Digital payments remain at the forefront of tech progress in the banking industry. But with the advancement of payment tools, a variety of payment platforms, and hundreds of payment providers, the security of digital payments remains a top priority for consumers.
Banks and payment service providers (PSPs) will only be profitable and trustworthy if their services are smooth and secure. Otherwise, their losses will be colossal. Security in digital payments 101 will help you find out how to provide a secure environment for digital payments and tell you what mistakes to avoid.
The cost of failure in digital payment security
Do you remember the unfortunate data leak incident that happened to Home Depot back in 2014? Due to a breach in the system of the home improvement retailer, the payment card data of 40 million people and around 53 million email addresses were stolen. Home Depot has agreed to pay at least $19.5 million to customers to compensate the losses and considerably strengthen their digital payment services.
Unfortunately, data breaches of different sizes happen daily. Users are constantly at risk of compromising personal information and losing money. At the same time, digital payment providers, established banking organizations, and FinTech players risk their reputations and also their money. This makes security in digital payments a headache for stakeholders and a necessity to protect against intruders and criminals.
Seventy percent of the US population states that security is the biggest obstacle to using mobile payments.
Barriers to use digital payments
This also concerns the adoption of mobile wallets. Thirty-nine percent of respondents in the US don’t find them safe enough to make payments with.
Why haven’t you used mobile wallets to make purchases?
Advanced methods to secure payment environments
Let’s explore the measures and cybersecurity advisory services that PSPs should take to secure digital payments.
Using a Secure Sockets Layer certificate is a must for any digital financial transaction. When users deal with a payment solution that has an SSL icon, they’re guaranteed a secure connection and encryption of their card data. Any reputable payment solution should receive an SSL certificate from an SSL certificate issuer or certificate authority. An SSL issuer is an organization that has been audited and granted the right to issue security and authentication standard certificates.
This technology for digital payment security is used by top payment solution providers. Apple and Google use tokenization in their NFC-enabled mobile wallets. When a payment takes place, the user’s sensitive data is encrypted with randomly generated symbols, called tokens. These tokens are sent back to the merchant to process in place of the actual card numbers. This minimizes the risk of a data breach since the merchant’s servers store tokens instead of actual user payment details.
Software security testing
Testing the security of digital payments is an effective measure to prevent hacks that exploit code loopholes or architectural bugs. There’s no such thing as too much digital payment security testing for PSPs. SSL testing, testing of the token generation process, and PCI compliance testing are mandatory for digital payment security. Scalability and performance testing should also be ordinary activities for developers of a trustworthy payment solution.
But without penetration testing, a software solution can hardly be a secure environment for digital payments. Performing penetration testing is important for verifying the effectiveness of security controls implemented in the architecture of a payment service. Test results can expose potential vulnerabilities that come from poor system configuration, hardware or software flaws, and operational drawbacks when fighting a potential threat. On top of that, penetration testing helps payment providers to assess the estimated impact of intruders on the operational capacity of their software.
Fraud prevention tools
Anti-fraud tools detect hidden malware that tries to conceal the actual location of attackers and the behavior of botnets. When anti-fraud tools are integrated into a payment solution, they gather information about transactions, usually at the checkout, and verify it against embedded methods. Entry mode and time, periods of inactivity, and transaction frequency are the most common indicators of possible fraudulent attacks. If fraud is detected at any stage, the transaction is stopped and logged in a report. When selecting fraud prevention software, we recommend that you focus on machine learning algorithms, real-time reports, customizability, and compliance with payment security standards.
Security threats and solutions for the most popular payment methods
According to Statista, debit and credit cards are the most commonly used payment methods in the United States. Thirty-nine percent of Millennials used debit cards to pay for purchases in 2017, mainly because it’s easy for them to track expenses and manage their budgets using debit cards. Twenty-five percent use credit cards because they offer better security measures. Mobile payments and mobile banking are the next most popular categories among digital payments. But for now, due to security concerns, the adoption of smartphones as the most convenient payment method is under threat. The question remains: are digital payments secure at all?
Payment methods used most frequently in the United States in 2017, by generation
Mobile payments went viral. So did the threats to their security
The ubiquity of mobile devices is one of the key factors promoting digital payments. But the vast range of payment methods including e-wallets, payment apps (including P2P payment platforms), and NFC-based payments has only increased the number of threats. The most widespread are mobile malware, phishing attacks, data leakage at POS terminals, duplicating SIM cards, and physical theft.
An average cost of a phishing attack is $1.6 million for a mid-sized company.
The key responsibility of technology providers is to make their software self-defending and capable of operating securely irrespective of any device’s native security features. If you strive to be a trustworthy PSP and a reliable FinTech provider, you have to consider different self-defense techniques and anti-tampering technologies while designing the architecture of your solution. And don’t forget about comprehensive testing during development.
How to minimize threats to mobile payments:
- Use self-defense techniques like runtime application self-protection (RASP)
- Include dynamic integrity checking
- Make use of code signing or obfuscation
- Validate frequently used third-party libraries before integrating them
- Implement strong encryption of sensitive data on devices
- Implement device owner/user verification
- Implement mobile device verification
- Use two-factor authentication when the risk is high
- Perform application penetration testing
- Test for authentication and authorization modes
- Create awareness campaigns to educate consumers on how to avoid the most common fraud scenarios
Card-related fraud is not going to subside
According to The Nilson Report, global card fraud losses will exceed $35 billion in 2020. And it doesn’t even matter if you carry your card around or keep it locked up in a safe. Card-not-present (CNP) fraud is conducted without the physical presence of a card as a result of malware or phishing attacks. Card-present fraud takes place at POS terminals and ATMs, where criminals intercept data when people make payments using contactless technology or even the comparatively obsolete magstripe. On top of that, there are cases of targeted attacks on specific institutions or stores (like Home Depot). In this case, the attacker’s aim is to find weaknesses in the payment system architecture to gain payment card data and identity information.
How to minimize threats related to card fraud:
- Use the 3D security authentication protocol based on the 3D model — acquirer, issuer, and interoperability domain — to secure digital transactions
- Tokenize users’ sensitive data, substituting real cardholder data with randomized non-sensitive equivalents
- Deploy real-time anti-fraud solutions that make use of machine learning, automated workflows, customizable scenarios and rules, and guaranteed chargebacks
- Set blocking to limit the use of payment cards to specific channels or situations
- Provide geo-blocking
- Ensure strong customer authentication
- Perform annual risk assessments
Security standards you should remember
There are no boundaries to security threats. That’s why businesses, governments, and tech providers all over the world must join efforts to set policies and standards for the payment industry. While international businesses seek a standardized and secure exchange of payment data, PSPs need global security benchmarks to take cues from. Security regulations and fraud prevention measures may differ from region to region, so let’s take a closer look at the most reputable.
Universal standards and regulatory bodies
The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2006 as a managing body for the Payment Card Industry Data Security Standard (PCI DSS). The latter standard was elaborated by the five major credit card vendors and has become the universally required digital security guideline for all organizations dealing with key card schemes. PCI SSC is the gold standard for digital payment security and the FinTech industry.
European compliance policies for data protection
The Payment Service Directive (PSD2) applies to payment services and payment service providers on the territory of the European Union and the European Economic Area. Its primary goal is consumer protection. It also regulates PSP–user relations and facilitates online payment processing.
The General Data Protection Regulation (GDPR) renews and strengthens requirements in the sphere of personal privacy and data protection for all EU citizens and individuals within the European Economic Area (EEA). It applies to all entities doing business within the EEA. Under this regulation, individuals now have increased opportunities to control how companies preserve and use their personal details.
The US authority in digital payment security
In the US, users of financial services are protected by the Consumer Financial Protection Bureau (CFPB). The main goal of the bureau is to protect the rights and sensitive data of users of all sorts of financial services. The CFPB observes compliance with federal financial laws working to prevent, detect, and eliminate fraud and illegal business practices within the banking and payment fields.
Despite all the harm and financial losses that lack of digital payment security causes, today’s security challenges are actually business enablers. Advanced threat mitigation mechanisms have proved effective and are forging ahead. Payment service providers along with other stakeholders have finally understood the emerging threats and their potential impacts. PSPs need to invest in appropriate security and monitoring technologies, follow payment industry standards, and watch for updates. On top of that, promoting awareness of digital payment security is always a good idea.
The cost of a mistake in digital payment security is very high, which means that only industry professionals can be entrusted with developing financial solutions. Intellias takes the security of the payment solutions we develop very seriously. We create software solutions that can be trusted by both customers and end users. Contact us today for a quote from our FinTech professionals.