Consumers and organizations have a variety of options for making and receiving payments. While these payment types share the ultimate goal of transferring funds from payer to payee, the path those funds travel and the approaches employed for safely and securely completing transactions vary. The Secure Payments Task Force developed the Payment Lifecycles and Security Profiles as an educational resource and to provide perspectives related to:
- The lifecycles of the most common payment types, covering enrollment, transaction flow and reconciliation
- Security methods, identity management controls and sensitive data occurring at each step in the payment lifecycles
- Relevant laws and regulations, and other references, as well as challenges and improvement opportunities related to each payment type
The profiles employ a consistent format for describing the lifecycle of each payment type. The lifecycle template is not designed to represent the nuances of specific payment transaction flows, but as a broad taxonomy that can be applied across different payment types for understanding and comparing controls and risks. The profiles are not all-encompassing in describing the layered security strategies that may be employed by specific networks, providers or businesses and shouldn’t be considered an assessment of overall security of different payment types. The improvement opportunities noted in the profiles highlight areas for further industry exploration and are not intended as guidance or specific solutions to be implemented.
These valuable resources were developed through the collaborative efforts of more than 200 task force participants with diverse payments and security expertise and perspectives. It is the hope of the task force that by helping industry stakeholders better understand these payments processes, the security and risks associated with these processes, and potential improvement opportunities, they will be well positioned to take action to strengthen their payment security practices.
Note: These materials were created by the Secure Payments Task Force and are intended to be used as educational resources. The information provided in the Payment Lifecycles and Security Profiles does not necessarily reflect the views of any particular individual or organization participating in the Secure Payments Task Force. The document is not intended to provide business or legal advice and is not regulatory guidance. Readers should consult with their own business and legal advisors.
Feedback and/or questions related to the Payment Lifecycles and Security Profiles can be submitted by using the “provide feedback” form.
Card Present PIN Definition: A payment card (e.g. credit or debit) transaction whereby the cardholder presents the card and enters a personal identification number (PIN), a secret numeric password known only to the cardholder and a system, to authenticate the cardholder to the system, and/or biometric authentication which authenticates the cardholder to the device and would include attributes used by the issuer for risk evaluation. The cardholder is only granted access if the PIN provided matches the PIN in the system and/or biometric authentication of the device. PINs are used throughout the industry and include ATM, Point of Sale (POS), Mobile Wallets, and eCommerce transactions. A PIN may also be used to complete a debit card transaction where the magnetic stripe of the card is swiped at the point of sale or transactions, an EMV chip card transaction where the chip of the card is inserted at the point of sale and the PIN replaces the cardholder’s signature to authorize the transaction, or on eCommerce sites where a virtual PIN pad is enabled.Enrollment
Payer ID / Enrollment
Enrollment of a payer includes identity (ID) proofing, management of users (enrollment, de-enrollment and changes) and determination of authority based on role
Payment Type Operation
Credit
Individual or organization requests credit account with issuer. Issuer verifies customer information in accordance with their Know Your Customer (KYC) program.
PIN can be created by consumer or uniquely randomly generated by financial institution.
The PIN associated with the account may be communicated to the cardholder via direct outreach, email, or physical mail.
Debit
Individual or organization requests credit account with issuer. Issuer verifies customer information in accordance with their Know Your Customer (KYC) program.
PIN can be created by consumer or uniquely randomly generated by financial institution.
The PIN associated with the account may be communicated to the cardholder via direct outreach, email, or physical mail.
Overview of Security Methods and Associated Risks
Security Methods
Issuer verifies the individual during enrollment before issuing a card.
Know Your Customer (KYC), Customer Identification Program (CIP), background checks, etc.; ID verification of a ‘carbon-based life form’
Employee training
Issuers may utilize anomaly and fraud detection tools to help identify suspicious or fraudulent activity associated with a specific account or group of accounts.
Risks
Social engineering (e.g. call center or end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Account takeover
Synthetic Identity: Use of stolen identity information combined with fraudulent information to create a new ‘synthetic’ identity which is used to open fraudulent accounts and make fraudulent purchases. Strong enrollment processes may help mitigate synthetic identity risk throughout the transaction process.
Credential stuffing (e.g. automated injection of breached username/password pairs in order to fraudulently gain access to user accounts)
Knowledge-based questions can be compromised.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Sensitive data used to enroll or open an account:
Any data that is inputted by the user (e.g. email, usernames, passwords)
Name
Date of Birth Address
Social Security Number
Demand Deposit Account Number (DDA)
Signature
Risks Associated with the Sensitive Payment Data
If compromised, this data can be used to fraudulently set up an account at a financial institution and be used for other identity theft crimes.
Payee ID / Enrollment
Enrollment of a payer includes identity (ID) proofing, management of users (enrollment, de-enrollment and changes) and determination of authority based on role
Payment Type Operation
Credit
Acquirer approves merchant.
Merchant is registered in advance and identification data is attributed when registered by the acquirer.
Debit
Acquirer approves merchant.
Merchant is registered in advance and ID data attributed when registered by the acquirer.
Overview of Security Methods and Associated Risks
Security Methods
Acquirer (or the agent of the acquirer) verifies the individual(s) or organizations enrolling as a merchant before establishing a merchant ID (KYC, CIP, background checks, etc.).
Employee training
Risks
An individual could create a fake merchant or consumer account which could lead to a ‘bust-out’ situation.
Synthetic Identity: Use of stolen identity information combined with fraudulent information to create a new ‘synthetic’ identity which is used to open fraudulent accounts and make fraudulent purchases. Strong enrollment processes may help mitigate synthetic identity risk throughout the transaction process.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Sensitive data used to enroll or open a merchant account
Name
Date of Birth Address
Social Security Number
Demand Deposit Account Number (DDA)
Signature
Business Name
Tax ID
Risks Associated with the Sensitive Payment Data
If compromised, someone that is not a merchant could create a fake merchant account. This could also occur if the merchant account is not fully vetted/authenticated prior to setting up the merchant account.
Transaction*
Payer Authentication
Verification of payer when originating payments
Payment Type Operation
Credit
Cardholder and card verification methods include PIN and Primary Account Number (PAN) along with other items such as expiration date, Card Verification Values1, EMV Application Cryptogram.
Debit
Cardholder and card verification methods include PIN and Primary Account Number (PAN) along with other items such as expiration date, Card Verification Values1, EMV Application Cryptogram.
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
Initiation: Access Mode / Network
Environment in which the payment origination is requested
Payment Type Operation
Credit
Point of Sale (POS), ATM, mobile, internet, other omni channel solutions
Debit
Point of Sale (POS), ATM, mobile, internet, other omni channel solutions
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
Initiation: Device / Method Used to Initiate Payment
Type of interaction or device used to enter payment account information
Payment Type Operation
Credit
Secure cryptographic device (SCD) which meets physical and logical security standards. Examples include ATM, PIN Entry Device (PED) terminal, mobile
Debit
Secure cryptographic device (SCD) which meets physical and logical security standards. Examples include ATM, PIN Entry Device (PED) terminal, mobile
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
Initiation: Funding Account for Payment
Entry and/or identification of the funding account (with format checks)
Payment Type Operation
Credit
Credit account
Debit
Demand Deposit Account (“DDA”)
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
Initiation: Payment Initiation Mechanism
Payment network, system and/or third-party accessed
Payment Type Operation
Credit
Merchant, acquirer, association or network, processor, issuer
Debit
Merchant, acquirer, association or network, processor, issuer
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
Payer Authorization: Payment Network Traversed
“Rails” used to route authorization requests to the holder of the funding account
Payment Type Operation
Credit
Authorization occurs through payment networks (e.g. credit networks).
Debit
Authorization occurs through payment networks (e.g. debit networks).
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
Payer Authorization: Transaction Authorization
Determination of whether to approve or decline a transaction including authorization time-frame, obligations, and any recourse decisions
Payment Type Operation
Credit
Transactions are approved or declined by the issuer within payment network service level agreements (SLAs).
Debit
Transactions are approved or declined by the issuer within payment network service-level agreements (SLAs).
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
Format Exchange
Payment instructions, rules, and formatting
Payment Type Operation
Credit
Payment network or acquirer rules dictate format exchange rules.
Debit
Payment network or acquirer rules dictate format exchange rules.
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
Receipt: Acknowledgement / Guarantee
Notification and confirmation of payment completion including terms for use
Payment Type Operation
Credit
Transaction approval is confirmed at device used to initiate transaction.
Debit
Transaction approval is confirmed at device used to initiate transaction.
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
Payee Authentication
Mode of access to funds (or accounts)
Payment Type Operation
Credit
Acquirer authenticates merchant to accept files and get paid.
Debit
Acquirer authenticates merchant to accept files and get paid.
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Merchant ID
Terminal ID
Terminal address
Merchant category code (MCC)
Terminal country code
Transaction currency code
Transaction type
Terminal entry capability
Merchant name
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
If compromised, this data may be used to submit fraudulent payments into the payments system, especially for card testing purposes.
If compromised, someone that is not a merchant could spoof a legitimate merchant.
Clearing and Settlement: Settlement / Exchange of Funds
Actual movement of funds to settle funding arrangements and applicable fees
Payment Type Operation
Credit
Settlement occurs per payment network rules (e.g. credit networks).
Debit
Settlement occurs per payment network rules (e.g. debit networks).
Overview of Security Methods and Associated Risks
Security Methods
Chip, PIN, Hardware Security Module (HSM) all must be managed per X9 Standards and Payment Card Industry (PCI) PIN regulations.
Encryption PIN blocks are well defined and are mostly universally standard. Hardware encryption systems utilize Triple DES encryption algorithm. Typical key management method is Derived Unique Key Per Transaction (DUKPT).
Participants in the payment transaction (e.g. merchants, acquirers/processors, payment networks, and issuers) may utilize anomaly and fraud detection tools to help identify risks and mitigate fraudulent transactions. Anomaly and fraud detection tools may include transaction risk scoring, risk-based authentication, transaction history and real-time authorization/decline capabilities among others.
Validate the integrity of the payment message. Review message format for inconsistencies.
Employee training
Consumer and corporate customer education
Strong key management is also necessary using secure rooms and environments to store and load encryption keys into PIN Entry Devices (PEDs). Most POS systems transmit card data in the clear. Many organizations use data encryption solutions where the card data is encrypted from the point of sale to the acquirer.
Physically secure devices which meet international security standards
Tokenization may be used for card data storage and used for future returns or loyalty.
As payments and technology continue to change, risk-based authentication is a way to continually evaluate and apply optimal security methods.
Risks
PIN verification is a form of multi-factor authentication. Skimming of card data and PIN’s are a common form of attack. It is difficult for consumer to know if the merchant/ATM/POS is legitimate.
Account takeover
Social engineering (e.g. end user) which could include business email compromise, masquerading fraud, imposter fraud, etc.
Machine takeover (e.g., payee, financial institutions, network/operator, payer)
Transaction data may be altered or spoofed (e.g. counterfeit transactions, credit master attacks, brute force attacks, etc.).
First party/theft/lost or stolen transactions
Many organizations use data encryption solutions where the card data is encrypted from the point of swipe to the acquirer. Only the issuer can authenticate the PIN.
There are methods of duplicating EMV chip transactions where the encryption fails but some issuers were accepting them anyway.
Sole reliance on a point in time compliance statement (minimal, “check the box” compliance) does not equal security.
Some POS systems/applications transmit and/or store card data in the clear.
End-to-end encryption is not universally applied in POS systems/applications.
Inadequately-controlled enrollment often poses additional risk at the time of transaction.
The speed of payment processing and reconcilement may impact the ability to identify fraud in time to recover funds.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted
Cardholder Data:
Cardholder data must be protected wherever it is processed, stored or transmitted.
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Service Code
Signature
Sensitive Authentication Data:
Sensitive Authentication Data must be protected and must not be stored after authorization of the transaction.
Full Track Data (magnetic stripe data or equivalent on a chip)
Card Verification Values1
PINs/PIN Blocks
Encryption Keys
PIN Offsets
EMV Data Elements:
Full Track Data equivalent on the chip
Application Authentication Cryptogram (AAC)
Application Cryptogram
Application Identifier (AID)
Application Transaction Counter (ATC)
Authorization Controls (aka Offline Risk Parameters)
Authorization Request Cryptogram (ARQC)
Card Authentication Method (CAM)
Chip Card Security Code (iCVV, Chip CVC, iCSC)
Dynamic Card Security Code (DCID, DCVC, DCVC3, DCVV)
Issuing bank ABA (routing) number
Issuing bank settlement account number
Merchant bank ABA number
Merchant settlement account number
Risks Associated with the Sensitive Payment Data
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal) as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1).
Compromised sensitive authentication data can be used in conjunction with compromised cardholder data to create counterfeit credit/debit cards that can be used as if they were the actual cardholder.
If compromised, this data may be used to make fraudulent debits to the settlement accounts.
Reconciliation
Reconciliation / Exception Handling
Process and responsibilities associated with reconciling and handling any exceptions or problems with a payment
Payment Type Operation
Credit
Disputes are required to be reported/processed within specified timeframe defined by payment network or card rules and regulations.
Debit
Disputes are required to be reported/processed within specified timeframe defined by payment network or card rules and regulations.
Overview of Security Methods and Associated Risks
Security Methods
Participants in the original payment transaction may utilize anomaly and fraud detection tools to identify suspicious patterns of activity that may warrant further investigation or potential modifications to transaction anomaly and fraud detection tools.
Inventory of Sensitive Payment Data and Associated Risks
Sensitive Payment Data (Data that needs to be protected)
Sensitive payment data must be protected wherever it is processed, stored or transmitted.
Merchant ID
Cardholder Data*:
Cardholder data must be protected wherever it is processed, stored or transmitted
Primary Account Number (PAN)
Cardholder Name
Expiration Date
Signature
Risks Associated with the Sensitive Payment Data
If compromised, someone that is not a merchant could spoof a legitimate merchant.
Compromised cardholder data can be used by a criminal to create a fake credit/debit card for keyed, card present fraud (e.g. the magnetic stripe or chip are not properly encoded and the merchant keys in the card number at the terminal), as well as card not present fraud at merchants that do not validate Card Verification Values1 (or where the fraudster has already obtained the Card Verification Values1)
User Protection / Recourse
Applicable rules, regulations, and legal means of recourse
Payment Type Operation
Credit
Determined by payment network rules and applicable consumer protection laws and regulations.
Regulation Z’s consumer protections apply to consumer credit.
Debit
Determined by payment network rules and applicable consumer protection laws and regulations.
Regulation E’s consumer protections apply to consumer debit.
Last Updated: 02/21/2018
Footnotes
1Card Verification Values: Card Verification Values represent data elements that are (1) encoded on the magnetic stripe or the chip of a payment card; or (2) printed on the physical payment card and are used to validate the card information during the transaction authorization process. Card Verification Values encoded on the magnetic stripe (e.g. CAV, CVV, CVC, CSC) or on the chip (e.g. dCVV, iCVV) are generated via a secure cryptographic process and may be static or dynamic data used to validate the card during the authorization process. Card Verification Values printed on the physical card (e.g. CID, CAV2, CVC2, CVV2) may be three-digit or four-digit codes printed on the front or back of the physical card that are uniquely associated with the physical card and ties the primary account number to the physical card. Note: Payment network rules and the Payment Card Industry (PCI) Security Standards Council provide additional definitions of Card Verification Values.
*Note: Payments/Transfers Flow in Both Directions