Why Payment Protection Is At The Frontier Of New Technology

Posted: May 25 2016, 11:43am CDT | in News | Technology News



Any business accepting payment for goods or services, whether that's online or off, needs to consider the issue of payment security. Similarly, any sector such as banking, healthcare or government that stores clients' financial information needs to be hyper-aware of their responsibilities in this area. Criminals are taking full advantage of the latest technological developments in order to find new ways to steal money, and criminal applications could in some ways be seen as leading the field in this area of technology.

Most of these advances in theft technology are forms of hacking, either into computer systems and accounts or into credit cards and point of sale devices. Institutions and merchants need to stay abreast of changing technologies, both in terms of security vulnerabilities in the systems they are using and in terms of ways to combat those vulnerabilities. This is both an ethical and a statutory obligation. As well as seriously affecting the victim, this kind of financial fraud can seriously erode public trust in a company or institution, with massive cost to its reputation or brand.

The rise of contactless payment

While the US is only just beginning the widespread adoption of chip and PIN technology, experts are predicting that in the UK, where this has been standard on credit cards for many years, the use of PINs will be obsolete within the next four years. Contactless credit and debit cards using radio frequency identification (RFID) technology are now relatively commonplace. These have evolved both to combat credit card fraud and to make purchases quicker and easier. EMV contactless communication protocol specifications are deployed to transmit the required information from the card to a near field communication (NFC) enabled device, in this case the payment terminal.

The payment transaction itself is achieved via a card-specific proprietary protocol, meaning that each type of credit card has its own protocol specifications. A multi-purpose reader is required in order to facilitate a range of cards. Outside of ease of payment, contactless card payments have both pros and cons in terms of security. The main advantage of course is that there is no PIN involved, so this can't be stolen by someone looking over your shoulder as you're entering it. The main disadvantage, which has been widely reported, is that data from contactless cards is designed to be transmitted and can actually be read by smartphones with NFC capabilities. Open source software can then be used to build a custom NFC app to make use of the stolen data. This "electronic pickpocketing" can be easily achieved without the victim's knowledge, merely by brushing up against the cardholder in a public space while using an appropriate device. Cardholders can protect themselves against this by shielding their card in a special plastic wallet, but this arguably counteracts the "quick and easy to use" factor that is the contactless card's main selling point.

Mixed responses from banks

Obviously the banking sector is at the highest risk of payment fraud after retail, and should be in a position to develop effective methods of protection. After almost £480m was stolen via fraud from its banks in 2014, the UK has committed itself to developing more secure payment technology and cyber-security measures as a result.

British banks are already experimenting with high-tech security solutions for high-value transactions. These include wristbands that monitor a customer's heartbeat for signs of unusual stress, in a similar manner to a lie detector test. Fingerprint and iris scanners are also in use to confirm the identity of an individual in certain personal, face-to-face transactions.

Online bank fraud, however, is still a major problem in the UK and the US. It is claimed that while the technology exists to counter bank hacking, it is not being rolled out because of the prohibitive costs. Equally problematic is the fact that most banking directors and board members do not have the technological background to recognize the need for these high-level solutions. The revised European payment services directive (PSD2) calls for a minimum of two-factor authentication, such as a password and an associated phone number. But this bare minimum seems to be all that Europe's major banking institutions are prepared to undertake at present.

Winning systems

While to some degree the banks are adopting a reactionary, defensive stance, other perhaps unlikely sectors are leading the way in terms of payment protection. Casinos are obviously very tempting targets for thieves, and for this reason big online casinos like 888casino have been at the forefront of innovative security technology. Solutions developed for gaming houses have since been swiftly adopted by other businesses and institutions, including banking and the military. A primary example is Non-Obvious Relationship Awareness (NORA) software. This was developed for casinos in order to determine whether two players, or a player and a dealer, have any kind of past relationship or association that could suggest collusion to cheat the house.

NORA works by utilizing the player's card routinely carried by casino regulars. These function much like a store loyalty card but are also used for security purposes. When scanned, they provide a wealth of information supplied via reputation management technology, instantly giving access to all publicly available information on a guest. This can then be cross-referenced against other guests present, and even casino staff. Homeland Security swiftly adopted the technology for anti-terrorism purposes, and it is now used by assorted financial and business institutions. Other ways in which casinos have pioneered security technology include sophisticated digital surveillance devices with facial recognition software, and chips protected by RFID technology.

Health risks

The healthcare sector is also finding itself increasingly targeted by cyber-attacks. As a result, new technology is constantly being implemented in order to protect service users' confidential medical records, personal information and financial data. Stolen medical records can be used as the basis of further financial fraud as they give access to information that can be used for identity theft such as social security numbers and so on. As a result, identity and access management is the focus of the fastest growing branch of healthcare cyber security. Major companies like IBM and Lockheed Martin are among those specifically engaged in developing sophisticated healthcare cyber security options.

Encryption tools

Back in the retail sector, a combination of encryption and tokenization is being seen as the way forward in payment processing technology security. This approach is currently being deployed both in respect of physical credit cards and in cardless payment methods such as Apple's “Apple Pay” mobile wallet system. Mobile wallets are already a widely accepted form of payment in Japan and variations on this method are starting to catch on in the West. Android Pay is another example.

Although different systems vary in their approach, generally actual credit card data is replaced with a token number string so that no sensitive information is stored in the POS device. Information sent from the terminal to the payment service provider is securely encrypted using algorithms that transform plain text information into “ciphertext”. A similar algorithm is then required to decrypt it. The actual credit card information meanwhile may be stored in a separate secure element (SSE) within the customer's mobile device. This is never actually shared with the merchant or their devices, which reduces the risk of electronic theft.
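The tokenization step described above can be sketched as follows. This is an added example, not code from any payment system named in the article; the `TokenVault` class, the choice to keep the last four digits, and the rule that tokens must fail the Luhn check are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def luhn_ok(number: str) -> bool:
    """Luhn checksum used by real card numbers."""
    digits = [int(d) for d in reversed(number)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault run by the payment service provider, never on the POS."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # keys the lookup index
        self._by_index = {}                  # HMAC(card number) -> token
        self._by_token = {}                  # token -> card number (encrypted at rest in practice)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        index = hmac.new(self._key, pan.encode(), hashlib.sha256).digest()
        if index in self._by_index:          # same card always maps to the same token
            return self._by_index[index]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # last four kept for receipts
            # Assumption: tokens must fail Luhn so they cannot pass as real cards.
            if not luhn_ok(token) and token not in self._by_token:
                break
        self._by_index[index] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the provider side can map a token back to the card number."""
        return self._by_token[token]
```

The merchant's POS record would hold only the value returned by `tokenize`, so a compromise of the terminal exposes no usable card number.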

Protecting data

This is important because the most vulnerable points in a card-based transaction for merchants are pre- and post-authorization. This is when data is stored, however briefly, in the merchant environment, with varying levels of vulnerability that need to be assessed and addressed. One system being developed for this purpose is the aforementioned separate secure element for credit card information, which effectively bypasses the point of sale software altogether. Another option in development is the use of cloud-based POS systems. These are particularly suitable for online commerce as they can be securely and seamlessly integrated with most ecommerce sites and provide secure data transmission and storage. However, payment systems at ground level, such as cellphones and laptops, still remain a weak spot as the card data is still processed through them, albeit briefly. This is the point at which sophisticated e-fraudsters are most likely to strike.

Fraud screening

Card-not-present transactions, conducted via mail order, telephone or, increasingly, online, are obviously on the rise in our modern digital era. These present a particular security risk, as they are the most common way for stolen cards to be utilized. One system developed to ensure these are genuine is fraud screening. Fraud screening tools use a number of different validation tests, with several hundred options present on some decision engines. These include pattern recognition software and rule generation. Velocity checking is used to screen multiple payments or transaction attempts from one IP address, while suspicious IP addresses, regions and even countries can be flagged up or blocked. Card numbers can also be immediately checked against global positive and negative databases to check transaction history and whether they are genuine or not. Different systems use different variations on high, low or medium risk, but generally the final decision on whether to accept a transaction remains with the merchant, based on the advice given by the screening tool.
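A minimal decision engine combining the checks named above (velocity per IP address, blocked countries, positive and negative card databases, and a high/medium/low result) might look like this. It is an added example, not code from any screening product; the thresholds, list entries, rule ordering and sample transactions are all constructed.

```python
from collections import defaultdict, deque

# Thresholds and list entries are constructed for illustration only.
WINDOW_SECONDS = 600          # velocity window per IP address
MAX_ATTEMPTS_PER_IP = 3
BLOCKED_COUNTRIES = {"ZZ"}    # placeholder country code
NEGATIVE_CARDS = {"tok_stolen_01"}
POSITIVE_CARDS = {"tok_regular_07"}

class FraudScreen:
    def __init__(self):
        self._attempts = defaultdict(deque)  # ip -> attempt times in window

    def _velocity(self, ip, now):
        """Record this attempt and return the attempt count inside the window."""
        times = self._attempts[ip]
        while times and now - times[0] > WINDOW_SECONDS:
            times.popleft()
        times.append(now)
        return len(times)

    def screen(self, ts, ip, card, country):
        """Return (risk, reasons); accepting or declining is left to the merchant."""
        count = self._velocity(ip, ts)  # counted even when a list check fires
        reasons = []
        if card in NEGATIVE_CARDS:
            reasons.append("card on negative database")
        if country in BLOCKED_COUNTRIES:
            reasons.append("blocked country")
        if reasons:
            return "high", reasons
        if count > MAX_ATTEMPTS_PER_IP:
            reasons.append(f"{count} attempts from {ip} within {WINDOW_SECONDS}s")
            # A card with good history softens, but does not clear, the flag.
            return ("medium" if card in POSITIVE_CARDS else "high"), reasons
        return "low", reasons

# Constructed sample: (seconds, source IP, card token, country)
SAMPLE = [
    (0, "203.0.113.10", "tok_a", "US"), (60, "203.0.113.10", "tok_b", "US"),
    (120, "203.0.113.10", "tok_c", "US"), (180, "203.0.113.10", "tok_d", "US"),
    (200, "203.0.113.10", "tok_regular_07", "US"),
    (210, "203.0.113.20", "tok_stolen_01", "US"),
    (220, "203.0.113.30", "tok_e", "ZZ"), (1000, "203.0.113.10", "tok_f", "US"),
]

def run_sample():
    engine = FraudScreen()
    return [engine.screen(*txn)[0] for txn in SAMPLE]
```

In the sample, the fourth attempt from one address trips the velocity rule, and the same address returns to low risk once its earlier attempts age out of the window.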

A secure future

There's no doubt that data protection and payment security are going to be increasingly pressing issues over the next few years. Our finances stand revealed as so much information that can be hacked, stolen, copied and cloned by ingenious cyber-criminals. With the growing number of online transactions and cards largely replacing cash in the real world, the public needs to know that their money is secure if they are going to be able to take full advantage of our technologically enabled world. Similarly, our relationship with stores, service providers and institutions now involves large amounts of personal information being harvested and stored, from our shopping habits to our health records. We need to feel confident that this too is secure and confidential.

The future will see seemingly unrelated sectors working together to meet their common goals, developing more sophisticated methods of encryption, storage and transmission in order to avoid critical information theft. Ironically, it is precisely by sharing information that these sectors will ensure that all of our sensitive information is protected from those who would misuse it.

The Author

Luigi Lugmayr is the founding chief editor of I4U News and brings over 15 years of experience in the technology field to the ever-evolving and exciting world of gadgets. He started I4U News back in 2000 and evolved it into a vibrant technology magazine.
Luigi can be contacted directly at ml@i4u.com.