaswar Ganapathy; CTO, Director; B. Tech. (IIT Kharagpur); Infosys Technologies Ltd.; 12 years
• Prakash Salvi; CDO, Director; B. Tech (Computer Science); IMR Global; 15 years
• Vivek Saxena; CBO; PGDM (IIM Ahmedabad); Tata Consultancy Services, Infosys Technologies Ltd.; 16 years
• Nilesh Dhande; COO, Director; MBA (Systems); Infosys Technologies Ltd.; 9 years
• Subramanian Gopalan; Advisor to the Board; B. Tech.; Six Sigma Master Black Belt, Director of Sourcing, GE, Greater China; 40 years
• Dr. Pat Shankar; Advisor to the Board; Ph. D.; Chief Scientist, Motorola Biometrics Division; 30 years
• Dr. Lev Goldfarb; Advisor to the Board; Ph. D.; Associate Professor, University of New Brunswick; 20 years
• Ajay Dubey; Director; B. Tech. (IIT Kanpur); VP - Infosys Technologies Ltd., COO - Persistent Systems Pvt. Ltd.; 25 years
Contact Details


              Shaillender Mittal
                Director Sales
       shaillender.mittal@uniken.com
Tel: (020) 66427970/71 | Mob: 9823422211

Contenu connexe

Tendances

eZ Publish Workflows and Payment Gateways
eZ Publish Workflows and Payment GatewayseZ Publish Workflows and Payment Gateways
eZ Publish Workflows and Payment GatewaysGraham Brookins
 
Payment Gateway
Payment GatewayPayment Gateway
Payment GatewayShujaShah
 
What's 3D costing your business?
What's 3D costing your business?What's 3D costing your business?
What's 3D costing your business?Adigital
 
3D-Secure 2.2 Webinar
3D-Secure 2.2 Webinar3D-Secure 2.2 Webinar
3D-Secure 2.2 WebinarIvona M
 
E financial services (payment gateway)
E financial services (payment gateway)E financial services (payment gateway)
E financial services (payment gateway)valliappan1991
 
2909460 U M L D I A G R A M S B A N K M A N A G E M E N T
2909460  U M L  D I A G R A M S B A N K  M A N A G E M E N T2909460  U M L  D I A G R A M S B A N K  M A N A G E M E N T
2909460 U M L D I A G R A M S B A N K M A N A G E M E N Tankit05gupta
 
PayNet Mobile Banking Introduction 2017
PayNet Mobile Banking Introduction 2017PayNet Mobile Banking Introduction 2017
PayNet Mobile Banking Introduction 2017Tushar Belwal
 
eCommerce Payment Gateways: An Introduction
eCommerce Payment Gateways: An IntroductioneCommerce Payment Gateways: An Introduction
eCommerce Payment Gateways: An IntroductionAidanChard
 
3D secure password
3D secure password3D secure password
3D secure passwordachintya354
 
Ebiz 05 Online Monetary Transactions
Ebiz 05 Online Monetary TransactionsEbiz 05 Online Monetary Transactions
Ebiz 05 Online Monetary TransactionsAhmad Alflahat
 
3-D Secure Acquirer and Merchant Implementation Guide
3-D Secure Acquirer and Merchant Implementation Guide3-D Secure Acquirer and Merchant Implementation Guide
3-D Secure Acquirer and Merchant Implementation Guide- Mark - Fullbright
 
How payment gateway process works?
How payment gateway process works?How payment gateway process works?
How payment gateway process works?Shashi Dhar Kumar
 

Tendances (20)

eZ Publish Workflows and Payment Gateways
eZ Publish Workflows and Payment GatewayseZ Publish Workflows and Payment Gateways
eZ Publish Workflows and Payment Gateways
 
Payment Gateway
Payment GatewayPayment Gateway
Payment Gateway
 
What's 3D costing your business?
What's 3D costing your business?What's 3D costing your business?
What's 3D costing your business?
 
3D-Secure 2.2 Webinar
3D-Secure 2.2 Webinar3D-Secure 2.2 Webinar
3D-Secure 2.2 Webinar
 
Payment Gateway
Payment GatewayPayment Gateway
Payment Gateway
 
E financial services (payment gateway)
E financial services (payment gateway)E financial services (payment gateway)
E financial services (payment gateway)
 
2909460 U M L D I A G R A M S B A N K M A N A G E M E N T
2909460  U M L  D I A G R A M S B A N K  M A N A G E M E N T2909460  U M L  D I A G R A M S B A N K  M A N A G E M E N T
2909460 U M L D I A G R A M S B A N K M A N A G E M E N T
 
Payment gateways
Payment gateways Payment gateways
Payment gateways
 
PayNet Mobile Banking Introduction 2017
PayNet Mobile Banking Introduction 2017PayNet Mobile Banking Introduction 2017
PayNet Mobile Banking Introduction 2017
 
eCommerce Payment Gateways: An Introduction
eCommerce Payment Gateways: An IntroductioneCommerce Payment Gateways: An Introduction
eCommerce Payment Gateways: An Introduction
 
EMV chip cards
EMV chip cardsEMV chip cards
EMV chip cards
 
Emv and fraud
Emv and fraudEmv and fraud
Emv and fraud
 
3D secure password
3D secure password3D secure password
3D secure password
 
Payment Gateway
Payment GatewayPayment Gateway
Payment Gateway
 
Ebiz 05 Online Monetary Transactions
Ebiz 05 Online Monetary TransactionsEbiz 05 Online Monetary Transactions
Ebiz 05 Online Monetary Transactions
 
AnyID and Privacy
AnyID and PrivacyAnyID and Privacy
AnyID and Privacy
 
3-D Secure Acquirer and Merchant Implementation Guide
3-D Secure Acquirer and Merchant Implementation Guide3-D Secure Acquirer and Merchant Implementation Guide
3-D Secure Acquirer and Merchant Implementation Guide
 
AnyID: Security Point of View
AnyID: Security Point of ViewAnyID: Security Point of View
AnyID: Security Point of View
 
emv-ebook
emv-ebookemv-ebook
emv-ebook
 
How payment gateway process works?
How payment gateway process works?How payment gateway process works?
How payment gateway process works?
 

Similaire à Securing Online Card Transactions

E-commerce System Technologies, Repository and Networking Technology
E-commerce System Technologies, Repository and Networking TechnologyE-commerce System Technologies, Repository and Networking Technology
E-commerce System Technologies, Repository and Networking Technologyizan28
 
Online payments and Security Gateways
Online payments and Security Gateways Online payments and Security Gateways
Online payments and Security Gateways Sarujan Chandrakumaran
 
Online Payment Gateway System
Online Payment Gateway SystemOnline Payment Gateway System
Online Payment Gateway SystemMannu Khani
 
Credit card processing highrisk gateways
Credit card processing   highrisk gatewaysCredit card processing   highrisk gateways
Credit card processing highrisk gatewayshighrisk gateways
 
Digital signature and adv payment gateway
Digital signature and adv payment gatewayDigital signature and adv payment gateway
Digital signature and adv payment gatewayKartik Kalpande Patil
 
Lecture 13 -_e-commmerce_e-banking_and_advanced_tech
Lecture 13 -_e-commmerce_e-banking_and_advanced_techLecture 13 -_e-commmerce_e-banking_and_advanced_tech
Lecture 13 -_e-commmerce_e-banking_and_advanced_techSerious_SamSoul
 
E banking of axis bank
E banking of axis bankE banking of axis bank
E banking of axis bankSitaram Saini
 
Payment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVITPayment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVIThiteshasnani94
 
Chapter 15: GETTING THE MONEY
Chapter 15: GETTING THE MONEY Chapter 15: GETTING THE MONEY
Chapter 15: GETTING THE MONEY Syeda Tabia
 
Payment Integration A Comprehensive Guide to Payment Gateway
Payment Integration A Comprehensive Guide to Payment GatewayPayment Integration A Comprehensive Guide to Payment Gateway
Payment Integration A Comprehensive Guide to Payment GatewayInexture Solutions
 
3 d secure password
3 d secure password3 d secure password
3 d secure passwordachintya354
 
PayU 3D Secure Merchant Guide
PayU 3D Secure Merchant GuidePayU 3D Secure Merchant Guide
PayU 3D Secure Merchant GuidePenny Paine
 

Similaire à Securing Online Card Transactions (20)

Cyber cash
Cyber cashCyber cash
Cyber cash
 
E-commerce System Technologies, Repository and Networking Technology
E-commerce System Technologies, Repository and Networking TechnologyE-commerce System Technologies, Repository and Networking Technology
E-commerce System Technologies, Repository and Networking Technology
 
Online payments and Security Gateways
Online payments and Security Gateways Online payments and Security Gateways
Online payments and Security Gateways
 
Payment gateway
Payment gatewayPayment gateway
Payment gateway
 
Online Payment Gateway System
Online Payment Gateway SystemOnline Payment Gateway System
Online Payment Gateway System
 
E Payment
E PaymentE Payment
E Payment
 
Credit card processing highrisk gateways
Credit card processing   highrisk gatewaysCredit card processing   highrisk gateways
Credit card processing highrisk gateways
 
Digital signature and adv payment gateway
Digital signature and adv payment gatewayDigital signature and adv payment gateway
Digital signature and adv payment gateway
 
Lecture 13 -_e-commmerce_e-banking_and_advanced_tech
Lecture 13 -_e-commmerce_e-banking_and_advanced_techLecture 13 -_e-commmerce_e-banking_and_advanced_tech
Lecture 13 -_e-commmerce_e-banking_and_advanced_tech
 
E banking of axis bank
E banking of axis bankE banking of axis bank
E banking of axis bank
 
Payment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVITPayment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVIT
 
Chapter 15: GETTING THE MONEY
Chapter 15: GETTING THE MONEY Chapter 15: GETTING THE MONEY
Chapter 15: GETTING THE MONEY
 
Class 13
Class 13Class 13
Class 13
 
Mb2420032007
Mb2420032007Mb2420032007
Mb2420032007
 
Payment Integration A Comprehensive Guide to Payment Gateway
Payment Integration A Comprehensive Guide to Payment GatewayPayment Integration A Comprehensive Guide to Payment Gateway
Payment Integration A Comprehensive Guide to Payment Gateway
 
Can security and convenience go hand in hand in e-commerce
Can security and convenience go hand in hand in e-commerceCan security and convenience go hand in hand in e-commerce
Can security and convenience go hand in hand in e-commerce
 
Credit Card Systems
Credit Card SystemsCredit Card Systems
Credit Card Systems
 
3 d secure password
3 d secure password3 d secure password
3 d secure password
 
Internet Banking
Internet BankingInternet Banking
Internet Banking
 
PayU 3D Secure Merchant Guide
PayU 3D Secure Merchant GuidePayU 3D Secure Merchant Guide
PayU 3D Secure Merchant Guide
 

Securing Online Card Transactions

  • 1. Securing Online Credit Card Transactions REL-ID Authentication Services
  • 2. Contents • Context • Why does credit card fraud happen? • How to fix it? • Rel-ID Credit Card Authentication Service • How does it work? • Security Flaws in 3D Secure • 3D Secure and TruCard • Payment Model • Advantages of the service • About Uniken
  • 3. Context • The final liability of the damage in case of a fraudulent credit card transaction is with the end customer or sometimes the issuing bank • Customers are not aware that their credit card data can be easily stolen and reused • The basic flaw in the current system is that currently customers cannot authenticate and verify the transaction before it is approved by the issuing bank • Uniken is offering its REL-ID CARD AUTHENTICATION SERVICE to the card issuing banks in a SaaS model to secure online credit card transactions.
  • 4. Why does credit card fraud happen? • Lets first understand how the credit card transaction is processed • Authorization Process 1. The customer after selecting the mode of payment – provides the credit card details to the website – which submits this to the payment gateway 2. The payment gateway submits that to the merchant banks processor (acquiring bank) 3. The merchant bank submits this to the credit card network 4. The credit card network submits it to the issuing bank, which checks the validity, credit limit and approves/disapproves the transaction 5. The credit card network relays this information to the merchant banks process, which sends it to the payment gateway and finally to the merchants website – based on which the merchant decides to process the sale • Settlement Process 1. The issuing bank then pays the credit card network 2. The credit card network pays the merchant bank 3. The merchant bank then deposits this amount in the merchants account
  • 5. Why does credit card fraud happen? • The fraud happens because none of the entities present in the entire authorization process authenticate the individual providing the credit card details • The mere knowledge of the credit card data is deemed good enough to “believe” he/she is indeed the authentic credit card holder • There are a few solutions available that attempt to solve this by asking a password or pin in addition to the credit card data – however, fraudsters set-up phished merchant websites to get access to this additional information as well along with the credit card details (if they are already stealing credit card data by phishing the website – they can as well get the login/.password data!) • Once the customer comes to know that his credit card has been fraudulently used, he/she disputes it to the issuing bank, who then investigate the case – most of the time the customer is made to bear the impact – as the issuing bank only ensures if the appropriate process was followed by the merchant before issuing the goods. If the issuing bank takes the liability, even then this is then distributed across all its customers
• 6. How to fix this fraud?
  • The only way to fix this fraud is to have the issuing bank make the card owner (the customer) authenticate and verify the transaction, over a secure channel, immediately before the bank approves and authorizes it.
• 7. Fundamental limitations of 3D Secure
  • In the 3D Secure protocol the card holder is authenticated before the transaction is submitted by the merchant's website to the Visa/MasterCard network, not at the moment the transaction is approved/authorized by the issuing bank.
  • The customer cannot authenticate the website to which she submits the login/password, and the "personal message" used to authenticate the website to the customer is vulnerable to MITM and MITB attacks.
  • Merchant website authentication is not possible, so customers can still lose their credit card data.
  • Merchants must integrate their website with the 3D Secure solution (they need to install an MPI and pay substantial fees to the solution provider).
• 8. REL-ID Credit Card Authentication Service
  • The REL-ID Credit Card Authentication Server integrates seamlessly with the issuing bank's transaction and card authorization system.
  • The TruCard software is distributed to customers free of charge.
  • Issuing banks can avail of this service with zero investment in infrastructure.
  • If the issuing bank has implemented 3D Secure, TruCard works seamlessly with the 3D Secure solution and protects the 3D Secure login/password from MITM and MITB attacks.
  • If the bank has not implemented 3D Secure, TruCard asks for a PIN to turn itself ON and authenticate the customer.
  • The TruCard solution has absolutely NO dependence on merchants or on the type of card network (Visa/MasterCard).
  • The TruCard solution does not require any of the customer's credit card data.
  • Integration of the service into the bank's authorization process is free.
  • The bank can disable the service at any time with 60 days' notice and no impact on user experience.
• 9. How will this work? (Without 3D Secure)
  Activation of TruCard
  • The issuing bank notifies its customers to download and install the TruCard software on their personal computers.
  • The customer registers for the service on the issuing bank's website; on successful registration the bank creates a customer ID and gives the customer a link to download the TruCard software.
  • On installation, TruCard prompts the customer to set up a PIN for the software and asks for the activation code that was sent to the customer's mobile phone or email account during registration on the bank's website.
  Online Transaction
  • The customer goes to the merchant's website and provides the credit card information for the purchase.
  • On receiving an authorization request from the credit card network, the issuing bank's card authorization system sends the transaction details, together with the customer ID created during registration, to the REL-ID Card Authentication Server.
  • The REL-ID Card Authentication Server forwards the information to the customer's TruCard.
  • TruCard authenticates the customer by asking for the PIN; if TruCard has been configured in Auto-ON mode, the customer goes directly to verifying and approving the transaction.
  • After receiving an OK from the REL-ID Card Authentication Server, the issuing bank approves the transaction to the credit card network.
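The flow above, as an added example that is not Uniken's code and does not describe RMAK: a Python simulation of the three parties, the issuer's authorization step, the card authentication server and the customer's agent. The approval the agent returns is an HMAC-SHA256 tag over a canonical encoding of the authorization request as the issuer received it, keyed with a per-customer device key shared at registration; the shared key and the HMAC binding are assumptions of this example standing in for the product's protocol, and all card, merchant and amount values are constructed. `demo()` runs the cases worth checking: the honest purchase, a request whose amount differs from what the customer expected (the customer sees the issuer's amount and refuses), an approval forged without the device key, and an agent that is OFF.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

Decision = Callable[["AuthRequest"], bool]   # models the customer's yes/no on what is shown


@dataclass(frozen=True)
class AuthRequest:
    """Authorization request as the issuer receives it from the card network (constructed values)."""
    txn_id: str
    card_last4: str
    merchant: str
    amount_cents: int
    currency: str

    def canonical(self) -> bytes:
        # Fixed field order so the agent and the server MAC identical bytes.
        return "|".join([self.txn_id, self.card_last4, self.merchant,
                         str(self.amount_cents), self.currency]).encode()


def approval_tag(key: bytes, req: AuthRequest) -> bytes:
    """Binds one approval to one exact transaction (assumed construction, not RMAK)."""
    return hmac.new(key, b"APPROVE|" + req.canonical(), hashlib.sha256).digest()


class TruCardAgent:
    """Customer-side agent: ON after the PIN is entered (or always, if Auto-ON); OFF approves nothing."""

    def __init__(self, device_key: bytes, pin: str, auto_on: bool = False) -> None:
        self._key = device_key
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self.auto_on = auto_on
        self.unlocked = False

    def turn_on(self, pin: str) -> bool:
        self.unlocked = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest)
        return self.unlocked

    def verify(self, req: AuthRequest, decide: Decision) -> Optional[bytes]:
        # The customer is shown req itself, i.e. what the issuer was asked to authorize.
        if not (self.auto_on or self.unlocked) or not decide(req):
            return None
        return approval_tag(self._key, req)


class RelIdAuthServer:
    """Card authentication server; keeps a copy of each device key from registration (assumption)."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self._agents: dict[str, TruCardAgent] = {}

    def register(self, customer_id: str, pin: str, auto_on: bool = False) -> TruCardAgent:
        key = secrets.token_bytes(32)
        self._keys[customer_id] = key
        self._agents[customer_id] = TruCardAgent(key, pin, auto_on)
        return self._agents[customer_id]

    def check_tag(self, customer_id: str, req: AuthRequest, tag: Optional[bytes]) -> bool:
        if tag is None or customer_id not in self._keys:
            return False
        return hmac.compare_digest(approval_tag(self._keys[customer_id], req), tag)

    def verify_transaction(self, customer_id: str, req: AuthRequest, decide: Decision) -> bool:
        agent = self._agents.get(customer_id)
        return agent is not None and self.check_tag(customer_id, req, agent.verify(req, decide))


def issuer_authorize(auth: RelIdAuthServer, enrolled: dict, req: AuthRequest, decide: Decision) -> str:
    """Issuer step: after its usual validity/limit checks (omitted), verify out of band, then answer."""
    customer_id = enrolled.get(req.card_last4)       # customer ID created at registration
    if customer_id is None or not auth.verify_transaction(customer_id, req, decide):
        return "DECLINED"
    return "APPROVED"


def demo() -> dict:
    """The cases a practitioner would check; returns their outcomes."""
    auth = RelIdAuthServer()
    agent = auth.register("cust-001", pin="4711")
    enrolled = {"4242": "cust-001"}
    # The customer checked out for USD 200 at shop.example and compares what the agent shows.
    expects_200: Decision = lambda r: (r.merchant, r.amount_cents, r.currency) == ("shop.example", 20000, "USD")
    agent.turn_on("4711")
    honest = AuthRequest("t1", "4242", "shop.example", 20000, "USD")
    inflated = AuthRequest("t2", "4242", "shop.example", 21000, "USD")   # merchant submitted USD 210
    results = {"honest": issuer_authorize(auth, enrolled, honest, expects_200),
               "inflated": issuer_authorize(auth, enrolled, inflated, expects_200)}
    # Phished card data and PIN alone: a tag made without the device key is rejected.
    results["forged_tag"] = auth.check_tag("cust-001", honest, approval_tag(b"attacker-guess", honest))
    agent.unlocked = False                                                   # agent OFF, not Auto-ON
    results["agent_off"] = issuer_authorize(auth, enrolled, honest, expects_200)
    return results
```

Because the tag covers the request the issuer received rather than anything the merchant page displayed, the amount the customer approves is the amount that will be authorized. The simulation runs server and agent in one process, so the mutually authenticated channel between them is not modelled here; in a real deployment that channel is what stops a phisher from relaying a different transaction to the agent.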
  • 11. User Experience - Online Purchase (without 3D Secure)
  • 12. User Experience - Online Purchase (without 3D Secure)
  • 13. User Experience - Online Purchase (without 3D Secure) Payment Successful!
• 14. How will this work? (With 3D Secure)
  Activation of TruCard
  • The issuing bank notifies its customers to download and install the TruCard software on their personal computers.
  • The customer registers for the service on the issuing bank's website; on successful registration the bank creates a customer ID and gives the customer a link to download the TruCard software.
  • On installation, TruCard prompts the customer to set up a PIN for the software and asks for the activation code that was sent to the customer's mobile phone or email account during registration on the bank's website.
  • TruCard displays a personal message (set during registration) so the customer can confirm the authenticity of the software.
  • Once registered, the customer can install the software on as many computers as she wants, directly from the website.
  Online Transaction
  • The customer goes to the merchant's website and provides the credit card information for the purchase.
  • On receiving the authentication request from the merchant plug-in, the issuing bank's system sends a request for the 3D Secure credentials, together with the customer ID and personal message, to the REL-ID Card Authentication Server.
  • The REL-ID Card Authentication Server forwards the request to the customer's TruCard.
  • TruCard accepts the customer's 3D Secure credentials and passes them on to the 3D Secure ACS.
  • The 3D Secure ACS authenticates the customer and redirects to the merchant's website, which then submits the transaction.
  Optional (Transaction Verification)
  • If TruCard has been configured in Auto-ON mode, the customer can additionally verify and approve the transaction.
  • After receiving an OK from the REL-ID Card Authentication Server, the issuing bank approves the transaction to the credit card network.
  • 15. User Experience - Online Purchase (without 3D Secure)
  • 16. User Experience - Online Purchase (without 3D Secure)
  • 17. User Experience - Online Purchase (without 3D Secure) Payment Successful!
• 18. Solution Architecture (without 3D Secure)
  [Diagram: the normal payment authorization path with numbered steps 1-6; the user verifies and approves the transaction.]
• 19. Solution Architecture (with 3D Secure)
  [Diagram: the normal payment authorization path including the MPI and ACS, with numbered steps 1-7; the user verifies and approves the transaction.]
• 20. 3D Secure and TruCard
  Why do we need TruCard?
  1. 3D Secure: cannot protect from phishing and MITM attacks; it is very easy to steal the 3D Secure login/password information.
     TruCard: protects from phishing and MITM due to the RMAK mutual authentication protocol.
  2. 3D Secure: mandates that the merchant participate in 3D Secure to make it work.
     TruCard: does NOT require the merchant to participate in the solution and is completely independent of merchants.
  3. 3D Secure: the transaction data shown to the customer during authentication are the data the customer submitted to the merchant, not the data the merchant submitted for authorization (the customer may think she is approving USD 200 while the actual transaction submitted to the card network could be USD 210).
     TruCard: the transaction data shown to the customer for verification are the same data the bank has received for authorization from the credit card network.
  4. 3D Secure: requires the customer to authenticate every time they do an online transaction.
     TruCard: does not require the customer to authenticate every time; the customer authenticates only once to turn it ON (optionally it can be turned ON automatically, without asking for the PIN every time).
  5. 3D Secure: requires PKI (digital certificates), making it extremely costly to implement and maintain.
     TruCard: does not require PKI; it is based on the RMAK protocol (which provides encryption and mutual authentication).
• 21. 3D Secure and TruCard
  • We have already implemented 3D Secure; now what?
    – TruCard integrates seamlessly with 3D Secure.
    – The user experience does not change at all, and the flaws in the 3D Secure solution are fixed.
    – Instead of showing a web page to capture the 3D Secure login/password (which is prone to phishing and MITM attacks), TruCard accepts the 3D Secure login/password and sends it to the issuer's authentication server.
    – TruCard eliminates MITM and phishing attacks on the credentials.
    – TruCard provides transaction verification, a transaction log and, more importantly, credit card statements on demand.
• 22. SMS-based solutions and their limitations
  • SMS cannot confirm delivery of the message, let alone in real time; the customer may end up attempting the transaction again and again.
  • SMS is not a secure channel: the transaction information is sent over an unencrypted SMS channel.
  • Simple attacks exist to change the registered mobile number of the card owner (due to flaws in the mobile number registration process).
• 23. TruCard SaaS Model
  • The issuing bank will NOT be charged anything for integrating the REL-ID Card Authentication Server with its credit card authorization and approval system.
  • The customer will NOT be charged anything for downloading and installing the TruCard software.
  • The issuing bank will be charged a fixed percentage of the transaction amount for every transaction verification and authentication performed by the customer, or on a monthly rental model.
  • The issuing bank will be billed monthly.
• 24. Advantages of the REL-ID TruCard Authentication Solution
  • TruCard is a software agent that is very easy to download and install.
  • The customer registers for the service with the bank; the REL-ID authentication service does not retain any credit card details.
  • The customer authenticates to TruCard with a password/PIN to turn it ON (it can optionally be turned ON automatically by remembering the credentials).
  • TruCard communicates with the REL-ID Card Authentication Server over a mutually authenticated, encrypted channel; all authentication/approval data is sent over this channel.
  • There are no upfront costs to the issuing bank, as it does not have to invest anything to enable this service.
• 26. Uniken Introduction
  UNIKEN is a technology innovation and product engineering firm that works closely with its customers to provide high-quality products that meet their business automation and cutting-edge technology needs.
  We specialize in taking our in-house innovations from concept through to production using patented product engineering design methodologies. Our staff includes 50+ product designers and engineers, technologists and researchers with backgrounds in computer science, software technology, embedded systems and professional services. As a company we invest in technology innovation, product design and product engineering.
  Headquartered in Tampa, FL, US, with offices in the US and India, we have an R&D and Product Engineering Center in India.
• 27. What does Uniken do?
  • UNIKEN Technology R&D Center (input: market analysis and problem specifications; output: technology)
    • Concept innovation and rapid prototyping
    • Conducts research in information security, pattern recognition, embedded systems and performance modeling
  • UNIKEN Product Engineering Group (input: business requirements from customers)
    • Customized product development
    • Requirements analytics
    • Product design (patent-pending process)
    • Product development
    • Performance testing
  • UNIKEN Products (product delivery to customers)
    • Customized business automation products
    • REL-ID (Identity Security) products
    • DEEKSHA (e-Learning)
    • SHOPPEX (Mobile Shopping)
• 28. Uniken - Management Team Profile
  Name | Designation | Qualifications | Details of relevant work experience | Experience
  • Sanjay Deshpande | CEO, Director | M.S. (Computer Science) | Tata Research Development & Design Centre; Infosys Technologies Ltd.; Persistent Systems Pvt. Ltd. | 13 years
  • Nanjundeaswar Ganapathy | CTO, Director | B. Tech. (IIT Kharagpur) | Infosys Technologies Ltd. | 12 years
  • Prakash Salvi | CDO, Director | B. Tech (Computer Science) | IMR Global | 15 years
  • Vivek Saxena | CBO | PGDM (IIM Ahmedabad) | Tata Consultancy Services; Infosys Technologies Ltd. | 16 years
  • Nilesh Dhande | COO, Director | MBA (Systems) | Infosys Technologies Ltd.; Six Sigma Master Black Belt | 9 years
  • Subramanian Gopalan | Advisor to the Board | B. Tech. | Director of Sourcing, GE, Greater China | 40 years
  • Dr. Pat Shankar | Advisor to the Board | Ph. D. | Chief Scientist, Motorola Biometrics Division | 30 years
  • Dr. Lev Goldfarb | Advisor to the Board | Ph. D. | Associate Professor, University of New Brunswick | 20 years
  • Ajay Dubey | Director | B. Tech. (IIT Kanpur) | VP, Infosys Technologies Ltd.; COO, Persistent Systems Pvt. Ltd. | 25 years
  • 29. Contact Details Shaillender Mittal Director Sales shaillender.mittal@uniken.com Tel: (020) 66427970/71 | Mob: 9823422211