Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

2/7/2019
02:30 PM
Ellen Richey
Ellen Richey
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

4 Payment Security Trends for 2019

Visa's chief risk officer anticipates some positive changes ahead.

Change that leads to improvement is usually good, in my opinion, and in my role at Visa, I anticipate some healthy changes ahead for the payment industry. Of course, no one can perfectly predict what is to come, but here is my take on four notable payment security trends for 2019.

Trend 1: Continued growth in E-Commerce and M-Commerce will drive the need for secure digital payments.
The volume of digital payments will likely continue to increase, driven, in part, by the growing comfort and habit among consumers with making purchases on their smartphones, tablets, computers, and IoT devices. Industry analysts predict that there could be more than 20 billion IoT devices by 2020. While chip technology has significantly reduced fraud in stores, we need a similar security defense for the digital channel. Tokens can be that solution.

Tokens replace the transmission of actual payment card numbers, so if a point-of-sale (POS) system, mobile device, mobile application, or network connection is compromised, payment card numbers are safe since they are not exposed. Tokens also include a dynamic value that changes with each transaction, similar to chip technology for in-person transactions.

With tokenization, merchants no longer have to store sensitive data, like primary account numbers, greatly reducing risk for people who store their card information on mobile devices, in mobile apps, or online with e-commerce merchants. Instead, merchants will be able to mask their customers' primary account number with a token, which is protected by restrictions that render it useless to fraudsters if it were ever to be compromised.

Trend 2: Password insecurity and consumer frustration will lead to increased adoption of biometrics.
Cardholder verification methods have evolved, including the optional removal of signatures in 2018. Many people would probably also agree that remembering passwords and PINs as a way to verify identity can be difficult and insecure. The use of biometrics for authentication for in-person and online shopping causes less friction for consumers and offers stronger identity verification for issuers and merchants.

A survey commissioned by Visa showed that 86% of consumers are interested in using biometrics to verify identity or to make payment, and more than 65% are already familiar with biometrics.

Last year, issuers piloted on-card biometrics programs in which a fingerprint scanner was built directly into a payment card because consumers still prefer the plastic card form factor to other available options. I expect more pilot programs to emerge in the year ahead.

Trend 3: Sharing of cyber threat intelligence will Continue to chip away at attempted fraud.
Cybercriminals are increasingly organized and well-funded, backed by criminal organizations with deep pockets. The black market for cybercrime has also evolved to enable individuals of all skillsets to participate as long as they have the desire. This democratization means more attempts at exploiting known vulnerabilities will take place, so organizations have to be vigilant.

Although collaboration already exists among partners in the payment industry and law enforcement, I believe you will see more collaboration in the coming year because it yields results. Most notably, three senior members of the Fin7 cybercrime group – one of the largest known cybercrime organizations, responsible for stealing roughly $1 billion over the years from some well-recognized retail and hospitality companies – were arrested last year because of a public-private partnership between payment networks (including Visa), financial institutions, merchants, and law enforcement.

Trend 4: Advanced technology in risk-based decision-making will help reduce CNP payment fraud.
According to the latest figures from eMarketer, e-commerce was on track to represent only 11.9% of total global retail sales in 2018, with brick and mortar still the dominant retail channel. This means there is still much room for growth for e-commerce sales. However, we know cybercriminals follow the money, so what can we do to protect card-not-present (CNP) transactions?

This year the payment industry will be introducing advanced, risk-based decision-making for e-commerce to reduce CNP fraud using updated standards from EMV 3D-Secure. This will enable financial institutions to better assess whether a transaction is legitimate or fraudulent by examining 10 times more risk factors than before, including browser type, device type, and location of a transaction, among other factors to help decide whether step-up authentication is required. In addition, companies that facilitate digital payments will likely layer 3D-Secure with other advanced analytics technologies like artificial intelligence, to help analyze for fraud.

In 1965, Gordon Moore of Intel predicted that the increase in computing power and the decrease in relative cost would occur at an exponential pace. The pace of digital innovation over the years has been fast, but so has the evolution of payment security and risk management. I'm optimistic about the future.

Related Content:

 

Ellen Richey joined Visa in 2007 and serves as vice chairman and chief risk officer. She leads risk management, including enterprise risk, settlement risk, and risks to the integrity of the payments ecosystem. She coordinates the company's strategic policy initiatives, leads ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19797
PUBLISHED: 2019-12-15
read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds write.
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.