DOI: 10.1145/3299815.3314434
research-article

Adapting Financial Technology Standards to Blockchain Platforms

Published: 18 April 2019

ABSTRACT

Traditional payment systems have standards designed to keep transaction data secure, but blockchain systems are not in scope for such security standards. We test the applicability of the Payment Application Data Security Standard (PA-DSS) to transaction-supporting blockchain platforms. By highlighting the differences in implementation between traditional and decentralized transaction platforms, we critique and adapt the standard to fit the decentralized model. In two case studies, we analyze the industry compliance of the QTUM and Ethereum blockchain platforms, as their payment platforms support transactions equivalent to those of applications governed by the PA-DSS. We determine whether QTUM and Ethereum can properly ensure secure data handling with respect to current security standards. After adapting the PA-DSS and analyzing the QTUM and Ethereum platforms, we revise the adapted standards into a set of best practices for ensuring data security on both traditional and blockchain payment systems. We report the security gaps identified on each platform against the final revision of the standards, concluding that neither platform is suitable for business adoption based on the results of the PA-DSS assessment. Finally, we discuss open research issues.

Reviews

Balint Molnar

Financial technology (fintech) has become an important component of the finance, banking, and payment industry. Essential financial technologies include the various approaches for blockchain and smart contracts. In this paper, the authors investigate the standard defined by the payment industry as it applies to recent blockchain and smart contract solutions. The literature overview discusses vulnerabilities and privacy problems related to the actual implementation of blockchain and smart contracts. User anonymization, pseudo-anonymization, and identification are crucial issues. There are some contradictory requirements: simple payment transactions necessitate the anonymity of the payer side generally; on the other hand, business transactions among firms demand the unambiguous identification of partners. The authors select two available solutions: QTUM and Ethereum. The authors analyze whether the Payment Application Data Security Standard (PA-DSS) permits the application of blockchain and smart contract technologies, and where gaps exist in its definition. A comparative study highlights the violations and discrepancies of the prescribed rules between the two technologies and PA-DSS. The paper is an interesting read for security experts, professionals, and consultants involved in fintech. The authors examine privacy, data security, and protection problems using the two platforms. They conclude that the smart contract solution offers enormous business potential; however, several security issues remain. PA-DSS designates the roadmap that contributors to blockchain and smart contract technologies should follow.

Published in

ACM SE '19: Proceedings of the 2019 ACM Southeast Conference
April 2019
295 pages
ISBN: 9781450362511
DOI: 10.1145/3299815
Conference Chair: Dan Lo
Program Chair: Donghyun Kim
Publications Chair: Eric Gamess

Copyright © 2019 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers: research-article, Research, Refereed limited

Acceptance rate: overall 178 of 377 submissions, 47%
