Securing Financial Transactions • Chapter 6

words, the same company owns both the cardholder and merchant relationship and steps in as an intermediary for all uses of the cards. American Express, Discover, and Diners Club are examples of closed loops. There is one American Express franchise, one Diners Club franchise (now owned by CitiBank), and one Discover Card company.

When a cardholder with a bank card from Bank A uses the card to transact with a merchant whose account is at Bank B and the transaction is processed through a different third party, it’s called an open-loop system. Bank card systems using Visa and MasterCard are examples of open loops. In reality, neither the Visa nor MasterCard companies issue cards directly to consumers. Rather, they rely on their member banks to establish the lines and set the terms for consumer credit and debit within their own portfolios. They also rely on the banks to offer the Merchant Services to enable retailers to accept their cards as forms of payment. Typically a merchant’s bank will provide such services in addition to the other banking services retailers need.

Visa and MasterCard serve as Brand Association authorities that establish and maintain the by-laws that frame the uses of their logos and the accompanying agreements between their member banks. Both Visa and MasterCard claim they each have over 20,000 member banks throughout the world to form their franchises.

In a closed-loop system, the cardholder and merchant accounts are typically operated on the same systems. Settlement (see the next section) then becomes a matter of debiting one side of the system and crediting the other side without any need to access the banking network, except to collect charges from any other acquirers who may process charges from the closed-loop system brand.
Capture and Settlement

In settling a batch, the card processor must first receive it. The software in Apollo Marketplace’s terminal initiates a file transfer that sends it via the private line to Delphi’s Card Processing Service. At Delphi’s, the batch is sorted by the Bank Identification Number (or BIN, a piece of information contained in the account numbers) in preparation for capture processing. Each set of transactions with the same BIN is sent to the bank identified by the code, where the bank will turn those earlier temporary debits into permanent debits. Each bank sums up the total charges on its accounts and performs a wire transfer to the account indicated for Apollo Marketplace at the National Bank. This work is performed using Automated Clearing Houses (ACHs) that enable wire-transfer operations. At this point, your account at Bacchus Bank reflects your charge and awaits the cycle cut that prepares your billing statement. Once an entire batch is settled, Apollo Marketplace’s account at the National Bank reflects the total batch’s credits (less returns and voided transactions, and less processing and discount rate fees). With the next batch, the process begins anew.

As you see, at every step of the process, someone has a hand out looking for fees. Merchants are expected to pay these fees for the convenience of accepting payment cards and generally consider them a cost of doing business. It’s also the merchant that pays when a customer discovers and reports that a charge was made using a lost or stolen card. In these cases, the bank issues the merchant what’s called a chargeback to its merchant account, reversing the original credit to the account.
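The settlement steps just described (sort the batch by BIN, let each issuing bank total its own set of records, then net out returns, voids and fees, and later absorb a chargeback) as an added Python example; this is not code from the book, and the discount rate, per-item fee, approval codes and card numbers are constructed sample values, with the BIN taken as the leading six digits by assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import ROUND_HALF_UP, Decimal

BIN_LENGTH = 6                   # assumption: BIN is the leading six digits of the PAN
DISCOUNT_RATE = Decimal("0.02")  # constructed sample: 2 percent of captured sales
PER_ITEM_FEE = Decimal("0.25")   # constructed sample: processing fee per captured record


@dataclass(frozen=True)
class CaptureRecord:
    """One entry in the settlement file built up from Capture Responses."""
    pan: str             # full account number as it sits in the settlement file
    amount: Decimal      # always positive; 'kind' decides the direction
    kind: str            # "sale", "return" or "void"
    approval_code: str   # authorization code returned by the issuer

    @property
    def bin(self) -> str:
        return self.pan[:BIN_LENGTH]


def sort_by_bin(batch):
    """Group captured records by BIN, as the processor does before forwarding
    each set to the issuing bank the code identifies. Voids never capture."""
    groups = defaultdict(list)
    for rec in batch:
        if rec.kind != "void":
            groups[rec.bin].append(rec)
    return dict(groups)


def bank_totals(groups):
    """Net amount each issuing bank wires for its set of records: the earlier
    temporary debits become permanent for sales, credits flow back for returns."""
    totals = {}
    for bin_, recs in groups.items():
        total = Decimal("0")
        for rec in recs:
            total += rec.amount if rec.kind == "sale" else -rec.amount
        totals[bin_] = total
    return totals


def merchant_deposit(batch):
    """What the merchant account reflects once the whole batch is settled:
    sales, less returns and voids, less discount-rate and per-item fees."""
    captured = [r for r in batch if r.kind != "void"]
    sales = sum((r.amount for r in captured if r.kind == "sale"), Decimal("0"))
    returns = sum((r.amount for r in captured if r.kind == "return"), Decimal("0"))
    fees = sales * DISCOUNT_RATE + PER_ITEM_FEE * len(captured)
    return (sales - returns - fees).quantize(Decimal("0.01"), ROUND_HALF_UP)


def apply_chargeback(deposit, amount, handling_fee):
    """A later chargeback reverses the original credit and adds the bank's
    handling fee; the merchant absorbs both. Accepts Decimal or str inputs."""
    d, a, f = (Decimal(str(x)) for x in (deposit, amount, handling_fee))
    return (d - a - f).quantize(Decimal("0.01"), ROUND_HALF_UP)


# Constructed sample batch for the fictional Apollo Marketplace; the account
# numbers are the well-known Visa and MasterCard test numbers, not real cards.
SAMPLE_BATCH = [
    CaptureRecord("4111111111111111", Decimal("120.00"), "sale", "A1B2C3"),
    CaptureRecord("4111111111111111", Decimal("30.00"), "sale", "D4E5F6"),
    CaptureRecord("4111111111111111", Decimal("20.00"), "return", "G7H8I9"),
    CaptureRecord("5555555555554444", Decimal("50.00"), "sale", "J0K1L2"),
    CaptureRecord("5555555555554444", Decimal("75.00"), "void", "M3N4O5"),
]


def sample_deposit():
    """Net deposit for SAMPLE_BATCH: 200.00 sales - 20.00 returns - 5.00 fees."""
    return merchant_deposit(SAMPLE_BATCH)


if __name__ == "__main__":
    for bin_, total in bank_totals(sort_by_bin(SAMPLE_BATCH)).items():
        print(f"BIN {bin_}: wire {total} to the merchant's account")
    print("net deposit:", sample_deposit())
```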
On top of the chargeback, the merchant bank will charge a fee for handling and sometimes add additional nuisance fees to encourage the merchant to be more careful in what cards he or she is accepting. This situation is similar to the hefty fees levied when a checking account customer bounces a check. Force enough chargebacks or bounce enough checks, and your bank will begin to reevaluate its relationship with you and may terminate it altogether.

In the Point of Sale world, it’s easy enough to take adequate precautions to prevent chargebacks (by checking a signature or a picture ID, for example), but in today’s online world, the task is much more difficult, and thus far, banks are doing little to help merchants gain confidence when accepting payment cards online. As you’ll see later in this chapter, various methods and alternative payment systems for Internet uses are being developed to reverse the trends of increased fraud and chargebacks and to foster an atmosphere of mutual trust.

Steps in an Internet-Based Payment Card Transaction

Let’s revisit the Apollo Marketplace, but this time we’ll bring the Internet into the picture to see what’s different about the transaction. Along the way, we’ll also point out some of the riskier pieces of the puzzle that attract hackers.

Over the months, the Apollo Marketplace’s business had exploded. Customers, tired of the frequently long lines at the register, began demanding that the Marketplace offer shop-at-home services with rapid delivery. A few months earlier, Delphi’s Card Processing Service started offering Internet payment acceptance to those merchants that it services. It built virtual POS software that merchants can access via the Internet to process card authorization requests and settlement steps. The Marketplace decides to implement the online service.
Before any transactions can take place, merchant e-commerce Web sites need special software on their own servers to interact with the virtual POS. Let’s assume that merchant systems are ready for such payment processing—we’ll call that Phase 0. The subsequent phases outline the progression of the marketplace’s online processes.

■ Phase 0: All merchant e-commerce software and requisite systems are in place. The Apollo Marketplace web site at www.Apollo-market.com is up and running. The Marketplace offers a full line of products for sale through the simple click of a few buttons and local delivery within two hours. The site is a model of customer service. Traffic is on the increase, as are sales. Just last week the business took in over $95,000 from Web site sales alone!

■ Phase 1: The shopping experience. At the Apollo’s “Marketplace on the Web,” customers are also helped out to prepare for checkout. The Marketplace has hypertext and content on its home page to attract people into using their plastic for shopping there. They have linked in privacy policies, visible assurances of security and trust, and even links to bank Web sites that offer credit cards. With a single click on Apollo Marketplace’s Home Page “Shop Now” button, shoppers can browse through the vast catalog of items, examine product details, and decide what they want to purchase.

■ Phase 2: Item selections. As shoppers select their goods, they add them with the shopping cart software that Apollo Marketplace’s Merchant Server uses, which dynamically tallies up the sale. Each item is added through a link directly below the product photograph and price.

■ Phase 3: Checkout.
Just as a shopper pushes his or her shopping cart to the cash register, the Merchant Server responds in kind when the consumer clicks the “Check Out” icon found on every page he or she sees. The shopping cart software adds up the items in it, adds sales tax and delivery and handling fees, and presents a list of the items and the totals to the customer. If the customer is satisfied with the order, he or she proceeds to the payment selection phase.

■ Phase 4: Form of payment selection and entry—RISK AREA 1. With order totals still displayed on the screen, the consumer is given a choice of payment options. The customer may select from MasterCard, Visa, American Express, and Discover Card. The customer also has the option of paying cash-on-delivery (COD) or paying with a check-by-phone prior to order delivery. For our purposes, let’s choose MasterCard as the form of payment. Customers are presented with a form in which to enter their payment card number or, if they prefer, a phone number to call it in.

■ Risk Description. Nonprotected form data is transported over the Internet as Hypertext Transfer Protocol (HTTP) plaintext—visible by any device (router, gateway, packet sniffer, etc.) on the network that touches the packets as they make their way from source to destination. This is the same problem that makes using email to transport sensitive or confidential data a poor choice. See the section later in this chapter on the Secure Sockets Layer (SSL) protocol to mitigate this risk.

■ Phase 5: Payment Initiation Processing—RISK AREA 2. When the form with the payment and purchase information is received back at Apollo Marketplace’s Merchant Server, software then begins preparing an electronic message intended for the virtual POS at Delphi’s Card Processing Service that operates the system on behalf of the National Bank merchant services.
This message includes information about the merchant’s identification, the payment card number, card holder name, expiration date, amount of charge, and other identifying information. Banks also offer additional services (at a fee, of course) to help reduce fraud and chargebacks. One of these services is called the Address Verification Service (AVS) to verify that the billing address provided matches the one in the records the bank keeps. To help differentiate themselves in a crowded market, other card processors offer a variety of value-added services to help reduce fraud and chargebacks.

■ Risk Description. On receipt of the HTTP Post operation, Apollo Marketplace’s Web server holds sensitive and confidential information that’s at risk for theft if the Web server is compromised. Depending on what the Web server does with the data (whether it stores it in its own file system or calls a back-office server for storage and processing), the risk model changes. In general, it’s a poor idea to store any data on a Web server that’s needed by mission-critical applications.

■ Phase 6: Payment Authorization Request and Response—RISK AREA 3. Delphi’s Card Processing Service uses the details about the amount of sale, the merchant account requesting it, and the payment card information to decide where to send the request.
On Delphi’s system, software is used to create a bank standard authorization request (using ISO8583 as the guide) and place it on the bank’s Interchange Network that locates your account at Bacchus Bank. With an approval code from Bacchus Bank to proceed with the sale, software at the National Bank sends back a message to the virtual POS on Delphi’s system that authorizes Apollo Marketplace’s merchant software to complete the sale. The Marketplace’s system responds with a confirmation of the sale, produces an electronic version of a receipt or record of charge, and stores the record for eventual capture and settlement processing.

■ Risk Description. The database containing payment card numbers, expiration dates, cardholders’ names, and billing addresses is an irresistible target for both outside hackers and insider malcontents, so you must take precautions to prevent attacks on this data from all corners.

■ Phase 7: Delivery of Goods. An hour and a half goes by, and the customer hears a knock on the door. As a premier customer, Apollo Marketplace always gives this customer its best service. The customer accepts the box of goods with a signature on the delivery form, and the Marketplace is assured that the customer is satisfied and the sale is final.

■ Phase 8: Capture and Settlement—RISK AREA 4. With the successful authorization code from Phase 6, Apollo Marketplace’s merchant software received and stored a capture record. With the sale completed and the goods delivered, the Marketplace’s merchant software can initiate a Capture Request to finalize the sale with Delphi’s Card Processing system. With each Capture Response, the Settlement File builds up, awaiting the Marketplace’s decision to deposit these receipts into the merchant account at the National Bank in exchange for funds transfer.
Unless you’re selling goods that can be delivered immediately over the Internet (software, images, etc.), you’re left with no other choice but to wait until you ship your goods to the customer before you settle the charge. Bank card association rules often forbid authorization, settlement, and capture to occur together for Mail Order/Phone Order (MOTO) merchants, and almost all E-commerce sites are treated as MOTO merchants.

■ Risk Description. Databases of settlement records are at risk while they’re stored (see Risk Area 3 above), and they are at risk while in transport to and from the processor. As batch files, you may consider using standard File Transfer Protocol (FTP) to send and receive, but FTP cannot protect the contents during transport. Consequently, you’ll need another channel to share this data or protect the Internet channel through cryptography.

While the actual processing work is identical to the work initiated via a POS terminal operating on a private network, virtual POS terminals make it possible to use the Internet for communicating between the parties needed for charge processing. To protect this information from prying eyes or outright theft, these systems rely on applied cryptography and other defense-in-depth mechanisms.

Toxic Data Lives Everywhere!

As you can readily see, payment card data flows through a number of disparate systems as a charge traverses its way through the Internet and through private networks. Sometimes the data winds up in the wrong hands. Wherever the data is stored (in the clear) or placed on the network (in the clear), it becomes at risk for theft. Hackers love credit card data for a number of reasons: It’s easy to steal, it’s easy to resell, and it’s hard to get caught. The best targets are those that are loosely protected, contain large volumes of payment card data, and are easy to access over the Internet.
Merchant e-commerce servers should come to mind right about now. Protect yourself from becoming a target for payment card theft, and you protect the very nature of e-commerce itself! If you think about e-commerce data as a form of hazardous materials, you’ll begin to get the right ideas about how to treat it with utmost care. Understanding the phases of the Internet shopping experience and their related risk factors will help you instinctively determine what safeguards to employ, and where.

Approaches to Payments via the Internet

Consumers on the Internet have it easy. All the banking laws revolving around payment cards favor the consumer, and no change to this policy is likely to happen anytime soon. Merchant chargeback rates are skyrocketing at the same time that the stakes are getting higher. Within the last year, Visa and MasterCard have tightened up their rules about how many chargebacks their merchant accounts can process before they start incurring fines from the merchant bank. Merchants can even lose their merchant accounts altogether. Chargebacks are usually measured as a percentage of volume. If $100,000 goes through your merchant account in one month, and $1,000 gets charged back against your account, you’ve got a 1 percent chargeback rate. The magic number of 1 percent is the target that the banks would like to see.

Damage & Defense… FBI Warns of Organized Credit Card Theft Ring

The FBI’s National Infrastructure Protection Center (NIPC) issued a warning in March 2001 of credit card thieves from Eastern Europe who are targeting vulnerable U.S. e-commerce sites, and who have already stolen more than a million credit card numbers. Groups of hackers from Russia and the Ukraine are targeting Microsoft NT systems that aren’t up to the latest patch levels that close down the vulnerabilities they’re able to exploit. The hackers attempt to extort the merchants for ransom on the data, and if their demands aren’t met, they publish the card numbers on public Web sites. After the NIPC warning surfaced, the Center for Internet Security published Steve Gibson’s PatchWork Tool as a free tool for merchants to help them determine if their systems have all the patches that the FBI lists as necessary to repel the attacks. PatchWork can also audit the merchant systems to see if any telltale signs of a previous compromise are present. Go to www.cisecurity.org/patchwork.html to download the PatchWork Tool.

In the world of the Web, however, where fraud is by far the biggest problem, bank card associations are reporting that fraud has created an untenable situation that calls for immediate solutions. Although only 2 percent of Visa International Inc.’s credit-card transactions are acquired via the Internet, 50 percent of its disputes and discovered frauds are in that area, claimed Mark Cullimore, director of emerging technology at Visa International Asia-Pacific. “This has become a significant issue for our industry over the past six months,” he said. “It is all down to the problem of authentication, which has become the most important issue in the financial industry.”

With the experience that’s been gained to date with Internet payment card processing, new solutions to the fraud and chargeback problems appear on the market almost daily. Many of these systems rely on advanced uses of technology for risk management, including predictive models, scoring of confidence, etc. In the next section, we’ll look at what’s being done to help merchants gain some confidence that the payment cards they accept are legitimate and in the hands of legitimate users.
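The Risk Descriptions for Phases 4 through 8 and the “hazardous materials” advice above come down to one practical rule for the merchant Web server: it should hold the full card number only long enough to build the Phase 5 message for the virtual POS, and nothing it retains or logs should carry that number or the expiration date. The Python below is an added example, not the book’s code; the merchant ID, field names, order reference and sample form are constructed values, and the card-number regex is an assumption of this example.

```python
import re

MERCHANT_ID = "APOLLO-0001"                 # constructed sample merchant identification
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")  # assumption: unbroken digit runs of card-number length


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all customer service needs."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


def build_pos_message(form: dict, order_ref: str) -> dict:
    """Phase 5: the message for the virtual POS at the card processor. This is
    the only place the full account number and expiration date are used, and
    the billing address rides along so the processor can run AVS."""
    return {
        "merchant_id": MERCHANT_ID,
        "order_ref": order_ref,
        "pan": form["card_number"].replace(" ", ""),
        "cardholder": form["cardholder_name"],
        "expiry": form["expiry"],
        "amount": form["amount"],
        "billing_address": form["billing_address"],
    }


def web_tier_record(form: dict, order_ref: str) -> dict:
    """What the Web server may keep about the order: enough to show the
    customer a receipt and to match the processor's later capture response,
    but neither the full number nor the expiration date."""
    return {
        "order_ref": order_ref,
        "amount": form["amount"],
        "card_last4": mask_pan(form["card_number"]),
        "cardholder": form["cardholder_name"],
    }


def scrub_log_line(line: str) -> str:
    """Last line of defence for Risk Area 2: if a full card number ever reaches
    a log message (debug dumps of the HTTP POST are the usual way), mask it
    before the line is written. Digit runs broken by spaces are not caught."""
    return PAN_PATTERN.sub(lambda m: mask_pan(m.group(0)), line)


def contains_full_pan(obj) -> bool:
    """Audit helper: does any string inside obj look like a full card number?
    Spaces are stripped first so '4111 1111 ...' is still detected."""
    if isinstance(obj, dict):
        return any(contains_full_pan(v) for v in obj.values())
    return isinstance(obj, str) and PAN_PATTERN.search(obj.replace(" ", "")) is not None


# Constructed sample checkout form as posted by the customer in Phase 4;
# the card number is the well-known Visa test number, not a real card.
SAMPLE_FORM = {
    "card_number": "4111 1111 1111 1111",
    "cardholder_name": "A. Customer",
    "expiry": "12/02",
    "amount": "95.00",
    "billing_address": "1 Main St, Springfield",
}

if __name__ == "__main__":
    pos_msg = build_pos_message(SAMPLE_FORM, "ORD-1001")
    kept = web_tier_record(SAMPLE_FORM, "ORD-1001")
    print("POS message carries full PAN:", contains_full_pan(pos_msg))
    print("Web tier record carries full PAN:", contains_full_pan(kept))
    print(scrub_log_line("POST /checkout card_number=4111111111111111 amount=95.00"))
```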
Options in Commercial Payment Solutions

If customers truly want the goods or services your online store offers, but they find bugs in the implementation of your product catalog or when using your shopping cart software, or they find your site less-than-easy to navigate, they’re likely to forgive you and continue with their purchases. If they find bugs or problems with your payment processing, you can be sure you’ll never see them again. Imagine that a happy customer will tell 4 or 5 friends, but an unhappy one will tell 10 or more. Your duty is to assure your customers that your site is reliable and that their private and confidential information is kept safe and sound.

Payment systems are viewed as two major categories—one where you operate the system on equipment you own or control (as in Phases 4, 5, 6, and 8 described earlier) and ones that are operated on your behalf by third-party providers. The next sections will explore these systems and their subcategories.

First, it’s essential to decide the route you want to choose. Consider your overall business objectives first before you choose a route. If you can afford it, running your own operation may be your best choice. If you are more inclined to first “test the waters” and gain experience in online selling, or if you maintain a small catalog or have low sales volumes, you may not be able to justify the investment or security rigor that’s required for an in-house system.
Commerce Server Providers

A breed of Internet Service Providers (ISPs) that are tailored to the needs of the small to mid-sized online sales community is cropping up all over the globe. These Commerce Server Providers (CSPs) will lease you access to the system, allocate disk space for you to maintain your products, may offer multiple payment processing options, and may even provide robust site reporting and easy Web-browser-based interfaces for maintenance. Many of them are operated under secure and trustworthy environments and may even offer Web design service. Be careful, though—not all CSPs provide the same levels of service or the same payment processing fee structures. If your CSP is also a local ISP, customers may find your site too slow to tolerate because you’re sharing resources with dial-up PPP users and other locally hosted content or transactional sites.

As you pore through lists of CSPs, decide if you’re willing to use all the services the CSP provides or if you can “bring your own service.” You may find a better bargain in payment processing if your options are greater. You may also want to offer your customers a mix of payment types to increase your odds of a sale by those who can’t or won’t use credit cards online. For example, you may want CyberCash to process your credit card charges, your bank to process online checks, and Qpass to handle micropayments (for small dollar purchases like news articles, clip art, and shareware).

CSPs are also more likely to pay close attention to known security problems in Internet sales environments. To protect an electronic mall, CSP operators make huge investments in network and personnel

[...] arrived unaltered. Figure 6.2 A Digitally Signed Message (Message Contents; Encrypted Message Digest). This is how it works: Because the digital signature can be decrypted only by using your public key, your recipient knows that you created the digest because you never share your private key with anyone else. Your [...]

[...] message digest for your message, you’ll encrypt it using your private key and append (attach) the encrypted message digest to your original message. This process is called creating a digital signature or digitally signing a message, and it is illustrated in Figure 6.2. At this point, if you send your message to your recipient (who already holds a copy of your public key), he can “test” your signature to [...]

[...] described—can help turn your e-commerce site into a genuine citadel. Trusted hosts are another security measure that you may elect to use. Using Access Control Lists (ACLs) on your application servers helps to thwart attempts at running or installing programs without the authority to do so. If your application [...]

[...] with an empty virtual cash register. Most everyone who uses the Web recognizes the ubiquity of SSL. Figure 6.6 shows how Netscape Navigator browsers indicate that SSL is “active.” Figure 6.6 An SSL-Enabled Web Browsing Session. SSL addresses some of the concerns of transporting confidential data via [...]

[...] connection. The best approach for creating these zones uses what are called three-tier or n-tier architectures. When you’re ready to expand your information-only Web site into an e-commerce capable site and have decided to bring all processing in-house, you’ll want to start out with a secure processing environment rather [...]

[...] authentication, privacy, and message integrity. A graphical look at the digital signing process is found in Figure 6.3. A look at the process to create digital envelopes is found in Figure 6.4. Figure 6.3 Using Public-Private Key Pairs to Create a Digital Signature: 1. Sender creates message (“The quick brown fox [...]”)

[...] powerful mechanism to protect user passwords on e-commerce sites. Should your site require IDs and passwords for personalization reasons, you’ll want to store the passwords that people create in the form of a hash value. That way, even if a hacker steals your security database records, the hacker won’t be able to use the data to impersonate your customers directly. Instead he or she will need to use additional [...]

[...] because you can never really be sure the server will remain constantly in your control. Should a man-in-the-middle attack occur, perhaps a few Web pages will be spoofed, but your important assets will remain secure. Never operate your CGI or ASP scripts on the Web server that’s handling public [...]

[...] for operational purposes. This may include language compilers, Perl/CGI/PHP libraries, administrative utilities, and factory-supplied logons and passwords.
■ Firewalls should disallow FTP, telnet, or requests on any open ports.
■ Don’t operate software such as FTP, telnet, or email systems on any [...]

[...] (from receiver’s digital certificate) via any communications channel desired. In summary, Table 6.1 shows the purposes and uses of public and private keys to secure electronic communications. Table 6.1 Public/Private Key Uses: Create Digital Signature: Sender’s private key; Sender’s public key; Receiver’s [...]

[...] and while it’s stored and processed within your stewardship. Let’s take a look at some fundamental