payment_card_flashcards
(12 cards)
What was the first method used for conducting payment card transactions, and what was its limitation?
The initial method involved transferring embossed information from cards onto paper using a manual imprinter. While simple, it lacked security features and required physical recordkeeping, making fraud and error more likely.
How has payment card technology evolved over time?
Payment cards progressed from embossed cards to magnetic stripe cards (which logged transactions electronically), then to EMV “Chip+PIN” technology (requiring PIN input for added security), and finally to contactless payment systems for faster, tap-based transactions.
Who are the key players involved in a card payment system and what are their roles?
Cardholder: uses the card for purchases; Retailer/Merchant: sells goods or services; Acquirer: processes card transactions for the merchant; Issuer: the bank or institution that issues the card; Card Scheme: oversees rules and transaction flows (e.g., Visa, Mastercard).
What is the significance of the PAN (Primary Account Number) in payment systems?
The PAN is the card number used to identify the account and route transactions correctly. The first digits indicate the card scheme (e.g., Visa, Mastercard), and it plays a central role in the payment authorization process.
What functions do card schemes perform in the transaction cycle?
Card schemes define transaction rules, ensure proper routing, and facilitate clearing and settlement. They also set merchant fees (typically 1–3%) and may offer fraud detection tools.
How can the card scheme be bypassed during a transaction?
Sometimes the acquirer caches the issuer information and communicates directly, avoiding scheme routing—but the scheme still collects its fees regardless.
What type of cyberattack did the Magecart group use on British Airways?
They altered BA’s JavaScript file to include malicious code that captured and serialized form data when the payment button was pressed. The stolen data was sent to a rogue server mimicking BA, exploiting the page’s trust and structure.
What happened during the Magecart attack on Newegg, and what was the impact?
Similar to the BA attack, 15 lines of JavaScript were injected on Newegg’s payment page. The code harvested user data and sent it to a spoofed domain. With an estimated 10% hit rate across 50M visitors, attackers may have earned ~$50M.
Why is JavaScript’s event-driven nature a security challenge in web development?
Event-driven scripts can execute based on user actions (e.g., clicks), allowing malicious scripts to intercept sensitive data. This makes security a “whole-system” concern, requiring secure integration across all layers.
Why is JavaScript difficult to formalize or secure through verification methods?
JavaScript supports prototype inheritance, dynamic code modification, and ambiguous semantics, making it hard to predict behavior or enforce security guarantees through formal models.
Why has the credit card industry remained a persistent target for cybercriminals?
Due to its high monetary value and widespread usage, attackers have always followed the money—from physical card theft in the 1800s to phishing in the 1990s to modern JavaScript skimming attacks.
What advancement made physical card cloning less effective, and how did attackers respond?
Chip+PIN technology added a layer of authentication, but criminals responded by installing covert cameras or malware to capture PINs, showing that improved tech still requires holistic security.