Payment Paradox: The True Cost of Payment Data Breaches
It’s natural to assume the most direct impact of a cyberattack within the financial payment system is the stolen data or funds. In reality, the true impact extends to the loss of consumer confidence and the subsequent increase of transactional costs.
Most bankers subscribe to the notion that the payment system is the heart and soul of banking and the financial markets. I believe that the payment system in many ways is the heart and soul of all local and global economies. From retail merchants and global banking entities to local families and individuals who make up our neighborhoods, the tie between banks and retailers is the payment system.
The payment system is under constant attack. Beyond the price of defending payment networks, or beyond the tangible dollar loss associated with a breach, the true cost of a successful cyberattack on the payment system is the erosion of consumer confidence.
This intricate interconnection of networks that governs the movement of money or credit from the payer to the payee is in many ways paradoxical. The payment system is built to make commerce easier, but it’s incredibly complex in structure. More than just an intricate puzzle of seemingly innocuous payments, the payment system is a careful balance between the transmission of monetary policy, central banks, the delivery of services to financial intermediaries, and the supervision of the larger banking system.
When you overlay the seemingly endless change associated with the disruptive forces of technology, what you have is a complex and dynamic global system filled with gaps and places where cybercriminals can hide, steal and attack.
Certain industries, especially financial services, continue to be most susceptible to high turnover in customers in the aftermath of a data breach. The finance sector on average spends five times more money attracting new customers than retaining their current customers. These two factors are part of what makes cyberattacks so perilous to the financial community.
Payment system vulnerabilities
In many ways, the payment system represents the soft spot in the finance sector. In an effort to retain and attract customers, financial institutions are starting to abandon brick-and-mortar branches and embrace digital banking at faster rates.
As a result, payment systems are evolving with new technologies and in a myriad of new channels. For example, a purchase as simple as shoes can involve several payment channels for the customer. The customer can go to the store and use cash, a debit card, a credit card, a prepaid card or even a mobile phone. The customer can also buy the shoes online with a credit card, debit card, PayPal or direct withdrawal from a bank account. And most recently, customers now have the choice of using a mobile app such as Apple Pay or Google Wallet.
On the front end, there are 11 ways in which someone can buy a pair of shoes today. The back end of that simple transaction is a jungle of options and an amazing number of combinations of different authentication systems, payment systems, intermediaries and technologies.
All of these systems and transactions occur over the foundations of the traditional banking system, which was built in large part by acquisition and the stacking of data silos, or legacy technology that is not integrated with other systems or networks. According to a recent Gartner report, the pace of payment innovations is accelerating, and has not peaked. The key takeaway according to Gartner is that a bank's siloed systems and operations, as well as product development approaches, are unfit to respond to new market requirements.
Payment system solutions
Most banks approach payment system vulnerability issues through a combination of trying to prevent the intruder from entering the system and preventing the intruder’s ability to remove confidential data. While this approach is effective in defending against the majority of attacks, it can often prove ineffective against advanced persistent threats (APT) and the tools and techniques of organized and well-funded criminals.
Additionally, smaller banks, community banks and credit unions are often more limited in resources and budget, and often struggle to secure their systems.
One way to accomplish this task is to map the organization by complete line of business and perform a gap analysis to determine information silos or potential areas of cyber vulnerability. For example, if the capital markets team is moving to flash data clusters and integrating big data systems, how might these activities introduce potential IT security gaps?
Finally, finding and monitoring legacy systems on your network can help immensely in identifying network vulnerabilities for institutions of any size. For example, the Tenable SecurityCenter Continuous View™ has many tools that can perform a whole host of valuable cybersecurity services, including the ability to detect both primary applications and possible secondary applications running with them. This discovery capability of internal applications that require updates can help keep your financial and payment systems better protected from possible cyberattackers.