Moving securely into the digital future of payment

Ensuring a secure future with the optimum payment solution

Increasing acceptance of digital payments and new payment methods

With digitalisation on the rise, the payment industry is entering a new era. Acceptance of digital payment methods is increasing among customers and also experienced a significant boost during the COVID-19 pandemic. This has led to a new mix of payment options. Alongside traditional options, such as cash or debit/credit cards, consumers now also have access to mobile payment, SOFORT payment and eWallet solutions.

The topic of cybersecurity is therefore a top priority for financial institutions and banks. After all, incidents involving cybercrime such as phishing and other scams have also seen a dramatic rise during the pandemic.

With the growing use of digital financial services and eCommerce, cybercriminals can now target a far larger number of users and online accounts with social engineering attacks.

In light of the serious consequences of such security breaches, the use of reliable and proven cryptographic cybersecurity solutions is clearly of vital importance. In addition, all players in the banking and financial services sector must meet extremely exacting IT compliance requirements and regulations.

By 2025, global non-cash transactions are set to hit a total volume of 1.8 trillion transactions, up from 0.78 trillion transactions in 2020, representing a CAGR of 18.6%.

(Source: Capgemini, "World Payments Report 2021", October 2021)

Full-scope support and established products

achelos offers a comprehensive portfolio of products and services for providers in the field of payments.

We offer you comprehensive support - from professional consulting by our experienced security experts, through individual development services, all the way up to support during audits and successful operation of the new solution.

We use established, certified products from our strong network of partners here.



One market – many challenges

Payment systems

Digital payment systems are subject to particularly strict compliance requirements. Indeed, they must be certified to corresponding standards (primarily PCI PTS HSM, DK and FIPS 140-2 Level 3) or officially approved.

In December 2014, the PCI Security Standards Council (PCI SSC) added Requirement 18-3, Key Blocks, to the PCI PIN Security Requirements.

This requirement significantly improves the protection of the symmetric keys that payment system participants share in order to protect PINs and other sensitive data.

It is broken down into three implementation phases and applies to all participants in the PIN security program:

  • Phase 1: Implementation of key blocks for internal connections and key storage in the environments of service providers. This includes all applications and databases that are connected to hardware security modules (HSMs). Phase 1 came into force on June 1, 2019.
  • Phase 2: Implementation of key blocks for external connections to associations and networks. Date of entry into force: January 1, 2023.
  • Phase 3: Implementation of key blocks for all retailer hosts, POS devices and ATMs. Date of entry into force: January 1, 2025.

These key blocks should comply with ANSI standard ASC X9 TR 31-2018 "Interoperable Secure Key Exchange Key Block Specification" or a similar key format that satisfies the respective requirements. The solution must also be certified to PCI PIN and/or PCI PTS HSM.

However, proprietary formats are today still being used in many cases. These need to be replaced or certified according to the new specifications.
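To make the key block concept concrete, the following added example (not code from the page, from achelos or from any HSM vendor) parses the 16-character header of an ANSI X9 TR-31 key block and applies a usage policy to the parsed attributes. The field layout and code tables reflect the TR-31 header as the example understands it; the two sample blocks are constructed, their "encrypted key" and "MAC" fields are random hex, and the example does not verify the MAC, which in a real HSM is what cryptographically binds the header attributes to the key. The point it illustrates is why key blocks matter: the key usage, algorithm, mode of use and exportability travel with the key, so a PIN encryption key cannot quietly be presented as a data encryption key.

```python
# Added example: TR-31 key block header parser plus a usage policy check.
# Code tables and layout are the TR-31 header as this example understands it;
# the sample blocks are constructed and carry random hex, not real key material.
from dataclasses import dataclass, field

VERSION_IDS = {
    "A": "key variant binding (deprecated)",
    "B": "TDES key derivation binding",
    "C": "TDES key variant binding",
    "D": "AES key derivation binding",
}
KEY_USAGES = {"B0": "base derivation key (DUKPT)", "D0": "data encryption",
              "K0": "key encryption / wrapping", "K1": "TR-31 key block protection key",
              "P0": "PIN encryption"}
ALGORITHMS = {"A": "AES", "D": "DES", "T": "TDES", "R": "RSA", "H": "HMAC", "E": "elliptic curve"}
MODES_OF_USE = {"B": "encrypt and decrypt", "C": "generate and verify", "D": "decrypt only",
                "E": "encrypt only", "G": "generate only", "N": "no special restrictions",
                "S": "sign only", "V": "verify only", "X": "key derivation"}
EXPORTABILITY = {"E": "exportable under a KEK in a key block", "N": "non-exportable",
                 "S": "sensitive, exportable"}

HEADER_LEN = 16
MAC_HEX_LEN = {"A": 8, "B": 16, "C": 8, "D": 32}  # MAC field length in hex digits per version


@dataclass
class KeyBlockHeader:
    version: str
    block_length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: dict = field(default_factory=dict)
    encrypted_key_hex: str = ""
    mac_hex: str = ""


def parse_key_block(block: str) -> KeyBlockHeader:
    """Split a TR-31 key block into header fields, optional blocks, key data and MAC."""
    if len(block) < HEADER_LEN:
        raise ValueError("block shorter than the 16-character header")
    version = block[0]
    if version not in VERSION_IDS:
        raise ValueError(f"unknown version id {version!r}")
    declared = int(block[1:5])                  # total length in ASCII characters
    if declared != len(block):
        raise ValueError(f"declared length {declared} != actual {len(block)}")
    hdr = KeyBlockHeader(version=version, block_length=declared, key_usage=block[5:7],
                         algorithm=block[7], mode_of_use=block[8], key_version=block[9:11],
                         exportability=block[11])
    for value, table, name in ((hdr.key_usage, KEY_USAGES, "key usage"),
                               (hdr.algorithm, ALGORITHMS, "algorithm"),
                               (hdr.mode_of_use, MODES_OF_USE, "mode of use"),
                               (hdr.exportability, EXPORTABILITY, "exportability")):
        if value not in table:
            raise ValueError(f"unrecognised {name} {value!r}")
    n_opt = int(block[12:14])                   # block[14:16] is reserved
    pos = HEADER_LEN
    for _ in range(n_opt):                      # each: 2-char id, 2-char hex length, data
        opt_id = block[pos:pos + 2]
        opt_len = int(block[pos + 2:pos + 4], 16)
        if opt_len < 4 or pos + opt_len > len(block):
            raise ValueError(f"bad optional block length for {opt_id!r}")
        hdr.optional_blocks[opt_id] = block[pos + 4:pos + opt_len]
        pos += opt_len
    mac_len = MAC_HEX_LEN[version]
    body = block[pos:]
    if len(body) <= mac_len:
        raise ValueError("no room for encrypted key and MAC")
    hdr.encrypted_key_hex, hdr.mac_hex = body[:-mac_len], body[-mac_len:]
    bytes.fromhex(hdr.encrypted_key_hex)        # raises ValueError if not hex
    bytes.fromhex(hdr.mac_hex)
    return hdr


def check_policy(hdr: KeyBlockHeader, expected_usage: str, allowed_modes: set) -> bool:
    """Accept a key only if its bound attributes match what the caller intends to do."""
    if hdr.key_usage != expected_usage:
        raise PermissionError(f"key usage {hdr.key_usage} is not {expected_usage}")
    if hdr.mode_of_use not in allowed_modes:
        raise PermissionError(f"mode of use {hdr.mode_of_use} not permitted here")
    return True


# Constructed samples: AES-128 PIN encryption key, encrypt-only, exportable.
SAMPLE_KEY = "a1" * 32   # 64 hex digits: stands in for the encrypted key field
SAMPLE_MAC = "c3" * 16   # 32 hex digits: stands in for the version D MAC
BLOCK_PLAIN = "D0112P0AE00E0000" + SAMPLE_KEY + SAMPLE_MAC
BLOCK_WITH_KS = ("D0144P0AE00E0200" + "KS0C" + "00000001" + "PB14" + "0" * 16
                 + SAMPLE_KEY + SAMPLE_MAC)

if __name__ == "__main__":
    h = parse_key_block(BLOCK_WITH_KS)
    print(h.key_usage, KEY_USAGES[h.key_usage], h.optional_blocks)
    print("PIN translation allowed:", check_policy(h, "P0", {"B", "E"}))
```

An application receiving the block reads these fields to decide whether the key may be used for the requested operation, while the HSM itself must verify the MAC over the header before honouring any of them; a header that parses cleanly but fails the MAC is to be rejected, which is exactly the protection the key block requirement adds over bare proprietary formats.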

ISO 20022

In the past, there was a lack of uniform international formats for messages in the field of financial and payment transactions. With the ISO 20022 standard, the Payments Market Practice Group (PMPG) closed this gap and developed a uniform format for finance and payment-related messages between countries, customers and banks. Payment transaction processes are described according to a defined methodology and are built on message and file types in the XML data format.

ISO 20022 itself is based on a central repository that offers free access to all information.

In future, all players in the field of payment transactions will need to introduce this new standard in a step-by-step approach or run the risk of losing access to the most important payment networks. This has technical effects on existing payment systems and also leads to a transformation of payment services all the way up to global trade.

Global monetary transfer network SWIFT will already be requiring its member banks to receive new ISO 20022-compliant MX messages instead of SWIFTNet FIN messages (MT) from November 2022 onwards, and then also to send these messages themselves from 2025 onwards at the latest. By then, all financial institutions must be capable of both sending and receiving ISO 20022 CBPR+-compliant messages for cross-border payments.

For banks, the world of commerce and companies, there is a lot to consider when converting to ISO 20022. Learn from achelos how the existing infrastructure can be adapted to the new requirements in the best possible way!

 

Girocard | SECCOS®

The SECCOS® operating system is used for chip cards in the German banking industry and represents a special feature in the German EMV environment. The approval process for this system is highly complex and formalised. Indeed, the development environment must be certified by the German banking industry and compliance must be regularly confirmed during site visits.

 

Our portfolio for certified security in the payment environment

HSM consulting and firmware development

Securing an optimum HSM solution through independent consulting and first class products

achelos offers you comprehensive expert knowledge in and around successful deployment of standard HSMs as well as individual, certifiable HSM solutions for effective protection of your data.

The tried and tested, certifiable products of our partners (including Utimaco) represent the core of your new payment HSM environment. achelos provides smooth planning, provision, integration and commissioning, as well as support services here.

We also develop tailor-made payment HSM solutions for applications that are subject to proprietary requirements but do not currently have an HSM interface. Our experienced software architecture and software development teams adapt the firmware and interfaces of the payment HSM individually to your requirements. We obviously take into account applicable regulatory requirements here, such as PCI PTS HSM or DK. This ensures that you and your new HSM environment are optimally prepared for the requisite certifications and audits.

We are also happy to accompany and support you during the certification process for the new complete solution. The experts at achelos have longstanding expertise in the certification of security-critical products and applications. Thanks to our own CC site certification, we can provide full-scope support for even the most demanding development projects.

 

HSM partner products

In the field of payment HSMs, we use the high performance products of our partner Utimaco:

Utimaco PaymentServer

  • Designed for the Payment Card and Payment Transaction Industry
  • Certified hardware meeting strict compliance requirements for payment industry use cases
  • Specifically designed for cashless payment transaction processing, PIN transaction, card personalisation and card issuance use cases
  • Including software simulator for evaluation and integration testing

Highlights:

  • Strong compliance – PaymentServer satisfies the compliance requirements of PCI PTS HSM and DK and is FIPS 140-2 Level 3 certified. As such, the product can be used in PCI DSS audited environments.
  • Specifically designed for Payment Card and Payment Transaction Processing.
  • Highly customisable – for custom developments and certification / compliance to satisfy additional functional requirements.

More information: Utimaco PaymentServer

 

Utimaco Atalla AT1000

  • Designed for secure and compliant non-cash retail payment transactions and cardholder authentication
  • Superior hardware security
  • Secure payment ecosystems for payment service providers, acquirers, card processing companies and issuers
  • FIPS 140-2 Level 3 certified and FIPS 140-2 L4 (physical design) compliant
  • PCI PTS HSM v3 certified
  • Australian Payments Network approved

Highlights:

  • One of the fastest payment HSMs in the market. With up to 10,000 transactions per second, the Atalla AT1000 has been specifically designed for retail use cases and cardholder authentication.
  • Global support for the banking sector – supports all global card systems such as Visa, MasterCard, Amex, UnionPay, Diners and Discover.
  • The only payment HSM in the market supporting REST API – delivering unrivalled protection of an HSM in public, private and hybrid cloud environments with the Representational State Transfer Application Programming Interface (REST API).

More information: Utimaco Atalla AT1000

ISO20022 consulting and development

Ready for ISO 20022 – fast, convenient and efficient

achelos provides integrative support for banks and retailers looking to implement a secure switchover to the new stipulations resulting from ISO 20022. Middleware represents an efficient and fast way of adapting existing systems to the new requirements: it translates between the message format of the payment network and that of the internal infrastructure.

Benefit from our many years of experience in the development and certification of security-critical products and applications. Our experts accompany you from the consulting stage, through development and testing of the middleware, all the way up to support for the approval process.

This enables you to satisfy the strict time constraints of SWIFT quickly, conveniently and efficiently.

 

SECCOS® development and certification support

Full cost control thanks to flexible support

Minimise the risks associated with SECCOS® chip card functionalities for DK or PCI approval. Our qualified developers and testers support you in designing, implementing, and extending chip card functions in the SECCOS® and EMV environments, as well as assisting with the approval process.

You then have full control of your costs at all times. Our expert knowledge of SECCOS® chip cards can be called up individually and used flexibly. This saves time, minimises project risks and spares your own resources.

PCI-DSS support

Security engineering for PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) defines a uniform set of requirements for the secure storage and management of credit card data.

The PCI data protection standards summarise the testing requirements of the programmes operated by VISA (Account Information Security - AIS) and MasterCard (Site Data Protection - SDP).

achelos offers payment service providers (PSP) full-scope support in drafting and implementing security concepts on the basis of PCI DSS requirements.


We are happy to be your professional partner for cybersecurity in the field of payment.

Carola Schwarzenberg

Strategic Sales

Email:

Phone: +49 5251 14212-321