Uncovering the ‘new normal’ in payment security for FIs
From acquirers and financial institutions to merchants and consumers, every entity in the payments system is subject to security risks. Building and maintaining a security program to manage these risks is imperative in today’s environment.
Vantiv’s recent webinar, “The new normal in security—considerations for managing risk,” provided an insightful look into the security threats facing today’s businesses and the responsibilities of financial institutions and the payments industry to protect their data. The Q&A-style webinar featured Jessika Wood, SVP, Merchant Solutions for Financial Institutions at Vantiv, interviewing Andrew Turner, Chief Security Officer at Vantiv.
Focus on Security
Wood opened up the discussion by asking Turner to share Vantiv’s Security Mission, which is based on protecting not only the Vantiv network, but also the entire Vantiv payments ecosystem.
Turner explained that Vantiv integrates security into every business process and every employee action. The company builds cyber security into the culture of the company, making it part of the DNA.
“Partnerships with private and public sector are key in Vantiv’s efforts to protect against cyber-attacks,” noted Turner. “The sharing of threat intelligence is a necessity, in order to enable merchants and issuers to rapidly detect and respond to cyberattacks against their infrastructure.”
Next, Wood asked Turner to address the “new normal” in securing commerce in our hyper-connected, always-on world. Greater connectivity means the threat is constant, evolving rapidly, and not limited to simple viruses and malware.
“The Internet of Things has created an Internet of Threats,” said Turner. “Cyber security has evolved from being a challenge for only a select few into a challenge for everyone.”
The risk is high for two reasons, Turner explained. First, there are more threats from more sources, resulting in attacks that are global, intelligent and highly targeted. Second, companies are more vulnerable due to the proliferation of devices that can lead to leaks, old technologies that aren’t meeting today’s threats, and technologies that are being built without security as a primary objective.
Cyber Security for FIs
Wood then asked Turner to explain how cyber security applies to FI operations. Turner began by noting that companies in the payments ecosystem have faced what looks like a choice between innovating and being secure, but it’s not really a choice.
“Companies, large and small, need to innovate, thrive, and be secure,” Turner stated. “Focusing solely on either innovation or security is detrimental to survival.”
Instead, he said, the key to innovating responsibly is identifying and managing risk rather than striving to eradicate it. It’s critical to have a unified strategy and deploy tactics to counter adversaries.
Achieving Security Excellence
Next, Wood asked how enterprise organizations can best achieve excellence in security. Turner explained that Vantiv avoids security failures by providing protection over core technologies, adapting to changing business conditions, preparing for and responding to global threats, and administering regulatory guidance in ways that simultaneously create client value and operational resiliency.
To meet these goals, Vantiv organizes itself against six control missions: Cyber Defense and Response, Security Risk Management, Data Security & Protection, Attack Surface Management, Physical Security, and Business Resiliency.
“Ultimately, the security strategy and control missions drive our enterprise mission and brand promise to ‘Protect our Customers,’” said Turner. “What this means is the investments we make in security expand well outside of our core security organization.”
Implications for FIs
So what does all of this mean for FIs?
“Any security practitioner will tell you that it’s not a matter of if you will be compromised, it’s a matter of when,” said Turner. A running joke in the security industry is that there are two types of companies: those that have been breached, and those that have not, but currently are and don’t know it.
And the consequences of a merchant being breached are significant. Roughly 80 percent of cyberattacks target small merchants, and over 69 percent of consumers avoid businesses that have been breached. Even more alarming, 60 percent of small businesses typically close within six months of a breach.
“Cyber criminals are going to either target the industry that has the lowest risk and lowest cost for them, or the entity that produces the highest value,” he said. “There’s no doubt that this not only affects the merchant community but we believe it has a direct effect on the acquirers and FIs as well.”
At the end of the day, we’re really all focused on protecting ourselves as consumers, whether that’s financial services, goods and services, or other personally-identifiable information, noted Wood.
Indeed, managing cyber risks to enable fearless shopping takes an ecosystem effort of acquirers, FIs, and merchants alike, agreed Turner. Devaluing data by using technologies like point-to-point encryption and tokenization helps merchants protect data, transfer risk, and remove operational and compliance regulations.
“It’s very important that we continue to understand the cyber risk and stay ahead of managing and protecting the data whether it’s in our data centers or in the other entities.”