Introduction
The migration of payment card transactions to the public Internet and mobile IP networks brought significant advantages to payment services. Increased transaction volume, faster response times, wider geographical availability and lower telecommunications costs are just some of the benefits. However, some negative side effects are also introduced: exposure to denial of service attacks and data breaches, quality of service issues, and the much higher complexity of transport and security protocols such as TCP and SSL/TLS. Today it is far from easy to get a true picture of payment service security, availability and performance as merchants perceive it in their daily business.
SITO IP POS is a specialized SSL/TLS transaction monitoring system for payment services carried over fixed and mobile Internet and private IP networks. It continuously monitors all SSL/TLS encrypted transaction flows and presents vital payment service security, availability and performance KPIs and dashboards.
Security
The Security module focuses only on payment transaction IP packets and TCP/TLS flows. Traffic anomalies, including some DoS attacks, can be detected easily through such specialized and sensitive traffic triggers. In addition to these traffic triggers, each TLS/SSL session is compared against black and white lists of client and server IP addresses and against white lists of client and server SSL certificates. Any irregularity (or abuse) triggers an alert. Stolen POS terminals, transaction attempts from unauthorized locations (or countries), and transaction attempts with compromised server or client SSL certificates are all detected easily. Even misconfigured POS terminals with wrong or expired SSL certificates are picked up by this module. Most other generic security and monitoring systems, such as firewalls and intrusion detection systems, overlook some or most of these incidents because they lack knowledge of normal payment transaction behavior and of the specific payment network environment.
Availability
The Availability module keeps track of all successful and failed TLS/SSL transaction sessions. A significant share of failed transaction sessions may not be visible to transaction hosts or gateways, since such sessions can be dropped several network hops before reaching them. Because of inherent quality problems in IP telecommunication networks (especially mobile networks), DDoS attacks, or even simple configuration errors such as expired SSL certificates, the percentage of failed transaction sessions may become unacceptable and merchants will start to complain. Availability graphs readily show the merchants with the highest number of failed TLS/SSL transactions and pinpoint telecommunication operators whose IP transport quality is unacceptable.
Performance
The Performance module analyzes the quality of successful TLS/SSL transactions only. Even a successful transaction session may be unnecessarily long because of transmission errors and packet retransmissions. By continuously monitoring all IP TLS/SSL transactions, SITO IP POS provides detailed quality of experience information for every such transaction session. Merchants, specific shops, or even individual POS terminals within a shop that suffer from low quality of service and unacceptable quality of experience (QoS/QoE) can be spotted easily on dedicated dashboards, and corrective measures can be taken proactively.
Merchant Loyalty
Merchant loyalty reports and dashboards are based on analysis of TLS/SSL transaction session behavior. A successful transaction session following one or more failed sessions may indicate frustrated merchants and customers. The absence of a successful transaction after one or more failed transaction sessions may indicate that the customer gave up on the payment card transaction and decided to pay with cash or via another POS terminal. Such an event may be called transaction churn.
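As an added illustration of the Availability and Merchant Loyalty analyses described above (example code, not part of the SITO IP POS product), the following computes the per-terminal failed-session share and classifies each run of failed sessions as a retry (a success follows within a short window) or as transaction churn (no success follows in time). The session log, terminal IDs and the five-minute retry window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (terminal_id, timestamp, handshake_ok).
# A failed session is one whose TLS handshake never completed.
SESSIONS = [
    ("POS-A1", datetime(2024, 6, 1, 9, 0, 0), True),
    ("POS-A1", datetime(2024, 6, 1, 9, 5, 0), False),
    ("POS-A1", datetime(2024, 6, 1, 9, 5, 40), True),    # quick retry succeeded
    ("POS-B7", datetime(2024, 6, 1, 9, 10, 0), False),
    ("POS-B7", datetime(2024, 6, 1, 9, 10, 30), False),  # no timely success: churn
    ("POS-B7", datetime(2024, 6, 1, 9, 40, 0), True),
    ("POS-C3", datetime(2024, 6, 1, 9, 20, 0), True),
]
RETRY_WINDOW = timedelta(minutes=5)  # assumed threshold for "customer tried again"

def availability(sessions):
    """Share of failed TLS sessions per terminal (0.0 = all sessions succeeded)."""
    total, failed = defaultdict(int), defaultdict(int)
    for tid, _, ok in sessions:
        total[tid] += 1
        failed[tid] += 0 if ok else 1
    return {tid: failed[tid] / total[tid] for tid in total}

def churn_events(sessions, window=RETRY_WINDOW):
    """Return (terminal, first_failure_ts, 'retry'|'churn', failures) per run of failures."""
    by_terminal = defaultdict(list)
    for tid, ts, ok in sorted(sessions, key=lambda s: s[1]):
        by_terminal[tid].append((ts, ok))
    events = []
    for tid, seq in by_terminal.items():
        i = 0
        while i < len(seq):
            if seq[i][1]:          # successful session, nothing to classify
                i += 1
                continue
            j = i                  # extend over the whole run of failures
            while j < len(seq) and not seq[j][1]:
                j += 1
            # Retry only if a success follows the last failure within the window.
            followed = j < len(seq) and seq[j][0] - seq[j - 1][0] <= window
            events.append((tid, seq[i][0], "retry" if followed else "churn", j - i))
            i = j
    return events
```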
SSL Certificates
The SSL Certificates module passively monitors tens to hundreds of thousands of client certificates and tens of server certificates used in real-time payment transactions. It discovers all certificates directly from the transaction IP packet flows. If a detected SSL certificate is not found in the white list, or has already expired, a security alert is triggered immediately. Detailed statistics, including the expiration dates of all SSL certificates, are shown in tabular and graphical reports. If an SSL certificate is close to its expiration date, a warning is clearly shown.
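The per-session checks that the Security and SSL Certificates modules describe (IP black/white lists, certificate white list, expiry and near-expiry) can be expressed as one rule evaluation over the metadata observed in a TLS handshake. This is an added example, not the product's code; the lists, fingerprints, addresses and the 30-day warning threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed policy (hypothetical values): RFC 5737 documentation addresses.
CLIENT_BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
SERVER_WHITELIST = {ipaddress.ip_address("198.51.100.10")}
# Whitelisted certificates keyed by SHA-256 fingerprint (constructed hex strings).
CERT_WHITELIST = {"aa11" * 16: "pos-terminal-0001", "bb22" * 16: "payment-gateway"}
EXPIRY_WARNING = timedelta(days=30)

@dataclass
class ObservedSession:
    client_ip: str
    server_ip: str
    client_cert_fp: str            # fingerprint of the certificate seen in the handshake
    client_cert_not_after: datetime
    server_cert_fp: str
    server_cert_not_after: datetime

def evaluate_session(s: ObservedSession, now: datetime) -> list:
    """Return alert/warning codes for one passively observed TLS session (empty = clean)."""
    findings = []
    cip, sip = ipaddress.ip_address(s.client_ip), ipaddress.ip_address(s.server_ip)
    if any(cip in net for net in CLIENT_BLACKLIST):
        findings.append("ALERT:client_ip_blacklisted")
    if sip not in SERVER_WHITELIST:
        findings.append("ALERT:server_ip_not_whitelisted")
    for role, fp, not_after in (("client", s.client_cert_fp, s.client_cert_not_after),
                                ("server", s.server_cert_fp, s.server_cert_not_after)):
        if fp not in CERT_WHITELIST:
            findings.append(f"ALERT:{role}_cert_not_whitelisted")
        if not_after <= now:                       # already expired
            findings.append(f"ALERT:{role}_cert_expired")
        elif not_after - now <= EXPIRY_WARNING:    # still valid but expiring soon
            findings.append(f"WARN:{role}_cert_expires_soon")
    return findings

# Constructed sample sessions: one clean, one with several irregularities.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_OK = ObservedSession("192.0.2.5", "198.51.100.10", "aa11" * 16,
                            NOW + timedelta(days=365), "bb22" * 16, NOW + timedelta(days=200))
SAMPLE_BAD = ObservedSession("203.0.113.7", "198.51.100.10", "cc33" * 16,
                             NOW - timedelta(days=1), "bb22" * 16, NOW + timedelta(days=10))
```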
Architecture
The SITO IP POS appliance is based on standard high-availability Linux server hardware with an optional additional Ethernet network card. The appliance cannot influence payment transactions in any way: all analysis is performed on a copy of the transaction traffic, so SITO IP POS cannot change, add or delay monitored packets. Appliance security relies on network separation. No IP address is assigned to the dedicated physical Ethernet port used for payment transaction monitoring; configuration and management of the appliance are done through a separate, dedicated physical Ethernet port.
It is recommended to connect SITO IP POS to the monitored network through an intelligent filtering inline monitoring tap. A SPAN (mirror) port on a switch is also an option, but a filtering tap is less likely to drop packets and can also perform intelligent hardware packet filtering so that only payment traffic is forwarded.
PCI DSS
All sensitive payment card information remains hidden from the SITO IP POS system. SITO IP POS analyzes only the IP/TCP/SSL/TLS transaction envelope and cannot see any encrypted payment card or financial transaction data. Neither the private keys needed to decrypt sensitive data nor any payment card information is stored on the SITO IP POS appliance. On this basis, SITO IP POS does not have to be part of the PCI DSS scope. Nevertheless, SITO IP POS can support PCI DSS procedures, since it can supply a SIEM or other security systems with information that most generic network security and monitoring systems cannot provide.