Towards Secure IoT-Based Payments by Extension of Payment Card Industry Data Security Standard (PCI DSS)



Introduction
IoT has emerged as a new phenomenon and has revolutionized the world once again after the invention of computer systems [1]. The emergence of IoT has in turn given rise to smart cities [2] and to a machine-to-machine economy in which connected devices interact with each other. This leads to a new digital payment experience for both consumers and businesses. Consumers can pay using a wide range of connected devices, including connected cars, household appliances, and wearables. Businesses have also adopted new points of sale, including touch points, parking meters, and vending machines [3].
IoT-based payments are going to change the way payments are made for purchases in-store, online, or by phone. Many companies have already started offering IoT-based payment products. Amazon has launched a payment product called "Amazon Go" to change the shopping experience: customers receive the final bill when they leave the store after finishing their shopping, without going to any checkout or waiting in line, and Amazon deducts the payment from the registered customer account [4]. A similar effort called "SMARTBUY" is described in [5]; it links online shopping with a coalition of small retailers under the concept of a "Distributed Shopping Mall." SMARTBUY introduces a blended retailing system that combines online shopping with the attractiveness of traditional in-store shopping. On top of that, the added benefits for products and services in SMARTBUY are (i) centralized inventory management, (ii) geo-location-based marketing, (iii) location-based search for neighboring retailers, and (iv) personalized product recommendations driven by business analytics [5]. Another system, developed by MasterCard, is "Groceries," an app built on Samsung's Family Hub refrigerator for ordering groceries. The app was demonstrated connecting to online grocery shopping apps (FreshDirect and ShopRite) through their open APIs [3,6]. Visa, in association with Honda and ParkWhiz, has also enabled cars to pay for fuel, and Samsung and Visa are working on payments from a refrigerator [7].
In the future, even more hardware devices will make payments to give humans a smoother experience. For example, refrigerators will detect which groceries are needed, order the required items from the store, and pay from the credit card linked with the refrigerator, while a car's dashboard console will pay for fuel after finding a suitable station during travel [3,8]. NFC technology is being considered for initiating vehicle toll payments on highways: in [9], an NFC-enabled mobile phone initiates the toll payment for a car, supported by a cloud-based, web-based payment processing system.
However, with this advancement and the increase in the number of endpoint devices, vulnerabilities have also increased. Some of the important security threats to be addressed are the security of the IoT payment device itself, data leakage and privacy loss due to the inherently low resistance of IoT devices to data leakage, and distributed denial-of-service attacks [3,10]. Many such problems are also highlighted in [11], with a detailed discussion of Amazon Go. To combat these threats, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of the payment card industry by regulators and the industry itself. Lack of compliance can lead to fines, lawsuits, and lasting reputational damage [7,12-14].
The PCI DSS provides a set of technical and operational requirements to protect cardholder account data used to make payments. It requires all entities in the payment card processing industry, including merchants, processors, acquirers, issuers, and service providers, to take part in this process. PCI DSS also applies to all entities that store, process, or transmit cardholder account data or sensitive authentication data. PCI DSS comprises a minimum set of twelve security requirements to protect account data, which may be enhanced by additional controls and practices according to risk. Additionally, it does not supersede any government or legal requirements set for any industry [7,15,16].
Therefore, to implement secure IoT payments, connected IoT devices and payment systems must also comply with PCI DSS and the Payment Application Data Security Standard (PA DSS), as required by government and industry standards and as practiced previously [14,17]. At the time of writing, the current version of PCI DSS is 3.2, with version 4 under development [15]. However, IoT-based payment systems will not be able to comply with the PCI DSS recommendations in their original form, because of the inherent characteristics of IoT. A wide variety of IoT devices with varying capabilities is available for various types of applications; this paper focuses on resource-constrained devices with limited capabilities, as the majority of IoT devices are resource constrained, and almost all types of IoT systems require efficiency anyway [1,3]. These characteristics, especially the resource-constrained nature of the devices, the limited capability of their operating systems, the diverse array of hardware computing platforms, the frequent use of alternative networking protocols, the difficulty of updating the software/firmware of so many physical devices, interconnectivity, the physical aspects of things, heterogeneity, dynamic changes, enormous scale, safety and connectivity, and lack of documentation, make it difficult to comply with PCI DSS [1,3,8,18]. This is the main motivation of this paper: not only to shape upcoming versions of PCI DSS so that they consider IoT-based payments, but also to highlight the relevant research issues for secure IoT payments and to give recommendations for future research directions. The main contribution of this paper is thus a first attempt to analyze the payment process and the PCI DSS standard in detail for IoT-based payment systems and to recommend extensions suitable for IoT. Section 4 summarizes the recommendations and future research directions, and the paper is then concluded.

PCI DSS and Payment Systems
2.1. Purpose of PCI DSS. The purpose of PCI DSS is to enhance cardholder data security by providing consistent security measures globally for all entities involved in payment processing, including merchants, processors, service providers, acquirers, and issuers. It provides the minimum technical and operational requirements for the security of cardholder data, as summarized in Table 1. These requirements are a baseline: meeting them is necessary for compliance, not a guarantee of security. The PCI DSS also lays down the testing procedures used to assess the security measures applied by an organization [7]. The PCI Security Standards Council treats payment application security separately from the security of the card payment processing environment, as discussed in Section 2.2.

2.2. Payment Application Data Security Standard (PA DSS).
PA DSS lays down the security requirements and assessment procedures that ensure recommended security measures are implemented by organizations that produce payment applications. These requirements and assessment procedures are derived from the PCI DSS requirements and assessment procedures. Thus, payment processing applications must be deployed in a PCI DSS compliant environment, following the recommendations of PA DSS [17]. The following points elaborate the relationship between PCI DSS and PA DSS [7,16]: (1) the security requirements apply to all payment system components, including computing devices, network devices, servers, and applications [7]; (2) all 14 PA DSS requirements, as outlined in Table 1, are in line with the PCI DSS requirements and are analyzed in Section 3 for IoT as well.
To understand the applicability of these requirements, it is vital to understand the payment working models and processes.
2.4. The Traditional Payment Process. Before discussing the process in detail, let us first describe the entities and their roles in the payment process [16].
(1) Merchant: an organization that accepts card payments, either via a card payment terminal at its premises or via an online website where the customer enters the card details.
(2) Merchant acquirer: a financial institution responsible for providing payment processing services to merchants.
(3) Payment card networks: there are two models. In the first, the payment card network does not issue cards itself (e.g., MasterCard and Visa); in the second, the network issues cards directly to customers (e.g., American Express) and thereby plays both roles of merchant acquirer and payment network.

The payment process consists of two steps: the transaction flow, and the clearing and settlement of funds [16].

(1) Transaction flow: as shown in step 1 of Figure 1, the process begins when a customer swipes a card at a point-of-sale (POS) terminal or enters the card details on an e-commerce website. After that, the following steps are taken:
(i) The card payment terminal or the merchant's website records the card data (e.g., account number, card type, expiry date, and other required data) and forwards it to the merchant acquirer (step 3 in Figure 1).
(ii) The merchant acquirer forwards the transaction data to the card issuer over the secure payment card network (step 4 in Figure 1). In some cases, the acquirer can authorize the transaction directly without verification from the issuer.
(iii) The issuer verifies the status of the customer's account and replies to the merchant acquirer.
(iv) On successful verification of funds, the acquirer forwards an authorization code to the card terminal or website to complete the transaction.
In this transaction flow, no funds are actually collected; the authorization is merely a confirmation that the issuer has approved the transaction and agrees to settle it with the merchant and the merchant acquirer. The funds are transferred in a separate process called "clearing and settlement" [16].
(2) Clearing and settlement: the clearing and settlement process starts when the transaction details are sent to the acquirer (step 4 in Figure 1). Small merchants usually send the transaction details in a batch at the end of the day, while large merchants send them in real time [16].
The following steps are followed in this process [16]:
(i) The acquirer forwards the transaction data to the issuer via the appropriate payment card network (such as Visa or MasterCard) (steps 5 and 6 in Figure 1).
(ii) The issuer charges the amount to the customer's card and remits the funds to the acquirer via the same payment card network (step 7 in Figure 1).
(iii) The acquirer deducts the fees due to the issuer, the network, and itself before depositing the remaining funds in the merchant's account.
Typically, this process takes 24 to 72 hours from charging the customer to transferring the funds to the merchant [16].
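The two-step process above (an authorization that moves no money, followed by a settlement batch that charges the cardholder, deducts fees and credits the merchant) is easy to get wrong in an implementation, for instance by treating an authorization code as cleared funds. The following simulation is an added example, not code from the paper or from any card network: the entity classes, the in-memory ledgers, the single combined fee rate in basis points, and the test PAN are constructed assumptions.

```python
"""Simulation of the two-step card payment process: transaction flow
(authorization only) followed by clearing and settlement (money moves).
Added example, not from the paper: the entities, fee rate, in-memory
ledgers and the test PAN are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import secrets

# Constructed test card number (a standard Luhn-valid test PAN, not a real account).
TEST_PAN = "4111111111111111"


@dataclass
class Issuer:
    """Card issuer: holds cardholder accounts and outstanding authorization holds."""
    accounts: Dict[str, int] = field(default_factory=dict)           # PAN -> balance (cents)
    holds: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # auth code -> (PAN, amount)

    def available(self, pan: str) -> int:
        """Balance minus everything already authorized but not yet cleared."""
        held = sum(a for p, a in self.holds.values() if p == pan)
        return self.accounts.get(pan, 0) - held

    def authorize(self, pan: str, amount: int) -> Optional[str]:
        """Transaction flow, issuer side: confirm funds and place a hold; nothing is charged."""
        if amount <= 0 or self.available(pan) < amount:
            return None
        code = secrets.token_hex(3).upper()
        self.holds[code] = (pan, amount)
        return code

    def clear(self, code: str) -> int:
        """Clearing, issuer side: charge the held amount to the cardholder."""
        pan, amount = self.holds.pop(code)
        self.accounts[pan] -= amount
        return amount


@dataclass
class Acquirer:
    """Merchant acquirer: forwards authorizations and settles in a daily batch."""
    issuer: Issuer
    merchant_balance: int = 0
    pending: List[str] = field(default_factory=list)  # authorized, not yet settled
    fee_bps: int = 200  # combined issuer + network + acquirer fee, basis points (assumed)

    def transaction_flow(self, pan: str, amount: int) -> Optional[str]:
        """Steps 3-6 of Figure 1: forward card data, return the issuer's authorization code."""
        code = self.issuer.authorize(pan, amount)
        if code is not None:
            self.pending.append(code)
        return code

    def clearing_and_settlement(self) -> int:
        """Steps 5-7 of Figure 1: charge the issuer, deduct fees, credit the merchant."""
        credited = 0
        for code in self.pending:
            gross = self.issuer.clear(code)
            credited += gross - gross * self.fee_bps // 10_000
        self.pending.clear()
        self.merchant_balance += credited
        return credited


def demo() -> dict:
    """One authorized sale, one declined sale, then end-of-day settlement."""
    issuer = Issuer(accounts={TEST_PAN: 10_000})
    acq = Acquirer(issuer)
    ok = acq.transaction_flow(TEST_PAN, 2_500)
    after_auth = issuer.accounts[TEST_PAN]            # still 10_000: authorization moved no money
    declined = acq.transaction_flow(TEST_PAN, 8_000)  # the open hold counts against availability
    settled = acq.clearing_and_settlement()
    return {"authorized": ok is not None, "declined": declined is None,
            "balance_after_auth": after_auth, "credited": settled,
            "cardholder_balance": issuer.accounts[TEST_PAN],
            "merchant_balance": acq.merchant_balance}


if __name__ == "__main__":
    print(demo())
```

The point to take from the simulation is that `authorize` changes only the issuer's hold table, so the cardholder's balance is unchanged until `clearing_and_settlement` runs, and that a second authorization is declined against the available balance, not the raw account balance.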
2.5. IoT-Based Payment Systems. Digital payments have evolved with the inclusion of payment-enabled IoT devices. Customers can pay with a new range of connected devices, including cars, household appliances such as refrigerators, and wearables. Retail points of sale have changed too, with new touch points such as parking meters, fitting mirrors, and vending machines [3,19].
There are five key components of an IoT-based payment system [4]:
1. Card data is made available for payment processing via a card payment terminal or an online payment website.
2. The card terminal or online payment system checks for authentication and authorization.
3. The card data and transaction amount are forwarded to the merchant acquirer for authentication and authorization.
4. The acquirer checks the status of the account in its database and issues an authorization code if the transaction is allowed.
5. The acquirer forwards the authorization code to the terminal.
Blockchain and DLT technologies will, however, require further optimization to be truly effective as an IoT payment platform [20,21]. Whichever payment model (or combination of models) is used, organizations will be required to implement the PCI DSS recommendations to achieve a defined level of security according to compliance and regulatory requirements. Let us discuss the considerations for IoT-based payments with the above models in mind, as compared to traditional payment systems.

Considerations for IoT-Based Payment Systems as Compared to Traditional Payment Systems.
Despite the many similarities between IoT-based payments and the traditional payment process described above, there are many differences as well. The IoT device itself is a payment component that can store, process, or communicate user credentials using the cloud or another technology such as edge or fog computing. This raises considerations, rooted in IoT characteristics, for designing IoT-based payment systems that do not arise in traditional payment systems [3,19].

Analysis of Extension of PCI DSS Suitability for IoT
This section analyzes the PCI DSS and PA DSS requirements and assessment procedures and gives recommendations for their extension to IoT, as summarized in Section 4. The IoT device lifecycle is an important consideration for the applicability of PCI DSS and PA DSS: the PCI DSS security requirements will apply to IoT device manufacturers when designing and building payment-enabled IoT devices, and PA DSS will apply to cloud and connectivity API providers that store and process users' credentials. The analysis also takes into account the IoT characteristics and the considerations for IoT-based payment systems discussed above.

Under Control Objective 1, PCI DSS recommends deploying servers such as database servers and application servers in an internal secure network. It also requires vendor-supplied default passwords and security parameters to be changed before IoT devices are installed in the network [7]. In line with that, PA DSS puts more focus on changing the default passwords of the accounts used for managing users, applications, and services. It also recommends using cryptography to store account data securely and deploying database servers on machines separate from the application servers [17].

Control Objective 2: Protect Cardholder Data
3.2.1. PCI DSS and PA DSS Requirements, Assessment Procedures, and Guidelines. For this purpose [7,16], PCI DSS focuses on the secure storage and transmission of cardholder data over public, untrusted networks, relying on encryption, authentication, authorization, and hashing mechanisms. It also limits the amount of data stored and allows only a limited set of vendors and service providers to store cardholder data in the payment network [7]. In line with it, PA DSS recommends not storing cardholder data at most locations in the application and payment processing network, with the exception of a limited number of controlled locations. It emphasizes implementing strong authentication and authorization mechanisms for access to and processing of cardholder data [17].

3.2.2. Analysis and Recommendations for IoT-Based Payment Systems.
There are many considerations for IoT-based payment networks regarding the secure storage and transmission of cardholder data. The first and most important is that IoT devices have very little memory and limited processing capability, so cardholder data will be stored and processed in the cloud to save computation and communication power on the device. In this regard, research is focusing on exchanging tokens instead of the actual cardholder data, called tokenization, in clouds [3,27]. The other consideration is the authentication of the IoT device and of the associated cardholder. In traditional payment processing the cardholder is authenticated with a PIN, but in IoT-based payment systems the payment credentials are programmed into the device, and the cardholder may be authenticated by sensors or even biometrics. Hence, PCI DSS must account for the diversity of authentication mechanisms, which depend on the payment model used in IoT-based payment systems [3,28].
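The tokenization approach mentioned above can be made concrete: the device is enrolled once, keeps only a random token (plus a masked string for display, within the first-six/last-four limit PCI DSS allows), and the primary account number (PAN) exists only inside a cloud-side vault. The code below is an added example, not code from the paper or from any tokenization product; the vault API, the key handling (an HMAC-SHA256 keystream, chosen so the example needs no third-party library, where a real vault would use AES-GCM under an HSM-protected key) and the sample PAN are constructed assumptions.

```python
"""Tokenization: a payment-enabled IoT device keeps only a random token while
the PAN stays in a cloud-side vault. Added example, not from the paper:
the vault API, key handling, and the sample PAN are constructed assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed test card number (a standard Luhn-valid test PAN, not a real account).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, applied before a PAN is accepted for tokenization."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Cloud-side vault mapping random tokens to encrypted PANs.

    Encryption here is a keystream from HMAC-SHA256 in counter mode, an
    assumption chosen to keep the example dependency-free; a real vault
    would use AES-GCM under an HSM-protected key."""

    def __init__(self, vault_key: bytes):
        self._key = vault_key
        self._store: Dict[str, Tuple[bytes, bytes]] = {}  # token -> (nonce, ciphertext)

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < n:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        nonce = secrets.token_bytes(16)
        ct = bytes(a ^ b for a, b in zip(pan.encode(), self._keystream(nonce, len(pan))))
        # The token is random: it has no mathematical relation to the PAN, so
        # compromise of the device yields nothing usable outside this vault.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (nonce, ct)
        return token

    def detokenize(self, token: str) -> str:
        nonce, ct = self._store[token]
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()

    def stored_ciphertext(self, token: str) -> bytes:
        """Exposed only so a reader can check that the stored record is not the PAN."""
        return self._store[token][1]


def provision_device(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What the device keeps after enrolment: the token plus a masked display string."""
    return {"token": vault.tokenize(pan), "display": mask_pan(pan)}


def device_payment(vault: TokenVault, device_record: Dict[str, str], amount: int) -> dict:
    """The device sends token + amount; only the vault side recovers the PAN for the acquirer."""
    pan = vault.detokenize(device_record["token"])
    return {"pan_for_acquirer": pan, "amount": amount}
```

With this split, the PCI DSS scope of the device shrinks to the token and the masked string, neither of which is cardholder data; the vault, not the refrigerator or car, is the component that has to meet the storage requirements of Control Objective 2.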

Control Objective 3: Maintain a Vulnerability Management Program
3.3.1. PCI DSS and PA DSS Requirements, Assessment Procedures, and Guidelines. PCI DSS requires all personal and organizational devices to be protected against malware, including viruses, worms, and trojans. All participating devices, including personal computers, must run antivirus software along with additional antimalware software. All participating entities must also regularly download and install security patches from their vendors; these patches are updated versions of the software that address recently discovered attacks or vulnerabilities [7]. In this regard, PA DSS emphasizes the secure development of payment applications in accordance with industry standards and best practices, protecting at least against well-known vulnerabilities such as buffer overflows, insecure communication, and improper error handling. Any code change or addition must be reviewed for security issues before release. PA DSS also requires that any accounts, IDs, and passwords created during application development be removed before the payment application is installed [17].

3.3.2. Analysis and Recommendations for IoT-Based Payment Systems.
The major problems that can be encountered in IoT-based payment systems are as follows.
(a) It will be difficult to regularly download and install new security patches on so many IoT devices, with the added constraints of their small memory and limited computation power.
(b) Installing conventional antivirus and antimalware software on resource-constrained IoT devices is not practical.
The diverse capabilities of IoT devices and the diverse mechanisms for downloading and applying patches to them pose extra challenges for a new, IoT-suitable version of PCI DSS. However, research efforts are already in progress to address this issue: for example, behavior-based antimalware such as Intrusion Detection/Prevention Systems (IDPS) is recommended for IoT-based systems rather than signature-based systems, whose loaded signature databases can slow IoT-based systems down [29]. Other efforts improve behavior-based antimalware further with machine learning techniques such as Hierarchical Extreme Learning Machine (H-ELM) [30] and with machine learning in Hardware-based Malware Detectors (HMDs) [31,32]. Furthermore, spatial firewalls equipped with state-of-the-art security and antimalware programs are also being designed to protect IoT-based systems [24].

Control Objective 4: Implement Strong Access Control Measures
3.4.1. PCI DSS and PA DSS Requirements, Assessment Procedures, and Guidelines. According to PCI DSS, access control systems and processes, including authentication and physical access control, must be implemented to ensure that critical account data is accessible only to authorized personnel. It focuses on cryptographic and other authentication means to validate users and on granting limited access according to roles and privilege levels. Users must change their passwords regularly, and the security policies must be enforced at all times [7,33-35]. In line with it, PA DSS recommends assigning unique IDs to all users, implementing multifactor authentication to validate them, and implementing password change and revocation policies. It also emphasizes implementing user roles and access control mechanisms so that only validated, authorized users receive limited access [17].

3.4.2. Analysis and Recommendations for IoT-Based Payment Systems.
There are many considerations in this regard. The first is providing varying methods of authentication and granting device manufacturers and service providers limited, authorized access for processing secure payments. Certificateless and blockchain-based solutions can be a way to provide such facilities [19,21,36]. Special attention must also be paid to physical access to IoT devices in which cardholder credentials are already installed. These devices are more exposed because they are reachable remotely for configuration and reachable physically because of their easy deployment [3].
3.5. Control Objective 5: Regularly Monitor and Test Networks
3.5.1. PCI DSS and PA DSS Requirements, Assessment Procedures, and Guidelines. User activities (including access to network resources and access to cardholder data by privileged users) must be monitored, logged, and regularly tested so that events can be tracked, alerted on, and analyzed; each log entry must record the user identification and the event type along with the date and time. PCI DSS also requires that these audit logs cannot be altered and that any update or deletion of the logs is itself recorded [7]. Besides that, PA DSS recommends logging all user activity on payment applications, including additions, changes, and deletions to application accounts, in the recommended log format.
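The requirement that audit logs be unalterable, and that changes to the logs be logged themselves, can be met on a small device with a keyed hash chain rather than a full write-once store: each record carries the MAC of its predecessor, so editing, deleting or reordering a record breaks verification, and publishing the newest MAC to a separate system makes truncation detectable too. The code below is an added example, not code from the paper; the record fields, the MAC key and the sample events are constructed, and the key is assumed to be provisioned to both the logger and an independent verifier.

```python
"""Tamper-evident audit trail for access to cardholder data: every record is
HMAC-chained to its predecessor, and the newest MAC serves as an anchor that
can be published so truncation is detectable. Added example, not from the
paper: record fields, the MAC key and the sample events are constructed."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # previous-MAC value of the very first record


class AuditLog:
    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self.entries: List[Dict] = []

    def _mac(self, entry: Dict) -> str:
        """HMAC over every field except the MAC itself, with a canonical JSON encoding."""
        body = json.dumps({k: v for k, v in entry.items() if k != "mac"}, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, ts: str, user: str, event: str, detail: str = "") -> Dict:
        """Add a record carrying user id, event type, time, and the previous MAC."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "user": user,
                 "event": event, "detail": detail, "prev": prev}
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def anchor(self) -> str:
        """MAC of the newest entry; ship it to a separate system after each batch."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_anchor: Optional[str] = None) -> int:
        """Return -1 if intact, else the index of the first entry that fails.

        A chain check alone cannot see deletion of the newest entries, so the
        caller may pass the last anchor it published; on mismatch the function
        returns len(entries), i.e. "records are missing at the end"."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(e)):
                return i
            prev = e["mac"]
        if expected_anchor is not None and not hmac.compare_digest(prev, expected_anchor):
            return len(self.entries)
        return -1


def build_sample_log() -> AuditLog:
    """Constructed events in the PCI DSS shape: who, what, when, outcome.
    The archive operation on the log is itself logged, as the standard asks."""
    log = AuditLog(b"constructed-log-mac-key")
    log.append("2021-03-01T08:00:00Z", "svc-fridge-42", "token_lookup", "result=success")
    log.append("2021-03-01T08:00:02Z", "svc-fridge-42", "authorization", "amount=1250 result=approved")
    log.append("2021-03-01T09:15:00Z", "admin-7", "audit_log_archive", "range=0-1 result=success")
    return log
```

The usage note is the edge case: a hash chain proves nothing about records removed from the end, which is why `verify` accepts the last published anchor; the device should forward that anchor (or the records themselves) to a log server it cannot write back to.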

3.5.2. Analysis and Recommendations for IoT-Based Payment Systems.
For regular monitoring of the network, the aspects related to storing and accessing credentials in the cloud or at the edge and on the physical devices are of critical importance. The manufacturing and distribution models and the day-to-day usage patterns, which vary with the diverse capabilities of IoT devices, must also be considered for access control and logging [3,19].

Control Objective 6: Maintain an Information Security Policy
3.6.1. PCI DSS and PA DSS Requirements, Assessment Procedures, and Guidelines. PCI DSS also requires establishing, publishing, maintaining, and disseminating a security policy that enforces all security requirements. It encourages educating all permanent employees, temporary employees, contractors, and consultants of payment vendors so that they take part in enforcing the policy. The policy must be revised at least annually or when the environment changes [7]. In line with it, PA DSS pays special attention to payment application updates delivered via remote access: vendors should educate customers to keep remote access turned off most of the time, turning it on only when the vendor needs it and off again immediately afterwards [17].

3.6.2. Analysis and Recommendations for IoT-Based Payment Systems.
The regular security updating of IoT firmware is of utmost importance in IoT research. Over-the-air (OTA) updates are considered a viable way to update the very large number of devices in IoT networks in a manageable manner. The firmware updating of resource-constrained IoT devices is therefore an important consideration both for the extension of PCI DSS and for the IoT research community.
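An OTA mechanism for a payment device has to do three things the policy text leaves implicit: verify that the update manifest came from the vendor, refuse anything that is not newer than what is installed (otherwise an attacker re-delivers an old, vulnerable image through the legitimate channel), and check the image incrementally so the device never needs the whole image in RAM. The code below is an added example, not code from the paper or from any OTA product. Its assumptions: the device holds a per-model update key shared with the vendor's server (an HMAC key keeps the example dependency-free; a signature under a vendor public key is the better choice in practice, since a shared key extracted from one device lets an attacker sign for all of them), it stores only a monotonically increasing version counter, and the image arrives in fixed-size chunks.

```python
"""Firmware update check for a resource-constrained payment device.
Added example, not from the paper. Assumptions: a per-model update key
shared with the vendor (HMAC instead of an asymmetric signature, to avoid
third-party libraries), a stored monotonic version counter, and a chunked
image so the full image never has to sit in RAM."""
import hashlib
import hmac
import json
from typing import Dict, Iterable

CHUNK = 512  # bytes the device buffers at a time (assumed)


def make_manifest(key: bytes, version: int, image: bytes) -> Dict:
    """Vendor side: the manifest binds version, size and image digest under the update key."""
    m = {"version": version, "size": len(image), "sha256": hashlib.sha256(image).hexdigest()}
    m["mac"] = hmac.new(key, json.dumps(m, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return m


class Device:
    def __init__(self, key: bytes, installed_version: int):
        self._key = key
        self.version = installed_version  # the only update state kept on the device

    def apply_update(self, manifest: Dict, chunks: Iterable[bytes]) -> bool:
        """Verify the manifest MAC, refuse rollback, then stream-hash the image.
        Returns True and bumps the version only if every check passes."""
        body = {k: v for k, v in manifest.items() if k != "mac"}
        expected = hmac.new(self._key, json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, manifest.get("mac", "")):
            return False  # forged or corrupted manifest
        if manifest["version"] <= self.version:
            return False  # anti-rollback: never accept an older or identical version
        h = hashlib.sha256()
        received = 0
        for c in chunks:
            h.update(c)
            received += len(c)
            if received > manifest["size"]:
                return False  # more data than the manifest declared
        if received != manifest["size"] or h.hexdigest() != manifest["sha256"]:
            return False  # truncated or tampered image
        self.version = manifest["version"]
        return True


def chunked(data: bytes, n: int = CHUNK) -> Iterable[bytes]:
    """Split an image the way a transport would deliver it to the device."""
    for i in range(0, len(data), n):
        yield data[i:i + n]
```

Note the order of the checks: the MAC is verified before the version is compared, so an attacker cannot learn the installed version by probing with unauthenticated manifests, and the image hash is computed over the chunks as they arrive, so a tampered or truncated image is rejected without ever being written to the firmware slot.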

Recommendations and Future Research Directions
Table 2 entries by control objective:
CO3: maintain a vulnerability management program
(i) Security patches must be lightweight in terms of storage and computation and must be released in a way that optimizes memory usage for older releases.
(ii) Antivirus and antimalware software must be designed for the resource-constrained nature of IoT payment devices.
CO4: implement strong access control measures
Special attention must be paid to physically accessing individual IoT devices securely (e.g., a refrigerator with installed security credentials) in which cardholder credentials are already installed.
CO5: regularly monitor and test networks
The manufacturing and distribution models and day-to-day usage according to the diverse capabilities of IoT devices must be considered for access control and logging activities.
CO6: maintain an information security policy
Over-the-air updates are being considered as a viable solution for updating the large number of devices in IoT networks in a manageable way.

The future research directions drawn from the above discussion are:
(i) Firewalls are very important components for achieving security in any IoT-based system. Designing scalable and efficient firewalls for large rule sets in a way suited to IoT is a research topic of high importance for the IoT and PCI DSS research communities. Furthermore, efficient antivirus and antimalware software are to be developed for IoT.
(ii) Authentication methods based on biometrics, tokenization, and secure, efficient methods for processing data stored in the cloud are also of great research interest.
(iii) Regularly updating so many resource-constrained IoT devices is a challenging research issue; over-the-air (OTA) methods need to be defined.
(iv) Blockchain- and certificate-based access control methods should be developed, building on the above research, to give card and IoT device manufacturers access for updating firmware.

Conclusion
The next generation of interconnected payment-enabled IoT devices will play a significant role in the lives of consumers and vendors by providing a unique payment experience. This process, which improves people's lives by allowing IoT devices to store user credentials and make payments autonomously, must be secured by adapting the PCI DSS requirements and assessment procedures at the global level. This paper has highlighted that PCI DSS is not applicable to such IoT-based payments in its current form and must be modified, considering the issues raised here, to suit IoT. The important issues identified are the infeasibility of installing conventional antivirus, firewalls, and other antimalware on resource-constrained IoT devices, the diverse authentication requirements, over-the-air security updates for IoT devices, logging mechanisms, and access control using blockchain; all of these must be addressed by research. The study is limited to a theoretical, critical analysis of the PCI DSS and PA DSS recommendations for IoT-based secure payments. For future work, it is recommended that the identified security issues and technologies be studied for implementation and practicability using simulations.


Table 1 (fragment): Mapping of PCI DSS control objectives (CO), PCI DSS requirements (R), and PA DSS requirements (RA).
R10: track and monitor all access to network resources and cardholder data; RA10: facilitate secure remote access to payment application
R11: regularly test security systems and processes; RA11: encrypt sensitive traffic over public networks
CO6: maintain an information security policy
R12: maintain a policy that addresses information security for all personnel; RA12: encrypt all nonconsole administrative access
RA13: maintain a PA-DSS implementation guide for customers, resellers, and integrators
RA14: assign PA-DSS responsibilities for personnel and maintain training programs for personnel, customers, resellers, and integrators

2.6. Taxonomy of IoT-Based Payment Models. The IoT payment landscape is not yet defined or standardized, and no one can predict the future with complete certainty. However, three payment models are identified in the literature, as shown in Figure 2: (1) the card scheme payment model, (2) the bank credit transfer model, and (3) the digital currency payment model. These models are abstract-level descriptions of the payment process [20].
(2) Bank credit transfer model: ...ion of instant payment systems with open APIs enables most of the IoT payment use cases that are imaginable with card scheme payments [20].
(3) Digital currency payment model: blockchain distributed ledger technology (DLT) is considered very suitable for the IoT environment. The distributed nature of blockchain allows IoT devices to transact directly, with or without the involvement of a trusted third party. It is still uncertain how such a digital currency-based payment model will be adopted in the future; a possible scenario is convergence towards regulated digital currency networks in which central banks play a crucial regulating role as blockchain nodes, with possible interchange of different currencies. Currently, different standardization efforts are under way to facilitate the interoperability of digital currency networks [20].

3.1. Control Objective 1: Build and Maintain a Secure Network
3.1.1. PCI DSS and PA DSS Requirements, Assessment Procedures, and Guidelines. For building and maintaining a secure network, PCI DSS focuses on the deployment of firewalls on personal computers as well as in networks, and on the secure configuration of routers along with network segregation.
3.1.2. Analysis and Recommendations for IoT-Based Payment Systems. As discussed above, IoT devices may have limited capability to implement security measures. How, then, can a resource-constrained IoT device run a personal firewall that must be active all the time? The limited power and computational capability of IoT devices will not allow such firewall installations [22-24], nor the corresponding compliance rule implementation on the devices. Firewalls must be adapted to the resource-constrained nature of IoT devices; research efforts to design firewalls suitable for IoT are already under way in industry as well as academia, as addressed in [22-24]. Furthermore, efficient encryption/decryption mechanisms suitable for low-powered IoT systems are also required. The

Table 2 summarizes the recommendations drawn in this paper for each of the control objectives. The future research directions, in the light of the above discussion, for achieving security in IoT-based payment systems and for drawing up PCI DSS guidelines are listed in Section 4.

Table 2: Control objectives of PCI DSS and recommendations for IoT-based payment security.