“Any processing of sensitive financial information should prioritize security as a first port of call.”
As we enter a new digital world thanks to COVID-19, there is a growing need for companies to educate their employees about, and for employees to understand, the responsibility they have online, writes Simon Keates, head of strategy and payment security at Thales.
Hackers are taking advantage of the situation by launching phishing or spear-phishing campaigns that use COVID-19 as a lure in order to infiltrate IT systems. Frighteningly, more than 50% of newly created domain names linked to the virus can lead to a malware infection.
This is coupled with the growing concern among global IT leaders that businesses aren’t doing enough to protect the financial data they hold. In fact, last year’s Thales Data Threat Report – Global Edition, proved sobering reading for the industry as over two-thirds (70%) of companies admitted they’re failing to deploy measures, such as encryption, to provide robust security for their business.
In 2020, with security an ever bigger issue, lessons are still being missed as more companies announce that they’ve been hit by hackers. Whilst poor password management by consumers accounts for some of the risk, businesses are judged as being ultimately responsible for the protection of the data.
But against a backdrop where convenience remains king, how can financial organisations ensure they have a coherent plan in place to mitigate the risks hackers bring?
Evolving Payment Landscape
Today the financial landscape continues to evolve, offering new ways for businesses and consumers to both manage their money and pay for goods. While change drives better end-user experience and convenience, it means that security is having to adapt with it to ensure that it remains safe to use.
Take the humble payment card for example. Over the last 30 years card security has evolved from a simple piece of cardboard to a sophisticated cryptographic device designed to robustly secure the transaction – essentially the technology was trusted end-to-end. With the rise of mobile devices, convenience has seen the card disappear from the wallet and into the mobile device itself. But the online, digital world is different – it accepts that a consumer mobile device is inherently untrusted and relies on a range of software security approaches, underpinned by strong risk management and hardware-based security at the service provider or issuer, to minimise the threat of fraudulent transactions. With payment cards, by contrast, we have a trusted bank-issued device where the cryptographic keys are secured inside the chip and are valid for the lifetime of the card.
With more stores and merchants accepting mobile payments than ever before, retailers must be aware of the security risks. Brand loyalty runs deeper than reward programmes and the security of information is a large piece of what keeps consumers dedicated to a specific brand. Ultimately, retailers must be sure their technology is sufficient to meet PCI DSS regulations especially with an update on the horizon.
Faced with the need to improve experience and convenience, regulators believed that organisations also needed a slight push towards improving security too. In fact, the introduction of the revised Payment Services Directive (PSD2) has put security at its heart with Strong Customer Authentication (SCA).
SCA, as defined in PSD2, means that transactions are authenticated using two or more of the following elements:
- Knowledge: something only the user knows (e.g. password, PIN, ID number)
- Ownership: something only the user possesses (e.g. mobile device, token, smart card)
- Inherence: something only the user is (e.g. fingerprint, face or voice recognition)
Organisations need to look for product solutions that build security into their design. This is essential when these products transmit and store sensitive customer information, as in the case of POS systems and payments software. As these methods evolve, more consumers become vulnerable to hacking as further information is exposed online. It’s a riddle that businesses need to solve. These issues can prove especially difficult to address when customers are using devices that may not be secure, such as phones or smart watches, to make purchases. A clear majority of transactions and data can be secured through strong PKI and encryption initiatives, as well as by adopting hardware security modules.
An Educational Need
As alternative payment methods continue to evolve, there is a growing call for standardisation of the security methods needed to protect the sensitive financial data companies hold.
Until that happens, one thing businesses can do is ensure that the organisation and its staff are up to date on the issues involved in handling sensitive information in the world of digital and physical payments. Training IT staff, customer service and management in the proper handling of sensitive data is integral to avoiding security mishaps.
The enterprise world, and specifically financial services, is only becoming more digitally focused and given the current situation, it’s not likely to go back to the way things used to be. It’s incumbent on employees to be aware of the sensitive information that they are responsible for and ensure they are trained on how to successfully handle it.
As companies look to adopt new payment methods in the push to meet customer demand for convenience, any processing of sensitive financial information should prioritize security as a first port of call. If they don’t, they’ll be sure to repeat the breaches that have plagued the industry of late. Consumers are more interested than ever in security and their personal data, so those handling financial information must put their security above all else.