Securing the Payment Platforms
The payments landscape is evolving at a rapid pace and digital payments are growing exponentially worldwide. The ongoing digital and technology revolution, led by the ever-increasing penetration of smartphones and mobile Internet, is transforming digital payments. The payment space is also witnessing the entry of several non-banking organizations offering payment services and solutions, and customers expect instantaneous, one-touch payment experiences. Hence, the digital payments space is expected to see significant disruption in the days ahead.
Today, it may not be obvious that the financial and tech industries are converging in the digital world as new technologies offer added convenience and opportunity. The convergence of these two industries means “TECH” companies are getting into “FINancial” services while “FINance” and “TECHnology” are evolving in a shared universe. This has started to disrupt incumbent financial systems. In fact, many financial companies are innovating themselves or partnering with and investing in FinTech solutions to gain resources, industry knowledge and scale quickly.
A payment platform is another layer on top of the existing payment channels which enables real-time payments and transforms the process of making and receiving payments, namely Consumer to Business, Business to Consumer, Business to Business, Business to Government, Consumer to Government and so on. Through the direct participants, the payment platform infrastructure can connect all institutions in a standard way, enabling them to process credit payments in real time 24/7, even when the payer and the payee are with different banks.
Smartphone penetration, ubiquitous connectivity, biometrics, tokenization, cloud computing and the Internet of Things will shape the way consumers transact in the future. These technologies will make digital payments much simpler. Digital identity will accelerate customer acquisition, online authentication and confirmation of KYC (Know Your Customer) data, which will also enable the growth of digital payment systems.
Mobile devices are exposed to a wide range of security threats. In view of the speed of technological advances, the evolution of security threats and fraud mechanisms, and the introduction of new ways of effecting mobile payments, ongoing identification and assessment of the relevant risks is of utmost importance.
The security of mobile payments relies heavily on the robustness of the authentication and registration controls built into the design of each mobile payment service. Therefore, service providers should protect the initiation of mobile payments, as well as access to sensitive payment data, with strong customer authentication. Strong customer authentication is a procedure based on the use of two or more of the following elements, categorized as knowledge, possession and inherence:
a. Something only the user knows (e.g. a static password, code or personal identification number);
b. Something only the user possesses (e.g. a token, smart card or mobile device); and
c. Something the user is (e.g. a biometric characteristic, such as a fingerprint).
In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the others. At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen. The strong customer authentication procedure should be designed to protect the confidentiality of the authentication data. A service provider with no or only weak authentication procedures cannot, in the event of a disputed transaction, prove that the customer authorized it.
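As an added example (not code from the original article or from any named provider), the following Python sketch shows how the two requirements above fit together in a server-side check: a knowledge factor (a password) and a possession factor (a key provisioned on the enrolled phone) are verified independently, and the possession factor produces a one-time code that is bound to a fresh server challenge and to the amount and payee, so it cannot be reused or transplanted onto a different payment. The enrolment data, the device key and the single-attempt challenge store are constructed assumptions; a real deployment would keep the device key in the phone's secure hardware and the two factor stores in separate systems.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data for the example. A real service keeps the password
# store and the device-key store separate so that a breach of one factor does
# not expose the other (the independence requirement).
PBKDF2_ITERATIONS = 100_000
USER_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), USER_SALT, PBKDF2_ITERATIONS)


USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),  # knowledge factor
        "device_key": bytes.fromhex("0f" * 32),  # possession factor, provisioned on the enrolled phone
    }
}
# Used for unknown usernames so the work done does not reveal whether a user exists.
DUMMY_USER = {"pw_hash": hash_password("dummy"), "device_key": bytes(32)}

# Challenges issued by the server and not yet consumed; each is valid for one attempt.
PENDING_CHALLENGES = set()


def issue_challenge() -> bytes:
    """Server side: a fresh random challenge, valid for exactly one verification attempt."""
    challenge = secrets.token_bytes(16)
    PENDING_CHALLENGES.add(challenge)
    return challenge


def _encode(*parts: bytes) -> bytes:
    # Length-prefix every field so that fields cannot be shifted into one another.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def device_sign(device_key: bytes, challenge: bytes, amount: str, payee: str) -> str:
    """Device side: a one-time code over the challenge and the transaction details.

    Because the amount and payee are inside the MAC, a code captured for one
    payment is useless for any other payment, and because the challenge is
    consumed on first use, the same code cannot be replayed for this payment.
    """
    msg = _encode(challenge, amount.encode(), payee.encode())
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_payment(user: str, password: str, challenge: bytes, code: str,
                   amount: str, payee: str) -> bool:
    """Server side: both factors must pass; the challenge is spent on the first attempt."""
    # Spend the challenge first: a never-issued or already-used challenge fails outright,
    # and a failed attempt cannot be retried with the same challenge.
    fresh = challenge in PENDING_CHALLENGES
    PENDING_CHALLENGES.discard(challenge)

    known = user in USERS
    record = USERS.get(user, DUMMY_USER)

    # Knowledge factor: constant-time comparison of the password hash.
    knowledge_ok = hmac.compare_digest(hash_password(password), record["pw_hash"])

    # Possession factor: recompute the transaction-bound code with the enrolled device key.
    expected = device_sign(record["device_key"], challenge, amount, payee)
    possession_ok = hmac.compare_digest(expected, code)

    # Every check is evaluated before the decision so that failures are not distinguishable by timing.
    return fresh and known and knowledge_ok and possession_ok


if __name__ == "__main__":
    ch = issue_challenge()
    otp = device_sign(USERS["alice"]["device_key"], ch, "100.00", "merchant-42")
    print("first use:", verify_payment("alice", "correct horse battery staple", ch, otp, "100.00", "merchant-42"))
    print("replay:   ", verify_payment("alice", "correct horse battery staple", ch, otp, "100.00", "merchant-42"))
```

The replay test in the `__main__` block is the point of the "non-reusable" requirement: the second call fails not because the code is wrong but because the challenge has already been spent. Changing the amount or payee after the code was generated also fails, since those values are part of what the device signed.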
A robust data protection mechanism should also be implemented to protect sensitive data wherever it is transmitted, processed or stored. Sensitive data include personal data and sensitive payment data. The software installed in the mobile device and used to manage sensitive data should be distributed via a secure channel. The core platform and the software installed in the mobile devices should be regularly reviewed for tampering and manipulation.
Service providers should implement secure processes for authorizing transactions, as well as robust processes for monitoring transactions and systems to identify abnormal customer payment patterns and prevent fraud and money laundering.
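The transaction-monitoring requirement above is usually met with a set of rules run over the payment stream. The following Python example is added here to illustrate that idea and is not the article's or any provider's code: it runs three simple rules over a constructed batch of transactions, flagging bursts of payments in a short window (velocity), a large first payment to a previously unseen payee, and repeated amounts kept just under a reporting threshold (structuring). The thresholds, window sizes and the sample transactions are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transactions (not real data): (ISO timestamp, customer, payee, amount)
SAMPLE_TRANSACTIONS = [
    ("2024-03-01T09:00:00", "cust-1", "grocer-A", 42.50),
    ("2024-03-02T09:05:00", "cust-1", "grocer-A", 38.20),
    ("2024-03-03T18:30:00", "cust-1", "telco-B", 25.00),
    ("2024-03-04T10:00:00", "cust-1", "grocer-A", 45.10),
    ("2024-03-05T02:11:00", "cust-1", "new-payee-X", 2400.00),  # first payment to a new payee, far above the usual amount
    ("2024-03-06T11:00:00", "cust-2", "shop-C", 9900.00),
    ("2024-03-06T11:07:00", "cust-2", "shop-C", 9800.00),
    ("2024-03-06T11:15:00", "cust-2", "shop-C", 9950.00),  # three payments just under the reporting threshold
    ("2024-03-07T12:00:00", "cust-3", "merchant-D", 10.00),
    ("2024-03-07T12:00:20", "cust-3", "merchant-D", 10.00),
    ("2024-03-07T12:00:40", "cust-3", "merchant-D", 10.00),
    ("2024-03-07T12:01:00", "cust-3", "merchant-D", 10.00),
    ("2024-03-07T12:01:20", "cust-3", "merchant-D", 10.00),
    ("2024-03-07T12:01:40", "cust-3", "merchant-D", 10.00),  # six payments in two minutes
]

# Assumed rule parameters; a real system tunes these per product and customer segment.
REPORT_THRESHOLD = 10_000.00     # amount above which a report would be filed
STRUCTURING_BAND = 0.90          # amounts in [90% of threshold, threshold) count as "just under"
STRUCTURING_WINDOW = timedelta(hours=24)
STRUCTURING_MIN_COUNT = 3
VELOCITY_WINDOW = timedelta(minutes=5)
VELOCITY_MAX = 5                 # more than this many payments in the window raises an alert
NEW_PAYEE_MULTIPLIER = 10        # first payment to a new payee at >= 10x the customer's median


def monitor(transactions):
    """Replay transactions in time order and return (rule, customer, timestamp) alerts."""
    amounts_seen = defaultdict(list)   # per customer: amounts of all earlier payments
    payees_seen = defaultdict(set)     # per customer: payees already paid
    recent = defaultdict(list)         # per customer: timestamps inside the velocity window
    near_threshold = defaultdict(list)  # per customer: timestamps of just-under-threshold payments
    alerts = []

    for ts_str, customer, payee, amount in sorted(transactions):
        ts = datetime.fromisoformat(ts_str)

        # Rule 1: velocity. Keep only timestamps still inside the window, then count.
        recent[customer] = [t for t in recent[customer] if ts - t <= VELOCITY_WINDOW]
        recent[customer].append(ts)
        if len(recent[customer]) > VELOCITY_MAX:
            alerts.append(("velocity", customer, ts_str))

        # Rule 2: large first payment to a payee this customer has never paid before.
        history = amounts_seen[customer]
        if history and payee not in payees_seen[customer]:
            median = sorted(history)[len(history) // 2]
            if amount >= NEW_PAYEE_MULTIPLIER * median:
                alerts.append(("new_payee_spike", customer, ts_str))

        # Rule 3: structuring. Several payments kept just under the threshold within a day.
        if STRUCTURING_BAND * REPORT_THRESHOLD <= amount < REPORT_THRESHOLD:
            near_threshold[customer] = [t for t in near_threshold[customer]
                                        if ts - t <= STRUCTURING_WINDOW]
            near_threshold[customer].append(ts)
            if len(near_threshold[customer]) >= STRUCTURING_MIN_COUNT:
                alerts.append(("structuring", customer, ts_str))

        amounts_seen[customer].append(amount)
        payees_seen[customer].add(payee)

    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_TRANSACTIONS):
        print(alert)
```

Each rule keeps only the state it needs (a sliding window of timestamps, a set of known payees, a list of past amounts), so the same loop can run on a live stream rather than a batch. In practice these rules feed a case-management queue rather than blocking payments directly, and the thresholds would be tuned against the false-positive rate the fraud team can absorb.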
Service providers should also educate customers about the security issues involved in using payment services, so that customers are able to use those services safely and securely.
The payment platform solution should be periodically audited against globally accepted best practices, relevant industry and ISO standards and regulatory requirements to identify any weaknesses in the system and assess the ability to protect from emerging threats.
All current and future participants should develop a digitally driven strategy flexible enough to respond dynamically to both market and cybersecurity developments. Whether they are banks, telcos, device manufacturers, retailers, tech companies, startups or others, they will need to address real customer needs, and cybersecurity is one of them.
Regulations are still evolving, and it is imperative that the government and the regulators take a long-term view of building a sustainable digital payments market. Government investment in building merchant acceptance networks, setting up common payment infrastructure and developing a proper framework for grievance redressal is also essential. Strengthening regulation, anti-money laundering controls and payment account category management practices is very important. Regulations play a critical role in determining the nature and success of payment solutions.
(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He is the founding member and Secretary of the (ISC)2 Chennai Chapter, Founder/President of Information Security Professional Associates (iSPA) and a board member of the (ISC)2 Colombo Chapter. He can be emailed at sujit@layers-7.com)