As fintechs and crypto amplify security risks, PCI DSS 4.0 promises benefits for everyone
– David Braue
Melbourne, Australia – Mar. 4, 2022
Chronic deficiencies of cybersecurity expertise have left many businesses focused on firefighting as they ride the pandemic-era wave of digital transformation.
Without the right support or security standards, however, many have struggled to meet the new challenges of online commerce: delivery logistics, online fraud, ransomware, data exfiltration, and the relentless depredations of online criminals who have not missed an opportunity to pillage operational data.
Security standards like PCI DSS have been protecting high-sensitivity industries like card processing for many years — yet expensive and Byzantine certification processes are still keeping many companies from benefiting from its robust guidelines for the storage and processing of sensitive payment card information.
Maintained by the PCI Security Standards Council and mandated for any company handling credit card transactions, PCI DSS certifications have traditionally been time-consuming, expensive, and difficult to maintain even where a company does manage to obtain certification once.
“At the end of the day, we believe that our mission as a cyber defense business is providing trust to all participants of the system,” he told Cybercrime Magazine, “and we’re providing a layer of trust by helping them with things like PCI DSS — which, even if you are not in the payments industry, it’s still good practice.”
Supporting the effort is credit card giant Visa, which has partnered with GM Sectec to help raise the baseline level of cybersecurity across companies — whether they’re processing credit card data or not.
Visa’s goal is “to help our clients protect themselves by adopting standards like PCI,” notes Eduardo Perez, CFA, Visa’s senior vice president and regional risk officer for Latin America & Caribbean.
“We’re ensuring that they meet those minimum standards to secure their payment environment in particular, but many of those standards apply more holistically to entities’ overall systems — and those are good security principles and standards to apply across the board.”
“We’ve seen that entities that continually strive to meet those standards become less vulnerable to being attacked and suffering in a cybersecurity event, or that they’re able to very quickly recover and mitigate an event even if they are attacked.”
Fighting CNP fraud
One of the biggest challenges to payment card security has been the explosion of e-commerce during the COVID-19 pandemic, which pushed card not present (CNP) transactions to new levels — and sent fraud skyrocketing as well.
CNP fraud accounted for 68 percent of losses by card industry merchants and acquirers in 2020 alone, prompting payment card processors to push for new ways of protecting transactions.
The ongoing fight against CNP fraud has given Visa more experience than most in fighting to protect sensitive data from compromise: it has, for example, leaned into the cryptocurrency space with partnerships that enable it to offer crypto-backed credit cards that let investors spend their holdings anywhere.
Yet as the once tightly-controlled world of payment card data expands into the Wild West of crypto — whose substantial financial returns have attracted significant interest from cybercriminals — data security has become even more important, as have partnerships with security specialists like GM Sectec.
The partners are exploring the possibility of a range of new technologies such as tokenization, which Martinez says are “key to not only reducing scope, but if they do get in, [ensuring] that there’s nothing valuable that they can steal.”
Defensive security techniques have become particularly important as fintechs bypass conventional payment card structures, building online payment architectures without the benefit of requiring a physical token — the credit card — as a measure of assurance.
Companies have been largely left to their own devices when it comes to securing those architectures, but as cryptocurrency regulations tighten worldwide over time, Martinez anticipates a flight to security that will see fintechs warming to the verifiable security that PCI DSS compliance provides.
Strength in numbers
The sector will require not only Visa’s expertise in managing secure payment ecosystems, Martinez believes, but will also benefit from the ongoing security consulting and monitoring capabilities that GM Sectec brings to the table.
“We’re providing cybersecurity assessments and 24x7x365 monitoring on the CNP side,” he said, noting the company’s increasing involvement in digital forensics around cybersecurity threats such as ransomware attacks.
“We’re seeing an opportunity where we can also provide more trust to more traditional financial institutions, and to fintechs who want to lean into the crypto space but do not have visibility of things like transactions and Virtual Asset Service Providers.”
“Those are key themes that will grow in necessity as the crypto space gets more regulated,” he continued, “and we are certainly looking at ways to have that responsible innovation while looking at the new ways that people are looking to transact and have digital goods — whether it’s in the real world or in the metaverse.”
If enabling secure payments is one of the core pillars of Visa’s work with its partners, protecting entities involved in the payments chain is another — and it is in this respect, said Perez, that the partnership with GM Sectec will pay dividends.
Working closely with GM Sectec will help every company, no matter how small, benefit from viable security controls that address the flurry of new developments in the fintech and payments space.
“A good amount of our focus in partnering is bringing some of the same fundamentals that we’ve applied historically to other payment types,” he explains, “and the transference and use of payments for other assets to the crypto space.”
“We have a number of partnerships that we continue to work on, and I’m very optimistic that we’re going to be able to continue to grow trust in the crypto space. We’re going to continue focusing on enabling and protecting our payment ecosystem participants, buyers and sellers so they can transact everywhere, every way, and any way they want to pay.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.