Four Corners Model for Payment Security

The Four Corners model, often referred to as the Four Party Scheme, is the most widely used card scheme in card payment systems worldwide. The model was introduced in the 1990s. It is a user-friendly card payment system based on an interbank clearing system and an economic model built on multilateral interchange fees (MIF) paid between banks or other payment institutions. [1] [2]

The most significant benefit of using the Four Corners Model is that bank cards are accepted everywhere. Additional benefits include:

Security in the Four Corners Model is standardized through the Payment Card Industry Data Security Standard (PCI DSS). The standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. [3]

Description

The Four Corners Model involves several flows between its four participants, each of which performs a different job. Behind this simple picture, however, is an extraordinarily complex mechanism that requires clearing and settlement processes.

In the model, the Merchant connects to its Acquirer, which connects through a card scheme to the Cardholder's Issuer. There are usually one or more third parties acting as a switch or gateway between the Merchant and the Acquirer.

Typically, the Issuer is different from the Acquirer. When this is the case, interbank processes are needed to transfer money and compensation between the banks involved.

The Four Corners Model flow begins with the Cardholder making a purchase from a Merchant using their payment card. The Merchant sends an authorization request to its Acquirer bank, and the Acquirer bank forwards it to the Issuer bank. The request travels through a vast network of switches, gateways, and servers managed by the appropriate card scheme network.

The returning authorization response is binary: either positive (authorized) or negative (declined). One of the following scenarios typically occurs at this point:

The Four Corners Model also applies to other payment scenarios, including ATM withdrawals, where a positive authorization results in banknotes and a transaction receipt being dispensed to the Cardholder, while a negative response results in the bank card being declined and no funds being dispensed.

Often, the Four Corners Model collapses into a Three-Corner Model (triangle). This occurs when the Acquirer bank is skipped and the switches and gateways route the authorization flow directly to the Issuer. Skipping the Acquirer bank speeds up the transaction and creates fewer problems on the payment network. [1]

Participants

The Four Corners Model involves four participants: the Cardholder, the Merchant, the Issuer, and the Acquirer. [1]

1. Cardholder

The Cardholder is the consumer who has been issued a payment card by their bank or another type of financial institution. The Cardholder does not own the card; it remains the property of the issuing financial institution, i.e., the Issuer. The Cardholder is only authorized to use it. [4]

Typically, the Cardholder has an account with the issuing financial institution directly linked to the payment card, e.g., a banking debit card. This is not always the case, for example, when corporate credit cards or fleet/fuel cards are given to employees.

2. Merchant

Often referred to as “The Acceptor,” the Merchant is the vendor receiving payment from the Cardholder/consumer. The Merchant accepts card payments for the goods or services it sells to the Cardholder. [5]

Examples of Merchants include:

An automated teller machine (ATM) is also considered a Merchant even though it is a fully automated machine; its primary role is to accept payment cards.

3. Issuer

The Issuer is the bank or other financial institution that issues the payment card given to the Cardholder. There are typically three different types of payment cards: [6]

The Issuer provides the payment cards on behalf of a card payment network. Such networks include:

The card payment network might also be a private, closed-loop network, such as a domestic scheme.

The Issuer bank handles the manufacturing of its payment cards and the management of the cards' associated cryptography. Generally, this is done together with a card integrator company.

4. Acquirer

The Acquirer provides the tools used by the Merchant to accept payment cards. Often, the Acquirer is a third-party system and not necessarily the bank where the Merchant holds its account. The Acquirer typically provides the Merchant with the hardware and software needed to process card payment transactions.

The Acquirer manages the final return codes for the payment transactions. These codes will either be an authorization for the charge or a decline of the transaction. The Acquirer’s job within the Four Corners Model is to authorize payment from the Cardholder to the Merchant when a good or service is purchased. [5]

Technology

The Four Corners Model requires end-to-end secure transactions. These transactions are encrypted and must be protected at each corner. The use of specialized tools, such as hardware security modules (HSMs) and automated key management, is an essential part of the model. [3]

Hardware Security Modules

Cryptography is required between all actors in the Four Corners Model. The many cryptographic keys and operations must be handled within a secure environment, such as a hardware security module (HSM). HSMs are a necessity for handling an increasing number of transactions and warding off attacks from skilled cybercriminals. [7]
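The authorization flow described under Description, and the "protected at each corner" requirement of this section, can be modelled together. The following is an added illustration, not code from the article or any real scheme: each pair of adjacent corners shares a zone key that lives only in a stand-in `Hsm` object, every intermediate corner verifies the inbound zone MAC and re-protects the message for the next zone, and the same relay carries the binary response back. The corner names, zone keys, message fields and the `Hsm`, `relay` and `authorize` names are all constructed for this example; real schemes use ISO 8583 messages and HSM-managed keys, which are simplified away here.

```python
import hashlib
import hmac
import json

# Constructed zone keys for this model: each key is shared only by the two
# adjacent corners named in it, so no corner can forge a message for a zone
# it does not belong to. Real schemes keep such keys inside HSMs, not in code.
ZONE_KEYS = {
    ("merchant", "acquirer"): b"zone-key-merchant-acquirer",
    ("acquirer", "scheme"): b"zone-key-acquirer-scheme",
    ("scheme", "issuer"): b"zone-key-scheme-issuer",
    ("merchant", "scheme"): b"zone-key-merchant-scheme",  # three-corner shortcut
}

def zone_key(a, b):
    return ZONE_KEYS.get((a, b)) or ZONE_KEYS[(b, a)]

class Hsm:
    """Stands in for one corner's HSM: the only place its zone keys are used."""

    def __init__(self, owner):
        self.owner = owner

    def mac(self, msg, peer):
        data = json.dumps(msg, sort_keys=True).encode()
        return hmac.new(zone_key(self.owner, peer), data, hashlib.sha256).hexdigest()

    def translate(self, msg, tag, src, dst):
        """Check the inbound zone MAC, then re-protect the message for the next zone."""
        if not hmac.compare_digest(self.mac(msg, src), tag):
            raise ValueError(f"{self.owner}: MAC check failed on message from {src}")
        return self.mac(msg, dst)

def relay(msg, route, hsms):
    """Carry msg from route[0] to route[-1], re-protecting it at every intermediate corner."""
    tag = hsms[route[0]].mac(msg, route[1])
    hops = []
    for i in range(1, len(route) - 1):
        tag = hsms[route[i]].translate(msg, tag, route[i - 1], route[i + 1])
        hops.append(route[i])
    if not hmac.compare_digest(hsms[route[-1]].mac(msg, route[-2]), tag):
        raise ValueError(f"{route[-1]}: MAC check failed")
    return hops

def authorize(request, issuer_balance, route=("merchant", "acquirer", "scheme", "issuer")):
    """Send the request along the route and the binary response back; returns (decision, hops)."""
    hsms = {corner: Hsm(corner) for corner in route}
    hops = relay(request, route, hsms)
    decision = "authorized" if request["amount"] <= issuer_balance else "declined"
    response = {"stan": request["stan"], "result": decision}
    relay(response, tuple(reversed(route)), hsms)
    return decision, hops
```

Passing the three-element route `("merchant", "scheme", "issuer")` to `authorize` reproduces the Three-Corner variant, where the Acquirer hop is skipped; a message altered between corners fails the MAC check at the next HSM.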

Key Management Systems

In addition to HSMs, a modern key management system (KMS) is needed to provide the framework for managing multiple keys throughout their life cycles. There are different types of key management systems, and they can be implemented in different ways.

Essential features of a KMS for payment security include: [8]


References

  1. Rupp, Martin (April 22, 2021). "Cardholder, Merchant, Issuer & Acquirer - The Four Corners Model for Payment Security and Key Management". Cryptomathic.
  2. Études et activités bancaires et financières (January 2013). "An interbank payment card system for the benefit of all" (PDF). Fédération Bancaire Française.
  3. PCI Security Standards Council. "Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2.1 May 2018" (PDF). PCI Security Standards Council, LLC.
  4. Owen, Michael; Dixon, Colin (June 2007). "A new baseline for cardholder security". Network Security. 2007 (6): 8-12.
  5. Teicher, Ron (21 November 2017). "Three Types of Merchant Fraud: A Guide For Merchant Acquirers". Finextra. Retrieved 17 May 2021.
  6. "Issuers and Payment Card Industry Security Standards" (PDF). VISA Inc. Retrieved 17 May 2021.
  7. Gregg, Michael (2014). CASP CompTIA Advanced Security Practitioner Study Guide: Exam CAS-002. John Wiley & Sons. p. 246. ISBN 9781118930847.
  8. Turner, Dawn M. "What Is Key Management? A CISO Perspective". Cryptomathic. Retrieved 30 May 2016.