PUTTING DATA AT THE HEART OF A PAYMENT ECOSYSTEM STRATEGY

Paul Hampton

Paul Hampton, Payments and Crypto Management Expert, SafeNet

The use of online banking and shopping has grown significantly[i], but so too has the number of security threats targeting such services. Every day we hear of another company falling foul of a data breach, with nearly 200 million records stolen in the first quarter of 2014, so protecting financial data has never been more important. Yet, while the need to secure payment transactions and data remains critical, it doesn’t seem to be getting easier.

Today, security teams have to contend with increasingly sophisticated attacks, a technological environment that is evolving rapidly and compliance with multiple standards and regulations. Add this to the fact that any transaction relies on a complicated ecosystem with multiple points of vulnerability and it’s clear that securing financial data is far from simple. So what steps should businesses take to ensure that their most sensitive data remains protected?

Where do the vulnerabilities exist?

In order to protect data in the best way possible, businesses must first understand the vulnerabilities – one of which is the payment ecosystem. A successful transaction relies on a complicated ecosystem with many potential points of vulnerability and involving several parties, including the merchant, acquirer, switch and bank or card issuers. This ecosystem is only as strong as its weakest link. Another major point of vulnerability is the internet. Today, just about every business has an eCommerce site which aims to securely capture and process customer data. But when the customer makes a purchase, the business loses control of a large portion of the transaction interaction as customers use a variety of devices, operating systems and browsers to access eCommerce sites. It is becoming vital for businesses to protect their customers’ data as early in the transaction process as possible.

Another vulnerability is the gap between compliance and security. Merchants have been subject to a myriad of compliance requirements around how to handle customer data and process transactions, such as the Payment Card Industry Data Security Standard (PCI DSS). According to our Secure Payments survey, one-third of respondents spend more than six weeks a year complying with card schemes’ regulations, yet these guidelines fail to address some key areas of vulnerability in the payment ecosystem. These are areas which have been exploited with disastrous consequences – for example, 70 million customers were affected by the Target customer credit card data theft in December 2013.

Why a ‘secure breach’ mind-set is best

With so many points of vulnerability, organisations must adopt a framework where data is central. This means adopting a ‘secure breach’ approach to data protection which focuses on protecting sensitive data wherever it exists and limiting access to this data, even when it lives in an uncontrolled, untrusted environment.

Today, Point-to-Point Encryption (P2PE) is the best method of protection. Rather than focusing on specific points of vulnerability, P2PE uses special payment terminals to encrypt card data at the earliest possible moment of its capture, ensuring that data remains in an encrypted state consistently until it arrives at the payment gateway. This means that even if an external attacker bypasses perimeter defences, or an unauthorised internal user looks to leak or steal data, the data remains protected.

This approach not only increases security, but also dramatically reduces the scope of PCI DSS compliance for merchants of all sizes. In fact, recent breaches in the retail industry, including those of retailer Office and eBay, may have been greatly mitigated by the use of Point-to-Point Encryption. Yet according to our research, only 24% of respondents are currently implementing P2PE solutions.

The detail: pay attention

For organisations that manage sensitive data, whether payment card information, personally identifiable information, or other sensitive records, safeguards need to be applied, both to guard against security threats and ensure compliance with privacy and security mandates. However, encryption alone is only part of the solution. Encryption keys need to be preserved in a secure and reliable manner. But, surprisingly, one of the most common mistakes that organisations make is storing encryption keys where the data resides, thus exposing sensitive information to significant risk.

Perhaps the problem is that, currently, many teams that are responsible for key management are small and distributed, or are significantly contributing to their organisation’s heavy compliance workload. According to our research, two-thirds have four or fewer people involved in key management. So, to succeed in meeting administrative demands and security objectives, it is imperative that security teams begin to leverage more centralised, efficient, and secure key management platforms.

Organisations should invest in a standards-based enterprise key management platform or strategy that can be used to control keys over their life cycle. This strategy should include specific methods of limiting access to keys, defining how those keys are issued and distributed, and providing protections for them as they are stored. Without these considerations, keys could be copied, modified or even impersonated by a skilled hacker, who could then access cardholder data.
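
An added example, not part of the original article and not SafeNet code: a check over a key inventory for the mistakes described above (keys stored where the data resides, keys left active past their rotation interval, access that is too broad). The record fields, the two policy thresholds and every host and key name are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_ACTIVE_DAYS = 365   # assumed rotation interval, set by local policy
MAX_IDENTITIES = 3      # assumed ceiling on identities that may use one key

@dataclass(frozen=True)
class KeyRecord:         # hypothetical inventory schema
    key_id: str
    key_store: str       # host or HSM that holds the key material
    data_stores: tuple   # hosts holding data encrypted under this key
    state: str           # "active", "retired" or "destroyed"
    activated: date
    identities: frozenset = frozenset()

def host(name):
    """Compare hosts by lower-cased short name, so db03 == DB03.corp.example.
    Assumes short host names are unique within the estate."""
    return name.strip().lower().split(".")[0]

def audit_keys(records, today):
    """Return (key_id, finding) pairs in inventory order."""
    findings = []
    for r in records:
        if host(r.key_store) in {host(d) for d in r.data_stores}:
            findings.append((r.key_id, "COLOCATED"))         # key sits beside its data
        if r.state == "active" and (today - r.activated).days > MAX_ACTIVE_DAYS:
            findings.append((r.key_id, "ROTATION_OVERDUE"))
        if len(r.identities) > MAX_IDENTITIES:
            findings.append((r.key_id, "EXCESS_ACCESS"))
        if r.state == "destroyed" and r.data_stores:
            findings.append((r.key_id, "DESTROYED_IN_USE"))  # data unreadable or inventory stale
    return findings

# Constructed sample inventory (not real systems).
SAMPLE = [
    KeyRecord("k-pan-01", "hsm-a", ("db01", "db02"), "active",
              date(2014, 1, 10), frozenset({"svc-pay"})),
    KeyRecord("k-pan-02", "DB03.corp.example", ("db03",), "active",
              date(2012, 3, 1), frozenset({"svc-pay", "dba1", "dba2", "ops1", "ops2"})),
    KeyRecord("k-old-07", "hsm-a", ("archive01",), "destroyed", date(2010, 5, 1)),
]

if __name__ == "__main__":
    for key_id, finding in audit_keys(SAMPLE, date(2014, 6, 1)):
        print(key_id, finding)
```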

A security strategy with data at the heart

As hacking attempts become almost a daily occurrence, being breached is not a question of “if” but “when”, so best-practice data protection is vital. CIOs have long considered the best defence to be a good offence when it comes to handling security threats. But in the new reality of security, the best offence is now the best defence, and encryption is the key to that strategy.

For security teams tasked with safeguarding payment data, demands for encryption and key management are only increasing, both in scale and urgency. Sensitive information must be secured across the entire lifecycle, which means leveraging approaches like centralised key management and P2PE will be more critical than ever. Only such a data centric approach will leave companies safe in the knowledge that their data is protected, whether or not a security breach occurs.

If you are worried your company may have suffered a data breach, why not assess the severity of the breach using our Breach Level Index here: http://www.breachlevelindex.com/

Read the Executive Summary of SafeNet’s Payment Survey here and the full report here.

[i] According to the UK Cards Association, the UK is Europe’s leading online shopping economy with spending by British consumers online growing by 16 per cent in 2013 to reach £91 billion. http://www.theukcardsassociation.org.uk/news/EOYFFfor2013.asp – March 2014
