Card Payment System Overview
Narudom Roongsiriwong, CISSP
May 1, 2023
About Me
Head of IT Security, Kiatnakin Bank PLC (KKP)
Committee Member – Cloud Security Alliance (CSA)
Consultant – OWASP Thailand Chapter
Working Team for Adviser to the Finance Ministry's National e-Payment project
E-mail: [email protected]
When the customer wants to make a payment by credit/debit card, the authorization flow starts.
Simplified Authorization Flow
1. The customer makes a payment, entering cardholder data into the merchant's payment system (POS, e-commerce website).
2. The merchant sends the card data to an acquirer/payment processor, which routes it through the payment system for processing. For e-commerce, a payment gateway may redirect the website to the acquirer.
3. The acquirer/processor sends the data to the payment brand.
4. The payment brand forwards the data to the issuer. The issuer verifies the data and makes the approval decision. For e-commerce, a payment gateway may redirect the website to the issuer (e.g. Verified by VISA).
Simplified Authorization Flow for Card Payment
5. If the issuer agrees to fund the purchase, it generates an authorization number and routes it back to the card brand.
6. The payment brand forwards the authorization code back to the acquirer/processor.
7. The acquirer/processor sends the authorization code back to the merchant.
8. The merchant concludes the sale with the customer.
Electronic Data Capture (EDC)
A point-of-sale terminal for submitting and validating card transactions to a merchant account provider or another card transaction processor.
EDC Use Case
ISO 8583 Financial Transaction Message Format
One of the most widely used formats
Card-originated transactions: purchase, withdrawal, deposit, refund, reversal, balance inquiry, payments and inter-account transfers
System-to-system messages: secure key exchanges, reconciliation of totals, network sign-on/sign-off and other administrative messages
Structured as follows: Header, Message type identifier, Primary bitmap, Secondary bitmap, Data elements
ISO 8583 Message Structure
Header: network specific, thus Visa and MasterCard use different message header structures
Message Type Identifier (MTI): classifies the high-level function of the message
One or more bitmaps indicating which data elements are present in the message
Data elements or fields
Bitmap example: the binary value defines the presence of fields
Bitmap (hex): 4210001102C04804
Binary: 0100001000010000000000000001000100000010110000000100100000000100
Fields present: 2, 7, 12, 28, 32, 39, 41, 42, 50, 53, 62
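The bitmap decoding shown above and the authorization request/response exchange from the earlier slides, worked through in code. This is an added example, not code from the slides or from any payment network: the field table is a small constructed subset of ISO 8583 data elements, the field numbers follow the standard (2 = PAN, 4 = amount, 38 = authorization code, 39 = response code, 41/42 = terminal and merchant IDs, 70 = network management code), and the network-specific headers mentioned on the slide are omitted. The toy issuer function `issuer_authorize`, the test PAN and the authorization code are constructed.

```python
"""Added example (not from the slides): minimal ISO 8583 bitmap codec, message
packer/unpacker, and a toy issuer reply for the authorization flow (steps 4-5)."""

# Constructed subset of data-element definitions: number -> (kind, length).
# "fixed" fields are exactly `length` chars; "LLVAR"/"LLLVAR" carry a 2-/3-digit
# length prefix. Only ASCII fields are handled; binary fields are out of scope.
FIELDS = {
    2: ("LLVAR", 19),   # Primary Account Number (PAN)
    3: ("fixed", 6),    # Processing code
    4: ("fixed", 12),   # Transaction amount, minor units
    7: ("fixed", 10),   # Transmission date/time MMDDhhmmss
    11: ("fixed", 6),   # System trace audit number (STAN)
    38: ("fixed", 6),   # Authorization identification response
    39: ("fixed", 2),   # Response code ("00" = approved)
    41: ("fixed", 8),   # Card acceptor terminal ID
    42: ("fixed", 15),  # Card acceptor ID (merchant)
    49: ("fixed", 3),   # Transaction currency code
    70: ("fixed", 3),   # Network management information code (needs secondary bitmap)
}


def build_bitmap(fields):
    """Hex bitmap for the given field numbers. Bit 1 is set and a secondary bitmap
    appended automatically when any field number exceeds 64."""
    fields = set(fields)
    nbits = 128 if any(f > 64 for f in fields) else 64
    bits = ["0"] * nbits
    if nbits == 128:
        bits[0] = "1"                       # bit 1 = "secondary bitmap present"
    for f in fields:
        if f < 2 or f > nbits:
            raise ValueError(f"field {f} out of range for a {nbits}-bit bitmap")
        bits[f - 1] = "1"                   # field n lives at bit n (1-based)
    return f"{int(''.join(bits), 2):0{nbits // 4}X}"


def parse_bitmap(hexmap):
    """Return (sorted field numbers present, hex characters consumed).
    Field 1 only flags the secondary bitmap, so it is consumed but not reported."""
    if len(hexmap) < 16:
        raise ValueError("primary bitmap truncated")
    bits = f"{int(hexmap[:16], 16):064b}"
    consumed = 16
    if bits[0] == "1":
        if len(hexmap) < 32:
            raise ValueError("secondary bitmap truncated")
        bits += f"{int(hexmap[16:32], 16):064b}"
        consumed = 32
    return [i + 1 for i, b in enumerate(bits) if b == "1" and i != 0], consumed


def pack(mti, data):
    """Serialize MTI + bitmap + data elements in ascending field order."""
    body = []
    for f in sorted(data):
        kind, length = FIELDS[f]
        value = str(data[f])
        if kind == "fixed":
            if len(value) != length:
                raise ValueError(f"field {f} must be exactly {length} chars")
            body.append(value)
        else:
            prefix = 2 if kind == "LLVAR" else 3
            if len(value) > length:
                raise ValueError(f"field {f} exceeds {length} chars")
            body.append(f"{len(value):0{prefix}d}{value}")
    return mti + build_bitmap(data) + "".join(body)


def unpack(msg):
    """Parse a message produced by pack(); rejects undefined fields and trailing data."""
    mti = msg[:4]
    fields, used = parse_bitmap(msg[4:])
    pos = 4 + used
    data = {}
    for f in fields:
        if f not in FIELDS:
            raise ValueError(f"field {f} present in bitmap but not defined")
        kind, length = FIELDS[f]
        if kind != "fixed":
            prefix = 2 if kind == "LLVAR" else 3
            length = int(msg[pos:pos + prefix])
            pos += prefix
        if pos + length > len(msg):
            raise ValueError(f"field {f} truncated")
        data[f] = msg[pos:pos + length]
        pos += length
    if pos != len(msg):
        raise ValueError("unexpected trailing data")
    return mti, data


def issuer_authorize(request_msg, approve):
    """Toy issuer: answer a 0100 authorization request with a 0110 response that
    echoes the identifying fields and adds field 39 (and field 38 on approval)."""
    mti, req = unpack(request_msg)
    if mti != "0100":
        raise ValueError("not an authorization request")
    resp = {f: req[f] for f in (2, 3, 4, 7, 11, 41, 42, 49)}
    resp[39] = "00" if approve else "05"    # "05" = do not honour
    if approve:
        resp[38] = "123456"                 # constructed authorization code
    return pack("0110", resp)


# Constructed sample request: a widely used test PAN, not a real card.
SAMPLE_REQUEST = pack("0100", {
    2: "4111111111111111", 3: "000000", 4: "000000012345", 7: "0501120000",
    11: "000042", 41: "TERM0001", 42: "MERCHANT0000001", 49: "764",
})
```

Because the bitmap is the only thing telling a parser which fields follow, a parser that trusts it blindly will read past the end of a short message or silently accept trailing data; `unpack` treats both as errors, which is the behaviour a switch or HSM front end should have.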
Magnetic Card vs EMV
Initial terminal-card interaction
  Magnetic stripe card: terminal gets static data from the card
  Chip card:
  • Terminal identifies card type (chip, non-chip)
  • Terminal and card agree on Application ID
  • Card generates request cryptogram
Request includes
  Magnetic stripe card: data from the magnetic stripe
Authorization processing
  Chip card: must include EMV
  • Validate request cryptogram
  • Optionally generate response cryptogram
  • Optionally generate a command for the card
Response
  Chip card: may include new EMV data elements
Final terminal-card interaction
  Chip card:
  • Card validates response cryptogram if sent by issuer
  • Card executes command if sent by issuer
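The card/issuer cryptogram exchange above, as an added illustration that is not from the slides. It deliberately substitutes HMAC-SHA256 for EMV's real cryptogram algorithm (EMV derives per-card and per-session keys from an issuer master key and computes a block-cipher MAC over transaction data as defined in the EMV specifications); the data layout, the per-card key, the test PAN in the track data and the response codes are constructed. What it shows is the property the slide's comparison turns on: stripe data is static and identical on every read, whereas a chip request cryptogram changes with the Application Transaction Counter (ATC) and the terminal's unpredictable number, so the issuer can detect a replayed or altered request and the card can check the issuer's response.

```python
"""Added example (not from the slides): simplified EMV-style request/response
cryptograms contrasted with static magnetic stripe data."""

import hashlib
import hmac

# Constructed per-card key shared by card and issuer. A real issuer keeps a master key
# in an HSM and derives per-card keys from it; that derivation is omitted here.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Simplified magnetic stripe: static track data, identical on every read (constructed test PAN).
TRACK2 = b"4111111111111111=2512101"


def _bind(atc, amount, currency, unpredictable_number):
    """Transaction data the cryptogram is computed over (constructed layout)."""
    return f"{atc:05d}|{amount:012d}|{currency}|{unpredictable_number:08X}".encode()


def _mac(data, length):
    """Truncated HMAC-SHA256, standing in for EMV's block-cipher MAC."""
    return hmac.new(CARD_KEY, data, hashlib.sha256).digest()[:length]


def magstripe_request(amount):
    """A magstripe request carries only the static stripe data plus the amount."""
    return {"track2": TRACK2, "amount": amount}


def chip_request(atc, amount, currency, unpredictable_number):
    """Card side: ATC, amount, currency and the terminal's unpredictable number are
    bound into a request cryptogram (stand-in for an EMV ARQC)."""
    return {"atc": atc, "amount": amount, "currency": currency,
            "unpredictable_number": unpredictable_number,
            "cryptogram": _mac(_bind(atc, amount, currency, unpredictable_number), 8)}


class Issuer:
    """Issuer-side EMV authorization processing: validate the request cryptogram,
    reject ATC replays, and generate a response cryptogram (stand-in for an ARPC)."""

    def __init__(self):
        self.last_atc = 0    # highest ATC accepted so far for this card

    def validate(self, req):
        expected = _mac(_bind(req["atc"], req["amount"], req["currency"],
                              req["unpredictable_number"]), 8)
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False, "cryptogram mismatch"
        if req["atc"] <= self.last_atc:
            return False, "ATC not increasing (replay)"
        self.last_atc = req["atc"]
        return True, "ok"

    def authorize(self, req):
        ok, reason = self.validate(req)
        response_code = "00" if ok else "05"       # ISO 8583 field 39: approved / do not honour
        # The response cryptogram binds the decision to this exact request cryptogram.
        arpc = _mac(req["cryptogram"] + response_code.encode(), 4)
        return {"response_code": response_code, "reason": reason, "response_cryptogram": arpc}


def card_verify_response(req, resp):
    """Final terminal-card interaction: the card checks the issuer's response cryptogram."""
    expected = _mac(req["cryptogram"] + resp["response_code"].encode(), 4)
    return hmac.compare_digest(expected, resp["response_cryptogram"])
```

The ATC check is what turns a valid-looking cryptogram into a one-time value: a captured request that is resubmitted fails even though its MAC still verifies. Monitoring for cryptogram mismatches and ATC regressions per card is a useful issuer-side detection signal.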
Verification Options
Cardholder Verification
No CVM
Signature
On-line PIN at ATM
On-line PIN at POS
Off-line PIN, plaintext
Off-line PIN, enciphered
Verification Fallback
Card not Present
A remote purchase where the cardholder and the card are not present at the point of sale
A remote purchase (CNP) transaction can be for: mail order, telephone order, a sale made over the internet, recurring
Verification
CVV2: verification by requesting the three-digit code
AVS: the issuer verifies the cardholder's billing address
Verified by VISA®
Card Management System
Register – adding a smart card to the smart card management system
Issue – issuing or personalizing the smart card for a smart card holder
Initiate – activating the smart card for first use by the smart card holder
Deactivate – putting the smart card on hold in the backend system
Activate – reactivating the smart card from a deactivated state
Lock – also called block; smart card holder access to the smart card is not possible
Unlock – also called unblock; smart card holder access to the smart card is re-enabled
Revoke – credentials on the smart card are made invalid
Retire – the smart card is disconnected from the smart card holder
Delete – the smart card is permanently removed from the system
Unregister – the smart card is removed from the system (but could potentially be reused)
Backup – backup smart card certificates and selected keys
Restore – restore smart card certificates and selected keys
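The lifecycle operations above, modelled as a state machine that only permits each operation from the states in which it makes sense. This is an added example, not code from the slides or from any card management product: the state names, the transition table, the operator-only rule and the serial number are this example's own assumptions. The point it demonstrates is that a card management system should enforce the lifecycle rather than merely record it, so that, for instance, a revoked card can never be re-activated and only an active card grants the holder access.

```python
"""Added example (not from the slides): smart card lifecycle state machine."""

from enum import Enum


class State(Enum):
    REGISTERED = "registered"      # known to the CMS, no credentials yet
    ISSUED = "issued"              # personalized, not yet used
    ACTIVE = "active"              # usable by the holder
    DEACTIVATED = "deactivated"    # on hold in the backend
    LOCKED = "locked"              # blocked; holder access not possible
    REVOKED = "revoked"            # credentials invalid; cannot become active again
    RETIRED = "retired"            # disconnected from the holder
    DELETED = "deleted"            # permanently removed
    UNREGISTERED = "unregistered"  # removed, but the physical card could be reused


# operation -> (states it is allowed from, resulting state). Constructed table.
TRANSITIONS = {
    "issue":      ({State.REGISTERED}, State.ISSUED),
    "initiate":   ({State.ISSUED}, State.ACTIVE),
    "deactivate": ({State.ACTIVE, State.LOCKED}, State.DEACTIVATED),
    "activate":   ({State.DEACTIVATED}, State.ACTIVE),
    "lock":       ({State.ACTIVE}, State.LOCKED),
    "unlock":     ({State.LOCKED}, State.ACTIVE),
    "revoke":     ({State.ISSUED, State.ACTIVE, State.DEACTIVATED, State.LOCKED}, State.REVOKED),
    "retire":     ({State.REVOKED, State.DEACTIVATED}, State.RETIRED),
    "delete":     ({State.RETIRED, State.REVOKED}, State.DELETED),
    "unregister": ({State.RETIRED, State.REGISTERED}, State.UNREGISTERED),
}

OPERATOR_ROLE = "cms_operator"     # assumed role allowed to drive the lifecycle


class SmartCard:
    def __init__(self, serial, holder):
        self.serial = serial
        self.holder = holder
        self.state = State.REGISTERED          # "register" creates the record
        self.history = [("register", State.REGISTERED)]
        self.backup = None

    def can(self, operation):
        """True if `operation` is defined and allowed from the current state."""
        return operation in TRANSITIONS and self.state in TRANSITIONS[operation][0]

    def apply(self, operation, actor_role):
        """Apply a lifecycle operation, enforcing both the role and the transition table."""
        if operation not in TRANSITIONS:
            raise ValueError(f"unknown operation {operation!r}")
        if actor_role != OPERATOR_ROLE:        # least privilege: holders cannot self-unlock
            raise PermissionError(f"role {actor_role!r} may not {operation}")
        if not self.can(operation):
            raise ValueError(f"cannot {operation} a card in state {self.state.value}")
        self.state = TRANSITIONS[operation][1]
        if operation in ("retire", "delete", "unregister"):
            self.holder = None                 # card is disconnected from its holder
        self.history.append((operation, self.state))
        return self.state

    def usable(self):
        """Only an ACTIVE card grants the holder access."""
        return self.state == State.ACTIVE

    def backup_credentials(self, certificates):
        """Backup: keep a copy of the card's certificates/selected keys (constructed)."""
        self.backup = tuple(certificates)

    def restore_credentials(self):
        """Restore: return the backed-up certificates/keys, if any."""
        if self.backup is None:
            raise ValueError("no backup available")
        return list(self.backup)
```

Keeping the transition table as data makes the allowed lifecycle easy to review and to audit against the `history` list, which records every operation applied to the card.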
Simplified Settlement Flow
May 1, 202314
1. The merchant submits the settlement message from the EDC. For e-commerce, this is done automatically.
2. The merchant's bank sends clearing data to the payment brand.
3. The payment brand calculates the net settlement position and sends an advisement to the merchant's bank and the cardholder's bank, and a Transfer Fund Order to the settlement banks.
4. The settlement bank facilitates the exchange of funds to guarantee payment to the merchant's bank.
5. The cardholder's bank sends payment to the settlement bank.
6. The merchant's bank pays the merchant for card purchases.
7. The cardholder's bank bills the cardholder for the purchases.
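The net settlement calculation in step 3 and the resulting transfer orders in steps 4-5, as an added example that is not from the slides. The clearing records, bank names and amounts are constructed, and interchange fees are left out so that the mechanics of multilateral netting stay visible: every cleared amount is a credit to the merchant's bank and a debit to the cardholder's bank, the positions must sum to zero, and only the net amount per bank moves through the settlement bank.

```python
"""Added example (not from the slides): net settlement positions and transfer orders."""

from collections import defaultdict
from decimal import Decimal

# Constructed clearing records: (merchant's bank, cardholder's bank, amount).
# A reversal or refund is recorded as a negative amount on the original pair.
CLEARED = [
    ("MerchBankA", "IssuerX", Decimal("120.00")),
    ("MerchBankA", "IssuerY", Decimal("80.50")),
    ("MerchBankB", "IssuerX", Decimal("15.25")),
    ("MerchBankB", "IssuerX", Decimal("-15.25")),   # reversal of the previous record
    ("IssuerX", "MerchBankB", Decimal("40.00")),     # a bank can act in both roles
]


def net_positions(records):
    """Net position per bank: positive = owed money, negative = owes money."""
    positions = defaultdict(Decimal)
    for merchant_bank, cardholder_bank, amount in records:
        positions[merchant_bank] += amount       # merchant's bank is owed the purchase
        positions[cardholder_bank] -= amount     # cardholder's bank funds it
    return dict(positions)


def transfer_orders(positions):
    """Transfer Fund Orders for the settlement bank: debtors pay in, creditors are paid out.
    Refuses to produce orders if the book does not balance to zero."""
    pay_in = {bank: -amount for bank, amount in positions.items() if amount < 0}
    pay_out = {bank: amount for bank, amount in positions.items() if amount > 0}
    if sum(pay_in.values()) != sum(pay_out.values()):
        raise ValueError("settlement does not balance")
    return pay_in, pay_out


def settle(records):
    """Full step-3 calculation: positions plus the orders derived from them."""
    positions = net_positions(records)
    pay_in, pay_out = transfer_orders(positions)
    return positions, pay_in, pay_out
```

Using `Decimal` rather than floats matters here: settlement advisements are compared to the cent against each bank's own records, and a float accumulation that drifts by a fraction of a cent would fail the balance check or, worse, pass it with the wrong figures.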
Thank You