Payment Networks

Introduction

Payment process

Debit
1. Customer to merchant
2. Merchant over processor to merchant bank
3. Merchant bank to customer issuer bank
  - Payment risk at issuer bank
Credit
1. Customer to merchant
2. Merchant over processor to merchant bank
3. Merchant bank over credit card issuer to customer bank
  - Payment risk at credit card issuer
Credit / Debit with Trusted Service Provider (TSP)
1. Customer to merchant
2. Customer to TSP
3. TSP to merchant bank
4. TSP to merchant
NFC

Payment card types

Magnetic stripe card
- strip 3 for debit
- strip 2 for credit
Chip cards
- EMV (Europay, MasterCard, Visa)
- Contact & Contactless
Smartphone / Token
Encrypted PIN Pad (EPP)
- Keypad certified for payment process
- HW & SW security
- Alarm secured

Multi-Factor
Out-of-band
Types
- Token
- Knowledge
- Presence
2-Factor Auth
- OTP: time based or event based
- 3D-Secure: XML-based SSL communication
Authentication for eID systems
- Password-Authenticated Connection establishment (PACE)
- Terminal Authentication Version 2 (TA2)
- Passive Authentication (PA)
- Chip Authentication V2 (CA2)
PKI
- User
- Registration Authority
- Certification Authority
- Validation Authority
- Merchant
Digital Signature
Qualified Digital signature
eIDAS Regulation
- national IDs for all of EU
- European internal market for electronic signatures

Body measurements and calculations
Identifivation and access control
Surveillance
Types
- Physiological: static
- Behavioral: dynamic
Process
- Enrollment: recording & analysis
- Verification: 1:1 decision
- Identification: 1:n decision
Evaluation
- False Acceptance Rate
- False Rejection Rate
- Equal Error Rate
Security levels (in descending order)
1. DNA
  - (hidden features)
  - lifelong
2. Iris, Face, fingerprint, behavioral
  - (dedicated detection device)
  - change over time
  - spoofing
3. Photo, identification
  - (manual inspection)
  - Inaccurate
  - Morphing
  - Human errors

Rapid DNA

ABIS (Automated Biometric Identification System)

Mobile Wallet

Scenarios
- Generic app-independent solution
- "Walled Garden", operator-centric, designated compatible apps
- One app one payment
Operators
- OEMs: Apple Pay
- MNOs: MPESA (Vodafone)
- Trusted Service Providers: PayPal
Applications
- Loyalty
- Identity management
- Service discovery
- Ticketing
- Money transfer
- Gaming
- Physical access
- Payment

SEPA (Single European Payment Area)
- SEPA Direct Debit: Withdrawal of service payment
- SEPA Credit Transfer: Money to customer send
- Communication via SEPA XML messages
IBAN
- 2 digit country code
- 2 digit checksum
- up to 30 digit bank and account number
- Verification step
  1. Check valid iso country code
  2. replace country chars by corresponding digit + 9, e.g A -> 10
  3. move country digits and 00 to end of IBAN
  4. remove checksum at start
  5. Calculate $\mathrm{checksum} = 98 - \mathrm{IBAN} ~\mathrm{mod}~ 97$
  6. compare checksum with original checksum
SWIFT (Society for Worldwide Interbank Financial Telecommunication)
- Standardized communication between banks
- BIC (Bank Identifier codes) also known as SWIFT codes
- Alternatives
  - Ripple: Crypto
  - INSTEX: EU
  - CIPS: China
  - SPFS: Russia
PSD2 (Payment Standard Directive)
- EU directive
- Guidelines on provided information for authorization of payment institutions
  1. Payment institutions (PIS)
  2. Information service providers (AISPs)
  3. Electronic money institutions (EMIs)
  4. Competent authorities (CAs)
- Key points
  - strict security requirements
  - transparency
  - rights and obligations
RTGS (Real-time Gross Settlement)
- Continuous process of inter-bank payment settlement through central bank
- Use cases for large scale fund transfers
- No bundling with other transactions
- Immmediate and irrevocable transaction

Topics

The golden eight

Money Flower: Taxonomy of money

Central Bank Digital Currency (CBDC)

Libra

Backing of currency by real life financial assets
private digital currency
Global world payment system
Sortof-blockchain
Building blocks
- Blockchain
- Programming language: Move
- Replcation of state
- Consensus mechanism

Company certificates
- ISO 9001
  - Family of quality management systems
  - Company standardization to fulfill customer & stakeholder needs
- ISO 14000: Environmental management
- ISO 27001: Plan-Do-Check-Act information security standards
Product / Solution certificates
- Common Criteria for Information Technology Security Evaluation (CC)
  - Standard for computer security specification
  - Components
    - Target of Evaluation
    - Protection Profile
    - Security Target
    - Security Functional Requirement
    - Security Assurance Requirements
    - Evaluation Assurance Level
- NIST (National Institute of Standards and Technology)
  - NIST Certificate of Calibration: Testing and calibration by NIST
  - NIST Certificate of Compliance: Testing but no calibration performed
Local Certificates
- CCC: China
- PIF / FIPS: USA
- VDS: Germany
Payment Certificates
- EMV: technical standard for smart cards & (-readers)
- CAST (Compliance Assessment & Security Testing): standard for mobile payments
- PSD2