Vulnerabilities / Threats

2/7/2019
02:30 PM
Ellen Richey
Ellen Richey
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

4 Payment Security Trends for 2019

Visa's chief risk officer anticipates some positive changes ahead.

Change that leads to improvement is usually good, in my opinion, and in my role at Visa, I anticipate some healthy changes ahead for the payment industry. Of course, no one can perfectly predict what is to come, but here is my take on four notable payment security trends for 2019.

Trend 1: Continued growth in E-Commerce and M-Commerce will drive the need for secure digital payments.
The volume of digital payments will likely continue to increase, driven, in part, by the growing comfort and habit among consumers with making purchases on their smartphones, tablets, computers, and IoT devices. Industry analysts predict that there could be more than 20 billion IoT devices by 2020. While chip technology has significantly reduced fraud in stores, we need a similar security defense for the digital channel. Tokens can be that solution.

Tokens replace the transmission of actual payment card numbers, so if a point-of-sale (POS) system, mobile device, mobile application, or network connection is compromised, payment card numbers are safe since they are not exposed. Tokens also include a dynamic value that changes with each transaction, similar to chip technology for in-person transactions.

With tokenization, merchants no longer have to store sensitive data, like primary account numbers, greatly reducing risk for people who store their card information on mobile devices, in mobile apps, or online with e-commerce merchants. Instead, merchants will be able to mask their customers' primary account number with a token, which is protected by restrictions that render it useless to fraudsters if it were ever to be compromised.

Trend 2: Password insecurity and consumer frustration will lead to increased adoption of biometrics.
Cardholder verification methods have evolved, including the optional removal of signatures in 2018. Many people would probably also agree that remembering passwords and PINs as a way to verify identity can be difficult and insecure. The use of biometrics for authentication for in-person and online shopping causes less friction for consumers and offers stronger identity verification for issuers and merchants.

A survey commissioned by Visa showed that 86% of consumers are interested in using biometrics to verify identity or to make payment, and more than 65% are already familiar with biometrics.

Last year, issuers piloted on-card biometrics programs in which a fingerprint scanner was built directly into a payment card because consumers still prefer the plastic card form factor to other available options. I expect more pilot programs to emerge in the year ahead.

Trend 3: Sharing of cyber threat intelligence will Continue to chip away at attempted fraud.
Cybercriminals are increasingly organized and well-funded, backed by criminal organizations with deep pockets. The black market for cybercrime has also evolved to enable individuals of all skillsets to participate as long as they have the desire. This democratization means more attempts at exploiting known vulnerabilities will take place, so organizations have to be vigilant.

Although collaboration already exists among partners in the payment industry and law enforcement, I believe you will see more collaboration in the coming year because it yields results. Most notably, three senior members of the Fin7 cybercrime group – one of the largest known cybercrime organizations, responsible for stealing roughly $1 billion over the years from some well-recognized retail and hospitality companies – were arrested last year because of a public-private partnership between payment networks (including Visa), financial institutions, merchants, and law enforcement.

Trend 4: Advanced technology in risk-based decision-making will help reduce CNP payment fraud.
According to the latest figures from eMarketer, e-commerce was on track to represent only 11.9% of total global retail sales in 2018, with brick and mortar still the dominant retail channel. This means there is still much room for growth for e-commerce sales. However, we know cybercriminals follow the money, so what can we do to protect card-not-present (CNP) transactions?

This year the payment industry will be introducing advanced, risk-based decision-making for e-commerce to reduce CNP fraud using updated standards from EMV 3D-Secure. This will enable financial institutions to better assess whether a transaction is legitimate or fraudulent by examining 10 times more risk factors than before, including browser type, device type, and location of a transaction, among other factors to help decide whether step-up authentication is required. In addition, companies that facilitate digital payments will likely layer 3D-Secure with other advanced analytics technologies like artificial intelligence, to help analyze for fraud.

In 1965, Gordon Moore of Intel predicted that the increase in computing power and the decrease in relative cost would occur at an exponential pace. The pace of digital innovation over the years has been fast, but so has the evolution of payment security and risk management. I'm optimistic about the future.

Related Content:

 

Ellen Richey joined Visa in 2007 and serves as vice chairman and chief risk officer. She leads risk management, including enterprise risk, settlement risk, and risks to the integrity of the payments ecosystem. She coordinates the company's strategic policy initiatives, leads ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.