Like the rest of the financial services sector, the payments industry is on alert about a rise in cybersecurity incidents, a concern that has only become more acute as the world economy adjusted to the COVID-19 pandemic.
Large industry players are aware of the growth in cybercrime and are taking steps to fight it, leveraging automation and artificial intelligence, but they are increasingly concerned about third-party risk from vendors and clients, many of them small businesses that don't have the same security resources at their disposal. The industry argues that security tools are available, thanks to automation and artificial intelligence, but all parties need information and must coordinate their defenses to build a secure payments ecosystem.
"If consumers don't trust our system, we're dead in the water," said Jeffrey Tassey, chairman of the board of the Electronic Payments Coalition. "I don't think anybody is resting on their laurels, and doesn't stay awake at night worrying about security."
Online payments surged parallel to the growth in online shopping during the COVID-19 pandemic. Nearly $2 billion in mobile payments were processed daily in 2020, up 22% from the year before, according to the GSM Association's State of the Industry Report on Mobile Money 2021 published in March. At the same time, the annual survey by the Association of Financial Professionals found almost 75% of businesses were hit by payment scams. Thirty percent of companies in that 2021 AFP Payments Fraud and Control Survey Report said payment fraud was on the rise and the majority blamed adjustments brought on by the pandemic.
The pandemic "has thrust our whole world into a very different trajectory," said Johan Gerber, Mastercard's executive vice president of security and cyber innovation. Speaking at the company's recent Virtual Cyber & Risk Summit, he noted 2,400 successful ransomware attacks last year led to a "staggering" $350 million in payments being made to criminal gangs.
"It's a really bad situation that we as an industry have to attack and have to address as a matter of urgency," Gerber said.
Shoring up smaller businesses
The large legacy players in the sector have been aware for some time of the importance of cybersecurity, since they are subject to a number of regulations regarding data and privacy protection, said Norma Krayem, vice president and chair of the cybersecurity, privacy & digital innovation practice at Van Scoyoc Associates.
The payments industry is considered part of the nation's critical infrastructure, said Krayem, who is also director of the American Transaction Processors Coalition's Cyber Council. (Infrastructure attacks have been in the news lately, after cyberthieves caused the shutdown of the Colonial Pipeline in May.)
Many payments companies now share information on cyberattacks and software vulnerabilities with their partners, and are building tools and incentives to create a cybersecurity model of shared responsibility with vendors, clients and customers.
Tassey noted the major payments networks have invested in developing key technologies to help secure payments, such as tokenization, which obfuscates sensitive data, and 3D Secure, a protocol that secures the online authentication of credit and debit transactions. These are all supplied at no cost to merchants, he said: "Any small business should ask their processor: 'Can I get these technologies?'"
Much of cybersecurity goes back to practices that have been in place for years, such as a good knowledge of the internal environment, adherence to policies, knowing your suppliers and knowing their risk level, said Kelly White, CEO of RiskRecon, a data company Mastercard acquired last year.
"You can't cheat your way to being a secure enterprise," he told the Summit held in May. "You have to do the basics well."
'Trust-but-verify environment'
Partnerships have exploded in recent years because of all the different needs that companies have to meet, but it's important to learn to manage that risk, said Lisa Lee, a chief security advisor at Microsoft. Supply chain attacks are a rising concern, especially since the SolarWinds breach reported late last year. That case involved a software vendor used by thousands of organizations globally.
"I think there's a lot more maturity in the financial space," Lee told the Mastercard Summit. "We're starting to see how that lack of maturity in other industries is going to impact all of us."
Financial services companies have the advantage of having had to look at third-party risk for some time in order to adhere to regulations; now they have to extend that scrutiny to their partners. When an institution creates a consumer experience, it can't know whether its partners are raising its security posture or creating more security risk, said Gerber. As an example, he shared a slide with the summit audience showing a single financial institution that had 3,000 internet-facing systems connecting to 7,000 third parties.
"You see very quickly how risk can go very, very wide," he said.
This worry will change how companies work with third parties, said Sharon Barber, chief security officer for Lloyds Banking Group. Today, those relationships are handled by contracts, with both parties reluctant to share much information about their security. That will need to change, Barber told the Mastercard summit.
"We will have to reduce our supply footprints, but we will end up being much more proactive going forward," she said. That will mean sharing vulnerabilities that are found in each other's systems and sharing how they're being addressed, she said.
"This is a trust-but-verify environment," said Krayem. Having a trusted supplier program should also include security audits, she said: "This is not simply a directive included in a contract, and then you just hope that your vendors achieve it."
Understanding the threats
Information is the root of setting up good cybersecurity, based on an understanding of the threat landscape, said White.
"Everything in cybersecurity is based on awareness of your assets and your attack surface," he said. Vulnerability management depends on objective information and metrics, he said; if not, "you're going to have an echo chamber that thinks you're doing well."
The information sharing has to start internally, said Gerber: "As organizations, we're going to have to move from the siloed approach to a hyperconnected organization. Your cybersecurity group cannot be separate and completely distinct from those managing risk and those managing fraud."
Organizations need to establish a model of security-by-design, "not a bolt-on, add-on," said Krayem. (Security-by-Design is a framework for developing software and services that prioritizes security as part of the development process.)
"Cybersecurity should be understood, accepted and managed," said Krayem. "Yes, it is certainly a shared risk, but it is a shared mandate in many ways, if you are a player in this industry."