In the 21st century, it is common to shop online. We order shoes, clothes, gifts, technology, and various other things on the Internet. Part of the purchasing process is the payment transaction, which you most often make with a debit or credit card, or with another method that allows online payment. You enter your financial data and trust the websites and the companies that handle the payment to protect it.
Have you ever asked yourself how they do that? How do they protect your sensitive financial data? In this article, we are going to answer those questions in a more general scope. We will take a closer look at cybersecurity as it relates to online payments. We will go through the challenges for companies that process payments, the regulations and compliance requirements they have to meet, and some good practices and ideas for improving their cybersecurity.
Cybersecurity related to payments
As in many other sectors, Covid-19 gave e-commerce a further boost, and that in turn moved more payments online. It all sounds great: the world is going digital and becoming more connected. However, this growth in online transactions comes with a responsibility for the companies in the industry to keep their cybersecurity up to date, because the threats ahead of them grow with the volume they handle.
An article on paymentsdive.com cited the chairman of the board of the Electronic Payments Coalition, Jeffrey Tassey, who said that the business is dead in the water if consumers don’t trust the security of the systems they have. The same article gives some statistics that show growth both in online payments and in the number of businesses hit by some form of fraud:
- In 2020, daily mobile money transactions grew by 22% and passed 2 billion dollars per day (GSM Association’s State of the Industry Report on Mobile Money 2021);
- Only 25% of businesses reported not being a victim of some form of payment fraud (annual survey by the Association for Financial Professionals).
The challenges are similar around the world. And while big companies can invest a lot of money in cybersecurity, the question is what small and medium-sized companies can do. Usually, they rely on a third-party system that handles the online payment process. That is fine, as long as the provider itself handles cybersecurity adequately; you inherit the weaknesses of the processor you outsource to.
Cybersecurity challenges for companies that process online payments
When we talk about cybersecurity issues, we have to understand that some challenges are shared by every industry, while other, more specific threats are typical of this type of business. One of the biggest achievements in the online payments sector is that the big players in the industry have started sharing the lessons they have learned with each other to improve the overall security of the sector.
Aciworldwide.com published an article back in 2018 that outlined the major cybersecurity issues for the payment industry. Most of them remain relevant today, and here are some of the most urgent ones:
- Mobile payment devices;
- Phishing attacks;
- Failure to understand the importance of cybersecurity;
- Service providers with weak cybersecurity;
- The web applications the company uses;
- Software that is not kept up to date with security patches and current protocol versions;
- Zero-day malware.
Each of these challenges has to be addressed in a specific way. This requires companies to have a 360-degree cybersecurity policy with measures tailored to their needs, and it has to be updated regularly. As Christoph Fischer, owner and CEO of BFK edv-consulting GmbH, said in an interview for the European Payment Council:
“When we look at identity theft and other malware that attack payment techniques, the industry can implement far more advanced risk-mitigation mechanisms in the future. Multi-layered approaches will evolve in the next few years.”
Cyber defenses are evolving, but so are the cyber risks for the payment industry. While years ago the major issue was fraudulent behavior, today the sector faces a whole variety of cyber threats (some of which we mentioned above). For payment companies, the damage from a cyber attack does not end with the attack itself. The wave of reputational damage, lawsuits, and possible fines from authorities can deliver a hard blow to any name in the industry, regardless of how big it is.
Regulations and compliance regarding payment methods
In the European Union, even kids have heard of GDPR and how it is supposed to protect our data. However, there are various other regulations, compliance requirements, and standards that payment processing companies have to follow.
One of the major international ones is PCI DSS (the Payment Card Industry Data Security Standard). It contains a set of technical and organisational requirements designed to help businesses protect cardholder data against theft and fraud. It is considered the minimum set of measures to be taken by organisations that store, process, or transmit card data. Organisations that process more than 6 million card transactions annually (the highest merchant level) have to undergo a yearly on-site assessment of their security controls; smaller ones complete self-assessment questionnaires. The standard is maintained by the PCI Security Standards Council, founded by the biggest names in the payment industry (Visa, Mastercard, American Express, Discover, and JCB), and is enforced through the card brands’ and acquirers’ contracts with merchants and processors.
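To make “protecting cardholder data” concrete, here is an added example (written for this article; it is not code from 3 Cyber-Sec or from the PCI Security Standards Council) of the handling PCI DSS expects of the primary account number (PAN): validate it with the Luhn checksum, never show more than the first six and last four digits, use a keyed hash rather than a plain hash when a non-payment system needs a reference to the card, and scrub full card numbers out of log lines before they are written. The function names, the HMAC key, and the sample log lines are constructed for the example; only the first-six/last-four display limit is taken from the standard.

```python
"""PAN handling helpers: Luhn validation, display masking, keyed hashing, log scrubbing.

Added illustration for this article; not code from 3 Cyber-Sec or the PCI SSC.
The masking limit (at most first six and last four digits shown) follows the PCI DSS
display rule; function names, key material and sample data are this example's own.
"""
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """True if `pan` is 13-19 digits and passes the Luhn checksum used by card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display; PCI DSS allows at most first six / last four digits in the clear."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS display rule: at most first six and last four digits")
    if len(pan) <= keep_first + keep_last:
        raise ValueError("PAN too short to mask")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + "*" * hidden + pan[-keep_last:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the PAN, usable as a lookup reference outside the
    cardholder data environment. An unkeyed SHA-256 would not do: behind a known
    six-digit BIN only about 10**9 PANs are Luhn-valid, so it is brute-forceable offline."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# Any run of 13-19 digits not adjacent to other digits is a PAN candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scrub_log_line(line: str, require_luhn: bool = True) -> str:
    """Mask card-number-like digit runs before the line reaches a log file.
    require_luhn=True keeps false positives down (order IDs, timestamps);
    require_luhn=False masks every candidate, the safer choice for logs, because a
    mistyped PAN that fails Luhn is still something you must not store."""
    def _mask(match):
        candidate = match.group(0)
        if require_luhn and not luhn_valid(candidate):
            return candidate
        return mask_pan(candidate)
    return PAN_CANDIDATE.sub(_mask, line)


# Constructed sample log lines. 4111111111111111 and 5500000000000004 are the
# well-known Visa/Mastercard test numbers; 4111111111111112 fails the Luhn check.
SAMPLE_LOG = [
    "2024-05-02T10:14:03Z INFO  authorised card=4111111111111111 amount=49.90 EUR",
    "2024-05-02T10:14:09Z WARN  retry card=5500000000000004 order=20240502-000193",
    "2024-05-02T10:14:11Z INFO  declined card=4111111111111112 reason=invalid_number",
]


def scrub_log(lines=SAMPLE_LOG, require_luhn: bool = True):
    """Scrub a whole batch of log lines; returns the sanitised lines."""
    return [scrub_log_line(line, require_luhn) for line in lines]


if __name__ == "__main__":
    # Illustrative key only; in production the key lives in an HSM or KMS, never in source.
    demo_key = b"example-only-key-do-not-use"
    for sanitised in scrub_log(require_luhn=False):
        print(sanitised)
    print("token:", pan_token("4111111111111111", demo_key))
```

Two points worth noticing when running it. With the default Luhn filter the third line is left untouched, which is exactly the kind of gap an assessor will ask about, so log scrubbers in a cardholder data environment usually mask every candidate. And the keyed hash is a reference, not storage: if the full PAN must be retained (for refunds, recurring billing), it belongs in a vault protected by strong cryptography and key management, not in an application database, and it never belongs in logs at all.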
Each country might have national standards as well. One example is the UK Cyber Essentials scheme, which is required of suppliers bidding for certain public-sector contracts. Even if you are not going to bid for such contracts, it is beneficial to hold this kind of certification: it demonstrates a baseline of controls and inspires trust among your users.
ISO 27001 is another widely known international information security standard that companies can apply to keep their information assets secure. Many companies adopt the standard to benefit from the best practices it reinforces, while others decide to get certified because they want to reassure customers that the standard’s requirements have been followed.
Good practices and ideas for improving cybersecurity for companies that process payments
In the industry, there are a lot of good practices that payment processing companies can implement. As we mentioned, it is great that industry members share information about cyberattacks to help each other. Beyond that, several other things can be done to improve cybersecurity and reduce the chance of being hacked:
- Follow and maintain compliance with the latest versions of the relevant standards;
- Make an extra effort beyond the baseline measures that everyone takes;
- Scan your systems and infrastructure for vulnerabilities and remediate the findings, starting with the ones that expose payment data;
- Train your staff to recognise, handle, and avoid the cybersecurity threats you can face;
- Go beyond vulnerability assessment and conduct penetration testing;
- Assess the third-party service providers you work with, since their weaknesses become yours.
And most important: remember that these things have to be done regularly. They are not one-time efforts.
Check out time
It is challenging for a company to handle and protect online payments today. While the most common threats are well known, each business has its own internal cybersecurity issues. This is why, when measures are taken, a tailor-made approach works best. We at 3 Cyber-Sec believe that. If you are looking for a trusted partner to help you with any cybersecurity issue, feel free to contact us.