Credit card fraud is one of the most challenging issues facing business, credit card providers, the banking industry and law enforcement authorities today. Fraud costs in the area of $600,000,000+ per year and is on the rise. e-Path's reason for existing is to boldly help change this.
But firstly, what exactly does credit card fraud mean to you, the business owner? Consider this all too common scenario sent in from a new e-Path gateway merchant. We have published it here with permission as it perfectly illustrates not only the risks of accepting credit cards online but also what can be done to help eliminate them ...
Thanks for the info. I have to let you know of a real brush we had with a crim last week.
We received an order for a $799.00 digital camera, a pretty typical order for us, and like you say we always do a check on a few things before we do the charge. The email address was from a free Yahoo account so it was sus to start with, and he wasn't in the phone book either.
We smelled a rat so we tried calling the customer, but the phone number turned out to be fake.
On this one we decided to ring our bank to check and were told the credit card was active; we could have got an authorisation number if we wanted to. I think they gave us one anyway, can't remember. So it hadn't been reported stolen.
If we had stayed with XXXXXXXXXXX [real time credit card payment gateway - name removed] it would have just done the transaction and we'd have sent out the cam.
But we didn't send anything out because it looked like we were being shafted big time. I contacted the bank a few days later and they told me the card had now been cancelled. Must have happened over the previous two days. They couldn't tell me if it was stolen, only that it was cancelled, but I knew it was stolen, that's a no brainer.
Had we sent out the camera we would have been hit with a charge back of $799.00 debited from our account, plus pay a charge back fee, plus we would have had to go hunting to get the cam back. Fat chance of that.
I thought you would like to know our new e-Path account has just saved us a fortune just on this one order. To say we are impressed is a bit of an understatement. Thanks heaps for a totally awesome service and we will be recommending you to everyone wanting to accept credit cards on the internet for sure.
Falling victim to credit card fraud causes inconvenience, frustration and financial loss. It can have a severe impact on the bottom line of any business. For the smaller business operator especially, falling victim to credit card fraud can be a very costly and painful experience.
Despite the best efforts of the banking industry and the card vendors themselves, the risk of falling victim to credit card fraud and then having to pay for the consequent loss is still very much a part of accepting credit cards online for the business owner ... but not so for the business in the above example!
Identify What Causes Vulnerability & Risk . . . . Then Engineer To Terminate Them!!
To understand the significance of what e-Path has brought to the industry in terms of improved online ecommerce security and what this means in real terms for you as the merchant (business owner) and for your online credit card paying customers, we first must recognise what the actual root causes of vulnerability and risk are with the current system.
We're not proposing adding to the endless variety of automated fraud screening plug-ins and add-ons that try to address symptoms. We are going right back to the heart, to the design, to the mechanics, to the very core reasons why there is so much vulnerability and risk with accepting credit cards online today .... and then we terminate them by engineering a system where those vulnerabilities and risks are either reduced substantially or simply do not exist at all.
The two main areas are:
ROOT CAUSE #1 - MERCHANT ACCOUNT VULNERABILITY
THE PROBLEM: In order for a third party real time payment processing gateway to function it will communicate directly with your merchant account, immediately processing any credit card entered into it by anyone and from anywhere.
Your own private merchant account facility at your bank is therefore open to the entire internet and will receive any communication from your third party real time payment processing gateway, even without you knowing. That's what 'real time' online credit card processing is, i.e., instant transactions into your merchant account 'live' on the open internet.
For those not within the culture of the online e-commerce industry the insanity of putting your own merchant account on the open internet, accessible to all without any control, speaks for itself. For those within the industry the common view on this situation is "well, that's just the way the system is".
If a credit card is stolen but not reported stolen and funds are available on the card then there is the likelihood the transaction will be approved. Fraud screening systems such as Verified By Visa™ and Mastercard Secure Code™ are designed to assist in preventing this from happening, however, if the response returned is "approved" then instantly the fraud has been perpetrated.
In some circles it is suggested that all a criminal needs to do with a stolen credit card is to locate a website that accepts credit cards online and if the transaction comes back 'approved' they know they may have a short period of time to undertake their criminal activities in the physical world.
Unfortunately the business owner who has fallen victim to this fraud has no idea at this stage. The business owner will send out the goods or provide the service and it may be some weeks before the bank breaks the news the transaction was in fact a fraudulent one.
A merchant (business owner) cannot keep funds from a credit card payment that was not authorised to be paid to the merchant by the legitimate cardholder. Therefore the entire amount is reversed out of the business owner's bank account by the bank in a process called 'charge back'. Some banks even charge a hefty extra fee for this.
Without any form of control the online business owner is totally at the mercy of the system. And it is the business owner who has to pay for the loss - a highly undesirable event played out tens of thousands of times every single day around the world, and one of the main reasons why accepting credit cards online is considered the highest risk transaction type of all.
THE SOLUTION: Engineer a payment gateway that does not require private merchant accounts to be sitting open and accessible to everyone on the open internet.
e-Path completely removes the merchant account from the internet thereby denying access to 'anonymous' individuals and transactions from being performed automatically without the business owner's knowledge.
The business owner becomes the one who is in control over their own merchant account. The merchant (business owner) can check the order and buyers details first before the charge even looks like doing harm.
Criminals never use their real address, phone number, fax etc., so it can be surprisingly easy to identify then delete attempts at fraud as they are received. e-Path provides you with the ability to check things first before the charge is performed which gives online business a powerful and highly effective tool in the fight against falling victim to credit card fraud and having to deal with costly bank 'charge backs'.
It has long been recognised that when potential fraud victims are themselves put in control of preventing themselves from falling victim to credit card fraud in the first place, the result is perhaps the most powerful and effective fraud prevention system available today.
e-Path sees this on a regular basis with those businesses who have made the switch from other gateway types to e-Path. Because of e-Path and their own vigilance they are now dramatically reducing, and in most cases, completely eliminating instances of falling victim to credit card fraud. We do not mention this lightly, this is exactly what occurs.
At this point it is important that you understand this does not guarantee you won't receive an attempt at credit card fraud. However, what it does guarantee is a total change of the status from 'falling victim to credit card fraud' to 'receiving a credit card fraud attempt'. The difference is that one has already done irreparable damage and the other hasn't done a single thing - a most glaring difference between the e-Path payment gateway and the typical third party payment gateway processing system.
e-Path has just eliminated root cause of vulnerability #1.
ROOT CAUSE #2 - PERMANENT STORING OF SENSITIVE CREDIT CARD DATA
THE PROBLEM: It is estimated that near 75% of the world's credit card fraud can be traced back to credit card data being compromised from within databases on web servers and from similar internet accessible storage devices.
When a database, a web server or internet accessible device is 'hacked' or broken into it can have catastrophic consequences simply because it may contain hundreds, thousands or perhaps even hundreds of thousands of credit card details.
In a recent case a high profile real time payment gateway processor had its database 'hacked' into. The cyber criminals netted over 40 million credit card details, and the exact cost of that one particular breach is still being calculated to this day (reported by ZDNet Australia, CNN Money and msnbc).
The issue is also technology itself. High-end security technology and understanding how it works is not just the exclusive domain of those who do things legally. Even with third party payment gateway service providers utilising the highest strength hardware and software firewalls currently available and a plethora of other advanced security measures to protect their stored credit card data, there is always risk involved.
Despite hundreds of millions dollars being continually spent in attempts to protect sensitive credit card data and to strengthen security defences, breaches still happen, hackers still get through and credit card data is still being stolen. This is an uncomfortable fact.
Therefore, it is the very fact that highly sensitive and private credit card data is permanently stored in the first instance by current third party online credit card payment processing gateway systems that is the core root cause of this vulnerability and risk.
THE SOLUTION: Engineer a gateway that does not permanently store credit card data.
e-Path does not permanently store credit card details. No names, no credit card numbers, no expiry dates; we don't even have databases, nothing is permanently stored. Once the merchant is in receipt of their customer's credit card payment, as far as e-Path and the internet are concerned it is as if the credit card payment never occurred in the first place.
A method that allows the safe accepting of credit cards online without credit card data being permanently stored online is an advancement in security of very tangible proportions for the entire industry. It provides the absolute ultimate form of protection for cardholder data: if it doesn't exist on the internet it can't possibly be stolen from the internet, which in itself has the potential to make the largest single contribution in the fight against online credit card fraud of any service or method to date.
e-Path has just eliminated root cause #2.
By recognising and then engineering to eliminate core root causes of vulnerability and risk rather than just continue on trying different things to plug-up the symptoms, e-Path has established a payment gateway that provides a level of security and protection for its gateway merchants and ordinary credit card holders that, we believe, is beyond anything seen before within the payment gateway industry. A true new era in e-commerce security.
However, improving the way online credit cards payments are handled doesn't come without a trade off. In e-Path's case this trade off is automation. e-Path does not transact credit cards online in real time. Furthermore, because there is no data permanently stored by e-Path we do not provide a credit card transaction history reporting facility - we can't do anything with data that doesn't exist .... but then again neither can 'hackers' or 'cyber criminals'!
Asymmetric Cryptography (Encryption - Decryption):
e-Path uses extraordinarily powerful encryption to further encrypt the payment data entered by the customer. 2,048 bit RSA encryption is a patented algorithm and recognised by Visa, Master Card, American Express and Diners Club as an approved encryption type. With e-Path there are multiple instances of this which all occur on top of and in addition to the SSL encryption that exists to protect the live connection between the cardholder and the business owner's e-Path gateway system.
Only one key in the world can decrypt data encrypted for a particular e-Path merchant. This is called asymmetric cryptography and if the encryption is to a certain strength, it is recognised as one of the few truly secure methods to protect data in the world today.
According to Qualys CEO Philippe Courtot: "The challenge with encryption is that older payment systems were not built to support the scrambling technology... Encryption is the ultimate measure of security.." (From: http://news.zdnet.com/2100-1009_22-6072594.html)
Here is an example of how a credit card looks when it is encrypted by e-Path. This data is utterly useless to anyone other than the specific merchant it has been encrypted for in the first place ...
&9wksm))kdolem2ui+Nhfu4SEldOkdnka/xon+u8
Ii/TxMDqbc86Lzm94nklenswkxF8=
=tOdt
You may be interested to learn the above is a true example, it is the actual credit card belonging to e-Path's founder. It remains totally and absolutely secure despite being publicly viewable on this website since 2007. A bold but very effective demonstration of the strength of the encryption used by e-Path.
Once an individual gateway system has been set up for an online business owner they become the only party in the world capable of decrypting card data encrypted on their unique gateway. Each and every e-Path gateway is separate with its own unique encryption system.
Asymmetric cryptography is used by the Department of Homeland Defence in the U.S., ASIO here in Australia and numerous other government departments, intelligence services and other high level enterprises and organisations serious about keeping highly sensitive data protected and secure.
The Difference Between Symmetrical and Asymmetrical Cryptography
Symmetrical cryptography is different to asymmetrical cryptography.
Symmetrical cryptography is where only one key does both the encrypting and the decrypting. With symmetric cryptography an entire database of highly confidential credit card data may be protected by only one key.
Although the symmetrical method is a fully approved method and is used by many payment gateways service providers to protect permanently stored data, the encryption type is not consistent with e-Path's primary objective to provide the maximum level of security technically possible. Therefore, e-Path does not use symmetric cryptography, nor does e-Path have any databases where credit card data is permanently stored.
The e-Path system utilises asymmetric cryptography, which means the data encrypted for a particular merchant is encrypted using only that merchant's unique key. Each gateway has its own unique and exclusive encryption/decryption system which is entirely separate to any other gateway or system.
Physical Credit Card Data Security: The Raw Truth
Almost all third party real time internet credit card payment gateways permanently store credit card details, i.e., the PAN (primary account number), name on card, expiry date etc. It is roughly estimated that near 75% of the world's credit card fraud can be either directly or indirectly attributed to credit card data being compromised (hacked into, stolen, copied) when permanently stored within databases on webservers or on similar storage devices.
However, it is estimated that less than 5% of credit card fraud can be attributed to credit card data being compromised when credit card details are in the sole physical possession of the business owner i.e., when things are done manually (offline), well away from the open internet.
With facts like these any reasonably clear thinking person would conclude that to finally put an end to the majority of fraud in the world today payment gateways only need to stop permanently storing sensitive credit card data online. If this is your thinking then we believe you would be 100% correct.
However, the third party online payment gateway processing industry and its supporting internet based merchant systems, usually operated by the banking industry, is how the online processing system was designed to operate from the very beginning. Its mechanics still remain largely unchanged to this day.
No matter how much money is continually invested in security it is impossible to guarantee 100% protection against hacking threats that are continually evolving in complexity, effectiveness and severity. You cannot defend now against a threat that may be invented and exist tomorrow morning. The only 100% foolproof defence against this is to not have credit card data permanently stored in the first place: if data doesn't exist on an internet accessible permanent storage device it can't possibly be stolen from that device.
In a recent high profile case 'hackers' were able to breach the security defences of a real time payment gateway processor company in the U.S. (reported by ZDNet Australia, CNN Money and msnbc). 40 million credit cards were stolen.
The cost to business all over the world from supplying goods and services purchased using these cards and the levels of hardship to cardholders from that one single episode is incalculable.
Yet, had e-Path been the payment gateway not a single credit card would have existed in any internet accessible permanent storage device and thus not a single credit card could have possibly been stolen.
When the merchant is processing the transaction manually offline, as they do when e-Path is the payment gateway, the credit card details are only in his/her possession; credit card details are nowhere near the open internet and are not being stored on the internet. The very core reason why highly sensitive credit card details are potentially available to 'hackers' and other types of 'cyber criminals' in the very first place is TERMINATED.
We have no doubt that if everyone started paying online by e-Path, 'hackers' and 'cyber criminals' would be extremely upset ... and perhaps the countless hundreds of millions of dollars spent each and every year in desperate attempts to keep 'hackers' and cyber criminals away from stored credit card data on the internet could be better spent elsewhere, perhaps towards helping to meet the needs for proper medical care for those less fortunate children in the world today.
THAWTE SSL
All e-Path communication between cardholder and any e-Path gateway is protected by THAWTE SSL. This is completely separate and in addition to the various encryption systems we utilise to protect actual data as mentioned above. THAWTE is a recognised world leader in SSL security.
A secure connection can be confirmed by a small padlock (1.) that appears bottom right of the customer's browser window and, with newer browsers, in the address bar. Customers may also click on the THAWTE link (2.) top right of all e-Path secure pages to obtain confirmation directly from THAWTE that SSL is currently valid and protecting the connection.
1. The Padlock
2. The THAWTE SSL Graphic
e-Path, PCI DSS and McAfee™
e-Path utilises the Payment Card Industry Security Standards Council approved and compliant McAfee™ PCI DSS (Payment Card Industry Data Security Standards) program. McAfee™ is a PCI Approved Scanning Vendor (ASV).
McAfee™ is best known for their HACKER SAFE trustmark and is a world leading provider of webserver security services including card vendor PCI (Payment Card Industry) compliance services.
The McAfee™ PCI Compliance program meets the requirements of Visa's CISP and AIS, MasterCard's SDP, American Express' DSS, DiscoverCard and JCB.
McAfee™ performs complex security and vulnerability scanning and provides e-Path with concise information on the continued security and PCI DSS compliance status of our secure server. Maintaining daily PCI DSS compliance is critical.
The 'device' is the secure server used to exclusively perform the e-Path secure credit card payment gateway service on the internet.
Our secure infrastructure is physically located in a secure datacentre which operates to a maximum-security standard with no physical access to the server infrastructure.
Above: an actual screen capture of part of a McAfee™ report on the security status of the secure e-Path gateway servers (device).
While the actual physical security of our secure servers is critical, it is how they communicate and operate the actual gateway functions that is one of the main contributing factors in determining compliance to PCI DSS.
e-Path Payment Gateway Security - Conclusion
e-Path, combined with the vigilance of those who have e-Path as their payment gateway, is indeed making a highly tangible contribution towards reducing the instances of credit card fraud.
If criminals plan on perpetrating credit card fraud on the internet by entering stolen credit cards into websites to be transacted live into the merchant accounts of unsuspecting businesses, then they'll have to stay doing this on websites that use other payment gateway types because when e-Path is the payment gateway this is simply not possible.
Similarly, if criminals plan on thieving large numbers of credit cards in one hit by 'hacking' into permanent data storage devices, then they will have to remain targeting other payment gateway types because with e-Path not a single snippet of credit card data (or any other data for that matter) is permanently stored in any internet accessible device. You can't thieve data that doesn't exist, again, another impossibility.