Connect with us

Technology

GOING ABOVE AND BEYOND COMPLIANCE FOR TRUE CARD DATA SECURITY

Published

on

GOING ABOVE AND BEYOND COMPLIANCE FOR TRUE CARD DATA SECURITY 1

By: Dave Oder, President and CEO, Shift4 Corporation

Due to the ongoing efforts of cyber criminals to steal personal financial information, the Payment Card Industry (PCI) Council has created a comprehensive Data Security Standard (known as PCI DSS) with the aim of protecting merchants and cardholders. Merchants certainly should adhere to these requirements in order to attain the “PCI compliant” designation, but there is far more to transaction security than this designation.

Though PCI compliance is important, it can lull merchants into complacency, and complacency is never a good thing in business. Much more is required for a well-rounded security plan than simply ticking off the check boxes of an annual PCI-compliance assessment. The string of recent security breaches involving major brands should serve as a stark reminder that complacency in the face of ever-more-sophisticated threats can lead to brand disaster and lost revenue.

Passing the yearly PCI assessment is no guarantee against security breaches. Security measures must surpass the basics of compliance, moving beyond a ‘moment in time’ assessment. As any security-minded merchant will understand, security does not happen once a year – it must be a daily consideration.

Remove Sensitive Data to Improve Security

Dave Oder

Dave Oder

One of the largest challenges with PCI’s requirements is that their goal is to keep cardholder data safe in a merchant’s environment. I like to compare this to trying to protect a princess in a castle. The princess may be guarded by the king’s strongest men, and the walls fortified and the moat deepened, but a persistent attacker will lay siege to the castle and eventually find a way in.
Contrast this with a much simpler solution: simply taking the princess out of the castle and hiding her away in a safe location. The same holds true for payment card data. In order to be fully protected from hackers and criminals, merchants must remove sensitive data from their environment altogether. After all, they can’t steal what you don’t have.

This can be done with a combination of two existing technologies, tokenization and point-to-point encryption (P2PE). When properly implemented, these solutions combine to prevent cardholder data from ever passing the swipe device where customers present their cards for payment. By shrinking the card data environment down to a swipe device, all sensitive payment data in the environment is essentially eliminated. Suddenly, thieves have nothing to steal, and business can continue without fear of an impending, brand-damaging data breach.

The added benefit of using these technologies is that they may significantly reduce the scope of a merchant’s annual PCI DSS assessment. PCI’s security assessors will find their jobs much easier if all merchants did away with onsite storage and processing of sensitive payment data. But again, it is not PCI-compliance that should be our main focus. Security beyond compliance is vital to the protection of customers’ sensitive data and a merchant’s brand integrity.

EMV: A “New” Factor in the Security Equation

The newest card data security tool in merchants’ quivers (at least in the U.S.) is a technology called EMV. Global credit card brands Europay, MasterCard and Visa partnered nearly two decades ago to create EMVCo, an organization dedicated to bringing chip cards(smart cards) to the payments industry. This technology has made headlines recently in the U.S., the last major market in the world to adopt the technology. EMV cards are equipped with embedded computer chips that help to authenticate the cards when they are presented for payment. The card brands and major banks behind EMV have become increasingly vocal in promoting the technology as a solution to massive retail data breaches like the ones we’ve seen in the past year – capitalizing on the industry’s heightened fear to advance their own agenda.

The EMV “liability shift” date is less than a year away, set by the card brands as

October 2015. Essentially, that means that after October of 2015, any organization that does not support EMV technology will become financially liable for credit card fraud that could have been prevented if EMV had been in use. This has the potential to shift billions of dollars of fraud losses away from the major banks and credit card companies and onto the shoulders of merchants. In exchange, they claim, merchants will be protected from the next wave of data breaches. Unfortunately, this is a major exaggeration of EMV’s security capabilities.

While EMV will help prevent fraudsters from using stolen card data in stores, it does not stop card numbers from being stolen in the first place. EMV also does nothing to prevent e-commerce fraud. Just like PCI compliance, EMV is only a small part of the solution, not the solution itself.

When Compliance Isn’t Enough

When it comes to secure payments, there is no magical panacea. PCI compliance and EMV are important, but they must be considered components of a larger card data security strategy. This strategy must speak to every point at which cardholder data exists within the merchant environment. Merchants should add a comprehensive tokenization approach and encryption at the swipe to their arsenal alongside EMV and PCI compliance. Tokenization prevents long-term storage of card data, and P2PE encodes card data as soon as it enters the merchant environment. All these approaches taken together will make data theft next to impossible and EMV will render any data that is stolen very difficult to use. To overcome today’s cyber criminals, merchants must go beyond mere compliance in order to truly safeguard payment card data.

Technology

What does cybersecurity look like for the financial sector in 2021?

Published

on

What does cybersecurity look like for the financial sector in 2021? 2

By Neill Lawson-Smith, managing director at CIS

The landscape is changing incredibly fast, with cybercriminals using the most up-to-date technology to hack systems. Here are the six areas those in finance should be watching out for…

The finance and insurance sector is increasingly becoming a notable target for cyber attacks. Many of these breaches happening are believed to be due to inadequate security measures when teams or businesses are using cloud services.

The financial industry is also being affected by changes in processes with more fintech, virtual banks, and other digital disruptors impacting the market. The landscape is changing incredibly fast, with cybercriminals using the most up-to-date technology to hack systems, so it is therefore up to the financial sector to keep up to avoid security breaches.

What does this look like for the year ahead in the financial sector? Here are the Six areas those in finance should be watching out for:

  1. AI securityand cyber defence

Both Cybercriminals and cyber defence are commonly using Artificial Intelligence (AI). In cybersecurity, it is used to identify new threats, as well as assess the effectiveness of the responses to threats, enabling them to foresee and essentially block attacks before they happen. It is also used to spot behavioural patterns and can quickly identify possible infiltrations.

Hackers have also started to use AI to make it easier for them to get past security systems in place. This year, it is likely that AI will be increasingly used as a means of gaining personal details (i.e. credit card details) as well as optimising spam phishing campaigns.

  1. Mobile cybersecurity in banking

With the number of consumers using their mobile devices for banking and financial transactions increasing, especially since the COVID-19 pandemic has rendered society predominantly cashless, cybercriminals have been heavily targeting mobile systems. For example, mobile malware only targets mobile phone operating systems. The most common forms of mobile malware are virus and trojans, spyware and madware (mobile adware), phishing campaigns, and browser exploits.

This means it is now more important than ever to protect mobile devices to the same extent as traditional hardware.

The same protocols that are in place to ensure your staff PCs and laptops are secure now, need to also be applied to their mobile devices as well, such as:

  • Ensuring the latest versions of the operating system and other applications are installed.
  • Installing a firewall.
  • Enabling mobile security software to protect against malware and viruses.
  • Using password protected lock screens.
  • Ensuring apps are only downloaded from official sites like Apple App store and Google Play.
  1. Multi-factor authentication

Multi-factor authentication adds an extra layer of security to all your business networks by ensuring every transaction or login is supported by at least two security measures for access. It is one of the easiest security measures to implement within your business and is becoming more common within the financial sector for many transactions. The traditional username and password are becoming increasingly easy for cybercriminals to acquire, whereas adding an extra identification method, that is not easily accessible to the hackers, ensures an extra layer of protection.

The most commonly used multi-factor authentication methods are:

  • Passwords – They should be complex and comprise at least eight characters and be a combination of upper- and lower-case letters, numbers, and special characters.
  • One-time use code – A randomly generated code sent via SMS or email which is used only once. With weaknesses in mobile networks and email accounts, these can however be intercepted by hackers.
  • App generated codes – a code generated by an app on a mobile phone often created by scanning a QR code that contains a ‘key’. As the key is stored on the phone itself this is less likely to be intercepted by a third party.
  • Physical authentication keys – this is a USB which the user inserts every time they login from a new computer. Unfortunately, they don’t work on all devices without adapters (such as iPhone, MacBook or Android).
  • Biometrics – Using a fingerprint, voice, or an eye dent is an effective identifier. They are extremely difficult to hack but if they are, they cannot be used ever again for anything.
  • Information – this could be something that only the user would know – either a password or a piece of information.

Most of these methods are free or relatively cheap to implement and don’t require anything other than a mobile phone for the user. The added security of multi-factor authentication means even if a hacker has acquired a username/password combination there is still an extra security barrier preventing access.

  1. Refined testing

As the finance industry is constantly changing, then so too are the security threats. Financial cybersecurity is an ongoing commitment, so installing new anti-virus software and implementing MFA, and stopping there is not going to keep you protected for long. It requires ensuring software and firewalls are up to date as well as ensuring access is regularly updated. In addition to this constant maintenance regular testing of the systems is essential. All systems have vulnerabilities, and as these change, cybercriminals learn to overcome them, and therefore software develops.

One thing to remember is that it is not possible to be over-cautious when it comes to cybersecurity. Regular penetration testing essentially identifies any weaknesses in your systems before the cyber criminals do. It is essential to schedule penetration testing or vulnerability scans at least once a quarter unless compliance dictates otherwise. They can be carried out using a vulnerability scanner.

  1. Hiring the right people

It is crucial to have the right team on hand to ensure your systems are up to date, regularly tested and maintained is essential.

Your IT team should have the following skills and knowledge:

  • Knowledge and understanding of the company’s IT infrastructure
  • Knowledge of cybersecurity best practices
  • Understanding of company processes and data flows
  • Up to date knowledge of cybersecurity solutions
  1. Plan a Defence, Prepare for Attack…

Although businesses can take many precautions, there are limitations on skills, investment and timescales in implementing a comprehensive cybersecurity infrastructure, it is essential that appropriate procedures, policies and processes are established to ensure that an appropriate response is carried out in the event of a detection – whether manual or ideally automated – so that whenever an attack occurs, the appropriate and proportionate response is carried out immediately to limit any further damage or intrusion.

Continue Reading

Technology

Data protection: it’s time to reassess your security strategy

Published

on

Biometrics and data protection in financial services

By Tony Pepper, CEO of Egress

It’s no secret that the Covid-19 pandemic has created a perfect storm of cybersecurity risk. External threats are heightened, but there’s also a higher level of internal risk too, exacerbated by home working. With most financial services organisations planning to continue with mass remote working for the foreseeable future, it’s important for security teams to review their strategy and assess whether it still works in this new landscape. When it comes to insider threat, there are three key areas that IT leaders should focus on: building a positive culture around security, understanding their organisation’s level of risk and protecting their people.

  1. Build a security-positive culture

Many organisations have unknowingly instilled a security-negative culture among their employees, where people are punished or shamed if they cause a security incident. While they might think that this would discourage employees from causing data breaches for fear of repercussions, this actually makes your organisation less secure. Our Outbound Email Security Report found that 62% of organisations rely on their people to report email data breach incidents – and if employees are too afraid to come forward, that means your business is at risk of developing a security blind spot.

A security negative culture won’t actually prevent data breaches caused by human error, something which organisations need to recognize as largely unavoidable without technological intervention; it just delays remediation, which makes every incident worse. By creating a security-positive culture, you can better engage and educate employees, as well as ensure you’re able to rapidly triage any incidents if they occur.

  1. Understand your risk

When mapping out your risk, you’ll likely find that the picture looks very different to how it did even a year ago. In the past, organisations have focused on their networks and their devices when it came to security strategy. While these are vital areas for consideration, what hasn’t been as well-addressed to date is the human aspect of risk, particularly human error. You need to look closely at the tools that your employees are using daily to facilitate digital communication with clients and colleagues, including when sending sensitive information.

Employees are specifically using email more than ever before – our recent research found that 94% of organisations are sending more emails due to Covid-19, with one-in-two IT leaders reporting an increase of more than 50%. With this expansion of email volumes comes an increase in the risk that an email containing sensitive data might be misdirected. Remote working has also heightened the threat – our research found that 35% of organisations’ serious email data breaches were caused by remote working. Why? The causes lie in their behavior and the environments in which they operate. Some individuals may feel they’re able to take more risks away from the “watchful eyes” of their Security team, and every employee is  faced with a myriad of distractions that make them more likely to make a mistake.

It’s time for organisations to take stock of their risk by looking at where gaps in their security might exist – and provide safety nets for their employees that can automatically detect and mitigate inadvertent data breaches and risky behaviour.

  1. Protect your people

It goes without saying that not all data breaches are caused by malicious activity. An overwhelming amount of data breaches are caused by hardworking employees making honest mistakes, from sending an email to the wrong person to responding to a phishing attack. Unfortunately, human error is an unavoidable part of life, and mistakes will happen. In the past, many organisations have taken the approach that employee error can be ‘trained away’, embarking on comprehensive security training programs in the hope that security incidents might decrease.

Unfortunately, if that were the case, then employee activated data breaches would be a thing of the past! Organisations need to employ a multifaceted approach when it comes to avoiding accidental insider data breaches – education and training remain an important element, but ultimately businesses need to implement the right technology to provide a safety net for their people. Many organisations have legacy DLP solutions in place that cannot mitigate the risk as they fail to fully understand employees’ behaviour.

Often, these tools stand in the way of productivity, prompting users even when there isn’t a legitimate risk. When click fatigue sets in, these solutions become ineffective, with users ignoring prompts whenever they appear. Luckily, advances in machine learning mean that there’s technology available to prevent insider data breaches such as misdirected email, by deeply understanding the way that users behave and the context in which they share data, to ensure emails are sent to the right recipients with the right level of security.

The vast majority of organizations will never go back to every employee working full time within the office environment, instead post-pandemic we will see a myriad of different approaches – with some based in the office, while others work at home part or full-time, and as the world opens up again, their locations may change throughout the day. To mitigate risks from inadvertent errors to intentional data exfiltration, CISOs must address their security culture and protect their human layer with intelligent controls that mitigate employees’ behaviors and stop breaches before they happen.

Continue Reading

Technology

Sumitomo Life Insurance Selects Talend to Build Company’s Data Infrastructure

Published

on

Sumitomo Life Insurance Selects Talend to Build Company’s Data Infrastructure 3

Leading life insurer uses Talend in data lake environment for data analytics

Talend (NASDAQ: TLND), a global leader in data integration and data integrity, announced today that Sumitomo Life Insurance Company, one of the Japan’s leading life insurance companies, has selected Talend Data Fabric for its data analytics infrastructure.

Sumitomo Life aims to become the most trusted and supported company by its stakeholders, including its customers, and to grow sustainably and stably. Sumitomo Life’s vision is to offer advanced products to enable customers to live vigorously. To respond to that, the company is developing and delivering cutting-edge products that respond to its customers’ current and expected futures needs in areas focusing on nursing care, medical insurance and retirement planning.

“With the trust from our customers as the starting point of all our activities, Sumitomo Life is providing optimal life insurance services to every person through the sound management of the insurance business,” said Mr. Masakazu Ohta, General Manager in Charge of Information System Department at Sumitomo Life. “As a new approach, it was necessary to build a common foundation for big data management, and Talend is the driver. Talend’s superiority in cloud implementation, development productivity, features, and licensing model convinced us to be part of this journey together.”

To meet the needs of its customers and offer them innovative products and services, Sumitomo Life has decided to build a foundation for data analysis (Sumisei Data Platform) in the cloud for the promotion of new insurance products. The company evolved its legacy data environment to the new environment where they can store the data extracted from various systems both on-premises and effectively in the cloud.

In order to meet the needs of each individual customer and provide the best insurance for them, Sumitomo Life uses Talend Data Fabric as the hub of its data infrastructure. This manages data across the organization and integrates data into a data lake, which makes them able to utilize data across the company.

“We have been able to release projects with the continuous support of Talend, even amid the changing business environment in the Covid-19 crisis. We will continue to collaborate with Talend in order to actively promote company-wide data analysis projects,” added Mr. Ohta.

“The insurance market is one of the most competitive sectors. By facing tight regulations and complex customer needs, companies must be at the forefront of innovation to offer even more services and new products to its customers,” said Kenji Tsunoda, Country Manager Japan, at Talend. “Talend helped Sumitomo Life reinvent its data-driven infrastructure to provide a data management platform that enables the development of advanced products for its customers.  We are delighted to support Sumitomo Life in the pursuit of their vision.”

Continue Reading
Editorial & Advertiser disclosureOur website provides you with information, news, press releases, Opinion and advertorials on various financial products and services. This is not to be considered as financial advice and should be considered only for information purposes. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third party websites, affiliate sales networks, and may link to our advertising partners websites. Though we are tied up with various advertising and affiliate networks, this does not affect our analysis or opinion. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you, or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish sponsored articles or links, you may consider all articles or links hosted on our site as a partner endorsed link.

Call For Entries

Global Banking and Finance Review Awards Nominations 2021
2021 Awards now open. Click Here to Nominate

Latest Articles

Portable Oxygen Concentrators Market to Register 7.8% CAGR Through 2026; Sales to Surge as Oxygen Therapy Becomes Crucial in Covid-19 Treatments 4 Portable Oxygen Concentrators Market to Register 7.8% CAGR Through 2026; Sales to Surge as Oxygen Therapy Becomes Crucial in Covid-19 Treatments 5
Research Reports1 hour ago

Portable Oxygen Concentrators Market to Register 7.8% CAGR Through 2026; Sales to Surge as Oxygen Therapy Becomes Crucial in Covid-19 Treatments

Portable oxygen concentrator manufacturers are largely concerned with the maintenance of inventories throughout the coronavirus crisis, with optimization of supply...

Cancer Supportive Care Products Market to Reach US$ 32 Bn by 2030; Sales Limited by Complications for Cancer Patients Through Covid-19 Infections 6 Cancer Supportive Care Products Market to Reach US$ 32 Bn by 2030; Sales Limited by Complications for Cancer Patients Through Covid-19 Infections 7
Research Reports1 hour ago

Cancer Supportive Care Products Market to Reach US$ 32 Bn by 2030; Sales Limited by Complications for Cancer Patients Through Covid-19 Infections

The cancer supportive care products market is anticipated to reach a valuation of US$ 32 billion by 2030. The industry is expected...

Bronchoscopes Sales to Rise 1.5x Between 2018 and 2028; Potential Covid-19 Diagnostic Applications to Generate Lucrative Growth Opportunities 8 Bronchoscopes Sales to Rise 1.5x Between 2018 and 2028; Potential Covid-19 Diagnostic Applications to Generate Lucrative Growth Opportunities 9
Research Reports1 hour ago

Bronchoscopes Sales to Rise 1.5x Between 2018 and 2028; Potential Covid-19 Diagnostic Applications to Generate Lucrative Growth Opportunities

Bronchoscope manufacturers remain focused on development initiatives to improve product functionality and accuracy for higher adoption amid healthcare facilities. The bronchoscopes...

US$ 1.1 Bn Hypoparathyroidism Treatment Market Still in Infancy 10 US$ 1.1 Bn Hypoparathyroidism Treatment Market Still in Infancy 11
Research Reports1 hour ago

US$ 1.1 Bn Hypoparathyroidism Treatment Market Still in Infancy

Mushrooming incidences of thyroid cancer have amplified the number of thoracic surgeries, thus stimulating growth of hypoparathyroidism treatment market. Future...

Asia Pacific Plastic Additives Market Research Report by Type, by Production Technology, by Application, by Function – Global Forecast to 2020 – Cumulative Impact of COVID-19 12 Asia Pacific Plastic Additives Market Research Report by Type, by Production Technology, by Application, by Function – Global Forecast to 2020 – Cumulative Impact of COVID-19 13
Research Reports1 hour ago

Asia Pacific Plastic Additives Market Research Report by Type, by Production Technology, by Application, by Function – Global Forecast to 2020 – Cumulative Impact of COVID-19

The market report envelopes an all-in information of the global Asia Pacific Plastic Additives market and the nature of the market growth...

Comprehensive Report on Metal Stamping Market 2021 | Trends, Growth Demand, Opportunities & Forecast To 2025 | American Industrial Company, Martinrea International Inc., Magna International Inc 14 Comprehensive Report on Metal Stamping Market 2021 | Trends, Growth Demand, Opportunities & Forecast To 2025 | American Industrial Company, Martinrea International Inc., Magna International Inc 15
Research Reports1 hour ago

Comprehensive Report on Metal Stamping Market 2021 | Trends, Growth Demand, Opportunities & Forecast To 2025 | American Industrial Company, Martinrea International Inc., Magna International Inc

The market report envelopes an all-in information of the global Metal Stamping market and the nature of the market growth over the foreseeable...

Rheology Modifiers Market 2021 Segmentation and Analysis by Recent Trends, consumption by Regional data, Development, Investigation, Growth by to 2026 16 Rheology Modifiers Market 2021 Segmentation and Analysis by Recent Trends, consumption by Regional data, Development, Investigation, Growth by to 2026 17
Research Reports1 hour ago

Rheology Modifiers Market 2021 Segmentation and Analysis by Recent Trends, consumption by Regional data, Development, Investigation, Growth by to 2026

The market report envelopes an all-in information of the global Rheology Modifiers market and the nature of the market growth over the...

Fine Hydrate Market | Present Scenario, Key Vendors, Industry Share, and Growth Forecast up to 2026 | Nabaltec AG, Huber Engineered Materials, Hindalco Industries Limited 18 Fine Hydrate Market | Present Scenario, Key Vendors, Industry Share, and Growth Forecast up to 2026 | Nabaltec AG, Huber Engineered Materials, Hindalco Industries Limited 19
Research Reports1 hour ago

Fine Hydrate Market | Present Scenario, Key Vendors, Industry Share, and Growth Forecast up to 2026 | Nabaltec AG, Huber Engineered Materials, Hindalco Industries Limited

Future Market Insights in this report on the fine hydrate market has drawn an in-depth picture of the global market....

Ion Exchange Resins Market 2021 | Latest Trends, Demand, Growth, Opportunities & Outlook Till 2026 | Top Key Players: The Dow Chemical Company, Lanxess Ag, Purolite Corporation 20 Ion Exchange Resins Market 2021 | Latest Trends, Demand, Growth, Opportunities & Outlook Till 2026 | Top Key Players: The Dow Chemical Company, Lanxess Ag, Purolite Corporation 21
Research Reports1 hour ago

Ion Exchange Resins Market 2021 | Latest Trends, Demand, Growth, Opportunities & Outlook Till 2026 | Top Key Players: The Dow Chemical Company, Lanxess Ag, Purolite Corporation

An in-depth analysis of the current ion exchange resins market along with an effective evaluation of the future avenues of...

Rough Terrain Cranes Market Outlook 2016-2026| Global Growth Analysis and Forecast Report with Key Players – Liebherr Group, Terex Corporation, Tadano Ltd. 22 Rough Terrain Cranes Market Outlook 2016-2026| Global Growth Analysis and Forecast Report with Key Players – Liebherr Group, Terex Corporation, Tadano Ltd. 23
Research Reports1 hour ago

Rough Terrain Cranes Market Outlook 2016-2026| Global Growth Analysis and Forecast Report with Key Players – Liebherr Group, Terex Corporation, Tadano Ltd.

Future Market Insights presents a comprehensive analysis of the Middle East and Africa rough terrain cranes market in its new...

Newsletters with Secrets & Analysis. Subscribe Now