With the combination of Orbiscom’s Controlled Payment Application Platform and nCipher’s payShield hardware security modules, NTT DATA is implementing the very highest level of security available.

Download in PDF »

Background

Online credit card payments have been plagued by high levels of fraud and disputed transactions. To counter this trend Visa has introduced a new security protocol, Verified by Visa (VbV), that incorporates new payment authentication systems that ensures card issuers authenticate their cardholders with an additional level of security that significantly reduces fraud. This is expected to encourage greater numbers of merchants to trade online, while at the same time increasing shopper confidence.

As part of the rollout of VbV in Japan, NTT DATA Corporation have launched their CAFIS Access Control Server (ACS) ASP service. This builds on NTT DATA’s existing Credit and Finance Information System (CAFIS), a nationwide card authentication data center system connecting credit card companies, financial institutions, enterprises and merchants for online transactions involving credit information. The service makes use of a password, obtained in advance from the card issuer, which adds additional security to Internet shopping and other online card transactions.

The Challenge

Credit card companies make use of the CAFIS ACSASP service by having the necessary VbV system environment installed in the CAFIS data center. By deploying a readymade secure application, card issuing banks are able to implement Verified by Visa without the expense of developing their own inhouse solution. NTT DATA had to ensure that customer PIN, password, and other sensitive information provided by the card issuer could be protected in a way that not only met the security requirements of VISA International but also matched the highest levels of security that have helped CAFIS build a solid reputation over the years. NTT DATA needed to select application software and secure cryptographic hardware that would meet these stringent requirements.

Solution Overview

NTT DATA selected Orbiscom’s Controlled Payment Application Platform™ suite underpinned by nCipher’s payShield™ hardware security modules. This joint implementation protects cryptographic keys, key operations and enhances key management functionality for NTT DATA’s Verified by Visa service.

Orbiscom’s technology provides a major enhancement to current payment initiatives. The Controlled Payment Application Platform™ suite uses cryptography in a variety of ways to encrypt sensitive information and to store customer information securely. The integration of nCipher’s payShield HSM establishes a safe, tamperresistant environment that overcomes the inherent security flaws associated with handling sensitive information or performing secure processes on unprotected server platforms. payShield is certified to the Federal Information Processing Standard (FIPS), a mandatory part of the Verified by Visa infrastructure.

Used in the context of a PKI application, Orbiscom’s product suite uses the nCipher payShield to store and manage PKI certificates and keys for use in SSL communications. The cryptographic keys used to create these trusted paths become a principal point of risk, with the focus of attacks changing from conventional eavesdropping and man-in-the-middle attacks to extraction of the server keys themselves. The addition of the nCipher HSM ensures personal details and authorization rights can’t be stolen for fraudulent use or corrupted to provide unauthorized access.

In addition, Orbiscom’s Controlled Payment Application Platform uses potentially vulnerable keys to sign XML data and to encrypt sensitive data held in an Oracle database in a similar way. With the integration of a payShield HSM (hardware security module) the integrity of the cryptographic keys, all communications, customer data and hence the trusted infrastructure remains intact and secure.

Solution Benefits

The combination of nCipher’s payShield hardware security module and Orbiscom’s Controlled Payment Application Platform provides a number of significant benefits to NTT DATA and to customers of the CAFIS ACS ASP service. The use of hardware combats the threat of eavesdropping by securing valuable SSL keys in tamperresistant hardware. This protects the confidential communications channel between a server and the user’s browser, over which personal credentials are presented.

payShield also prevents an attacker from gaining inappropriate access to XML communications, ensuring Web services are secured from eavesdroppers and ensuring the integrity of information by securely signing XML messages.

The database encryption functionality provides the highest level of protection for stored data. By allowing fine-grained access control to the Orbiscom database and selective encryption of secure information at the data-item level, payShield not only guarantees the confidentiality of stored data but at the same time allows NTT DATA to enforce its own security policies to control access to sensitive data.

Conclusion

For NTT DATA, security is more than simply compliance with Visa’s guidelines for online authentication. As an outsourced service, CAFIS ACS ASP must deliver the highest levels of assurance to customers yet meet stringent service availability requirements. The very nature of the sensitive financial information that NTT DATA manages heightens the risk of attack and therefore the security for the ASP service has to be focused on all points of risk, at both the database as well as the individual transaction level. With the combination of Orbiscom’s Controlled Payment Application Platform and nCipher’s payShield hardware security modules, NTT DATA is implementing the very highest level of security available.