An introduction to cybersecurity in fintech and the role of the PCI DSS

Article

an-introduction-to-cybersecurity-in-fintech-and-the-role-of-the-pci-dss

Over the course of the last decade, users have become more comfortable sharing their personal information online. An unfortunate consequence of this is the explosion of identity theft over the recent years, driven by the steadily increasing number of high-profile data breaches.  According to the Identity Theft Resource Centre’s Data Breach Report 2019, the total number of breaches reported in 2019 neared 1,500, a jump of 17% from the previous year. While the banking and financial sector had the least number of breaches (about 7% of the total), 61% of those breaches involved sensitive Personal Identifiable Information (PII) – the highest across sectors – largely driven by the massive Capital One data breach reported in July 2019.

These data breaches, and the natural tendency of users to practice poor password hygiene (i.e. having only a few passwords that we cycle through and/or are weaker than recommended), has led to a similarly massive growth in account takeover fraud, where a criminal uses stolen personal data in order to seize control of an online account and make unauthorised transactions. In the UK in 2019, around 11 million adults (over a fifth of the population) have had their credit card replaced or cancelled because of attempted fraud. A mid-2019 report also stated that there was a 57% increase in account takeover cases that went to court, indicating the severity of the issue.

Cybercrime is all-pervasive, and even the Goliaths of the tech industry – Facebook, Google, Amazon, Microsoft – have all reported data breaches in the last decade. As a result, cybersecurity has become essential to the integrity of any digital service, especially in the burgeoning fintech sector. This was highlighted in Verizon’s 2019 Payment Security Report, which focuses on the industry’s commitment to meeting the Payment Card Industry Data Security Standard, or PCI DSS, requirements. While the PCI DSS is designed to protect card data, the underlying security principles are sound, and can be considered a good framework to build your cybersecurity infrastructure around. The report found that, of all organizations that suffered data breaches since 2008, none were fully compliant with all 12 PCI DSS key requirements at the time of the data compromise.

While Verizon’s report states that the Financial sector has the highest rate of compliance with PCI DSS (39%), that number has steadily fallen over the years – the rate of compliance was 47.9% in 2018, and in 2017, it was at 59.1% – highlighting a disturbing trend. When looked at regionally, APAC seems to be most compliant.

The 12 requirements of the PCI DSS

  1. Maintain a firewall configuration to filter traffic as it passes between internal and external networks, as well as traffic to and from sensitive areas within the organizations’ internal networks.
    Controls –

    1. Implement firewall and router configurations
    2. Restrict connections between the cardholder data environment (CDE) and untrusted networks
    3. Prohibit direct public access between the internet and the CDE
    4. Install personal firewall software
    5. Document policies and procedures for managing firewalls
  2. Change vendor-supplied defaults to reduce the available attack surface on the system. Remove unnecessary services, functionality and user accounts, and change insecure vendor default settings.
    Controls –

    1. Change vendor-supplied defaults, disable unnecessary accounts
    2. Develop configuration standards
    3. Encrypt non-console administrative access
    4. Maintain an inventory of in-scope system components
    5. Document policy and procedures for managing vendor defaults
    6. Share hosting providers data protection responsibility
  3. Protect stored cardholder data and other sensitive authentication data using appropriate methods, and make sure to securely delete them once they’re no longer needed.
    Controls –

    1. Keep data storage to a minimum
    2. Do not store sensitive authentication data after authorization
    3. Mask primary account numbers (PANs) when displayed
    4. Render PAN unreadable anywhere it is stored
    5. Protect keys used to secure stored cardholder data against disclosure
    6. Set up key management processes
    7. Document policies for protecting stored cardholder data
  1. Encrypt sensitive data when it is transmitted over public networks.
    Controls –

    1. Use strong cryptography and protocols
    2. Never send unprotected PANs by end-user messaging
    3. Set up processes for encrypting transmissions
  2. Protect all systems against malicious software such as viruses, worms and Trojans.
    Controls –

    1. Deploy anti-virus software
    2. Maintain all anti-virus mechanisms
    3. Actively run anti-virus mechanisms and not allow them to be disabled
    4. Document policies for malware protection
  3. Develop and maintain secure applications and manage change appropriately, whether by the organisation or third parties.
    Controls –

    1. Use reputable outside sources to assess vulnerabilities
    2. Protect components and software from known vulnerabilities
    3. Develop secure software applications
    4. Follow change control processes
    5. Address common coding vulnerabilities
    6. Protect public-facing web applications against known attacks
    7. Establish policies and procedures for secure systems and apps
  4. Restrict each user’s access rights to the minimum they need to perform their duties effectively.
    Controls –

    1. Limit access to system components
    2. Allow access to control system on need-to-know basis
    3. Set up policies and procedures for restricting access to data
  5. Each user should be issued a unique authentication key that they need to use to access the system.
    Controls –

    1. Define clear policies and procedures for user identification
    2. Ensure user authentication is managed appropriately
    3. Establish multi-factor authentication for all remote access to CDE
    4. Communicate authentication policies to all users
    5. Do not use shared IDs or group IDs
    6. Ensure that authentication mechanisms are not shared among multiple accounts
    7. Restrict all access to any database containing cardholder data
    8. Ensure policies and procedures for identification and authentication are followed
  6. Control physical access to all systems within the DSS scope and all hard copies of data.
    Controls –

    1. Ensure there are appropriate facility entry controls and monitoring access of CDE
    2. Distinguish between onsite personnel and visitors
    3. Control physical access for onsite personnel to sensitive areas
    4. Have clear procedures to identify and authorize visitors
    5. Physically secure all media
    6. Control internal and external distribution of media
    7. Control storage and accessibility of media
    8. Destroy media when no longer needed
    9. Prevent data capture devices
    10. Document policy restricting physical access to cardholder data
  7. Track and monitor all access to systems in the DSS scope and ensure synchronisation of all system clocks.
    Controls –

    1. Audit trails linking access to individual users
    2. Automate audit trails to reconstruct events
    3. Record user ID, date and time, events
    4. Have time-synchronization technology in place
    5. Secure audit trails so they cannot be altered
    6. Review logs to identify anomalies or suspicious activity
    7. Retain audit trail history for at least one year
    8. Report any failures of critical security control systems
    9. Set up policies and procedures for monitoring all access
  8. Run vulnerability scans, penetration tests, file integrity monitoring and intrusion detections to ensure that weaknesses are identified and addressed appropriately.
    Controls –

    1. Test for the presence of wireless access points
    2. Run network vulnerability scans
    3. Implement penetration testing
    4. Use intrusion-detection systems
    5. Deploy change-detection mechanism
    6. Document procedures for monitoring and testing
  9. Actively manage data protection by establishing, updating and communicating security policies and procedures as per the results of regular risk assessments.
    Controls –

    1. Publish, maintain and disseminate security policy
    2. Implement a risk-assessment process
    3. Develop usage policies for critical technologies
    4. Define InfoSec responsibilities for all personnel
    5. Assign InfoSec management responsibilities
    6. Implement a formal security awareness program
    7. Screen potential personnel prior to hire
    8. Manage service providers with policies and procedures
    9. Service providers acknowledging responsibility
    10. Implement an incident response plan
    11. Additional requirements for service providers

In our next installment, we take a closer look at some of a new breed of cybersecurity players that are emerging on the scene, and better understand the need for them in tomorrow’s digital dawn.

At Penser, we have developed the industry expertise to be able to provide our clients with the guidance they need to make informed decisions in the banking and payments sector. Through our technical due diligence services, we have helped clients identify vulnerabilities and gaps in the business’s IT infrastructure. Our commercial due diligence services also provide clear, comprehensive reports that outline the strengths and weaknesses of the target company.

If you’d like to learn more about our due diligence services, request a sample report by clicking here.

We also provide consulting services in strategic planning and digital transformation. Find out more by visiting our services page.