March 2020 changed how firms look at security and compliance.
As the pandemic set in and sent us all to live life and conduct commerce online, companies across all verticals had to take on an existential reckoning of sorts, Spreedly Chief Information Security Officer Jennifer Rosario told PYMNTS.
Now, more than ever, she said, companies are examining the business continuity plans they’ve crafted, with an eye on how to defend against ransomware attacks and vulnerabilities that have yet to present themselves.
“The threat landscape is ever evolving and will continue to evolve as we seek ways to combat it in the digital payments and card-not-present environment,” she said.
Among the most pressing points of vulnerability, companies must always be vigilant about the “human factor” — namely, the employees themselves, who may be unwitting victims of phishing, smishing and other compromises, Rosario said. Attacks via text message are gaining currency too. The fraudsters have goldmines of data to access via the internet.
With all the data flying around online, she said — cellphone data, personal email addresses, the nuggets contained in social media — there’s really no such thing as privacy anymore. The bad actors can use those data points to create new fraud schemes via social engineering.
To Err Is Human
“We’re all human, and humans are fallible,” she said.
Against that backdrop, education remains a key line of defense. Employees need to be trained to recognize the signs of an orchestrated fraud campaign, she said.
The urgency is there, given the fact that the average online storefront experienced 344 fraud attempts in 2020, up 24% from the prior year. And as Rosario said, cybersecurity from a payments standpoint is an evergreen concern. Beyond the need to shore up vulnerabilities among the people within a firm, companies need to examine and address the processes and technologies that are part of daily operations.
With a nod toward processes, she said it is critical that enterprises and vendors document their security processes and expectations around compliance that they share up and down supply chains.
“It’s important to be able to address the question, ‘What are the processes that are in place to engage incident responses, to engage corporate communications, to make sure that end customers are communicated with in a timely manner?’” she said. “There is no single control that can be put in place from a security or privacy standpoint to mitigate all this risk.”
She said enterprises need to implement a multilayered approach to risk control to make it tough enough to commit fraud — indeed, so much so that the fraudsters go somewhere else to ply their trade.
Simply complying with government and other mandates can get companies to some level of basic security, she said, but best practices should go beyond the Payment Card Industry Data Security Standard (PCI DSS). Platforms like Spreedly offer layers of security that can better buffer a range of payment methods, all housed within one environment and reached at a single point of contact via an application programming interface (API).
Rosario noted that it can be overwhelming to try to manage regulatory requirements and frameworks, particularly for international companies, and avoiding the technical heavy lift is a benefit for most firms (and their margins). Tokenization and other advanced technologies, along with payments orchestration, can increase both security and authorization rates (while reducing false positives and declines).
Looking ahead, she said a proactive approach will be important in building the relationships between enterprises, service providers and employees to defeat cybercriminals.
“Collaboration and transparency will differentiate you as an organization,” she said.