02 Authentication


Secure Payment Networks

5/6/2020 / Dr. Hermann Sterzinger
Netzwerke für den Zahlungsverkehr
Contents
• Introduction
• Structure of Banks and Saving Banks
• Structure of networks and payment schemes and stakeholders
• Secure Authentication methods
– 2 Factor Authentication
– Biometrics
– Encryption/PKI/Digital Signature
• Kinds of Payment Applications
• Protocols for Self Service Systems
• Networks Attacks
• Secure Server and Cloud Solutions
• Standardisation and Certification

Authentication

Authentication
Authentication (from Greek: αὐθεντικός authentikos, "real, genuine", from αὐθέντης authentes, "author") is the act of confirming the truth of an attribute of a single piece
of data claimed true by an entity. In contrast with identification, which refers to the act of stating or otherwise indicating a claim purportedly attesting to a person or thing's
identity, authentication is the process of actually confirming that identity. It might involve confirming the identity of a person by validating their identity documents, or
verifying the authenticity of a website with a digital certificate.[1] In other words, authentication often involves verifying the validity of at least one form of identification.
(Source: Wikipedia)

Multi-Factor Authentication (MFA)


MFA is an authentication design that requires two or more independent ways of verifying an identity. Examples include something that the user possesses, such as a
telephone or other physical token; inherent factors, like biometric traits; or something known, like a password. ATMs are prime examples of MFA because you need a card
(physical token) and a PIN (something known) in order for the transaction to take place.

Factors shown in the figure: Token, Knowledge, Presence

Out-of-Band Authentication (OOB)


OOB utilizes totally separate channels, like mobile devices, to authenticate transactions that originated on a computer. Any transaction that requires deposits from one place
to another, like a large money transfer, would generate a phone call, text or notification on an app that there is more authentication required for the transaction to be
completed. With two necessary channels, it is much more difficult for a hacker to steal money.

2 Factor Authentication

OTP: time based or event based
Backup
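The slide only names the two OTP flavours. The following example, added here and not part of the lecture material, implements both with the Python standard library: event-based HOTP (RFC 4226, HMAC over a counter) and time-based TOTP (RFC 6238, HOTP with the counter derived from the clock), plus the two server-side checks a verifier needs in practice: a look-ahead window with replay protection for HOTP (the token's counter drifts ahead when the user presses the button without logging in) and a small clock-skew window for TOTP. The secret `12345678901234567890` is the published RFC test secret, so the printed codes can be checked against the RFC tables; the class and function names are my own.

```python
import hashlib
import hmac
import struct
import time

# Published test secret from RFC 4226 / RFC 6238 (SHA-1 column); not a real credential.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Event-based OTP (RFC 4226): HMAC over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """Time-based OTP (RFC 6238): HOTP whose counter is floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits, digestmod)


class HotpVerifier:
    """Server-side state for event-based OTP. A code is accepted only if it matches
    one of the next `window` counters, and a counter is never accepted twice."""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.next_counter = 0  # first counter value not yet consumed

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.next_counter = c + 1  # resynchronise; all older counters are dead
                return True
        return False  # behind the window, too far ahead, or simply wrong


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current time step and `skew` steps either side to tolerate
    clock drift between token and server."""
    if for_time is None:
        for_time = time.time()
    current = int(for_time // step)
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(current - skew, current + skew + 1))


if __name__ == "__main__":
    # Compare against the RFC tables: counters 0..9 and TOTP at T=59 (8 digits).
    for c in range(10):
        print(f"HOTP counter {c}: {hotp(RFC_SECRET, c)}")
    print("TOTP at T=59:", totp(RFC_SECRET, 59, digits=8))
```

In a real deployment the per-user `next_counter` (or, for TOTP, the last accepted time step) must be persisted so that a code cannot be replayed within the acceptance window after a restart, and the shared secret belongs in a protected store, not in application memory at rest.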

Authentication 3D secure
3-D Secure is an XML-based protocol designed to be an additional security layer for
online credit and debit card transactions. It was originally developed by Arcot Systems
(now CA Technologies) and first deployed[1] by Visa with the intention of improving the
security of Internet payments, and is offered to customers under the Verified by
Visa/Visa Secure brands. Services based on the protocol have also been adopted by
Mastercard as SecureCode, Discover as ProtectBuy[2] and by JCB International as
J/Secure. American Express added 3-D Secure in selected markets on November 8, 2010
as American Express SafeKey, and continues to launch additional markets.[3]
EMV 3-D Secure (Three-Domain Secure, 3DS) is a messaging protocol developed by
EMVCo to enable consumers to authenticate themselves with their card issuer when
making card-not-present (CNP) transactions. The additional security layer helps prevent
unauthorized CNP transactions and protects the merchant from CNP exposure to fraud.
The three domains of 3-D Secure are the merchant/acquirer domain, the issuer domain and
the interoperability domain (e.g. payment systems).

Authentication 3D secure flow

Authentication 3D secure flow
The protocol uses XML messages sent over SSL connections with client
authentication[6] (this ensures the authenticity of both peers, the server and the
client, using digital certificates).
A transaction using Verified-by-Visa or SecureCode will initiate a redirection to the
website of the card-issuing bank to authorize the transaction. Each issuer could
use any kind of authentication method (the protocol does not cover this) but
typically, a password tied to the card is entered when making online purchases.
The Verified-by-Visa protocol recommends that the bank's verification page be loaded in
an inline frame session. In this way, the bank's systems can be held responsible
for most security breaches. Today it is easy to send a one-time password as part
of an SMS text message to users' mobile phones, or by email, for authentication, at
least during enrollment and for forgotten passwords.
The main difference between Visa and Mastercard implementations lies in the
method to generate the UCAF (Universal Cardholder Authentication Field):
Mastercard uses AAV (Accountholder Authentication Value) and Visa uses CAVV
(Cardholder Authentication Verification Value).
Source: https://en.wikipedia.org/wiki/3-D_Secure

Payment Service Directive (PSD2)
WHAT IS THE AIM OF THE DIRECTIVE?

• Directive (EU) 2015/2366 (Payment Service Directive 2 — PSD 2) provides the legal foundation for the
further development of a better integrated internal market for electronic payments within the EU.
• It puts in place comprehensive rules for payment services*, with the goal of making international payments
(within the EU) as easy, efficient and secure as payments within a single country.
• It seeks to open up payment markets to new entrants, leading to more competition, greater choice and better
prices for consumers.
• It also provides the necessary legal platform for the Single Euro Payments Area (SEPA).
• It repealed Directive 2007/64/EC (PSD) from 13 January 2018.

KEY POINTS

• The directive seeks to improve the existing EU rules for electronic payments. It takes into account emerging
and innovative payment services, such as internet and mobile payments.
• The directive sets out rules concerning:
– strict security requirements for electronic payments and the protection of consumers' financial
data, guaranteeing safe authentication and reducing the risk of fraud;
– the transparency of conditions and information requirements for payment services;
– the rights and obligations of users and providers of payment services.
• The directive is complemented by Regulation (EU) 2015/751, which puts a cap on interchange fees charged
between banks for card-based transactions. This is expected to drive down the costs for merchants in
accepting consumer debit and credit cards.
Source: https://eur-lex.europa.eu/legal-content/EN/LSU/?uri=CELEX:32015L2366

Authentication for eID systems

The following cryptographic protocols are used for chip and terminal access control and
authentication, and must be implemented by the chip and terminal (see also [TR-03116]
part 2):

• Password Authenticated Connection Establishment – PACE ([TR-03110])
• Terminal Authentication Version 2 – TA2 ([TR-03110])
• Passive Authentication – PA ([ICAO 9303])
• Chip Authentication Version 2 – CA2 ([TR-03110])
• Residence permit only: Basic Access Control ([ICAO 9303]), PACE according to [ICAO PACE],
as well as Terminal Authentication Version 1 and Chip Authentication Version 1 according to [TR-03110].

Source: BSI Germany

PKI Introduction
• Elements of PKI
– A typical PKI consists of hardware, software, policies and standards to manage the creation, administration,
distribution and revocation of keys and digital certificates.
– Digital certificates are at the heart of PKI, as they affirm the identity of the certificate subject and bind that identity
to the public key contained in the certificate.

• A typical PKI includes the following key elements:
– A trusted party, called a certificate authority (CA), acts as the root of trust and provides services that authenticate
the identity of individuals, computers and other entities.
– A registration authority, often called a subordinate CA, certified by a root CA to issue certificates for specific uses
permitted by the root.
– A certificate database, which stores certificate requests and issues and revokes certificates.
– A certificate store, which resides on a local computer as a place to store issued certificates and private keys.

• A CA issues digital certificates to entities and individuals after verifying their identity. It signs these certificates
using its private key; its public key is made available to all interested parties in a self-signed CA certificate. CAs use
this trusted root certificate to create a "chain of trust": many root certificates are embedded in web browsers, so
they have built-in trust of those CAs. Web servers, email clients, smartphones and many other types of hardware
and software also support PKI and contain trusted root certificates from the major CAs.
• Along with an entity's or individual's public key, digital certificates contain information about the algorithm used to
create the signature, the person or entity identified, the digital signature of the CA that verified the subject data
and issued the certificate, the purpose of the public key (encryption, signature and certificate signing), as well as a
date range during which the certificate can be considered valid.

• Source: G&D, Veridos, techtarget.com, https://www.youtube.com/watch?v=EizeExsarH8

PKI stakeholder

Key Handling
• Key Usage
– PKI and CA keys and certificates can be used in many applications, including IPsec and other VPN protocols, web-based security protocols like Secure
Sockets Layer (SSL), Transport Layer Security (TLS) and Secure HTTP, as well as Secure Shell, PGP, etc. In some of these applications, multiple key
pairs may be issued. One key set might be used for authentication and encryption, while another key set might be used for digital signatures. This
enables the first key pair to be escrowed and backed up without compromising the privacy of the owner's digital signature key, and therefore avoids
misuse.
• Key Expiration
– Every key expires at some point. The lifetime of the key is defined at the time of key creation, using the "valid from" and "valid to" fields. Once the key
expires, it must be removed from the system and destroyed. Then a new key should be created for the owner. Expired keys are not added to the
CRL.
• Key Revocation
– During the lifetime of the key, there may be situations in which we have to revoke the key. Key revocation takes place when
owner information changes, like the domain name, company name, etc. Revocation also occurs in case of key theft, if the key has been compromised,
or in case of an acceptable use policy violation.
– Once the key is revoked, it is listed in the Certificate Revocation List (CRL) and the Online Certificate Status Protocol (OCSP) server is updated. This
way clients can query the OCSP server to find the status of the certificate. The status of a certificate can be valid, suspended or revoked. A suspended
certificate is one which is still valid but is temporarily removed from valid use. A suspended certificate can be reactivated.
• Renewing Keys
– We can renew a certificate before it expires. We use our current key to sign the request for the new key. This way we don't have to go through the
process of proving our identity again, and the new key can be issued very quickly.
– Key Update is a process related to renewal, in which a new key is generated by modifying the old key that is still valid.
• Destroying Keys
– Key destruction takes place when a key is no longer useful. When a key is to be destroyed, we need to notify the CA so that it can update its CRL
and OCSP servers.
• Deregistration
– Deregistration means that all information about the owner of the key becomes invalid and is to be removed from the server. This happens, for example,
when the company that owns the key ceases to exist. Deregistration differs from revocation because in revocation only the key is revoked,
while the owner information remains valid. In deregistration all information about the owner is deleted from the CA database.

• Source: http://www.utilizewindows.com/key-management-principles/

Digital Signature
• Private companies and government agencies all around the world
make huge investments in the automation of their processes and
in the management of electronic documentation.
• The main requirement in the management of digital documentation
is its equivalence, from a legal perspective, to paperwork; affixing a
signature to a digital document is the fundamental principle on
which the main processes of authorization and validation are based,
regardless of the specific area of application.
• The main benefits of introducing digital signing processes are
cost reduction and complete automation of the document workflow,
including the authorization and validation phases.
• In essence, digital signatures allow you to replace the paper-based
approval process, slow and expensive, with a fully digital system
that is faster and cheaper.

Digital Signature process

Source: researchgate.net

Digital Signature Process
• A digital signature is a one-way hash of the original data that has been encrypted with the signer's private key. The
digital signature process consists of the following steps:
• The signer calculates the hash of the data to be signed. The message digest is small (160 bits for SHA-1, now
deprecated; 256 bits for SHA-256) and acts as a control code that refers to the document. The
hash function is designed to minimise the likelihood that two different texts produce the same digest, and it is
a "one way" function: from the calculated hash it is infeasible to recover the original text.
• The signer encrypts the calculated hash using his private key.
• The signer sends the original data and the digital signature to the receiver. The pair (document and signature) is a
signed document, i.e. a document to which a signature has been attached. The document is in clear text but carries the
signature of the sender; it can therefore be read by anyone but not altered, since the digital signature
also guarantees the integrity of the message.
• For verification, the receiving software first uses the signer's public key to decrypt the hash, then it applies the
same hashing algorithm that generated the original hash to produce a new one-way hash of the same data. The
receiving software compares the new hash against the original hash. If the two hashes match, the data has not
changed since it was signed.
• The authenticity of a document can be verified by anyone: decrypt the signature of the document with the
sender's public key, obtaining the fingerprint of the document, then compare it with the fingerprint obtained by applying
the (publicly known) hash function to the received document to which the signature was attached. If the two
fingerprints are equal, the authenticity and integrity of the document are demonstrated.
The signing and verification operations may be delegated to a schedule issued by the certification.
Thanks to the mechanism shown, the digital signature ensures non-repudiation: the signer of a transmitted document
cannot deny having sent it, and the receiver can deny having received it. In other words, the information
cannot be ignored, as in the case of a conventional signature on a paper document in the
presence of witnesses.
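The hash-then-sign and verify steps above, carried through in code as an added example (not the slide's or any library's code): textbook RSA with the PKCS#1 v1.5 signature encoding (EMSA-PKCS1-v1_5 with a SHA-256 DigestInfo), implemented with the Python standard library only so that every step of the slide is visible. Key generation uses Miller-Rabin with a 1024-bit modulus to keep the example fast; the function names are mine, and the `SHA256_DIGESTINFO` constant is the DER prefix from RFC 8017. The example also shows the two failure cases the slide's verification step is meant to catch: a document altered after signing, and a signature produced under a different key.

```python
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2 note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so the modulus has the intended size."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)). e = 65537 is prime, so gcd(e, phi) == 1 iff e does not divide phi."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p == q or (p * q).bit_length() != bits:
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:
            continue
        return (p * q, e), (p * q, pow(e, -1, phi))


def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """Step 1 of the slide: hash the document, then wrap the digest in the
    PKCS#1 v1.5 encoding 00 01 FF..FF 00 || DigestInfo || H(message)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign(private_key, message: bytes) -> bytes:
    """Step 2 of the slide: apply the private key to the encoded hash."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(message, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def verify(public_key, message: bytes, signature: bytes) -> bool:
    """Verification step of the slide: recover the encoded hash with the public key,
    recompute the encoding from the received document and compare in constant time."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(message, k))


def demo() -> dict:
    """Sign a constructed document, then check the genuine, tampered and wrong-key cases."""
    public_key, private_key = generate_keypair()
    document = b"Transfer EUR 1,000.00 to account DE00 0000 0000 0000 0000 00"  # constructed sample
    signature = sign(private_key, document)
    other_public_key, _ = generate_keypair()
    return {
        "genuine": verify(public_key, document, signature),
        "tampered_document": verify(public_key, document.replace(b"1,000.00", b"9,000.00"), signature),
        "wrong_key": verify(other_public_key, document, signature),
    }


if __name__ == "__main__":
    print(demo())  # expected: genuine True, tampered_document False, wrong_key False
```

Comparing the full encoded block rather than only the trailing digest bytes matters: verifiers that parse the padding loosely have historically accepted forged signatures, which is why the comparison here is over the complete `em_len`-byte encoding. In production the same operations are performed by a vetted library, with the private key held in a smart card or HSM so that it never leaves the device.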

Examples
• To sum up, digital signatures can reliably automate authorization signatures, allowing the
elimination of paper, reducing costs and improving the speed of production processes.
By virtue of all these advantages, the digital signature can be particularly useful for:
• government agencies in regulated sectors with workflows subject to formal approval;
• organizations that must submit documents to be approved by various offices;
• representatives of organizations, or service providers, whose commercial activity requires the
delivery of signed reports or contracts;
• executives away from the office whose signature is required to activate processes;
• organizations which cooperate with external partners and require approval of workflows;
• web portals with external forms that require completion and signing.
• Note that the range of documents to which the digital signature can be applied is particularly varied,
and includes:
– sales proposals, contracts with customers.
– purchase orders, contracts / agreements with partners.
– contracts, agreements, acts of the board.
– leases, contracts, expense reports and reimbursement approvals.
– Human Resources: employment documentation, attendance records.
– Life Sciences: questions and proposals, QC records, standard operating procedures (SOPs), policies, work
instructions.
– Mechanical work: drawings, sketches, plans, instructions and production reports.
– Health services: medical and patient consent forms, medical exams, prescriptions, laboratory reports.

Qualified Digital Signature
• A qualified electronic signature is an electronic signature that is compliant with EU Regulation No 910/2014 (eIDAS Regulation) for
electronic transactions within the internal European market.[1] It makes it possible to verify the authorship of a declaration in electronic data
exchange over long periods of time. Qualified electronic signatures can be considered the digital equivalent of handwritten
signatures.[2] (Dawn M. "Qualified Electronic Signatures For eIDAS". Cryptomathic. Retrieved 13 June 2016; "Qualified Electronic
Signature". Bundesnetzagentur. Retrieved 13 June 2016)
• What are the eSignature assurance levels under eIDAS?
Regulations such as eIDAS have developed their own eSignature classifications based on trust and assurance. These terms signify the level of assurance provided by different types of signatures
as specified by the goals of the regulation.
The following classifications are the terms presented by eIDAS with the goal of creating a common foundation and framework for secure electronic signatures to enhance trust and facilitate
interoperability and cross-border usage and acceptance.
eIDAS has also created an accreditation for delivering eSignatures with the highest level of assurance (qualified electronic signatures) and in doing so has changed the market for
eSignatures in Europe. Let's look into how this has been done.
• Basic Level Electronic Signatures
• Advanced Electronic Signatures
• Qualified Electronic Signatures
A qualified electronic signature is:
an advanced electronic signature that is created by a qualified signature creation device and which is based on a qualified certificate for electronic signatures.
First, let's look at what a 'qualified signature creation device' is. According to eIDAS requirements, the device must ensure:
– the confidentiality of the electronic signature creation data;
– that the electronic signature creation data used for electronic signature creation can practically occur only once;
– that the electronic signature creation data used for signature creation cannot be derived, and that the signature is protected against forgery using currently available technology;
– that the electronic signature creation data used for signature creation can be reliably protected by the legitimate signatory against use by others;
– that the device does not alter the data to be signed or prevent such data from being presented to the signatory prior to signing;
– that generating or managing signatory data on behalf of the signatory is only done by a qualified trust service provider.
Without prejudice to point (d) of point 1, qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation
data only for back-up purposes, provided the following requirements are met:
– the security of the duplicated datasets must be at the same level as for the original datasets;
– the number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service.
It might seem a bit vague (probably because the regulation is written to stay in line with future technological standards), but what it is saying is that if you are using a
qualified electronic signature, you must be storing the creation and signature data on a highly reliable and assured device.
What hardware is reliable enough to do this? Our advice is to store this information in an HSM (Hardware Security Module), which can be kept in a secure place within your organization. For it to have
all the security features mentioned above, the HSM needs to comply with FIPS 140-2 Level 3 at minimum, a security standard created for cryptographic modules such as HSMs.
The next part of the definition of qualified electronic signatures says that data on the device must be based on a 'qualified certificate for electronic signatures'. As opposed to advanced
electronic signatures, which do not outright say you have to use a digital certificate, the definition for qualified signatures says that a certificate is a must. A qualified certificate can only be purchased from
a Certificate Authority which is also ISO 15408 accredited as per the regulation.
EU Member States are required to recognize the validity of a qualified electronic signature that has been created using a qualified certificate from another Member State.

Signature types

eIDAS

The eIDAS Regulation:


• ensures that people and businesses can use their own national electronic identification schemes (eIDs)
to access public services in other EU countries where eIDs are available.

• creates a European internal market for eTS - namely electronic signatures, electronic seals, time stamps,
electronic delivery services and website authentication - by ensuring that they will work across borders and
have the same legal status as traditional paper-based processes. Only by providing certainty on the legal
validity of all these services will businesses and citizens use digital interactions as their natural way of
interacting.

The eIDAS regulation brings benefits to European businesses, citizens and government
services. Consult the infographics below to explore how eIDAS can benefit you.

Source: https://www.docusign.de/eidas
https://ec.europa.eu/digital-single-market/en/news/webinar-benefits-eid-
and-trust-services-professional-services-sector

