And How You Can Put a Foot Inside
What is the quickest vehicle to grow an organization? Increasing positive cash flow. More revenue means more money in your pockets for future investments and new initiatives inside your company. But there is a catch here: more money in your pockets also means the risk of losing that money is higher too.
You have to think seriously about how to protect your money, and how to protect your users' credit cards or bank accounts, with a good strategy. This is where Payments Security Engineering comes to play a key role.
First, some numbers and facts to discuss
Payments fraud, data breaches and unauthorized access to high-level bank networks are becoming more common every day, globally.
I wanted to share some statistics related to Payments Security to give you a closer look at the industry:
- The estimated annual number of unauthorized transactions (third-party fraud) in 2012 was 32.2 million, with a value of $6.4 billion, in the United States. Source: 2013 Fed Payments Study, U.S. Federal Reserve
- In 2015, the 5 most common causes of card data breaches in the United Kingdom were: malicious web shell (22.0%), SQL injection (20.2%), no evidence found (15.6%), malware (14.7%) and database hack (7.3%). Source: 2015 Payment Security Report, WorldPay
- More than 133,000 fraudulent transactions were reported in the United Kingdom, equating to stolen card details being used every 20 seconds. Source: 2015 Payment Security Report, WorldPay
- In the first half of 2016, there were 554,454,942 records breached, 974 breach incidents, 29 breaches with over 1 million records affected, and 52 percent of breaches where the number of compromised records was unknown. Source: Breach Level Index Report, First Half 2016, Gemalto
How I got here
During the research for my last post about Adyen, the global payments company based in Amsterdam, Netherlands, I read several papers about Financial Risk Management, watched several talks related to Payments Engineering (more on this later), answered several questions on Quora related to Online Payments & Payments Processing, and reviewed some videos and websites about new payments initiatives around the world, like the Faster Payments System in the United Kingdom and the Unified Payments Interface backed by the National Payments Corporation of India.
Over time, I came to understand there is a tech revolution happening right now, and many people are not aware of it. If you look closely at any company interested in scaling globally, one of the first questions they ask their respective teams is:
How could we handle payments in this market and that market?
Even before internationalization and Content Marketing efforts, everyone is wondering how to handle payments. That's why, with Adyen's help, companies like Netflix, Facebook, Yelp, AirbnbEng, Spotify and more are taking a payments-first approach to scaling into new markets.
Basically, that question was the trigger that put me seriously into this field, but with a small modification:
How can we handle payments in these markets in the fastest and most secure way?
Payments Security Engineering: A Quick Primer
Looking for a good definition of this interesting and challenging field, I took the approach of looking for Security Engineering definitions, and I came across Ross Anderson's amazing book on the same topic, Security Engineering: A Guide to Building Dependable Distributed Systems.
In Chapter 1 of the book, Ross defines the field in this form:
Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves. Security engineering requires cross-disciplinary expertise, ranging from cryptography and computer security through hardware tamper-resistance and formal methods to a knowledge of applied psychology, organizational and audit methods and the law.
System engineering skills, from business process analysis through software engineering to evaluation and testing, are also important; but they are not sufficient, as they deal only with error and mischance rather than malice.
So, let's talk about Payments Security Engineering. Borrowing some words from Ross, a quick definition of the field could be:
The discipline focused on the tools, processes, and methods needed to design, implement, and test complete payments systems, and to adapt existing systems as their environment evolves. It also studies the different strategies, protocols and laws involved in the protection of the huge range of payment methods.
I'm not an academic, so I'm not the best person to provide a good definition of this field. This is just based on my own research, putting some words together. OK?
Payments at Scale
There are many examples of great payments-focused infrastructure out there, but recently I watched an Airbnb TechTalk by Ian Logan (Engineering Manager in charge of Payments at Airbnb) and Harsh Sinha (Vice President of Engineering at TransferWise), and I fell instantly in love with large-scale payments systems.
This talk was called: "Building Payments: Insights from TransferWise & Airbnb"
Quick note: If you are a Product Manager or a Software Engineer interested in working in Payments, I encourage you to watch this talk in full and take your notes. If you love this field, you will enjoy every second of the talk.
In this talk, Ian and Harsh brilliantly explained the payments tech stacks of Airbnb and TransferWise respectively, and I found a lot of interesting players there: Apache Kafka as a publish/subscribe system for building event-based processing, Apache Spark + Scala for offline financial reporting and accounting, and more.
They packed a lot of insights into this talk, so if you want to enter the Payments Engineering world, again, you must watch this talk.
Due to my engineering background and my passion for Security, especially everything related to TLS, DDoS, HTTPS, PKI, PCI DSS and more, I got immersed in the talk and began to search for some interesting facts about why Payments Security Engineering could be my next career move.
But what actually shocked me was a recent article published by Reuters in Fortune's Tech section explaining how Esther George, President of the Kansas City Federal Reserve, called on everyone in the U.S. to improve the cybersecurity of payments networks:
“Regarding the issue of security, there should be no doubt that dynamic, persistent and escalating threats are challenging public confidence in the U.S. payment system. The growing scale, sophistication, and global nature of cyber threats, along with the proliferation in points of vulnerability, has made security a key priority for financial institutions, payments providers, central banks and regulators around the world.
More than 170 individuals joined the Secure Payments Task Force in 2015 to address the most pressing challenges in our existing payment systems and to define the criteria for a safe and secure faster payments future. Let me highlight two areas where this Task Force is focused today.
Preventing and managing fraud is a key challenge given certain inherent limitations and weaknesses in existing payment systems and processes. Today, there is no universally accepted way to establish and verify the identity of a payment system participant. The Task Force has begun to address this problem. Their work will consider the identification and adoption of payment identity management practices, as well as the opportunities to share fraud and cyber-threat information and how to analyze related data.
These efforts all promise to produce valuable information, tools and insight for the industry. Driving widespread adoption of security improvements, however, remains a considerable challenge. Fortunately, U.S. payment system security is strong. And although we remain vigilant, we must keep pace with the rapidly-evolving and expanding risks that threaten the payments ecosystem. I commend the work of the Secure Payments Task Force and the collaboration it brings to these important issues.”
You can find the complete speech here.
Yes, I know, I'm not based in the U.S., but it does not matter: financial systems are increasingly becoming a primary target for cybercrime globally, so this is a global problem to tackle.
I want to help fight this global problem; that's why I'm seriously considering a career move to Payments Security Engineering.
I began to compile online resources and to ask people how to make a career transition to a security career focused on protecting payments in every form.
Payments Security Engineering 101
There are a lot of things to cover here: anomaly detection, risk management, PCI DSS compliance, development of secure APIs to handle pay-ins and pay-outs, use of TLS 1.2 to provide the best security standards for online and mobile payments, etc.
A vast number of fields related to Payments Security.
I asked myself:
Why not create a list of these resources and make it available for everyone interested in this field?
Payments Security Engineering resources
OK, so like me, you want to become more competitive in this challenging field. What can you do right now? What resources could you use?
I asked myself the same questions, so I began to look for presentations, papers, videos and posts related to this field, and the result is this massive list organized by topic.
Payments Security, Cyber threats and Fraud
More than 554 million data records were lost or stolen in the first half of 2016, compared with some 424 million lost or stolen during the previous six months. That represents a dramatic increase of 31%. And considering that 510 of the data breaches (52%) had an unknown or unreported number of compromised records, the true number of lost or stolen records is much higher.
- Operations of a Brazilian Payment Card Fraud Group, FireEye
- Breach Level Index, First Half 2016, Gemalto
- Verizon 2015 Data Breach Investigations Report, Verizon
- Odinaff Trojan targets SWIFT users, financial organizations, Symantec
- Cybercrime will cost Businesses over $2 Trillion by 2019, Juniper Research
Secure and Faster Payments Initiatives
- Unified Payments Interface, National Payments Corporation of India
- Faster Payments Service, United Kingdom
- FedPayments Improvements, Federal Reserve, United States
- SecuRe Pay’s Recommendations for the security of internet payments, European Central Bank
- Ripple Solutions Use cases and Interledger Protocol
Building Secure Payments Infrastructures
- Stripe Engineering blog
- Adyen´s blog
- Braintree´s blog
- Secret Ingredients to Building Airbnb’s International Payments Platform, by Ian Logan (Airbnb)
- WePay’s blog
- Ripple Insights blog
- Interledger´s Architecture
- PayPal Engineering blog
- Wealthfront’s Engineering
- Building Scalable Event-Driven Data Pipelines for Payments, Fred Galoso, Dwolla
- AWS:reInvent 2015 Compliance Summit, Daniel Shaefer, Dwolla
- Security for Billing & Payments — Billing & Payments Engineering, Poorna Udupi & @Rudra Peram, Netflix
Compliance & Standards
- Payment Card Industry Data Security Standard (PCI DSS)
- Service Organization Controls (SOC 1, 2, 3)
- ISO 20022
- PIN Transaction Security, PCI Council
- Payment Application Data Security Standard (PA-DSS)
- W3C Web Payments Interest Group, Payment Request API
3-D Secure is an authenticated payment system designed to improve online transaction security and encourage the growth of e-commerce payments. Collectively, the Visa, MasterCard and AMEX secure systems are brand identities of the 3-D Secure Cardholder Authentication Scheme.
- 3D Secure, Wikipedia
- How 3D Secure can increase conversion rates, Adyen
- 3D Secure 2.0, Mobile Payments Today
- 3D Secure Guide, MasterCard
- 3D Secure Explained, SagePay
- EMV 3D Secure 2.0 Webcast, EMVCo
With the October 1 liability shift behind us, U.S. merchants who haven’t transitioned their point-of-sale infrastructure to support EMV need to do so as soon as possible. Experts estimate that card-related fraud may cost the U.S. card payments industry $10 billion this year. With the lesser-EMV compliant entity now shouldering that cost, lack of EMV compliance could potentially cost merchants millions of dollars if they are not set up to support EMV.
Source: EMV Guide, Adyen
- The EMV Switch: Chip-and-PIN Cards and the Target Breach, Trend Micro
- E-Commerce Security: What Every Enterprise Needs to Know, Dark Reading:
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
- EMV certification doesn’t have to be so hard, Adyen
- The EMV Guide, Adyen
- Companies Embracing Payments As A Service Roll Out New EMV-Enabled Security, Business Wire
- Non-EMV merchants see 77% rise in fraud cost, Mobile Payments Security
- After EMV, Will Fraud Move Online?, MultiChannel Merchant
HTTPS, TLS 1.2/1.3 for Online and Mobile Payments
The SSL and TLS Protocols have evolved as new threats emerge. Since 2011, SSL 3.0, TLS 1.0 and TLS 1.1 have suffered three major attacks and several deprecations that have cost companies millions of dollars. The risk of breach with older versions of TLS is significant, and PayPal intends to pursue the most secure option available in an effort to eliminate their impact. Enabling only TLS 1.2 eliminates the risk that vulnerabilities in earlier versions can affect PayPal or our merchants. Today, TLS 1.2 offers the best security features to protect our communication channels.
Source: The Foundation for PayPal´s June 2017 TLS 1.2 Upgrade, PayPal
- Migration from SSL and Early TLS Information Supplement, PCI Council
- 2016 Merchant Security System Upgrade Guide, PayPal
- 2015–2016 SSL Certificate Change Microsite, PayPal
- TLS 1.2 and HTTP/1.1 Upgrade Microsite, PayPal
- Security/Server Side TLS Guide, Mozilla
- Introducing TLS 1.3, Cloudflare
- PayPal's TLS v1.2 Update: If you are a developer, this is a must-read. PayPal's development team explained how to make changes in your application's code if you use PayPal's REST SDKs for Java, .NET, Python and Ruby.
- SSL/TLS compared: This is very interesting too, because it explains the exact OpenSSL version you need in order to support TLS 1.2 with curl, a system library used by many programming languages, especially PHP.
In this case, you need OpenSSL 1.0.1c or higher.
Other benefits you get if you upgrade your systems to this particular version of OpenSSL are:
- Support for Application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI), two mechanisms used to improve TLS performance
- Better support for modern cipher suites like ChaCha20-Poly1305
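As an added example (not code from the post, from PayPal or from OpenSSL), here are the two checks a practitioner would want after reading this section, written in Python: a parser that compares the local OpenSSL banner against the 1.0.1c floor named above, and a client SSLContext that refuses everything below TLS 1.2 and advertises ALPN. It also reports, without assuming, whether the local build's cipher list contains a ChaCha20-Poly1305 suite. The MIN_OPENSSL constant and the ALPN protocol list are assumptions chosen for the example, and the single-letter patch suffix handling is an assumption that covers the 1.0.1/1.1.1 release lines.

```python
"""Added example (not from the post, PayPal or OpenSSL): check the local
OpenSSL build against the 1.0.1c floor named above and build a client
SSLContext that refuses SSL 3.0 / TLS 1.0 / TLS 1.1 and advertises ALPN."""
import re
import ssl

MIN_OPENSSL = "1.0.1c"  # assumption: the floor the post names for TLS 1.2 with curl

# Matches "1.0.1c", "1.1.1k" or "3.0.2" inside a longer banner string.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.0.1c 10 May 2012' (or bare '1.0.1c') into a comparable tuple.

    OpenSSL 1.0.x/1.1.x used a trailing letter as the patch level; it is mapped
    to its alphabet position (no letter -> 0) so tuples compare in release order.
    Assumption: a single-letter suffix, which covers every 1.0.1/1.1.1 release.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def openssl_supports_tls12(version_text):
    """True when the build is at or above the 1.0.1c floor from the post."""
    return parse_openssl_version(version_text) >= parse_openssl_version(MIN_OPENSSL)


def make_tls12_client_context():
    """Client context that negotiates TLS 1.2 or newer only and offers ALPN.

    create_default_context() enables certificate verification and loads the
    system CA store. SNI is sent automatically when wrap_socket() is called with
    server_hostname, so only ALPN needs explicit configuration here.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3/TLS1.0/TLS1.1 are never offered
    ctx.set_alpn_protocols(["http/1.1"])           # assumption: HTTP/1.1, as in the PayPal upgrade
    return ctx


def protocol_floor_name(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def offers_chacha20(ctx):
    """Report whether the context's cipher list contains a ChaCha20-Poly1305 suite."""
    return any("CHACHA20" in c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    ctx = make_tls12_client_context()
    print(f"{ssl.OPENSSL_VERSION}: TLS 1.2 floor met = {openssl_supports_tls12(ssl.OPENSSL_VERSION)}")
    print(f"protocol floor = {protocol_floor_name(ctx)}, ChaCha20 offered = {offers_chacha20(ctx)}")
```

Run it on the host that terminates your payment API calls; the first line tells you whether the linked OpenSSL meets the floor, and the context returned by make_tls12_client_context() is what you would hand to wrap_socket() (with server_hostname set, so SNI is sent) or to an HTTP client that accepts an SSLContext.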
Risk Management and Payments Fraud Detection
- Stripe Radar: A primer on Machine Learning for Fraud Detection, Stripe
- Randomness and fraud, Michael Manapat, Stripe
- Fighting Fraud at Scale with Machine Learning, Michael Manapat, Stripe
- Risk Analysis and Chargebacks, Shopify
- [VIDEO] Fraud Detection in Bitcoin Payments Networks, Soups Ranjan (Coinbase)
- [PAPER] Fraud Detection on Bulk Tax Data Using Business Intelligence Data Mining Tool: A Case of Zambia Revenue Authority, Memorie Mwanza & Jackson Phiri, University of Zambia
- [PAPER] GPS-Based Fraud Detection Model, Min-gyu Lee, Hyo-jung Sohn, Baek -min Seong & Jong-bae Kim, Soongsil University
- [Webinar ] Beating Payment Fraud: SWIFT Hacking Use Case, NetGuardians
Chargebacks are the single biggest reason why e-commerce businesses get into trouble with their payment processing provider. Processing banks are required by Visa and MasterCard to monitor their merchants' chargeback levels and must ensure that the number of charged back transactions for any given month is below 1 percent of the total number of transactions. If you cannot keep your chargeback rate under 1 percent, your processor will suspend and eventually close your merchant account. In reality, processors suspend and close merchant accounts before their chargeback rates come even close to 1 percent.
- Chargebacks: Another Payment Card Acceptance Cost for Merchants, by Fumiko Hayashi, Zach Markiewicz and Richard J. Sullivan
- Chargebacks 101: What E-commerce merchants should know, Chain Store Age
- How Should E-commerce Businesses Handle Chargebacks?, UniBul Merchant Services
Security in Mobile Payments
- Application Transport Security, Apple
- What’s new on Security, WWDC 2016, Apple
- Apple Pay Security and Privacy Overview, Apple
- Venmo’s Security
- How Safe is WeChat Pay?
- Is it safe to link your bank card to WeChat? Quora
- Alipay Security
- Mobile Payments Security 101, Mobile Payments Today
- Mobile Banking and Payments Security Guidelines, Federal Financial Institutions Examination Council
Job Opportunities inside Payments Security Engineering and Risk Management
As I always do, I wanted to leave you here some interesting positions related to Payments Security, Risk Management and more, in organizations where you could build a career in this challenging field. Feel free to apply for your favorite position.
- System Engineer, Payments Security Engineering at Amazon (Dublin, Ireland)
- Security Engineer at Apple (Santa Clara, CA, USA)
- Software Engineer, Payments at Airbnb (San Francisco, CA, US)
Here you can see the opportunities inside the Payments team at Airbnb
- Risk Product Manager at Adyen (Amsterdam, Netherlands)
- Linux System Engineer at Adyen (Amsterdam, Netherlands)
- Fraud Product Manager at TransferWise (Tallinn, Estonia)
Ask Harsh Sinha for the right contact for this
- Security Engineer at Tyro Payments (Sydney, NSW, Australia). This is one of the most interesting positions on the list.
- Product Manager at N26 (Berlin, Germany)
- Senior Manager, Global Payment Risk at Uber (San Francisco, CA, USA)
- Head of Product — Payments Growth at Uber (Amsterdam, Netherlands)
- Data Scientist — Fraud & Security at Uber (San Francisco, CA, USA)
- Core Systems Software Engineer — Fraud at Uber (San Francisco, CA, USA)
- Senior Manager, Risk Operations at Etsy (San Francisco, CA, USA)
- Senior Relationship Manager, Payments at Etsy
- Product Manager, Ripple Solutions at Ripple (New York, NY, USA)
- Chargeback Analyst at Braintree Payments (Chicago, IL, USA)
- Fraud-Risk Specialist at Braintree Payments (Chicago, IL, USA)
- Product Manager, Payments at BigCommerce (Sydney, NSW, Australia)
- Product Manager at Paytm (Delhi, India) Why? Read this piece from Bloomberg Technology:
I know many of these positions could be filled in the upcoming months, so I wanted to start a newsletter to keep all of you updated with fresh positions, resources and more related to Payments Security Engineering, Payments as a Growth Engine and more. This is the result:
Payments Security Engineering is a very challenging field, but if you want to fight this global cybercrime problem, I encourage you to follow my lead here.
You will enjoy every second of it if you love Security + Payments like I do.
Thanks for reading, and if you feel I need to add a new resource or a new topic to the post, let me know with a response or a Tweet.