Gone are the days when buyers relied exclusively on cash, checks and credit cards to conduct financial transactions. Today, digital transformation and next-gen technology are dramatically transforming payment methods, processes and systems. Digital payment methods such as e-wallets, digital currency (e.g. Bitcoin) and corporate mobile apps linked to bank accounts, for example, are now all popular forms of payment.
In this new world, digital payment security is paramount. Buyers need to feel confident their data will not be compromised, regardless of payment method. The combination of a digital ecosystem and the elevated importance of security has forced merchants to rethink their payment security strategy.
PCI Is Not A Security Framework
Many merchants still use the Payment Card Industry Data Security Standard (PCI DSS) as their security framework, which is a mistake. PCI DSS was never designed to be an entire framework, and it only focuses on POS credit card security.
With new digital payment methods popping up all the time, a singular focus on PCI DSS introduces significant security risks and leaves even PCI-compliant organizations vulnerable to data breaches. In other words, PCI DSS leaves organizations with a false sense of security, causing them to neglect the broader risk environment.
Today, merchants need to move beyond PCI DSS compliance and implement a risk-centric security strategy across the entire digital payment lifecycle. The process will be different for every merchant, but it should always start with the same first step: a comprehensive risk assessment. This should identify strengths, weaknesses and gaps between the current PCI-compliant environment and the rest of the organization; who the most likely attackers are and which assets are their likely targets; and which regulations need to be addressed.
Based on the assessment findings, IT security teams can then develop a payment security program tailored to the organization’s unique risk profile. Program elements to consider include:
- Identity and data management (IDM) – Protecting against external threats is only half the solution for digital payment security. Merchants also must protect against deliberate and accidental insider threats through strong IDM programs. Implementing least-privileged access, which only gives employees access necessary to successfully perform their jobs, is a good practice to adopt.
- Penetration testing – Penetration testing programs can help merchants identify vulnerabilities in technologies, processes and people. Expand testing to cover evolving security risks such as endpoints, authenticated applications and cloud deployments, which may not be fully addressed by PCI DSS requirements. Because business and infrastructure are constantly changing, penetration testing must evolve from a periodic exercise to a continuous discipline.
- Application security – Software vulnerabilities continue to be a prime target for attackers. Securing the application development lifecycle entails processes such as code reviews, regular testing, vulnerability management and automating security policies.
- Cyber operations – Efficient cyber operations are critical to meeting breach disclosure windows and minimizing the likelihood of breaches. These competencies are especially important as digital payments move between consumers, POS systems, credit card providers and issuing banks.
- Incident response – Incident response programs, which define who does what before, during and after a security or compliance incident, are helpful for several reasons. First, they help organizations respond quickly to minimize the damage of an attack. Second, similar to cyber operations programs, they help organizations meet breach notification deadlines, such as the 72-hour deadline imposed by the EU’s General Data Protection Regulation (GDPR).
Taking An “Inside-Out” Approach To Security
Fundamentally, the transition from a sole focus on PCI DSS compliance to securing the entire payment lifecycle requires a change in security strategy from “outside in” to “inside out.” The “outside in” approach lets external threats and compliance mandates (in this case, PCI) dictate security strategy and spending. As noted earlier, treating PCI DSS as a security framework in this way leaves merchants exposed. With an “inside out” model, merchant-specific risk and business objectives dictate the security model. It starts with the development of an enterprise risk model, which provides a blueprint for security based on the merchant’s unique risk profile.
This risk-centric approach enables merchants to prioritize risk and make intelligent decisions around the infrastructure, technology and operations required to mitigate it. Most importantly, it results in a holistic payment security program that reduces the risk of payment fraud, data breaches and compliance violations, delivering comprehensive security across the entire payment lifecycle. In other words, merchants can lock down their entire digital payment network so it’s truly secure, while remaining PCI DSS compliant. And that’s a winning security framework!
Robert Block is global executive services director at Optiv Security