Digital Payments Security Processes for secure and frictionless electronic payments
Written By: Darren Anderson – 2 min read
The Importance of Digital Payments
The nature of digital payments, being transactions that take place via digital or online mechanisms, creates convenience for customers, but, on the other hand, might create security concerns. Digital payments are electronic payments. This form of cashless payment has been widely adopted by developed economies. Growing economies like China, India, and Eastern Europe are also very quick in adopting new payment solutions. At the same time, developing economies such as Africa and Latin America have found beneficial use cases for digital payments through mobile payments and digital wallet innovations.
According to Statista, total transaction value in the digital payment segment is projected to reach US$8.49tn in 2022 with an annual growth rate of 12.31%. A global Mastercard study from 2021 showed that 90% of consumers are using and/or comfortable with emerging digital payment methods, driven largely by the pandemic, with 60% saying they shy away from retailers who do not offer digital payment options.
However, online fraud increased by 49% in the same period, so security is a major concern, with biometrics and other verification methods on the rise to go beyond PINs and passwords.For example, Singapore where contactless payments has high penetration, saw a 79% increase in online fraud/cyber crime during the pandemic, resulting in new government legislation including stiffer penalties for organisations with data breaches.
The FinTech Society Research Team (FTR) at University College London points out that, alongside benefits, digital payments also bring a unique set of disadvantages, some of which make them especially vulnerable to criminal exploitation. With cash, there is a physical exchange of value. In digital applications, FTR notes there is ‘no concrete payment proof’ of the value transfer. ‘Criminals can easily obtain credentials, online-banking passwords and control online-banking meetings remotely through the rampant use of trojans.’
Statista—a provider of global market and consumer data—noted worldwide losses from online payment fraud reached $17.5 billion in 2020 and were likely to be around $20 billion in 2021, representing an increase of more than 14 percent.
Digital Payment Security Risks And Challenges
It is worth noting that even without a deep analysis of the specifics around digital payment processes, some security fundamentals apply and should be considered- is the infrastructure which hosts my system secure? Is the web application and web services behind my payment process secure? Do I know, on going, if new vulnerabilities are introduced to my platform/infrastructure due to changes or new releases? It is vital to have secure foundations and assurance that what you build upon is itself secure. This is security 101- has security been ‘baked in’ as the application has been developed, and has it been penetration tested to highlight flaws (and get them fixed) before any release?
With cashless the lack of a “person at the counter” necessitates more strict control of cash flow and the protection of customers, vendors, and clients’ transactions. Instead of a physical presence, the concept of trust in digital payments can be provided by a device, QR code, customer’s fingerprint (hand or face recognition), or a password.
In China, for example, QR codes are widely used to pay and collect money. It really is that simple. QR codes are also used by street musicians to collect money. Unlike Apple Pay, where merchants must purchase technical equipment to accept payments, a simple piece of paper with a QR code suffices in China. Biometric identification methods—fingerprints and face recognition—are the most widely used authentication methods in China, with password verification trailing behind.
Cyber Security Threats in Electronic Payment Systems
While the technology behind digital payment systems is progressing at a rapid speed, so are cyber attacks. Malicious actors invent different ways to penetrate security systems, so electronic service providers need more and more robust technology.
Here are some types of the most common attacks:
- Distributed Denial of Service (DDoS) – when a huge number of false requests are made to the payment processing system and the system cannot handle them.
- Account Takeover – a fraud when a credit card skimmer takes over the account of the card holder.
- Supply Chain Breach – when the software and hardware of the payment system is compromised during the payment transaction.
- Advanced Persistent Threats (APTs) – they come in mails and prompt people to download malware, thus enabling information phishing including confidential data leakage.
From the aforementioned, it is clear that improving card and internet transaction security is vital. There are several types of payment security methods that should be kept in mind and followed strictly:
Upgrading 3D Secure Protocols – an extra layer of authentication administered by the cardholder’s bank. This could include pin codes, tokens, or biometric scans. More security layers provide a more secure data connection for authentication between businesses, payment networks, and banks.
Secure Socket Layer (SSL) Protocol – security encryption protocol that could be recognised as a website URL. It can be recognised by the “s” after “http” in website URLs. It usually has a lock symbol next to it in the URL field of the browser.
Tokenisation – an extra layer of security that protects customer payment data, a way of converting payment data into a random string of numbers or code, called tokens.
Address Verification Service (AVS) – the billing address is used to authenticate the customer’s credit card and when it matches the address entered in the website, the transaction succeeds.
Regular updates of computer operating systems (OS) – the latest updates fix all previously discovered security bugs and other security issues.
Fraud Screening Mechanisms – there are dedicated fraud-screening tools that can figure out when a potential fraud may happen. Previous tools were based on a reputation-based system, while the modern ones use AI-based algorithms and Machine Learning mechanisms.
One-time Password (OTP) – it is used in online transactions using a debit or credit card, and also in virtual payment gateways. OTP is valid for a short time only after the payment processing begins.
Biometric Authentication – this authentication method involves fingerprints, voice or face recognition, which is unique to each person.
Risk-Based Authentication (RBA) – the provider analyses the device and the network used by the customer to determine the level of authentication security that should be applied. This is a sort of custom-made form of verification for each payment session.
PCI Compliance – any business that processes credit card payments must comply with PCI (Payment Card Industry) standards and practices.
Payment Card Industry Security Standards Council (PCI SSC) Standards
Currently there are four standards for PCI SSC.
- Level 4 is for merchants with under 20,000 transactions annually.
- Level 3 is when merchants have from 20,000 up to million transactions per year.
- Level 2 is for merchants with one to six million annual transactions.
- Level 1 is for merchants processing over six million card transactions per year.
To become compliant with the standards above, businesses should be able to conduct a thorough inventory check of all systems and store as little information on the network as possible. Strict and fast action should be taken to discover any potential vulnerabilities during the payment process. At the same time, businesses should let their affiliated banks and card networks know as soon as possible about any problems with digital payments.
Self-Service Payment Options
Self-service technology provides customers with unattended payment options and allows merchants to bring their goods or services closer to the consumer. With the latest technology trends, the number of self-payment options across any industry constantly grows, with some examples mentioned below:
- Events & Ticketing.
- Electronic Bill Presentment & Payment (EBPP).
- Text-2-Pay – or SMS payment, widely used in places with no internet service (e.g. some African countries).
- EMV/NFC (Europay, Mastercard, Visa/Near Field Communication) contactless payments – EMV strengthens card security while NFC is an acronym for complementary technology that enables secure contactless payments.
PCI DSS (Payment Card Industry Data Security Standard) is set to protect merchants and buyers from financial fraud. The standard is constantly evolving to respond to threats.
The EMV standard is a technical standard that optimises card payments and data transfer security. There is an extension of the EMV standard named the EMV Contactless Standard. It provides for the use of a card (equipped with NFC) or a smartphone.