Securing digital banking infrastructure in the country
By: Manila Bulletin
In an event organized by Utimaco, a global platform provider of trusted cybersecurity and compliance solutions, in partnership with Securemetric and CorewareTechnology, titled ‘Building a Foolproof Infrastructure in Today’s Digital Banking World,’ Utimaco leaders shared insights and best practices to ensure a guarded digital future.
Understanding the data ecosystem
Card payment systems usually use what is commonly known as the “Four-Party Model.” This involves the cardholder, a consumer with a payment card provided by a bank or other financial institution, and the merchant, a business or an individual who receives card payments in exchange for products and services. Automated Teller Machines (ATMs) belong to the merchant category as they accept payment cards.
Key parties also include the issuing bank, which provides payment cards to the card owner on behalf of the card networks. In this model, the issuer is the one who pays the acquiring bank for the products and services purchased by the cardholder, who then pays back the issuing bank according to the contract terms.
The last party is the acquiring bank, the financial institution that holds the merchant’s bank account. Contracts with the acquirer enable merchants to accept payments from any issued card. While the model is simple, the four parties exchange critical data, which can be at risk if not secured.
Using cryptographic methods for data security
The industry uses cryptographic methods to protect consumers’ private information when it is stored or in motion online during a transaction. These methods include encryption and tokenization. The former uses an algorithm to alter the data into an unrecognizable form known as ciphertext, which is decryptable with a key. The latter transforms the information into an indistinguishable set of characters referred to as tokens. If stolen, tokens present no value without the tokenization system.
Role of HSMs in securing transactions
Hardware Security Modules (HSMs) are devices that create, protect, and manage cryptographic keys in a secure domain during transactions. HSM applications differ across the four key parties of the data ecosystem. For a card owner, the chip for EMV transactions in the payment card serves as a micro-portative HSM. On the merchant side, the use of HSMs depends on the scale and nature of the business. Smaller vendors can rely on point-of-sale (POS) terminals built with secure memory and cryptographic hardware that can act as HSMs. Major retailers, on the other hand, would require network-attached HSMs to ensure secure transactions.
Meanwhile, the issuing bank needs robust HSMs to generate, protect, and manage the keys to activate and process payment cards. For the acquirer, HSMs handle all the merchant’s financial channel keys and process the cryptographic flow in the issuer’s direction.
“HSMs are essential to protect the ciphered transactions across the four corners of the data ecosystem. It acts as a safe in a financial institution’s network and houses the keys needed to decrypt consumers’ critical data. Now that banking transactions are increasing, data security and identity protection are more at risk from cybercriminals. This makes HSMs vital to the key parties in the data ecosystem,” said Deval Sheth, Managing Director for Asia Pacific at Utimaco.
Protecting payments with Utimaco
Utimaco offers reliable HSMs that can securely process transactions in the financial industry. One of these devices is the Atalla AT1000, a FIPS 140-2 Level 3 and PCI PTS v3 certified payment HSM. Among the financial institutions that integrated this HSM is NayaPay, a digital payment services platform and e-money company in Pakistan.
With this, the financial institution aims to secure customers’ data, identities, and finances while adhering to compliance and regulation standards. After integrating the Atalla AT1000, NayaPay gained robust and flexible protection for every transaction, cut the cost of ownership through consolidated HSM infrastructure, and met security and compliance requirements, among others.
“The Atalla AT1000 can secure critical data and associated keys for non-cash payment transactions in retail, cardholder authentication, and cryptographic keys of payment service providers, acquirers, processors, issuers, and even payment networks,” added Sheth.