Note: This article of mine was originally published in Business Recorder on March 12, 2015.
Banks, telcos and other financial institutions in Pakistan and globally are innovating and launching new electronic payment services at a promising pace. Fraudsters, on the other hand, are coming up with inventive tactics at an equally steady pace to compromise these digital payments. Be it the J.P. Morgan hack that leaked information on close to 80 million accounts, or Target's security breach in the United States that led to the theft of at least 40 million credit cards' information, for the past two years the payments industry worldwide has been witnessing some of the biggest third-party frauds in history. The absence of similar statistics on security breaches from within Pakistan does not indicate that the local industry has managed to secure itself; rather, it indicates a lack of reporting on this front, as well as the need for heightened security scrutiny.
The recent Carbanak attack, which targeted ATMs worldwide including in Pakistan and resulted in losses of millions of dollars, should be enough to raise the alarm that Pakistan is on the target list of international gangs. Compliance with international security standards hence becomes a necessity to avoid financial and reputational risks, by enabling customers to carry out safe and secure payments.
While there is no single standard that could act as a silver bullet, the following are some of the security practices that are essential to a multi-layered security strategy for thwarting attacks:
PCI-DSS Compliance

PCI-DSS, the Payment Card Industry Data Security Standard, is a widely used standard that applies to the different entities involved in the processing of card-based and cash-based transactions. It requires the networks involved in the exchange and processing of transaction information to be secured using firewalls and other network-level security measures. Similarly, all servers, systems and applications involved in the processing of financial transactions need to be hardened, with all necessary anti-malware installed. At the network and OS level, the latest security patches should be installed regularly. Stringent access control parameters also need to be in place to stop any unauthorised access to systems and/or applications.
All the software applications and solutions used in payment processing play a critical role in enabling financial institutions to achieve PCI DSS compliance, as the standard lays out specific rules for the management of card, customer and transactional data. Any cardholder information, such as Track 2 or PIN data, is to be transmitted in encrypted form. Similarly, transactional data is not to be revealed in full to every application user; a data masking technique is to be used instead. PCI DSS also provides several other rules with respect to password policy and overall information security.
In order to encourage the development of applications that comply with these standards, the PCI Security Standards Council has also introduced a set of best practices for software application providers and vendors under the banner of PA-DSS compliance. For instance, TPS's flagship product, IRIS Enterprise Switch, happens to be the only Pakistani fintech product that has officially been awarded a PA-DSS Compliance Certificate by the PCI Council.
EMV Compliance

The Pakistani card market is hugely dominated by magstripe-based cards, whereas the increasing skimming and counterfeit-based frauds highlight the need to switch to EMV-compliant chip-and-PIN cards. While some local banks and financial institutions have started launching EMV-based cards, the existing card base still needs to be migrated to EMV-compliant cards. For this, issuer banks need card personalisation systems capable of producing chip-based cards according to EMVCo standards. Additionally, the acquiring terminals, be they ATMs or point-of-sale machines, also need to be EMV compliant. This would let local customers benefit from the cryptographic card authentication mechanisms.
Encryption and Tokenization

Encryption enables merchants, acquirers and issuer banks to encrypt either the tunnel carrying cardholder/customer data or the data itself as it is transmitted. Encryption could be E2EE (End-to-End Encryption) or P2PE (Point-to-Point Encryption).
To further secure data, tokenization is now being used to replace cardholder data with randomly generated, irreversible tokens once a transaction is authorised, so that backend processing works with these tokens rather than with the sensitive data itself. In addition to these security techniques, card-less transactions using biometric signatures and other technologies such as NFC also appear to bring in secure payment mechanisms; however, it all largely depends on how long it takes for vulnerabilities in these systems to be exposed too. For any organisation, the key to preventing and mitigating fraud is to continuously invest in implementing the latest security measures, to create awareness among all stakeholders (merchants, customers and employees) about taking appropriate actions for secure transactions, and to comply with global security standards.
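An added illustration, not code from the original article or from TPS, of the two application-level controls described above: PCI DSS style display masking of the card number (PCI DSS allows at most the first six and last four digits to be shown), and vault-style tokenization in which the token is random, keeps only the last four digits, fails the Luhn check so it can never be mistaken for a live card number, and cannot be reversed without the vault. The sample card number is the publicly known Visa test number, not a real account.

```python
import re
import secrets

# Constructed sample: the well-known Visa test PAN, not a real account.
SAMPLE_PAN = "4111111111111111"
PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Luhn check, so the vault refuses malformed PANs instead of tokenizing them."""
    digits = [int(d) for d in pan]
    parity = len(digits) % 2          # which positions get doubled, counting from the right
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking per PCI DSS: at most first six and last four digits visible."""
    if not PAN_RE.fullmatch(pan):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps PANs to random tokens. The token reveals nothing about the PAN beyond
    the last four digits and is only reversible through the vault's own mapping."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not PAN_RE.fullmatch(pan) or not luhn_valid(pan):
            raise ValueError("invalid PAN")
        if pan in self._pan_to_token:       # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:
            # Random digits of the same length, last four preserved for receipts;
            # retry until the token is unique and deliberately fails Luhn.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (kept inside the PCI scope) can recover the PAN."""
        return self._token_to_pan[token]
```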
TPS Pakistan

TPS was established in 1996 to provide bespoke payment systems and top-notch customer service to banks. Focused since its inception on bringing efficiency and convenience to banking and payments through the use of the right technology, TPS offers a combination of technical and business expertise in the areas of card management, multi-channel issuing and acquiring, payment processing, alternate delivery channel management, bill payment, remittances, payment gateways, and internet and mobile banking.
Today TPS serves over 120 customers across 32 countries in MEA, Europe and Asia, in multiple industry verticals such as banks, telecoms, payment processors, central banks, exchange houses, issuers, acquirers and other financial institutions. Our prestigious clients for enterprise payment solutions in the region include Central Bank of UAE, 1LINK (Pakistan), Network Int'l (UAE), EasyPaisa (Pakistan) and Omnibus (Bangladesh). Fariha Akhtar is currently serving as a technical solutions specialist at TPS. She is a technologist with a strong passion for the payments domain and has been associated with TPS for over 7 years.