Industry Views: The Risky Business of Payments
Being in the payments business is risky for one simple reason—it’s where the money is. So, fraudsters and cybercriminals are going to attack it over and over and over again. The problem for payments professionals is that said fraudsters and cybercriminals are using more sophisticated techniques to access consumer financial data—or data that can help them open fake accounts.
The total cost of data breaches worldwide is projected to quadruple by 2020, to $1.2 trillion, according to a Juniper Research study, with the average cost per breach exceeding $150 million. With the threat of cybercrime growing considerably, we canvassed top payments providers and data security consultants to find out what they see as the biggest cyber-risks, and what steps companies should take to help keep consumer data—and the financial system—safe.
What should payments providers be most concerned about when it comes to data/cybersecurity?
A primary concern with data and cybersecurity relates to integrations or third-party service providers or partners. We ensure that all of our partners follow API and remote access security best practices, such as enforcing multifactor authentication, requiring unique credentials for each user and setting least-privilege permissions. Capturing a comprehensive audit trail of all activity is key, as well as disabling third-party accounts as soon as they’re no longer needed. Staying a step ahead of security threats is difficult but achievable if your monitoring systems are real-time and alert key parties the moment an attack or suspicious event is detected.
—Hunter Wolfe, senior vice president, sales and operations, Cachet Financial Solutions
Cybersecurity and protecting data are two of the largest—and most impactful—issues we face. In the payments industry, companies must apply an internal phased assessment approach. What sensitive information does the firm need in house? What sensitive information does the firm need to be able to access but not necessarily need on its servers? What information is truly being transmitted and stored by the company? What data are vendors passing along in files? What are employees unknowingly storing, etc.? We’ve seen multiple situations where vendors were sending personally identifiable information and personal account numbers to contracted partners that weren’t PCI-compliant. While data are great for multiple purposes, companies must also keep in mind the increased risks and costs associated with data and cybersecurity. An internal assessment of information received at the firm will provide more clarity.
—Andrea Corbine, senior consultant, SightSpan Inc.
Regardless of how many data breaches are yet to come, our daily focus is to safely transfer card funds from customers, merchants and financial institutions, and to prevent someone else’s data compromise from damaging Store Financial’s portfolio. The challenge is to obtain timely information, have the experience to understand red-flag redemption patterns and make necessary adjustments to limit exposure without creating a negative customer experience.
—Mark Tomasic, vice president, risk management and fraud prevention, Store Financial Inc.
Cybercrime is a phenomenon against which security doors and alarm systems are powerless because it trespasses our privacy using completely different methods. When data security is endangered it can massively weaken the reputation of a brand. Having the best possible protection against this permanent threat requires continual investment in employee training and technology.
—Udo Mueller, CEO, paysafecard
What should payments providers be investing in to protect their systems from hacks or misuse?
We continually invest in the latest security technologies. Our security and fraud prevention experts are constantly developing their knowledge and skills to be able to enhance our systems. In addition, our experts always are implementing proactive processes to counter fraud and unsettling trends.
—Udo Mueller
People, processes and technology. We’re investing in employees who are industry leaders with expertise in important and emerging areas, including supplier payments, BSA/AML compliance, legal, risk, recovery and system analysis. We’re also encouraging creativity, focusing on results and automating everywhere possible to provide a fast, reliable and secure customer experience.
—Mark Tomasic
Cachet continues to employ a proactive and aggressive approach to data and security protection. We invest heavily in vulnerability management technology that detects and flags out-of-date and unpatched devices and software. We also employ sophisticated encryption for data at rest and in transport, as well as automated penetration and vulnerability scanning to reduce the time to discover defects, decrease the likelihood of human errors and confirm issue-free results.
—Hunter Wolfe
Before firms can invest in a solution, they need to identify the problems they’re solving for. The first, crucial step is a vulnerability threat assessment to determine a firm’s strengths and weaknesses and to identify any existing gaps. The most important investment of time, for any firm, is to work on behavior modification within its internal teams and with external partners. Data and cybersecurity awareness is key, and the employee and partner training programs should include a holistic view of information security and proper oversight.
—Andrea Corbine
As consumers shift to digital and mobile channels, what are the best ways to ensure that customers/users aren’t the weak link in the security chain?
Customers utilizing digital and mobile methods for connectivity present large security risks, but offering unsecured and untested connectivity will always generate risk factors. Payment firms should not enter into digital transactions unless they have previously identified the specific risks and put risk mitigants into place for those risks.
—Andrea Corbine
Even though our solutions meet the highest security standards, it’s still necessary that users play their part with regard to their own online security. As part of sensitizing our customers to this subject, we regularly inform them about current threats and countermeasures, such as new product features, developed to increase their security. We’re currently running a security campaign with a wide range of educational materials and activities.
—Udo Mueller
We work directly with our clients to implement solutions that are easy to deploy, yet sophisticated enough to ensure end users are protected and not a point of vulnerability. We secure data at rest and in transport with secure encryption (such as AES 256-bit), and include separate key storage and one-time-use transaction tokens to create a secure environment that protects every stage of the transaction. To further protect clients and end users, we also are working aggressively to deploy cutting-edge emerging technologies, such as biometric authentication, as part of the multifactor-authentication strategy. Finally, we work closely with clients to deliver comprehensive end-user education programs. We believe consumers who are knowledgeable about the service and the technology consistently use our platforms in more responsible and secure ways, such as safeguarding their devices and log-in credentials.
—Hunter Wolfe
In other words, how do we protect our most naive customer from the savviest fraudster? This is an ongoing concern and we’ve faced it before. For years, some customers were tricked into disclosing bank account information through email or phone call phishing. Education and mass mailings were not the answer. Store Financial led the industry with a proactive solution; by adding an extra authentication value, not shared with the customer, the bad guys were phishing in a contaminated pond. Even if cardholders were phished out of all known account information, the fraudsters’ transactions would still be declined, proving our efforts stopped fraud.
—Mark Tomasic
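The mechanism Tomasic describes, an authentication value that the cardholder never holds so phished account details alone cannot complete a transaction, sketched as an added Python example (this is not Store Financial's code; the HMAC derivation, the six-character length, the field names and the test PAN are assumptions):

```python
"""Added example: an issuer-side authentication value the cardholder never sees.

Constructed illustration of the approach described above, not Store Financial's code.
Assumptions: a card record holds PAN and expiry; the auth value is derived from them
under an issuer-held key, encoded on the card, and checked on every authorization.
"""
import hashlib
import hmac
import secrets

AUTH_VALUE_LEN = 6  # hex characters; a constructed choice, not from the article


def derive_auth_value(pan: str, expiry: str, issuer_key: bytes) -> str:
    """HMAC over the card's public fields under the issuer key, truncated.

    The cardholder is never told this value, so phishing the cardholder for
    PAN, expiry and name cannot yield it; only the issuer key can recompute it.
    """
    msg = f"{pan}|{expiry}".encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()[:AUTH_VALUE_LEN]


def authorize(request: dict, issuer_key: bytes) -> str:
    """Decline unless the request carries the correct auth value.

    A request built only from phished data has no auth value (or a guessed one)
    and is declined even though PAN and expiry are correct.
    """
    presented = request.get("auth_value")
    if presented is None:
        return "DECLINED"
    expected = derive_auth_value(request["pan"], request["expiry"], issuer_key)
    # Constant-time comparison so response timing does not leak matching digits.
    if not hmac.compare_digest(presented, expected):
        return "DECLINED"
    return "APPROVED"


if __name__ == "__main__":
    issuer_key = secrets.token_bytes(32)  # would live in an HSM in production
    card = {"pan": "4111111111111111", "expiry": "1227"}  # constructed test PAN
    card["auth_value"] = derive_auth_value(card["pan"], card["expiry"], issuer_key)
    phished = {"pan": card["pan"], "expiry": card["expiry"]}  # all the customer knew
    print(authorize(card, issuer_key))     # APPROVED
    print(authorize(phished, issuer_key))  # DECLINED
```

A short value like this still needs issuer-side decline counters and velocity limits, since a fraudster who can submit many attempts could otherwise guess it.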