
Since the core technology around online payment solution

By kabir khan | in Business | Published 2015-02-11 02:42:06 | 113 Reads | Unrated

Summary

End-to-end, or point-to-point, encryption (P2PE) technologies encrypt the data before it even reaches the memory of the hosting machine (inside the POI device, i.e. the payment terminal or a standalone MSR device) and decrypt it only after it has left the POS.

Full Content

PCI DSS requires encryption of stored cardholder data, and encryption in transit only where the data crosses open, public networks. Since the core technology of payment card processing has fundamental security flaws, the payment application should encrypt sensitive cardholder data wherever possible: in memory, at rest, and in transit. It is also good practice to apply the defense-in-depth principle and put in extra layers of protection wherever possible. For example, when sending data over a network, a payment application can encrypt the sensitive data elements with a symmetric algorithm and also protect the entire communication session with a transport security mechanism such as TLS (SSL/HTTPS) or IPsec. In theory, physical and logical security controls form another layer of protection. In practice they are of limited effect in the hostile working environment of a POS that is directly exposed to the public.

The answer to the question of memory protection is simple: sensitive cardholder data cannot be completely safe unless it is encrypted before it is placed in memory. There is no existing reliable security mechanism that prevents memory scraping. If an attacker gains access to the POS host, the data will very likely leak, because most operations on sensitive data (including encryption, decryption and cryptographic key management) are performed in memory, and anything the application can read in its own address space, a process running with the same privileges can read too.

There are preventive measures that minimize data exposure or, more precisely, shorten the time the data spends in clear text in memory, so that less sophisticated memory scrapers do not have enough time to catch the tracks. To do that, the payment application keeps the sensitive data encrypted in memory most of the time and decrypts it only for the short period during which it is needed in clear text.

It is important that clear-text data is cleaned up after it is used. For example, memory buffers (byte arrays) containing sensitive data should not be left for garbage collection, which may happen after an indefinite delay; they should be zeroed explicitly before the reference to the buffer is lost. For this reason mutable buffers are preferable to strings, especially in managed runtimes such as the .NET Framework or the Java Virtual Machine, where strings are immutable and the programmer has no direct control over when their memory is overwritten.

There is no doubt that the only reliable way to protect data in memory is not to have it in memory in clear text. End-to-end, or point-to-point, encryption (P2PE) technologies encrypt the data before it even reaches the memory of the hosting machine (inside the POI device, i.e. the payment terminal or a standalone MSR device) and decrypt it only after it has left the POS, in the payment gateway's data center. Even software P2PE, where the data is encrypted by the application running on the POI device, is still vulnerable but provides a much higher level of confidentiality than having no P2PE at all and exposing the data to the POS RAM. Moreover, P2PE protects not only memory: it also keeps sensitive data unreadable in transit and at rest.
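The pattern of the last three paragraphs (keep the data encrypted in memory, decrypt into a mutable buffer only for a short window, zero the buffer afterwards, and encrypt inside the POI so the POS host only ever handles ciphertext) as an added Python example. This is not code from the article or from any payment vendor. It assumes a key shared between the POI and the gateway (in practice DUKPT or key injection would supply it) and uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a standard-library stand-in for AES-GCM; the Track 2 sample is constructed with a well-known test PAN.

```python
import hashlib
import hmac
import os
from contextlib import contextmanager

# Constructed sample: Track 2 data with the test PAN 4111111111111111.
SAMPLE_TRACK2 = b";4111111111111111=25121011234567890?"

NONCE_LEN, TAG_LEN = 16, 32


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytearray:
    """XOR data with an HMAC-SHA256 counter-mode keystream (stand-in for AES).
    Caveat: each 32-byte digest is an immutable bytes object that CPython frees
    but does not zero; a native AES implementation keeps the keystream out of
    interpreter-managed memory entirely."""
    out = bytearray(data)
    for start in range(0, len(out), 32):
        block = hmac.new(key, nonce + (start // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        for i, b in enumerate(block[: len(out) - start]):
            out[start + i] ^= b
    return out


def poi_encrypt(key: bytes, track: bytes) -> bytes:
    """Runs inside the POI device: encrypt the track before the POS host sees it.
    Envelope: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(_xor_keystream(key, nonce, track))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def pos_forward(blob: bytes) -> bytes:
    """Runs on the POS host, which holds no key: scraping this process yields only
    the opaque envelope. It checks the shape and forwards the blob unchanged."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("malformed P2PE envelope")
    return blob


def is_authentic(key: bytes, blob: bytes) -> bool:
    """Constant-time tag check over nonce || ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


@contextmanager
def cleartext_window(key: bytes, blob: bytes):
    """Gateway side: verify, decrypt into a mutable bytearray, yield it, and zero it
    on exit even if processing raised. The ciphertext remains the long-lived form;
    clear text exists only inside the with-block."""
    if not is_authentic(key, blob):
        raise ValueError("P2PE authentication failed")
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    buf = _xor_keystream(key, nonce, ct)
    try:
        yield buf
    finally:
        for i in range(len(buf)):  # overwrite in place; never wait for the GC
            buf[i] = 0


def gateway_process(key: bytes, blob: bytes):
    """Extract the last four PAN digits for the receipt and return them together
    with the (now zeroed) buffer so a caller can confirm the cleanup."""
    with cleartext_window(key, blob) as buf:
        sep = buf.find(b"=")
        # Only the non-sensitive last four become an immutable str; decoding the
        # whole buffer would create a copy that cannot be zeroed.
        last4 = buf[sep - 4:sep].decode("ascii")
    return last4, buf
```

The zeroing is best effort, which is exactly the article's point: the interpreter still made short-lived copies (the per-block digests, the slice for the last four digits), so the real gain comes from the POI encrypting before the host, and from keeping the decrypt window at the gateway as short as possible.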

Key components can be stored in different places, such as the application code, a configuration file and the Registry, so that an attacker must have simultaneous access to all of those places in order to reconstruct the key. The basic principles of signing data files and messages are the same as for code signing: generate the digital signature after the data is written, and validate the signature before the data is read. The technology behind data signing, however, is slightly different from Authenticode, which was previously described in connection with code signing.
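The split-key and sign-after-write / verify-before-read points of this paragraph as an added Python example, not the article's own code. The component values, file names and record contents are constructed. The paragraph speaks of a digital signature; this block uses HMAC-SHA256 from the standard library as a stand-in, so the verifying process holds the same key as the signer: it detects tampering by anyone without that key but provides no non-repudiation the way an asymmetric signature would.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed stand-ins for the three storage locations named in the text.
# Real components are injected at install time, never literals in source.
COMPONENTS = {
    "code":     bytes.fromhex("0123456789abcdef0123456789abcdef"),
    "config":   bytes.fromhex("fedcba9876543210fedcba9876543210"),
    "registry": bytes.fromhex("5a5a5a5a5a5a5a5aa5a5a5a5a5a5a5a5"),
}


def combine_components(*components: bytes) -> bytes:
    """XOR the components. Any proper subset is statistically independent of the
    key, so an attacker must read every location (code, config, Registry) at once."""
    if not components or len({len(c) for c in components}) != 1:
        raise ValueError("components must be non-empty and of equal length")
    key = bytearray(len(components[0]))
    for comp in components:
        for i, b in enumerate(comp):
            key[i] ^= b
    return bytes(key)


def sign_after_write(path: str, record: dict, key: bytes) -> None:
    """Serialise canonically, write the bytes, then sign exactly those bytes."""
    data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    with open(path, "wb") as f:
        f.write(data)
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    with open(path + ".sig", "w") as f:
        f.write(tag)


def verify_before_read(path: str, key: bytes) -> dict:
    """Check the signature over the raw bytes before parsing them; a file that
    fails is never handed to the JSON parser."""
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".sig") as f:
        stored = f.read().strip()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stored):
        raise ValueError("signature check failed; refusing to read " + path)
    return json.loads(data)


def demo(tamper: bool = False) -> bool:
    """Round-trip a settings file; returns True only if it was read successfully."""
    key = combine_components(*COMPONENTS.values())
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "settings.json")
        sign_after_write(path, {"gateway_url": "https://gw.example", "timeout": 30}, key)
        if tamper:  # attacker edits the data file without holding the key
            with open(path, "wb") as f:
                f.write(b'{"gateway_url":"https://attacker.example","timeout":30}')
        try:
            record = verify_before_read(path, key)
        except ValueError:
            return False
        return record["gateway_url"] == "https://gw.example"
```

Splitting the key raises the bar against an attacker who can read one location (a leaked config backup, a dumped Registry hive) but not against code running as the application itself, which must assemble the full key in memory to use it; that is the same memory exposure discussed above, and the reason the assembled key should live in a zeroable buffer for as short a time as possible.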

Author Bio: -   

Feepal is a fast-growing online community for fee payment gateways. Relevant and much-needed information, including the latest news about online payment and online payment solutions for colleges, current affairs and CSAT, is updated on a regular basis.
