22 July 2003

Thales e-Security Takes BACS to the Future

Case study written for Thales, UK, July 2003.

The key issue associated with making financial payments electronically is security, whether for simple transactions between two parties via debit or credit card or for payment via the internet. ‘Skimming’ of consumers’ credit cards in restaurants and other retail outlets, misdirected payments via the internet, and fraud on a much grander scale are all issues that have hit the headlines this year alone. The responsibility for securing such payments, whatever their size, is a daunting task for any individual or organisation. Imagine, then, undertaking to supply the security solution to the Bankers Automated Clearing System (BACS).

BACS is the organisation - owned by all the major UK clearing banks and building societies - that processes the majority of business-related electronic funds transfers in the UK. For example, every month businesses in the UK perform the payroll operations for their personnel, triggering thousands of money transfers as staff salaries are paid directly into their bank accounts. This is just part of what BACS does and by the end of the year, BACS will have processed more than 14,400,000,000 direct debit and direct credit payments on behalf of over 100,000 UK businesses.

With such an important system there is no margin for error, since any difficulty could potentially affect every UK business. It is therefore a great testimony to BACS that its payment delivery system, BACSTEL, has been almost 100 per cent reliable since its inception more than two decades ago. Nevertheless, by early 2002 the BACS board had concluded that the BACSTEL infrastructure should be upgraded as the first stage of a comprehensive technology upgrade plan for all BACS systems. In 2002 BACS migrated BACSTEL’s infrastructure to run on internet protocol (IP), enabling BACS to offer a wider range of services to business users as well as improvements to existing services. The new services would bring cost savings to the UK businesses using BACSTEL-IP, and the flexibility of IP would make it much quicker and easier to incorporate new payment services in the future.

However, BACSTEL-IP had to be secure: the sheer quantity of payments and the sums of money flowing through the system made security critical. The security solution also had to meet several requirements beyond simply authenticating UK businesses as they accessed the system: it had to be able to trace any transaction made on the system when required, and it had to produce an audit trail for every transaction. The scale of the project was also daunting. The solution had to scale to a total of 500,000 users and up to 100 million payment items per day. Perhaps most complex of all, it had to interoperate with 12 banks operating seven different public key infrastructure (PKI) systems, with smart cards from five different manufacturers. BACS called on Thales e-Security to help it secure the future of UK business electronic payments.

Thales e-Security’s implementation of the project was a true team effort. The Thales e-Security project team worked closely with the other vendors involved, and with the BACS technical design and implementation teams, throughout the development cycle. This minimised project risk and ensured on-time delivery of the complete solution. BACS’ project security team had already recommended smart cards as the basis of the solution. Once this was approved by the member banks and BACS senior management, the project was trialled with Royal Bank of Scotland for four months before being rolled out to all other member banks in the UK. Hardware and Thales software were installed around the UK by BACS-approved solution suppliers.

To support the simultaneous connection to 12 banks that BACSTEL-IP required, Thales e-Security worked closely with BACS to develop the fourth generation of its digital signature messaging system, AssureTransaction. UK businesses wishing to submit payments via BACSTEL-IP from their offices are issued a cryptographic smart card by their bank. The card is then used to digitally sign every payment instruction, tying each instruction to the signer and ensuring that any alteration, accidental or deliberate, is detected. Each bank was free to select its own public key infrastructure (PKI) for issuing the digital certificates held on the card.

AssureTransaction ensures compatibility with all relevant PKI standards by verifying each transaction against the set of rules defined by the bank that issued the smart card used to sign it. It authenticates the cardholder with a challenge-response logon: it generates a random challenge, and the cardholder signs it with the smart card, which only signs once the correct PIN has been entered. Possession of the card and knowledge of the PIN together make this two-factor authentication. AssureTransaction then cryptographically verifies the signature against the cardholder’s public key certificate and validates that certificate in real time with the issuing bank. Similarly, every payment request and other transaction submitted to BACS is digitally signed by the user with smart card and PIN, and verified in real time. AssureTransaction also digitally signs the reports that BACS sends to users, so that a user can confirm that a report is genuine and has not been altered in transit.

Because every digital certificate is verified in real time against the issuing bank, a lost or stolen card can no longer be used to sign transactions once its bank has revoked the certificate, and changes in employee status take effect in the system as soon as the bank is made aware of them. This substantially reduces the risk of fraud compared with the old system. Varying levels of access are supported for the different personnel working in the banks or businesses that use the system.
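The mechanism described in the two paragraphs above (a card that signs only with the right PIN, a gateway that verifies each signature under the rules of whichever bank issued the card, and a real-time revocation check) as an added, self-contained example in Go. This is not code from the original page, from Thales or from BACS; AssureTransaction itself is not modelled. The `Card`, `Bank` and `Gateway` types, the choice of ECDSA P-256 over SHA-256, the in-memory revocation list, the bank and cardholder names and the sample payment instruction are all assumptions of the example:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Card struct { // stands in for the smart card: the key never leaves it, and it signs only for the right PIN
	key  *ecdsa.PrivateKey
	pin  string
	Cert *x509.Certificate
}

// Sign signs msg on the card; possession of the card plus knowledge of the PIN are the two factors.
func (c *Card) Sign(pin string, msg []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, fmt.Errorf("card: wrong PIN")
	}
	h := sha256.Sum256(msg) // ECDSA P-256 over SHA-256 is this example's assumption, not the page's
	return ecdsa.SignASN1(rand.Reader, c.key, h[:])
}

type Bank struct { // each bank runs its own CA and keeps its own revocation list
	caKey   *ecdsa.PrivateKey
	CACert  *x509.Certificate
	revoked map[string]bool
	serial  int64
}

// issue certifies pub under the bank's CA; the first certificate a bank issues is its own self-signed CA.
// Errors from in-process key generation and DER encoding are ignored to keep the example short.
func (b *Bank) issue(cn string, pub *ecdsa.PublicKey) *x509.Certificate {
	b.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(b.serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	parent := b.CACert
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, b.caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func NewBank(name string) *Bank {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	b := &Bank{caKey: k, revoked: map[string]bool{}}
	b.CACert = b.issue(name, &k.PublicKey)
	return b
}

// IssueCard personalises a card: a fresh key pair plus a certificate for it from this bank.
func (b *Bank) IssueCard(holder, pin string) *Card {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Card{key: k, pin: pin, Cert: b.issue(holder, &k.PublicKey)}
}

// Revoke records a lost or stolen card; the gateway consults this list on every use.
func (b *Bank) Revoke(c *Card) { b.revoked[c.Cert.SerialNumber.String()] = true }

type Gateway map[string]*Bank // the verifying service in front of the member banks, keyed by CA name

// Verify accepts sig over msg only if cert chains to the issuing bank's own CA, is not revoked there,
// and the signature checks against the key that bank certified.
func (g Gateway) Verify(cert *x509.Certificate, msg, sig []byte) error {
	bank, ok := g[cert.Issuer.CommonName]
	if !ok {
		return fmt.Errorf("gateway: issuer %q is not a member bank", cert.Issuer.CommonName)
	}
	roots := x509.NewCertPool()
	roots.AddCert(bank.CACert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("gateway: chain validation failed: %w", err)
	}
	if bank.revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("gateway: certificate revoked by issuing bank")
	}
	h := sha256.Sum256(msg)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("gateway: signature does not verify")
	}
	return nil
}

func main() {
	bankA, bankB := NewBank("Bank A CA"), NewBank("Bank B CA")
	gw := Gateway{"Bank A CA": bankA, "Bank B CA": bankB}
	card := bankA.IssueCard("payroll-clerk", "1234")
	instr := []byte("CREDIT GBP 1250.00 ref SALARY") // constructed payment instruction
	sig, _ := card.Sign("1234", instr)
	fmt.Println("signed:", gw.Verify(card.Cert, instr, sig))
	fmt.Println("altered:", gw.Verify(card.Cert, []byte("CREDIT GBP 9999.00 ref SALARY"), sig))
	bankA.Revoke(card) // card reported lost: refused from the next use onwards
	fmt.Println("revoked:", gw.Verify(card.Cert, instr, sig))
}
```

The logon challenge is just another message signed with `Sign` and checked with `Verify`; the gateway must generate it from a cryptographic random source and accept it only once. Note that the issuer name on the certificate is used only to select which bank's rules apply, never as a trust decision in itself: a certificate naming "Bank A CA" as issuer but signed by someone else's key fails the chain check. In a production deployment the in-memory revocation map would be replaced by a live check against the issuing bank's PKI (OCSP or a fresh CRL), which is the "real time" validation the page describes, and the trust anchors would be the banks' actual CA certificates rather than freshly generated ones.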

After the system had been rolled out, BACS surveyed its member banks for their opinion on the new technology and its impact on their business. The results were very promising. Over 75 per cent of users expressed the intention to migrate to the new solution as soon as it was available to them. In the same survey, users rated the enhanced security of the new system the number one benefit to their business. Users particularly valued the ability to tightly define payment permissions for individuals in the business, allowing delegation of signing responsibility to specific cardholders within subsidiaries or departments whilst retaining full control at a corporate level. All in all, the feedback was so positive that BACS now intends to work again with Thales e-Security to develop and implement further service enhancements in the future.
