Why rethink and update approaches to payment security management
Electronic payments offer business advantages over older payment methods, but pose greater security risks.
As new and innovative credit card payment methods are developed and become popular, improving compliance standards has become more important.
This was a major driver for the PCI DSS 4.0 compliance standard, the first major update since 2014, which raised the bar for technical and governance requirements.
These updates reflect significant changes within the payment card industry and address risks in an increasingly complex and evolving threat landscape.
However, navigating the changing requirements introduced by PCI DSS version 4.0 will require clear goals and innovative models to eliminate key conflicts and constraints.
These were among the findings of Verizon’s 2022 Payment Security Report, which found that overall PCI DSS compliance improved significantly in 2020, although more serious cybersecurity threats require an even more robust security posture.
“In this sea-change in technology, PCI DSS v4.0 provides new navigational points to help organizations achieve sustainable control effectiveness in control and compliance environments,” the report notes.
Cynthia Hanson, senior analyst, professional services for the security assurance consulting division of Verizon Business Group, points out that the percentage of organizations maintaining full compliance improved by 15.5 percentage points, from a low 27.9% in 2019 to 43.4% in 2020.
“It means a significant improvement,” she says, noting that the control gap has also improved significantly in 2020, from a high of 7.7% in 2019 (bad) to a low of 4% in 2020 (best).
Mobile banking requires 5G-enhanced security
Hanson says the financial industry is seeing a significant increase in the use of mobile devices for customer transactions, especially personal banking.
“The speed and stability of 5G could improve that experience and provide greater security by allowing consumers to opt for advanced biometric-based identification and verification methods,” she said.
She adds that the financial industry could also allow consumers to opt for location-based technologies to more effectively identify fraud.
For customers, 5G can provide highly secure connections for video conferencing with finance professionals and credit counselors.
More risk means more regulation
Dan Stocker, director of Coalfire, a provider of cybersecurity consulting services, points out that electronic payments offer business advantages over older payment methods, but pose broader security risks.
He also says the growth of innovative payment services has brought many non-banks into the industry. “These entities are subject to regulation by the FTC, and those operating at the forefront of integration with cryptocurrencies should expect increased regulatory pressure following the events of 2022,” he says.
New security vulnerabilities are being developed and discovered at an accelerated pace, putting strain on traditional security practices, he adds.
From Stocker’s perspective, new approaches, such as Zero Trust and cloud-native security models, represent fundamental investments.
“Talent in security is a challenge to find,” he adds. “Over the next few years, many entities will be challenged to find the right crossover point of security investments in order to simply stay in business.”
Anti-fraud encryption requirements
Darryl MacLeod, vCISO at LARES Consulting, an information security consultancy, says the rise of e-commerce has led to an increase in the number of ways criminals can commit fraud.
“Additionally, the growth of online banking and other financial services has made it easier for criminals to gain access to sensitive information,” he explains.
MacLeod notes that in response to the growing threat of payment fraud, PCI SSC has made some changes to PCI DSS.
Some of the most significant changes will be the requirement for organizations to encrypt electronically stored SAD (Sensitive Authentication Data) prior to completion of an authorization and the requirement to implement Multi-Factor Authentication (MFA) for all access to the CDE (Cardholder Data Environment).
“There are several payment security challenges that organizations will face in the next year,” he adds.
These include the continued growth of e-commerce and the associated increase in fraud, as well as the adoption of new technologies, such as EMV chips and mobile payments, which may create new opportunities for criminals.
Digital transformation efforts impact payment security
Hanson agrees that enterprises will pivot and adapt to the new v4.0 standards in an era where threat actor capabilities continue to evolve and intensify, enabling the skillful exploitation of existing and emerging threats and weaknesses in payment systems and processes.
Additionally, digital transformations that rely heavily on cloud technologies are introducing new drivers that are impacting the payment security industry, further complicating the role of CISOs and other security managers and practitioners.
“CISOs are increasingly challenged in their efforts to ensure payment security compliance and to convince board members and other stakeholders of the importance and significance of securing support and strategic resources for payment security,” says Hanson.
In the 2022 Payment Security Report, it is highlighted that CISOs often use outdated methods to secure support, and that a change is needed for all stakeholders in the approach.
“Rather than taking a checkbox approach to compliance, CISOs and other security leaders need to take a thoughtful, out-of-the-box approach that involves implementing frameworks and templates,” says Hanson. “This is especially true for those taking the personalized approach to compliance.”
MacLeod says there are several key stakeholders in organizations that drive payment security compliance, from the CEO and CIO to the CISO and CFO — and those roles are changing as the payments industry evolves.
“For example, the introduction of new technologies such as mobile payments and contactless payments is changing the way payments are processed and increasing the importance of security,” he says.
Therefore, stakeholders such as the CIO and CISO play an increasingly important role in ensuring payment security compliance.
In its report, Verizon draws a metaphor from the container ship Ever Given, which got stuck in the Suez Canal in March 2021.
“If the canal authorities had foreseen the potential accident, they probably would have planned more comprehensively and cautiously,” says Hanson. “It will become increasingly critical for CISOs, board members and those involved in governance to think outside the box and consider the unintended consequences of their payment security choices.”