Building security that protects customers, not just auditors

In this Help Net Security interview, Nir Rothenberg, CISO at Rapyd, discusses global differences in payment security maturity and the lessons that can be learned from leading regions. He points out that good engineering usually leads to strong security, and cautions against just going through the motions to meet compliance requirements.

Rothenberg also points to overlooked areas such as monitoring, account takeover prevention, and collaboration across the payments ecosystem.

Are you seeing notable differences in payment security maturity between regions such as North America, Europe, and Asia-Pacific? What lessons can be learned from regions that are leading in payment security innovation?

Generally, my impression is that companies with good engineering quality will have good security. They want to ship quality products, and that includes making them secure. Good or bad quality can be found in any region.

I’ve seen some jaw-droppingly bad security in well-known companies across the world; these are usually companies where the management did not care about having high quality, but focused on the “bare minimum”, which means passing audits and checking boxes (AKA covering a**es). Conversely, some unexpected companies presented strong security teams and principles, even leaving me with great takeaways I later implemented in Rapyd’s security program.

Lessons I took:

1. There is always something to learn from other companies, even if it is affirmation that your approach is “better”. Lead with curiosity.

2. It’s important to collaborate; payments is a small world. Find out what your counterparts in and out of the company are up against, then partner with them on solving that in a way that addresses your issues as well.

3. Focus on account takeovers – hardening and validating the relevant fields regarding account login is a good start. Add as many captcha and MFA triggers as you can, sprinkle in some rate-limiting for the sensitive endpoints and you will be in a great place to stop one of the most popular attacks today.

4. Advanced companies have lots of fingerprinting on their portals – last login, device associated with account, security audit logs, SSO and much more.

How are threat actors adapting to security improvements in payment systems?

Sadly, threat actors don’t need to improve; most of the market is very far behind and old-school attacks like phishing still work easily.

One trend we’re seeing in the last few years is a strong focus on crypto attacks, and on crypto exchanges. Even these usually involve classic techniques.

Others are “SMS abuse” attacks, where attackers exploit endpoints that trigger sending SMS messages, which they send to premium numbers they want to bump up. Many such attacks are only discovered when the bill from the SMS provider arrives.
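The two defensive patterns Rothenberg describes above, account-takeover hardening (captcha and MFA triggers plus rate limiting on the login endpoint, with last-login and device tracking) and protection for an endpoint that triggers SMS sends, share the same building block: a per-key rate limiter. The following is an added illustration, not Rapyd’s code and not from the interview. Thresholds, the device-fingerprint strings, the IP addresses and the phone numbers are constructed assumptions; the SMS guard adds a daily send budget with an alert so that abuse surfaces before the provider’s bill does.

```python
"""Added example: step-up triggers and rate limits for a login endpoint and for an
endpoint that sends SMS one-time codes. Thresholds are illustrative assumptions."""
import math
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts events per key (account, IP, phone number) inside a sliding time window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:   # drop events that fell out of the window
            q.popleft()
        return q

    def count(self, key, now):
        return len(self._prune(key, now))

    def hit(self, key, now):
        """Record one event; return True while the key is still within its limit."""
        q = self._prune(key, now)
        q.append(now)
        return len(q) <= self.limit


class LoginGuard:
    """Decides allow / deny / captcha / mfa / block for one login attempt."""

    def __init__(self):
        self.per_ip = SlidingWindowLimiter(limit=20, window_seconds=60)    # assumed hard limit
        self.failures = SlidingWindowLimiter(limit=3, window_seconds=900)  # assumed captcha trigger
        self.known_devices = defaultdict(set)   # device fingerprints seen per account
        self.last_login = {}                    # account -> (timestamp, ip, device)
        self.audit_log = []                     # security audit trail of decisions

    def attempt(self, account, ip, device, password_ok, captcha_ok=False, mfa_ok=False, now=None):
        now = time.time() if now is None else now
        if not self.per_ip.hit(ip, now):
            self.audit_log.append((now, account, ip, "block"))
            return "block"       # rate limit on the sensitive endpoint
        if self.failures.count(account, now) >= self.failures.limit and not captcha_ok:
            return "captcha"     # captcha trigger after repeated failures on this account
        if not password_ok:
            self.failures.hit(account, now)
            self.audit_log.append((now, account, ip, "deny"))
            return "deny"
        if device not in self.known_devices[account] and not mfa_ok:
            return "mfa"         # MFA trigger for a device this account has not used before
        self.known_devices[account].add(device)
        self.last_login[account] = (now, ip, device)
        self.audit_log.append((now, account, ip, "allow"))
        return "allow"


class SmsGuard:
    """Guards an endpoint that triggers SMS sends, e.g. one-time codes."""

    def __init__(self, daily_budget):
        self.per_number = SlidingWindowLimiter(limit=3, window_seconds=600)  # assumed
        self.per_ip = SlidingWindowLimiter(limit=10, window_seconds=600)     # assumed
        self.daily_budget = daily_budget            # messages per day the business expects
        self.warn_at = math.ceil(0.8 * daily_budget)
        self.sent_today = 0
        self.alerts = []
        self.budget_alerted = False

    def request_send(self, phone, ip, now):
        if not self.per_number.hit(phone, now):
            return "denied:number-rate-limit"
        if not self.per_ip.hit(ip, now):
            return "denied:ip-rate-limit"
        if self.sent_today >= self.daily_budget:
            if not self.budget_alerted:          # page someone instead of waiting for the bill
                self.alerts.append((now, "daily SMS budget exhausted", phone))
                self.budget_alerted = True
            return "denied:budget"
        self.sent_today += 1
        if self.sent_today == self.warn_at:
            self.alerts.append((now, "80% of daily SMS budget used", phone))
        return "sent"


def run_scenarios():
    """Constructed scenarios (documentation IPs, 555 phone numbers); returns the decisions."""
    login, t, out = LoginGuard(), 1_000_000.0, {}
    out["new_device"] = login.attempt("alice", "203.0.113.5", "fp-laptop", True, now=t)
    out["after_mfa"] = login.attempt("alice", "203.0.113.5", "fp-laptop", True, mfa_ok=True, now=t + 1)
    out["known_device"] = login.attempt("alice", "203.0.113.5", "fp-laptop", True, now=t + 2)
    out["stuffing"] = [login.attempt("alice", "198.51.100.9", "fp-bot", False, now=t + 10 + i) for i in range(4)]
    out["captcha_solved"] = login.attempt("alice", "198.51.100.9", "fp-bot", False, captcha_ok=True, now=t + 20)
    out["flood_last"] = [login.attempt(f"user{i}", "198.51.100.9", "fp-bot", False, now=t + 30) for i in range(20)][-1]
    sms = SmsGuard(daily_budget=10)
    out["otp_burst"] = [sms.request_send("+15555550123", "203.0.113.7", now=t + i) for i in range(5)]
    out["pumping"] = [sms.request_send(f"+1555555{n:04d}", "198.51.100.9", now=t + 100 + n) for n in range(12)]
    out["alerts"] = len(sms.alerts)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The login guard only counts failed attempts toward the captcha trigger, so a legitimate user who types the right password is never challenged by their own earlier typos, while the per-IP limit is a hard cap that also stops password spraying across many accounts. The SMS guard limits both the destination number and the requesting source, and the budget alert is the monitoring piece: it turns a surprise invoice into a same-day signal.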

What’s one area of payment security you think is currently overlooked but deserves much more attention?

Monitoring. Think of it this way: you wouldn’t drive a Formula 1 car without a dashboard, right? You need to know your speed, fuel, engine temperature – everything! But in the world of high-volume, global payments, many companies are essentially driving blind, or at best, with a dashboard designed for a golf cart. Current Security Information and Event Management (SIEM) vendors often offer stacks and pricing models that just don’t fit the sheer scale and speed of transactions. Sure, you can make them work, if you spend millions!

It’s like trying to monitor a global superhighway with a single traffic camera – it’s theoretically possible with the right add-ons, but you’re probably not going to invest that much and thus you will miss a lot of “incidents” until it’s too late. We need monitoring solutions that can keep pace with the autobahn of payments, not just the local dirt road from yesteryear.

What advice do you have for companies preparing to comply with PCI DSS 4.0 or similar regulatory frameworks?

Knowledge is power. Especially with newer standards, a few hours of research can change everything. Look at the PCI DSS 4.0 standard itself; it’s not a secret, and it’s very thoroughly documented (even if it’s a long and dry read). I’d also recommend reading the various blogs and publications from organizations that are focused on PCI DSS (and a little spice from talking to AI can’t hurt). If someone in the company becomes an expert in the standard, everything just gets so much easier.

From my perspective, three important principles come to mind:

1. Don’t treat it as a checklist: If you just check boxes, you are not protecting your customers, you are just protecting your company from the auditor. Try to understand the rationale behind the control and implement it according to your company’s architecture. Think of it philosophically: would you be happy being a box-ticker or would you prefer to have impact?

2. It’s a marathon, not a sprint: The goal is not just to pass the audit, but to live and breathe security. Work on your company’s security posture year-round, not just when the audit is around the corner. PCI DSS 4.0 is new; the QSAs themselves don’t initially know how all your controls match with the audit requirements. See it as an opportunity to blaze the trail for future security practitioners.

3. Your auditor is your partner, not your adversary: Your goal is to find a way to collaborate with your QSA; they can be true partners for driving positive change in the company. Share concerns ahead of time and be brave enough to implement the changes they recommend. This doesn’t mean you always have to accept your QSA’s interpretation like the word of God. If you are well versed in the standard, you can be prepared to gently push back on an unacceptable suggestion and find a better way forward; as long as you do it collaboratively, you will find a ready partner most times.
