PCI Compliance and Why It Matters to Your Financial Institution

Data Hacker℠

Editor's note: For PCI compliance, banks' and credit unions' digital banking platforms and payment systems must provide quality data security by going beyond the standard.

Criminals are not interested in working any harder than they have to when practicing their “craft.” When it comes to fraud in the financial services industry, the same rule applies. If a weaker system (e.g., an HVAC system) is connected to a payment processing platform, why mount a direct attack on the payments system when you can exploit the weaker system connected to the same network? This is exactly what happened in the infamous breach at Target.

This approach by criminals has proven very effective. On October 25, 2017 the Identity Theft Resource Center (ITRC) published its latest compilation of confirmed data breach notifications affecting US organizations and customers to date in 2017. The headline numbers — 1,120 total breaches and more than 171 million records exposed — eclipsed all of 2016, when the ITRC reported 1,039 total breaches and just over 36.6 million records exposed. All industries were affected, but none more than healthcare, where the systems in use too often lack proper security protocols.

The payments industry has typically prided itself on using every available measure to strengthen its systems to the point that they are unattractive to thieves. For example, the Payment Card Industry Data Security Standard (PCI DSS) is the benchmark for protecting credit card information, from acceptance to payment to storage. A common assumption is that one's payment operations are secure if they are PCI compliant, but technology officers and IT managers should know that is not necessarily the case.

Currently at version 3.1, PCI DSS is a baseline; quality data security for mobile wallets and other payment services involves going above and beyond the standard. This means dealing with some of the biggest payment security problems, such as scope. If a large organization has not segmented its network properly, so that every system, including all user desktops, sits in the same scope as its payment systems, then its exposure to cyberattacks is that much greater. This is why some systems, especially those used by merchants, use an “air gap” strategy, in which the critical systems are not connected to other systems and data moves only through a secure, one-way transfer path.
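As an added illustration of the scope problem described above (example code written for this page, not from the article or any vendor): the zones, address ranges and firewall rules below are constructed, and a zone is treated as in PCI DSS scope whenever any rule allows it to reach the cardholder data environment (CDE). The check reports which rules pull out-of-scope zones, such as a building-management network or the desktop estate, into scope.

```python
import ipaddress

# Constructed network zones for the example (not from the article).
ZONES = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),            # cardholder data environment
    "corp-desktops": ipaddress.ip_network("10.20.0.0/16"),  # all user desktops
    "building-hvac": ipaddress.ip_network("10.30.5.0/24"),  # building management / HVAC vendor
    "dmz": ipaddress.ip_network("192.168.100.0/24"),        # public-facing front ends
}

# Constructed firewall rule set: (src_cidr, dst_cidr, dst_port, action); first match wins.
RULES = [
    ("10.30.5.0/24", "10.10.0.0/24", 445, "allow"),      # HVAC network reaches a CDE file share
    ("10.20.0.0/16", "10.10.0.0/16", 443, "allow")[:1] + ("10.10.0.0/24", 443, "allow"),  # every desktop reaches the payment API
    ("192.168.100.0/24", "10.10.0.0/24", 8443, "allow"), # DMZ web tier to payment API
    ("0.0.0.0/0", "10.10.0.0/24", 0, "deny"),            # default deny into the CDE
]

# A properly segmented rule set: only the DMZ front end may talk to the CDE.
HARDENED_RULES = [r for r in RULES if r[0] not in ("10.30.5.0/24", "10.20.0.0/16")]


def zone_of(cidr):
    """Map an address range to the zone that contains it, or 'unknown'."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def scope_report(rules):
    """Return (in_scope_zones, findings).

    Any zone with an allow rule into the CDE is 'connected to' the CDE and is
    therefore in PCI DSS scope; each such rule is reported as a finding.
    """
    in_scope = {"cde"}
    findings = []
    for src, dst, port, action in rules:
        if action != "allow" or zone_of(dst) != "cde":
            continue
        src_zone = zone_of(src)
        if src_zone != "cde":
            in_scope.add(src_zone)
            findings.append(
                f"{src} -> {dst}:{port} allowed from zone '{src_zone}'; pulls it into CDE scope"
            )
    return in_scope, findings


if __name__ == "__main__":
    for label, ruleset in (("current", RULES), ("segmented", HARDENED_RULES)):
        scope, findings = scope_report(ruleset)
        print(f"{label}: in-scope zones = {sorted(scope)}")
        for finding in findings:
            print("  finding:", finding)
```

With the constructed rules, the "current" set brings the HVAC network, every desktop and the DMZ into scope; the "segmented" set leaves only the DMZ front end connected to the CDE, which is the kind of reduction the article's air-gap and segmentation advice is aiming at.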

Other vulnerabilities can be addressed by handling sensitive information, such as credit card data, securely, which includes storing only the essential information. In the past, a card's magnetic stripe held all of the card's data, making it more vulnerable to fraud. In addition, many merchants would save the entire card scan into a database so that they could simply reuse it for later transactions without needing the card.
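The "store only what is essential" point above, as an added example that is not from the article: a filter that reduces a raw authorization record to what a merchant may keep. It drops sensitive authentication data that PCI DSS forbids storing after authorization (full track data, card verification code, PIN block), checks the PAN with the Luhn algorithm, masks it to the first six and last four digits, and replaces it with a token from a stand-in vault class so that repeat transactions can reference the card without the merchant holding the full PAN. The sample record, the `TokenVault` class and the field names are constructed for this example.

```python
import re
import secrets

# Sensitive authentication data: PCI DSS forbids storing these after authorization.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv", "pin_block")

# Constructed raw record as a card-present terminal might hand it over (test PAN, fake track data).
SAMPLE_RAW = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/25",
    "cardholder": "J. DOE",
    "track2": "4111111111111111=25121010000000000000",
    "cvv": "123",
}


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check over a digit-only PAN."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for a tokenization service (assumption: in production this lives in a
    separate, in-scope vault or HSM, not in the merchant's application database)."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        # Random, non-derivable surrogate; knowing the token reveals nothing about the PAN.
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def record_for_storage(raw: dict, vault: TokenVault) -> dict:
    """Reduce a raw authorization record to the minimum the merchant may retain."""
    pan = re.sub(r"\D", "", raw["pan"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("PAN failed format/Luhn check")
    dropped = [f for f in SENSITIVE_AUTH_FIELDS if f in raw]  # never written anywhere
    return {
        "token": vault.tokenize(pan),
        "pan_masked": mask_pan(pan),
        "expiry": raw["expiry"],
        "cardholder": raw.get("cardholder"),
        "dropped_fields": dropped,  # audit trail of what was refused, not the values
    }


if __name__ == "__main__":
    vault = TokenVault()
    stored = record_for_storage(SAMPLE_RAW, vault)
    print(stored)
```

The stored record carries no track data or CVV, only a masked PAN for display and a token that the payment processor, not the merchant, can map back to the card; the full-scan-in-a-database habit described above is exactly what this replaces.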

Other vulnerabilities are being introduced with the rise of mobile payments, including online or in-app purchases, bill pay, P2P and more. Given that these devices often also hold mobile banking applications, institutions must continually evaluate options for keeping critical mobile applications from being compromised. This is not easy given the app-rich environment of mobile devices and a digital consumer who often will not tolerate inconvenience, even for security's sake.

As a baseline for payment systems and companies, PCI DSS does not mandate more robust security — such as that achieved with EMV cards, which add a PIN-related mechanism on top of the magnetic stripe — but it is an excellent foundation on which to build a security strategy for critical areas such as payments. Even though it is not a requirement, financial institutions should aim to work with vendors that are PCI compliant, or risk exposing critical data and information to fraudsters, which could be catastrophic to their reputations. In addition, financial institutions should consistently add security tools to this foundation and continually review and renew them so that they do not become a target for fraudsters looking for an easy score.