Sooo, I have spent some time this week thinking about architectures for “technical security systems”. I could say “cryptography” straight away, I guess. Specifically, about protecting sensitive data that may be subject to independent audits.
The scope of a PCI audit is defined by where credit card numbers and PINs (in the case of Chip&PIN systems) are stored and processed. Once you have experienced the pain, you definitely want to get “out of scope”. This is true for merchants just as much as for banks.
When you look at a payment system (in a very simplistic form), it consists of three parts:
- payment terminals – the device you put your card into and type your PIN on to pay for your purchase;
- payment gateway – a server-side system that connects terminals to one of the card-payment schemes (American Express, VISA, and so on). The gateway also keeps the merchant accounts and charges them for the service; and
- the card scheme and banks (acquirer and issuer).
Payment terminals are easy to audit – you do it once, before manufacturing starts. A terminal is an “immutable” device, so that is it.
What banks do is an interesting topic, but not really a worry for payment companies whose business is making card payments easy.
The middle column in the picture above is the core of the hassle. Credit card numbers (PANs) are stored in databases and processed on servers. Some payments are cleared straight away, others are batch-processed later.
Encryption modules (HSMs) are still needed, for the physical protection of keys and for PIN re-wrapping: a PIN block arrives encrypted under the terminal’s key and has to be re-encrypted under the scheme’s key without the clear PIN ever leaving the module.
Our thinking centred on one question: can most of the payment gateway be taken out of PCI scope? Well, the answer seems to be yes.
The core of the solution is the creation of secure logical channels and the replacement of sensitive data (credit card numbers) with something that can’t be misused, so-called “tokens”. This calls for a completely new concept of encryption device. It has to:
- provide a larger set of atomic functions;
- compute tokens for credit card numbers; and
- transparently create direct secure channels to banks and schemes.
It sounds simple, and it is in fact doable. We start with small building blocks like tokenisation and PIN re-encryption. Eventually, we will take the whole payment gateway out of PCI scope.
Once completed, we believe you will be able to open your own payment gateway with a simple PCI self-assessment questionnaire stating that you don’t store or process any credit card numbers or PINs. Life will be so much easier for you.
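As an added illustration (my own example, not code from the original post and not the product it describes), here are the two building blocks named above in Go: a tokenisation vault that turns a PAN into a keyed-hash token the gateway can store instead of the card number, and a PIN re-encryption function that translates an ISO 9564-1 format 0 PIN block from the terminal’s key to the scheme’s key without the clear PIN block ever being visible to the caller. The token format (`tok_` plus 20 hex characters plus the last four digits), the keyed-hash design, the use of TDES for the PIN keys, and the key values are assumptions made for this example; the card number 4111111111111111 and PIN 1234 are constructed test data.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// luhnValid rejects anything that is not a well-formed card number.
func luhnValid(pan string) bool {
	sum := 0
	for i := 0; i < len(pan); i++ {
		d := int(pan[len(pan)-1-i] - '0')
		if d > 9 { // not a digit (non-digit bytes wrap to a large value)
			return false
		}
		if i%2 == 1 { // double every second digit from the right, then add its digits
			d = d*2%10 + d*2/10
		}
		sum += d
	}
	return pan != "" && sum%10 == 0
}

// Vault is the tokenisation side of the module; the token-to-PAN map never leaves it.
type Vault struct {
	key   []byte            // HMAC key, generated and kept inside the module
	store map[string]string // would be encrypted at rest in a real device
}

// Tokenise returns "tok_<20 hex>_<last4>": stable per PAN (so recurring billing works),
// useless to an attacker who has neither the key nor the vault.
func (v *Vault) Tokenise(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !luhnValid(pan) {
		return "", errors.New("not a well-formed PAN")
	}
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(pan))
	tok := "tok_" + hex.EncodeToString(mac.Sum(nil))[:20] + "_" + pan[len(pan)-4:]
	v.store[tok] = pan
	return tok, nil
}

// Detokenise is only called inside the module, when the message to the scheme is built.
func (v *Vault) Detokenise(tok string) (string, error) {
	if pan, ok := v.store[tok]; ok {
		return pan, nil
	}
	return "", errors.New("unknown token")
}

// PINBlockFormat0 builds the clear ISO 9564-1 format 0 block: PIN field (0, length, PIN,
// F padding) XOR PAN field (0000 + rightmost 12 PAN digits excluding the check digit).
func PINBlockFormat0(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" || len(pan) < 13 || !luhnValid(pan) {
		return nil, errors.New("PIN must be 4 to 12 digits and the PAN well-formed")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pf, _ := hex.DecodeString(pinField + strings.Repeat("F", 16-len(pinField)))
	af, _ := hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
	blk := make([]byte, 8)
	for i := range blk {
		blk[i] = pf[i] ^ af[i]
	}
	return blk, nil
}

// tdes builds a TDES cipher from a 24-byte key; a wrong key length is a programming error.
func tdes(key []byte) cipher.Block {
	c, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	return c
}

// TranslatePIN re-wraps a PIN block from the terminal key (TPK) to the zone key (ZPK).
// The clear block exists only inside this function, i.e. inside the module; the gateway only ever holds ciphertext.
func TranslatePIN(tpk, zpk cipher.Block, underTPK []byte) []byte {
	clear, out := make([]byte, 8), make([]byte, 8)
	tpk.Decrypt(clear, underTPK)
	zpk.Encrypt(out, clear)
	return out
}

func main() {
	tpk, zpk := tdes([]byte("terminal-pin-key-24bytes")), tdes([]byte("zone-pin-key-for-scheme1")) // constructed demo keys
	v := &Vault{key: []byte("constructed-tokenisation-key"), store: map[string]string{}}
	tok, _ := v.Tokenise("4111111111111111") // constructed test card number
	blk, _ := PINBlockFormat0("1234", "4111111111111111")
	underTPK := make([]byte, 8)
	tpk.Encrypt(underTPK, blk)                   // what the terminal sends in
	underZPK := TranslatePIN(tpk, zpk, underTPK) // what goes on to the scheme
	fmt.Printf("gateway stores %s; PIN block %x -> under TPK %x -> under ZPK %x\n", tok, blk, underTPK, underZPK)
}
```

The point to notice is that the gateway code in `main` only ever holds `tok` and the two ciphertext blocks, never the PAN or the clear PIN block, which is exactly the property that takes it out of scope. A real module would additionally bind each key to a usage (a TPK may only decrypt PIN blocks, a ZPK may only encrypt them) so that the translation function cannot be turned into a PIN-decryption oracle by feeding it the wrong key.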
Does it make you curious? Let me know 😉