Payments Security Engineering: One of the Most Exciting Fields in Technology Today

And How You Can Put a Foot Inside

What is the quickest vehicle to grow an organization? To increase the positive cash flow. More revenue means you have more money in your pockets for future investments and new initiatives inside your company. But there is a catch here: More money in your pockets, also means that the risks associated to lose that money are higher too.

You have to think seriously how to protect your money, how to protect the credit cards of your users or their banks accounts with a good strategy. Here is when Payments Security Engineering comes to play a key role.

First, some numbers and facts to discuss

Payments fraud, data breaches, unauthorized access to high level banks networks are more common everyday globally.

I wanted to share some statistics related to Payments Security to give you a close look to the industry:

The estimated annual number of unauthorized transactions (third-party fraud) in 2012 was 32.2 Million, with a value of $6.4 Billion in United States. Source: 2013 Fed Payments Study, U.S Federal Reserve
In 2015, the 5 most common causes of card data breaches in United Kingdom were: Malicious web shell (22.0%), SQL Injection (20.2%), No evidence found (15.6%), Malware (14.7%) and Database hack (7.3%). Source: 2015 Payment Security Report, WorldPay
More than 133,000 fraudulent transactions were reported in United Kingdom, equating to stolen card details being used every 20 seconds. Source: 2015 Payment Security Report, WorldPay
In the first half of 2016, there were 554,454,942 records breached, 974 of breach incidents, 29 breaches with over 1 Million records affected and 52 percentage of breaches where compromised records was unknown. Source: Breach Level Index Report Half 1 2016, Gemalto

How I got here

During the investigation to write my last post about Adyen, the global payments company based in Amsterdam, Netherlands; I read several papers about Financial Risk Management, watched several talks related to Payments Engineering (more on this later), answered several questions at Quora related to Online Payments & Payments Processing; reviewed some videos and websites about new payments initiatives in the world like Faster Payments System in United Kingdom and the Unified Payments Interface backed by the National Payments Corporation in India.

With time, I understood there is a tech revolution happening right now, and many people are not aware of it. If you analyze deeply any company interested to scale globally, one of the first questions they make to their respective teams is:

How we could handle payments in this market and this market?

Even before internationalization and Content Marketing efforts, everyone is wondering how to handle payments. That´s why with Adyen´s help, companies like Netflix, Facebook, Yelp, AirbnbEng, Spotify and more, are taking a payments-first approach to scale to new markets.

Basically, that question was the trigger to put me seriously in this field, but with a little modification:

How we can handle payments in these markets in the fastest and most secure way?

Payments Security Engineering: A Quick Primer

Looking for a good definition for this interesting and challenging field, I took the approach to look for Security Engineering definitions, and I found with the amazing Ross Anderson’s Security Engineering: The Guide to Building Dependable Distributed Systems book about the same topic.

In Chapter 1 of the book, Ross defined the field in this form:

Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.Security engineering requires cross-disciplinary expertise, ranging from cryptography and computer security through hardware tamper-resistance and formal methods to a knowledge of applied psychology, organizational and audit methods and the law.
System engineering skills, from business process analysis through software engineering to evaluation and testing, are also important; but they are not sufficient, as they deal only with error and mischance rather than malice.

So, let’s talk about Payments Security Engineering. Taking borrowed some words from Ross, a quick definition of the field could be:

The discipline focused on the tools, processes, and methods needed to design, implement, and test complete payments systems, and to adapt existing systems as their environment evolves.It also studies the different strategies, protocols and laws involved in the protection of the huge range of payments methods.

I’m not an academic person, so I’m not the best one to provide a good definition of this field. This is just based in my own research, putting some words together. OK?

Payments at Scale

There are many examples of great Payments focused infrastructure out there, but recently I watched an Airbnb´s TechTalk by Ian Logan (Engineering Manager in charge of Payments at Airbnb) and Harsh Sinha (Vice President of Engineering at TransferWise) and I felt an instant love for Large Scale Payments systems.

This talk was called: “Building Payments: Insights from Transferwise & Airbnb”

Quick note: If you are a Product Manager or a Software Engineer interested to work in Payments, I encourage you to watch this talk completely and I take your notes. If you love this field, you will enjoy every second of the talk.

In this talk, Ian and Harsh explained brilliantly Payments Tech stacks from Airbnb & TransferWise respectively; and I found a lot of interesting players there: Apache Kafka for publish/subscribe systems to build Events-based processing, Apache Spark + Scala for Offline Financial Reporting and Accounting, and more.

Airbnb’s Payments Tech Stack

A simplified view of the tech stack at TransferWise

They put a lot of insights in this talk, so you want to enter in the Payments Engineering world, again, you must watch this talk.

Due to my Engineering background and my passion for Security, especially for everything related to TLS, DDoS, HTTPS, PKI, PCI DSS and more, I got immersed in the talk and I began to search some interesting facts why Payments Security Engineering could be my next career move.

But what actually shocked me was a recent article published by Reuters in Fortune´s Tech section explaining how Esther George, President of Kansas City Federal Reserve called to everyone in U.S to improve CyberSecurity of Payments Networks:

“Regarding the issue of security, there should be no doubt that dynamic, persistent and escalating threats are challenging public confidence in the U.S. payment system. The growing scale, sophistication, and global nature of cyber threats, along with the proliferation in points of vulnerability, has made security a key priority for financial institutions, payments providers, central banks and regulators around the world.

More than 170 individuals joined the Secure Payments Task Force in 2015 to address the most pressing challenges in our existing payment systems and to define the criteria for a safe and secure faster payments future. Let me highlight two areas where this Task Force is focused today.

Preventing and managing fraud is a key challenge given certain inherent limitations and weaknesses in existing payment systems and processes. Today, there is no universally accepted way to establish and verify the identity of a payment system participant. The Task Force has begun to address this problem. Their work will consider the identification and adoption of payment identity management practices, as well as the opportunities to share fraud and cyber-threat information and how to analyze related data.

These efforts all promise to produce valuable information, tools and insight for the industry. Driving widespread adoption of security improvements, however, remains a considerable challenge. Fortunately, U.S. payment system security is strong. And although we remain vigilant, we must keep pace with the rapidly-evolving and expanding risks that threaten the payments ecosystem. I commend the work of the Secure Payments Task Force and the collaboration it brings to these important issues.

You can find the complete speech here .

Yes, I know, I´m not based in U.S, but it does not matters: Financial systems are increasingly becoming a primary target for Cybercrime globally, so this is a global problem to tackle.

I want to help to fight this global problem, that’s why I’m considering seriously to make a career movement to Payments Security Engineering.

I began to compile online resources, to ask people about how to make a career transition to a Security-career focused to protect payments in every form.

Payments Security Engineering 101

There is a lot of things to cover here: Anomaly Detection, Risk Management, PCI DSS compliance, Development of secure APIs to handle pay-ins and pay-outs, use of TLS 1.2 to provide the best Security standards for Online and Mobile Payments, etc.

A vast amount of fields related to Payments Security.

I wondered to myself:

Why not to create a list of these resources and make it available for everyone interested in this field?

Keep reading.

Payments Security Engineering resources

OK, like me, you want to become more competitive in this challenging field, so what you can do right now? What resources I could use for it?

I made to myself the same questions, so I began to look for presentations, papers, videos, posts related to this field and the results is this massive list organized by related topics.

Payments Security, Cyber threats and Fraud

More than 554 million data records were lost or stolen in the first half of 2016, compared with some 424 million lost or stolen during the previous six months.That represents a dramatic increase of 31%. And considering that 510 of the data breaches (52%) had an unknown or unreported number compromised records, the true number of lost or stolen records is much higher.

Source: Gemalto

Operations of a Brazilian Payment Card Fraud Group, FireEye
Breach Level Index, First Half 2016, Gemalto
Verizon 2015 Data Breach Investigations Report, Verizon
Odinaff Trojan targets SWIFT users, financial organizations, Symantec
Cybercrime will cost Businesses over $2 Trillion by 2019, Juniper Research

3D Secure

3-D Secure is an authenticated payment system to improve online transaction security and encourage the growth of e-commerce payments. Collectively Visa, MasterCard and AMEX secure systems are brand identities of the 3-D Secure Cardholder Authentication Scheme.

3D Secure, Wikipedia
How 3D Secure can increase conversion rates, Adyen
3D Secure 2.0, Mobile Payments Today
3D Secure Guide, MasterCard
3D Secure Explained, SagePay
EMV 3D Secure 2.0 Webcast, EMVCo

EMV cards

With the October 1 liability shift behind us, U.S. merchants who haven’t transitioned their point-of-sale infrastructure to support EMV need to do so as soon as possible. Experts estimate that card-related fraud may cost the U.S. card payments industry $10 billion this year. With the lesser-EMV compliant entity now shouldering that cost, lack of EMV compliance could potentially cost merchants millions of dollars if they are not set up to support EMV.

Source: EMV Guide, Adyen

The EMV Switch: Chip-and-PIN Cards and the Target Breach, Trend Micro
E-Commerce Security: What Every Enterprise Needs to Know, Dark Reading:

The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.

EMV certification doesn’t have to be so hard, Adyen
The EMV Guide, Adyen
Companies Embracing Payments As A Service Roll Out New EMV-Enabled Security, Business Wire
Non-EMV merchants see 77% raise in fraud cost, Mobile Payments Security
After EMV, Will Fraud Move Online?, MultiChannel Merchant

HTTPS, TLS 1.2/1.3 for Online and Mobile Payments

The SSL and TLS Protocols have evolved as new threats emerge. Since 2011, SSL 3.0, TLS 1.0 and TLS 1.1 have suffered three major attacks and several deprecations that have cost companies millions of dollars. The risk of breach with older versions of TLS is significant, and PayPal intends to pursue the most secure option available in an effort to eliminate their impact. Enabling only TLS 1.2 eliminates the risk that vulnerabilities in earlier versions can affect PayPal or our merchants. Today, TLS 1.2 offers the best security features to protect our communication channels

Source: The Foundation for PayPal´s June 2017 TLS 1.2 Upgrade, PayPal

Migration from SSL and Early TLS Information Supplement, PCI Council
2016 Merchant Security System Upgrade Guide, PayPal
2015–2016 SSL Certificate Change Microsite, PayPal
TLS 1.2 and HTTP/1.1 Upgrade Microsite, PayPal
Security/Server Side TLS Guide, Mozilla
Introducing TLS 1.3, Cloudflare
PayPal’s TLS v1.2 Update: If you are a developer, this is a must-read for you. PayPal’s development team explained to how make changes in your application’s code if you use PayPal’s REST SDKs for Java, .Net, Python and Ruby
SSL/TLS compared: This is very interesting too because it explains the exact OpenSSL version you need to support TLS 1.2 to be able to work with curl, a system library used by many programming languages, specially PHP.

In this case, you need to use OpenSSL 1.0.1c or higher

Other benefits you can find if you upgrade your systems to this particular version of OpenSSL are:

Support for Application Layer Protocol Negotiation (ALPN) and Server Name Indication (SNI), two mechanisms used to improve TLS performance
Better support for modern cyphersuites like ChaCha20-Poly1305

Risk Management and Payments Fraud Detection

Stripe Radar: A primer on Machine Learning for Fraud Detection, Stripe
Randomness and fraud, Michael Manapat, Stripe
Fighting Fraud at Scale with Machine Learning, Michael Manapat, Stripe
Risk Analysis and Chargebacks, Shopify
[VIDEO] Fraud Detection in Bitcoin Payments Networks, Soups Ranjan (Coinbase)

[PAPER] Fraud Detection on Bulk Tax Data Using Business Intelligence Data Mining Tool: A Case of Zambia Revenue Authority, Memorie Mwanza & Jackson Phiri, University of Zambia
[PAPER] GPS-Based Fraud Detection Model, Min-gyu Lee, Hyo-jung Sohn, Baek -min Seong & Jong-bae Kim, Soongsil University
[Webinar ] Beating Payment Fraud: SWIFT Hacking Use Case, NetGuardians

[VIDEO] Fraud Detection Using H2O’s Deep Learning, Venkatesh Ramanathan, PayPal

Modern Fraud Prevention using Deep Learning, Phil Winder, GOTO 2015

Fraud detection in real-time with Spark, Mehrdad Pazooki, CEO and Co-Founder at TranQuant

Credit Fraud Prevention with Spark and Graph Analysis, Chris D’Agostino, Capital One DevExchange

Chargebacks

Chargebacks are the single biggest reason why e-commerce businesses get into trouble with their payment processing provider. Processing banks are required by Visa and MasterCard to monitor their merchants’ chargeback levels and must ensure that the number of charged back transactions for any given month is below 1 percent of the total number of transactions. If you cannot keep your chargeback rate under 1 percent, your processor will suspend and eventually close your merchant account. In reality, processors suspend and close merchant accounts before their chargeback rates come even close to 1percent.

Chargebacks: Another Payment Card Acceptance Cost for Merchants, by Fumiko Hayashi, Zach Markiewicz and Richard J. Sullivan
Chargebacks 101: What E-commerce merchants should know, Chain Store Age
How Should E-commerce Businesses Handle Chargebacks?, UniBul Merchant Services

Security in Mobile Payments

Application Transport Security, Apple
What’s new on Security, WWDC 2016, Apple
Apple Pay Security and Privacy Overview, Apple
Venmo’s Security
How Safe is WeChat Pay?
Is it safe to link your bank card to WeChat? Quora
Alipay Security
Mobile Payments Security 101, Mobile Payments Today
Mobile Banking and Payments Security Guidelines, Federal Financial Institutions Examination Council

Job Opportunities inside Payments Security Engineering and Risk Management

As always I do, I wanted to let you here some interesting positions related to Payments Security, Risk Management and more, in organizations where you could build a career in this challenging field. Feel free to apply for your favorite position.

System Engineer, Payments Security Engineering at Amazon (Dublin, Ireland)
Security Engineer at Apple (Santa Clara, CA, USA)
Software Engineer, Payments at Airbnb (San Francisco, CA, US)

Ask to Ian about this position or you can talk with Paul Youn (Director of Security) and Vanessa Van Epps, one of the technical recruiters at Airbnb in charge of the Security team inside the company.

Here you can see the opportunities inside the Payments team at Airbnb

Risk Product Manager at Adyen (Amsterdam, Netherlands)
Linux System Engineer at Adyen (Amsterdam, Netherlands)
Fraud Product Manager at TransferWise (Tallinn, Estonia)

Ask Harsh Sinha for the right contact for this

Security Engineer at Tyro Payments (Sydney, NW, Australia) This is one of the most interesting positions on the list.
Product Manager at N26 (Berlin, Germany)
Senior Manager, Global Payment Risk at Uber (San Francisco, CA, USA)
Head of Product — Payments Growth at Uber (Amsterdam, Netherlands)
Data Scientist — Fraud & Security at Uber (San Francisco, CA, USA)
Core Systems Software Engineer — Fraud at Uber (San Francisco, CA, USA)
Senior Manager, Risk Operations at Etsy (San Francisco, CA, USA)
Senior Relationship Manager, Payments at Etsy
Product Manager, Ripple Solutions at Ripple (New York, NY, USA)
Chargeback Analyst at Braintree Payments (Chicago, IL, USA)
Fraud-Risk Specialist at Braintree Payments (Chicago, IL, USA)
Product Manager, Payments at BigCommerce (Sydney, NW, Australia)
Product Manager at Paytm (Delhi, India) Why? Read this piece from Bloomberg Technology:

India's Cash Ban the Best Thing to Happen to Digital Payments
Vijay Shekhar Sharma's Twitter feed has come alive these past two weeks. From a roadside egg-seller in Bhopal to a soda…www.bloomberg.com

I know many of these positions in the upcoming months could be fulfilled, so I wanted to start a newsletter to maintain all of you updated with fresh positions, resources and more related to Payments Security Engineering, Payments as a Growth Engine and more. This is the result:

Payments as Growth Engine by Marcos Ortiz
Stories, tips, jobs of companies and organizations around the globe who has use Payments as a Growth Engine.tinyletter.com

Conclusions

Payments Security Engineering is a very challenging field, but if you want to fight this global Cyber-crime problem, I encourage you to follow my lead here.

You will enjoy every second on it, if you love Security + Payments like me.

Thanks for reading, and you feel I need to add a new resource or a new topic to the post let me know with a response or a Tweet.