
Secure IP Networks: What’s Available other than SSL?

A GHL Whitepaper, 2008


Secure IP Payment Networks: What’s available other than SSL?

Payment security threat models today assume a powerful adversary with access to virtually all communications links and to insecure networks and systems. As a result, financial institutions, businesses, card associations and statutory bodies have, in recent years, taken vital steps to address these threats by working closely together and introducing the measures needed to combat this scourge.

In fact, banks across the globe continue to invest heavily and to weigh strategic options regarding security and fraud management tools and practices, so as to strengthen control of non-public consumer and corporate information, primarily on the heels of mandates such as capital and operational risk management and stronger customer authentication. Deceitful online and offline schemes target banks from both within and without. (Source: Top 10 Strategic IT Initiatives for Financial Services in 2007, Financial Insights, 2007)

With these considerations in mind, and against the backdrop of increasing IP-based network deployments by financial services institutions, this article briefly presents the prevailing approach often touted as the solution to payment network security: the ubiquitous Secure Sockets Layer (SSL). Its chief aim is to present a viable security solution for payment infrastructure that addresses the shortfalls of SSL: GHL Systems’ NetMATRIX Terminal Line Encryption.

The scope of this article, however, is limited to the deployment of both concepts in TCP/IP electronic data capture (EDC) terminal networks.

SSL

Secure Sockets Layer (SSL) is a collection of TCP/IP security protocols and is considered by many to be the current de facto Internet security standard. The purpose of SSL is to provide a layer of security between the sockets at the transport layer and the application accessing the network through those sockets. The idea is that, when SSL is active, network services such as FTP and HTTP are protected from attack by the secure SSL protocols.

Typically, only the server is authenticated (i.e., its identity is validated) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be assured of whom it is communicating with, but the server cannot. SSL is commonly used in banking and e-commerce websites, but also in non-commercial sites that offer online memberships and webmail.

Terminal Line Encryption (TLE)

Terminal line encryption, in its broadest sense, protects against wire-tapping and other threats such as eavesdropping and card skimming, ghost or phantom EDC terminals, host spoofing and replay attacks. Wire-tapping is the monitoring of telephone traffic, Internet traffic or even wireless local area networks by a third party, often by covert means and for fraudulent purposes. Again, within the context of this discussion, we refer specifically to the interception of card transaction data traffic from the EDC terminal to the bank or destination host on IP networks.

In simple terms, Terminal Line Encryption (TLE) converts the parts of a message holding sensitive cardholder information into unintelligible data while the message is in transit. Only the intended receiver, who is able to decrypt the message, can read the information and complete the transaction, thus defeating any attempt by fraudsters to capture payment card details, account numbers or any other information.

Combined approaches: TLE & EMV

Malaysia’s foray into terminal line encryption back in 2005 is perhaps the best testament to the effectiveness of TLE in combating card fraud. To strengthen its payment security infrastructure, Malaysia implemented line encryption of its terminals and bank systems, making it the first country in the world to deploy both line encryption and EMV technology nationwide.

Malaysia’s experience is unique in that the Malaysian central bank (Bank Negara) mandated that both line encryption and EMV be implemented as a combined approach to overcoming card fraud. The two work in tandem to enhance the integrity of payment systems and instruments, while promoting confidence and ensuring that consumers’ interests are safeguarded.


Actual fraud data from the Malaysian experience provide historical and empirical evidence of a strong inverse relationship between increasing chip maturity and declining counterfeit fraud. (Source: Bank Negara Malaysia, 2005)

As a result of these two initiatives, and according to Visa Asia Pacific’s Mr. Ingo Noka, Head of Visa’s Payment Security Services, “Counterfeit fraud in Malaysia on domestically-issued cards fell from an average of 0.16 percent in the years 2000 to 2004 to a record low of 0.03 percent in 2005. Expressed in US dollars, after one year of using chip cards, domestic counterfeit has dropped 92 percent from about US$400,000 in January 2004 to US$31,000 in August 2005.

“Since September 2004, the share of fraud losses due to counterfeit fraud has fallen from 90 percent to 22 percent and we see a shift to lost or stolen and card-not-present (CNP) fraud types which now represent 73 percent of fraud losses”. (Source: Visa Payment Security Bulletin - Issue 1, 2006)

Currently, about 90% of the terminals in Malaysia are encrypting authorization messages.


A Brief Comparison of SSL and NetMATRIX TLE as a payment network security solution

GHL Systems’ NetMATRIX TLE uses symmetric key encryption and decryption, which is better suited to an environment where processing power, memory and bandwidth are limited. It supports up to 4 billion unique keys per terminal application and also supports Unique Key Per Transaction. Additionally, NetMATRIX TLE uses dynamic key derivation instead of static keys for each transaction, effectively preventing terminal cloning and reducing key management issues. It further provides a Remote Key Injection (RKI) utility to ease the remote deployment of keys into terminals.

Performance considerations

SSL is a PKI (Public Key Infrastructure) implementation and thus requires greater resources (in terms of processing power and memory) and more overhead (in terms of processing time, handshake overhead, session key exchange, etc.), further constrained by bandwidth limitations. This is compounded if client/device authentication is needed in addition to host authentication, since a digital certificate then has to be downloaded to each terminal.

Communication Channels/Technologies Independence

• NetMATRIX TLE functionality is independent of the underlying carrier technology and protocol and can work over X.25, TCP/IP, SNA, SDLC, HDLC and LAPB networks, while SSL can only work over a TCP/IP-based network.

• NetMATRIX TLE can also work over a heterogeneous network (a combination of different underlying network protocols), while SSL can only work over a homogeneous TCP/IP network.

• NetMATRIX TLE secures data at each individual terminal’s application layer, which conforms to the ISO 8583 format and can therefore be routed through a bank’s existing payment infrastructure without additional major investment.

• Where typical SSL implementations require a TCP/IP environment that has to be augmented with additional security infrastructure such as firewalls, SSL accelerators or intrusion detection systems, NetMATRIX can be deployed across a variety of environments without requiring such investments.

Greater security and flexibility

NetMATRIX TLE secures transaction and card data at each individual terminal’s application layer instead of at the communication channel layer. It also provides more flexibility than SSL, as NetMATRIX TLE allows application-specific customisation to determine the exact fields and data that need to be encrypted and decrypted.
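As an added illustration (not GHL Systems’ or NetMATRIX’s own code; the product’s actual key scheme is not described in this paper), the Python below sketches the two properties claimed in the comparison above and in this section: only the application-chosen ISO 8583 fields are encrypted, and each transaction uses a key derived from the terminal’s injected base key and a counter, so the host can recompute the key and reject a replayed or duplicated counter. The sample message, terminal ID and base key are constructed, and the HMAC-based keystream stands in for the block cipher a real TLE would use.

```python
import hmac
import hashlib

# Constructed ISO 8583-style authorization request (field number -> value).
# Fields 2 (PAN) and 35 (track 2) are sensitive; all values are made-up test data.
SAMPLE_MSG = {"MTI": "0100", 2: "4111111111111111", 4: "000000012500",
              11: "000123", 35: "4111111111111111=2512101123456789", 41: "TERM0001"}
SENSITIVE_FIELDS = (2, 35)   # application-level choice of what to encrypt

def derive_txn_key(base_key, terminal_id, counter):
    """One key per transaction, derived from the terminal's injected base key,
    its ID and a monotonic counter: no static key is used on the line, and the
    host recomputes the same key from the counter sent in clear."""
    return hmac.new(base_key, f"{terminal_id}:{counter}".encode(), hashlib.sha256).digest()

def _crypt(key, field_no, data):
    """XOR with an HMAC-SHA256 counter-mode keystream: a stand-in for the
    3DES/AES cipher a real TLE product would use. Symmetric, so it both
    encrypts and decrypts."""
    ks = b"".join(hmac.new(key, f"{field_no}:{i}".encode(), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))

def terminal_encrypt(msg, base_key, counter):
    """Encrypt only the sensitive fields; the rest stays in clear so the message
    still routes through an existing ISO 8583 switch unchanged."""
    key = derive_txn_key(base_key, msg[41], counter)
    out = dict(msg)
    for f in SENSITIVE_FIELDS:
        out[f] = _crypt(key, f, msg[f].encode()).hex()
    out["KSN"] = counter          # key serial number: counter in clear, key never sent
    return out

class Host:
    """Host side: holds each terminal's base key and the last counter seen, so a
    replayed message or a cloned terminal reusing a counter is rejected."""
    def __init__(self, base_keys):
        self.base_keys, self.last_counter = base_keys, {}

    def decrypt(self, enc):
        tid, ctr = enc[41], enc["KSN"]
        if ctr <= self.last_counter.get(tid, 0):
            raise ValueError(f"counter {ctr} already used by {tid}: replay or clone")
        self.last_counter[tid] = ctr
        key = derive_txn_key(self.base_keys[tid], tid, ctr)
        out = {k: v for k, v in enc.items() if k != "KSN"}
        for f in SENSITIVE_FIELDS:
            out[f] = _crypt(key, f, bytes.fromhex(enc[f])).decode()
        return out
```

The non-sensitive fields (amount, STAN, terminal ID) are untouched, which is what lets the encrypted message pass through an ISO 8583 switch that has no knowledge of the keys.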


Other key considerations:

An SSL implementation requires a certificate server if in-house certificates are used. If banks or other financial institutions already have their own certificate server, this would probably be a non-issue. However, if public digital certificates from Certification Authorities are used, this would mean additional cost, as their pricing model is typically based on each individual digital certificate. The long-term management of the digital certificates themselves also warrants consideration.

Conclusion

As the industry advances, changes in the payments landscape will continue to be dynamic, and the level of requirements, complexity and sophistication in payment networks will further intensify. While considerable efforts have been undertaken to enhance protection for consumers and banks alike, still more remains to be done.

Given the issues and considerations discussed, as well as its own experience implementing TLE in India, Malaysia, Thailand and Indonesia, GHL Systems believes the time is now for card associations, banks, and payment network security, technology and solution providers to reconsider the proposition that SSL should remain the de facto standard, as far as TCP/IP EDC terminal networks are concerned.