PCI SSC Chief Technology Officer Troy Leach talked with PCI Europe Community Meeting attendees in Barcelona this week about the next generation of payment security. Here we share some highlights from his presentation.
Interconnectivity, authentication, encryption attacks and agile software programming are key areas of payment security to watch, according to PCI SSC Chief Technology Officer Troy Leach:
The world is becoming more connected every minute of every day with 20+ billion devices expected by 2020. As this opens up a wealth of opportunities for businesses and consumers alike, the internet of things is also a growing target for criminal attacks.
“We must keep security at the forefront of design and rollout, preparing our payment products with the ability to respond to new threats by releasing new safeguards that minimize inconvenience to both the consumer and the merchant,” Leach told attendees.
E-commerce transactions are growing globally, with more and more new merchants entering the field each day. At the same time, card-not-present fraud targeting e-commerce and m-commerce channels continues to rise, making good authentication increasingly important.
“How we go about protecting payments is not just about keeping certain data confidential,” said Leach. “We must expect to disadvantage criminals with dynamic forms of authenticating cardholders, authenticating transactions and reducing the likelihood of using stolen data to commit fraud.”
Agile software programming
The pace of change and the complexity of today’s payment software makes secure and agile development and design essential.
“Software for payment acceptance is now released in days rather than months,” said Leach. “We must accommodate the speed requirements of business but in a manner that maintains the integrity for each update. This is done, in part, by teaching good security practices to developers and finding methods to create incentive to adhere to secure product lifecycles.”
Encryption technology provides lots of opportunities for securing payment data – unfortunately, for malicious use by criminals too, as high-profile ransomware attacks have demonstrated.
“We continue to see the rise of encryption used in payments which is an encouraging sign. But criminals are also utilizing ransomware to disguise their activities or as a mechanism for disruption such as with ransomware,” said Leach. “Ransomware can be combatted through basic security controls found in the DSS and good contingency planning.”