Technology
Margento Security
Throughout the development of the Margento System, privacy and security have been an important part of the system. Unlike standard EFT-POS systems, the payment instrument or the user's identity details are never known to the merchant or disclosed at the point of sale. They are securely stored within the Margento System and strongly protected in case they need to be passed to 3rd party systems, such as banks for authorization or a service provider for service delivery.
- No data required to conduct a transaction is stored on the mobile phone; it is all server based
- The mobile phone does not hold money; a lost phone does NOT mean loss of $
- PIN protected accounts: Client must have phone and PIN to access account (optional)
- In case of a lost/stolen phone: client cancels his/her number with mobile operator; Margento service is immediately disabled
- SIM card is hard to clone; a cloned SIM cannot coexist with the original SIM in the mobile network
- Real-time authorization
- User identity and account information remains confidential – never revealed to the Margento terminal / merchant
Margento uses Secure Communications
Public/private key based encryption using ECC (elliptic curve cryptography) is used for data transmission.
Communication between POS Terminals and Margento Center:
- Encrypted (SSL like) data link based on Elliptic Curve Cryptography (ECC)
Communication between Margento Center components:
- IPsec VPN tunnels
- Dedicated secure leased lines
- ECC offers the highest security at a given key size
On-line Authorization
- All transactions are processed in real-time
- All white and black lists are managed centrally within Margento system
- Every transaction is checked against white and black lists
- Enables centralized credit limit management
- In case of a stolen phone, service can be immediately disabled
User Authentication based on SIM (MSISDN) and PIN
- User identification via SIM (MSISDN); user authentication via PIN
- SIM card is hard to clone; a cloned SIM cannot coexist with the original SIM in the mobile network
End-to-End PIN Encryption:
- PIN encryption using standardized algorithms:
- DES (ANSI X3.92, X9.24)
- 3DES (ANSI X9.52)
- ECDSA (ANSI X9.62)
- ECDH (ANSI X9.62)
On a payment terminal, the PIN is never associated with the payment instrument (credit card or account) number – this prevents attacks via compromising payment terminals.
Merchant Authentication based on PKI
- Terminal is identified through a unique preloaded terminal ID (TID)
Two-way PKI based authentication during secure session setup:
- Identity of terminal is verified by Margento Center;
- Margento Center identity is verified by terminal
Data Security
All data transferred through the network is encrypted. The following encryption standards are employed:
- ANSI X9.8 – Banking - Personal Identification Number Management and Security
- ANSI X9.24 – Financial Services Key Management Using the DEA
- ANSI X9.42 – Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography
- ANSI X9.52 – Triple Data Encryption Algorithm Modes of Operation
- ANSI X9.62 – Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)
- ANSI X9.63 – Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography
- ISO 9564-1 – Banking – Personal Identification Number (PIN) management and security – Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems
- ISO 11568-2 – Banking - Key management (retail) – Part 2: Key management techniques for symmetric ciphers
- ISO 11568-3 – Banking - Key management (retail) – Part 3: Key life cycle for symmetric ciphers
System Access Control
Margento employs a standard access control mechanism through User and Group Administration, where groups of users define roles in the system. System Access Control is achieved through a username/password concept, where passwords are always stored encrypted and minimum requirements such as length, character mix and non-repeatability are strictly enforced. The system can also use Smart Card based digital user certificates and IP rules to protect the system against unauthorized access. The system logs all user/group management activities, including all log-ins and log-outs.
The Margento system grants access to users based on the access rights of the groups they belong to. Access rights are usually defined per group, which defines group roles. The system can segregate responsibilities for an unlimited number of user roles. It also offers per-user permission settings, allowing for fine-grained security tuning. Network access restriction is provided to allow users to log in to the system from specific workstations.
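The access model described in this section (rights inherited from groups, per-user permission settings, log-in restricted to specific workstations, logged log-ins) can be sketched as follows. This is an added example, not Margento's code; the group names, rights, addresses and the rule that per-user denials override grants are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: group names and rights are hypothetical.
GROUP_RIGHTS = {
    "operators": {"transactions.view", "terminals.view"},
    "risk": {"blacklist.edit", "limits.edit", "transactions.view"},
}
AUDIT_LOG = []  # (event, user, detail, outcome) tuples

@dataclass
class User:
    name: str
    groups: set
    grants: set = field(default_factory=set)   # per-user additions (assumed semantics)
    denials: set = field(default_factory=set)  # per-user removals, override grants (assumed)
    workstations: tuple = ()                   # networks this user may log in from

def effective_rights(user):
    """Union of the rights of every group the user belongs to, then per-user tuning."""
    rights = set()
    for group in user.groups:
        rights |= GROUP_RIGHTS.get(group, set())  # unknown group grants nothing
    return (rights | user.grants) - user.denials

def login_allowed(user, source_ip):
    """Allow log-in only from a listed workstation network; an empty list denies all."""
    try:
        addr = ipaddress.ip_address(source_ip)
        ok = any(addr in ipaddress.ip_network(net) for net in user.workstations)
    except ValueError:  # malformed address or network: fail closed
        ok = False
    AUDIT_LOG.append(("login", user.name, source_ip, "allow" if ok else "deny"))
    return ok

def authorize(user, source_ip, right):
    """A right is usable only from an allowed workstation and if effectively held."""
    ok = login_allowed(user, source_ip) and right in effective_rights(user)
    AUDIT_LOG.append(("access", user.name, right, "allow" if ok else "deny"))
    return ok

# Constructed user: an operator given one extra right and denied one group right.
ALICE = User("alice", {"operators"}, grants={"limits.edit"},
             denials={"terminals.view"}, workstations=("10.20.0.0/24",))

if __name__ == "__main__":
    print(sorted(effective_rights(ALICE)))
    print(authorize(ALICE, "10.20.0.15", "limits.edit"))
    print(authorize(ALICE, "192.0.2.7", "limits.edit"))
```

Both the log-in decision and the access decision are appended to the audit list whether they succeed or fail, so denied attempts from unlisted workstations remain visible for review.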