Merchant losses due to payment fraud are expected to reach a staggering $362 billion between 2023 and 2028. In addition, every $1 of fraud costs U.S. retail and ecommerce merchants $3.75. This situation is further compounded by the growing move toward online shopping, making the need for robust security measures more critical than ever. The urgency for effective fraud prevention measures is at an all-time high.
Over time, cyber fraud has become more and more complex, and our approach to cybersecurity must adapt to stay ahead of the latest attacks. As VP of DevSecOps at Exact Payments, I have learned many lessons about safeguarding sensitive payment data. My role has focused on a security-first perspective and making security a forethought rather than an afterthought.
Security-first is the philosophy and practice of prioritizing security in all aspects of business operations, especially in the development and deployment of IT systems and services. This means that all aspects of people, processes, and technology need to be considered from a security perspective.
In this article, I’ll highlight some of my key areas of focus over the past several years, including secure development processes, employee training, complying with payment industry standards, and utilizing the latest payment security technology.
Secure Development Processes
Adopting a security-first mindset in development is a way to be proactive and head off problems before they arise.
My development team is trained in the best secure coding practices and armed with tools to detect vulnerabilities in their code in near real-time. By fixing issues during development, we prevent vulnerable code from being committed to our code repositories.
In fact, 91% of all vulnerabilities are fixed in the developers’ integrated development environment before being committed to the repository. What’s more, our fix rate is 99%, 40% higher than that of companies that fix at the end of the development cycle.
Our development time is also faster because we aren’t losing time to fix extra vulnerabilities on the back end. And since developers address issues in real-time, we can often eliminate mistakes going forward. All these approaches mean we can ensure no vulnerabilities enter the production environment. However, it takes considerable effort to get to this point.
Start by training developers on security best practices and how to create robust code that has reduced surfaces to attack. That also means having developers stay on top of current security findings and practices with the code libraries and tools they use in order to avoid known trouble spots.
It also means giving developers cutting-edge tools in their integrated development environment (IDE) to identify risks, errors, and vulnerabilities in real time. Using developer monitoring tools, we can log and visualize our developers coding competencies.
Finally, as these approaches are brought together by changing coding practices and procedures, we can now automate the deployment of their code with our continuous integration and continuous deployment (CI/CD) pipelines. Once the new code has been deployed, we now have automated tests that perform penetration and regression tests in a live environment before being placed into production.
As an additional step, we continuously monitor our code in production and are alerted when a new vulnerability has been reported in the National Vulnerability Database.
Train Employees on Security
Another area for security focus is training employees—all employees. A common avenue of initial attack for hackers and cybercriminals is through employees, using attacks like phishing, social engineering, smishing, or taking advantage of employees who are using weaker security precautions.
A recent study by Verizon highlighted that 74% of vulnerabilities came through the human element, and 50% of social engineering attacks later escalated to full attacks using the data gathered. These vulnerabilities are particularly important for payment fraud because of the additional risk of potentially exposing customer card data. JP Morgan reports that 71% of organizations have now experienced payment fraud.
It’s important to know that many employee security issues arise from employees who don’t know better, so training in this area is critical. Conversely, employees can make a massive difference in front-line protection with proper training.
First, train employees and provide them with resources on phishing, ransomware, and best practices when working remotely. Remote access issues can cover public wifi, VPNs, locking devices, and immediately reporting lost or stolen devices. Also, provide them with tools that make it easier to be secure—think multi-factor authentication tools and hardware authenticators rather than just passwords.
Test employees periodically on their security knowledge to remain sharp and aware of security issues and risks. At my organization, it’s standard practice that every employee take online courses and pass tests covering topics like phishing, social engineering, mobile device safety, and more. Training is even more comprehensive for developers who need to know encryption, logging standards, PCI compliance, and lists of the most dangerous coding flaws.
We have also implemented fake phishing emails to test employees' security awareness. Each employee has a personal risk score that is calculated using a variety of factors such as job title, phishing test results, and completed training. We even compete between departments to see which has the least risk as measured by these scores.
PCI Compliance and Advanced Security Protocols
One of the primary tools to prevent payment fraud is adherence to the Payment Card Industry Data Security Standards (PCI DSS). PCI DSS is a set of standards used to protect businesses and their customers against payment card theft and fraud. Businesses that accept, store, or transmit card data are required to maintain PCI DSS compliance by the major card brands, including Visa, MasterCard, and Discover.
PCI compliance is all about keeping cardholder data as safe as possible. However, it’s not just about putting up a bunch of firewalls and calling it a day. It's about understanding and limiting where and how this sensitive data is handled and creating a secure ecosystem where every transaction is safeguarded from threats, no matter how small.
As we navigate the ever-changing landscape of data security, I remain committed to the belief that minimizing data touchpoints is key. In addition to safeguarding with PCI compliance, several technologies stand out in this endeavor, offering robust solutions to the challenges we face daily:
- Tokenization: Tokenization replaces a credit card number with a randomized, anonymous token that stands in for sensitive payment data throughout a transaction. Unlike encryption, which can be reversed with the correct key, tokenization does not allow reverse engineering to obtain the original data from the token.
- Network Tokenization: Taking tokenization a step further, network tokens are created and issued by the payments network (via the Visa or Mastercard network) rather than an external party, as with other tokens. Since the payment networks establish the relationship between the token and the underlying cardholder account, all activities can be tracked across the lifecycle of that token.
The end-to-end security journey that network tokenization offers by being tied to bank systems greatly reduces the risk of losing valuable card data due to malware, phishing attacks, and data breaches. It also improves authorization acceptance rates, effectively increasing sales—a huge bonus!
- Point-to-Point Encryption (P2PE): By encrypting all data from end to end, transactions are protected from interception. P2PE uses a combination of complex algorithms, hardware, software applications, and secure devices to encrypt the customer’s payment card data as it moves from the point of interaction (such as a POS terminal) through the merchant’s system to protect it from theft during the transaction process.
As I sit back and reflect on my journey in the payments industry, it becomes increasingly clear that the path to robust payment security is both complex and evolving. The goal is to enhance security without affecting user experience.
Embracing the security-first principle has been more than just a strategy—it's been a mindset. From instilling new secure coding practices in our development teams to ensuring continuous monitoring and improvement, we've made security an integral part of our business ethos. This approach has paid dividends, not just in compliance and reduced risk but in the trust and confidence it has built with our customers.
With over 17 years of IT experience, Jeremy Smillie acts as VP of DevSecOps for Exact Payments and is an expert in managing strict industry standards such as SOC, PIPEDA, CCPA, NIST, SANS, CIS, and more. Early on in his payments career, Jeremy worked with the first company in Canada to roll out EMV payments at gas pumps and integrated payments for in-store sales. He also worked closely with merchants to help them become PCI-DSS certified shortly after the introduction of the standards. As a former entrepreneur of a successful software development company, Jeremy applies a proactive, ITIL-based approach to ensure IT always meets the needs of business.
