Smartcards have become popular for individual use because of their set of features and especially their high level of security. Banks have been the pioneers, and thanks to EMV – an open standard of security and interoperability created by Europay, MasterCard and Visa that defines interactions between processing devices and cards at the physical, electrical, data and application levels – several companies can take advantage of the benefits of this technology.

Most card issuers have adopted EMV, initially due to regulations and fraud reduction. The EMV standard provides for the use of encryption at all stages of the process and is superior to the magnetic card mainly in three aspects:

• Card Authentication – Cards are authenticated online by the issuer using a Dynamic Data Authorization (DDA) or offline by the terminal using Static Data Authorization (SDA) according to the risk parameters defined by the issuer.
• Carrier Authentication – The holder is verified through encrypted credentials and stored on the card by the sender at the time of the personalization, protecting against theft or loss.
• Transaction Authentication – Unique data is created for each transaction, preventing any captured data from being used to execute new transactions. The information is sent along with a specific cryptogram to the issuer, which authorizes or denies the transaction.

The industry soon realized that the use of the chip, in addition to security and reduction of operating costs, would popularize the use of cards by allowing new features such as: benefit programs, access control, mobile payments (contactless cards), among others . Gradually, new segments such as government, retail, transportation, entertainment and telecommunications have aroused interest in this technology to offer dedicated solutions in the form of private label and benefit cards, packaging services in new payment instruments and retaining customers.

The technology structure that supports this process must be based on market practices, and the EMV standards provide an adequate balance between security, flexibility and interoperability.

In this context, there are four main points of attention regarding the security of electronic transactions:

• Institution Private Key Protection – The institution’s private key is the highest point in the trust chain of a payment system. The compromise of this key invalidates all cards issued by the institution. In this way the process of issuing and storing this key must occur in a Hardware Security Module (HSM).
• Card issuing / personalizing process – During the card issuing process, cryptographic keys are generated, which will later be used for carrier and card authentication. This generation must occur in a secure environment (servers are general-purpose equipment and do not provide the necessary protection for cryptographic keys) so that the keys involved in the process are not compromised.
• Transition between security domains – Authentication and transaction data travels between multiple participants (sender, acquirer, capture network, processor) during the payment process and has its security guaranteed by cryptographic operations. Only one HSM is capable of providing the security and performance adequate to perform these operations.
• Authentication / validation process – The authentication and validation process requires access to confidential information (cryptographic keys) and a high processing power at the central point in order to meet the increasing demand for real-time transactions, characteristics typically provided by a hardware Security Module.

Given the importance of encryption key protection, it is very risky to keep them stored on the server hard drive, and for corporate demands, it is unfeasible to keep them in smartcards or tokens. HSM Appliances or Hardware Security Module, as well as provide adequate protection, ease system load by performing complex cryptographic operations, and centralize cryptographic key management – more security with lower cost of ownership.

Using HSM for card issuance and transaction processing is the safest way to implement credit, debit, prepaid, or benefit card payment systems. DINAMO Networks has developed one of the best HSMs in the market, according to international standards such as FIPS 140-2 and homologated by the Institute of Information Technology – a government agency linked to the Civil House of the Presidency of the Republic, which defines and controls all technical and related to the Brazilian Public Key Infrastructure (ICP-Brazil).

Our team of engineers are thoroughly familiar with the technologies, standards, and standards that surround online transaction processing and can help you make the most of our solutions to improve or build your infrastructure with maximum security and performance.