Wednesday 28 July 2021

Payment Security: Understanding the Four Corner Model

Online card payments may look simple, but a single transaction sets off a long chain of events across several parties. The Payment Card Industry covers debit cards, credit cards, prepaid cards, e-purses/e-wallets and POS payment transactions, all of which make paying easy for consumers. The card scheme is the central payment network through which these credit and debit card payments are processed.

The card scheme comes in two variants, the Three-Party Scheme and the Four-Party Scheme. The Four Corner Model, also known as the Four-Party Scheme, is the model under which most payment systems in the world operate; it is used in almost all standard card payment systems around the globe. Below we explain how the Four Corner Model works and the role of every entity involved in it.
The Payment Network: Four Corner Payment Security Model
The Four Corner Model of Payment Security and How it Works
The card payment network, often called the Four Party Scheme, comprises multiple entities involved in an online transaction: the Cardholder, the Merchant, the Issuer, and the Acquirer. Before looking at how the Four Corner Model works, let us briefly look at each entity and its role in the process.

Cardholder
Cardholders are the consumers who are issued a debit or credit card by a financial institution, such as a bank. The cardholder is a client of the issuing financial institution and may have an account directly linked to the payment card. The cardholder uses the card to pay for products or services purchased from businesses.

Merchant
Merchants are organisations that accept card payments from cardholders for the products or services they offer. They may offer “Card Present” payment options such as card swipe terminals and/or “Card Not Present” options such as online portals, or even modes such as UPI at the POS itself. E-commerce platforms, restaurants, hotels and shops equipped with POS payment terminals, for instance, are all merchants. Even an ATM can be termed a merchant, as the primary role of a merchant is to “accept” payment cards.

Issuer/Issuing Bank
The issuer is the financial institution that issues the payment card to the cardholder. It is generally a bank, and the card may be a debit card, credit card or prepaid card. Note that the issuing bank provides customers with payment cards on behalf of payment card brands such as Visa, Mastercard and American Express; this can also be a private payment brand or network such as a domestic scheme. Either way, it is the issuing bank that is responsible for the security of the payment card, its cryptography and the other relevant security controls.

Acquirer
An acquirer is basically a software and hardware vendor that provides merchants with a medium or tool for accepting payment cards. It is a third-party system and not the bank where the merchant holds its account. The acquirer supplies the hardware or software application the merchant uses to accept card payments and process the transactions. The acquirer is also responsible for managing the final authorization codes returned from a transaction and ensures the merchant delivers the goods or services based on the payments received. Examples include Razorpay, PayU and Paytm.

How the Four Corner Model Works
The Four Corner Model is triggered when a consumer pays online with a payment card for products or services purchased from a merchant. This starts the flow of payment authentication and processing across the entities involved. For this to happen, the cardholder needs a payment card and the merchant's POS terminal must be able to accept it.

When a customer pays with the card, an authorization request is transmitted from the merchant's POS terminal to the acquirer and then to the issuer, which returns either a positive or a negative response; the response travels back to the merchant and then to the cardholder. The authorization process and its response can be observed on the POS terminal screen. Note that the authorization requests and their responses are transmitted over the card networks such as Visa and Mastercard, a vast network of switches, gateways and servers operated by the card scheme. On receiving a positive response from the issuing bank, the merchant delivers the goods or services to the client. Note also that the Four Corner Model becomes a Three Corner Model if the acquirer bank is skipped and the switches and gateways route the authorization flow directly to the issuer; this reduces load on the payment network and speeds up transactions.

Authorization is only one side of the payment process. Clearing and settlement follow: the merchant transmits the transaction details to the acquirer, which collects the funds from the cardholder's account by transmitting the corresponding payment flows to the issuing banks. The merchant's bank receives the money only after the interbank settlement of funds.
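The two flows just described, authorization (POS to acquirer to scheme network to issuer, with the response retracing the same hops) and the later clearing and settlement, are modelled below in Python. This is an added illustration and not code from the original post; the entity names, card tokens, balances, two-digit response codes, prefix-based routing and the "amount within available balance" approval rule are all constructed for the example, and real scheme messages carry far more fields. The example also covers the Three Corner variant mentioned above by letting the switch route straight to the issuer.

```python
"""Toy model of the Four Corner card payment flow (added example).

Constructed for illustration: names, tokens, balances and the
approval rule are assumptions, not a real scheme specification.
"""
from dataclasses import dataclass, field

APPROVED, DECLINED = "00", "05"  # constructed response codes for this model


@dataclass
class Issuer:
    name: str
    accounts: dict                      # card token -> available balance (pence)
    held: list = field(default_factory=list)   # approved but unsettled auths

    def authorize(self, card_token: str, amount: int) -> str:
        """Approve only if the card is known and the amount fits the balance."""
        balance = self.accounts.get(card_token)
        if balance is None or amount > balance:
            return DECLINED
        self.accounts[card_token] = balance - amount   # place a hold on the funds
        self.held.append((card_token, amount))
        return APPROVED


@dataclass
class Acquirer:
    name: str
    merchant_funds: dict = field(default_factory=dict)   # merchant id -> settled funds
    clearing_queue: list = field(default_factory=list)   # sales submitted for clearing


@dataclass
class Merchant:
    merchant_id: str
    acquirer: Acquirer
    approved_sales: list = field(default_factory=list)   # goods released, not yet cleared


class SchemeNetwork:
    """The card scheme's switch: routes each request to the card's issuer."""

    def __init__(self, routing: dict):
        self.routing = routing          # constructed: token prefix -> Issuer

    def issuer_for(self, card_token: str):
        for prefix, issuer in self.routing.items():
            if card_token.startswith(prefix):
                return issuer
        return None


def authorize(merchant, network, card_token, amount, skip_acquirer=False):
    """Run one authorization and return (response_code, path of hops).

    skip_acquirer=True reproduces the Three Corner variant, where the
    switch routes the request directly to the issuer.
    """
    path = ["cardholder", merchant.merchant_id]
    if not skip_acquirer:
        path.append(merchant.acquirer.name)
    path.append("scheme-network")
    issuer = network.issuer_for(card_token)
    if issuer is None:
        code = DECLINED                 # no route for this card: decline at the switch
    else:
        path.append(issuer.name)
        code = issuer.authorize(card_token, amount)
    path += list(reversed(path[:-1]))   # the response retraces the request's hops
    if code == APPROVED:
        merchant.approved_sales.append((card_token, amount))   # goods released only now
    return code, path


def clear_and_settle(merchant, network):
    """Merchant submits approved sales to its acquirer; the acquirer collects
    from each issuer via the network; the merchant is credited only after
    that interbank settlement. Returns the amount settled."""
    acq = merchant.acquirer
    acq.clearing_queue.extend(merchant.approved_sales)
    merchant.approved_sales.clear()
    settled = 0
    for card_token, amount in acq.clearing_queue:
        issuer = network.issuer_for(card_token)
        if (card_token, amount) in issuer.held:
            issuer.held.remove((card_token, amount))
            settled += amount           # issuer pays acquirer in settlement
    acq.clearing_queue.clear()
    acq.merchant_funds[merchant.merchant_id] = (
        acq.merchant_funds.get(merchant.merchant_id, 0) + settled)
    return settled


def demo():
    """Constructed scenario: one good card, one short of funds, one unknown."""
    issuer = Issuer("issuer-bank", accounts={"4111-0001": 5000, "4111-0002": 100})
    network = SchemeNetwork({"4111": issuer})
    shop = Merchant("shop-42", Acquirer("acquirer-psp"))
    ok, path = authorize(shop, network, "4111-0001", 1500)
    low, _ = authorize(shop, network, "4111-0002", 1500)
    unknown, _ = authorize(shop, network, "9999-0000", 10)
    before = shop.acquirer.merchant_funds.get("shop-42", 0)   # nothing paid at auth time
    settled = clear_and_settle(shop, network)
    return {"ok": ok, "low": low, "unknown": unknown, "path": path,
            "before": before, "settled": settled,
            "after": shop.acquirer.merchant_funds["shop-42"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the approved/declined codes, the full hop list for the approved transaction, and shows that the merchant's balance at the acquirer is zero until clear_and_settle runs, which is the separation between authorization and settlement the text describes.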

The Four Corner Model is a popular model for online payment transactions. It is a systematic process that facilitates end-to-end secure transactions, encrypted and protected at every stage of the transmission of information or payment. Such payment transactions generally need HSMs and automated key management to prevent hacks or criminal activity while online payments are processed; these provide the framework for managing the numerous keys involved throughout their life cycles and ensuring secure payment transactions.

Author Bio
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC)
is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

Tuesday 13 July 2021

Free Coventry University Course to Help Everyone Protect their Online Privacy

Now everyone can learn what privacy means, how your privacy is impacted when using the web and mobile apps, and how to protect your privacy online thanks to a free course from Coventry University.

The UK university has worked closely with experts including Pat Walshe at PrivacyMatters to create an informative online course, offering participants easy access to key information about how to keep their online privacy safe.

Coventry University has a strong reputation for its digital education provision and online offering after it was ranked number 1 in the world for the delivery of Massive Online Open Courses (MOOCs) by MOOCLabs for 2021.

With people's information and digital footprint becoming increasingly sought after, the university hopes the course will build further awareness while helping people stay protected online. Typically, data is collected through cookies and pixels on websites or other means such as browser fingerprinting and trackers embedded in mobile apps. Tracking techniques allow multiple parties to learn about the pages you visit, what you click and view, what devices you use and your location, all of which has data protection and privacy implications.

Citizen Scientists Investigating Cookies and App GDPR compliance (CSI-COP), an EU Horizon2020 funded project led by Coventry University, has facilitated the free informal education course, called ‘Your Right to Privacy Online’. The project has already seen the creation of a privacy-by-design, no-tracking website.

The course is designed to help people gain the knowledge and skills to turn off tracking by disabling cookies on websites and changing app permissions on mobile devices. It features an introductory video, practical tasks and activities, a knowledge test and recommended reading to help participants stay safe online.

Huma Shah, Assistant Professor and Researcher in Artificial Intelligence at Coventry University, said: “We’re delighted to be able to tap into the university’s expertise in digital education to deliver this new, accessible and really useful course. The hope is that we can help as many people as possible to protect their online privacy and personal data while using the internet as well as giving them the tools and knowledge to better understand their rights to online privacy.”

Beyond the MOOC, members of the public can join the CSI-COP team as citizen scientists to explore the extent of tracking across the internet. Citizen science is a great way for volunteers to collaborate with research teams, raising awareness of issues impacting society and increasing trust between the general public and scientists.

Pat Walshe, Director for PrivacyMatters, said: “It’s never been more important to help people understand how their privacy is impacted when using websites and mobile apps and to help them protect their rights under data protection and ePrivacy law. I’m glad to see Coventry University working hard to achieve this with the development of this course which I’m sure will help greatly."

Find out more about this new course and the CSI-COP project.

Sunday 4 July 2021

Cyber Security Roundup for July 2021


A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, June 2021.

How was UK Government Building CCTV Leaked?
The Sun newspaper published CCTV workplace footage of Health Secretary Matt Hancock kissing aide Gina Coladangelo on 6th May 2021; the fact that both are married to other people fuelled several days of sensational headlines. Given Matt Hancock had led the charge on directing the UK's COVID rules, his position in government quickly became untenable, and he resigned a few days after the story broke. However, the big security concern here is how internal UK government building CCTV footage was obtained by an external reporter.
CCTV Leaked from UK Gov Buildings is a security concern
The Northern Ireland secretary, Brandon Lewis, summed up the security concern when he said “the security and privacy of government business mean ministers need to understand how someone was able to access and record the footage and then share it with a newspaper. What happens in government departments can be sensitive, important and people need to have confidence that what is happening in a government department is something that allows the government to be focused on these core issues, and the sensitivity sometimes in the security sense of those core issues."

Multiple media reports seem to point to a Department of Health and Social Care (DHSC) employee as being behind the leak. The Mail on Sunday reported that the leaker sent messages via Instagram to an unnamed anti-lockdown activist. One said: “I have some very damning CCTV footage of someone that has been recently classed as completely f***ing hopeless. If you would like some more information please contact me.” A further message said, “I have the full video … it’s now been deleted off the system as it’s over 30 days.”

The government announced it will be launching an internal investigation and inquiry into how the CCTV footage was leaked. Hopefully, this inquiry's findings will be publicly shared; I say hopefully as they don't have to make their findings public.

There was another security own-goal for UK Gov after classified Ministry of Defence (MoD) documents about HMS Defender were found at a bus stop in Kent. The MoD said it is investigating "an incident in which sensitive defence papers were recovered by a member of the public".

Pandemic Homeworker Employee Spying

Sticking with the workplace spying theme, a French court has ordered Ikea to pay a fine of €1m after the Swedish furniture chain was found guilty of spying on staff in France. Ikea France was accused of using private detectives and police officers to collect staff's private data.


With so many more people working from home during the pandemic, employers have stepped up the extent to which they monitor their staff online. Not so many years ago, employees were having to adjust to having their work emails monitored, but that seems almost quaint compared to the digital surveillance we are seeing today. Dr Evronia Azer, from Coventry University’s Centre for Business in Society, says surveillance at work can make employees feel vulnerable, leading to reduced productivity. In a recent blog, she offers solutions to curb this trend.

FIFA 21 Source Code Stolen

Game publishing giant Electronic Arts (EA) reported a hack involving the theft of the source code of several of its games, including FIFA 21, whose source code has been offered for sale on an underground forum. While some 780Gb of EA data was stolen, EA said no player data had been taken. "We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen," an EA spokesperson said in a statement. "No player data was accessed, and we have no reason to believe there is any risk to player privacy," she added.

FIFA 21 Source Code Stolen
EA said it had already improved security and stated that it did not expect "an impact on our games or our business". The "network intrusion" was not a ransomware attack and had happened recently, EA added.

Ransomware Update

JBS, the world's largest meat processing company, had some of its global meat production operations ground to a halt after its computer systems were attacked by ransomware. It was reported that JBS paid a £7.8m ($11m) Bitcoin ransom to REvil, a Russian-linked cybercriminal group. REvil had initially demanded $22 million, and after the ransom was paid the attackers provided JBS with the decryptor.

REvil Ransomware Decryptor

The United States recovered most of the £3.1m ($4.4m) ransom paid to the DarkSide group, responsible for taking the Colonial Pipeline offline last month, an attack which caused several days of fuel shortages in the United States. DarkSide is thought to operate out of eastern Europe and possibly Russia. Deputy Attorney-General Lisa Monaco said investigators had “found and recaptured” 63.7 Bitcoin worth $2.3m, “the majority” of the ransom paid. Since the ransom was paid, though, the value of Bitcoin has fallen sharply, so the recovered amount has taken a hit at the new, poorer exchange rate.


Stay safe and secure.