Security of processing centers of EMV transactions

One of the most important practical aspects of the functioning of the Bank’s processing center is to ensure its security. Unlike conventional information systems, the Bank’s processing center contains information about the details that allow access to customers ‘ money, and compromising this data can lead to significant financial losses. This is why a significant portion of the cost of creating and operating a processing is associated with security costs.

Let’s look at some aspects of processing center security.

Transactional security

A set of measures aimed at ensuring the integrity of information exchange between hosts and devices, preventing data falsification and the inability to obtain PIN codes from transaction data. Technically, it is provided by using a multi-stage key system for encrypting PIN blocks (one-time session keys for devices, transport keys for interfaces), using MAC codes to confirm the integrity of messages, using HSM hardware to store key information and perform translation and PIN verification operations. It is also important to check whether the transaction data matches the card’s magnetic stripe data, as well as the data stored in the processing database.this allows you to cut off the card selection procedures. Organizational measures include the availability of key Management regulations, as well as the regulation of data storage and access procedures in the processing center.

Risk management

Technically, it consists in using hardware and software tools that allow analyzing authorization traffic, a database with transaction history and claims cycle messages, and detecting various types of attacks and possible frauds based on rules (rule-based) or neural networks. Organizational and technical tools include interfaces with databases of international payment systems containing information about fraud and unfair business practices, such as System to Avoid Fraud Effectively (SAFE), Member Alert to Control High-Risk (MATCH), and National Merchant Alert System (NMAS).

Organizational and technical security

It implies the presence of a security officer service( security officers), the presence and implementation of regulations for working with key information. In the information system of the processing center should be used for authentication, access control, and auditing. Access control devices (ACS) must be used in premises and technical zones, and technical security and video surveillance devices must be used in special zones. The culture of software development and maintenance is of particular importance for the smooth operation of the processing center. A mandatory rule is to have separate application development, testing, and operation environments, and the operating environment must be separated into a separate hardware and software package. All new software and hardware must be pre-tested in dedicated environments. It is also desirable that the development and maintenance of the system was developed by individual units to the processing center.

Security of personalization procedures

The security of personalization procedures should be ensured even at the design stage of the center, based on the requirements of subsequent certification in international payment systems. In particular, the layout and construction of premises should include a number of zones (production zone, receiving and transmitting zone, pin-envelope printing zone, storage zone, etc.) equipped with technical means of restricting access, monitoring and auditing. Special attention should also be paid to the selection of personnel.

UCS processing center and its features

CJSC United credit card Company (DCS) has one of the largest processing centers in Russia, processing according to various estimates from 35 to 60% of the turnover in various segments of the plastic card market. The processing center’s facilities are located on several geographically distributed technological sites.
The company is a certified provider of services to ensure the issuance and maintenance of plastic cards of the international payment systems Visa International (official status of TRP) and MasterCard (official status of MSP). The company’s data processing center is built in compliance with all industry standards and has a powerful, high-tech and modern processing based on the software of the world’s leading vendors (OpenWay Systems, ACI), offering banks a full range of processing services to support the issue of Bank cards, both international payment systems and any local card projects.

Currently, the company’s processing center offers banks the following services: personalization of Bank cards with a microprocessor (VSDC) and a magnetic stripe, generation of PIN codes and printing of PIN envelopes. The company has modern DataCard equipment (model range from DC280 to DC9000) for personalization of cards of international and local payment systems, as well as various types of club and discount cards. The capabilities of the personalization equipment allow you to apply photos and logos, as well as meet all the requirements of international payment systems in the field of personalization. The company’s personalization Bureau has repeatedly passed an audit of international payment systems with minimal comments;
maintaining databases on cards, authorizations, transactions – the software installed in DCS allows you to open and maintain card accounts in any currency (rubles, dollars, euros, etc.). Any Bank card product is configured in such a way that any authorization, and subsequently payment, takes into account the Bank’s Commission charged to the cardholder for this operation. Bank fees can be set in a currency other than the currency of the card account. Authorization or payment will be an automatic conversion of the Bank into the currency of the card account at the rate set by the Bank on the day of transaction that will allow you to block authorization in the card account sufficient funds to cover the amount of transaction and Bank charges;
secure document management using the Verba OW cryptosystem-allows banks to send orders to DCS to perform operations on their cards, as well as receive confirmation of their execution and a package of reports on the total operating day;
a reporting system that allows you to generate a package of reports on transactions using Bank cards and devices, as well as transactions that have passed through the clearing files of international payment systems, based on the results of the operating day. The system features allow you to configure individual reporting schemes for processed banks;
processing of clearing files of international payment systems-formation and sending of outgoing clearing files of IPS is performed according to the results of the operating day, processing of incoming files – as they are received according to the used technological schemes;
connecting and monitoring ATMs-the DCS processing center allows you to connect and monitor Diebold, Wincor Nixdorf and NCR ATMs using the X25 and TCP/IP communication protocols. The set of operations available to the cardholder in ATMs is constantly expanding;
connecting POS-terminals and cash servers of trade and service enterprises. The vast experience accumulated by the company-the largest acquirer, allows you to connect terminal equipment from leading manufacturers (Ven’fone, Hypercom, Bull, Lipman, etc.) and cash servers of the majority of suppliers present on the market with the implementation of standard (purchase, cash withdrawal, statement) and non-standard (registration and repayment of loans, payment for mobile operators) functionality;
round-the-clock customer support, which allows cardholders to receive service 24 hours 7 days a week, 365 days a year. Using the code word, the client can get information about the available limit, information about current transactions and card authorizations, and block the card in the company’s database;
multi-user system for remote access to the processing center database, which allows banks to get real-time information on cards about available limits, authorizations made, paid transactions, manage available limits on cards (reduce / increase limits, remove authorizations), set restrictions on performing certain operations on cards, block / unblock cards, conduct claims work, monitor and manage the Bank’s ATMs, independently manage the connection/disconnection to the service for sending SMS notifications to the mobile phones of cardholders, as well as implement a number of other features for managing the database of cards, transactions and devices in agreement with the processor company. Unlike similar services offered on the market, the technology used by DCS allows the Bank to “see” the Bank’s card/device database in the same way as it is seen by the company. Thus, the solution offered by the company with minimal financial costs brings the Bank as close as possible to the functionality of its own processing center;
sending SMS messages to the mobile phones of the main mobile operators upon authorization by card is another modern service offered by the DCS processing center.
Cooperation with DCS allows banks to quickly and effectively implement plastic projects at a high quality level due to the following factors:
availability of certification by international payment systems to support almost the entire product range of Visa and MasterCard;
passing an annual audit by international payment systems for compliance with the rules of the organization of the process of issuing and servicing cards, which indicates a high level of security and correctness of the construction of this technological process;
fast connection to technological solutions that have already been tested and used in the company will allow the Bank to offer its clients a wide range of services;
DCS has a 24-hour support service for Bank card holders;
using the knowledge and experience of highly qualified specialists of the company will allow you to quickly solve non standard tasks that arise before the Bank;
the technological solutions of interaction offered by the processing company will allow the Bank to obtain functionality comparable to the capabilities of its own processing center at a minimum cost of money;
a reasonable tariff policy of the company will allow the Bank to more transparently understand the structure of current and future expenses for maintaining the process of issuing and servicing cards and, as a result, manage expenditure items more effectively;
the constantly updated and expanded range of services offered to banks allows banks to access the latest developments in the industry with minimal investment costs.
Using the outsourcing capabilities of the largest processor in the industry is a reliable way for banks to implement effective and secure card programs.