Security Testing Payment Services in the Era of Connected Ecosystems
There are many new trends in online payment technology, thanks to consumer demands for value-added services, new payment-related technologies, and regulatory requirements, creating an open and collaborative ecosystem where stakeholders roles are changing.
The traditional banking business model has been transformed into a data-intensive, platform-based marketplace, and retailers are facing a digital era where consumers expect more flexibility, loyalty programs with personalized promotion offers, augmented reality applications, social shopping, same-day delivery, and payment innovation such as mobile wallets.
Consequently, the amount of data passing through and stored across varying systems is growing, requiring new standards around how data is captured, stored, used, and destroyed, with clearly outlined ownership, permission, access, and liability. It’s a good thing to deliver a better personalized experience for our customers, but we can expect more challenges ahead.
Just imagine: Invisible payments will take place without our timely, intentional action to initiate the transaction. In the event of a dispute or fraud, who will be liable? How will payments involving the internet of things be regulated? Who owns and secures the data? Will new ads and targeting services follow us? And is that something we’ll really appreciate?
The issue of data ownership is getting more complicated. Some people may not be aware that their location and other information is being sent from their smartphones to their mobile provider and device maker. Data is collected in exchange for an improved user experience, and the government has total access to a consumer’s entire record. As new commerce platforms and ways to engage devices, merchants, and consumers are rolled out, it’s unclear who truly owns the customer’s information in this complex space.
As testers, we have to understand that this new environment introduces more vulnerabilities related to data privacy and cyber security, and it is also becoming easier for criminals to commit fraud, as there are more touch points for more data. We’re already seeing threats such as malware applications, phishing and social engineering, unauthorized access, lost or stolen devices, tampering with payment applications, compromised payment systems, token service, and sensitive data being managed in the cloud.
Security is non-negotiable in the world of e-commerce and connected devices, and we have to ensure a safe environment with a comprehensive security program.
Here are some of the major components we should address:
- Governance to define procedures, and service-level requirements
- Users and identity management
- Application design, testing, access, and provisioning
- Managing data security by classifying, authenticating, and encrypting data
- Managing communication, network connectivity, devices, and overall infrastructure
Security is a fundamental element when it comes to online payments and e-commerce, and while it’s everyone’s responsibility to create a safe experience for customers, testers have a particular role to ensure security.
Elizabeth Koumpan is presenting the session Combatting Threats to Payment Processing in the Era of Connected Ecosystems at STARCANADA 2018, October 14–19 in Toronto, Ontario.
About the Author
Elizabeth Koumpan is a cognitive and data leader with IBM Global Markets, with a focus on solving business problems in information architecture, analytics, information integration, and governance and ensuring we use data responsibly. She has been performing evaluation and analysis of the current technical environments and completed assessments against the set of leading practices within different organizations. She has developed reference architecture that addresses key integration, migration, and consolidation decisions and is recognized for her expertise in the area of unstructured data and her ability to understand information patterns. Elizabeth led IBM ILG Software's social campaign to develop industry white papers about information governance in the era of big data. She is a member of the IBM Academy of Technology and has led multiple studies and been a speaker at several internal and external conferences.