Securing customer data in a digital world filled with threats

On New Year’s Eve 2019, hackers struck foreign exchange giant Travelex and held it to ransom. The London-headquartered firm, with a presence in more than 70 countries, was forced to take down all its global websites. The attackers demanded $6 million (£4.6 million) to return access, or else customer information would be released.

Breaches of sensitive personal information, like the one at Travelex, are hardly unexpected now. The kinds of attack putting data at risk are evolving and becoming more complex to defend against. In the payment sector, much has been done to start protecting against attacks, but as one security barrier goes up, i.e. defending customer authentication, new challenges pop up elsewhere along the supply chain.

The medicine for these challenges was never accounted for when technology was in its infancy. The internet was built with the intention to connect, rather than protect, people. Yet the convenience of online and mobile communications channels means these platforms are not going away, and demand will keep going up because of it. The genie is out of the bottle, but it is the responsibility of enterprises to get up to speed with technological change and safeguard their sensitive data. Part of this is being aware of their responsibilities with data and what that means. Essentially, security needs to be unassailable from the get-go, less reactive and ready for attacks from day one.

No organisation is safe from data security risks. Threats can be both external and internal, and even the most knowledgeable companies get breached.

While there is no silver bullet, some basic practices can bring dramatic improvements to an organisation’s security and leave customers more at ease. These include: 1. adopting secure emerging technologies; 2. staying up to date on industry requirements; and 3. ensuring staff are aware of and fully trained in changing security protocols.

Prioritising security for future peace of mind

Currently, companies are looking to digitally transform their infrastructure to perform more efficiently with fewer overheads. There is also a competitive first-to-market mentality, which leads to increased pressure on security resources and difficult trade-offs.

Companies must look for product solutions that integrate security from the start of the design process. This is essential when these products transmit and store sensitive customer information, as in the case of POS systems and payments software. These issues prove especially difficult to solve when customers use devices that may not be secure, such as phones, smart watches and other devices, to make their purchases easier and more streamlined. Nonetheless, many transactions and much personal data would be secured by strong PKI and encryption initiatives.

Defending against Phishing

The traditional payment card world effectively relies on a complete end-to-end hardware-based security infrastructure. The online, digital world is very different – it accepts that a consumer’s mobile device is inherently untrusted and relies on a range of software security approaches underpinned by strong risk management and hardware-based security at the service provider or issuer to minimise the threat of fraudulent transactions. With payment cards, we have a trusted bank-issued device, where the cryptographic keys are secured inside the chip and are valid for the full lifetime of the card.

With more shops and merchants accepting mobile payments than ever before, retailers must make themselves aware of the security vulnerabilities. Brand loyalty runs deeper than reward programs, and the security of information is a large piece of what keeps consumers tied to a specific brand. Ultimately, retailers must be sure their technology is meeting PCI DSS regulations, especially for something that continues to update itself every few years.

Upskill to save data

Handling sensitive information is a reality in the world of digital and physical payments. Upskilling IT staff, customer service and management to deal with emerging technologies is integral to avoiding security breaches and data leaks. We have seen it happen throughout 2019 up to the Travelex breach.

Regulation has never been more aware of its responsibilities, with the European Payments Council 2019 Payment Threats and Fraud Trends Report recently calling on payment service providers to understand and fully invest against emerging threats. That means investing in appropriate security and monitoring technologies – as well as customer awareness campaigns.

Companies that do not secure their data will not only be punished by regulatory bodies, but also by a loss of reputation and customer loyalty. As customers become more concerned about where their financial data is – and what it’s being used for – businesses must let them know the steps they’re taking to secure it and why they are to be trusted.

Paul Hampton

Security Expert

Thales

This post is from a series of posts in the group:

Information Security