Industry Observations

183 Million Reasons to Improve Payment Security

When British Airways was informed it was facing a fine of £183 million by the UK’s Information Security Commissioner (ICO) in July, at the heart of the problem was the company’s failure to protect customer information including their credit card details.

While BA is far from alone in falling victim to hackers, the size of the proposed GDPR fine provided a fresh reminder that risk is ever-present, and across the entire payment security landscape, keeping protection standards as high as possible is vital.

And while for many, the subject of industry standards doesn’t leap onto their reading list, it’s useful to understand how the standards and compliance landscape is shifting to remain strongly positioned against criminals targeting this kind of data.

Given that the nature and methods of payment have shifted radically in recent years, it’s no surprise that those with the job of designing and promoting industry-wide standards have been at work to bring compliance in line with the hyper-dynamic digital economy.

For example, the new PCI Software Security Framework (PCI SSF) is a development of the globally recognized Payment Card Industry Security Standards Council (PCI SSC). Published in early 2019, it is a collection of software security standards and validation requirements which, according to PCI SSC, have been developed “for the secure design, development and maintenance of modern payment software.”

These new standards are a response to changing software development practices and have the objective of ensuring that payment software “protects the integrity and confidentiality of payment transactions and data.” At a basic level, they mean payment application developers have to perform additional testing and take further precautions to ensure the security of their software.

Key security principles addressed include critical asset identification, secure default configuration, sensitive data protection, authentication and access control, attack detection, and vendor security guidance. The objective is to protect payment transactions and data, minimize vulnerabilities, and defend against attacks.

In June, the accompanying validation programs were launched by the PCI Security Standards Council, under which vendors and their payment software products will be assessed for compliance. At some point yet to be determined, PCI SSF will replace the existing PCI Payment Applications Data Security Standard (PCI PA-DSS), but for the time being the two are running concurrently.

Security professionals, software developers and businesses who process payments digitally should start reviewing and adopting PCI SSF guidelines.