The Four Corners Model for Card Payment Security and Key Management

The “Four Corners” model, also called the “Four Party Scheme”, is utilized in almost all standard card payment systems across the globe. Here, we talk about that model and explain what kind of hardware security module (HSM) is needed for each of its components involved in the cryptographic process.

Review of the Four Corners Model

The Four Corners are:

1. The Cardholder (or the consumer)
2. The Merchant
3. The Issuer (usually a bank)
4. The Acquirer (usually also a bank)

These terms should be very well-known for anyone involved in the card payment industry. Let us recall what they represent.

The Cardholder

The Cardholder is a consumer who has been given a card by a financial institution (typically, a bank). That cardholder doesn’t really own the card and is only authorized to use it. The card remains the property of the financial institution that issued it (aka the “issuer bank”). Generally, the cardholder is a client of the issuing financial institution and has an account directly linked to the payment card. But this is not a rule because, in some instances, this may not be the case (e.g., corporate credit cards or petroleum cards given to employees, for example).

The Merchant

The Merchant, often also called “The Acceptor,”  is the vendor to the consumer. The Merchant sells goods or services to the cardholder and accepts card payments. Typical examples are restaurants, hotels and shops equipped with POS payment terminals (Ingenico, Verifone, Telpo, or Vax machines, for instance).

Note that the Merchant could be an ATM and represent a fully automated machine. The primary role of the merchant is indeed to “accept” payment cards. 

The Issuer

At this stage, things become more opaque and are generally beyond the scope of the average user’s experience. The Issuer is the financial institution that issues the payment cards given to the cardholder. More often than not, it’s going to be a bank. The payment card issued by the Issuer may be of three different types:

1. Credit card 
2. Debit card
3. Prepaid card

Note that the issuing bank provides these payment cards on behalf of a specific card payment network. Examples of such card payment networks include Visa, Mastercard, Europay, JCB, American Express, and Discover. They can also be private, closed-loop payment networks like a domestic scheme. 

The issuer bank is responsible for manufacturing the payment card as well as managing the associated cryptography. This is usually done with card integrator companies.

The Acquirer

The Acquirer is the financial system that provides the Merchant the tools needed to accept payment cards. The acquirer can be a third-party system that is not directly the bank where the merchant has an account. In general, the Acquirer will provide hardware and software to the Merchant and allow the Merchant to process transactions.

The Acquirer must manage the final return codes (return authorization codes or not) from a transaction.

The Acquirer will be responsible for authorizing the Merchant to deliver a good or service.

Explanation of the Model

The quadripartite model is represented below:

In the Four Corner Model, the Merchant connects to their Acquirer. The Acquirer connects through a scheme to the card Issuer of the Cardholder. Note that, between the Merchant and the Acquirer, there is usually one more third-party acting as a switch or gateway.

Despite its apparent simplicity, the Model involves several flows between the four components.

Generally, the Issuer will be different from the Acquirer. In such cases, interbank processes are required. Interbank processes involve money transfer and compensation between banks. 

This is a very complex mechanism involving clearing and settlement processes.

Of course, the starting point is the Cardholder’s action of buying something from the Merchant using their payment card. This triggers an authentication flow from the Merchant to their Acquirer bank and then from the Acquirer bank to the Issuer bank through a vast network of switches, gateways, and servers managed by the relevant card scheme network.

The authorization flow will ultimately result in a positive or negative result (this may be a bit more complicated in reality). When a positive authorization is received, the Merchant will generally deliver the goods or services. This is what you experience when you use your card in your local shop. Once this happens, the cashier will provide the goods, the ATM will provide the banknotes, and usually, a receipt will be printed, etc.

Note that this Four Corner Model tends to become a Three-Corner Model (e.g., a triangle) more often where the Acquirer bank is skipped, and the switches and gateways route the authorization flow directly to the Issuer.

This reduces the burden on the payment network and speeds up transactions.

Which HSMs Are Needed for the Four Corner Model?

Of course, in this model, cryptography is requested between all the actors. Therefore, the numerous cryptographic keys and cryptographic operations must be handled in secure environments such as provided by a hardware security module (HSM). 

The cardholder has an HSM: If the payment card has a chip (which is mandatory in EMV transactions), it behaves like a micro-portative HSM. Here are the needs for the other three components.

For the Merchant

This depends on the size of the Merchant and the nature of the Merchant. A small Merchant will be equipped with POS terminals that are usually provided with a secure memory and secure cryptographic-specific hardware. These machines can act as “small HSMs” and fit the needs of small shops. This is also true for isolated ATMs. 

On the other side, big shops such as malls often operate some “hubs” where the payment terminals are managed, and transactions are grouped. Still, under the Merchant’s control, these hubs might be gigantic and collect thousands of transactions before they are finally sent to a gateway. These hubs need network-attached HSMs to secure the transactions that they collect.

For the Issuer

The Issuer needs HSMs when it issues cards, holds keys, and manages the cryptography involved with the cards. It also needs HSMs to authorize the cryptographic flow. 

For the Acquirer

In the model, the Acquirer must manage all the Merchants’ financial terminals’ keys and process the cryptographic flow towards the Issuer. Acquirers usually need performant and robust HSMs in large quantities.

Conclusion

The Four Corner Model involves end-to-end secure transactions that are ciphered and protected at every corner. So, the need for HSMs and automated key management in such a model is essential. Superfast and super-secure HSMs are now demanded with the ever-increasing amount of transactions and increasing criminal hackers’ skills.

A modern key management system (combined with HSMs) provides the framework for managing numerous keys throughout their life cycles. There are multiple types of key management systems and ways a system can be implemented, but the most important characteristics for a payments security team to search for include:

• Ability to support a variety of key types and formats
• Certified hardware random number generator for strong key generation (within an HSM)
• Protection for stored keys using a certified, tamper-resistant hardware device
• Automation for common/tedious tasks
• Logical access controls with strong user authentication
• Full tamper-proof audit log (for compliance audits)

References, Side Notes and Further Reading

• Read more articles on Payment Security (2018 - today), by Martin Rupp, Jo Lintzen, Matt Landrock and more
• Read more articles on the ANSI X9.24-1-2017 (2018 - today), by Martin Rupp, Matt Landrock and more