Thought Paper
www.infosys.com/finacle
Universal Banking Solution | Systems Integration | Consulting | Business Process Outsourcing
Overview of banking application security and PCI DSS compliance for banking applications
Card-based transactions account for barely 1% of all non-cash transactions by value in India. Security concerns rank high on the list of barriers to card adoption, not just in this country, but also in those with much higher penetration.

The card ecosystem, comprising issuing banks, application developers, technology vendors and regulators, has taken several steps to secure banking applications and carrier networks against deliberate attack or unintentional breach. This paper discusses banking software application security practices in general, as well as banks' compliance with the provisions of the Payment Card Industry Data Security Standard (PCI DSS), which focuses specifically on the safeguards for credit and debit card data.
Debit/credit card data is usually stored in databases, which are in turn housed in data centers. These must be safeguarded through

Working of card based payments

[Diagram of the card payment flow; only the labels "SWITCHING", "Services by external" and "a transaction." survive from the figure.]
Current card-related security practices of banks

Most banks deploy a Hardware Security Module (HSM), a tamper-resistant device that holds cryptographic keys and performs PIN and key-management operations, in the systems involved in card payment transactions. At the terminal this hardware may take the form of a smart card (a secure access module), which must remain inserted for the transaction to take place.

Another technique in use is end-to-end encryption. Data is encrypted at its origin (Point A) and transmitted to its target (Point B), where it is decrypted. This technique employs both transport-level and data-level security: the former encrypts the transmitted data using network protocols such as Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL); the latter encrypts specific fields, such as the account number, rather than the entire message. Note that SSL and early TLS are no longer acceptable under PCI DSS; TLS 1.2 or later is required.

Tunneling refers to the encapsulation of a message in one protocol, say Protocol A, within another, say Protocol B, prior to transmission over a virtual private network (VPN), which can be set up using the Secure Shell (SSH) protocol. It allows a protocol that has no encryption of its own to be carried inside an encrypted channel. Likewise, HTTPS (HTTP over TLS) is also used as a tunnel for other traffic.

Of late, the jPOS framework (a Java library implementing the ISO 8583 message format exchanged between terminals, switches and issuers) has come into use.
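The two layers described above, as an added example that is not part of the original paper and is neither Finacle nor jPOS code: a minimal ISO 8583 parser and packer (the message framing that jPOS implements in Java) for a 0200 authorization request, in which field 2 (the PAN) is masked for trace files and replaced by a keyed hash for storage while every other field is left untouched (data-level security), beside a TLS context with a 1.2 floor for the same link (transport-level security). The field table, the sample message, the key and all function names are constructed for illustration; a keyed hash stands in for reversible field encryption so that the block runs on the Python standard library alone.

```python
"""Field-level protection of the PAN in an ISO 8583 authorization request, beside
the transport-level protection TLS gives the whole message.  Added example for this
page: not Finacle code, not jPOS.  Field table, key and message are constructed."""
import hashlib
import hmac
import ssl

# Constructed ISO 8583 subset (ASCII): field -> (kind, length).
# "llvar" = 2-digit length prefix then up to `length` chars; "fixed" = exactly `length`.
FIELDS = {
    2: ("llvar", 19),   # Primary Account Number (PAN)
    3: ("fixed", 6),    # Processing code
    4: ("fixed", 12),   # Amount, transaction (minor units)
    11: ("fixed", 6),   # System trace audit number (STAN)
    41: ("fixed", 8),   # Card acceptor terminal id
}
DEMO_KEY = b"constructed-demo-key"   # stands in for a key kept inside an HSM
# Constructed 0200 request: MTI, primary bitmap with bits 2,3,4,11,41 set, then
# PAN (LLVAR, Visa test number), processing code, amount 10.50, STAN, terminal id.
SAMPLE_REQUEST = ("0200" "7020000000800000" "164111111111111111"
                  "000000" "000000001050" "123456" "TERM0001")

def parse_iso8583(msg: str) -> dict:
    """Parse MTI + primary bitmap + fields; anything outside the subset is an error."""
    mti, bits, body = msg[:4], int(msg[4:20], 16), msg[20:]   # bit 1 = MSB of bitmap
    fields, pos = {}, 0
    for n in range(1, 65):
        if not (bits >> (64 - n)) & 1:
            continue
        if n == 1 or n not in FIELDS:
            raise ValueError(f"field {n} not supported in this example")
        kind, length = FIELDS[n]
        if kind == "llvar":
            length, pos = int(body[pos:pos + 2]), pos + 2
            if length > FIELDS[n][1]:
                raise ValueError(f"field {n} length prefix too large")
        value = body[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"field {n} truncated")
        fields[n], pos = value, pos + length
    if pos != len(body):
        raise ValueError("trailing data after last field")
    return {"mti": mti, "fields": fields}

def pack_iso8583(mti: str, fields: dict) -> str:
    """Inverse of parse_iso8583 for the same subset."""
    bits, body = 0, ""
    for n in sorted(fields):
        kind, length = FIELDS[n]
        value = fields[n]
        if (len(value) > length) if kind == "llvar" else (len(value) != length):
            raise ValueError(f"field {n} has wrong length")
        body += f"{len(value):02d}{value}" if kind == "llvar" else value
        bits |= 1 << (64 - n)
    return f"{mti}{bits:016X}{body}"

def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check digit; rejects mistyped or corrupted PANs before use."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS Requirement 3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN as a lookup token that does not reveal it.  Keyed rather
    than bare SHA-256: with the BIN known, an unkeyed hash of a PAN is brute-forceable."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def sanitize_request(msg: str, key: bytes = DEMO_KEY) -> tuple:
    """Data-level security: only field 2 is transformed, every other field is left
    as is.  Returns (message safe for trace/log files, PAN reference for storage)."""
    parsed = parse_iso8583(msg)
    pan = parsed["fields"].get(2, "")
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("missing or invalid PAN")
    logged = dict(parsed["fields"])
    logged[2] = mask_pan(pan)
    return pack_iso8583(parsed["mti"], logged), pan_reference(pan, key)

def is_well_formed(msg: str) -> bool:
    try:
        parse_iso8583(msg)
        return True
    except ValueError:
        return False

def transport_context() -> ssl.SSLContext:
    """Transport-level security for the same link: the whole message is encrypted on
    the wire, but only on the wire.  SSL and early TLS are out under PCI DSS."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

`sanitize_request(SAMPLE_REQUEST)` returns the same message with field 2 reading 411111******1111 and a 64-character reference; `parse_iso8583` rejects a secondary bitmap, fields outside the table, a truncated field and trailing data rather than guessing, which is the behaviour a switch interface should have. Note what each layer does not do: TLS protects the message only while it is on the wire, and the masked or hashed PAN cannot be used to forward the authorization, so the clear PAN still has to be encrypted under an HSM-held key for the leg to the switch.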
To encrypt all non-console administrative access using strong cryptography (PCI DSS Requirement 2.3 in versions up to 3.2.1), including access to cardholder data through specialized devices such as POS and swipe terminals, ATM switches and so on.

To maintain instructional documentation and training programs for customers, resellers and integrators. It must be noted that application security is effective only if the user is trained to implement the right practices; integrators and customers, who are direct stakeholders in the system, must be supported with adequate documentation explaining what is expected of them.
Core Banking System (CBS) applications handle debit/credit card data in one of two distinct modes:
Direct handling of card-based data within the application
Using vendor-supplied modules to handle card-based data

Since the PCI DSS standards are comprehensive, they impact virtually every aspect of core banking applications supporting card transactions. However, the biggest impact is the banks' demand for complete security of the core banking application, its environment and coding practices, and also of the data handled by other applications.

Achieving PCI DSS continuity

PCI DSS specifies periodic validation; banks and application vendors must periodically perform validation at two layers:
Compliance at the level of the application, where code-level dependencies can be resolved.
Compliance in the external environment in which card-based data is processed, namely switches, token drivers or specified devices providing hardware-level security.
Since PCI DSS involves both layers, compliance usually requires multiple dependencies to be resolved.

The way forward

In India, PCI DSS compliance is at a nascent stage. At present, there is no regulatory thrust in this direction, nor adequate infrastructure and skilled manpower to perform audits. This is still a growing market, and it may take a while to come to terms with the higher security expectations laid down by these standards.
Sandhya Ravikumar
Senior Systems Engineer, Finacle E-Banking and Channel Support, Infosys
About Finacle
Finacle from Infosys partners with banks to transform process, product
and customer experience, arming them with accelerated innovation
that is key to building tomorrow's bank.