Posts

EMV: A Multitude of Payment Solutions

Clearent Payments API

What is EMV?  EMV, by definition, “is a global standard for credit and debit payment cards based on chip card technology taking its name from the card brands Europay, MasterCard, and Visa – the original card brands that developed it.” That definition doesn’t really tell us much. Most of us understand EMV to mean chip cards that are inserted into a slot in the payment terminal. Chip cards allow additional verification to prevent fraud in card-present transactions. They are much harder to copy than the traditional magstripe, and the chip generates a one-time cryptogram for each transaction, so data captured from one transaction can’t be replayed the way static magstripe data can.

EMV has disrupted the industry because as of October 2015 the Card Brands (Mastercard, Visa, Discover and Amex) have required their merchants to either accept EMV chip cards or be responsible for the resulting counterfeit-card fraud losses. This has been referred to as the liability shift, and it has rattled the payments industry. It’s the first time in years that U.S. merchants have been forced to upgrade their point-of-sale (POS) equipment and terminals. Terminal vendors are scrambling to support the technology and grab more market share, and merchants that are forced to buy new equipment start looking at new vendors. Read more

OWASP Security Vulnerability #9 – Components with Vulnerabilities

Developer Cyber Security PCI

This post is a continuation from my first Developer Blog post “PCI Check Up” – outlining the OWASP Top 10 web security vulnerabilities.  We keep these security vulnerabilities in mind as we build out our own payments platform and provide integration points to our partner developers.  In this post, I will review the number 9 OWASP web security vulnerability.

The number 9 vulnerability is Using Components with Known Vulnerabilities.  Most modern web applications take advantage of third-party libraries or frameworks that speed up application development.  If those third-party components have vulnerabilities in them, then by extension any application that uses those components has those same vulnerabilities, whether or not the application’s own code is sound.  It seems fairly obvious, but many developers simply lose sight of this concern: dependencies are pinned once and never re-checked against published advisories.

Read more
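The check that post is describing, as an added example (not Clearent’s code): take the pinned versions from a lock file and compare each against an advisory list with affected version ranges. Both the lock file and the advisory feed below are constructed sample data with made-up package names and advisory IDs; a real checker would pull them from the package manager and a vulnerability database.

```python
"""Added example, not part of the original post: audit a lock file against an
advisory list, flagging pins that fall inside an affected version range."""
import re

# Constructed sample lock file (hypothetical packages and versions).
LOCK_FILE = """\
# name==version, one pin per line, as in a pip requirements lock
fakehttp==2.5.1
faketemplates==2.10.1
fakeutils==4.17.10
fakessh==2.4.2
"""

# Constructed advisory feed: (package, introduced, fixed, advisory id).
# A pin is affected when introduced <= version < fixed (fixed is exclusive).
ADVISORIES = [
    ("fakehttp", "0.0.0", "2.6.0", "EXAMPLE-ADV-0001"),
    ("faketemplates", "0.0.0", "2.10.1", "EXAMPLE-ADV-0002"),
    ("fakeutils", "4.0.0", "4.17.11", "EXAMPLE-ADV-0003"),
    ("fakessh", "2.4.0", "2.4.2", "EXAMPLE-ADV-0004"),
]


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1) so '2.10' sorts after '2.6'.
    Only dotted numeric versions are handled; pre-release tags are out of scope here."""
    return tuple(int(part) for part in text.split("."))


def version_in_range(version, introduced, fixed):
    """True when version lies in the half-open affected range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def parse_lock(text):
    """Map package name (lower-cased) to its pinned version; comments and blanks skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unparseable lock line: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def audit(lock_text, advisories):
    """Return a sorted list of (package, pinned version, advisory id) for affected pins."""
    deps = parse_lock(lock_text)
    findings = []
    for package, introduced, fixed, advisory_id in advisories:
        pinned = deps.get(package.lower())
        if pinned is not None and version_in_range(pinned, introduced, fixed):
            findings.append((package, pinned, advisory_id))
    return sorted(findings)


if __name__ == "__main__":
    for package, pinned, advisory_id in audit(LOCK_FILE, ADVISORIES):
        print(f"{package}=={pinned} is affected by {advisory_id}")
```

Two of the four pins are flagged: faketemplates and fakessh sit exactly on their fixed version, which is why the range has to be half-open, and a naive string comparison would have mis-ordered 2.10.1 against 2.6.0. Run this as part of the build so a dependency that was clean when it was pinned gets re-checked every time the advisory list changes.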

OWASP Security Vulnerability #10 – Unvalidated Redirects and Forwards

Payment Security PCI

In a previous post ”Developer PCI Check up”, I provided a high-level overview of the OWASP (Open Web Application Security Project) Top 10 web security vulnerabilities.  Ensuring that these security vulnerabilities don’t exist in a web application is a critical part of being PCI compliant.  This is the first of ten posts going into more detail on each of the vulnerabilities.

Number 10 on the list is Unvalidated Redirects and Forwards.  Quite often, modern web applications use HTTP redirects and forwards to control the flow of the application.  A vulnerable system can be abused to send users to a malicious site, or to a page that downloads malicious code, from a link that starts on a domain the user trusts.  A system is likely vulnerable if it takes the redirect target from a query string parameter in the URL and redirects to it without validating it.  Here is an example of a URL that is vulnerable:

Read more
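The fix that post is leading up to, as an added example (not Clearent’s code): validate a redirect target taken from a query string parameter against an allow-list of hosts before issuing the redirect. The parameter name returnUrl and the hosts in ALLOWED_HOSTS are assumptions for the example; the edge cases it rejects (protocol-relative “//host”, backslash variants, userinfo tricks like “host@evil”, non-https schemes) are the ones a reviewer would test first.

```python
"""Added example, not part of the original post: allow-list validation for a
user-supplied redirect target (OWASP Top 10 A10, Unvalidated Redirects and Forwards)."""
from urllib.parse import parse_qs, urlsplit

# Hosts this application is willing to redirect to (constructed sample values).
ALLOWED_HOSTS = {"shop.example.com", "pay.example.com"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Accept only a same-site path ('/cart') or an https URL on an allowed host.

    Everything else is rejected, including protocol-relative '//evil', backslash
    variants '/\\evil' (browsers treat '\\' as '/'), 'https://good@evil' (userinfo),
    lookalike hosts such as 'good.evil', and non-https schemes like javascript:.
    """
    if not target:
        return False
    # Browsers normalise backslashes to slashes in the authority part, so do the same
    # before parsing, otherwise '/\\evil' would look like a harmless relative path.
    normalised = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal in the host
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require exactly one leading slash ('//host' is never here,
        # urlsplit already parsed that as a netloc, but '///host' is, so reject it).
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme != "https":
        return False  # blocks http, javascript:, data:, ftp and '//host' (empty scheme)
    # hostname strips userinfo and port and lower-cases, so
    # 'https://pay.example.com@evil.example.net' yields 'evil.example.net'.
    return parts.hostname is not None and parts.hostname in allowed_hosts


def resolve_return_url(request_url, param="returnUrl", fallback="/"):
    """Pull the redirect parameter from a request URL; return it only if it is safe."""
    query = parse_qs(urlsplit(request_url).query)
    candidate = query.get(param, [""])[0]
    return candidate if is_safe_redirect(candidate) else fallback


if __name__ == "__main__":
    for url in ("/account", "https://pay.example.com/checkout", "//evil.example.net",
                "https://pay.example.com@evil.example.net/", "javascript:alert(1)"):
        print(f"{url!r:50} -> {'allow' if is_safe_redirect(url) else 'deny'}")
```

The important design choice is the allow-list on the parsed hostname rather than a string search: checking that the value “contains pay.example.com” or “starts with https://pay.example.com” is exactly what the userinfo and lookalike-host cases defeat. When the target fails validation the handler falls back to a fixed location instead of echoing the parameter back.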

How Our Hosted Payments Page Is Different

Hosted Payment Page 1

Generally, a hosted payments page is a web page your payments provider hosts for you. The provider isn’t hosting a page you built, but rather a generic payments page that your eCommerce store, shopping cart, or checkout page hands off to for payment processing. From the customer’s point of view, they come to your website, add products to their shopping cart, pay for their goods and get a confirmation of the completed sale and pending shipment.

The image below shows the typical flow when using a hosted payments page.

Hosted Payments Page Flow

There are many benefits to using a hosted payments page:

  • Reduced PCI scope
    • Because card data is entered on the provider’s page and is never sent to your server, your PCI scope is greatly reduced.
  • Ease of implementation
    • Hosted payments pages generally require much less coding and development time before you can start accepting payments, so you are live much faster.
  • Reduced development costs
    • Because development and implementation time is reduced, so is the cost of building a payments solution.

But not all hosted payments pages are created equal, and typical hosted payments solutions come with some downsides:

Read more

PCI Check Up

Clearent PCI

At Clearent, we are starting preparations for our annual PCI audit.  One of the components of the PCI audit is ensuring that web applications guard against the OWASP Top 10 Web Application Vulnerabilities.  I thought this would be a good time to review that list.

The OWASP Top 10 document (a PDF published on OWASP.org) is the best source of information if you are creating web applications.  Below is a listing of the 10 vulnerabilities and a brief explanation of each.

Top Ten Web Application Vulnerabilities:

  1. Injection: This vulnerability covers all kinds of injection attacks, including SQL injection.  Applications need to ensure that user-supplied data can never change the structure of a query or command the application executes; for SQL that means parameterized queries rather than string concatenation.  It is important to guard data coming into the application, as well as data the application reads back out of its own stores, since stored data can carry an injection payload too.
  2. Broken Authentication and Session Management: Quite often developers build all of their application’s functionality themselves and introduce bugs along the way.  Authentication and session management are no different.  If possible, use tried-and-true third-party frameworks or libraries for these functions rather than writing your own.
  3. Cross-Site Scripting (XSS): XSS lets an attacker run script in other users’ browsers, typically to steal session data or to send the user to a malicious website.  Applications protect against this flaw by properly encoding untrusted data at the point where it is written into a page, not only by validating it on the way in.
  4. Insecure Direct Object References: This vulnerability typically happens when a developer exposes file names, database keys or other “internal” identifiers and then acts on whatever value the user sends back without checking that the user is authorized for that object, letting an attacker reach other users’ data by simply changing the identifier.
  5. Security Misconfiguration: Not locking down systems, not changing default passwords, and not keeping software up to date all cause this vulnerability.  These things seem obvious, but if they are obvious to us, they are obvious to attackers as well.
    Read more
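Item 1 in that list, as an added example (not Clearent’s code): the same lookup written with string concatenation and with a placeholder, run against a constructed in-memory SQLite table so the difference is visible in the rows returned. Table, rows and the merchant-lookup scenario are made up for the example.

```python
"""Added example, not part of the original post: SQL injection (OWASP Top 10 #1),
a string-built query beside its parameterised form, on a constructed SQLite table."""
import sqlite3


def make_db():
    """Constructed sample data: three merchants with (fake) API keys."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO merchants (name, api_key) VALUES (?, ?)",
        [("Acme Coffee", "key-aaa"), ("Bolt Bikes", "key-bbb"), ("Cider Co", "key-ccc")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Untrusted input is pasted into the SQL text, so it can rewrite the WHERE clause."""
    sql = "SELECT name, api_key FROM merchants WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """A placeholder: the driver sends the value separately and it can never become SQL.
    Hand-escaping quotes is not a substitute; the fix is to never build SQL from input."""
    return conn.execute(
        "SELECT name, api_key FROM merchants WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload: closes the quoted literal, then adds an always-true OR.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Return (rows from the vulnerable lookup, rows from the safe lookup) for PAYLOAD."""
    conn = make_db()
    return len(lookup_vulnerable(conn, PAYLOAD)), len(lookup_safe(conn, PAYLOAD))


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print(f"vulnerable lookup returned {vulnerable_rows} rows, safe lookup returned {safe_rows}")
```

With a legitimate name both functions return one row. With the payload the concatenated query becomes `WHERE name = 'x' OR '1'='1'` and dumps every merchant’s key, while the parameterised query looks for a merchant literally named `x' OR '1'='1` and returns nothing. The same placeholder approach covers the “data being retrieved” case from the list: a name stored with a quote in it is still just a value when it is bound rather than concatenated.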