To keep fraud from having an impact, enterprises and executives must keep it from getting into the organization in the first place.
It is a strategy known as protecting the perimeter and blocking unauthorized access to operations and technology. The threats are everywhere, and as eight security and payments executives told PYMNTS in a series of interviews, the old ways of protecting banks and enterprises, and protecting their end commercial and retail customers by extension, no longer apply.
The threats? They are both external and internal, as rogue employees might wreak havoc. The only certainty is that they will always be there. The lines between digital and physical operations are blurring, data is critical, and the threats are rendered in real time.
As part of a “What’s Next in Payments” series, the eight executives told us how they guard the perimeter of their firms, offering roadmaps, examples and philosophies that guide them.
Garrett Laird, director of product management at Amount, told PYMNTS that many financial institutions do not reconsider their anti-fraud methods until it is too late.
“You may not have realized it yet, but they’re going to hit you,” Laird said, adding, “the fraudsters are jerks — and they like to hit you on holidays and on weekends, at two in the morning.”
Examine the Links
“You’re only as secure as your weakest link,” Chris Wyatt, chief strategy officer at Finexio, told PYMNTS.
There’s a need to be proactive about those threats and about identifying the weak links. Education is key, as is examining the interconnectedness between companies, particularly up and down supply chains. The focus isn’t just on reacting to incidents but on creating an environment where risks are identified and mitigated before they escalate into crises.
Build in the Layers
The best strategy evolves, builds in layers and is always on.
“Security events and security alerts are something we deal with every single minute of every day,” David Drossman, chief information security officer at The Clearing House, told PYMNTS.
“First things first, you need to have your incident response planning right,” Drossman said, stressing the importance of employing an overarching incident response plan, supplemented by detailed information security procedures. This approach ensures that when alerts occur, the organization can respond swiftly and effectively.
Embracing a “defense in depth” strategy involves creating multiple layers of defense to protect an organization’s most valuable assets, often known as “crown jewels.” Drossman described it as building a “labyrinth of control” to mitigate damage even if one layer fails. Segmentation is critical, especially in separating employee networks from sensitive areas to minimize the risk of internal breaches.
Mike Rivers, chief technology officer at Spreedly, emphasized the importance of a multilayered security approach and the benefits of an open payments strategy.
“We have to start with the basics,” Rivers said, in crafting a strategy he likened to “layers in an onion” to reduce the risk of threats being realized. The foundation of this approach includes working with independent third-party assessors to maintain PCI DSS Level 1 compliance and annual SOC 2 Type 2 certification. Rivers highlighted the importance of conducting multiple penetration tests throughout the year, typically every quarter.
“We recommend that our clients safeguard their companies via implementation of robust testing and validation procedures to ensure their effectiveness,” Laurent Domb, chief technologist for worldwide public sector financial services at Amazon Web Services (AWS), told PYMNTS. “This should include methods such as penetration testing for cybersecurity, disaster recovery testing, but more importantly, health engineering ‘game days’ where they can truly practice the various incidents that happen in a real-world event.”
Fighting Back With the Same Weapons
The executives noted that emerging technologies like artificial intelligence are becoming favorites of fraudsters. But the same advanced tech is available to the white hats — the executives tasked with fighting fire with proverbial fire.
A tech-enabled onboarding experience, said Amount’s Laird, underpinned by AI and machine learning, can not only beef up security but also foster a good customer reaction so that legitimate relationships prove sticky and long-lived.
“In our technology environment, leaders and individuals need to feel empowered to take ownership if they see something that’s not right,” Ron Green, cybersecurity fellow and former chief security officer at Mastercard, told PYMNTS.
Businesses, particularly those operating in security-critical sectors, must invest in advanced threat detection and response solutions, implement robust backup and recovery processes, and conduct regular security training for employees to reduce the risk of phishing attacks.
“At AWS, we have pioneered the integration of AI and ML into our suite of services, such as Amazon GuardDuty, which uses machine learning models to continuously analyze data streams and identify potential threats,” AWS’s Domb said. “Similarly, services like the AWS Firewall employ machine learning techniques to detect and block malicious network traffic in real time, adapting their defenses to evolving attack vectors.”
The Home Team Advantage
There’s an advantage in the human element too. Continuous learning is essential not just for security professionals but for everyone in the organization, and by educating all employees, companies can reduce the risk of human error leading to breaches, said Mastercard’s Green.
Steve Smith, global director of strategic projects at Esker, said redundancy is a key part of resilience and stressed the importance of embracing a diversified approach to operations. Employees at Esker are trained annually on the latest cybersecurity threats and are required to follow strict protocols if they inadvertently trigger a security event.
“What you want to do is catch it before it becomes a crisis,” said Rick Kenneally, chief technology officer at Boost Payment Solutions.
By partnering with companies that independently spot threats and scams, such as domain spoofing attempts, and provide early warnings about them, businesses can stay ahead of potential threats.
“That’s an important control, and I strongly recommend it for any company,” Kenneally said, stressing the benefits of collaborative working partnerships.
The fraudsters and their means of attack change. The only constants are vigilance and adaptability, which can be companies’ best weapons when it comes to defending the perimeter.