Advances in financial technology are transforming banking as we know it, and this spark of innovation is changing the approach of this historically traditional sector. How can the industry ensure its cybersecurity strategy matches the rest of its next-gen business?
Long gone is the age of weekly visits to your friendly neighborhood banker; the industry has evolved significantly over the last decade. At the heart of the shifting finance sector are innovative companies, many from outside the banking ecosystem, that boast ultimate convenience, next-level agility and the ability to adapt to an increasingly mobile, on-the-go lifestyle for a frictionless society. They are already overhauling even the most traditional aspects – payments, lending, insurance and more. Regulations like PSD/PSD2, SEPA and IFR have only added fuel to that fire. Thus, a race began between the traditional payment providers and the non-bank competition disrupting the status quo.
It’s imperative that cutting-edge cybersecurity is not buried by efforts to create innovative and revolutionary financial technology. Apathy towards security can have detrimental results, as highlighted by the recent Bitcoin hack on South Korean cryptocurrency exchange Coinrail, which caused a 5.6 percent drop in value. Beyond offering a buzz-worthy new payments app or automating exhausting mortgage applications, for example, traditional payment providers and FinTechs need to ensure that their business is resilient against increasingly sophisticated cybercrime and ready for a hyperconnected world.
Agility Now and into the Future
For traditional payment providers and FinTechs to be able to tout complete agility and advancement today, they must be able to accommodate the very serious security threats of tomorrow. To help streamline their imminent arrival into the market, many FinTechs partner with established, trusted firms to help bring their ideas to life. These are often mutually beneficial relationships and are effectively levelling the playing field for banks and payments companies, creating an environment where embracing technology and innovation can help them emerge in a crowded market, secure new customers and stay compliant with changing regulations.
In our hyperconnected world of the near future, consumers may never have to take out their wallets to hand over cash or swipe a card. When you leave a store, the cost of the items in your basket will be automatically charged to your bank account. Amazon has already successfully tested this out. The same goes for buying gas, paying for parking, paying bridge tolls and so on, as your connected vehicle communicates with your bank account as well as the city infrastructure surrounding it. However, with each new endpoint comes a new opportunity to compromise security – and there will be millions. How can you ensure your FinTech is implementing cybersecurity that can support our future of digital payments?
Here are a few constants to keep in mind:
- Identity security: From the moment of issue, identities that are used for authentication must have security that reflects their intrinsic value and the risk that is associated with their use.
- Regulations: Transactions must be protected in accordance both with the requirements laid out by the governing bodies and with the value of each individual transaction and of transactions in aggregate.
- Personal data: All personal data must be protected in accordance with both industry governance and local law.
- Data in the cloud: Last but not least, any data at rest and in motion, in or into the cloud, needs to be secured.
At the core of these security “constants” is a reliable, robust technology: cryptography. Even in the face of a rapidly evolving market, FinTechs can look to more traditional, established banks who’ve historically – and successfully – relied on this security to accomplish critical tasks like holding highly sensitive key material, processing transactions and generating, issuing and validating identities and payment cards. These tasks will be even more crucial as our cities, cars and infrastructures become increasingly smart.
Considerations for a Post-Quantum World
So – your FinTech is fully compliant with industry regulations like GDPR and PCI DSS, and all of your data and communications are secured to the latest NIST standards using the strongest AES-256 encryption, FIPS 140-2 Level 3 compliant protection and more. Are you safe?
Not necessarily. With the advent of the quantum computer, current encryption algorithms stand to be broken, leaving all of our data vulnerable as a result. Some security experts predict this could happen in the next decade, maybe even sooner than we think.
It’s imperative that the products and platforms being developed today are ready to handle the post-quantum computer (PQC) era of tomorrow.
Traditional payment providers and FinTechs who are making moves to bring new, innovative solutions to the industry must adopt a crypto agility stance — in line with the rest of their culture of innovation — to better prepare for a post-quantum future.
Here are a few strategies for getting started:
- The first step to becoming more crypto-agile is simply realizing that current cryptography can be broken. RSA-2048 is the encryption algorithm usually used today for authentication use cases, but even the strongest of RSA encryption standards becomes vulnerable to the quantum computer.
- Adjust current workflows to accommodate your protocol and IT infrastructure. This means first evaluating how well positioned your systems are to adopt each or any crypto algorithm, and preparing response plans. Existing security processes often become embedded into daily operations. How can you shift these to be more agile in changing environments?
- Make smart purchases of encryption solutions with post-quantum in mind. Can they be easily augmented to adapt to new algorithms if need be, and will they easily and seamlessly integrate?
- Start early. It may only take you 2-4 years to implement the new algorithms in your products and infrastructure once you have chosen the right one, but it may take you a decade or more to eliminate or migrate the existing ones in products that are already in the market.
- Privacy by design (PbD) is already considered a best practice among many traditional payment providers and FinTechs. The apps and platforms within a given system that control much of the data must have robust security and access controls layered into the initial implementations, instead of simply added on afterward.
Innovation-centric banks and FinTechs are in a unique position to embrace crypto agility and prepare for smart cities, as they are likely already in the process of transforming their apps, platforms and infrastructures in other ways. And the benefits of preparing for tomorrow are clear even today – overall stronger cybersecurity posture, easier compliance with industry regulations and strategic implementations that maximize ROI. As these organizations shift and adapt to the rapidly evolving payments space, it’s crucial that cutting-edge and future-forward cybersecurity is not buried by efforts to create innovative and revolutionary financial technology.
First published on:
- PaymentsSource – PayThink Traditional payment security isn’t enough for quantum computing
- PaymentsSource – PayThink Payment innovation is ‘disrupted’ by crime innovators
- on this blog in an earlier version on July 24, 2018