A] Use of Payment Gateways
Online businesses have become a major part of the business world today and provide an easy way to buy and sell goods and services. The general model for an online payment transaction usually includes five parties: the client, the client’s financial institution, the merchant, the merchant’s financial institution, and the payment gateway. A payment gateway is a technology used by merchants to accept credit or debit card purchases from customers. The term includes the payment processing portals found in online stores and e-commerce sites such as Amazon, Myntra and Flipkart.
B] How Payment Gateways work
A payment gateway is an intermediary between the merchant’s website, the client’s financial institution and the merchant’s financial institution. A transaction passes through the gateway as follows:
❖ First, the customer selects items from the merchant’s website and adds them to the shopping cart.
❖ Then the customer provides their credit card information to the merchant.
❖ The merchant sends this information to the payment gateway for authorization.
❖ The payment gateway checks the validity of the customer’s information by passing the data to the acquiring bank, which forwards it to the issuing bank.
❖ After accepting or rejecting the transaction, the bank sends a response to the gateway, and the gateway relays that response to the merchant.
❖ The merchant then responds to the customer, delivers the purchased items and requests payment from the payment gateway.
❖ Finally, the payment gateway verifies the merchant and deposits the money in the merchant’s account.
Security is the utmost concern for customers, who would have no confidence in online payment if payment gateways did not ensure security and authenticity. Different techniques and protocols are used to enhance the security of payment gateways; each security measure is described in detail below.
C] Security Measures Used
1] Data Encryption
The main method payment gateways use to safeguard payments is data encryption. Once customers enter their debit or credit card details, the details are encrypted with a public key and can only be decrypted with the payment gateway’s private key. This greatly reduces the possibility of unauthorized parties accessing customer data during transmission from the gateway to the acquiring bank.
There are multiple ways that data encryption can be applied:
Symmetric encryption (single key)
- In symmetric encryption, the key is a shared secret that is used both to encrypt and to decrypt the data.
- In a payment processing environment, the symmetric key that encrypts sensitive cardholder data is also the key that decrypts it. A merchant should not have too much data encrypted under a single symmetric key, because if that key is compromised, all of the data is compromised. Hence, multiple security mechanisms need to be built into the encryption lifecycle in order to protect the key.
Asymmetric encryption (public key/private key)
- Asymmetric encryption uses two separate keys: only the public key encrypts the data, and only the private key decrypts it.
- In a payment environment, the public key can be distributed to a merchant or to the POS (Point of Sale) device, which can store the key in hardware or software. Even if that key is extracted by someone who should not have it, all that person can do is encrypt data with the key; they cannot decrypt anything.
- On the other hand, the corresponding private key, which is used for decryption, must be handled very securely.
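The two ideas above are usually combined in practice: the POS or checkout page encrypts the card data under a fresh symmetric key for that one transaction, and wraps that key with the gateway's public key, so the device holds nothing that can decrypt. The following Go program is an added example written for this page, not code from any gateway or from the original article; the envelope layout, the field names and the sample card string are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the POS or checkout page sends onward: the card data sealed
// under a one-transaction AES-256-GCM key, and that key wrapped with the
// gateway's RSA public key (RSA-OAEP). Layout is an assumption of this example.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte // card data plus GCM authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealCardData runs on the merchant/POS side, which holds only the public key.
// Anyone who extracts that key from the device can encrypt, but not decrypt.
func SealCardData(gatewayPub *rsa.PublicKey, cardData []byte) (*Envelope, error) {
	// A fresh symmetric key per transaction keeps the data under any one key
	// small: losing one key exposes one record, not the whole history.
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	aead, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, gatewayPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, cardData, nil),
	}, nil
}

// OpenCardData runs at the gateway, the only holder of the private key.
func OpenCardData(gatewayPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, gatewayPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	// Open fails on any change to nonce or ciphertext (GCM tag check).
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RoundTrip seals and opens one record, then flips a ciphertext byte and
// reports whether the gateway detected the tampering.
func RoundTrip(cardData []byte) (recovered []byte, tamperDetected bool, err error) {
	gatewayKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	env, err := SealCardData(&gatewayKey.PublicKey, cardData)
	if err != nil {
		return nil, false, err
	}
	recovered, err = OpenCardData(gatewayKey, env)
	if err != nil {
		return nil, false, err
	}
	env.Ciphertext[0] ^= 0x01
	_, tamperErr := OpenCardData(gatewayKey, env)
	return recovered, tamperErr != nil, nil
}

func main() {
	// Constructed sample; 4111111111111111 is a well-known test card number.
	plain, tampered, err := RoundTrip([]byte("PAN=4111111111111111;EXP=12/29"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("gateway recovered %q, tampering detected: %v\n", plain, tampered)
}
```

The RSA key pair is generated inside RoundTrip only so the example runs on its own; in a real deployment the private key stays in the gateway's HSM or key store and only the public half is ever provisioned to devices.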
2] Secure Socket Layer (SSL)
SSL is used by payment gateways to protect sensitive customer information. This standard security protocol establishes an encrypted channel that allows private data to be transferred safely over public networks, such as between a web server and a browser. Most payment gateways use this protocol to make the transfer of data between the different parties more secure.
The SSL protocol consists of these sub-protocols:
- SSL record protocol
- Handshake protocol
- Change-cipher spec protocol
- Alert protocol
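The handshake protocol is where the client decides whether the server really is the gateway it wants to talk to: it checks the certificate chain against a trusted root and checks that the certificate names the expected host. The Go program below is an added example for this page, not code from the article or from any payment product; it uses Go's crypto/tls, which implements TLS, the current version of the protocol the text calls SSL. The host name "gateway.example", the self-signed certificate and the loopback port are constructed for the demo. It runs four handshakes: a correctly configured client, a client with no trust anchor, a client expecting a different host name, and a client with certificate checking switched off, which is the weak setting to watch for in gateway integrations.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a throwaway certificate for host and a pool trusting it.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Handshake runs one TLS handshake over loopback TCP and returns the client's view.
func Handshake(serverCert tls.Certificate, clientCfg *tls.Config) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS12}
	srvDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			conn.SetDeadline(time.Now().Add(5 * time.Second))
			err = tls.Server(conn, srvCfg).Handshake()
		}
		srvDone <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return tls.ConnectionState{}, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, clientCfg)
	err = cli.Handshake()
	<-srvDone // let the server finish (or see the client's alert) before closing
	if err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}

// Demo runs four client configurations against a constructed "gateway.example" server.
func Demo() (version uint16, untrustedRejected, wrongHostRejected, skipVerifyAccepts bool, err error) {
	cert, pool, err := selfSignedCert("gateway.example")
	if err != nil {
		return
	}
	// Correct client: trusts the issuing CA and checks the expected host name.
	state, err := Handshake(cert, &tls.Config{RootCAs: pool, ServerName: "gateway.example"})
	if err != nil {
		return
	}
	_, e1 := Handshake(cert, &tls.Config{ServerName: "gateway.example"})              // no trust anchor
	_, e2 := Handshake(cert, &tls.Config{RootCAs: pool, ServerName: "other.example"}) // wrong name
	_, e3 := Handshake(cert, &tls.Config{ServerName: "other.example", InsecureSkipVerify: true})
	return state.Version, e1 != nil, e2 != nil, e3 == nil, nil
}

func main() {
	v, untrusted, wrongHost, skip, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("version 0x%x; untrusted rejected %v; wrong host rejected %v; InsecureSkipVerify accepts wrong host %v\n", v, untrusted, wrongHost, skip)
}
```

The last case is the one to look for in code review: a client that sets InsecureSkipVerify (or its equivalent in another library) still gets an encrypted channel, but to whoever answers the connection, which removes the authentication the handshake exists to provide.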
3] Secure Electronic Transaction (SET)
This protocol secures the transmission of a customer’s card details during an online transaction. It also prevents merchants from accessing sensitive information, because the debit or credit card details are hidden from them.
SET is not a system for making payments; it is a security protocol applied to those payments.
SET functionalities:
Provide Authentication
- Merchant Authentication: to prevent theft, SET allows customers to check that a merchant has an existing relationship with a financial institution. Standard X.509v3 certificates are used for this verification.
- Customer / Cardholder Authentication: SET checks whether the credit card is being used by an authorized user, again using X.509v3 certificates.
Provide Message Confidentiality: confidentiality means preventing unintended parties from reading the message being transferred. SET implements confidentiality using encryption; traditionally DES is used for this purpose.
Provide Message Integrity: SET prevents undetected message modification by using signatures. Messages are protected against unauthorized modification using RSA digital signatures with SHA-1.
How SET works:
The consumer (cardholder) obtains a digital certificate from the issuer. The issuer (for example Mastercard) can act as a certificate authority (CA), or an approved certificate authority is used for this purpose, in which case the CA verifies the issuer before certifying the customer. The consumer’s digital certificate contains the consumer’s public key, the issuer’s public key and the credit details. A software application called a digital wallet is installed on the client; digital wallets store the consumer’s digital certificates in encrypted form.
The merchant obtains a digital certificate from their bank (the acquirer), which acts as a CA, or from another CA approved by the acquirer. There is also another entity, the payment gateway, which is recognised by the financial institutions to process online payment transactions. The merchant’s certificate includes the payment gateway’s public key and the merchant’s public key.
The consumer places an order with the merchant online, and the consumer’s browser verifies the authenticity of the merchant through the merchant’s certificate, which is sent to the client.
The client’s digital wallet sends the order to the merchant. Transferring the consumer’s certificate to the merchant assures the merchant that the account number is valid and approved by the issuer. This so-called order is in two parts.
One part is the information about the order (the products, services, delivery address, etc.). This information is encrypted with the merchant’s public key.
The other part is the payment information, which is encrypted with the public key of the payment gateway.
With this strategy, the merchant can only access the order information and the financial institutions can only access the payment details. Integrity and non-repudiation are ensured by creating two digital signatures, one for the merchant (by encrypting the message digest of the order information) and the other for the issuer (by encrypting the message digest of the payment information). This concept is known as a dual signature.
The merchant forwards the order to the payment gateway in order to request authorization for the payment. Authorization is obtained from the issuer and forwarded to the merchant.
The merchant processes the order and then requests capture through the payment gateway.
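The dual signature is the part of SET worth seeing in code: the cardholder signs one value built from the digests of both halves, so the merchant can verify it while holding only the order information plus a digest of the payment information, and the gateway can verify it while holding only the payment information plus a digest of the order. The Go program below is an added example for this page, not SET reference code or code from the article. It uses RSA PKCS#1 v1.5 signatures as the text describes, but substitutes SHA-256 for the SHA-1 the text names, because SHA-1 is no longer acceptable for signatures; the JSON-like order and payment strings and the test card numbers are constructed sample data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// digest uses SHA-256 here; the SET described in the text uses SHA-1.
func digest(b []byte) []byte {
	h := sha256.Sum256(b)
	return h[:]
}

// paymentOrderDigest is H( H(OI) || H(PI) ), the value the cardholder signs.
func paymentOrderDigest(oiDigest, piDigest []byte) []byte {
	joined := make([]byte, 0, len(oiDigest)+len(piDigest))
	joined = append(joined, oiDigest...)
	joined = append(joined, piDigest...)
	return digest(joined)
}

// DualSign runs in the cardholder's wallet over order info (OI) and payment info (PI).
func DualSign(cardholder *rsa.PrivateKey, oi, pi []byte) ([]byte, error) {
	pomd := paymentOrderDigest(digest(oi), digest(pi))
	return rsa.SignPKCS1v15(rand.Reader, cardholder, crypto.SHA256, pomd)
}

// MerchantVerify: the merchant sees OI in the clear but only the digest of PI.
func MerchantVerify(cardholder *rsa.PublicKey, oi, piDigest, ds []byte) bool {
	pomd := paymentOrderDigest(digest(oi), piDigest)
	return rsa.VerifyPKCS1v15(cardholder, crypto.SHA256, pomd, ds) == nil
}

// GatewayVerify: the gateway sees PI in the clear but only the digest of OI.
func GatewayVerify(cardholder *rsa.PublicKey, oiDigest, pi, ds []byte) bool {
	pomd := paymentOrderDigest(oiDigest, digest(pi))
	return rsa.VerifyPKCS1v15(cardholder, crypto.SHA256, pomd, ds) == nil
}

// DemoResult records what each party concludes from one dual signature.
type DemoResult struct {
	MerchantOK, GatewayOK bool
	AlteredOrderOK        bool // the order was changed after signing
	SwappedPaymentOK      bool // a PI from another order was paired with this DS
}

// Demo wires the three parties together with constructed sample messages.
func Demo() (DemoResult, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	oi := []byte(`{"order":"A-1001","item":"headphones","amount":"49.99"}`)    // constructed
	pi := []byte(`{"pan":"4111111111111111","exp":"12/29","amount":"49.99"}`) // constructed
	ds, err := DualSign(key, oi, pi)
	if err != nil {
		return DemoResult{}, err
	}
	r := DemoResult{
		MerchantOK: MerchantVerify(&key.PublicKey, oi, digest(pi), ds),
		GatewayOK:  GatewayVerify(&key.PublicKey, digest(oi), pi, ds),
	}
	alteredOI := []byte(`{"order":"A-1001","item":"headphones","amount":"4999.99"}`)
	r.AlteredOrderOK = MerchantVerify(&key.PublicKey, alteredOI, digest(pi), ds)
	otherPI := []byte(`{"pan":"5555555555554444","exp":"01/30","amount":"49.99"}`)
	r.SwappedPaymentOK = GatewayVerify(&key.PublicKey, digest(oi), otherPI, ds)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant verifies: %v, gateway verifies: %v\n", r.MerchantOK, r.GatewayOK)
	fmt.Printf("altered order accepted: %v, swapped payment accepted: %v\n", r.AlteredOrderOK, r.SwappedPaymentOK)
}
```

Because each verifier receives the digest of the half it must not read, neither the merchant nor the gateway learns the other half, yet either party can prove the two halves were signed together: changing the order amount, or pairing the signature with a different payment instruction, fails verification.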
4] Tokenization
Tokenization substitutes a card number with a randomly generated string of characters. This one-time code, called a “token”, cannot be traced back to the cardholder, and the token values are meaningless without a decryption key.
In the event of a data breach, attackers cannot decode the tokens, which reduces the risk of payment fraud using stolen data. Because sensitive card data is not stored on merchant networks, this also protects merchants.
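A token vault makes the point concrete: the merchant's database keeps only a random token and the last four digits, while the mapping back to the card number lives at the provider, encrypted under a key the merchant never sees. The Go program below is an added example written for this page, not the article's code or any tokenization product; the token format ("tok_" plus 32 hex characters), the AES-GCM storage format, the in-memory map and the test card number are all constructed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault is the token service at the payment provider. The merchant never holds
// the vault key and cannot call Detokenize; only the provider does, at charge time.
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || AES-GCM(PAN)
}

func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, store: make(map[string][]byte)}, nil
}

// Tokenize stores the PAN encrypted and returns a random token, which carries
// no information about the PAN, plus the last four digits for receipts.
func (v *Vault) Tokenize(pan string) (string, string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", "", errors.New("PAN length out of range")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", "", err
	}
	token := "tok_" + hex.EncodeToString(raw)
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", "", err
	}
	// The token is authenticated as additional data, so a record copied under another token will not decrypt.
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.store[token] = append(append([]byte{}, nonce...), ct...)
	return token, pan[len(pan)-4:], nil
}

// Detokenize maps a token back to the PAN; unknown or corrupted records fail.
func (v *Vault) Detokenize(token string) (string, error) {
	rec, ok := v.store[token]
	ns := v.aead.NonceSize()
	if !ok || len(rec) < ns {
		return "", errors.New("unknown token")
	}
	pan, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

// Demo tokenizes one PAN and reports what the merchant and the provider each end up with.
func Demo(pan string) (token, last4, recovered string, panInToken, unknownRejected bool, err error) {
	v, err := NewVault()
	if err != nil {
		return
	}
	if token, last4, err = v.Tokenize(pan); err != nil {
		return
	}
	if recovered, err = v.Detokenize(token); err != nil {
		return
	}
	panInToken = strings.Contains(token, pan)
	_, e := v.Detokenize("tok_00000000000000000000000000000000") // never issued
	unknownRejected = e != nil
	return
}

func main() {
	// Constructed sample; 4111111111111111 is a well-known test card number.
	token, last4, recovered, leak, rejected, err := Demo("4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant keeps %s / ****%s; provider recovers %s; PAN in token: %v; unknown token rejected: %v\n", token, last4, recovered, leak, rejected)
}
```

A breach of the merchant's database yields only tokens and last-four digits, which is why tokenization shrinks the systems that handle full card numbers down to the vault itself. The vault here is single-threaded and in-memory for brevity; a real one adds locking, durable storage and strict access control on Detokenize.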
5] PCI DSS Compliance
Payment Card Industry Data Security Standard (PCI DSS) compliance helps financial institutions and merchants provide secure payment solutions. Some requirements under this standard include:
- Use validated payment software at the point of sale or in the website shopping cart.
- Do not store sensitive customer data on computers.
- Encrypt transmission of customer data across open public networks.
- Use a firewall on networks and PCs.
- Train employees in security measures such as protecting cardholder data.
Merchants who use a payment gateway do not need to worry about PCI compliance, as a secure payment gateway will offer PCI Level 1 security. The PCI DSS defines a “Level 1” merchant as one who processes at least 1 million, 2.5 million or 6 million transactions per year, depending on which card brands the merchant accepts. It is the highest and most stringent of the PCI DSS levels.
D] Common Payment Frauds and How to Prevent Them
As we all know, anything online comes with risks. It is common knowledge that any data or application posted online comes with vulnerabilities, and these vulnerabilities are constantly growing. Even after applying the security measures described above, merchants are at risk of payment fraud. Suspicious activities are hard to detect because, although they are similar, they are rarely identical. Here are some common types of payment fraud:
- Phishing: this usually happens through websites or emails demanding private information such as credit card or bank account details. When the source is unfamiliar, it indicates a possible attempt to steal information.
- Identity Theft: a cybercriminal steals your personal information and uses it under false pretences. Hackers hijack personal credentials over public Wi-Fi or get past outdated security firewalls.
- Pagejacking: hackers reroute traffic from the e-commerce website to another website, which may contain malicious material that they use to infiltrate network security systems.
- Advance fee and wire transfer scams: hackers target credit card owners and e-commerce store owners and promise them a credit card or money at a later date in return for a payment in advance.
- Merchant Identity Fraud: hackers set up a merchant account on behalf of a legitimate business. They vanish before the cardholders discover the fraudulent payments and reverse the transactions.
Users have to be very careful and alert in order to identify these frauds. They can be easily averted with certain precautions, which are simple day-to-day measures that anyone can apply to stay safe. These include:
- Stay up to date on the latest fraud trends
- Partner with a verified payment processor
- Encrypt transactions and emails that contain confidential information
- Regularly change login credentials and tokens
- Create a policy regarding access to confidential information
- Buy antivirus software and run regular security checks
- Make user login before any purchase mandatory