Credit Card Processing & PCI

August 10, 2010
By George

Nowadays we take part in ecommerce activities on a regular basis without appreciating what goes on in the background and how these services are monitored for security. The following article gives a brief overview of the main steps involved in performing online payments and of how these services are regulated by the authorities.

A customer (cardholder) purchases a product from a merchant who accepts credit card on-line payments. The merchant uses a third-party organization (called the acquirer) that provides card processing services. Customers obtain their credit cards from an organization (called the issuer) such as a bank or financial institution. There are various brands (card associations) of credit card networks such as VISA, MasterCard, etc. These networks act as a gateway between the third-party company (the acquirer) servicing the merchant's on-line payments and the bank or financial institution (the issuer) that authorizes and funds transactions.

The payment process goes through the following steps:

  1. The customer pays for a purchase at the merchant's on-line store
  2. The acquirer verifies with the bank that the card number & transaction amount are both valid and then processes the transaction – transaction authorized
  3. The transaction is stored in a batch for later processing by the acquirer
  4. The transaction batch is sent to the bank by the acquirer over the respective card association network, which debits the customer accounts and credits the acquirer – the acquirer has been paid for all transactions
  5. The acquirer pays the merchant, less the processing fee

Credit card companies and banks can be trusted, hopefully! But what security controls are in place for the merchants' and acquirers' setups? We need a secure process, in other words a mechanism that oversees that the cardholder's data is stored, processed and transmitted securely from the merchant's website to the bank.

The Payment Card Industry (PCI) Data Security Standard (DSS) governs the security procedures that all entities involved should adhere to. It started with the major card associations each having their own security programs and progressed to a combined effort to develop the PCI standard and council. Apart from acquirers and issuers, PCI's member organizations also include service providers: companies that provide card-related services to acquirers and issuers.

PCI compliance requirements are based on different levels, where the levels relate to the volume of credit card transactions performed annually. For example, merchants with more than 6 million annual transactions fall under level 1, while major payment gateways are at level 1 in the service providers' category. However, a small merchant with a small number of transactions annually but with a history of data breaches can be moved to level 1. All levels carry the same security requirements, with the top levels having more stringent validation requirements. For example, level 1 requires that merchants or service providers meet the DSS standard, conduct and pass yearly penetration tests and quarterly scans, and pass a yearly audit by external auditors. Lower levels have less firm validation requirements.

When we say security requirements we mean that entities should install and maintain a firewall configuration to protect cardholder data, use strong passwords, restrict logical and physical access to data, use updated anti-virus software on their systems, develop and maintain secure systems, protect stored cardholder data, etc. The list applies not only to the internal environment but to the entire cardholder data environment, which can be a networked system connected to a public network or an off-site data storage service. Most audits fail because merchants or service providers fail to protect stored data according to these requirements!
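Two points above lend themselves to a worked example: the card-number validity check in step 2 of the payment process, and the observation that most audits fail on stored data. The script below is an added example, not code from the original article or from the PCI council; it scans a constructed log excerpt (the kind of stored data an auditor looks at) for full card numbers, uses the Luhn check digit to separate real-looking primary account numbers (PANs) from other long digit strings, and masks any hit down to the last four digits. The sample lines and the industry test numbers 4111111111111111 and 5500000000000004 are constructed for the example and are not real accounts; whether step 2 consists of exactly a Luhn check is an assumption, since the article does not say how the acquirer validates the number.

```python
import re

# Constructed sample of stored data: an order log in which two lines hold
# full PANs (industry test numbers, not real accounts), one is already
# masked, and one holds a 16-digit reference that is not a card number.
SAMPLE_LOG = """\
2010-08-10 12:01:05 order=1001 customer=alice pan=4111111111111111 amount=49.99
2010-08-10 12:01:09 order=1002 customer=bob pan=************1234 amount=12.00
2010-08-10 12:02:14 order=1003 customer=carol pan=5500 0000 0000 0004 amount=80.00
2010-08-10 12:03:30 order=1004 ref=1234567812345678 amount=5.00
"""

# 13 to 19 digits, optionally separated by spaces or dashes (how card
# numbers are usually typed or printed). This is a loose net on purpose;
# the Luhn check below removes most false positives.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation: the cheap syntactic test that catches
    typos and random digit strings before a number is ever sent to the
    issuer. It does NOT prove the account exists; only the issuer can."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9                 # same as summing the two digits of d
        total += d
    return total % 10 == 0


def normalize(candidate: str) -> str:
    """Strip the separators so '5500 0000 0000 0004' becomes one digit string."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return (line number, PAN) for every Luhn-valid card number found.

    Any hit means cleartext cardholder data is being stored, which is the
    kind of finding the article says most failed audits come down to."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = normalize(match.group())
            if luhn_valid(digits):
                hits.append((lineno, digits))
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the last four digits. PCI DSS allows at most the first six
    and last four to be shown; keeping just the last four is the stricter
    choice and is enough to reconcile an order with a customer."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Rewrite the text with every Luhn-valid PAN masked; other digit
    strings (order ids, references, dates) are left untouched."""
    def replace(match):
        digits = normalize(match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(replace, text)


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: cleartext PAN ending in {pan[-4:]}")
    print(redact(SAMPLE_LOG))
```

Run against a real log or database export, the same scan gives a quick answer to the question an assessor asks first: is there any cleartext cardholder data at rest? The Luhn filter is what keeps the scan useful; without it, every 16-digit order reference would be reported as a card number.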
