e-Path Payment Gateway Security

Credit card fraud is one of the most challenging issues facing credit card providers, the banking industry and law enforcement authorities today. Fraud costs in the area of $550,000,000+ per year and is on the rise. e-Path's reason for existing is to boldly help change this.

But firstly, what exactly does credit card fraud mean to you, the merchant? Consider this all too common scenario sent in from a new e-Path merchant. We have published it here with permission as it perfectly illustrates not only the risks of accepting credit cards online but also what can be done to help eliminate them ...

Thanks for the info. I have to let you know of a real brush we had with a crim last week.

We received an order for a $799.00 digital camera a pretty typical order for us and like you say on your site we always do a quick check on a few things before we do the charge. The email address was from a free yahoo account so it was sus to start with and he wasn't in the phone book either.

We smelled a rat so we tried calling the customer but the phone number turned out to be fake.

On this one we decided to ring our bank to check and was told the credit card was 'active', we could have got an authorisation number if we wanted to, I think they gave us one anyway, can't remember. So it hadn't been reported stolen.

If we had stayed with XXXXXXXXXXX [real time credit card payment gateway - name removed] it would have just done the transaction and we'd have sent out the cam.

But we didn't send anything out cause it looked like we were being shafted big time. I contacted the bank a few days later and they told me the card had now been cancelled. Must have happened over the previous two days. They couldn't tell me if it was stolen only it was cancelled, but I knew it was stolen that's a no brainer.

So had we sent out the cam we would have been hit with a charge back of $799.00 debited from our account and we would have had to go hunting to get the cam back. Fat chance of that.

I thought you would like to know our new e-path account has just saved us $799.00 in one hit. To say we are impressed is a bit of an understatement. Thanks heaps for a totally awesome service and we will be recommending you to everyone wanting to accept credit cards on the internet for sure.

Why dad didn't get on to you guys first is beyond me. Way to go guys.

Falling victim to credit card fraud causes inconvenience, pain and anger. It has the potential capacity to ruin a small business. Despite the best efforts of the banking industry and the card vendors themselves, credit card fraud is still very much a part of the world in which we live. Merchants themselves are usually the ones who take the full impact of the loss .... not so in the above example!!

Identifying What Causes Risk ..... Then Eliminate It.

To understand the significance of what e-path has brought to the industry in terms of improved security, and what this means in real terms for you as the merchant and for your online credit card paying customers, we must first recognise the two major root causes of vulnerability that exist within the current real time online processing system that are fundamental to the function of that system.

The two main areas are:

ROOT CAUSE #1 - AUTOMATIC MERCHANT ACCOUNT VULNERABILITY

THE PROBLEM: In order for a real time payment gateway to function it will directly communicate with your merchant account immediately processing any credit card entered into it by anyone and from anywhere. You have no control. Your own private merchant account facility at your bank is therefore open to the entire internet and will receive any communication from your real time payment gateway, even without you knowing. That's what 'real time' means, i.e., instant transactions into your merchant account on the open internet.

If a credit card is stolen but not reported stolen and funds are available on the card then there is the likelihood the transaction will be approved, instantly the fraud has been perpetrated.

In some circles it is suggested that all a criminal needs to do with a stolen credit card is to locate a website with a real time payment gateway and if the transaction comes back 'approved' they know they may have a short period of time to undertake their criminal activities in the physical world.

Unfortunately the merchant who has fallen victim has no idea at this stage. The merchant will send out the goods and it may be some weeks before the bank breaks the news the transaction was a fraudulent one.

A merchant cannot keep funds from a credit card payment that was not authorised to be paid to the merchant by the legitimate card holder. Therefore the entire amount is reversed by the bank in a process called 'charge back'. Some banks even charge an extra fee for this.

Without any form of control, the merchant is at the mercy of the system. And it's the merchant who has to deal with the loss - a highly undesirable and painful event played out tens of thousands of times every single day around the world.
THE SOLUTION: Engineer a gateway that does not require private merchant accounts to be sitting open and accessible to everyone on the internet.

e-Path completely removes the merchant account from the internet thereby denying access to 'anonymous' individuals and transactions from being performed automatically without the merchant's knowledge. The merchant becomes the one who is in control over their own merchant account. The merchant can check the order and buyers details first before the charge even looks like doing harm.

Criminals never use their real address, phone number, fax etc., so it can be surprisingly easy to identify then delete attempts at fraud as they are received. e-Path provides you with the ability to check things first before the charge is performed which gives online merchants a powerful and highly effective tool in the fight against falling victim to credit card fraud and having to deal with costly bank 'charge backs'.

It has long been recognised that when potential fraud victims are themselves put in control of preventing themselves from falling victim to credit card fraud in the first place, the result is perhaps the most powerful and effective fraud prevention system available today.

e-Path sees this on a regular basis with those merchants who have made the switch from the real time system to e-Path. Because of e-Path and their own vigilance they are now completely eliminating instances of falling victim to credit card fraud. We do not mention this lightly, this is exactly what occurs.

With e-Path the merchant account is safe, protected and well away from the vulnerabilities and risks of the open internet. The merchant has full and total control over what is and what is not transacted into their own private merchant account at their bank.

At this point it is important that you understand this does not guarantee you won't receive an attempt at credit card fraud. However what it does guarantee is a total change of the status from 'falling victim to credit card fraud' to 'receiving a credit card fraud attempt'. The difference is that one has already done irreparable damage and the other hasn't done a single thing - a most glaring difference between the e-Path gateway system and a real time payment gateway system.

e-Path has just eliminated root cause of vulnerability #1.

ROOT CAUSE #2 - PERMANENT STORING OF SENSITIVE CREDIT CARD DATA.

THE PROBLEM: It is estimated that near 70% of the worlds credit card fraud can be traced back to credit card data being compromised from within databases on web servers and from similar storage devices.

When a database or a web server is 'hacked' or broken into it can have catastrophic consequences simply because it may contain hundreds, if not thousands, of credit card details. In a recent case a high profile real time payment gateway processor had its database 'hacked' into. The criminal/s netted over 40 million credit card details (read more: Internet Security, Internetrix , Hereld Sun Wikipedia Zednet, Security Focus, Softpedia, MSNBC, The Washinton Post)

The issue is also technology itself. High-end security technology and understanding how it works is not just the exclusive domain of those who do things legally. Despite some payment gateway service providers utilising the highest strength hardware and software firewalls currently available and a plethora of other advanced security measures to protect their stored credit card data, there is always risk involved. When credit card data is being permanently stored on the internet it can never be guaranteed 100% safe. This is an uncomfortable fact.

It is important to understand that payment gateway service providers are rarely at fault. Indeed many will go to extraordinary expense to minimise the risk in this area. It is the very fact that highly sensitive and private credit card data needs to be permanently stored in the first instance for the 'real time' online transaction system to function that is the core root cause of vulnerability.

Simply put, if credit card data is permanently stored in internet accessible databases on web servers there will always remain an omnipresent security risk.

What is interesting to note is that consumers are becoming increasingly aware of this risk and are not happy. Would you be happy paying by credit card on the internet if your credit card details are going to be permanently stored in a database on an internet accessible web server somewhere? A recent poll conducted in the UK asked a similar question which resulted in some not so surprising answers:

NO: 87%
YES: 11%
UNDECIDED: 2%

The above poll results seem to confirm what the industry is starting to realise but is perhaps trying hard to ignore - that the demand for a better and safer system that does not permanently store sensitive credit card details on the internet is growing by the day.
THE SOLUTION: Engineer a gateway that does not permanently store credit card data.

e-Path does not permanently store credit card details. No names, no credit card numbers, no expiry dates, we don't even have databases, nothing is permanently stored.

Once the merchant is in receipt of their customers credit card payment, as far as e-Path and the internet is concerned it is as if the credit card payment never occurred in the first place.

A method that allows the safe accepting of credit cards online without credit card data being permanently stored online is a leap in security of truly unheard of proportions. It provides the absolute ultimate form of protection for card holder data - if it doesn't exist on the internet it can't possibly be stolen from the internet, which in itself has the potential to make the largest single contribution in the fight against online credit card fraud of any service or method to date.

e-Path has just eliminated root cause #2.

By attacking and eliminating core root causes of vulnerability and risk rather than just continue on trying different things to plug-up the symptoms, e-Path has established a payment gateway that provides a level of security and protection for its gateway merchants and ordinary credit card holders that is beyond anything seen before. The fact we ended up with a system that is less expensive and a lot easier to use than the real time system are totally unplanned bonuses.

However, improving the way the world handles online credit cards payments doesn't come without a trade off. In e-Path's case this trade off is automation. e-Path does not transact credit cards online in real time. Further, because there is no data permanetly stored by e-Path we do not provide a credit card transaction history reporting facility. We can't do anything with data that doesn't exist .... but then again neither can 'hackers' and criminals!!!

Card-Not-Present Transactions Security & PVV

While e-Path provides the mechanics that enables a new and powerful approach to reducing the instances of falling victim to credit card fraud, merchants will still be handling card-not-present transactions. CNP (card-not-present) transaction types are classified as high risk by merchant account providers and card vendors for very good reason. However, this risk can be reduced substantially when a merchant follows a specific process to challenge and check the buyers details prior to accepting the order and charging the card.

e-Path Pty Ltd is currently finalising formal submissions to The Payment Card Industry Security Standards Council, Visa International (via Visa Asia Pacific), Master Card, American Express, Diners Club and JCB suggesting consideration be given for the introduction of a simple and easy points based ID checking process, called Preprocess Verification Validation (PVV).

A uniform standards guide for merchants to adhere to when performing all types of card-not-present transactions would further strengthen the recognised security advantages of the manual (offline) method. It would also give merchant account providers (banks) the necessary confidence to further increase their support for the manual method which, as it has proved, substantially lowers their own exposure to risk on a merchant account service provider level.

e-Path currently provides its own PVV to which each e-Path merchant must follow in order to utilise the e-Path service, it is a condition of our service. Subsequently, e-Path merchants can identify fraudulent orders/transactions as they come through and eliminate them from doing any harm. The effectiveness of this in negating instances of credit card fraud is truly extraordinary and evidence of which is the foundation of our submission to the PCI Security Standards Council and card vendor companies.

It is interesting to note that in a person/card present situation (officially the lowest risk classification) the merchant does not have any highly pertinent details about the cardholder to check. They only have a piece of plastic and a signature, nothing more and therefore are totally reliant on automatic fraud screening processes to guard them. There is a 550+ million dollar fraud bill (and growing) each year that is evidence that these automatic fraud screening processes whether online or in the physical world are not beyond needing quite a bit of help.

As we have mentioned in an above section, when potential fraud victims (merchants) are themselves put in control of preventing themselves from falling victim to credit card fraud and preventing themselves incurring the subsequent financial loss in the first place, the result is a most extraordinarily effective fraud prevention system. We have little doubt that if the world switched from internet based live transactions to manual offline transactions, criminals and fraudsters would be extremely upset.

As more information on our PVV proposal comes to hand we will publish it here.

Physical Credit Card Details Security: Manual offline vs Real Time Internet Based

Real time internet based credit card payment gateway processors permanently store credit card details, i.e., the PAN (primary account number), name on card, expiry date etc. It is roughly estimated that near 70% of the worlds credit card fraud can be either directly or indirectly attributed to credit card data being compromised (hacked into, stolen, copied) when permanently stored within databases on webservers or on similar storage devices.

However, it is estimated that less than 5% of credit card fraud can be attributed to credit card data being compromised when credit card details are in the sole physical possession of a merchant i.e., when things are done manually (offline), well away from the open internet.

When the merchant is processing the transaction manually the credit card details are only in his/her possession, credit card details are nowhere near the open internet and are not being stored on the internet. If the concern is genuinely about actual physical credit card data security then the insurmountable security advantage of doing things manually (offline) without credit card details being permanently stored on the internet, is therefore self evident.

Removing credit card data from having to be permanently stored on webservers or on similar storage devices on the internet, as is the case when e-Path is used to accept online credit card payments, is one of the most tangible advancements in improving protection for actual physical credit card data the industry has seen.

THAWTE SSL

All e-Path activity is protected by THAWTE SSL. THAWTE is a recognised world leader in SSL security. The THAWTE SSL protection with e-Path means there is a live 128/256 bit secure connection protecting your customers sensitive credit card data while they make payment on your e-Path gateway system.

A secure connection can be confirmed by a small padlock¹ that appears bottom right of customers browser window and with newer browsers will appear in the address bar. Customer may also click on the THAWTE link top right of all e-Path secure pages to obtain confirmation directly from THAWTE that SSL is currently valid and protecting the connection.

1. The Padlock		2. The THAWTE SSL Graphic

The e-path gateway system will not function if SSL is not present. Normal internet http connection with our secure gateway server is not possible.

Asymmetric Cryptography (Encryption - Decryption):

e-Path uses extraordinarily powerful encryption to further encrypt the payment data entered by the customer. 2,048 bit RSA encryption is a patented algorithm and recognised by Visa, Master Card, American Express and Diners Club as an approved encryption type. With e-Path this occurs on top of and in addition to the SSL encryption that exists to protect the live connection between customer and e-Path.

Only one key in the world can decrypt data encrypted for a particular e-Path merchant. This is called asymmetric cryptography and if the encryption is to a certain strength, it is recognised as one of the few truly secure methods to protect data in the world today.

According to Qualys CEO Philippe Courtot: "The challenge with encryption is that older payment systems were not built to support the scrambling technology... Encryption is the ultimate measure of security.." (From: http://news.zdnet.com/2100-1009_22-6072594.html)

Here is a example of how a credit card looks when it is encrypted by e-Path. This data is utterly useless to anyone other than the specific merchant it has been encrypted for in the first place ...

Az3jASSVoqHNAKg4bvopr9wjDtdsCT1UTEYBbwAAVc5TvVIuNt7gI830aafGgcfkF
80qAS4Gi7PbKuBhcE7JEx1aSLIxq2jJ2pD0dd2jzznYnxrX6uULu+ec5dsdcRBXVL
WEKPzeKu6htRV9D4U0/lWzgnJEcfp0+tkzS3ntdCfFZnNNABo/d2OAPmjfe9jMDrJqf
u50uEOXkjG2fFn6MFQxvz4jpj7fieo93nZn26J8wOtuDqFcqM9woj5ccBYH63k/ueR8
SD7GZwvfdDJqYmcvrMqRIP0ZmZNdQ9mzRsgjnL9/r9qCt58eg1mgSayGPESd+9
QZp7B6XPpUBybGF4JOF0sOK/CGbZPIrs9/5uOxPx49g1CG2rbjfkkETCUUUScW
PUNNFSTdU9vQlYvtZWCrtn7XRwZQ7clC+vyMhr6XdLATwGE/lsGlNuB97hSV3CJzU
5zaVzP0Skwz0LNhJMJDGNifabjwVQjrj5CPYJhBov8MfCx4VHlekJ+seVn7utPLNk/f2
C6cLVbiXvBmbKlndDeijtn3bi7VU+CkKitmOhOewhlGak6yrLGXEJq33bXyfKyB/A
bYN/3zxqQ4eDERs1Ur4KbOXQ51qImXrTHXntJprGvC8pokl4soPCgGZPM9uEgoqx
vfO0wrwOP6E6gK4htSvZVLVihh80Kmqf2sZXecPfTDZ6ZGrde2/rqw4+tjV++BKa+
c4DP8KtJMkyxK2wSrN7Nooi689trshrQ1Pgq1yVGnKdm/xHr/6sRHvJLfR+KHygfaLr
3xytPX8skkoyU9zf255QvVm5cxrXaDhshsjKVwWlpNbr8VJw55XgjAME0jcQeouXZI
UMVHt4RVIPongqI4ixjqkDqBkIb7qbB3qwdMLMcF6jvULQwGr4JA86wgxgzILHeS3
jdkuri78s8839jkdmmfku59384j&9wksm))kdolem2ui+Nhfu4SEldOkdnka/xon+u8
Ii/TxMDqbc86Lzm94nklenswkxF8=
=tOdt

For those interested, the above is the actual encrypted credit card belonging to one of e-Path's founders. It was first published on this site in 2005 and remains to this day absolutely secure, despite it being openly available to the entire world for over three years.

Asymmetric cryptography is used by the Department of Homeland Defence in the U.S., ASIO here in Australia and numerous other government departments, intelligence services and other high level enterprises and organisations in the business of keeping highly sensitive data protected and secure.

It is our understanding that e-Path was the first credit card payment gateway in the world to deploy individual asymmetric cryptography (encryption) security, different and unique for each and every e-Path merchant. This is of course on top of and in addition to the 128/256 bit SSL connection encryption.

The Difference Between Symmetrical and Asymmetrical Cryptography

Symmetrical cryptography is where one key does both the encrypting and decrypting. With symmetric cryptography an entire database of highly confidential credit card data data may be protected by only one key.

Although the symmetrical method is a fully approved method and is used by many payment gateways to protect permanently stored data, this encryption type is not consistent with e-Path's primary objective to provide the maximum level of security technically possible. Therefore, e-Path does NOT use symmetric cryptography, nor does e-Path have any databases where credit card data is permanently stored.

The e-Path system utilises asymmetric cryptography which means the data encrypted for a particular merchant is encrypted using only that merchants unique key. Only that particular merchant can decrypt their encrypted data.

e-Path, PCI DSS and McAfee™

e-Path utilises the Payment Card Industry Data Security Council approved and compliant McAfee™ PCI DSS (Payment Card Industry Data Security Standards) program. McAfee™ is a PCI Approved Scanning Vendor (ASV).

McAfee™ is best known for their HACKER SAFE trustmark and is a world leading provider of webserver security services including card vendor PCI (Payment Card Industry) compliance services.

The McAfee™ PCI Compliance program meets the requirements of Visa's CISP and AIS, MasterCard's SDP, American Express' DSS, DiscoverCard and JCB.

McAfee™ performs complex security and vulnerability scanning on an almost continual basis and provides e-Path with concise information on the continued security and PCI DSS compliance status of our secure server.

The 'device' is the secure server used to exclusively perform the e-Path secure credit card payment gateway service on the internet.

It is physically located in a secure datacentre which operates to a non-access to server infrastructure standard.

HackerSafe & PCI Compliance Scan Results for e-Path

Above: The above graphic is an actual screen capture of part of a McAfee™ report on the security status of the secure e-Path gateway server (device).

While the actual physical security of our secure server is critical, it is how secure the server communicates and operates the actual gateway functions on the internet that is one of the main contributing factors in determining compliance to PCI DSS.

The Bottom Line

The end result of all this is e-Path, combined with the vigilance of those who have e-Path as their payment gateway, is indeed making a highly tangible contribution towards finally ending online credit card fraud.

If criminals plan on perpetrating credit card fraud on the internet by entering stolen credit cards into websites to be transacted live into the merchant accounts of unsuspecting businesses, then they'll have to stay doing this on websites that use 'real time' payment gateways because on websites that use e-Path as their payment gateway it is NOT going to happen.

Similarly, if criminals plan on thieving large numbers of credit cards in one hit by 'hacking' into databases on web servers, then they will have to remain targeting 'real time' payment gateways because with e-Path not a single snippet of credit card data is permanently stored on the internet. You can't thieve data that doesn't exist - it is NOT going to happen.

Criminals who engage in online credit card fraud have had it too easy for too long. There's a new payment gateway in town that's finally put the odds fair and square in favour of the 'goodies'.

Payment Card Industry Data Security Standards

e-Path can be integrated into many shopping carts

2048 bit Patented RSA Asymmetric Cryptography

New generation payment gateway security for merchants



	Home\| The Credit Card Payment Gateway \| How e-Path Works \| Merchant Requirements \| About e-Path Pty Ltd e-Path Security \| Payment Gateway Integration \| About the PCI DSS \| Price \| e-Commerce Hosting \| e-Partner Opportunities F.A.Q. \| Support Centre \| TOS, UA, Merchant Agreement \| Privacy Policy \| Contact \| Apply for e-Path Now \| DEMO \| Site Content Disclaimer


	This website makes no determination as to the suitability of the e-Path service for your particular personal or business needs. e-Path is an Australian based global provider of the e-Path Internet Credit Card Payment Gateway Service. All Rights Reserved - Copyright 2005, 2006, 2007, 2008 E-PATH PTY LTD ACN:124032917 \| ABN:70124032917