Welcome to another insightful discussion on CloudTweaks. Today, we have the privilege of delving into the dynamic intersection of DevOps, Security, and Tokenization with a seasoned expert in the field, Jeremy Smillie. With over 17 years of IT experience, Jeremy acts as VP of DevSecOps for Exact Payments and is an expert in managing strict industry standards such as SOC, PIPEDA, CCPA, NIST, SANS, CIS, and more. Jeremy brings a wealth of experience to the table, having been at the forefront of technological advancements in the payments industry. His journey began with pioneering work in Canada, where he collaborated on implementing EMV payments at gas pumps and integrating payments for in-store sales. Furthermore, he played a pivotal role in assisting merchants in achieving PCI-DSS certification during the early stages of its adoption.
Today, we’ll explore Jeremy’s insights into navigating the complexities of DevOps practices while ensuring stringent security measures and leveraging tokenization for enhanced data protection.
Jeremy, with the rise in payment fraud and the projected merchant losses reaching an alarming $362 billion in the next five years, could you start by giving us an overview of the current landscape of payment fraud and why innovative strategies are more critical now than ever?
With digital transactions on the rise and the use of more traditional payment methods such as cash decreasing, fraudsters are finding new and innovative ways to steal money. Unfortunately, new tools used to develop ground-breaking payment technology can also be used for nefarious purposes. For example, in today’s world, it is relatively easy to spoof almost anything. The standard credit card we have in our wallet has a lifespan of three to five years. Using modern generative AI, it is very easy to create a credit card number generator script that can produce millions of card numbers, easily producing real card numbers over such a long lifespan. When the fraudster runs test transactions to validate which card numbers are active, merchants are charged transaction fees, chargeback fees, and reversal fees. So even if the test transaction was only one dollar, multiplying these small fees by millions of test transactions adds up to amounts that can put some merchants out of business.
In response, we must go further than standard techniques such as velocity checks and CAPTCHAs. We must act now to protect merchants from these attacks, developing different strategies that prevent bad actors from being successful. For example, AI programs can watch over credit card transactions as they happen, checking them against large volumes of past transaction data to find patterns and actions that suggest fraud. This involves noticing strange spending habits, odd places where the card is used, and other warning signs that might show a card has been stolen or misused. AI can evaluate how different things like gadgets, accounts, and internet addresses are connected to spot complicated fraud plans, like stealing someone’s identity or creating fake identities. This kind of analysis helps find groups of fraudsters and tricky scams that are hard to catch using older methods.
You emphasize a holistic approach to fraud prevention. Can you elaborate on how this strategy empowers businesses to better safeguard their transactions against the evolving threats in the digital payments space?
Fraud prevention starts from the ground up. All of the applications that are involved in the chain of custody of transactions need to be built with the highest security standards. The entire application supply chain must also undergo constant checks, not only at the time of deployment but throughout its entire lifecycle. The hardware that runs that software needs to be meticulously configured, patched, and validated continuously.
For example, let’s look at a small business that wants to open an online store. Most small businesses are unwilling to spend big money on a venture if they aren’t confident of a positive return. So what do they do? A quick Google search will show them many easy online store options like WordPress, WooCommerce, Shopify, and others. These platforms are easy to set up with intuitive user interfaces and allow businesses to get set up with a payment provider within about a week. Though these platforms provide an all-in-one solution, there are still security considerations and responsibilities for the business. Leaving their online store on cruise control and not patching the software it runs on can allow attackers a foothold. For example, if I don’t install updates for my WooCommerce plugin, it is easy for a hacker to target me. They can run a card testing script on my site, racking up transaction fees. Eventually, the real cardholders will start to file chargeback claims, resulting in fees of about $25 per claim. Add these fees to the cost of lost goods or services, and my business could be in real trouble. This is why businesses must consider security from the onset and build it into every layer of their applications, hardware, people, and processes. Only by thinking of all potential vulnerabilities can businesses prevent attacks.
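The card-testing scenario described in the two answers above (a script cycling through generated card numbers with low-value transactions) is the kind of pattern a velocity check is meant to catch. The following is an added example, not code from Exact Payments or from the interview: a sliding-window check run over a few constructed transaction log lines. The log format, the field names and the thresholds (five attempts from one source address within five minutes, five distinct cards, amounts at or under two dollars, at least half declined) are assumptions chosen for illustration, not values from the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): timestamp, source IP, card fingerprint,
# amount, authorization result. 203.0.113.7 shows the card-testing pattern; the
# other two addresses are ordinary shoppers, one of them retrying a single card.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 card_a1 1.00 declined
2024-05-01T10:00:04Z 203.0.113.7 card_b2 1.00 declined
2024-05-01T10:00:07Z 203.0.113.7 card_c3 1.00 declined
2024-05-01T10:00:09Z 203.0.113.7 card_d4 1.00 approved
2024-05-01T10:00:12Z 203.0.113.7 card_e5 1.00 declined
2024-05-01T10:00:15Z 203.0.113.7 card_f6 1.00 declined
2024-05-01T10:00:18Z 203.0.113.7 card_g7 1.00 approved
2024-05-01T10:00:21Z 203.0.113.7 card_h8 1.00 declined
2024-05-01T10:01:30Z 198.51.100.5 card_x1 59.99 approved
2024-05-01T10:02:45Z 198.51.100.5 card_x2 120.00 approved
2024-05-01T10:03:10Z 192.0.2.10 card_y1 42.00 declined
2024-05-01T10:03:40Z 192.0.2.10 card_y1 42.00 declined
2024-05-01T10:04:05Z 192.0.2.10 card_y1 42.00 approved
"""


def parse_line(line):
    """Split one whitespace-separated log line into typed fields."""
    ts, ip, card, amount, result = line.split()
    # fromisoformat() before Python 3.11 does not accept a trailing 'Z'.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, ip, card, float(amount), result


def detect_card_testing(lines, window_seconds=300, min_attempts=5,
                        min_distinct_cards=5, small_amount=2.00,
                        min_small_ratio=0.8, min_decline_ratio=0.5):
    """Flag source addresses whose recent activity looks like card testing:
    many attempts, many different cards, tiny amounts and a high decline rate,
    all inside one sliding time window. Returns {ip: summary}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (ts, card, amount, result)
    alerts = {}
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    for ts, ip, card, amount, result in events:
        q = recent[ip]
        q.append((ts, card, amount, result))
        # Drop anything older than the window relative to the newest event.
        while q and ts - q[0][0] > window:
            q.popleft()
        attempts = len(q)
        distinct = {e[1] for e in q}
        small = sum(1 for e in q if e[2] <= small_amount)
        declines = sum(1 for e in q if e[3] == "declined")
        if (attempts >= min_attempts
                and len(distinct) >= min_distinct_cards
                and small / attempts >= min_small_ratio
                and declines / attempts >= min_decline_ratio):
            # Keep updating so the summary reflects the whole window.
            alerts[ip] = {
                "attempts": attempts,
                "distinct_cards": len(distinct),
                "declines": declines,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_card_testing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The shopper at 192.0.2.10 retries the same card three times and is never flagged, because the distinct-card count stays at one; that distinction is what separates a velocity check tuned for card testing from a blunt rate limit that would also block legitimate retries.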
Employee Training and Fraud Mitigation: You’ve mentioned comprehensive employee training as a key component of your strategy. How significant is the role of employee awareness and training in mitigating fraud risks, and what are some effective practices you’ve implemented at Exact Payments?
Researchers from Stanford University and a top cybersecurity organization found that approximately 88 percent of all data breaches are caused by an employee mistake. Security isn’t just the job of IT. It is everyone’s job. Every employee needs to be armed to protect the company’s best interests, which is why we invest heavily in training curriculum. Each employee must take online courses and pass exams when hired, including topics like phishing, social engineering, mobile device safety, and more. Training is even more comprehensive for developers who become well-versed in technologies like encryption, logging standards, PCI compliance, and SANS 25, a list of the top 25 most dangerous coding flaws. Additionally, we routinely send fake phishing emails to test employees’ security awareness. Each person has a personal risk score that is calculated using a variety of factors such as job title, phishing test results, and completed training. We even have a competition going between departments to see which has the least risk as measured by these scores.
Regarding the use of innovative technologies like low-code payment forms and network tokenization, how do these technologies enhance the security and efficiency of payment processes?
We offer clients the ability to utilize embeddable UI components. This proprietary technology allows developers to build custom payment forms, or low-code forms, using comprehensive documentation and pre-written JavaScript components. This technology, known as ExactJS, allows us to deliver an efficient and straightforward process for developers. The fields that collect sensitive payment data are hosted by Exact Payments and do not touch the client’s network. By keeping sensitive data off our clients’ systems, we reduce their risk of breach. This also reduces the workload for our clients who must maintain Payment Card Industry Data Security Standards (PCI DSS).
Network tokenization seems to be a ground-breaking method for protecting account holder information. Can you explain in more detail how this technology works and why it’s considered a significant fail-safe against information theft?
In order to understand network tokenization, let me explain tokenization in general. Tokenization is the process of replacing sensitive cardholder data with algorithmically-generated data, so no actual card information is stored or transmitted, only randomized characters. As opposed to encryption, which can be decrypted with the correct key, tokenization does not allow reverse engineering to obtain the original data from the token. This makes it a more robust method for protecting data at rest. A significant distinction between a tokenized transaction and a standard credit card transaction is the fraud prevention mechanism—a credit card uses a static CVV, whereas a token uses a dynamic CVV for every transaction. As a result, payment tokens cannot be used by bad actors in the event of data loss or breach—making this technology a secure means of storing cards for future transactions, as is the case in many subscription-based businesses that process recurring payments. Different types of tokenization exist, including gateway, processor, and network tokenization. Network tokens are created and ‘issued’ by the bank’s system (via the Visa or Mastercard network) rather than an external party, as is the case with gateway or processor tokens. The bank establishes the relationship between the token and the underlying cardholder…
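To make the two properties described above concrete, the token having no mathematical relationship to the card number and the per-transaction credential being dynamic rather than static, here is an added example that is not code from Exact Payments or any card network. It models a token vault in Python: tokens are random digits linked to the PAN only by the vault's lookup table, and each payment carries a single-use HMAC cryptogram standing in for the dynamic CVV. The class and method names, the convention of keeping the last four digits, the cryptogram construction and the test PAN are all assumptions for illustration; real network token schemes differ in detail.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Illustrative token vault. A token is random and is tied to the PAN only
    through this table, so unlike a ciphertext there is no key that turns a
    leaked token back into card data."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}
        # Constructed key for the per-transaction cryptogram (stands in for the
        # network's dynamic CVV); it never leaves the vault.
        self._cryptogram_key = secrets.token_bytes(32)
        self._used_nonces = set()

    def tokenize(self, pan: str) -> str:
        """Return the existing token for a PAN or mint a fresh random one."""
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits; only the last four are kept from the PAN so a
            # merchant can show "card ending 1111" without holding the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str):
        """Only the vault can map a token back; unknown tokens yield None."""
        return self._token_to_pan.get(token)

    def _mac(self, token: str, amount_cents: int, nonce: str) -> str:
        msg = f"{token}|{amount_cents}|{nonce}".encode()
        return hmac.new(self._cryptogram_key, msg, hashlib.sha256).hexdigest()

    def issue_cryptogram(self, token: str, amount_cents: int):
        """Single-use cryptogram bound to this token, amount and a fresh nonce."""
        nonce = secrets.token_hex(8)
        return nonce, self._mac(token, amount_cents, nonce)

    def verify_cryptogram(self, token: str, amount_cents: int, nonce: str, mac: str) -> bool:
        """Accept a cryptogram once; a replayed nonce, an altered amount or an
        unknown token is rejected."""
        if token not in self._token_to_pan or nonce in self._used_nonces:
            return False
        if not hmac.compare_digest(self._mac(token, amount_cents, nonce), mac):
            return False
        self._used_nonces.add(nonce)
        return True


def demo():
    """Tokenize a constructed test PAN, pay once, then attempt a replay."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token = vault.tokenize(pan)
    nonce, mac = vault.issue_cryptogram(token, 1999)
    first = vault.verify_cryptogram(token, 1999, nonce, mac)
    replay = vault.verify_cryptogram(token, 1999, nonce, mac)
    return token, first, replay


if __name__ == "__main__":
    token, first, replay = demo()
    print("token:", token, "first payment:", first, "replay:", replay)
```

The point of the replay step is the one the answer makes about static versus dynamic CVV: a database dump containing tokens and yesterday's cryptograms gives an attacker nothing to present, because every cryptogram is consumed on first use and bound to one amount.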