ETA Expert Insights: Cybersecurity — Safeguarding The Payments Industry
By Emily Baxter, Consultant, RPY Innovations
ETA Industry Affairs PCI/Cybersecurity Committee
As the financial landscape becomes increasingly digital, the need for strong cybersecurity measures must stay at the center. The importance of cyber defense has grown so much that the major card brands Visa and Mastercard are proactively strengthening their cybersecurity measures by acquiring cybersecurity companies, a reassuring sign of the industry’s commitment to security.
The COVID-19 pandemic accelerated the adoption of digital payments and e-commerce and the penetration of Buy Now, Pay Later in the American market. With all these shifts in payments, fraudsters have also accelerated the ways in which they can commit fraud, access critical information, and jeopardize even physical security.
In 2024, cybersecurity is not only about protecting digital transactions; it is about protecting information. As you may know, the payments landscape is somewhat complicated, as it involves various parties, including issuing banks, PayFacs, acquirers, and the major card networks, to mention a few. They all have something in common: data centers.
Protecting data centers is the key to keeping information and digital assets away from hackers, as not only do they contain information, but data centers are also used by all parties involved in payments. The infrastructure for processing payments must be protected because payment systems handle sensitive financial information. Cyber and physical breaches can lead to fraud, data theft, or operational disruptions.
Here are the best cybersecurity practices, and equally important physical security practices, for 2024 from ETA’s PCI/Cybersecurity committee chair, Emily Baxter, Consultant at RPY Innovations.
CYBERSECURITY
- Data Encryption
Data encryption is fundamental to protecting sensitive information in the banking and fintech sectors. As companies manage massive amounts of personal and financial data, ensuring this information is encrypted in transit (as it moves across networks) and at rest (when stored) is critical.
- Zero Trust Architecture
In an era where remote work is more common, and cyberattacks are becoming increasingly sophisticated, a Zero Trust architecture has emerged as one of the most effective strategies for protecting sensitive information. Unlike traditional security models, which assume that internal users are trustworthy, Zero Trust operates on the principle of “never trust, always verify.”
- Red Teaming: Testing Security Through Realistic Cyber Attacks
Red teams mimic potential attackers’ tactics, techniques, and procedures, providing valuable insights into how prepared an organization is to respond to an actual cyberattack. They help test the effectiveness of defenses such as firewalls, intrusion detection systems, and access controls. Red teaming also prepares incident response teams by giving them practice in detecting and mitigating breaches in real time.
PHYSICAL SECURITY
Physical security refers to the measures taken to protect hardware and infrastructure from unauthorized access, theft, card skimmers, and manipulation by bad actors. Be cautious about placing cameras near ATMs, safes, or computers; even security cameras can compromise data.
Recommended physical security measures to reduce vulnerabilities in the payments security framework:
- Secure Access Control — Use keycards, biometric scanners, and surveillance systems to limit physical access to payment terminals, servers, and data centers.
- Secure Devices — Ensure payment terminals and ATMs have detection features that trigger alerts when unauthorized changes or modifications are attempted.
- Surveillance and Monitoring — Use cameras, alarms, and monitoring systems to detect and deter unauthorized access to payment infrastructure. Only use approved, secure cameras in these locations, as hackers can exploit footage to capture sensitive information such as PINs, safe codes, or login credentials.
THE USE OF AI TO PROTECT PAYMENTS
AI continues to be a hot topic in 2024, and many of us feel that AI is here to assist in our daily duties and to make our lives easier. AI is not as novel in payments as in other industries, as we have used it for at least a decade. Who do you think operated your bank’s chatbot?
AI-driven threat intelligence tools have been widely used to analyze massive amounts of data quickly, identifying trends and anomalies that might indicate an imminent attack. These tools can predict and prevent attacks before they occur, giving banks and fintech companies a head start on securing their systems.
Nevertheless, AI can also be used negatively. With AI advances, scammers can mimic voices convincingly, even using AI-generated audio to impersonate trusted individuals like bank officials or family members. Another everyday use of AI to commit fraud is deepfake technology, which allows cybercriminals to impersonate individuals in real-time video calls.
With more transactions happening digitally, banks and fintechs must enhance their fraud detection systems by employing machine learning algorithms to detect suspicious transaction patterns in real time.
COMMON CYBERSECURITY THREATS IN 2024
Cybercriminals are constantly evolving their tactics, making it essential for organizations to stay vigilant. Below are some of the most common cybersecurity threats, according to Statista, that are relevant to the payments industry in 2024.
1. Phone Scams: Social Engineering at Scale
- Phone scams, often called vishing (voice phishing), remain a common method fraudsters use to trick individuals into revealing sensitive information.
2. AI-Driven Video Call Impersonation: Deepfake Technology in Action
- Deepfake technology allows cybercriminals to impersonate individuals in real-time video calls.
3. Card Fraud: Persistent and Evolving
- Despite implementing EMV chip technology and mobile payment security, card fraud remains a significant threat. Cybercriminals continue to find ways to steal card details through phishing, card skimming, and data breaches.
4. Distributed Denial-of-Service (DDoS) Attacks
- DDoS attacks, where attackers flood a network with traffic to overwhelm its infrastructure, are becoming more frequent and potent in 2024. These attacks can disrupt online services, leading to downtime, reputational damage, and financial losses for fintech companies.
- To mitigate the risk of DDoS attacks, banks should deploy content delivery networks (CDNs) and DDoS protection services to absorb and reroute malicious traffic.
5. Zero-Day Vulnerabilities: Exploiting the Unknown
- Zero-day vulnerabilities, flaws in software that developers are unaware of and haven’t patched, remain a significant risk. Cybercriminals can exploit these weaknesses before developers release a fix, putting financial systems at risk.
6. Email Phishing
- Despite increased awareness, email phishing remains a significant threat, with attackers leveraging data from previous breaches to craft highly targeted emails.
ADAPTING TO THE CHANGING CYBERSECURITY LANDSCAPE
As cyber threats continue to evolve in 2024, it’s clear that banks and fintech companies must adopt a multifaceted approach to cybersecurity, from robust data encryption to the implementation of Zero Trust architecture and proactive red teaming. At the same time, they must remain vigilant against emerging threats like AI-driven impersonation and must not neglect physical security, in order to maintain trust in an increasingly digital world for the payments industry.