Why to Rethink and Update Approaches to Payment Security Management

Electronic payments offer business advantages over older payment methods but have broader security risks.

As new and innovative methods of credit card payments are developed and become popular, enhancing compliance standards has become more important.

This was a major driver for the PCI DSS 4.0 compliance standard, the first major update since 2014, which has raised the bar for both technical and governance requirements.

These updates reflect significant changes within the payment card industry and account for risks in an increasingly complex, ever-changing threat landscape.

However, navigating the changing requirements introduced by PCI DSS version 4.0 will require clear goals and innovative models to eliminate core conflicts and constraints.

These were among the findings from Verizon's 2022 Payment Security Report, which revealed that overall PCI DSS compliance improved significantly in 2020, although a more serious cybersecurity threats require an even more robust security posture.

“In this technological sea change, PCI DSS v4.0 provides new navigation points to help organizations achieve sustainable control effectiveness across control and compliance environments,” the report noted.

Cynthia Hanson, senior analyst, professional services for Verizon Business Group's security assurance consulting division, points out the percentage of organizations maintaining full compliance improved by 15.5 percentage points, from a low 27.9% in 2019 to 43.4% in 2020.

“That means saw significant improvement,” she says, noting the control gap also improved substantially in 2020, from a high 7.7% in 2019 (bad) to a low 4% in 2020 (better).

Mobile Banking Requires Security Enhanced by 5G

Hanson says that the finance sector is experiencing a significant increase in the use of mobile devices for customer transactions, especially personal banking.

“The speed and stability of 5G could enhance this experience as well as provide greater security by enabling consumers to opt into advanced biometric-based identification and verification methods,” she says.

She adds that the financial sector could also allow consumers to opt into geolocation technologies to more effectively pinpoint fraud.

For customers, 5G can provide highly secure connections for video conferencing with financial professionals and loan counselors.

More Risks Mean More Regulation

Dan Stocker, director at Coalfire, a provider of cybersecurity advisory services, points out that electronic payments offer business advantages over older payment methods, but have broader security risks.

He also says that the growth of innovative payments services has brought many non-banks into the industry. “These entities are subject to FTC regulation, and those that operate at the bleeding edge of integration with cryptocurrencies should expect increased regulatory pressure in the wake of the events of 2022,” he says.

New security vulnerabilities are being developed and discovered at an accelerating rate, putting stress on traditional security practices, he adds.

From Stocker's perspective, newer approaches, such as Zero Trust and cloud native security patterns, represent fundamental investments.

“Security talent is a challenge to source,” he adds. “Over the next few years, many entities will be challenged to find the right crossover point of security investment in order to simply stay in business.”

Encryption Requirements Combat Fraud

Darryl MacLeod, vCISO at LARES Consulting, an information security consulting firm, says the rise in electronic commerce has led to an increase in the number of ways that criminals can commit fraud.

“In addition, the growth of online banking and other financial services has made it easier for criminals to access sensitive information,” he explains.

MacLeod notes that in response to the growing threat of payment fraud, the PCI SSC has made some changes to the PCI DSS.

Some of the most significant changes will be the requirement for organizations to encrypt electronically stored SAD (Sensitive Authentication Data) before the completion of an authorization and the requirement to implement multi-factor authentication (MFA) for all access to CDE (Cardholder Data Environment).

“There are several payment security challenges that organizations will face next year,” he adds.

These include the continued growth of online commerce and the associated increase in fraud, and the adoption of new technologies, such as EMV chips and mobile payments, which can create new opportunities for criminals.

Digital Transformation Efforts Impact Payment Security

Hanson agrees that corporations will be pivoting and adapting to the new v4.0 Standards during a time when the capabilities of threat actors continue to evolve and escalate, enabling the skillful exploitation of both existing and emerging threats and weaknesses within payment systems and processes.

Additionally, digital transformations that rely heavily on cloud technologies are introducing new drivers that impact the payment security industry, further complicating the role of CISOs and other security managers and practitioners.

“CISOs are increasingly challenged in their efforts to secure payment security compliance, and in convincing board members and other stakeholders of the importance and significance of securing strategic support and resources,” Hanson explains.

In the 2022 Payment Security Report, it's pointed out how CISOs are often using outdated methods to secure support, and a change is needed for all stakeholders in approach.

“Rather than taking a check-the-box approach to compliance, CISOs and other security leaders need to take an out-of-the box, thinker’s approach that involves implementing frameworks and models,” Hanson says. “This is especially true for those taking the Customized approach to compliance.”

MacLeod says there are several key stakeholders in organizations who ensure payment security compliance, from the CEO and CIO across to the CISO and CFO -- and these roles are changing as the payments industry evolves.

“For example, the introduction of new technologies such as mobile payments and contactless payments are changing the way that payments are processed and increasing the importance of security,” he says.

As a result, stakeholders such as the CIO and CISO are playing an increasingly important role in ensuring payment security compliance.

In its report, Verizon includes a metaphor of the Evergiven container ship that got stuck in the Suez Canal in March 2021.

“Had the canal authorities foreseen the potential accident, they likely would have planned more comprehensively and carefully,” Hanson says. “It will become increasingly essential for CISOs, board members, and those involved in governance to think out of the box and consider unintended consequences of their payment security choice.”

What to Read Next:

BaaS, Social Payment Apps Gain Traction

DC Fintech Week Explores Risks and Opportunity in Crypto Winter

Mobile Tech Transforming Bill Payment Habits