Master Payment Security: Proven 20-Year Methods to Stop Leaks, Tampering & Fraud

Payment security encompasses protecting sensitive data, preventing transaction tampering, fraud, and service attacks; this comprehensive guide details the main threats, core safeguards such as encrypted storage and transmission, digital signatures, PCI compliance, key management, and practical encryption algorithms like AES and RSA for robust, real‑world implementations.

Chen Tian Universe

What Are the Biggest Fears in Payments?

"Information leakage", "data tampering", "transaction repudiation", "service attacks" – and ultimately "money loss". Using the underlying payment security methodology accumulated over 20 years, I have never had an incident or lost a single cent.

Online Payment Main Security Issues

Sensitive information such as account numbers or passwords is stolen. Attackers who obtain user accounts and passwords can steal funds. This is the most commonly perceived security issue.

Transaction information is tampered with. Users often do not notice this. A typical case is the payment amount being altered, e.g. the amount actually paid is less than the amount due, or the recipient account of a transfer is changed. Example: an attacker first compromised a bank system, then initiated a $20,000 recharge on a payment platform and altered the bank deduction order to $1; the bank deducted $1, the platform took the deduction as successful and credited $20,000 to the user’s balance. The attacker later withdrew the $20,000, causing a huge loss.

In a transfer scenario, the recipient account or amount can be altered after interception, leading to funds being sent to a wrong account if the platform’s security measures are insufficient.

Transaction information is repudiated. This is rarer. Example: a payment platform asks a bank to deduct ¥200; the deduction actually fails, but the bank notifies success and the platform ships the goods. Later the bank claims the success message did not come from it, so the transaction is repudiated.

Fraudulent transactions. Includes cash‑out, money‑laundering, and unauthorized transactions caused by user information leakage.

Service unavailability attacks. Very frequent but often unnoticed; the typical form is a Distributed Denial‑of‑Service (DDoS) attack: attackers flood the payment system with malicious traffic, exhausting resources and preventing legitimate users from accessing the service, potentially causing financial loss.

Core Focus Areas of Payment Security

Payment security is a large domain, but we generally need to focus on the following core points:

Sensitive information secure storage. Securely store personal and merchant/channel sensitive data. Personal data includes ID numbers, clear‑text payment card data, passwords, etc. Merchant data includes login/operation passwords and channel certificate keys.

Secure transmission of transaction information. Ensure secure data transmission between client and payment server, merchant system and payment system, internal servers, and between payment system and bank. This typically involves encryption technologies.

Prevention of tampering and repudiation. Guarantee integrity and authenticity of transaction data. A typical transaction involves user, merchant, payment institution, and bank; each party’s information must remain unchanged and non‑repudiable.

Fraud transaction prevention. Identify and block fraudulent activities such as cash‑out and money‑laundering, and protect assets by detecting compromised user information and suspicious transactions. Usually handled by a payment risk control system.

Service availability. Defend against DDoS attacks, ensuring stable operation and availability of payment services through firewalls, intrusion detection systems, and traffic‑scrubbing devices.

Minimalist Payment Security Diagram

Payment security is a comprehensive system engineering; beyond technical measures, robust security policies and compliance procedures are essential, though often overlooked.

The following diagram presents a minimalist view of the core points to consider in payment security.

Policy is the foundation. Policies define when encryption is needed, which algorithms to use, minimum key lengths, and when signatures are required. Policies are divided into industry regulations (e.g., Network Security Law, Payment Business Management Measures) and internal security policies.

Technical measures focus on four goals: 1) Sensitive data secure storage. 2) Secure transaction transmission. 3) Transaction integrity and authenticity. 4) Transaction legality (no fraud). Corresponding techniques include:

Sensitive information secure storage: Use encryption and restrict access.

Secure transmission: Use SSL/TLS encryption.

Integrity and authenticity: Apply digital signatures and identity authentication.

Fraud prevention: Leverage payment risk control systems.

Service availability: Deploy traffic‑scrubbing devices and intrusion detection systems.

Data Security: Encryption and Decryption Techniques

Encryption and decryption are foundational to data security in payment systems, used both for communication between payment platforms and banks and for internal sensitive data storage.

What Is Encryption and Decryption?

Encryption transforms plaintext into unreadable ciphertext using an algorithm and a key, preventing unauthorized parties from understanding the data even if intercepted.

Decryption reverses the process, converting ciphertext back to plaintext using the appropriate algorithm and key.

Symmetric Encryption Algorithms

Symmetric encryption uses the same key for both encryption and decryption. It is efficient but key distribution is challenging.

Common symmetric algorithms:

AES (Advanced Encryption Standard):

Features: High security, fast speed, variable key length.

Use cases: Network communication, file encryption, database encryption. It is the mainstream algorithm in the payment industry.

DES (Data Encryption Standard):

Features: Older, 56‑bit key, relatively weak security.

Use cases: Historically used for data protection but largely replaced by AES.

3DES (Triple DES):

Features: Applies DES three times for stronger security, slower performance.

Use cases: Previously used as a DES replacement, now also superseded by AES.

RC4:

Features: Fast and simple.

Use cases: Previously used in SSL/TLS, now discouraged due to security issues.

IDEA:

Features: Fast and secure.

Use cases: Once popular for network and file encryption, now less common.

AES is currently considered the most secure and widely used symmetric algorithm; a key length of 256 bits or more is recommended.

Asymmetric Encryption Algorithms

Asymmetric encryption uses a public‑key/private‑key pair. The public key encrypts data; the private key decrypts it. The private key must never be used for encryption.

It also enables digital signatures: the private key signs, the public key verifies.

Common asymmetric algorithms:

RSA:

Features: High security, widely adopted.

Use cases: Encryption, digital signatures, key exchange. Dominant in the payment industry.

DSA:

Features: Designed for digital signatures, fast verification.

Use cases: Identity verification and signatures, e.g., SSL/TLS.

ECC (Elliptic Curve Cryptography):

Features: Short keys, high security, efficient.

Use cases: Mobile and IoT devices where resources are limited.

Diffie‑Hellman (DH):

Features: Secure key exchange.

Use cases: Key agreement in protocols like TLS.

RSA is still the most widely used for signatures in payments (recommended key length ≥ 2048 bits). ECC is gaining traction on mobile/IoT due to efficiency (recommended key length ≥ 256 bits).

Digital Envelope Encryption

Digital envelope combines symmetric encryption, asymmetric encryption, digital signatures, and verification. Data is encrypted with a symmetric key; the symmetric key is encrypted with the receiver’s public key; the sender signs with its private key. The receiver verifies the signature, decrypts the symmetric key with its private key, then decrypts the data.

PGP (Pretty Good Privacy) is a popular implementation of digital envelope, often used for securing files and communications between payment platforms and banks.

Many banks require PGP encryption for payout files containing sensitive data such as card numbers.

Signature and Verification Techniques

Signature and verification ensure data integrity and authenticity, preventing tampering and repudiation.

What Is a Signature and Verification?

Signature: Sender hashes the message, then encrypts the hash with the private key, producing a digital signature.

Verification: Receiver decrypts the signature with the sender’s public key to obtain the hash, hashes the received message, and compares the two hashes. If they match, integrity and authenticity are confirmed.

Common signature algorithms: RSA, DSA, ECDSA, EdDSA. RSA and ECDSA are the mainstream choices; RSA is widely used, while ECDSA offers shorter keys and higher security for constrained environments.
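The following program is an added example, not code from the article or its author. It puts the digital envelope described above and the sign/verify steps of this section into one round trip: the deduction order is encrypted under a one‑time AES‑256‑GCM key, that key is wrapped with the receiver’s RSA public key (OAEP), and the sender signs with RSA‑PSS over SHA‑256. The receiver verifies the signature before decrypting anything, so an altered order (the amount‑tampering case from earlier in the article) is rejected. Only the Go standard library is used; the order content, field names and key sizes (RSA‑2048, as the article recommends) are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SampleOrder is a constructed deduction order; a real one carries many more fields.
const SampleOrder = `{"order_id":"CONSTRUCTED-0001","amount_cents":2000000,"currency":"USD"}`

// Envelope is the wire format: the order under a one-time AES-256-GCM key,
// that key wrapped with the receiver's RSA public key (OAEP), and an RSA-PSS
// signature by the sender over all of the above.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte // GCM output, authentication tag included
	Signature  []byte
}

// signedDigest is SHA-256 over the fields the signature protects.
func signedDigest(e *Envelope) []byte {
	h := sha256.New()
	h.Write(e.WrappedKey)
	h.Write(e.Nonce)
	h.Write(e.Ciphertext)
	return h.Sum(nil)
}

// Seal: encrypt with a fresh symmetric key, wrap the key for the receiver, sign.
func Seal(order []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (*Envelope, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, order, nil)}
	if e.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil); err != nil {
		return nil, err
	}
	e.Signature, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, signedDigest(e), nil)
	return e, err
}

// Open: verify the signature before touching any ciphertext, then unwrap and decrypt.
func Open(e *Envelope, senderPub *rsa.PublicKey, receiverPriv *rsa.PrivateKey) ([]byte, error) {
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, signedDigest(e), e.Signature, nil); err != nil {
		return nil, errors.New("signature check failed: tampered or not from the claimed sender")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, e.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil)
}

// RoundTrip plays both sides (platform sends, bank receives). With tamper set,
// one ciphertext byte is flipped in transit, as an altered amount would be.
func RoundTrip(order []byte, tamper bool) ([]byte, error) {
	platformKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	bankKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	env, err := Seal(order, platformKey, &bankKey.PublicKey)
	if err != nil {
		return nil, err
	}
	if tamper {
		env.Ciphertext[0] ^= 0x01
	}
	return Open(env, &platformKey.PublicKey, bankKey)
}

func main() {
	plain, err := RoundTrip([]byte(SampleOrder), false)
	fmt.Printf("genuine: %s (err=%v)\n", plain, err)
	_, err = RoundTrip([]byte(SampleOrder), true)
	fmt.Println("tampered:", err)
}
```

Verifying the signature first is deliberate: it is cheap, it rejects tampered or forged envelopes before any private‑key decryption takes place, and it gives the receiver the non‑repudiation evidence the article describes, since only the sender’s private key could have produced it.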

Digital Digest (Hash) Algorithms

Hashes produce a fixed‑length digest that is practically unique to its input, used for data integrity verification. Common algorithms: MD5 (deprecated), SHA‑1 (deprecated), SHA‑256/384/512, RIPEMD, BLAKE, Keccak, Whirlpool. In the payment industry, SHA‑256 is the recommended digest algorithm.

HMAC

HMAC combines a hash function with a secret key to provide message authentication. It is fast and widely used for integrity and authenticity, though it is not a true digital signature because both parties share the same secret key.
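An added example (not from the article) of HMAC as it is typically used between a merchant system and a payment platform: both sides share a secret, the request parameters are put into a canonical sorted form, and an HMAC‑SHA256 over that form travels as a "sign" field. The verifier recomputes the MAC and compares in constant time, so a request whose amount was changed in transit fails verification. The parameter names, the merchant secret and the canonical format are assumptions made for the example; the code uses only the Go standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Canonicalize produces the exact byte string both sides MAC: parameters sorted
// by name, joined as name=value&..., with the "sign" field itself left out.
// Without a canonical form, reordered fields would break verification.
func Canonicalize(params map[string]string) string {
	names := make([]string, 0, len(params))
	for n := range params {
		if n != "sign" {
			names = append(names, n)
		}
	}
	sort.Strings(names)
	parts := make([]string, 0, len(names))
	for _, n := range names {
		parts = append(parts, n+"="+params[n])
	}
	return strings.Join(parts, "&")
}

// Sign returns the hex HMAC-SHA256 of the canonical request under the shared secret.
func Sign(params map[string]string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(Canonicalize(params)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify recomputes the MAC and compares with hmac.Equal (constant time), so a
// wrong MAC cannot be distinguished by timing and any changed field is caught.
func Verify(params map[string]string, secret []byte) bool {
	received, err := hex.DecodeString(params["sign"])
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(Canonicalize(params)))
	return hmac.Equal(mac.Sum(nil), received)
}

func main() {
	secret := []byte("constructed-merchant-secret") // provisioned out of band in practice
	req := map[string]string{
		"merchant_id": "M1001",
		"order_id":    "CONSTRUCTED-42",
		"amount":      "20000.00",
		"currency":    "USD",
	}
	req["sign"] = Sign(req, secret)
	fmt.Println("genuine request verifies:", Verify(req, secret))
	req["amount"] = "1.00" // amount altered in transit
	fmt.Println("altered amount verifies:", Verify(req, secret))
}
```

Because the merchant and the platform hold the same secret, either party could have produced the MAC; that is why the article counts HMAC as message authentication rather than a true signature, and why disputes between the two parties need a public‑key signature instead.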

Digital Timestamp

A digital timestamp binds a specific time to a digital signature or hash, proving that data existed before that time. It is useful for legal documents, contracts, and certificates, but rarely used in payment systems.

Identity Authentication Techniques

Identity authentication verifies that participants in a payment transaction are who they claim to be. Methods include username/password, multi‑factor authentication (MFA), biometrics, SSO/OAuth, and digital certificates.

Digital Certificates

Certificates, issued by a Certificate Authority (CA), bind an entity’s identity to its public key. They contain public key, holder information, issuer information, validity period, and a digital signature.

During TLS/HTTPS connections, servers present certificates to clients for verification.

Certificate Authority (CA)

CA is a trusted third party that issues, manages, and revokes certificates, establishing a trust chain (root → intermediate → end‑entity).

Public Key Infrastructure (PKI)

PKI manages digital certificates and public keys, providing components such as certificates, CAs, Registration Authorities (RAs), certificate repositories, and key management services.
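The program below is an added example, not the article’s own material, showing the trust chain the last three sections describe: a self‑signed root CA issues an intermediate CA, the intermediate issues a server certificate, and a client verifies the server certificate against its local trust store the way a TLS client does. It also shows two rejections a practitioner should expect: a hostname mismatch, and a certificate issued by a CA that is not in the trust store. The CA names, serial numbers, host name and the use of ECDSA P‑256 keys are assumptions for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a three-level trust chain: root -> intermediate -> end-entity.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// newTemplate builds a certificate template; CA templates get the CertSign key
// usage, server templates get the serverAuth EKU and the host as a SAN.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with parentKey; with parent == nil the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain issues a root CA, an intermediate CA and a server certificate for host.
func BuildChain(host string) (*Chain, error) {
	root, rootKey, err := issue(newTemplate("Example Payment Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(newTemplate("Example Payment Issuing CA", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(newTemplate(host, 3, false), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyServerCert does what a TLS client does: build a path from the leaf through
// the presented intermediate to a root in the local trust store, and check the host.
func VerifyServerCert(leaf, intermediate, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters := x509.NewCertPool()
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

func main() {
	chain, err := BuildChain("pay.example.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("valid chain:     ", VerifyServerCert(chain.Leaf, chain.Intermediate, chain.Root, "pay.example.test"))
	fmt.Println("wrong host:      ", VerifyServerCert(chain.Leaf, chain.Intermediate, chain.Root, "other.example.test"))
	other, _ := BuildChain("pay.example.test") // same host, but a CA the client does not trust
	fmt.Println("untrusted issuer:", VerifyServerCert(other.Leaf, other.Intermediate, chain.Root, "pay.example.test"))
}
```

The client only ever holds the root; the intermediate is supplied by the server during the handshake, which is why a missing or wrong intermediate on a payment gateway shows up as a verification failure on the client side rather than on the server.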

Transport Security Protocols

Data transmitted over the internet must be protected. Common protocols:

SSL (Secure Sockets Layer) – legacy protocol providing encryption, integrity, and authentication.

TLS (Transport Layer Security) – successor to SSL with improved security.

HTTPS – HTTP over SSL/TLS, encrypting web traffic.

VPN – virtual private network using encryption and tunneling over public networks.

Dedicated lines – private physical connections offering higher security and reliability.

Payment Risk Control (Anti‑Fraud)

Risk control systems manage and mitigate fraudulent transactions. Core resources are the risk‑control strategies, which are highly confidential. Typical suspicious behaviors that trigger risk control include sudden large foreign payments, device changes, and rapid high‑frequency transactions.
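As an added example (not from the article, whose real strategies are confidential), here is a small rule engine over a user’s transaction history that raises the three signals named above: a large payment from a country the user has never paid from, a device not seen before, and a burst of transactions inside a short window. The thresholds, field names and sample history are constructed for the example; a production risk engine would score many more features and keep its thresholds secret.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Txn is one payment as seen by the risk engine (constructed fields).
type Txn struct {
	UserID   string
	Amount   float64
	Country  string // country the payment is made from
	DeviceID string
	At       time.Time
}

// Alert names the rule that fired and the transaction that triggered it.
type Alert struct {
	Rule string
	Txn  Txn
}

// Hypothetical thresholds; real strategies are tuned per product and kept confidential.
const (
	largeForeignAmount = 5000.0
	burstWindow        = time.Minute
	burstCount         = 5
)

// Screen walks one user's transactions in time order and raises an alert when
//   - a payment of at least largeForeignAmount comes from a country not seen before,
//   - a device ID not seen before is used,
//   - burstCount transactions fall inside burstWindow (fires once per burst).
func Screen(history []Txn) []Alert {
	h := append([]Txn(nil), history...) // sort a copy, leave the caller's slice alone
	sort.Slice(h, func(i, j int) bool { return h[i].At.Before(h[j].At) })
	var alerts []Alert
	seenCountry, seenDevice := map[string]bool{}, map[string]bool{}
	var window []time.Time // timestamps of transactions inside the last burstWindow
	for _, t := range h {
		if len(seenCountry) > 0 && !seenCountry[t.Country] && t.Amount >= largeForeignAmount {
			alerts = append(alerts, Alert{Rule: "large_foreign_payment", Txn: t})
		}
		if len(seenDevice) > 0 && !seenDevice[t.DeviceID] {
			alerts = append(alerts, Alert{Rule: "device_change", Txn: t})
		}
		seenCountry[t.Country], seenDevice[t.DeviceID] = true, true
		window = append(window, t.At)
		for t.At.Sub(window[0]) > burstWindow {
			window = window[1:]
		}
		if len(window) == burstCount {
			alerts = append(alerts, Alert{Rule: "high_frequency", Txn: t})
		}
	}
	return alerts
}

// SampleHistory is constructed: two normal domestic payments, one large payment
// from a new country on a new device, then six small payments within 50 seconds.
func SampleHistory() []Txn {
	base := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	h := []Txn{
		{UserID: "u1", Amount: 120, Country: "CN", DeviceID: "dev-A", At: base},
		{UserID: "u1", Amount: 80, Country: "CN", DeviceID: "dev-A", At: base.Add(24 * time.Hour)},
		{UserID: "u1", Amount: 8000, Country: "US", DeviceID: "dev-B", At: base.Add(48 * time.Hour)},
	}
	burst := base.Add(72 * time.Hour)
	for i := 0; i < 6; i++ {
		h = append(h, Txn{UserID: "u1", Amount: 15, Country: "CN", DeviceID: "dev-A",
			At: burst.Add(time.Duration(i*10) * time.Second)})
	}
	return h
}

func main() {
	for _, a := range Screen(SampleHistory()) {
		fmt.Printf("%-22s amount=%.2f country=%s device=%s at=%s\n",
			a.Rule, a.Txn.Amount, a.Txn.Country, a.Txn.DeviceID, a.Txn.At.Format(time.RFC3339))
	}
}
```

Run against the sample history this produces exactly three alerts: the large US payment fires both the foreign‑payment and device‑change rules, and the fifth transaction of the burst fires the high‑frequency rule once. In practice such alerts feed a decision (step‑up authentication, hold, or decline) rather than blocking outright.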

Unified Key Management and Security Services

Secure storage of encryption keys is critical because a key’s value equals the value of the ciphertext it protects. Key management includes storage, rotation, backup/recovery, and destruction.

Keys are divided into master keys (stored in hardware security modules, HSM) and working keys (encrypted by master keys and stored in databases). Working keys are loaded into memory when needed.

Unified Key Platform Architecture

Applications call the key management system for encryption/decryption and signing/verification, ensuring keys are never exposed to business logic.
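An added example, not the article’s or any vendor’s code, of the master‑key/working‑key hierarchy and the calling pattern just described: a key service holds the master key (standing in for the HSM), persists working keys only in wrapped form, unwraps a working key into memory for the duration of one operation, and exposes Encrypt/Decrypt so that business code handles card data without ever seeing a key. It also shows master‑key rotation, which re‑wraps the working keys without touching the data they protect. Key identifiers, the card number and the use of AES‑256‑GCM for wrapping are assumptions for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService stands in for the unified key platform. masterKey never leaves it
// (in production it lives inside the HSM); working keys are stored wrapped and
// unwrapped into memory only while one operation runs.
type KeyService struct {
	masterKey   []byte            // hypothetical HSM-resident master key
	wrappedKeys map[string][]byte // key ID -> nonce||ciphertext of the working key
}

func randomKey() ([]byte, error) {
	k := make([]byte, 32) // AES-256
	_, err := rand.Read(k)
	return k, err
}

func NewKeyService() (*KeyService, error) {
	mk, err := randomKey()
	if err != nil {
		return nil, err
	}
	return &KeyService{masterKey: mk, wrappedKeys: map[string][]byte{}}, nil
}

// aeadSeal / aeadOpen: AES-256-GCM with the nonce prefixed to the ciphertext.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func aeadOpen(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// CreateWorkingKey generates a working key and stores only its wrapped form.
func (s *KeyService) CreateWorkingKey(id string) error {
	wk, err := randomKey()
	if err != nil {
		return err
	}
	s.wrappedKeys[id], err = aeadSeal(s.masterKey, wk)
	return err
}

// workingKey unwraps a key into memory; the caller discards it after use.
func (s *KeyService) workingKey(id string) ([]byte, error) {
	wrapped, ok := s.wrappedKeys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	return aeadOpen(s.masterKey, wrapped)
}

// Encrypt protects business data (e.g. a card number) under working key id.
func (s *KeyService) Encrypt(id string, plaintext []byte) ([]byte, error) {
	wk, err := s.workingKey(id)
	if err != nil {
		return nil, err
	}
	return aeadSeal(wk, plaintext)
}

func (s *KeyService) Decrypt(id string, blob []byte) ([]byte, error) {
	wk, err := s.workingKey(id)
	if err != nil {
		return nil, err
	}
	return aeadOpen(wk, blob)
}

// RotateMaster re-wraps every working key under a new master key; the data
// encrypted under the working keys is untouched.
func (s *KeyService) RotateMaster() error {
	newMaster, err := randomKey()
	if err != nil {
		return err
	}
	for id, wrapped := range s.wrappedKeys {
		wk, err := aeadOpen(s.masterKey, wrapped)
		if err != nil {
			return err
		}
		if s.wrappedKeys[id], err = aeadSeal(newMaster, wk); err != nil {
			return err
		}
	}
	s.masterKey = newMaster
	return nil
}

func main() {
	svc, err := NewKeyService()
	if err != nil {
		panic(err)
	}
	if err := svc.CreateWorkingKey("card-wk-1"); err != nil {
		panic(err)
	}
	blob, _ := svc.Encrypt("card-wk-1", []byte("4111111111111111")) // constructed test PAN
	_ = svc.RotateMaster()
	plain, err := svc.Decrypt("card-wk-1", blob)
	fmt.Printf("after master rotation: %s (err=%v)\n", plain, err)
}
```

Because every ciphertext is stored with its key ID, rotating a working key is a matter of creating a new ID and re‑encrypting records on a schedule, while rotating the master key is the cheap re‑wrap shown here; GCM’s authentication tag also means a database record that was modified in place fails to decrypt instead of yielding a corrupted card number.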

Conclusion

Payment security is a vast and specialized field. While each cryptographic or signing technique could fill a book, the knowledge presented here covers over 90% of what most payment‑industry professionals need to understand.

Key take‑aways:

Use AES‑256 for large‑scale data encryption.

Use RSA‑2048 for small data blocks and digital signatures.

Adopt SHA‑256 as the digest algorithm; avoid using it as a substitute for signatures.

Always salt passwords and login credentials.

Secure network and file transfers with HTTPS, SSL/TLS, VPN, or dedicated lines.

Combine symmetric encryption, asymmetric encryption, digital signatures, and certificates for comprehensive security.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Encryption, Key Management, digital signatures, payment security, PCI compliance

Written by Chen Tian Universe

Chen Tian Universe, payment architect specializing in domestic payments, global cross‑border clearing, core banking, and digital payment scenarios. Notable works: “Ten‑Thousand‑Word: Fundamentals of International Payment Clearing”, “35,000‑Word: Core Payment Systems”, “19,000‑Word: Payment Clearing Ecosystem”, “88 Diagrams: Connecting Payment Clearing”, etc.
