Ever-evolving digital technology has brought many new opportunities and efficiencies to the payment industry, but it has also brought a lot of risk. Our businesses, as well as our private lives, increasingly depend on online services, and this leaves us more and more exposed to theft, fraud, malicious disruption, computer viruses, and other incidents that affect our lives in ways that range from inconvenient to life-threatening. When it comes to personal finances, customers are either unaware of all possible threats or simply refrain from shopping online, while security issues also affect retailers and their business decisions to deploy mobile payment and mobile wallet offerings.
Despite best efforts, financial services cannot protect themselves 100 percent, as absolute security does not exist. It is not a matter of “if” but a matter of “when” and “how” the breaches will occur. Sophisticated individuals, groups and even states exploit vulnerabilities to steal information and money, and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services. Not surprisingly, cybersecurity is becoming a critical issue not just for corporations, but for governments, the military and hospitals, i.e. for any organization that collects, processes, transmits and stores (confidential) information.
Cybersecurity has become everyone’s responsibility. Our ignorance, indifference and failure to recognize and adequately respond to a threat become a weapon in the hands of malicious persons. Today, any serious cybersecurity strategy should start with the recognition that at some point every organization will be attacked. Knowing this, and understanding which information assets represent the “crown jewels” of the organization, is a good starting point from which a proper cybersecurity strategy can be built. The only way to fight cyber-threats is to keep our eyes open, stay informed, embrace a security culture, and get rid of bad security habits.
Although it may seem that cybersecurity is nothing but a fancier and slightly more dramatic term for good old IT security, it in fact matches the evolving trends in cybercrime and reflects the seriousness of the underlying menace. Like cybersecurity, cyber threat intelligence is an emerging and very promising new field. The idea behind cyber threat intelligence is to provide the ability to recognize and act upon indicators of attack and compromise scenarios in a timely manner. Its primary purpose is helping organizations understand the risks of the most common and severe external threats, such as zero-day threats, advanced persistent threats (APTs) and exploits. Cyber threat intelligence, as a result of mining all internal data and incorporating data from outside sources, has imposed itself as a natural evolution.
It may be too early to say if there’s a champion or one security technology that may dominate the payments space, but tokenization is definitely one of the main competitors.
Tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.
The tokenization process takes place inside a centralized and highly secure system, known as a “token vault”, where the real payment data is stored securely and a random unique number (the token) is generated and then used in various business applications as a reliable substitute for the real payment data. The tokenization process can be applied to any type of sensitive data, not just debit or credit card numbers. It can also cover social security numbers, driver’s license numbers, electronic health records, prescriptions, and even addresses: all personal information that should be properly protected.
From a security perspective, tokenization is a tool for keeping security activities focused, effective and in better control. It significantly reduces risk based on the fact that sensitive data can’t be breached if it’s not there in the first place. At a time when payment data loss is at an all-time high, this is an extremely interesting prospect for many organizations.
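The vault behaviour described above, as an added example that is not code from Mercury Processing Services International: a minimal in-memory token vault in Python. The class name `TokenVault`, the digit-only token format and the `orders_db` structure are assumptions made for illustration, and the card number is a constructed test value.

```python
import secrets

class TokenVault:
    """In-memory stand-in for the centralized token vault (hypothetical design).
    Assumption: a production vault would also encrypt stored data and restrict
    who may call detokenize()."""

    def __init__(self):
        self._token_to_pan = {}  # the real payment data lives only here
        self._pan_to_token = {}  # the same card always maps to one token

    def tokenize(self, pan: str) -> str:
        if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits from the OS CSPRNG: no mathematical link to the
            # card number, so the token cannot be reversed without the vault.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Uniqueness: reject the input itself, issued tokens, stored PANs.
            if (token != pan and token not in self._token_to_pan
                    and token not in self._pan_to_token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can map a token back; unknown tokens fail closed.
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number, not real data
    token = vault.tokenize(pan)
    # The business application stores the token, never the card number.
    orders_db = [{"order": 1001, "card": token, "amount": "19.90"}]
    # What a breach of the application database would expose:
    leaked = [row["card"] for row in orders_db]
    return pan, token, leaked, vault.detokenize(token)


if __name__ == "__main__":
    pan, token, leaked, recovered = demo()
    print("stored by application:", leaked)
    print("vault round-trip ok:", recovered == pan)
```
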
Securing virtual payment cards
Host Card Emulation (HCE) is the core technology behind the Mobile Wallet virtual card service, Mercury Processing Services International’s flagship product. HCE enables mobile payment transactions using virtualized cards, without traditional physical, hardware-based Secure Element (SE) chips. In other words, for easy and user-friendly contactless mobile payments on POS terminals, it is enough to have a smartphone supporting Near Field Communication (NFC), with no need for special SIM cards, SD cards or other forms of hardware chip integration. This means a better customer experience, lower development costs and an unbeatable time to market.
However, the game-changing technology of HCE has brought numerous security challenges to the table, and smartphones, the home of HCE, have increasingly become a target for malicious hackers and fraudsters. In order to enable the HCE virtual card business model, the key is to provide a reasonable level of security, which appropriately lowers recognized risks. When we say reasonable, it means that, although extreme scenarios can always be imagined, security measures should significantly reduce the practicality and cost-benefit ratio for fraudsters. To put it simply, is it possible to break into a bank with an army tank? Obviously it is, but owners and customers may still rest safely.
When designing security for products in the payment card industry, it is critical to consult best practices and standards, as well as the special security requirements and recommendations of the payment schemes. While this is both necessary and helpful, highly innovative products, which Wave2Pay is, require raising the bar of security expertise and setting the standards. Therefore, the approach to security at Mercury Processing Services International resulted in a complex, layered design of security functionalities, which achieved the goal of enabling the Wave2Pay HCE service in the first place, together with an excellent time to market and a great user experience.
What do we do to provide security?
Security is an essential element of any payment option, and Mercury Processing Services International has put significant effort into the development of solutions and products that provide safe and secure payment options and reduce the risk of data breach and fraudulent activity, while providing a strong competitive advantage in the payments market. From tokenization and cybersecurity to implementing security measures for virtual payment cards, the security methods Mercury Processing Services International uses and develops significantly reduce the risk of data breach and fraudulent activity.