Part 4

In Part 1 we had discussed resiliency as the underlying principle that drives the design of mission-critical payment systems. In Part 2 we discussed performance as one of the essential cornerstones for such systems. In Part 3 we explored scalability as one of the key desirable features for such systems.

Payment systems are built with security as a key design principle. In this concluding part, Part 4, we explore security in digital payment systems and how layers of security are used to protect these systems.

Security is addressed from two perspectives, (a) access control, and (b) information control.

For access control, the objective is to provide restricted and informed access to the digital payment system along with maintaining an audit trail of who accessed what information.

It is sometimes important to assess what can be inferred from a piece of information and to restrict access on that basis. For example, suppose a couple of organizations report their fraud percentages to a central authority, and the authority publishes only the overall figure, say the percentage of fraud reported by both at an aggregate level. Because the number of contributing organizations is so small, one organization can “infer” the fraud percentage of the other from the aggregate and its own figure – and that is undesirable.

For information control, super sensitive information such as PIN or biometric is not allowed to be stored, and the information that is allowed to be stored has to be maintained with suitable obfuscation, like encryption, hashing, tokenization, etc. Since data is the basis of the information, it needs to be protected when data is in motion, when data is being processed and when data is at rest.

Now, let us dive into each of these and explore the challenges and some of the solutions.

Access Control

It is a good practice to have an Integrated Access Management (IAM) system that every application portal or application user interface uses, implementing Role Based Access Control (RBAC) to determine which users have read, write, read-and-write or extract access to the information that application maintains. This gives a single point of access control. Should someone delegate her access rights to someone else for a certain period, say while she is out of office, that too is managed centrally. However, not every feature allows delegation, so the application needs to account for that at design time. IAM also helps when someone changes department, gets promoted, joins, or exits the organization, since access control is administered from one place. An application typically keeps an audit log of access to, and changes of, the sensitive information that governs access control itself, and uses a maker-checker workflow to protect that critical access-control information.
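The following is an added example, not code from the original post: a minimal central access-control service with role-based rights, time-bounded delegation, a maker-checker workflow for role changes, and an audit trail of those changes. The role names, the rights mapping and the rule that "extract" is never delegable are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Assumed role -> rights mapping on one application's data.
ROLE_RIGHTS = {"viewer": {"read"}, "analyst": {"read", "extract"}, "ops": {"read", "write"}}
NON_DELEGABLE = {"extract"}   # assumption: extract rights never pass to a delegate

class AccessControl:
    """Single point of access control shared by every application portal."""
    def __init__(self) -> None:
        self.user_roles = {}     # user -> set of roles
        self.delegations = []    # (from_user, to_user, role, expires_at)
        self.pending = {}        # change_id -> (maker, user, role)
        self.audit_log = []      # (when, actor, event) for access-control changes
        self._next_id = 1

    def propose_role(self, maker: str, user: str, role: str, now: datetime) -> int:
        """Maker step: the change is recorded but is not yet effective."""
        change_id, self._next_id = self._next_id, self._next_id + 1
        self.pending[change_id] = (maker, user, role)
        self.audit_log.append((now, maker, f"proposed {role} for {user} (change {change_id})"))
        return change_id

    def approve_role(self, checker: str, change_id: int, now: datetime) -> bool:
        """Checker step: someone other than the maker must approve."""
        maker, user, role = self.pending[change_id]
        if checker == maker:
            self.audit_log.append((now, checker, f"self-approval of change {change_id} refused"))
            return False
        del self.pending[change_id]
        self.user_roles.setdefault(user, set()).add(role)
        self.audit_log.append((now, checker, f"approved change {change_id}: {user} is {role}"))
        return True

    def delegate(self, from_user: str, to_user: str, role: str,
                 until: datetime, now: datetime) -> bool:
        """Out-of-office delegation of a role the delegator actually holds."""
        if role not in self.user_roles.get(from_user, set()):
            return False
        self.delegations.append((from_user, to_user, role, until))
        self.audit_log.append((now, from_user, f"delegated {role} to {to_user} until {until.isoformat()}"))
        return True

    def rights(self, user: str, now: datetime) -> set:
        """Own rights plus unexpired delegated rights the delegator still holds."""
        granted = set()
        for role in self.user_roles.get(user, set()):
            granted |= ROLE_RIGHTS[role]
        for src, dst, role, until in self.delegations:
            if dst == user and now < until and role in self.user_roles.get(src, set()):
                granted |= ROLE_RIGHTS[role] - NON_DELEGABLE
        return granted
```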

It is important to note that access control is usually implemented with a user id and password plus additional authentication factors such as OTP, grid code, biometrics, and more. Each added factor increases friction in usage, so extra factors should ideally be demanded only when needed. That “need” may be driven by the value of the asset being accessed, or by the system “suspecting” a change in the context of the access attempt, such as a change of device or a change of location. Invoking stronger authentication factors on the basis of need is termed Risk Based Authentication (RBA). At present, AI/ML is widely used to detect an “outlier of access context” and invoke RBA accordingly, which helps balance friction of usage against the value of the asset being protected.
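As an added example (not the post's own code), the RBA decision described above expressed as a function: it scores how much the access context has changed since the last good login, combines that with the value of the asset, and returns the factors to demand. The value bands, the factor names and the two-point scoring are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class AccessContext:
    """What the system observed about an access attempt."""
    user_id: str
    device_id: str
    country: str

# Assumed value bands for the asset (transaction amount) being accessed.
LOW_VALUE = 1_000      # below this, password alone is acceptable
HIGH_VALUE = 50_000    # at or above this, full step-up regardless of context

def context_risk(last_seen: Optional[AccessContext], now: AccessContext) -> int:
    """Score 0..2: one point per changed context element since the last good login.
    A user never seen before is treated as both a new device and a new location."""
    if last_seen is None:
        return 2
    score = 0
    if now.device_id != last_seen.device_id:
        score += 1
    if now.country != last_seen.country:
        score += 1
    return score

def required_factors(amount: float, last_seen: Optional[AccessContext],
                     now: AccessContext) -> List[str]:
    """Ordered factors the user must complete: the RBA decision itself.
    Low value in a familiar context -> password only; one context change or a
    medium value -> add OTP; two changes or a high value -> add biometric too."""
    factors = ["password"]
    risk = context_risk(last_seen, now)
    if amount >= HIGH_VALUE or risk >= 2:
        factors += ["otp", "biometric"]
    elif amount >= LOW_VALUE or risk == 1:
        factors.append("otp")
    return factors
```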

Information Control

Based on business-domain compliance norms, certain information cannot be persisted. In digital payments, applications are directed not to store the PIN, biometric information, the full card number, the card verification code or value (CAV2, CID, CVC2, CVV2) pertaining to the card, Personally Identifiable Information (PII), and much more, as detailed in the PA-DSS. Application audits are done by third parties who certify applications as compliant with these requirements. Users refrain from using applications and systems that are not compliant.

While storing and using full card numbers or account numbers is not allowed, masked forms are allowed so that users can still read them. Even the first few or last few digits/characters of such an identifier are enough for users to recognise that it belongs to them.

Another mechanism is to create a mnemonic or token that is associated with the card or account number. The user remembers the mnemonic, and the system holds the account details in a map keyed by it. This completely insulates the sensitive information.
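The masking and tokenization just described, as an added example that is not part of the original post: the application persists only a random token and the masked number, the vault alone holds the map back to the full number, and every request for the clear value is checked against a permitted role and written to an audit trail (the "who accessed what" from the access-control section). The mask rule (first six, last four) and the role name are assumptions.

```python
import secrets
from datetime import datetime, timezone
from typing import Optional

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, e.g. 411111******1111."""
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

class TokenVault:
    """Only the vault maps tokens back to full numbers; callers keep the token."""
    # Assumed: only this role may ever retrieve a clear card number.
    DETOKENIZE_ROLES = {"settlement-service"}

    def __init__(self) -> None:
        self._token_to_pan = {}   # token -> full PAN, never handed out in bulk
        self.audit_log = []       # (when, caller, role, token, outcome)

    def tokenize(self, pan: str) -> dict:
        """Return what the application is allowed to persist."""
        masked = mask_pan(pan)                      # also validates the input
        token = "tok_" + secrets.token_hex(16)      # random, derived from no PAN digit
        self._token_to_pan[token] = pan.replace(" ", "")
        return {"token": token, "masked_pan": masked}

    def detokenize(self, token: str, caller: str, role: str) -> Optional[str]:
        """Release the clear PAN only to permitted roles; audit every attempt."""
        allowed = role in self.DETOKENIZE_ROLES and token in self._token_to_pan
        self.audit_log.append((datetime.now(timezone.utc), caller, role, token,
                               "released" if allowed else "denied"))
        return self._token_to_pan[token] if allowed else None
```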

A standard technique for protecting information is encryption. The keys are exchanged before the information is transmitted, the information is encrypted before transmission, and on receipt it is decrypted using the previously shared key.

To protect a transaction in motion and at rest, one of the above obfuscation techniques is used. However, the information must be recovered in clear text at the point where it is processed, so the keys need to be maintained in a very secure manner.

Keys can be managed and kept in Hardware Security Modules (HSMs) that only programs can access and use. Where a human needs to “know” a key, the key is often “split”, with each part known to a different person. Hence, unless multiple key owners collaborate, the secret cannot be revealed.
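An added example, not taken from the post: the key splitting described above done the way HSM key ceremonies commonly do it, by XOR. Each owner's component is uniformly random on its own, so any set of components short of the full set reveals nothing about the key; the check value lets owners confirm the recombined key is right without seeing it. The SHA-256-based check value is a stand-in assumption for the AES-based KCV real HSMs use.

```python
import hashlib
import secrets
from typing import List

def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytes(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("components must all have the key's length")
        out = bytes(a ^ b for a, b in zip(out, block))
    return out

def split_key(key: bytes, owners: int) -> List[bytes]:
    """Produce one component per key owner; all components XOR back to `key`.
    The first owners-1 components are fresh random bytes, so fewer than all of
    them are statistically independent of the key."""
    if owners < 2:
        raise ValueError("need at least two owners to split a key")
    components = [secrets.token_bytes(len(key)) for _ in range(owners - 1)]
    components.append(xor_blocks([key] + components))   # forces the XOR to equal key
    return components

def combine_key(components: List[bytes]) -> bytes:
    """Reconstruct the key (inside the secure boundary) from all components."""
    return xor_blocks(components)

def key_check_value(key: bytes) -> str:
    """Short value owners compare to confirm the combined key without seeing it.
    Real HSMs derive the KCV by encrypting a zero block under the key; a
    truncated SHA-256 stands in for that here (assumption, not the standard)."""
    return hashlib.sha256(key).hexdigest()[:6]
```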

A very important characteristic of a key is how difficult it is to guess or break by brute force with available technology. That difficulty grows exponentially with key length. However, as faster processing becomes available, key lengths must be increased to maintain the same degree of difficulty of guessing or breaking the key by brute force, so it remains a game of catch-up. With the advent of quantum computers this will become an increasingly bigger challenge to address.

Conclusion

Increased protection comes at the cost of friction for users and for processing. Information needs protection while it is in motion, while it is being processed and while it is at rest; multilayer authentication, multimodal obfuscation, and secured communication networks are typically used. However, standard hygiene such as background checks of users of sensitive systems and KYC with regular refresh of the information goes a long way in implementing security beyond the technology protections available.
