Securing Payment Systems to Prevent Cyber Attacks

Attacks on payment system applications and payment touchpoints have increased recently. Most of these cyberattacks, data breaches and compromises can be prevented by taking some straightforward measures at multiple layers: the infrastructure, the payment application network and the payment application stack.

Comprehensive guidelines on securing applications against breaches and protecting customer and transaction data are already publicly available from the PCI Security Standards Council, CIS, NIST, the payment schemes (e.g. Visa) and the State Bank of Pakistan.

In conjunction with these guidelines, TPS strongly recommends the following minimum steps that banks should take to avoid a security breach and the financial and reputational loss it would cause the institution.

Securing Payment Network and Payment Touchpoints

  • Implement EMV acquiring at all card-based touchpoints and issue EMV cards
  • For card-not-present transactions, implement 3-D Secure
  • Engage the vendors of ATM, POS, network, storage and card production systems to ensure the hardware is securely configured and the software running on the devices is up to date, with the latest security patches applied at both the software and the firmware level
  • Ask every vendor for documentation on how to configure its touchpoints and devices for maximum security
  • Do NOT use Windows XP, Windows Server 2008 or any other unsupported operating system anywhere in your environment; they no longer receive security fixes, making them the weakest link and vulnerable to all kinds of attacks
  • Disable macros in Microsoft Office products deployed in the production environment
  • Avoid installing MS Office, WinZip, WinRAR or Outlook on production systems, as they can become the entry point for malware
  • Patch all systems for critical vulnerabilities, prioritizing immediate patching of Internet-connected systems for known vulnerabilities

Securing Operating System, Network and Infrastructure

Breaches are typically carried out by getting malware into a weakly guarded network. Security at the network and infrastructure level must be ensured by:

  • Applying the latest security updates on Windows servers and Internet-facing web servers
  • If Windows XP is still running in the environment, upgrading to Windows 10 with the latest patches
  • If Windows Server 2008 is still running, upgrading to at least Windows Server 2012 and preferably Windows Server 2016
  • Implementing enterprise-grade anti-virus and keeping the AV definitions updated
  • Implementing strong anti-malware software with the latest malware definitions
  • Enforcing IP and port whitelisting: only the ports and IPs required by the payment applications should be open on servers, routers, firewalls and switches; all other IPs and ports should be blocked
  • Segregating the production environment from all other environments (test, intranet and public networks). Typically it is the test environment or the intranet that is compromised first, and the malware then reaches the production system from there
  • Placing the Internet-facing components of production (e.g. API gateways, Internet banking applications) in a DMZ. The rest of the production environment (transaction processing server, card and customer management, settlement and reconciliation back office, ATMs, POS, etc.) should sit in separate network segments that are not exposed to the Internet. Consult network security experts for the network configuration that fits your requirements
  • Performing scanning and penetration testing regularly (at least once a quarter) through reputable security vendors, and engaging more than one vendor for this
  • Engaging third-party security auditors to audit the payment system environment
  • Monitoring for remote network protocols and administrative tools (e.g. RDP, SSH, SMB, WinRM) used to pivot back into the network or for post-exploitation of the network
  • Protecting the production system with least-privilege access: remove unnecessary users from the production environment and give the remaining users only the permissions they require, at both the application and the operating system level
  • Monitoring traffic entering and leaving the production environment
  • Allowing no traffic from the production environment to unidentified IPs or geographic regions
  • Blocking execution of files from TEMP directories, where most phishing-delivered malware first runs
  • Continuously monitoring servers for services running in the background, and identifying and responding to any unknown service
  • Implementing a SIEM across the network for continuous log monitoring
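Several of the items above (IP and port whitelisting, monitoring egress to unidentified destinations, and watching for remote-admin protocols used to pivot) reduce to checks that can be run over firewall connection logs, whether in a SIEM rule or a script. The following is an added example of such a check, not TPS code: it assumes a 10.20.0.0/16 production segment, a made-up egress allowlist and jump host, and a key=value log format, all stand-ins for the bank's own values, and runs over constructed log lines.

```python
"""Detect production egress to non-allowlisted destinations and remote-admin
protocol use from unexpected sources, over constructed firewall log lines.

Added example, not TPS code. The production segment, the egress allowlist,
the jump host and the key=value log format are all assumptions."""
import ipaddress
import re

PRODUCTION_NET = ipaddress.ip_network("10.20.0.0/16")          # assumed production segment
EGRESS_ALLOWLIST = [                                            # assumed approved destinations
    ipaddress.ip_network("10.20.0.0/16"),     # traffic staying inside production
    ipaddress.ip_network("203.0.113.10/32"),  # e.g. payment scheme gateway
    ipaddress.ip_network("198.51.100.0/24"),  # e.g. partner network
]
JUMP_HOSTS = {ipaddress.ip_address("10.99.0.5")}               # only approved admin source
# Remote-admin protocols commonly used to pivot: SSH, SMB, RDP, WinRM
ADMIN_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}

LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def parse_line(line):
    """Parse one key=value firewall log line; return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def is_allowlisted(addr):
    return any(addr in net for net in EGRESS_ALLOWLIST)


def analyse(lines):
    """Return (rule, line) findings for permitted connections that break policy."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue  # unparsable, or already blocked by the firewall
        src, dst, dport = rec["src"], rec["dst"], rec["dport"]
        # Rule 1: a production host reached a destination outside the allowlist
        if src in PRODUCTION_NET and not is_allowlisted(dst):
            findings.append(("egress-not-allowlisted", line))
        # Rule 2: admin protocol into production from anything but a jump host
        # (catches both pivoting from other segments and lateral movement inside)
        if dst in PRODUCTION_NET and dport in ADMIN_PORTS and src not in JUMP_HOSTS:
            findings.append((f"admin-{ADMIN_PORTS[dport]}-from-unexpected-source", line))
    return findings


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2024-01-15T02:10:01 src=10.20.1.15 dst=203.0.113.10 dport=443 action=allow",  # scheme gateway: ok
    "2024-01-15T02:10:05 src=10.20.1.15 dst=192.0.2.44 dport=443 action=allow",    # unknown Internet host
    "2024-01-15T02:11:00 src=10.99.0.5 dst=10.20.1.20 dport=3389 action=allow",    # RDP from jump host: ok
    "2024-01-15T02:11:30 src=10.30.7.9 dst=10.20.1.20 dport=3389 action=allow",    # RDP from test segment
    "2024-01-15T02:12:00 src=10.20.1.21 dst=10.20.1.22 dport=445 action=allow",    # SMB between prod hosts
    "2024-01-15T02:12:10 src=10.20.1.21 dst=192.0.2.99 dport=8583 action=deny",    # already blocked
]

if __name__ == "__main__":
    for rule, line in analyse(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Only connections the firewall permitted are examined, since denied ones already did what the policy intended; the point is to catch what the allowlist missed. Note that SMB between two production hosts is flagged as well: inside a segmented production network, administrative protocols should originate only from the jump host.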

Implement Fraud Detection on Payment Transactions

  • Preferably use an AI-based fraud detection system to discover unusual transaction patterns and alert the FRMU when transaction behavior spikes
  • At a minimum, use a rule-based fraud detection system that can detect suspected fraudulent transaction behavior
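As an added illustration of what a rule-based system at this minimum level does (example code, not TPS's product), the following screens a constructed transaction stream with three classic rules: a per-currency high-amount limit, a velocity limit per card, and an impossible-travel check across countries. The thresholds, the record layout and the sample transactions are assumptions a bank would replace with values tuned on its own data.

```python
"""Minimal rule-based fraud screening over a stream of card transactions.

Added example, not TPS's fraud detection system. The thresholds, the
transaction record format and the sample transactions are constructed;
a bank would tune the rules on its own data and route alerts to its FRMU."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

HIGH_AMOUNT = {"PKR": 500_000, "USD": 2_000}   # assumed per-currency alert limits
VELOCITY_MAX = 5                               # more than 5 transactions ...
VELOCITY_WINDOW = timedelta(minutes=10)        # ... within 10 minutes on one card
TRAVEL_WINDOW = timedelta(hours=2)             # two countries this close together is implausible
HISTORY_KEEP = max(VELOCITY_WINDOW, TRAVEL_WINDOW)


class RuleEngine:
    """Keeps a short per-card history so velocity and travel rules can be evaluated."""

    def __init__(self):
        self.recent = defaultdict(deque)   # card -> deque of (timestamp, country)

    def screen(self, tx):
        """Return the rule names this transaction trips, then record it in the history."""
        card, ts = tx["card"], tx["ts"]
        history = self.recent[card]
        while history and ts - history[0][0] > HISTORY_KEEP:
            history.popleft()              # drop entries too old for any rule
        hits = []
        limit = HIGH_AMOUNT.get(tx["currency"])
        if limit is not None and tx["amount"] >= limit:
            hits.append("high-amount")
        in_window = sum(1 for t, _ in history if ts - t <= VELOCITY_WINDOW)
        if in_window + 1 > VELOCITY_MAX:   # +1 counts the current transaction
            hits.append("velocity")
        if any(c != tx["country"] and ts - t <= TRAVEL_WINDOW for t, c in history):
            hits.append("impossible-travel")
        history.append((ts, tx["country"]))
        return hits


def screen_batch(txs):
    """Screen transactions in time order; return {tx_id: [rules]} for alerts only."""
    engine = RuleEngine()
    alerts = {}
    for tx in sorted(txs, key=lambda t: t["ts"]):
        hits = engine.screen(tx)
        if hits:
            alerts[tx["id"]] = hits
    return alerts


def _tx(tx_id, card, minute, amount, currency="PKR", country="PK"):
    return {"id": tx_id, "card": card, "ts": datetime(2024, 3, 1, 9, minute),
            "amount": amount, "currency": currency, "country": country}


# Constructed sample: card B makes one large purchase; card A buys normally,
# then six times in six minutes, then appears abroad 15 minutes later.
SAMPLE = [
    _tx("t1", "A", 0, 3_500),
    _tx("t2", "B", 1, 750_000),
    _tx("t3", "A", 20, 1_200), _tx("t4", "A", 21, 1_100), _tx("t5", "A", 22, 900),
    _tx("t6", "A", 23, 1_300), _tx("t7", "A", 24, 1_000), _tx("t8", "A", 25, 1_250),
    _tx("t9", "A", 40, 150, currency="USD", country="AE"),
]

if __name__ == "__main__":
    for tx_id, rules in screen_batch(SAMPLE).items():
        print(tx_id, rules)
```

The engine evaluates each transaction against the card's recent history before appending it, so the sixth transaction in the window is the one that fires, and the foreign transaction fires on travel even though its amount is small. A real deployment would add rules for merchant category, card-not-present patterns and terminal IDs, and would feed the alerts to the FRMU rather than print them.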

Study & Implement Industry Standards for securing payment networks

  • Implement the requirements of the PCI DSS standard
  • Use PA-DSS certified applications in your production environment, and ask your application vendor how they support the PCI DSS and PA-DSS requirements
  • Use the CIS Benchmarks to harden your operating systems, network devices and web application servers
  • Apply the OWASP application security guidelines in your payment applications
  • Descriptions of common web application vulnerability classes and how to fix them are available on the OWASP website (https://www.owasp.org)

How to Secure TPS Payment Applications

  • TPS payment applications (IRIS 3 and IRIS 5) are PA-DSS certified and PCI DSS compliant, and come with Implementation Guides describing how to deploy them in a secure environment
  • IRIS Transaction Processing System: the core transaction processing engine of IRIS 3 and IRIS 5 runs on Red Hat Enterprise Linux. We encourage customers to maintain a Red Hat subscription so that the latest security patches from Red Hat can be obtained and deployed on the production and test systems
  • IRIS Back Office: the IRIS 3 and IRIS 5 back office applications run on Windows Server and should be deployed in the customer environment as described in the Implementation Guide. IRIS should preferably be deployed in a PCI DSS compliant environment to ensure the security of customer data
  • IRIS Database: the IRIS 3 and IRIS 5 database is hosted on Oracle 11g/12c. Oracle Advanced Security Option (ASO), Oracle Transparent Data Encryption (TDE) and Oracle Database Vault should be used to secure sensitive customer data
  • The IRIS Core, IRIS Back Office and IRIS Database servers should be hardened by applying the CIS Benchmarks (https://www.cisecurity.org/cis-benchmarks/) applicable to the customer’s environment
  • Apply the latest security patches from the operating system vendors
  • Monitor an hourly transaction analysis for domestic and international transactions; contact TPS Support if you need assistance implementing the hourly transaction analysis report. Review the transaction pattern for unusual behavior in the volume and amount of transactions, and alert authorized personnel to investigate further if suspected fraudulent transactions are observed
  • Ideally, transaction behavior should be monitored using a fraud detection system
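The hourly analysis described above amounts to comparing each hour's transaction count and value, split into domestic and international, against the same hour on the preceding days. The following is an added example of that comparison (not the TPS report or IRIS code); the home country, the spike thresholds and the generated transaction stream are assumptions, with a burst of foreign transactions injected at 02:00 on the last day so the output shows what a flagged hour looks like.

```python
"""Hourly transaction analysis: bucket transactions by hour and by
domestic/international, then flag hours whose count or total amount
departs from the same hour on the preceding days.

Added example, not the TPS report. The home country, the spike
thresholds and the sample transaction stream are constructed."""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

HOME_COUNTRY = "PK"      # assumed issuer country: anything else is "international"
Z_THRESHOLD = 3.0        # flag if more than 3 standard deviations above the baseline mean
MIN_RATIO = 2.0          # ... and at least double the mean (guards against a near-zero stdev)
MIN_BASELINE = 3         # need at least this many prior days to judge


def segment(tx):
    return "domestic" if tx["country"] == HOME_COUNTRY else "international"


def hourly_buckets(txs):
    """(date, hour, segment) -> [count, total_amount]"""
    buckets = defaultdict(lambda: [0, 0.0])
    for tx in txs:
        key = (tx["ts"].date(), tx["ts"].hour, segment(tx))
        buckets[key][0] += 1
        buckets[key][1] += tx["amount"]
    return buckets


def is_spike(value, history):
    if len(history) < MIN_BASELINE:
        return False
    mu, sigma = mean(history), pstdev(history)
    return value > mu + Z_THRESHOLD * sigma and value >= MIN_RATIO * mu


def detect_spikes(txs, day, baseline_days=7):
    """Return [(hour, segment, metric, value, baseline_mean)] for anomalous hours on `day`."""
    if not txs:
        return []
    buckets = hourly_buckets(txs)
    first_day = min(tx["ts"].date() for tx in txs)
    # Only days inside the data range form the baseline; an hour with no
    # transactions on such a day legitimately counts as zero.
    hist_days = [day - timedelta(days=d) for d in range(1, baseline_days + 1)]
    hist_days = [d for d in hist_days if d >= first_day]
    findings = []
    for hour in range(24):
        for seg in ("domestic", "international"):
            today = buckets.get((day, hour, seg), [0, 0.0])
            hist = [buckets.get((d, hour, seg), [0, 0.0]) for d in hist_days]
            for idx, metric in ((0, "count"), (1, "amount")):
                history = [h[idx] for h in hist]
                if is_spike(today[idx], history):
                    findings.append((hour, seg, metric, today[idx], round(mean(history), 2)))
    return findings


SAMPLE_START, SAMPLE_DAYS = date(2024, 3, 1), 8
SAMPLE_LAST_DAY = SAMPLE_START + timedelta(days=SAMPLE_DAYS - 1)
SAMPLE_PREV_DAY = SAMPLE_LAST_DAY - timedelta(days=1)


def make_sample():
    """Constructed stream with a steady hourly pattern every day, plus a burst of
    28 foreign transactions at 02:45 on the last day (the cash-out to catch)."""
    txs = []
    for d in range(SAMPLE_DAYS):
        day = SAMPLE_START + timedelta(days=d)
        for hour in range(24):
            at = datetime(day.year, day.month, day.day, hour, 30)
            txs += [{"ts": at, "amount": 2_000.0, "country": "PK"}] * (20 + hour % 3)
            txs += [{"ts": at, "amount": 100.0, "country": "AE"}] * (2 + hour % 2)
    burst = datetime(SAMPLE_LAST_DAY.year, SAMPLE_LAST_DAY.month, SAMPLE_LAST_DAY.day, 2, 45)
    txs += [{"ts": burst, "amount": 100.0, "country": "GB"}] * 28
    return txs


if __name__ == "__main__":
    for hour, seg, metric, value, base in detect_spikes(make_sample(), SAMPLE_LAST_DAY):
        print(f"{SAMPLE_LAST_DAY} {hour:02d}:00 {seg} {metric}={value} (baseline mean {base})")
```

The two-part test (standard deviations above the mean, and at least double the mean) matters for the international segment, where a quiet hour normally carries a handful of transactions: with a baseline that barely varies, the standard deviation alone would flag a change of one or two transactions. The domestic segment, roughly ten times busier, stays quiet in the sample because its hours match their baseline exactly.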

TPS will send technical guidelines to its customers based on the specific implementation and software version deployed in each bank's environment.

TPS Security Advisory Services

TPS performs comprehensive security testing of its applications against the PCI DSS and PA-DSS standards and the OWASP guidelines. We use widely adopted simulation and security testing tools to verify security at the operating system, web server and application level in our test environments.

Our dedicated team of experts uses a mix of tools and expertise to determine that application and security requirements are properly implemented.

We shall be happy to provide assistance and consultancy for assessing the security of payment applications in your environment in the following areas:

  1. Security assessment of your payment system application
  2. Hardening of the payment system stack (operating system, web server and the payment application)
  3. AI-based fraud detection system

We can provide necessary remediation steps based on our assessments.

For details, please get in touch with us over security@tpsonline.com

References

Visa Security Alert, ATM malware compromise: https://usa.visa.com/dam/VCOM/global/support-legal/documents/visa-security-alert-atm-malware-compromise.pdf
Themida (Oreans software protector, used to pack ATM malware): https://www.oreans.com/themida.php
VMProtect (software protector): https://vmpsoft.com/
PCI DSS: https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
PA-DSS 3.2: https://www.pcisecuritystandards.org/documents/PA-DSS_v3-2.pdf
OWASP: https://www.owasp.org/index.php
CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks/


Salman Khwaja
Payment Systems Security Specialist. He advises development teams on how best to use web security architecture and applications to align business processes and systems with enterprise security goals. His team designs and implements the corporate web security program based on industry frameworks, standards and best practices (OWASP, PA-DSS, PCI DSS). He coordinates and performs penetration testing and vulnerability assessments of proposed web and mobile applications. He is also responsible for the vulnerability management program and conducts regular scans of the company's web computing platforms to detect vulnerabilities, malware, unauthorized software and web security threats and risks. Tools of the trade: IBM AppScan, Acunetix, Netsparker, Kali Linux, Burp Suite, OWASP ZAP and manual security testing.
