Home Solutions Solutions Security

 

SecurityA modern approach to electronic payment security must embrace multilevel protection, as well as effectively combine proactive and reactive measures. The main threats that are present in the e-payments industry today can be summarised into four broad groups:

  • Interception and modification of the data transferred over communication lines
  • Fraud performed by means of lost and stolen cards
  • Card-not-present fraud
  • Abuse of authority delegated to staff at various payment system member organisations
  • Security solutions offered by Compass Plus are capable of addressing all of these threats by means of creating a sound security system.

As it is well known, to enable a secure cryptographic system, financial institutions need Host Security Modules (HSM). The TranzWare products and solutions support several HSM types and to access these devices the TranzWare applications use a standard interface – TranzWare Online CryptoServer. Such an approach allows HSM functionality to be available to a wide range of different applications and also allows to “hide” from them what specific device they communicate with. TranzWare Online CryptoServer (TWO CS) supports HSM8000 and payShield 9000 lines by Thales e-Security, some Atalla models and products supplied by SafeNet - ProtectServer and ProtectHost lines. All low-level aspects of the implementation are performed by TWO CS itself, whereas client applications (such as TranzWare Card Factory) refer to the module only with business-logic level requests, for example calculation of PVV and PIN. TWO CS can be easily integrated with third party applications.

Although TWO CryptoServer can help to significantly enhance security there is still a problem of managing cryptographic keys, especially in the systems that have hundreds or thousands of devices. Compass Plus has developedTranzWare Online Key Management System(TW KMS) to address this specific problem. Implementing this module can considerably simplify the work of staff dealing with the cryptographic keys, therefore, reducing human error and improving security. The system facilitates automatic generation of cryptographic keys as it includes the following capabilities:

  • Templates for clear component printing. It is enough to define the key printing template and later use it for printing clear key values
  • Key generation for the whole group of terminals or other objects
  • Interface for importing cryptographic keys
  • Automatic registration of the keys in a database and, if the keys were created for specific objects, their allocation to these objects

Additionally, TWO KMS monitors the entire lifecycle of cryptographic keys.

The system is closely integrated with TranzWare Online(front office system) and therefore, enables the following:

  • Assigning the keys to specific objects (e.g. terminals, card prefix) or groups of objects of a payment system
  • Usage of each key only for a specific object if it is of an appropriate type and state, others cannot be used
  • Automatic uploading and withdrawal of the keys because all the keys (their cryptograms) are stored in the TranzWare Online database

Unfortunately not all areas of a payment system can be protected by cryptography, where one of the most obvious examples is remote banking. These are characterised by Card Not Present transactions, absence of a device that can perform cryptographic function and store cryptographic keys, as well as by data being transferred over public networks. Introducing cryptographic protection systems in this case is, although possible, still leaves them vulnerable, immobile, requiring investment in certain software or even hardware from the customer’s side. Also such system organisation cannot be applied to phone banking.

To address this problem and offer enhanced security features, TranzWare Online offers a comprehensive multi-factor authentication without having to use costly hardware on the user’s side. An example of multi-factor authentication can be a combination of a static password (something the user knows) and single-use passwords (dynamic passwords) list. TranzWare Online allows a client application (e.g. TranzWare Internet Banking – remote internet banking solution or TranzWare Online FIMI – web interface to resources of a remote processing centre) to authenticate a user by means of freely combining different methods.

As was noted above, another security threat in the e-payments business, is fraudulent actions performed by means of lost and stolen cards. TranzWare Fraud Analyzerwas specifically designed to monitor, reveal and prevent fraud and risks associated with lost and stolen cards. The system enables the following:

  • Identification of suspicious transactions and sequences of transactions
  • Card, account, retailer and other objects activity control
  • Generation and allocation of alerts to different (specifically assigned) operators
  • Provision of all information on alerts (including the hierarchy of all connected to them objects) to risk-reviewers
  • Decision-making and response (action) generation (for example, block card request, initiation of case investigation, etc)
  • Case investigation management, automatic action generation, document workflow management
  • Analysis, search and detection of patterns, dependences and tendencies; report generation

Today, EMV standard is no longer an idea, many European banks have completed their migration to the EMV standard and hundreds of financial institutions are well on their way. The rationale for EMV is straightforward – significant reduction in costs of card fraud and improvement in overall security of card-based transactions. The TranzWare product family has been made EMV-compliant several years ago. All the relevant products have been repeatedly successfully certified for EMV compliance. Moreover, Compass Plus offers pre-authorised cardsfull M/Chip and VSDC issuing and acquiring functionality to ensure top-notch security of retail banking business.

TranzWare Online also supports EMV DPA/CAP technology. Compass Plus and their technological partners - GemaltoVASCO Data Securityand VISA were the first companies to launch a product based on the EMV CAP technology in Russia as well as in the CEMEA region.

Additionally, TranzWare e-Commerce – an integrated 3-D Secure protocol compliant solution further extends the security features offered by the TranzWare product family by means of enabling secure use of payment cards on the Internet. It provides a host-to-host interaction with issuers and acquirers as well as Visa and MasterCard networks. The product performs authentication of electronic transactions in compliance with 3-D Secure (Verified by Visa and SecureCode) standard and allows customer identification from an issuer’s as well as acquirer’s side. Above all, the solution is designed to be suitable for issuers as well as acquirers and its ACS and MPI modules (for issuers and acquirers respectively) are independent of each other and as such can be supplied separately. TranzWare e-Commerce has been successfully certified for compliancy with 3-D Secure and is a part of Verified by Visa and MasterCard SecureCode programmes.

Additionally, features such as user and session monitoring and auditing as well as access right control are embedded into all TranzWare modules to enhance security within an organization and reduce risks associated with abuse of authority delegated to financial institution personnel.

For further information please contact us.