New TNS IP Payments Security White Paper

White Paper: Bridging the Security Gap for IP Payment Networks

Uploaded by tnsimarketing, 29 June 2015

Description

This new white paper considers the risks inherent in moving a payment transaction network away from a traditional dial, X.25 or frame relay network to an open IP network. The document considers a range of security measures, including understanding the risks of moving to IP, protecting from DDoS threats, holistic network security, equipment, personnel and process, as well as securing against hacking attacks.

White Paper

Bridging the Security Gap for IP Payment Networks

Contents

Executive Summary
Are You Prepared for the Risks of IP Network Migration?
Problems with IP-Based Transaction Networks
Distributed Denial of Service Attack
Understanding the Risks
Securing IP-Based Transaction Infrastructure
It Comes Down to a Focus on Security
Learn More, About TNS

Executive Summary

Moving your card payment transaction network from the walled garden of X.25, frame relay and dial networks to an open IP network and the public Internet reduces costs, simplifies your business, and helps create new business opportunities to generate revenue.

But does a cheaper communication path also expose your business to more risk? Or, are the risks involved in moving to an Internet-based transaction infrastructure, such as the impacts of breaches and lost customer goodwill, too great to even consider?

But a cheaper Internet-based communication path can also expose your business to more risk. How will your business be impacted if this increased exposure results in a serious data breach or a significant disruption in service?

With the right infrastructure, people, and equipment, payment service providers can take advantage of the public Internet and enjoy significant savings over closed or guarded X.25, frame relay, and dial solutions. By moving to IP, you can consolidate networks, simplify topologies, and save money.

But, to take advantage of IP for transaction networks, several steps must be taken to ensure your network, equipment, people, and processes are up to the challenge. Secure Sockets Layer (SSL) encryption is only the first of many requirements for payment service providers to build a payment solution that exceeds the level of security of legacy systems and delivers on the availability, cost savings, and openness of Internet-based infrastructures.

In particular, special care must be given to the choice of network provider, as solutions to many of the challenges with Internet-based transactions rely on leveraging the power and security of cloud-based approaches to keep your business up and operational during a hacking attack.

Are You Prepared for the Risks of IP Network Migration?

IP makes sense. If you are not leveraging IP as the primary mode of transport for your payment transactions today, you will be in the future.

And the reasons are obvious: IP is simple, ubiquitous, resilient and very easy to deploy. The same network that you use to carry e-mail, voice, and to surf the Internet can be used to carry your financial/transaction data as well. This results in fewer networks to manage and lower networking costs for your business.

However, as payment processors and service providers move from early trials and pilots to carrying the majority of their payment transaction traffic over IP, many are not taking advantage of the latest technologies and approaches to build a network that is as stable and reliable as their proprietary networks of the past.

In fact, many commercially deployed IP-based networks today are simply not up to the challenge of global large-scale deployments over the Internet. And, as these legacy solutions begin to handle more and more of your transaction traffic, the exposure to your business in terms of risk increases exponentially.

To add to the challenge, the risks these networks face continue to evolve. An acknowledged standard approach today may become the security risk of tomorrow.

This evolutionary state of threats necessitates constant vigilance with your IP security infrastructure, and the need to create a culture of security that can continually adapt to meet the challenges of the ongoing threats. If you are relying on dated security measures, you are placing your network at risk.

In this paper, we review the best practices for Payment Service Providers (PSPs) and payment processors to build reliable, highly secure transaction networks on an IP-based network infrastructure.

Was Your Legacy Network More Secure Than Your New One?

Doing business on the Internet exposes your network to a whole host of new criminal threats. PSPs and payment processors in particular are key targets of these criminals, as they carry key cardholder data and provide access to large sums of money via the payment transactions that cross their networks every day.

When your network was based on X.25 or frame relay, you didn’t have many network security problems. In fact, these closed systems provided security from what one might be exposed to by using the public Internet.

First, the proprietary nature of legacy transaction networks provided a gate that kept people with few resources and capabilities out of the network. These closed networks required proprietary equipment to enter them — creating, in essence, a firewall that kept potential criminals out.

Second, a specialized network only carrying transaction traffic with proprietary systems was fundamentally more expensive to attack and therefore less attractive to hackers. Hacking into a proprietary network took them to only a few places; the barriers to entry were high, and the payoffs were low.

Businesses for years relied on these closed networks to make transactions fast for their customers, to consolidate their transactions back to corporate offices, and to make the deployment of large-scale interconnections cost effective.

But many of these same businesses did not realize that they were also relying on their closed systems to provide security against the general threats that exist against all types of networks. All of these proprietary, expensive technologies and specialized systems provided powerful security against criminals.

Problems with IP-Based Transaction Networks

A transaction network based on IP is the opposite of a closed or proprietary system. IP-based transaction networks use common, off-the-shelf equipment, common transport, and standard protocols (SSL and IP). Moreover, the network is connected to an ISP network, and all the ISP networks are connected together. This design enables access to the public Internet, with its ability to lower costs. However, this type of infrastructure removes virtually all of the “security by obscurity” payment processors enjoy in proprietary transaction network systems.

Payment processors and PSPs building IP-based transaction networks need to replace the security benefits that were inherent in the legacy infrastructure with new solutions designed for IP-based networks. And they must try to do this without significantly increasing costs.

How does a payment processor know it is secure?

The Payment Card Industry Data Security Standard (PCI DSS) gives end users and PSPs guidelines on how to secure and maintain the security of their infrastructure. But, the now tri-annual update process of the PCI DSS provides a guideline that may not be able to stay up to speed with the constantly evolving threats. PCI DSS sets a standard for compliance — it does not define the best you can do to protect your network.

For payment processors and PSPs, the PCI DSS does not cover many of the issues they must address. PCI does not cover issues such as DDoS attacks, and does not provide any guidance on many of the specific issues that they face.

These organizations are exposed to significant threats if they are relying on the standard capabilities of off-the-shelf equipment to provide their overall transaction security. Often, these products are secured simply with SSL and are built on top of open source or other commonly available operating systems, with little attention to hardening their security or providing additional threat countermeasures.

Many systems used in production environments by PSPs and payment processors were built in-house and were originally designed and deployed as trials or prototypes. They were built quickly, inexpensively and without the rigorous testing required to ensure they are as secure as possible. Of particular concern are the components of this type of equipment that can also be easily and inexpensively acquired by criminals. This gives criminals easy access to a test environment they can use to design effective attacks against existing production systems.

Relying on your equipment’s security and open standards to protect your payment infrastructure is clearly not a complete solution.

Hackers do not have to ‘succeed’ to be successful

Without adequate protections, a hacker leveraging bandwidth alone can bring your network down. If the criminal’s goal is to disrupt your business, this can be accomplished without actually breaching your network; they can simply flood your network with bad data requests. Without adequate protections, you will not be able to process transactions, and, as all payment processors and PSPs know, any processor or service provider that cannot process transactions will not be in business for long.

Protecting against Denial of Service attacks is an area where legacy networks shined. Legacy dial networks are inherently Denial of Service safe. It was virtually impossible to be denied a transaction over dial networks, because if a port is down, the network simply dials to the next one.

But with IP, a hacker focused on damage, not simply financial reward, does not actually have to be successful to cause significant damage.

The move to IP-based networks reduces the cost and level of effort required by criminals to attempt to hack your network. For example, a botnet that can be used to implement a distributed denial of service (DDoS) attack against a chosen target on the Internet can be rented for a few hundred dollars a day. Computing power and bandwidth can literally be had for pennies, making it easier than in the past to crunch the data necessary to break encryption keys. And criminals from all over the world can communicate, share information, and help each other with techniques that make your business more exposed than ever before.

Distributed Denial of Service (DDoS) Attack

As mentioned earlier, many off-the-shelf IP solutions to this problem are inadequate. Your ISP may advertise Distributed Denial of Service (DDoS) protection as a selling feature to your business. But, once you look under the covers, you typically find that the DDoS capabilities of ISPs are designed solely to keep their core ISP network up. The ISP’s focus is to prevent themselves from being adversely impacted, not specifically keeping you and your business up and running. So if you are depending on your ISP’s DDoS system to ‘protect’ your network (with techniques such as black hole filtering or null-routing), all of the traffic destined to your IP address may be discarded during an attack—both the bad traffic and the good transaction traffic from your legitimate paying customers.

The reality is that the Internet is a big front door and a criminal does not have to actually come in; they just need to knock a lot to disrupt your business dramatically.

One breach can literally mean the end of your business

The uncomfortable truth is the direct costs and the reputational damage from an attack to a business can be devastating. And while every business is different, consider the implications to your business if you could not process transactions from 10 a.m. to 3 p.m. tomorrow.

What would the financial impacts be? Do you have service level agreements in place with your merchants? And what about your merchants? Would they move to other providers? And most importantly, what is the long term impact to your business’ reputation should you be breached or your service becomes unavailable?

Payment security is big news, and when a corporation has a breach or service disruption, it often gets spread all over the news, not only exposing the flaw, but also damaging the reputation of the business. For example, Sony’s PlayStation Network was the victim of a DDoS attack in August 2014, prompting much press coverage and speculation about a repeat of the lawsuits filed as a result of a 2011 security breach which cost Sony more than $15 million. Ultimately, news on even the small breaches and attacks gets printed.

The costs of a breach can be devastating to your business — not only the transactional costs, but also the loss of goodwill and reputation. Given this fact, the overall importance of ensuring the security of your IP-based transaction network simply cannot be overemphasized. Even if you have only IP-enabled a single payment application with low volumes, the door from the public Internet to your payment systems is now open, putting your entire business at increased risk.

Figure: DDoS attack. The attacker compromises vulnerable systems and directs them through a botnet controller to send large volumes of traffic that overwhelm the victim network.

Understanding the Risks

So, given the risks, what are the problems that must be managed in the IP context?

Distributed Denial of Service (DDoS)

A distributed Denial of Service attack is an attempt by a hacker to prevent legitimate users of the service from using the service. In practice, it’s a relatively simple thing to accomplish. Criminals get a number of compromised computers, known as bots, join them together to form a botnet, and send traffic to one IP address all at the same time. Botnets are available for rent online starting at a few hundred dollars. A person with a small amount of knowledge and money could create a large amount of damage with ease.

In 2014, a botnet took control of more than 162,000 WordPress sites which it then used to amplify DDoS attacks against unsuspecting organizations.

The latest data from Verizon’s 2014 Data Breach Investigations Report shows that DDoS attacks have grown to an average of 10Gbps (bits per second) from 4.7Gbps in 2011. The number of packets on average is now 7.8Mpps (packets per second), which is a massive increase from 0.4Mpps in 2011.

PSPs, payment processors, and financial institutions can experience multi-day outages from a sustained attack. And as discussed, asking your ISP to solve the problem may result in them simply shutting your entire service off—not the best way to maintain high service quality and availability for your customers.

Gateway spoofing

A type of man-in-the-middle attack, these attacks redirect users through a third party to steal or sniff transaction information. These types of attacks can go undetected for days, weeks or months, exposing potentially millions of transactions and cardholders to the criminal.

In many situations, the only indication that a problem has occurred with these sorts of attacks is a few milliseconds of latency in the network. While less common than DDoS attacks, man-in-the-middle and gateway spoofing attacks pose one of the greatest risks to payment processors and PSPs since they can occur and exist without easy detection.

Denial of service is a concentrated attempt to impact service by disrupting processing on the system. The goal with denial of service attacks is to max out processors, trigger unrecoverable errors, crash systems, or install malware on systems, potentially disrupting network services for a period of days or weeks.

Duration of Largest DDoS Attack (Source: Arbor Networks, Inc. 2013)

48% 0–6 Hours
11% 7–12 Hours
5% 13–24 Hours
15% 1–3 Days
10% 4–7 Days
6% 1–4 Weeks
5% 1+ Month

Denial of service attacks are especially troubling for payment processors and PSPs who have built their own proprietary gateways. Often these gateways are built on top of common, open-source tools, and rely only on those open-source components or commonly available components for their security compliance.

If you think about how common problems are on the PC, it is scary to think about a transaction network being susceptible to the same problems. But, the fact is most machines that are hacked are built on the same core operating systems used on most desktops and servers. This is particularly true for payment gateways built in-house — these systems leverage commonly available components without the significant modification and hardening that are necessary for higher security.

For processors, the risks of denial of service attacks are clear:

1. A compromised transaction network that cannot process transactions due to equipment failures.

2. The network is null-routed out of availability by the Internet service provider to keep the ISP network from being affected.

3. A compromised transaction network that leaks confidential information, increasing business liability.

In all cases, denial of service attacks and hacking attacks must be addressed in any transaction network deployment.

Securing IP-Based Transaction Infrastructure

As a payment processor, there are three main areas to address when securing your IP-based infrastructure:

1. Your network — how does it function, what capabilities does it provide, and how is it built?

2. Your people — what is their expertise, what procedures do you have in place?

3. Your equipment — how is it maintained, how well is it shielded from threats?

Your network equipment is important, but equipment alone is not the magic bullet. Many things need to be involved in the overall solution—from the client devices to the transaction gateways to the network in between. Everything needs to be managed as one cohesive unit to ensure maximum security.

1. Your network

The network connection between terminals and payment gateways is the most likely entry point for a hacker. Therefore, your network infrastructure needs to be up to the task of helping you manage, defend and protect your network from criminals. While there are several issues to consider, there are a number of best practices payment processors and PSPs should leverage when upgrading to an IP-based transaction infrastructure.

Operational Security Concerns in the Next 12 Months (Source: Arbor Networks, Inc. 2013, percentage of survey respondents)

65% DDoS attacks toward infrastructure
62% DDoS attacks toward customers
57% DDoS attacks on services (DNS, email)
48% Infrastructure outage (partial or complete) due to failures or misconfiguration
44% Bandwidth saturation (streaming, over-the-top services)
35% Botted/compromised hosts on service provider network
3% Other

Use a cloud-based DDoS mitigation solution that is transaction-ready and independent of your ISP

The goal of your DDoS, Intrusion Detection System (IDS) and firewall solutions should be to protect your network, while letting the good transactions through. This requires specialized expertise and specialized configurations — not the same, run-of-the-mill IDS and firewall solutions used by corporations for securing baseline data networks.

A cloud-based DDoS mitigation solution should be transaction aware and shut down distributed denial of service attacks while keeping your transactions processing and your merchants happy. A solution must not only understand obvious threats, but also make intelligent, policy-based determinations about whether each and every packet is a good one or a bad one, with the focus of keeping transactions up and operational.
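To make the contrast concrete, here is an added simulation (it is not code from the paper or from TNS) of the two approaches discussed here and in the DDoS section above: an ISP null-route that drops every packet bound for the victim address, and a per-packet policy that admits only TLS-shaped records on the transaction port within a per-source rate cap. The gateway address, port and rate policy are assumed values, and all packets are constructed.

```python
"""Added example, not TNS code: an ISP null-route (every packet for the victim
address dropped) versus a transaction-aware, policy-based per-packet filter.
Gateway address, port and rate policy are assumed; all traffic is constructed."""
from collections import defaultdict, deque, namedtuple

GATEWAY_IP = "203.0.113.10"   # assumed gateway address (documentation range)
GATEWAY_PORT = 443            # assumed port carrying TLS-wrapped transactions
PER_SOURCE_PPS = 20           # assumed policy: admitted packets per source per second

# ts_ms: arrival time (ms); legit: ground truth, used only to score the simulation
Packet = namedtuple("Packet", "ts_ms src dst dport payload legit")


def null_route(packets):
    """ISP-style blackhole: everything addressed to the victim is discarded,
    legitimate transactions included."""
    return [p for p in packets if p.dst != GATEWAY_IP]


def looks_like_tls_record(payload):
    """Cheap shape check on the 5-byte TLS record header: content type is
    handshake (0x16) or application data (0x17) and the major version is 3."""
    return (len(payload) >= 5 and payload[0] in (0x16, 0x17)
            and payload[1] == 0x03 and payload[2] in (0x01, 0x02, 0x03, 0x04))


class TransactionAwareFilter:
    """Per-packet admission policy: only the transaction port, only TLS-shaped
    records, and a sliding one-second rate cap per source address."""

    def __init__(self, per_source_pps=PER_SOURCE_PPS):
        self.per_source_pps = per_source_pps
        self.admitted = defaultdict(deque)  # src -> timestamps admitted in the last second

    def admit(self, p):
        if p.dst != GATEWAY_IP or p.dport != GATEWAY_PORT:
            return False
        if not looks_like_tls_record(p.payload):
            return False
        window = self.admitted[p.src]
        while window and p.ts_ms - window[0] >= 1000:
            window.popleft()                 # expire entries older than one second
        if len(window) >= self.per_source_pps:
            return False                     # this source is over its rate budget
        window.append(p.ts_ms)
        return True

    def run(self, packets):
        return [p for p in sorted(packets, key=lambda x: x.ts_ms) if self.admit(p)]


def score(passed):
    """Return (legitimate packets delivered, attack packets delivered)."""
    good = sum(1 for p in passed if p.legit)
    return good, len(passed) - good


def build_traffic():
    """Constructed sample: 20 merchants each sending five TLS records over ten
    seconds, mixed with three bot behaviours seen in volumetric attacks."""
    tls_app_data = bytes([0x17, 0x03, 0x03, 0x00, 0x40]) + b"\x00" * 64
    pkts = []
    for m in range(20):                     # legitimate merchant terminals
        for k in range(5):
            pkts.append(Packet(k * 2000 + m * 10, f"198.51.100.{m + 1}", GATEWAY_IP,
                               GATEWAY_PORT, tls_app_data, True))
    for b in range(200):                    # bots: junk to random ports
        for k in range(50):
            pkts.append(Packet(k * 100, f"192.0.2.{b + 1}", GATEWAY_IP,
                               1000 + k, b"\x00" * 512, False))
    for b in range(150):                    # bots: garbage at the TLS port
        for k in range(50):
            pkts.append(Packet(k * 100, f"198.51.100.{b + 101}", GATEWAY_IP,
                               GATEWAY_PORT, b"\xff" * 512, False))
    for b in range(10):                     # bots: well-formed records replayed at 100 pps
        for k in range(300):
            pkts.append(Packet(k * 10, f"192.0.2.{b + 201}", GATEWAY_IP,
                               GATEWAY_PORT, tls_app_data, False))
    return pkts
```

With this constructed traffic the null-route delivers no legitimate packets at all, while the policy filter delivers all 100 merchant records and still admits 600 replayed but well-formed records from the rate-capped bots. A rate cap alone only bounds well-formed replay traffic; it does not remove it.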

Test your network regularly through the use of ethical hacking

Is your network regularly tested? Do you have dedicated people on your staff tasked with finding new ways into your network? Ethical hacking on your own internal systems helps you find ways to make your network more secure. Ethical hacking also helps keep your security team on guard as the network is constantly under attack.

Use 24x7x365 trending and monitoring solutions that are security focused

Many times, the biggest problems are not obvious but occur gradually over time. It’s a 24x7x365 world, and hacking attempts occur literally every minute from all points around the globe. Therefore, it is important to have your network monitored 24x7x365 not only for uptime and bandwidth, but also for security concerns and trends. By integrating security monitoring into your overall network monitoring, you are always on watch for trouble. And, should anything start to occur, it can be caught early before it becomes critical.
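The gateway spoofing discussion above notes that the only symptom may be a few milliseconds of added latency, and this section argues that gradual problems need trend monitoring rather than simple alarms. The following added example (not from the paper or from TNS) runs a one-sided CUSUM change detector over a constructed series of gateway round-trip times containing a 3 ms shift and shows it fires within a handful of samples where a fixed per-sample threshold never does; the baseline window, drift allowance and alert threshold are assumed values.

```python
"""Added example, not TNS code: a one-sided CUSUM change detector that flags a
small, sustained increase in round-trip time to a payment gateway, the kind of
shift a per-sample alarm threshold never sees. All RTT samples are constructed;
the baseline window, drift allowance and alert threshold are assumed values."""

BASELINE_SAMPLES = 100     # assumed: first 100 RTTs (attack-free) define normal latency
CUSUM_DRIFT_K = 1.0        # assumed: ms of excess tolerated per sample, about half the shift of interest
CUSUM_THRESHOLD_H = 15.0   # assumed: accumulated excess (ms) required before alerting


def build_rtt_series(shift_at=300, shift_ms=3.0, length=600):
    """Constructed RTT series in ms: a 40 ms base with a repeating zero-mean
    jitter pattern, plus shift_ms from index shift_at onward, as if an extra
    hop had been inserted between the terminals and the gateway."""
    jitter = [0.0, 1.5, -1.0, 2.0, -1.5, 0.5, -0.5, 1.0, -2.0, 0.0]
    series = []
    for i in range(length):
        rtt = 40.0 + jitter[i % len(jitter)]
        if i >= shift_at:
            rtt += shift_ms
        series.append(rtt)
    return series


def estimate_baseline(series, n=BASELINE_SAMPLES):
    """Mean RTT over the first n samples, assumed to be attack-free."""
    return sum(series[:n]) / n


def threshold_alerts(series, baseline, margin_ms=10.0):
    """Naive per-sample alarm: fires only when a single RTT exceeds
    baseline + margin. A few-millisecond shift stays below it forever."""
    return [i for i, rtt in enumerate(series) if rtt > baseline + margin_ms]


def cusum_first_alert(series, baseline, k=CUSUM_DRIFT_K, h=CUSUM_THRESHOLD_H,
                      start=BASELINE_SAMPLES):
    """One-sided CUSUM for an upward shift in mean RTT. S accumulates
    (rtt - baseline - k) and is floored at zero, so normal jitter cancels out
    while a persistent excess keeps adding up. Returns (index of the first
    sample at which S >= h, S at that point), or (None, final S)."""
    s = 0.0
    for i in range(start, len(series)):
        s = max(0.0, s + (series[i] - baseline - k))
        if s >= h:
            return i, s
    return None, s


def detect_latency_shift(series):
    """Run both detectors and report what each would have told the operator."""
    baseline = estimate_baseline(series)
    naive = threshold_alerts(series, baseline)
    idx, s = cusum_first_alert(series, baseline)
    return {"baseline_ms": baseline, "threshold_alerts": naive,
            "cusum_alert_index": idx, "cusum_value": s}
```

On the constructed series the per-sample alarm never fires, while the CUSUM crosses its threshold at sample 306, six samples after the 3 ms shift begins at sample 300.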

Use partners that continually perform integration testing on all new software releases

Every software upgrade potentially exposes your network to more risk. While one patch may solve one security problem, it may expose another. More importantly, this exposure might not be in the piece of equipment that had its software updated.

Making sure that every piece of equipment, with every software update on any piece of equipment, does not expose an exploitable hole in your security is an important part of providing transaction networks. This continual integration testing is essential to ensuring your network is as secure as possible.

Targeted Customer Types (Source: Arbor Networks, Inc. 2013, percentage of survey respondents)

48% End user/subscriber
43% E-commerce/business
43% Financial services
34% Government
29% Gaming
13% Gambling
13% Manufacturing
11% Law enforcement agency
11% Utilities
23% Other

2. Your people

Many times, hacking attempts start with people, not machines. It is important your people are up to the task of maintaining a highly secure, highly available and reliable transaction network for your business.

There are three areas you should focus on in terms of your personnel: expertise, training and procedures.

Expertise

Networking expertise is an obvious component of building a transaction network. You need to have personnel that understand how scalable and reliable networks are built.

Security expertise needs to be an important skill of your people. Do you have personnel that focus exclusively on making sure your network is secure?

Hacking expertise, often missing within payment teams, is the opposite of security expertise. While a security expert focuses on policies and procedures to help make your network more secure, the hacking expert focuses on understanding how exploits can be used to hack into your systems. Hacking expertise is a required skill in any large-scale transaction network deployment.

Training

Your staff needs to be trained against social engineering attacks so they understand how to secure and maintain things as simple as passwords in order to keep people out of sensitive areas.

Procedures

Your personnel need to use defined, standard operating procedures every time. Items such as how to manage software rollouts, how to conduct rigorous testing, and things as simple as password management should all be part of the procedures your personnel use every day to manage your transaction network.

3. Your equipment

Networking equipment is the foundation of transaction networks, and while many pieces are interchangeable, it is important to consider the security requirements needed to maximize the security of your network before making equipment choices.

First, equipment should be proven by results, and not simply insured against financial risk. If there is anything to be learned from disasters like the US Gulf oil spill, it is that there is a difference between proven by results and insured against financial risk. Just because you have some amount of insurance against risk does not mean that a breach won’t occur.

The equipment you use should be proven to be reliable, specifically within secured transaction-oriented networks. Transaction networks are different from traditional IP traffic, and have very special requirements. The best equipment for streaming video on the Internet might not be the best choice for your critical credit and debit card transactions.

Second, your equipment should have the appropriate certifications for use in transaction networks. While standards such as FIPS 140-2 play a major part in helping choose the best equipment, it is up to networking equipment suppliers and your organization to choose equipment with the appropriate reliability and performance certifications.

When building an IP-based transaction network that is planned to carry the majority of your transactions, care should be taken in terms of your network, equipment and people to ensure that every part of your infrastructure lives up to your expectations for performance, reliability, and most importantly security.

It Comes Down To a Focus on Security

Are you prepared to risk your entire business on your existing infrastructure or on your current plans for your IP-based transaction network? Ultimately, the answer to that question should drive your decisions about which equipment and partners to use to help you build an IP network you can rely on in the future.

An IP-based transaction network can save you money and provide added benefits to your business. If designed and operated correctly you can enjoy these benefits, without taking on unnecessary risks. The key is to focus on making sure that every piece of the solution can live up to the challenges and high expectations of securely managing transaction data.

Learn More

TNS has been partnering with leading Payment Processors, Acquirers, and PSPs around the globe for over 20 years, providing solutions designed to ensure that their payment infrastructures remain secure, resilient, and scalable. To learn more about how TNS can help you better secure your payment host or gateways, contact us by calling 703 453 8300 or emailing [email protected].

About TNS

Transaction Network Services (TNS) is a leading global provider of data communications and security solutions. TNS offers a broad range of networks and innovative value-added services which enable transactions and the secure exchange of information in diverse industries such as retail, banking, payment processing, telecommunications and the financial markets.

Founded in 1990 in the United States, TNS has grown steadily and now provides services in over 65 countries across the Americas, Europe and the Asia Pacific region, with our reach extending to many more. TNS has designed and implemented multiple data networks which support a variety of widely accepted communications protocols and are designed to be scalable and accessible by multiple methods.

Visit us at www.tnsi.com for more information.

October 2014