Two Payment Worlds Collide

Are online and offline payment security diverging to the point of total separation, or are there intersects between the two?

Transactional security has been a concern since long before the internet came along and drove so much commerce away from the storefronts. The technology that secures payments has changed quite dramatically in both the online and offline worlds in recent years, and the days of relying upon holding currency up to the light or comparing signatures on credit cards offline are long gone, soon to be joined by simplistic online transactional authentication methods such as card verification codes. But does this necessarily mean that online and offline payment security are diverging to the point of total separation, or are there intersects between the two? More to the point, do these two transactional security technology worlds help or hinder each other? The answers may surprise you.

Security Confluence

The first thing to consider when looking at the evolution of payment security technologies is how they are approached both on- and offline, and whether there is any overlap. The obvious instinct is to say that, in both transactional worlds, card and user authentication are key. This assumption would be true, but they are typically implemented differently: offline the cardholder is most often present to authenticate using a PIN or signature, whereas online it is common practice to cross-reference a portion of the cardholder’s address together with a card verification code.

A ‘cardholder not present’ transaction would seemingly always be more risky from the retailer’s perspective. But as the director of mobile security at Cryptography Research, Scott Forbes, points out, this isn’t necessarily the case. “One of the advantages of online security measures is that online transactions are increasingly able to leverage aggregated data and fraud algorithms more than offline measures”, he told Infosecurity. “Using such big data methods allows retailers, banks, and law enforcement to create detailed purchasing profiles for individual consumers and stores, thereby enabling the fraud algorithms to flag individual transactions occurring outside of established payment parameters”.

Of course, the truth is that when it comes to technology overlap – from the risk perspective – the distinction between an online and offline transaction is increasingly a blurred one anyway. Consumers at a retail point-of-sale (POS) terminal are using a networked device whose risk profile leaves it susceptible to malware and unauthorized access, and which can be used to skim transactional data if compromised.

On the flipside, though, as Forbes reminds us, online connectivity also allows for real-time validation of a user or card, plus Over-the-Air (OTA) updates to mitigate constantly emerging software-based malware attacks – not forgetting the fraud algorithms that enable merchants and banks to identify questionable transactions based on the velocity of those transactions, the geographic location of a payment, and the type of shipping requested. Perhaps this explains why the IT security industry as it applies to transactional technology is, far from becoming more divergent between the online and offline worlds, actually converging.
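As an added illustration (not code from the article or from any vendor quoted in it), the three signals Forbes names can be combined into a simple rules-based flagger. The thresholds, the per-card home country and the sample transactions below are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    card_id: str
    ts: datetime
    amount: float
    country: str    # country the payment was made from (assumed: from geolocation)
    shipping: str   # shipping type requested, e.g. "standard", "express"

# Assumed thresholds: more than VELOCITY_LIMIT transactions on one card within
# VELOCITY_WINDOW counts as a velocity anomaly; express shipping is treated as
# higher risk because it shortens the window in which fraud can be caught.
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 3
HIGH_RISK_SHIPPING = {"express", "overnight"}

def risk_reasons(history, txn, home_country):
    """Return the list of fired signals for txn given earlier txns on the card."""
    reasons = []
    recent = [t for t in history
              if t.card_id == txn.card_id and t.ts <= txn.ts
              and txn.ts - t.ts <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_LIMIT:
        reasons.append("velocity")
    if txn.country != home_country:
        reasons.append("geo")
    if txn.shipping in HIGH_RISK_SHIPPING:
        reasons.append("shipping")
    return reasons

def flag_transactions(txns, home_country, threshold=2):
    """Replay txns in time order; flag any that fire at least `threshold` signals."""
    flagged, history = [], []
    for t in sorted(txns, key=lambda t: t.ts):
        reasons = risk_reasons(history, t, home_country)
        if len(reasons) >= threshold:
            flagged.append((t, reasons))
        history.append(t)
    return flagged

# Constructed sample: one card whose purchases suddenly move abroad and speed up.
T0 = datetime(2013, 1, 1, 12, 0)
SAMPLE_TXNS = [
    Txn("c1", T0, 20.0, "GB", "standard"),
    Txn("c1", T0 + timedelta(minutes=2), 35.0, "GB", "standard"),
    Txn("c1", T0 + timedelta(minutes=3), 400.0, "FR", "express"),
    Txn("c1", T0 + timedelta(minutes=4), 450.0, "FR", "express"),
    Txn("c2", T0 + timedelta(minutes=5), 15.0, "GB", "express"),
]
```

Running `flag_transactions(SAMPLE_TXNS, "GB")` flags only the two French express purchases, the second of which also trips the velocity rule.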

The Payment Diversification Crisis

Ian Hermon, payments security manager at Thales e-Security, points to PayPal as being perhaps the biggest advocate of trying to merge the two payment worlds. “It already has a dominant share of online transactions”, Hermon states, “the key driver behind this is that many people feel more secure with PayPal because they do not need to provide card details during the transaction – their login credentials enable PayPal to integrate the real card information from the secure cloud database. The security relies on PayPal keeping the database secure and users not allowing their credentials to be stolen or guessed”. Indeed, the company is working hard to get merchants to accept PayPal at the physical POS by integrating additional software into their terminals.

Rafe Pilling, the principal consultant for Security & Risk Consulting at Dell SecureWorks, told us that one way or another, everything is going online with a global move to ‘Europay, MasterCard and Visa’, or EMV for short. This is the global standard for the inter-operation of integrated circuit cards and related POS terminals for authenticating card transactions, also known as Chip & PIN.

“This technology has been very successful in Europe in reducing card fraud where the user is present, and the majority of card-present fraud now comes from cards that have been cloned and taken for use outside of Europe or with non-European cards that are used fraudulently on non-Chip & PIN devices”, Pilling explains. He adds that “generally the market is moving towards having a wider range of electronic options to pay for goods and alongside PayPal-type payment services, which have been around for a few years, we are also seeing emerging technologies such as electronic wallets, NFC-equipped point-of-sale terminals like Paywave, and smartphone app-based payment mechanisms, including Passbook”.

This lack of homogeneity will help make it difficult for an attacker to come up with one strategy and will likely slow them down, but the trend also presents an array of new targets and technologies that are bound to have unnoticed security flaws that attackers can take advantage of. Iain High, managing director of payment service provider Anderson Zaks, thinks this is leading the card payment industry into a crisis situation.

“These alternative forms of payment, such as mobile NFC, PayPal and Google, bypass PCI security and are starting to gain a foothold”, he observes. “It is forecast that by 2015, 50% of non-cash transactions will fall within these categories”.

For Some, a Simple Answer

Not everyone sees this movement as convergence, per se. Take David Harley, a senior research fellow at ESET, who perceives it more as “providers pushing remorselessly towards a fully online marketplace”. He warns that while, in principle, this doesn’t have to mean an end to offline authentication based on the physical presence of the customer, “it’s a likely outcome”.

Authentication mechanisms will be more and more remote/cloud-based according to Harley, although he admits that in the US, the late adoption of EMV to some extent seems to buck this trend. “It has to be seen in the context of a current authentication model that still relies on ‘something you have’ (the card) in tandem with a signature that more often than not doesn’t even get looked at”, he insists. In Europe, Harley sees providers moving toward PIN-protected devices, the equivalent of EMV protection. “It may be that the distinction between cardholder present and card not present [transactions] will, for all intents and purposes, disappear”, he muses.

As far as Marion King, president of the UK & Ireland division at MasterCard, is concerned, once the ecosystem is open to all then security is clearly a priority for the success of any payment service. “For far too long now, the industry has been guilty of assuming that people know as much about the issues around secure payments as they do”, King explains. “In reality, all anyone is really interested in is security being embedded into the payment process, without the worry of having their data stolen or used without their consent”.

King looks to existing strong encryption as the future, telling us that whereas online payments used to require the headache of having to enter card number, expiration date and card verification code (CVC), now all this data can be securely stored across multiple cards in a single digital wallet. “This takes away the risk of screen images getting grabbed from a consumer’s key personal banking details, such as PIN numbers”, King insists. But where are the loopholes?

Pat Carroll, CEO of ValidSoft, thinks the real question, as we continue to move toward the mobile wallet, is whether EMV is actually still applicable. “Where is the chip in the phone?” Carroll asks, answering with, “it’s essentially gone. So how is EMV handled in those mobile wallet products?” If you search online and read industry blogs, the question remains, for the time being, unanswered. “It seems that PayPass uses CVC3 technology”, Carroll says, adding “but that falls short of a full EMV protection”.

So how can Mom-and-Pop enterprises address security when moving exclusively from one transactional realm into both? Rafe Pilling thinks the answer is simple. They should “minimize their involvement in the card processing flow” by outsourcing the payment process and using a third party that offers a PCI DSS-compliant payment processing service.

Getting involved with the storing and processing of payment card transactions not only brings the risks of suffering a breach, investigation costs, fines and legal fees, but also requires them to put in all of the security controls to protect payment card flows. As Pilling concludes: “the fewer entities we have processing credit card payments, the less there is to protect”.


The PCI DSS Challenge
Bill Morrow has twice been appointed to serve on the Texas Emerging Technology Fund board, and currently sits on the University of Texas San Antonio Development Board. Morrow is the CEO of security software company Quarri Technologies, based in Texas. He argues that as the card transaction industry continues to migrate to online, browser-based transactions, this evolutionary process highlights critical security gaps that create significant risks to organizations that need to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance:

“It is clear that PCI compliance continues to be a challenge for many companies that are processing card transactions, and it can be viewed as challenging and expensive for SMEs and independent retailers. In fact, Verizon’s 2011 PCI industry compliance report stated that only 64% of companies achieved PCI compliance in 2010.

However, businesses should not see PCI compliance as a hindrance but more a necessity. Any credit card processing conducted in the web browser leaves data at risk, as it’s unencrypted on the endpoint, and many organizations are not up-to-date with anti-virus software, leaving them vulnerable to malware and man-in-the-middle threats. That same data can also remain in the web browser cache in clear text format and be vulnerable to extraction by malware. Simple, everyday tasks, such as cut, copy, paste and screen capture, place sensitive data in the system-wide clipboard, which is also rendered in clear text format and easily accessible, even after the web session has ended. In addition, stored user names and passwords from browser sessions remain available in the authentication cache and vulnerable to malware.

Now with online shopping moving from desktop to smartphone, we can expect even more targeted attacks on online shoppers. Online payment security is needed now more than ever to ensure businesses are compliant and adequately protecting personal financial data.”
