Payments Security Engineering: One of the Most Exciting Fields in Technology Today

payments Nov 12, 2016

And How You Can Get a Foot in the Door

What is the quickest vehicle for growing an organization? Increasing positive cash flow. More revenue means more money in your pockets for future investments and new initiatives inside your company. But there is a catch: more money in your pockets also means that the risk of losing that money is higher too.

You have to think seriously about how to protect that money, and how to protect your users' credit cards and bank accounts, with a sound strategy. This is where Payments Security Engineering comes in to play a key role.

First, some numbers and facts to discuss

Payments fraud, data breaches and unauthorized access to bank networks are becoming more common every day, all over the world.

I wanted to share some statistics related to payments security to give you a closer look at the industry:

  • The estimated annual number of unauthorized transactions (third-party fraud) in 2012 was 32.2 million, with a value of $6.4 billion, in the United States. Source: 2013 Fed Payments Study, U.S. Federal Reserve
  • In 2015, the five most common causes of card data breaches in the United Kingdom were: malicious web shell (22.0%), SQL injection (20.2%), no evidence found (15.6%), malware (14.7%) and database hack (7.3%). Source: 2015 Payment Security Report, WorldPay
  • More than 133,000 fraudulent transactions were reported in the United Kingdom, equating to stolen card details being used every 20 seconds. Source: 2015 Payment Security Report, WorldPay
  • In the first half of 2016 there were 554,454,942 records breached across 974 breach incidents; 29 breaches affected over 1 million records each, and in 52 percent of breaches the number of compromised records was unknown. Source: Breach Level Index Report, H1 2016, Gemalto

How I got here

While researching my last post about Adyen, the global payments company based in Amsterdam, Netherlands, I read several papers about financial risk management, watched several talks on payments engineering (more on this later), answered several questions on Quora about online payments and payments processing, and reviewed videos and websites about new payments initiatives around the world, like the Faster Payments System in the United Kingdom and the Unified Payments Interface backed by the National Payments Corporation of India.

Over time, I came to understand that there is a tech revolution happening right now, and many people are not aware of it. If you look closely at any company interested in scaling globally, one of the first questions they ask their teams is:

How could we handle payments in this market, and in that one?

Even before internationalization and content marketing efforts, everyone is wondering how to handle payments. That's why, with Adyen's help, companies like Netflix, Facebook, Yelp, Airbnb, Spotify and more are taking a payments-first approach to scaling into new markets.

Basically, that question was the trigger that got me seriously into this field, with a small modification:

How can we handle payments in these markets in the fastest and most secure way?

Payments Security Engineering: A Quick Primer

Looking for a good definition of this interesting and challenging field, I took the approach of looking for definitions of Security Engineering, and I found Ross Anderson's excellent book Security Engineering: A Guide to Building Dependable Distributed Systems.

In Chapter 1 of the book, Anderson defines the field like this:

Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves. Security engineering requires cross-disciplinary expertise, ranging from cryptography and computer security through hardware tamper-resistance and formal methods to a knowledge of applied psychology, organizational and audit methods and the law.
System engineering skills, from business process analysis through software engineering to evaluation and testing, are also important; but they are not sufficient, as they deal only with error and mischance rather than malice.

So, let's talk about Payments Security Engineering. Borrowing some of Anderson's words, a quick definition of the field could be:

The discipline focused on the tools, processes, and methods needed to design, implement, and test complete payments systems, and to adapt existing systems as their environment evolves. It also covers the strategies, protocols and laws involved in protecting the wide range of payment methods in use.

I'm not an academic, so I'm not the best person to provide a rigorous definition of this field. This is just based on my own research, putting some words together. OK?

Payments at Scale

There are many examples of great payments-focused infrastructure out there, but recently I watched an Airbnb TechTalk by Ian Logan (Engineering Manager in charge of Payments at Airbnb) and Harsh Sinha (Vice President of Engineering at TransferWise), and I fell instantly in love with large-scale payments systems.

This talk was called: “Building Payments: Insights from Transferwise & Airbnb”

Quick note: if you are a Product Manager or a Software Engineer interested in working in payments, I encourage you to watch the whole talk and take notes. If you love this field, you will enjoy every second of it.

In this talk, Ian and Harsh brilliantly explained the payments tech stacks of Airbnb and TransferWise respectively, and I found a lot of interesting players there: Apache Kafka as the publish/subscribe backbone for event-based processing, Apache Spark with Scala for offline financial reporting and accounting, and more.

Airbnb’s Payments Tech Stack
A simplified view of the tech stack at TransferWise

They packed a lot of insight into this talk, so if you want to enter the payments engineering world, again, you must watch it.

Due to my engineering background and my passion for security, especially for everything related to TLS, DDoS, HTTPS, PKI, PCI DSS and more, I got immersed in the talk and began looking for reasons why Payments Security Engineering could be my next career move.

But what actually shocked me was a recent article published by Reuters in Fortune's Tech section, explaining how Esther George, President of the Federal Reserve Bank of Kansas City, called on everyone in the U.S. to improve the cybersecurity of payments networks:

“Regarding the issue of security, there should be no doubt that dynamic, persistent and escalating threats are challenging public confidence in the U.S. payment system. The growing scale, sophistication, and global nature of cyber threats, along with the proliferation in points of vulnerability, has made security a key priority for financial institutions, payments providers, central banks and regulators around the world.
More than 170 individuals joined the Secure Payments Task Force in 2015 to address the most pressing challenges in our existing payment systems and to define the criteria for a safe and secure faster payments future. Let me highlight two areas where this Task Force is focused today.

Preventing and managing fraud is a key challenge given certain inherent limitations and weaknesses in existing payment systems and processes. Today, there is no universally accepted way to establish and verify the identity of a payment system participant. The Task Force has begun to address this problem. Their work will consider the identification and adoption of payment identity management practices, as well as the opportunities to share fraud and cyber-threat information and how to analyze related data.

These efforts all promise to produce valuable information, tools and insight for the industry. Driving widespread adoption of security improvements, however, remains a considerable challenge. Fortunately, U.S. payment system security is strong. And although we remain vigilant, we must keep pace with the rapidly-evolving and expanding risks that threaten the payments ecosystem. I commend the work of the Secure Payments Task Force and the collaboration it brings to these important issues.”

You can find the complete speech here.

Yes, I know, I'm not based in the U.S., but it does not matter: financial systems are increasingly becoming a primary target for cybercrime globally, so this is a global problem to tackle.

I want to help fight this global problem; that's why I'm seriously considering a career move into Payments Security Engineering.

I began to compile online resources and to ask people how to make a career transition to a security career focused on protecting payments in every form.

Payments Security Engineering 101

There are a lot of things to cover here: anomaly detection, risk management, PCI DSS compliance, development of secure APIs to handle pay-ins and pay-outs, use of TLS 1.2 to meet the current security baseline for online and mobile payments, and so on.

A vast range of fields, all related to payments security.

I wondered to myself:

Why not to create a list of these resources and make it available for everyone interested in this field?

Keep reading.

Payments Security Engineering resources

OK, so like me you want to become more competitive in this challenging field. What can you do right now? What resources could you use?

I asked myself the same questions, so I began to look for presentations, papers, videos and posts related to this field, and the result is this list, organized by topic.

Payments Security, Cyber threats and Fraud

More than 554 million data records were lost or stolen in the first half of 2016, compared with some 424 million lost or stolen during the previous six months. That represents a dramatic increase of 31%. And considering that 510 of the data breaches (52%) had an unknown or unreported number of compromised records, the true number of lost or stolen records is much higher.

Source: Gemalto

Secure and Faster Payments Initiatives

Building Secure Payments Infrastructures

Compliance & Standards

3D Secure

3-D Secure is a cardholder authentication protocol for online card payments: before the merchant submits the authorization, the cardholder is authenticated with the card issuer, which moves liability for fraudulent transactions away from the merchant and is meant to encourage the growth of e-commerce payments. Verified by Visa, MasterCard SecureCode and American Express SafeKey are the card schemes' branded implementations of the 3-D Secure Cardholder Authentication Scheme.

EMV cards

With the October 1 liability shift behind us, U.S. merchants who haven’t transitioned their point-of-sale infrastructure to support EMV need to do so as soon as possible. Experts estimate that card-related fraud may cost the U.S. card payments industry $10 billion this year. With the lesser-EMV compliant entity now shouldering that cost, lack of EMV compliance could potentially cost merchants millions of dollars if they are not set up to support EMV.

Source: EMV Guide, Adyen

The mainstream use of EMV chip cards in the US has experts predicting an increase in online fraud: once counterfeiting cards for point-of-sale use gets harder, fraud moves to card-not-present channels, where the chip plays no part. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.

HTTPS, TLS 1.2/1.3 for Online and Mobile Payments

The SSL and TLS Protocols have evolved as new threats emerge. Since 2011, SSL 3.0, TLS 1.0 and TLS 1.1 have suffered three major attacks and several deprecations that have cost companies millions of dollars. The risk of breach with older versions of TLS is significant, and PayPal intends to pursue the most secure option available in an effort to eliminate their impact. Enabling only TLS 1.2 eliminates the risk that vulnerabilities in earlier versions can affect PayPal or our merchants. Today, TLS 1.2 offers the best security features to protect our communication channels.

Source: The Foundation for PayPal´s June 2017 TLS 1.2 Upgrade, PayPal

In practice this means the client side must be built on OpenSSL 1.0.1 or later, since TLS 1.2 support first appeared in that release; PayPal's guidance specifies 1.0.1c or higher. You can confirm what your own stack negotiates with openssl version and openssl s_client -connect host:443 -tls1_2 before the cut-over date, rather than finding out when authorizations start failing.

Moving to a newer OpenSSL line brings other benefits as well:

  • Application-Layer Protocol Negotiation (ALPN), added in OpenSSL 1.0.2, lets client and server agree on the application protocol (for example HTTP/2) during the handshake; Server Name Indication (SNI), already supported in earlier releases, lets one server present the right certificate for each hostname on a shared IP address
  • Support for modern AEAD cipher suites such as ChaCha20-Poly1305, added in OpenSSL 1.1.0
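To turn the version floor into something you can verify on your own client stack, here is an added example in Python (not PayPal's, OpenSSL's or the author's code): it builds a client SSLContext that negotiates only TLS 1.2 and above with forward-secret AEAD suites, builds the legacy "before" context for comparison, and audits either one for the settings discussed above. The weak-cipher marker list and the cipher string are this example's assumptions, and it expects CPython 3.8+ linked against OpenSSL 1.1.1 or later.

```python
"""Added example for this post (not PayPal's, OpenSSL's or the author's code):
build a client-side TLS configuration for calling a payments API and audit
any ssl.SSLContext for the legacy settings discussed above.
Assumes CPython 3.8+ linked against OpenSSL 1.1.1 or newer."""
import ssl

# Name fragments that identify cipher suites a payments client should never
# offer. The list is this example's assumption; extend it to match your policy.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def weak_ciphers(cipher_names):
    """Return the cipher suite names that match one of the weak markers.
    'DES' also catches 3DES suites such as DES-CBC3-SHA."""
    return [name for name in cipher_names
            if any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS)]


def audit_tls_settings(minimum_version, cipher_names):
    """Pure check: the floor must be TLS 1.2 and no weak suite may be enabled.
    minimum_version is an ssl.TLSVersion member or the raw protocol number."""
    issues = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        label = getattr(minimum_version, "name", str(minimum_version))
        issues.append(f"minimum protocol version is {label}; require TLSv1_2")
    for name in weak_ciphers(cipher_names):
        issues.append(f"weak cipher suite enabled: {name}")
    return issues


def audit_context(ctx):
    """Run the audit against a live SSLContext: OpenSSL reports the enabled
    suites through get_ciphers() and the floor through minimum_version."""
    names = [cipher["name"] for cipher in ctx.get_ciphers()]
    return audit_tls_settings(ctx.minimum_version, names)


def build_payments_client_context():
    """Hardened client: TLS 1.2 as the floor (TLS 1.3 is still negotiable),
    forward-secret AEAD suites only, certificate and hostname verification on."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!3DES:!RC4"
    )
    return ctx


def build_legacy_client_context():
    """The 'before' picture: a context that still offers TLS 1.0, shown only
    so the audit has something to flag."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


if __name__ == "__main__":
    for label, builder in (("legacy", build_legacy_client_context),
                           ("hardened", build_payments_client_context)):
        problems = audit_context(builder())
        print(f"{label}: {'OK' if not problems else ', '.join(problems)}")
```

The audit reads the suites OpenSSL actually enabled rather than the string you asked for, so it catches the case where a library upgrade or distribution patch silently changes what a cipher alias expands to. Run it against every SSLContext your payment integration creates, including the ones hidden inside HTTP client libraries, not only the one you wrote by hand.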

Risk Management and Payments Fraud Detection

Chargebacks

Chargebacks are the single biggest reason why e-commerce businesses get into trouble with their payment processing provider. Processing banks are required by Visa and MasterCard to monitor their merchants' chargeback levels and must ensure that the number of charged-back transactions for any given month stays below 1 percent of the total number of transactions. If you cannot keep your chargeback rate under 1 percent, your processor will suspend and eventually close your merchant account. In reality, processors suspend and close merchant accounts before their chargeback rates come anywhere close to 1 percent. The exact ratio formula and the thresholds differ by card scheme and change over time, so monitor against the current rules of your own acquirer, and alert well below the published ceiling.
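As an added example (constructed data; not code from the post or from any processor), the Python below groups transactions and chargebacks by month, computes the ratio, and raises an internal WARN band at 0.75 percent, well under the 1 percent ceiling, since processors act before the published limit. It uses the same-month formula; that choice and the 0.75 percent line are this example's assumptions.

```python
"""Added example for this post (constructed data, not from any processor):
a monthly chargeback-ratio monitor that raises an internal warning well
before the 1 percent ceiling quoted above is reached."""
from collections import defaultdict
from datetime import date

CEILING = 0.01          # the scheme/processor ceiling quoted in the text
EARLY_WARNING = 0.0075  # assumed internal alert line; processors act before 1%


def month_key(day):
    """Bucket a date into a 'YYYY-MM' key."""
    return f"{day.year:04d}-{day.month:02d}"


def monthly_chargeback_ratios(transaction_dates, chargeback_dates):
    """Return {month: (chargebacks, transactions, ratio)}.
    Uses the same-month formula (chargebacks received in a month divided by
    transactions made in that month); card schemes define the ratio
    differently, so swap in your acquirer's rule here."""
    sales = defaultdict(int)
    disputes = defaultdict(int)
    for day in transaction_dates:
        sales[month_key(day)] += 1
    for day in chargeback_dates:
        disputes[month_key(day)] += 1
    report = {}
    for month in sorted(set(sales) | set(disputes)):
        n_sales, n_disputes = sales[month], disputes[month]
        # A month with chargebacks but no sales has no meaningful ratio;
        # treat it as over the ceiling rather than dividing by zero.
        ratio = n_disputes / n_sales if n_sales else float("inf")
        report[month] = (n_disputes, n_sales, ratio)
    return report


def classify(ratio):
    """Map a ratio to the action band used for alerting."""
    if ratio >= CEILING:
        return "BREACH"
    if ratio >= EARLY_WARNING:
        return "WARN"
    return "OK"


def chargeback_status(transaction_dates, chargeback_dates):
    """Month -> OK / WARN / BREACH, the view a risk dashboard would show."""
    ratios = monthly_chargeback_ratios(transaction_dates, chargeback_dates)
    return {month: classify(ratio) for month, (_, _, ratio) in ratios.items()}


# Constructed sample data: sales volume falling while disputes keep arriving,
# the pattern that pushes a merchant over the limit without one bad month of fraud.
SAMPLE_TRANSACTIONS = (
    [date(2016, 9, 1 + i % 30) for i in range(2000)]
    + [date(2016, 10, 1 + i % 31) for i in range(1500)]
    + [date(2016, 11, 1 + i % 30) for i in range(800)]
)
SAMPLE_CHARGEBACKS = (
    [date(2016, 9, 1 + i % 30) for i in range(8)]      # 8 / 2000 = 0.40%
    + [date(2016, 10, 1 + i % 31) for i in range(12)]  # 12 / 1500 = 0.80%
    + [date(2016, 11, 1 + i % 30) for i in range(10)]  # 10 / 800 = 1.25%
)

if __name__ == "__main__":
    ratios = monthly_chargeback_ratios(SAMPLE_TRANSACTIONS, SAMPLE_CHARGEBACKS)
    for month, (n_cb, n_tx, ratio) in ratios.items():
        print(f"{month}: {n_cb:3d} chargebacks / {n_tx:4d} transactions "
              f"= {ratio:.2%} -> {classify(ratio)}")
```

The sample shows why volume matters as much as fraud: the number of disputes barely changes from month to month, but as sales fall the ratio crosses the warning line and then the ceiling. Feed the function the same transaction and chargeback feeds your reconciliation job already consumes, and treat the WARN band as the point where the risk team starts looking for the source of the disputes.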

Security in Mobile Payments

Job Opportunities inside Payments Security Engineering and Risk Management

As I always do, I wanted to leave you with some interesting positions related to payments security, risk management and more, in organizations where you could build a career in this challenging field. Feel free to apply for your favorite position.

Ask Ian about this position, or you can talk with Paul Youn (Director of Security) and Vanessa Van Epps, one of the technical recruiters at Airbnb in charge of the Security team inside the company.

Here you can see the opportunities inside the Payments team at Airbnb

Ask Harsh Sinha for the right contact for this

Related reading: India's Cash Ban the Best Thing to Happen to Digital Payments (Bloomberg, www.bloomberg.com)

I know many of these positions could be filled in the coming months, so I wanted to start a newsletter to keep all of you updated with fresh positions, resources and more related to Payments Security Engineering, Payments as a Growth Engine and more. This is the result:

Payments as Growth Engine by Marcos Ortiz (tinyletter.com): stories, tips and jobs from companies and organizations around the globe that use payments as a growth engine.

Conclusions

Payments Security Engineering is a very challenging field, but if you want to fight this global cybercrime problem, I encourage you to follow my lead here.

You will enjoy every second of it if, like me, you love security and payments.

Thanks for reading, and if you feel I need to add a new resource or a new topic to the post, let me know with a response or a tweet.

Marcos Ortiz Valmaseda

Editor at The Panda Way, where I help companies to earn more income through #investing. Cloud Data Engineer in the morning at Grupo Intercorp