
Emerging Trends in Payments Security

Satish Grampurohit, Delivery Manager, and Alok Ranjan Tripathy, Business Manager, Banking and Capital Markets, Infosys Technologies, India

Banks are continually exploring more sophisticated and innovative mechanisms to enhance transaction security. The mobile phone as a payment channel is being tested as a more resilient option as it provides two-factor, two-channel authentication. Payment security is one of the primary focus areas for banks. If banks can build customer confidence, they will not only be able to retain clients but also increase their client base.

It has been a long journey from the practice of bartering to today's sophisticated payment schemes. Previously, making a payment required both parties to be physically present for an exchange to take place. Over the years, with advances in technology, payment between two parties has evolved such that it can be made from any place and at any time. The amount of money being exchanged has also risen significantly. This has led to numerous security risks and consequential improvements in payment security systems.

Payments can either be cash (the exchange of domestic or international currencies) or cashless (plastic cards, cheques, electronic and online). Figure 1 shows the distribution of different payment methods across the globe in 2007. Countries in Asia Pacific, barring Australia, still prefer cash as the primary mode of payment. However, there is a major shift towards cards in some countries such as India, Thailand and South Korea, where the number of debit and pre-paid cards issued in these countries stood at 33.9 million, 13.9 million and 11.6 million cards respectively in 2007. In addition, several emerging markets experienced triple-digit growth in card payments: Bangladesh (155%), Pakistan (146%) and Vietnam (123%).1

Cash payment remains significantly ahead of cashless transactions and is the dominant preference among consumers. However, cashless payment transactions are on the rise. For speed and convenience, banks and card companies have introduced a spectrum of alternative means of making payments.
This has led to a surge in transaction volumes and an increase in the sophistication of fraudsters, which together have driven the adoption of cutting-edge technology in payment systems. Fraudulent activities in payments are on the rise. In Asia Pacific, recent statistics show that there are more than a quarter of a million fraudulent transactions per year in Australia alone. Banks and payment service providers have been investing heavily in technology to strengthen their security and internal controls to counter these threats. However, reliance on technology alone is not sufficient, as technology itself exposes quite a few areas of opportunity for fraud, some of which are listed in Figure 2. The irrecoverable damage to financial institutions is on the rise, especially through the exploitation of cards. Figure 3 shows estimates of fraud in recent years in the UK, one of the countries where cards are used predominantly as a means of payment.
While cash remains the dominant method of payment, cashless transactions are on the increase and with this comes an increase in the number of fraudulent payment transactions.
1. Figures from Visa Asia Pacific, Singapore, press release dated 28 May 2007, www.visa-asia.com.
HSBCs Guide to Cash, Supply Chain and Treasury Management in Asia Pacific 2009

Technology


FIGURE 1: Distribution of Payment Methods across the Globe in 2007

[Stacked bar chart: % of payment methods (credit card, debit card, cash, cheque, others) for the UK, US, Canada, Japan, China and Australia; the individual percentages cannot be recovered from the extracted text.]


Source: McKinsey/GCI Payments Practice, APACS (UK payments association) and presentation by Chris Skinner, Financial Services Club, UK at the IEA & Marketforces Inaugural Conference The Future of Cards and Payments, 2 & 3 July 2008

FIGURE 2: Opportunities for Fraudulent Transactions in Payment Technology

Area of technology | Details                                                     | Threats
Data               | Personal data                                               | Identity theft, forgery
Data               | Financial data                                              | Forgery, data breach
Data               | User details, e.g. identification, password                 | Identity theft, forgery
Cards              | Physical cards                                              | Theft, identity theft, counterfeit, mail non-receipt
Cards              | Personal identification number (PIN), password, secure code | Identity theft
Cards              | Card number                                                 | Card not present (CNP)
Network            | Transfer of data through Internet                           | Hacking, system failure through virus, spyware, phishing, CNP
Network            | Transfer of data through Intranet                           | System failure, identity theft, data breach, CNP
Network            | Personal data                                               | Identity theft, forgery

Source: Infosys Technologies

FIGURE 3: Estimated Fraud Involving Payments in the UK 2002-07

[Line chart, GBP m (0 to 600) by year 2002 to 2007, three series: Card, Cheque, Online; the plotted values cannot be recovered from the extracted text.]

Source: APACS, the UK payments association

Payment Security

With the rise of online payments and the huge loss in profits for companies and banks from fraudulent transactions, increased payment security is needed to maintain consumer confidence.

Prevention Through Software Systems and Services

With the help of technology, it is possible to automate key services such as identity management, web analysis of fraudulent activities, address verification and credit scoring. Increasingly, to minimise the exploitation of weak spots, the security requirements for a payment system are moving from traditional non-functional requirements to mandatory requirements for each function. Some of the emerging practices are:
- Digital signatures;
- Public key encryption systems;
- Two-factor authentication; and
- Smart-card swipe devices.

Manual verification of transactions, cardholder verification numbers, address verification and payer authentication are some other anti-fraud methods that have contributed immensely to the improvement of payment security in recent years.

Prevention Through Compliance

The Payment Card Industry Data Security Standard (PCI DSS) came into existence in 2005 as a result of the collaborative efforts of American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.2 It is a standardised, industry-wide set of 12 key requirements and processes. These baseline processes and guidelines apply to all participating financial institutions, retailers, software providers, online sellers and any third party. Compliance with PCI DSS will dictate the future of online payment security. The key standardised requirements of PCI DSS are:
- Install and maintain a firewall configuration to protect data;
- Do not use vendor-supplied defaults for passwords or other security parameters;
- Protect stored data;
- Encrypt the transmission of cardholder data and sensitive information;
- Use and regularly update anti-virus software;
- Develop and maintain secure systems and applications;
- Restrict access to data by other businesses on a need-to-know basis;
- Assign a unique ID to each person with computer access;
- Restrict physical access to cardholder data;
- Track and monitor all access to network resources and cardholder data;
- Regularly test security systems and processes; and
- Maintain a policy that addresses information security.

2. For more information about the PCI DSS, see the PCI Security Standards Council web site, www.pcisecuritystandards.org.

Can Prevention-Based Techniques Be Effective?


A prevention strategy is always dependent on past data and experience and is ever-changing in nature. Compliance and technology may still not be sufficient to prevent fraud and maintain consumer confidence, especially among small businesses and individual customer groups. The lack of active participation and know-how in the law enforcement community for tracking down and resolving online fraud is not helping the cause. This needs a collaborative effort from the worldwide community to create awareness among consumers, to educate consumers on the remedial action needed, and to set some good examples of how to curb crime in a timely manner. Financial institutions, retailers and online sellers should also gear up to provide adequate mentoring to consumers regarding online security precautions.


Emerging Trends

Increasingly, banks are adopting two-factor authentication techniques. An authentication factor is a piece of information and a process used to authenticate or verify a person's identity for security purposes. Using two factors as opposed to one delivers a higher level of authentication assurance. Chip and PIN (as used in password-protected cards) is one example of two-factor authentication that has significantly reduced costs to business and individuals. An advanced implementation of this is the practice of using an additional handheld device along with a card (multi-factor authentication) to carry out a transaction. MasterCard's card authentication programme3 and Visa's dynamic password authentication4 are based on this technology and use a handheld security device in combination with a card. The combination generates a unique, once-only security code for each online transaction. The Royal Bank of Scotland and Barclays have also adopted payment security practices based on this method.5 On similar lines, Croatia-based Privredna Banka Zagreb has distributed handheld smart card readers to all its Internet and telephone banking customers.6 The handheld readers, made by the US-Belgian company Vasco, require cardholders to insert their cards and enter the same PIN they use when making withdrawals from automatic teller machines.7 The cardholder then receives a single-use password, which they enter on the web site or over the phone to conduct the transaction.

While a higher level of security can be achieved by adopting multi-factor authentication, the use of biometrics could enhance security further. New devices and cards enabled with biometric readers are being introduced by some vendors. Users biometrically authenticate their identity via their fingerprint to the smart card or token and then enter a PIN or password. This method has the limitation of scalability. In addition, it is vulnerable to a repeat attack: once the biometric information is compromised, it may easily be replayed unless the reader is completely secure and guarded.
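The card-and-reader flow described above (bank challenge, card gated by the ATM PIN, single-use code typed into the web site) can be modelled end to end. The Python below is an added example written for this edition; it is not code from the article, nor from MasterCard, Visa, Vasco or any bank. It assumes an HMAC-SHA256 code bound to the transaction details with RFC 4226-style truncation (the deployed EMV-based schemes use different cryptography), a constructed sample card key and PIN, and a three-try PIN lock-out. It shows what makes the code once-only: the bank issues a fresh nonce per transaction, accepts each code a single time, and refuses a captured code on any later challenge, which is the replay resistance the static biometric credential in the previous paragraph lacks.

```python
"""Challenge-response one-time transaction codes from a card-and-reader pair, with replay rejection."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3   # assumed lock-out threshold (constructed value)
CODE_DIGITS = 8     # assumed length of the displayed one-time code (constructed value)


def _otp(card_key: bytes, tx: dict) -> str:
    """Bind a code to one challenge: HMAC-SHA256 over the transaction fields, truncated to digits."""
    msg = "|".join((tx["card_id"], tx["amount"], tx["payee"], tx["nonce"])).encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226-style dynamic truncation
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


@dataclass
class Card:
    """What the chip holds: a per-card key that never leaves the card, and a PIN check."""
    card_id: str
    key: bytes
    pin_hash: bytes
    tries_left: int = MAX_PIN_TRIES

    def sign(self, pin: str, tx: dict) -> Optional[str]:
        """Return a one-time code only if the PIN is right; lock the card after too many misses."""
        if self.tries_left == 0:
            return None                             # locked: no code regardless of PIN
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash):
            self.tries_left -= 1
            return None
        self.tries_left = MAX_PIN_TRIES
        return _otp(self.key, tx)


@dataclass
class Bank:
    """Issuer side: hands out a fresh challenge per transaction and accepts each code once."""
    card_keys: dict                                 # card_id -> key (held in an HSM in practice)
    pending: dict = field(default_factory=dict)     # nonce -> transaction the bank issued
    used: set = field(default_factory=set)          # nonces whose code has been consumed

    def new_challenge(self, card_id: str, amount: str, payee: str) -> dict:
        nonce = secrets.token_hex(8)
        tx = {"card_id": card_id, "amount": amount, "payee": payee, "nonce": nonce}
        self.pending[nonce] = dict(tx)              # keep the bank's own copy of the details
        return tx

    def verify(self, tx: dict, code: str) -> bool:
        nonce = tx["nonce"]
        if nonce in self.used or nonce not in self.pending:
            return False                            # replayed code, or a challenge never issued
        # Recompute from the bank's record, not the client's claim, so the code binds to what
        # the bank will actually debit.
        expected = _otp(self.card_keys[tx["card_id"]], self.pending[nonce])
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.used.add(nonce)
            del self.pending[nonce]
        return ok


def make_card(card_id: str, pin: str) -> Card:
    """Personalise a constructed sample card with a random key and a hashed PIN."""
    return Card(card_id, secrets.token_bytes(16), hashlib.sha256(pin.encode()).digest())


def demo() -> dict:
    """Walk through an accepted code, a replay, a code reused on another challenge, and PIN misses."""
    card = make_card("4111-sample", "4821")        # constructed values
    bank = Bank(card_keys={card.card_id: card.key})

    tx = bank.new_challenge(card.card_id, "125.00", "ACME Ltd")
    code = card.sign("4821", tx)
    results = {"accepted": bank.verify(tx, code)}                 # fresh code: accepted
    results["replay_rejected"] = not bank.verify(tx, code)        # same code again: refused

    tx2 = bank.new_challenge(card.card_id, "9125.00", "ACME Ltd")
    results["cross_tx_rejected"] = not bank.verify(tx2, code)     # old code on a new challenge: refused
    results["code_format"] = len(code) == CODE_DIGITS and code.isdigit()

    results["wrong_pin_no_code"] = card.sign("0000", tx2) is None
    for _ in range(MAX_PIN_TRIES):
        card.sign("0000", tx2)                                     # exhaust the remaining tries
    results["locked_after_misses"] = card.sign("4821", tx2) is None
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints a dictionary in which every entry is True. The design point is that the bank verifies against its own copy of the challenge and retires the nonce on success, so neither a recorded code nor a code produced for a different amount is of any use later; the PIN only unlocks the card's key, it is never sent to the bank.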

3. For information on MasterCard's security initiatives, products and services, see www.mastercard.com.
4. For information on Visa's security initiatives, products and services, see www.visa.com.
5. See the web sites of The Royal Bank of Scotland (www.rbs.com) and Barclays (www.barclays.com).
6. For more details, see www.pbz.h.
7. For more details, see www.vasco.com.

Increasingly, mobile phones are being used as payment devices. Some experiments have been conducted with mobile phones acting as a credit or cheque card (see the article Mobile Payment 2.0: The Next-Generation Model in this publication for more information). New two-factor authentication tools can transform a mobile phone into a token device, either by short message service (SMS) or by an interactive telephone call. A mobile phone payment system does not just offer two-factor authentication but also brings in two-channel authentication, making it far more robust. Some of the drawbacks of this option are the additional fees for text, data services or call minutes, and the latency involved with SMS. Major developments under way in this area will make the mobile phone the processor, with the security token residing on the phone as client software. This is yet to be fully commercialised.

It is likely that banks and vendors will increasingly adopt complex approaches involving a combination of method, machine and consumer:
- Method: two-factor and even multi-factor authentication mechanisms could be adopted.
- Machine: various options, such as card and swipe, smart cards and USB tokens8. Though there are limitations caused by size, mobility and reliability, technology should soon advance to address these challenges.
- Consumer: banks could use biometrics to enhance security.

The expectations of the individual involved and the personal impact of these new techniques will influence the direction of such payment security systems.
Additional emerging trends in online payments are:
- PCI DSS-compliant data centres to manage consumer data;
- MasterCard3 initiatives:
  - SecureCode, for use in online merchandising;
  - Maestro PayPass e-purse, an electronic/cashless payment card;
  - MasterCard inControl, a device-neutral payments processing platform that allows corporate customers to better manage spending on corporate cards;
- Visa card initiatives:
  - Verified by Visa, a password-protected identity-checking service for online merchandising;
  - O2 Wallet trial, a scheme by a UK consortium made up of Visa, Barclays, Oyster, Nokia, Transport for London and other partners to test the use of mobile phones to pay for purchases and travel around London9;
- Other initiatives, including payment gateways and services:
  - Online payment services from PayPal, NetBanx, PayPoint10;
  - PCI DSS-compliance and consulting services from CyberSource, an e-commerce payment management specialist company11;
  - Global payment services integration in developing economies such as China and India;
  - Retailer consortium initiatives.


8. A physical handheld device, using the Universal Serial Bus (USB) interface standard, used to aid in authentication for security purposes.
9. See O2 press release dated 28 November 2007, www.o2.co.uk.
10. More information is available on the companies' respective web sites: www.paypal.com, www1.netbanx.com and www.paypoint.com.
11. For more information, see www.cybersource.com.


Conclusion
Payments are increasingly moving towards being cashless, leading to huge opportunities for fraud. The confidence of consumers in payment systems is still not high, and banks need to build systems that are tamper-proof. A number of new practices have been developed, namely two-factor authentication (chip and PIN) and multi-factor authentication (card and special handheld devices). The mobile phone as a payment channel is being explored as a more resilient option as it provides two-factor, two-channel authentication. Cutting-edge technology options such as biometrics are also being considered. These practices are yet to prove their resilience and are also not fully commercialised. A better approach to payment security, which is yet to evolve, would be based on the three key areas of method, machine and consumer. All security developments are subject to the level of sophistication of that particular market. Some countries in Asia Pacific (for example, Australia, Japan and New Zealand) have high levels of payments security, while other countries do not have the regulations in place, or the software and systems, to prevent fraudulent transactions. While Asia Pacific generally lags behind countries in the West in this area, advances in technology and compliance should mean that the region can enjoy a comparable standard of payments security in the not too distant future.