End-to-end encryption in on-line payment systems: The industry reluctance and the role of laws

Safari Kasiyanto

Research output: Contribution to journal › Special issue › Scientific › peer-review


Abstract

Various security breaches at third-party payment processors show that online payment systems are the primary target for cyber-criminals. In general, the security of online payment systems relies on a number of factors, namely technical factors, processing factors, and legal factors. The industry makes its best endeavors to strengthen the technical and processing factors, while the government has been called upon to improve the legal factors. However, breaches of consumers' data, and the financial losses resulting from such breaches, keep occurring. Findings from forensic audits show that most online payment systems, such as those using credit and debit cards as their instruments, have a weak point that leaves the systems vulnerable to hacking. This weak point concerns the so-called financial data in transit, which are not fully encrypted. Encryption is indeed employed within the systems, but only on certain networks. The industry standard, reflected in codes of conduct, only obliges the players to encrypt the financial data transmitted on the public network, and not on their private networks. On top of that, laws and regulations often leave encryption unregulated. Thus, although seen as the strongest method so far to prevent such breaches, end-to-end encryption has not been fully implemented. Why does the industry seem reluctant to implement end-to-end encryption? What do laws rule on this, and would it be appropriate for the law to impose such an obligation for the sake of consumer protection? This paper tries to shed light on these issues. To investigate the industry's reluctance, this paper discusses the security of online payment systems and the nature of retail payment systems. As for the laws and regulatory frameworks, this paper outlines and focuses on the EU level. Online payment systems using credit or debit cards are used as the main example in this paper, as such methods are much more mature than the others. However, special attention will be drawn to innovative payments such as mobile payments and virtual currencies, as the security issues of such innovative payments have given rise to regulatory challenges.
Original language: English
Article number: 3
Pages (from-to): 99-126
Number of pages: 28
Journal: IANUS 2015 – MODULO JEAN MONNET
Volume: 2015 Special Edition
Issue number: Jean Monnet Modul
Publication status: Published - 26 Mar 2016

Keywords

  • encryption
  • online payments
  • payment systems
  • Technological uncertainty
  • security breaches

Cite this

Kasiyanto, Safari. / End-to-end encryption in on-line payment systems: The industry reluctance and the role of laws. In: IANUS 2015 – MODULO JEAN MONNET. 2016; Vol. 2015 Special Edition, No. Jean Monnet Modul. pp. 99-126.
@article{239b39cfadcf406ba05fa0475960650d,
title = "End-to-end encryption in on-line payment systems: The industry reluctance and the role of laws",
keywords = "encryption, online payments, payment systems, Technological uncertainty, security breaches",
author = "Safari Kasiyanto",
year = "2016",
month = "3",
day = "26",
language = "English",
volume = "2015 Special Edition",
pages = "99--126",
journal = "IANUS 2015 – MODULO JEAN MONNET",
issn = "1974-9805",
number = "Jean Monnet Modul",
}

Kasiyanto, S 2016, 'End-to-end encryption in on-line payment systems: The industry reluctance and the role of laws', IANUS 2015 – MODULO JEAN MONNET, vol. 2015 Special Edition, no. Jean Monnet Modul, 3, pp. 99-126.

End-to-end encryption in on-line payment systems: The industry reluctance and the role of laws. / Kasiyanto, Safari.

In: IANUS 2015 – MODULO JEAN MONNET, Vol. 2015 Special Edition, No. Jean Monnet Modul, 3, 26.03.2016, p. 99-126.

TY - JOUR

T1 - End-to-end encryption in on-line payment systems

T2 - The industry reluctance and the role of laws

AU - Kasiyanto, Safari

PY - 2016/3/26

Y1 - 2016/3/26

KW - encryption

KW - online payments

KW - payment systems

KW - Technological uncertainty

KW - security breaches

UR - http://www3.unisi.it/ianus/numero_12_bis_Ianus_Special_Issue_2015/4_Safari_Kasiyanto_99-126.pdf

M3 - Special issue

VL - 2015 Special Edition

SP - 99

EP - 126

JO - IANUS 2015 – MODULO JEAN MONNET

JF - IANUS 2015 – MODULO JEAN MONNET

SN - 1974-9805

IS - Jean Monnet Modul

M1 - 3

ER -