Last week, Cloud Security Alliance held its virtual 2023 FinCloud Security Summit, featuring the world’s cybersecurity leaders within the financial sector and showcasing conversations about the future of protecting digital assets. The summit served as a forum to learn and collaborate on security best practices that minimize risk and demonstrate ongoing regulatory compliance.
The financial sector has seen tremendous growth in digitized commerce. With the evolution of embedded finance, today’s organizations must keep pace with the changes – as well as merchant and consumer behavior – adopting technologies that scale their operations while keeping digitized data secure. This evolution offers great opportunity – but with it comes great responsibility.
The panel session, Protecting the Next Generation of Payments in the Cloud, dove into the topic of embedded payments, outlining the increased responsibilities organizations face in protecting sensitive and card payment data. Deana Rich, Co-CEO and Co-Founder of Infinicept; Ron Isaacson, Field CTO at Illumio; and Bluefin Founder and Chief Cybersecurity Advisor Ruston Miles shared their expertise on PCI and the various levels of data security in the world of embedded payments. Key highlights of the panel session include:
Ransomware
Ransomware did not start recently, but the cyber threat has evolved and remains enemy #1. Once simple code that infiltrated Windows operating systems via a floppy disk, today’s ransomware functions more like a career for cyber thieves, with sophisticated ransomware-as-a-service (RaaS) attacks unfolding in mere hours and resulting in data exfiltration, downtime, financial loss, and an overhaul of the victim organization’s cybersecurity program, posture, and controls.
There is no good news for 2022/2023, as ransomware has continued its upward trend with an almost 13% increase, a rise as big as the last five years combined (for a total of 25% this year), according to Verizon’s 2022 DBIR.
All signs are that the coming decade will be even worse as ransomware gangs continue to refine and intensify their attacks, vastly outflanking businesses that are juggling the need for ransomware defenses with a broad range of security, data protection, privacy, and corporate risk priorities. Ransomware will cost its victims more than $265 billion (USD) annually by 2031, Cybersecurity Ventures predicts, with a new attack (on a consumer or business) every 2 seconds.
Panel members emphasized that as organizations adopt embedded payments, they take control of all forms of payments, essentially taking on more data, more vendors, and more points of entry for attackers, which raises their risk of data exposure. Even if a company can restore data from backups, data taken from a company that refuses to pay the ransom may be published on leak sites operated by threat actors.
As ransomware threats continue to rise, security strategies for e-commerce are less about prevention (of a breach) and more about having a strong security solution in place that devalues data in the event data is stolen.
Embedded Payments – Strategies for Data Security
While embedded payments offer a seamless experience and increased revenue for organizations, they come with increased responsibility to manage the risk and controls around storing sensitive personally identifiable information (PII) and card payment data.
Developing a security posture that includes PCI compliance as well as strategies to devalue data in the event of a breach is critical, stated Miles. The two technologies that do this are P2PE and tokenization.
“The ‘secure the perimeter’ approach, where firewalls were built to keep the bad guys out, has proven time and again that it is impossible to prevent attacks from coming through the networks. This failure to protect data caused the payment industry to create new technologies like point-to-point encryption (P2PE) and tokenization to secure data, so if hackers steal the data, they can’t monetize it because they can’t decrypt it. These technologies are where I see learnings coming over from payments to PII and PHI data.”
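To make the "devalue the data" idea concrete, here is an added example (not code from the panel, from Bluefin, or from ShieldConex) of vault-style tokenization written from scratch in Python. The merchant side of the system only ever stores a random token and the last four digits; the full card number (PAN) lives in a vault on the payment provider's side, and only a caller identified as the payment processor can get it back. The `tok_` prefix, the `payment-processor` caller name, the in-memory dictionary standing in for a provider's PCI-validated vault, and the `4111111111111111` test PAN are all constructed for this illustration.

```python
"""Vault tokenization demo: the merchant keeps tokens, the vault keeps the PAN.

Added illustration of the "devalue the data" strategy discussed on the panel.
The in-memory vault is a stand-in (assumption) for a provider's PCI-validated
tokenization service; a real deployment keeps it outside the merchant network.
"""
import json
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check: from the right, double every second digit."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Trusted side. Tokens are random, so a token reveals nothing about the PAN."""

    # Constructed caller identity allowed to detokenize (assumption for the demo).
    AUTHORIZED_CALLER = "payment-processor"

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = "tok_" + secrets.token_hex(16)  # 128 bits of randomness, not derived from the PAN
        while token in self._store:  # practically unreachable, kept for correctness
            token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only the processor may swap a token back for the PAN; merchants cannot."""
        if caller != self.AUTHORIZED_CALLER:
            raise PermissionError(f"caller {caller!r} may not detokenize")
        return self._store[token]


class MerchantOrders:
    """Merchant side. Stores what it needs for receipts and refunds, never the PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self._orders: list[dict[str, str]] = []

    def checkout(self, order_id: str, pan: str) -> str:
        token = self._vault.tokenize(pan)
        self._orders.append({"order_id": order_id, "token": token, "last4": pan[-4:]})
        return token

    def dump(self) -> list[dict[str, str]]:
        """What an attacker would get by copying the merchant's order database."""
        return list(self._orders)


def stolen_records_expose_pan(records: list[dict[str, str]], pan: str) -> bool:
    """Breach simulation: does any field in the stolen merchant data contain the PAN?"""
    return pan in json.dumps(records)


if __name__ == "__main__":
    test_pan = "4111111111111111"  # well-known test card number, constructed input
    vault = TokenVault()
    merchant = MerchantOrders(vault)
    token = merchant.checkout("order-1", test_pan)
    print("merchant stores:", merchant.dump())
    print("stolen data exposes PAN:", stolen_records_expose_pan(merchant.dump(), test_pan))
    print("processor detokenizes:", vault.detokenize(token, "payment-processor"))
```

The point the example makes is that a breach of the merchant database yields tokens and last-four digits only; the token cannot be reversed without the vault, and the vault refuses any caller that is not the processor. P2PE adds the complementary layer the panel described: the PAN is encrypted inside the payment device before it ever reaches the merchant's network, so even the checkout path in this example would carry ciphertext rather than the cleartext PAN.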
Bluefin is a member of Cloud Security Alliance, and the first company in North America to earn Payment Card Industry (PCI) validation for our point-to-point encryption (P2PE) solution. Learn more about Bluefin’s P2PE and tokenization solution, ShieldConex today.
Watch the panel session here.