In my regular talks with clients within the NonStop community, I’m encouraged by the number who increasingly recognize the importance of both payments security and end-to-end protection. As other writers on this blog have observed, both tokenization and encryption are required for an ideal payment security solution.
In this post, I will share some of what I’m hearing about the state of end-to-end protection in the payments space, particularly from those who use NonStop systems.
Current State of Organizations
Many of the companies I speak with believe they have vulnerabilities that must be addressed. Most tell me they’re concerned about three specific threat vectors:
- Points where consumers interface with payment systems (e.g., point of sale devices, eCommerce websites, etc.)
- Data in motion
- Data at rest
Within the payments space, the most concerning threats tend to fall into a few common categories:
- External network exploitation
- Theft or sabotage of data in databases
- Insider threats
To deal with these vulnerabilities, companies are turning to standards – such as the Payment Card Industry Data Security Standard (PCI DSS) – as a first step in securing systems. Companies use these standards to develop a security approach for their environment. Most know that compliance does not guarantee data protection. But bringing a system into compliance with an established standard still serves as a useful starting point.
For instance, in the first part of 2016, I met with several Latin American companies who handle various aspects of payment transactions. The companies included banks, payment processors, and retailers. Most of these companies have begun focusing on protecting data in motion, which they determined was the weak point in their overall end-to-end protection. The tasks involved safeguarding Secure Sockets Layer (SSL) certificates at the company level. Most are following a new government-mandated regulation, similar to PCI DSS, as the starting place for securing their SSL certificates.
When talking with these clients to understand the overall market, I’d estimate approximately 75% of clients have an existing solution for data in motion, while more than 50% have a solution for data at rest. It wasn’t apparent how many in the market are using endpoint encryption. Although better than historical averages, these numbers are not nearly good enough. Fortunately, these percentages are increasing due to a number of factors.
Drivers for End-to-End Protection
More broadly, I’m seeing several drivers for the use of end-to-end protection. These fall into four broad categories.
- Audits
Companies in the payments space can face anywhere from two to six audits a year. For instance, one company I spoke with last month was audited by Visa, MasterCard, and an internal security taskforce over the past year. In most cases, audits are performed using standards such as PCI DSS, which is helping to drive adoption of end-to-end protection.
- Brand Protection / Customer Trust
Anyone in the payments space knows customer trust is central to brand perception. For this reason, IT security and data protection have become a broader business issue, including a topic of discussion in many boardrooms. Security teams appear to be receiving more internal funding (or are not getting the funding slashed) to deploy enterprise security solutions, either reactively or proactively.
- Past Exposure
Partly because of the need to drive customer trust, companies that have already experienced a breach or other intrusion are especially motivated to avoid another. This is particularly true if the breach was highly publicized in mainstream media and/or if there were broader consequences throughout the enterprise.
- CIO/CISO Initiative for Enterprise Security
Only a year or two ago, it seems most American companies in the payments space were primarily focused on the adoption of the Europay, MasterCard, and Visa (EMV) standard and ApplePay. Over the past year, I have noticed a shift to fulfilling internal security priorities and to reducing their exposure to potential security threats.
A particular focus right now is on implementing SSL and Transport Layer Security (TLS) to protect against data-in-motion vulnerabilities, such as man-in-the-middle attacks. Another focus is on making the data useless to data thieves by using encryption or tokenization.
End-to-End Protection Solutions: Asking the Right Questions
Whenever I’m contacted about security, I always ask two questions.
- Are you using the built-in (included) security features?
Many systems, devices, and products include built-in security components, yet I often find these features are not being used, or they are not patched or updated with the latest security protection.
For instance, the NonStop operating system has built-in security functionality for SSL and secure shell (SSH). However, I’d estimate 30% of administrators aren’t sure if they are using the full functionality, and another 30% haven’t configured the security settings correctly. Still another 20% need more security protection than the baseline built-in features provide due to their own unique applications and configuration. Some need more robust solutions, while others need a targeted point solution. This leaves only 20% who probably have configurations set in a secure and compliant manner.
As mentioned before, almost all companies go through security audits, and many times compliance questions in this area are asked. However, here’s a frustrating observation about some audit reports: While they often inform a company about noncompliance issues, audits usually do not provide detailed instructions on how to bring systems into compliance. Companies often must figure out the solution themselves or turn to their partners for help.
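One way to turn the first question, and the earlier point about SSL/TLS against man-in-the-middle attacks, into a concrete check is to audit a TLS client configuration for the settings that most often go wrong: SSL or early TLS still allowed, peer certificate not verified, hostname not matched. The script below is an added example written for this post, not comForte code and not NonStop-specific; the thresholds (TLS 1.2 minimum, a short list of weak cipher names) are my assumptions based on current PCI DSS guidance to retire SSL and early TLS, and it uses only Python's standard `ssl` module so it runs offline.

```python
"""Added example: audit a Python ssl.SSLContext for data-in-motion weaknesses.
Not code from the original post; thresholds below are assumptions."""
import ssl

# Assumption: these substrings mark cipher suites an auditor would flag.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings (empty list == no issues found)."""
    findings = []
    # SSL 3.0, TLS 1.0 and TLS 1.1 are "SSL/early TLS"; require TLS 1.2+.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol too low: {ctx.minimum_version.name}")
    # Without CERT_REQUIRED any certificate (or none) is accepted: MITM risk.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode)")
    # A valid certificate for the wrong host must still be rejected.
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


def weak_context() -> ssl.SSLContext:
    """Constructed misconfiguration: verification switched off, old TLS allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except (ValueError, ssl.SSLError):
        pass  # some OpenSSL builds refuse TLS 1.0 entirely; that is fine
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected configuration: verified peer, hostname check, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(label, audit_context(ctx) or "OK")
```

The same checks apply to a server-side context, where `verify_mode` governs client certificates instead of the peer's server certificate.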
- What is your enterprise security solution for data-at-rest?
Many times, while discussing data-in-motion protection, the conversation turns towards a company’s solution for data-at-rest. The enterprise solution many companies have usually includes tokenization and encryption. However, there are questions and concerns about protecting data at certain points throughout the complex financial transaction infrastructure.
Security gaps are a big issue for data at rest. Getting it right requires a comprehensive knowledge of the end-to-end payment infrastructure, as well as its specific components. For instance, your enterprise security solution purportedly covers data at rest within the payment infrastructure, but does that include the back-office processing? How do you protect the payment files that are transferred on and off of your systems daily?
I spend a lot of time helping prospects evaluate areas of concern throughout the entire payment infrastructure and finding solutions to close security gaps. While comForte could sell enterprise security solutions, we choose to focus on the niche NonStop space. Because of this focus, we bring a unique understanding of how NonStop fits into the enterprise and how enterprise solutions cover (or not) NonStop systems.
If your enterprise security solution and/or recent audit findings are uncovering more questions than answers, then contact us and let’s talk.