Securing Payment Gateways: a Collaborative Effort
Panel Says Information Sharing, End-to-End Security Critical
New-age banking methods have been accompanied by a sustained push of initiatives and reforms from the government and the Reserve Bank of India to widen banking outreach. The result is a transformation driven by changes in payments technology and its adoption.
New payment systems and form factors let businesses use technology to become more efficient and cost-effective and to grow, but they also introduce serious security challenges for CISOs, who must stay ahead of the curve to defend against attacks and breaches.
This was the theme that emerged at the SISA Summit 2016 (held in Mumbai), where a panel of experts debated "Payments Security: Think Ahead of the Curve."
The panellists included moderator Nitin Bhatnagar, head-business development (SAARC), SISA Information Security; Rishi Rajpal, director-IT Governance, Concentrix Corporation; Harish Prabhu, MD & CEO, Sarvatra Technologies Pvt. Ltd.; Ashutosh Jain, CISO, Axis Bank; and Ramesh Thimmana, founder and CEO, Paynguin Payments.
The panel argued that securing payments requires a collaborative effort, with all stakeholders, including CISOs, business heads, operators and users, taking responsibility for adhering to security measures.
According to SISA's Bhatnagar, "Payment security is not one person's job. As new technologies in payment bring a multitude of risks drawn from varied sources and end points, every stakeholder plays a role in establishing certain basic security standards during the payment process."
The evolution of payment methods and technologies such as near field communication, m-payments, m-banking, mobile wallets, point of sale, Immediate Payment Service (IMPS), Unified Payments Interface (UPI) and payment gateways has given sleepless nights not only to CISOs but also to business heads, who must live up to the trust placed in them by customers who expect secure transactions.
Security experts see a big surge coming in mobile wallets and mobile payments in the country, with growth of more than 50 percent expected in the next two years (despite the market being in its infancy now).
"As the world moves into contactless payment, the challenge for us as service providers is to ensure that every attack becomes an expensive and complicated proposition for the attacker, with stringent security controls and adapting every standard available," says Concentrix's Rajpal.
Sarvatra's Prabhu sees growing concerns among many co-operative and regional banks about adopting new-age payment systems, as their customers are not equally knowledgeable. "At this point of time, I do not share the enthusiasm of a cardless world, as most banks are just taking to core banking," he says.
Axis's Jain sees three distinct challenges that new technologies would bring in:
- Client security brings in new forms of risks with new mobile form factors;
- Customers using applications, most of which are not built with secure coding practices;
- Digital India attaching new digital identities to every individual transaction, which increases the potential for phishing attacks.
"The sources of risk emanating from new payment methods have increased alarmingly," says Jain.
Paynguin's Thimmana points out that over 50 percent of citizens are still not comfortable transacting online, and 45 percent of them do not have access to new payment methods, so they are bound to depend on third parties. This lack of awareness of how to conduct a secure transaction is going to be a huge challenge.
Measures for a Secure Transaction
The big concern for security leaders today is how to keep new mobile-based banking transactions secure.
"What kind of new standards should we follow, how well do the old standards hold, and what more needs to be looked at?" are the questions posed by Bhatnagar.
Security leaders say that while having security controls and deploying standards is necessary, a collaborative approach is required to address the new-age payment security challenge. They argue that a risk-based strategy, rather than a compliance-based one, is what matters in tackling these challenges.
According to Thimmana, "It is not the form factors we need to be concerned about, but the technology gaps existing between various teams, business groups and customers about understanding security where anyone can become the weakest link.
"A strong information-sharing and collaborative approach to make everyone cognizant of security is critical to respond to cyber threats which are inevitable," he says.
For Prabhu, the primary task is to build awareness and spot the loopholes in the transaction system at every level, on the firm assumption that criminals are smarter than users.
Rajpal suggests, "The key risk mitigation to address new age technology challenges would be to have strong security control measures and enforce shared responsibility of the mobile wallet (or any other operator) and end-users to ensure sufficient security is established.
"I would see mobile devices being shipped with the operators installing security frameworks and doing valid checks to ensure that customer data is protected in any transaction," he argues.
Jain sees the need for a mandatory disclosure norm, since breaches and online fraud cannot be avoided. "This will help every bank and financial institution take a serious note of risks and prevention mechanisms," he says. "Every enterprise should have a designated CISO to help the organisation and its employees securely leverage payment innovations," Jain adds.
"While it is critical for every institution to adopt PCI DSS norms and RBI security guidelines, the person in charge should reinforce the concept of data privacy among employees and secure all endpoints to tackle the risks that new payment methods usher in," says Bhatnagar.