Payments companies haven't seen any significant uptick in cyberattacks since Russia's invasion of Ukraine increased threats, but security analysts say the industry is an attractive target and should be on high alert.
Russian hackers tend to focus on attacking sensitive and economically important networks, like payment networks, given their high public profile and economic importance. Attacking payments companies also offers plenty of targets, such as card networks, processors and gateways.
Ralph Dangelmaier, the CEO of Waltham, Massachusetts-based business-to-business payments service provider BlueSnap, said his company is abiding by the international sanctions, which has reduced e-commerce with the affected regions, but his company hasn't been impacted by increased cyberattacks.
"We're ready," Dangelmaier said in an interview last week, regarding any possible cyber incursions. "This is a payments company. This stuff happens all the time. We get tagged 100 times a day."
He suspected that other companies might be more vulnerable to such attacks.
"We're really well defended for this stuff," said Dangelmaier, whose company caters to merchants and vendors to facilitate their e-commerce. "We haven't seen any uptick in the attacks, personally. I think what they're doing is they're probably attacking more weaker types of businesses, municipalities and schools."
Hackers 'punch back' at West
Cliff Gray, a senior associate with industry consulting firm Strawhecker Group, echoed those sentiments, saying payments companies were already a big target for hackers.
But now, partly because the West is attacking Russia's regional economy through financial sanctions, hackers in that Russian region "want to punch back at similar targets" in the U.S., he said in an interview.
For payment networks and multinational corporations like Visa and Mastercard, the danger posed by hackers is real. U.K.-based payroll provider Parasol and Indonesia's central bank were targeted in recent years by hackers. The outage at Parasol in January delayed payments to thousands of contractors. Indonesia was attacked by ransomware in January, though its public services were not affected.
And they're rich targets. According to industry research firm The Nilson Report, Visa, Mastercard, American Express and Discover credit, debit and prepaid cards generated a combined $6.2 trillion in U.S. purchase volume in the first nine months of 2021.
Consultancy EY estimates that global cross-border payment flows are expected to reach $1 trillion in 2022.
The Ukrainian war poses unique challenges to processors, according to Dror Liwer, co-founder and chief marketing officer of Coro, a security software company with offices in the U.S. and Israel.
"The West is shutting down payments in Russia and Russia is trying to retaliate by hurting European and American payments companies," Liwer said.
Professor Branden Williams of the University of Dallas, who specializes in business technology and information security, said the assault could be a little less direct.
"I doubt that payment processors would be directly targeted outside of normal criminal activity, however, the payments going through those processors could absolutely end up causing financial harm through either chargeback risk or the inability to claw back funds sent," Williams said in an email. "The fraud I would expect to see here would be related to humanitarian-related scams, from fake funds that collect payments in various capacities."
Merchant trouble, too?
On the merchant side, the major trend is removing the sensitive data from merchants' hands, so they don't have to touch a primary account number (PAN), and instead only deal with a token, which is worthless if stolen. Tokenization is "super common, and growing," Gray said.
With merchants, "that's far and away the biggest trend, as far as cybersecurity: Just don't give them dangerous data in the first place," Gray said.
Payments processors and networks do have to deal with sensitive data, however. They employ obfuscation techniques and have multiple layers of both encryption and firewalls, "and they're pretty good at this," Gray said.
More companies, however, should employ dual custodian procedures, similar in concept to two-factor authentication.
"Two-factor would solve a lot of hacks, but the reality is, a lot of scenarios don't employ two-factor because it's inconvenient," Gray said. "Some of them do it, but they don't do it enough, and a lot of them don't do it at all."
Recommendation: Be on high alert
Like legitimate business owners, hackers also innovate to maintain an edge over their competitors in the criminal world, said Dean Weber, a senior vice president at AlixPartners who specializes in cybersecurity. Whereas ransomware previously was an effort to extract money from targets, now those requests are weaponized with malware that jam systems, he said.
In light of that and cyber evolution generally, Weber and his AlixPartners colleague Beth Musumeci, global head of cybersecurity and data privacy, said they are telling their payments clients, among others, to be on high alert for cyberattacks, even if they aren't currently experiencing increased threats.
"We are telling our customers to be very aggressive in their cybersecurity practices,” Musumeci said in commenting on the recent increase in threats.