A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

September 11, 2023 • Issue 23:09:01

Payments, a retrospective
The extraordinary life of a payment transaction - Security checkpoints

By Dale S. Laszig

In the payments industry's early days, merchant and consumer behaviors were as fixed as the countertop terminals that dominated retail and hospitality. Technologies held little interest beyond payment request, authorization and settlement. Fraudsters stole paper receipts from trash bins, perpetrating one-on-one attacks before truncated receipts and massive breaches forever changed the game.

Over time, additional measures attempted to protect payment card data in transit and at rest. This series traces the journey of an electronic transaction, from point of entry to financial host, exploring the many checkpoints along the way.

"Cloud security: a weighty issue," a view column published Oct. 26, 2009, in The Green Sheet, cited the July 1, 2010, deadline for implementing the PCI Data Security Standard (PCI DSS), comparing the standard to airport screenings.

"Just as travelers must submit to screening and identity checks at the airport in a post 9/11 world, credit card transactions need heightened verification and security," I wrote. "Think homeland security for terminals; these safeguards came in response to security breaches and are designed to protect cardholder data. While security procedures can't guarantee our safety when we fly or use our payment cards, they can minimize risk."

Evolve PCI DSS

Thirteen years later, as merchants prepare to implement PCI DSS v4.0 by March 31, 2024, security analysts are commenting on the standard's notable revisions. Qualifying organizations, for example, will have more latitude in interpreting guidelines, they noted.

"Entities with established processes to identify control failures and implement corrective actions within their environments generally have more mature risk management and security processes, with information about whether those processes are operating effectively," PCI SSC researchers wrote, in "PCI DSS v4.x: Items Noted for Improvement (INFI) Worksheet − Frequently Asked Questions," published by the PCI SSC in June 2023.

Adam "Sully" Perella, technical director at Schellman, noted that the most significant difference in PCI DSS v4.0 is its migration from a prescriptive to risk-based approach.

"From time-based requirements to vulnerability management, the standard calls upon organizations to look at how they operate, what is required to operate, and how this impacts the security of cardholder data," he said. "As a one-size-fits-all standard, this change will better accommodate different environments, technologies, and frameworks while pushing needed security principles."

Verify, authenticate

Consumers have acclimated to presenting identity documents when passing through airport security, applying for loans or purchasing restricted items that require age verification; merchants use advanced technology to verify and authenticate their customers. These terms are frequently used interchangeably but are materially different, stated Andrew Shikiar, executive director of the FIDO Alliance.

"Simply put, verification is the process of confirming someone's identity. Authentication is the process of recognizing someone's identity," he said. "The easiest way to think about it is that you verify someone's identity less often—usually at the point of account creation—to confirm they are who they say they are. You then authenticate them at subsequent sign-ins to confirm the person logging in is the person who created the account."

Noting that multifactor authentication (MFA) has sparked lively commentary among PCI SSC working groups, Shikiar pointed out that MFA is not foolproof or phishing resistant, because fraudsters can intercept one-time passwords. In fact, FIDO's passkey, a multidevice credential, allows users to log in once to access multiple devices and platforms, he said, adding that Google, Microsoft, Apple and other major platforms use this solution, which is more secure and simple than 40-year-old password technology.

Point-to-point encryption

Ruston Miles, founder and CEO at Payfactory, recalled the genesis of point-to-point encryption, (P2PE) a solution promulgated by the PCI SSC, which the council stated is designed to cryptographically protect account data from the point where a merchant accepts the payment card to the secure point of decryption.

By using P2PE, account data is unreadable until it reaches the secure decryption environment, which makes it less valuable if the data is stolen in a breach, the council added, noting that PCI P2PE solutions can help merchants significantly reduce the PCI DSS validation effort of their cardholder data environment.

"The PCI Security Standards Council created the P2PE program in 2011," Miles said, adding that Bluefin, another company he founded, became the first North American provider of a PCI-validated P2PE solution in 2014 and now serves 300 global partners in 55 countries. Reflecting on the massive growth of P2PE over the past decade, Miles attributed its success to "componentization." The original P2PE standard was monolithic in nature, and each solution was complete from end to end but didn't flex to include multiple participants in the solution chain, he stated. For the most part, he noted, a single company needed to provide the entire solution, including all the many components of the P2PE standard, from key management in hardware security modules (HSMs) and key injection facilities (KIF), to devices and chain of custody management.

To solve for this complexity, Miles stated, the PCI SSC modularized the second version of the P2PE standard, making it much more flexible and representative of the complex and valuable interconnections among payments industry participants. This enabled each company to focus on what they do best and validate their individual component in the overall solution.

Miles noted that this is where we saw P2PE adoption take off exponentially, where a key injection facility (KIF) formerly focused on debit PIN-key injection could now extend their operations to be validated as a P2PE key injection facility component. And a device estate management company could extend their platform to satisfy device tracking and chain of custody management requirements for P2PE solutions.

"I'm truly grateful to have been a part of the evolution of the P2PE solution standard," he said. "And I truly believe that the Council's foresight and leadership in componentizing the standard directly led to P2PE's mass adoption and has made the payments world a safer place.

Secure global checkpoints

As payments become increasingly global, companies of all sizes are navigating disparate regulatory landscapes as they expand their footprints and adapt to different payment methods, currencies and privacy laws. The Digital Operational Resilience Act (DORA), adopted by the European Union on Dec. 22, 2022, is designed to improve operational efficiencies in information and communications technology (ICT).

Mark Young, cyber resilience and IT recovery lead at MorganFranklin, suggested that DORA's January 17, 2025, deadline, provides a long runway to implementation. EU members and U.S. firms operating in the region will have to comply with DORA's policies, procedures and security controls, he stated, by fully documenting their operational and digital resilience capabilities. This will require widespread integration and adoption across each participating organization.

"It is important that U.S. companies begin preparing for DORA compliance promptly," he said. "Changing policy or process alone won't be sufficient in this case; organizational or even cultural changes may be required. Additionally, many clients are having difficulty securing funding and resources to implement current resilience requirements that will be necessary for DORA compliance, so there is much work to be done with a fixed timeline to comply before January 17th, 2025."

Thwart emerging threats

As security analysts have noted, fraudsters are also evolving at the speed of payments, which makes complacency another potential failure point in a payment transaction's journey. Verizon's "2023 Payment Security Report Insights," white paper, published Aug. 23, 2023, advocated an approach to protect against emerging threats that integrates "requirements from various security standards into a single set, such as applicable PCI security standards (the Data Security Standard [DSS], PIN Transaction Security, Point-to-Point Encryption [P2PE], 3-D Secure [3DS]. Secure Software) as well as other regulations (Society for Worldwide Interbank Financial Telecommunications [SWIFT] Customer Security Control Framework [CSCF])."

The ultimate goal of PCI, Verizon researchers noted, is not compliance, but effective, sustainable data protection, backed by continual improvement.

Devalue data

As payment transactions travel across touchpoints and regions, the data they carry needs to be encrypted and tokenized immediately upon acceptance, Miles noted, beginning with the initial swipe, dip or tap of payment at a certified POS terminal, so the data is not accessible as it flows through the payment chain.

"Data devaluation needs to be first and foremost in the transaction journey," he said. "Online, information that is entered into a web form or ecommerce page should be tokenized upon submittal, including sensitive customer information—essentially masking this data as it flows through the payment chain and replacing the data for storage with tokens that represent the data but do not reflect the actual values."

Miles went on to say that most modern payment providers offer secure payment frames that combine iFrame technology with real-time tokenization. This is not to discount standard security measures, he added, such as firewalls, transaction monitoring, penetration testing, patching and more. These are all part of having a layered cybersecurity strategy.

"Building higher walls to keep the fraudsters out is no longer an option because of the myriad of data entry points in today's omnichannel payment experience," Miles said. "You must render the data useless to protect the merchant, the payment chain and the consumer." end of article

Dale S. Laszig, senior staff writer at The Green Sheet and founder and CEO at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email dale@dsldirectllc.com, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter https://twitter.com/DSLdirect

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing