Publications

Payment Gateway Security – A Developer’s View

Payment Gateway Security Development

Over the last decade, payment gateways have become a growing industry for online retailers and service providers. An increasing number of users are demanding a safe, easy, and reliable way of transferring money, and companies like PayPal, Dwolla, Stripe, and WePay have surged in response. Unfortunately, these new businesses have drawn the eyes of attackers and criminals who see these platforms as an easy source of consumer and credit card data.

While there has been incredible innovation in the development of secure payment gateways, there’s also been incredible innovation in the attacks used against these systems. Payment gateway security standards have been developed to detect and prevent these attacks, but many companies still find themselves as the victims of cyber attacks and intrusions. Detecting and preventing payment gateway fraud can be difficult, but a proper implementation can prevent the loss of business and possible legal repercussions.

Data Breaches Are A Big Deal

One mobile payment provider learned the importance of proper security the hard way. In 2014, Charge Anywhere LLC discovered that malicious software had been implanted on its networks. The malware only intercepted network traffic between August and September of the same year, but Charge Anywhere acknowledged that the attacker had the ability to capture traffic from as far back as 2009. Although most of the traffic was encrypted, the company stated that the attacker was able to capture and gain access to transaction authorization requests that were transmitted in plain text. In other words, once the attacker gained access to the network, he or she was able to detect and retrieve sensitive unencrypted data.

Charge Anywhere isn’t the only payment processor to experience a data breach. Two years earlier, Global Payments Inc. confirmed up to 1.5 million compromised credit and debit card numbers in a data breach. Even this was a drop in the bucket compared to the Heartland Payment Systems breach, which exposed as many as 100 million credit and debit card numbers in 2008. This attack followed hot on the heels of the Hannaford Brothers Co. breach, which compromised over 4 million card accounts. One year earlier, retail giant TJX Companies Inc. lost over 45 million card numbers through several of its stores including T.J. Maxx, Marshalls, and HomeGoods. All of this comes after a 2005 breach of CardSystems Solutions, which placed over 40 million card accounts at risk.

Are you beginning to see a trend? These attacks show no signs of slowing down, either. Black hat hackers are launching increasingly sophisticated attacks, leaving security experts scrambling to stay ahead of the game. Developers are working to build secure payment gateways that can automatically detect these intrusions, alert administrators, and prevent access to sensitive cardholder information.

Problems With Existing Systems

Many of the attacks listed above dealt with data in-transit. Securing network traffic is critical, but payment gateway security is a multifaceted problem. For instance, most payment providers rely on TLS encryption to secure traffic between the frontend (such as a website) the backend (the payment processing system), and other parties (credit card companies, banks, etc). But what happens to the data once it hits its destination?

Companies that store sensitive data rely on high-grade encryption to keep confidential data secure. Companies that implement encryption poorly, or that needlessly store data that they don’t need, are at a much higher risk of theft or fraud. Payment gateway processors require a security architecture that can withstand attacks, whether they originate externally or internally.

Breach Mitigation and Prevention

Companies that experience breaches typically do so because of a poor security architecture, lack of standards, or poor management. With regards to data, encryption is key. TLS encryption is the standard for transmitting data over networks, including the World Wide Web (via the HTTPS protocol). TLS ensures that data in transit can only be read by the intended receiver while appearing scrambled to everyone else.

For data at rest, companies rely on database encryption to secure sensitive cardholder data. In many cases, companies will encrypt sensitive data (card numbers, verification codes, etc.) while storing non-sensitive data (names, addresses, phone numbers, etc.) as plain text. This minimizes the extra processing power imposed by the encryption and decryption processes while still protecting critical information. An attacker who gains access to the database will be able to retrieve encrypted payment information, but they won’t be able to use that information without first gaining access to the encryption method.

Secure payment gateways also limit the systems that can connect to them. Techniques such as two-factor authentication, user and IP-address whitelisting, and alerts for unauthenticated users can help prevent or reduce the impact of intrusions. Remember, a secure system is only as strong as its weakest link.

PCI DSS

Organizations that handle any kind of cardholder data are subject to the Payment Card Industry Data Security Standard (PCI DSS), which is designed to prevent credit card fraud. PCI DSS provides a set of standards for payment gateway processors that cover secure data transmission, secure data storage, intrusion to detection, access to private information, and methods for collecting sensitive information. PCI compliant companies also undergo periodic auditing to validate their compliance.

DDoS Attacks

One of the fastest growing methods of attack against online services is Distributed Denial-of-Service, or DDoS. A typical denial-of-service (DoS) attack floods a computer with huge amounts of data, exhausting the computer’s resources and causing poor performance. The sheer volume of data can prevent the computer from responding to requests, or even damage hardware. A DoS attack becomes distributed when it originates from multiple sources simultaneously. DDoS attacks are responsible for temporarily taking down some of the world’s largest web services including Microsoft’s Xbox Live, Sony’s Playstation Network, and Facebook.

Ignite Can Help

Web payments can be difficult to get right. There are many components with sensitive and intricate parts, and a single mistake could result in lost customers, fines, or legal claims. When developing a platform for online purchases, you need a team that not only understands web security standards, but can create secure components that integrate well with your existing systems.

Outsourcing lets you shift part of your development process to a dedicated resource, leaving your teams to focus on what’s important. Ignite’s dedicated development team provides comprehensive development, testing, and integration services that are custom-tailored to your business. We analyze the latest threats in online payment gateways to deliver software that protects against today’s exploits, while taking a proactive approach against tomorrow’s attacks.

What We Can Do

Ignite offers many services for creating secure systems or improving the security of existing systems. Some of our services include:

  • Designing apps with security in mind. We’ll help you deploy secure, native apps for iOS, Android, Windows Mobile, and BlackBerry.
  • Designing a PCI DSS-compliant architecture. With our knowledge and experience in PCI DSS compliance, we’ll create a system that passes the audit while meeting the unique needs of your business.
  • Comprehensive penetration testing. We offer penetration testing services that will detect vulnerabilities before they become a problem.
  • Defending against DDoS. We provide effective DDoS mitigation, ensuring your services won’t be taken offline when faced with a targeted attack.

Developing a payment platform for the web is no easy task. From protecting sensitive customer information to reliably communicating with credit card providers, custom payment gateways require knowledge and expertise that only dedicated teams can provide. By outsourcing with Ignite, you can expect a custom payment gateway that provides a solid security architecture and the highest quality fraud detection and prevention.

For more information, contact us at http://igniteoutsourcing.com/contact-us/