Leading up to the Latin America Forum in São Paulo, Brazil, Associate Regional Director Carlos Caetano discusses payment security in Brazil.
What are unique challenges that Brazilian companies face when it comes to payment security?
Globally, Brazil ranks second only to the United States in the world for online banking fraud and financial malware, with approximately a third of computers in Brazil infected with malware. At the same time, Brazilians are some of the most avid social media users globally. The increasing sophistication with which Brazil interacts online has created two parallel phenomena: the accelerated rise of e-commerce, coupled with rapid development of a population that is digitally literate, but poorly educated in cyber security. Adding to this scenario are highly skilled credit card fraudsters (focused mainly on card-not-present fraud) and cybercriminals that are specialists in producing banking malware. These criminals are focusing their expertise to develop one of the fastest rising threats to organizations today: ransomware.
So the challenges faced by Brazilian companies are related to highly skilled gangs of criminals who every day work to find weaknesses in company processes and systems to commit fraud. The early EMV adoption by acquirers and issuers, plus the investments made in the ATMs (including biometrics), forced criminals to move to the online space for attacks. These criminals are finding companies not prepared to fight this battle. Lack of awareness results in unprotected stored data, a gold mine for these criminals. Ransomware attacks, while not aimed at payment systems, are revealing that companies are not making security a business-as-usual process, something that has been required by PCI DSS since the beginning.
EMV technology was deployed in the early 2000s in Brazil. How has this impacted payment card security in the region?
As a normal trend for every country that improves authentication for transactions, we see the threats and attackers moving to another channel. So the early adoption of EMV in Brazil resulted in the shifting of fraud to the card-not-present channel, mainly e-commerce, now accounting for more than 90% of the total fraud. There are still skimming attacks happening on POS and ATMs in the country, but the EMV technology implemented means efforts to counterfeit national cards for the card-present channel are no longer effective. This is a significant improvement, as criminals used to clone cards and perform purchases of expensive electronic devices in store, or withdraw money from ATMs, which resulted in the counterfeiting of national cards being useless for the card-present channel.
What can Brazilian companies do to better educate their employees on payment security practices?
They should look for specific training and awareness education. The PCI Council offers a variety of training courses and other materials such as infographics and information supplements which were created to support the payment card industry stakeholders on their knowledge challenges. I’d like to highlight the PCI Internal Security Awareness training and certification that was just translated to Portuguese, and will be offered as an instructor-led course in São Paulo on August 7 – 8 with a special reduced price. We also published last year the Payment Protection Resources for Small Merchants, which was translated to eight languages including Portuguese. These are excellent resources for companies to use to educate their staff and also clients on payment security practices.
What is the one key takeaway you hope attendees will come away with after your panel discussion?
I’d like attendees to understand that the PCI Standards are the global standards that should be considered to support them on their challenges against card payment security. We also want to break some myths that complying with the PCI DSS is something impossible and always only expensive. Additionally, I’d like to provide information that Brazilian companies are indeed suffering from the same problems as anywhere in the world, and failing to adopt a good security posture with mature guidelines such as the PCI Standards will result in security problems that at the end of the day will be more costly than maintaining sound security practices in the first place.
What are you most looking forward to at this year’s Latin American Forum?
I’m looking forward to seeing the first-ever all-day PCI event in Brazil, where we will have representation from all stakeholders in the payment card industry discussing payment card security. I’ve been working with payment security and specifically PCI Standards since the beginning here in Brazil, in 2006, when I was working for one acquirer processor. Back in 2006, people had no idea of what PCI DSS was, and mainly what was security for this industry. Eleven years later, people know what PCI is, but still do not understand how things fit together, how to better use the resources we offer and mainly how they can get involved. I’m sure that this first edition of the Latin American Forum will be excellent and everybody who attends will have a great experience.