Recommended security controls for online payment system

An electronic payment system is a means of paying over an electronic network such as the internet: a person can pay for goods and services online without physically handing over cash or cheques, regardless of time and location. Electronic payment systems are the basis of online payments, and an online payment system is a more developed form of electronic payment.
 
This article provides the security control recommendations that merchants and banks should meet when communicating with the Online Payment application.

Recommended Security Controls

Merchants

  1. Merchants' network communication devices shall be hardened as per the vendor's Minimum Baseline Security Standard (MBSS) and the vendor's recommended hardening checklist.
  2. Channels shall be encrypted in transit using TLS with a digital certificate, to protect data in motion. Server certificates shall use RSA keys of at least 2048 bits and shall be signed with a SHA-2 family hash (e.g. SHA-256) rather than SHA-1 or MD5.
  3. Merchants that interact with banks shall comply with the security control requirements of the respective bank's policy.
  4. Merchants should comply with all applicable security controls of ISO/IEC 27002:2013, which specifies 35 control objectives and 114 controls for protecting the confidentiality, integrity and availability of information. The following clauses need to be complied with:
    • Section 5: Information security policies
    • Section 9: Access control
    • Section 10: Cryptography
    • Section 11: Physical and environmental security (11.2 Equipment security)
    • Section 12: Operations security
    • Section 13: Communications security
    • Section 14: System acquisition, development, and maintenance
    • Section 16: Information security incident management
    • Section 17: Information security aspects of business continuity management
    • Section 18: Compliance (Compliance with legal and contractual requirements and information security reviews)
  5. The merchant can also refer to and comply with the relevant clauses of ISO/IEC 27033, which gives detailed guidance on the security aspects of managing, operating and using information system networks and their interconnections.
  6. Merchants shall secure communications with the bank network through the applicable gateways, firewalls (network and application), intrusion detection/prevention systems, web proxies and service orchestration mechanisms, in accordance with a documented policy. This includes identifying and analysing network and application security threats, defining security control requirements, and designing, implementing, operating, monitoring and reviewing the controls.
  7. All of the merchant's network communication devices shall run the latest application and security patches, with up-to-date anti-virus and anti-spam signatures, to repel attacks.
  8. Vulnerability assessment, penetration testing, security control effectiveness checks or security audits are recommended on a periodic basis, at least yearly.
  9. The merchant site shall be protected by reputable web vulnerability scanning and site protection tools.
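The certificate requirement in item 2 (RSA key of at least 2048 bits, SHA-2 signature) is easy to check mechanically. The following Go program is an added example, not code from the article or from any vendor's MBSS: it parses a PEM certificate, reports every policy violation it finds, and, so that it runs offline, constructs its own self-signed test certificates (the host name merchant.example and the 24-hour validity are assumptions for the sample, not real merchant data). A compliant 2048-bit certificate produces no findings; a 1024-bit one produces one.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy from the merchant controls: RSA keys of at least 2048 bits, SHA-2 signature.
const minRSABits = 2048

// sha2Algorithms lists the X.509 signature algorithms that use a SHA-2 digest;
// anything else (MD5, SHA-1) is reported as a violation.
var sha2Algorithms = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckCertPolicy parses a PEM-encoded certificate and returns one finding per
// policy violation; an empty slice means the certificate is compliant.
func CheckCertPolicy(pemBytes []byte) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	var findings []string
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < minRSABits {
			findings = append(findings, fmt.Sprintf("RSA key is %d bits, policy requires at least %d", bits, minRSABits))
		}
	default:
		// The 2048-bit rule is written for RSA; other key types need a separate review.
		findings = append(findings, fmt.Sprintf("non-RSA public key (%T): review key strength separately", pub))
	}
	if !sha2Algorithms[cert.SignatureAlgorithm] {
		findings = append(findings, fmt.Sprintf("signature algorithm %s is not a SHA-2 variant", cert.SignatureAlgorithm))
	}
	if time.Now().After(cert.NotAfter) {
		findings = append(findings, "certificate has expired")
	}
	return findings, nil
}

// SelfSignedPEM builds a self-signed test certificate with an RSA key of the
// given size. This is constructed sample input, not a real merchant certificate.
func SelfSignedPEM(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "merchant.example"}, // hypothetical host
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	for _, c := range []struct {
		name string
		bits int
	}{{"compliant", 2048}, {"weak", 1024}} {
		p, err := SelfSignedPEM(c.bits)
		if err != nil {
			panic(err)
		}
		findings, err := CheckCertPolicy(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s certificate: %d finding(s) %v\n", c.name, len(findings), findings)
	}
}
```

Against a live merchant site the PEM would come from the TLS handshake (for example the output of `openssl s_client -connect host:443 -showcerts`) rather than from SelfSignedPEM; the check itself is unchanged.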



Banks
  1. All devices communicating with the Online Payment system must be hardened as per the vendor's Minimum Baseline Security Standard (MBSS) and the vendor's recommended hardening checklist.
  2. Channels shall be encrypted in transit (TLS) using certificates issued by a trusted Certificate Authority (CA), with the corresponding software components enabled, to protect data in motion.
  3. Entire payment messages shall be digitally signed using RSA with a SHA-2 hash (e.g. RSA with SHA-256) when communicating with the Online Payment system. This supersedes the digital signing requirement in the Interface Service Specification document.
  4. Banks shall communicate with the Online Payment system over trusted networks only.
  5. Banks should comply with all applicable security controls of ISO/IEC 27002:2013, which specifies 35 control objectives and 114 controls for protecting the confidentiality, integrity and availability of information.
  6. The following clauses need to be complied with:
    • Section 5: Information security policies
    • Section 9: Access control
    • Section 10: Cryptography
    • Section 11: Physical and environmental security (11.2 Equipment security)
    • Section 12: Operations security
    • Section 13: Communications security
    • Section 14: System acquisition, development, and maintenance
    • Section 16: Information security incident management
    • Section 17: Information security aspects of business continuity management
    • Section 18: Compliance (Compliance with legal and contractual requirements and Information security reviews)
  7. For stronger control, banks that interact with the Online Payment system can also refer to and comply with the relevant clauses of ISO/IEC 27033, which gives detailed guidance on the security aspects of managing, operating and using information system networks and their interconnections.
  8. It is recommended to secure the bank's communications through gateways, network firewalls, application firewalls, intrusion detection/prevention systems, web proxies and service orchestration mechanisms, in accordance with a documented policy. This includes identifying and analysing network security threats, defining security control requirements, and designing, implementing, operating, monitoring and reviewing the controls.
  9. The following controls are recommended at the bank's security gateways to analyse and control network traffic:
    • Packet filtering
    • Stateful packet inspection
    • Application proxy (application firewalls)
    • Network address translation (NAT)
    • Content analysis and filtering
    • Audit and monitoring
  10. All changes to firewall configuration parameters, enabled services and permitted connectivity paths, as well as any suspicious activity, should be logged, reviewed and retained as per the bank's data retention policy.
  11. All web and application servers exposed for this access should be protected by a Host Intrusion Prevention System (HIPS) and a Web Application Firewall (WAF).
  12. All devices should run the latest application and security patches, with up-to-date anti-virus and anti-spam signatures, to repel attacks.
  13. Security control effectiveness checks or audits are recommended on a periodic basis, at least yearly.

Bank Microsite
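Item 3 requires every payment message to be signed with RSA and a SHA-2 hash. The Go program below is an added example, not code from the article or from the Online Payment system's Interface Service Specification: it signs a complete message with RSASSA-PKCS1-v1_5 over SHA-256 (the usual meaning of "RSA with SHA-256"; the specification may mandate a different padding scheme), verifies it on the receiving side, and shows that changing a single field after signing makes verification fail. The message layout, field names and values are constructed for the example, and the key is generated per run only for demonstration; in production the bank's signing key lives in an HSM or key store.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// PaymentMessage is a hypothetical message layout; the real Online Payment
// system's fields are defined in its Interface Service Specification.
type PaymentMessage struct {
	Fields map[string]string
}

// Canonical returns the exact bytes that are signed. encoding/json writes map
// keys in sorted order, so sender and receiver always hash the same bytes.
// (A production specification defines its own canonical form; this one is illustrative.)
func (m PaymentMessage) Canonical() ([]byte, error) {
	return json.Marshal(m.Fields)
}

// NewSigningKey generates an RSA-2048 signing key for the demonstration.
func NewSigningKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the whole canonical message with SHA-256 and signs the digest
// with RSASSA-PKCS1-v1_5; the signature is base64-encoded for transport.
func Sign(priv *rsa.PrivateKey, m PaymentMessage) (string, error) {
	data, err := m.Canonical()
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Verify is the receiving side: it recomputes the digest over the message it
// actually received and checks it against the sender's public key. Any change
// to any field, or a malformed signature, yields false.
func Verify(pub *rsa.PublicKey, m PaymentMessage, sigB64 string) bool {
	data, err := m.Canonical()
	if err != nil {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	key, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message, not real transaction data.
	msg := PaymentMessage{Fields: map[string]string{
		"txn_id": "TXN-0001", "amount": "1500.00", "currency": "INR", "payee": "MERCHANT-42",
	}}
	sig, err := Sign(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("authentic message verifies:", Verify(&key.PublicKey, msg, sig))

	// An attacker on the path changes only the amount; the signature no longer matches.
	tampered := PaymentMessage{Fields: map[string]string{
		"txn_id": "TXN-0001", "amount": "15.00", "currency": "INR", "payee": "MERCHANT-42",
	}}
	fmt.Println("tampered message verifies:", Verify(&key.PublicKey, tampered, sig))
}
```

Signing the entire canonical message, rather than selected fields, is what makes the control meaningful: an attacker who can alter any unsigned field (amount, payee, reference) would otherwise pass verification. The receiver must also obtain the bank's public key out of band, not from the message itself.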
  1. The microsite must undergo vulnerability assessment and penetration testing on a quarterly or half-yearly basis and must mitigate the Open Web Application Security Project (OWASP) Top 10 and the CWE/SANS Top 25 vulnerability classes.
  2. Since the customer is usually required to enter personal authentication details, the entire communication must be encrypted with an appropriate mechanism: the microsite shall be served over HTTPS (Transport Layer Security, TLS) only, with no plain-HTTP access to the site.
  3. So that customers and browsers can validate the microsite, its certificate should be issued by a trusted Certificate Authority (CA) from a certificate signing request, rather than being self-signed.
  4. It is recommended to implement the 3-D Secure protocol (Verified by Visa, MasterCard SecureCode and J/Secure by JCB), which adds an additional layer of cardholder authentication to online payments. 3-D Secure addresses some of the problems facing online merchants, such as the distance between seller and buyer and the seller's inability to easily confirm the buyer's identity.
  5. Payment gateway providers should follow the Payment Card Industry Data Security Standard (PCI DSS), which protects cardholder data. This is a recommended control but not mandatory for the Online Payment system, as the Online Payment system does not handle card data.
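Item 2 says HTTPS only. The Go program below is an added example, not the microsite's own code, showing what "only" means at the server: a TLS configuration with TLS 1.2 as the floor, a plain-HTTP listener whose sole job is to redirect to the https:// origin, and a Strict-Transport-Security header so returning browsers never try plain HTTP again. The host name pay.example.test, the paths and the placeholder payment handler are assumptions for the sample; the listeners are built but not started, since starting them needs the CA-issued certificate and key files.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// MicrositeTLSConfig returns the server-side TLS settings for the HTTPS
// listener: TLS 1.2 as the minimum (SSLv3, TLS 1.0 and 1.1 are refused) and
// forward-secret AEAD suites only. Go enables its TLS 1.3 suites automatically.
func MicrositeTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// HTTPSLocation builds the https:// URL a plain-HTTP request is sent to.
func HTTPSLocation(host, requestURI string) string {
	return "https://" + host + requestURI
}

// RedirectToHTTPS is the only handler on the plain-HTTP listener: it never
// serves the payment page, it only sends the client to the HTTPS origin.
func RedirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, HTTPSLocation(r.Host, r.URL.RequestURI()), http.StatusMovedPermanently)
}

// WithHSTS wraps the HTTPS handlers so that a browser which has loaded the
// site once refuses plain HTTP for the next year, including subdomains.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// paymentPage stands in for the real microsite handler (hypothetical).
func paymentPage(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "payment form would be rendered here")
}

// RedirectResult runs a plain-HTTP request through RedirectToHTTPS and returns
// the status code and Location header the client would receive.
func RedirectResult(target string) (int, string) {
	rr := httptest.NewRecorder()
	RedirectToHTTPS(rr, httptest.NewRequest("GET", target, nil))
	return rr.Code, rr.Header().Get("Location")
}

// HSTSHeaderFor runs an HTTPS request through the wrapped handler and returns
// the Strict-Transport-Security value the client would see.
func HSTSHeaderFor(target string) string {
	rr := httptest.NewRecorder()
	WithHSTS(http.HandlerFunc(paymentPage)).ServeHTTP(rr, httptest.NewRequest("GET", target, nil))
	return rr.Header().Get("Strict-Transport-Security")
}

func main() {
	code, loc := RedirectResult("http://pay.example.test/checkout?txn=1")
	fmt.Println("plain HTTP ->", code, loc)
	fmt.Println("HSTS:", HSTSHeaderFor("https://pay.example.test/checkout"))

	// Real deployment: one listener redirecting, one serving the site over TLS
	// (not started here; the CA-issued cert and key files would be passed to
	// ListenAndServeTLS on the HTTPS server).
	_ = &http.Server{Addr: ":443", Handler: WithHSTS(http.HandlerFunc(paymentPage)), TLSConfig: MicrositeTLSConfig()}
	_ = &http.Server{Addr: ":80", Handler: http.HandlerFunc(RedirectToHTTPS)}
}
```

The redirect on port 80 is a convenience for users who type the bare host name; it must never serve the login or payment form itself, and the HSTS header is what stops a downgrade on later visits.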


 

References: PCI DSS, ISO/IEC 27002:2013, ISO/IEC 27033 and the 3-D Secure protocol.

Authored by Anil Kumar Dubey
TCS Enterprise Security and Risk Management