By Dale S. Laszig
Advanced payment technologies are meeting the needs of a changing world. In this two-part series, payments industry leaders discuss four pillars of digital commerce—security, intelligence, agility and transparency—and their predicted impact on consumers, industry trends and regulatory landscapes in 2022.
Jodie Kelley, CEO at the Electronic Transactions Association, described the ETA's efforts to expand public and private sector collaboration. "Federal legislators grapple with a wide range of issues: privacy, security, cryptocurrencies, Central Bank Digital Currencies, stablecoin and other forms of digital assets," she said. "We meet in person and in webinars, individual meetings and broader, lunch-and-learn sessions in the U.S. and Canada, to engage and provide information."
Policymakers and payments stakeholders are equally invested in protecting consumer identities and data in stores, mobile apps and online, Kelly stated, highlighting mutual areas of interests in a Nov. 30, 2021, letter to the Federal Trade Commission, summarized as follows:
"These are just some of the tools that the payments industry has developed in recent years to fight fraud, protect consumers, and ensure the integrity of the payments ecosystem," Kelley wrote. "These efforts have been remarkably successful in reducing fraud while ensuring that consumers have access to fast, reliable, and safe payment options."
The PCI Security Standards Council evolves the Payment Card Industry (PCI) Data Security Standard (DSS) by soliciting feedback, educating merchants and expanding reach beyond physical points of interaction to emerging mobile and virtual technologies. The Green Sheet learned more about council initiatives in a November 2021 interview with Troy Leach, former senior vice president, engagement officer for market intelligence and stakeholder engagement at the PCI SSC.
"We're on track to release PCI DSS 4.0 in March 2022," Leach said. "This is a big leap forward and full revision of 'dot 0' most prominently with customized validation. This avant garde approach to security provides a path to compliance to companies with long-standing, mature risk models for managing payment data security, that would not otherwise meet testing requirements."
Customized validation enables qualifying companies to create their own requirements, using their frameworks and testing procedures, Leach noted. This alternative to traditional compliance protocols gives flexibility to large, multinational organizations with deep security knowledge that can demonstrate requirements that are testable, repeatable and equivalent in strength to existing DSS validation requirements, so we're excited about that, he added.
"We're providing a three-year implementation window but encourage people to review the standard early, even if they don't test and implement the requirements right away," Leach said. "This will help them prepare for 2025, when they will have to show they meet that level of security."
Ruston Miles, founder at Bluefin, expects to see more PCI-validated point-to-point encryption (P2PE) implementations in 2022. P2PE, which he called the gold standard in payment security, protects data in transit and at rest, from initial point of entry to final destination, where it is securely decrypted by a receiving host. Of all existing P2PE solutions, Miles affirmed only those validated by the PCI SSC meet rigorous standards for encryption, decryption, key management and chain of custody for P2PE transactions initiated by tap, dip, swipe or key entry.
"Bluefin became a PCI-validated P2PE solution provider in 2014 and hundreds of our P2PE devices and integration partners use P2PE Manager, our online portal for managing chain of custody," Miles said, adding that 2021 was a breakthrough year for the company, in terms of innovation and payments industry recognition.
Bluefin's ShieldConex won accolades in 2021, Miles stated, including FinTech Breakthrough, CyberSecurity Breakthrough and MPC Digital Commerce Visionary awards. Judging panels recognized the company for bringing hardware-grade security to ecommerce and using a subscription-based model to help reduce costs and scope of work in maintaining regulatory compliance.
Miles predicted 2022 will bring stricter privacy mandates for protecting all types of sensitive data, not just payments. "People tend to associate tokenization with payments, but that's not the way it is anymore," he said. "There's so much more information being entered online but if that data is authenticated, encrypted and tokenized, it will be rendered useless to a hacker."
Ryan Smith, vice president, global business development at Futurex, expects hardware virtualization to continue to scale throughout the payments ecosystem. Futurex has been helping retailers, processors and VARs tokenize customer data to derive generic shopping trends without compromising individual consumer privacy, he stated. "There have been good strides to protect data in transit, and point-to-point encryption has been a key driver," Smith said. "It's pushed the bad guys to look for golden nuggets of data elsewhere and challenged retailers to get to know customers while protecting their personal information as well."
Futurex created a virtualization technology by placing a hypervisor within a hardware secure module (HSM), which runs behind a PCI-compliant physical security boundary, Smith stated. And PCI P2PE version 3.0, released in December 2019, enabled Futurex engineers to selectively enable and disable features in the HSM without placing those burdens on customers or end-users, which simplified compliance testing even more, he added.
As Smith noted, virtualization pushes machines in the background but does not replace them. "We can spin in multiple agents within that secure boundary, but at the end of the day, you're still deploying a physical agent with physical requirements such as tamper resistance, heat sensitivity, etc.," Smith said. "You still have to buy a physical appliance to be able to run it and then you have the service side, where we've taken our HSM and created a service out of it."
Andrew Shikiar, executive director and chief marketing officer at the FIDO Alliance, predicted on-device biometrics will eventually replace server-side credentials and shared secrets, better known as passwords. "Servers that hide secrets can be manipulated and attacked," he said. "With biometrics, you're authenticating to or near your device, securely communicating with the server by proving possession of that device in an irrefutable manner."
When Google tested biometrics in 2017, not one Google employee was successfully phished, and help-desk costs went down while productivity went up, Shikiar stated. These measurable proof points helped biometrics gain ubiquity and global scale, he added. Market leader support from Microsoft, Google, PayPal and stakeholders in FIDO working groups helped standardize web authentication technology and Apple joined FIDO's board of directors in January 2020, he said.
Implementing support and technology at scale has changed the conversation between service providers and hardware vendors, Shikiar noted, adding that it's no longer, how can I get this or send security keys to all my users or get them to download something? "The answer to all of those questions is, they already have it; it's just there in the devices and platforms," Shikiar said. "We're seeing widespread adoption of FIDO authentication because it's supported so broadly in consumer devices. If I'm a web developer, it's quite easy for me to incorporate FIDO authentication into a website or web service instead of a password."
Michael Magrath, vice president, global regulations and standards at OneSpan, expects digital identity verification and app shielding to play a broader role in omnichannel commerce in 2022 and beyond. Magrath also co-chairs the FIDO Alliance's government deployment working group and serves on the board of directors at the Electronic Signature and Records Association.
"Digital identity verification is a reality, and leading financial institutions are already using it to remotely confirm a person's identity," Magrath said. "These solutions compare government issued IDs with information you've provided on a document and take a selfie picture to match the picture with your ID and make certain that you're a living person." Magrath further noted that a good digital identity process happens very quickly, usually in under a minute, allowing end users and vendors to start relationships in a trusted environment. While end-users interact with apps, service providers do a bunch of things behind the scenes, he added, such as obtaining information about the device, getting SIM card, geolocation and related data, and shielding individual apps.
"App shielding is the second component of protection that prevents attackers from accessing mobile apps," Magrath said. "If attackers get onto your phone in some way, they can't compromise your mobile banking, because the banking application has been shielded."
Kevin Gosschalk, CEO and founder at Arkose Labs, stated technology has changed the game for both fraudsters and the businesses trying to stop them. The same advanced technologies that help organizations detect and prevent fraud are being weaponized by criminals, he explained, which is why we need Intelligence, not just tools, to bankrupt the business model of fraud.
"Proxy IPs are readily available, and enterprise plans allow fraudsters to buy hundreds of thousands for an economical price," Gosschalk said. "They can buy SaaS software to load combo lists and launch attacks at scale with ease." Vanita Pandey, chief marketing officer at Arkose Labs, agreed, stating security analysts around the world expect digital account openings and online activity to increase exponentially in 2022, adding fuel to attacks across digital touchpoints. Pandey's Dec. 20, 2021, blog post, "Top 10 Fraud Trends in 2022 and Your Cybersecurity Blueprint," cited the following near-term threats:
"In 2022, businesses must remain aware of the shifting risks they face and take appropriate measures to protect themselves and their consumers," Pandey wrote, urging stakeholders to think in terms of deterrence, not just mitigation.
Part 2 of this series will explore two other pillars of digital commerce: agility and transparency.
Dale S. Laszig, senior staff writer at The Green Sheet and managing director at DSL Direct LLC, is a payments industry journalist and content strategist. Connect via email firstname.lastname@example.org, LinkedIn www.linkedin.com/in/dalelaszig/ and Twitter @DSLdirect.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next