Payment Card System Overview

Date post: 20-Feb-2017
Upload: narudom-roongsiriwong-cissp
Card Payment System Overview, Narudom Roongsiriwong CISSP, Friday, June 24, 202
Page 1: Payment Card System Overview

Card Payment System Overview
Narudom Roongsiriwong CISSP

May 1, 2023

About Me

• Head of IT Security, Kiatnakin Bank PLC (KKP)
• Committee Member – Cloud Security Alliance (CSA)
• Consultant – OWASP Thailand Chapter
• Working Team for Adviser to the Finance Ministry's National e-Payment project
• E-mail: [email protected]

When the customer wants to make a payment by credit/debit card, the authorization flow starts.

Simplified Authorization Flow

1. The customer makes a payment, entering cardholder data into the merchant’s payment system (POS, e-commerce website).

2. The merchant sends card data to an acquirer/payment processor, who will route the data through the payments system for processing. For e-commerce, a payment gateway may redirect the website to the acquirer.

3. The acquirer/processor sends the data to the payment brand.

4. The payment brand forwards the data to the issuer. The issuer verifies and makes the approval. For e-commerce, a payment gateway may redirect the website to the issuer (e.g. Verified by VISA).

Simplified Authorization Flow for Card Payment

5. If the issuer agrees to fund the purchase, it generates an authorization number and routes it back to the card brand.

6. Payment brand forwards the authorization code back to the acquirer/processor.

7. The acquirer/processor sends the authorization code back to the merchant.

8. The merchant concludes the sale with the customer.

Electronic Data Capture (EDC)

A point-of-sale terminal for submitting and validating card transactions to a merchant account provider or some other card transaction processor.

EDC Use Case

ISO 8583 Financial Transaction Message Format

One of the most widely used formats

Card-originated transactions
• purchase, withdrawal, deposit, refund, reversal, balance inquiry, payments and inter-account transfers

System-to-system messages
• secure key exchanges, reconciliation of totals, network sign-on/sign-off and other administrative messages

Structured as follows

Header | Message type identifier | Primary bitmap | Secondary bitmap | Data elements

ISO 8583 Message Structure

Header
• Network specific, thus Visa and MasterCard use a different message header structure

Message Type Identifier (MTI)
• Classifies the high-level function of the message

One or more bitmaps indicating which data elements are present in the message

Data elements or fields

Bitmap: 4210001102C04804

Binary value: 0100001000010000000000000001000100000010110000000100100000000100

Defines presence of fields: 2, 7, 12, 28, 32, 39, 41, 42, 50, 53, 62
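
The bitmap decoding shown above, as an added example that is not part of the original slides: a Python parser that reads the primary bitmap, follows bit 1 to an optional secondary bitmap, and rejects truncated input, plus the inverse builder. The function names are hypothetical, the bitmap is assumed to arrive as raw bytes (some networks send it as ASCII hex), and tertiary bitmaps are out of scope.

```python
"""ISO 8583 bitmap parsing (added example; names are hypothetical)."""


def parse_bitmap(buf: bytes) -> tuple[list[int], int]:
    """Return (data element numbers present, bitmap bytes consumed).

    buf starts at the primary bitmap and may continue with data elements.
    Bit 1 of the primary bitmap signals that a secondary bitmap follows.
    """
    if len(buf) < 8:
        raise ValueError("truncated primary bitmap")
    size = 16 if buf[0] & 0x80 else 8
    if len(buf) < size:
        # Never read past the buffer on the word of an untrusted flag bit.
        raise ValueError("bit 1 set but secondary bitmap is truncated")
    fields = [
        i * 8 + bit + 1                 # fields are numbered from 1, MSB first
        for i, byte in enumerate(buf[:size])
        for bit in range(8)
        if byte & (0x80 >> bit)
    ]
    # Bit 1 is the secondary-bitmap indicator, not a data element to parse.
    return [f for f in fields if f != 1], size


def build_bitmap(fields: list[int]) -> bytes:
    """Build the bitmap for the given data elements (2..128)."""
    if any(f < 2 or f > 128 for f in fields):
        raise ValueError("data element numbers must be in 2..128")
    size = 16 if any(f > 64 for f in fields) else 8
    raw = bytearray(size)
    if size == 16:
        raw[0] |= 0x80                  # announce the secondary bitmap
    for f in fields:
        raw[(f - 1) // 8] |= 0x80 >> ((f - 1) % 8)
    return bytes(raw)


if __name__ == "__main__":
    # Bitmap value taken from the slide above.
    present, used = parse_bitmap(bytes.fromhex("4210001102C04804"))
    print(present, used)
    # Constructed sample: field 70 forces a secondary bitmap.
    print(build_bitmap([2, 70]).hex().upper())
```

The consumed-byte count tells the caller where the data elements begin, so a message that sets bit 1 but stops after eight bytes is rejected before any field is read.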

Magnetic Card vs EMV

Magnetic Stripe Card | Chip Card

Initial terminal-card interaction

Magnetic stripe card:
• Terminal gets static data from card

Chip card:
• Terminal identifies card type (chip, non-chip)
• Terminal and card agree on Application ID
• Card generates request cryptogram

Request includes

Data from magnetic stripe

Authorization processing must include EMV
• Validate request cryptogram
• Optionally generate response cryptogram
• Optionally generate a command for the card

Response may include new EMV data elements

Final terminal-card interaction

• Card validates response cryptogram if sent by issuer
• Card executes command if sent by issuer

Verification Options

Cardholder Verification

• No CVM
• Signature
• On-line PIN at ATM
• On-line PIN at POS
• Off-line PIN plaintext
• Off-line PIN enciphered

Verification Fallback

Card not Present

A remote purchase where the cardholder and the card are not present at the point-of-sale

A remote purchase CNP transaction can be for:
• Mail order
• Telephone order
• A sale made over the internet
• Recurring

Verification
• CVV2: verification by requesting the three-digit code
• AVS: verification of the cardholder’s billing address by the issuer
• Verified by VISA®

Card Management System

• Register – adding a smart card to the smart card management system
• Issue – issuing or personalizing the smart card for a smart card holder
• Initiate – activating the smart card for first use by the smart card holder
• Deactivate – putting the smart card on hold in the backend system
• Activate – reactivating the smart card from a deactivated state
• Lock – also called block; smart card holder access to the smart card is not possible
• Unlock – also called unblock; smart card holder access to the smart card is re-enabled
• Revoke – credentials on the smart card are made invalid
• Retire – the smart card is disconnected from the smart card holder
• Delete – the smart card is permanently removed from the system
• Unregister – the smart card is removed from the system (but could potentially be reused)
• Backup – back up smart card certificates and selected keys
• Restore – restore smart card certificates and selected keys

Simplified Settlement Flow

1. The merchant submits a settlement message from the EDC. For e-commerce, it would be done automatically.

2. Merchant’s bank sends clearing data to the payment brand.

3. The payment brand calculates the net settlement position and sends advisement to the merchant’s bank and cardholder’s bank, and a Transfer Fund Order to settlement banks.

4. Settlement bank facilitates exchange of funds to guarantee payment to merchant’s bank.

5. Cardholder’s bank sends payment to settlement bank.

6. Merchant’s bank pays merchant for card purchases.

7. Cardholder’s bank bills cardholder for purchases.

Thank You
