AUTHOR : Gayatri Nayak       Payment Gateway Security  Abstract : India is the fastest growing economy and is one of the favourite destination for the investors . As a result of the investment and trade more number of transactions are occurring . Most of the transactions are electronic in nature ; hence , India introduced the RuPay payment Gateway. This paper will give overview of how Rupay Payment Gateway provide security during online transactions . Keywords : Payment Gateway , Cyber attacks.  

• Introduction

  The “RuPay” word is derived from two words rupee and payment. The Rupay card was launched on 26th March 2012 with the help of National Payment Corporation of India. The main objective of introduction of RuPay by RBI is to offer the multilateral and domestic system to enable the Indian banks and financial institution to participate in the electronic payment. The Rupay supports the pin based transaction , it is embedded with a microprocessor chip which contains the details of the card holder and highly secured as it is using EMV technology. EMV is a global standard for credit and debit payment cards based on chip card technology, taking its name from the card schemes Europay, MasterCard, and Visa - the original card schemes that developed it. The standard covers the processing of credit and debit card payments using a card that contains a microprocessor chip. E-commerce is the easy way for making online business. The payment process in e- commerce makes transaction reliable and faster with low cost.E-payment and E-commerce are tightly coupled to each other as user have to pay for using online services.There are many ways for communicating between customer and merchant. For online transaction customer wants reliable and secure payment gateway for placing the order.The flowchart of payment gateway is as follows: Payment gateway receives all details of user and verifies it . After that , payment gateway debit appropriate amount from user’s account and then transfer that amount to merchant’s account. RuPay abides by 2FA mandated by RBI for card not present transaction. Card details and OTP are used as the factors of authentication . There are three most common factors for authentication: Something you know, e.g. a password or PIN Something you have, e.g. a credit card or an identity card Something you are, e.g. your voice or fingerprint Rupay follows Triple DES, it is a type of computerized cryptography where block cipher algorithms are applied three times to each block. The key size is increased in triple DES to ensure additional security through encryption capabilities. Each block contains 64 bits of data. Triple DES is advantageous because it has a significantly sized key length, which is longer than most key lengths affiliated with other encryption modes. Three keys are referred to as bundle keys with 56 bits per key. The triple DES key length contains 168 bits but the key security falls to 112 bits. It is backward compatible with DES. This prevents the system from being vulnerable to various attacks.  

Study:

  The Rupay Debit card has to be registered before any online transaction, it can be done in following steps:  

1. The customer will have to register his RuPay Debit Card for enabling it for e- Commerce while making the first transaction online. Direct registration is also supported by banks so that the customers do not necessarily have to make any
2. Registration transaction will involve selection of an image and entering a
3. The customer will enter all the correct RuPay HDFC Bank Debit Card details on the payment screen viz. card number, expiry date and CVD (3 digits on back of the card).
4. OTP Authentication: This option will retrieve an OTP (One Time Password) to the customer’s mobile number/email ID registered with the bank .
5. Once the customer is authenticated through one of the above mentioned options a small frame of random mix of images will appear. The customer has to select one image. This image has to be remembered for all the subsequent transactions. This is termed as his registered image. In case, this is forgotten the customer can re-register for fresh authentication.
6. The customer will also be asked to enter a phrase of his choice (upto maximum 40 characters) and remember the same for identification in future
7. The customer will then be shown a scrambling PIN pad page. This page will look like the design of the bank’s RuPay card that the card holder is using. This page will also display last four digits of the card number (rest of the digits are masked). The customer will have to enter the correct PIN using mouse clicks only; key board entry is not permitted. This PIN pad shuffles each time a digit is entered, thus giving an additional security
8. The transaction will be successful once the correct PIN has been entered using the scrambling PIN pad and the transaction has been approved by the issuer post which a success page will be displayed to the customer. On the success of the transaction, the card is said to be registered for PaySecure
9. If the transaction is not successful it could mean any of the following:

the PIN was not correctly entered Insufficient funds Bank did not authorize the transaction for other reasons connectivity issue .In this case, the customer’s card is not considered to be registered. The Customer has to start a fresh transaction. [6]   Fig . 2.1 Enities involved in a Transaction An e-payment process is a sequence of actions that involves a business task. There are mainly two kinds of payment transactions:

1. Atomic payment transaction-single payment transaction and single payment and
2. Composite payment transaction-single payment transaction and multiple

  Usually, a composite payment transaction involves multiple atomic transactions. Each atomic transaction supports the traditional ACID properties and must either fully commit or fully rollback. However, the classical ACID properties do not hold when a single payment transaction involves multiple atomic payments, especially when a failure occurs in any atomic payment transaction. Since atomic transactions use a two-phase commit protocol, a coordinating process is required to manage and synchronize the composite e- payment services within a given payment transaction. The primary goal of cryptography is to secure important data as it passes through a medium that may not be secure itself. Usually, that medium is a computer network. There are many different cryptographic algorithms, each of which can provide one or more of the following services to applications. It is generally accepted that, in order to be considered secure, a payment system must satisfy the following fundamental security requirements.

1. Authentication

 The assurance that the communicating parity is the one that is claims to be prevents the masquerade of one of the parties invoved in the transaction. Both parties should be able to feel comfortable that they are communicating with the party with whom they think they are communicating. Applications usually perform authentication checks through security tokens or by verifying digital certificates issued by certificate authorities. Cryptography can help establish identity for authentication purposes.

1. Access Control.

The prevention of unauthorized use of a resource.

1. Data Confidentiality (Secrecy)

 The protection of data from unauthorized disclosure. Confidentiality is an essential component in user privacy, as well as in the Protection of proprietary information, and as a deterrent to theft of information services. The only way to ensure confidentiality on a public network is through strong encryption. Data is kept secret from those without the proper credentials, even if that data travels through an insecure medium

1. Data Integrity (Anti-tampering)

 The assurance that data received are exactly as sent by an authorized entity (i.e., contain no medications, insertion, deletion, or replay). Prevents the unauthorized medication of data. Financial messages travel through multiple routers on the open network to reach their destinations. We must make sure that the information is not modified in transit.

1. Non-Repudiation

 Provides protection against denial by one of the entities involved in a communication of having participated in all or part of communication.

• Non-repudiation, Origin- Proof that the message was sent by the specified
• Non-repudiation, Destination- Proof that the message was received by the specified party.
• Non-repudiation is usually provided through digital signatures and public key certificates .
• Types of attack on an insecure system:
  1. Network Attacks :

These simple services can be used to stop a wide variety of network attacks, including:

1. Snooping (passive eavesdropping)

An attacker watches network traffic as it passes and records interesting data, such as credit card information.

• Tampering

An attacker monitors network traffic and maliciously changes data in transit (for example, an attacker may modify the contents of an email message).

• Spoofing

An attacker forges network data, appearing to come from a different network address than he actually comes from. This sort of attack can be used to thwart systems that authenticate based on host information (e.g., an IP address).

• Hijacking

Once a legitimate user authenticates, a spoofing attack can be used to "hijack" the connection.

• Capture-replay

In some circumstances, an attacker can record and replay network transactions to ill effect.

• PIN-guessing attack

An attacker can fake the digits and use the user authentication code (UAC) to launch a PIN- guessing attack.  

1. Cryptographic attacks:

In order to define the security level of a cryptosystem we have to specify the type of attack we are assuming (the power of the adversary) and the type of breaking which we wish to prevent (what tasks should the adversary be able to perform as the result of the attack) The types of attacks are.

• Cipher text-only attack

Cipher text-only attack in which the adversary sees only cipher texts

• Known-plain text attack

Known-plaintext attack in which the adversary knows the plaintexts (messages) and the corresponding cipher texts transmitted.

• Chosen-plaintext attack

Chosen-plaintext (CP) attack where the adversary gets to pick (adaptively) plaintexts of his choice and by exploiting the encryption mechanism he sees their encryption value.

• Chosen-cipher text (CC) attack

Chosen-cipher text (CC) attack - where in addition to access to the encryption mechanism the adversary can pick (adaptively) cipher texts of his choice and by using the decryption mechanism, he gets the corresponding plaintexts[3].  

(3)    Analysis

  After the through study ,this paper focus on the security parameters followed for the authentication .The security of Rupay Payment gateway is based on 2FA. Card Authentication requirements NPCI has provided a string of card security features to enable multiple levels of verification before a transaction is processed. The following guidelines regarding usage of these features should be implemented.

• PIN Verification
• PIN Verification is mandatory for all ATM
• If the Issuer performs PIN Verification, it must comply with requirements for PIN processing specified in the RuPay manuals .
• Acquirers must ensure that while handling the PIN used to identify a cardholder in a transaction, the process and technology used by the acquirer, merchant as well as its agents are compliant with the standards followed during the RuPay Fraud Risk Management . Non-compliance to the same, will lead to penalties and
• Triple Data Encryption Standards
• All issuers must be certified to receive and process Triple Data Encryption Standard (DES)
• All ATMs must support Triple DES .
• All PIN-based POS acceptance devices must be Triple DES
• All transactions initiated at Triple DES-capable devices must be Triple DES-encrypted from point of acceptance to NPCI .

 

• Card Verification Data (CVD)
• Ensure that CVD is verified in all authorization requests .
• All CVD mismatches must be reported and the reason for mismatch (acquirer error, bad magnetic stripe, counterfeit card etc.) must be
• An acquirer must ensure that the entire unaltered contents of the magnetic stripe/chip are transmitted by the merchant terminal or the acquirer can be subject to a

 

• CVD2

1)   Ensure that the 3-digit CVD2 is printed on the signature panel of all cards.  

• Expiration Date
• The expiration date may be used by merchants as an additional level of authentication and must be clearly mentioned on the
• Verify expiration dates from authorization requests and decline most requests with mismatched expiration

 

• Hologram

1)   The card must bear the Rupay hologram as an additional security feature.  

• Signature Panel
• The signature panel provided on the card should be tamper-evident.
• The panel must be duly signed by the cardholder failing to which the card should not be accepted [5].

 

Methodology:

 Mainly secondary data collected from various resources to study and analyse the topic to reach the conclusion.

Conclusion:

This review paper concludes that NPCI-Rupay payment gateway is secure channel for online transaction. It follows two factor authentication, triple data encryption standard and the use of one time password prevents the system from attacks which may result in loss of integrity.

Future enhancements:

 The use of Secure communication tunnel will enhance the security of payment gateway. Other advanced encryption standards can be integrated in future.

Biblography:

  [1] www.npci.org.in/PaySecure.aspx [2] www.technopedia.com/4414/triple-des [3] Ajeet singh , Karan singh “ A Review : Secure Payment System for Electronic Transaction”- March 2012. [4] Krantee Jamdaade , Hetal Champaneri “A Review : Secured Electronic Payment Gateway”- International Journal of emerging Research in management & Technology 2015. [5] Rupay Operating Regulations by NPCI [6] Rupay –eCommerce Merchant Integration Guide by NPCI