The landscape around payments processing is a convoluted, pockmarked patchwork with hazy bogs of uncertainty parked right beside towering bastions of safety and confidence. Increasing regulations and innovations stripe the globe, creating a continuum of trust that shifts by the minute and by the location. Devices are so interconnected that they touch every aspect of many people’s lives. AI and touchless device usage has risen; consumers call out demands to their ever-listening helpers, allowing control over anything that can be performed by a machine. Add a pandemic to the stage and voice purchasing, which was already on the rise, suddenly becomes even more popular. What was once portrayed as a usage standard in so many science fiction films has become reality, but to be secure, some precautions must be in place.
The direction this is leading us is more towards a need for correct identity within the mesh of intercommunicating devices we use. Identity theft has proven the need for such distinction time and again; lacking it, every message, every signal, every payment becomes suspect. Alexa was just found to allow voice commands to be hijacked and mimicked, enabling the teaching of skills about which the owner knows nothing.
FOLLOW THE LEADER: MONEY
Naturally, the desire to add security drove the banking industry to take the lead in this regard; the Payment Card Industry Data Security Standard (PCI DSS) imposed stringent protections to meet the three basic security principles, each fundamental to this endeavor. Because the payment industry is moving towards a more personal tack—that of giving consumers a financial feed that makes recommendations based on market changes or trends or perceived security vulnerabilities—and because the payment industry is already established in the business of guaranteeing authentication, at least one Forbes contributor believes the financial feed will become the de facto data permission mechanism of the future. Regulations and their repercussions are trending, becoming entrenched, hidden beneath the surface, in everything important online that exchanges sensitive data.
The fact that voices are PII on their own is of paramount importance. Voices, like the images that represent most biometrics, are still subject to being recorded or copied for later use.. Everyone is familiar now with traditional biometrics—your fingerprint, your face scan. But new ones are always around the corner. We recently learned about a recent exploration into using your body composition as the foundation for proving who you are—but to make that a reality, your most sensitive information like your weight, waistline, and BMI, would have to be recorded and stored. A tough sell, for sure.
The lessons learned from the payments industry echo across the cyberverse; principles that apply to payments are useful in other applications. Just look at hackers and their penchant for blockchain, which has security and privacy built into its core—but which, for now, is only viable on a small scale, making it perfect for paying ransoms—but when it’s scaled up, (a little bird told us...) it still has some weak links.
The impact to businesses is not to be ignored. We agree with the lawmakers and FinTech gurus around the globe: if banking and buying is to be safe, ensuring money’s source and intention is paramount. Here are some industry facts to know:
FIDO2 Authentication: Almost every regulation regarding data privacy or payments demands authentication first. FIDO2 represents a rare confluence of heightened security and ease of use. It has also been hailed as the strongest authentication method possible, surpassing the US Department of Defense. If a solution isn’t on this FIDO2 CertifiedTM list, it’s not really FIDO2 and may not afford the same level of security as one that’s formally certified.
Tokenization of Sensitive Data: Important data at rest should be masked. This not only makes it useless if exfiltrated, but it reduces the scope of affected assets when an auditor rolls through.
Effective Key Management: If the keys that underpin any part of your cyptographic setup are stored on a network drive, or passed back and forth casually, they’re not going to stay just yours for very long. Make sure you have solid Key Management policies in place. And just like products in the cupboard, make sure to rotate them periodically, or they become stale.
Per-transaction/Per-user Fees: These can drive costs up quickly and eat into profits—and they scale with your growth. Look for solutions that don’t charge these extra fees; no cost also scales with your business, but in the best way possible.
Leave Your Options Open: Card capture manufacturers vary, and often will try to make exclusive deals with processing vendors. To maximize your potential, look for solutions that work with multiple vendors.
Very few compliance-oriented solutions offer all of the above under one umbrella, but we hope the list above helps, should you decide your future is in finance. Even if you’re a consumer and not in FinTech, knowing what your payment processor is doing behind the scenes will help you make safe choices. Making future-oriented choices now will put you ahead of the curve, waiting for the regulations to catch up to you, and not the inverse.
You might even be able to make it happen by just asking.