
The fact that many banks in Vietnam have become members of the international card organizations Visa, Master... and have joined in issuing international payment cards demonstrates the choice made by customers who need to pay for transactions worldwide with a modern feature: spend first and pay later, based on the credit limit granted by the bank. Credit cards are growing at a dizzying pace. However, opportunity always comes with challenge: the more credit cards are in use, the greater the opportunity for fraudsters. This requires banks to deploy timely measures to keep card users safe.

A credit card is a substitute for direct payment. The cardholder does not have to pay cash at the moment of purchase. Instead, the bank advances the money to the seller and the cardholder later repays the bank for the transaction. A credit card lets the customer "pay gradually" the amount owed on the account. The cardholder does not have to pay the entire balance shown on the monthly transaction statement. However, the cardholder must pay the minimum payment before the due date stated on the statement. A credit card differs from a debit card in that money is not deducted directly from the cardholder's deposit account right after each purchase or cash withdrawal. [1]

RISKS FROM CREDIT CARDS

A credit card is issued after the credit service provider approves the card account based on the cardholder's financial capacity and collateral. After that, the cardholder can use it to shop at points of sale that accept cards.

When making a purchase, the card user commits to paying the card issuer. The cardholder expresses this commitment by signing a receipt that records the card details and the amount, or by entering a personal secret code (PIN - Personal Identification Number). In addition, many points of sale also accept verification by telephone or over the Internet for what are called card-absent or cardholder-absent transactions (CNP - Card/Cardholder Not Present). Points of sale use a number of electronic systems to verify that the card is valid and to check whether the card's credit limit is still sufficient to pay for the purchase. Verification is performed with a card reader (PoS - Point of Sale) connected to the seller's acquiring bank. The reader reads the card data from the magnetic stripe or from the integrated circuit on the card. Online stores usually use a different way to verify the card account, in which the cardholder typically has to supply additional information such as the security code printed on the back of the card, the cardholder's address, or a pre-arranged password. [1]

It is precisely this convenient payment that provides the loopholes fraudsters exploit to commit fraud. The consequences for each individual cardholder who is exploited may not be large, but taken as a whole they can add up to an enormous figure. Some of the tricks fraudsters commonly use are:

- Spreading viruses and infecting personal devices in order to obtain cardholders' information when they use online payment services.

Many viruses have appeared on the Internet that hackers have used to infect payment devices in order to steal cardholders' personal information, such as the Eurograbber virus; the hackers used email or fake websites to trick customers into installing the virus on their personal machines. When customers access online transactions, the virus forges a notice from the bank to lure them into installing the virus on their phone or computer, and then steals the OTP authentication code and the cardholder's information. With this trick, the hacker group using the Eurograbber virus stole 36 million euros from European banks.

- Fraud, forgery and counterfeiting of credit cards, paying without going through a PoS, or making cash withdrawals.

"Skimming" is a trick by which the information held on your magnetic-stripe card is stolen when the card is swiped during a purchase. The thieves can then produce a fake card using the data stolen from your card. Once that is done, the fake cards can be used to make purchases at the same time as your own card.

The US market research company Research & Markets reports that Vietnam's card market is the most dynamic in the world and is entering an uncompromising race for market share among banks, both domestic and foreign. For credit cards alone, the number of credit cards reached 440,000 in 2010, but just one year later the growth rate was more than 137%. By 2013 the number had passed 2.43 million cards, a growth rate of more than 87% over 2012, and by the end of 2014 the number of credit cards exceeded 3 million. With a market this full of potential, it is not hard to assert that Vietnam will be a favourite destination for card criminals if we do not have security solutions in place from the very start.

Tap chi CNTT & TT, issue 2 (5.2015)

SAFETY - SECURITY

SOLUTIONS FOR ENSURING CREDIT CARD SECURITY

With card crime on the rise, banks need to prevent and minimise the losses that banks and customers may suffer. To do so, they need to review their processes and risk management policies at every stage, and invest appropriately in modern technology solutions and in prevention and risk management systems. The bank's responsibility must come first. Alongside that, merchants and cardholders themselves also need to take measures and raise their awareness in order to protect themselves.

First of all, banks need to have a security policy, and PCI DSS addresses that requirement.

The PCI DSS security standard

The payment card data security standard, abbreviated PCI DSS (Payment Card Industry Data Security Standard), comprises technical and operational requirements that help organizations handling card payment transactions to prevent credit card fraud, unauthorized intrusion, and other security threats and risks.

PCI DSS was formed from 5 different programs run by the "big players" in the international credit card field:

- Visa's card information security program (Visa Card Information Security Program);

- MasterCard's site data protection program (MasterCard Site Data Protection);

- American Express's data security operating policy (American Express Security Operating Policy);

- Discover Financial Services' compliance and information requirements (Discover Information and Compliance);

- JCB International's data security program (JCB Data Security Program).

The PCI DSS standard was developed to help card payment organizations protect customer data against intrusion and unauthorized use. PCI DSS helps businesses limit security vulnerabilities and the risk of information theft, while strengthening protection of the data stored on cards. The standard applies to all organizations that store, process or transmit data stored on cards, and these organizations are obliged to protect card data when they carry out transactions.

PCI DSS is a standard made up of 12 main requirements:

1. Build and maintain a firewall system to protect payment card data.

2. Do not use parameters or passwords preset by system vendors (network devices, Internet links...).

3. Protect payment card data when it is stored on the system.

4. Encrypt card information in transit during transactions.

5. Use and regularly update anti-virus software.

6. Build and maintain systems and applications that ensure network security.

7. Restrict access to payment card data.

8. Issue and track system access accounts.

9. Limit the means of physical access to card data.

10. Check and record all access to the system and to card data.

11. Regularly assess and retest system security processes.

12. Build an information protection policy within the enterprise.

Figure 1: Example of CVC/CVV on different card types.

At present, most commercial banks in Vietnam issue international credit cards under their own brand. However, not many banks meet the PCI DSS standard. This is alarming! [3], [4]

In addition, among the technical measures for securing credit card transactions, the following solutions must be mentioned:

Card verification code - CVC/CVV

The card verification code (CVC for Master Card, CVV for Visa Card) helps strengthen security for the cardholder.

The CVC/CVV is the last three or four digits of the number shown on the back of the credit card on the signature strip. The position of the CVC/CVV and the number of digits differ depending on the card type.

- American Express: the CVC is four digits placed on the front of the card, on the right-hand side.

- Discover, Master, Visa: the CVC is the last three digits of the number on the back of the card on the signature strip.

[5]

Besides the verification code, payment usually also requires the card number and the card's expiry date.

All of this information is displayed right on your card. This makes it very easy for fraudsters to exploit.

Chip and PIN (Chip-and-PIN)

In its report for the third quarter of 2014, the security firm Trend Micro found that the United States led the world in the rate of malware infection on retail transaction systems. The report shows that, of all retail transaction system infections worldwide, 30% occurred in the United States in the third quarter of 2014, 25% higher than the second-placed Philippines, Taiwan and Italy.

Figure 2: PoS infection rates by country worldwide (chart title: PoS Malware Infections by Country, 3Q 2014)

- United States 30%
- Philippines 6%
- Taiwan 6%
- Italy 6%
- Australia 5%
- Brazil 5%
- France 3%
- United Kingdom 3%
- Canada 2%
- Germany 2%
- Others 32%

The reason for this significant gap may be the widespread use of magnetic stripe payment cards throughout the United States.

Compromise of magnetic stripe payment card technology is nothing new. There have long been calls in the United States to stop using this technology because of its susceptibility to hackers.

The unprotected magnetic stripe on the card contains all of the cardholder's financial information. This information is passed into the retailer's PoS system when the card is swiped at the store's card reader. If the PoS transaction system is compromised, a thief can encode the stolen information, write it onto a new card and swipe it wherever they like.

In the opinion of many experts, the solution to this problem is "Chip and PIN" (Chip-and-PIN) technology. Instead of a magnetic stripe, a Chip and PIN card contains an encrypted microchip that stores the financial information.

This card adds a further layer of security by requiring the user to enter a personal identification number (PIN) before making a payment. This two-factor authentication technology has been in use for decades in almost every other G20 country and has been shown to reduce compromise significantly. A study carried out by the Federal Reserve Bank of Kansas City found that if the United States adopted Chip and PIN technology, domestic account information compromises could fall by as much as 40%. [3], [6]

Address verification system - AVS

Chip and PIN can help reduce card fraud in face-to-face transactions, but it is "helpless" against fraud in transactions that do not use the card directly (Card not present).

In 2014, the US Department of Commerce estimated the value of purchases made over the Internet at up to USD 300 billion (expected to keep rising sharply in the coming years). Of online fraud cases, more than 78% were carried out through website applications and only about 3% through mobile phone applications. This form of fraud, based on the "Card not present" payment method, is becoming the main tool used by cyber criminals. Because no card is physically stolen, customers usually do not become aware of the theft until the fraudulent transactions have already taken place.

The address verification system (Address Verification System - AVS) helps check the cardholder's address before the transaction. AVS can compare the customer's address on the card issuer's billing record with the address on their order to ensure that the customer is the legitimate cardholder. At the same time, check whether the processing software or devices support AVS. AVS was created to help online merchants avoid fraud. One of the greatest opportunities the Internet brings is the ability to accept orders from all over the world. One advantage of the Internet is that "soft" goods such as software are bought and delivered immediately.

Automated anti-fraud software

Many ideas have been put forward to reduce fraud in credit card payments. However, most businesses want to find other solutions that are faster and more effective.

To do business over the Internet, the issue is to prevent credit cards from being processed instantly when a transaction is made. One solution that many businesses have adopted is to build a matrix that specifies the level of checking for each type of order. The content of the matrix depends entirely on the goods, the location, and the level of risk the business can accept.

Specifically, this means using an automated checking tool: the AntiFraud software or CyberSource's IVS system. You can check a whole series of credit card processing services against anti-fraud terms for each credit card transaction process on the Internet.

The AntiFraud software provides the following features:

- Automatic checking of the buyer's email address against a 'Red Flag' list.

- IP address tracking (IP tracking). It automatically records the IP addresses of the computers from which orders are placed.

- Instant fraud alerts that allow members to detect one another's fraud cases.

- Notifications are sent regularly.

As for IVS, CyberSource claims that its system can reduce the level of fraud to 0.5% of transaction value. IVS is built on an "artificial intelligence" engine and works by analysing the characteristic features of each transaction, including order time, IP address, geographic location, delivery destination and many other factors...

It comprises 150 transactions in all, with a series of data checks, correlation analyses, and sensitivity analyses of current transactions against transactions that previously involved fraud. The IVS system then weighs up and produces a result and compares it with the merchants' own prior prediction, and on that basis confirms whether the transaction can proceed or should be cancelled. [6]
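An added example, not part of the original article and not AntiFraud's or CyberSource's code: one way to express the check-level matrix described above, combined with a simplified AVS comparison and a red-flag email list. The matrix contents, field names, decision thresholds and sample data are all assumptions made for illustration.

```python
import re

# Constructed policy: checks required per (goods type, destination).
# "digital" goods are delivered instantly, so they get the most checks.
MATRIX = {
    ("physical", "domestic"): {"cvc"},
    ("physical", "international"): {"cvc", "avs", "ip"},
    ("digital", "domestic"): {"cvc", "avs", "red_flag"},
    ("digital", "international"): {"cvc", "avs", "ip", "red_flag"},
}
RED_FLAG_EMAILS = {"buyer@red-flag.example"}  # constructed list

def street_number(street):
    """First run of digits in a street line ('' if there is none)."""
    m = re.search(r"\d+", street or "")
    return m.group() if m else ""

def postal_key(postal):
    """Postal code without spaces or punctuation, upper-cased."""
    return re.sub(r"[^0-9A-Za-z]", "", postal or "").upper()

def avs_match(on_file, given):
    """Simplified AVS: street number and postal code must both agree."""
    return (street_number(on_file["street"]) == street_number(given["street"])
            and postal_key(on_file["postal"]) == postal_key(given["postal"]))

def screen(order, on_file, shop_country="VN"):
    """Return (decision, failed checks) for one card-not-present order."""
    dest = "domestic" if order["ship_country"] == shop_country else "international"
    required = MATRIX[(order["goods"], dest)]
    failed = set()
    if "cvc" in required and not order["cvc_ok"]:  # issuer's CVC/CVV result
        failed.add("cvc")
    if "avs" in required and not avs_match(on_file, order["billing"]):
        failed.add("avs")
    if "red_flag" in required and order["email"].lower() in RED_FLAG_EMAILS:
        failed.add("red_flag")
    if "ip" in required and order["ip_country"] != on_file["country"]:
        failed.add("ip")
    if not failed:
        return "accept", failed
    # One failed check goes to manual review; several mean refusal.
    return ("review" if len(failed) == 1 else "reject"), failed

# Constructed sample data: issuer's record and one incoming order.
ON_FILE = {"street": "12 Ly Thuong Kiet", "postal": "100000", "country": "VN"}
ORDER = {"goods": "digital", "ship_country": "US", "cvc_ok": True,
         "email": "a@shop.example", "ip_country": "VN",
         "billing": {"street": "12 Ly Thuong Kiet St.", "postal": "10 0000"}}
```

The same address mismatch that sends a digital, international order to review is ignored for a physical, domestic one, because that cell of the matrix does not require AVS.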

Every technology has vulnerabilities. Everyone should be ready for continual change in technology, because hackers will never stop breaking the security models of the systems in use.

References

[1] http://vi.wikipedia.org/wiki.

[2] http://vnba.org.vn.

[3] TechTarget, What's in your wallet? Stemming Credit Card Fraud. 2015.

[4] The PCI DSS security standard, http://www.pcworld.com.vn.

[5] http://en.wikipedia.org/wiki/Card_security_code.

[6] Payment cards: security vulnerabilities & remediation solutions, http://www.pcworld.com.vn.

[7] http://www.ddth.com/archive/index.php/t-147702.html.