End-to-end encryption in on-line payment systems: The industry reluctance and the role of laws

Safari Kasiyanto

    Research output: Contribution to journal › Special issue › Scientific › peer-review


    Abstract

    Various security breaches at third-party payment processors show that online payment systems are a primary target for cyber-criminals. In general, the security of online payment systems relies on a number of factors, namely technical, processing, and legal factors. The industry makes its best efforts to strengthen the technical and processing factors, while governments have been called upon to improve the legal factors. Nevertheless, breaches of consumer data, and the financial losses that follow from them, keep occurring. Findings from forensic audits show that most online payment systems, such as those using credit and debit cards as their instruments, share a weak point that leaves them vulnerable to hacking: financial data in transit are not fully encrypted. Encryption is indeed employed within the systems, but only on certain networks. Industry standards, as reflected in codes of conduct, only oblige the players to encrypt financial data transmitted over public networks, not over their own private networks. On top of that, laws and regulations often leave encryption unregulated. Thus, although it is seen as the strongest method so far to prevent such breaches, end-to-end encryption has not been fully implemented. Why does the industry seem reluctant to implement end-to-end encryption? What do the laws say on this, and would it be appropriate for the law to impose such an obligation for the sake of consumer protection? This paper tries to shed light on these issues. To investigate the industry's reluctance, it discusses the security of online payment systems and the nature of retail payment systems. As for the legal and regulatory frameworks, it outlines and focuses on the EU level. Online payment systems using credit or debit cards serve as the main example in this paper, as such methods have matured far more than the others. However, special attention will be drawn to innovative payments such as mobile payments and virtual currencies, as the security issues of such innovative payments have given rise to regulatory challenges.
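    The weak point the abstract describes, encryption on the public network only while card data travel in clear across the private segments between players, can be made concrete. The following Python script is an added illustration and not code from the paper: the merchant → gateway → processor chain, the keys, the test PAN and the routing fields are all constructed for the example, and the HMAC-SHA256 encrypt-then-MAC cipher is a standard-library stand-in for a vetted AEAD such as AES-GCM. It contrasts hop-by-hop (link) encryption, where each intermediary decrypts and re-encrypts and therefore holds the card number in clear, with end-to-end encryption, where the number is sealed once at capture under a key only the processor holds, so the gateway can route the message but neither read nor alter the card data.

```python
"""Hop-by-hop versus end-to-end encryption of card data in transit.

Added illustration, not code from the paper. A card number (PAN) travels
merchant -> gateway -> processor. In the hop-by-hop model every link is
encrypted separately (the "encrypt on the public network" pattern), so each
intermediary decrypts, reads, and re-encrypts. In the end-to-end model the
merchant seals the PAN at capture under a key only the processor holds, and
intermediaries forward an opaque blob they can route but not read or alter.

The cipher below is an HMAC-SHA256 encrypt-then-MAC stream construction built
from the standard library so the script runs offline; it stands in for a
vetted AEAD such as AES-GCM and is not for production use.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF."""
    blocks = [hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC. `aad` (routing fields) is authenticated but left readable."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# Constructed sample data: a Luhn-valid test PAN (not a real card) and the
# routing fields that intermediaries legitimately need to read.
PAN = b"4111111111111111"
ROUTING = b"merchant=M-0042;amount=19.99;currency=EUR"

# Constructed keys. The two link keys model per-network sessions (e.g. TLS);
# the end-to-end key is provisioned into the merchant's capture point and is
# otherwise held only by the processor.
K_MERCHANT_GATEWAY = secrets.token_bytes(32)
K_GATEWAY_PROCESSOR = secrets.token_bytes(32)
K_PROCESSOR_E2E = secrets.token_bytes(32)


def hop_by_hop(pan: bytes = PAN) -> dict:
    """Each hop terminates the inbound link and opens a new one."""
    wire1 = seal(K_MERCHANT_GATEWAY, pan, ROUTING)           # merchant -> gateway
    at_gateway = unseal(K_MERCHANT_GATEWAY, wire1, ROUTING)  # gateway now holds clear PAN
    wire2 = seal(K_GATEWAY_PROCESSOR, at_gateway, ROUTING)   # gateway -> processor
    return {"gateway": at_gateway,
            "processor": unseal(K_GATEWAY_PROCESSOR, wire2, ROUTING)}


def end_to_end(pan: bytes = PAN, tamper: bool = False) -> dict:
    """PAN sealed once at capture; the gateway forwards the blob unchanged."""
    blob = seal(K_PROCESSOR_E2E, pan, ROUTING)
    seen = {"gateway": blob, "processor": None, "rejected": False}
    if tamper:  # a compromised gateway flips one ciphertext bit
        i = NONCE_LEN
        blob = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
    try:
        seen["processor"] = unseal(K_PROCESSOR_E2E, blob, ROUTING)
    except ValueError:
        seen["rejected"] = True
    return seen


if __name__ == "__main__":
    print("hop-by-hop, gateway sees:", hop_by_hop()["gateway"])
    print("end-to-end, gateway sees:", end_to_end()["gateway"].hex())
    print("end-to-end, tampered blob rejected:", end_to_end(tamper=True)["rejected"])
```

    Run as a script it prints the card number as seen by the gateway under each model: clear under hop-by-hop, ciphertext under end-to-end. Passing the routing fields as authenticated associated data is the design point that lets an intermediary still do its job (route on merchant, amount, currency) without being able to change them or to read the PAN; any modification by a compromised hop fails verification at the processor.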
    Original language: English
    Article number: 3
    Pages (from-to): 99-126
    Number of pages: 28
    Journal: IANUS 2015 – MODULO JEAN MONNET
    Volume: 2015 Special Edition
    Issue number: Jean Monnet Modul
    Publication status: Published - 26 Mar 2016


    Keywords

    • encryption
    • online payments
    • payment systems
    • Technological uncertainty
    • security breaches

    Cite this

    Kasiyanto, Safari. / End-to-end encryption in on-line payment systems: The industry reluctance and the role of laws. In: IANUS 2015 – MODULO JEAN MONNET. 2016 ; Vol. 2015 Special Edition, No. Jean Monnet Modul. pp. 99-126.

    Full text: http://www3.unisi.it/ianus/numero_12_bis_Ianus_Special_Issue_2015/4_Safari_Kasiyanto_99-126.pdf
    ISSN: 1974-9805