Security Testing Payment Services in the Era of Connected Ecosystems
Online payment technology is changing quickly, driven by consumer demand for value-added services, new payment-related technologies, and regulatory requirements. The result is an open and collaborative ecosystem in which the roles of the stakeholders are changing.
The traditional banking business model has become a data-intensive, platform-based marketplace, and retailers face a digital era in which consumers expect more flexibility, loyalty programs with personalized promotional offers, augmented reality applications, social shopping, same-day delivery, and payment innovations such as mobile wallets.
Consequently, the amount of data passing through and stored across different systems is growing, which calls for new standards on how data is captured, stored, used, and destroyed, with clearly defined ownership, permissions, access rights, and liability. Delivering a better, more personalized experience to our customers is a good thing, but we can expect more challenges ahead.
Just imagine: Invisible payments will take place without any timely, intentional action on our part to initiate the transaction. In the event of a dispute or fraud, who will be liable? How will payments involving the internet of things be regulated? Who owns and secures the data? Will new ads and targeting services follow us? And is that something we will really appreciate?
The issue of data ownership is getting more complicated. Some people may not be aware that their location and other information is being sent from their smartphones to their mobile provider and device maker. Data is collected in exchange for an improved user experience, and in many jurisdictions government agencies can compel access to large parts of a consumer's record. As new commerce platforms and new ways to engage devices, merchants, and consumers are rolled out, it is unclear who truly owns the customer's information in this complex space.
As testers, we have to understand that this new environment introduces more data privacy and cyber security vulnerabilities, and that it is also becoming easier for criminals to commit fraud, because more touch points carry more data. We are already seeing threats such as malicious applications, phishing and social engineering, unauthorized access, lost or stolen devices, tampering with payment applications, compromised payment systems and token services, and sensitive data being handled in the cloud.
Security is non-negotiable in the world of e-commerce and connected devices, and we have to build a safe environment on top of a comprehensive security program.
Here are some of the major components we should address:
- Governance to define procedures and service-level requirements
- Users and identity management
- Application design, testing, access, and provisioning
- Managing data security by classifying data, authenticating access to it, and encrypting it
- Managing communication, network connectivity, devices, and overall infrastructure
Security is a fundamental element of online payments and e-commerce. While it is everyone's responsibility to create a safe experience for customers, testers have a particular role in ensuring it.
Elizabeth Koumpan is presenting the session Combatting Threats to Payment Processing in the Era of Connected Ecosystems at STARCANADA 2018, October 14–19 in Toronto, Ontario.