The main trends in the field of protection of bank payments

Main article: Information security in banks

Summary

Financial institutions are the economic sphere which is the most protected in respect of information security. The reasons are obvious – risks of economic losses in case of cyberincidents – direct and observable. At the same time, financial institutions have sufficient budgets and motivation for high-quality development of the IT and cybersecurity systems.

Nevertheless, the cybersecurity incidents connected with illegitimate transactions are widespread now and do not lose relevance. Is considered by the author what processes are now in a risk zone and what are thought already rather over, and their risks are minimized at the moment.

As statistics shows, transactions between the user and a banking system are the least protected and most frequent targets of malefactors. Therefore transactions of "the client device-a bank backend" level are considered below. Internal and interbank payment transactions are not a subject of this article.

Introduction

Statistics of The Boston Consulting Group of 2019 confirms growth of popularity of cashless payments in the world for the last 10 years: the universal gain makes 13.6% since 2010, statistics on North America on the average makes 3.2% a year, 5% – for the European region. And the engine of growth of transactions in the European region is Russia: the number of non-cash card transactions in Russia from 2010 to 2018 grew by the person by 30 times that made Russia the world leader in number protected tokenized ^[1] It was promoted by rapid technology growth of the banking sector, easier adaptation of contactless mobile payments using the Apple Pay, Google Pay and other similar applications, distribution of platforms e-kommerts, lack of burdening by "traditional character" when choosing a technology platform. Thus, Russia became the market, largest in Europe, on the volume of transactions with use of digital purses.

Rapid distribution of cashless payments enters natural risks of information security to the financial sphere. They are connected as with the organization of the payment process and loss of control of financial company over it, and with fraud risks through users of payment systems.

For risk minimization in the course of the organization of payments there is a number of regulating authorities and mandatory standards to which there should correspond in the measure defined to it each participant of transaction. The main complexity consists that in terms of a system fraudulent payments can meet all necessary requirements for confirmation of voluntary intention of the user. And the schemes of fraud directed to users with payment data in recent years developed into full-fledged social engineering. Different schemes of input of the user in delusion are used. So, according to FBI, collected worldwide on the known incidents, by the end of 2019 the following trends regarding social engineering are observed:

• The following scenarios of social fraud are most often used: schemes of advance payments, schemes of fraud with investments, fraud on romantic subject, fraudulent technical support, operation of a subject of grandsons, fraud with the state fraud, charitable and lottery fraud, repair of the house, fraud on television/radio and deception with relationship and guardianship. Under the pretext of different situations swindlers convince the user voluntarily to give data of bank cards or to dictate the coming confirmation codes and by that make a fraudulent transfer.
• The large volume of complaints arrives from the victims 60 years (it is voluntary statistics, therefore estimated data) – about 68000 complaints to $835 million damage are more senior.
• Actively the quantity of so-called "Tech Support Fraud" – operation of trust of users to technical support grows. The malefactor is represented the professional of IT service of the company (most often travel agency, financial company) and under the pretext of protection of means convinces the user to provide data for money transfer to the "safe" account. For 2019 complaints arrived from 48 countries, the loss estimate makes $54 million that shows growth by 40% in comparison with previous year.

Russia on a result of 2019 got to the twenty of the countries by the number of the victims of such attacks.

The Central Bank of Russia, in turn, shared analytics of system operation of processing of incidents of FINTSERT and Automated system of "Fid-Antifrod" for 2019:

• 69% of all operations on money transfer without the actual consent of clients were made as a result of motivation of clients by deception to independent carrying out transaction – fraud using social engineering, or as a result of receiving by malefactors direct access to electronic payment instruments. The volume of plunders is 5723.5 million rubles, against the background of the total amount of transactions with use of electronic means of payments – 7.3 trillion rub.
• The average cost of plunder is: for individuals – 10 thousand rubles, for legal – 152 thousand rubles So the tendency to multiple medium-sized plunders is traced.
• The main number of incidents is connected with operations on payment of goods and services on the Internet (CNP transaction) and methods of social engineering (fraud). The noticeable percent of incidents is result of receiving by malefactors the access to a system RBS with use harmful SOFTWARE expected cracking of software stationary computers.
• In geographical leaders: Moscow and Central Federal District, St. Petersburg, Ural, Volga and Far East federal districts.
• Despite dominance of conditionally voluntary consent to performing transactions of plunders, banks managed to compensate to clients about 935 million rubles that makes 15% of the stolen amounts.

About trends in protection of process of payment transactions

Financial the organizations are under the influence of a large number of the regulatory organizations and their regulations: PCI SSC (PCI DSS), FSTEC (PDN CUES and dr) FSB, Central Bank and Financial that, NPS, requirements SWIFT and others. Acts PCI DSS, the Central Bank RUSSIAN FEDERATION of century have the direct relation to payment transactions and security requirements of the user payments Russia.

CENTRAL BANK OF THE RUSSIAN FEDERATION

• The policy of the Central Bank in the field of data protection (cyber security)
• The policy of the Central Bank in the field of development of innovations and financial technologies

First, and others, according to the become effective laws, turn requirements of the Bank of Russia, namely standards 683-P, GOST 57580.1, 382-P from the status referral into the status obligatory, in coordination with FSTEC and FSB. Thus, powers of the Central Bank and, respectively, level of security of financial institutions amplify. New documents reflect a tendency to gain of regulation of information security and ensuring real security of financial institutions instead of a formalism.

The Central Bank for last year directed the attention to the continuity of monitoring of cybersecurity and development of FINTSERT of fid and also to protection against fraudulent transfers and payment transactions (fraud). Powers an antifraud systems and possibilities of bank on operational suspension of suspicious transfers and time blocking of electronic means of payments at suspicion of their compromise for a period of up to two working days are legislatively strengthened (the bases for suspicion: coincidence of parameters of payments to base of fraudulent devices or accounts, abnormal payment parameters, for example, amount and frequency, place of implementation of payment, etc.). The bank informs the client, requests confirmation for resuming of carrying out payments and, respectively, either blocks, or resumes payment, makes recommendations about reduction of risk of emergence of similar situations. The similar mechanism is started under advice about fraudulent transaction from the injured client of bank – for a period of up to 5 days for payment confirmation (if money transfer did not happen yet therefore it is extremely important to announce similar transactions quickly!).

The direct relation to protection of payments of clients and counteraction to implementation of money transfers without the consent of the client has resolution 683-P. Main requirements 683-P: certification of the application software in FSTEC on absence of NDV or the analysis of vulnerabilities on OUD4, ensuring integrity and reliability of the protected information, transmission security on communication channels, registration and storage within 5 years of information on all actions connected with access to the protected data of workers and clients. Plus sending data on an incident in FINTSERT.

In Russia in an active stage of study there is a project of service of fast interbank payments (SBP) – implementation of interbank transfers between clients using mobile phone number that considerably simplifies translation procedure. Connection of credit institutions to SBP at the moment is voluntary, but already large number of banks expressed the intention. The Central Bank of the Russian Federation, in turn, already entered a part of the normative and organizational concepts concerning this system into Provision 672-P, i.e. security requirements to such type of transfers are also already actively studied.

PCI DSS

The Payment Card Inductry Security Standards Council organization (PCI SSC) is the international regulating authority according to standards of security of the industry of payment cards. Council of PCI SSC was created by the collective solution of international payment systems of VISA, MasterCard, American Express, JCB, Discover. Competences of council of PCI SSC include development and support of standards of data security provision of the industry of payment cards. The main documents are:

• Payment Card Industry Data Security Standard – PCI DSS – the main document defining security requirements to service providers and the trade and service companies using payment cards in the address.
• Payment Card Industry Payment Application Data Security Standard – PCI PA-DSS – the standard defining requirements for security to the payment applications and process of their development processing data on holders of cards, thereby minimizing the attacks of a type of "supply chain".
• Payment Card Industry Point-to-Point Encryption – PCI P2PE – the standard containing requirements to solutions on data encryption of payment cards by transfer between participants of payment procedure (from trade and service company to merchant acquirer).
• Payment Card Industry PIN Transaction Security – PCI PTS – the standard containing requirements to the devices processing the personal identifier (PIN): POS terminals, PIN keyboards, hardware modules of safe storage and processing of actions with PIN (HSM).
• Payment Card Industry Token Service Provider – PCI TSP – security requirements for service providers of tokenization.
• The Card Production standard is the standard for payment card issuers (issuing cards of the organizations).
• PCI 3DS Core Security Standard is the standard of security for the organizations performing or providing functions of payments without physical providing the map.

The key active standard is PCI DSS of version 3.2 now. Attention focus in it, in comparison with the previous versions, in view of growth of popularity of service models in IT, is displaced on expansion of responsibility of service providers and criteria for evaluation of all participants involved in service of transactions obligations for regular testing of payment systems and the requirement to masking of an account number are fixed. The PCI DSS standard comprises twelve sections of check of security of systems:

• Protection of the computer network.
• Configuration of components of information infrastructure.
• Protection of the stored data on holders of cards.
• Protection of transmitted data about holders of cards.
• Antivirus protection of information infrastructure.
• Development and support of information systems.
• Access control to data on holders of cards.
• Authentication mechanisms.
• Physical protection of information infrastructure.
• Recording of events and actions.
• Control of security of information infrastructure.
• Information security management.

NFC

• Contactless NFC payments

The market is mobile, technologies are constantly transformed towards improvement of the user experience (usability). So, rapid development was gained by technologies of contactless payment (NFC) which bear in themselves new risks. The corresponding set of standards is regularly updated and reviewed. In particular, much attention in the developed document revisions PCI SSC is paid to devices "Commercial off-the-shelf" (COTS) – to the commercial ready devices participating in payments are smartphones, tablets and other devices with the NFC chip. Now updating of the CPoC standard (Contactless Payments on COTS) which raises the following questions is made:

• Requirements to payments via the NFC interface ("Tap and Go"), including certification procedures for program and hardware a component of participants of NFC payment.
• Requirements to contactless payments using a tape (Magnetic Stripe Readers, MSR) and the chip ("Europay + MasterCard + VISA", EMV, the standard for bank card transactions with the chip).
• Questions of prohibition on transactions with entering the PIN and other procedures of verification of the user of the card – CVM (Cardholder Verification Method) – online or offline PIN, the signature of the check.

As for commercial payment devices (COTS), the standard of security of the PA DSS payment applications corresponding to them earlier based on requirements of VISA and Master Card is removed from support. It is succeeded by new standards for payment applications on devices "Software-Based PIN Entry on COTS" (SPoC, 2018) and the standard for devices of contactless payment "PCI Contactless Payments on COTS" (CPoC, 2020) under a framework of "Software Security Framework" – the program of certification of PCI SSC for producers of payment solutions. For producers of cards and reader devices of payment transactions and means of ensuring of work of payment transactions the certification mechanism is entered. The certified laboratories will be accredited by PCI SSC and perform further service of check program and the hardware given on certification. Thus, accomplishment program and the hardware of payments of requirements of structure of PCI SSC is guaranteed. In particular, the Software-Based PIN Entry on COTS standard which appeared in 2018 comprises the principles and methodology of assessment for mobile payment solutions in which input of the PIN code is performed on mobile devices (smartphones, tablets) and means data encryption of PIN and the account when sending between the reading-out terminal, the device of payment and a backend and also other security requirements. What trends of development of the standard: in development now updating to PCI DSS v4.0, an exit is planned for 2020. Except updating of the standard, the purpose of the new version is development of the relation to cybersecurity as to permanent process (continuous process), gain of methods of validation and procedures.

The full range of the PCI SSC standards covers all processes connected with payment cards and payments – from production of hardware-software providing, before ensuring protection of transactions of trade and service company. At the same time a set of standards since 2012 is obligatory for all organizations where are present storage, processing or transfer at least of one card number of PCI SSC, any of five international payment participating systems of Council ("WORLD", Visa, MasterCard, American Express, JCB and Discover) within any business process of the organization, with annual control of maintenance of compliance by internal or external audit.

In 2017 the Russian payment system "MIR" joined Council of PCI SSC.

3D secure

Separately It should be noted the standard of security "PCI Three-Domain Secure Core Security Standard" (3DS). It enters a packet of the PCI SSC standards as the standard of security for the organizations performing or providing the functions defined in EMV 3-D Secure Protocol and Core Functions Specification.

The standard defines authentication mechanisms of participants of payment, security and protection against deception (fraud) of transactions in the absence of the requirement in physical demonstration of the card (Card-Not-Present, CNP), in particular, at payments on the Internet. The standard adds additional to CVV step of authentication through the disposable confirmation code provided by bank to the user of the card in the Sms, the Push-notification or in a different way.

PSD2

The payment directive Revised Payment Service Directive – PSD2 – extends to the countries of the European Union and affects implementation of online payments (what was not in the first version of 2007) and that is more important, implementation of safety of such payments.

The purpose of new directive PSD2 – to create the system of "open banking" in Europe, having created equal conditions for all players of the market, large and small and to make payments safer, having improved client protection. The directive is directed to decrease in probability of fraud with electronic transactions. It should improve protection of client data due to use of reliable authentication of users in electronic transactions: the password or the PIN code, PLUS these cards, PLUS this biometrics, PLUS the dynamic code from the client bank.

PSD2, first of all, standardized API of data transmission between banks and payment system at commission by the client of online payment, and, respectively, between the organization of payment and target bank client. The directive introduced requirements to security: enciphering of communications from/to the organization initiator of payment, restriction of available fields of a request of payment data.

Besides, the directive includes the rule about the unconditional right to return of debit write-off up to 8 weeks after making payment, control of collection of additional resources for making payments according to the card (commission), restriction for a maximum amount of not authorized payment (up to 50 euros).

Outputs

The PCI SSC standards are not fixed at the state level as obligatory, more precisely, only some states entered them into the USA at the legislative level. But, thanks to requirements of payment systems, they are executed in a large number of the organizations. The research of Cisco company on accomplishment of the standard in the USA of 2011 revealed the following:

• From all industries best of all fulfill the requirements of PCI DSS of retailer and financial institutions; retail belonged in the most serious way to implementation and implementation of this standard.
• At the same time 85% of respondents consider that at the moment their organizations are capable to undergo successfully audit of PCI DSS, and 78% successfully underwent such audit from the first.
• Most good results in the field showed the state organizations: 85% of state institutions successfully underwent audit of PCI DSS from the first. Worst of all there underwent such audit the medical organizations (72%).
• 67% of the polled heads of the companies and members of Boards of Directors consider PCI DSS very important initiative; besides, 60% of respondents confirmed that the PCI DSS standard can stimulate other projects connected with networks and network security.

10 years ago the Verizon company began tracking of accomplishment of the PCI DSS standard among the companies. The report of "Verizon PCI Report" of 2019 shows that dynamics of maintenance of compliance is ranged of 22% (2009) to 7.5% (2011) and 55.4% (2016) – see figure 1. And now, 15 years later after a release of the standard, more than 35% support the systems of protection in completely relevant compliance to the standard, many companies are in process of study of similar procedures.

Fig. 1 – Dynamics of maintenance of the systems of protection on compliance to the PCI DSS standard by years

In the conditions of technology breakthrough of the financial sphere the 3D Secure technology was widely adopted enough thanks to convenience to the user at the high level of security.

In Russia, besides, since 2020 there are obligatory requirements of the Central Bank of the Russian Federation to financial institutions. And since July, 2016 the law "About making changes in 54-FZ "About use of the cash registers at implementation of cash monetary payments and (or) calculations using payment cards" (the cash registers works – further "cash register equipment"), obliging, including, online payment transactions to perform everything using the cash register equipment, the online transfer of fiscal data connected to a system in FTS. The fiscal data operators (FDO) which locate special technical means of processing of fiscal data in real time, formations, checks and storages at themselves base of fiscal data and also their transfer to tax authority are for this purpose used. This law is useful to the end user that upon any online purchase he receives by mail or other method the confirmatory check which is the full fiscal document. OFD, in turn, locates technical means of protection of fiscal data and necessary licenses of FSTEC and FSB.

Recommendations to the user

Now the greatest threat in the field of payments is posed by fraud on the basis of social engineering. Therefore education of technology literacy among users of banking services is important. What can be recommended as measures of digital hygiene for the end user payment ^[2]:

• Not save payment data on doubtful services, compare risks and need of input of payment data on the resources which are not supporting the 3D Secure standard (he demands support not only from a payment system and financial institution, but also and from the trade and service company).
• Not to save the code from a reverse side of the card (CVV code) anywhere! And not to tell anybody the following codes: The CVV code, the code from the SMS, Push-notifications, the card PIN code – them has no right to request NIKTO – neither the employee of the bank, nor technical support, nobody other, you use these codes only in the course of certain payment transactions.
• Avoid fraud: be vigilant, not trust phone calls. Not open the personal data: Full name, place and year of birth, passport details. Employees of the bank have access to this information if necessary, and if someone tries to learn from you these data, – it is suspicious, hang up a receiver and independently call back in bank.
• In case of successful fraud: to quickly announce bank suspicious payment and to carry out all instructions required by bank. The timely message will allow to block temporarily payment for clarification of its legitimacy. In case of loss or theft of the card it is necessary to arrive also.
• Not download and not install programs on mobile devices at the request of strangers, and, especially, not to tell them access codes to programs. It is necessary to understand well that you set and why. It is desirable to manage attentively the rights requested by programs and to minimize them.

Author of article: Mikhaylova Anna Yurevna.

You watch also Payment systems and services