The Risks and Benefits of Payment Gateways and The Cloud

Why IT security skills can make or break your company.

The ability to accept online payments for goods and services is generally considered a good idea for businesses of all sizes, allowing for transactions to take place where the buyer is not physically present. Obvious benefits include convenience, the ability to purchase from any Internet-ready device, and no requirement to travel to the store, which translates to increased profits and the potential to attract clients from other locations, whether national or international. Unfortunately, as with any use of technology, there are always risks to consider when financial data is shared, whether you decide to use a merchant account, payment gateway or a combination. Loss of such data has serious implications for companies, leading to loss of reputation, fines for lack of compliance and even bankruptcy in some cases.

According to a recent survey from PricewaterhouseCoopers LLP, cybercrime is now the second most reported economic crime, with more than one-third of the 6300-plus respondents indicating they were victims of cybercrime in the last 24 months. In first place for 2016 is 'asset misappropriation', which includes accounting fraud, reflecting 62 percent of reported incidents. In technical terms, these problems are easily detected. What is more worrying is the rise in cybercrime figures, with only 37 percent of polled organizations having any sort of cyber incident response plan. How can companies identify risks in their IT infrastructure and protect themselves and their customers from cybercriminals?

Identify your Risks and Weaknesses

Your company size or industry is of little importance but the data you hold is of considerable value to hackers, sometimes leading to larger clients or of use in financial fraud or identity theft.

For any company that processes credit card information, it is necessary to clearly understand how customers pay for goods or services.

When a transaction is processed where is data stored?

In most cases, the transaction will take place in the cloud, in a remote data center and no financial data is stored on your servers. This is probably the best method, with PayPal just one leading payment gateway that uses a hybrid cloud in its operations. However, if your transaction takes place on your own website, PayPal transaction or not, some information is stored on your Web server before data transmission takes place. If you use proprietary or customized shopping carts you will also need to know the communication path involved.

Is data encrypted?

Companies need to ensure that all financial data is encrypted at all stages of the purchasing processes, regardless of the payment solution selected.

How about PCI-DSS?

Secure websites are considered the norm and in internet browsers are easily identified by 'https://' designation or by the 'lock' symbol'. Ongoing compliance with the PCI-DSS standard is essential and mandatory for providers of financial services. Company decision-makers should make themselves familiar with all aspects of this standard, and becoming compliant is an easy way to assure the customer of company legitimacy and security awareness. Industry practice is to ensure that all companies, service partners and cloud service providers are PCI-DSS compliant, to ensure that all confidential data remains encrypted during its journey from buyer to the payment provider.

Security Awareness

Part and parcel of enhancing your security posture is identifying the level of training necessary for three levels of employee, namely general staff members, middle management and senior executives or IT experts. Your exact requirements are determined by the value of the data you hold and the payment methods employed. If you consciously decide not to store financial data on your own servers, then security concerns are the responsibility of your service provider. Note- Ensure your selected service providers are all PCI-DSS compliant and meet other security expectations.

However, even if financial data is of little concern, other data is present and you will need IT security experts to make life difficult for cybercriminals and of course to detect breaches and ensure ongoing compliance with applicable security standards and guidance materials, which could include, in addition to PCI-DSS some or all of the following:

• HIPAA – for companies in the healthcare sector
• NIST
• ISO 27002
• ISO 27001
• COBIT 5

IT Security experts are in high demand globally and according to Cybrary's Cyber Security Job Trends Report, there are more than a million positions open around the world. In fact, the demand is 12 times the growth of the total labor market. When, according to the PwC report mentioned earlier, one in ten breaches are detected accidentally, how does your company measure up in terms of security awareness training, IT security and cyber-attack response plans?